McAfee Content Security Blade Server 5.5 (M3 chassis)
Installation Guide
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
Introducing McAfee Content Security Blade Server
How to use this guide
Who should read this guide
Definition of terms used in this guide
Graphical conventions
Documentation
Available resources
Introducing the blade servers
Key advantages of the blade servers
Types of blade
Management blade
Failover Management blade
Content scanning blades
Pre-installation
What’s in the box
Plan the installation
Inappropriate use
Where to place the blade server
Considerations about Network Modes
Transparent bridge mode
Transparent router mode
Explicit proxy mode
Deployment Strategies for Using the device in a DMZ
SMTP configuration in a DMZ
Workload management
In-built redundancy
Planning Your Installation
Before installing the enclosure
Installation process overview
Setting up lights-out management
After installation
Connecting and Configuring the blade server
Physically installing the blade server
Connect to the network
Installing the switches
Port numbers
Using Copper LAN connections
Using Fiber LAN connections
Supplying power to the blade server
Installing the software
Order of installing the Management blades
Software images
Locally installing the software on the Management blades
Remotely installing the software
Using the Configuration Console
Welcome page
Performing a custom setup
Restoring from a file
Using the device
Updates and HotFixes
After installation
Testing the Configuration
Introducing the user interface
Testing the device
Testing connectivity
Testing mail traffic
Testing virus detection
Testing spam detection
Exploring the blade server
Demonstrating failover and workload management
Testing management features on the blade server
Blade server status information
Generating reports
Using policies to manage message scanning
Creating an anti-virus scanning policy
Creating an anti-spam scanning policy
Creating an email compliance policy
Creating a content filtering policy
About Virtual host management
Troubleshooting
System configuration
Transparent Web Authentication
Anti-spam
Anti-virus automatic updating
Delivery
Directory Harvest Prevention does not work
Email attachments
ICAP
Mail issues
POP3
General issues
System maintenance
Getting more help — the user information bar
Introducing McAfee Content Security Blade Server
This guide provides the necessary information for installing the McAfee® Content Security Blade
Server version 5.5 supplied with the M3 blade server chassis. It provides steps and verification
of the installation process.
NOTE: The terms chassis and enclosure are used interchangeably throughout the documentation
set.
This guide demonstrates how to configure Content Security Blade Server 5.5. When you have
completed it, you will have a fully functional blade server.
Contents
How to use this guide
Definition of terms used in this guide
Graphical conventions
Documentation
Available resources
How to use this guide
This guide helps you to:
• Plan and perform your installation.
• Become familiar with the interface.
• Test that the product functions correctly.
• Apply the latest detection definition files.
• Explore some scanning policies, create reports, and get status information.
• Troubleshoot basic issues.
You can find additional information about the product's scanning features in the online help.
Who should read this guide
The information in this guide is intended primarily for network administrators who are responsible
for their company's anti-virus and security program.
Definition of terms used in this guide
This information defines some key terms used in this guide.
• demilitarized zone (DMZ): A computer host or small network inserted as a buffer between a private network and the outside public network to prevent direct access from outside users to resources on the private network.
• DAT files: Detection definition (DAT) files, also called signature files, containing the definitions that identify, detect, and repair viruses, Trojan horses, spyware, adware, and other potentially unwanted programs (PUPs).
• operational mode: Three operating modes for the product: explicit proxy mode, transparent bridge mode, and transparent router mode.
• policy: A collection of security criteria, such as configuration settings, benchmarks, and network access specifications, that defines the level of compliance required for users, devices, and systems that can be assessed or enforced by a McAfee security application.
• Reputation Service check: Part of sender authentication. If a sender fails the Reputation Service check, the appliance is set to close the connection and deny the message. The sender's IP address is added to a list of blocked connections and is automatically blocked in future at the kernel level.
Graphical conventions
Figures in this guide use the following symbols.
• Internet
• Blade Server (M3 chassis)
• Mail server
• Other server (such as DNS server)
• User or client computer
• Router
• Switch
• Firewall
• Network zone (DMZ or VLAN)
• Network
• Actual data path
• Perceived data path
Documentation
This Installation Guide is included with your product. Additional information is available in the
online help included with the product, and other documentation available from the
http://mysupport.mcafee.com website.
Available resources
This information describes where to get more information and assistance.
• McAfee products: McAfee KnowledgeBase. Go to https://mysupport.mcafee.com/eservice/Default.aspx and click Search the KnowledgeBase. From the Product list, select Email and Web Security Appliance Software.
• Product Guide: McAfee download site. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring. You will need your Grant ID number.
• Online help: Product interface. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring.
Introducing the blade servers
The McAfee® Content Security Blade Server version 5.5 scans web and email traffic for viruses,
spam, and many other threats to your network.
The blade servers are the highest capacity models within the McAfee Email and Web Security
product range.
The blade server:
• Scans and processes your SMTP and POP3 messaging traffic (Email Security software).
• Scans and processes your HTTP, ICAP, and FTP traffic (Web Security software).
• Runs eight times faster than a standalone Secure Messaging Gateway appliance.
• Reduces the cost of storing and running standalone appliances in your datacenter.
• Is scalable. You can add more content scanning blades to increase the scanning throughput
without compromising performance.
• Is easy to manage and administer. It balances the scanning workload and updates the
detection definition (DAT) files across the blades.
• With this release, you can install McAfee Web Gateway 6.8.5 (formerly WebWasher) software
onto some or all of your content scanning blades.
NOTE: The blade server has built-in workload management. If you already use a load balancer
in your network, you can leave it there when you install the blade server, even though it is no
longer required to balance the scanning workload.
Contents
Key advantages of the blade servers
Types of blade
Key advantages of the blade servers
Email threat protection
• Award-winning email threat protection
• Detect and block spam, phishing, spyware, and viruses from your email systems
Web threat protection
• Detect and block phishing sites, spyware, potentially unwanted programs and viruses from
being downloaded onto your network
• You can use the web scanning features included within the Content Security Blade Server
software, or you can install the McAfee Web Gateway 6.8.5 (formerly WebWasher) software
onto some or all of your content scanning blades.
• Award-winning McAfee SiteAdvisor protects users against visiting unsuitable sites
Content filtering
• Comply with email privacy regulations such as the Health Insurance Portability and
Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the European Union (EU) Directive,
and others
Cost savings
• Reduce product acquisition, license, and support fees
• Reduce data center costs for cooling, space, and power
• Reduce long-term capital costs
Highest throughput, scalability, and reliability
• Increase capacity as needed, with no downtime, using hot-swappable blades
• Redundant power supplies and automatic failover
Proven anti-spam technology
• Detect and block more than 98 percent of spam, including the latest image, PDF, and MP3
spam attacks, with no critical false positives (as measured by third-party tests)
• Streaming updates every two to three minutes quickly shut down new forms of spam
• Anti-spam effectiveness is achieved through a combination of technologies including:
  • McAfee® IP reputation filtering
  • Domain-name reputation scoring
  • Heuristic detection
  • Content filtering
  • Sender authentication based on the Sender Policy Framework (SPF) and DomainKeys
    Identified Mail (DKIM) standards
  • Greylisting, which tracks and allows mail from known legitimate senders to pass while
    temporarily rejecting unknown senders
Types of blade
This section describes the different types of blade that come with the blade server:
• Management blade.
• Failover Management blade.
• Content scanning blades.
Management blade
The Management blade manages the network traffic, and passes off the traffic to the content
scanning blades using its internal workload management. The Management blade is not used
to scan files. The Management blade:
• Provides the initial software installation for the content scanning blades.
• Manages all updates for the other blades.
• Aggregates all events, quarantined email, and deferred email.
Either the Management blade or the Failover Management blade is active at any one time. They
cannot be active at the same time.
The Management blade and content scanning blades work together as a single system when
you:
• Make configuration changes using a web-based interface.
• Update the DAT files.
• View status information.
The Management blade also ensures that:
• The whole system does not experience downtime during updates.
• Updates do not happen if a previous update failed.
• Relevant alerts (SNMP, for example) are generated when a blade is added, removed, or
fails.
The Management blade can interact with the chassis to:
• Shut down, reboot, or disable a content scanning blade.
• Interact with McAfee Quarantine Manager. The Quarantine Manager application ensures
that your network has a centralized quarantine resource.
Failover Management blade
The Failover Management blade is identical to the Management blade. It takes over the
management functions should the Management blade fail. To do so, it uses:
• Spanning Tree Protocol (STP) for transparent bridge mode.
• Virtual Router Redundancy Protocol (VRRP) for transparent router and explicit proxy modes.
The Failover Management blade is not used to scan files. When configured, it remains dormant
until it is needed.
Content scanning blades
At least one content scanning blade is supplied with the blade server.
When you first install a content scanning blade, the Management blade automatically installs
the scanning software image on the new blade. The scanning software image installed depends
on the options you select during the configuration of your blade server.
You can choose to install the scanning features included within the Content Security Blade
Server software, or you can install the McAfee Web Gateway 6.8.5 (formerly WebWasher)
software onto some or all of your content scanning blades. You can install:
• Email and Web Security software — this installs on all content scanning blades, and each
blade scans both email and web traffic.
• Email Security software — you can select the content scanning blades to install the Email
Security software.
• Web Security software — you can select the content scanning blades to install the Web
Security software.
• McAfee Web Gateway software — you can select the content scanning blades to install the
McAfee Web Gateway (formerly WebWasher) software.
NOTE: If you select and install McAfee Web Gateway software, you cannot install either the
Email and Web Security software, or the Web Security Software on the same chassis. You must
also install your blade server in Explicit Proxy mode if you are planning on using McAfee Web
Gateway software.
Each content scanning blade starts scanning immediately after software is installed.
A content scanning blade is used only to scan your traffic. It is not a Management blade. The
content scanning blade:
• Receives the DAT files and software patches from the Management blade.
• Sends information about all scanning and detection events to the Management blade.
• Sends information about all quarantined and deferred email messages and files to the
Management blade.
Pre-installation
To ensure the safe operation of the product, consider the following before you begin the
installation.
• Understand the power requirements for your blade server and your power supply system.
• Familiarize yourself with its operational modes and capabilities. It is important that you
choose a valid configuration.
• Decide how to integrate the blade server into your network and determine what information
you need before you start. For example, the name and IP address for the blade server.
• Unpack the product as close to its intended location as possible.
• Remove the product from any protective packaging and place it on a flat surface.
• Observe all provided safety warnings.
CAUTION: Review and be familiar with all provided safety information.
Contents
Where to place the blade server
Considerations about Network Modes
Planning Your Installation
What’s in the box
To check that all components are present, refer to the packing list supplied with your product.
Generally, you should have:
• A Blade Server chassis/enclosure
• A Management blade
• A Failover Management blade
• One or more Scanning blades
• Power cords
• Network cables
• Email and Web Security v5.5 installation and recovery CD
• Linux source code CD
• McAfee Quarantine Manager v6.0 CD
• Documentation CD
If an item is missing or damaged, contact your supplier.
Plan the installation
Before unpacking your blade server, it is important to plan the installation and deployment.
Information to help you is contained in: HP BladeSystem c-Class Site Planning Guide.
Consider the following:
• General guidelines to prepare your site
  Overviews of general site requirements to prepare your computer room facility for the blade
  server hardware.
• Environmental requirements
  Information on environmental site requirements, including temperature, airflow, and space
  requirements.
• Power requirements and considerations
  Power requirements and electrical factors that must be considered before installation.
  Includes Power Distribution Unit (PDU) installation.
• Hardware specifications and requirements
  System specifications for the blade server enclosure, racks, and single-phase and three-phase
  power sources.
• Configuration scenarios
• Preparing for installation.
Inappropriate use
The product is:
• Not a firewall. — You must use it within your organization behind a correctly configured
firewall.
• Not a server for storing extra software and files. — Do not install any software on
the device or add any extra files to it unless instructed by the product documentation or
your support representative. The device cannot handle all types of traffic. If you use explicit
proxy mode, only protocols that are to be scanned should be sent to the device.
Where to place the blade server
Install the blade server so that you can control physical access to the unit and access the ports
and connections.
A rack-mounting kit is supplied with the blade server M3 chassis, allowing you to install the
blade server in a 19-inch rack. See the HP BladeSystem c3000 Enclosure Quick Setup Instructions.
Considerations about Network Modes
Before you install and configure your Content Security Blade Server, you must decide which
network mode to use. The mode you choose determines how you physically connect your blade
server to your network.
You can choose from the following network modes.
• Transparent bridge mode — the device acts as an Ethernet bridge.
• Transparent router mode — the device acts as a router.
• Explicit proxy mode — the device acts as a proxy server and a mail relay.
If you are still unsure about the mode to use after reading this and the following sections,
consult your network expert.
CAUTION: If you plan on deploying one or more scanning blades running McAfee Web Gateway
(formerly WebWasher) software, you must configure your blade server in Explicit Proxy mode.
Architectural considerations about network modes
The main considerations regarding the network modes are:
• Whether communicating devices are aware of the existence of the device. That is, if the
device is operating in one of the transparent modes.
• How the device physically connects to your network.
• The configuration needed to incorporate the device into your network.
• Where the configuration takes place in the network.
Considerations before changing network modes
In explicit proxy and transparent router modes, you can set up the device to sit on more than
one network by setting up multiple IP addresses for the LAN1 and LAN2 ports.
If you change to transparent bridge mode from explicit proxy or transparent router mode, only
the enabled IP addresses for each port are carried over.
TIP: After you select an operational mode, McAfee recommends not changing it unless you
move the device or restructure your network.
Contents
Transparent bridge mode
In transparent bridge mode, the communicating servers are unaware of the device — the
device’s operation is transparent to the servers.
Figure 1: Transparent communication
In Figure 1: Transparent communication, the external mail server (A) sends email messages
to the internal mail server (C). The external mail server is unaware that the email message is
intercepted and scanned by the device (B).
The external mail server seems to communicate directly with the internal mail server — the
path is shown as a dotted line. In reality, traffic might pass through several network devices
and be intercepted and scanned by the device before reaching the internal mail server.
What the device does
In transparent bridge mode, the device connects to your network using the LAN1 and LAN2
ports. The device scans the traffic it receives, and acts as a bridge connecting two separate
physical networks, but treats them as a single logical network.
Configuration
Transparent bridge mode requires less configuration than transparent router and explicit proxy
modes. You do not need to reconfigure all your clients, default gateway, MX records, Firewall
NAT or mail servers to send traffic to the device. Because the device is not a router in this
mode, you do not need to update a routing table.
Where to place the device
For security reasons, you must use the device inside your organization, behind a firewall.
Figure 2: Single logical network
TIP: In transparent bridge mode, position the device between the firewall and your router, as
shown in Figure 2: Single logical network.
In this mode, you physically connect two network segments to the device, and the device treats
them as one logical network. Because the devices — firewall, device, and router — are on the
same logical network, they must all have compatible IP addresses on the same subnet.
Devices on one side of the bridge (such as a router) that communicate with devices on the
other side of the bridge (such as a firewall) are unaware of the bridge. They are unaware that
traffic is intercepted and scanned, therefore the device is said to operate as a transparent
bridge.
Figure 3: Transparent bridge mode
Spanning Tree Protocol for managing bridge priority
Should a blade fail, the Spanning Tree Protocol (STP) directs network traffic to the blade with
the next higher bridge priority.
In transparent bridge mode, the Management blade and the Failover Management blade have
different IP addresses.
In transparent router and explicit proxy modes, the two blades again have different IP addresses,
but are then configured with the same virtual IP address or addresses.
Normally, email traffic is handled by the Management blade. If that blade fails, email traffic is
handled by the Failover Management blade.
Each blade has a different bridge priority. Because the Management blade has the higher priority
(for example, an STP value of 100; in STP, a lower value means a higher priority), the Management
blade normally scans the network traffic.
If the Management blade fails, the STP directs network traffic through a path with the
next-highest bridge priority, namely the Failover Management blade (for example, with an STP
value of 200).
The blade which has a port blocked by STP will go into redundant mode.
Transparent router mode
In transparent router mode, the device scans email traffic between two networks. The device
has one IP address for outgoing scanned traffic, and must have one IP address for incoming
traffic.
The communicating network servers are unaware of the intervention of the device — the device’s
operation is transparent to the devices.
What the device does
In transparent router mode, the device connects to your networks using the LAN1 and LAN2
ports. The device scans the traffic it receives on one network, and forwards it to the next
network device on a different network. The device acts as a router, routing the traffic between
networks, based on the information held in its routing tables.
Configuration
Using transparent router mode, you do not need to explicitly reconfigure your network devices
to send traffic to the device. You need only configure the routing table for the device, and
modify some routing information for the network devices on either side of it (the devices
connected to its LAN1 and LAN2 ports). For example, you might need to make the device your
default gateway.
In transparent router mode, the device must join two networks. The device must be positioned
inside your organization, behind a firewall.
NOTE: Transparent router mode does not support Multicast IP traffic or non-IP protocols, such
as NETBEUI and IPX.
Firewall rules
In transparent router mode, the firewall connects to the physical IP address for the LAN1/LAN2
connection to the Management blade.
Where to place the device
Use the device in transparent router mode to replace an existing router on your network.
TIP: If you use transparent router mode and you do not replace an existing router, you must
reconfigure part of your network to route traffic correctly through the device.
Figure 4: Transparent router mode configuration
You need to:
• Configure your client devices to point to the default gateway.
• Configure the device to use the Internet gateway as its default gateway.
• Ensure your client devices can deliver email messages to the mail servers within your
organization.
Explicit proxy mode
In explicit proxy mode, some network devices must be set up explicitly to send traffic to the
device. The device then works as a proxy or relay, processing traffic on behalf of the devices.
Explicit proxy mode is best suited to networks where client devices connect to the device through
a single upstream and downstream device.
TIP: This might not be the best option if several network devices must be reconfigured to send
traffic to the device.
Network and device configuration
If the device is set to explicit proxy mode, you must explicitly configure your internal mail server
to relay email traffic to the device. The device scans the email traffic before forwarding it, on
behalf of the sender, to the external mail server. The external mail server then forwards the
email message to the recipient.
In a similar way, the network must be configured so that incoming email messages from the
Internet are delivered to the device, not the internal mail server.
Figure 5: Relaying email traffic
The device scans the traffic before forwarding it, on behalf of the sender, to the internal mail
server for delivery, as shown in Figure 5: Relaying email traffic.
For example, an external mail server can communicate directly with the device, although traffic
might pass through several network servers before reaching the device. The perceived path is
from the external mail server to the device.
Protocols
To scan a supported protocol, you must configure your other network servers or client computers
to route that protocol through the device, so that no traffic bypasses the device.
Firewall rules
Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The
firewall sees only the IP address information for the device, not the IP addresses of the clients,
so the firewall cannot apply its Internet access rules to the clients.
Where to place the device
Configure the network devices so that traffic needing to be scanned is sent to the device. This
is more important than the location of the device.
The router must allow all users to connect to the device.
Figure 6: Explicit proxy configuration
The device must be positioned inside your organization, behind a firewall, as shown in Figure
6: Explicit proxy configuration.
Typically, the firewall is configured to block traffic that does not come directly from the device.
If you are unsure about your network’s topology and how to integrate the device, consult your
network expert.
Use this configuration if:
• The device is operating in explicit proxy mode.
• You are using email (SMTP).
For this configuration, you must:
• Configure the external Domain Name System (DNS) servers or Network Address Translation
(NAT) on the firewall so that the external mail server delivers mail to the device, not to the
internal mail server.
• Configure the internal mail servers to send email messages to the device. That is, the internal
mail servers must use the device as a smart host. Ensure that your client devices can deliver
email messages to the mail servers within your organization.
• Ensure that your firewall rules are updated. The firewall must accept traffic from the device,
but must not accept traffic that comes directly from the client devices. Set up rules to prevent
unwanted traffic entering your organization.
Deployment Strategies for Using the device in a DMZ
A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including
the Internet and other internal networks. The typical goal behind the implementation of a DMZ
is to lock down access to servers that provide services to the Internet, such as email.
Hackers often gain access to networks by identifying the TCP/UDP ports on which applications
are listening for requests, then exploiting known vulnerabilities in applications. Firewalls
dramatically reduce the risk of such exploits by controlling access to specific ports on specific
servers.
The device can be added easily to a DMZ configuration. The way you use the device in a DMZ
depends on the protocols you intend to scan.
Contents
SMTP configuration in a DMZ
Workload management
In-built redundancy
SMTP configuration in a DMZ
The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall
for the second time (on its way from the DMZ to the internal network), it has been encrypted.
Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode.
Configuration changes need only be made to the MX records for the mail servers.
NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if
you do not control the flow of traffic correctly, the device scans every message twice, once in
each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.
Mail relay
Figure 7: Device in explicit proxy configuration in a DMZ
If you have a mail relay already set up in your DMZ, you can replace the relay with the device.
To use your existing firewall policies, give the device the same IP address as the mail relay.
Mail gateway
SMTP does not provide methods to encrypt mail messages — you can use Transport Layer
Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do
not allow such traffic on their internal network. To overcome this, they often use a proprietary
mail gateway, such as Lotus Notes® or Microsoft® Exchange, to encrypt the mail traffic before
it reaches the internal network.
To implement a DMZ configuration using a proprietary mail gateway, add the scanning device
to the DMZ on the SMTP side of the gateway.
Figure 8: Protecting a mail gateway in DMZ
In this situation, configure:
• The public MX records to instruct external mail servers to send all inbound mail to the device
(instead of the gateway).
• The device to forward all inbound mail to the mail gateway, and deliver all outbound mail
using DNS or an external relay.
• The mail gateway to forward all inbound mail to the internal mail servers and all other
(outbound) mail to the device.
• The firewall to allow inbound mail that is destined for the device only.
NOTE: Firewalls configured to use Network Address Translation (NAT), and that redirect inbound
mail to internal mail servers, do not need their public MX records reconfigured. This is because
they are directing traffic to the firewall rather than the mail gateway itself. In this case, the
firewall must instead be reconfigured to direct inbound mail requests to the device.
Firewall rules specific to Lotus Notes
By default, Lotus Notes servers communicate over TCP port 1352. The firewall rules typically
used to secure Notes servers in a DMZ allow the following through the firewall:
• Inbound SMTP requests (TCP port 25) originating from the Internet and destined for the
device.
• TCP port 1352 requests originating from the Notes gateway and destined for an internal
Notes server.
• TCP port 1352 requests originating from an internal Notes server and destined for the Notes
gateway.
• SMTP requests originating from the device and destined for the Internet.
All other SMTP and TCP port 1352 requests are denied.
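The four allow rules and the closing deny, written as a first-match rule table and checked against a list of flows. This is an added example, not part of the McAfee guide: the IP addresses, the `Rule`, `decide` and `audit` names, and the loosened comparison policy are assumptions made for illustration.

```python
"""First-match model of the Notes DMZ firewall rules, with a flow audit."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed addressing plan (assumptions, not taken from the guide).
DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")
DEVICE = ip_address("192.0.2.10")         # scanning device, in the DMZ
NOTES_GATEWAY = ip_address("192.0.2.20")  # Notes gateway, in the DMZ
NOTES_SERVER = ip_address("10.0.0.5")     # internal Notes server
CLIENT = "10.0.0.77"                      # ordinary internal workstation
REMOTE_MTA = "198.51.100.7"               # external mail server
SMTP, NOTES = 25, 1352


def internet(addr):
    """True for any address outside both the DMZ and the internal network."""
    return addr not in DMZ_NET and addr not in INTERNAL_NET


def host(wanted):
    """Predicate matching exactly one address."""
    return lambda addr: addr == wanted


def in_net(net):
    """Predicate matching every address in a network."""
    return lambda addr: addr in net


@dataclass(frozen=True)
class Rule:
    name: str
    src: Callable  # predicate over the source address
    dst: Callable  # predicate over the destination address
    port: int      # destination TCP port


# The four allow rules listed in the guide; everything else on 25/1352 is denied.
GUIDE_POLICY = [
    Rule("Internet -> device, SMTP", internet, host(DEVICE), SMTP),
    Rule("Notes gateway -> internal Notes server",
         host(NOTES_GATEWAY), host(NOTES_SERVER), NOTES),
    Rule("internal Notes server -> Notes gateway",
         host(NOTES_SERVER), host(NOTES_GATEWAY), NOTES),
    Rule("device -> Internet, SMTP", host(DEVICE), internet, SMTP),
]

# Loosened variant for comparison: inbound SMTP allowed to the whole DMZ.
LOOSE_POLICY = [
    Rule("Internet -> any DMZ host, SMTP", internet, in_net(DMZ_NET), SMTP),
] + GUIDE_POLICY[1:]


def decide(policy, src, dst, port):
    """Return 'allow', 'deny' or 'not covered' for a flow crossing the firewall."""
    if port not in (SMTP, NOTES):
        return "not covered"  # the guide's rules speak only about ports 25 and 1352
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.port == port and rule.src(s) and rule.dst(d):
            return "allow"
    return "deny"


# Constructed flows and the outcome the guide's rules imply for each.
# Device <-> gateway traffic stays inside the DMZ and never crosses the firewall.
EXPECTED = [
    ("external MTA -> device, SMTP", REMOTE_MTA, str(DEVICE), SMTP, "allow"),
    ("external MTA -> Notes gateway, SMTP", REMOTE_MTA, str(NOTES_GATEWAY), SMTP, "deny"),
    ("external MTA -> internal Notes server, SMTP", REMOTE_MTA, str(NOTES_SERVER), SMTP, "deny"),
    ("external MTA -> internal Notes server, 1352", REMOTE_MTA, str(NOTES_SERVER), NOTES, "deny"),
    ("device -> external MTA, SMTP", str(DEVICE), REMOTE_MTA, SMTP, "allow"),
    ("Notes gateway -> external MTA, SMTP", str(NOTES_GATEWAY), REMOTE_MTA, SMTP, "deny"),
    ("client -> external MTA, SMTP", CLIENT, REMOTE_MTA, SMTP, "deny"),
    ("Notes gateway -> internal Notes server, 1352",
     str(NOTES_GATEWAY), str(NOTES_SERVER), NOTES, "allow"),
    ("internal Notes server -> Notes gateway, 1352",
     str(NOTES_SERVER), str(NOTES_GATEWAY), NOTES, "allow"),
    ("client -> Notes gateway, 1352", CLIENT, str(NOTES_GATEWAY), NOTES, "deny"),
]


def audit(policy):
    """Names of the flows whose outcome under `policy` differs from EXPECTED."""
    return [name for name, src, dst, port, want in EXPECTED
            if decide(policy, src, dst, port) != want]


if __name__ == "__main__":
    print("guide policy mismatches:", audit(GUIDE_POLICY))
    print("loose policy mismatches:", audit(LOOSE_POLICY))
```

The loosened policy fails the audit on one flow: inbound SMTP that reaches the Notes gateway directly and so is never scanned by the device.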
Firewall rules specific to Microsoft Exchange
A Microsoft Exchange-based mail system requires a significant workaround.
When Exchange servers communicate with each other, they send their initial packets using the
RPC protocol (TCP port 135). However, once the initial communication is established, two ports
are chosen dynamically and used to send all subsequent packets for the remainder of the
communication. You cannot configure a firewall to recognize these dynamically-chosen ports.
Therefore, the firewall does not pass the packets.
The workaround is to modify the registry on each of the Exchange servers communicating
across the firewall to always use the same two “dynamic” ports, then open TCP 135 and these
two ports on the firewall.
We mention this workaround to provide a comprehensive explanation, but we do not recommend
it. The RPC protocol is widespread on Microsoft networks — opening TCP 135 inbound is a red
flag to most security professionals.
If you intend to use this workaround, details can be found in the following Knowledge Base
articles on the Microsoft website:
• Q155831
• Q176466
Workload management
The blade server includes its own internal workload management, distributing the scanning
load evenly between all scanning blades installed within the enclosure.
You do not need to deploy an external load balancer.
In-built redundancy
With the Content Security Blade Server, if any content scanning blade fails, the workload
management features distribute work among the remaining content scanning blades.
Should the Management blade fail, the Failover Management blade continues to handle workload
management, ensuring highly reliable scanning.
In addition, the blade server includes redundancy within the chassis, by having multiple power
supplies and cooling fans. If a power supply or fan fails, the blade server keeps running, and
the failed component can be replaced without powering down the blade server.
Planning Your Installation
The configuration of your existing network often dictates how the device should be inserted
into your network.
Before deploying the device, analyze your network topology diagrams and familiarize yourself
with your existing network.
To get the best possible performance from your new device, it is essential that you monitor the
traffic flow in your existing network carefully, and analyze how integrating your device will
change that flow.
Before installing the enclosure
Before installing the enclosure, determine the following:
• Power and air conditioning.
• Network mode.
• Network addresses.
• Onboard Administrator.
• Lights-out management.
• Failover requirements.
Power and air conditioning
To determine power and air conditioning requirements for the enclosure with the expected
number of blades, see:
• HP BladeSystem cClass Solution Overview
• HP BladeSystem c3000 Enclosure Setup and Installation Guide
• HP BladeSystem Power Sizer Tool
Network mode
You need to decide which network mode to use for the installation:
• Transparent router mode.
• Transparent bridge mode.
• Explicit proxy mode.
Network addresses
You need to determine the IP subnet and DHCP address range for the blade server.
Onboard Administrator
When setting up the Onboard Administrator:
• Configure the Onboard Administrator using the chassis display.
• Log in to the Onboard Administrator interface via HTTP.
• Run the Onboard Administrator setup wizard.
See HP BladeSystem c3000 Enclosure Setup and Installation Guide.
Lights-out management
You need to determine:
• Onboard Administrator IP address.
• Lights-out management IP addresses.
• Network infrastructure for lights-out management.
Failover requirements
Failover requirements depend on the mode used to configure the blade server.
• Transparent bridge mode
The Bridge Priority (STP setting) determines which is the Management blade and which is
the Failover Management blade. The blade with the lower Bridge Priority value becomes the
Management blade. You must determine what Bridge Priority to use for the two blades, based
on your environment.
• Transparent router and explicit proxy modes
The blade server uses Virtual Router Redundancy Protocol (VRRP) to configure the
Management blade and Failover Management blade. The Management blade and Failover
Management blade each have a distinct IP address, but external devices connect to the
blade server using a virtual IP address. In this way, external devices can connect to the
blade server (using the same virtual IP address), no matter which physical blade is active.
You must:
• Determine the virtual IP address for the external devices.
• Determine the IP addresses for the Management blade and the Failover Management
blade.
• Specify which blade is to be the Management blade.
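A planning-stage check of an address plan against the mode-specific requirements in this guide. This is an added example, not McAfee code: the plan layout, the `check_plan` name and all addresses are assumptions, as is the rule that a virtual IP must fall inside a subnet both blades are attached to; the requirement that LAN1 and LAN2 be on different subnets comes from the guide's transparent router cabling instructions.

```python
"""Check a planned blade-server deployment against the guide's network-mode rules."""
from ipaddress import ip_interface

MODES = {"transparent_bridge", "transparent_router", "explicit_proxy"}


def check_plan(plan):
    """Return a list of problems in the plan; an empty list means it is consistent."""
    mode = plan["mode"]
    if mode not in MODES:
        return [f"unknown network mode {mode!r}"]
    problems = []

    # Scanning blades running McAfee Web Gateway need explicit proxy mode.
    if plan.get("web_gateway") and mode != "explicit_proxy":
        problems.append("McAfee Web Gateway blades require explicit proxy mode")

    # Each blade lists its interface addresses in LAN1, LAN2 order.
    mgmt = [ip_interface(a) for a in plan["management"]]
    failover = [ip_interface(a) for a in plan["failover"]]
    if {i.ip for i in mgmt} & {i.ip for i in failover}:
        problems.append("Management and Failover Management blades share an IP address")

    if mode == "transparent_bridge":
        # Firewall, device and router form one logical network.
        subnet = mgmt[0].network
        peers = {
            "failover blade": failover[0],
            "firewall": ip_interface(plan["firewall"]),
            "router": ip_interface(plan["router"]),
        }
        for name, peer in peers.items():
            if peer.network != subnet:
                problems.append(f"{name} {peer} is outside the bridge subnet {subnet}")
        # Bridge Priority decides which blade is the Management blade.
        prio = plan.get("bridge_priority", {})
        if "management" not in prio or "failover" not in prio:
            problems.append("bridge priority not chosen for both blades")
        elif prio["management"] >= prio["failover"]:
            problems.append("Management blade needs the lower bridge priority value")
        return problems

    # Transparent router and explicit proxy modes: VRRP with a shared virtual IP.
    vips = [ip_interface(v) for v in plan.get("virtual_ips", [])]
    if not vips:
        problems.append("no virtual IP address planned for external devices")
    for vip in vips:
        # Assumption: a virtual IP must sit in a subnet that both blades are on.
        for blade, ifaces in (("Management", mgmt), ("Failover Management", failover)):
            if not any(vip.ip in i.network for i in ifaces):
                problems.append(f"virtual IP {vip.ip} is on no {blade} blade subnet")

    if mode == "transparent_router":
        if len(mgmt) < 2:
            problems.append("transparent router mode needs LAN1 and LAN2 addresses")
        elif mgmt[0].network.overlaps(mgmt[1].network):
            problems.append("LAN1 and LAN2 must be on different IP subnets")
    return problems


# Constructed sample plans (documentation address ranges, not from the guide).
BRIDGE_OK = {
    "mode": "transparent_bridge",
    "management": ["192.0.2.11/24"],
    "failover": ["192.0.2.12/24"],
    "firewall": "192.0.2.1/24",
    "router": "192.0.2.254/24",
    "bridge_priority": {"management": 100, "failover": 200},
}
BRIDGE_BAD = dict(BRIDGE_OK, router="198.51.100.1/24",
                  bridge_priority={"management": 200, "failover": 100})
ROUTER_OK = {
    "mode": "transparent_router",
    "management": ["192.0.2.11/24", "198.51.100.11/24"],
    "failover": ["192.0.2.12/24", "198.51.100.12/24"],
    "virtual_ips": ["192.0.2.10", "198.51.100.10"],
}
ROUTER_BAD = {
    "mode": "transparent_router",
    "management": ["192.0.2.11/24", "192.0.2.21/24"],
    "failover": ["192.0.2.12/24", "192.0.2.22/24"],
}

if __name__ == "__main__":
    for label, plan in [("bridge ok", BRIDGE_OK), ("bridge bad", BRIDGE_BAD),
                        ("router ok", ROUTER_OK), ("router bad", ROUTER_BAD)]:
        print(label, check_plan(plan))
```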
Installation process overview
Install the blade server in the following order. A summary of these steps, and the location of
the instructions you need to follow, are provided in Installation quick reference table.
1 Unpack the pallet and check the contents against the parts lists in the box.
2 Rack-mount the enclosure. This includes the physical installation, and setting the integrated
Lights-out (iLO) software for the enclosure.
3 Insert the Management blade (transparent router or explicit proxy mode) or the Failover
Management blade (transparent bridge mode).
4 Connect the peripherals (monitor, keyboard) to the KVM module located at the rear of the
chassis.
5 Connect the power sources to the enclosure.
6 Use the KVM to mount the internal CD/DVD drive to the required Management blade. Install
the software on the Management blade. See Installing the software.
7 Use the Configuration Console for basic configuration, such as server name, IP addresses,
and gateway.
8 Connect to the administration interface.
9 Run the Setup Wizard, remembering to switch on load balancing.
10 Repeat steps 3 to 9 for the remaining Management blade, remembering to switch on load
balancing.
11 Connect the blade server to the network, noting deployment scenarios and intended network
mode.
12 Insert each content scanning blade in turn, and PXE boot from the Management blade.
This process takes approximately 10 minutes per blade.
New blades default to a PXE boot for a first-time installation. Subsequent reinstallations
are performed using lights-out management.
NOTE: It is possible to install several content scanning blades at a time, but installing too
many content scanning blades concurrently may slow the installation process. McAfee
recommends only installing 4 or 5 content scanning blades at a time.
13 Route the test network traffic through the blade server.
14 Test that the network traffic is being scanned.
15 Configure policies and reporting.
16 Route production traffic through the system.
Setting up lights-out management
Use this task to set up lights-out management for remote hardware administration of the blade
server.
For details about setting up and using lights-out management, see the HP Integrated Lights-Out
2 User Guide.
Task
1 Using the Onboard Administrator, assign IP addresses to the integrated Lights-Out (iLO)
interface of each blade.
2 Log on to the HP management system.
3 Assign an IP address for the blade server.
After installation
After you have installed the device, make sure that your configuration is working correctly. See
Testing the device.
Connecting and Configuring the blade server
McAfee recommends that you consider installing the blade server in the following order:

| This step ... | is described here ... |
|---|---|
| 1. Unpack the pallet and check the contents against the parts lists in the box. | http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01167165/c01167165.pdf |
| 2. Rack-mount the enclosure and install the blades. This includes setting up iLO for each blade. | http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01167165/c01167165.pdf |
| 3. Connect the peripherals and power. | http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01167165/c01167165.pdf http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00209014/c00209014.pdf |
| 4. Connect the blade server to the network. | Connect to the network |
| 5. Install the software on the management blades. | Installing the software |
| 6. Perform basic configuration. | |
| 7. Connect to the administration interface. | |
| 8. Install each content scanning blade in turn, and PXE boot from the Management blade. | Installing the software on a content scanning blade |
| 9. Route the test network traffic through the blade server. | Testing the device |
| 10. Test that the network traffic is being scanned. | Testing the device |
| 11. Configure policies and reporting. | |
| 12. Configure production traffic through the system. | |

CAUTION: Connecting the blade server to your network can disrupt Internet access or other
network services. Ensure that you have arranged network down-time for this, and that you
schedule this during periods of low network usage.
Contents
Physically installing the blade server
Connect to the network
Supplying power to the blade server
Physically installing the blade server
Use this task to physically install the blade server.
Task
1 Remove the blade server from the protective packaging and place it on a flat surface.
2 If you are going to install the blade server in a 19-inch rack, perform the steps in the
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01167165/c01167165.pdf.
3 Connect a monitor and keyboard to the blade server.
4 Connect power leads to the monitor and the blade server, but do not connect to the power
supplies yet.
Connect to the network
This section describes how to connect the blade server to your network.
The switches and cables that you use to connect the blade server to your network depend on
how you are going to use the blade server. For information about network modes, see
Considerations about Network Modes.
Installing the switches
Before making any connections, you must install and configure the Ethernet switches.
The switches are installed at the rear of the chassis. The LAN 1 switch fits into the top left
switch bay, and the LAN 2 switch fits into the top right switch bay.
Make sure of the following:
• If you are installing your blade server in transparent bridge mode, ensure the Spanning Tree
Protocol (STP) state is OFF for Spanning Tree Group 1 (by default, all ports are members of
STP Group 1).
• Configure the Access Control Lists (ACLs) on the switches to isolate the content scanning
blades from receiving external DHCP addresses.
• Configure the ACLs so that the blade heartbeat packets are kept within the blade server.
• If VLAN-tagged traffic is to pass through the blade server, configure the switches to allow
this traffic to pass.
Information about how to do this is provided in the documentation listed below:
• http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00865002/c00865002.pdf
• http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00865010/c00865010.pdf
Port numbers
When you connect the blade server to your network, use the following port numbers:
• For HTTPS, use Port 443.
• For HTTP, use Port 80.
• For SMTP, use Port 25.
• For POP3, use port 110.
• For FTP, use Port 21.
Using Copper LAN connections
Using the LAN1 and LAN2 switch connections and the supplied network cables (or equivalent
Cat 5e or Cat 6 Ethernet cables), connect the blade server to your network according to the
network mode you have chosen.
Transparent bridge mode
Use the copper LAN cables (supplied) to connect the blade server’s LAN1 and LAN2 switches
to your network so that the blade server is inserted into the data stream.
Transparent router mode
The blade server functions as a router. The LAN segments connected to its two network interfaces
must therefore be on different IP subnets. It must replace an existing router, or a new subnet
must be created on one side of the blade server. Do this by changing the IP address or the
netmask used by the computers on that side.
Explicit proxy mode
Use a copper LAN cable (supplied) to connect the LAN1 or LAN2 switch to your network. The
cable is a straight-through (uncrossed) cable, and connects the blade server to a normal
uncrossed RJ-45 network switch.
In explicit proxy mode, the unused switch connection can be used as a dedicated management
port. To manage the blade server locally, use a crossover Cat 5e Ethernet cable to connect the
blade server to your local computer’s network card.
Using Fiber LAN connections
Before making any connections, you must install the fiber-optic SFP transceivers. To do this,
see the
http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00865010/c00865010.pdf.
NOTE: Only use the fiber-optic SFP transceivers supplied by HP or McAfee. Using SFP transceivers
from other vendors is likely to prevent access to the blade server.
Use the fiber cables to connect the LAN1 and LAN2 switches to your network. The switches and
cables that you use depend on how you are going to use the blade server.
Transparent bridge mode
Use the fiber cables to connect the LAN1 and LAN2 switches to your network.
Transparent router mode
Use the fiber cables to connect the LAN1 and LAN2 switches to different IP subnets.
Explicit proxy mode
Use a fiber cable to connect the blade server’s LAN1 switches to your network.
In explicit proxy mode, the unused switch can be used as a dedicated management switch. If
your management computer has a compatible Network Interface Card (NIC), connect it to the
remaining switch for local management.
Supplying power to the blade server
Use this task to supply power to the blade server and switch it on.
Task
1 Connect the blade server power cables to power outlets.
NOTES
• To ensure all blades power up, use two different power circuits. If only one circuit is
used, and the power management settings are configured to AC redundant (as
recommended), some blades will fail to power up.
• If the power cords are not suitable for the country of use, contact your supplier.
2 Switch on the blade server by pushing the power buttons on the management and failover
management blades.
After booting up, the Configuration Console appears on the monitor. See .
Installing the software
Use these tasks to install the blade server software on the Management blade or the Failover
Management blade.
Tasks
Locally installing the software on the Management blades
Remotely installing the software
Using the Configuration Console
Order of installing the Management blades
You should install and configure the Management blade first, and then install and configure the
Failover Management blade.
Software images
With Content Security Blade Server version 5.5, you can select the software images that can
be installed onto the content scanning blades. The options are:
• Email and Web Security
• Email Security
• Web Security
• McAfee Web Gateway (formerly WebWasher)
If you select Email and Web Security, all content scanning blades have this software image
installed. If you select Email Security and either Web Security or McAfee Web Gateway, you
configure each content scanning blade to scan either email or web traffic.
NOTE: You can select either Web Security or McAfee Web Gateway. You cannot install both
web scanning images onto the same blade system.
Refer to the McAfee Web Gateway Appliances Installation and Configuration Guide for further
information on configuring McAfee Web Gateway software.
Locally installing the software on the Management blades
Use this task to install the software on the Management blade or Failover Management blade
when you are local to the blade server.
Before installing the software, check to see if newer versions of your software are available
from the McAfee download site:
http://www.mcafee.com/us/downloads/
NOTE: You will need a valid grant number.
Tasks
1 Insert the Management blade into position 1 (for the Management blade) or position 2 (for
the Failover Management blade).
2 Attach a monitor and keyboard to the KVM, located on the rear of the chassis.
3 Using the KVM interface, mount the CD/DVD-ROM drive to the Management blade being
installed.
4 Boot the Management blade or Failover Management blade from the Installation and
Recovery CD. The software is installed on the selected blade.
5 Set the basic configuration. See Using the Configuration Console.
Remotely installing the software
Use this task to install the software on the Management blade or Failover Management blade
when you are away from the blade server.
NOTE: The integrated Lights-Out features for each blade can also be accessed via the Onboard
Administrator.
Use integrated Lights-Out software to boot the blade server from the Installation CD.
See Setting up lights-out management and the
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00553302/c00553302.pdf.
Using the Configuration Console
With the version 5.5 software, the configuration process has been simplified. You can now
configure your device either from the Configuration Console, or from the Setup Wizard within
the user interface.
The Configuration Console launches automatically at the end of the startup sequence after
either:
• an unconfigured device starts,
• or after a device is reset to its factory defaults.
When launched, the Configuration Console provides you with options to either configure your
device in your preferred language from the device console, or provides instructions for you to
connect to the Setup Wizard within the user interface from another computer on the same class
C subnet. Both methods provide you with the same options to configure your device.
NOTE: From the Configuration Console, you can configure a new installation of the appliance
software. However, to configure your appliance using a previously saved configuration file,
you need to log on to the appliance user interface, and run the Setup Wizard (System | Setup
Wizard).
This version of the software also introduces automatic configuration using DHCP for the following
parameters:
• Host name
• Domain name
• Default gateway
• DNS server
• Leased IP address
• NTP server
Welcome page
Performing a custom setup
Restoring from a file
Welcome page
This is the first page of the Setup Wizard. Use this page to select the type of installation you
want to perform.
NOTE: If you access this page from the Setup Wizard, you will be prompted to enter your
username and password.
• Select Custom Setup (default) to select the operating mode for your device. If you choose
to protect mail traffic you can enable SMTP and POP3. If you choose to protect web traffic
you can enable HTTP, FTP and ICAP. You should use this if you need to configure IPv6 and
to make other changes to the default configuration.
• Select Restore from a File (not available from the Configuration Console) to set up your
device based on a previously saved configuration. Following the import of the file you will
be able to check the imported settings before finishing the wizard.
Performing a custom setup
For the Custom setup, the wizard includes these pages:
• Traffic
• Basic Settings
• Network Settings
• Cluster Management
• DNS and Routing
• Time Settings
• Password
• Summary
Traffic
Use this page to specify the type of traffic that the device scans.
• Web traffic includes HTTP (for web browsing), ICAP (for use with ICAP clients), and FTP for
file transfer.
• Email traffic includes SMTP and POP3.
You can enable or disable each protocol (SMTP, POP3, HTTP, ICAP and FTP). If the device is
in Transparent Router or Transparent Bridge mode, and the protocol is disabled, traffic for the
protocol passes through the device, but is not scanned.
NOTE: If you are installing McAfee Web Gateway software, the device must be configured in
Explicit Proxy mode.
If you intend to use Web Security Gateway, specify the schedules for software updates on this
page, and upload the license file.
If the device is in Explicit Proxy mode, and a protocol is disabled, traffic directed to the blade
server for that protocol is refused. The protocol is blocked at the device. In Explicit Proxy mode,
only SMTP, POP3, HTTP, ICAP and FTP traffic is handled by the blade server. All other traffic
is refused.
If, after installation, you do not want to scan any of the types of traffic, you can disable each
protocol from its page. From the menu, select Email | Email Configuration | Protocol
Configuration or Web | Web Configuration.
Option definitions
Option
Definition
Scan web traffic
Using Web Gateway scanning devices
Select this option to install McAfee Web Gateway (formerly
WebWasher) software onto one or more of your content
scanning blades.
Further options enable you to:
• Upload Web Gateway license file
• Set the URL Filter updates interval
• Set the McAfee Web Gateway anti-Virus updates interval
• Set the Proactive Scanning updates interval
• Set the CRL updates interval
Using Web Security scanning devices
Select this option to install Web Security scanning on your
blade server.
You can also choose to Enable protection against
Potentially Unwanted Programs (including
Spyware).
McAfee Anti-Spyware protects your network from many
types of potentially unwanted software such as spyware,
adware, remote administration tools, dialers and password
crackers. This feature is not enabled by default.
NOTE: McAfee Anti-Spyware is designed to detect and, with
your permission, remove potentially unwanted programs
(PUPs). Some purchased or intentionally downloaded
programs act as hosts for PUPs. Removing these PUPs may
prevent their hosts from working. Be sure to review the
license agreements for these host programs for further
details. McAfee, Inc. neither encourages nor condones
breaking any license agreements that you may have entered
into. Please read the details of all license agreements and
privacy policies carefully before downloading or installing
any software.
Scan email traffic
Email traffic includes SMTP and POP3 traffic. After installation:
The device protects your network against viruses, spam and phish, and uses McAfee
TrustedSource to protect your network from unwanted email.
Further options include:
• Enable protection against Potentially Unwanted Programs (including
Spyware)
• Scan SMTP traffic
• Scan POP3 traffic
Local relay domain
Under Relaying options, the device suggests the domain information if this is available
via DHCP. Delete the asterisk to accept the domain name, or type another domain name.
Basic Settings
Use this page to specify basic settings for the device.
The device tries to provide some information for you, and shows the information highlighted
in amber. To change the information, click and retype.
Option definitions
Option
Definition
Cluster Mode
• Cluster Master - This blade becomes the Management blade, and controls the
scanning workload for several other content scanning blades.
• Cluster Failover - If the Management blade fails, this blade controls the scanning
workload instead.
Device Name
Specifies a name, such as appliance1.
Domain Name
Specifies a name such as domain.example.com.
Default Gateway (IPv4)
Specifies an IPv4 address such as 198.168.10.1. You can test later that the appliance can
communicate with this server.
Next Hop Router (IPv6)
Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1.
Network Settings
The first time you run a configuration on a new install (or revert to default settings) the Network
Settings page is launched. If you change the Cluster Mode of the device, this page will also be
launched.
Use this page to configure the IP address, network speeds and operating mode for the device.
If possible, your device will populate many of these options using DHCP. The IP addresses must
be unique and suitable for your network. Specify only as many IP addresses as you need.
Option definitions
Option
Definition
Change Network Settings
When clicked, starts a wizard with the following options.
Operating mode
Offers a choice of mode.
In Transparent Router or Transparent Bridge mode, other network devices, such
as mail servers, are unaware that the blade server has intercepted and scanned the
email before forwarding it. The operation is transparent to the devices.
In Explicit Proxy mode, some network devices send traffic to the appliance. The
blade server then works as a proxy, processing traffic on behalf of the devices.
LAN Interface Type
Specifies the type of connection — copper wire or optical fiber. This option is available
only with higher-speed appliances.
IP Address
Specifies network addresses to enable the appliance to communicate with your
network. For example, 198.168.10.1.
Specify the IP address for each Management blade.
You can specify multiple IP addresses for the blade server ports. If the blade server
is in Transparent Bridge mode, the IP addresses are combined into one list for both
ports. In the other modes, click Network Interface 1 or Network Interface 2
to work on each of the two lists.
Configure the IP address for the Management blade, and for load balancing. If you
are in explicit proxy or transparent router mode, create a virtual IP address. The
virtual IP address must be the same for both the Management blade and the Failover
Management blade.
NOTE: You will need to set up the Failover Management blade with different IP addresses
from the Management blade for both the physical IP and for load balancing.
The IP address at the top of a list is the primary address. Any IP addresses below it
are “aliases.”
Network Mask
Specifies an IPv4 network mask, for example: 255.255.255.0, or specifies the IPv6
prefix length (1-64 or 128).
Cluster Management
Use this page to specify load-balancing requirements.
• Cluster Management (Cluster Master)
• Cluster Management (Cluster Failover)
A cluster is a group of devices that both shares its configuration and balances the network
traffic.
The cluster contains:
• One cluster master. The master both synchronizes the configuration and balances the load
of network traffic to the other cluster members.
• One cluster failover. If the cluster master fails, the cluster failover will seamlessly take over
the work of the cluster master.
• One or more cluster scanners. They scan traffic according to the policies synchronized from
the master.
Benefits
• Scalable performance through load balancing multiple devices removes the need for costly
upgrades.
• Easier management through synchronization of configuration and updates, reducing
administrative overhead.
• Improved resilience through high availability, reducing possibility of unscheduled outages.
• Improved intelligence through consolidated reports.
Setting up the cluster
When configuring a master or failover, the administrator must do the following:
• For Proxy or Transparent Router Mode, set a virtual IP address that is the same on both the
master and failover. The cluster members then use VRRP to fail over.
• For Transparent Bridge, set up the cluster to use STP to fail over. The bridge priority must
be lower on the master (set by default).
For all cluster members, the administrator must set the cluster identifier. This unique identifier
ensures that members of the cluster are joined correctly. To create multiple clusters, you can
use a different identifier for each cluster.
Direct all network traffic that is to be scanned to the Cluster Master (or the virtual IP address
if a Cluster Failover will be used).
Managing the cluster
Once configured, the cluster is joined automatically using the cluster identifier. The Dashboard
on the cluster master lists the device and cluster type.
The administrator then only needs to use the user interface of the cluster master for
management, for example, setting scanning policies. The cluster master will then automatically
push this configuration to the other cluster members.
The cluster master collates:
• Anti-virus updates
• Reports
• Queued email
• McAfee Quarantine Manager (MQM)
NOTE: Software patches need to be applied to each separate device in turn.
Cluster Management (Cluster Master)
Use this page to specify information for the Management blade.
Option
Definition
Address to use for load balancing
Specifies the Management blade address.
Cluster identifier
Specifies an identifier. Range is 0-65535.
Cluster Management (Cluster Failover)
Use this page to specify information for the Failover Management blade.
Option
Definition
Address to use for load balancing
Specifies the Failover Management blade address. Provides a list of all subnets assigned
to the appliance.
Cluster identifier
Specifies an identifier. Range is 0-65535.
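The rules from Setting up the cluster and the two Cluster Management pages can be checked against a planned address sheet before the wizard is run. The following Python check is an added example, not McAfee code; the BladePlan field names and mode strings are hypothetical, and the sample addresses are constructed.

```python
"""Pre-flight check of a planned Management / Failover Management blade pair."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VRRP_MODES = {"explicit_proxy", "transparent_router"}  # fail over via a shared virtual IP
STP_MODE = "transparent_bridge"                        # fails over via bridge priority


@dataclass
class BladePlan:
    """Planned settings for one blade. Field names are hypothetical, not product keys."""
    name: str
    physical_ip: str
    load_balancing_ip: str
    mask: str                      # IPv4 network mask or IPv6 prefix length
    cluster_id: int
    virtual_ip: Optional[str] = None
    bridge_priority: Optional[int] = None


def check_address(label: str, ip: str, mask: str) -> List[str]:
    """Validate one address and its mask against the ranges given in the guide."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"{label}: {ip!r} is not a valid IP address"]
    if addr.version == 4:
        try:
            ipaddress.IPv4Network(f"0.0.0.0/{mask}")
        except ValueError:
            return [f"{label}: {mask!r} is not a valid IPv4 network mask"]
    elif not (mask.isdigit() and (1 <= int(mask) <= 64 or int(mask) == 128)):
        return [f"{label}: IPv6 prefix length must be 1-64 or 128, got {mask!r}"]
    return []


def _norm(ip: str):
    """Parse an address so that spelling differences do not hide a duplicate."""
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return ip


def check_pair(mode: str, master: BladePlan, failover: BladePlan) -> List[str]:
    """Return every rule from the cluster setup text that the plan breaks."""
    problems: List[str] = []
    for blade in (master, failover):
        problems += check_address(f"{blade.name} physical", blade.physical_ip, blade.mask)
        problems += check_address(f"{blade.name} load balancing",
                                  blade.load_balancing_ip, blade.mask)
        if not 0 <= blade.cluster_id <= 65535:
            problems.append(f"{blade.name}: cluster identifier {blade.cluster_id} "
                            "is outside 0-65535")
    # Members join a cluster by identifier, so both blades need the same one.
    if master.cluster_id != failover.cluster_id:
        problems.append("cluster identifiers differ between master and failover")
    if _norm(master.physical_ip) == _norm(failover.physical_ip):
        problems.append("failover needs a different physical IP address from the master")
    if _norm(master.load_balancing_ip) == _norm(failover.load_balancing_ip):
        problems.append("failover needs a different load-balancing address from the master")
    if mode in VRRP_MODES:
        if not master.virtual_ip or not failover.virtual_ip:
            problems.append("a virtual IP address must be set on both master and failover")
        else:
            problems += check_address("virtual IP", master.virtual_ip, master.mask)
            if _norm(master.virtual_ip) != _norm(failover.virtual_ip):
                problems.append("virtual IP address must be the same on master and failover")
    elif mode == STP_MODE:
        if master.bridge_priority is None or failover.bridge_priority is None:
            problems.append("bridge priority must be set on both blades")
        elif master.bridge_priority >= failover.bridge_priority:
            problems.append("bridge priority must be lower on the master")
    else:
        problems.append(f"unknown operating mode {mode!r}")
    return problems


# Constructed sample plan using documentation address space (192.0.2.0/24).
MASTER = BladePlan("master", "192.0.2.11", "192.0.2.11", "255.255.255.0", 7,
                   virtual_ip="192.0.2.10")
FAILOVER = BladePlan("failover", "192.0.2.12", "192.0.2.12", "255.255.255.0", 7,
                     virtual_ip="192.0.2.10")

if __name__ == "__main__":
    for line in check_pair("explicit_proxy", MASTER, FAILOVER) or ["plan is consistent"]:
        print(line)
```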
DNS and Routing
Use this page to configure the device’s use of DNS and routes.
Domain Name System (DNS) servers translate or "map" the names of network devices into IP
addresses (and the reverse operation). The device sends requests to DNS servers in the order
that they are listed here.
Option definitions
Option
Definition
Server Address
Specifies the DNS servers. The first server in the list must be your fastest or most
reliable server. If the first server cannot resolve the request, the device contacts the
second server. If no servers in the list can resolve the request, the device forwards
the request to the DNS root name servers on the Internet.
If your firewall prevents DNS lookup (typically on port 53), specify the IP address of
a local device that provides name resolution.
Network Address
Displays the network address of a routing device.
Mask
Displays the network subnet mask such as 255.255.255.0.
Gateway
Specifies the IP addresses of other gateways (typically firewall or routers) through
which the device will communicate with the network.
The Basic Settings page specified the default gateway.
Metric
Displays a number used by routing software. Default value is 0.0.
Enable dynamic routing
Dynamic routing allows your network devices, including the device, to listen for the
routing information that routers broadcast on your network. The devices can use
that information to configure their own routing information.
NOTE: The device supports only the Routing Information Protocol (RIP) and Open
Shortest Path First (OSPF) routing protocols.
Time Settings
Use this page to set the time and date, and any details for the use of the Network Time Protocol
(NTP). NTP synchronizes timekeeping among devices in a network. Some Internet Service
Providers (ISPs) provide a timekeeping service. For more information about NTP, see RFC 1305
at www.apps.ietf.org/rfc/rfc1305.html, www.ntp.org or www.ntp.isc.org
The device can synchronize its time settings to other devices, keeping its own logs, reports and
schedules accurate. Because NTP messages are not sent often, they do not noticeably affect
the blade server's performance.
Option definitions
Option
Definition
Time zone
Specifies your local time zone. You might need to set this twice each year if your region
observes daylight saving time.
System time (local)
Specifies the date and the local time. To set the date, click the calendar icon.
Set time now
When clicked, sets the time on the device. You need to click this button before you
click Next.
If it is needed, you can configure Network Time Protocol (NTP) after installation.
Enable NTP
When selected, accepts NTP messages from a specified server or a network broadcast.
Enable NTP client broadcasts
When selected, accepts NTP messages from network broadcasts only. This method is
useful on a busy network but must trust other devices in the network.
When deselected, accepts NTP messages only from servers specified in the list.
NTP Server
Displays the network address or a domain name of one or more NTP servers that your
device uses.
If you specify several servers, the device examines each NTP message in turn to
determine the correct time.
Password
Use this page to specify a password for the device. For a strong password, include letters and
numbers. You can type up to 15 characters.
Option definitions
Option
Definition
User ID
This is scmadmin. You can add more users later.
Password
Specifies the new password. Change the password as soon as possible to keep your
device secure.
You must enter the new password twice to confirm it. The original default password
is scmchangeme.
NOTE: You must change the password from its default value before you can apply the
configuration.
Summary
Use this page to review a summary of the settings that you have made through the Setup
Wizard. To change any value, click its blue link to display the page where you originally typed
the value.
After you click Finish, the setup wizard is complete.
Use the IP address shown on this page to access the interface. For example
https://192.168.200.10. Note that the address begins with https, not http.
When you first log onto the interface, type the user name, scmadmin and the password that
you gave to this setup wizard.
Option definitions
Option
Definition
The value is set according to best practice.
The value is probably not correct.
Although the value is valid, it is not set according to best practice. Check the value before
continuing.
No value has been set. The value has not been changed from the default. Check the value
before continuing.
Restoring from a file
When configuring your device from the Setup Wizard within the user interface, using the Restore
from a file option enables you to import previously saved configuration information and apply
it to your device. After this information has been imported you can make changes before applying
the configuration.
Option
Definition
Import Config
Browse to and select a previously saved configuration file to upload to your device.
Values to Restore
By default all configuration is restored. You can choose to restore only specific parts
of your configuration by de-selecting the information you do not want restored.
You will have the chance to review these changes before applying them.
Configuration Import Messages
As the configuration file is imported, messages are displayed.
Once the configuration information has been imported, you are taken to the Custom Mode of
the Setup Wizard. (See Performing a custom setup.) All imported options are shown on the
wizard pages, giving you the opportunity to make any amendments before applying the
configuration.
Using the device
Read this information before you use the device.
Contents
Updates and HotFixes
After installation
Updates and HotFixes
Before deploying the device, download and apply the latest applicable updates and HotFixes
from the download site:
http://www.mcafee.com/us/downloads/
NOTE: You will need a valid grant number.
After installation
After you have installed the device, make sure that your configuration is working correctly. See
Testing the device.
Testing the Configuration
You are now ready to test the configuration on the device. This section includes some information
to help you get started:
• How to start the user interface again.
• Tasks to complete to make sure that the device is working correctly.
Contents
Introducing the user interface
Testing the device
Introducing the user interface
To start the interface for the device, you must log on using the username and password. The
user interface opens on the Dashboard page.
NOTE: The interface you see might look slightly different from that shown here, because it can
vary depending on the hardware platform, software version and language.
Figure 9: Interface components - Dashboard page (callouts: Navigation bar, Support control
buttons, User information bar, View control, Section icons, Content area, Tab bar)
Navigation bar
The navigation bar contains four areas: user information, section icons, tab bar, and support
controls.
User information bar
The left-hand side of the user information bar displays a list of currently logged on users (and
the server they’re logged on to), a Change Password button, and a Log Off button. On the
right-hand side of the bar, About the Appliance gives you appliance and package version
information. Resources provides instructions on how to submit a virus sample to McAfee correctly
and links to additional McAfee resources such as our Service Portal and the Virus Information
Library.
These links can be accessed from the user information bar.
About
Product and licensing information.
Resources
Contact and the following information:
Technical Support — Frequently asked questions on the McAfee website.
Submit a Sample — Instructions for submitting a virus sample to McAfee.
Virus Information Library — Links to the Virus Information Library,
which describes every virus and other potentially unwanted program that
McAfee detects and cleans.
Download SNMP files — Download files for SMI, MIB and HP
Openview.
Help Topics button
Opens the Online Help.
Section icons
There are five or six section icons depending on the software that you are using. Click an icon
to change the information in the content area and the tab bar.
Use the Web icon, when displayed, to open the page for the web scanning software you
have installed. When you have McAfee Web Gateway installed, use this icon to open the McAfee
Web Gateway interface directly in the content area.
NOTE: With McAfee Web Gateway installed, you can access the McAfee Web Gateway interface
directly, as directed above. However, some tasks — such as creating new users — are better
carried out from the Content Security Blade Server interface, as the new user profiles are then
replicated onto the McAfee Web Gateway software.
Tab bar
The contents of the tab bar are controlled by the selected section icon. The selected tab dictates
what is displayed in the content area.
Support control buttons
The support control buttons are actions that apply to the content area. They are (from left to
right) Back and Help. Two additional buttons appear when you configure something that allows
you to apply or cancel your changes.
View control
The view control button turns an optional Status window on and off.
Content area
The content area contains the currently active content and is where most of your interaction
will be.
NOTE: The changes that you make take effect after you click the green checkmark.
Testing the device
Use these tasks to test:
• The device configuration
• Mail traffic
• Virus detection
• Spam detection
NOTE: Before using the device, update its DAT files.
Testing connectivity
Use this task to confirm basic connectivity.
Task
1 From the interface, select Troubleshoot | Tests | System Tests.
2 Click Start in the upper-right corner. Each test should succeed.
3 Look in the System Tests area and check that all the tests are successful.
Testing mail traffic
Use this task to ensure that mail traffic is passing through the device.
Task
1 Send an email message from an external email account (such as Hotmail) to an internal
mailbox and confirm that it arrived.
2 Select Dashboard.
The SMTP protocol section shows that a message was received.
Testing virus detection
Use this task to test the software by running the EICAR Standard AntiVirus Test File. This file
is a combined effort by anti-virus vendors throughout the world to implement one standard by
which customers can verify their anti-virus installations.
Task
1 Copy the following line into a file, making sure you do not include any spaces or line breaks:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
2 Save the file with the name EICAR.COM.
3 From an external email account, create a message that contains the EICAR.COM file as an
attachment and send the message to an internal mailbox.
4 Return to the Dashboard page.
The SMTP protocol section shows that a virus was detected.
Delete the message when you finish testing your installation, to avoid alarming unsuspecting
users.
This file is not a virus. For more information about the EICAR test file, visit:
http://www.eicar.org/.
Testing spam detection
Use this task to run a General Test mail for Unsolicited Bulk Email (GTUBE) to verify that the
device is detecting incoming spam.
Task
1 From an external email account (SMTP client), create a new email message.
2 In the body of the message, copy the following text:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
Make sure that you type this line with no line breaks.
3 Send the new email message to an internal mailbox address.
The device scans the message, recognizes it as a junk email message, and deals with it
accordingly. The GTUBE overrides blacklists and whitelists.
For more information about the GTUBE, visit http://spamassassin.apache.org/.
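The two test messages from Testing virus detection and Testing spam detection can be built and checked before they are sent, so that a stray space or wrapped line is caught before it causes a false "not detected" result. The following Python script is an added example, not part of the McAfee guide; the addresses and the relay host are placeholder assumptions.

```python
"""Build the guide's EICAR and GTUBE test messages and check them before sending."""
import smtplib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Test strings exactly as printed in the guide. Each literal is split in two
# so that an on-access scanner does not flag this source file itself.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*" + "GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def check_test_string(candidate, reference):
    """List the ways a copied test string differs from the published one."""
    problems = []
    if any(ch.isspace() for ch in candidate):
        problems.append("contains a space or line break")
    if len(candidate) != len(reference):
        problems.append(f"length {len(candidate)}, expected {len(reference)}")
    elif candidate != reference:
        problems.append("characters differ from the published string")
    return problems


def build_eicar_message(sender, recipient):
    """Message carrying the test file as an attachment named EICAR.COM."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Gateway test: EICAR attachment"
    msg.set_content("Anti-virus gateway test. The attachment is not a virus.")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="EICAR.COM")
    return msg


def build_gtube_message(sender, recipient):
    """Message whose body is the GTUBE string on a single unbroken line."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Gateway test: GTUBE"
    msg.set_content(GTUBE + "\n")
    return msg


def roundtrip_problems(msg):
    """Serialize and re-parse the message, then check the test string survived."""
    parsed = message_from_bytes(msg.as_bytes(), policy=policy.default)
    attachments = list(parsed.iter_attachments())
    if attachments:
        payload = attachments[0].get_content()  # attachment bytes after decoding
        return check_test_string(payload.decode("ascii", "replace"), EICAR)
    body = parsed.get_body(preferencelist=("plain",)).get_content()
    if GTUBE in body.splitlines():
        return []
    return ["GTUBE line is missing or was wrapped in the body"]


def send(msg, relay_host, port=25):
    """Hand the message to the external account's SMTP relay (host is an assumption)."""
    with smtplib.SMTP(relay_host, port, timeout=30) as smtp:
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed addresses; replace with an external sender and an internal mailbox.
    for build in (build_eicar_message, build_gtube_message):
        message = build("tester@external.example", "mailbox@internal.example")
        print(build.__name__, roundtrip_problems(message) or "ok")
```

After sending, confirm the result on the Dashboard as the tasks above describe.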
Exploring the blade server
This section contains tasks and scenarios that show some key benefits of using a blade server
to protect your gateway.
To complete the tasks and scenarios, you will need some of the information that you entered
in the configuration console and Setup Wizard.
Tasks
Demonstrating failover and workload management
Testing management features on the blade server
Demonstrating failover and workload management
Use this task to demonstrate the blade server’s workload management and built-in redundancy
management.
Your blade server comes with at least one content scanning blade. You can add more as
necessary. This test assumes that you have two content scanning blades.
NOTE: For information about adding and removing blades from the enclosure, refer to the HP
BladeSystem c3000 Enclosure Quick Setup Instructions.
Task
1 On the Dashboard | Blade page, select the Blade Status tab to ensure the blade server
is functioning correctly.
• The management blade has the name you entered when using the Configuration Console.
The management blade has a NETWORK status.
• The Failover Management blade has the name you entered when using the Configuration
Console. The Failover Management blade has a REDUNDANT status.
• The content scanning blades are called Blade <number> and have a status of OK.
2 Remove the management blade from the enclosure and watch as the blade server continues
to function using the Failover Management blade.
• The Failover Management blade state changes to Network.
• The management blade changes to a Failed state.
3 From System | Cluster Management, select a content scanning blade and click Disable
to take that content scanning blade off-line. The blade server continues scanning traffic.
CAUTION: The design of the blade server allows the removal of a content scanning blade
from the enclosure without first stopping the content scanning blade. However,
McAfee do not recommend that you do so, as there is a slight risk that doing this could
corrupt the information on the disk drives.
4 Look at the Messages column to watch the number of messages that are processed by
each content scanning blade.
5 On Blade Status, select the content scanning blade that you turned off and click
Start.
6 Look at the Messages column again. The blade server scans more traffic and automatically
balances the scanning load between the two blades.
7 Optional: Add a third content scanning blade to the enclosure and activate it.
8 Check Blade Status again. The blade server scans even more messages and balances
the scanning load between the three blades.
Testing management features on the blade server
Use these tasks to demonstrate how the blade server management features reduce your system
management burden; the system is managed as one system whether you have one content
scanning blade or several.
You can obtain reports and status information for all the blades using the Status and Logs
information. You can use the Management blade to keep DAT files on all the content scanning
blades up-to-date and also manage the quarantine location.
Blade server status information
While traffic passes through the blade server, you can look at the Dashboard to get up-to-date
information about the total traffic throughput, detections, and performance for each protocol.
The Dashboard includes blade-specific information, such as:
• General Status (Management blade and )
• Hardware Status (Management blade)
• Blade Status (all blades)
This table shows the information that you can get about all the blades.
Speedometer
The average throughput of the blade server, based on measurements taken every
few minutes.
Name
Name of the blade:
• The Management blade.
• The Failover Management blade.
NOTE: These names are specified using the Configuration Console.
• Blade <number> — content scanning blades.
State
The current state of each blade.
Load
The overall system load for each blade.
Active
The number of connections currently active on each blade. The row for the
Management blade shows the total for all content scanning blades.
Connections
The total number of connections since the counters were last reset. The row for
the Management blade shows the total for all content scanning blades.
Other columns
Version information for the Anti-Virus Engine, Anti-Virus DAT files, Anti-Spam Engine
and Anti-Spam Rules. The version numbers are the same if the blades are
up-to-date. During updating, the values might be different.
Generating reports
The Content Security Blade Server includes several pre-defined reports that you can download
in PDF, HTML or Text formats. You can define the schedule for these reports being generated,
and can define who the reports are sent to. You can also create your own reports.
The blade server log displays event information according to the report type and period you
select. The blade server’s own reporting features can generate reports, or show logs, statistics,
performance counters and graphs for a wide range of data about the blade server and its
activities, such as memory and processor usage.
For example, after you performed the steps in Testing virus detection, click Email | Email
Overview. The INCOMING EMAIL SUMMARY shows the EICAR test file that you detected.
Task
Use this task to update the blade server’s DAT files and to then view the update report.
NOTE: The Dashboard is displayed by default each time you log on to the blade server.
1 Select System | Component Management | Update Status.
2 From the Version information and updates, click Update now for any anti-virus or
anti-spam DAT file updates that you want to update.
3 Select Reports | System reports.
4 Select Filter | Updates.
5 Click Apply. Information about the updates applied to your blade server is displayed.
Further report information
You can:
• Save the report into Favorites. This allows you to run the same report at future times.
• Where relevant, switch between different views of the reported data.
Using policies to manage message scanning
Use these tasks to demonstrate the blade server scanning features in action. They provide
step-by-step instructions to create and test some sample policies and tell you how to generate
applicable reports.
A policy is a collection of settings and rules that tells the blade server how to combat specific
threats to your network. When you create real scanning policies for your organization, it is
important that you spend time researching and planning your requirements. You can find
guidelines to help you in your policy planning in the Online help.
Before you create policies
All quarantine actions are disabled by default. Before you enable them, configure the blade
server to use the McAfee Quarantine Manager to manage the quarantine location. To do this:
1 From the user interface, select Email | Quarantine Configuration.
2 Select Use an off-box McAfee Quarantine Manager (MQM) service.
3 Enter details of your McAfee Quarantine Manager.
NOTE: If you are replacing an existing McAfee appliance with your blade server, make sure
you use your existing Appliance ID. If you use a different Appliance ID, you will not be
able to release any messages quarantined by the old appliance.
4 Apply your changes.
Creating an anti-virus scanning policy
Create an anti-virus scanning policy to:
• Detect viruses in incoming messages.
• Quarantine the original email.
• Notify the recipient.
• Alert the sender.
Task
Use this task to demonstrate what happens when a mass mailer virus rule is triggered by the
EICAR test file, and actions that can be taken.
1 On the device, ensure that you are using McAfee Quarantine Manager (Email |
Quarantine Configuration | Quarantine Options).
2 On the device, select Email | Email Policies | Scanning Policies.
The default policy is set to Clean or Replace with an alert, if cleaning fails.
3 Click Viruses: Clean or replace with an alert to display the Default Anti-Virus
Settings (SMTP).
4 Under Actions, in If a virus is detected ensure that Attempt to clean is selected.
5 In the And also section beneath the action, select Deliver a notification email to the
sender and Quarantine the original email.
6 In If cleaning fails, select Replace the detected item with an alert.
7 In the And also section beneath If cleaning fails, select Deliver a notification E-mail
to the sender and Quarantine the original email as the secondary actions.
8 Click OK.
9 Select Email | Email Policies | Scanning Policies [Scanner Options] -- Email
address configuration.
10 In Bounced emails, assign the email address as an administrator email address.
Without this configuration, the device does not include a From: address on the email
notification. Most email servers do not deliver email without a From: address.
11 Click OK, then click the green checkmark.
12 Select Email | Email Policies | Scanning Policies [Anti-Virus] | Custom Malware
Options.
13 Select Mass mailers, then set If detected to Deny connection (block).
The sending mail server receives a Code 550: denied by policy error message. The
device keeps a list of connections that are not allowed to send email under any
circumstances. The list can be viewed at Email | Email Configuration | Receiving
Email | Permit and Deny [+] Permitted and blocked connections. The Denied
Connections option is described in the Online help.
14 Test the configuration:
a Send an email from <client email address> to <server email address>.
b Create a text file that includes the following string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
c Save the file as eicar.txt.
d Attach the file to the email.
The gateway security device replaces the file with an alert and the sender receives a
notification alert.
15 Return to Custom Malware Options and click Specific detection name:.
16 Type EICAR.
17 Ensure the primary action is Refuse the original data and return an error code
(block), then click OK.
18 From an external email account, create a message and attach the EICAR test file.
The email client returns a 550: denied by policy error message.
Email | Email Configuration | Receiving Email | Permit and Deny Lists [+]
Blocked connections is empty.
19 In Custom Malware options, change the primary action to Deny the connection, then
click OK.
20 Send the same email and check the denied connection. It has the IP address of your client
machine (example IP address).
21 Try to send a benign email. This is also denied because of the denied connections list. To
the sending server, it appears that the server is not online.
The device checks the message as it enters your mail gateway and identifies that it contains a
virus. It quarantines the message and notifies the intended recipient and the sender that the
message was infected.
Creating an anti-spam scanning policy
Use this task to set up a policy to protect your organization from receiving unsolicited messages.
A policy like this protects users from receiving unsolicited email messages that reduce productivity
and increase the message traffic through your servers.
Task
1 On the device, ensure that you are using McAfee Quarantine Manager (Email | Quarantine
Configuration).
2 Select Email | Email Policies | Scanning Policies.
You must set up a separate anti-spam policy for the SMTP and POP3 protocols.
3 Set the primary action to Accept and drop the data.
4 Set the secondary action to Quarantine the original E-mail. Change the spam score to 5.
If you enable anti-spam detection, McAfee recommends that you also enable anti-phishing
detection. Scanning performance is not impacted by performing both anti-spam and
anti-phish checks.
5 From an external email account, create a message to a mailbox protected by the device.
6 In the message body, use the text:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
7 Send the message.
8 Open McAfee Quarantine Manager and look at the spam queue.
9 Release the spam message.
10 Check the recipient email account to see the message.
Detected messages are sent to McAfee Quarantine Manager and can be managed by an
administrator.
Creating an email compliance policy
Use this task to set up a policy to ensure that messages your users send to external mail accounts
comply with official content libraries.
This policy maintains regulatory compliance to standards such as the HIPAA personal medical
information privacy standard and privacy standards on messages that contain sensitive
information. It notifies senders that their messages failed the compliance requirements.
Task
1 On the device, select Email | Email Policies | Dictionaries.
2 Select Privacy Rules.
3 View the List of terms for selected dictionary.
4 Select Email | Email Policies | Scanning Policies.
5 Under Content, select Content Scanning.
6 Select Enable content scanning | Yes.
7 Click OK.
8 Under Content scanning rules, click Create new content scanning rule.
9 Select Privacy Rules, from within Type: Compliancy.
10 Click OK.
11 In If Triggered, select Accept and then drop the data (Block).
12 Click OK.
13 Click OK.
14 Create an email on the server from <example server email address> to <example client
email address>. Include the line: Hi: We need to assess the accredited accumulation on your
annuity. Please consider arbitration if your assets have less capital than expected.
15 Send the message.
16 Use Email | Email Overview | INCOMING EMAIL SUMMARY to see the results.
The client email agent does not receive the email. The server email account should receive two
email messages: an email notification that the message failed the compliancy test and a copy
of the original email.
Creating a content filtering policy
Use this task to set up a policy to quarantine incoming messages that contain unwanted content.
This is now achieved using a wizard to guide you.
Use the following to set up an example of content filtering:
Task
1 On the device, select Email | Email Policies | Scanning Policies.
If content scanning is disabled, select Yes in Enable content scanning.
2 From the Content section, click Content scanning.
If content scanning is currently disabled, click Yes.
3 Type a Rule name:.
4 Click Next >.
5 From The rule is triggered if any selected dictionary applies, select one or more
dictionaries, for example, Gambling (English).
6 Click Next >.
7 From The rule is ignored if any selected dictionary applies, select any dictionary you
want ignored. For this example, do not select any dictionaries.
8 Click Next >.
9 From If the content scanning rule is triggered, select your required action, for example
Replace the content with an alert (Modify).
10 Select Quarantine from the Original email options area.
11 Click Finish.
12 Click OK to complete the wizard.
13 Apply your configuration changes.
14 From an external email account, create a message to a test mailbox that the device protects.
In the message body, type the words: See you at the blackjack table tonight!
15 Send the message.
16 Open the mailbox to which you addressed the message and view the alert message.
17 Use Email | Email Overview | INCOMING EMAIL SUMMARY to see the event.
18 View the Dashboard to see information about items quarantined because of their content.
19 Using the recipient’s email account, open McAfee Quarantine Manager User interface and
select Unwanted Content.
20 Select the message and click Submit for Release.
21 Open the McAfee Quarantine Manager Administrator interface and select User
Submissions.
22 Select Submitted for Release.
23 Select the message and click Release.
24 Open the mailbox to which you sent the message to view the received message.
The device checks the message as it enters your mail gateway and identifies that it contains a
virus. The device quarantines the message and notifies the intended recipient and the sender
that the message was infected.
About Virtual host management
Using virtual hosts, a single device can appear to behave like several devices. Each virtual device
can manage traffic within specified pools of IP addresses, enabling the device to provide scanning
services to traffic from many sources or customers.
Benefits
• Separates each customer's traffic.
• Policies can be created for each customer or host, which simplifies configuration and prevents
clashes that might occur in complex policies.
• Reports are separately available for each customer or host, which removes the need for
complex filtering.
• If any behavior places the device on a reputation black list, only a virtual host is affected —
not the whole device.
Setting up the virtual hosts
The feature is available for SMTP scanning only. To specify the pool of inbound IP addresses
and the optional pool of outbound addresses, see the System | Virtual Hosting | Virtual
Networks page.
Managing the virtual hosts
Feature              Behavior
Email Policy         Each virtual host has its own tab, where you can create its scanning policies.
Email Configuration  Each virtual host has its own tab, where you can configure MTA features specific for that host.
Queued Email         You can view all queued email, or just queued email for each host.
Quarantined Email    You can view all quarantined email, or just quarantined email for each host.
Reporting            You can view all reports, or just reports for each host.
Behavior between the device and MTAs
When the device receives email sent to the virtual host's IP address range, the virtual host:
• Responds to the SMTP conversation with its own SMTP Welcome banner.
• Optionally adds its own address information to the Received header.
• Scans the email according to its own policy.
When the device delivers email:
• The IP address is taken from an outbound address pool, or a physical IP address (if this is
not set).
• The receiving Mail Transfer Agent (MTA) sees the IP address of the virtual host.
• If there is a pool of addresses, the IP address will be selected "round robin."
• The EHLO response will be for the virtual host.
Troubleshooting
This section describes some of the problems you might encounter when integrating your device
into the existing network.
To use the troubleshooting tools, select Troubleshooting from the navigation bar.
Frequently asked questions (FAQs)
System configuration
Anti-spam
Anti-virus automatic updating
Delivery
Directory Harvest Prevention does not work
Email attachments
ICAP
Mail issues
POP3
General issues
System maintenance
Getting more help — the user information bar
System configuration
I have disabled the FTP protocol but my users can still use FTP with their browsers
Check the browser's FTP proxy settings. On Internet Explorer, select Tools | Internet Options
| Connections | LAN Settings | Proxy Server | Advanced.
The appliance can support FTP over its HTTP protocol handler, so if the FTP proxy is set to use
port 80, your users can still use FTP.
NOTE: This is for FTP download only. The appliance does not support FTP uploads over HTTP.
Transparent Web Authentication
How do I configure Transparent Web Authentication using Kerberos?
When configuring Transparent Web Authentication using Kerberos on a blade server, you must
log in separately to the Management blade and to the Failover Management blade, and configure
Kerberos on each. This is because the authentication information cannot be automatically
synchronized between the Management blade and the Failover Management blade, for the
following reasons:
When using transparent bridge mode, a keytab cannot be created that will work on both the
Management blade and the Failover Management blade.
This is because the keytab includes the hostname of the blade server, which resolves to either
the IP address of the Management blade, or to the IP address of the Failover Management
blade.
To configure Kerberos to work in transparent bridge mode, create two keytabs, one containing
the Management blade IP address and hostname and the other containing the Failover
Management blade IP address and hostname. Import each keytab into the relevant Management
blade.
NOTE: This is not an issue in explicit proxy mode or transparent router mode, as the blade
server uses a virtual IP address for the currently active Management blade.
How do I configure Transparent Web Authentication using NTLM?
When configuring Transparent Web Authentication using NTLM on a blade server, you must
log in separately to the Management blade and to the Failover Management
blade, and configure NTLM on each. This is because the authentication information cannot be
automatically synchronized between the Management blade and the Failover Management
blade, for the following reasons:
To authenticate using NTLM, the username and password need to be entered to allow the
blade server to connect to the NTLM Domain Controller. For security reasons, the username
and password are not stored on the blade server.
You need to log into the Management blade and Failover Management blade separately and
connect to the Domain Controller. In both cases, you only need to apply the username and
password during the initial configuration.
NOTE: McAfee recommends that you log into the Failover Management blade after configuring
the Management blade. The interface will display a warning message reminding you to import
the keytab, or to join the NTLM domain controller.
Anti-spam
I have configured the appliance to reject spam with an RBL Servers check but some
spam mail is still getting through
No anti-spam software is fully effective, and none can guarantee to block all spam email messages.
The appliance uses a list of the names of known email abusers and the networks they use.
These lists are effective in reducing unwanted email messages but are not complete.
To block a specific sender of spam, add the sender's email address to the Denied senders
list.
Email | Email Configuration | Receiving Email | Permit and Deny Lists [+]
Permitted and blocked senders
Users are not getting normal email messages
Users might not receive normal email messages for several reasons:
• The email messages might be coming from someone listed in the Blocked senders list.
You might need to:
• Refine the Blocked senders list to ensure that wanted email messages are not blocked.
For example, you might need to type specific email addresses rather than ban a whole
domain or network.
• Add the sender, domain, or network to the Permitted senders list. The appliance does
scan email from senders, domains and networks in this list for spam. The Permitted
senders list overrides entries in the Blocked senders list.
• The email message might have been blocked because it comes from a sender or organization
that has been recognized by a real-time anti-spam list as a potential source of spam.
• The balance between blocking spam and normal email messages might need changing. For
example, if the appliance is blocking email messages when there is only a small chance that
they contain spam, you risk unintentionally blocking normal email messages. It is probably
better to risk letting some spam through.
• The email message might contain a virus or potentially unwanted program, and has been
blocked by anti-virus scanning.
Email | Email Configuration | Receiving Email | Permit and Deny Lists
Users are still receiving spam
Users might still receive spam for several reasons:
• No anti-spam software can block all email messages that might contain spam. For the best
chance of detecting and preventing spam, ensure that the appliance is using the latest
versions of the anti-spam engine, anti-spam rules, and extra rules files. See also Sender
authentication and reputation to ensure that you are using all the features that can block
unwanted email.
• The appliance is allowing streaming media to pass through.
Allowing streaming media to pass through the appliance is a security risk, because streaming
media is not scanned by the appliance. We recommend that you do not allow streaming
media of type application/octet-stream or application/* to pass through the appliance because
these MIME types are executable and are a security risk.
• You might need a more stringent anti-spam policy. For example, you might want to ensure
that more email messages are marked as spam before they are received by users, or to
simply block the spam at the appliance.
• The email messages might be coming from senders, domains, or networks that are in the
Permitted senders list. Review the list to make sure that you really want email messages
from these senders to bypass anti-spam scanning. You might need to refine the entry in the
list. For example, rather than permitting whole domains or networks, specify individual email
addresses instead. See the Permitted senders list.
• The mail client software does not automatically move unwanted messages into a spam
folder, so users still see spam in their inboxes. See Configuring Mail Clients for information
on setting mail clients.
• The email message might be larger than is permitted, so it is not scanned for spam. See
the advanced options in the anti-spam settings to change the size.
• Email messages are not being routed through an appliance with the anti-spam software
enabled.
Email | Email Configuration | Receiving Email
Email | Email Policies | Scanning Policies [Spam] | Advanced Options
How can I stop a particular type of spam?
Your blade server updates its anti-spam engine and spam detection rules frequently.
To ensure that you have the best chance of detecting and preventing spam, check that:
• The appliance is using the latest versions of the anti-spam engine and anti-spam rules.
• The appliance has not been configured to allow streaming media to pass through.
System | Component Management | Update Status
Email | Email Policies | Scanning Policies [Spam] | Advanced Options
Users are complaining that their mailboxes are full
If users automatically divert spam to a spam folder in the mailbox, their mailboxes can quickly
exceed their size limit. Remind users to regularly check their spam folders and delete spam.
Anti-virus automatic updating
When I request an immediate update, nothing happens. How do I know when the
DAT is updated?
The DAT files are downloaded, checked and applied — they are not just added regardless. The
appliance does not wait for the update to complete but starts it in the background. The update
can take a few minutes even with a fast Internet connection.
You can see the version number of the installed DAT files soon after the appliance has
successfully installed the new DAT files.
System | Component Management | Update Status
Dashboard [System Health] -- Updates
Delivery
What can I check if I have problems with mail delivery?
If your internal mailserver is not receiving inbound mail, check that this mail server is configured
to accept email from the appliance.
In the list of local domains for email delivery, do not specify a wildcard catch-all rule. Instead,
enable the fallback relay, and specify it there.
Email | Email Configuration | Receiving Email | Anti-Relay Settings
Directory Harvest Prevention does not work
For Directory Harvest Prevention to work correctly, your email server must check for valid
recipients during the SMTP conversation, and then send a non-delivery report.
Several email servers do not send User unknown errors as part of the SMTP configuration.
These include (but might not be limited to):
• Microsoft Exchange 2000 and 2003 (when using their default configuration).
• qmail.
• Lotus Domino.
Check the user documentation for your email server to see if your email server can be configured
to send 550 Recipient address rejected: User unknown reports as part of the SMTP conversation
when a message to an unknown recipient is encountered.
LDAP integration can provide a workaround for this.
Email attachments
The appliance blocks all email when I reduce the number of attachments to block
This setting is intended to block email messages with huge numbers of attachments, which
waste bandwidth.
Some mail clients (like Outlook Express) store extra information in extra attachments, and even
embed the main body of the message in an attachment.
If this number is set too low, even normal email might be rejected.
Email | Email Policies | Scanning Policies [Content] -- Mail size filtering |
Attachment Count
EICAR (the test virus) or content that must be blocked is still getting through
Make sure the appliance is in the mail path. Look at the headers of an email message (in Outlook,
select View | Options | Internet Headers).
If the appliance is in the mail path, you will see a header of the form Received: from sender
by appliance_name via ws_smtp with sender and appliance_name replaced with the
actual sender's name and the name of the appliance.
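The header check described above can be automated for a saved message. This is an added example, not part of the McAfee guide: it looks for Received headers of the form the guide gives (`by appliance_name via ws_smtp`); the host names and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Hop form given in the guide: "Received: from sender by appliance_name via ws_smtp".
WS_SMTP_HOP = re.compile(
    r"\bfrom\s+(?P<sender>\S+).*?\bby\s+(?P<appliance>\S+)\s+via\s+ws_smtp\b",
    re.IGNORECASE,
)

# Constructed sample: the message crossed an appliance named scm-blade.example.com.
SCANNED = """\
Received: from scm-blade.example.com by mailstore.example.com with ESMTP;
 Tue, 03 Mar 2009 10:15:02 +0000
Received: from relay.example.net by scm-blade.example.com via ws_smtp;
 Tue, 03 Mar 2009 10:15:01 +0000
From: sender@example.net
To: user@example.com
Subject: constructed sample (scanned)

test body
"""

# Constructed sample: the message reached the mail store without crossing the appliance.
BYPASSED = """\
Received: from relay.example.net by mailstore.example.com with ESMTP;
 Tue, 03 Mar 2009 10:20:44 +0000
From: sender@example.net
To: user@example.com
Subject: constructed sample (bypassed)

test body
"""


def appliance_hops(raw_message):
    """Return (position, sender, appliance) for each Received header added via ws_smtp.

    Position 0 is the newest hop, because every server prepends its own header.
    """
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for position, value in enumerate(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())  # unfold continuation lines
        match = WS_SMTP_HOP.search(flat)
        if match:
            hops.append((position, match.group("sender"), match.group("appliance")))
    return hops


def in_mail_path(raw_message, appliance_name=None):
    """True if the message crossed an appliance (optionally one specific appliance)."""
    names = [appliance.lower() for _, _, appliance in appliance_hops(raw_message)]
    if appliance_name is None:
        return bool(names)
    return appliance_name.lower() in names


if __name__ == "__main__":
    for label, raw in (("scanned", SCANNED), ("bypassed", BYPASSED)):
        print(label, in_mail_path(raw), appliance_hops(raw))
```

A message for which `in_mail_path` returns False was delivered by a route that does not pass through the appliance, so no scanning policy was applied to it.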
When the appliance detects a virus, I get notification of a content violation
This problem might be due to a conflict between the HTML template warning page, and a
content-scanning rule.
For example, if you are content-filtering on the word Virus but you have also set up the HTML
template for virus detection to warn you A virus has been detected, an incoming message
containing a virus triggers the message to be replaced with the message, A virus has been
detected. This replacement message then passes through the content filter which triggers on
the word Virus, and the message is replaced with a content violation instead of a virus
notification.
Email | Email Policies | Scanning Policies [Content]
The appliance is slow to respond when I log on to the interface
Make sure the browser from which you are connecting is not using the appliance itself as a
proxy. In Internet Explorer, go to Tools | Internet Options | Connections | LAN Settings,
and deselect Use a proxy server.
Check the DNS setup on the appliance. The DNS server field must contain the IP address of a
valid DNS server, which must be accessible from the appliance.
If the appliance is experiencing a heavy load, responses from the interface are slower. Consider
using out-of-band management.
System | Appliance Management | DNS and Routing
System | Appliance Management | Remote Access [+] Out of Band management
ICAP
ICAP service not found
This section describes a common configuration problem that occurs when setting up or
reconfiguring your ICAP services.
If the ICAP client cannot find the requested service:
• Check that the ICAP client is requesting a valid ICAP service. When configuring the ICAP
client, it is easy to mistype the service path. Service paths start with a forward slash (/) and
are case-sensitive. Make sure that you use the exact path name. For example, the path
/REQMOD is different from the path /REQMOD/.
• Check that the appliance supports the ICAP service, and that the requested service has not
been disabled on that appliance.
NOTE: Some ICAP servers do not support all ICAP verbs. For example, some ICAP clients
support the REQMOD verb only. By default, the appliance supports the REQMOD, RESPMOD
and OPTIONS verbs. However, the REQMOD and RESPMOD services can be disabled on the
appliance.
• Check that the network connection between the ICAP client and the ICAP server is working.
Use a ping test.
Troubleshoot | Tools | Ping and Trace Route
Appliance connections are unavailable
If the appliance runs out of available connections, you might have to restart the ICAP protocol.
Understanding ICAP status codes
This list of ICAP status codes was accurate at the time of publication. If a status code is not in
the table, see the ICAP RFC standard for the latest information.
Table 1: ICAP status codes
Code  Description
100   Continue after ICAP preview.
200   OK. The appliance understands the request and will reply.
204   No modifications are needed (also known as 204 No content).
400   Bad request.
404   ICAP service was not found.
405   The method is not allowed for this service. For example, a RESPMOD request was issued to a service that supports only REQMOD.
408   Request has timed-out. ICAP server gave up waiting for a request from an ICAP client.
500   ICAP server error. For example, the ICAP server might have run out of disk space.
501   Method (verb) not implemented.
502   Bad gateway.
503   Service is overloaded. The ICAP server has exceeded a connection limit associated with the service. The ICAP client must not exceed this limit in the future.
505   The ICAP version is not supported by the ICAP server.
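The service-path and status-code checks in this section can be scripted. This added example (not part of the McAfee guide) builds an ICAP OPTIONS request as defined in RFC 3507, parses the reply, and flags a 404 caused by a path that differs from a configured one only in case or a trailing slash. The host name, the list of configured paths and the sample replies are constructed assumptions.

```python
import socket

ICAP_DEFAULT_PORT = 1344  # registered ICAP port (RFC 3507)

# Constructed replies, so the diagnosis can be exercised without a server.
SAMPLE_404 = (b"ICAP/1.0 404 ICAP Service not found\r\n"
              b"ISTag: \"constructed-1\"\r\nEncapsulated: null-body=0\r\n\r\n")
SAMPLE_200 = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n"
              b"ISTag: \"constructed-1\"\r\nEncapsulated: null-body=0\r\n\r\n")
CONFIGURED = ["/REQMOD", "/RESPMOD"]  # assumed paths, supplied by the administrator


def build_options_request(host, service_path, port=ICAP_DEFAULT_PORT):
    """Return the bytes of an ICAP OPTIONS request for one service path."""
    if not service_path.startswith("/"):
        raise ValueError("ICAP service paths start with a forward slash (/)")
    uri = f"icap://{host}:{port}{service_path}"
    return f"OPTIONS {uri} ICAP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_icap_response(raw):
    """Split a raw ICAP response into (status_code, reason, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), (parts[2] if len(parts) > 2 else ""), headers


def near_misses(requested, configured_paths):
    """Configured paths that differ from the request only by case or a trailing slash."""
    def fold(path):
        return path.rstrip("/").lower()
    return [p for p in configured_paths if p != requested and fold(p) == fold(requested)]


def diagnose(requested, raw_response, configured_paths, verb="OPTIONS"):
    """Map the reply to the troubleshooting steps in this section."""
    code, reason, headers = parse_icap_response(raw_response)
    if code == 200:
        return code, f"service found; Methods: {headers.get('methods', 'not advertised')}"
    if code == 404:
        close = near_misses(requested, configured_paths)
        if close:
            return code, (f"service not found; {requested} differs from {close[0]} "
                          "only by case or a trailing slash")
        return code, "service not found; check the path and that the service is enabled"
    if code == 405:
        return code, f"{verb} is not allowed for this service"
    if code == 503:
        return code, "service overloaded; connection limit exceeded"
    return code, f"see the status code table: {code} {reason}"


def probe(host, service_path, port=ICAP_DEFAULT_PORT, timeout=5.0):
    """Send OPTIONS to a live ICAP server and return the raw response header block."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(build_options_request(host, service_path, port))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


if __name__ == "__main__":
    print(diagnose("/REQMOD/", SAMPLE_404, CONFIGURED))
    print(diagnose("/REQMOD", SAMPLE_200, CONFIGURED))
```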
Mail issues
Why can I not just give the name of the sender that I want to block from relaying?
Think of anti-relay as system-to-system blocking, while anti-spam is sender-based blocking.
Anti-relay is configured using the domains and networks that the appliance delivers mail for,
while the anti-spam configuration blocks a message based on who sent it.
Email | Email Configuration | Receiving Email | Anti-Relay Settings [+]
Relaying email
Email | Email Policies | Scanning Policies [Spam]
Directory Harvest Prevention does not work
For Directory Harvest Prevention to work correctly, your email server must check for valid
recipients during the SMTP conversation, and then send a non-delivery report.
Some email servers do not send User unknown errors as part of the SMTP configuration.
These include (but might not be limited to):
• Microsoft Exchange 2000 and 2003 when using their default configuration.
• qmail.
• Lotus Domino.
Check the user documentation for your email server to see if your email server can be configured
to send 550 Recipient address rejected: User unknown reports as part of the SMTP
conversation when a message to an unknown recipient is encountered.
LDAP integration can provide a workaround for this.
Email | Email Configuration | Receiving Email | Recipient Authentication [+]
Directory harvest prevention
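To find out whether your own internal mail server rejects unknown recipients during the SMTP conversation, as Directory Harvest Prevention requires, you can check its reply to RCPT TO for an address you know does not exist. This is an added example, not part of the McAfee guide; the addresses and the `RecordedServer` stand-in with its canned replies are constructed, and no message is ever sent because the transaction is reset before DATA.

```python
import smtplib

REJECTS = "rejects unknown recipients during the SMTP conversation"
ACCEPTS = "accepts unknown recipients; any non-delivery report is sent later"
INCONCLUSIVE = "inconclusive; reply is neither an acceptance nor a 550 rejection"


def check_recipient_validation(smtp, sender, unknown_recipient):
    """Ask the server about one nonexistent recipient and classify its reply.

    `smtp` is a connected smtplib.SMTP object (or anything with the same
    ehlo/mail/rcpt/rset methods). Returns (reply_code, verdict).
    """
    smtp.ehlo()
    code, _ = smtp.mail(sender)
    if code != 250:
        smtp.rset()
        return code, INCONCLUSIVE
    code, _ = smtp.rcpt(unknown_recipient)
    smtp.rset()  # abandon the transaction: nothing is queued or delivered
    if code == 550:
        return code, REJECTS
    if 200 <= code < 300:
        return code, ACCEPTS
    return code, INCONCLUSIVE


def check_mail_server(host, sender, unknown_recipient, port=25, timeout=10):
    """Run the check against a live server that you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return check_recipient_validation(smtp, sender, unknown_recipient)


class RecordedServer:
    """Constructed stand-in that replays fixed replies, so the check runs offline."""

    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.commands = []

    def ehlo(self):
        self.commands.append("EHLO")
        return 250, b"mailstore.example.com"

    def mail(self, sender):
        self.commands.append("MAIL")
        return 250, b"Ok"

    def rcpt(self, recipient):
        self.commands.append("RCPT")
        return self.rcpt_reply

    def rset(self):
        self.commands.append("RSET")
        return 250, b"Ok"


if __name__ == "__main__":
    strict = RecordedServer((550, b"Recipient address rejected: User unknown"))
    lenient = RecordedServer((250, b"Ok"))
    for server in (strict, lenient):
        print(check_recipient_validation(
            server, "postmaster@example.com", "no-such-user@example.com"))
```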
Replication between mail servers is not working
If the appliance is between two Microsoft Exchange servers, ensure that the appliance does
not block the Extended SMTP (ESMTP) email headers. Allow the use of all the ESMTP extensions:
X-EXPS, X-LINK2STATE, XEXCH50, and CHUNKING.
Email | Email Configuration | Protocol Configuration | Protocol Settings [+]
Transparent Options [+] Advanced options
POP3
I have set up a dedicated POP3 connection, and POP3 no longer works
Check that the generic and dedicated servers do not share the same port. The default port
number for POP3 is 110. The dedicated server will override the generic server.
Email | Email Configuration | Protocol Configuration | Protocol Settings [+]
POP3 protocol settings
When fetching mail with Outlook Express over POP3, I sometimes get a time-out
message, giving me the option to Cancel or Wait
The appliance needs to download and scan the entire mail message before it can start passing
it to Outlook Express. For a large message or a slow mail server, this can take some time. Click
Wait to force Outlook Express to wait for the appliance to finish processing the message.
I sometimes get two copies of POP3 mail messages
Some mail clients do not handle time-outs correctly. If the appliance is downloading and scanning
a very large message, the client might time-out while waiting for a response.
A pop-up window prompts you to wait for or cancel the download. If you select Cancel and
try to download again, two copies of the message might appear in your mailbox.
General issues
The Back button on my browser does not take me to the previous page
This is a known issue with web browsers. McAfee recommends that you click the back arrow
in the top right corner of the appliance interface.
System maintenance
The appliance does not accept the HotFix file
Do not unzip the HotFix file before copying it to the appliance. The appliance accepts the original
file as you received it — with a .ZIP extension.
System | Component Management | Package Installer
How can I control the size of the appliance's log files?
The appliance stores its log files in a text-like (XML) format in a partition (/log) on its internal
disk. By default, the logs are purged every few days. The appliance issues warnings when its
areas are nearing full, typically at 75% and 90%.
McAfee recommends that you:
• Find the percentage usage of the logging partition.
• Limit the size of the log file, and take regular backups of the log.
• Adjust the warning levels.
Troubleshoot | Tools | Disk Space
System | Cluster Management | Backup and Restore Configuration
Dashboard [System Health] -- Edit
Getting more help — the user information bar
From the Resources link on the user information bar, you can access links to more sources of
information. You can:
• Access the McAfee online virus information library to find out more about a specific virus.
• Submit a virus sample to McAfee for analysis.
• Contact McAfee Technical Support.
See the Online help for more information.
700-2316A00