Watchguard QMS User guide

WatchGuard XCS 3.0 User Guide

WatchGuard QMS

3.0 User Guide

About this User Guide

For the most recent product documentation, see the WatchGuard QMS Help on the WatchGuard web

site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in

examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or

transmitted in any form or by any means, electronic or mechanical, for any purpose, without the

express written permission of WatchGuard Technologies, Inc.

Guide revised: 11/19/2013

Copyright, Trademark, and Patent Information

mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and

Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Note Thisproductisforindooruseonly.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content

security solutions that provide defense-in-depth and help meet

regulatory compliance requirements. The WatchGuard XTM

line combines firewall, VPN, GAV, IPS, spam blocking and

URL filtering to protect your network from spam, viruses,

malware, and intrusions. The new XCS line offers email and

web content security combined with data loss prevention.

WatchGuard extensible solutions scale to offer right-sized

security ranging from small businesses to enterprises with

10,000+ employees. WatchGuard builds simple, reliable, and

robust security appliances featuring fast implementation and

comprehensive management and reporting tools. Enterprises

throughout the world rely on our signature red boxes to

maximize security without sacrificing efficiency and

productivity.

For more information, please call 206.613.6600 or visit

www.watchguard.com.

Address

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

Support

www.watchguard.com/support

U.S. and Canada +877.232.3531

All Other Countries +1.206.521.3575

Sales

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.613.0895

ii WatchGuard QMS

User Guide iii

User Guide iv

Table of Contents

WatchGuard QMS Overview 1

User Accounts 2

Spam Digest Notifications 2

Spam Digest Templates 3

Policies 3

Trusted and Blocked Senders Lists 3

WatchGuard QMS Deployment 4

About IPv6 Support 5

WatchGuard QMSv 6

Installation Prerequisites for VMware 6

QMSv Device Installation Overview 7

Features Not Supported with WatchGuard QMSv 7

Getting Started 9

Before You Begin 9

Verify Basic Components 9

Hardware Installation 9

Get a Feature Key from LiveSecurity 11

Gather Network Addresses 11

Network Firewall Configuration 14

Installation 15

Connect the WatchGuard QMS 15

Default Network Settings 16

Start the Installation Wizard 17

Post-Installation Tasks 23

Add a Feature Key 23

Update a Feature Key 25

Troubleshoot Feature Key Updates 25

Remove a Feature Key 26

Security Connection 27

Software Updates 28

Install a Software Update 28

Delete a Software Update 29

Start Messaging System 30

Administration 31

Connect to the WatchGuard QMS 31

Navigate the Main Menu 32

Activity 32

Configuration 32

Administration 33

Support 34

WatchGuard QMS Console 35

Console Activity Page 35

Configure the Admin User 38

Add Admin Users 39

Log in with Tiered Admin Privileges 40

Admin User Automatic Logout and Lockout 40

Web Server 41

External Proxy Server 43

Customize the Web UI Interface 44

Regional Settings 46

Certificates 47

Root CACertificate Bundle (Advanced) 49

Network and Mail Settings 51

Network Configuration 51

Network Interface Configuration 53

Advanced Parameters 55

Support Access 55

Static Routes 57

Mail Delivery Settings 58

Default Mail Relay 58

Delivery Settings 58

Advanced Mail Delivery Options 61

System Variables for Notifications 64

v WatchGuard QMS

User Guide vi

Mail Access 66

Maximum message size 66

SMTP Banner 66

Queue Monitoring 66

User Accounts 69

Create User Accounts 69

Local User Accounts 70

Upload and Download User Lists 70

Automatic User Account Creation 71

LDAPUser Accounts 72

Define Directory Servers 72

Import Directory Users 73

Import Settings 75

Mirror LDAP Accounts as Local Users 75

LDAPAliases 76

Remote Authentication 78

Configure LDAP Authentication 78

WatchGuard XCS Configuration 81

QMSIntegration Wizard 81

WatchGuard QMS Configuration 83

Configure the WatchGuard QMS 83

Additional Quarantine Functions 86

Spam Digest Templates 87

Edit Templates 87

Template Text 88

Spam Digest Message 93

Trusted and Blocked Senders Lists 94

Upload Trusted and Blocked Senders Lists 95

Trusted and Blocked Sender List Downloads 95

Language Editor 96

User Quarantine Configuration 101

Enable User Quarantine Access 101

User Quarantine Management 102

Spam Quarantine 102

Quarantine Settings 103

Trusted and Blocked Senders List 103

Change Password 104

Administrative Links 105

Policies 107

Policy Overview 107

Policy Hierarchy 107

Multiple Group Policies 108

Configure Policies 109

Domain Policies 111

Upload and Download Domain Policy Lists 111

Group Policies 113

Re-order Groups 114

Assign Group Policies 115

Upload Group Policy Lists 115

Orphaned Groups 115

User Policies 116

Upload and Download User Address Lists 116

Policy Diagnostics 117

System Management 119

Backup 119

Backup File Name 119

Start a Backup 120

Restore from Backup 123

Backup and Restore Alarms and Errors 125

Daily Backup 126

Add a Feature Key 126

Update a Feature Key 129

Troubleshoot Feature Key Updates 129

Remove a Feature Key 130

Reboot and Shutdown 131

Security Connection 132

vii WatchGuard QMS

User Guide viii

Software Updates 133

Install a Software Update 133

Delete a Software Update 134

Reports and Logs 135

About Reports 135

Schedule Reports 137

Create a New Report 138

View Reports 140

Custom Report Logo 141

Configure Reports 142

Mail Logs 143

Search the Mail Log 144

System Logs 146

Search the System Log 146

WatchGuard QMS Logs 148

Previous Searches 149

Configure Logs 150

Offload (Backup) 150

Offload (Report) 151

Log Search Configuration 152

Monitoring 153

Dashboard 153

Recent Mail Activity 154

System Utilities 155

System Status 155

Messaging System Controls 155

Utilities 156

Diagnostics 156

Hostname Lookup 158

SMTP Probe 160

Ping Utility 161

Traceroute Utility 162

Mail Queue 163

Display Options 163

Manage the Quarantine 164

Message History 166

Email History Search 167

Advanced Search 167

Message History Search Tips 168

Message Details 169

System History 171

Syslog Host 173

SNMP (Simple Network Management Protocol) 174

Configure SNMP 175

Permitted Clients 175

Trap Hosts 176

MIB Files 176

Alarms 177

Configure Alarms 178

Alarms List 178

Problem Reporting 180

ix WatchGuard QMS

User Guide 1

1

WatchGuard QMS Overview

The WatchGuard QMS device enables spam messages from the WatchGuard XCS to be directed to a

local quarantine area that provides spam storage for each individual user. Because spam filters

occasionally result in false positives (legitimate email classified as spam), spam quarantine gives end

users the ability to manage their quarantined message. They can identify and release any false

positives and delete actual spam messages.

The WatchGuard QMS offloads spam quarantine resources to a separate system to relieve processing

and disk space on the primary WatchGuard XCS system or cluster.

When integrated with the WatchGuard XCS, the Intercept Anti-Spam engine redirects messages for a

specific spam classification to the WatchGuard QMS. For example, messages in the Probably Spam

category can be quarantined to allow users to review them at a later time and either delete them or

release them to their inbox.

Spam digest notifications are sent periodically to end users. End users can then review, delete, and

release mail, or add a sender to their trusted or blocked senders list. End users can log in to the

WatchGuard QMS to manage their specific quarantine settings, select the language template for their

spam digest message, and manage their trusted and blocked senders lists. The WatchGuard QMS

supports organizations with both single and multiple domains.

User Accounts

The WatchGuard QMS requires a user account for each user to store their quarantined spam

messages. There are three ways to add accounts to the WatchGuard QMS:

n Manual creation of Local Accounts — Administrators can manually add each local user

account or use uploaded lists. This method is recommended only for small deployments with a

manageable number of users.

n Automatic creation of Local Accounts — If the WatchGuard QMS receives a message to be

quarantined and that user account does not already exist, the WatchGuard QMS can

automatically create a local account based on the email address of a recipient. This method is

recommended for organizations that do not use LDAP directory services or organizations that

support multiple independent domains.

Note The user cannot log in to this account until the administrator assigns apassword for the

account, or configures the system to automatically generate a password forthe user.

n LDAP Import of User Accounts — User account information can be imported from an LDAP

directory and the accounts mirrored locally on the WatchGuard QMS. Remote authentication

can be enabled to authenticate users with the LDAP directory server when they log in to the

WatchGuard QMS.

Spam Digest Notifications

The spam digest is a notification sent out from the WatchGuard QMS to each user. It identifies how

many messages are currently in the spam quarantine area for that user, and displays the message

headers of each message (such as the Sender and Subject fields) for the user to review. With the

spam digest message, users do not have to log in to the WatchGuard QMS to manage the spam in

their quarantine area.

From the links in the spam digest message, users can perform any of these tasks:

n View — Displays the contents of a message.

n Not Spam — Delivers a message to the inbox and adds the sender to the trusted senders list

for that user.

n Delete — Deletes the message from the quarantine.

n Delete All — Deletes all the spam messages shown in the digest message. This link is located

at the end of the digest.

n Block — Adds the sender to the blocked senders list for that user.

WatchGuard QMS Overview

2 WatchGuard QMS

WatchGuard QMS Overview

User Guide 3

Spam Digest Templates

Administrators can customize the templates for the spam digest message. Administrators can apply

separate spam digest templates for different domains or users with the policy feature of the

WatchGuard QMS.

The templates are also used to create spam digest messages in different languages. The templates

are in HTML-like format. They include several customized variables and controls to provide a default

template of the content that is sent to end users as part of the spam digest message.

Language Support

The WatchGuard QMS provides support for several different languages for use with the spam digest

notification message. Users can specify the language in which they prefer to receive the spam digest.

With policies, administrators can apply separate language templates for different domains and users.

The default templates offer these languages:

n Danish

n English

n Finnish

n French

n German

n Italian

n Japanese

n Norwegian

n Spanish

n Swedish

Policies

Powerful policy features enable administrators to create spam quarantine policies for multiple domains

or users. System settings, such as expiry times, disk space quotas, and spam digest message

templates, can be applied to different domains and users. For example, some users can have different

disk quotas set depending on how much spam they receive. Spam summary templates can be

customized for different domains and include support for multiple languages.

Trusted and Blocked Senders Lists

With the Trusted Senders List, end users can add specific email addresses that are trusted for Anti-

Spam processing purposes. With the Blocked Senders List, end users can specify a list of addresses

from which they do not want to receive mail. These senders are blocked and cannot send mail to that

specific user through the WatchGuard XCS. If a sender is on the blocked senders list, the message

can either be rejected with notification or discarded by the WatchGuard XCS.

End users can log in to the WatchGuard QMS and create their own list of trusted and blocked senders.

These lists can be imported by the WatchGuard XCS to provide a global trusted and blocked senders

list that is used when the WatchGuard XCS processes new mail.

Note The Trusted/Blocked Senders List on the WatchGuard QMS must be imported to the

WatchGuard XCS system used with the WatchGuard QMS. The lists are applied as

the message arrives on the WatchGuard XCS.

WatchGuard QMS Deployment

There are two primary ways that theWatchGuard QMS can be deployed: as an internal deployment or

as a hosted deployment.

Internal Deployment

With a basic internal deployment, the WatchGuard QMS is installed on the same network as the

WatchGuard XCS. Incoming mail is processed by the WatchGuard XCS and any spam to be

quarantined is redirected from the WatchGuard XCS to the WatchGuard QMS. Spam digest

notifications and released messages from the quarantine are delivered through the WatchGuard XCS

to the internal mail servers, where they are received by the end user. End users can log in to the

WatchGuard QMS to manage their specific quarantine settings, select the language template for their

spam digest message, and manage their trusted and blocked senders lists.

Hosted Deployment

With a hosted service deployment, the WatchGuard QMS is deployed at the same location as the

WatchGuard XCS and is accessible to external hosted servers and users. The WatchGuard QMS

must supports multiple domains because the WatchGuard XCS processes and routes all mail to the

recipient domain email servers.

WatchGuard QMS Overview

4 WatchGuard QMS

WatchGuard QMS Overview

User Guide 5

About IPv6 Support

The WatchGuard QMS supports the IPv6 protocol. You can assign an IPv6 address to any network

interface, and most QMS features support the use of IPv6 addresses in their configuration.

n Static IPv6 addresses can be assigned to a network interface.

n IPv6 static routes can be configured.

n The WatchGuard QMS supports Dual Stack Mode where network interfaces can have both

IPv4 and IPv6 addresses and both IPv4 and IPv6 connections can be made simultaneously. By

default, IPv6 connections are used in preference over IPv4. You can modify this behavior in the

advanced network settings.

n At least one interface must be designated as IPv4 or IPv4 and IPV6 interface mode.

IPv6 Support Notes

n Auto-configuration of IPv6 addresses from compatible IPv6 routers is not supported.

n IPv6 configuration is not available on the system console.

n IPv6 to IPv4 tunneling is not supported.

These features and third-party services currently do not support IPv6.

n WatchGuard Security Connection for software updates

WatchGuard QMSv

WatchGuard QMSv provides the following features and benefits:

n Automated, intelligent and easy-to-use virtual email quarantine appliance that allows messages

containing unwanted content, including spam, phishing, messages with attachments, and other

unwanted or large email messages to be directed to a local quarantine server.

n Provides a secure holding area for messages containing suspected threats or spam, and

enables flexible control and maximum threat protection, with self-service capabilities that

enable end users to manage their own quarantined messages. End users can identify and

release any false positives from the quarantine, and delete messages that are actually spam.

n Delivers the same email quarantine capabilities as the WatchGuard QMS hardware appliances,

and combines the many benefits of virtualization, including cost savings, rapid deployment and

provisioning, and simplified change management.

n Fully integrates with WatchGuard XCS content security appliances or any other email security

gateway, and provides ease of deployment for VMware’s virtualization products. By offloading

spam quarantine resources to a separate system, the WatchGuard QMSv reduces processing

load and disk space usage on the primary email security system.

Installation Prerequisites for VMware

You must install the QMSv virtual device in a VMware environment that meets these requirements.

VMware

n To install an QMSv virtual device, you must have a VMware vSphere/ESXi v4.1 Update 2 (or

later version) host installed on any supported server hardware. Make sure your vSphere/ESXi

software is updated to the latest patch level.

n You must also install the VMware vSphere Client 4.1 (or later version) on a supported Windows

computer.

n VMware Tools is installed by default with the QMSv virtual device. VMware Tools is a suite of

utilities that enhances and improves the performance and management of the virtual machine,

and includes the ability to cleanly power off or reset the guest operating system software from

the host system.

Hardware

n The hardware requirements for QMSv are the same as the hardware requirements for VMware

vSphere/ESXi.

n For information about VMware hardware compatibility, see the VMware Compatibility Guide at:

http://www.vmware.com/resources/compatibility/search.php

n WatchGuardQMSv requires that yourhost hardwaresupports Intel Virtualization Technology

(Intel VT)orAMD Virtualization (AMD-V)andhas theseoptions enabledinthehost system BIOS.

n For more information about Intel VT compatibility, see the Intel Virtualization Technology

List at: http://ark.intel.com/VTList.aspx

n AMD-V is supported in all K8 AMD (Athlon 64) processors from revision F, and all newer

processors support AMD-V technology.

WatchGuard QMS Overview

6 WatchGuard QMS

WatchGuard QMS Overview

User Guide 7

QMSv Device Installation Overview

For VMware, WatchGuard distributes QMSv as an OVF template file. To complete initial installation on

VMware, you must perform these procedures:

1. In the VMware vSphere client, deploy the QMSv OVF template file to the VMware host.

2. Perform any resource allocation (CPU, memory, disk) modifications on the VMware host.

3. Power on the QMSv virtual machine.

4. Connect to the QMSv device to run the Setup Wizard.

For detailed steps to set up an QMSv device, see the WatchGuard QMSv Setup Guide available at

http://www.watchguard.com/help/documentation.

Features Not Supported with WatchGuard QMSv

These features are not supported for use with WatchGuard QMSv :

General

n Network storage disks for the virtual host.

n QMSv console options:

n Serial console — This feature is redundant with the physical host system serial console.

n UPS configuration — UPS communications must be configured on the physical host

system.

VMware

n vMotion for virtual device migration between VMware hosts.

n You cannot set the SMBIOS.reflectHost setting in VMware. This interferes with product

identification and licensing.

WatchGuard QMS Overview

User Guide 8

Getting Started

User Guide 9

2

Getting Started

Before You Begin

Before you begin the installation process, make sure you do the tasks described in the subsequent

sections.

Verify Basic Components

Make sure that you have:

n A computer with an Ethernet network interface card and a web browser installed

n A WatchGuard QMS device or QMSv virtual host system

n Ethernet cables

n Power cables

You can also attach an optional monitor and keyboard (USB or PS/2) to get access to the WatchGuard

QMS console.

Hardware Installation

For detailed instructions on how to install the WatchGuard QMS device in an equipment rack, see the

Hardware Guide. For the QMS v, see the QMS v Setup Guide for detailed information on hardware

requirements and how to set up your virtual host system.

Physical Location

To safely install your WatchGuard QMS device or QMS v virtual host system, we recommend you

select a physical location that meets these specifications:

n Install the device in a secure location, for example, in a locked equipment rack or a secure

server room.

n Make sure that the network connections are secure, and the network hubs and switches are in

the same secure location. Any network patch cables should be of the appropriate length (as

short as possible).

n If a monitor and keyboard are attached to the device for console use, make sure that keystroke

logging devices cannot be added to the keyboard connection. Connect the monitor and

keyboard directly to the device.

n Use the Web UI only in a secure location at a trusted workstation. Do not use the Web UI in any

location where the administrative session can be monitored physically or electronically.

Connect the Network Interfaces

Before installation, make sure that you physically connect at least one of the network interfaces to the

network.

When you install your device, we recommend you use the first onboard Ethernet network interface at

the left of the device (NIC 1) to connect to your network. This is the first default interface assigned by

the WatchGuard QMS . After you complete the installation, you can configure additional network

interfaces.

Getting Started

10 WatchGuard QMS

Getting Started

User Guide 11

Get a Feature Key from LiveSecurity

A feature key is a license that enables you to activate your purchased feature set on your WatchGuard

QMS . You must register the device serial number on the WatchGuard LiveSecurity web site and

retrieve your feature key before adding it to the WatchGuard QMS .

Note A feature key is not required for WatchGuard QMSv.

To retrieve a feature key from the LiveSecurity web site:

1. Open a web browser and go to https://www.watchguard.com/activate.

Note Make sure you can access the Internet if the device is installed behind a network

firewall, or connects through an external proxy server.

2. If you have not already logged in to LiveSecurity.

The LiveSecurity Log In page appears.

3. Enter your LiveSecurity user name and password.

The Activate Products page appears.

4. Enter the serial number for the product, including the hyphens.

5. Click Continue.

The Choose Product to Upgrade page appears.

6. In the drop-down list, select the WatchGuard QMS.

7. Click Activate.

The Retrieve Feature Key page appears.

8. Copy the full feature key to a text file and save it on your computer.

9. Click Finish.

Gather Network Addresses

Before you start the installation, make sure you have this information about your network:

Hostname

The hostname assigned to the device. For example, if the FQDN (Fully Qualified Domain

Name) is hostname.example.com, use hostname.

Page is loading ...

Watchguard QMS User guide

Watchguard QMS User guide

Related papers

Other documents