McAfee Email and Web Security Appliance 5.1 Installation guide

COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
Preface
Using this guide
Audience
Graphical conventions
Documentation
Pre-installation
What’s in the box
Plan the installation
Inappropriate use
Operating conditions
Positioning the appliance
Considerations about Network Modes
Transparent bridge mode
Transparent router mode
Explicit proxy mode
Deployment Strategies for Using the Appliance in a DMZ
SMTP configuration in a DMZ
Connecting and Configuring the Appliance
Installation quick reference table
Ports and Connections
3000, 3100 panel layout
3200 panel layout
3300 and 3400 panel layout
Panel components: 3000, 3100, 3200, 3300, 3400
Physically installing the appliance
Connect to the network
Port numbers
Using Copper LAN connections
Using Fiber LAN connections
Monitor and keyboard
Supplying power to the appliance
Installing the software
Using the Configuration Console
Configurable settings
Configuring the appliance using the Setup Wizard
Logging on to the Setup Wizard
Welcome page
Performing a standard installation
Performing a custom setup
Using the Appliance
Updates and HotFixes
After installation
Testing the Configuration
Introducing the user interface
Testing the appliance
Exploring the Appliance
Generating reports
Further report information
Using policies to manage message scanning
Creating an anti-virus scanning policy
Creating an anti-spam scanning policy
Creating an email compliance policy
Creating a content filtering policy
Troubleshooting
General problems
The appliance is not receiving power
The appliance is not receiving traffic from the network
FAQ
General issues
Interface problems
Mail issues
Delivery
Email attachments
POP3
Physical configuration
System configuration
System maintenance
Anti-virus automatic updating
Anti-spam
Getting more help - the links bar
Preface
This guide provides the necessary information for installing the McAfee® Email and Web Security
Appliance 5.1. It provides steps and verification of the installation process.
This guide demonstrates how to configure the Email and Web Security software; on completion,
the user will have a fully functional appliance.
Contents
Using this guide
Audience
Graphical conventions
Documentation
Using this guide
This guide helps you to:
- Understand the appliance features and functions.
- Plan and perform the appliance installation and deployment.
- Begin to use the appliance.
- Test the appliance in a laboratory environment (optional).
You can find additional information about McAfee Email and Web Security Appliance scanning
features in the online help. This includes information about:
- Basic concepts
- Policies
- Protocols (SMTP, POP3, FTP, HTTP and ICAP)
- Maintenance
- Monitoring
Audience
The information in this guide is intended primarily for network administrators who are responsible
for their company’s anti-virus and security program.
Graphical conventions
Figures in this guide use the following symbols.
- Appliance
- Internet
- Mail server
- Other server (such as DNS server)
- User or client computer
- Router
- Switch
- Firewall
- Network zone (DMZ or VLAN)
- Network
- Actual data path
- Perceived data path
Documentation
This Installation Guide is included with your appliance. Additional information is available in the
online help, and other documentation available from the documentation CD.
Pre-installation
To ensure the safe operation of the Email and Web Security Appliance, consider the following
before you begin the installation.
- Familiarize yourself with its operational modes and capabilities. It is important that you choose a valid configuration.
- Decide how to integrate the appliance into your network and determine what information you need before you start. For example, the name and IP address for the appliance.
- Unpack the appliance as close to its intended location as possible.
- Remove the appliance from any protective packaging and place it on a flat surface.
- Observe all provided safety warnings.
CAUTION: Review and be familiar with all safety information provided.
Contents
What’s in the box
Plan the installation
Inappropriate use
Operating conditions
Positioning the appliance
What’s in the box
To check that all appliance components were delivered, refer to the packing list supplied with
your appliance.
Generally, you should have:
- An appliance
- Power cords
- Network cables
- Secure Messaging Gateway v5.0 installation and recovery CD
- Linux source code CD
- Quarantine Manager v5.0 CD
- Documentation CD
If an item is missing or damaged, contact your supplier.
Plan the installation
Before unpacking your appliance, it is important to plan the installation and deployment.
Consider the following:
- How you need to prepare your site.
- Environmental requirements.
- Power requirements and considerations.
- Hardware specifications and requirements.
- Configuration scenarios.
- Preparing for installation.
Inappropriate use
The appliance is:
- Not a firewall. You must use it within your organization behind a correctly configured firewall.
- Not a server for storing extra software and files. Do not install any software on the appliance or add any extra files to it unless instructed by the product documentation or your support representative.
The appliance cannot handle all types of traffic. If you use explicit proxy mode, only protocols
that are to be scanned should be sent to the appliance.
Operating conditions
Temperature: 10 to 35°C (50 to 95°F).
Relative humidity: 20% to 80% (non-condensing) with a maximum humidity gradient of 10% per hour.
Maximum vibration: 0.25 G at 3–200 Hz for 15 minutes.
Maximum shock: One shock pulse in the positive z axis (one pulse on each side of the unit) of 31 G for up to 2.6 ms.
Altitude: -16 to 3,048 m (-50 to 10,000 ft.).
Positioning the appliance
Install the appliance so that you can control physical access to the unit and access the ports
and connections.
A rack-mounting kit is supplied with the appliance, allowing you to install the appliance in a
19-inch rack (see Mounting the appliance in a rack).
Considerations about Network Modes
Before you install and configure your appliance, you must decide which network mode to use.
The mode you choose determines how you physically connect your appliance to your network.
You can choose from the following network modes.
- Transparent bridge mode: the appliance acts as an Ethernet bridge.
- Transparent router mode: the appliance acts as a router.
- Explicit proxy mode: the appliance acts as a proxy server and a mail relay.
If you are still unsure about the mode to use after reading this and the following sections,
consult your network expert.
Architectural considerations about network modes
The main considerations regarding the network modes are:
- Whether communicating devices are aware of the existence of the appliance. That is, if the appliance is operating in one of the transparent modes.
- How the appliance physically connects to your network.
- The configuration needed to incorporate the appliance into your network.
- Where the configuration takes place in the network.
Considerations before changing network modes
In explicit proxy and transparent router modes, you can set up the appliance to sit on more
than one network by setting up multiple IP addresses for the LAN1 and LAN2 ports.
If you change to transparent bridge mode from explicit proxy or transparent router mode, only
the enabled IP addresses for each port are carried over.
TIP: After you select an operational mode, McAfee recommends not changing it unless you
move the appliance or restructure your network.
Contents
Transparent bridge mode
Transparent router mode
Explicit proxy mode
Transparent bridge mode
In transparent bridge mode, the communicating devices are unaware of the appliance: the
appliance’s operation is transparent to the devices.
Figure 1: Transparent communication
In Figure 1: Transparent communication, the external mail server (A) sends email messages
to the internal mail server (C). The external mail server is unaware that the email message is
intercepted and scanned by the appliance (B).
The external mail server seems to communicate directly with the internal mail server (the
path is shown as a dotted line). In reality, traffic might pass through several network devices
and be intercepted and scanned by the appliance before reaching the internal mail server.
What the appliance does
In transparent bridge mode, the appliance connects to your network using the LAN1 and LAN2
ports. The appliance scans the traffic it receives, and acts as a bridge connecting two separate
physical networks, but treats them as a single logical network.
Configuration
Transparent bridge mode requires less configuration than transparent router and explicit proxy
modes. You do not need to reconfigure all your clients, default gateway, MX records, Firewall
NAT or mail servers to send traffic to the appliance. Because the appliance is not a router in
this mode, you do not need to update a routing table.
Where to place the appliance
For security reasons, you must use the appliance inside your organization, behind a firewall.
Figure 2: Single logical network
TIP: In transparent bridge mode, position the appliance between the firewall and your router,
as shown in Figure 2: Single logical network.
In this mode, you physically connect two network segments to the appliance, and the appliance
treats them as one logical network. Because the devices (firewall, appliance, and router)
are on the same logical network, they must all have compatible IP addresses on the same
subnet.
Devices on one side of the bridge (such as a router) that communicate with devices on the
other side of the bridge (such as a firewall) are unaware of the bridge. They are unaware that
traffic is intercepted and scanned, therefore the appliance is said to operate as a transparent
bridge.
Figure 3: Transparent bridge mode
Transparent router mode
In transparent router mode, the appliance scans email traffic between two networks. The
appliance has one IP address for outgoing scanned traffic, and must have one IP address for
incoming traffic.
The communicating network devices are unaware of the intervention of the appliance: the
appliance’s operation is transparent to the devices.
What the appliance does
In transparent router mode, the appliance connects to your networks using the LAN1 and LAN2
ports. The appliance scans the traffic it receives on one network, and forwards it to the next
network device on a different network. The appliance acts as a router, routing the traffic between
networks, based on the information held in its routing tables.
Configuration
Using transparent router mode, you do not need to explicitly reconfigure your network devices
to send traffic to the appliance. You need only configure the routing table for the appliance,
and modify some routing information for the network devices on either side of it (the devices
connected to its LAN1 and LAN2 ports). For example, you might need to make the appliance
your default gateway.
In transparent router mode, the appliance must join two networks. The appliance must be
positioned inside your organization, behind a firewall.
NOTE: Transparent router mode does not support Multicast IP traffic or non-IP protocols, such
as NETBEUI and IPX.
Where to place the appliance
Use the appliance in transparent router mode to replace an existing router on your network.
TIP: If you use transparent router mode and you do not replace an existing router, you must
reconfigure part of your network to route traffic correctly through the appliance.
Figure 4: Transparent router mode configuration
You need to:
- Configure your client devices to point to the default gateway.
- Configure the appliance to use the Internet gateway as its default gateway.
- Ensure your client devices can deliver email messages to the mail servers within your organization.
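The addressing constraints stated for the two transparent modes can be checked before cabling. The following is an added example, not part of the original guide or of McAfee's software: it validates a planned set of addresses against the bridge-mode rule (firewall, appliance and router on the same subnet) and the router-mode rule (the appliance joins two networks and has a default gateway). Function names and all addresses are assumptions made for illustration.

```python
import ipaddress


def _host_problems(name, iface):
    """Flag an address that is the network or broadcast address of its subnet."""
    net = iface.network
    if net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
        return [f"{name}: {iface.ip} is the network or broadcast address of {net}"]
    return []


def check_bridge_plan(firewall, appliance, router):
    """Transparent bridge mode: firewall, appliance and router form one logical
    network, so every address must fall in the same subnet and be unique.
    Arguments are CIDR interface strings such as "192.0.2.1/24"."""
    ifaces = {
        "firewall": ipaddress.ip_interface(firewall),
        "appliance": ipaddress.ip_interface(appliance),
        "router": ipaddress.ip_interface(router),
    }
    subnet = ifaces["appliance"].network
    problems, owners = [], {}
    for name, iface in ifaces.items():
        problems += _host_problems(name, iface)
        # A different prefix length also counts as a different subnet.
        if iface.network != subnet:
            problems.append(f"{name}: {iface} is outside the appliance subnet {subnet}")
        if iface.ip in owners:
            problems.append(f"{name}: {iface.ip} is already used by {owners[iface.ip]}")
        owners.setdefault(iface.ip, name)
    return problems


def check_router_plan(lan1, lan2, default_gateway):
    """Transparent router mode: LAN1 and LAN2 must sit on two distinct networks.
    Assumption (general IP routing, not stated in the guide): the appliance's
    default gateway has to be directly reachable on one of those networks."""
    a = ipaddress.ip_interface(lan1)
    b = ipaddress.ip_interface(lan2)
    gw = ipaddress.ip_address(default_gateway)
    problems = _host_problems("LAN1", a) + _host_problems("LAN2", b)
    if a.version == b.version and a.network.overlaps(b.network):
        problems.append(f"LAN1 {a.network} and LAN2 {b.network} overlap; "
                        "router mode needs two separate networks")
    if gw in (a.ip, b.ip):
        problems.append(f"default gateway {gw} is the appliance's own address")
    elif gw not in a.network and gw not in b.network:
        problems.append(f"default gateway {gw} is not on a network attached to LAN1 or LAN2")
    return problems


if __name__ == "__main__":
    # Constructed sample plans (documentation and private address ranges).
    print(check_bridge_plan("192.0.2.1/24", "192.0.2.2/24", "198.51.100.3/24"))
    print(check_router_plan("10.0.1.1/24", "192.0.2.2/24", "192.0.2.1"))
```

An empty list means the plan satisfies the checks; each string in a non-empty list names the device and the constraint it breaks.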
Explicit proxy mode
In explicit proxy mode, some network devices must be set up explicitly to send traffic to the
appliance. The appliance then works as a proxy or relay, processing traffic on behalf of the
devices.
Explicit proxy mode is best suited to networks where client devices connect to the appliance
through a single upstream and downstream device.
TIP: This might not be the best option if several network devices must be reconfigured to send
traffic to the appliance.
Network and device configuration
If the appliance is set to explicit proxy mode, you must explicitly configure your internal mail
server to relay email traffic to the appliance. The appliance scans the email traffic before
forwarding it, on behalf of the sender, to the external mail server. The external mail server then
forwards the email message to the recipient.
In a similar way, the network must be configured so that incoming email messages from the
Internet are delivered to the appliance, not the internal mail server.
Figure 5: Relaying email traffic
The appliance scans the traffic before forwarding it, on behalf of the sender, to the internal
mail server for delivery, as shown in Figure 5: Relaying email traffic.
For example, an external mail server can communicate directly with the appliance, although
traffic might pass through several network devices before reaching the appliance. The perceived
path is from the external mail server to the appliance.
Protocols
To scan a supported protocol, you must configure your other network devices or client computers
to route that protocol through the appliance, so that no traffic bypasses the appliance.
Firewall rules
Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The
firewall sees only the IP address information for the appliance, not the IP addresses of the
clients, so the firewall cannot apply its Internet access rules to the clients.
Where to place the appliance
Configure the network devices so that traffic needing to be scanned is sent to the appliance.
This is more important than the location of the appliance.
The router must allow all users to connect to the appliance.
Figure 6: Explicit proxy configuration
The appliance must be positioned inside your organization, behind a firewall, as shown in Figure
6: Explicit proxy configuration.
Typically, the firewall is configured to block traffic that does not come directly from the appliance.
If you are unsure about your network’s topology and how to integrate the appliance, consult
your network expert.
Use this configuration if:
- The appliance is operating in explicit proxy mode.
- You are using email (SMTP).
For this configuration, you must:
- Configure the external Domain Name System (DNS) servers or Network Address Translation (NAT) on the firewall so that the external mail server delivers mail to the appliance, not to the internal mail server.
- Configure the internal mail servers to send email messages to the appliance. That is, the internal mail servers must use the appliance as a smart host. Ensure that your client devices can deliver email messages to the mail servers within your organization.
- Ensure that your firewall rules are updated. The firewall must accept traffic from the appliance, but must not accept traffic that comes directly from the client devices. Set up rules to prevent unwanted traffic entering your organization.
Deployment Strategies for Using the Appliance in a DMZ
A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including
the Internet and other internal networks. The typical goal behind the implementation of a DMZ
is to lock down access to servers that provide services to the Internet, such as email.
Hackers often gain access to networks by identifying the TCP/UDP ports on which applications
are listening for requests, then exploiting known vulnerabilities in applications. Firewalls
dramatically reduce the risk of such exploits by controlling access to specific ports on specific
servers.
The appliance can be added easily to a DMZ configuration. The way you use the appliance in
a DMZ depends on the protocols you intend to scan.
Contents
SMTP configuration in a DMZ
SMTP configuration in a DMZ
The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall
for the second time (on its way from the DMZ to the internal network), it has been encrypted.
Appliances which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode.
Configuration changes need only be made to the MX records for the mail servers.
NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if
you do not control the flow of traffic correctly, the appliance scans every message twice, once
in each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.
Mail relay
Figure 7: Appliance in explicit proxy configuration in a DMZ
If you have a mail relay already set up in your DMZ, you can replace the relay with the appliance.
To use your existing firewall policies, give the appliance the same IP address as the mail relay.
Mail gateway
SMTP does not provide methods to encrypt mail messages; you can use Transport Layer
Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do
not allow such traffic on their internal network. To overcome this, they often use a proprietary
mail gateway, such as Lotus Notes® or Microsoft® Exchange, to encrypt the mail traffic before
it reaches the internal network.
To implement a DMZ configuration using a proprietary mail gateway, add the appliance to the
DMZ on the SMTP side of the gateway.
Figure 8: Protecting a mail gateway in DMZ
In this situation, configure:
- The public MX records to instruct external mail servers to send all inbound mail to the appliance (instead of the gateway).
- The appliance to forward all inbound mail to the mail gateway, and deliver all outbound mail using DNS or an external relay.
- The mail gateway to forward all inbound mail to the internal mail servers and all other (outbound) mail to the appliance.
- The firewall to allow inbound mail that is destined for the appliance only.
NOTE: Firewalls configured to use Network Address Translation (NAT), and that redirect inbound
mail to internal mail servers, do not need their public MX records reconfigured. This is because
they are directing traffic to the firewall rather than the mail gateway itself. In this case, the
firewall must instead be reconfigured to direct inbound mail requests to the appliance.
Firewall rules specific to Lotus Notes
By default, Lotus Notes servers communicate over TCP port 1352. The firewall rules typically
used to secure Notes servers in a DMZ allow the following through the firewall:
- Inbound SMTP requests (TCP port 25) originating from the Internet and destined for the appliance.
- TCP port 1352 requests originating from the Notes gateway and destined for an internal Notes server.
- TCP port 1352 requests originating from an internal Notes server and destined for the Notes gateway.
- SMTP requests originating from the appliance and destined for the Internet.
All other SMTP and TCP port 1352 requests are denied.
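The rule set above can be written down as a small policy table and replayed against expected flows, which is a convenient way to review a firewall change before it goes live. This is an added example, not part of the original guide: the zone names, the addresses and the function names are constructed assumptions, and only flows that cross the firewall are modelled. It also covers the explicit proxy requirement stated earlier, that the firewall accepts mail from the appliance but not directly from client devices.

```python
import ipaddress

# Constructed addressing plan (assumption). First match wins, so single hosts
# are listed before the ranges that contain them.
ZONES = [
    ("appliance", ipaddress.ip_network("192.0.2.10/32")),
    ("notes_gateway", ipaddress.ip_network("192.0.2.20/32")),
    ("internal_notes", ipaddress.ip_network("10.0.0.5/32")),
    ("internal_other", ipaddress.ip_network("10.0.0.0/8")),
]

# The four permitted flows from the list above: (source zone, destination zone, TCP port).
RULES = {
    ("internet", "appliance", 25),
    ("notes_gateway", "internal_notes", 1352),
    ("internal_notes", "notes_gateway", 1352),
    ("appliance", "internet", 25),
}

# "All other SMTP and TCP port 1352 requests are denied."
CONTROLLED_PORTS = {25, 1352}


def zone_of(addr):
    """Map an IP address to a zone name; anything unlisted is the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    return "internet"


def verdict(src, dst, dport):
    """Return 'allow', 'deny', or 'out-of-scope' for ports these rules do not cover."""
    if dport not in CONTROLLED_PORTS:
        return "out-of-scope"
    return "allow" if (zone_of(src), zone_of(dst), dport) in RULES else "deny"


def audit(expectations):
    """Replay (src, dst, dport, expected) tuples and return every mismatch as
    (src, dst, dport, expected, actual)."""
    mismatches = []
    for src, dst, dport, expected in expectations:
        actual = verdict(src, dst, dport)
        if actual != expected:
            mismatches.append((src, dst, dport, expected, actual))
    return mismatches


# Constructed flows with the outcome the policy is meant to produce.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", 25, "allow"),    # Internet mail to the appliance
    ("203.0.113.7", "192.0.2.20", 25, "deny"),     # Internet mail straight to the gateway
    ("203.0.113.7", "10.0.0.5", 25, "deny"),       # Internet mail straight to an internal server
    ("10.0.1.50", "203.0.113.7", 25, "deny"),      # client bypassing the appliance
    ("192.0.2.10", "203.0.113.7", 25, "allow"),    # appliance delivering outbound mail
    ("192.0.2.20", "10.0.0.5", 1352, "allow"),     # Notes gateway to internal Notes server
    ("10.0.0.5", "192.0.2.20", 1352, "allow"),     # internal Notes server to Notes gateway
    ("203.0.113.7", "192.0.2.20", 1352, "deny"),   # Notes port from the Internet
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print("MISMATCH", row)
```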
Firewall rules specific to Microsoft Exchange
A Microsoft Exchange-based mail system requires a significant workaround.
When Exchange servers communicate with each other, they send their initial packets using the
RPC protocol (TCP port 135). However, once the initial communication is established, two ports
are chosen dynamically and used to send all subsequent packets for the remainder of the
communication. You cannot configure a firewall to recognize these dynamically-chosen ports.
Therefore, the firewall does not pass the packets.
The workaround is to modify the registry on each of the Exchange servers communicating
across the firewall to always use the same two “dynamic” ports, then open TCP 135 and these
two ports on the firewall.
We mention this workaround to provide a comprehensive explanation, but we do not recommend
it. The RPC protocol is widespread on Microsoft networks, and opening TCP 135 inbound is a red
flag to most security professionals.
If you intend to use this workaround, details can be found in the following Knowledge Base
articles on the Microsoft website:
Q155831
Q176466
Connecting and Configuring the Appliance
We recommend that you consider installing the appliance in the following order:
1 Unpack the appliance and confirm no parts are missing (check against parts lists in the
box).
2 Rack-mount the appliance.
3 Connect the peripherals and power (monitor, keyboard).
4 Connect the appliance to the network, noting deployment scenarios and intended network
mode.
5 Install the software onto the appliance.
6 Use the Configuration Console to carry out the basic configuration (server name, IP
addresses, gateway, and so on).
7 Connect to the administration interface.
8 Run the Setup Wizard.
9 Route test network traffic through the appliance.
10 Test that the network traffic is being scanned.
11 Configure policies and reporting.
12 Route production traffic through the appliance.
CAUTION: Connecting the appliance to your network can disrupt Internet access or other
network services. Ensure that you have arranged network down-time for this, and that you
schedule this during periods of low network usage.
Contents
Installation quick reference table
Physically installing the appliance
Connect to the network
Supplying power to the appliance
Installation quick reference table
To install the appliance, go through the steps in this table:
| Step | This step ... | is described here ... |
|---|---|---|
| 1. | Unpack the pallet and check the contents against the parts lists in the box. | What’s in the box |
| 2. | Rack-mount the appliance. | Mounting the appliance in a rack |
| 3. | Connect the peripherals and power. | Monitor and keyboard |
| 4. | Connect the appliance to the network. | Connect to the network |
| 5. | Install the software. | Installing the software |
| 6. | Perform basic configuration. | Using the Configuration Console |
| 7. | Connect to the administration interface. | Configuring the appliance using the Setup Wizard |
| 8. | Run the Setup Wizard. | Configuring the appliance using the Setup Wizard |
| 12. | Route the test network traffic through the appliance. | Testing the appliance |
| 13. | Test that the network traffic is being scanned. | Testing the appliance |
| 14. | Configure policies and reporting. | Using policies to manage message scanning |
| 15. | Configure production traffic through the system. | Configuring the appliance using the Setup Wizard |
Ports and Connections
This chapter shows the panel layouts for each model of appliance.
3000, 3100 panel layout
3200 panel layout
3300 and 3400 panel layout
Panel components: 3000, 3100, 3200, 3300, 3400
3000, 3100 panel layout
3200 panel layout
3300 and 3400 panel layout
Panel components: 3000, 3100, 3200, 3300, 3400
CD-ROM drive
Use the CD-ROM drive only when restoring, upgrading, or diagnosing system faults on the
appliance.
System status and hard disk drive (HDD) LEDs
System status LED
Lights blue during normal use.
Flashes blue when the System Identification ( ) button is pressed.
Flashes amber when there is a system fault.
HDD LED
Flashes green when the hard disk drive is in use.
Power and LED
Turns the appliance on and off.
Lights green when the appliance is operational.
Flashes green when the appliance is in standby mode. It is receiving power through the
power socket, but the power button is off. The network ports remain active but no protocols
or data intended for the appliance can pass through the appliance.
Power socket
Use the correct power cord for your location.
NOTE: 3300 and 3400 appliances only. We recommend you connect both power supplies.