McAfee Web Security Appliance 5.6.0 User manual

Product Guide

McAfee Email and Web Security

Appliances 5.6.0

COPYRIGHT

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by

any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE),

MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered

trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of

McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS

FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU

HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR

SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A

FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET

FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF

PURCHASE FOR A FULL REFUND.

2

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Contents

Preface 7

About this guide ..................................7

Audience ..................................7

Conventions .................................7

Finding product documentation .........................8

Contact information ..............................8

Optional components and related products ........................8

Working with your McAfee Email and Web Security Appliances ................9

The interface ................................10

Common tasks within the interface ....................... 12

Ports used by Email and Web Security Appliances .................16

Resources .................................17

Overview of Dashboard features 21

Dashboard ....................................21

Edit Preferences ...............................25

Graphs Edit Preferences ............................27

Overview of Reports features 29

Types of reports ..................................29

Scheduled Reports .................................30

Email Reports overview ...............................33

Interactive Reporting — Total view ....................... 37

Interactive Reporting — Time view .......................38

Interactive Reporting — Itemized view ......................38

Interactive Reporting — Detail view .......................39

Selection — Favorites .............................40

Selection — Filter ..............................40

Web Reports overview ...............................43

Interactive Reporting — Total view ....................... 46

Interactive Reporting — Time view .......................47

Interactive Reporting — Itemized view ......................47

Interactive Reporting — Detail view .......................48

Selection — Favorites .............................49

Selection — Filter ..............................49

System Reports ..................................52

Interactive Reporting — Detail view .......................54

Selection — Favorites .............................54

Selection — Filter ..............................55

Overview of Email features 59

Life of an email message ..............................59

Message Search ..................................62

Email Overview ..................................70

Email Configuration ................................ 71

McAfee Email and Web Security Appliances 5.6.0 Product Guide

3

Protocol Configuration ............................ 72

Receiving Email ...............................86

Sending Email ................................97

Email Policies ..................................101

Introduction to policies ............................101

Email Scanning Policies menu .........................103

About Protocol Presets ............................109

Email Scanning Policies ...........................109

Dictionaries ................................146

Registered Documents ............................155

Quarantine Configuration ..............................159

Quarantine Options .............................159

Quarantine Digest Options ..........................160

Digest Message Content ...........................161

Overview of Web features 163

Web Configuration ................................163

HTTP Connection Settings ...........................163

HTTP Protocol Settings ............................165

ICAP Connection Settings ...........................169

ICAP Authentication .............................171

ICAP Protocol Settings ............................172

FTP Connection Settings ...........................174

FTP Protocol Settings ............................175

Web Policies ...................................178

Introduction to policies ............................178

Web Scanning Policies ............................179

Dictionaries ................................197

Overview of System features 207

Appliance Management ..............................207

General ..................................207

DNS and Routing ..............................212

Time and Date ...............................214

Appliance Management — Remote Access ....................215

UPS Settings ................................219

Database Maintenance ............................222

Appliance Management — System Administration .................225

Default Server Settings ...........................232

Cluster Management ...............................233

Backup and Restore Configuration .......................233

Configuration Push .............................235

Load Balancing ...............................236

Resilient Mode ...............................239

Users, Groups and Services .............................240

Directory Services .............................240

Web User Authentication ...........................240

Policy Groups ...............................241

Role-Based User Accounts ..........................241

Virtual Hosting ..................................250

Virtual Hosts ................................250

Virtual Networks ..............................255

Certificate Management ..............................256

Certificates ................................256

Certificate Revocation lists (CRLs) .......................259

Logging, Alerting and SNMP .............................261

Contents

4

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Email Alerting ...............................261

SNMP Alert Settings .............................268

SNMP Monitor Settings ............................268

System Log Settings ............................269

WebReporter ................................275

Logging Configuration ............................275

Component Management ..............................276

Update Status ...............................276

Package Installer ..............................282

ePO ...................................283

Setup Wizard ..................................284

Welcome .................................285

Overview of Troubleshoot features 311

Troubleshooting Tools ...............................311

Ping and Trace Route ............................312

System Load ................................312

Route Information .............................313

Disk Space ................................314

Troubleshooting Reports ..............................314

Minimum Escalation Report ..........................314

Capture Network Traffic ...........................315

Save Quarantine ..............................316

Log Files .................................316

Error Reporting Tool .............................318

Tests ......................................318

System Tests ...............................318

How appliances work with ePolicy Orchestrator 321

Configuring your appliance for ePolicy Orchestrator management 323

Managing your appliances from within ePolicy Orchestrator 325

Index 327

Contents

McAfee Email and Web Security Appliances 5.6.0 Product Guide

5

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used

in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold Text that is strongly emphasized.

User input or Path Commands and other text that the user types; the path of a folder or program.

Code

A code sample.

User interface

Words in the user interface including options, menus, buttons, and dialog

boxes.

Hypertext blue A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system,

software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware

product.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

7

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from

installation to daily use and troubleshooting. After a product is released, information about the product

is entered into the McAfee online KnowledgeBase.

Task

1

Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2

Under Self Service, access the type of information you need:

To access... Do this...

User documentation

1

Click Product Documentation.

2

Select a Product, then select a Version.

3

Select a product document.

KnowledgeBase

• Click Search the KnowledgeBase for answers to your product questions.

• Click Browse the KnowledgeBase for articles listed by product and version.

Contact information

Use this information to contact McAfee.

To contact McAfee, either contact your local representative, or visit http://www.mcafee.com.

Optional components and related products

The appliances have several components and related products. Some components can be fully

integrated into the appliances. Other products provide a central point for monitoring and managing

several McAfee

®

products, including the appliances. The next table describes the optional components

and related products. For more information, see the McAfee website.

Related products

The following McAfee products can be used with your McAfee

®

Email and Web Security Appliances

product.

Component/ Product Description Compatible with type of

appliances

McAfee Quarantine Manager Consolidates quarantine

management for many McAfee

products, including the

appliances.

Email

Email+Web

McAfee ePolicy Orchestrator Provides a central control point

for reporting activity on several

appliances.

All

Preface

Optional components and related products

8

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Auxiliary hardware

Some appliances include auxiliary hardware:

Auxiliary hardware Features Appliance

Accelerator card Higher throughput for HTTP

protocol.

3400

Fiber card Connection via optical fiber

instead of copper wire.

3300, 3400

Remote Access card Remote access and some

management of the appliance.

For example, the card can

re-image the appliance remotely

using a CD in another computer.

3300, 3400

Your appliance has all auxiliary hardware pre-installed for the hardware

and software combination that you have purchased.

Combinations of software and hardware

The following combinations of software and hardware are possible:

Appliance Combined Email and Web Email only Web only

3000 Yes No No

3100 Yes No No

3200 Yes No No

3300 Yes No No

3400 No Yes Yes

M3 Content

Security Blade

Server

Yes Yes Yes

M7 Content

Security Blade

Server

Yes Yes Yes

Virtual appliances

The McAfee

®

Email and Web Security Appliance software is also available as a virtual appliance,

running within a VMware environment. It is available as the combined Email and Web version of the

software.

Working with your McAfee Email and Web Security Appliances

This section describes important concepts to help you configure your McAfee

®

Email and Web Security

Appliance.

Preface

Working with your McAfee Email and Web Security Appliances

McAfee Email and Web Security Appliances 5.6.0 Product Guide

9

The interface

Use this page to get to know your way around the user interface.

The interface you see might look slightly different from that shown here,

because it can vary depending on the appliance's hardware platform,

software version, and language.

Refer

ence

Option

A Navigation bar

B User information bar

C Section icons

D Tab bar

E Support control buttons

F View control

G Content area

A — Navigation bar

The navigation bar contains four areas: user information, section icons, tab bar, and support controls.

B — User information bar

C — Section icons

The number of section icons depends on the software version that you are using. Click an icon to

change the information in the content area and the tab bar. The icons include the following:

Preface

Working with your McAfee Email and Web Security Appliances

10

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Icon Menu Features

Dashboard

Use this page to see a summary of the appliance. From this page

you can access most of the pages that control the appliance.

Reports

Use the Reports pages to view events recorded on the appliance,

such as viruses detected in email messages or during web access,

and system activities such as details of recent updates and logins.

Email

Use the Email pages to manage threats to email messages,

quarantine of infected email, and other aspects of email

configuration.

Web

Use the Web pages to manage threats to web downloads, and to

manage other aspects of web configuration.

System

Use the System pages to configure various features on the appliance.

Troubleshoot

Use the Troubleshoot pages to diagnose any problems with the

appliance.

D — Tab bar

The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what

is displayed in the content area.

E — Support control buttons

The support control buttons are actions that apply to the content area.

Icon Description

Refreshes or updates the content.

Returns you to the previously viewed page. We recommend that you click this button,

rather than your browser's Back button.

Appears when you configure something to allow you to apply your changes.

Appears when you configure something to allow you to cancel your changes.

Opens a window of Help information. Much of the information in this window also

appears in the Product Guide.

F — View control

The view control button shows or hides a status window.

The status window, which appears in the bottom right of the interface, shows recent activity. New

messages are added at the top of the window. If a message is blue and underlined, you can click the

link to visit another page. You can also manage the window with its own Clear and Close links.

Preface

Working with your McAfee Email and Web Security Appliances

McAfee Email and Web Security Appliances 5.6.0 Product Guide

11

G — Content area

The content area contains the currently active content and is where most of your interaction will be.

The changes that you make take effect after you click the green

checkmark.

Common tasks within the interface

This section describes some common procedures for setting up, configuring, and managing your

appliance.

Tasks

• Enabling each feature on page 12

To ensure good detection and best performance, some features on the appliance are on

(enabled) by default, while others are off (disabled). Many dialog boxes and windows have

an Enabled checkbox. To use any feature, make sure you have selected this checkbox.

• Making changes to the appliance's configuration on page 12

Use this task to make changes to the operation of the appliance.

Enabling each feature

To ensure good detection and best performance, some features on the appliance are on (enabled) by

default, while others are off (disabled). Many dialog boxes and windows have an Enabled checkbox. To

use any feature, make sure you have selected this checkbox.

Making changes to the appliance's configuration

Use this task to make changes to the operation of the appliance.

Task

1

In the navigation bar, click an icon. The blue tabs below the icons change to show the available

features.

2

Click the tabs until you reach the page you need.

To locate any page, examine the tabs, or locate the subject in the Help index. The location of the

page is often described at the foot of the Help page. Example:

System | Appliance Management | Database Maintenance

3

On the page, select the options. Click the Help button (?) for information about each option.

4

Navigate to other pages as needed.

5

To save your configuration changes, click the green checkmark icon at the top right of the window.

6

In the Configuration change comment window, type a comment to describe your changes, then click OK.

Wait a few minutes while the configuration is updated.

7

To see all your comments, select System | Cluster Management | Backup and Restore Configuration [+] Review

Configuration Changes in the navigation bar.

Preface

Working with your McAfee Email and Web Security Appliances

12

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Using lists

The following information explains the use of lists within Email and Web Security Appliances.

Contents

Making and viewing lists

Adding information to a list

Removing single items from a list

Removing many items from a list

Changing information in a list

Viewing information in a long list

Ordering information in a list

Ordering information alphabetically in a list

Making and viewing lists

Lists specify information such as domains, addresses and port numbers on many pages in the

interface. You can add new items to a list, and delete existing items.

Although the number of rows and columns might vary, all lists behave in similar ways. In some lists,

you can also import items from a prepared file, and change the order of the items. Not all lists have

these actions. This section describes all the actions that are available in the interface.

Adding information to a list

Use this task to add information into a list within the user interface.

Task

1

Click Add below the list.

A new row appears in the table. If this is your first item, a column of checkboxes appears on the

left of the table. You might also see a Move column on the right of the table.

2

Type the details in the new row. Press Tab to move between fields.

3

For help with typing the correct information, move your cursor over the table cell, and wait for a

pop-up to appear. For more information, click

.

4

To save the new items immediately, click the green checkmark: .

Removing single items from a list

Some lists take a long time to create, and therefore you can delete only one entry at a time to prevent

the accidental deletion of a lot of information.

Click the trashcan icon .

If the item cannot be deleted, the icon is unavailable:

Alternatively, do the following:

Task

1

Click the item to select it. The row turns pale blue.

2

Click Delete at the bottom of the list.

Removing many items from a list

On some long lists, you can remove many items quickly.

Preface

Working with your McAfee Email and Web Security Appliances

McAfee Email and Web Security Appliances 5.6.0 Product Guide

13

Task

1

In the column of checkboxes on the left of the table, select each item. To select many items, select

the checkbox in the table's heading row to select all the items, then deselect those that you want

to keep.

2

Click Delete at the bottom of the list.

3

To save the new changes immediately, click the green checkmark:

.

Changing information in a list

Use this task to change hte information contained within a list within the user interface.

If an item cannot be changed, the icon is unavailable: .

Task

1

Click the edit icon

.

2

Click on the text, then delete or retype it.

3

To save the new changes immediately, click the green checkmark:

4

To cancel any recent changes, click the close button at the top right of the window:

Viewing information in a long list

If the list has many items, you might not be able to see them all at the same time.

Task

1

To determine the position of an item in the list or the size of the list, view the text at the bottom of

the list, such as Items 20 to 29 of 40.

2

To move through the list or to move quickly to either end of the list, click the arrows at the bottom

right of the list. (

).

Ordering information in a list

Some lists display items in priority order. The first item in the list is the highest priority, the last item

is the lowest priority. To change the item's priority:

Task

1

Find the row that contains the item.

2

In the Move column (on the right of the table), click the upward or downward arrow:

Preface

Working with your McAfee Email and Web Security Appliances

14

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Ordering information alphabetically in a list

When information is given in a list, you can sort the list alphabetically.

Task

•

To change the order:

• To force items in a column into alphabetical order, click the column heading. Items in other

columns are automatically sorted accordingly. An icon appears in the column heading to indicate

that this column is sorted:

• To sort the information differently, click the other column headings.

• To reverse and restore the alphabetical order of the information within a single column, click the

icons in the column heading:

Importing and exporting information

Topics describing how to import and export information.

Contents

Importing prepared information

Exporting prepared information

Importing prepared information

From some pages, you can import information from other devices, appliances, or software for use on

the appliance, such as from a previously prepared comma-separated value (.csv).

Imported information normally overwrites the original information.

Table 1 Some formats for comma-separated value (.csv) files

Type of information Format Example

Domain D, domain, IP address D, www.example.com,

192.168.254.200

Network address N, IP address, IP subnet mask N, 192.168.254.200,

255.255.255.0

Email address E, email-address E, [email protected]

Each item in the file is on a single line.

Task

1

Click Import.

2

In the Import window, browse to the file.

If further options are displayed in the dialog box, make the relevant choices based on the type of

file or information you are importing.

3

Click Open to import the information from the file.

Exporting prepared information

From some pages, you can export information from the appliance for use on other devices, appliances,

or software.

The information is generated in various forms, such as a .zip file, a .pdf, or a .csv file.

Preface

Working with your McAfee Email and Web Security Appliances

McAfee Email and Web Security Appliances 5.6.0 Product Guide

15

Table 2 Some formats for comma-separated value (.csv) files

Type of information Format Example

Domain D, domain, IP address D, www.example.com,

192.168.254.200

Network address N, IP address, IP subnet mask N, 192.168.254.200,

255.255.255.0

Email address E, email-address E, [email protected]

Each item in the file is on a single line.

Task

1

Click Export.

2

In the Export window, follow the instructions to create the file.

Ports used by Email and Web Security Appliances

Use this topic to review the ports used by your McAfee Email and Web Security Appliance.

The appliance uses various ports to communicate with your network and other devices.

Table 3 Ports used by Email and Web Security Appliances

Use Protocol Port Number

Software updates FTP 21

Anti-virus HTTP

FTP

80

21

McAfee Global Threat

Intelligence file reputation

DNS 53

Anti-spam rules and streaming

updates

HTTP 80

Anti-spam engine updates FTP 21

McAfee Global Threat

Intelligence message reputation

SSL 443

McAfee Global Threat

Intelligence web reputation

lookup

SSL 443

McAfee Global Threat

Intelligence web reputation

database update

HTTP 80

Domain Name System (DNS) DNS 53

McAfee Quarantine Manager HTTP 80

Active directory 389

McAfee Global Threat

Intelligence feedback

SSL 443

Preface

Working with your McAfee Email and Web Security Appliances

16

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Intercept ports

When operating in either of the transparent modes — transparent bridge mode or transparent router

mode — the appliance uses the following intercept ports to intercept traffic to be scanned.

Table 4 Intercept ports

Protocol Port number

FTP 21

HTTP 80 or 8080

ICAP 1344

POP3 110

SMTP 25

Listening ports

The appliance typically uses the following ports to listen for traffic on each protocol. The appliance

listens for traffic arriving on the designated ports. You can set up one or more listening ports for each

type of traffic being scanned by your appliance.

Table 5 Typical listening ports

Protocol Port number

FTP 21

HTTP 80

ICAP 1344

POP3 110

SMTP 25

Ports used for ePolicy Orchestrator communication

When you configure your Email and Web Security Appliances to be managed by ePolicy Orchestrator

®

,

or when you set ePolicy Orchestrator to monitor and report on your appliances, the following ports are

used by default for communication between ePolicy Orchestrator and your appliances.

Table 6 ePolicy Orchestrator communication ports

Port usage Port number

Agent-to-server communication port

80

Agent-to-server communication secure port

443 (when enabled)

Agent wake-up communication port

8081 (default)

Agent broadcast communication port

8082 (default)

Console-to-application server communication port

8443

Client-to-server authenticated communication port

8444

Resources

This topic describes the information, links, and supporting files that you can find from the Resources

dialog box.

Click Resources from the black information bar at the top of the Email and Web Security Appliance user

interface.

Preface

Working with your McAfee Email and Web Security Appliances

McAfee Email and Web Security Appliances 5.6.0 Product Guide

17

The Resources dialog box contains links to different areas or to files that you might need when setting

up your appliance.

Link name Description

Technical

support

Clicking this link takes you to the McAfee Technical Support ServicePortal login page

(https://mysupport.mcafee.com/Eservices/Default.aspx).

From this page, you can search the KnowledgeBase, view product documentation and

video tutorials, as well as access other technical support services.

Submit a sample

If you have a file that you believe to be malicious, but that your McAfee systems are

not detecting, you can safely submit it to McAfee for further analysis.

Follow the Submit a sample link and either log on or register as a new user to access the

McAfee Labs Tool to submit suspicious files.

Virus Information

Library

Viruses are continually evolving, with new malicious files being developed daily. To

find out more about particular viruses or other threats, follow the link to the McAfee

Threat Center.

McAfee Spam

Submission Tool

This free tool integrates into Microsoft Outlook and allows users to submit missed

spam samples and email that was wrongly categorized as spam to McAfee Labs.

McAfee Spam Submission Tool (MSST) version 2.2 can also be used with McAfee

Secure Content Management appliances and McAfee Quarantine Manager to train the

Bayesian database.

The tool supports automated blacklisting and whitelisting, and has an installer that

supports automated script-based installations. Supported platforms: Windows 2000

and Windows XP with Microsoft Outlook 2000 or later.

The latest MSST and documents can be downloaded from the following location:

http://www.mcafee.com/us/enterprise/downloads/free_tools/index.html

ePO Extensions

Download the ePolicy Orchestrator extensions for Email and Web Security Appliances.

This file contains both the EWG and the EWS extensions.

The EWG extension allows reporting from within ePolicy Orchestrator for the following

products:

• Email and Web Security Appliances version 5.5

• Email and Web Security Appliances version 5.6

• McAfee Web Gateway

• McAfee Email Gateway

The EWS extension provides full ePolicy Orchestrator management for Email and Web

Security Appliances version 5.6.

For you to use ePolicy Orchestrator for either reporting or management, the ePO

extensions need to be installed on your ePolicy Orchestrator server.

ePO 4.5 Help

Download the ePolicy Orchestrator Help extensions for the two ePO extensions listed

above.

This file installs the Help extensions relating to the ePolicy Orchestrator extensions for

Email and Web Security Appliances onto your ePolicy Orchestrator server.

SMI File

Download the Structure of Managed Information (SMI) file for use with the Simple

Network Management Protocol (SNMP).

This file provides information about the syntax used by the SNMP Management

Information Base (MIB) file.

Preface

Working with your McAfee Email and Web Security Appliances

18

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Link name Description

MIB File

Download the MIB file for use with SNMP.

This file is used to define the information that your Email and Web Security Appliance

can transmit using SNMP.

HP OpenView

NNM Smart

Plug-in Installer

Download the HP OpenView installer file to enable you to configure your Email and

Web Security Appliance to communicate with HP OpenView.

Preface

Working with your McAfee Email and Web Security Appliances

McAfee Email and Web Security Appliances 5.6.0 Product Guide

19

Page is loading ...

McAfee Web Security Appliance 5.6.0 User manual

This manual is also suitable for

McAfee Web Security Appliance 5.6.0 User manual

Related papers

Other documents