McAfee MSA-3400-SWGI - Web Security Appliance 3400 Installation guide

McAfee Email and Web Security
Appliance 5.5
Installation Guide
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
Introducing McAfee Email and Web Security Appliances
  How to use this guide
    Who should read this guide
  Definition of terms used in this guide
  Graphical conventions
  Documentation
  Available resources
Pre-installation
  What’s in the box
  Plan the installation
  Inappropriate use
  Operating conditions
  Positioning the appliance
  Considerations about Network Modes
    Transparent bridge mode
    Transparent router mode
    Explicit proxy mode
  Deployment Strategies for Using the device in a DMZ
    SMTP configuration in a DMZ
    Workload management
Connecting and configuring the appliance
  Installation quick reference table
  Ports and connections
    3000, 3100 panel layout
    3200 panel layout
    3300 panel layout
    3400 panel layout
    Panel components: 3000, 3100, 3200, 3300, 3400
  Physically installing the appliance
    Mounting the appliance in a rack
  Connect to the network
    Port numbers
    Using Copper LAN connections
    Using Fiber LAN connections
    Monitor and keyboard
  Supplying power to the appliance
  Installing the software
  Using the Configuration Console
    Welcome page
    Performing a standard installation
    Performing a custom setup
    Restoring from a file
  Testing the Configuration
    Introducing the user interface
    Testing the device
  Using the device
    Updates and HotFixes
    After installation
Exploring the appliance
  Generating reports
  Using policies to manage message scanning
    Creating an anti-virus scanning policy
    Creating an anti-spam scanning policy
    Creating an email compliance policy
    Creating a content filtering policy
    About Virtual host management
Troubleshooting
  General problems
    The appliance is not receiving power
    The appliance is not receiving traffic from the network
  FAQ
    Interface problems
    Mail issues
    Delivery
    Email attachments
    POP3
    Physical configuration
    System configuration
    System maintenance
    Anti-virus automatic updating
    Anti-spam
  Getting more help: the links bar
Introducing McAfee Email and Web Security Appliances
This guide provides the necessary information for installing the McAfee® Email and Web Security
Appliance 5.5. It provides steps and verification of the installation process.
This guide demonstrates how to configure the Email and Web Security software; when the
configuration is complete, the user has a fully functional appliance.
Contents
How to use this guide
Definition of terms used in this guide
Graphical conventions
Documentation
Available resources
How to use this guide
This guide helps you to:
- Plan and perform your installation.
- Become familiar with the interface.
- Test that the product functions correctly.
- Apply the latest detection definition files.
- Explore some scanning policies, create reports, and get status information.
- Troubleshoot basic issues.
You can find additional information about the product's scanning features in the online help.
Who should read this guide
The information in this guide is intended primarily for network administrators who are responsible
for their company's anti-virus and security program.
Definition of terms used in this guide
This information defines some key terms used in this guide.
Term: Definition
demilitarized zone (DMZ): A computer host or small network inserted as a buffer between a private network and the outside public network to prevent direct access from outside users to resources on the private network.
DAT files: Detection definition (DAT) files, also called signature files, containing the definitions that identify, detect, and repair viruses, Trojan horses, spyware, adware, and other potentially unwanted programs (PUPs).
operational mode: Three operating modes for the product: explicit proxy mode, transparent bridge mode, and transparent router mode.
policy: A collection of security criteria, such as configuration settings, benchmarks, and network access specifications, that defines the level of compliance required for users, devices, and systems that can be assessed or enforced by a McAfee security application.
Reputation Service check: Part of sender authentication. If a sender fails the Reputation Service check, the appliance is set to close the connection and deny the message. The sender's IP address is added to a list of blocked connections and is automatically blocked in future at the kernel level.
Graphical conventions
Figures in this guide use the following symbols.
Symbols (images not reproduced): Appliance; Internet; Mail server; Other server (such as DNS server); User or client computer; Router; Switch; Firewall; Network zone (DMZ or VLAN); Network; Actual data path; Perceived data path.
Documentation
This Installation Guide is included with your product. Additional information is available in the
online help included with the product, and other documentation available from the
http://mysupport.mcafee.com website.
Available resources
This information describes where to get more information and assistance.
McAfee products: McAfee KnowledgeBase. Go to https://mysupport.mcafee.com/eservice/Default.aspx and click Search the KnowledgeBase. From the Product list, select Email and Web Security Appliance Software.
Product Guide: McAfee download site. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring. You will need your Grant ID number.
Online help: Product interface. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring.
Pre-installation
To ensure the safe operation of the product, consider the following before you begin the
installation.
- Familiarize yourself with its operational modes and capabilities. It is important that you choose a valid configuration.
- Decide how to integrate the appliance into your network and determine what information you need before you start. For example, the name and IP address for the appliance.
- Unpack the product as close to its intended location as possible.
- Remove the product from any protective packaging and place it on a flat surface.
- Observe all provided safety warnings.
CAUTION: Review and be familiar with all provided safety information.
Contents
What’s in the box
Plan the installation
Inappropriate use
Operating conditions
Positioning the appliance
What’s in the box
To check that all components are present, refer to the packing list supplied with your product.
Generally, you should have:
- An appliance
- Power cords
- Network cables
- Email and Web Security v5.5 installation and recovery CD
- Linux source code CD
If an item is missing or damaged, contact your supplier.
Plan the installation
Before unpacking your blade server, it is important to plan the installation and deployment.
Consider the following:
- Environmental requirements: Information on environmental site requirements, including temperature, airflow, and space requirements.
- Power requirements and considerations: Power requirements and electrical factors that must be considered before installation.
- Hardware specifications and requirements
- Configuration scenarios
- Preparing for installation
Inappropriate use
The product is:
- Not a firewall. You must use it within your organization behind a correctly configured firewall.
- Not a server for storing extra software and files. Do not install any software on the device or add any extra files to it unless instructed by the product documentation or your support representative.
The device cannot handle all types of traffic. If you use explicit proxy mode, only protocols that are to be scanned should be sent to the device.
Operating conditions
Temperature: 10 to 35°C (50 to 95°F).
Relative humidity: 20% to 80% (non-condensing) with a maximum humidity gradient of 10% per hour.
Maximum vibration: 0.25 G at 3–200 Hz for 15 minutes.
Maximum shock: One shock pulse in the positive z axis (one pulse on each side of the unit) of 31 G for up to 2.6 ms.
Altitude: -16 to 3,048 m (-50 to 10,000 ft.).
Positioning the appliance
Install the appliance so that you can control physical access to the unit and access the ports
and connections.
A rack-mounting kit is supplied with the appliance, allowing you to install the appliance in a
19-inch rack; see Mounting the appliance in a rack.
Considerations about Network Modes
Before you install and configure your Email and Web Security Appliance, you must decide which
network mode to use. The mode you choose determines how you physically connect your
appliance to your network.
You can choose from the following network modes.
- Transparent bridge mode: the device acts as an Ethernet bridge.
- Transparent router mode: the device acts as a router.
- Explicit proxy mode: the device acts as a proxy server and a mail relay.
If you are still unsure about the mode to use after reading this and the following sections,
consult your network expert.
CAUTION: If you plan on deploying one or more scanning blades running McAfee Web Gateway
(formerly WebWasher) software, you must configure your blade server in Explicit Proxy mode.
Architectural considerations about network modes
The main considerations regarding the network modes are:
- Whether communicating devices are aware of the existence of the device. That is, if the device is operating in one of the transparent modes.
- How the device physically connects to your network.
- The configuration needed to incorporate the device into your network.
- Where the configuration takes place in the network.
Considerations before changing network modes
In explicit proxy and transparent router modes, you can set up the device to sit on more than
one network by setting up multiple IP addresses for the LAN1 and LAN2 ports.
If you change to transparent bridge mode from explicit proxy or transparent router mode, only
the enabled IP addresses for each port are carried over.
TIP: After you select an operational mode, McAfee recommends not changing it unless you
move the device or restructure your network.
Contents
Pre-installation
Transparent bridge mode
Transparent router mode
Explicit proxy mode
Transparent bridge mode
In transparent bridge mode, the communicating servers are unaware of the device; the
device’s operation is transparent to the servers.
Figure 1: Transparent communication
In Figure 1: Transparent communication, the external mail server (A) sends email messages
to the internal mail server (C). The external mail server is unaware that the email message is
intercepted and scanned by the device (B).
The external mail server seems to communicate directly with the internal mail server; the
path is shown as a dotted line. In reality, traffic might pass through several network devices
and be intercepted and scanned by the device before reaching the internal mail server.
What the device does
In transparent bridge mode, the device connects to your network using the LAN1 and LAN2
ports. The device scans the traffic it receives, and acts as a bridge connecting two separate
physical networks, but treats them as a single logical network.
Configuration
Transparent bridge mode requires less configuration than transparent router and explicit proxy
modes. You do not need to reconfigure all your clients, default gateway, MX records, Firewall
NAT or mail servers to send traffic to the device. Because the device is not a router in this
mode, you do not need to update a routing table.
Where to place the device
For security reasons, you must use the device inside your organization, behind a firewall.
Figure 2: Single logical network
TIP: In transparent bridge mode, position the device between the firewall and your router, as
shown in Figure 2: Single logical network.
In this mode, you physically connect two network segments to the device, and the device treats
them as one logical network. Because the devices (firewall, device, and router) are on the
same logical network, they must all have compatible IP addresses on the same subnet.
Devices on one side of the bridge (such as a router) that communicate with devices on the
other side of the bridge (such as a firewall) are unaware of the bridge. They are unaware that
traffic is intercepted and scanned; therefore, the device is said to operate as a transparent
bridge.
Figure 3: Transparent bridge mode
Transparent router mode
In transparent router mode, the device scans email traffic between two networks. The device
has one IP address for outgoing scanned traffic, and must have one IP address for incoming
traffic.
The communicating network servers are unaware of the intervention of the device; the device’s
operation is transparent to the devices.
What the device does
In transparent router mode, the device connects to your networks using the LAN1 and LAN2
ports. The device scans the traffic it receives on one network, and forwards it to the next
network device on a different network. The device acts as a router, routing the traffic between
networks, based on the information held in its routing tables.
Configuration
Using transparent router mode, you do not need to explicitly reconfigure your network devices
to send traffic to the device. You need only configure the routing table for the device, and
modify some routing information for the network devices on either side of it (the devices
connected to its LAN1 and LAN2 ports). For example, you might need to make the device your
default gateway.
In transparent router mode, the device must join two networks. The device must be positioned
inside your organization, behind a firewall.
NOTE: Transparent router mode does not support Multicast IP traffic or non-IP protocols, such
as NETBEUI and IPX.
Where to place the device
Use the device in transparent router mode to replace an existing router on your network.
TIP: If you use transparent router mode and you do not replace an existing router, you must
reconfigure part of your network to route traffic correctly through the device.
Figure 4: Transparent router mode configuration
You need to:
- Configure your client devices to point to the default gateway.
- Configure the device to use the Internet gateway as its default gateway.
- Ensure your client devices can deliver email messages to the mail servers within your organization.
Explicit proxy mode
In explicit proxy mode, some network devices must be set up explicitly to send traffic to the
device. The device then works as a proxy or relay, processing traffic on behalf of the devices.
Explicit proxy mode is best suited to networks where client devices connect to the device through
a single upstream and downstream device.
TIP: This might not be the best option if several network devices must be reconfigured to send
traffic to the device.
Network and device configuration
If the device is set to explicit proxy mode, you must explicitly configure your internal mail server
to relay email traffic to the device. The device scans the email traffic before forwarding it, on
behalf of the sender, to the external mail server. The external mail server then forwards the
email message to the recipient.
In a similar way, the network must be configured so that incoming email messages from the
Internet are delivered to the device, not the internal mail server.
Figure 5: Relaying email traffic
The device scans the traffic before forwarding it, on behalf of the sender, to the internal mail
server for delivery, as shown in Figure 5: Relaying email traffic.
For example, an external mail server can communicate directly with the device, although traffic
might pass through several network servers before reaching the device. The perceived path is
from the external mail server to the device.
Protocols
To scan a supported protocol, you must configure your other network servers or client computers
to route that protocol through the device, so that no traffic bypasses the device.
Firewall rules
Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The
firewall sees only the IP address information for the device, not the IP addresses of the clients,
so the firewall cannot apply its Internet access rules to the clients.
Where to place the device
Configure the network devices so that traffic needing to be scanned is sent to the device. This
is more important than the location of the device.
The router must allow all users to connect to the device.
Figure 6: Explicit proxy configuration
The device must be positioned inside your organization, behind a firewall, as shown in Figure
6: Explicit proxy configuration.
Typically, the firewall is configured to block traffic that does not come directly from the device.
If you are unsure about your network’s topology and how to integrate the device, consult your
network expert.
Use this configuration if:
- The device is operating in explicit proxy mode.
- You are using email (SMTP).
For this configuration, you must:
- Configure the external Domain Name System (DNS) servers or Network Address Translation (NAT) on the firewall so that the external mail server delivers mail to the device, not to the internal mail server.
- Configure the internal mail servers to send email messages to the device. That is, the internal mail servers must use the device as a smart host. Ensure that your client devices can deliver email messages to the mail servers within your organization.
- Ensure that your firewall rules are updated. The firewall must accept traffic from the device, but must not accept traffic that comes directly from the client devices. Set up rules to prevent unwanted traffic entering your organization.
Deployment Strategies for Using the device in a DMZ
A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including
the Internet and other internal networks. The typical goal behind the implementation of a DMZ
is to lock down access to servers that provide services to the Internet, such as email.
Hackers often gain access to networks by identifying the TCP/UDP ports on which applications
are listening for requests, then exploiting known vulnerabilities in applications. Firewalls
dramatically reduce the risk of such exploits by controlling access to specific ports on specific
servers.
The device can be added easily to a DMZ configuration. The way you use the device in a DMZ
depends on the protocols you intend to scan.
Contents
Pre-installation
SMTP configuration in a DMZ
SMTP configuration in a DMZ
The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall
for the second time (on its way from the DMZ to the internal network), it has been encrypted.
Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode.
Configuration changes need only be made to the MX records for the mail servers.
NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if
you do not control the flow of traffic correctly, the device scans every message twice, once in
each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.
Mail relay
Figure 7: Device in explicit proxy configuration in a DMZ
If you have a mail relay already set up in your DMZ, you can replace the relay with the device.
To use your existing firewall policies, give the device the same IP address as the mail relay.
Mail gateway
SMTP does not provide methods to encrypt mail messages; you can use Transport Layer
Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do
not allow such traffic on their internal network. To overcome this, they often use a proprietary
mail gateway, such as Lotus Notes® or Microsoft® Exchange, to encrypt the mail traffic before
it reaches the internal network.
To implement a DMZ configuration using a proprietary mail gateway, add the scanning device
to the DMZ on the SMTP side of the gateway.
Figure 8: Protecting a mail gateway in DMZ
In this situation, configure:
  • The public MX records to instruct external mail servers to send all inbound mail to the device
    (instead of the gateway).
  • The device to forward all inbound mail to the mail gateway, and deliver all outbound mail
    using DNS or an external relay.
  • The mail gateway to forward all inbound mail to the internal mail servers and all other
    (outbound) mail to the device.
  • The firewall to allow inbound mail that is destined for the device only.
NOTE: Firewalls configured to use Network Address Translation (NAT), and that redirect inbound
mail to internal mail servers, do not need their public MX records reconfigured. This is because
they are directing traffic to the firewall rather than the mail gateway itself. In this case, the
firewall must instead be reconfigured to direct inbound mail requests to the device.
Firewall rules specific to Lotus Notes
By default, Lotus Notes servers communicate over TCP port 1352. The firewall rules typically
used to secure Notes servers in a DMZ allow the following through the firewall:
  • Inbound SMTP requests (TCP port 25) originating from the Internet and destined for the
    device.
  • TCP port 1352 requests originating from the Notes gateway and destined for an internal
    Notes server.
  • TCP port 1352 requests originating from an internal Notes server and destined for the Notes
    gateway.
  • SMTP requests originating from the device and destined for the Internet.
All other SMTP and TCP port 1352 requests are denied.
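The rule set above can be checked against what a firewall actually decides. The following is an added example, not part of the McAfee guide: it models the four allowed flows and the final deny rule, then audits constructed firewall decisions. All addresses, role names and the log format are assumptions, and only traffic that crosses the firewall is modeled.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption; the guide names no addresses).
INTERNAL, DMZ = ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")
ROLES = {
    ip_address("192.0.2.10"): "device",         # scanning device in the DMZ
    ip_address("192.0.2.20"): "notes_gateway",  # Notes gateway in the DMZ
    ip_address("10.0.5.25"): "internal_notes",  # internal Notes server
}
# The four flows the guide allows: (source role, destination role, TCP port).
ALLOWED = {
    ("internet", "device", 25),
    ("notes_gateway", "internal_notes", 1352),
    ("internal_notes", "notes_gateway", 1352),
    ("device", "internet", 25),
}
POLICY_PORTS = {25, 1352}  # the final deny rule covers only these ports

def role(addr):
    """Map an address to the role the guide's rules are written in."""
    ip = ip_address(addr)
    if ip in ROLES:
        return ROLES[ip]
    return "internal" if ip in INTERNAL else "dmz_other" if ip in DMZ else "internet"

def expected(src, dst, port):
    """Return 'allow' or 'deny', or None for ports this policy does not cover."""
    if port not in POLICY_PORTS:
        return None
    return "allow" if (role(src), role(dst), port) in ALLOWED else "deny"

def audit(log_lines):
    """Return (line, expected action) for each logged decision that contradicts the policy."""
    findings = []
    for line in log_lines:
        src, dst, port, action = line.split()
        want = expected(src, dst, int(port))
        if want is not None and want != action:
            findings.append((line, want))
    return findings

# Constructed firewall decisions in an assumed "src dst dport action" format.
SAMPLE_LOG = [
    "198.51.100.7 192.0.2.10 25 allow",    # Internet -> device, as intended
    "198.51.100.7 192.0.2.20 25 allow",    # Internet -> gateway, bypasses the device
    "198.51.100.7 192.0.2.20 1352 allow",  # Internet -> gateway on the Notes port
    "192.0.2.10 203.0.113.9 25 deny",      # device -> Internet wrongly blocked
    "10.0.7.7 192.0.2.10 443 allow",       # port outside this policy
]
for line, want in audit(SAMPLE_LOG):
    print(f"policy says {want}: {line}")
```

The second and third sample lines are the findings that matter most: both let Internet traffic reach the Notes gateway without passing through the device.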
Firewall rules specific to Microsoft Exchange
A Microsoft Exchange-based mail system requires a significant workaround.
When Exchange servers communicate with each other, they send their initial packets using the
RPC protocol (TCP port 135). However, once the initial communication is established, two ports
are chosen dynamically and used to send all subsequent packets for the remainder of the
communication. You cannot configure a firewall to recognize these dynamically-chosen ports.
Therefore, the firewall does not pass the packets.
The workaround is to modify the registry on each of the Exchange servers communicating
across the firewall to always use the same two “dynamic” ports, then open TCP 135 and these
two ports on the firewall.
We mention this workaround to provide a comprehensive explanation, but we do not recommend
it. The RPC protocol is widespread on Microsoft networks, and opening TCP 135 inbound is a red
flag to most security professionals.
If you intend to use this workaround, details can be found in the following Knowledge Base
articles on the Microsoft website:
  • Q155831
  • Q176466
Workload management
The appliance includes its own internal workload management, distributing the scanning load
evenly between all appliances configured to work together.
The blade server includes its own internal workload management, distributing the scanning
load evenly between all scanning blades installed within the enclosure.
You do not need to deploy an external load balancer.