McAfee MSA-3400-SWGI - Web Security Appliance 3400 Installation guide

Brand: McAfee

Model: MSA-3400-SWGI - Web Security Appliance 3400

Type: Installation guide

This manual is also suitable for

Email and Web Security Appliance 5.5

McAfee Email and Web Security

Appliance 5.5

Installation Guide

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form

or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,

LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,

PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,

SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.

and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other

registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,

WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH

TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS

THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,

A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU

DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN

THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

Refer to the product Release Notes.

McAfee Email and Web Security Appliance 5.5 Installation Guide2

Contents

Introducing McAfee Email and Web Security Appliances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

How to use this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Who should read this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Definition of terms used in this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Graphical conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Available resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Pre-installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

What’s in the box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Plan the installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Inappropriate use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Operating conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Positioning the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Considerations about Network Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Transparent bridge mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Transparent router mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Explicit proxy mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Deployment Strategies for Using the device in a DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

SMTP configuration in a DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Workload management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Connecting and configuring the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Installation quick reference table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Ports and connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3000, 3100 panel layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3200 panel layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3300 panel layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3400 panel layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Panel components: 3000, 3100, 3200, 3300, 3400. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Physically installing the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Mounting the appliance in a rack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Connect to the network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3McAfee Email and Web Security Appliance 5.5 Installation Guide

Port numbers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Using Copper LAN connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Using Fiber LAN connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Monitor and keyboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Supplying power to the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Installing the software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Using the Configuration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Welcome page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Performing a standard installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Performing a custom setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Restoring from a file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Testing the Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Introducing the user interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Testing the device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Using the device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Updates and HotFixes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

After installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Exploring the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Generating reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Using policies to manage message scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Creating an anti-virus scanning policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Creating an anti-spam scanning policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Creating an email compliance policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Creating a content filtering policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

About Virtual host management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

General problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

The appliance is not receiving power. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

The appliance is not receiving traffic from the network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

FAQ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Interface problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Mail issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Delivery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Email attachments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

POP3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Physical configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

System configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

McAfee Email and Web Security Appliance 5.5 Installation Guide4

Contents

System maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Anti-virus automatic updating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Anti-spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Getting more help — the links bar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

5McAfee Email and Web Security Appliance 5.5 Installation Guide

Contents

Introducing McAfee Email and Web Security

Appliances

This guide provides the necessary information for installing the McAfee

Email and Web Security

Appliance 5.5. It provides steps and verification of the installation process.

This guide demonstrates how to configure Email and Web Security software and when completed

the user will have a fully functional appliance.

Contents

How to use this guide

Definition of terms used in this guide

Graphical conventions

Documentation

Available resources

How to use this guide

This guide helps you to:

• Plan and perform your installation.

• Become familiar with the interface.

• Test that the product functions correctly.

• Apply the latest detection definition files.

• Explore some scanning policies, create reports, and get status information.

• Troubleshoot basic issues.

You can find additional information about the product's scanning features in the online help.

Who should read this guide

The information in this guide is intended primarily for network administrators who are responsible

for their company's anti-virus and security program.

Definition of terms used in this guide

This information defines some key terms used in this guide.

McAfee Email and Web Security Appliance 5.5 Installation Guide6

DefinitionTerm

A computer host or small network inserted as a buffer

between a private network and the outside public network

demilitarized zone (DMZ)

to prevent direct access from outside users to resources

on the private network.

Detection definition (DAT) files, also called signature files,

containing the definitions that identify, detect, and repair

DAT files

viruses, Trojan horses, spyware, adware, and other

potentially unwanted programs (PUPs).

Three operating modes for the product: explicit proxy

mode, transparent bridge mode, and transparent router

mode.

operational mode

A collection of security criteria, such as configuration

settings, benchmarks, and network access specifications,

policy

that defines the level of compliance required for users,

devices, and systems that can be assessed or enforced by

a McAfee security application.

Part of sender authentication. If a sender fails the

Reputation Service check, the appliance is set to close the

Reputation Service check

connection and deny the message. The sender's IP address

is added to a list of blocked connections and is

automatically blocked in future at the kernel level.

Introducing McAfee Email and Web Security Appliances

Definition of terms used in this guide

7McAfee Email and Web Security Appliance 5.5 Installation Guide

Graphical conventions

Figures in this guide use the following symbols.

InternetAppliance

Other server (such as DNS

server)

Mail server

RouterUser or client computer

FirewallSwitch

NetworkNetwork zone (DMZ or

VLAN)

Perceived data pathActual data path

Documentation

This Installation Guide is included with your product. Additional information is available in the

online help included with the product, and other documentation available from the

http://mysupport.mcafee.com website.

Available resources

This information describes where to get more information and assistance.

McAfee KnowledgeBase. Go to

https://mysupport.mcafee.com/eservice/Default.aspx

McAfee products

and click Search the KnowledgeBase. From

the Product list, select Email and Web

Security Appliance Software.

McAfee download site. Includes information

about basic concepts, policies, protocols

Product Guide

(SMTP, POP3, FTP, HTTP, and ICAP),

maintenance, and monitoring. You will need

your Grant ID number.

Product interface. Includes information about

basic concepts, policies, protocols (SMTP,

Online help

Introducing McAfee Email and Web Security Appliances

Graphical conventions

McAfee Email and Web Security Appliance 5.5 Installation Guide8

POP3, FTP, HTTP, and ICAP), maintenance,

and monitoring.

Introducing McAfee Email and Web Security Appliances

Available resources

9McAfee Email and Web Security Appliance 5.5 Installation Guide

Pre-installation

To ensure the safe operation of the product, consider the following before you begin the

installation.

• Familiarize yourself with its operational modes and capabilities. It is important that you

choose a valid configuration.

• Decide how to integrate the appliance into your network and determine what information

you need before you start. For example, the name and IP address for the appliance.

• Unpack the product as close to its intended location as possible.

• Remove the product from any protective packaging and place it on a flat surface.

• Observe all provided safety warnings.

CAUTION: Review and be familiar with all provided safety information.

Contents

What’s in the box

Plan the installation

Inappropriate use

Operating conditions

Positioning the appliance

What’s in the box

To check that all components are present, refer to the packing list supplied with your product.

Generally, you should have:

• An appliance

• Power cords

• Network cables

• Email and Web Security v5.5 installation and recovery CD

• Linux source code CD

If an item is missing or damaged, contact your supplier.

Pre-installation

Plan the installation

Before unpacking your blade server, it is important to plan the installation and deployment.

Consider the following:

McAfee Email and Web Security Appliance 5.5 Installation Guide10

• Environmental requirements

Information on environmental site requirements, including temperature, airflow, and space

requirements.

• Power requirements and considerations

Power requirements and electrical factors that must be considered before installation.

• Hardware specifications and requirements

• Configuration scenarios

• Preparing for installation.

Pre-installation

Inappropriate use

The product is:

• Not a firewall. — You must use it within your organization behind a correctly configured

firewall.

• Not a server for storing extra software and files. — Do not install any software on

the device or add any extra files to it unless instructed by the product documentation or

your support representative. The device cannot handle all types of traffic. If you use explicit

proxy mode, only protocols that are to be scanned should be sent to the device.

Pre-installation

Operating conditions

10 to 35°C (50 to 95°F).Temperature

20% to 80% (non-condensing) with a maximum humidity

gradient of 10% per hour.

Relative humidity

0.25 G at 3–200 Hz for 15 minutes.Maximum vibration

One shock pulse in the positive z axis (one pulse on each

side of the unit) of 31 G for up to 2.6 ms.

Maximum shock

-16 to 3,048 m (-50 to 10,000 ft.).Altitude

Positioning the appliance

Install the appliance so that you can control physical access to the unit and access the ports

and connections.

A rack-mounting kit is supplied with the appliance, allowing you to install the appliance in a

19-inch rack — see Mounting the appliance in a rack.

Pre-installation

Inappropriate use

11McAfee Email and Web Security Appliance 5.5 Installation Guide

Considerations about Network Modes

Before you install and configure your Email and Web Security Appliance, you must decide which

network mode to use. The mode you choose determines how you physically connect your

appliance to your network.

You can choose from the following network modes.

• Transparent bridge mode — the device acts as an Ethernet bridge.

• Transparent router mode — the device acts as a router.

• Explicit proxy mode — the device acts as a proxy server and a mail relay.

If you are still unsure about the mode to use after reading this and the following sections,

consult your network expert.

CAUTION: If you plan on deploying one or more scanning blades running McAfee Web Gateway

(formally WebWasher) software, you must configure your blade server in Explicit Proxy mode.

Architectural considerations about network modes

The main considerations regarding the network modes are:

• Whether communicating devices are aware of the existence of the device. That is, if the

device is operating in one of the transparent modes.

• How the device physically connects to your network.

• The configuration needed to incorporate the device into your network.

• Where the configuration takes place in the network.

Considerations before changing network modes

In explicit proxy and transparent router modes, you can set up the device to sit on more than

one network by setting up multiple IP addresses for the LAN1 and LAN2 ports.

If you change to transparent bridge mode from explicit proxy or transparent router mode, only

the enabled IP addresses for each port are carried over.

TIP: After you select an operational mode, McAfee recommends not changing it unless you

move the device or restructure your network.

Contents

Pre-installation

Transparent bridge mode

Transparent router mode

Explicit proxy mode

Pre-installation

Considerations about Network Modes

McAfee Email and Web Security Appliance 5.5 Installation Guide12

Transparent bridge mode

In transparent bridge mode, the communicating servers are unaware of the device — the

device’s operation is transparent to the servers.

Figure 1: Transparent communication

In Figure 1: Transparent communication, the external mail server (A) sends email messages

to the internal mail server (C). The external mail server is unaware that the email message is

intercepted and scanned by the device (B).

The external mail server seems to communicate directly with the internal mail server — the

path is shown as a dotted line. In reality, traffic might pass through several network devices

and be intercepted and scanned by the device before reaching the internal mail server.

What the device does

In transparent bridge mode, the device connects to your network using the LAN1 and LAN2

ports. The device scans the traffic it receives, and acts as a bridge connecting two separate

physical networks, but treats them as a single logical network.

Configuration

Transparent bridge mode requires less configuration than transparent router and explicit proxy

modes. You do not need to reconfigure all your clients, default gateway, MX records, Firewall

NAT or mail servers to send traffic to the device. Because the device is not a router in this

mode, you do not need to update a routing table.

Where to place the device

For security reasons, you must use the device inside your organization, behind a firewall.

Figure 2: Single logical network

TIP: In transparent bridge mode, position the device between the firewall and your router, as

shown in Figure 2: Single logical network.

In this mode, you physically connect two network segments to the device, and the device treats

them as one logical network. Because the devices — firewall, device, and router — are on the

same logical network, they must all have compatible IP addresses on the same subnet.

Devices on one side of the bridge (such as a router) that communicate with devices on the

other side of the bridge (such as a firewall) are unaware of the bridge. They are unaware that

Pre-installation

Considerations about Network Modes

13McAfee Email and Web Security Appliance 5.5 Installation Guide

traffic is intercepted and scanned, therefore the device is said to operate as a transparent

bridge.

Figure 3: Transparent bridge mode

Transparent router mode

In transparent router mode, the device scans email traffic between two networks. The device

has one IP address for outgoing scanned traffic, and must have one IP address for incoming

traffic.

The communicating network servers are unaware of the intervention of the device — the device’s

operation is

transparent

to the devices.

What the device does

In transparent router mode, the device connects to your networks using the LAN1 and LAN2

ports. The device scans the traffic it receives on one network, and forwards it to the next

network device on a different network. The device acts as a router, routing the traffic between

networks, based on the information held in its routing tables.

Configuration

Using transparent router mode, you do not need to explicitly reconfigure your network devices

to send traffic to the device. You need only configure the routing table for the device, and

modify some routing information for the network devices on either side of it (the devices

connected to its LAN1 and LAN2 ports). For example, you might need to make the device your

default gateway.

Pre-installation

Considerations about Network Modes

McAfee Email and Web Security Appliance 5.5 Installation Guide14

In transparent router mode, the device must join two networks. The device must be positioned

inside your organization, behind a firewall.

NOTE: Transparent router mode does not support Multicast IP traffic or non-IP protocols, such

as NETBEUI and IPX.

Where to place the device

Use the device in transparent router mode to replace an existing router on your network.

TIP: If you use transparent router mode and you do not replace an existing router, you must

reconfigure part of your network to route traffic correctly through the device.

Figure 4: Transparent router mode configuration

You need to:

• Configure your client devices to point to the default gateway.

• Configure the device to use the Internet gateway as its default gateway.

• Ensure your client devices can deliver email messages to the mail servers within your

organization.

Explicit proxy mode

In explicit proxy mode, some network devices must be set up explicitly to send traffic to the

device. The device then works as a proxy or relay, processing traffic on behalf of the devices.

Explicit proxy mode is best suited to networks where client devices connect to the device through

a single upstream and downstream device.

TIP: This might not be the best option if several network devices must be reconfigured to send

traffic to the device.

Pre-installation

Considerations about Network Modes

15McAfee Email and Web Security Appliance 5.5 Installation Guide

Network and device configuration

If the device is set to explicit proxy mode, you must explicitly configure your internal mail server

to relay email traffic to the device. The device scans the email traffic before forwarding it, on

behalf of the sender, to the external mail server. The external mail server then forwards the

email message to the recipient.

In a similar way, the network must be configured so that incoming email messages from the

Internet are delivered to the device, not the internal mail server.

Figure 5: Relaying email traffic

The device scans the traffic before forwarding it, on behalf of the sender, to the internal mail

server for delivery, as shown in Figure 5: Relaying email traffic.

For example, an external mail server can communicate directly with the device, although traffic

might pass through several network servers before reaching the device. The perceived path is

from the external mail server to the device.

Protocols

To scan a supported protocol, you must configure your other network servers or client computers

to route that protocol through the device, so that no traffic bypasses the device.

Firewall rules

Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The

firewall sees only the IP address information for the device, not the IP addresses of the clients,

so the firewall cannot apply its Internet access rules to the clients.

Where to place the device

Configure the network devices so that traffic needing to be scanned is sent to the device. This

is more important than the location of the device.

Pre-installation

Considerations about Network Modes

McAfee Email and Web Security Appliance 5.5 Installation Guide16

The router must allow all users to connect to the device.

Figure 6: Explicit proxy configuration

The device must be positioned inside your organization, behind a firewall, as shown in Figure

6: Explicit proxy configuration.

Typically, the firewall is configured to block traffic that does not come directly from the device.

If you are unsure about your network’s topology and how to integrate the device, consult your

network expert.

Use this configuration if:

• The device is operating in explicit proxy mode.

• You are using email (SMTP).

For this configuration, you must:

• Configure the external Domain Name System (DNS) servers or Network Address Translation

(NAT) on the firewall so that the external mail server delivers mail to the device, not to the

internal mail server.

• Configure the internal mail servers to send email messages to the device. That is, the internal

mail servers must use the device as a smart host. Ensure that your client devices can deliver

email messages to the mail servers within your organization.

• Ensure that your firewall rules are updated. The firewall must accept traffic from the device,

but must not accept traffic that comes directly from the client devices. Set up rules to prevent

unwanted traffic entering your organization.

Deployment Strategies for Using the device in a

DMZ

A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including

the Internet and other internal networks. The typical goal behind the implementation of a DMZ

is to lock down access to servers that provide services to the Internet, such as email.

Hackers often gain access to networks by identifying the TCP/UDP ports on which applications

are listening for requests, then exploiting known vulnerabilities in applications. Firewalls

dramatically reduce the risk of such exploits by controlling access to specific ports on specific

servers.

Pre-installation

Deployment Strategies for Using the device in a DMZ

17McAfee Email and Web Security Appliance 5.5 Installation Guide

The device can be added easily to a DMZ configuration. The way you use the device in a DMZ

depends on the protocols you intend to scan.

Contents

Pre-installation

SMTP configuration in a DMZ

The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall

for the second time (on its way from the DMZ to the internal network), it has been encrypted.

Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode.

Configuration changes need only be made to the MX records for the mail servers.

NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if

you do not control the flow of traffic correctly, the device scans every message twice, once in

each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.

Mail relay

Figure 7: Device in explicit proxy configuration in a DMZ

If you have a mail relay already set up in your DMZ, you can replace the relay with the device.

To use your existing firewall policies, give the device the same IP address as the mail relay.

Mail gateway

SMTP does not provide methods to encrypt mail messages — you can use Transport Layer

Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do

not allow such traffic on their internal network. To overcome this, they often use a proprietary

mail gateway, such as Lotus Notes

or Microsoft

Exchange, to encrypt the mail traffic before

it reaches the internal network.

Pre-installation

Deployment Strategies for Using the device in a DMZ

McAfee Email and Web Security Appliance 5.5 Installation Guide18

To implement a DMZ configuration using a proprietary mail gateway, add the scanning device

to the DMZ on the SMTP side of the gateway.

Figure 8: Protecting a mail gateway in DMZ

In this situation, configure:

• The public MX records to instruct external mail servers to send all inbound mail to the device

(instead of the gateway).

• The device to forward all inbound mail to the mail gateway, and deliver all outbound mail

using DNS or an external relay.

• The mail gateway to forward all inbound mail to the internal mail servers and all other

(outbound) mail to the device.

• The firewall to allow inbound mail that is destined for the device only.

NOTE: Firewalls configured to use Network Address Translation (NAT), and that redirect inbound

mail to internal mail servers, do not need their public MX records reconfigured. This is because

they are directing traffic to the firewall rather than the mail gateway itself. In this case, the

firewall must instead be reconfigured to direct inbound mail requests to the device.

Firewall rules specific to Lotus Notes

By default, Lotus Notes servers communicate over TCP port 1352. The firewall rules typically

used to secure Notes servers in a DMZ allow the following through the firewall:

• Inbound SMTP requests (TCP port 25) originating from the Internet and destined for the

device.

• TCP port 1352 requests originating from the Notes gateway and destined for an internal

Notes server.

• TCP port 1352 requests originating from an internal Notes server and destined for the Notes

gateway.

• SMTP requests originating from the device and destined for the Internet.

All other SMTP and TCP port 1352 requests are denied.

Firewall rules specific to Microsoft Exchange

A Microsoft Exchange-based mail system requires a significant workaround.

Pre-installation

Deployment Strategies for Using the device in a DMZ

19McAfee Email and Web Security Appliance 5.5 Installation Guide

When Exchange servers communicate with each other, they send their initial packets using the

RPC protocol (TCP port 135). However, once the initial communication is established, two ports

are chosen dynamically and used to send all subsequent packets for the remainder of the

communication. You cannot configure a firewall to recognize these dynamically-chosen ports.

Therefore, the firewall does not pass the packets.

The workaround is to modify the registry on each of the Exchange servers communicating

across the firewall to always use the same two “dynamic” ports, then open TCP 135 and these

two ports on the firewall.

We mention this workaround to provide a comprehensive explanation, but we do not recommend

it. The RPC protocol is widespread on Microsoft networks — opening TCP 135 inbound is a red

flag to most security professionals.

If you intend to use this workaround, details can be found in the following Knowledge Base

articles on the Microsoft website:

• Q155831

• Q176466

Workload management

The appliances includes its own internal workload management, distributing the scanning load

evenly between all appliances configured to work together.

The blade server includes its own internal workload management, distributing the scanning

load evenly between all scanning blades installed within the enclosure.

You do not need to deploy an external load balancer.

Pre-installation

Deployment Strategies for Using the device in a DMZ

McAfee Email and Web Security Appliance 5.5 Installation Guide20

Page is loading ...

McAfee MSA-3400-SWGI - Web Security Appliance 3400 Installation guide

Brand: McAfee

Model: MSA-3400-SWGI - Web Security Appliance 3400

Type: Installation guide

This manual is also suitable for

Email and Web Security Appliance 5.5

Download PDF

report

McAfee MSA-3400-SWGI - Web Security Appliance 3400 Installation guide

This manual is also suitable for

McAfee MSA-3400-SWGI - Web Security Appliance 3400 Installation guide

Related papers

Other documents