Revision A
COPYRIGHT
Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Product Guide
Contents
Preface
How McAfee Email Gateway processes mail traffic through your network
The interface
User preferences
Make changes to the appliance's configuration
Using lists
Import and export information
Ports used by Email Gateway
Resources
Top Frequently Asked Questions (FAQs)
Using the McAfee Email Gateway 7.x troubleshooting tree
Upgrading Email Gateway
Benefits of upgrading from previous versions of the product
Migrate settings from Email Gateway 7.5.3 or higher
Task - Migrate settings from Email Gateway virtual appliances 7.5.3 or higher
Task - Upgrade from Email Gateway 7.6.2 or higher appliances managed by McAfee ePolicy Orchestrator
About timeouts
Working with FIPS 140-2
Resetting user interface access
Reasons the user interface might be locked out
Reset user interface access
Types of reports
Message Search overview
Benefits of using Message Search
Message Search parameters
Message Search results
Message Search icons
Task - Identify quarantined email messages
Task - Find out which email messages are queued
Task - Find out which email messages are being blocked
Task - Find the emails that were successfully delivered
Task - A user has requested that I release one of their quarantined email messages
Task - Export a message search report
Task - Find a message containing a named attachment
Using multiple search parameters
Searching for archived content
Task - Configure identification of archived content
Task - Find content of archived files
Option definitions - Blacklist/whitelist URLs
Scheduled Reports
Benefits of creating scheduled reports
Option definitions - Scheduled Reports
Task - See the number of detections by protocol and threat type over the last week
Task - Send your manager an email activity report in PDF format every Monday at 10.00am
Task - Download a report in .csv format for further processing
Task - Send the email administrator a report that shows virus detections in email messages over the last week
Scheduled Reports - New Report dialog box
Scheduled Reports - Edit Report dialog box
Email Reports
Introduction to the Email Reports page
Benefits of using email reports
Types of Email reports
Types of Email report views
Types of email report filters
Favorite reports
Task - Generate an email activity overview for a particular sender
Task - Show me the total viruses detected over the previous week
System Reports
Introduction to the System Reports page
Benefits of using system reports
Types of System reports
Types of System report views
Types of System report filters
Favorite reports
Task - Generate a report that shows all threat detection updates
Group Management
Directory Services
Network Groups
Option definitions - Add Network Group
Option definitions - Add Rule
Email Senders and Recipients
Option definitions - Add User Group
Task - Add a user group
Add Directory Service wizard
Benefits of adding LDAP directory services
Option definitions - Directory Service Details page
Option definitions - Directory Service Queries page
Option definitions - Directory Service Query page
Option definitions - Test Directory Service Query page
Task - Set up the appliance to use a Microsoft Exchange Server as an LDAP server
Task - Create a sample LDAP query
Quarantine Configuration
Quarantine Options
Quarantine Digest Options
Option definitions - Digest Message Content
Quarantine Queue Settings
Appliance Management
General
Network Interfaces Wizard
DNS and Routing
Time and Date
Remote Access
Email Gateway Certificate
Certificate and Key Export wizard
UPS Settings
Add UPS Device Wizard
Default Server Settings
System Administration
Configuration Management
Configuration Push
Cluster Management
Option definitions - MAC Addresses
Resilient Mode
Configure Automatic Configuration Backups wizard
Database Maintenance
Rescue Image
System Commands
Users
Users and Roles
Option definitions - New Role dialog box
Option definitions - Role Details dialog box
Password Management
Forgotten password
Login Services
Add Login Services wizard
Session Management
DoD CAC Authentication
Option definitions - CAC Certificate Attribute Mapping
Option definitions - Custom Text dialog box
Troubleshooting Tools
Ping and Trace Route
Generate Test Email
System Load
Route Information
Disk Space
Hardware Status
FIPS Status
ATD
Troubleshooting Reports
Minimum Escalation Report
Capture Network Traffic
Index
Preface
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators: People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis
Bold
Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue
Find product documentation
Enter a product, select a version, then click Search to display a list of documents.
McAfee Email Gateway protects your network from viruses, undesirable content, spam, and other
threats. Understand these concepts to help you configure your McAfee Email Gateway.
Contents
How McAfee Email Gateway processes mail traffic through your network
The interface
Ports used by Email Gateway
Resources
Top Frequently Asked Questions (FAQs)
Using the McAfee Email Gateway 7.x troubleshooting tree
Upgrading Email Gateway
About timeouts
Working with FIPS 140-2
Resetting user interface access
The interface
The user interface provides you with an intuitive way of finding information and configuring options for
your McAfee Email Gateway.
The interface you see might look slightly different from that shown here, because it can vary depending
on the appliance's hardware platform, software version, and language.
A Navigation area
The navigation area contains four areas: user information, section icons, tab bar, and support controls.
Menu: Features
Dashboard: Use this page to see a summary of the appliance. From this page you can access most of the pages that control the appliance.
Reports: Use the Reports pages to view events recorded on the appliance, such as viruses detected in email messages, and system activities such as details of recent updates and logins.
System
Troubleshoot: Use the Troubleshoot pages to diagnose any problems with the appliance.
D Tab bar
The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what
is displayed in the content area.
F View control
The view control button shows or hides a status window.
The status window, which appears in the bottom right of the interface, shows recent activity. New
messages are added at the top of the window. If a message is blue and underlined, you can click the
link to visit another page. You can also manage the window with its own Clear and Close links.
G Content area
The content area contains the currently active content and is where most of your interaction will be.
The changes that you make take effect after you click the green checkmark.
Contents
User preferences
Make changes to the appliance's configuration
Using lists
Import and export information
User preferences
The User Preferences link in the User information bar allows you to personalize specific behaviors in
McAfee Email Gateway.
Issue You have responsibility for monitoring and creating reports for management review. This task
requires logging on to Email Gateway several times per day. Navigating directly to the Reports tab
streamlines the work flow.
Solution Use User Preferences to set Reports as the opening page for your account.
Option: Definition
Preferences
After login open: From the drop-down list, select the page Email Gateway displays when you log on. Options include:
Dashboard: displays the opening page for the Dashboard tab.
Reports: displays the opening page for the Reports tab.
Email: displays the opening page for the Email tab.
System: displays the opening page for the System tab.
Troubleshoot: displays the opening page for the Troubleshoot tab.
Last visited page: takes you back to the last page you opened before you last logged off.
Change password
Current password
New password
Confirm password
In the Preferences section, After login open, select the page to display from the drop-down menu.
The menu contains only those pages available for your access permissions.
Click Apply.
The next time you log on to Email Gateway, the page you chose appears as your opening page.
Task
1
In the Change Password section, type your current password in the data field.
Type your new password again in the Confirm password data field.
Click Apply.
Your new password is effective the next time you log on.
In the navigation bar, click an icon. The blue tabs below the icons change to show the available
features.
Click the tabs until you reach the page you need.
To locate any page, examine the tabs, or locate the subject in the Help index. The location of the
page is often described at the top of the Help page. Example:
On the page, select the options. Click the Help button (?) for information about each option.
To save your configuration changes, click the green checkmark icon at the top right of the window.
In the Configuration change comment window, type a comment to describe your changes, then click OK.
Wait a few minutes while the configuration is updated.
To see all your comments, select Review Configuration Changes in System | System Administration | Configuration
Management.
Using lists
Within the McAfee Email Gateway user interface, lists are used in many places to help define
information.
Contents
Make and view lists
Add information to a list
Remove single items from a list
Remove many items from a list
Change information in a list
View information in a long list
Type the details in the new row. Press Tab to move between fields.
For help with typing the correct information, move your cursor over the table cell, and wait for a
pop-up to appear. For more information, click
Task
1
Click the item to select it. The row turns pale blue.
In the column of checkboxes on the left of the table, select each required item. To select many
items, select the checkbox in the table's heading row to select all the items, then deselect those
that you want to keep.
Task
To determine the position of an item in the list or the size of the list, view the text at the bottom of
the list, such as Items 20 to 29 of 40.
To move through the list or to move quickly to either end of the list, click the arrows at the bottom
right of the list.
In the Move column (on the right of the table), click the upward or downward arrow:
To force items in a column into alphabetical order, click the column heading. Items in other
columns are automatically sorted accordingly. An icon appears in the column heading to indicate
that this column is sorted:
To reverse and restore the alphabetical order of the information within a single column, click the
icons in the column heading:
Task
1
Click Import.
Format | Example
Domain: D, domain, IP address | D, www.example.com, 192.168.254.200
Network address | N, 192.168.254.200, 255.255.255.0
Email address: E, email-address | E, network_user@example.com
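As an added example that is not part of the guide, the following Python validates a file in the D/N/E import format shown above before it is imported, reporting each rejected line with a reason. The record layout comes from the table; the sample input, the hostname and email rules, and the function names are my own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample import file (not from the guide): three valid records
# followed by three that should be rejected.
SAMPLE_IMPORT = """\
D, www.example.com, 192.168.254.200
N, 192.168.254.200, 255.255.255.0
E, network_user@example.com
D, bad domain, 192.168.1.1
E, not-an-address
X, something
"""

# Hostname rule (assumption): dotted labels of letters, digits and hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
# Email rule (assumption): one '@', no whitespace or commas, a dot in the domain part.
_EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


@dataclass(frozen=True)
class ListEntry:
    kind: str      # "D" (domain), "N" (network address) or "E" (email address)
    value: str     # normalised value: "domain=ip", "a.b.c.d/prefix" or the address


def parse_line(line: str) -> Optional[ListEntry]:
    """Parse one import line. Returns None for a blank line, raises ValueError if malformed."""
    line = line.strip()
    if not line:
        return None
    parts = [p.strip() for p in line.split(",")]
    kind = parts[0].upper()
    if kind == "D":
        if len(parts) != 3:
            raise ValueError("D record needs 'D, domain, IP address'")
        domain, ip = parts[1], parts[2]
        if not _DOMAIN_RE.match(domain):
            raise ValueError(f"invalid domain {domain!r}")
        ipaddress.ip_address(ip)            # raises ValueError on a bad address
        return ListEntry("D", f"{domain.lower()}={ip}")
    if kind == "N":
        if len(parts) != 3:
            raise ValueError("N record needs 'N, network address, netmask'")
        # strict=False: the guide's own example (192.168.254.200/255.255.255.0) has host bits set.
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        return ListEntry("N", str(net))
    if kind == "E":
        if len(parts) != 2:
            raise ValueError("E record needs 'E, email-address'")
        if not _EMAIL_RE.match(parts[1]):
            raise ValueError(f"invalid email address {parts[1]!r}")
        return ListEntry("E", parts[1].lower())
    raise ValueError(f"unknown record type {parts[0]!r}")


def parse_import(text: str) -> Tuple[List[ListEntry], List[Tuple[int, str]]]:
    """Return (accepted entries, rejected lines as (line number, reason))."""
    entries: List[ListEntry] = []
    errors: List[Tuple[int, str]] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_line(raw)
        except ValueError as exc:
            errors.append((number, str(exc)))
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


if __name__ == "__main__":
    accepted, rejected = parse_import(SAMPLE_IMPORT)
    for entry in accepted:
        print("accepted", entry.kind, entry.value)
    for number, reason in rejected:
        print(f"rejected line {number}: {reason}")
```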
Task
In the Export or Download window, follow the instructions to create the file.
Use | Protocol | Port | Destination | Direction | Notes
Software updates | FTP | TCP 21 | ftp.nai.com | Outbound |
Software updates | | TCP 80 (default) | update.nai.com | Outbound | The anti-virus DAT and Engine update packages are encrypted and signed before being transported over HTTP.
Software updates | | 21 (optional) | ftp.nai.com | |
Software updates | | TCP 443 | tau.mcafee.com | Outbound |
Anti-spam rules and streaming updates | HTTP | TCP 80 | http://su3.mcafee.com, http://sav-su3-1.mcafee.com, 208.69.152.139, 192.187.128.17 | Outbound | The anti-spam rules and streaming updates are encrypted and signed before being transported over HTTP.
Anti-spam engine updates | HTTP | TCP 443 | tau.mcafee.com | Outbound |
Advanced Threat Defense server | HTTPS | TCP 443 (default) | | Outbound |
URL reputation lookup | HTTPS | TCP 443 | tunnel.web.trustedsource.org | Outbound |
URL reputation database update | HTTP | TCP 80 | list.smartfilter.com | Outbound |
 | HTTPS | TCP 443 | | |
Management Port for the User Interface | HTTPS | TCP 10443 | | |

Table 1-4
Use | Protocol | Port | Destination | Direction
Domain Name System (DNS) | DNS | TCP/UDP 53 | | Outbound
LDAP | LDAP | TCP 3268 | | Outbound
LDAP | LDAP | TCP 636 | | Outbound
LDAP | LDAP | TCP 3269 | | Outbound
Active Directory | LDAP | TCP 389 | | Outbound
 | | TCP 80 | | Bidirectional
McAfee Global Threat Intelligence message reputation | HTTPS | TCP 443 | tunnel.web.trustedsource.org | Outbound
McAfee Global Threat Intelligence file reputation | DNS | UDP 53 | | Outbound
McAfee Global Threat Intelligence feedback | HTTPS | TCP 443 | gtifeedback.trustedsource.org | Outbound
Email Hybrid | Proprietary | TCP 25 | | Inbound
Email Hybrid | HTTPS (hybridapi.mxlogic.com) | TCP 443 | 208.65.144.0/21 | Outbound
Email Hybrid | HTTPS | TCP 443 | 208.81.64.0/21, default.megrh.mxlogic.net | Outbound
Port number: 80, 8081 (default), 8082 (default), 8443, 8444
Intercept ports
When operating in transparent modes (transparent bridge mode or transparent router mode), the
appliance uses the following intercept ports to intercept traffic for scanning.
Table 1-7 Intercept ports
Protocol | Port number
POP3 | 110
SMTP | 25
Listening ports
The appliance typically uses the following ports to listen for traffic on each protocol. The appliance
listens for traffic arriving on the designated ports. You can set up one or more listening ports for each
type of traffic scanned by your appliance.
Table 1-8 Typical listening ports
Protocol | Port number
POP3 | 110
SMTP | 25
IP addresses needed for communication between Email Gateway and the McAfee
Email Protection (Hybrid)
To allow communication between Email Gateway and the McAfee Email Protection (Hybrid), you must
ensure that relevant IP addresses for the McAfee Email Protection (Hybrid) can be accessed from your
Email Gateway appliances.
Preferred Setting
If your hardware firewall solution accepts CIDR notation and supports Class 8 C notation, include the
following information:
CIDR | Starting IP address | Ending IP address
208.65.144.0/21 | 208.65.144.0 | 208.65.151.255
208.81.64.0/21 | 208.81.64.0 | 208.81.71.255
Alternative settings
If your hardware firewall solution accepts CIDR notation but supports only Class 1 C notation, you
must include the following entries for the entire subnet:
CIDR | Starting IP address | Ending IP address
208.65.144.0/24 | 208.65.144.0 | 208.65.144.255
208.65.145.0/24 | 208.65.145.0 | 208.65.145.255
208.65.146.0/24 | 208.65.146.0 | 208.65.146.255
208.65.147.0/24 | 208.65.147.0 | 208.65.147.255
208.65.148.0/24 | 208.65.148.0 | 208.65.148.255
208.65.149.0/24 | 208.65.149.0 | 208.65.149.255
208.65.150.0/24 | 208.65.150.0 | 208.65.150.255
208.65.151.0/24 | 208.65.151.0 | 208.65.151.255
208.81.64.0/24 | 208.81.64.0 | 208.81.64.255
208.81.65.0/24 | 208.81.65.0 | 208.81.65.255
208.81.66.0/24 | 208.81.66.0 | 208.81.66.255
208.81.67.0/24 | 208.81.67.0 | 208.81.67.255
208.81.68.0/24 | 208.81.68.0 | 208.81.68.255
208.81.69.0/24 | 208.81.69.0 | 208.81.69.255
208.81.70.0/24 | 208.81.70.0 | 208.81.70.255
208.81.71.0/24 | 208.81.71.0 | 208.81.71.255
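The alternative settings are simply the two /21 ranges split into /24 entries with their first and last addresses. The Python below, added here and not part of the guide, derives both the preferred and the alternative tables from the /21s with the standard library and checks whether an observed address falls inside the allowed ranges, which is useful when auditing an existing firewall rule set. The function names are my own; the ranges are the guide's.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# The two /21 ranges the guide lists for McAfee Email Protection (Hybrid).
HYBRID_RANGES = ("208.65.144.0/21", "208.81.64.0/21")

Row = Tuple[str, str, str]   # (CIDR, starting IP address, ending IP address)


def cidr_rows(cidrs: Iterable[str], split_to: Optional[int] = None) -> List[Row]:
    """Build (CIDR, first, last) rows for each range.

    With split_to=None the rows match the 'Preferred Setting' table; with
    split_to=24 each range is expanded into /24 entries as in 'Alternative settings'.
    """
    rows: List[Row] = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)   # reject host bits, e.g. 208.65.144.1/21
        subnets = [net] if split_to is None else list(net.subnets(new_prefix=split_to))
        for sub in subnets:
            rows.append((str(sub), str(sub.network_address), str(sub.broadcast_address)))
    return rows


def is_hybrid_address(ip: str, cidrs: Iterable[str] = HYBRID_RANGES) -> bool:
    """True if the address lies inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def as_table(rows: List[Row]) -> str:
    """Render rows in the guide's three-column layout."""
    lines = ["CIDR               Starting IP address  Ending IP address"]
    for cidr, first, last in rows:
        lines.append(f"{cidr:<18} {first:<20} {last}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(as_table(cidr_rows(HYBRID_RANGES)))          # preferred setting: two /21 rows
    print()
    print(as_table(cidr_rows(HYBRID_RANGES, split_to=24)))   # alternative: sixteen /24 rows
```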
Resources
The information, links, and supporting files that you can find from the Resources dialog box.
Click Resources from the black information bar at the top of the McAfee Email Gateway user interface.
The Resources dialog box contains links to different areas or to files that you might need when setting
up your appliance.
Link name: Description
Technical Support: Clicking this link takes you to the McAfee Technical Support ServicePortal login page (https://mysupport.mcafee.com/Eservice/Default.aspx). From this page, you can search the KnowledgeBase, view product documentation and video tutorials, as well as access other technical support services.
Submit a sample: If you have a file that you believe to be malicious, but that your McAfee systems are not detecting, you can safely submit it to McAfee for further analysis. Follow the Submit a sample link and either log on or register as a new user to access the McAfee Labs Tool to submit suspicious files.
Virus Information Library: Viruses are continually evolving, with new malicious files being developed daily. To find out more about particular viruses or other threats, follow the link to the McAfee Threat Center.
McAfee Customer Submission Tool: This free tool integrates into Microsoft Outlook and allows users to submit missed spam samples and email that was wrongly categorized as spam to McAfee Labs. McAfee Customer Submission Tool version 2.3 can also be used with McAfee Email Gateway and McAfee Quarantine Manager. The tool supports automated blacklisting and whitelisting, and has an installer that supports automated script-based installations. The latest McAfee Customer Submission Tool and documents can also be downloaded from the following location: http://www.mcafee.com/us/downloads/free-tools/customer-submission-tool.aspx
ePO Extensions: Download the McAfee ePolicy Orchestrator extensions for Email and Web Security Appliances. This file contains both the EWG and the EWS extensions. The EWG extension allows reporting from within McAfee ePolicy Orchestrator for the following products: McAfee Email and Web Security Appliances version 5.5; McAfee Email and Web Security Appliances version 5.6; McAfee Web Gateway; McAfee Email Gateway. The EWS extension provides full McAfee ePolicy Orchestrator management for McAfee Email and Web Security Appliances version 5.6. For you to use McAfee ePolicy Orchestrator for either reporting or management, the ePO extensions need to be installed on your McAfee ePolicy Orchestrator server.
ePO Help Extensions: Download the McAfee ePolicy Orchestrator Help extensions for the ePO extensions listed above. This file installs the Help extensions relating to the McAfee ePolicy Orchestrator extensions for Email and Web Security Appliances onto your McAfee ePolicy Orchestrator server.
SMI File: Download the Structure of Managed Information (SMI) file for use with the Simple Network Management Protocol (SNMP). This file provides information about the syntax used by the SNMP Management Information Base (MIB) file.
MIB File
HP OpenView NNM Smart Plug-in Installer: Download the HP OpenView installer file to enable you to configure your McAfee Email Gateway to communicate with HP OpenView.
From an Email Gateway installation CD, perform a new installation and then restore a configuration
file from a previous version.
From an Email Gateway installation CD, perform an upgrade from a previous version, retaining
configuration and log files.
Perform the upgrade remotely, by obtaining the latest Email Gateway ISO image and uploading it
to your Email Gateway. Use the Rescue Image feature (System | System Administration | Rescue Image) to
perform this remote upgrade.
Features associated with LDAP and role-based access control include enhanced protection options in
Email Gateway.
If upgrading a cluster of appliances, first upgrade the Failover Management appliance. Repeat the
upgrade on the Management appliance, and then upgrade all scanning appliances.
If installing on a blade server, first upgrade the Failover Management blade. Repeat the upgrade on
the Management blade, and then upgrade all scanning blades.
Task
1
Switch on the appliance or blade server, and agree to the license agreement.
When the installation options menu appears, choose one of the following installation options:
Choose option a to perform a new installation, then restore the Email Gateway configuration
from a previously backed up configuration file.
Choose option c to back up the configuration, policies, log files, and email messages and
restore them automatically when you install the latest version of Email Gateway.
Choose option e to restore policy settings, but no log files or email messages.
To get a description of the installation options, press the RETURN key on the installation
options menu. Press the RETURN key to continue through the descriptions until you return to
the installation options menu.
Use the installation options menu to define further options, such as the action you want to take
when the installation finishes. Press the ENTER key.
Select option a to perform the upgrade, then press the ENTER key to confirm the installation
option that you chose.
Press the RETURN key to complete the installation, and wait while the computer restarts.
Depending on your chosen installation option, all protocol, email policy, and system settings from
Email Gateway 7.5.3 or higher are migrated. This migration ensures that your previous levels of
protection are maintained.
To change any network settings after installation, select System | Appliance Management | General and click
Change Network Settings.
Download the Email Gateway virtual appliance .ISO file from the McAfee download site and extract
it.
Log on to the virtual appliance user interface and go to System | System Administration | System Commands.
Log on to VMware ESX Server or use the VMware Infrastructure Client, or the VMware vSphere
Client to log on to VMware Virtual Center Server.
Enable a Power-on-Boot delay to get enough time to force the virtual machine to boot from CD:
Select the virtual appliance in the Inventory list and click Summary.
In Power-on-Boot delay, type 10,000 in the text box, and click OK.
Make sure the cursor focus is on the virtual appliance console. Then press the ESC key to open the
Boot Menu.
Do not select any options yet.
Release the cursor from the console and select Connect CD/DVD1.
Browse to the folder where you downloaded the Email Gateway virtual appliance .ISO file and
double-click <McAfee-MEG 7.6-<build-number>.VMbuy.iso>.
When the .ISO file is connected, click back on to the console screen. Select CD-ROM Drive and press
the ENTER key.
The virtual appliance starts from the .ISO file.
Depending on your chosen installation option, all protocol, email policy, and system settings from your
Email Gateway virtual appliance 7.5.3 or higher are migrated. This migration ensures that your
previous levels of protection are maintained.
Download the ePO Extensions and ePO Help Extensions from the Resources link
within the user interface of one of the upgraded appliances.
From within your McAfee ePO user interface, install the new versions of the
ePO Extensions and ePO Help Extensions.
Before you can upgrade to the latest version of Email Gateway, your existing appliance
must be running Email Gateway version 7.6.2 and be correctly configured and running.
This upgrade process automatically disconnects the appliance from being managed by
McAfee ePO.
The in-built Email Gateway migration tools migrate many of your existing Email Gateway settings for
you. However, some settings may need to be recreated.
Task
1 In McAfee ePO, click Policy Catalog and select the Email Gateway 7.6.2 or higher product.
Select the epo_config_<date_stamp>.xml file produced at the end of this process, and save the file.
From the Email Gateway Resources link, download the ePO Extensions and ePO Help Extensions files.
10 From McAfee ePO, install the ePO Extensions and ePO Help Extensions files.
11 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway 7.<x> product.
About timeouts
Learn about the timeouts that occur between the appliance receiving a message, scanning it, and
delivering it.
When the appliance receives an email message, the SMTP conversation and corresponding timeouts
occur as follows:
Where T equals "Time":
T0 The time the appliance receives the connection (where time = zero).
T1 The time taken between commands (EHLO, MAIL FROM, RCPT TO, DATA (but not the dot that
signifies the end of DATA), RSET), as defined in Email | Email Configuration | Protocol Configuration | Connection
Settings (SMTP) | Timeouts.
T2 The time taken between receiving the chunks of data during DATA transfer.
T3 The time taken for the whole conversation to occur, that is, to receive a message, scan it,
and deliver it.
T4 The total time taken to scan the message, that is, once the appliance has received all the
data.
As an email message passes through the appliance, the following timeouts are applied.
[Figure: SMTP conversation between the client and the appliance (connection, EHLO, 250 OK, 220 OK, DATA, message body, final 250 OK), annotated with the timeouts applied at each stage.]
The appliance delivers the message and makes an onward connection. It has taken T3 T5
T0 to deliver the message. In other words, if the overall time to process a message is six
minutes (T3), and receiving the message and scanning has taken four minutes, the appliance
has two minutes to deliver the message. If this limit is exceeded, the email is queued for
delivery later.
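The timeout budget described above, as an added example (not McAfee code): T1 bounds the gap between SMTP commands, T2 the gap between DATA chunks, and T3 the whole receive, scan and deliver cycle, so the delivery budget is what remains of T3 after receiving and scanning (T4). The timeout values and the client trace are constructed; checking the terminating dot against T2 is an assumption of this model.

```python
"""Added example (not McAfee code): a model of the SMTP timeout budget the
guide describes. T1 bounds the gap between SMTP commands, T2 the gap between
DATA chunks, T3 the whole receive + scan + deliver cycle; the delivery budget
is whatever remains of T3 once receiving (up to end of DATA) and scanning
(T4) are done. Timeout values and the event trace below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Timeouts:
    t1_command_gap: float    # seconds allowed between EHLO, MAIL FROM, RCPT TO, DATA, RSET
    t2_chunk_gap: float      # seconds allowed between chunks during DATA transfer
    t3_conversation: float   # seconds allowed for the whole receive + scan + deliver cycle


@dataclass(frozen=True)
class Outcome:
    status: str              # "delivered", "queued", "command_timeout", "data_timeout", "incomplete"
    detail: str
    delivery_budget: float   # seconds of T3 left for the onward delivery (0 when none)


# Constructed values: 60 s between commands, 60 s between DATA chunks,
# 6 minutes for the whole conversation (the figure used in the guide's example).
CONSTRUCTED_TIMEOUTS = Timeouts(t1_command_gap=60, t2_chunk_gap=60, t3_conversation=360)

# Constructed client trace: (seconds since T0, event kind, label).
# "cmd" is an SMTP command, "chunk" a block of DATA, "eod" the terminating dot.
# The guide excludes the dot from T1; this model checks it against T2 (assumption).
CONSTRUCTED_TRACE = [
    (1, "cmd", "EHLO"),
    (2, "cmd", "MAIL FROM"),
    (3, "cmd", "RCPT TO"),
    (4, "cmd", "DATA"),
    (20, "chunk", "headers"),
    (45, "chunk", "body part 1"),
    (70, "chunk", "body part 2"),
    (120, "eod", "."),       # 120 s after T0 all data has been received
]


def evaluate_conversation(trace, scan_seconds, timeouts, delivery_seconds=None):
    """Walk the trace and decide how the appliance ends up treating the message.

    scan_seconds is T4 (time spent scanning once all data is in). If
    delivery_seconds is given it is compared with the remaining budget; a
    delivery that would overrun T3 means the message is queued for later."""
    last_command_at = 0.0     # T0: the connection itself
    last_chunk_at = None      # set while inside DATA
    end_of_data_at = None
    for at, kind, label in trace:
        if kind == "cmd":
            if at - last_command_at > timeouts.t1_command_gap:
                return Outcome("command_timeout", f"T1 exceeded before {label}", 0.0)
            last_command_at = at
            if label == "DATA":
                last_chunk_at = at
        elif kind in ("chunk", "eod"):
            if last_chunk_at is None:
                return Outcome("incomplete", f"{kind} received outside DATA", 0.0)
            if at - last_chunk_at > timeouts.t2_chunk_gap:
                return Outcome("data_timeout", f"T2 exceeded before {label}", 0.0)
            last_chunk_at = at
            if kind == "eod":
                end_of_data_at = at
                last_chunk_at = None
    if end_of_data_at is None:
        return Outcome("incomplete", "conversation ended before end of DATA", 0.0)

    # Receiving and scanning (T4) eat into T3; what is left is the delivery budget.
    elapsed = end_of_data_at + scan_seconds
    budget = timeouts.t3_conversation - elapsed
    if budget <= 0:
        return Outcome("queued", "T3 exhausted before delivery could start", 0.0)
    if delivery_seconds is not None and delivery_seconds > budget:
        return Outcome("queued",
                       f"delivery needs {delivery_seconds:.0f}s, only {budget:.0f}s of T3 left",
                       budget)
    return Outcome("delivered", f"{budget:.0f}s of T3 remained for onward delivery", budget)


def guide_example():
    """The guide's worked numbers: a 6-minute T3, 4 minutes spent receiving and scanning."""
    return evaluate_conversation(CONSTRUCTED_TRACE, scan_seconds=120, timeouts=CONSTRUCTED_TIMEOUTS)


if __name__ == "__main__":
    outcome = guide_example()
    print(outcome.status, outcome.detail)
```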
Failure
SSLFIPS Enable or disable the OpenSSL FIPS checking (enabled by default). All applications on the
appliance that use the OpenSSL library perform the OpenSSL FIPS validity check when they
start. If it causes compatibility issues with other devices, it can be disabled.
Validate Re-run FIPS validity tests. The ability to re-run the tests and view the output in the console.
To check that the appliance is running in FIPS mode, click About the Appliance in the menu bar. The FIPS
140-2 Compliant status shows Yes, No, or Partial.
A Partial status is given in the following situations:
FIPS validation failures occurred, where the failure handling has been modified from the
default setting Prompt for cryptographic officer password.
Go to Reports | System Reports in the user interface to get more information about the FIPS
status.
The user-configured management port is being blocked by a firewall, preventing access to the
appliance user interface.
A badly formed Access Control List (ACL) can result in 403 Forbidden responses when you attempt
to log on to the user interface.
X.509 (also known as Department of Defense Common Access Card or DoD CAC) authentication
can be misconfigured in a number of ways, perhaps because the CA certificates required to validate
the user certificates are not present, the user certificates have expired, role mapping has been
mistyped, or the certificate chain length might exceed the permitted length.
If out-of-band management has been enabled on the appliance but incorrectly configured, and
in-band management has been disabled, the appliance user interface will not be accessible from
any network interface.
From the Configuration Menu, select Manage and then press Enter.
The Management Menu is displayed.
Use the space bar to select or deselect the checkbox, then press Enter.
The relevant reset screen is displayed. If you have multiple issues that may cause access to be
locked out, repeat this process for the other problematic settings.
6 When you have reset any problematic settings, select Quit until the top-level Configuration Menu is
displayed.
When you first open the browser, you see the Dashboard, which gives a summary of the activity of the
appliance.
Dashboard
From this page you can access most of the pages that control the appliance.
Contents
Benefits of using the Dashboard
Dashboard portlets
Configurable thresholds
Option definitions Inbound Mail Summary portlet
Option definitions Outbound Mail Summary portlet
Option definitions SMTP Detections portlet
Option definitions POP3 Detections portlet
Option definitions System Summary portlet
Option definitions Hardware Summary portlet
Option definitions Network Summary portlet
Option definitions Services portlet
Option definitions Clustering portlet
Option definitions Advanced Threat Defense portlet
Option definitions Tasks portlet
Task Setting System Summary thresholds
Task Setting Services thresholds
Some portlets display graphs that show appliance activity over the following periods of time:
1 hour
2 weeks
4 weeks
1 week
Within the Dashboard, you can make some changes to the information and graphs displayed:
See a status indicator that shows whether the item needs attention (the indicator and button icons are not reproduced in this extraction).
Use the zoom buttons to zoom in and zoom out of a timeline of information. There is a short delay while
the view is updated. By default, the Dashboard shows data relating to the previous one day.
Move a portlet to another location on the Dashboard.
Double-click the top bar of a portlet to expand it across the top of the Dashboard.
Set your own alert and warning thresholds to trigger events. To do so, highlight the item and click
it, edit the alert and warning threshold fields, and click Save. When the item exceeds the threshold
you set, an event is triggered.
Depending on the browser used to view the McAfee Email Gateway user interface, the Dashboard
"remembers" the current state of each portlet (whether it is expanded or collapsed, and if you have
drilled down to view specific data), and attempts to re-create that view if you navigate to another page
within the user interface and then return to the Dashboard within the same browsing session.
Dashboard portlets
The McAfee Email Gateway Dashboard portlets provide information about the state of email traffic,
recent detections and the current status of your McAfee Email Gateway.
Option
Definition
Inbound Mail
Summary
Displays the delivery and status information about messages sent to your
organization.
Outbound Mail
Summary
Displays the delivery and status information about messages sent from your
organization.
SMTP Detections
Displays the total number of messages that triggered a detection based on the
sender or connection, the recipient, or the content, and to view data specific to
either inbound or outbound SMTP traffic.
POP3 Detections
System Summary
Displays information about load balancing, the disk space used for each partition,
total CPU usage, used and available memory, and swap details.
Hardware Summary
Status indicators to show the status of network interfaces, UPS servers, bridge
mode (if enabled), and RAID status.
Network Summary
Services
Displays update and service status statistics based on protocol and external
servers used by the appliance.
Clustering
Provides information about the entire cluster when appliance is part of a cluster or
you are using the blade server hardware.
Tasks
Links directly to the areas of the user interface that search the message queue,
view reports, manage policies, configure mail protocol settings and network and
system settings, and access troubleshooting features.
Configurable thresholds
You can configure user-defined warning thresholds and critical thresholds for some status indicators.
When set, McAfee Email Gateway then provides the relevant level of warnings when these
user-defined values are exceeded.
For the System Summary portlet, you can configure the threshold values for the following parameters:
Swap | Used
Disk Space | /deferred | Inodes used
Disk Space | /deferred | Disk used
[Figure: Inbound Mail Summary portlet, showing the Delivered, Blocked, Queued, Bounced, Scanning Skipped and Quarantined counters.]
Counter
Definition
Total Inbound
Messages
A top level counter which increments for each email that passes the MAIL FROM stage
of the SMTP conversation.
If multiple messages are sent down one connection, this counter will increment. You
can drill down to see how the email connection was received:
TLS The email was received over a TLS connection.
Non TLS The email was received over a standard non TLS connection.
Delivered
A top level counter which increments for each email that is delivered. You can drill
down to see how the email was delivered:
Plain The email was delivered as a standard plain message.
Encrypted The email was delivered encrypted by:
TLS The email was delivered over a TLS connection:
Secure Web Mail The content was encrypted using one of the following methods:
Push
Pull
Push/Pull
S/Mime The content was encrypted by S/MIME.
PGP The content was encrypted by PGP.
Plain The content was a standard plain message.
Non TLS The email was delivered over a standard non TLS connection:
Secure Web Mail The content was encrypted by one of the following methods:
Push
Pull
Push/Pull
S/Mime The content was encrypted by S/MIME.
PGP The content was encrypted by PGP.
Counter
Definition
Blocked
A top level counter which increments for each email that is blocked. You can expand
the counter to see the number of messages blocked by sender or connection, recipient,
and content:
Sender/Connection provides a breakdown of the scanner that blocked the email,
either:
Deny Sender
BATV
FCrDNS
Recipient provides a breakdown of the scanner that blocked the email, either:
Anti-Relay
LDAP Recipient
Grey Listing
Directory Harvesting
Rejected Recipient
Content provides a breakdown of the scanner that blocked the email, either:
GTI Message Reputation
Compliance
Sender ID
Image Filtering
DKIM
Spam
Phish
DLP
Mail Filtering
Virus
PUPs
File Filtering
Packers
Denial of Service
Bounced
Scanning
Skipped
The total number of inbound messages that resulted in a policy-based action that did
not require scanning to be carried out.
Queued for ATD The total number of inbound messages that are currently queued to be sent to the
McAfee Advanced Threat Defense servers.
Queued
The total number of inbound messages that are queued awaiting delivery.
Quarantined
A top level counter which increments for each message that is quarantined.
The total number of messages in all of the quarantine queues.
The total number of messages requested for release by users by quarantine digests.
From within the Quarantined area, you can also drill-down into the number of email
messages quarantined in each quarantine category.
A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total quarantined
messages.
Sender and
Recipient
Type the name of a particular sender or recipient for whom you wish to locate a
message, and click Search to go to the Message Search page.
Search
Click Search to go to the Message Search feature where you can look for messages based
on their status; either blocked, bounced, delivered, quarantined, or queued.
[Figure: Outbound Mail Summary portlet, showing the Delivered, Blocked, Queued, Bounced, Quarantined and Scanning Skipped counters.]
If you are using the quarantine features, messages may also be summarized in the quarantined list.
Counter
Definition
Total Outbound Messages
A top level counter which increments for each email that passes the MAIL TO stage of
the SMTP conversation.
If multiple messages are sent down one connection, this counter will increment. You
can drill down to see how the email connection was received:
TLS The email was received over a TLS connection.
Non TLS The email was received over a standard non TLS connection.
Delivered
A top level counter which increments for each email that is delivered. You can drill
down to see how the email was delivered:
Plain The email was delivered as a standard plain message
Encrypted The email was delivered encrypted by:
TLS The email was delivered over a TLS connection:
Secure Web Mail the content was encrypted using one of the following methods:
Push
Pull
Push/Pull
S/Mime The content was encrypted by S/MIME.
PGP The content was encrypted by PGP.
Plain The content was a standard plain message.
Non TLS The email was delivered over a standard non TLS connection:
Secure Web Mail The content was encrypted by one of the following methods:
Push
Pull
Push/Pull
S/Mime The content was encrypted by S/MIME.
PGP The content was encrypted by PGP.
Counter
Definition
Blocked
A top level counter which increments for each email that is blocked. You can expand
the counter to see the number of messages blocked by sender or connection, recipient,
and content:
Sender/Connection Provides a breakdown of the scanner that blocked the email,
either:
Deny Sender
BATV
FCrDNS
Recipient Provides a breakdown of the scanner that blocked the email, either:
Anti-Relay
LDAP Recipient
Grey Listing
Directory Harvesting
Rejected Recipient
Content Provides a breakdown of the scanner that blocked the email, either:
GTI Message Reputation
Compliance
Sender ID
Image Filtering
DKIM
Spam
Phish
DLP
Mail Filtering
Virus
PUPs
File Filtering
Packers
Denial of Service
Bounced
Scanning
Skipped
The total number of outbound messages that resulted in a policy-based action that did
not require scanning to be carried out.
Queued for ATD The total number of outbound messages that are currently queued to be sent to the
McAfee Advanced Threat Defense server.
Queued
The total number of outbound messages that are queued awaiting delivery.
Quarantined
A top level counter which increments for each message that is quarantined.
The total number of messages in all of the quarantine queues.
The total number of messages requested for release by users by quarantine digests.
A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total quarantined
messages.
Search
Click Search to go to the Message Search feature where you can look for messages based
on their status; either blocked, bounced, delivered, quarantined, or queued.
Option Definition
Total
Shows the total number of inbound and outbound messages that triggered a detection, and
expands the statistics further to see the number of messages based on the following
criteria:
Sender/Connection Provides a breakdown of the scanner that triggered a detection, either:
Deny Sender
BATV
FCrDNS
Recipient Provides a breakdown of the scanner that triggered a detection, either:
Anti-Relay
LDAP Recipient
Grey Listing
Directory Harvesting
Rejected Recipient
Policy Based Action Provides a count of the actions taken based on policy rather than a
scanning trigger.
Content Provides a breakdown of the scanner that triggered a detection, either:
GTI Message Reputation
Sender ID
DKIM
Spam
Phish
Mail Filtering
Mail Size Filtering
File Filtering
Denial of Service
Compliance
Image Filtering
Mail URL Reputation
Mail URL Reputation DoS
DLP
Virus By either the McAfee or the Commtouch Command scanner
Shows the total number of inbound messages that triggered a detection, and expands the
statistics further to see the number of messages based on the following criteria:
Sender/Connection Provides a breakdown of the scanner that triggered a detection, either:
Deny Sender
BATV
FCrDNS
Recipient Provides a breakdown of the scanner that triggered a detection, either:
Anti-Relay
LDAP Recipient
Grey Listing
Directory Harvesting
Rejected Recipient
Policy Based Action Provides a count of the actions taken based on policy rather than a
scanning trigger.
Content Provides a breakdown of the scanner that triggered a detection, either:
GTI Message Reputation
Sender ID
DKIM
Spam
Phish
Mail Filtering
Mail Size Filtering
File Filtering
Denial of Service
Compliance
Image Filtering
Mail URL Reputation
Mail URL Reputation DoS
DLP
Virus By either the McAfee or the Commtouch Command scanner
BATV
FCrDNS
Recipient Provides a breakdown of the scanner that triggered a detection, either:
Anti-Relay
LDAP Recipient
Grey Listing
Directory Harvesting
Rejected Recipient
Policy Based Action Provides a count of the actions taken based on policy rather than a
scanning trigger.
Content Provides a breakdown of the scanner that triggered a detection, either:
GTI Message Reputation
Sender ID
DKIM
Spam
Phish
Mail Filtering
Mail Size Filtering
File Filtering
Denial of Service
Compliance
Image Filtering
Mail URL Reputation
Mail URL Reputation DoS
DLP
Virus By either the McAfee or the Commtouch Command scanner
Option
Definition
Spam
Phish
Image Filtering
Virus
PUPs
Packers
Definition
Uptime
Displays the amount of time the appliance has been running since it was last started
Load Average
Processor
Memory
Displays:
Memory used includes used and buffered memory
Free memory includes free and cached memory
Displays:
Swap
Used Percentage used of swap (the area on the hard disk that is part of the
appliance's virtual memory which temporarily stores inactive memory pages if there
is insufficient physical memory available to do so.)
Rate A high swap-rate indicates the system is in some form of overload.
Disk Space
Displays the percentage of Inodes and disk space used for each partition
Information states
On the Hardware Summary portlet, there are the following status indicators available:
functioning normally
a warning threshold has been exceeded
a critical threshold has been exceeded
the service is not enabled.
Further descriptions of a red status indicator for external services are given in the definition table.
Option
Definition
Network
Interface
Cooling Device
Voltage
Memory
Fan
Module Board
Current
Cable Interconnect
Physical Security
Management subsystem
Power Supply
Any module that is not installed is categorized as Not Applicable. Any module that shows as
red or amber contains links to Troubleshoot | Tools | Hardware Status where you can get more
detailed information.
UPS
Option
Definition
Bridge
A red status indicates that McAfee Email Gateway is running in bridge mode, and is not
forwarding the network data.
RAID
Depending on the type of RAID controller and hard disk drives installed on your appliance
or blade server, the overall status of the RAID system is displayed:
In addition, where this information is reported to McAfee Email Gateway, the status of
each hard disk drive within the RAID array is reported. The possible statuses for these
drives are:
Definition
Connections
A top level counter which increments to show the total number of TCP connections
made to the SMTP port on the appliance
Throughput
A top level counter which increments to show the average throughput of data for all
TCP connections made to the SMTP port on the appliance
Kernel Mode
Blocking
A top level counter which increments to show the total number of SYN packets
blocked from an IP address that has triggered a Reject, close and deny (Block) action. The
GTI message reputation lookup feature is configured to perform this action by default
for the next ten minutes.
Within the Kernel Mode Blocking counter, you can also drill down to view information
about the number of Blocked Hosts.
The information given by the Kernel Mode Blocking counter is the number of blocked
packets for the currently selected time frame. The information given by the Blocked Hosts
counter is the number of hosts currently being blocked.
Information states
On the Services portlet, the following status indicators are available:
Functioning normally.
A warning threshold has been exceeded.
A critical threshold has been exceeded.
The service is not enabled.
Further descriptions of a red status indicator for external services are given in the definition table.
Option Definition
Updates
Anti-Virus Shows the anti-virus DAT and engine update status. Any older than three days
are shown in red.
If you have activated the additional Commtouch Command anti-virus engine, information
specific to this engine is also shown.
Anti-Spam Shows the anti-spam definition and engine update status. Any older than 30
minutes are shown in red.
Status
Configuration Shows any configuration alerts, such as the appliance operating as an open
relay.
FIPS 140-2 Compliance When installed in FIPS-compliant mode, shows the current FIPS
status for the McAfee Email Gateway. More detailed information on the FIPS status can be
found at Troubleshoot | Tools | FIPS Status.
SMTP Service Shows whether the SMTP service is functioning correctly.
POP3 Service Shows whether the POP3 service is functioning correctly.
Encryption Service Shows whether the encryption service is functioning correctly.
External
McAfee ePO Shows the state of the communication between Email Gateway and McAfee
ePolicy Orchestrator.
The following are reported:
Event Reports Events are regularly sent from the appliance to the ePolicy Orchestrator
server to be used to generate reports. If event files are not successfully uploaded,
this indicator turns red. (The default threshold is 25 files that failed to upload.)
Communication Attempts The appliance communicates with the ePolicy Orchestrator server
at regular intervals. Failures with these communication attempts are shown here.
Configuration Integrity The appliance checks that the configuration that has been pushed
by the ePolicy Orchestrator server does not contain any inconsistencies. Inconsistencies
could be a policy that refers to a Policy group or Directory service that might no longer
exist. The status is either Healthy, or Operational, but requires attention.
This issue can occur if incorrect ePolicy Orchestrator policies are assigned within the
ePolicy Orchestrator System tree.
Policy Enforcement Confirmation that the policy has been correctly enforced on the
appliance.
DLP DB Updates Confirmation that the Data Loss Prevention database has been correctly
updated.
MQM Shows the state of the communication between Email Gateway and McAfee
Quarantine Manager (MQM).
A red status indicates that communication between Email Gateway and MQM is broken.
GTI Message Reputation Shows the state of the communication between Email Gateway and
the McAfee Global Threat Intelligence (McAfee GTI) message reputation server.
A red status indicates that communication between Email Gateway and the McAfee
GTI message reputation server is broken.
GTI Feedback Shows the state of the communication between Email Gateway and the
McAfee GTI feedback server.
A red status indicates that communication between Email Gateway and the McAfee GTI
feedback server is broken.
GTI File Reputation Shows the state of the communication between Email Gateway and the
McAfee GTI file reputation server.
A red status indicates that a DNS query of a sample <Artemis> query did not respond
with the expected answer.
RBL Shows the state of the communication between Email Gateway and any RBL
(Real-time Blackhole List) servers that are configured.
A red status indicates that communication between Email Gateway and RBL servers is
broken, or gray status can indicate that there are no servers to monitor.
Syslog Shows the state of the communication between Email Gateway and any off-box
system log servers that are configured.
A red status indicates that communication between Email Gateway and the system log
servers is broken, or a gray status can indicate that there are no servers to monitor.
LDAP Shows the state of the communication between Email Gateway and any LDAP
servers that are configured.
A red status indicates that a test query did not respond with the expected response, or
gray status can indicate that there are no servers to monitor.
SNMP Shows whether the SNMP service is functioning correctly.
A red status indicates that the SNMPD agent is not running or functioning correctly.
DNS Shows the state of the communication between Email Gateway and any DNS
servers that are configured.
A red status indicates that communication between Email Gateway and the DNS servers is
broken, or gray status can indicate that there are no servers to monitor.
NTP Shows the state of the communication between Email Gateway and active NTP
(Network Time Protocol) servers that are configured.
A red status indicates that the time synchronization is not up to date with the active NTP
server.
Anti-spam cloud lookup Shows the state of the communication between Email Gateway and
the anti-spam cloud servers.
A red status indicates that communication between Email Gateway and the anti-spam
cloud servers is broken.
This section is available only on a cluster master appliance or management blade (on a blade
server).
Option
Definition
Displays the average throughput of the cluster, based on measurements taken every
few minutes. If the cluster has twice as many scanning appliances, its throughput
almost doubles too. Extra management activity consumes some of the processing
power.
Status
Scanning Device
Type
Name
State
Load
Active
Displays the number of active connections for each appliance. The row for the
cluster master shows the total for all appliances.
Connections
Displays the number of connections handled by each appliance since the counters
were last reset
Component version information
Displays the versions of anti-spam and anti-virus DAT files. The version numbers are
the same if the appliances are up-to-date. During updating, the values might be
different. To see more information, move the cursor over the text and wait for a
yellow box to appear.
Functioning normally.
Needs attention. This error is usually due to an issue with a specific scan request, rather than
general communication issues between the McAfee Email Gateway and McAfee Advanced Threat
Defense servers.
Needs immediate attention. This could be because authentication to the Advanced Threat Defense
server has failed, incorrect credentials have been entered or other communication errors between
the McAfee Email Gateway and McAfee Advanced Threat Defense servers have occurred.
Definition
<McAfee Advanced Threat Defense server name> Each of your configured McAfee Advanced Threat Defense
servers are listed.
Definition
View Message
Queue and
Reports
Search the Message Queue Search for messages blocked, bounced, delivered,
quarantined, and queued by sender, recipient, and subject.
View Favorite Reports Display your most popular email reports in a variety of view
types.
Manage Scheduled Reports Create schedules for available report documents, such as
email activity.
Create Policy
Manage Policy (SMTP) Go to the Email Policies settings for the SMTP protocol where you
can create and edit policies for anti-virus and anti-spam protection, and compliance
settings.
Manage Policy (POP3) Go to the Email Policies settings for the POP3 protocol where you
can create and edit policies for anti-virus and anti-spam protection, and compliance
settings.
Manage Compliance Dictionaries Choose from a library of predefined rules, or create your
own rules and dictionaries specific to your organization. Compliance rules can vary in
complexity from a straightforward trigger when an individual term within a dictionary
is detected, to building on and combining score-based dictionaries which will only
trigger when a certain threshold is reached. Using the advanced features of
compliance rules, dictionaries can be combined using logical operations.
Register DLP Documents Restrict the flow of sensitive information sent by email
through the appliance. For example, block the transmission of a sensitive document
such as a financial report that is to be sent outside of your organization.
Configure Mail
Protocol
Configure Email Relay Domains Build a list of IP addresses, networks, and users who
can, or cannot connect to the appliance.
Configure Domain Routing Set up the network hosts that you want the appliance to use
to route mail traffic to specific domains.
Configure Encryption Enable the appliance to use supported encryption methods to
securely deliver your email messages.
Manage Certificates Use digitally signed certificates for tasks such as securely
transferring email using TLS, or using S/MIME certificates.
Configure
Network
Manage Network Settings View and edit basic settings for the appliance such as its
domain name, and the network interfaces settings.
Manage a Cluster Specify the appliance's load balancing requirements when it acts as
part of a cluster.
Manage Virtual Hosting Specify the addresses where the appliance receives or
intercepts mail traffic on the Inbound Address Pool.
Option
Definition
Configure
System
Troubleshoot
Generate a Minimum Escalation Reports Create a report that contains the minimum
information needed by support to help them diagnose a problem with the appliance.
Run System Tests Perform a series of tests on the appliance to ensure that key areas
are functioning correctly.
Back up and Restore Configuration Configure the appliance to back up the configuration,
or create a backup schedule, and restore the configuration if necessary.
Click the status indicator (the red, yellow or green circle) for the area on which to set the
threshold.
The parameter name is replaced as shown:
When the values for the dashboard information reach the new threshold, the status indicator
changes to the appropriate color and an event is logged.
Events will not be logged until after the thresholds have been saved, the next Dashboard refresh has
taken place and the threshold has been hit or exceeded.
Task
1 Click the status icon beside the area to have thresholds set.
The parameter name is replaced as shown:
When the values for the dashboard information reach the new threshold, the status indicator
changes to the appropriate color and an event is logged.
Events will not be logged until after the thresholds have been saved, the next Dashboard refresh has
taken place and the threshold has been hit or exceeded.
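The status indicators and threshold rules described in the portlet tables and the two threshold tasks above, as an added example (not McAfee code): warning and critical thresholds on the System Summary parameters the guide lists, the Services update-age limits (anti-virus older than three days, anti-spam older than 30 minutes) and the ePO failed-upload default of 25, with events logged only once a saved threshold is hit at a refresh. Threshold values and readings are constructed; treating 25 failed uploads as "at the limit" and logging one event per crossing are assumptions.

```python
"""Added example (not McAfee code): evaluating Dashboard status indicators and
user-defined warning/critical thresholds. Colours: green = functioning normally,
amber = warning threshold exceeded, red = critical threshold exceeded,
gray = service not enabled. Thresholds, readings and ages are constructed."""
from dataclasses import dataclass, field
from datetime import timedelta

GREEN, AMBER, RED, GRAY = "green", "amber", "red", "gray"

# Limits taken from the Services portlet description: anti-virus DAT/engine
# older than three days and anti-spam definitions older than 30 minutes are
# shown in red; the ePO event-upload failure default threshold is 25 files.
ANTI_VIRUS_MAX_AGE = timedelta(days=3)
ANTI_SPAM_MAX_AGE = timedelta(minutes=30)
EPO_FAILED_UPLOADS_DEFAULT = 25


@dataclass(frozen=True)
class Threshold:
    warning: float
    critical: float
    saved: bool = True   # thresholds only take effect once saved in the UI


def indicator_for_value(value, threshold, enabled=True):
    """Colour of a System Summary indicator such as Swap | Used."""
    if not enabled:
        return GRAY
    if value >= threshold.critical:
        return RED
    if value >= threshold.warning:
        return AMBER
    return GREEN


def update_indicator(age, max_age):
    """Colour of an Updates indicator: red once the definitions are older than the limit."""
    return RED if age > max_age else GREEN


def epo_event_indicator(failed_uploads, limit=EPO_FAILED_UPLOADS_DEFAULT):
    """Colour of the ePO Event Reports indicator (red at the limit is an assumption)."""
    return RED if failed_uploads >= limit else GREEN


@dataclass
class Dashboard:
    """Tracks indicator colours across refreshes and logs threshold events."""
    thresholds: dict
    colours: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def refresh(self, readings):
        """Re-evaluate every reading; log an event when a saved threshold is hit or exceeded.

        An event needs a saved threshold and a refresh, as the guide states;
        logging once per crossing (not on every refresh) is an assumption."""
        for name, value in readings.items():
            threshold = self.thresholds[name]
            colour = indicator_for_value(value, threshold)
            crossed = colour in (AMBER, RED) and self.colours.get(name) != colour
            if threshold.saved and crossed:
                self.events.append((name, colour, value))
            self.colours[name] = colour
        return dict(self.colours)


# Constructed thresholds for the System Summary parameters the guide lists.
CONSTRUCTED_THRESHOLDS = {
    "Swap | Used": Threshold(warning=60, critical=85),
    "Disk Space | /deferred | Inodes used": Threshold(warning=70, critical=90),
    "Disk Space | /deferred | Disk used": Threshold(warning=75, critical=90, saved=False),
}


def constructed_run():
    """Two refreshes over constructed readings; returns (colours, events)."""
    board = Dashboard(CONSTRUCTED_THRESHOLDS)
    board.refresh({"Swap | Used": 40,
                   "Disk Space | /deferred | Inodes used": 72,
                   "Disk Space | /deferred | Disk used": 95})
    colours = board.refresh({"Swap | Used": 88,
                             "Disk Space | /deferred | Inodes used": 72,
                             "Disk Space | /deferred | Disk used": 95})
    return colours, list(board.events)


if __name__ == "__main__":
    final_colours, logged = constructed_run()
    print(final_colours)
    print(logged)
```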
This topic provides an overview of the features within Email Gateway that relate to reporting the
activities of the appliance.
Reports
Contents
Types of reports
Message Search overview
Option definitions Blacklist/whitelist URLs
Scheduled Reports
Scheduled Reports New Report dialog box
Scheduled Reports Edit Report dialog box
Email Reports
System Reports
Types of reports
You can generate reports either on your appliance, your ePolicy Orchestrator server, or externally.
Reports
Use the external methods to keep the reported events over a longer period of time than that offered
by the reporting options on the appliance itself. Use features available from System | Logging, Alerting and
SNMP, or McAfee ePolicy Orchestrator to send data to generate reports externally.
Table 3-1 External reporting options
System log: System | Logging, Alerting and SNMP. Supports the common event formats for Splunk and ArcSight.
SNMP: System | Logging, Alerting and SNMP. Supports the SNMP Alert Settings and SNMP Monitor Settings options. The MIB file can be downloaded from the Resources tab available from the appliance's toolbar.
Email Alerting: System | Logging, Alerting and SNMP | Email Alerting. You can configure Email Alerting to alert specified people about different events that occur on your appliance.
McAfee ePolicy Orchestrator: System | Logging, Alerting and SNMP. Generates reports about Uniform Resource Locator (URL) filtering activities. See the McAfee Web Reporter Product Guide, available from the McAfee download site.
Use the appliance Dashboard to see high-level event statistics. Use the options in Reports to produce
regular and real-time reports on the following types of events on the appliance.
Table 3-2 Reporting options on the appliance
Scheduled reports (Reports): Set up regular activity overview (by protocol, threat type, and detection), email detections, web detections, and system event reports and send them to other administrators.
Email reports (Reports): Create and view information about threats detected in the email passing through your appliance, and the subsequent actions taken by the appliance.
System reports (Reports): Create and view information about threat detection updates, and system events.
Contents
Benefits of using Message Search
Message Search parameters
Message Search results
Message Search icons
Task: Identify quarantined email messages
Task: Find out which email messages are queued
Task: Find out which email messages are being blocked
Task: Find the emails that were successfully delivered
Task: A user has requested that I release one of their quarantined email messages
A common request from users is "What happened to the email message I sent yesterday?", or "My
supplier emailed me on Monday, why haven't I received his message yet?"
From a single location within the user interface, Message Search allows you to confirm the status of
email messages that have passed through the appliance. It provides you with information about the
email, including:
Was it delivered?
Was it blocked?
Does the message contain attachments? If so, what are the file names?
If an archive attachment includes non-English filenames that do not display correctly within Message
Search, change the Default decode character set options from Email | Email Policies | Policy Options | Content handling |
Email Options | Advanced Options.
You can use a wide range of different criteria to search on, including:
Source IP
Email disposition
Category
Date range
Audit ID
If you have configured Sender address masquerading or Recipient address aliasing, Message Search shows the
masqueraded or aliased email addresses.
Message status: You can choose to search All email messages. If you suspect that a message is in a certain state, you can also search only for messages that are:
Advanced Threat Defense. Message Search only reports Advanced Threat Defense messages that are either pending or being scanned by the Advanced Threat Defense servers. As soon as scanning is complete, the messages are shown within the section relevant to the scan results.
Blocked
Bounced
Delivered
Quarantined. This includes quarantined items that have pending release requests.
Queued
You can multi-select to search for messages in more than one status.
Sender, Recipient, Subject: You can search for emails containing particular sender, recipient, or subject text.
The appliance can modify the subject of some emails, typically by adding a [spam] or [phish] prefix to the subject line. However, the subject displayed on the Message Search page is the original subject line of the email message before the appliance makes any changes.
You can use the * and ? wildcard characters in your searches.
To search for a literal *, ?, or \ character within these fields, use the backslash (\) character before the search term. For example, use \* to search for the asterisk character.
Category: When you search on Blocked or Quarantined items, you can further refine your search by selecting the Category that the appliance used to block or quarantine the message.
When viewing messages that have been Blocked, the following Category options are available:
Anti-Phish
Anti-Spam
Anti-Virus
If you have enabled the additional Commtouch Command anti-virus engine, you
will see anti-virus detections listed by detection engine.
Anti-Virus (Packer)
Anti-Virus (PUP)
Advanced Threat Defense
Compliance
Corrupt Content
Data Loss Prevention
Encrypted Content
File Filtering
Mail Filtering
Mail Size
Signed Content
Directory Harvesting
Image Filtering
URL Reputation
Denial of Service
Unscannable Content
Sender Authentication Threshold
DKIM
SenderID
Message reputation
For messages that were Quarantined by the appliance, the following Category
options are available:
Anti-Phish
Anti-Spam
Anti-Virus
If you have enabled the additional Commtouch Command anti-virus engine, you
will see anti-virus detections listed by detection engine.
Anti-Virus (Packer)
Anti-Virus (PUP)
Advanced Threat Defense
Compliance
Corrupt Content
Data Loss Prevention
Encrypted Content
File Filtering
Mail Filtering
Mail Size
Signed Content
Directory Harvesting
Image Filtering
URL Reputation
Denial of Service
Unscannable Content
Sender Authentication Threshold
DKIM
SenderID
Message reputation
You can multi-select to search for messages in more than one category. See
Quarantine Options to find out how the categories relate to those reported in McAfee
Quarantine Manager.
Quarantined to: For messages that were quarantined, you can search all quarantine queues, or select one or more from the list of configured queues. The queues are:
Viruses
Other
PUPs
Phish
Compliance
Spam
A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total
quarantined messages.
Date range: You can search on All Dates, or you can specify a Date Range, using From and To dates and times.
Audit ID: This audit ID information can be used to track the message as it passes through the appliance.
Source IP: This is the source IP address of the originating email server. If your appliance is configured behind one or more Mail Transfer Agents (MTAs), the email headers are used to obtain the correct source IP address.
If you know the IP address that is sending email messages to you, you can search using this address.
You can use either a single address (for example, 192.168.0.1) or a network address/netmask (for example, 192.168.0.0/255.255.255.0).
Disposition: Allows you to select All, or One or more of Inbound, Outbound and Internal messages in your search.
Type: When dealing with quarantined email messages, this allows you to search for all messages, for the original email messages, or for messages that have been modified by the appliance. It also allows you to search for messages whose release has been requested by your users.
Virtual host: If you have enabled the use of virtual hosts on your appliance, you can track or view email messages that are processed by an individual virtual host on the appliance. To do this, select the relevant host name from the Virtual host drop-down list.
Attachment (only visible when Attachment identification is enabled): To find specific attachments within email messages, enter a full or partial attachment name. You can also use wildcard characters.
View recipients: Clicking on any of the highlighted links in the View recipients area shows you either All messages, or a list of recipients and the number of items against each recipient beginning with the selected character. For example, it might show that one recipient currently has four queued messages, one quarantined message and three delivered messages.
By clicking on a particular recipient, you can then view all relevant items for that recipient.
To revert to the total view of messages, click Close.
Search/Refresh: Click to search the appliance for email messages that match your search parameters, or to refresh the list if you have changed any of the parameters.
Clear Parameters
Options: After you search for your required email types, you can perform actions based on the type of message. These actions include:
Delete selected.
Release selected: Only available if all selected messages are quarantined "on-the-box," and do not contain viral content.
Retry selected.
Forward selected: Only available if all selected messages are either queued or quarantined.
Find related.
Submit false positive: Submit the selected messages to McAfee for analysis, to help reduce false positive detections.
Submit unscannable content.
Delete all.
Blacklist / whitelist URLs: Enables you to extract URLs from within the scan log, and to add these URLs to either the blacklist or whitelist.
Cancel ATD scan: Allows the appliance to proceed with processing the email without waiting for scan results from the McAfee Advanced Threat Defense server. This action does not stop the Advanced Threat Defense server from completing the scan.
If you configured your appliance to perform off-box quarantining using McAfee Quarantine Manager, you cannot make release requests from within Message Search.
Real-Time retry: To retry the delivery of a queued item and to then show the results of the SMTP conversation with the target MTA, click Real-Time Retry. You can only use Real-Time Retry by selecting a single queued message.
Download ATD Report: When using Advanced Threat Defense, click Download ATD Report to save and view the report from the Advanced Threat Defense server that scanned the selected message.
View Message: If the message is still available to the appliance, you can view the selected message. For example, if the email message has been queued or quarantined on the appliance.
From within the message view, you can:
Delete the message from the appliance.
Release the message from the appliance (quarantined messages only).
Retry delivery of the message from the appliance (queued messages only).
Forward the message to another email address.
Download the message to your local file system in .eml format.
You can also use Show headers to view the information contained within the email header.
View Conversation Log: You can view conversation details of email messages through the different stages of the SMTP conversation.
SMTP conversation logging must be enabled on your appliance (from Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) | SMTP conversation logging).
Select an email message and click View Conversation Log to see the conversation details for the selected message.
Download Messages: Downloads the selected queued or quarantined messages to your local file system. If you select a single message, an .eml file is downloaded. If you select multiple messages, a .zip file containing individual .eml files is downloaded.
Show Report: View information about the selected email message.
Hide and show columns: You can hide and show columns in the Message Search results area.
Export
Maintenance options: Click to go to the Database Maintenance area, where you can define the number of items identified using Message Search that is retained in the database.
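The Message Search parameters described above (the * and ? wildcards with backslash escaping, a Source IP given as a single address or as address/netmask, multi-select Message status and Quarantined to, and the note that per-queue counts need not sum to the total number of quarantined messages) can be exercised on constructed data. The Python below is an added example for readers of this guide, not the appliance's own code: the Message record, its field names, the sample messages and the rule that a text pattern matches anywhere within a field are all assumptions made for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field


# Constructed message record for the example. The field names are an
# assumption for this illustration, not the appliance's database schema.
@dataclass(frozen=True)
class Message:
    audit_id: str
    sender: str
    recipient: str
    subject: str        # original subject, before any [spam]/[phish] prefix
    status: str         # Blocked, Bounced, Delivered, Quarantined or Queued
    source_ip: str
    queues: frozenset = field(default_factory=frozenset)  # quarantine queues


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate the documented search syntax into a regular expression.

    '*' matches any run of characters, '?' matches exactly one character, and
    a backslash before '*', '?' or '\\' makes that character literal.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            parts.append(re.escape(pattern[i + 1]))   # escaped: match literally
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def ip_matches(source_ip: str, criterion: str) -> bool:
    """Accept a single address (192.168.0.1) or address/netmask (192.168.0.0/255.255.255.0)."""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(criterion, strict=False)


def search(messages, *, sender="*", recipient="*", subject="*",
           statuses=None, queues=None, source_ip=None):
    """Apply the Message Search parameters; text patterns match anywhere in the field."""
    s_re, r_re, j_re = (wildcard_to_regex(p) for p in (sender, recipient, subject))
    hits = []
    for m in messages:
        if statuses and m.status not in statuses:            # multi-select status
            continue
        if queues and not (m.queues & frozenset(queues)):     # Quarantined to
            continue
        if source_ip and not ip_matches(m.source_ip, source_ip):
            continue
        if not (s_re.search(m.sender) and r_re.search(m.recipient)
                and j_re.search(m.subject)):
            continue
        hits.append(m)
    return hits


def count_by_queue(messages) -> dict:
    """Per-queue counts: a message quarantined to two queues is counted in both."""
    counts = {}
    for m in messages:
        if m.status == "Quarantined":
            for q in sorted(m.queues):
                counts[q] = counts.get(q, 0) + 1
    return counts


def total_quarantined(messages) -> int:
    """Distinct quarantined messages, which is what the queue sum over-counts."""
    return sum(1 for m in messages if m.status == "Quarantined")


# Constructed sample data (not real mail); 192.168.0.x matches the guide's example range.
SAMPLE = [
    Message("A1", "rep1@example.com", "buyer@corp.example", "Revolutionary new product",
            "Quarantined", "192.168.0.10", frozenset({"Spam"})),
    Message("A2", "rep1@example.com", "buyer@corp.example", "Amazing offer *limited*",
            "Quarantined", "192.168.0.11", frozenset({"Spam", "Compliance"})),
    Message("A3", "news@example.org", "buyer@corp.example", "Weekly digest",
            "Delivered", "10.0.0.5"),
    Message("A4", "unknown@example.net", "ceo@corp.example", "Invoice",
            "Blocked", "203.0.113.7"),
]

if __name__ == "__main__":
    for m in search(SAMPLE, sender="rep?@example.com", statuses={"Quarantined"}):
        print(m.audit_id, m.subject)
    print(count_by_queue(SAMPLE), "vs total quarantined", total_quarantined(SAMPLE))
```

Searching the subject for `\*` returns only the message whose original subject contains an asterisk, while `*` alone returns every message; the `192.168.0.0/255.255.255.0` criterion selects both sender addresses in that subnet; and `count_by_queue` reports three queue entries for two quarantined messages, because the second message sits in both the Spam and Compliance queues.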
Checkbox: Select the checkbox next to a particular message to enable actions you can take regarding that message. The checkbox in the header row enables or disables all messages in the list.
Date: Displays the date and time Email Gateway received the message.
Sender
Recipient
Subject
Policy
Status/Category
Quarantined to
Attachments: When attachment detection is enabled, shows information in a tree form about the attachments. The information includes file name and file type, and can also include archive data.
Email Gateway cannot obtain attachment information from the following file types:
CAB files
BZIP-compressed files
Password-protected files
Encrypted files
Source IP
Properties
Size
Email message was scanned by Advanced Threat Defense, and scanning has completed.
Access to the quarantined email message is restricted. You do not have sufficient privileges
to view or download the message, or perform any actions (delete, release, forward) on the
message.
Click Search/Refresh.
All messages that have been quarantined are displayed in the lower part of the page.
Complete the steps in Task Find out which email messages are quarantined.
Click Search/Refresh.
The lower part of the screen is refreshed to show only the messages that have been quarantined due
to compliance issues.
Select the relevant quarantined message using the checkbox to the left of the page.
The selected message is displayed in a new window. From this window, you can view the content of
the email message. You can also choose to view the detailed email header information. After you have
viewed the message, by clicking the relevant buttons, you can choose further actions to perform on
the email message.
By investigating samples of genuine email messages that have been incorrectly detected as either
spam or phishing email messages (false positive detections), McAfee can improve the accuracy of the
spam and phishing message detections.
Task
1
Click Search/Refresh.
Select the email messages that have been incorrectly identified as either spam or phishing
messages.
Click Go.
The selected incorrectly-identified spam or phishing messages are submitted to a secure McAfee site
where they can be analyzed and the results used to improve spam and phishing email message
detections.
Click Search/Refresh.
All messages that have been queued are displayed in the lower part of the page.
Task Find out which email messages are queued for inbound delivery
Use this task to refine your search for messages queued for inbound delivery.
You can further refine your search for queued email messages to show only those messages that have
been queued for inbound or outbound delivery. To view the queued messages awaiting inbound
delivery:
Task
1
Complete the steps in Task Find out which email messages are queued.
Click Search/Refresh.
All messages that have been queued for inbound delivery are displayed in the lower part of the page.
Complete the steps in Task Find out which email messages are queued for inbound delivery.
Select the relevant queued messages using the check-boxes to the left of the page.
For a single message, click View Message, and then select the Retry button.
To retry the sending of the messages and then see the results within the page, click Real-Time
Retry.
Click Search/Refresh.
All messages that have been blocked are displayed in the lower part of the page. Email messages can
be blocked for a variety of reasons, and the table showing all blocked messages includes the reason
that each message was blocked within the Status/Category column.
Click Search/Refresh.
All messages that have been successfully delivered by the appliance are listed in the lower part of the
page.
Click Search/Refresh.
If you are happy that the selected message is safe to release, select Release selected from the Options
drop-down list.
Click Go.
In the Dashboard | Email Queues area, you can see how many quarantine release requests have been made
by your users. Clicking the link on this page opens the Message Search page, and auto-populates the fields
required to release these messages.
The report displays. The format is essentially the same as the Message Search results table, with a
few differences:
The time displays both as seconds for sorting, and as a human-readable local time string.
The Properties column shows as three columns: Disposition, Type, and Encryption Type.
Task
1
Navigate to the Message Search window. You can navigate using Reports | Message search, or using the
Task portlet on the Dashboard ( Dashboard | Tasks | Message Search & Reports | Search the Message Queue).
The Message Search window opens.
Use the Attachments column to identify messages containing the relevant attachment.
You can also search for specific attachment names by using the Attachment field. This field accepts
either complete attachment names or partial names with wildcard characters.
Use the available controls to take appropriate actions on the selected messages.
The sales representative named Rep1, representing Example Corporation, sent the message. We
don't know the first name.
The message should have arrived during the last week of last month (February 23, 2015 through
February 27, 2015), probably on February 25, 2015.
The message included a PDF attachment, the information sheet about the new product.
The message might include words like "Revolutionary" or "Amazing" in the subject line.
For Message Status, select One or more of, then select Quarantined.
Since the message was not delivered, it might be quarantined or blocked.
For Category, select One or more of, then select Anti-Spam, File Filtering, and Mail Filtering.
You suspect one of these three categories includes the message.
For Quarantined to, select One or more of, then select Spam.
Select Date Range, then select February 23, 2015 and February 27, 2015 from the calendars as the From and To dates.
ZIP (*.zip)
TAR (*.tar)
RAR (*.rar)
7-ZIP (*.7z)
CAB (*.cab)
Password-protected files
Encrypted files
Solution: Identifying file names in archive attachments permits you to conduct the required search. Configure Attachment Identification and include identification of archive contents by typing payload.exe in the Attachment data field. Then click Search/Refresh to conduct a message search.
Select Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) | Basic SMTP settings.
The Connection Settings (SMTP) window opens.
Scroll down the page to the Attachment Identification section. Click the expansion icon to reveal the
configuration parameters.
Select the Enable attachment identification checkbox and configure a limit for the Maximum number of
attachments scanned per message.
Enter a number: If you encounter issues due to large numbers of attachments, deselect the No limit checkbox. Enter a limit for the number of attachments to identify.
No limit: Selected by default. All attachments are identified and searchable in Message Search.
4
Select the Enable identification of archive contents checkbox and configure a limit for the Maximum nesting depth per message.
Enter a number: By default, the appliance identifies attachments in nested archives up to five levels deep. If you encounter issues with attachments due to layers of nesting, reduce this number.
No limit: All attachments are identified with no limit on the number of layers of nesting.
5
Click the green checkmark in the menu bar to save your changes.
Navigate to the Message Search window. You can navigate using Reports | Message search, or using the
Task portlet on the Dashboard.
The Message Search window opens.
Select or add the search parameters you want, including Attachment information, such as the archive,
attachment, and file name.
The Attachment field accepts either complete attachment names or partial names with wildcard
characters.
Use the available controls to take appropriate actions on the selected messages.
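To see what the Maximum nesting depth limit means for a search like the payload.exe one in this task, here is an added Python example, not Email Gateway code, that lists the names inside a constructed zip-in-zip attachment, descends into a nested archive only while its depth is within the limit, and then applies an Attachment-field style wildcard to the names it found. It handles only ZIP archives; the depth counting rule (the attachment itself is depth 1), the helper names and the sample archive are assumptions of this example, and it does not attempt CAB, BZIP or password-protected content, which the guide says cannot be identified.

```python
import fnmatch
import io
import zipfile


def build_nested_zip(depth: int, innermost_name: str = "payload.exe") -> bytes:
    """Constructed sample attachment: `depth` zip archives nested one inside the
    other, with a single file at the bottom. The archive at nesting depth d
    (d >= 2) is named innerd.zip; the outermost archive is the attachment itself
    (depth 1). Not real mail data."""
    data = b"MZ placeholder bytes: constructed sample, not a real executable"
    name = innermost_name
    for d in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"inner{d}.zip"
    return data


def identify_archive_contents(blob: bytes, max_depth: int, depth: int = 1, prefix: str = ""):
    """List member names of a zip attachment, descending into nested zips while
    the nested archive's depth is within max_depth (modelled on the Maximum
    nesting depth setting; the exact counting rule is an assumption here).

    Returns (identified, not_descended): every name seen, and the members whose
    contents were not opened (nesting limit reached, or encrypted member).
    """
    identified, not_descended = [], []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            identified.append(path)                 # the name itself is always visible
            try:
                member = zf.read(info)              # RuntimeError: encrypted member
            except RuntimeError:
                not_descended.append(path)
                continue
            if not zipfile.is_zipfile(io.BytesIO(member)):
                continue                            # plain file, nothing to open
            if depth < max_depth:
                sub_ident, sub_skip = identify_archive_contents(
                    member, max_depth, depth + 1, path + "/")
                identified.extend(sub_ident)
                not_descended.extend(sub_skip)
            else:
                not_descended.append(path)          # nesting limit reached
    return identified, not_descended


def attachment_search(blob: bytes, pattern: str, max_depth: int) -> list:
    """Full nested paths whose file name matches an Attachment-field pattern
    (* and ? wildcards), compared case-insensitively."""
    identified, _ = identify_archive_contents(blob, max_depth)
    return [p for p in identified
            if fnmatch.fnmatchcase(p.rsplit("/", 1)[-1].lower(), pattern.lower())]


if __name__ == "__main__":
    blob = build_nested_zip(3)
    for limit in (5, 2):
        found, skipped = identify_archive_contents(blob, limit)
        print(f"max depth {limit}: identified={found} not_descended={skipped}")
        print("  payload* hits:", attachment_search(blob, "payload*", limit))
```

With the guide's default of five levels, the three-deep sample exposes `payload.exe`; with the limit lowered to two, the innermost archive is listed by name but not opened, so the same search returns nothing. That is the trade-off the task describes: a lower nesting limit avoids problems with deeply nested attachments at the cost of names the search can no longer see.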
URLs found: Lists the unique URLs found within the scan log. Information from the scan log, and the available action options, are shown:
URL Pattern
Score
Action to be taken. The available actions are: Ignore, Blacklist, Whitelist.
Parse options: Choose between using Simple pattern or Regular expression to match the URLs. Also, choose if the matches are case-sensitive.
You can add the discovered URLs to the blacklists or whitelists for one or more of the available policies where URL reputation has been enabled.
Scheduled Reports
Use this page to see a list of the available reports about threats that the appliance has detected.
Overview: Lists the number of detections by protocol and type of threat, and provides details about the types of detection made per protocol.
Email security summary (inbound) shows the percent and number of messages to internal
users that were delivered or blocked because a threat was detected.
Email security summary (outbound) shows the percent and number of messages to external
users that were delivered or blocked because a threat was detected.
Email traffic flow provides information relating to the flow of messages into and out of
the organization.
Email security trend.
Email volume trends (inbound and outbound) provides information relating to the amount of
messages coming into and going out of the organization.
Email size trends (inbound and outbound) provides information relating to the size of the
messages coming into and going out of the organization.
Average number of emails displays the average number of messages sent into or out of
the organization for one or more days.
Users activity lists internal or external users who send or receive the most blocked or
monitored messages.
Top detections lists top viruses, potentially unwanted programs, spam or phish
detections, and sender authentication failures.
Favorite: Click Edit to choose from a list of pre-defined report types for email and system reports, and to optionally send the report to other people in your organization daily, weekly, or monthly. Any new favorite reports that you created in the Email Interactive Reports section are available from here, too.
Dashboard
Inbound Mail: Lists all inbound mail activity, broken out into various categories, such as plain text, encryption method used, information about messages quarantined, bounced, queued and blocked, detection types triggered and information about the senders, connections and email recipients.
Outbound Mail: Lists all outbound mail activity, broken out into various categories, such as plain text, encryption method used, information about messages quarantined, bounced, queued and blocked, detection types triggered and information about the senders, connections and email recipients.
Services
SMTP
Detections
Shows network connections, kernel mode blocking statistics and total throughput.
System Summary
Hardware Summary: Shows information about your hardware, including information about the mode of operation, the network interfaces, information relating to the hardware modules, RAID and UPS status.
Clustering
Attachment Profiling: The report includes information about the number of attachments sent to ATD if it is enabled, or that would be sent if ATD were enabled. Administrators can use this data to assess deployment of ATD servers.
Name: Displays the name of the report. By default, the list includes some standard reports, which you cannot delete.
The icon indicates the type of content in that report:
Overview, such as numbers of overall detections.
Email activity
System activity such as disk usage.
A choice of popular reports.
Description: Displays the title that appears on the first page of the report, the scheduling information, and a list of the recipients.
Download: When clicked, generates the report, then allows you to download it for viewing in a browser or saving as a file.
Email Now: When clicked, generates the report, then immediately sends it to the recipients. Any regular schedule is not affected.
If the icon is disabled, the schedule has not been set. Double-click the icon, then specify the details under Delivery Schedule.
New report: When clicked, lets you create a new report, which is an exact copy of an existing report. A dialog box prompts you for further information:
Report name, which appears under the Name column on this page.
Report title, which appears at the top of the report.
When you click OK, you return to the main page. There you can select the new report, click the icon under Edit, and design your own report.
Edit: When the icon is clicked, enables you to change the schedule, content, format and delivery information of the selected report.
Delete: When the icon is clicked, deletes the selected report.
From the list of report types, select Overview, and click Edit.
In the Edit Report dialog box, set the Reporting period to 1 week.
From the list of report types, select Email, and click Edit.
Set the Report sent option to Weekly and choose Monday from the drop-down menu.
From the list of report types, select Favorite, and click Edit.
In Report content, select the information that you want to appear in the .csv formatted file. For
example, select Email reports and Top Spam Senders (last 24h).
In Advanced options, select CSV as the Document format. Configure other options to suit your
requirements.
Click Download.
From the list of report types, select Favorite, and click Edit.
Name: Type a name for the new report that you are creating.
Title: Use the Title field to enter a descriptive title for the new report.
Use template: Select the template that you want to use as the basis of the new report.
Report sent, At: Use Daily, Weekly, Monthly and At to specify how often, and at what time, you want the scheduled report to be delivered.
Reporting period: Select the time period that you want covered by the report.
(Attachment Profiling only) Select the checkbox to choose the preconfigured options or to set the beginning and ending dates for the reporting period.
For Period, the available options are: Today (default option), Previous day, 1 week, 2 weeks, 1 month.
For Date, click the calendar icons for From and To, and select the dates you want to include.
If the mail database is empty, only the current date is available.
Granularity (Attachment Profiling only): From the drop-down list, select the time period to include in each line of the report. Options are: 1 hour, 3 hours, 6 hours, 12 hours, 1 day, 7 days.
Sender address: Select to use the postmaster address as the sending address for the scheduled reports.
Recipients: The list of email addresses to which the scheduled reports are to be sent. Click New Recipient to specify new addresses.
Title: Specify the title for the scheduled report you are creating.
Include these reports: Select the information to be included in the scheduled report. The available options change depending on the type of report (Overview, Email, or System report).
Header: Enter text that you want displayed in the header of the report.
Footer: Enter text that you want displayed in the footer of the report.
Document format
Paper size
Character set
Message subject: Enter the subject line that you want to appear on the email containing the scheduled report.
Enter the body text for the email message containing the scheduled report.
Select this option to ensure that each scheduled report has a unique file name.
Maximum number of items in a list: Specify the maximum number of items that you want to appear in each list.
Email Reports
Use this page to create and view real-time reports about threats detected in the email passing through
your Email Gateway, and the subsequent actions taken by the appliance.
Total view
Time view
Itemized view
Detail view
Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See
Report types.
Filter enables you to further define the data in each Favorite report using standard and advanced
filter settings, and set the period of time for which you want to retrieve data. See Filter types.
Additionally, use the Email Reports feature with the Scheduled Reports feature to create regular
reports, and send them immediately to other people, or at regular intervals.
You can compile a list of, for example, blocked email messages using the Message Search feature
(Reports | Message search). Message Search cannot locate messages if the appliance has not received the
message body, such as messages blocked by the Real-time Blackhole Lists (RBLs). In this situation, use
the Email Reports feature to find out about an individual message.
Email Overview: Displays results in Total view by default. Results show the number of legitimate, monitored, modified, rerouted, or blocked messages processed over the previous day.
Email Profile: Displays results in Itemized view by default. Results show the number of items detected for each filter selection over the previous week.
Top Spam Senders: Displays results in Itemized view by default. Results are filtered using the Spam/Phish category by default, and show the spam or phish (or both) messages by sender over the previous 24 hours.
Top Viruses: Displays results in Itemized view by default. Results are filtered using the Viruses category by default, and show the viruses detected over the previous week, or results for a specific threat that you specify.
Legitimate: Displays results in Time view by default. Results show the number of messages categorized as Legitimate (that is, delivered with no detection or modification) for all threat categories over the previous 24 hours.
Monitored: Displays results in Time view by default. Results show the number of messages for all threat categories over the previous 24 hours that triggered an event log but were delivered with no modification.
Modified: Displays results in Time view by default. Results show the number of modified messages (for example, cleaned or replaced with an alert message) for all threat categories over the previous 24 hours.
Rerouted: Displays results in Time view by default. Results show the number of messages routed to another server (for example, an encryption server) for all threat categories over the previous 24 hours.
Blocked: Displays results in Time view by default. Results show the number of inbound or outbound messages stopped by the appliance for all threat categories over the previous 24 hours.
Total view
Action: Displays the list of actions taken by the appliance's policies against each email message or web access.
Number of email messages: Displays the number of email messages or web accesses where this action was applied.
Time view
For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).
Start: Displays the start of the period, such as on the hour.
Legitimate to Blocked: Displays the numbers of email messages or web accesses corresponding to each action in that period. If Action is not set to All, most columns have values of 0.
Type of Definition
View
Itemized
view
Pie chart Displays the percentage of all email or web accesses that match the criteria
selected in the Filter tab.
The orange portion of the pie shows the portion of the data that matches the criteria. The
green portion shows the remainder. If no filtering is set, the whole pie appears orange.
Filter criteria Displays the list of categories taken against the email message or web
access. Click any blue link for more information represented as a bar chart.
To return to the pie chart, click List all criteria. To examine the information further, click any
blue links.
As you click each link, values in the Filter tab are updated. Click Apply to display the pie
chart again.
Number of distinct criteria items within the selection Displays the number of email messages or
web accesses where each criteria applies.
Detail view
Date and other headings Displays the details of each email message or web access.
To see all columns, move the horizontal scroll bar.
To sort the data in any column, click the column heading. The most recently sorted
column is indicated by a red arrow in the column heading.
Data Click the blue link to see further information about an email message in a table
or as raw data (that is, in an XML-like format).
To move through the list or to move quickly to either end of the list, click the arrows at
the bottom right of the list.
Each report allows you to filter the results by standard and advanced criteria. For example, you can
see information about viruses from all sources in the last month. Make your selections, then click
Apply. The new report might take a while to appear. You can save these selections to produce a similar
report at any time, or clear the selections you made.
Table 3-10 Option definitions: Email Reports filter options
Option
Definition
Period and Ending
Displays information for a period from one hour to one month, based on the selected
start date.
When clicked, the Previous and Next buttons adjust the From date, for example, moving it
to next week or the previous day.
Protocol
Traffic
Sender
To view information about all senders' names that begin with b or B, type:
<b*
To view information about all senders' names that begin with b, B, e, or E, type:
<b*, <e*
Recipient
To view information about all recipients' names that begin with b or B, type:
<b*
To view information about all recipients' names that begin with b, B, e, or E, type:
<b*, <e*
Definition
Action
Category
All
Modified
Legitimate
Rerouted
Monitored
Blocked
Compliance
Viruses
Spam/Phish
PuPs
Legitimate
Sender Authentication
Other
If the selection is not All, you see further options relevant to your selection. For
example, if you select Content, you can further select Mail Size.
Extra categories appear if you have installed any optional software.
Table 3-11 Option definitions: Show Advanced options
Option
Definition
Detection
Top Spam Senders report only. Choose whether the report should contain results for
spam senders, phish senders, or both.
Virus/PuPs
Top Viruses report only. Type the name of the virus or potentially unwanted program to
get detection results for that specific threat.
Show Advanced
Source Domain
Filter traffic based on the domain that the messages are being sent from.
Source IP
Filter traffic based on the IP address that the messages are being sent from.
Destination Domain Filter traffic based on the domain that the messages are being sent to.
Destination IP
Filter traffic based on the IP address that the messages are being sent to.
Audit ID
As traffic passes through the appliance it can have an Audit ID assigned. Use this
field to filter traffic with a specific Audit ID.
Policy
Favorite reports
Use this page to run an existing favorite report immediately, or build a list of links to reports that you
have already saved.
Reports | Email Reports | Selection | Favorites
Reports | System Reports | Selection | Favorites
Definition
Name
Run report When clicked, opens the selected report and displays it to the left of the screen.
Edit
Opens the Filter page from where you can change the settings, test the report results, and
save the report criteria into a new favorite report.
Delete
Removes that Favorite report from the list, and from the reports available in Scheduled
Reports.
Create a report that shows global email activity in the previous 24 hours
Save the report as a new favorite report to be run again in the future
From the Favorites list, select the Email Overview (last 24h) report.
A report is created that shows the email traffic over the last 24 hours, for all users.
Task: Filter the data for a particular sender and save the report as a new favorite report
Use this task to filter data produced from a global email report to refer to a particular sender.
Additionally, save the new report as a favorite.
Before you begin
Make sure that you have created the report detailed in the task Run a standard email
activity report.
Task
1
Click Filter.
In Sender, type sender@examplecompany.com and click Apply to filter the data for that sender.
Click Save, type a name for the report, and click OK.
In the list of available report documents, select Favorite, and click Edit.
Select Enable scheduled delivery, and set the report to run Daily at 17:00 hours.
In the list of favorite reports, select the report that you created, click OK, and apply the changes to
the appliance.
The selected report is sent each day at 17:00 hours to the specified email administrator.
From the Favorites list, select the Top Viruses report, and click Filter.
Select Time view to see the action that was taken on each message broken down into eight hour
periods.
Select Detail view to see further information such as policy details, and the source IP address for each
message.
The required report, showing the total number of viruses detected in the previous week, is generated.
System Reports
Use this page to create and view real-time reports about threat detection updates, and system events.
Reports | System Reports
You can generate a report based on a set of pre-defined filters, or edit the filters, test the results, and
save the report as a new report.
Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See
Report types.
Filter enables you to further define the data in each Favorite report, and set the period of time for
which you want to retrieve data. See Filter types.
Definition
Displays results in Detail view by default. Results show the type of update
(anti-virus, spam rules, or URL filtering definitions), when it was made, the
results, and reference number associated with the update file
Displays results in Detail view by default. Results show the type of update
(anti-virus, spam rules, or URL filtering definitions), when it was made, the
results, and reference number associated with the update file
For information about the Filter or Favorites section on the right, click its tab, then click the Help button
(?).
Table 3-14 Option definitions
Option
Definition
Interactive reporting: Detail view
Definition
Period and Ending Displays information for a period from one hour to one month, based on the
selected start date.
When clicked, the Previous and Next buttons adjust the From date, for example,
moving it to next week or the previous day.
Event type
Displays reports about particular event types. For example, issues concerning the
Network.
Event
Reason
Favorite reports
Use this page to run an existing favorite report immediately, or build a list of links to reports that you
have already saved.
Reports | Email Reports | Selection | Favorites
Reports | System Reports | Selection | Favorites
Table 3-16 Option definitions
Option
Definition
Name
Run report When clicked, opens the selected report and displays it to the left of the screen.
Edit
Opens the Filter page from where you can change the settings, test the report results, and
save the report criteria into a new favorite report.
Delete
Removes that Favorite report from the list, and from the reports available in Scheduled
Reports.
Run a report that shows all updates that took place in the last week
Filter the results to show only the URL filter updates that failed
Save the report as a new favorite report to be run again in the future
Task
1
From the Favorites list, select the Anti-Virus Updates (last week) report.
Click Filter.
In Event, select URL filter update failed, and click Apply to filter the data accordingly.
Click Save, type a name for the report, and click OK.
This section of the online help topic provides an overview of the Email features and controls within
your Email Gateway appliances.
Email
Contents
Life of an email message
Email Configuration overview
Email Policies
DLP and Dictionaries overview
Encryption
Certificate Management
Hybrid configuration
Group Management
Add Directory Service wizard
Quarantine Configuration
CONNECT
Permit Sender
Deny Sender
EHLO/MAIL
FROM
RCPT TO
DATA
Address Masquerading
Anti-Relay
Anti-Relay Settings
Greylisting
Recipient Authentication
Address Aliasing
(Masquerading)
Recipient Authentication
Recipient Authentication
Recipient Authentication
RBL
SPF
Sender ID
Anti-spam
Scanning
Anti-Spam Settings - Advanced Options
Anti-Spam Settings - Blacklists and Whitelists
Anti-phish
Anti-Phish Settings
Corrupt content
Encrypted content
HTML check
Compliance
Compliance Settings
DLP
Image filtering
File filter
Delivery
Proxy Mode
Domain Relay
DNS
Fallback relay
Transparent
Mode
When passing through the scanning stage, the next step that the email message takes depends on the
scanners that are triggered and the primary actions defined for each scanner.
Deny connection
Replace
Refuse
Allow through
The appliance scans an email message and triggers against both a virus and spam. The anti-virus
scanner is configured to block on detection, whereas the anti-spam scanner is configured to block.
In this situation, the appliance will report the email message as containing viral content, as this is
the highest-priority primary action.
The appliance scans an email message and again triggers against both a virus and spam. However,
this time, both the anti-virus and the anti-spam scanners have their primary actions set to block.
In this case, the appliance will report the anti-spam trigger (anti-spam scanning occurs before
the anti-virus scanning) but, as both scanners are configured with the same priority primary
action, the message will also be reported as containing viral material.
Contents
Protocol Configuration
Option definitions Protocol Presets dialog box
Option definition - New Protocol Preset
Receiving Email
Sending Email
Sending Email Add Relay List dialog box and Add MX Lookup dialog box
Anti-Relay Settings Add Relay Domain dialog box and Add MX Lookup dialog box
Protocol Configuration
The Protocol Configuration tab within Email Configuration enables you to configure settings that are
protocol-dependent.
Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) | Basic SMTP settings
Changing these settings can affect scanning performance. If you are not sure about the impact of
making changes, ask your network expert.
Definition
When deselected, ignores any SMTP traffic. Other traffic is not affected.
Listening ports
Definition
When selected, enables the appliance to perform lookups. Default value is Yes.
Append appliance domain name for DNS lookups
If you encounter issues with non-delivery of sent email messages routed using
DNS lookups to recipients using legacy email systems, select this option.
Take care if deselecting this setting. If you deny reverse DNS lookups, some
functions might fail.
Selecting this option appends the domain name of the appliance (for example:
appliance.domain.test) to the domain details found within the message. So, if a
message is sent to user@recipientdomain.test, the appliance carries out DNS
lookups for both recipientdomain.test.domain.test and recipientdomain.test.
This option is disabled by default.
Appending appliance domain names to the DNS lookups is known to cause issues
with DNS systems configured with wildcard records.
Timeouts
Use this area to specify the timeouts that apply to the SMTP conversations.
These settings are configured by default to provide the best SMTP performance with most appliances
and network configurations. Changing these settings can affect performance. If you are not sure about
the impact of making any changes, ask your network expert.
Protocol preset
Select the required protocol preset, or create a new preset, using the drop-down list and button to the
right of the page.
Option
Definition
Between commands
Definition
Establishing a connection
Definition
Enable SMTP conversation logging Select to produce a log of performed scans. These logs are available
from Reports | Message search.
Definition
CAB files
BZIP-compressed files
Search options:
Password-protected files
Encrypted files
Definition
Definition
Specify the maximum length of a line within the message data. Setting
this option prevents data with excessively long line lengths from being
processed by the appliance. By default, no limit is set.
Specifies the maximum number of hops allowed, that is, the maximum
number of Received lines allowed in the email header.
Default value is 100.
Specifies how the appliance responds. Default value is Close the connection.
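The two message-data limits described above, the maximum number of Received lines (hops) and the maximum line length, can be checked on a raw message as shown below. This is an added example, not the appliance's own code: the hop default of 100 is the page's, while the 998-byte line limit used in the demo is an assumption (the page's default is no limit), and the "close" result models the Close the connection response from the table.

```python
"""Added example (not the appliance's code): enforce a maximum Received
hop count and a maximum line length on a raw SMTP message."""
import email
from email import policy

DEFAULT_MAX_HOPS = 100      # page default for the hop limit
DEMO_MAX_LINE_LEN = 998     # assumed demo value; the page's default is no limit


def count_hops(raw: bytes) -> int:
    """Number of Received: lines in the header block (one per relaying MTA)."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    return len(msg.get_all("Received", []))


def longest_line(raw: bytes) -> int:
    """Length of the longest line in the message data, CR/LF excluded."""
    return max((len(line.rstrip(b"\r")) for line in raw.split(b"\n")), default=0)


def check_message(raw: bytes, max_hops: int = DEFAULT_MAX_HOPS, max_line_len=None):
    """Return ("accept", None) when both limits hold, otherwise ("close", reason),
    modelling the 'Close the connection' response. max_line_len=None means no limit."""
    hops = count_hops(raw)
    if hops > max_hops:
        return "close", f"hop limit exceeded: {hops} Received lines > {max_hops}"
    if max_line_len is not None:
        length = longest_line(raw)
        if length > max_line_len:
            return "close", f"line length {length} exceeds limit {max_line_len}"
    return "accept", None


def build_message(hops: int, body_line_len: int) -> bytes:
    """Constructed sample message with the given number of Received lines
    and a single body line of the given length."""
    received = b"".join(
        b"Received: from mx%d.example.test by gw.example.test; "
        b"Mon, 1 Jan 2024 00:00:00 +0000\r\n" % i
        for i in range(hops)
    )
    return (received
            + b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: test\r\n\r\n"
            + b"A" * body_line_len + b"\r\n")


if __name__ == "__main__":
    print(check_message(build_message(3, 50)))
    print(check_message(build_message(101, 50)))
    print(check_message(build_message(1, 2000), max_line_len=DEMO_MAX_LINE_LEN))
```

A message that has looped between relays accumulates one Received line per pass, so the hop limit is what stops it; the line-length limit is only enforced when a value is configured, matching the page's "no limit" default.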
Definition
Limits the time between opening the connection and receiving the final
dot (.) command.
Default value is No limit.
Delay period
Message processing
Use this area to configure message processing options within the SMTP protocol.
Table 4-7 Option definitions
Option
Definition
Welcome message
Specifies the text that is seen by a host when connecting to the appliance in
Explicit Proxy mode.
By default, this message is empty.
Store and forward email
Always: Selecting the check box causes Email Gateway to queue all messages for delivery at a later time.
When the message size exceeds: Messages which exceed the specified size limits will always be
accepted and queued by the appliance before onward delivery is attempted. Default value: no limit.
When the number of recipients exceeds: Messages which exceed the specified number of recipients
will always be accepted and queued by the appliance before onward delivery is attempted. Default
value: no limit.
Messages below the specified limits will have delivery attempted immediately.
Maximum number of MX records used
Maximum number of A records used
Advanced options
Use this section to specify further settings for message processing. You do not normally need to
change the settings.
Definition
If you prefer that the domain address of your server is not made
available, deselect this feature.
Definition
Definition
Specifies the welcome message that appears when a host using SMTP connects
to an appliance operating in a transparent mode.
When selected, displays the welcome message of the mail server at the other
end of the connection. Prefixes extra text, if specified in the next option.
When not selected, displays the appliance's own welcome message (in the
Message processing section).
Default value is Yes.
Prevents the connection between the appliance and the onward email server
from timing-out when the appliance is scanning large email messages by
sending a keep-alive command to the destination server. This keeps the
connection alive until the DATA phase from the sending email server to the
appliance has completed. When the data has been transferred to the appliance,
the appliance stops sending the commands and starts the DATA phase between
the appliance and the destination email server. Default value is No.
Specify how often to send the keep-alive (NOOP) commands during the DATA
phase.
Default interval is 55 seconds.
Advanced options
Use this section to specify further settings for transparency options. You do not normally need to
change these settings.
Definition
Allow the appliance to generate additional scanning alerts
Generates additional scanning alerts to warn a network administrator or other users when specific
events occur.
Default value is Yes.
The actions that the appliance takes when one of these events occurs, depends on
which detection was triggered and how the policies have been set up for each
protocol. By default, most secondary actions are not available when the appliance
is operating in a transparent mode. Only the quarantine actions are available by
default.
Allow multiple policies per email
Allows the use of multiple policies for email messages that have more than one
recipient.
Default value is No.
If an email message has more than one recipient, you can configure the appliance
to allow different policies to apply to each of the recipients. If you do not allow
multiple policies, the appliance applies only the highest priority policy, as defined
by the order of your policies.
Add a Received header to email
Secure conversation pass-through
With this option selected, when the McAfee Email Gateway either receives the
STARTTLS command or a connection is received on a Secure Port (SMTPS), the
connection is passed through to the other email server, allowing a secure
server-to-server connection to be made directly between the client and server
without McAfee Email Gateway scanning or processing the data.
As the TLS or SSL connection is effectively direct between the two email servers,
McAfee Email Gateway cannot scan the secured traffic that is passed through it
using Secure conversation pass-through. Therefore, it is possible that malicious content
could pass undetected through your McAfee Email Gateway and into your network.
ESMTP extensions
Microsoft Exchange
ESMTP extensions
Definition
Definition
Advertise McAfee Secure Web Mail policy support in the EHLO response
When using this appliance to provide encryption services to other McAfee Email Gateway appliances,
you should enable this option.
Use the Protocol presets to ensure that the appliance only advertises McAfee Secure Web Mail policy
support when the connection is coming from other McAfee Email Gateway appliances.
Send and receive email for general enquiries using an anonymous address such as
info@example.com, instead of one person's specific address.
Modify the email headers to hide information about your internal domains.
Make modifications to the From address and sender headers of outgoing email under Sender address
masquerading.
Make modifications to the To address of incoming email under Recipient address aliasing.
Address masquerading is based on protocol presets and can affect a large number of email messages.
When configuring your policies, consider whether you need the policy rules to apply to the email
addresses before or after they might be re-written.
Useful websites
Regular expressions: http://www.regular-expressions.info/reference.html
Definition
Type
Search pattern
Specifies a search pattern that uses regular expressions to convert the original sender
email address to a masqueraded email address.
Take care with the use of ^ and $ in a regular expression. If the email headers contain
extra characters such as chevrons (< >), the regular expression will not replace the
email address, as expected.
Replacement
Displays the address you want to put in place of the original email address.
Move
The search for the pattern is done from the top to the bottom of the list. When a
pattern matches, it replaces using the replacement. In the case of LDAP lookups, it
uses the relevant LDAP query.
Add Entry
When clicked, opens a further window where you can test whether your regular
expression makes the correct replacement address. Type an email address as input,
click Check to see the resulting output address.
Export
When clicked, this link opens a dialog box you can use to export your list of
masquerade addresses as a text file. The list can be stored on the appliance, or on
your local computer.
The list is a text file in the following format:
List, search pattern
Replacement
List, search pattern
Replacement
Write down the file name and location in case you need to import it.
Import
When clicked, this link opens a dialog box you can use to navigate to a stored
(exported) address list and import it to your current Masquerade window. You can
overwrite existing addresses, or append to the existing list.
Definition
Sender mail headers to search
Specifies the mail headers to search within outgoing email messages.
You need only add new headers if your mail server attaches its own unique
headers, or extra headers are defined in new email specifications.
By default, the following email headers are searched when using Sender address
masquerading:
return-path
resent-sender
from
reply-to
sender
return
resent-from
Definition
Type
Search pattern
Specifies a search pattern that uses regular expressions to convert the recipient's email
address to an aliased email address.
Take care with the use of ^ and $ in a regular expression. If the email headers contain
extra characters such as chevrons (< >), the regular expression will not replace the
email address, as expected.
Replacement
Displays the address you want to put in place of the recipient email address.
Move
The search for the pattern is done from the top to the bottom of the list. When a
pattern matches, it replaces using the replacement. In the case of LDAP lookups, it
uses the relevant LDAP query.
Add Entry
When clicked, opens a further window where you can test whether your regular
expression makes the correct replacement address. Type an email address as input,
click Check to see the resulting output address.
Export
When clicked, this link opens a dialog box you can use to export your list of virtual
addresses as a text file. The list can be stored on the appliance, or on your local
computer.
The list is a text file in the following format:
List, search pattern
Replacement
List, search pattern
Replacement
Write down the file name and location in case you need to import it.
Import
When clicked, this link opens a dialog box you can use to navigate to a stored
(exported) address list and import it to your current Masquerade window. You can
overwrite existing addresses, or append to the existing list.
Definition
Recipient mail headers to search
Specifies the email headers to search within incoming email messages.
You need only add new headers if your mail server attaches its own unique
headers, or if extra headers are defined in new email specifications.
Task
1
In Replacement, select the correct server and address masquerading query and click Test.
In Input email address, type the email address that you want to masquerade, and click Check.
The Pattern matched and Output email address fields are automatically populated.
Click Close.
When the query is selected, any email that comes from, for example originalsender@test.dom, should
be replaced with the masqueraded email address such as <masqueraded sender>@test.dom.
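The ordered pattern/replacement lists described in the sender address masquerading and recipient address aliasing tables above work as follows. This is an added example and not the appliance's code: the rules and header values are constructed, the seven default sender headers are the ones the page lists, and the LDAP lookup variant is not modelled. It also shows the page's caveat about ^ and $: an anchored pattern applied to a header value that still carries chevrons matches nothing, so the bare address is extracted first.

```python
"""Added example (not the appliance's code): apply ordered regular-expression
masquerading rules to the address-bearing headers of a message."""
import re

# Headers the page lists as searched by default for sender masquerading.
SENDER_HEADERS = ("return-path", "resent-sender", "from", "reply-to",
                  "sender", "return", "resent-from")

# Constructed rules, evaluated top to bottom; the first match wins.
RULES = [
    (r"^originalsender@test\.dom$", "masqueraded.sender@test.dom"),
    (r"^(.*)@internal\.test\.dom$", r"\1@test.dom"),
]


def extract_address(value: str) -> str:
    """Return the bare address from a header value, dropping a display name
    and the chevrons ('Alice <a@b>' -> 'a@b')."""
    m = re.search(r"<([^>]*)>", value)
    return m.group(1) if m else value.strip()


def masquerade_address(addr: str, rules=RULES):
    """Apply the first rule whose pattern matches addr.
    Returns (new_address, matched_pattern); pattern is None when nothing matched."""
    for pattern, replacement in rules:
        if re.search(pattern, addr):
            return re.sub(pattern, replacement, addr, count=1), pattern
    return addr, None


def masquerade_headers(headers, rules=RULES, names=SENDER_HEADERS):
    """headers: list of (name, value) pairs. Only the bare address inside the
    listed headers is rewritten, so display names and chevrons survive."""
    out = []
    for name, value in headers:
        if name.lower() in names:
            addr = extract_address(value)
            new_addr, _ = masquerade_address(addr, rules)
            if new_addr != addr:
                value = value.replace(addr, new_addr, 1)
        out.append((name, value))
    return out


if __name__ == "__main__":
    # The chevron pitfall from the table: anchored pattern, raw header value.
    print(masquerade_address("<originalsender@test.dom>"))   # unchanged, no match
    print(masquerade_headers([("From", "Alice <originalsender@test.dom>"),
                              ("Reply-To", "bob@internal.test.dom"),
                              ("Subject", "hello")]))
```

Because the rules are tried in list order and the first match wins, a broad catch-all such as the second rule must sit below any specific rewrites, which is what the Move option in the table is for.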
Email | Email Configuration | Protocol Configuration | Connection and Protocol Settings (POP3)
Optionally specify periods when some parts of the network will not be scanned.
Before turning off scanning of any traffic, consider the security risks. The most secure option is to scan
all traffic. If an appliance is operating in a transparent mode, use this feature to exclude some parts of
the network from scanning traffic in a protocol during specific periods. You might need to do this if you
regularly move many large files through the appliance.
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.
Email | Email Configuration | Protocol Configuration | Connection and Protocol Settings (POP3) | Basic POP3
settings
Changing these settings can affect scanning performance. If you are not sure about the impact of
making changes, ask your network expert.
Definition
When deselected, ignores any POP3 traffic. Other traffic is not affected.
Listening ports
Transparent interception ports
When selected, enables the appliance to perform lookups. Default value is Yes.
Append appliance domain name for DNS lookups
If you encounter issues with non-delivery of sent email messages routed using
DNS lookups to recipients using legacy email systems, select this option.
Take care if deselecting this setting. If you deny reverse DNS lookups, some
functions might fail.
Selecting this option appends the domain name of the appliance (for example:
appliance.domain.test) to the domain details found within the message. So, if a
message is sent to user@recipientdomain.test, the appliance carries out DNS
lookups for both recipientdomain.test.domain.test and recipientdomain.test.
This option is disabled by default.
Appending appliance domain names to the DNS lookups is known to cause issues
with DNS systems configured with wildcard records.
Timeouts
Use this area to specify time-out values for the POP3 protocol.
You do not need to change these values often.
Definition
Maximum wait times when talking to a POP3 client
Specifies how long the appliance waits for responses from the computer that sends the email
message. Default values:
Between commands 600 seconds
Completing data transfer 60 seconds
Maximum wait times when talking to a POP3 server
Specifies how long the appliance waits for responses from the mail server that receives the email
message. Default values:
Establishing a connection 60 seconds
Completing data transfer 60 seconds
Definition
Enable server keepalives
Specifies values to keep the server connection open. The appliance can repeatedly
send a POP3 command to prevent the connection between the appliance and the
mail server timing-out.
Default values:
Enable server keepalives No
Keepalive interval 60 seconds
Keepalive command Not set
Enable client keepalives
Specifies values to keep the client connection open. The appliance can repeatedly
send a POP3 command to prevent the connection between the appliance and the
POP3 mail client timing-out. Default values:
Enable client keepalives No
Keepalive interval 60 seconds
Address delimiters
Specifies the characters that identify each part of an email address. For example:
[user name]#[host name]:[port number]. Default values:
# User delimiter
: Host delimiter
You need only change the delimiter characters if your POP3 provider uses different
characters.
Respond to CAPA requests
Definition
Click to open the Add Network Group dialog box to group together hosts or networks
that you want to be associated with each other.
Network groups can be used when defining rules for email policies and protocol
presets by selecting the source or destination network group rule type.
Add Policy
Order
Shows the presets in the order in which you want them to be evaluated. The
default policy is always evaluated last.
Policy name / Move / Delete
Lists the presets, and allows you to move them or edit them as appropriate.
The default policy cannot be modified or deleted.
Option
Definition
Policy name
Description
Optionally type a description for the policy to help you identify it.
Inherit settings from
Select the protocol preset from which you want to inherit the settings, that is, any
settings that are not overridden by this protocol preset will be taken from the
protocol preset specified here.
Policy type
Select either:
Physical A standard policy that has rules available. A physical policy can be
triggered when its rules are matched and can also be used for inheritance.
Virtual A virtual policy can be considered to be a collection of settings available
for the purposes of inheritance. A virtual policy can never be triggered.
This option is only available when you create a protocol preset from Email | Email
Configuration when virtual hosting has been enabled on the appliance.
Match logic
Select either:
Match one or more of the following rules this policy triggers if any of the specified rules
are matched.
Match all of the following rules this policy triggers if all of the specified rules are
matched.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Rule type / Move / Edit
Lists the rules associated with the preset, and allows you to move or edit them as
appropriate.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Option
Definition
Add Rule
Click to specify the type of rule that you want to apply to the preset, and set its
Match and Value.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Add network group
Receiving Email
The Receiving Email tab within Email Configuration enables you to configure settings that are
protocol-dependent.
Further tabs enable you to configure permit and deny lists and anti-relay settings as well as recipient
authentication and bounce address tag validation.
Contents
Permit and Deny Lists
Anti-Relay Settings
Recipient Authentication
Bounce Address Tag Validation
Definition
IP address The appliance accepts email from this address even if a detected threat caused a "Deny
connection" action. This setting ensures that the appliance does not delay email from
trusted senders.
Add
Delete
Import List To prevent you having to enter the permitted connections individually onto each of your
appliances, you can import a list of permitted connections.
Export List Once you have configured the permitted connections list for one of your appliances, you
can export the permitted connections list, to be imported onto other appliances.
The file is created in comma separated values (CSV) format.
Table 4-17 Option definitions: Blocked connections
Option
Definition
Virtual Host
Displays the name of the virtual host that received the connection currently
being blocked by the appliance.
IP address
Domain Name
Port
Displays the number of the port on which the message was received. This is
typically port 25.
VLAN ID
Displays the ID of the virtual LAN on which the message was received. This is
typically 1 to 4094.
Applicable to Transparent Bridge mode only.
Seconds remaining
Displays the time that must pass before the appliance again allows a connection
from this IP address.
Refresh
When clicked, updates the list of connections. The list is not automatically
updated.
Resolve Addresses
When clicked, the appliance attempts to resolve the IP addresses to show the
relevant domain name.
Unblock
Store a maximum of items in the blocked connections list
If the limit is reached, the appliance can only add more IP addresses to the list
when an existing address expires or is removed manually by clicking Unblock.
Default value is 5000.
Definition
Displays the details of the sender (email address, IP address and domain
name).
Reject
Resolve permitted / blocked host names to IP addresses
When selected, causes the appliance to use DNS to resolve host names to IP
addresses from a domain name. These lookups take place when the SMTP
proxy is initialized. The default value is Yes.
When selected, causes the appliance to use DNS to do a reverse lookup of the
sending IP address to match domains in the list. Because this requires an extra
lookup for each connection, this can affect performance. The default value is
No.
Import List
Export List
Once you have configured the permitted or denied senders list for one of your
appliances, you can export the information, to be imported onto other
appliances.
The files are created in comma separated values (CSV) format.
Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists | Permitted and blocked connections |
Permitted connections.
Click Add.
Type the IP address and the netmask for the connection that you want listed as permitted.
Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists.
Click Export List for the relevant area (Permitted connections, Permitted senders or Blocked senders).
Click Close.
Your list of Permitted connections, Permitted senders or Blocked senders is downloaded to your local file system.
Ensure that you have exported the required list, and that it is located where it can be accessed
from your user interface.
Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists.
From the relevant area (Permitted connections, Permitted senders or Blocked senders), click Import List.
Click OK.
Anti-Relay Settings
Use this page to prevent the appliance from being used as an open relay.
Relaying email
Anti-relay options
A typical scenario is that the local domain, such as *.local.dom, accepts messages for delivery by
the appliance. You also have a network from which you accept messages, such as 192.168.0.0/24.
The anti-relay feature checks the contents of these lists to determine whether a recipient is
acceptable.
Yes. The appliance operates as an open relay and allows the recipient to receive the message.
Yes. The appliance checks whether the recipient matches on a permitted routing character.
Option  Definition
Add Domain: Click to specify the domains that can relay messages through the appliance to the recipient. Choose from:
Local domain: These are the domains or networks for which email is accepted for delivery. For convenience, you can import a list of your local domain names using the Import Lists and Export Lists options. McAfee recommends that you add all domains or networks that are allowed to relay messages as local domains.
Permitted domain: Email is accepted. Use permitted domains to manage exceptions.
Denied domain: Email is refused. Use denied domains to manage exceptions.
Hold your mouse cursor over the field to see the recommended format.
Ensure that you define at least one local domain, as well as the domains for which you want to permit email relaying and those for which you want to deny it. Defining a domain as a Permitted domain ensures that email traffic from that domain is always allowed to be relayed.
Add MX Lookup: Click to specify a domain that the appliance will use to identify all mail server IP addresses from which it will deliver messages.
Delete Selected Items: Removes the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration.
Domain Name/Network Address/MX Record: Displays the domain names, wildcard domain names, network addresses, and MX lookups from which the appliance will accept or refuse email.
Type: One of the following:
Domain name, for example example.dom. The appliance uses this to compare the recipient's email address, and to compare the connection against an A record lookup.
Network Address, for example 192.168.0.2/32 or 192.168.0.0/24. The appliance uses this to compare the recipient's IP-literal email address, such as user@[192.168.0.2], or the connection.
MX Record Lookup, for example example.dom. The appliance uses this to compare the connection against an MX record lookup.
Wildcard domain name, for example *.example.dom. The appliance only uses this information to compare the recipient's email address.
Category: Local domain, Permitted domain or Denied domain.
Resolve the above domain names to IP addresses: If selected, allows the appliance to use DNS to resolve the IP addresses of the domains. These lookups take place only when the SMTP proxy is initialized.
Option  Definition
If a sender or recipient is rejected: Choose from:
Reject sends an SMTP 550 (permanent failure) response and closes the connection.
Reject the email and close the connection sends a rejection code, an SMTP 550 (permanent failure) response code or an SMTP 421 (temporarily unavailable service due to potential threat) message, then closes the connection.
Accept and ignore the recipient sends an acceptance code, SMTP 250 (OK). McAfee does not recommend this option because it suggests to the sender that the message was received as intended.
Import Lists/Export Lists: On an appliance from which you want to save a list of domains for anti-relay specification, click Export Lists to create a comma-separated (CSV) file that contains details of all the domains that you specified on this page, whether they are local, permitted or denied. On an appliance onto which you wish to put the list of domains, click Import Lists. To create your own list, see Formats for export lists later on this page.
Permitted routing characters: Specifies permitted routing characters. Normally you do not need to type any characters here.
Denied routing characters: When selected, prevents the use of the following routing characters: ! % |
Protocol preset: Specifies the policy (and network group) to which these settings apply.
Click Add Domain, and type the network address or the IP address from which you expect to receive
messages (such as 192.168.0.2/32 or 192.168.0.0/24).
The domains that you specify are allowed to relay incoming or outgoing email traffic.
Type the domain name that you want to deny using a wildcard, such as *example.dom to reject all
messages sent to that domain.
Click Add Domain again, and type the name of the subdomain that you want to accept, such as
sub.example.dom.
On a master appliance, go to Email | Email Configuration | Receiving Email to set up the local domain, and
any permitted or denied domains.
Click Export Lists to create a CSV file that contains a list of all domains displayed in the Relaying
email list.
Click the link to download the file, and save it onto your local file system.
On a secondary appliance, go to Email | Email Configuration | Receiving Email and click Import Lists.
For example:
LD *inbri.bs.dom, LN 10.6.1.3/24, PD *qa.ext.bs.dom, DD *ext.bs.dom
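As an added example (not appliance code), the parser below reads the export-list line above and applies it to a RCPT TO; the precedence permitted, then denied, then local, with anything unmatched refused, and the shell-style wildcard matching are assumptions drawn from the option descriptions on this page.

```python
import ipaddress
from fnmatch import fnmatchcase

# Tags used by the export list shown above (assumed meaning, from the page's
# categories): LD local domain, LN local network, PD permitted domain,
# DD denied domain.
TAG_CATEGORY = {"LD": "local", "LN": "local", "PD": "permitted", "DD": "denied"}


def parse_export_list(text):
    """Parse 'LD *a.dom, LN 10.6.1.3/24, PD *b.dom, DD *c.dom' into
    (category, kind, value) tuples; networks become ip_network objects."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        tag, value = item.split(None, 1)
        category = TAG_CATEGORY[tag.upper()]
        if tag.upper() == "LN" or "/" in value:
            # strict=False accepts a host address with a mask, as in 10.6.1.3/24
            entries.append((category, "network",
                            ipaddress.ip_network(value.strip(), strict=False)))
        else:
            entries.append((category, "domain", value.strip().lower()))
    return entries


def _recipient_parts(recipient):
    """Split 'user@host.dom' or the IP-literal form 'user@[192.168.0.2]'."""
    _, _, domain = recipient.rpartition("@")
    if domain.startswith("[") and domain.endswith("]"):
        return None, ipaddress.ip_address(domain[1:-1])
    return domain.lower(), None


def relay_decision(entries, recipient, connecting_ip):
    """Return 'accept' or 'reject' for one RCPT TO.

    A domain entry matches the recipient's domain (wildcards such as
    *.example.dom use shell-style matching); a network entry matches either the
    connecting IP address or an IP-literal recipient. Assumed precedence:
    permitted, then denied, then local; anything unmatched is refused, which is
    what keeps the appliance from acting as an open relay."""
    rcpt_domain, rcpt_ip = _recipient_parts(recipient)
    conn_ip = ipaddress.ip_address(connecting_ip)
    matched = set()
    for category, kind, value in entries:
        if kind == "domain":
            if rcpt_domain is not None and fnmatchcase(rcpt_domain, value):
                matched.add(category)
        elif conn_ip in value or (rcpt_ip is not None and rcpt_ip in value):
            matched.add(category)
    for category in ("permitted", "denied", "local"):
        if category in matched:
            return "reject" if category == "denied" else "accept"
    return "reject"
```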
Recipient Authentication
Use this page to prevent attacks from zombie networks, bogus recipient names, and directory
harvesting.
Option  Definition
Protocol preset: Specifies the policy (and network group) to which these settings apply.
Accept SMTP callback requests
Specifies how long to reject any early attempt to resend the email. The default value is 3600 seconds (1 hour). Many mail servers typically try to resend after one hour. The range is up to 86400 seconds (1 day).
Unretried record lifetime: Specifies how long to keep a record where the sender has not tried to send another message. After this time, the appliance deletes the record of any triplet that has not been retried. We recommend a value below 8 hours. The range is up to 96 hours (4 days). Default value is 4 hours.
Greylisted record lifetime: Specifies how long to keep a greylisted record. The appliance deletes records of triplets that have not been referenced for some time. The range is up to 2160 hours (90 days). Default value is 864 hours (36 days), which is suitable for occasional mail like monthly newsletters.
Maximum number of records: Specifies the maximum number of greylisted records. When the number of records approaches this value, the appliance starts deleting old records. The range is 50,000 to 2,000,000. Default value is 2000000.
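An added example, not appliance code, of a greylist store driven by the four settings above; the eviction rule when the record ceiling is reached is an assumption, as the page does not state it.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Greylisting store keyed by the triplet (sending IP, MAIL FROM, RCPT TO),
    using the timers defined in the table above. Added example, not appliance
    code; the page does not say which record is dropped when the ceiling is
    reached, so evicting the least recently seen record is an assumption."""
    retry_delay: int = 3600                 # reject retries earlier than this (page default 3600 s)
    unretried_lifetime: int = 4 * 3600      # drop records never retried successfully (page default 4 h)
    greylisted_lifetime: int = 864 * 3600   # drop passed records unused for this long (page default 864 h)
    max_records: int = 2_000_000            # page range 50,000 to 2,000,000
    records: dict = field(default_factory=dict)  # triplet -> [first_seen, last_seen, passed]

    def check(self, ip, mail_from, rcpt_to, now=None):
        """Return 'greylisted' (answer 451, try again later) or 'accept'."""
        now = time.time() if now is None else now
        self.expire(now)
        key = (ip, mail_from.lower(), rcpt_to.lower())
        rec = self.records.get(key)
        if rec is None:
            # First sight of this triplet: record it and temp-fail the delivery.
            if len(self.records) >= self.max_records:
                self._evict_oldest()
            self.records[key] = [now, now, False]
            return "greylisted"
        first_seen, _, passed = rec
        rec[1] = now
        if passed or now - first_seen >= self.retry_delay:
            rec[2] = True          # a legitimate MTA retried after the delay
            return "accept"
        return "greylisted"        # retried too early: still temp-failed

    def expire(self, now):
        """Apply the two lifetimes: unretried records age from first sight,
        passed (greylisted) records age from their last use."""
        dead = [k for k, (first, last, passed) in self.records.items()
                if (not passed and now - first > self.unretried_lifetime)
                or (passed and now - last > self.greylisted_lifetime)]
        for k in dead:
            del self.records[k]

    def _evict_oldest(self):
        oldest = min(self.records, key=lambda k: self.records[k][1])
        del self.records[oldest]
```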
Option  Definition
Protocol preset: Specifies the policy (and network group) to which these settings apply.
When selected, checks the recipient address against email addresses in the list.
Email address: Lists the acceptable email addresses. You can use wildcards, for example: user*@example.com. We recommend that you do not overuse wildcards, because you will defeat the intention. Add or remove addresses as necessary.
When selected, checks the recipient address against email addresses in the LDAP. To connect to an LDAP server, select Email | Group management | Directory Services and click Add Server.
Accept and ignore the recipient: Accepts the email message and ignores it. The appliance sends an acceptance code (SMTP 250 OK). We do not recommend this option because it suggests to the sender that the message was received as intended.
Reject: Sends a rejection code (SMTP 550 Fail). We recommend this option because the sender is normally informed that the message was not accepted.
Option  Definition
Protocol preset: Specifies the policy (and network group) to which these settings apply.
Response delay: When a tarpit action was selected, specifies the delay in responding to this email. Default value is 5 seconds. This is often enough to deter an attack.
Maximum number of recipients: When a tarpit action was selected, specifies how many recipient addresses each email may have. Default value is 10. Applies a delay if there are too many recipient addresses in the email message.
A directory harvesting attack ...: Defines this type of attack. Default values are 5 failed recipients and 10% accepted recipients. Email that falls outside this specification is not considered to be an attack, so no action is taken.
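An added example (not appliance code) that checks RCPT TO addresses against a wildcard list as on this page and applies the defaults above (5 failed recipients, 10% accepted, a 5 second tarpit, 10 recipients per message); reading the attack definition as "at least 5 failures and at most 10% accepted" is an assumption.

```python
from fnmatch import fnmatchcase


class RecipientCheck:
    """Per-connection recipient validation and directory harvesting attack (DHA)
    detection, using the defaults from the tables above: an address list with
    wildcards, 5 failed recipients and 10% accepted recipients as the attack
    definition, a 5 second tarpit and 10 recipients per message. Added example,
    not appliance code; treating the DHA thresholds as 'at least min_failed
    failures and at most max_accepted_pct accepted' is an assumption."""

    def __init__(self, valid_addresses, min_failed=5, max_accepted_pct=10.0,
                 tarpit_delay=5.0, max_recipients=10):
        self.patterns = [p.lower() for p in valid_addresses]
        self.min_failed = min_failed
        self.max_accepted_pct = max_accepted_pct
        self.tarpit_delay = tarpit_delay
        self.max_recipients = max_recipients
        self.accepted = 0
        self.failed = 0

    def is_valid(self, address):
        """The 'Email address' list: exact entries or wildcards such as user*@example.com."""
        return any(fnmatchcase(address.lower(), p) for p in self.patterns)

    def is_attack(self):
        """The page's definition: enough failures with a low acceptance rate."""
        total = self.accepted + self.failed
        if total == 0 or self.failed < self.min_failed:
            return False
        return self.accepted * 100.0 / total <= self.max_accepted_pct

    def rcpt(self, address):
        """Handle one RCPT TO; return (SMTP reply code, seconds to delay the reply).
        The delay models the tarpit: applied once the message carries more than
        max_recipients addresses or the connection looks like a DHA."""
        if self.is_valid(address):
            self.accepted += 1
            code = "250"
        else:
            self.failed += 1
            code = "550"
        total = self.accepted + self.failed
        tarpit = total > self.max_recipients or self.is_attack()
        return code, (self.tarpit_delay if tarpit else 0.0)
```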
Task Block all incoming email where the user does not exist in LDAP
Use this task to block all incoming email messages where the user does not exist in LDAP.
Task
Select Or if the recipient does not satisfy the query and select the desired Valid recipient query for the LDAP
server.
Option  Definition
Protocol preset: Specifies the policy (and network group) to which these settings apply.
Table 4-20 Option definitions Bounce Address Tag Validation Actions (continued)
Option  Definition
Specifies how the appliance must handle each invalid bounced message. The available options are: Allow through; Reject. You can assign different actions for each preset.
When you enable BATV tagging, the maximum length of local part of the MAIL FROM address used by
the appliance increases by 16 characters. Adjust your configuration setting to allow up to 80 characters
to allow BATV tagged email addresses. To do this, navigate to Email | Email Configuration | Protocol Configuration |
Protocol Settings (SMTP) | Address Parsing Options and change the maximum length.
Option  Definition
Signature lifetime: Specifies how long the signature seed will be used to sign outgoing email. Mail servers typically try to deliver mail for up to four days. McAfee recommends a value of 47 days.
Signature seed
Generate: When clicked, generates a signature seed that has 20 random letters and numbers. You can use this method instead of typing your own signature seed.
Import settings: When clicked, opens a file browser to import a text file that contains BATV settings from another appliance.
Export settings: When clicked, opens a file browser to create a text file that contains BATV settings for use by another appliance.
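An added example, not McAfee code, showing why the tag costs 16 characters: it uses the standard BATV prvs layout prvs=KDDDSSSSSS=local@domain with the page's 20-character seed and 47-day lifetime; the HMAC construction of the six signature digits is an assumption, since BATV leaves that private to the signer.

```python
import datetime
import hashlib
import hmac
import re
import secrets
import string

EPOCH = datetime.date(1970, 1, 1)
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")


def generate_seed(length=20):
    """Random seed of letters and digits, like the Generate button above."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _as_date(day):
    if day is None:
        return datetime.date.today()
    return datetime.date.fromisoformat(day) if isinstance(day, str) else day


def _days(day):
    return (day - EPOCH).days


def _signature(seed, key_id, ddd, address):
    # Signature scheme is an assumption: BATV leaves it private to the signer.
    msg = f"{key_id}{ddd}{address.lower()}".encode()
    return hmac.new(seed.encode(), msg, hashlib.sha1).hexdigest()[:6]


def batv_tag(mail_from, seed, today=None, key_id=0, lifetime_days=47):
    """Rewrite MAIL FROM using the standard BATV 'prvs' layout
    prvs=KDDDSSSSSS=local@domain (K key id, DDD expiry day modulo 1000,
    SSSSSS six hex digits of signature). The tag adds exactly 16 characters
    to the local part, which is why the page says to raise the address limit."""
    ddd = f"{(_days(_as_date(today)) + lifetime_days) % 1000:03d}"
    sig = _signature(seed, key_id, ddd, mail_from)
    return f"prvs={key_id}{ddd}{sig}={mail_from}"


def verify_batv(address, seed, today=None, lifetime_days=47):
    """Classify the RCPT TO of an incoming bounce: 'valid', 'untagged',
    'bad-signature' or 'expired'."""
    m = TAG_RE.match(address)
    if not m:
        return "untagged"
    key_id, ddd, sig, original = m.groups()
    if not hmac.compare_digest(sig, _signature(seed, key_id, ddd, original)):
        return "bad-signature"
    # modulo arithmetic handles the 1000-day wrap of the DDD field
    if (int(ddd) - _days(_as_date(today))) % 1000 > lifetime_days:
        return "expired"
    return "valid"


def bounce_action(address, seed, invalid_action="Reject", today=None):
    """Apply the table's per-preset action to an invalid bounce: a valid tag
    is always delivered; otherwise 'Allow through' or 'Reject' as configured."""
    if verify_batv(address, seed, today=today) == "valid":
        return "deliver"
    return "deliver" if invalid_action == "Allow through" else "reject"
```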
Sending Email
Use this page to specify how the appliance delivers email messages.
If the recipient's domain matches those listed in Domain Routing, it uses those relays to deliver the
message.
If the recipient's domain does not match those listed in Domain Routing, it can be configured to use an
MX record lookup to deliver using DNS. If no MX records are available, it attempts to make the
delivery using an A record lookup. MX delivery is attempted to hosts in the order of priority that is
returned by the DNS server.
If it cannot deliver using one of the previous methods, it uses fallback relays to make the delivery
(providing the recipient's domain matches those listed in the Fallback relays field).
If the domain does not exist, the appliance generates a non-delivery report and sends it to the
originator.
If the receiving server cannot accept delivery, or there are no IP addresses to complete the
delivery, the message is queued.
Option  Definition
Import Lists / Export Lists
Domain Routing
Click Add MX Lookup to populate the Domain Routing table with an MX record lookup to
determine the IP addresses for delivery.
Delivery will be attempted to host names returned by the MX lookup in the order of
priority given by the DNS server.
Click Add LDAP Lookup to populate the Domain routing table with an LDAP lookup to
determine the Home Mail Transfer Agent (MTA) to be used for emails to the specified
domain.
Only LDAP servers that have already been set up in Email | Group Management | Directory
Services | Add Server appear on this list.
Use an IPv4 or IPv6 address with optional port number or a fully qualified domain
name. For example, 10.6.1.6, 10.6.1.5:25,
2001:db8:ac10:fe01:205:2cff:fe03:2a45 or mailrelay.mydomain1.dom. If you
specify a fully qualified domain name, the appliance does an A-record lookup to
determine the IP address.
To specify multiple relays for a single domain, separate each with a space.
If the first mail relay is accepting email, all email is delivered to the first relay. If that
relay stops accepting email, subsequent email is delivered to the next relay in the
list.
Option  Definition
Enable DNS lookup for domains not listed above: If selected, the appliance uses DNS to route email for other, unspecified domains. DNS delivery attempts an MX-record lookup. If there are no MX records, it does an A-record lookup. If you deselect this checkbox, the appliance delivers email only to the domains that are specified under Domain Routing.
Fallback relays for unreachable domains: Specifies the fallback relays. If delivery is unsuccessful by any other method, and the domain matches an entry in this list, the appliance uses the information in this list to determine a host to be used for delivery.
Click Add Relay List to populate the Domain Routing table with a list of host names or IP addresses for delivery. Delivery will be attempted using the hosts in the order specified unless you select the Round-robin the above hosts option, which will distribute the load between the specified hosts. Host names/IP addresses may include a port number.
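An added example (not appliance code) that walks a recipient through the delivery order described above using a constructed in-memory DNS: Domain Routing entry (relay list with optional round robin, MX lookup, LDAP Home MTA), then DNS MX then A, then fallback relays, otherwise a non-delivery report; the LDAP lookup is modelled as a plain mapping.

```python
class Router:
    """Choose delivery targets for a recipient in the order described above:
    the Domain Routing entry for the domain (relay list, MX lookup or LDAP
    Home MTA), then DNS (MX, then A) when enabled, then the fallback relays,
    otherwise a non-delivery report. Added example with a constructed in-memory
    DNS; the appliance's own data structures are not on the page."""

    def __init__(self, dns_mx, dns_a, dns_enabled=True):
        self.dns_mx = dns_mx            # domain -> [(priority, host), ...]
        self.dns_a = dns_a              # name -> address
        self.dns_enabled = dns_enabled  # 'Enable DNS lookup for domains not listed above'
        self.routes = {}                # domain -> ("relays", hosts, rr) | ("mx", name) | ("ldap", map)
        self.fallback = {}              # domain -> hosts
        self._cursor = {}               # round-robin position per domain

    def add_relay_list(self, domain, hosts, round_robin=False):
        # hosts may be IPv4/IPv6 addresses or names, optionally with :port
        self.routes[domain.lower()] = ("relays", list(hosts), round_robin)

    def add_mx_lookup(self, domain, mx_name):
        self.routes[domain.lower()] = ("mx", mx_name.lower())

    def add_ldap_lookup(self, domain, home_mta):
        # home_mta stands in for the LDAP query: recipient address -> Home MTA
        self.routes[domain.lower()] = ("ldap", home_mta)

    def add_fallback(self, domain, hosts):
        self.fallback[domain.lower()] = list(hosts)

    def _mx_hosts(self, name):
        """Hosts from the MX lookup in priority order, lowest value first."""
        return [host for _, host in sorted(self.dns_mx.get(name, []))]

    def targets(self, recipient):
        """Return (method, ordered list of hosts to try)."""
        domain = recipient.rsplit("@", 1)[1].lower()
        route = self.routes.get(domain)
        if route is not None:
            if route[0] == "relays":
                _, hosts, round_robin = route
                if round_robin:
                    start = self._cursor.get(domain, 0)
                    self._cursor[domain] = (start + 1) % len(hosts)
                    hosts = hosts[start:] + hosts[:start]
                return "relay", list(hosts)
            if route[0] == "mx":
                hosts = self._mx_hosts(route[1])
                if hosts:
                    return "mx", hosts
            if route[0] == "ldap":
                host = route[1].get(recipient.lower())
                if host:
                    return "ldap", [host]
        if self.dns_enabled:
            hosts = self._mx_hosts(domain)
            if hosts:
                return "mx", hosts
            if domain in self.dns_a:
                return "a", [domain]
        if domain in self.fallback:
            return "fallback", list(self.fallback[domain])
        # No route at all: the page says an unknown domain gets a non-delivery report.
        return "ndr", []
```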
Option  Definition
Postmaster address: Specifies an email address that the appliance uses to deliver email that has a recipient of postmaster. We recommend that you specify an email address here, so that any delivery problems are handled promptly. You can specify a distribution list or a single user who reads email regularly.
Option  Definition
Enable digest messages and message: Specifies whether to enable digest messages for the selected protocol preset.
Protocol preset: Reminds you that digest messages are enabled for this protocol preset. Allows you to make settings for any exception to the default setting. For example, you can specify that some parts of the network do not use digest messages.
Option  Definition
Enable DKIM signing: When selected, adds a DKIM header (like a digital signature) to each email message as it is sent. You must add a key before you can enable DKIM signing.
Domain name and Selector: During verification, the recipient extracts your Domain Name and Selector from the signature to retrieve the public key associated with the appliance's private signing key. For example, if your Selector is mail and your Domain Name is example.com, the recipient must issue a DNS query for the TXT record of mail._domainkey.example.com.
Signing key
DKIM signing keys
Export: When clicked, allows you to save the private key to a file, in case the original private key is lost or erased.
View Public Key: Place the public key on your DNS server or give it to your Internet Service Provider, so that recipients can verify email from your organization.
Option  Definition
Import Key
Advanced options: This section enables you to select specific advanced options that relate to the way your appliance carries out DKIM checks. From this area, you can choose:
What to sign: either signing All headers or Selected headers. Click the linked text to select the individual headers to sign.
Header canonicalization: you can choose either Simple or Relaxed canonicalization for the headers.
Body canonicalization: you can choose either Simple or Relaxed canonicalization for the body text.
Key expiry: choose to either have a key that does not expire, or to set an expiry date for the key.
Signing identity: add an optional signing identity to your DKIM keys.
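An added example, not appliance code, of the pieces these options control: the DNS record name built from selector and domain, simple versus relaxed canonicalization of headers and body (RFC 6376), and the DKIM-Signature tag set including key expiry (x=) and signing identity (i=); the b= value, which needs the private key, is left empty.

```python
import base64
import hashlib
import re


def dkim_key_record_name(selector, domain):
    """DNS name a verifier queries for the TXT record holding the public key."""
    return f"{selector}._domainkey.{domain}"


def _crlf(text):
    return text.replace("\r\n", "\n").replace("\n", "\r\n")


def canon_body(body, method="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4: 'simple' only removes
    empty lines at the end; 'relaxed' also strips trailing whitespace on each
    line and collapses runs of spaces/tabs to one space."""
    body = _crlf(body)
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
        body = "\r\n".join(lines)
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if body == "\r\n":          # body consisted only of empty lines
        body = ""
    if body == "":
        return "\r\n" if method == "simple" else ""   # simple: empty body is one CRLF
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body, method="relaxed"):
    """The bh= tag: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canon_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()


def canon_header(name, value, method="relaxed"):
    """Header canonicalization: 'simple' leaves the field untouched; 'relaxed'
    lowercases the name, unfolds, collapses whitespace and trims the value."""
    if method == "simple":
        return f"{name}:{value}\r\n"
    value = re.sub(r"\r?\n", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower().strip()}:{value}\r\n"


def dkim_signature_tags(domain, selector, headers, body, header_canon="relaxed",
                        body_canon="relaxed", expiry=None, identity=None):
    """Assemble the DKIM-Signature tags that the advanced options above control
    (what to sign, c=, x= expiry, i= signing identity). headers is the list of
    (name, value) pairs selected for signing; b= is left empty because filling
    it needs the private RSA key."""
    tags = ["v=1", "a=rsa-sha256", f"c={header_canon}/{body_canon}",
            f"d={domain}", f"s={selector}",
            "h=" + ":".join(n.lower() for n, _ in headers),
            "bh=" + body_hash(body, body_canon)]
    if identity:
        tags.append(f"i={identity}")
    if expiry is not None:
        tags.append(f"x={int(expiry)}")
    tags.append("b=")
    return "; ".join(tags)
```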
Option  Definition
Domain: Specifies other options that control the rate for delivering email to this domain.
Task Deliver all email to a specific domain using round robin delivery
Use this task to deliver all email to a specific domain using round robin delivery.
Task
1
Your Email gateway is configured to deliver all email to the specified domain using round robin
delivery.
Your email messages sent to the specified domain are delivered using MX lookup.
Task Use a specified LDAP server to deliver email from a specific domain
Use this task to specify that email messages from a particular domain are handled by a specified LDAP server.
Before you begin
You must configure your appliance to use the required LDAP server using Email | Group Management | Directory Services | Add Server before using this feature. You also need to ensure that the Home MTA queries in the Add Server wizard match the configuration for your LDAP directory services.
Task
1
In Directory servers, select the LDAP directory server to be used to deliver email messages to the
domain specified in Domain name.
The specified LDAP server is used to handle email messages from the selected domain.
All failed email message deliveries are now sent to the specified server.
Task - Deliver the email for a user to the Home MTA attribute defined in
LDAP
Use this task to deliver a message for a user to the Home Message Transfer Agent attribute defined in
LDAP.
Task
1
In the Domain Routing area under Delivering email, select Add LDAP Lookup.
In the Domain name field, add the domain name of the email recipients on which you want to perform
the LDAP lookups.
Select the server from the list of directory servers, and click OK.
Sending Email Add Relay List dialog box and Add MX Lookup
dialog box
Add a relay to the lists for sending email, or use MX lookups.
Table 4-22 Add Relay List dialog box
Option  Definition
Domain name
Relay host
Add Host
To delete relays listed in the lists, select the relevant relays, and click Delete Selected Hosts.
Round-robin the above hosts: Select this to enable the hosts to be used in a round-robin when sending email.
Table 4-23 Add MX Lookup dialog box
Option  Definition
Domain name
MX record: Enter the MX lookup information that determines the IP addresses for delivery.
Option  Definition
Domain name
Category: Local domain, Permitted domain or Denied domain.
You can only enter one MX record per domain name.
Email Policies
Use this page to view and configure policies relating to your email traffic.
Introduction to policies
The appliance uses policies which describe the actions that the appliance must take against threats
such as viruses, spam, unwanted files, and the loss of confidential information.
Policies are collections of rules or settings that can be applied to specific types of traffic or to groups of
users.
SMTP policies
Email Gateway provides the following features when scanning the SMTP protocol:
SMTP
Anti-Virus, including:
Anti-virus
McAfee Anti-Spyware
Packer detection
Spam, including:
Spam
Phish
Sender Authentication
Compliance, including:
File filtering
Image filtering
Compliance
Scanning limits
Content handling
Alert settings
Encryption
POP3 policies
Email Gateway provides the following features when scanning the POP3 protocol:
POP3
Anti-Virus, including:
Anti-virus
McAfee Anti-Spyware
Packer detection
Spam, including:
Spam
Phish
Compliance, including:
Image filtering
Scanning limits
Content handling
Alert settings
Anti-Virus, including:
Anti-virus
McAfee Anti-Spyware
Packer detection
Spam, including:
Spam
Phish
Compliance, including:
File filtering
Compliance
Image filtering
Scanning limits
Content handling
Alert settings
Encryption
Part of the network can handle larger or smaller files than normal.
By creating a protocol preset, you can cater for this exception to the connection settings.
Primary Action
The primary action is defined as "What happens to the message coming from the client MTA to the
server MTA?":
Was it blocked?
The message is scanned by all scanners. If multiple scanners trigger, the primary action that has the
highest priority is applied. For example, if the file filtering policy is set to Allow Through (Monitor), and the
anti-spam policy was set to Accept and Drop the data (Block), then the Accept and Drop the data (Block) action
applies.
Table 4-26 Primary actions behavior in top-down priority order
Type | Action | Sender / recipient perspective | Kernel mode blocking
Blocking | Deny Connection | | Yes
Blocking | Refuse the data and return an error code | | No
Blocking | Accept and Drop the data | | No
Modify | Replace the content with an alert | Replacement message (alert received) | No
Reroute | Reroute | Dependent on action taken by onward server | No
Monitor | Allow Through | Message received | No
Skip scanning | Allow through, without scanning | Message received | No
Deny Connection (Block) Blocks the message from being delivered, returns a 550 SMTP code to the
sending MTA, places the connecting IP address in the Kernel Mode Block list.
Refuse the data and return an error code (Block) Blocks the message from being delivered, returns a 550
SMTP code to the sending MTA.
Accept and Drop the data (Block) Accepts the connection, but blocks the message from being delivered,
returning a 250 SMTP code to the sending MTA.
Replace the content with an alert (Modify) Replaces any detected content with a configurable alert and
delivers the modified Email to its intended recipients.
Allow Through (Monitor) Lets the message pass to its intended recipients, but information is retained
within the logs and reports.
Tarpit - Delays the response to the email message. By default, the delay is 5 seconds, and is
configurable from the Default Sender Authentication Settings | Cumulative score and other options tab.
Reject (Block) Blocks the message from being delivered, and returns the appropriate code to the
sending MTA.
Reject and close (Block) Blocks the message from being delivered, returns the appropriate code to the
sending MTA and then closes the connection.
Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of combating spam, as
it deals with the message itself (reject), the connection (close) and adds the sending server to the
deny list.
Not all primary actions are available to all policy areas.
Secondary action
A secondary action is defined as "What additional actions will happen due to the scanner triggering a
detection?":
The message is scanned by all scanners. If multiple scanners trigger, the secondary actions are
aggregated together. For example, if the file filtering policy is set to Annotate and deliver original to a list, and
the anti-spam policy is set to Annotate and deliver original to a list, then only one notification is sent.
You can also configure any or all of the following secondary actions:
Quarantine options
Quarantine original Select to have the original message added to the Quarantine database.
Quarantine modified Select to have the modified message added to the Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into which the email
message is placed. This selection can include custom quarantine queues that you have created.
Send one or more notification emails Use notification templates to customize the notifications sent. Click
Manage templates to make changes to the notification options.
Annotate and deliver original to sender Deliver the original email message to the sender, with
annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all addresses defined
within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all the recipients on
the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of the email
message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email message for auditing
purposes to all addresses defined within the auditing email list.
Deliver the modified email to the sender Deliver the email message to the sender, with modifications
made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide unselected notification
templates.
In addition to the pre-defined templates shown above, this list will also include any custom
notification templates that you create.
Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message using
user-definable templates, and then delivers the message to the intended recipients. Click Manage
templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using user-definable
templates, and then delivers the message to the intended recipients. You can select multiple
header modification templates. Click Manage templates to change the way the headers are re-written.
When triggered, adds a header, and removes pre-existing headers of the same name.
Deliver message using encryption Attempt delivery of the message using your configured encryption
settings.
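An added example (not appliance code) of the resolution rule described in the Primary Action and Secondary action sections: the highest-priority primary action wins and secondary actions are aggregated with duplicates collapsed; the reply codes follow the action descriptions above.

```python
from collections import OrderedDict

# Primary actions in the top-down priority order of Table 4-26 and the list above.
PRIMARY_PRIORITY = [
    "Deny Connection (Block)",
    "Refuse the data and return an error code (Block)",
    "Accept and Drop the data (Block)",
    "Replace the content with an alert (Modify)",
    "Reroute",
    "Allow Through (Monitor)",
    "Allow through, without scanning",
]
# Reply to the sending MTA, from the action descriptions above; everything else answers 250.
SMTP_REPLY = {
    "Deny Connection (Block)": 550,
    "Refuse the data and return an error code (Block)": 550,
}


def resolve_actions(detections):
    """Combine the verdicts of every scanner that triggered on one message.

    detections: list of {"scanner": str, "primary": str, "secondary": list[str]}.
    The primary action with the highest priority wins; secondary actions are
    aggregated and duplicates collapse, so two scanners asking for the same
    notification produce one."""
    if not detections:
        return {"primary": None, "smtp_reply": 250, "kernel_mode_block": False,
                "secondary": [], "triggered_by": []}
    for d in detections:
        if d["primary"] not in PRIMARY_PRIORITY:
            raise ValueError(f"unknown primary action: {d['primary']}")
    primary = min((d["primary"] for d in detections), key=PRIMARY_PRIORITY.index)
    secondary = list(OrderedDict.fromkeys(
        s for d in detections for s in d.get("secondary", [])))
    return {
        "primary": primary,
        "smtp_reply": SMTP_REPLY.get(primary, 250),
        # Deny Connection also places the connecting IP in the Kernel Mode Block list.
        "kernel_mode_block": primary == "Deny Connection (Block)",
        "secondary": secondary,
        "triggered_by": [d["scanner"] for d in detections],
    }
```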
Policy exceptions
Use policy exceptions to minimize the number of policies that you need to create and maintain.
By applying exceptions for specific circumstances to standard policies, you avoid the time-consuming
task of changing all of your policies.
Contents
What are policy exceptions?
Benefits of using policy exceptions
Task - Configure a policy exception to allow email messages containing blacklisted URLs to be
received by members of Human Resources
Click Add Rule in the Scanning Policies New Policy Exception window.
In the Value field, type the information that identifies the selected entity.
Example: *@hr.example.com.
Click OK.
Click OK.
The Scanning Policies New Policy Exception window closes, and the new exception appears in the
exceptions box. An exceptions icon is displayed to the left of the policy area to which it applies.
In the exceptions box, click the button for the exception to which you want to add a rule.
In the Value field, type the information that identifies the selected entity.
Click OK.
Click OK.
In the exceptions box, click the button for the exception you want to change.
The configuration page for the policy shows the settings that apply to the exception.
Example: From the URL Reputation Settings page, select Blacklists and Whitelists. Remove the URLs you
want excluded from the blacklist.
Click OK.
Human Resources are allowed to see links to competitor's employment opportunities without other
departments receiving this information within their email messages.
In the exceptions box, click the button for the exception you want to edit.
The Scanning Policies Edit Policy Exception Details window opens.
Click OK.
Custom Notifications
McAfee Email Gateway allows you to create your own custom notification email messages for any rule
that allows secondary actions.
Custom notifications allow you to send different messages to specific individuals or groups when an
email message triggers the associated rule. You can use custom notification templates along with the
pre-configured templates. You can also have more than one custom notification template for each rule,
and use any of the available templates in combination.
Provide the most relevant information to different individuals about messages that trigger action.
Issue In the default policy, you have enabled Compliance, and you created five compliance rules. By
default, all five rules use the default compliance notification. You want to send more detailed
notifications to two distinct groups when a message triggers specific rules: the Legal Department, and
a list of other individuals.
Solution You create two custom notification templates, one for each of these groups. Then you can
add the notifications to the actions for each rule you want, without affecting the actions for other
rules.
Issue You have created a policy that applies to inbound mail, and you have enabled Image Filtering.
You have created a rule that scans messages for objectionable images. You want to notify the intended
recipient about the message, and you want to inform Human Resources. The notification to Human
Resources contains unique content.
Solution You create a custom notification template for Human Resources, then apply it to the rule.
You also apply the preconfigured notification to the recipient.
Select Email | Email Policies. In the scanner column of your choice, select the link for a rule.
Under Take the following action, select the main action for the rule.
Under And also, scroll to Notification email options and select the check box to Send one or more notification
emails.
Use the Add Notification Template wizard to create the custom notification template.
Email Policies
Use this page as a single point where you can access the pages and dialog boxes you need to set up
and configure your policies.
Option  Definition
Select a protocol: Use the drop-down list to display, create, or edit your policies for: SMTP; POP3; McAfee Secure Web Mail.
Order: Policies are used in a "top-down" order. When more than one policy has been created, you can select the order in which they are applied.
Policy Name
Option  Definition
Anti-Virus: Displays brief details about the Anti-Virus options settings. Click any link within the Anti-Virus area of the relevant policy to open the Anti-Virus Settings page. From the Anti-Virus Settings page you can access:
Basic Options, including McAfee GTI file reputation
Advanced Threat Defense
McAfee Anti-Spyware
Packers
Custom Malware Options
Spam:
Spam Rules
Advanced Options
Spam Terms
RBL Configuration
SPF, Sender ID, DKIM and FCrDNS
Cumulative Score and Other Options
Compliance
Definition
Policy Options
Advanced options
Character sets
Use the arrow icons to move your policies higher or lower in priority order.
Option  Definition
Delete: After creating policies, you can choose to delete any that you no longer require, by clicking the delete icon. You cannot delete the default policy.
Add Policy: When clicked, opens the Scanning Options New Policy dialog box where you can create new policies, user groups, and network groups.
Task View policies for SMTP, POP3 or McAfee Secure Web Mail
View the scanning policies that exist for SMTP, POP3 or McAfee Secure Web Mail.
You use this page to create, and manage your SMTP, POP3 or McAfee Secure Web Mail email scanning
policies.
The POP3 protocol limits some of the scanning actions that can be applied to email messages. Options
not available to scan POP3 email messages are hidden from the POP3 protocol view.
Task
1
Select either SMTP, POP3 or McAfee Secure Web Mail from the Select a protocol: drop-down list.
The Email | Email Policies | Scanning Policies page refreshes to show the policies that have been defined for
the selected protocol.
If you have created more than two scanning policies, you can change the order that your appliance
uses the policies to evaluate email traffic. This is achieved by moving the relevant policies up or down
the policy list.
The default policy always appears at the bottom of the list of policies. You cannot change its position.
Task
If the identified policy is either at the top of the evaluation order, or is next to the default policy,
then one or other of the icons will not be available for selection.
Task Turn on GTI message reputation for all users in the HR group
defined in LDAP
Use this task to enable GTI message reputation checks for all users in the Human Resources group
defined in LDAP.
Before you begin
Before completing this task, you must do the following:
Configure an LDAP server and at least one query (Email | Group Management | Directory Services).
Define a user group for Human Resources (Email | Group Management | Network Groups).
Task
1
Type a name for the new policy, and add a description if desired.
Select the policy from which this policy will inherit settings.
Indicate the email direction for messages treated with this policy.
In the Add Rule dialog box, select the LDAP Query rule type and click OK.
The Add Rule dialog box closes.
10 In the Spam section for the new policy (or for the Default policy if you selected that), click the link
for GTI message reputation.
The Sender Authentication Settings dialog box opens.
Task: Create a compliance dictionary to match all subject lines (on page 151)
Create a compliance dictionary that matches all email messages with a valid subject line.

Task: Create a compliance dictionary to match subject lines that have already been modified (on page 152)
To prevent the subject line of a message being re-written each time any other process modifies the subject, create a new compliance dictionary.

Task: Configure a policy to use the new compliance dictionaries (on page 153)
Link the new compliance dictionaries to a policy, so that your McAfee Email Gateway can re-write the subject of email messages matching the compliance dictionary, unless the subject line has already been modified.
Type a name for the new category. For example, type All Subjects in the Name field.
Click OK.
Under Dictionary details for 'All Subjects', a New term is added.
Click the Everything link from within Dictionary details for 'All Subjects'.
Unselect Everything.
The File categories and Subcategories areas are enabled.
From the New term row of the Dictionary details for 'All Subjects' table, click the edit icon.
Type a name for the new category. For example, type Previously Modified Subjects in the Name field.
Click OK.
Under Dictionary details for 'Previously Modified Subjects', a New term is added.
Click the Everything link from within Dictionary details for 'Previously Modified Subjects'.
Unselect Everything.
The File categories and Subcategories areas are enabled.
From the New term row of the Dictionary details for 'Previously Modified Subjects' table, click the edit icon.
14 Click OK.
15 Apply the new configuration.
The new compliance dictionary is created, and is configured to match any email message with a subject line that includes re: or fw:
This rule is not case sensitive, so it will match re: Re: RE: fw: Fw: or FW:
Task
Ensure that Compliance is enabled (select Yes at the top of the dialog box).
Previously Modified Subjects for the rule to prevent multiple subject re-writes.
Click Next.
Search for and select the compliance dictionaries you previously created (in the example, these were "All Subjects" and "Previously Modified Subjects").
Click Next.
Click Next.
10 From the If the compliance rule is triggered drop-down list, select Allow Through (Monitor).
11 From And also, select Modify subject from the Other actions sub-category.
12 Click Manage templates.
13 Click Add from the Subject Templates dialog box.
14 Select or edit the required Subject templates:
For the "All Subjects" rule, edit the subject template by adding the text you want to be displayed in the subject line for email messages matching this policy. For example, type "Policy Match: " before the %SUBJECT% token.
For the "Previously Modified Subjects" rule, select the %SUBJECT% option, and make sure that it has a higher priority than the "Policy Match: %SUBJECT%" template (by moving it to the top of the list).
15 Click OK.
16 Click OK.
17 Select the modified subject from the Select a template drop-down list.
18 Click Finish.
19 Click OK.
20 Apply the changes.
The subject line of every email message matching this policy is re-written, unless the subject line has already been modified.
Task: Configure a policy to use the new compliance dictionaries (on page 155)
Link the new compliance dictionary to a policy, so that your McAfee Email Gateway can add a custom header to email messages matching the compliance dictionary.

Type a name for the new category. For example, type All Subjects in the Name field.
Click OK.
Under Dictionary details for 'All Subjects', a New term is added.
Click the Everything link from within Dictionary details for 'All Subjects'.
Unselect Everything.
The File categories and Subcategories areas are enabled.
11 Click OK.
The new dictionary, All Subjects, is now applied only to email messages with a valid Subject line.
12 From the New term row of the Dictionary details for 'All Subjects' table, click the edit icon.

Task
Ensure that Compliance is enabled (select Yes at the top of the dialog box).
Type a name for the new rule, for example, Match all messages for the All Subjects rule.
Click Next.
Search for and select the compliance dictionary you previously created (in the example, this was "All Subjects").
Click Next.
Click Next.
10 From the If the compliance rule is triggered drop-down list, select Allow Through (Monitor).
11 From And also, select Modify headers from the Other actions sub-category.
12 Click Manage templates.
13 Click Add from the Header Modification Templates dialog box.
14 Select or edit the required header templates, including defining the name for each header and specifying the tokens applicable to each header.
To prevent multiple copies of a defined header being added to a message, select Remove Existing.
15 Click OK.
16 Click OK.
17 Select one or more Header Modification Templates from the list of currently configured templates.
18 Click Finish.
19 Click OK.
20 Apply the changes.
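The following is an added example, not McAfee code, that models the subject re-write task and the header task above: compliance dictionaries are regular expressions, the highest-priority subject template of the triggered rules is applied once, and a header template honours Remove Existing. The %RULE% token, the header name and all sample messages are constructed for the example.

```python
"""Added example (not McAfee's code): compliance dictionaries, subject
templates chosen by priority, and header templates with Remove Existing."""
import re
from dataclasses import dataclass
from email.message import EmailMessage


@dataclass
class ComplianceRule:
    name: str
    dictionary: re.Pattern     # the compliance dictionary the rule triggers on
    subject_template: str      # e.g. "Policy Match: %SUBJECT%"
    priority: int              # 0 = top of the Subject Templates list


# Constructed rules in the spirit of the tasks: "All Subjects" matches any
# non-empty subject line; "Previously Modified Subjects" matches a subject that
# includes re: or fw: regardless of case (Re: RE: Fw: FW: all count).
RULES = [
    ComplianceRule("Previously Modified Subjects",
                   re.compile(r"\b(re|fw):", re.IGNORECASE), "%SUBJECT%", 0),
    ComplianceRule("All Subjects", re.compile(r"\S"),
                   "Policy Match: %SUBJECT%", 1),
]

# (header name, value template, Remove Existing). %RULE% is a hypothetical
# token that expands to the name of the rule that triggered.
HEADER_TEMPLATES = [("X-Policy-Match", "%RULE%", True)]


def expand(template, subject, rule):
    return template.replace("%SUBJECT%", subject).replace("%RULE%", rule.name)


def triggered(subject, rules=RULES):
    """Rules whose dictionary matches the subject, highest priority first."""
    hits = [r for r in rules if r.dictionary.search(subject or "")]
    return sorted(hits, key=lambda r: r.priority)


def rewrite_subject(subject, rules=RULES):
    """Apply only the highest-priority template among the rules that triggered.
    Because the pass-through template outranks the tagging one, a replied or
    forwarded message is never tagged a second time. A subject that carries
    the tag but no re:/fw: is not recognised by these two dictionaries and
    would be tagged again on another pass."""
    hits = triggered(subject, rules)
    return expand(hits[0].subject_template, subject, hits[0]) if hits else subject


def modify_headers(msg, rule, templates=HEADER_TEMPLATES):
    """Add the configured headers. Remove Existing deletes same-name headers
    first, so a message seen twice does not accumulate duplicate copies."""
    for name, value_template, remove_existing in templates:
        if remove_existing:
            del msg[name]            # EmailMessage deletes every occurrence
        msg[name] = expand(value_template, msg["Subject"] or "", rule)
    return msg


def process(msg, rules=RULES, templates=HEADER_TEMPLATES):
    """One pass of Allow Through (Monitor) with both 'And also' options."""
    hits = triggered(msg["Subject"], rules)
    if not hits:
        return msg
    new_subject = rewrite_subject(msg["Subject"], rules)
    del msg["Subject"]               # Subject may appear only once
    msg["Subject"] = new_subject
    return modify_headers(msg, hits[0], templates)


def make_message(subject, extra_headers=()):
    """Constructed sample message."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    if subject is not None:
        msg["Subject"] = subject
    for name, value in extra_headers:
        msg[name] = value
    msg.set_content("constructed body")
    return msg
```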
Policy name
Description
Select the policy from which you want this policy to inherit its settings.
Email direction: Choose whether you want the policy to apply to inbound or outbound email traffic only. By default, policies apply to both inbound and outbound traffic.
Match logic: Choose whether the match is made on one or more of the rules, or on all of the rules in the list.
Add Rule: Opens a new dialog box where you can specify the type and match for the rule that you want to create, and specify the value. The network group, user group and LDAP query rules are not available until you create those items.
Move: Use the arrows to move the rules up and down the list. The rules are actioned from the top of the list downwards.
Group name
Selected or unselected: Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow icons to move the rules up and down the list.
Rule type: Choose from: Sender email address, Recipient email address, Sender user group, Recipient user group, LDAP Query (if configured). The LDAP query and user group options become available only when a user group or LDAP server has been created.
Match: Choose from: is, is not, is like, is not like.
Value
Add Rule
Group name
Rule type: Choose from: IP address, VLAN identifier, Network connection, Host name.
Match: Choose from: is, is not, is in, is not in.
Value: Type the value associated with the type of rule that you chose.
Move: Use the arrows to move the rules up and down the list. The rules are actioned from the top of the list downwards.
Reset
Select the required protocol using the steps in Task: View policies for SMTP, POP3 or McAfee Secure Web Mail.
In the Scanning Policies New Policy page, enter the following information:
Choose if the policy is to apply to inbound or outbound email traffic (SMTP only).
Select the type of rule, how it should match, and the value that the rule tests against.
Click OK.
In Value, select the user group you created, and click OK.
Click Add, and type a name for the network group such as Internal Email Servers.
In Match, select is, and type the IP address of one of your mail servers.
In Value, type the IP address of one of your email servers, and click OK.
Click Email | Email Policies | Add Policy..., and type a name for the policy.
If the network group that you want to use for the policy is not already created, click Add network group.
Table 4-28 Rule type, explanation and supported match options

Source IP address: Use this rule to enforce a policy based on the IP address of the incoming network connection. The source IP address is usually the IP address of the sender's MTA or of the firewall/NAT in front of the MTA. This rule works with proxy or transparent connections. Supported match options: is, is not, is in, is not in.
Destination IP address: Supported match options: is, is not, is in, is not in.
Sender email address: Supported match options: is, is not, is like, is not like.
Masqueraded sender email address: Supported match options: is, is not, is like, is not like.
Recipient email address: Supported match options: is, is not, is like, is not like.
Recipient email address list: Supported match options: contains, does not contain, contains values like, does not contain values like.
Aliased recipient email address: Supported match options: is, is not, is like, is not like.
Aliased recipient email address list: Supported match options: contains, does not contain, contains values like, does not contain values like.
VLAN identifier: Supported match options: is, is not.
Incoming network connection: Use this rule to enforce a policy based on a specific network connector (NIC) for incoming connections. Supported match options: is.
Outgoing network connection: Use this rule to enforce a policy based on a specific network connector (NIC) for outgoing connections. Supported match options: is.
Source host name: Use this rule to enforce a policy based on the domain name for the origin of the message. Supported match options: is, is not, is like, is not like.
Destination host name: Supported match options: is, is not, is like, is not like.
Source network group: Supported match options: is, is not.
Destination network group: Supported match options: is, is not.
User group: Supported match options: is, is not.
LDAP query: Supported match options: N/A. This option is only available when you select the rule type.
Email subject: Supported match options: matches, does not match, is, is not, is like, is not like, is empty, is not empty, is present, is not present.
Email header: Supported match options: matches, does not match, is empty, is not empty, is present, is not present.

Match: The available LDAP query match options vary with the rule type you choose. The match logic options table below shows the permitted matches for each rule type.
Value: Enter or select the value associated with the type of rule that you chose.
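The following is an added example, not McAfee code, that models the policy evaluation order described above (top-down, first match wins, default policy pinned at the bottom, up/down icons unavailable at the ends) together with the Match logic setting and the is / is not / is like / is in rule forms from the tables. The wildcard meaning of "is like" and the CIDR form of a network group are assumptions; all policies and messages are constructed.

```python
"""Added example (not McAfee's code): ordered policy list with rule match logic."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_type: str   # message attribute the rule tests, e.g. "source_ip"
    match: str       # is / is not / is like / is not like / is in / is not in
    value: object    # literal, wildcard pattern, or list of CIDR ranges


@dataclass
class Policy:
    name: str
    match_logic: str = "all"                   # "all" or "any" of the rules
    rules: list = field(default_factory=list)  # the default policy has none


def rule_matches(rule, message):
    """Evaluate one rule; the 'not' forms invert the positive result."""
    actual = message.get(rule.rule_type)
    if actual is None:
        return False   # message carries no such attribute: no match either way
    positive = rule.match.replace(" not", "")
    if positive == "is":
        hit = actual == rule.value
    elif positive == "is like":
        # Assumption: "is like" is a case-insensitive wildcard pattern (* and ?).
        hit = fnmatch.fnmatchcase(str(actual).lower(), str(rule.value).lower())
    elif positive == "is in":
        # Assumption: a network group is a list of CIDR ranges.
        addr = ipaddress.ip_address(actual)
        hit = any(addr in ipaddress.ip_network(net) for net in rule.value)
    else:
        raise ValueError(f"unsupported match {rule.match!r}")
    return not hit if " not" in rule.match else hit


def policy_matches(policy, message):
    if not policy.rules:
        return True   # a policy without rules (the default) matches everything
    results = [rule_matches(r, message) for r in policy.rules]
    return all(results) if policy.match_logic == "all" else any(results)


def select_policy(policies, message):
    """Walk the list from the top; the first matching policy wins and the last
    entry (the default policy) catches everything else."""
    for policy in policies[:-1]:
        if policy_matches(policy, message):
            return policy.name
    return policies[-1].name


def move_up(policies, name):
    """Move a policy one place earlier, as the up icon does. The default policy
    cannot move; at the top the up icon is simply unavailable."""
    idx = [p.name for p in policies].index(name)
    if idx == len(policies) - 1:
        raise ValueError("the default policy cannot be moved")
    if idx > 0:
        policies[idx - 1], policies[idx] = policies[idx], policies[idx - 1]
    return policies


def move_down(policies, name):
    """Move a policy one place later; nothing may move below the default."""
    idx = [p.name for p in policies].index(name)
    if idx >= len(policies) - 2:
        raise ValueError("cannot move the default policy or move below it")
    policies[idx], policies[idx + 1] = policies[idx + 1], policies[idx]
    return policies


# Constructed policies, top to bottom; the default policy is always last.
POLICIES = [
    Policy("Internal servers", "any",
           [Rule("source_ip", "is in", ["192.0.2.0/24", "198.51.100.0/24"])]),
    Policy("Partner mail", "all",
           [Rule("sender_email", "is like", "*@partner.example"),
            Rule("recipient_user_group", "is", "Finance")]),
    Policy("Default"),
]

# Constructed messages (documentation address ranges only).
MSG_INTERNAL = {"source_ip": "192.0.2.25", "sender_email": "cfo@partner.example",
                "recipient_user_group": "Finance"}
MSG_PARTNER = {"source_ip": "203.0.113.9", "sender_email": "cfo@partner.example",
               "recipient_user_group": "Finance"}
MSG_OTHER = {"source_ip": "203.0.113.9", "sender_email": "cfo@partner.example",
             "recipient_user_group": "HR"}
```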
Match logic options (entity types permitted for each match option)

is: Network connection, Network IP address, VLAN identifier, Email address, Host name, Domain name
is not: Network connection, Network IP address, VLAN identifier, Email address, Host name, Domain name
is like: Network connection, Network IP address, VLAN identifier, Email address, Host name, Domain name
is not like: Network connection, Network IP address, VLAN identifier, Email address, Host name, Domain name
contains: Network connection, Network IP address, VLAN identifier, Email address, Host name, Domain name
does not contain: Network connection, Network IP address, VLAN identifier, Email address, Host name, Domain name
contains values like: Network connection, Network IP address, VLAN identifier, Email address, Host name, Domain name
does not contain values like: Network connection, Network IP address, VLAN identifier, Email address, Host name, Domain name
is empty: N/A
is not empty: N/A
is present: N/A
is not present: N/A
matches
Table 4-30 Option definitions
Exception name
Description (optional)
Match logic: Select the required option to determine how the system applies policy exception rules.
Rule type: Displays the type of the rule, based on the parameters set when you created the rule.
Move: Clicking the relevant arrow moves a rule up or down in the list of rules. Rule priority is determined by the position within the list, with the rules at the top of the list having a higher priority than those lower down.
Edit

Rule type: The drop-down list displays the available entity types. The rule applies to this type.
Match: The drop-down selections determine how the rule applies to the entity.
Value
Group name
Selected or unselected: Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow icons to move the rules up and down the list.
Rule type: Choose from the rule types listed for the Add Rule dialog box above.
Match: Choose from: is, is not, is like, is not like.
Value
Add Rule
Group name
Rule type: Choose from: IP address, VLAN identifier, Network connection, Host name.
Match: Choose from: is, is not, is in, is not in.
Value: Type the value associated with the type of rule that you chose.
Move: Use the arrows to move the rules up and down the list.
Add Rule / Delete Selected Rules: Click to add a new rule to the list.
Reset: Use the Reset button to clear the entries you have made in this dialog box.
Subject Templates dialog box
Template: Shows the text or tokens that will be used to re-write the subject line.
Priority
Move: Use the arrow icons to move your subject template higher or lower in priority order.
Edit: Click to make changes to the text that is used to re-write the subject line.
Delete
Add
Insert

Header Modification Templates dialog box
Header Name: Shows the name of the header being added or modified within the email message.
Header Value: Shows the tokens that provide information used to modify the email headers.
Remove Existing: When selected, Email Gateway removes existing headers with the same name.
Edit
Delete
Add
Notification Templates dialog box
Template Name: Lists the names for all the pre-defined and custom notification templates.
Email Content: Provides an overview of the content of the notification emails generated from each notification template.
Sender
Recipients: Lists the recipients that will receive notifications when each notification template is used to generate a notification email message.
Subject
Edit
Delete
Add: Create a new notification template. The new template is added at the bottom of the template list. The new template has these pages: Email Content, Subject, Sender, Other options, Recipients.
When editing a pre-configured customized notification template, these same pages are available from tabs accessed from the Edit Notification Template link.

Add/Edit Notification Template: Email Content
Template name: Add or edit the name for the template. This name is reflected in the first column of the Notification Templates dialog box.
Predefined content: To use predefined content within the notification, select one of the options: Send a default notification email
Custom content
Editing area: When creating custom notification content, use the editing area to create the notification. Select from the drop-down list of available tokens to have McAfee Email Gateway add the required information at the time the notification is sent. Type any other message for the intended recipients of the notification.

Add/Edit Notification Template: Sender
To have notification emails appear to be from a specific, custom sender, enter the required email address.

Add/Edit Notification Template: Recipients
Predefined recipients: Select from either the recipient (or recipients) for the original email message, or the sender of the original email message.
Custom recipient: To have notification emails sent to another recipient, enter the required email address.
Configured recipient lists: To have the notification messages sent to a list of recipients, enable One or more recipient lists, and then select the required list or lists.

Table 4-36 Option definitions Add/Edit Notification Template Subject
Attachments
Miscellaneous options
Table 4-37 Option definitions Add/Edit Notification Template Other options (continued)
Anti-virus features
The anti-virus protection within Email Gateway provides many ways to protect your network and users.

Protects your network from potentially unwanted programs (PUPs). The appliance can be configured to detect specific types of potentially unwanted programs, such as mass mailers and Trojan horses.

Protects your network from named packers. You can add and remove packer names from the list of packers that will be detected. Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses and make them harder to detect. The appliance can be configured to:

Protects your network from PUPs. A cautious user might want to be informed of PUPs, and might want to remove them. McAfee anti-spyware software detects and, with your permission, removes potentially unwanted programs. Some purchased or intentionally downloaded programs act as hosts for other potentially unwanted programs. Removing these potentially unwanted programs may prevent their hosts from working. Review the license agreement for these host programs for further details. McAfee does not encourage nor condone breaking any license agreements. Read the details of license agreements and privacy policies carefully before downloading or installing any software.

Automatically decompresses and scans files compressed in packages that include PKZip, LHA, and ARJ.

Detects new viruses in executable files and OLE compound documents, using a technique called heuristic analysis.

Viruses
Spyware
Adware
Various kinds of malware (malicious software) and other potentially unwanted software.

Spyware can steal information and passwords. This category includes potentially unwanted programs (PUPs), which are any software that a cautious network administrator might want to be informed of, and possibly remove, such as password crackers. Adware, too, is among these nuisances, because it distracts employees from their normal work.

Some software programs written by legitimate companies might alter the security or privacy of the computer where they are installed. This software can include spyware, adware, and dialers, and might be downloaded unwittingly with a program that the user wants. Cautious users prefer to know about such programs, and in some cases, remove them.

To specify that a scanner on the appliance handles some packers and PUPs differently, use the Custom Malware Options tab.

The appliance scans each file, comparing its code against the information (or signatures) in the current detection definitions (DAT) file.
If the code is not recognized and is suspicious (for example, the file is packed or encrypted), the appliance sends a small definition (or fingerprint) of that code to McAfee Global Threat Intelligence, an automated analysis system at McAfee. Millions of other computers with McAfee software also contribute fingerprints.
McAfee compares the fingerprint against a database of fingerprints collected worldwide, and informs the appliance of the likely risk within seconds. Based on settings in the scanning policies, the appliance can then block, quarantine, or try to clean the threat.
If McAfee later determines that the code is malicious, a DAT file is published as usual.
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the move up and move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit the properties of the selected policy exception.
Delete exception: Click to delete the selected policy exception.
Specify which files to scan:
Scan all files: Offers the highest security. However, scanning takes longer and might affect performance. Some operating systems such as Microsoft Windows use the extension name of a file to identify its type. For example, files with the extension .exe are programs. However, if an infected file is renamed with a harmless extension such as .txt, it can escape detection. The operating system cannot run the file as a program unless it is renamed later. This option ensures that every file is scanned.
Default file types: The scanner examines only the default file types; in other words, it concentrates its efforts on scanning those files that are susceptible to viruses. For example, many popular text and graphic formats are not affected by viruses. Currently the scanner examines over 100 types by default, which includes .exe and .com file types.
Defined file types: Scans only the types in the list. Using this option, you can specify the types of files that you want scanned.
Scan archive files (ZIP, ARJ, RAR ...): By default, the scanner does not scan inside file archives such as .zip or .lzh files because any virus-infected file inside them cannot become active until it has been extracted. When selected, Email Gateway scans these types of files. However, scanning takes longer and might affect performance. As the contents of these files are harmful only when files inside are extracted, they can be scanned by the on-access scanners on individual computers in your network.
An anti-virus scanner typically detects viruses by looking for the virus signature, which is a binary pattern that is found in a virus-infected file. However, this approach cannot detect a new virus because its signature is not yet known, therefore the scanner uses another technique: heuristic analysis. Program file heuristics scans program files and identifies potential new file viruses. Macro heuristics scans for macros in attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses. When selected, does extra analysis to find any virus-like behavior.
Find unknown macro viruses: Macros inside documents are a popular target for virus writers.
Remove all macros from document files: When selected, take actions against macros in documents. Macros inside documents are a popular target for virus writers.
Enable McAfee Global Threat Intelligence file reputation with Sensitivity level
Attempt to clean: When selected, the infection inside the item is removed, if possible. When deselected, the entire item is removed.
If cleaning succeeds: Specify the secondary actions to take if the appliance successfully cleans the infection.
Quarantine options:
Quarantine original: Select to have the original message added to the Quarantine database.
Quarantine modified: Select to have the modified message added to the Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into which the email message is placed. This selection can include custom quarantine queues that you have created.
Other actions:
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Notification and annotated email options: When clicked, opens another window where you can specify who the appliance will notify when a threat is detected.
If cleaning fails: Specify the primary action to take if the appliance cannot clean the infection.
Deny connection (Block)
And also: Specify the secondary actions to take if the appliance cannot clean the infection.
Quarantine options:
Quarantine original: Select to have the original message added to the Quarantine database.
Quarantine modified: Select to have the modified message added to the Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into which the email message is placed. This selection can include custom quarantine queues that you have created.
Other actions:
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
If a file is zero bytes after cleaning: Provides an action against a file that is now empty. Zero-byte files cannot carry threats, but you might prefer to remove the files if they confuse users. The available options are:
Keep zero byte file
Remove zero byte file
Treat as a failure to clean

Enable Commtouch Command anti-virus: When selected, enables the Commtouch Command anti-virus engine within your policies.
Scanning optimization: Select how the Commtouch Command anti-virus engine is used:
Perform optimized scanning: Objects are not passed to the Commtouch Command anti-virus engine if the McAfee anti-virus engine makes a detection that is then either replaced with an alert message, or that causes the email message to be dropped.
Depending on the actions configured for the McAfee anti-virus engine, the additional anti-virus engine might not be used to scan an email message.
From within Specify which files to scan, select Enable McAfee Global Threat Intelligence file reputation.
Select your required Sensitivity level. A low setting means that the McAfee Email Gateway may miss
some potentially harmful content, whereas a high setting means that the McAfee Email Gateway
may detect some harmless files and wrongly label them as potentially harmful.
Click OK.
Click Apply.
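The following is an added example, not McAfee code, that models the scan path described above: whether a file is scanned at all (Scan all files versus default or defined types selected by extension), a DAT-style signature lookup, and a GTI-style fingerprint check whose outcome depends on the Sensitivity level chosen in this task. The entropy heuristic for "packed or encrypted", the thresholds, and every signature, reputation score and sample file are constructed.

```python
"""Added example (not McAfee's code): which files get scanned, DAT lookup,
GTI-style fingerprint lookup gated by a sensitivity level."""
import hashlib
import math
from collections import Counter

# A few of the default file types (the real default list has over 100 entries).
DEFAULT_TYPES = {".exe", ".com", ".dll", ".doc", ".xls"}
# Assumption: content with byte entropy above this looks packed or encrypted.
ENTROPY_THRESHOLD = 7.0
# Assumption: risk score a GTI answer must reach before the appliance acts.
# A low sensitivity lets more through; a high one flags more harmless files.
SENSITIVITY = {"low": 0.9, "medium": 0.7, "high": 0.5}

# Constructed sample files.
RENAMED_EXE = b"MZ" + b"constructed known-bad program body".ljust(64, b"\0")
PACKED_TOOL = b"\x7fELF" + bytes(range(256))           # near-maximal entropy
PLAIN_TEXT = b"meeting notes, nothing unusual here\n" * 8

# Constructed stand-in for the DAT file: fingerprints of known-bad content.
DAT_SIGNATURES = {hashlib.sha256(RENAMED_EXE).hexdigest()}
# Constructed stand-in for the GTI database: fingerprint -> risk (0.0 .. 1.0).
GTI_REPUTATION = {hashlib.sha256(PACKED_TOOL).hexdigest(): 0.6}


def fingerprint(data):
    """The small definition sent to GTI; here simply a SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


def entropy_bits_per_byte(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def should_scan(filename, mode, defined_types=()):
    """'all' scans everything; 'default' and 'defined' pick files by extension,
    which is exactly what a .exe renamed to .txt slips past."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if mode == "all":
        return True
    if mode == "default":
        return ext in DEFAULT_TYPES
    if mode == "defined":
        return ext in set(defined_types)
    raise ValueError(f"unknown mode {mode!r}")


def scan(filename, data, mode="default", sensitivity="medium", defined_types=()):
    """Return one of 'not scanned', 'clean', 'detected by DAT',
    'detected by GTI', or 'unknown' (suspicious, but below the sensitivity)."""
    if not should_scan(filename, mode, defined_types):
        return "not scanned"
    fp = fingerprint(data)
    if fp in DAT_SIGNATURES:
        return "detected by DAT"
    # Not in the DAT: only packed or encrypted content is worth a GTI round trip.
    if entropy_bits_per_byte(data) < ENTROPY_THRESHOLD:
        return "clean"
    risk = GTI_REPUTATION.get(fp, 0.0)          # GTI answers with a risk score
    if risk >= SENSITIVITY[sensitivity]:
        return "detected by GTI"
    return "unknown"   # allowed through now; a later DAT release may catch it
```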
found to be malicious, McAfee Advanced Threat Defense reports the threat level to your Email Gateway, which then takes the actions on the original email message that you have configured within the user policy for the reported threat level.

Step / Description
1 Any attachments contained within the message are sent to McAfee Advanced Threat Defense for further advanced analysis.
2 McAfee Advanced Threat Defense carries out the advanced analysis on the attachments and components of the message.
3 On completion of the advanced analysis, McAfee Advanced Threat Defense reports to McAfee Email Gateway, which takes the configured actions within the user policy for the reported threat level.
4 If both Email Gateway and McAfee Advanced Threat Defense find no issue with the message, it is delivered to the intended recipients.
Install Microsoft Windows XP virtual machine profiles on some McAfee Advanced Threat Defense
servers, with Microsoft Windows 7 Professional virtual machine profiles on the remaining McAfee
Advanced Threat Defense servers.
Configure Email Gateway to use a policy exception so that all email messages going to employees
of the new acquisition are analyzed using McAfee Advanced Threat Defense servers with the
Microsoft Windows XP virtual machine profiles installed.
For messages going to your other users, configure your policy to use the McAfee Advanced Threat
Defense servers that include the Microsoft Windows 7 Professional virtual machine profiles.
Install and configure one or more McAfee Advanced Threat Defense servers within your network.
Create suitable virtual machine profiles within your McAfee Advanced Threat Defense servers.
Configure Email Gateway to use your selected McAfee Advanced Threat Defense servers. (Navigate
to System | ATD Servers | McAfee Advanced Threat Defense Server Configuration.)
Create policies that include the enabled McAfee Advanced Threat Defense configuration. (Navigate
to Email | Email Policies | Anti-Virus | Advanced Threat Defense.)
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the move up and move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit the properties of the selected policy exception.
Delete exception: Click to delete the selected policy exception.
Action (one per reported threat level): Informational, Very Low, Low, Medium, High, Very High

And also:
Other actions:
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Additional configuration for notification emails: When clicked, opens another window where you can specify who the appliance notifies when a threat is detected.
If an action results in an alert

If the time spent waiting to send an email to the server and process it exceeds: Select a timeout value in minutes, after which the configured Timeout Action is taken. This value is the time in which McAfee Email Gateway expects to receive the scan results from the McAfee Advanced Threat Defense server.
Action
And also:
Other actions:
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Deliver message using encryption: Attempt delivery of the message using your configured encryption settings.
Additional configuration for notification emails: When clicked, opens another window where you can specify who the appliance notifies when a threat is detected.
If an action results in an alert

Define the queue size that results in alternative actions being taken.
Action: Select the main action to take when the configured number of waiting emails is exceeded. The available options are:
Deny connection (Block)
And also:
Other actions:
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Deliver message using encryption: Attempt delivery of the message using your configured encryption settings.
Additional configuration for notification emails: When clicked, opens another window where you can specify who the appliance notifies when a threat is detected.
If an action results in an alert
Task
1 Select Email | Email Policies | Anti-Virus | Advanced Threat Defense and select Enable Advanced Threat Defense.
Select which of the available virtual machine profiles are to be used by this policy to analyze traffic from your Email Gateway.
A high threshold can increase the load on your Advanced Threat Defense servers.
too low a level, leading to threats bypassing Advanced Threat Defense, with increased load on your Advanced Threat Defense servers if a more severe threshold is chosen.
Configure the actions you want Email Gateway to take when Advanced Threat Defense is triggered.
Select any secondary actions from the scrolling And also menu.
Click the Additional configuration for notification email link to set options on the Notification Emails page.
Specify the use of the default alert text by selecting the Use default text checkbox.
If you want to change the text of the alert, click the Change the default alert text link.
Configure the actions you want Email Gateway to take if Advanced Threat Defense fails to return the scan result within the configured Timeout period.
Select any secondary action or actions from the scrolling And also menu.
Click the Additional configuration for notification email link to set options on the Notification Emails page.
Specify the use of the default alert text by selecting the Use default text checkbox.
If you want to change the text of the alert, click the Change the default alert text link.
Click OK.
See also
Option definitions Attachment identification on page 101
Check the status of the connected McAfee Advanced Threat Defense servers, from the Dashboard |
Advanced Threat Defense portlet.
Check the Queued For ATD counters on the Dashboard | Inbound Email Summary and Dashboard | Outbound Email
Summary portlets.
Test the connections to your McAfee Advanced Threat Defense servers, using the Troubleshoot | Tests.
View the conversation log for the specific email message from within Reports | Message search.
SMTP conversation logging must be enabled from Email | Email Configuration | Protocol Configuration | Connection
Settings (SMTP) | SMTP conversation logging to use this feature.
Define conversation events from System | Logging, Alerting and SNMP | Logging Configuration.
Policy exceptions
Number of exceptions, Policy name, Exception name
Add exception: Opens the Scanning Policies New Policy Exception window, enabling you to create a policy exception.
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit the properties of the selected policy exception.
Delete exception: Click to delete the selected policy exception.
Table 4-50 Option definitions Potentially Unwanted Program (PUP) detection
Enable anti-virus scanning: When selected, scans for viruses and other threats such as worms and spyware. The option is normally set to Yes. Select No only if you have anti-virus protection elsewhere in your network.
Enable detection
If detected
Other actions
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
If an action results in an alert
Table 4-53 Option definitions Packer detections
Enable detection
If detected
Other actions
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
If an action results in an alert
Table 4-56 Option definitions Apply different actions to certain detection types
If detected
Other actions
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
If a custom malware action results in an alert
When an email message triggers an action during the scan by the cloud-based McAfee Email
Protection Service, the results of that scan are communicated to your Email Gateway appliance.
You can configure the way hybrid scanning responds when actions are triggered.
Table 4-59
Re-scan the email locally if it is NOT found to be infected: Enables or disables additional scanning by the Email Gateway appliance for any email that passes through the SaaS Email Protection Service without triggering an action.
Actions
If a virus is detected: Sets the action to be taken by the Email Protection Service if it detects a virus. Options are:
Deny connection (Block)
And also: Sets additional actions to be taken by the Email Protection Service for emails that were not blocked as the primary action. Options are:
Quarantine options
Quarantine original: Select to have the original message added to the Quarantine database.
Quarantine modified: Select to have the modified message added to the Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into which the email message is placed. This selection can include custom quarantine queues that you have created.
Other actions
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Notification and annotated email options: Link that opens the Notification Emails page where you can set options.
If an action results in an alert: Enables or disables use of the default text for virus alerts. If the default is disabled, the system uses alert text provided by the user.
If a potentially unwanted program is detected: Sets the action to be taken by the Email Protection Service if it detects a potentially unwanted program. Options are:
Deny connection (Block)
Refuse the data and return an error code (Block)
Accept and then drop the data (Block)
Replace with an alert (Modify)
Allow through (Monitor)
And also: Sets additional actions to be taken by the Email Protection Service for emails that were not blocked as the primary action. Options are:
Quarantine options
Quarantine original: Select to have the original message added to the Quarantine database.
Quarantine modified: Select to have the modified message added to the Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into which the email message is placed. This selection can include custom quarantine queues that you have created.
Other actions
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Notification and annotated email options: Link that opens the Notification Emails page where you can set options.
If an action results in an alert: Enables or disables use of the default text for potentially unwanted program alerts. If the default is disabled, the system uses alert text provided by the user.
Opens the Alert Editor page for potentially unwanted program alerts.
1 Select Email | Email Policies, then in the Anti-Virus column, click the Viruses: Clean or Replace link. The Default Anti-Virus Settings (SMTP) page opens.
2 In the Hybrid scanning options section of the page, select the checkbox to enable hybrid scanning.
3 If you want your Email Gateway appliance to scan any email that passes through the hybrid scan without triggering an action, select the Rescan the mail locally checkbox.
4 Configure the actions you want the Email Protection Service to take when it detects a virus.
a Select the primary action for virus detection from the drop-down list.
b Select any secondary action or actions from the scrolling And also menu.
c Click the Notification and annotated email options link to set options on the Notification Emails page.
d Specify the use of the default alert text for anti-virus alerts by selecting the Use default text checkbox. If you want to change the text of the anti-virus alert, click the Change the default alert text link.
5 Configure the actions you want the Email Protection Service to take when it detects a potentially unwanted program (PUP).
a Select the primary action for PUP detection from the drop-down list.
b Select any secondary action or actions from the scrolling And also menu.
c Click the Notification and annotated email options link to set options on the Notification Emails page.
d Specify the use of the default alert text for PUP alerts by selecting the Use default text checkbox. If you want to change the text of the alert, click the Change the default alert text link.
Anti-spam features
The anti-spam protection within Email Gateway provides many ways to protect your users from
unsolicited email messages.
The anti-spam features include:
ability to add prefixes to the subject line of emails identified as being unsolicited
spam rules that can be disabled if they are incorrectly identifying legitimate emails as spam
In addition, Email Gateway provides protection against phishing emails. Phishing emails are messages that purport to come from a user's bank or other institution, but are in fact aimed at tricking the user into disclosing sensitive financial data such as account and PIN numbers.
Another method of reducing the amount of unsolicited email is to use Sender Authentication to check that an email message was actually sent from the source it appears to come from.
Table 4-62 Option definitions Reporting options
Option
Definition
Specifies a spam threshold. Messages that have a spam score below the threshold are not treated as spam. Typically, a spam score of 5 or more indicates spam. You need only change this threshold if its default value is not effective. You can enter numbers with decimal fractions, for example 6.25. Default value is 5.
Verbose reporting: When selected, adds a report to the messages, showing the names of the anti-spam rules that have triggered. We recommend that you select a spam report for initial testing only, because it can affect your server's performance. When you have collected the information, deselect the option.
Specify the actions to take when the spam score exceeds a user-specified value. The available actions are:
Deny connection (Block)
And also
Other actions
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Deliver message using encryption: Attempt delivery of the message using your configured encryption settings.
Notification and annotated email options: When clicked, opens another window where you can specify who the appliance will notify when a threat is detected.
Table 4-64 Alert settings
Select whether to use the default alert text when an anti-spam action triggers. You can edit the alert text by clicking either change the default alert text or customize the alert text.
Solution You do not have to update the software on your appliances to take advantage of the
improved spam detection available using anti-spam cloud lookup. Simply enable Anti-Spam Cloud Lookup
within your Email Gateway appliances, to benefit from these features.
Specify limits
The advanced options tab allows you to configure limits that apply to the anti-spam scanning.
These limits include:
By configuring these settings, you can tune the spam scanning and reporting from your Email
Gateway appliances.
Header name
Header value
You can also specify if the custom headers are never added, are added only to spam messages, only
to non-spam messages or to all messages.
Enable anti-spam cloud lookup: Select to allow your Email Gateway to send information about your incoming email messages to McAfee data centers for real-time spam analysis. Policy exceptions do not apply to anti-spam cloud lookups, as these lookups are made at the protocol level.
Select this option to use the currently configured proxy settings, or click (configure defaults) to move to System | Appliance Management | Default Server Settings, where you can change these settings.
Specify limits
Use the default maximum message size: Select to use the default message size limits. The currently installed anti-spam engine sets the default message size. Deselect to set a custom Maximum message size.
Maximum message size: Specifies the maximum size of email message that is scanned for spam. Spam messages are typically small.
Specifies the maximum width of headers that the appliance adds to email messages. We do not recommend that you decrease the value. For example, Verbose reporting creates header lines, each with the name and description of a rule. A reduced width truncates the rule descriptions, making them more difficult to read. Default value is 76 bytes.
Maximum number of reported rules: Specifies the maximum number of anti-spam rule names that can be included in a spam report. Default value is 180.
Header name and Header value: Specifies the name and value of an extra email header, that can be used for later processing.
Specifies the type of email message to which to add the email header. For example, you can add the customized email header to spam messages only. Default value is Never.
If selected, appends the text - Checked to the normal spam header names when the email message did not contain spam. This option can be useful to other devices that handle the same email message later.
If you find that people who send legitimate email messages into your organization have their messages erroneously tagged as spam, adding their addresses to the whitelists can prevent the messages being tagged as spam.
Option definitions Blacklisted Senders
Email Address: Use this to make a list of email addresses that often send spam. Specifies each email address. You can use wildcards, for example: user_?@example.*
Add Address: Click to add a new row to the list of email addresses that often send spam. Type the email address that you want added to the list.
Delete Selected Addresses: If you find that legitimate email sender addresses have been added to the Blacklisted Senders list, select each legitimate address, and click Delete Selected Addresses.
Option definitions Blacklisted Recipients
Email Address: Use this to make a list of email addresses that often receive spam. Specifies each email address. You can use wildcards, for example: user_?@example.*
Add Address: Click to add a new row to the list of email addresses that often receive spam. Type the email address that you want added to the list.
Delete Selected Addresses: If you find that legitimate email addresses have been added to the Blacklisted Recipients list, select each legitimate address, and click Delete Selected Addresses.
Option definitions Whitelisted Senders
Email Address: Use this to make a list of users who want to send email messages that the appliance normally treats as spam. Specifies each email address. You can use wildcards, for example: user_?@example.*
Add Address: Click to add a new row to the list of email addresses that are to be allowed to send email. Type the email address that you want added to the list.
Delete Selected Addresses: If you find that illegitimate email sender addresses have been added to the Whitelisted Senders list, select each such address, and click Delete Selected Addresses.
Table 4-70 Option definitions Whitelisted Recipients
Email Address: Use this page to make a list of users who want to receive email messages that are normally identified as spam. Specifies each email address. You can use wildcards, for example: user_?@example.*
Add Address: Click to add a new row to the list of email addresses that are to be allowed to receive email messages. Type the email address that you want added to the list.
Delete Selected Addresses: If you find that illegitimate email recipient addresses have been added to the Whitelisted Recipients list, select each such address, and click Delete Selected Addresses.
Table 4-72 Option definitions
View
Filter: Specify the information that you want to filter the list by. Click Apply. The lists are filtered to only show those entries that match the entered filter string.
Modify, Add and Delete: Use these buttons to add, remove or edit entries within the user-submitted lists.
Import Lists
Export Lists: Create a list of the user submitted blacklisted and whitelisted email addresses, and export them as an xml file.
However, on occasion, one of these rules might wrongly detect legitimate email messages as spam, a false positive detection. In this situation, you can disable just the rule that is causing the false positive detections. You can also edit the spam score for any rule with a name that begins with EDT_.
Issue: McAfee Email Gateway generates excessive false positive detections caused by messages that trigger rule EDT_SDHA_HMS_FRM. The current spam score is set to 1.0 (the number contributed to the total spam score).
Solution: Edit the spam score for the rule to a lower value. Save your changes, and monitor the results.
Issue: You notice several email messages being delivered where the envelope sender (the RFC 821 MAIL FROM address) and the RFC 822 header From do not agree. The spam rule EDT_SDHA_ADR_FRG should trigger for these messages. The current spam score for this rule is 0.2.
Solution: Edit the spam score for this rule to a higher value. Save the changes, and monitor the results.
If the editable spam rules do not appear in the list, you must add them manually. The rules appear automatically only if they existed in the imported Email Gateway configuration. You can enable or disable any of the added rules.
You can edit scores only for spam rules whose names begin with EDT_; scores for other spam rules cannot be edited.
See also
Task Edit a spam score on page 221
Benefits of using basic Anti-Spam options on page 208
Table 4-74 Option definitions Anti-spam settings
Rule Name
Rule Score: Displays the rule score, which is typically 15. You can edit the spam score for any rule with a name that begins with EDT_. EDT_ rules support scores ranging from -999.99 to 999.99.
Enabled
Apply and Filter: When Apply is clicked, the table shows only those rules that match the expression typed in Filter. You can type a regular expression here, for example:
^AA Find all terms that begin with AA.
BB$ Find all terms that end with BB.
CC Find all terms that contain CC.
To see the full list again, clear Filter and click Apply.
Table 4-75 Option definitions Editable spam rules
Rule name (trigger condition): Description
This rule triggers when the MAIL FROM has a null sender.
EDT_SDHA_HMS_FRM (Header From missing): This rule triggers when the header From is missing or empty.
EDT_SDHA_FRM_INV
EDT_SDHA_ADR_FRG (Address forged)
EDT_SDHA_DMN_FRG (Domain forged)
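The following Python example is added to this guide for illustration; it is not McAfee code, and the appliance's own rule engine is not published. It implements the checks that the rule names in Table 4-75 describe (null MAIL FROM, header From missing, invalid From, and an envelope sender that disagrees with the header From by address or by domain) against a constructed message, and applies edited scores with the EDT_-only restriction and the -999.99 to 999.99 range stated on the Spam Rules page. The scores 1.0 for EDT_SDHA_HMS_FRM and 0.2 for EDT_SDHA_ADR_FRG are the values quoted in the Issue examples above; the remaining scores, the placeholder name NULL_SENDER (the page does not show that rule's name) and the exact trigger conditions are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Rule names follow Table 4-75. Scores for EDT_SDHA_HMS_FRM (1.0) and
# EDT_SDHA_ADR_FRG (0.2) are the values quoted on the page; the other scores,
# the name NULL_SENDER and the exact trigger logic are assumptions.
DEFAULT_SCORES = {
    "NULL_SENDER": 0.5,
    "EDT_SDHA_HMS_FRM": 1.0,
    "EDT_SDHA_FRM_INV": 1.0,
    "EDT_SDHA_ADR_FRG": 0.2,
    "EDT_SDHA_DMN_FRG": 0.5,
}


def is_valid_address(addr):
    """Minimal sanity check: one '@', a non-empty local part and a dotted domain."""
    local, sep, domain = addr.rpartition("@")
    return bool(sep) and bool(local) and "." in domain and not domain.startswith(".") and not domain.endswith(".")


def sender_header_analysis(mail_from, raw_message):
    """Return the names of the sender header analysis rules that fire for one message.

    mail_from   -- the RFC 821 envelope sender from MAIL FROM ('' or '<>' for a null sender)
    raw_message -- the RFC 822 message (headers and body) received after DATA
    """
    triggered = []
    envelope = (mail_from or "").strip().strip("<>").lower()
    if not envelope:
        triggered.append("NULL_SENDER")

    header_from = message_from_string(raw_message).get("From")
    if header_from is None or not header_from.strip():
        triggered.append("EDT_SDHA_HMS_FRM")
        return triggered                      # nothing to compare the envelope against
    _, from_addr = parseaddr(header_from)
    from_addr = from_addr.lower()
    if not is_valid_address(from_addr):
        triggered.append("EDT_SDHA_FRM_INV")
        return triggered

    # Assumed meaning of "Address forged" and "Domain forged": the envelope sender
    # and the header From differ as whole addresses, or differ in their domains.
    if envelope and is_valid_address(envelope):
        if envelope != from_addr:
            triggered.append("EDT_SDHA_ADR_FRG")
        if envelope.rsplit("@", 1)[1] != from_addr.rsplit("@", 1)[1]:
            triggered.append("EDT_SDHA_DMN_FRG")
    return triggered


def sdha_score(triggered, overrides=None, scores=DEFAULT_SCORES):
    """Total contribution of the triggered rules after applying edited scores.

    Only rules whose names begin with EDT_ may be edited, and an EDT_ score must
    lie between -999.99 and 999.99, as the Spam Rules page states.
    """
    effective = dict(scores)
    for name, value in (overrides or {}).items():
        if not name.startswith("EDT_"):
            raise ValueError(f"{name}: only EDT_ rule scores can be edited")
        if not -999.99 <= value <= 999.99:
            raise ValueError(f"{name}: score {value} is outside -999.99..999.99")
        effective[name] = value
    return round(sum(effective[name] for name in triggered), 2)


# Constructed sample messages, not real traffic.
FORGED = """From: "Payments" <alerts@bank.example>
To: user@example.com
Subject: Your account

Please confirm your PIN.
"""
NO_FROM = """To: user@example.com
Subject: hello

body
"""

if __name__ == "__main__":
    hits = sender_header_analysis("<bulk@mailer.example>", FORGED)
    print(hits, sdha_score(hits))                                  # address and domain mismatch
    print(sdha_score(hits, overrides={"EDT_SDHA_ADR_FRG": 2.5}))   # after raising the score
```

Raising the EDT_SDHA_ADR_FRG score, as the second Issue above suggests, is what moves a forged-envelope message over the spam threshold; lowering EDT_SDHA_HMS_FRM reduces the false positives from legitimate senders whose software omits the From header.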
1 From the Email Gateway opening screen, select the Email tab. The screen defaults to the Email Policies screen.
2 Select a protocol. You can choose SMTP, POP3, or McAfee Secure Web Mail.
3 Click the Spam Rules tab to see the list of existing rules.
4 Enable or disable individual spam rules by selecting or deselecting the Enabled checkbox.
When an email message triggers this rule, Email Gateway applies the edited score.
See also
Option definitions Spam Rules on page 219
Option definitions - Editable spam rules on page 220
Sender Authentication Settings McAfee Global Threat Intelligence message reputation on
page 227
Dictionaries: Lists the dictionaries that are used to match terms within email messages and to modify the spam scores for that message. If you have configured your McAfee Email Gateway to scan for Graymail, the predefined Graymail dictionary is automatically added to this list. If you have not configured Graymail from the Setup Wizard, you can manually add this dictionary to the Dictionaries list.
Exclusions: Use a custom dictionary to define a list of terms that cause the email message containing the terms defined within the configured Dictionaries to be whitelisted.
Score: The value used to modify the total spam score for the message. For terms to be considered as spam, add a positive value in this field. For terms to not be considered as spam, add a negative value.
Add Term: Opens a window to define further dictionaries that are used to modify spam scores.
To create the spam terms dictionary:
Define whether to use simple string matching or regular expressions for this dictionary.
Click OK. An empty dictionary is created.
Use the Add OR condition, Add AND Condition, and Insert Term buttons to define the terms to be added to the new dictionary and to configure the relationships between the terms.
Click OK.
To create the spam term exclusions dictionary:
Enter a name for the dictionary; for example, Spam Term Exclusions.
Optionally, enter a description for this dictionary.
Define whether to use simple string matching or regular expressions for this dictionary.
Click OK. An empty dictionary is created.
Use the Add OR condition, Add AND Condition, and Insert Term buttons to define the exclusion terms to be added to the new dictionary and to configure the relationships between the terms.
Click OK.
Task Use the spam terms and spam term exclusions dictionaries to modify spam scores
Use the dictionaries containing the spam terms and spam term exclusions to modify the spam scores for the email messages.
Before you begin
Before attempting this task, ensure that you have created suitable dictionaries containing spam terms and spam term exclusions.
Task
1 Search for the dictionaries containing the required spam terms (in the example, this was Spam Terms).
Search for the dictionaries containing the required spam term exclusions.
In the Score field, enter the score to be added to the total spam score for each message.
10 Click OK.
11 Apply your changes.
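The Python example below is added here for illustration and is not part of the product or of this guide. On constructed input it models how the anti-spam settings described on the preceding pages combine: the scores of the rules that fired, the Dictionaries rows with their Exclusions and Score, the blacklist and whitelist pages with their user_?@example.* wildcards, the spam threshold with a decimal value, and the reporting limits (Verbose reporting, the 76-byte header width, the 180 reported rules, the custom header added to never, spam, non-spam or all messages, and the - Checked marker on clean mail). The header names X-Spam-Score and X-Spam-Report, the custom header X-Scanned-By, the rule scores other than the 1.0 and 0.2 quoted above, and the rule that a blacklist match beats a whitelist match are assumptions; the appliance's own names and precedence are not shown on these pages.

```python
import fnmatch
import re

# Scores for the two rules quoted on the page (1.0 and 0.2); the third is assumed.
# The engine's own rule matching is not modelled: callers pass the names that fired.
RULE_SCORES = {"EDT_SDHA_HMS_FRM": 1.0, "EDT_SDHA_ADR_FRG": 0.2, "EDT_SDHA_DMN_FRG": 0.5}

# Constructed configuration mirroring the option pages. Header names are assumptions.
CONFIG = {
    "threshold": 5.0,                 # a score below the threshold is not spam (default 5)
    "dictionaries": [
        {"name": "Spam Terms", "terms": ["free money", "act now"],
         "exclusions": ["purchase order"], "score": 4.5},
        {"name": "Internal Jargon", "terms": [r"\bticket #\d+"], "regex": True, "score": -2.0},
    ],
    "blacklisted_senders": ["*@spammer.example"],
    "blacklisted_recipients": [],
    "whitelisted_senders": ["user_?@example.com"],
    "whitelisted_recipients": [],
    "verbose": True,                  # add the rule-name report header
    "max_header_width": 76,           # default 76 bytes
    "max_reported_rules": 180,        # default 180
    "mark_checked": True,             # mark spam header names on mail that was scanned and found clean
    "custom_header": ("X-Scanned-By", "gateway-01"),
    "custom_header_policy": "spam",   # never | spam | non-spam | all
}


def address_matches(address, patterns):
    """Case-insensitive wildcard match for the address lists: '?' is one character, '*' any run."""
    address = address.lower()
    return any(fnmatch.fnmatchcase(address, pattern.lower()) for pattern in patterns)


def dictionary_adjustment(text, entry):
    """Contribution of one Dictionaries row: its Score if a term matches and no exclusion term does."""
    def hit(term):
        if entry.get("regex"):
            return re.search(term, text, re.IGNORECASE) is not None
        return term.lower() in text.lower()
    if not any(hit(term) for term in entry["terms"]):
        return 0.0
    if any(hit(term) for term in entry.get("exclusions", ())):
        return 0.0                    # exclusion term present: whitelisted for this dictionary
    return entry["score"]


def classify(sender, recipient, body, triggered_rules, cfg, rule_scores=RULE_SCORES):
    """Return (is_spam, score, reasons) for one message.

    Assumption: a blacklist match overrides a whitelist match; the page does not
    say which list wins when both match.
    """
    score = sum(rule_scores[name] for name in triggered_rules)
    reasons = list(triggered_rules)
    for entry in cfg["dictionaries"]:
        adjustment = dictionary_adjustment(body, entry)
        if adjustment:
            score += adjustment
            reasons.append(entry["name"])
    if address_matches(sender, cfg["blacklisted_senders"]) or address_matches(recipient, cfg["blacklisted_recipients"]):
        return True, round(score, 2), reasons + ["BLACKLISTED"]
    if address_matches(sender, cfg["whitelisted_senders"]) or address_matches(recipient, cfg["whitelisted_recipients"]):
        return False, round(score, 2), reasons + ["WHITELISTED"]
    return score >= cfg["threshold"], round(score, 2), reasons


def report_headers(is_spam, score, reasons, cfg):
    """Headers the gateway would add: the score, the verbose rule report and the optional custom header.

    The report is cut to max_reported_rules names and max_header_width bytes. The
    page says "- Checked" is appended to the spam header names on clean mail; a
    header field name cannot contain spaces, so "-Checked" is used here.
    """
    suffix = "-Checked" if cfg.get("mark_checked") and not is_spam else ""
    headers = [f"X-Spam-Score{suffix}: {score}"]
    if cfg.get("verbose"):
        names = reasons[: cfg.get("max_reported_rules", 180)]
        headers.append((f"X-Spam-Report{suffix}: " + ", ".join(names))[: cfg.get("max_header_width", 76)])
    policy = cfg.get("custom_header_policy", "never")
    if policy == "all" or (policy == "spam" and is_spam) or (policy == "non-spam" and not is_spam):
        name, value = cfg["custom_header"]
        headers.append(f"{name}: {value}")
    return headers


if __name__ == "__main__":
    verdict = classify("news@lists.example", "user@example.com", "FREE MONEY, act now!",
                       ["EDT_SDHA_HMS_FRM"], CONFIG)
    print(verdict)
    print("\n".join(report_headers(*verdict, CONFIG)))
```

Note the wildcard semantics when you build the lists: user_?@example.com matches user_1@example.com but not user_12@example.com, and a pattern such as *@example.* also matches someone@example.evil, so whitelist entries should pin the full domain rather than end in a wildcard.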
Reporting options
When selected, adds a prefix to help users to see phishing messages in their email inbox quickly.
Specifies text for the prefix. We recommend that you do not use characters from multi-byte (extended) character sets here unless the re-encoding is UTF-8.
When selected, adds an indicator in the email X-header, which enables other software to process or analyze the message further.
Verbose reporting: When selected, attaches a report to the email message, which explains why the email message was marked as phish.
Actions
If a phishing attempt is detected: Provides a main action to take against the phish message. The options available are:
Deny connection (Block)
If the action to take against email is Route to an alternate relay, you can click a Manage the list of relays link to a list of other devices that will handle the email instead.
And also
Other actions
Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, and then delivers the message to the intended recipients. Click Manage templates to change the way the subject is re-written.
Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, and then delivers the message to the intended recip
ients. You can select multiple header modification templates. Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Deliver message using encryption: Attempt delivery of the message using your configured encryption settings.
Notification and annotated email options: When clicked, opens another window where you can specify who the appliance will notify when a threat is detected.
If an anti-phishing action results in an alert: Enables you to use the default anti-phish alert message, or to change the text to create your own message. You can also choose the following options:
Do not attach the original message
Attach the original message in RFC822 format
Attach the original message in plain text format
Higher Detection Threshold

Detection threshold: Select the detection threshold for the higher detections. The available options are:
  Highly suspect
  Suspect
  Custom
The default threshold is Highly Suspect. When Custom is selected, you also need to enter the appropriate Threshold value.
Whenever you choose Add to score as the action, you can edit the score that is added: change the score in the data field.
Lower Detection Threshold

Detection threshold: Select the detection threshold for the lower detections. The available options are:
  Highly suspect
  Suspect
  Custom
The default threshold is Highly Suspect. When Custom is selected, you also need to enter the appropriate Threshold value. This value must be lower than the value set for the Higher Detection Threshold.
Whenever you choose Add to score as the action, you can edit the score that is added: change the score in the data field.
After verifying an email message, the appliance attaches its own header to the message, which indicates to other mail servers in your organization that the message has already been verified. Downstream servers should rely on this header only for messages that arrived from the appliance, because any external sender can add a header with the same name.
Enable FCrDNS: Enables the forward-confirmed reverse DNS (FCrDNS) check on the connecting host.
1 Navigate to Email | Email Policies | Spam | Sender Authentication | Cumulative Score and Other Options.
  Cumulative Score and Other Options is available from the drop-down list on the tab bar of the Default Sender Authentication Settings (SMTP) window.
2 Select Parse the email headers for sender address if behind an MTA.
3 Click OK.
4 Apply changes.
SPF checks are now carried out after the DATA phase of the SMTP conversation starts, because the originating sender and connection are taken from the message headers, which are only available once the message data has been received.
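The following is an added example, not code from McAfee Email Gateway or this guide, showing why the check above has to wait for the DATA phase. When the gateway sits behind another MTA, the connecting IP belongs to that MTA, so the origin must be recovered from the Received: headers by skipping hops added by trusted relays; SPF is then evaluated for that IP and the Return-Path domain. The trusted MTA address, the SPF records (standing in for DNS TXT lookups) and the headers are constructed assumptions. The SPF evaluator goes a little beyond the page: it handles ip4, ip6 and all with all four qualifiers, but not the DNS-dependent mechanisms.

```python
import ipaddress
import re

# Assumptions for the example: our internal relay, and SPF records standing in for DNS TXT lookups.
TRUSTED_MTAS = {ipaddress.ip_address("10.0.0.5")}
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "partner.example": "v=spf1 ip4:192.0.2.0/28 ~all",
}

# Constructed headers as the gateway would see them, newest Received: line first.
RAW_HEADERS = (
    "Received: from mta.internal.example (mta.internal.example [10.0.0.5])\r\n"
    "\tby gateway.example.com with ESMTP; Mon, 01 Jun 2015 10:00:00 +0000\r\n"
    "Received: from mail.example.com (mail.example.com [203.0.113.25])\r\n"
    "\tby mta.internal.example with ESMTP; Mon, 01 Jun 2015 09:59:59 +0000\r\n"
    "Return-Path: <billing@example.com>\r\n"
    "From: Billing <billing@example.com>\r\n"
    "Subject: Invoice\r\n"
)


def header_values(raw, name):
    """Unfold continuation lines, then return the values of every header called `name`, in order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in unfolded.splitlines()
            if line.lower().startswith(prefix)]


def originating_ip(raw, trusted):
    """Walk Received: headers newest-first; the first hop not added by a trusted MTA is the origin."""
    for received in header_values(raw, "Received"):
        m = re.search(r"\[([0-9A-Fa-f.:]+)\]", received)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if ip not in trusted:
                return ip
    return None


def envelope_sender_domain(raw):
    """Domain of the Return-Path (the SMTP MAIL FROM that the MTA recorded), or None."""
    values = header_values(raw, "Return-Path")
    if not values:
        return None
    m = re.search(r"<([^>]*)>", values[0])
    address = m.group(1) if m else values[0]
    return address.rsplit("@", 1)[1].lower() if "@" in address else None


def check_spf(domain, ip, records=SPF_RECORDS):
    """Minimal SPF evaluation: ip4/ip6 mechanisms and 'all', with qualifiers. Mechanisms that need
    DNS (include, a, mx, exists) are reported as temperror in this offline model."""
    ip = ipaddress.ip_address(ip)
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    qualifier_results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in qualifier_results:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(argument, strict=False):
                return qualifier_results[qualifier]
        elif mechanism == "all":
            return qualifier_results[qualifier]
        else:
            return "temperror"
    return "neutral"


def spf_result(raw, trusted=TRUSTED_MTAS):
    """SPF result for a message, using the header-recovered origin rather than the connecting IP."""
    ip = originating_ip(raw, trusted)
    domain = envelope_sender_domain(raw)
    if ip is None or domain is None:
        return "none"
    return check_spf(domain, ip)
```

With the internal relay trusted, the origin is 203.0.113.25 and example.com's record gives pass. Evaluate the connecting IP instead (an empty trusted set) and the same message fails, which is what happens when the option above is left off behind an MTA: every message appears to come from your own relay.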
Select Message Reputation, then select the checkbox Enable McAfee GTI Message Reputation at the higher detection threshold.
For If the sender fails the check, select the action Add to score, then type the value you want to add.
Click OK. The Default Sender Authentication Settings (SMTP) window closes.
Select a rule you want to configure, then type the score that triggers the rule.
10 Click OK. The Default Anti-Spam Settings (SMTP) window closes.
11 Select Spam. The Default Anti-Spam Settings (SMTP) window opens.
12 Configure any Additional score-based actions you want.
13 Click OK. The Default Anti-Spam Settings (SMTP) window closes.
14 Click the green checkmark icon to apply your changes.
See also
Spam rules that support adding sender authorization scores on page 235
To exempt a recipient, configure an Anti-Spam policy exception for that recipient and disable Anti-Spam in it. Messages for that recipient are then exempt from McAfee GTI reputation checks, and no authentication scores are added to their spam score.
Ensure that the score assigned to the EDT rule you are applying exceeds the configured threshold, so that the rule's action is triggered.
1 Enable SPF, then select Allow through (Monitor) as the action for If the sender fails the check.
2 Click OK. The Sender Authentication window closes.
3 Select Spam. The Anti-Spam Settings window opens.
4 Type the score that triggers the rule, then click OK. The Anti-Spam Settings window closes.
Table 4-84  Spam rules that support adding sender authorization scores

Rule name: Description
EDT_SA_AU_FAIL
EDT_SA_AU_PASS: Triggers when the overall sender authentication score does not exceed the configured sender authentication cumulative score threshold
EDT_SA_BV_FAIL
EDT_SA_BV_PASS
EDT_SA_DK_FAIL
EDT_SA_DK_NEUTRAL
EDT_SA_DK_NONE
EDT_SA_DK_PASS
EDT_SA_DN_PASS
EDT_SA_FD_FAIL
EDT_SA_FD_PASS
EDT_SA_PR_FAIL
EDT_SA_PR_PASS
EDT_SA_RB_FAIL: Triggers when the Real-time Blackhole List (RBL) check results in a fail action
EDT_SA_RB_NONE: Triggers when the Real-time Blackhole List (RBL) check results in a none action
EDT_SA_RB_PASS: Triggers when the Real-time Blackhole List (RBL) check results in a pass action
EDT_SA_SI_HARD_FAIL
EDT_SA_SI_NEUTRAL
EDT_SA_SI_NONE
EDT_SA_SI_PASS
EDT_SA_SI_PERM_ERROR
EDT_SA_SI_SOFT_FAIL
EDT_SA_SI_TEMP_ERROR
EDT_SA_SP_HARD_FAIL
EDT_SA_SP_NEUTRAL
EDT_SA_SP_NONE
EDT_SA_SP_PASS
EDT_SA_TS_NONE
EDT_SA_TS_PASS
EDT_SA_TS_TEMP_ERROR: Triggers when the McAfee GTI message reputation check results in a temp error action
EDT_SA_TS_TIMEOUT: Triggers when the McAfee GTI message reputation check query times out
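The following is an added example, not code from McAfee Email Gateway or this guide. It ties together the two procedures above (Add to score for a failed check, and scoring the EDT_SA rules) and the rule table: each failed check either takes its configured direct action or adds its value to a cumulative sender authentication score, the cumulative score is compared with the threshold to decide EDT_SA_AU_PASS or EDT_SA_AU_FAIL, and every triggered EDT rule then adds its configured score to the spam score that selects a score-based action. The point values, thresholds and actions are assumptions chosen for illustration, not product defaults; the RB and TS prefixes are RBL and McAfee GTI message reputation as the table states, and SP is assumed to be SPF.

```python
# Results that count as a failed check for each sender authentication check (assumed mapping).
FAILING_RESULTS = {"SP": {"hard_fail"}, "RB": {"fail"}, "TS": {"fail"}}

# Action for "If the sender fails the check" and the value typed for Add to score (assumed values).
CHECK_POLICY = {
    "SP": ("add_to_score", 3.0),
    "RB": ("Deny connection (Block)", 0.0),
    "TS": ("add_to_score", 4.0),
}
CUMULATIVE_THRESHOLD = 5.0   # assumed sender authentication cumulative score threshold

# Score each triggered EDT rule adds to the spam score (assumed values; rules not listed add 0).
RULE_SCORES = {
    "EDT_SA_AU_FAIL": 6.0,
    "EDT_SA_SP_HARD_FAIL": 2.0,
    "EDT_SA_SP_SOFT_FAIL": 1.0,
    "EDT_SA_TS_FAIL": 3.0,
}
# Additional score-based actions, highest threshold first (assumed values).
SCORE_ACTIONS = [
    (10.0, "Accept and then drop the data (Block)"),
    (6.0, "Quarantine"),
    (0.0, "Allow through (Monitor)"),
]


def action_for(score):
    """Pick the first score-based action whose threshold the spam score reaches."""
    for threshold, action in SCORE_ACTIONS:
        if score >= threshold:
            return action
    return SCORE_ACTIONS[-1][1]


def evaluate(results, content_score, exempt=False):
    """results: {check: result}, e.g. {"SP": "hard_fail", "RB": "none", "TS": "pass"}.
    content_score: the spam score from the content engines.
    exempt: the recipient has an Anti-Spam policy exception, so no GTI checks run and
    no authentication scores are added."""
    if exempt:
        return {"score": content_score, "rules": [], "cumulative": 0.0,
                "action": "Allow through (Monitor)"}
    rules = ["EDT_SA_%s_%s" % (check, result.upper()) for check, result in results.items()]
    cumulative = 0.0
    for check, result in results.items():
        if result in FAILING_RESULTS.get(check, ()):
            action, points = CHECK_POLICY[check]
            if action != "add_to_score":      # a direct action ends the evaluation
                return {"score": content_score, "rules": rules, "cumulative": cumulative,
                        "action": action}
            cumulative += points
    # The cumulative sender authentication score decides the AU rule, exactly as the table describes.
    rules.append("EDT_SA_AU_FAIL" if cumulative > CUMULATIVE_THRESHOLD else "EDT_SA_AU_PASS")
    score = content_score + sum(RULE_SCORES.get(rule, 0.0) for rule in rules)
    return {"score": score, "rules": rules, "cumulative": cumulative, "action": action_for(score)}
```

Note the last sentence of the exception note above in action: with exempt=True the message keeps only its content score, whatever the sender authentication results were.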
File Filtering
Use this page to specify actions against different types of files. This is known as file filtering.
File format: If your organization's valuable information is in databases or other special files, it is important to control the movement of these files. The appliance examines files based on their true content.

Any file can be made to masquerade as another. A person with malicious intent might rename the important database file customers.mdb to notes.txt, attempting to transfer that file undetected. You can configure the appliance to examine each file based on its content or file format, not on its file name extension alone.

You can also define the types of file that are sent to your Advanced Threat Defense appliances (if applicable) by selecting the categories and subcategories of files. You can, for example, create rules that prevent small graphics files being sent for further scanning by Advanced Threat Defense, while still sending larger files of the same formats for advanced scanning.

File name: Some graphic file formats such as bitmap (.bmp) use large amounts of memory and can affect network speed when transferred. You might prefer that users work with more compact formats such as .gif, .png, or .jpeg.

If your organization produces computer software, you might see executable (.exe) files moving around the network. In another organization, those files might be games or illegal copies of software. Similarly, unless your organization regularly handles movie files (MPEG or MPG), they are probably for entertainment only. A file filtering rule that examines the file extension can restrict the movement of these files. A name-based rule is only as reliable as the name, however: a renamed file passes it, which is why content-based format detection exists alongside it.

Financial information might have file names like Year2008.xls or 2008Results. A file filter that matches the text 2008 can detect the movement of these files.

File protection status: You can create a rule to take a configured action on all files that have a protected status, such as password-protected files, which the appliance cannot open to scan.

File size: Although you might allow graphic files to be moved around your network, you can restrict their size to prevent the service running too slowly for other users.

When you create settings to control the use of any file, remember that some departments within your organization might need fewer constraints. For example, a marketing department might need large graphic files for advertising.
This feature is not available to the POP3 protocol.

This task requires:
  One or more Advanced Threat Defense appliances configured within your network
  Email Gateway configured to communicate with your Advanced Threat Defense appliances

Solution: Create a file filtering rule that excludes your corporate logo file from Advanced Threat Defense scanning, as long as the file name matches and the file is below a certain size.
See also
Task Configure Email Gateway to communicate with your Advanced Threat Defense
appliances on page 476
Task Configure Advanced Threat Defense policies on page 190
Option definitions: Policy exceptions

Number of exceptions
Policy name
Exception name
Add exception
Move up and down (Move): When you have two or more policy exceptions, you can change the priority in which they are used with the up and down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit the properties of the selected policy exception.
Delete exception: Click to delete the selected policy exception.
Table 4-86  Option definitions: File Filtering Rules

Order: Displays the order in which the filters are applied. To change the order, click the icons in the Move column.
Rule Name
If Triggered: Displays the action to take. Click the link to change the primary and secondary actions associated with the rule.
Add Rule: Opens a further window where you can specify the types of file you want to detect.
Select to use the default alert message, or click Change the default alert text to open a further window where you can change the alert message that is issued after a detection.
This task requires:
  One or more Advanced Threat Defense appliances configured within your network
  Advanced Threat Defense configured to scan graphics files found within email messages

The Do not scan the attachment with Advanced Threat Defense option is only available when the primary action is set to Allow through.

Task
1 Enter a name for this rule, for example, Exclude Logo from ATD.
2 Select Continue scanning if rule triggers so that other attachments can still be scanned.
3 Within Advanced Threat Defense - Supported formats, select Graphics/Presentation: Portable Network Graphics Format (or another appropriate file subcategory). This ensures that only .png files are affected by this rule.
4 Enter the name of the file to be excluded from Advanced Threat Defense scanning, for example, companylogo.png, then click OK.
The new file filtering rule is created. Because the rule keys on file name, format, and size, any genuine PNG under the size limit that carries that name also bypasses Advanced Threat Defense, so keep the size bound as tight as the real logo allows.
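The following is an added example, not code from McAfee Email Gateway or this guide. It demonstrates the ideas behind this section and the task above: identifying a file by its content (magic bytes) rather than its name, reading the password-protected flag from a ZIP header, and applying ordered rules that match on true format, name, size and protection status, including a "continue scanning" rule that exempts a small, correctly named PNG from further analysis while a larger PNG still goes on. The signature list, rule set, actions and attachment contents are constructed for the example; the product's own signature database is far larger.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Content signatures (offset, magic bytes) for the formats discussed on this page (constructed list).
SIGNATURES = [
    ("Microsoft Access database (Jet/MDB)", 4, b"Standard Jet DB"),
    ("Microsoft Access database (ACE/ACCDB)", 4, b"Standard ACE DB"),
    ("PNG image", 0, b"\x89PNG\r\n\x1a\n"),
    ("GIF image", 0, b"GIF87a"),
    ("GIF image", 0, b"GIF89a"),
    ("JPEG image", 0, b"\xff\xd8\xff"),
    ("BMP image", 0, b"BM"),
    ("Windows executable (MZ/PE)", 0, b"MZ"),   # two-byte magic: a text file starting "MZ" would also match
    ("ZIP archive", 0, b"PK\x03\x04"),
    ("MPEG program stream", 0, b"\x00\x00\x01\xba"),
    ("MPEG video stream", 0, b"\x00\x00\x01\xb3"),
]


def detect_format(data: bytes) -> str:
    """Identify a file by its content, ignoring its name; 'unknown' when no signature matches."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def zip_is_password_protected(data: bytes) -> bool:
    """ZIP local file header: the general-purpose flag word at offset 6 has bit 0 set for an encrypted entry."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


@dataclass
class Rule:
    name: str
    action: str
    formats: Tuple[str, ...] = ()       # true (content) formats; empty matches any format
    name_contains: str = ""             # case-insensitive substring of the file name; "" matches any
    min_size: int = 0
    max_size: Optional[int] = None
    protected: Optional[bool] = None    # True: only password-protected archives; None: ignore status
    continue_scanning: bool = False     # the page's "Continue scanning if rule triggers"


def rule_matches(rule: Rule, name: str, data: bytes) -> bool:
    if rule.formats and detect_format(data) not in rule.formats:
        return False
    if rule.name_contains and rule.name_contains.lower() not in name.lower():
        return False
    if len(data) < rule.min_size or (rule.max_size is not None and len(data) > rule.max_size):
        return False
    if rule.protected is not None and zip_is_password_protected(data) != rule.protected:
        return False
    return True


def evaluate(rules, name, data):
    """Apply rules in order; a hit whose rule does not continue scanning ends the evaluation."""
    hits = []
    for rule in rules:
        if rule_matches(rule, name, data):
            hits.append((rule.name, rule.action))
            if not rule.continue_scanning:
                break
    return hits


# Rules mirroring the page's scenarios (names and actions are illustrative).
RULES = [
    Rule("Exclude Logo from ATD", "Allow through; do not scan with Advanced Threat Defense",
         formats=("PNG image",), name_contains="companylogo.png", max_size=20000, continue_scanning=True),
    Rule("Block database files by content", "Accept and then drop the data (Block)",
         formats=("Microsoft Access database (Jet/MDB)", "Microsoft Access database (ACE/ACCDB)")),
    Rule("Block executables by content", "Accept and then drop the data (Block)",
         formats=("Windows executable (MZ/PE)",)),
    Rule("Quarantine password-protected archives", "Quarantine", formats=("ZIP archive",), protected=True),
    Rule("Monitor 2008 financial files", "Allow through (Monitor)", name_contains="2008", continue_scanning=True),
]

# Constructed attachments (file name -> bytes); minimal headers, not real files.
ATTACHMENTS = {
    "notes.txt": b"\x00\x01\x00\x00Standard Jet DB" + b"\x00" * 100,   # customers.mdb renamed
    "companylogo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 2000,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 50000,               # same format, too large to exclude
    "setup.jpg": b"MZ\x90\x00" + b"\x00" * 60,                          # executable wearing an image extension
    "archive.zip": b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22,         # flag word 0x0001: encrypted entry
    "Year2008.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 100,
}


def scan_all(attachments=ATTACHMENTS, rules=RULES):
    return {name: evaluate(rules, name, data) for name, data in attachments.items()}
```

Running scan_all() blocks notes.txt and setup.jpg on content alone, quarantines the encrypted archive, exempts only the small companylogo.png from further analysis, and lets photo.png through the exclusion untouched.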
Setting the DLP policy action and controlling the detection (this topic)

If an uploaded registered document contains embedded documents, their content is also fingerprinted, so the combined content is used when calculating the percentage match at scan time. To have embedded documents treated individually, register them separately.
Option definitions: Data Loss Prevention

Document match percentage: The percentage of the original registered document that must be seen in order to trigger DLP. For example, if you register two documents, one with 100 pages of content and another with 10 pages, a setting of 30% requires 30 pages to match the 100-page document and just 3 pages to match the 10-page document. The algorithm involved in DLP is sophisticated and involves text normalization, common word removal, and signature generation, so these figures are a guideline only.
Number of consecutive signatures (advanced): Sets the number of sequential signatures that cause a trigger. With the same two registered documents, this setting detects a small section of the original content irrespective of the document's size. The same normalization, common word removal, and signature generation apply; as an approximate guide, one signature represents 8 words of text after common words have been removed.
Rules: Select the box to show or hide the list of existing DLP rules.
Create new rule: This list is empty until you set up categories for registered documents. Click the link to create a new data loss prevention rule based on the categories that you set in Registered Documents. This opens a dialog box where you select one or more DLP categories.
Exclusions: Select the box to show or hide the list of existing document exclusions.
Create document exclusion: This list is empty until you register documents. Click the link to specify registered documents to exclude from this policy. This opens a dialog box where you select one or more documents to exclude from the rule.
If a Data Loss Prevention action results in an alert: When selected, issues the default alert upon detection. When deselected, lets you click the link and change the text of the alert.
Task: block on a percentage match
1 In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
2 Click Create new rule, select the Finance category, and click OK to have the category appear in the Rules list.
3 Select the action associated with the category, change the primary action to Deny connection (Block), and click OK.

Task: block on consecutive signatures
1 In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
2 Enable the consecutive signatures setting, and type the number of consecutive signatures against which the DLP policy will trigger a detection. The level is set to 10 by default.
3 Click Create new rule, select the Finance category, and click OK to have the category appear in the Rules list.
4 Select the action associated with the category, change the primary action to Deny connection (Block), and click OK.

Task: exclude a registered document
1 In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
2 Click Create document exclusion, select the document you want to ignore for this policy, and click OK.
This page has four sections:
  Message Size
  Attachment Size
  Attachment Count
  Options

The default policy values are normally suitable, but you might need another policy to allow the occasional transfer of large numbers of messages, of large email messages, of large attachments, or of many attachments within a single message, or to investigate possible attacks.

Changing these settings can affect scanning performance. If you are not sure about the impact of a change, ask your network expert.
And also (Other actions):
  Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, then delivers the message to the intended recipients. Click Manage templates to change how the subject is rewritten.
  Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change how the headers are rewritten. Icons next to each template indicate its settings.
  Deliver message using encryption: Attempts delivery of the message using your configured encryption settings.
Notification and annotated email options: Follow the link to configure the options for notification messages and annotated email messages.
If attachments are replaced with an alert
Table 4-90  Option definitions: Specify a maximum attachment size

If an attachment size exceeds (menu)
Table 4-91  Option definitions: Specify the maximum size of all attachments

Size of all attachments: Specifies the limit for the combined size of all attachments. The default value is 64000 KB (64 MB).
Use the attachment size only as a guide. When a file is encoded as an attachment (base64), it becomes roughly a third larger: the encoding alone adds 33%, and with the line breaks the transfer encoding requires the overhead is closer to 37%. To apply the limit to the actual size of the attachments, select Decode email parts for the purposes of size calculation on the Options tab.
Option definitions: Specify a maximum attachment count

If the attachment count exceeds (menu)
Table 4-94  Option definitions: Options
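The following is an added example, not code from McAfee Email Gateway or this guide. It shows the size question behind Tables 4-90, 4-91 and the attachment count: the same attachment measures differently on the wire (base64 text) and after decoding, so a limit compared against encoded sizes triggers on files that are within the limit once decoded, which is what Decode email parts for the purposes of size calculation changes. The sample message and the policy values are constructed; only the 64000 KB default for all attachments comes from the page.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed message: a short body plus two base64 attachments of 76,800 and 5,000 raw bytes."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(bytes(range(256)) * 300, maintype="application",
                       subtype="octet-stream", filename="figures.bin")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 4992, maintype="image",
                       subtype="png", filename="chart.png")
    return msg.as_bytes(policy=policy.SMTP)


def attachment_sizes(raw: bytes):
    """[(file name, encoded size as carried in the message, decoded size)] per attachment part."""
    msg = message_from_bytes(raw, policy=policy.default)
    sizes = []
    for part in msg.iter_attachments():
        encoded = len(part.get_payload(decode=False))   # base64 text is ASCII, so characters == bytes
        decoded = len(part.get_payload(decode=True))
        sizes.append((part.get_filename(), encoded, decoded))
    return sizes


# Assumed policy values for the example; only the all-attachments default is the page's.
LIMITS = {
    "message_size": 200 * 1024,
    "attachment_size": 80 * 1024,
    "all_attachments": 64000 * 1024,
    "attachment_count": 5,
}


def check_limits(raw: bytes, limits=LIMITS, decode_parts=False):
    """Return the size and count conditions the message triggers. decode_parts=True corresponds to
    'Decode email parts for the purposes of size calculation'; otherwise encoded sizes are compared.
    The message size itself is always the size received on the wire."""
    sizes = attachment_sizes(raw)
    measured = [decoded if decode_parts else encoded for _, encoded, decoded in sizes]
    triggered = []
    if len(raw) > limits["message_size"]:
        triggered.append("message size exceeds")
    if any(size > limits["attachment_size"] for size in measured):
        triggered.append("attachment size exceeds")
    if sum(measured) > limits["all_attachments"]:
        triggered.append("size of all attachments exceeds")
    if len(sizes) > limits["attachment_count"]:
        triggered.append("attachment count exceeds")
    return triggered
```

With an 80 KB attachment limit, the 75 KB file trips the limit as encoded (about 103 KB of base64 text) and passes it once decoded.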
Compliance Settings
Use this page to create and manage compliance rules.

Compliance rules can vary in complexity, from a straightforward trigger when an individual term in a dictionary is detected, to combinations of score-based dictionaries that only trigger when a threshold is reached. With the advanced features of compliance rules, dictionaries can be combined using the logical operations any of, all of, and except.
Option definitions: Compliance

Enable compliance
Rules
If a compliance action results in an alert: When selected, issues the default alert upon detection. When deselected, lets you click the link and change the text of the alert.
Task: block threatening language using a rule template
1 In the Default Compliance Settings dialog box, click Yes to enable the policy.
2 Click Create new rule from template to open the Rule Creation Wizard.
3 Select the Acceptable Use - Threatening Language policy, and click Next.
4 Change the primary action to Deny connection (Block), and click Finish.

Task: detect Social Security numbers
In the Default Compliance Settings dialog box, click Yes to enable the policy.
Select the Social Security Number dictionary, and click Next twice.

Task: combine dictionaries with an exclusion
In the Default Compliance Settings dialog box, click Yes to enable the policy.
Select a dictionary that you want to exclude from the rule in the exclusion list.
Select the action that you want to take place if the rule triggers.
From the And conditionally drop-down list, select All, and click Finish.
Select the new dictionary that you want to include, and click OK.

Task: create score-based rules with two thresholds
Click Create new rule, type a name for it such as Discontent - Low, and click Next.
Click Finish.
Repeat steps 2 through 4 to create another new rule, but name it Discontent - High and assign it a threshold of 40.
Click Finish.

Task: change a dictionary's threshold within a rule
1 Expand the rule that you want to edit, then select the Edit icon next to the dictionary whose score you want to change.
2 In Dictionary threshold, type the score at which you want the rule to trigger, and click OK.

Task: limit how often a term contributes to the score
1 Expand the rule that you want to edit, then click the Edit icon next to the dictionary whose score you want to change.
2 In Maximum term count, type the maximum number of times that you want a term to contribute to the score.
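The following is an added example, not code from McAfee Email Gateway or this guide. It models the compliance rule behaviours described above: a single-term dictionary trigger, score-based dictionaries with per-rule thresholds (Discontent - Low and - High), Maximum term count capping a repeated word, and dictionaries combined with any of, all of, and except. The dictionaries, scores, thresholds, rule names and actions are constructed for the example; only the rule and dictionary names mentioned in the tasks are taken from the page.

```python
import re

# Constructed dictionaries: term -> score. A literal term matches case-insensitively;
# a term prefixed "re:" is a regular expression.
DICTIONARIES = {
    "Threatening Language": {"kill you": 1, "hurt you": 1, "you will pay": 1},
    "Discontent": {"unfair": 10, "quit": 15, "hate this place": 20, "useless": 10},
    "Social Security Number": {r"re:\b\d{3}-\d{2}-\d{4}\b": 1},
    "Finance Terms": {"quarterly": 5, "revenue": 5, "forecast": 5},
    "Public Filing": {"press release": 1, "10-k": 1},
    "Confidential Markers": {"confidential": 1, "internal only": 1},
}


def dictionary_score(text, terms, max_term_count=None):
    """Sum the scores of matching terms. Each term contributes at most max_term_count times:
    the page's Maximum term count, which stops one repeated word from inflating the score."""
    lowered = text.lower()
    score, hits = 0, {}
    for term, points in terms.items():
        if term.startswith("re:"):
            count = len(re.findall(term[3:], text, flags=re.IGNORECASE))
        else:
            count = lowered.count(term.lower())
        if max_term_count is not None:
            count = min(count, max_term_count)
        if count:
            hits[term] = count
            score += count * points
    return score, hits


class Rule:
    def __init__(self, name, action, dictionaries, thresholds=None, operator="any",
                 except_dictionaries=(), max_term_count=None):
        self.name, self.action = name, action
        self.dictionaries = list(dictionaries)                  # "any of" / "all of" these
        self.thresholds = thresholds or {}                      # dictionary -> threshold; default 1 (single term)
        self.operator = operator                                # "any" or "all"
        self.except_dictionaries = list(except_dictionaries)    # "except": any hit here suppresses the rule
        self.max_term_count = max_term_count

    def triggers(self, text):
        met = [dictionary_score(text, DICTIONARIES[d], self.max_term_count)[0] >= self.thresholds.get(d, 1)
               for d in self.dictionaries]
        combined = all(met) if self.operator == "all" else any(met)
        excluded = any(dictionary_score(text, DICTIONARIES[d])[0] >= 1 for d in self.except_dictionaries)
        return combined and not excluded


RULES = [
    Rule("Acceptable Use - Threatening Language", "Deny connection (Block)", ["Threatening Language"]),
    Rule("Discontent - Low", "Allow through (Monitor)", ["Discontent"], thresholds={"Discontent": 20}),
    Rule("Discontent - High", "Quarantine", ["Discontent"], thresholds={"Discontent": 40}, max_term_count=2),
    Rule("Social Security Number", "Deny connection (Block)", ["Social Security Number"]),
    Rule("Finance outside public filings", "Quarantine", ["Finance Terms"],
         thresholds={"Finance Terms": 10}, except_dictionaries=["Public Filing"]),
    Rule("Confidential finance", "Deny connection (Block)", ["Finance Terms", "Confidential Markers"],
         thresholds={"Finance Terms": 10}, operator="all"),
]


def evaluate(text, rules=RULES):
    """Every compliance rule is evaluated; return [(rule name, action)] for those that trigger."""
    return [(rule.name, rule.action) for rule in rules if rule.triggers(text)]
```

"useless" repeated five times scores 50 for Discontent - Low but only 20 for Discontent - High, whose Maximum term count of 2 caps the repetition below its threshold of 40. A finance excerpt marked confidential triggers both finance rules, while the same terms inside a press release trigger neither because of the except dictionary.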
Image Filtering
The Image Filtering scanner analyzes images to determine attributes that indicate the image may be of a
pornographic nature.
Table 4-97  Option definitions: Higher Image Detection Threshold

Detection threshold: Choose from Highly Suspect, Suspect, and Custom. Set to Highly Suspect by default. Select Custom to set the Confidence level.
Confidence level: Available when Detection threshold is Custom.
Option definitions: Lower Image Detection Threshold

Detection threshold: Choose from Highly Suspect, Suspect, and Custom. Set to Suspect by default. Select Custom to set the Confidence level %.
Confidence level: Available when Detection threshold is Custom.
In the Higher Image Detection Threshold section, select the Accept and then drop the data (Block) action.
  Quarantined messages can be viewed in the Message Search feature (Reports | Message Search), in the Image Filtering category.
In the Lower Image Detection Threshold section, select the Allow Through (Monitor) action.
In And also, select the Forward modified to... notification email option.
  The message is sent to any email lists you have created.
  a To change the email recipients who will receive the forwarded message, click Edit. The Email Recipients dialog box opens.
  b Select the lists that you want to receive the message and click OK.
Mail content is classified into these categories:
  Signed Content
  Encrypted Content
  Plaintext Content

For each category, you can choose a primary action to take when that type of content is detected, and optionally a secondary action. You can also set notification and alert actions.
When content that is signed but not encrypted is detected: Select the primary action that you want the appliance to take in this circumstance. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Allow the changes to break the signed email (Monitor)
  Do not allow the changes to break the signed email (Monitor)
  Replace the content with an alert (Modify)
  Reroute to an alternative relay (Reroute)
The two Monitor options matter because actions that rewrite the signed body, such as Replace the content with an alert, invalidate the signature; choose Do not allow the changes to break the signed email if the recipient must still be able to verify it.
And also (Other actions):
  Modify subject: McAfee Email Gateway rewrites the subject of the email message using user-definable templates, then delivers the message to the intended recipients. Click Manage templates to change how the subject is rewritten.
  Modify headers: McAfee Email Gateway modifies the email message headers using user-definable templates, then delivers the message to the intended recipients. You can select multiple header modification templates. Click Manage templates to change how the headers are rewritten. Icons next to each template indicate its settings.
  Deliver message using encryption: Attempts delivery of the message using your configured encryption settings.
Notification and annotated email options: Follow the link to configure the options for notification messages and annotated email messages.
Alert Settings: Select to use the default alert, or follow the link to make changes to the alert text.
When content that is encrypted is detected: Select the primary action that you want the appliance to take in this circumstance. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Replace the content with an alert (Modify)
  Reroute to an alternative relay (Reroute)
  Allow Through (Monitor)
And also (Other actions), Notification and annotated email options, and Alert Settings: as for signed content above.
When content that is both signed and encrypted is detected: Select the primary action that you want the appliance to take in this circumstance. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Allow the changes to break the signed email (Monitor)
  Do not allow the changes to break the signed email (Monitor)
  Replace the content with an alert (Modify)
  Reroute to an alternative relay (Reroute)
And also (Other actions), Notification and annotated email options, and Alert Settings: as for signed content above.
When plaintext content is detected: Select the primary action that you want the appliance to take in this circumstance.
And also (Other actions), Notification and annotated email options, and Alert Settings: as for signed content above.
McAfee Global Threat Intelligence (McAfee GTI) performs lookups on URLs that are embedded in email messages.
Option
Definition
Definition
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-107
Option
Definition
Confidence level
And also
Notification and annotated email options Click this link to configure default notifications and alerts.
Lower URL reputation threshold
Detection threshold
Confidence level
This field is pre-populated with the proper score to trigger the lower
threshold.
Alert settings
If an action results in an alert
If URL reputation scanning is not already enabled, click the Yes radio button.
Select the primary action for URLs that trigger the higher threshold.
Set notification and alert options associated with the higher threshold.
Select the primary action for URLs that trigger the lower threshold.
Set notification and alert options associated with the lower threshold.
Click OK.
The Default URL Reputation Settings page closes, and the URL reputations link shows the primary action.
Example URLs:
http://user:1234@www.mydomain.com:10443/index.php?id=5678#para1
ftp://user:1234@ftp.domain.com:2021/docs/data.rtf;type=a

Format               Example                      Parsing string
Scheme/Protocol      http://  ftp://              Ends at '*://'
Credentials          user:1234
Host (domain name)   www.mydomain.com:10443
                     ftp.domain.com:2021
Host (IPv4 address)
Host (IPv6 address)                               Square brackets are required.
Path                 index.php
                     docs/data.rtf
Path parameter       type=a
Query string         id=5678
Named anchor         para1
Using expressions
Global Threat Intelligence tests URLs found in emails against regular expressions to determine if the
URL is allowed or forbidden to enter the system.
Email Gateway permits the user to specify patterns for the individual parts of the URL and then
compile these parts into a regular expression that will match a complete URL. If the user does not
enter a value for a part, the compiled expression matches anything or nothing for that part.
You must enter a value for the Host part. A recognizable URL must have, at a minimum, a host name.
You can specify parts as either simple DOS patterns or as regular expressions.
Simple patterns
Simple patterns allow you to enter much less information than regular expressions, but offer much
less flexibility. You can use simple wildcards:
Certain matches are not possible with simple patterns. For example:
In the Host field, '*' does not match '.' by design. This prevents possible unwanted matches.
Regular expressions
The ability to specify the URL parts of interest as regular expressions overcomes any restrictions of
simple patterns:
www\.mcafee\.(?:com|co\.uk)
8080|8443
(?:[12]?\d{1,2}\.){3}[12]?\d{1,2}
On the URL Expression Builder, each text field is a separate regular expression that follows Perl-compatible
regular expression (PCRE) syntax, and is validated as a regular expression. Regular expressions offer
greater flexibility, but they are more complex than simple patterns. You are allowed to enter nothing
for all fields, resulting in a generated regex that matches anything that sufficiently resembles a URL.
You must remember to escape characters that have significant meaning in a regular expression.
These characters are: \.-[]{}()^$|+?*
You must not use positional matches, otherwise known as anchors, in regular expressions.
Examples of anchors are: '^', '$', '\A' and '\z'.
Anyone who wants to use regular expressions in this feature should already be comfortable with regular
expressions, due to their complexity.
If you want to specify a regular expression that matches any number or character, avoid using '.*' and
'.+' as the expression. Either of these choices is likely to match more characters than you desire and
will result in less efficient pattern matching. Use one of these combinations to 'match any character'
based on the part you want to specify:
Host '[^:/\?#]' (match anything apart from ':', '/', '?' and '#')
When you use these patterns, the matches stop at the next part of the URL.
The best approach when constructing regular expressions is to use the URL parser tool which is
regex-aware and will do the necessary escaping for you.
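The parts table above and the simple-pattern and regular-expression rules in this section, worked through as an added Python example; this is not the product guide's code nor the appliance's URL Expression Builder. parse_url splits a URL into the parts the URL Parser tool reports, simple_to_regex translates a simple pattern into a regex fragment (escaping the metacharacters listed above, with '*' in the Host part never crossing '.'), uses_anchor rejects the anchors the guide forbids, and build_url_regex assembles the per-part fragments into one expression for a whole URL. The per-part 'match any character' classes other than the Host one, the assembly order, and the match_case flag are this example's assumptions.

```python
import re
from urllib.parse import urlparse

# Order in which the per-part fragments are joined back into one expression.
PART_ORDER = ("scheme", "credentials", "host", "port", "path", "query", "fragment")

# "Match any character" classes per part, in the spirit of the guide's Host
# example '[^:/\?#]': each stops at the delimiter that introduces the next part.
# (The classes other than the Host one are this example's assumptions.)
ANY = {
    "scheme": r"[^:/?#]",
    "credentials": r"[^@/?#]",
    "host": r"[^:/?#]",
    "port": r"\d",
    "path": r"[^?#]",
    "query": r"[^#]",
    "fragment": r".",
}


def parse_url(url):
    """Split a URL into the component parts the URL Parser tool reports."""
    p = urlparse(url)
    creds = None
    if p.username is not None:
        creds = p.username if p.password is None else f"{p.username}:{p.password}"
    return {
        "scheme": p.scheme, "credentials": creds, "host": p.hostname,
        "port": p.port, "path": p.path.lstrip("/"), "params": p.params,
        "query": p.query, "fragment": p.fragment,
    }


def uses_anchor(expr):
    r"""True if a PCRE-style fragment contains a positional anchor (^, $, \A, \z, \Z)
    outside a character class; an anchor would break the assembled expression."""
    in_class = False
    i = 0
    while i < len(expr):
        c = expr[i]
        if c == "\\":                                   # escaped character: skip it
            if not in_class and expr[i + 1:i + 2] in ("A", "z", "Z"):
                return True
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c in "^$":
            return True
        i += 1
    return False


def simple_to_regex(part, pattern):
    """Translate a simple DOS-style pattern ('*' and '?') for one part into regex.
    Literal characters are escaped; in the Host part '*' does not cross '.',
    so 'www.*.com' cannot quietly match 'www.example.attacker.test'."""
    any_char = r"[^.:/?#]" if part == "host" else ANY[part]
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(any_char + "*")
        elif ch == "?":
            out.append(any_char)
        else:
            out.append(re.escape(ch))
    return "".join(out)


def build_url_regex(parts, match_case=False):
    """parts maps a part name to (kind, text), kind being 'simple' or 'regex'.
    A part with no text matches anything or nothing; a filled-in part must be
    present; Host is mandatory. Use the result with re.fullmatch on a whole URL."""
    if not parts.get("host", ("simple", ""))[1]:
        raise ValueError("the Host part is required")
    frag, given = {}, {}
    for name in PART_ORDER:
        kind, text = parts.get(name, ("simple", ""))
        given[name] = bool(text)
        if not text:
            frag[name] = ANY[name] + "*"
        elif kind == "regex":
            if uses_anchor(text):
                raise ValueError(f"anchors are not allowed in the {name} part")
            re.compile(text)                            # reject invalid syntax early
            frag[name] = "(?:" + text + ")"
        else:
            frag[name] = simple_to_regex(name, text)

    def piece(name, body):
        return body if given[name] else "(?:" + body + ")?"

    pattern = (
        (frag["scheme"] if given["scheme"] else ANY["scheme"] + "+") + "://"
        + piece("credentials", frag["credentials"] + "@")
        + frag["host"]
        + piece("port", ":" + frag["port"])
        + piece("path", "/" + frag["path"])
        + piece("query", r"\?" + frag["query"])
        + piece("fragment", "#" + frag["fragment"])
    )
    return re.compile(pattern, 0 if match_case else re.IGNORECASE)


def url_matches(parts, url, match_case=False):
    """Test one URL against the expression built from the parts."""
    return build_url_regex(parts, match_case).fullmatch(url) is not None
```

The simple pattern 'www.mcafee.*' in the Host part matches www.mcafee.com but not www.mcafee.co.uk, because '*' stops at '.'; the regular expression www\.mcafee\.(?:com|co\.uk) from the text matches both.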
Definition
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-110
Option
Definition
Search
Type any portions of the URL as search parameters. Applies to the Description
and Pattern columns.
Type
Description
Pattern
Match Case
Edit
Clicking this link opens the URL Expression Builder where you can edit this URL .
Click this button to open the URL Expression Builder to add a URL by entering a
simple DOS pattern.
Click this button to open the URL Expression Builder to add a URL by entering a
regular expression.
Click this button to delete any patterns you have checked in this table.
If URL reputation scanning is not already enabled, click the Yes radio button.
Click the Add Simple Pattern button or the Add Regular Expression button.
The URL Expression Builder page appears.
To delete a URL from either list, select the Delete check box associated with the URL.
Click the Parse a URL link on the URL Expression Builder page.
The URL Parser dialog box opens.
Type or paste the URL into the data field, then click OK.
The URL Parser closes, and the component parts of the URL populate the URL Expression Builder.
9 Click the URL encode/decode link on the URL Expression Builder page.
The URL Encode/Decode dialog box opens.
To encode the fragment to its canonical representation (%-encoded sequence), click the Encode
button.
The encoded fragment appears in the data field.
To decode a %-encoded fragment into readable form, click the Decode button.
The decoded fragment appears in the data field.
To convert an improperly or partially encoded sequence into its canonical representation, click
the Canonicalize button.
The canonical representation of the sequence appears in the data field.
10 Click OK.
The URL Expression Builder closes, returning you to Default URL Reputation Settings page which shows the
results of your additions, edits, or deletions.
11 Save your changes before you log off.
12 Click OK.
ClickProtect
The ClickProtect feature in McAfee Email Gateway scans email messages for embedded links to protect
the enterprise and its users from malware and phishing attempts.
The full ClickProtect features require your McAfee Email Gateway to be provisioned to use the
cloud-based McAfee Email Protection service. If hybrid scanning is not configured, ClickProtect can
remove or replace non-whitelisted URLs.
You can configure a preview of the webpage and a summary of its content to be presented to the user.
McAfee Email Gateway does not support the scanning of embedded URLs contained within email
attachments.
URLs categorized as low-risk load the original website as it appears in the message.
URLs categorized as unverified or medium-risk trigger a warning page where the content of the
website is summarized.
You can configure whether users can access web hyperlinks or not.
ClickProtect uses the hybrid scanning feature. Hybrid scanning must be enabled for ClickProtect to
provide real-time malware scanning. However, you do not have to route your email flow to the
cloud-based McAfee Email Protection (Hybrid) service.
Whitelisted URLs bypass ClickProtect. ClickProtect does not protect whitelisted URLs. Whitelist any local
or intranet URLs (including IP address based URLs) to allow users to click them directly.
ClickProtect protects users who access their email accounts and click URLs inside or outside the
corporate network.
Using ClickProtect
This example illustrates a situation where you might use ClickProtect.
Issue On a Friday evening, spammers start a spam campaign, sending email messages containing
links to websites that have a good reputation, and contain no malware. Over the weekend, the
spammers then "infect" the website with malicious content. On their return to work, your users are
presented with links within their email messages pointing to websites now containing malicious
content.
Solution By enabling URL reputation scanning, Email Gateway ensures that when email messages
are received, only URLs that point to websites with a good reputation are allowed. Enabling
ClickProtect ensures that at the time that users click those links (click time), the content of the
website is still safe for your users to visit.
Step Description
A sender directs an email message that contains a web link toward an internal user.
MEG initiates a McAfee Global Threat Intelligence (McAfee GTI) scan to check the link for any
threats.
If the message has an acceptable URL reputation score, ClickProtect rewrites the URL and
delivers the message.
5 When the user clicks the link, ClickProtect initiates a cloud-based McAfee Email Protection (Hybrid) service scan to ensure that no threats have been added.
Option
Definition
Enable ClickProtect
From the drop-down list for each URL risk level, select the appropriate action:
Risk levels:
A high risk URL: Specifies a URL that exhibits detrimental behavior. For example, the site is known to host malware. By default, ClickProtect denies the message and sends an alert.
A medium risk URL: Specifies a URL that exhibits questionable behavior that might be detrimental to the user. By default, ClickProtect issues a warning.
An unverified URL: Specifies a URL for which no reputation information has been calculated. By default, ClickProtect issues a warning.
A low risk URL: Specifies a URL that exhibits appropriate behavior or that is verified as trusted. By default, ClickProtect re-writes the URL, and, at click time, McAfee Email Protection (Hybrid) redirects the user to the original website.
Actions:
Deny: Denies the connection.
Warn: Warns the user about risks.
Allow: Allows the connection.
Definition
HTML message actions
Select the actions to take when McAfee Email Gateway detects a URL within an HTML-based message.
Clickable URLs: URLs that include the information allowing users to click the link and be taken to the linked website.
Visible URLs: any text that is formatted to look like a URL, but that does not contain hypertext information.
Actions:
Leave original URL: do not make any changes to the way that clickable URLs are displayed.
Use the ClickProtect URL: replace the original URL with the URL that includes the click protected information. If McAfee Email Gateway is not provisioned to use the cloud-based McAfee Email Protection (Hybrid) service, you cannot select this option.
Remove the URL: remove the URL without substituting any text.
Replace with custom text: remove the URL and substitute it with the text defined in the text box to the right.
Plain text message actions
Select the action to take when McAfee Email Gateway detects a URL within a plain text message.
Actions:
Leave original URL: do not make any changes to the way that visible URLs are displayed.
Use the ClickProtect URL: replace the original URL with the URL that includes the click protected information. If McAfee Email Gateway is not provisioned to use the cloud-based McAfee Email Protection (Hybrid) service, you cannot select this option.
Remove the URL: remove the URL without substituting any text.
Replace with custom text: remove the URL and substitute it with the text defined in the text box to the right.
Definition
And also
If an action results in an alert
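The click-time flow described above (rewrite clickable URLs at delivery, re-check the reputation when the user clicks) as an added Python example. It is not McAfee's code, and the ClickProtect URL format is not documented here, so the endpoint name, the signing key and the HMAC tag that authenticates a rewritten link are constructed assumptions; the risk-level-to-action mapping is the default one from the option table. Only href attributes are rewritten, which is the clickable versus visible URL distinction of the HTML message actions, and allowlisted hosts bypass rewriting as the whitelist does.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed values for this example (not the appliance's): the click-time
# check endpoint and the gateway-side key that authenticates rewritten links.
CLICK_GATE = "https://clickprotect.example.invalid/click"
SIGNING_KEY = b"constructed-demo-key-rotate-in-production"

# Default action per URL risk level, as listed in the option table.
ACTION_FOR_RISK = {"high": "deny", "medium": "warn", "unverified": "warn", "low": "allow"}

# href attributes of <a> tags are the "clickable" URLs; bare text that merely
# looks like a URL is a "visible" URL and is left alone by this rewriter.
HREF = re.compile(r'(<a\b[^>]*\bhref=")([^"]+)(")', re.IGNORECASE)


def sign(url):
    """Tag binding the original URL to this gateway, so the click endpoint cannot
    be abused as an open redirector for URLs the gateway never rewrote."""
    mac = hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def clickprotect_url(url):
    """Rewrite one clickable URL so the click goes to the check endpoint first."""
    return f"{CLICK_GATE}?u={quote(url, safe='')}&sig={sign(url)}"


def is_allowlisted(url, allowlist):
    """Whitelisted hosts (intranet names, IP addresses) bypass rewriting."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in allowlist)


def rewrite_html(html, allowlist=frozenset()):
    """Replace the href of every clickable http(s) link that is not allowlisted.
    Other schemes are left unchanged here; they are not web links."""
    def replace(m):
        url = m.group(2)
        if urlsplit(url).scheme not in ("http", "https") or is_allowlisted(url, allowlist):
            return m.group(0)
        return m.group(1) + clickprotect_url(url) + m.group(3)
    return HREF.sub(replace, html)


def resolve_click(clicked, reputation_at_click_time):
    """Click-time handler: verify the tag, re-check the reputation of the original
    URL (a callable returning a risk level stands in for the cloud scan) and map
    it to deny / warn / allow. Returns (action, original_url_or_None)."""
    q = parse_qs(urlsplit(clicked).query)
    url = q.get("u", [None])[0]
    sig = q.get("sig", [""])[0]
    if url is None or not hmac.compare_digest(sig, sign(url)):
        return ("deny", None)                           # forged or tampered link
    action = ACTION_FOR_RISK.get(reputation_at_click_time(url), "deny")
    return (action, url if action != "deny" else None)
```

A link whose query string has been altered after delivery fails the tag check and is denied regardless of the site's reputation; a good-reputation site that turns malicious over the weekend is caught because the reputation callable runs at click time, not at delivery time.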
Enable ClickProtect.
Under ClickProtect URL Replacement Actions, set options for replacement of URLs.
Some of these options can be configured without requiring McAfee Email Protection (Hybrid) to be
enabled.
Under ClickProtect Actions, select the action to take if URL rewriting is not possible.
Definition
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Definition
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-112 Option definitions URL Count
Option
Definition
Typing a number in the text field sets the maximum number of URLs
in one email. If the URLs exceed the number, the system takes the
configured action.
And also
Notification and annotated email options This link opens the Default Notification and Routing Settings page.
If an action results in an alert
Selecting the check box enables use of the default text. Clicking the
associated link permits editing the default text.
Option
Description
Description
Scheme
Protocol
Credentials
Host
Port
TCP port
Path
Query string
Named anchor
Specifies a location within the document. Not relevant for FTP URLs.
Match the credentials, path, query string and named anchor case-sensitively: Selecting the check box causes McAfee GTI to match the URL case-sensitively. If you leave this unchecked, whatever you type in the text fields is converted to lower case when you click OK.
This dynamic table shows the regular expression you create as you enter
one or more parts.
Table 4-113
Option
Description
Test a URL
Data field where you can type or paste a URL to test it against the
regular expression. Icons indicate whether the URL matches or not.
Link opens an additional dialog box where you can paste or type a URL
and have it parsed into its component parts. If you click OK in this dialog,
the URL will populate the fields in the URL Expression Builder.
The URL is not validated.
Parsing URLs
The URL Expression Builder includes a link that allows you to parse a URL into its component parts.
The parsed URL populates the appropriate fields on the page.
URL normalization
Certain characters, such as /, ? and #, serve as delimiters in the URL. Other characters, such as
control codes, are not printable. These characters must be escaped by encoding them as % followed
by their hexadecimal ASCII value when they are used in the Credentials, Path, or Query string, or in the
Named anchor field. For example, = must be represented by %3B so it will not be misinterpreted as a
key-value separator in the Query string.
The ASCII characters A-Z, a-z, 0-9 and -._~ never need to be escaped. Characters outside the ASCII
range must be represented by the %-encoding of their UTF-8 byte values. For example, the € character
(U+20AC) is encoded as %E2%82%AC.
Attackers can manipulate the %-encoding rules to obfuscate the URL. Manipulations include:
Escaping characters that do not need to be escaped to make part of the URL unreadable to
humans. An example of this would be the sequence %2E%2E%2F/ in the path.
Not escaping characters that should be escaped. For example, the glyph for the Unicode character
U+2215, DIVISION SLASH, looks identical to an ASCII / character. If used in un-escaped form in
the path, it would look indistinguishable from a regular path separator. This is called a homograph
attack.
To overcome any issues from ambiguous representation, URLs found in emails are normalized by
decoding the individual parts and reapplying the %-encoding so that it is in strict compliance with the
encoding rules in RFC 3986, Uniform Resource Identifier (URI): Generic Syntax. The path is further
normalized so that . (current directory) and .. (directory above the current directory) sequences are
removed. For example /a/b/../c is normalized to the equivalent /a/c.
Address normalization
Instead of a domain name in the host field, a URL may contain an IP address.
An IPv4 address may be represented in many different ways, all of which offer an attacker
opportunities to obscure the host that a URL points to. As well as the familiar a.b.c.d format where a,
b, c and d represent base-10 numbers in the range 0-255, an IPv4 address may be represented by 1
to 4 numbers, each of which may be represented using base 10, octal (base 8) and hexadecimal (base
16). For example, it is not at all obvious that the following URLs point to the same resource:
http://7763631671/
http://235396898359/
http://206.057717067/
When testing URLs found in emails, all variant representations of IPv4 addresses are normalized to the
a.b.c.d format.
IPv6 addresses have stricter rules for representation within a URL. However, the same address can
vary in its representation depending on how empty quads are displayed and how many leading zeroes
are used. Therefore, IPv6 addresses are normalized to their most compact form with hexadecimal
values in uppercase. For example, http://[2001:ea75:0000:0:00:000:0:0001]/ is normalized to
http://[2001:EA75::1]/.
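IPv4 and IPv6 host normalization as an added Python example (not the product guide's or the appliance's code). It accepts the one- to four-part IPv4 forms with decimal, octal and hexadecimal parts, the way inet_aton does, and reduces them to a.b.c.d; IPv6 literals are reduced to their compact uppercase form. The sample addresses in the test are constructed (every IPv4 variant there spells 206.191.158.55), and normalize_url_host's handling of credentials and port is an assumption about where host normalization sits.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# One numeric part of an IPv4 address as inet_aton accepts it:
# 0x.. is hexadecimal, a leading 0 means octal, anything else is decimal.
NUMBER = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")


def part_value(text):
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)              # '09' raises ValueError, as it should
    return int(text, 10)


def ipv4_to_dotted(host):
    """Normalize a 1- to 4-part IPv4 host (decimal, octal or hex parts) to a.b.c.d.
    Returns None when the host is not an IPv4 address in any of those forms."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(NUMBER.fullmatch(p) for p in parts):
        return None
    try:
        values = [part_value(p) for p in parts]
    except ValueError:
        return None
    # Every part but the last is one byte; the last one fills the remaining bytes.
    last_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << last_bits:
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << last_bits) | values[-1]
    return str(ipaddress.IPv4Address(number))


def normalize_host(host):
    """Canonical host: dotted-quad IPv4, compact uppercase IPv6 in brackets,
    or the domain name in lower case."""
    if host.startswith("[") and host.endswith("]"):
        return "[" + ipaddress.IPv6Address(host[1:-1]).compressed.upper() + "]"
    return ipv4_to_dotted(host) or host.lower()


def normalize_url_host(url):
    """Rewrite only the host of a URL, keeping credentials, port and the rest."""
    s = urlsplit(url)
    host = s.hostname or ""
    if ":" in host:                      # urlsplit strips the brackets from IPv6 literals
        host = "[" + host + "]"
    userinfo = s.netloc.rsplit("@", 1)[0] + "@" if "@" in s.netloc else ""
    port = f":{s.port}" if s.port is not None else ""
    return urlunsplit((s.scheme.lower(), userinfo + normalize_host(host) + port,
                       s.path, s.query, s.fragment))
```

Comparing the normalized host rather than the raw one is what lets a single allowlist or blocklist entry cover all spellings of the same address.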
The encoded sequences %00 - %1F and %7F are control characters and may render unpredictably
when decoded. Two-byte sequences starting with %C2 followed by %80 - %A0 are also control
characters.
Do not use the URL encode tool to encode, for example, the entire path. This will result in a
non-canonical encoding. Encoding a/b will result in the string a%2Fb which will no longer match
a/b in the path. Only encode individual path segments and individual terms (the keys and values
in key-value pairs) in the Query string.
Definition
Name
Documents
Definition
Name
Documents
Definition
Search
Search by name for documents that you want to exclude from the policy.
Name
Size
Trained on
Definition
Rule name
With most Email Gateway rules, scanning stops and the configured actions are
taken if the rule triggers. Select this option to take the configured actions, but
to continue the scan when the rule triggers.
Select this option when using file filtering to define the files sent to Advanced
Threat Defense and when using file filtering for other purposes, such as Image
filtering.
Option
Definition
File categories Select the file categories to which you want the rule to apply.
Categories include:
Advanced Threat Defense - Supported
formats
Archive/Compressed files
E-Mail messages
Documents
HTML content
Databases
Spreadsheets
Multimedia
Graphics/Presentation
Select this option to enable this rule to be used for file categories that are
unrecognized.
MP3
MPEG
MPEG-1 video
MPEG-2 video
MPEG-4 file
MPEG-7 file
Windows Video
Definition
Select either:
Protected
Unprotected
Definition
Take action when the file size is Select to take the configured actions when a file is either less than or
greater than the configured file size.
Definition
Select the primary action to take when the rule triggers. Choose from:
Deny connection (Block)
Refuse the data and return an error code (Block)
Replace the content with an alert (Modify)
Allow Through (Monitor)
And also
Select the secondary actions to take when the rule triggers on the original
message, and set notification and encryption options as necessary.
When clicked, takes you to the Default Notification and Routing Settings
(SMTP) set of options.
Definition
Rule name
Definition
Search
Search the list of dictionaries for the ones that you want to include in the rule.
Name
Displays the dictionary name as it appears in the Compliance Dictionaries list (Email | DLP and
Dictionaries | Compliance Dictionaries).
Option
Definition
Threshold
Displays the threshold that will trigger a score-based dictionary. To enable score-based
detection for a dictionary, go to Email | DLP and Dictionaries | Compliance Dictionaries.
Max Term Count Displays the maximum number of times that terms in that dictionary can contribute
towards a threshold score.
Definition
Search
Search the list of dictionaries for the ones that you want to exclude from the rule
Name
Displays the dictionary name as it appears in the Compliance Dictionaries list (Email | DLP and
Dictionaries | Compliance Dictionaries).
Threshold
Displays the threshold that will trigger a score-based dictionary. To enable score-based
detection for a dictionary, go to Email | DLP and Dictionaries | Compliance Dictionaries.
Max Term Count Displays the maximum number of times that terms in that dictionary can contribute
towards a threshold score.
Definition
Select the primary type of action from the drop-down list that you want the
appliance to take when it triggers a compliance detection.
And also
Optionally, select secondary actions that can be applied to the detection, such
as quarantining the original or modified message, notifying the sender, and
sending the message to other people. The options displayed differ according to
the primary action that you select.
Opens the Default Notification and Routing Settings pages. See Email | Email Policies |
Policy Options | Notifications and routing.
And conditionally
Specify whether you want the actions to take place when Any or All of the
dictionaries in the rule trigger a match.
Definition
Expand the rule that contains the settings on which to base the new rule.
Search
Search the list of dictionaries for the rule on which you want to base your
new rule.
Rule name
Definition
Select the primary type of action from the drop-down list that you want the
appliance to take when it triggers a compliance detection.
And also
Optionally, select secondary actions that can be applied to the detection, such
as quarantining the original or modified message, notifying the sender, and
sending the message to other people. The options displayed differ according to
the primary action that you select.
Notification and annotated email options: Opens the Default Notification and Routing Settings pages. See Email | Email Policies | Policy Options | Notifications and routing | Routing.
Specify whether you want the actions to take place when Any or All of the
dictionaries in the rule trigger a match.
And conditionally
Scanner Limits
Use this page to set limits on scanning to prevent attacks and other performance issues.
Definition
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Definition
Specifies the limit. The default value is: File size 500MB
(menu)
Definition
And also
Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:
Definition
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and annotated email options: Follow the link to configure the options for notification messages and annotated email messages.
If a denial of service action results in an alert: Select to use the default alert, or follow the link to make changes to the alert text.
Definition
If nesting depth exceeds (menu)
Definition
And also
Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:
Definition
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and annotated email options: Follow the link to configure the options for notification messages and annotated email messages.
If a denial of service action results in an alert: Select to use the default alert, or follow the link to make changes to the alert text.
Definition
(menu)
Definition
And also
Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:
Definition
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and annotated email options: Follow the link to configure the options for notification messages and annotated email messages.
If a denial of service action results in an alert: Select to use the default alert, or follow the link to make changes to the alert text.
Alert settings
Use this page to control the format and appearance of the alert message that users receive when the
appliance detects a threat.
Definition
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Option
Definition
Alert format
Header text
Show
Shows the header text as HTML source (showing tags such as <p>) or as users see
the text (WYSIWYG). This option is not applicable for text alerts.
Footer text
Show
Shows the footer text as HTML source (showing tags such as <p>) or as users see
the text (WYSIWYG). This option is not applicable for text alerts.
Restore Defaults
Specifies the name of the file that contains the alert. Default value is warning.htm or
warning.txt.
Definition
Style / Font / Size Select the paragraph style, size, and font that you want to apply to the text.
Tokens
Select the token variables that you want to appear in the message, such as the name
of the attachment and the policy that it infringed.
Show
Choose how you want to view the notification text in the Alert Editor.
Use Default
Email | Email Policies | Policy Options | Content handling | Email Options | Basic Options
To cater for the needs of various departments, you might need several policies, each with its own
disclaimer. Alternatively, you can configure policy exceptions, to reduce the total number of policies
you need to maintain.
Table 4-120 Option definitions Policy exceptions
Option
Definition
Number of exceptions
Policy name
Exception name
Definition
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-121 Option definitions Content Handling Settings Email Options Basic Options
Option
Definition
Specifies a prefix that the appliance adds to the subject line after a major
modification to the message, for example when an alert message replaces
an infected item.
If this prefix is added to the subject line, it precedes other prefixes such as
those that indicate spam or phish detections. If you add a disclaimer to a
message, its subject line is not affected.
Disclaimer text
Placement
When re-encoding attachments
Email | Email Policies | Policy Options | Content handling | Email Options | Advanced Options
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.
Definition
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-123 Option definitions Content Handling Settings Email Options Advanced Options
Option
Definition
But do not encode if the text is already 7-bit: When selected, prevents encoding of 7-bit data.
Default decode character set
Email | Email Policies | Policy Options | Content handling | Email Options | Missing / Empty Headers
In spam and spoofed email, headers are sometimes altered to hide the identity of the sender.
Table 4-124 Option definitions Policy exceptions
Option
Definition
Number of exceptions
Policy name
Exception name
Add exception
Move up and down: When you have two or more policy exceptions, you can change the priority in which they are used by using the Move up and Move down buttons. The exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-125 Option definitions Content Handling Settings Email Options Missing/Empty Headers
Option
Definition
Action
And also
Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to
Product Guide
301
Table 4-125 Option definitions Content Handling Settings Email Options Missing/
Empty Headers (continued)
Option
Definition
the intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:
Notification and
annotated email options
Follow the link to configure the options for notification messages and annotated
email messages.
Select to use the default alert, or follow the link to make changes to the alert
text.
Content Handling Settings Email Options Text and binary MIME types
Use this page to specify special MIME types as text or binary to improve the efficiency of the scanning.
Email | Email Policies | Policy Options | Content handling | Email Options | Text and binary MIME types
The appliance handles common MIME types. You need only specify any new or unusual MIME types
here.
Table 4-126 Option definitions Policy exceptions: the same options as the policy-exceptions table above.
Table 4-127 Option definitions Content Handling Settings Email Options Text and binary MIME types
Email | Email Policies | Policy Options | Content handling | Email Options | Text and binary MIME types
Examples of non-ASCII formats include:
8-bit audio
Video files
MIME defines different ways of encoding non-ASCII formats so that they can be represented using characters in the 7-bit ASCII character set.
MIME also defines extra email headers that carry further information about the encoded content.
The resulting MIME message can be "decoded" or "re-encoded" after transmission. We say "re-encoded" because a MIME message can be converted into a different character set from the original message.
Email | Email Policies | Policy Options | Content handling | Email Options | Character sets
You can select a fixed mapping (always use the alternative character set) or a list of alternatives to be
used only if decoding fails.
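The two decoding strategies described above (a fixed mapping versus a list of alternatives tried only when decoding fails), together with the Advanced Options rule "do not encode if the text is already 7-bit", as an added example in Python. This is illustration code, not the appliance's implementation; the sample message, the fallback order in ALTERNATIVES and the choice of quoted-printable for the 7-bit re-encoding are assumptions made for the example.

```python
# Added example (not McAfee code): decode a text part with either a fixed
# character set or a list of alternatives tried only when decoding fails, then
# re-encode the text as 7-bit quoted-printable unless it is already 7-bit.
import quopri
from email import message_from_bytes

# Constructed sample: the part is labelled us-ascii but actually carries
# UTF-8 bytes with an 8bit transfer encoding, a common mislabelling.
SAMPLE = (
    b"From: sender@example.test\r\n"
    b"To: rcpt@example.test\r\n"
    b"Subject: charset test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: text/plain; charset="us-ascii"\r\n'
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
    b"Gr\xc3\xbc\xc3\x9fe aus M\xc3\xbcnchen\r\n"
)

ALTERNATIVES = ("utf-8", "iso-8859-1")  # assumed fallback order


def decode_text_part(part, fixed=None, alternatives=ALTERNATIVES):
    """Return (text, charset_used) for a text/* part.

    fixed     -> always decode with this charset and ignore the declared one
                 (the "fixed mapping" option); undecodable bytes are replaced.
    otherwise -> try the declared charset, then each alternative in turn, and
                 use the first one that decodes cleanly (the "list of
                 alternatives to be used only if decoding fails" option).
    """
    raw = part.get_payload(decode=True)  # undoes base64/quoted-printable first
    if fixed is not None:
        return raw.decode(fixed, errors="replace"), fixed
    declared = part.get_content_charset() or "us-ascii"
    for charset in (declared, *alternatives):
        try:
            return raw.decode(charset), charset
        except (UnicodeDecodeError, LookupError):
            continue
    # Last resort: iso-8859-1 maps every byte to a code point, so it never fails.
    return raw.decode("iso-8859-1"), "iso-8859-1"


def reencode_7bit(text, charset="utf-8", skip_if_7bit=True):
    """Return (payload_bytes, transfer_encoding) that survive a 7-bit path.

    skip_if_7bit implements "But do not encode if the text is already 7-bit":
    pure-ASCII text is passed through untouched instead of being re-wrapped.
    """
    data = text.encode(charset)
    if skip_if_7bit and all(b < 0x80 for b in data):
        return data, "7bit"
    return quopri.encodestring(data), "quoted-printable"


def process(raw_message, fixed=None):
    """Decode every text part of a raw message and re-encode it as 7-bit."""
    msg = message_from_bytes(raw_message)
    results = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text, used = decode_text_part(part, fixed=fixed)
        payload, cte = reencode_7bit(text.strip())
        results.append({"charset": used, "text": text.strip(),
                        "cte": cte, "payload": payload})
    return results


if __name__ == "__main__":
    for r in process(SAMPLE):
        print(r["charset"], r["cte"], r["payload"])
```

Running the sample with the alternatives list recovers the UTF-8 text; running it with fixed="iso-8859-1" silently produces mojibake, which is why a fixed mapping is only appropriate when you know every sender mislabels in the same way.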
Table 4-128 Option definitions Policy exceptions: the same options as the policy-exceptions table above.
Table 4-129 Option definitions Email Options Character sets

Character sets
Fixed    Always use the alternative character set.
Alternatives    A list of alternative character sets, used only if decoding fails.
Policy exceptions: the same options as the policy-exceptions table above.
Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Corrupt content
Scanners and other applications can have difficulty reading corrupt content. You can specify the action
to take when the appliance detects corrupt content in:
Email messages
Archives
Documents
Policy exceptions: the same options as the policy-exceptions table above.
Option definitions - Corrupt content

If corrupt content is detected
Other actions    Modify subject and Modify headers, as described for Table 4-125 (Missing/Empty Headers) above.
Notification and annotated email options    Follow the link to configure the options for notification messages and annotated email messages.
If an action results in an alert    Select to use the default alert, or follow the link to make changes to the alert text.
Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Protected files
You can specify the action to take when the appliance cannot scan inside an email attachment (either an archive or a document), or a file being requested from a website, because it is password protected. Password-protected content is encrypted, so the appliance cannot examine it.
If you choose to allow such files into your network, you must ensure that their contents can be scanned later for threats by an on-access scanner, which only sees the content once a user has supplied the password and opened or extracted the file.
Table 4-133 Option definitions Policy exceptions: the same options as the policy-exceptions table above.
Option definitions - Protected files

If a read protected document is detected    Provides a main action to take. The available options are:
    Deny connection (Block)
    Replace all attachments with an alert (Modify)
    Refuse the data and return an error code (Block)
And also
Other actions    Modify subject and Modify headers, as described for Table 4-125 (Missing/Empty Headers) above.
Notification and annotated email options    Follow the link to configure the options for notification messages and annotated email messages.
If an action results in an alert    Select to use the default alert, or follow the link to make changes to the alert text.

If a password-protected archive file is detected
And also
Other actions    Modify subject and Modify headers, as described for Table 4-125 (Missing/Empty Headers) above.
Notification and annotated email options    Follow the link to configure the options for notification messages and annotated email messages.
If an action results in an alert    Select to use the default alert, or follow the link to make changes to the alert text.
Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | Corrupt or Unreadable Content
A partial message. If a message has been divided into smaller parts for sending as several separate
email messages, each part is called a partial message.
An external-body message. The message contains a reference to an external resource and the
scheme (usually FTP) that retrieves that resource.
Policy exceptions: the same options as the policy-exceptions table above.
Option definitions - Partial and external-body messages

If a message/partial type is encountered
Other actions    Modify subject and Modify headers, as described for Table 4-125 (Missing/Empty Headers) above.
Notification and annotated email options    Follow the link to configure the options for notification messages and annotated email messages.

If a message/external-body type is encountered
And also
Other actions    Modify subject and Modify headers, as described for Table 4-125 (Missing/Empty Headers) above.
Notification and annotated email options    Follow the link to configure the options for notification messages and annotated email messages.
If an action results in an alert    Select to use the default alert, or follow the link to make changes to the alert text.
Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Unscannable Content
You can specify the action to take when the appliance finds a file that is unscannable.
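The kinds of content handled by the Missing/Empty Headers, Protected files, partial/external-body and Unscannable Content pages above, detected on a raw message by a small Python triage routine. This is an added example, not the appliance's own logic: the set of required headers in REQUIRED_HEADERS, the finding labels and the sample message are assumptions made for the example. It flags headers that are absent or present but empty, message/partial and message/external-body parts, and ZIP attachments that are either password protected (the encrypted flag bit is set, so the contents cannot be read) or corrupt.

```python
# Added example (not McAfee code): triage a raw message for missing or empty
# headers, message/partial and message/external-body parts, and ZIP
# attachments that are password protected (encrypted) or corrupt.
import base64
import io
import zipfile
from email import message_from_bytes

# Assumed minimum header set; the guide does not list which headers the
# appliance checks.
REQUIRED_HEADERS = ("From", "To", "Date", "Message-ID")


def missing_or_empty_headers(msg):
    """Return [(header, 'missing' | 'empty')] for the required headers."""
    findings = []
    for name in REQUIRED_HEADERS:
        value = msg.get(name)
        if value is None:
            findings.append((name, "missing"))
        elif not value.strip():
            findings.append((name, "empty"))
    return findings


def classify_zip(data):
    """'password-protected', 'corrupt' or 'scannable' for a ZIP blob."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flags marks an encrypted entry;
            # check it before testzip(), which cannot read encrypted entries.
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                return "password-protected"
            return "corrupt" if zf.testzip() is not None else "scannable"
    except zipfile.BadZipFile:
        return "corrupt"


def iter_parts(msg):
    """Like Message.walk(), but do not descend into message/* parts: the
    phantom headers of an external-body part describe content that is not
    actually present, and a partial part is only a fragment."""
    yield msg
    if msg.get_content_maintype() == "message":
        return
    if msg.is_multipart():
        for sub in msg.get_payload():
            yield from iter_parts(sub)


def triage(raw):
    msg = message_from_bytes(raw)
    findings = [f"header {n} {state}" for n, state in missing_or_empty_headers(msg)]
    for part in iter_parts(msg):
        ctype = part.get_content_type()
        if ctype in ("message/partial", "message/external-body"):
            findings.append(f"{ctype} part")
        elif ctype == "application/zip":
            findings.append("zip " + classify_zip(part.get_payload(decode=True)))
    return findings


# --- constructed test material (not real traffic) -------------------------
def make_zip(name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag bit in the local and central headers of a
    single-entry archive (zipfile cannot write encrypted ZIPs itself)."""
    data = bytearray(zip_bytes)
    data[data.find(b"PK\x03\x04") + 6] |= 0x1   # local file header flags
    data[data.find(b"PK\x01\x02") + 8] |= 0x1   # central directory flags
    return bytes(data)


LOCKED_ZIP = mark_encrypted(make_zip("invoice.txt", "pay me"))

SAMPLE = (
    b"From: \r\n"                                  # present but empty
    b"To: rcpt@example.test\r\n"
    b"Subject: invoice\r\n"                        # no Date, no Message-ID
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\n"
    b'Content-Type: message/partial; id="x1@example.test"; number=1; total=2\r\n'
    b"\r\nFrom: someone@example.test\r\nSubject: first half\r\n\r\nfragment\r\n"
    b"--b1\r\n"
    b"Content-Type: message/external-body; access-type=anon-ftp; "
    b"site=ftp.example.test; name=report.zip\r\n"
    b"\r\nContent-Type: application/zip\r\n\r\n"
    b"--b1\r\n"
    b'Content-Type: application/zip; name="locked.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(LOCKED_ZIP) +
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Note that an encrypted ZIP still exposes its entry names, sizes and CRCs in the central directory; only the entry data is unreadable, which is exactly why the appliance cannot scan it and why the on-access scanner caveat above matters.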
Table 4-137 Option definitions Policy exceptions: the same options as the policy-exceptions table above.
Option definitions - Unscannable content

If unscannable content is detected    Provides a main action to take. The available options are:
    Deny connection (Block)
    Replace the content with an alert (Modify)
    Refuse the data and return an error code (Block)
Other actions    Modify subject and Modify headers, as described for Table 4-125 (Missing/Empty Headers) above.
Notification and annotated email options    Follow the link to configure the options for notification messages and annotated email messages.
If an action results in an alert    Select to use the default alert, or follow the link to make changes to the alert text.
Policy-based actions
Policy-based actions execute when an email message matches a configured policy, without needing a
scan to trigger the selected action.
Contents
Benefits of fine-tuning scanning with policy-based actions
Option definitions Policy based actions
Scenario - Configure Policy based actions
Applying policy exceptions to Policy based actions
Task - Add an exception to a policy based action
Policy exceptions: the same options as the policy-exceptions table above.
Option definitions - Policy based actions

And also
Quarantine options
    Quarantine original: Select to have the original message added to the Quarantine database.
    Quarantine modified: Select to have the modified message added to the Quarantine database.
    If you are using off-box quarantine, you can also select the quarantine queue into which the email message is placed. This selection can include custom quarantine queues that you have created.
Other actions
    Modify subject and Modify headers, as described for Table 4-125 (Missing/Empty Headers) above.
    Deliver message using encryption: Attempt delivery of the message using your configured encryption settings.
    In the options, n represents the number of lists you select for each related action.
Notification and annotated email options
Exceptions
Click the Exceptions tab at the left side of the Policy Based Action Settings window to show
or hide the policy exceptions options.
With Exceptions showing, you can configure or edit exceptions and set the actions for
them.
Task
1
From the drop-down list, select the policy from which the new policy inherits settings. In this
case, select Default policy.
To set the Match logic, select Match one or more of the following rules.
Click OK.
The Add Rule window closes and the new rule appears on the Scanning Policies New Policy window.
Click OK.
The Scanning Policies New Policy window closes, and the new policy appears at the top of the list on
the Email Policies page.
Within the new policy, select the Policy Options | Policy based action link.
Be sure you select options within the new policy, rather than the default or any other configured
policies!
Ensure that Use the same settings as the default policy is not selected.
For the primary action, select Skip scanning from the drop-down list.
For the secondary action, select Other Actions | Deliver message using encryption.
Click OK.
The Policy Based Action Settings window closes, and the policy-based actions appear under Policy
Options.
Outbound messages from the Legal Department are encrypted, and are not scanned.
From the drop-down list, select the policy from which the new policy inherits settings. In this
case, select Default policy.
To set the Match logic, select Match one or more of the following rules.
Click OK.
The Add Rule window closes and the new rule appears on the Scanning Policies New Policy window.
Click OK.
The Scanning Policies New Policy window closes, and the new policy appears at the top of the list on
the Email Policies page.
Within the new policy, select the Policy Options | Policy based action link.
Be sure you select options within the new policy, rather than the default or any other configured
policies!
Ensure that Use the same settings as the default policy is not selected.
For the primary action, select Allow through (Monitor) from the drop-down list.
For the secondary action, select Original email options | Forward original to n lists.
Click OK.
The Policy Based Action Settings window closes, and the policy-based actions appear under Policy
Options.
A designated reviewer receives original email messages from XYZ Corp. and can take further action.
Issue You have to send audit copies of email messages to specific auditors, based on either the
sender or the recipient of the message. You want to do this using your default policy, rather than
creating policies to meet the requirement. For example, you might want to send the legal group audit
copies of messages addressed to tax accounting. You might also want to send sales management
copies of messages from field representatives.
Solution Without changing your default policy, add a policy exception to send audit copies of
messages destined for anyone in tax accounting to the legal team. Then create another exception to
send copies of messages from field representatives to sales management.
Creating user groups for members of tax accounting, field representatives, and sales managers might
be helpful.
In the policies table, for the policy where you want to add an exception, select Policy based actions.
The Policy Based Action Settings window opens.
Option definitions - Notification messages

Sender    Specifies the From address that the appliance uses when sending a response to the sender of email that contained a threat.
Subject
Content
Display (including Name:)

Bounce messages
Sender    Specifies the From address that the appliance uses when sending bounce email messages.
Subject

Modified email messages returned to the sender
Sender    Specifies the From address that the appliance uses when returning modified email messages to the sender.
Subject    Define the subject line to be used in modified email messages being returned to the sender.

Forwarded email
Sender    Select the sender from whom forwarded emails appear to come. The options are:
    Original sender (default)
    Notification email sender
Route the email to an alternative SMTP relay    Selects the relay from the list on the SMTP Relays page.
Manage the list of relays    When clicked, opens a window where you can make a list of SMTP relays.
Email | Email Policies | Policy Options | Notifications and routing | SMTP Relays
Table 4-148 Option definitions

Relay List    Specifies the relays. To edit the list, click the blue link to open the Edit List window.
Email | Email Policies | Policy Options | Notifications and routing | Encryption Servers
Table 4-149 Option definitions

Server Group    Specifies the name of the list of encryption servers. To edit the list, click the blue link to open the Edit List window.
Email | Email Policies | Policy Options | Notifications and routing | Email Recipients
For example, you can make lists of email addresses for administration and auditing. The lists are used
by several pages in the interface, for example: Email | Email Policies | Scanning Policies [Scanner Options] |
Notification and routing | Audit Copies
Table 4-150 Option definitions
Option Definition
Email List Specifies the name of the list. To edit the list, click the blue link to open the Edit List window.
Email | Email Policies | Scanning Policies | Scanner Options | McAfee GTI feedback
Dashboard | Services
Encryption settings
Define the encryption settings for this policy.

Option definitions - Encryption Settings

Click to open the Encryption Servers dialog box where you add lists of encryption servers.
Choose from:
    S/MIME
    PGP
    Secure Web Mail
    If more than one encryption option is chosen, the encryption methods are attempted in the order that you see here until one is successful.
If selected, Email Gateway attempts to use TLS to secure the link. If TLS is established, the content of the email message is not encrypted: only the connection to the next mail server is protected, and that server and every hop beyond it handle the message in clear text. However, if TLS cannot be established, then the email message content is encrypted using your chosen encryption methods.
If none of the selected encryption methods are possible    If the selected encryption method(s) fail, specify the action that you want to take:
    Attempt delivery using TLS and send an NDR if that is not possible: TLS is enforced for delivery, subject to your TLS settings.
    Send an NDR without attempting delivery using TLS: the email is not delivered, and a report is sent to the sender.
Option definitions - Decryption settings

Attempt to decrypt S/MIME-encrypted emails    Enable this to configure your appliance to attempt the decryption of email messages encrypted using S/MIME. By default, this option is disabled.
Attempt to decrypt PGP-encrypted emails    Enable this to configure your appliance to attempt the decryption of email messages encrypted using PGP.
The decryption settings are based on the highest-order policy that applies to all recipients. Decryption cannot be configured for policies that only apply to a sub-set of users.
If these options are left disabled, or the appliance is unable to decrypt the message, the Encrypted Content settings are used.
Task
1 Click OK.
Once you have enabled Secure Web Mail, you need to configure your Email Policies to use this feature.

Click to open the Edit List dialog box where you can create a new notification list.
Reset    Click Reset to remove the information within all fields in the dialog box.
Option definitions - Edit List dialog box

List name    Displays the name of the list: either Administration Email List, Notification Email List, or Auditing Email List, or a list that you created yourself.
Email address    A list of email addresses that belong to the list. Use the trashcan icon to remove a selected address from the list. The trashcan icon becomes active only when more than one address exists in the list.
Add    Click to open the Edit Email Address dialog box where you can either type or use a template to add a new email address to the list.
Delete

Option definitions - Edit Email Address dialog box

Standard
Template
Reset    Click to remove all information from the fields in this dialog box.
Policy exceptions: the same options as the policy-exceptions table above.
Table 4-152

Search    Type any portions of the URL as search parameters. Applies to the Description and Pattern columns.
Type
Description
Pattern
Match Case
Edit    Clicking this link opens the URL Expression Builder where you can edit this URL.
Click this button to open the URL Expression Builder to add a URL by entering a simple DOS pattern.
Click this button to open the URL Expression Builder to add a URL by entering a regular expression.
Click this button to delete any patterns you have checked in this table.
Registered Documents
Use this page to register documents for inclusion in the Data Loss Prevention policies.
Sensitive documents can be uploaded where the content is then transformed into a set of signatures
representing the original content. Note that only the signatures are permanently stored on the
appliance, not the original contents. Once the policy is set, these signatures are compared against all
content sent by email through the appliance to prevent data leakage occurring.
If a document is used by a data loss prevention policy, you cannot delete either the document, or any
categories that the document belongs to. To delete either the category, or the document, the document
must first be removed from any associated policies. Hover the cursor over the Used by column to see
the policies that use either the category, or the document.
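The idea described above, registering a document as a set of signatures so that only the signatures (never the original contents) are stored and later compared against outgoing mail, as an added Python example. This is not the appliance's signature scheme, which the guide does not describe; the example uses hashed five-word shingles, a 30 percent overlap threshold, and an "Excluded Content" category whose signatures are subtracted from every registered document, all of which are assumptions made for the illustration. The sample documents and messages are constructed.

```python
# Added example (not McAfee code, and not the product's actual signature
# scheme): register documents as sets of hashed word shingles, keep only
# those signatures, and score outbound text against them.
import hashlib
import re

SHINGLE_WORDS = 5     # words per shingle (assumed)
THRESHOLD = 0.30      # fraction of a document's signatures that must reappear (assumed)
EXCLUDED = "Excluded Content"


def words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def signatures(text, k=SHINGLE_WORDS):
    """Set of truncated SHA-256 digests, one per k-word window."""
    toks = words(text)
    return {
        hashlib.sha256(" ".join(toks[i:i + k]).encode()).digest()[:8]
        for i in range(len(toks) - k + 1)
    }


class Registry:
    def __init__(self):
        self.categories = {}          # category -> {document name: signatures}

    def register(self, category, name, text):
        # Only the signatures are kept; the original text is discarded here.
        self.categories.setdefault(category, {})[name] = signatures(text)

    def excluded(self):
        return set().union(*self.categories.get(EXCLUDED, {}).values())

    def scores(self, outbound_text, category, use_exclusions=True):
        """{document name: fraction of its signatures found in outbound_text}"""
        out = signatures(outbound_text)
        drop = self.excluded() if use_exclusions else set()
        result = {}
        for name, sigs in self.categories.get(category, {}).items():
            effective = sigs - drop   # boilerplate shared with every document does not count
            result[name] = len(out & effective) / len(effective) if effective else 0.0
        return result

    def leaks(self, outbound_text, category, threshold=THRESHOLD):
        return sorted(n for n, s in self.scores(outbound_text, category).items()
                      if s >= threshold)


# --- constructed sample documents and messages ----------------------------
TEMPLATE = ("This message and any attachments are confidential and intended solely "
            "for the addressee. If you received it in error, notify the sender and delete it.")
FORECAST = ("Quarterly revenue forecast: the board expects net revenue of 42 million in "
            "the third quarter, driven by the Nordic contract renewal and the pending "
            "acquisition of Acme Logistics. These figures are confidential until the "
            "earnings call on 14 August.\n" + TEMPLATE)

registry = Registry()
registry.register("Finance", "q3-forecast.docx", FORECAST)
registry.register(EXCLUDED, "legal-footer.txt", TEMPLATE)

LEAK = ("FYI: the board expects net revenue of 42 million in the third quarter, driven by "
        "the Nordic contract renewal and the pending acquisition of Acme Logistics.\n"
        + TEMPLATE)
BENIGN = "Lunch on Friday? Let me know.\n" + TEMPLATE

if __name__ == "__main__":
    print("leak   ", registry.scores(LEAK, "Finance"), registry.leaks(LEAK, "Finance"))
    print("benign ", registry.scores(BENIGN, "Finance"), registry.leaks(BENIGN, "Finance"))
    print("benign, no exclusions", registry.scores(BENIGN, "Finance", use_exclusions=False))
```

The BENIGN case shows why the Excluded Content category exists: the legal footer alone covers about a third of the forecast document's signatures, enough to cross the threshold if it were not subtracted, so a registered template prevents every routine message carrying that footer from being reported as a leak.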
Option definitions - Categories

Categories
Status    An icon shows the state of the category, with appropriate tool tips:
    The category has been modified: it has been renamed, or documents have been added to or removed from it.
    The category is new and does not exist in the Data Loss Prevention database. This status disappears as soon as the configuration is applied.
    Everything is normal.
Used by    Displays the number of data loss policies that use this category.
Documents
Add
Option definitions - Documents

Copy    Copy selected documents to another category. When you select this option, it opens the Search feature, which looks for categories without that document.
    Documents from other categories cannot be copied into the Excluded Content category. However, you can upload documents from other categories to the Excluded Content category.
    When you upload a document from another category to the Excluded Content category, the document's signatures increase. The version of the document in the other category has the same higher number of signatures as the version in the Excluded Content category.
Delete    Delete multiple documents by name. When you select this option, it opens the Search feature, which looks for documents by name in all categories or just a selected category.
    To delete documents from all the categories, click Clear Selection first. If no category is selected, the selected documents are deleted in every category, so that the document is removed entirely from the registered documents database.
File Name    Lists all the documents associated with the selected document category.
Status    An icon shows the state of the document, with tool tips:
    There is an error in the document. See the tooltip for the reason: an error in the database, an error while uploading the document, or an error during document training.
    There are modifications that have not yet been applied.
    The document is new. Documents are trained when they are uploaded.
    The document is normal: it is unchanged, or the uploaded document was trained successfully.
Digest
Size
Excluded by    The number of policies that have this file in the exclusion list.
Signatures
Trained on
Upload    Click to register documents against this category, either individually or within an archive. Supported archive formats are:
    Zip (*.zip)
    Tar (*.tar)
    Gzip (*.gz)
    The Character Encoding drop-down list allows you to specify the character set used for filenames.
    To upload files in .TXT format, McAfee recommends that you save them using Unicode or UTF-8 formats.
Copy existing    Click to copy an existing document from other categories into the selected category. When you select this option, it opens the Search feature, which looks for documents that are not currently linked to the selected category, but that exist in other categories.
Solution
Identify the policy by hovering over the value in the Used by column,
and remove the category from the policies listed in the tooltip.
Browse to the file that you want to register in the Finance category, and click OK.
Either select a pre-defined category from the list, or create a new one.
Browse to the zip file that you created, and click OK.
Browse to the template file that you want to ignore, and click OK.
In the Documents section, select the document, and click the Copy icon.
Select the categories to which you want the document to be associated, and click OK.
In the document list, locate the file that you want to remove as a registered document, and try to click the Delete icon.
Hover the mouse cursor over the Excluded by entry for that document to find out which policy
excludes that document.
Go to Policy Catalog | McAfee Email Gateway 7.6.4 | Email Policies and click Edit Settings.
Click the Delete icon next to the appropriate document in the Exclusions list.
Compliance Dictionaries
Use this page to view and edit compliance dictionaries.

Option definitions - Compliance dictionaries

Language
Dictionary    Displays the name of the dictionary and a symbol to indicate its type:
    Red book: Non score-based
    Blue book: Score-based
    Green book: User-defined
    Open book: Currently selected item
Category    Dictionaries are grouped into related categories. For example, Profanity and Sex are in the Acceptable Use category.
Used by
Edit    When the icon is clicked, a window opens where you can change the dictionary name and description.
Delete
Add dictionary    When clicked, adds a new dictionary. Type a name and description for your dictionary, and select whether the dictionary will match on regular expressions or simple strings. A new row for your dictionary appears at the bottom of the list of dictionaries. You can add words to the new dictionary later.
Import dictionaries    When clicked, imports a file to replace your existing dictionaries.
Export dictionaries    When clicked, exports the dictionaries as an XML file. You can send the file to other appliances, ensuring that content scanning is consistent.
Option definitions - Terms

Match type
Applies to
Term    Enter the term that you want the appliance to search for.
Locate    Opens a Locate a term window, where you can type text to locate in the terms of the currently selected dictionary. You can type a regular expression here using Boost Perl Regular Expression Syntax. Regular expressions are case sensitive; to make a pattern case insensitive, start it with (?i).
Copy    Copy the listed terms within the selected dictionary.
Paste    Paste the copied terms into the selected dictionary.
Edit    Open a window where you can change the description for the currently selected dictionary. You cannot change the name of dictionaries supplied by McAfee.
Delete    Deletes the selected term.
Conditions
(OR)
For dictionaries that are not score-based, you can view lists of terms that are combined
using the logical OR operator. The dictionary will trigger when 'any of' the term lists
trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
Term lists
For dictionaries that are score-based, you can view the individual lists of terms in the
selected dictionary.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
Applies to Click the link to specify the category and subcategory against which the terms will be searched for, such as looking for terms within an email message subject line.
Term
Displays the trigger word or phrase. The icon before the term indicates whether it is a
regular expression, simple string or complex term.
Hover your mouse cursor over the icon to see the term type.
Score
Displays the score attributed to the term. To make the dictionary score-based, click Add.
To find out more about using thresholds and scores, see the tasks in Compliance
Settings.
Case sensitive
If selected, the appliance responds only to text that matches the term exactly in letter
case.
Example: If the term is Abc, the appliance responds to the word Abc. However, the
appliance ignores abc or ABC.
Wildcard
When selected, allows the use of ? and * in the term to represent unknown single or
multiple characters.
Example: If the term is ab?, the appliance responds to the word abc or abd. If the term
is ab*f, the appliance responds to the word abcdef or abcf.
Starts with
When selected, matches the term when it appears at the start of a word.
Example: If the term is bc, the appliance responds to the words bc, bcd or bcdef.
However, the appliance ignores abc or abcd.
Ends with
When selected, matches the term when it appears at the end of a word.
Example: If the term is bc, the appliance responds to the words bc or abc. However, the
appliance ignores bcd or abcd.
When used together, Starts with and Ends with match the term when it appears as a whole
word.
Example: If the term is bc, the appliance responds to the word bc. However, the appliance ignores bcd or abc.
Edit
When clicked, opens a window that allows you to change the basic term properties, or
create a complex term.
Term details Edit the basic term properties including the actual text that you are
looking for, as well as case sensitive, wildcard, and starts with and ends with as
defined above.
Contextual matching (advanced) Set triggers for terms based on proximity to other terms.
To set these details, click Add Word or Phrase:
Display string Sets the display name for the term in the list of dictionary terms.
Enable near matching Enable or disable triggers based on proximity.
Condition Specify the conditions under which you want the term to trigger.
Within a block Set the proximity within which the terms must be found.
Word or phrase The list of terms.
Removes the term from the dictionary.
For dictionaries that are not score-based, click to add new lists that are combined using the logical OR operator, with the following settings:
Name The name that you want to apply to the list of terms.
Description A unique description for the list.
Match type Specify whether the list contains regular expressions, or simple strings.
Applies to Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
Term Provide the first term in the list.
The dictionary will trigger when 'any of' the term lists trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
Add AND condition
For dictionaries that are not score-based, click to add new lists that are combined using the logical AND operator, with the following settings:
Match type Specify whether the list contains regular expressions, or simple strings.
Applies to Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
Term Provide the first term in the list.
The dictionary will trigger when 'all of' the conditions trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
For dictionaries that are score-based, click to add a list of terms in the selected
dictionary, using the following settings:
Name The name that you want to apply to the list of terms.
Description A unique description for the list.
Match type Specify whether the list contains regular expressions, or simple strings.
Applies to Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
Term Provide the first term in the list.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
Insert term
When clicked, opens a window where you can add a new term using the following
settings:
Term details Specify the basic term properties including the actual text that you are
looking for, as well as case sensitive, wildcard, and starts with and ends with as
defined above.
Contextual matching (advanced) Set triggers for terms based on proximity to other terms.
To set these details, click Add Word or Phrase:
Display string Set the display name for the term in the list of dictionary terms.
Enable near matching Enable or disable triggers based on proximity.
Condition Specify the conditions under which you want the term to trigger.
Within a block Set the proximity within which the terms must be found.
Word or phrase The list of terms.
This feature assumes that you have selected a dictionary and one of its terms. When
you click OK in the Term Details window, the appliance adds the term to the dictionary and
next to the selected term. Both terms have the same condition.
Each character in a regular expression is either a metacharacter with its special meaning, or a
regular character with its literal meaning. Together, they can identify textual material of a given
pattern, or process a number of instances of it that can vary from a precise equality to a very general
similarity of the pattern. All regular expressions follow the same basic structure: expression plus flag.
Characters
A regular expression that contains no special characters ($()*+.?[^|) will match exactly what is contained within the expression. Literal characters match themselves, so even a simple regular expression produces results; special characters, however, allow for more specific searches.
Metacharacters provide additional control to the matches a regex produces. The characters .[{()*?|^$
are metacharacters. For example,
Anchors require that an expression is found in a particular place within a string, but do not match any
characters (zero width assertions):
For example:
In the Dictionary List section of the page, scroll down and select Credit Card Number as the dictionary to
use.
The Dictionary section of the page populates with any configured conditions and regular expressions.
In the Dictionary section, select the regular expression to validate the credit card number.
In the Validation Algorithm drop-down list, select Luhn10 (Credit Card, IMEI etc.) as the validation
algorithm.
For any regular expression dictionary, users can choose a type of validation algorithm that best suits
their purpose. None is the default.
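A validation algorithm matters because a regular expression only describes the shape of a card number, so any 16-digit order or reference number would otherwise trigger the dictionary. Here is an added Python example (not the appliance's code) of a regular-expression entry combined with the Luhn10 check and with the None algorithm; the candidate pattern, function names and sample text are constructed for this illustration.

```python
from __future__ import annotations

import re

# Constructed candidate pattern (an assumption, not the appliance's own dictionary entry):
# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a
# longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn10(digits: str) -> bool:
    """Luhn (mod 10) check as used for credit card numbers and IMEIs.

    Starting from the rightmost digit, every second digit is doubled; if doubling gives a
    two-digit number, 9 is subtracted. The number is valid when the digit sum is a
    multiple of 10.
    """
    if not digits.isdigit():
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def no_validation(digits: str) -> bool:
    """The 'None' validation algorithm: every regular expression match is reported."""
    return True


def find_card_numbers(text: str, validator=luhn10) -> list[str]:
    """Return every regex match that also passes the chosen validation algorithm."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if validator(digits):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    # Constructed sample: one Luhn-valid test card number, one order number that merely
    # looks like a card number, and one Luhn-valid IMEI.
    sample = ("Card 4111 1111 1111 1111, order ref 1234567890123456, "
              "device IMEI 490154203237518")
    print("without validation:", find_card_numbers(sample, no_validation))
    print("with Luhn10:", find_card_numbers(sample))
```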
Introduction to Graymail
Graymail is bulk email that does not meet the definition of spam.
Graymail messages could be considered either spam or legitimate email, depending upon the opinion
of the recipient.
Characteristics of Graymail
Graymail is email sent to a large number of recipients, but it differs from spam in several ways:
The user, at one time or another, requested to receive the messages, by such things as supplying
an email address.
Graymail messages come from reputable sources who want a relationship with the recipient, such
as a customer or client relationship.
Graymail typically contains content that might be of value to the recipients, and that might appeal
to their interests.
Graymail often includes an element of timeliness, such as an expiration date for an offer of goods
or services.
Requested or solicited email messages become graymail when the recipient becomes less interested in
receiving them.
Graymail detections show in reports as Spam detections triggered against the Graymail rule group,
along with the term that triggered the detection.
Task
1 Complete the steps, or click Next for each step to leave them unchanged, up to step 6, Email Configuration.
If you leave the check box unchanged from the way you found it, the Graymail configuration is
not updated.
Graymail is already configured - you did not check the box, but it was already checked.
Graymail is enabled, but it is not using the default action - the box was already checked, but the action has
previously been modified from the default action.
You can navigate back to the Email Configuration page in the Setup Wizard and uncheck then
recheck the checkbox to enable Graymail protection with the default action.
Click OK.
The dictionary appears selected in the dictionary list, and its term list appears at the bottom of the
page.
Click the edit icon next to the default term, new term, replace it with the text you want to trigger on, and click OK.
In the Term List, select the term you want to adjust, and change its score.
Apply changes.
Select the first regular expression, click the edit icon, and click Test.
Select the second regular expression, click the edit icon, and click Test.
Task Add a complex term to find the word Poker only when it is close to the word Game
Use this task to add a complex term to the dictionary. A complex term is a word or phrase that has a dependency on another word or phrase.
Task
Either create a new dictionary or select an existing non-score-based dictionary (indicated by a red book).
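Here is an added Python example (not the appliance's code) of the near-matching logic this task configures: the term Poker triggers only when Game appears within a block of N words. Measuring the block in word offsets, the "all"/"any" condition names and the function names are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

WORD = re.compile(r"\w+")


def word_positions(text: str, phrase: str) -> list[int]:
    """Word offsets at which `phrase` starts in `text` (case-insensitive, whole words only)."""
    words = [w.lower() for w in WORD.findall(text)]
    target = [w.lower() for w in WORD.findall(phrase)]
    n = len(target)
    if n == 0:
        return []
    return [i for i in range(len(words) - n + 1) if words[i:i + n] == target]


@dataclass
class ComplexTerm:
    """A term that only triggers when other words or phrases occur nearby."""
    term: str               # the term itself, e.g. "Poker"
    near: list[str]         # the Word or phrase list, e.g. ["Game"]
    within_words: int       # the Within a block setting, counted here in words (assumption)
    condition: str = "all"  # "all": every phrase must be nearby; "any": at least one must be

    def triggers(self, text: str) -> bool:
        for start in word_positions(text, self.term):
            nearby = [
                any(abs(pos - start) <= self.within_words
                    for pos in word_positions(text, phrase))
                for phrase in self.near
            ]
            satisfied = all(nearby) if self.condition == "all" else any(nearby)
            if satisfied:
                return True
        return False


if __name__ == "__main__":
    # Constructed sample messages; only the first is close enough to trigger.
    poker = ComplexTerm("Poker", ["Game"], within_words=3)
    for body in ("Join tonight's poker game at nine",
                 "Poker face is her favourite song, but the board game night is tomorrow"):
        print(poker.triggers(body), "<-", body)
```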
Email | DLP and Compliance | Compliance Dictionaries | Email dictionary list | Add Dictionary
Option
Definition
Name
Description
Language
Match type
Definition
Everything De-select this to specify particular file categories and subcategories, or leave it selected for all file types to be scanned.
File categories With the Everything check-box de-selected, choose the categories of files to be added into
the DLP Compliance Dictionaries.
Subcategories Within the selected category of files, select the sub-categories that you want included
within each chosen category.
Definition
Name
Description An optional text field to enable you to enter descriptive information about this condition
and the categories/subcategories it contains.
Match type Choose from:
Simple strings
Regular expressions
Applies to
Set to Everything by default. Click to open the Applicable File Formats dialog box to choose the
categories and subcategories to which you want the condition to apply.
Term
Term
Enter the regular expression to be used to match content within the searched
documents.
Test Click the Test button to launch the Regular Expression Test Interface (see separate table below).
Case sensitive Select to make the regular expression search case sensitive.
Description
Definition
Regular Expression The regular expression entered in the Edit Regular Expression dialog box is displayed.
Case sensitive
Copy and paste, or type in some text that you want to be detected
by the regular expression.
Matches
Encryption
The Encryption pages enable you to set up McAfee Email Gateway to use the supported encryption
methods to securely deliver your email messages.
Email | Encryption
The McAfee Email Gateway includes several encryption methodologies, and can be set up to provide
encryption services to the other scanning features, or can be set up as an encryption-only server used
just to encrypt email messages.
Contents
Types of Encryption
Secure Web Mail
S/MIME
PGP encryption
TLS
Secure Web Mail Branding
Task Encrypt all email that triggers against the HIPAA compliance dictionaries
Task Use S/MIME to encrypt all email to a specific target domain
Task Deliver all email from a specific customer using S/MIME encryption
Task Use PGP to encrypt all email messages
Task Deliver all email from a specific customer using PGP encryption
Types of Encryption
Information about the types of encryption methods that are available on the McAfee Email Gateway.
McAfee Email Gateway includes several different encryption methods to enable you to configure your
appliance to best match your existing email and network topography. These can be divided into the
following groups:
Server-to-server encryption
Server-to-server encryption, as its name suggests uses encryption to secure the transmission of email
messages between email servers. Many different methods of securing the server-to-server traffic are
available. McAfee Email Gateway can be configured to use the following methods to secure the
server-to-server link:
S/MIME
PGP
Can be used to transmit files that are larger than many email server limits.
The McAfee Email Gateway has limited storage space, so the longevity of the message is limited.
Push delivery
With push delivery, the end user is sent a notification that contains the encrypted message as an attachment; that is, the encrypted message is "pushed" to the end users' email system.
To read the message, the user needs to log onto the McAfee Email Gateway. During this process, the
encrypted message is returned to the McAfee Email Gateway where it is decrypted. The decrypted
message is then viewed by the end user in a secure browser.
Advantages of Push delivery include:
As the encrypted messages are stored on the end users' email system, the longevity of the
message is unlimited.
The McAfee Email Gateway handles all the encryption key and certificate generation for each
recipient.
The message is secure, as only the McAfee Email Gateway can decrypt the message.
Push delivery of secure email messages does not work well on handheld devices.
With a large number of end users concurrently accessing their secure messages, the CPU load on
the McAfee Email Gateway can be high.
Version
7, 8, 9
Mozilla Firefox 3.6, 4, 5, 6
Apple Safari 4, 5
Table 4-157 Compatible operating systems for accessing Secure Web Mail using mobile devices
Operating System Version
Android
Apple iOS
Blackberry OS
webOS 1.4
Symbian S60 5th Edition
Windows Phone
The messages are formatted so that they can be easily read on handheld devices.
Large messages can be delivered without hitting the typical email server size limitations.
Definition
Select this to enable the Secure Web Mail Client on your McAfee Email Gateway.
After enabling the Secure Web Mail Client, configure your Email Policies to set
the triggers for using this feature.
Select to force all messages composed from within the Secure Web Mail Client to
be scanned for malicious content.
Definition
Default locale Select the default language that is to be displayed within the email notifications.
Once the end user receives their Secure Web Mail: Welcome message and clicks to activate
their account, they are able to select their own preferred language.
Definition
Postmaster name Use this field to define the email address that is added to the notification messages received by the end user.
By default, the end user will request support using the postmaster address
details.
If you choose to define a separate support contact for your end users, enter
the Support contact address that the end users will see.
If you choose to define a separate support contact for your end users, enter
the Support contact name that the end users will see.
By de-selecting this option, you can then define a Support contact address and
Support contact name.
Option
Definition
Theme
Select the theme that the end users will see when logging into Secure Web Mail.
Create themes in Email | Encryption | Branding to add them to this drop-down list.
Notification messages Select the notification branding that the end users will see when they receive a Secure Web Mail notification.
Create customized notifications in Email | Encryption | Branding to add them to this
drop-down list.
Definition
Enable auto-enrollment
By default, all outgoing Secure Web mail notifications are digitally signed
by the McAfee Email Gateway.
By default, all Secure Web Mail notifications are sent in HTML format.
However, to conserve bandwidth, you can deselect this option to form plain
text notifications.
Definition
Allow messages to be stored on the gateway (PULL messages)
Notify recipients of unread PULL messages Choose whether to notify recipients of unread messages sent using the PULL method of encryption delivery.
When selected, you can also configure the Interval between notifications in days.
You can also specify a time period between unread message notifications.
Definition
Set the actions that the user can take on encrypted messages:
Print messages
Reply to messages
Bcc messages
Forward messages
Maximum message size (including attachments)
Restrict the generated Secure Web Mail notifications to plain text rather than HTML
Use this task to send notification messages in plain text.
Task
1
All Secure Web Mail notification messages are sent in plain text.
In Message Encryption - PULL Messages, deselect Allow messages to be stored on the gateway.
In Message Encryption - PUSH Messages, select Allow messages to be stored on end users' systems.
Infrequent users of the Secure Web Mail system forgetting their passwords, and contacting the
configured support email address requesting help.
Users who have expired passwords, needing to have their accounts reactivated.
End users that request that their accounts are removed from your servers.
User Search
Option
Definition
Email address
To search for a particular Secure Web Mail end user, enter a full or partial email
address, and click Search.
All user accounts matching your search are displayed in the User Search table.
You can refine your search using the options in the Status drop-down menu.
Reset account Sends an email notification to the recipient so that they can reset their password and unlock their account.
Lock Account Prevents the user from accessing their account.
Delete Account Deletes the account and all the user's messages.
Domain
Refresh
User Creation
Option
Definition
Email address Enter the email address for the end user account you are creating.
Create
After entering and confirming the email address for the end user account, click Create.
The new user account information is displayed in the User Search table.
In User Search, add the email address of the user whose account you wish to lock, such as
user@example.domain.com and click Search.
Displays the status of the account, including information such as the number of read and unread messages and the last time that the user logged in. The number of read and unread messages is updated every 15 minutes.
Select the email address, and in For the selected users, select Lock account, then click Perform action.
The next time you search for this user, the account shows its Status as Locked.
To unlock the account, select it, and click Reset account.
Definition
Minimum length
Select the minimum length that you will allow for end-user passwords. Longer
passwords are more secure, but may result in more calls to your support address as
end users find them more difficult to remember.
Minimum number of ALPHA characters Specify the minimum number of alphabetical characters to be used within the end users' passwords.
To increase security, you can also Require a mixture of upper and lowercase characters to be used.
Minimum number of DIGIT characters The more different types of characters that may be used within an end user's password, the more secure that password can be made.
Forcing your end users to use numbers within their passwords improves the security of the passwords.
Minimum number of SPECIAL characters The more different types of characters that may be used within an end user's password, the more secure that password can be made.
Forcing your end users to use special characters within their passwords improves the security of the passwords.
Special characters are non-alphanumeric characters such as underscores (_), hyphens (-) and other punctuation.
Definition
Decide whether your end users will need to periodically renew their
passwords.
Specify the Password lifetime in days, and also the Grace period they are allowed
before the Password lifetime, during which they are allowed to still log into the
Secure Web Mail system, but are then forced to change their password.
Choose if you want your end users to be notified that their passwords are due
to expire. Also, select the required Interval between reminders.
Number of recent passwords to disallow Use this field to prevent end users from re-entering their previous passwords.
Specify any limits you want to place on the frequency with which end users
can change their passwords.
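As an added Python example (not the appliance's code), here is a checker that applies the settings from these tables to a candidate password: minimum length, the minimum ALPHA, DIGIT and SPECIAL counts, the mixed-case requirement and the number of recent passwords to disallow. The numeric values, the function names and the salted PBKDF2 format used for the password history are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Sequence


@dataclass
class PasswordPolicy:
    """The Secure Web Mail password options from the tables above (values are constructed)."""
    minimum_length: int = 8
    min_alpha: int = 2
    require_mixed_case: bool = True
    min_digit: int = 1
    min_special: int = 1
    recent_passwords_to_disallow: int = 5

    def violations(self, password: str, history: Sequence[str] = ()) -> list[str]:
        """Return the rules the candidate breaks (an empty list means it is accepted).

        `history` holds the user's previous password hashes, most recent first, in the
        format produced by hash_password() below.
        """
        problems = []
        alpha = sum(c.isalpha() for c in password)
        digits = sum(c.isdigit() for c in password)
        special = sum(not c.isalnum() for c in password)  # underscores, hyphens, punctuation
        has_upper = any(c.isupper() for c in password)
        has_lower = any(c.islower() for c in password)
        if len(password) < self.minimum_length:
            problems.append(f"shorter than {self.minimum_length} characters")
        if alpha < self.min_alpha:
            problems.append(f"fewer than {self.min_alpha} ALPHA characters")
        if self.require_mixed_case and not (has_upper and has_lower):
            problems.append("no mixture of upper and lowercase characters")
        if digits < self.min_digit:
            problems.append(f"fewer than {self.min_digit} DIGIT characters")
        if special < self.min_special:
            problems.append(f"fewer than {self.min_special} SPECIAL characters")
        # Only the most recent N entries of the history are disallowed.
        recent = list(history)[: self.recent_passwords_to_disallow]
        if any(verify_password(password, stored) for stored in recent):
            problems.append(f"reused one of the last {self.recent_passwords_to_disallow} passwords")
        return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted PBKDF2-SHA256 digest so the history never holds plaintext (assumed store format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [hash_password("Winter2024!"), hash_password("Autumn2024!")]  # constructed
    for candidate in ("Tr0ub4dor&3", "password1!", "Winter2024!"):
        print(candidate, "->", policy.violations(candidate, history) or "accepted")
```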
Definition
Choose whether you want users to reset passwords without going through
any security questions.
Set the number of potential answers a user must provide to set up their
challenge response questions.
To provide secure password changing, McAfee recommends at least 5
challenge response questions are used.
Number of questions to ask a user When challenge response is enabled, set how many questions each user must answer correctly to pass the security check.
To provide secure password changing, McAfee recommends at least 2
challenge response questions are asked of the end-user.
Message Management
The Message Management options provide information about the number of messages stored on your
system, and the disk space you have available so you can remove some if necessary.
Statistics
Purge Messages
Definition
Statistics
Shows the number of read, unread, and draft messages and the amount of available
disk space.
Certificates
Use this page to specify the contents of a self-signed digital certificate for the appliance.
Definition
Country [C] Specifies a two-letter code such as CN, DE, ES, FR, JP, KR (see ISO 3166). Default value is US.
Specifies the location of your organization. Give a full name rather than an
abbreviation.
Option
Definition
Organization [O]
View
Import
When clicked, opens a window where you can specify the file.
To import a password-protected certificate, type the passphrase to unlock the
private key. The appliance stores the decrypted certificate in a secure internal
location.
The appliance only verifies the certificate, and makes it available to use, after you click the icon to apply your changes.
Export
When clicked, opens a window where you can specify a passphrase, then
download a file. The file name extension is CRT (base-64 encoded) or P12
(PKCS#12). The certificate is in PEM format.
Generate Certificate Signing Request When clicked, opens a window where you can request that the Certificate Signing Request is signed by a Certificate Authority on the appliance or by an external Certificate Authority. The file name extension is CSR.
Regenerate
When clicked, you are prompted to confirm that you want to regenerate the
certificate and private key.
Entries in the Option fields determine the information that appears in a subsequent certificate signing
request (CSR).
For internally self-signed certificates, the information is used to regenerate the certificates.
Subsequent viewing of these certificates reflect the changes, along with new valid to and valid
from dates.
For externally signed certificates, changing the option settings has no immediate effect on the
viewable certificate details. You must regenerate the CSR, have it externally signed, and then
import it in order to see the changed information.
The View link opens the Certificate Details window, containing the detailed information about the
certificate.
S/MIME
Understand how McAfee Email Gateway uses S/MIME to provide encrypted delivery of email messages.
Definition
Country [C] Specifies a two-letter code such as CN, DE, ES, FR, JP, KR (see ISO 3166). Default value is US.
Specifies the location of your organization. Give a full name rather than an
abbreviation.
Organization [O]
Import
When clicked, opens a window where you can specify the file.
Export
When clicked, opens a window where you can specify a passphrase, then
download a file. The file name extension is CRT (base-64 encoded) or P12
(PKCS#12). The certificate is in PEM format.
Generate Certificate Signing Request When clicked, opens a window where you can request that the Certificate Signing Request is signed by a Certificate Authority on the appliance or by an external Certificate Authority. The file name extension is CSR.
Definition
Escrow certificate
Message encryption algorithm
S/MIME Encryption Certificates for External Domains See the currently stored S/MIME Encryption Certificates for External Domains. You can add or delete domains from this list, or view the certificates provided by each domain.
Use Filter to help find a particular certificate.
Domain
S/MIME Certificate
Add Domain
View Certificate
PGP encryption
Understand how McAfee Email Gateway uses PGP to provide encrypted delivery of email messages.
Definition
Displayable name A user-editable field, allowing you to choose the name that is displayed for this
encryption key.
Comment
A user-editable field, allowing you to choose a comment for this encryption key.
Email address
View
Import
Click to open the Import Certificate and Key dialog box where you can upload a certificate to the appliance, and add a passphrase to open a private key.
Export
Click to open the Certificate and Key Export dialog box where you can choose whether you
want to export with no private key, or export a complete chain, and the format of key
that you want to export.
Regenerate
Click to regenerate the PGP public and private keys, using the information on this
page.
Definition
Escrow key
See the currently stored PGP Encryption Keys for External Domains. You can add or delete domains from this list, or view the certificates provided by each domain.
Use Filter to help find a particular key.
Domain
PGP Key
Add Domain
View Key
TLS
Use this page to specify how devices use encrypted communications and to manage their digital
certificates.
The McAfee Email Gateway requests a secure connection to the receiving email server and presents
a list of cipher suites to the receiving email server.
The receiving email server then selects the strongest supported cipher from that list, and then
notifies the McAfee Email Gateway of the chosen cipher.
The servers then use Public Key Infrastructure (PKI) to establish their authenticity. This is achieved by exchanging digital certificates. On occasion, these digital certificates may be validated against the Certificate Authority (CA) that issued them.
Using the server's public key, McAfee Email Gateway generates a random number as a session key,
and sends it to the receiving email server. The receiving server then decrypts this session key using
its private key.
Both the McAfee Email Gateway and the receiving email server then use this session key to protect their communications, completing the handshake process.
Once the handshake has been completed, the secure connection is used to transfer the email
messages. The connection remains secure until the connection is closed.
TLS Connections
Use this area to define hosts that use TLS encryption.
Table 4-158 Option definitions: When receiving email (gateway is acting as server)
Option
Definition
Client Domain / Subnet
Use TLS
Authenticate Client
Server Certificate
Add Domain
View Certificate
Delete Selected Domains
Import
Import full information about hosts that are configured to use TLS.
Example The following is an extract from an imported full list of hosts:
Import a list of domains that use TLS. Use the dialog boxes to define the TLS
settings to be applied to all entries in the list.
Example The following is an extract from an imported list of domains:
Export
Export the list of configured domains, for backup or for import into other McAfee
Email Gateway appliances.
Table 4-159 Option definitions: When sending email (gateway is acting as a client)
Option
Definition
Server Domain / Subnet
Use TLS
Authenticate Self
Specifies whether the client must verify itself to the recipient before sending
email. The client then needs its own certificate.
Client Certificate
Add Domain
View Certificate
Delete Selected Domains
Import
Import full information about hosts that are configured to use TLS.
Example The following is an extract from an imported full list of hosts:
Import a list of domains that use TLS. Use the dialog boxes to define the TLS
settings to be applied to all entries in the list.
Example The following is an extract from an imported list of domains:
Export
Export the list of configured domains, for backup or for import into other McAfee
Email Gateway appliances.
Manage TLS certificates and keys Click to jump to Email | Certificate Management | Certificates | TLS Certificates and Keys.
Definition
Cipher strength
Allow no encryption
By default, McAfee Email Gateway allows the use of TLS v1.2 cipher suites. If
you experience interoperability issues with other mail servers, you can disable
the use of these cipher suites.
TLS enforcement
If selected, the appliance will enforce TLS using the sender's envelope address rather than the EHLO address for inbound email.
Specify images that appear as the logo for the desktop client, the logo for the mobile client, and the favorites icon.
View real time changes to the branding that you make in the previews available.
Customize the product name that's displayed, or that is presented to the user as either a text
string, or an image.
Edit notification messages and view your changes immediately within the right hand screen.
Notification
Token
Description
Welcome
GATEWAY
ACTIVATE_LINK
GATEWAY
LOGIN_LINK
SUBJECT
SENDER
GATEWAY
PULL_MESSAGE
PUSH_MESSAGE
(PULL_MESSAGE token)
PULL_LINK
(PULL_MESSAGE token)
DAYS_LEFT
(PUSH_MESSAGE token)
PUSH_FILE
Message read
RECIPIENT
SUBJECT
DATE_SENT
DATE_READ
REPORT_FILE
GATEWAY
NUM_MESSAGES
GATEWAY
Account activated
Message received
Unread messages
GATEWAY
REQUEST_EMAIL
GATEWAY
LOGIN_LINK
GATEWAY
Table 4-161
Notification
Token
Description
LOGIN_LINK
DAYS_LEFT
Account locked
GATEWAY
Disclaimer text
<none>
Support contact
SUPPORT_EMAIL
Footnote
<none>
Copyright notice
YEAR
Offline notice
<none>
Notification messages: Displays the notification messages that you have created. Click Default
notification set to view all default messages.
Click a notification on the left to get an expanded palette of all the notification messages, and other
available components such as disclaimers. The notification contains a text area to edit content and a
drop-down list that allows you to insert tokens. Some messages contain tokens that can be edited.
In the right-hand pane, the content is updated to reflect your current selection. Also on the right is a
language picker to choose a different language. The language is one of the basic settings of the virtual
host; to change the language that users see, edit the virtual host.
Edits are saved when you change selection.
Copy Item: Click to create a new notification theme based on the currently active theme.
Delete Item
Desktop Preview / Mobile Preview
Images: Import the logo that you want to use on the notification, and view how it appears on the
desktop, on mobile, and through a browser.
Upload new images through a form submission. Supported file formats for logos and the favorites icon
are .JPEG, .PNG, and .BMP. The .ICO format is also supported for the favorites icon.
Images are scaled to the appropriate size and converted to .PNG format for the logos, and to .ICO
format for the favorites icon.
The favorites icon should have the same height and width.
Product Name: Set whether you want to use text or an image to display the product name.
If you choose to use an image to display the product name, the same upload rules and supported formats
apply as for Images.
Color Palette
Click Enable compliance, and select Create new rule from template.
In On-box Encryption Options, select Secure Web Mail, and click OK.
Apply the changes.
In S/MIME Certificate, select the certificate for example.<domainname>.com that you just imported.
In Policy name, type the name of the policy, such as Recipients for example.domainname.com.
Click Export.
Click Next.
This generates a self-signed certificate. Because nothing vouches for a self-signed certificate, the
customer must confirm it with you over a trusted channel before installing it.
Click Finish.
Once the customer has configured their email system to use S/MIME encryption with the certificate you
provided, McAfee Email Gateway automatically decrypts all incoming S/MIME email from this customer
using the corresponding private key.
Click Email | Certificate Management | Certificates | PGP Encryption Keys and import your PGP key, such
as example.<domainname>.com.
In PGP Key, select the key for example.<domainname>.com that you just imported.
In Policy name, type the name of the policy, such as Recipients for example.domainname.com.
Click Export.
Click Next.
This generates a PGP public key.
Click Finish.
Send the public key pgp_encryptor_<machinename>.asc to customer <abc>, to use for encrypting all of
their email messages to your organization.
Once the customer has configured their email system to use PGP encryption with the public key you
provided, McAfee Email Gateway automatically decrypts all incoming PGP email from this customer using
its private key.
Certificate Management
The Certificate Management pages enable you to configure and view certificates for use with your
appliance.
Certificates
Use the linked pages to view and change important information about the certificates relating to your
appliance.
CA certificates
Use this page to manage digital certificates from Certification Authorities.
Status icon: Certificate is valid.
Status icon: Certificate is invalid, for example because it has expired.
Certificate ID
Trusted
Subject
Issuer
Expires: Displays the certificate's expiry date, such as May 15 2010 12:15:00. If this date has passed,
the certificate is not valid.
Delete
View
Export Selected or Export All: When clicked, opens a browser for saving a file. If you export a single
certificate, the file name includes the certificate ID. The file name extension is crt (for Base64,
PEM) or p7b (for PKCS#7).
Import CA Certificate: When clicked, opens another window where you can select a file. The imported
certificate can be in one of these formats:
  Binary (DER-encoded) certificate file
  PEM (Base64) encoded certificates
  Binary PKCS#7 file
  PEM-encoded PKCS#7 file
The appliance can accept certificate chains and certificates with password-protected private keys.
The appliance only verifies the certificate, and makes it available to use, after you click the icon to
apply your changes.
Once imported into McAfee ePO, you can push and install these TLS certificates and keys to other
Email Gateway appliances being managed from your McAfee ePO server. This feature provides central
management of the TLS certificates used by your Email Gateway appliances, rather than having to
manage the certificates on each appliance individually.
Certificate ID
Subject
Issuer
Expires
Delete
View: Displays details of the selected certificate, such as its version, issuer, and public key.
Export: Opens another window, where you can choose to export the certificate or a complete certificate
chain, and specify the certificate format. The file name extension is typically CRT.
Import Certificate and Key: Opens another window where you can select a file. The imported certificate
can be in one of these formats:
  Binary (DER-encoded) certificate file
  PEM (Base64) encoded certificates
  Binary PKCS#12 file
  PEM-encoded PKCS#12 file
You can also import a .zip archive containing multiple certificates.
To import a password-protected certificate, type the passphrase to unlock the private key. The
appliance stores the decrypted certificate and key in a secure internal location.
The appliance only verifies the certificate, and makes it available to use, after you click to apply
your changes.
From the McAfee ePO user interface, select Menu | Gateway Protection | MEG 7.6.4 Common Settings |
Certificates | TLS Certificates and Keys.
Click OK.
All certificates included within the TLS certificate package are displayed.
From within McAfee ePO, drill down the System Tree and select the Email Gateway appliances to
receive the TLS certificates and keys.
The TLS certificates and keys, and all other Email Gateway policy settings are pushed to the selected
Email Gateway appliances.
S/MIME
Understand how McAfee Email Gateway uses S/MIME to provide encrypted delivery of email messages.
Certificate ID
Subject
Issuer
Expires
Delete
View: When clicked, displays details of the selected certificate, such as its version, issuer, and
public key.
Export: When clicked, opens another window, where you can choose to export the certificate or a
complete certificate chain, and specify the certificate format. The file name extension is typically
CRT.
Import Certificate: When clicked, opens another window where you can select a file. The imported
certificate can be in one of these formats:
  Binary or Base64 (PEM) encoded certificate
  Binary PKCS#7 file
You can choose to import any CA certificates in the file.
PGP encryption
Understand how McAfee Email Gateway uses PGP to provide encrypted delivery of email messages.
Displayable name: A user-editable field, allowing you to choose the name that is displayed for this
encryption key.
Comment: A user-editable field, allowing you to choose a comment for this encryption key.
Email address
View
Import: Click to open the Import Certificate and Key dialog box, where you can upload a certificate to
the appliance and supply the passphrase that unlocks its private key.
Export: Click to open the Certificate and Key Export dialog box, where you can choose whether to export
with no private key or to export a complete chain, and the format of key that you want to export.
Escrow key
PGP Encryption Keys for External Domains: See the currently stored PGP encryption keys for external
domains. You can add or delete domains from this list, or view the certificates provided by each
domain. Use Filter to help find a particular key.
Domain
PGP Key
Add Domain
View Key
Details
Certification path: View information about the Certificate ID and the Subject of the certificate.
Contents
Installed CRLs
CRL Updates
Installed CRLs
Use this page to manage Certificate Revocation Lists.
ID
Issuer
Delete
View
Export Selected: When clicked, opens a browser for saving a file. The file name extension is typically
CRL.
Import CRL
CRL Updates
Use this page to specify how often the appliance fetches updates to its Certificate Revocation Lists.
A certificate can be revoked by its issuer before its expiry date, for example because the private key
used by the certificate may have been compromised.
Being able to regularly update the CRLs on your McAfee Email Gateway enables you to be confident that
the McAfee Email Gateway will not continue to use certificates that have been revoked.
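The status checks described on the certificate pages (Expires, the valid/invalid icon) and the CRL check above can be reproduced outside the appliance. The following is an added example, not McAfee code: it reads the serial number and validity period out of a DER or PEM X.509 certificate and then looks the serial up in a CRL, with the clock fixed so the result is repeatable. The certificates and the CRL are minimal constructed DER objects built by the script itself, and the parser walks only the ASN.1 structure and verifies no signatures, so it is an inspection aid, not a validator.

```python
"""Added example (not McAfee code): read the serial number and validity period
from a DER or PEM X.509 certificate, then check the serial against a CRL, to
reproduce the valid / invalid (expired) / revoked status the pages above
describe. The certificates and CRL are minimal constructed DER objects built by
this script; the parser only walks the ASN.1 structure and verifies no
signatures, so it is an inspection tool, not a validator."""
import base64, re
from datetime import datetime, timezone

SEQ, INT, BITSTR, UTCTIME, GENTIME, CTX0 = 0x30, 0x02, 0x03, 0x17, 0x18, 0xA0
UTC = timezone.utc

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == UTCTIME:                                  # YYMMDDHHMMSSZ, RFC 5280 pivot at 1950
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def pem_to_der(data):
    """Return (label, der_bytes); binary input passes through as ('DER', data)."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if not m:
        return "DER", data
    return m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split()))

def cert_info(cert_der):
    """Return (serial, notBefore, notAfter) from Certificate.tbsCertificate."""
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])
    if fields[0][0] == CTX0:                            # optional explicit [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    validity = der_children(fields[3][1])               # serial, sigAlg, issuer, validity, ...
    return serial, parse_time(*validity[0]), parse_time(*validity[1])

def crl_revoked_serials(crl_der):
    """Return the serial numbers listed in CertificateList.tbsCertList.revokedCertificates."""
    fields = der_children(der_children(der_read(crl_der)[1])[0][1])
    if fields[0][0] == INT:                             # optional version
        fields = fields[1:]
    rest = fields[3:]                                   # after sigAlg, issuer, thisUpdate
    if rest and rest[0][0] in (UTCTIME, GENTIME):       # optional nextUpdate
        rest = rest[1:]
    if not rest or rest[0][0] != SEQ:                   # no revokedCertificates
        return set()
    return {int.from_bytes(der_children(e)[0][1], "big", signed=True)
            for _, e in der_children(rest[0][1])}

def certificate_status(cert_data, crl_data=None, now=None):
    now = now or datetime.now(UTC)
    serial, not_before, not_after = cert_info(pem_to_der(cert_data)[1])
    if now < not_before:
        return "invalid: not yet valid"
    if now > not_after:
        return "invalid: expired"
    if crl_data is not None and serial in crl_revoked_serials(pem_to_der(crl_data)[1]):
        return "invalid: revoked"
    return "valid"

# Minimal DER encoder, used only to build the constructed sample objects below.
def der(tag, content):
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content
def integer(n):
    return der(INT, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def utctime(dt):
    return der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
def build_cert(serial, not_before, not_after):
    empty = der(SEQ, b"")                               # stands in for Name, AlgorithmIdentifier, SPKI
    tbs = der(SEQ, der(CTX0, integer(2)) + integer(serial) + empty + empty
              + der(SEQ, utctime(not_before) + utctime(not_after)) + empty + empty)
    return der(SEQ, tbs + empty + der(BITSTR, b"\x00"))
def build_crl(this_update, revoked):
    entries = b"".join(der(SEQ, integer(s) + utctime(this_update)) for s in revoked)
    empty = der(SEQ, b"")
    tbs = der(SEQ, integer(1) + empty + empty + utctime(this_update) + der(SEQ, entries))
    return der(SEQ, tbs + empty + der(BITSTR, b"\x00"))

NOW = datetime(2015, 6, 1, tzinfo=UTC)                 # fixed clock so results are repeatable
GOOD_CERT = build_cert(1001, datetime(2014, 1, 1, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC))
EXPIRED_CERT = build_cert(1002, datetime(2009, 5, 15, 12, 15, tzinfo=UTC),
                          datetime(2010, 5, 15, 12, 15, tzinfo=UTC))   # the Expires example above
REVOKED_CERT = build_cert(1003, datetime(2014, 1, 1, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC))
CRL = build_crl(datetime(2015, 5, 1, tzinfo=UTC), [1003])
GOOD_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(GOOD_CERT)
                 + b"-----END CERTIFICATE-----\n")
```

Call certificate_status(cert_bytes, crl_bytes) on a real exported .crt and .crl to see how the appliance would classify the pair; the parser reads both PEM (the crt export) and DER, but it is only as fresh as the CRL you hand it, which is the point of the scheduled CRL updates.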
Update now
The update schedule specifies how often the appliance collects CRL updates. Choose a time when your
network is least busy. If you do not want to use this feature, select Never; note that the installed
CRLs are then never refreshed, so a certificate revoked after the last import continues to be accepted
until it expires.
If you intend to use an HTTP proxy that is not specified on the Default Server Settings page, deselect
the proxy checkbox.
Configure defaults: When clicked, opens the Default Server Settings page, where you can view or change
the default settings for the HTTP proxy.
To view proxy information at any other time, select System | Appliance Management | Default Server
Settings from the navigation bar.
Hybrid configuration
Hybrid email scanning uses the McAfee Email Gateway to scan your outbound email traffic, and uses
the cloud-based McAfee Email Protection (Hybrid) to scan your inbound email traffic.
Contents
Benefits of using hybrid email scanning
About the hybrid email registration and configuration process
Registration
Domain Management
Inbound email messages from trusted partners can be sent directly to your McAfee Email Gateway for
scanning.
All communications between the cloud service and your McAfee Email Gateway are encrypted. You
configure and optimize the scanning of both inbound and outbound email traffic from a single location:
the user interface of your McAfee Email Gateway.
When the McAfee Email Protection (Hybrid) makes detections within any email messages, information
about the email message and the detection is sent to your McAfee Email Gateway appliance.
Then, depending on your configuration, the McAfee Email Gateway can request the message data be
sent for further actions or for delivery. If the action is to quarantine the message, the inbound email
messages are quarantined alongside quarantined outbound email messages.
This allows you to use Message Search or other system logging options on your appliance to
investigate each message, regardless of whether it is scanned locally by your McAfee Email Gateway
or by McAfee Email Protection (Hybrid).
The communication between McAfee Email Protection (Hybrid) and the appliance must not pass through
another MTA, as the communication uses a proprietary protocol and will not succeed if another SMTP
gateway is involved in the conversation.
The process to register your McAfee Email Gateway appliance and the McAfee Email Protection
(Hybrid) service starts when you purchase hybrid email scanning from McAfee or a McAfee partner.
When you purchased your McAfee Email Protection (Hybrid), you were asked for information that is
used to set up a cloud-based account for you. As soon as this information has been entered, you
receive an email message containing the required links and credentials.
Install your McAfee Email Gateway appliance. When running through the Setup Wizard, select Use the
McAfee SaaS Email Protection Service to process inbound email on the Email Configuration page.
After applying the Setup Wizard configuration and re-loading the McAfee Email Gateway user
interface, the Email | Hybrid Configuration | Registration page is displayed.
Clicking the link in the Email | Hybrid Configuration | Registration page displays information that outlines
the registration process for your appliance and McAfee Email Protection (Hybrid) service.
Follow the information given to complete the registration, using the credentials provided in the email
message.
After you have successfully completed registration, a new tab appears at Email | Hybrid Configuration |
Domain Management.
Before inbound email traffic can be scanned by the McAfee Email Protection (Hybrid), you must first
configure McAfee Email Protection (Hybrid) to accept email for your domain(s), and then configure
your public MX records for those domain(s) to point to the McAfee Email Protection (Hybrid)
servers.
Registration
To enable and configure hybrid email scanning, you must first register your McAfee Email Gateway
appliances with the McAfee Email Protection (Hybrid) service.
Contents
Benefits of registering hybrid email scanning
Option definitions: Registration
Task: Register with the McAfee Email Protection (Hybrid) service
Task: Cancel your registration with the McAfee Email Protection (Hybrid) service
User name
Password
Configure this appliance to handle email for the initial domain: Configures the appliance you are
currently logged onto to act as the initial McAfee Email Gateway for your McAfee Email Protection
(Hybrid). Not displayed when your appliance is ePO-managed.
Address: Not displayed when your appliance is ePO-managed.
Port: Not displayed when your appliance is ePO-managed.
Register
Cancel Registration: Disables your registration and prevents the use of the McAfee Email Protection
(Hybrid) to process your inbound email. You do not need to enter any credentials.
Before cancelling your registration, ensure that the MX records for your managed domains no longer
point to the McAfee Email Protection (Hybrid) service.
Task
Enter the user name and password from your welcome email in the appropriate data fields.
(Optional) Configure your initial appliance for inbound email, for use by the McAfee Email Protection
(Hybrid) service.
If your McAfee Email Gateway does not have a public IP address, use the Email | Hybrid Configuration |
Domain Management page instead.
Select the Configure this appliance to handle email for the initial domain checkbox.
Select the appliance domain name and IP address from the drop-down list.
Select the port assigned to the appliance from the drop-down list.
When the appliance is the cluster master, configure a virtual address for the receiving appliance.
Click Register.
Your appliance is registered with McAfee Email Protection (Hybrid), and the Domain Management tab
appears in the Hybrid Configuration window. The Registration window expands to show the Cancel
Registration information.
Task: Cancel your registration with the McAfee Email Protection (Hybrid) service
You can stop using the McAfee Email Protection (Hybrid) at any time.
Before you begin
Before you cancel your service, ensure that the MX records for any managed domain no longer point to
the service.
Task
Domain Management
You can use the user interface to specify which domains you want scanned by McAfee Email Protection
(Hybrid).
Configure your domains after you have registered McAfee Email Protection (Hybrid).
The Email | Hybrid Configuration | Domain Management tab is only visible after you have registered to use Hybrid
Email scanning.
The Domain Management window shows the list of domains you have configured for McAfee Email
Protection (Hybrid), and their associated appliances. From this window, you can add domains, and edit
or delete existing domains.
Contents
Benefits of using domain management
Option definitions: Domain Management page
Option definitions: Add/Edit domains page
Task: Manage your domains using Hybrid Email protection
Domain: Shows the fully qualified domain names of all domains protected by the McAfee Email Protection
(Hybrid) service.
McAfee Email Gateways: Shows the IP addresses for the McAfee Email Gateway appliances associated with
each managed domain.
Edit
Add Domain: Opens the Edit Domain window, where you can add or modify domains for which you want email
scanned.
Domain name: Specifies the fully qualified domain name of the domain you are adding or editing.
Public addresses of McAfee Email Gateways: Lists the McAfee Email Gateway appliances associated with
the domain, showing:
  IP address or domain name (port optional)
  Current status
  Rank within the list of appliances for this domain
You can rank the appliances on your list to establish a preference order, with the lowest number being
tried first. The McAfee Email Protection (Hybrid) service tries the appliances in rank order until it
succeeds. If all appliances are ranked equally, the service round-robins amongst them.
Test Connection: Tests whether the selected host is accessible from the McAfee Email Protection
(Hybrid) service. The test verifies that:
  A connection can be established to the appliance.
  The McAfee Email Gateway has been registered with the McAfee Email Protection (Hybrid) service.
The test button is active only when you select a single appliance.
Delete
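The rank and round-robin rules above decide which of a domain's public gateway addresses is tried first. As an added example (not McAfee code), the following models that selection: inactive appliances are skipped, lower rank numbers are tried first, appliances with the same rank rotate on each delivery, and an address typed as host:port is split the way the Add/Edit domain window accepts it. The record layout (host, port, rank, active) and the default port of 25 when none is typed are assumptions of this example.

```python
"""Added example (not McAfee code): order the public McAfee Email Gateway
addresses of a managed domain the way the Domain Management page describes:
inactive appliances skipped, lowest rank first, equal ranks round-robined.
The record layout and the default port are assumptions."""
from itertools import groupby

DEFAULT_PORT = 25   # assumption: the page says the port is optional, not what the default is

def parse_gateway(text, rank=1, active=True):
    """Turn 'host[:port]' as typed into the Add/Edit domain window into a record."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():        # no port given
        host, port = text, DEFAULT_PORT
    return {"host": host, "port": int(port), "rank": rank, "active": active}

class ManagedDomain:
    def __init__(self, name, gateways):
        self.name = name
        self.gateways = list(gateways)
        self._rotation = {}                  # rank -> round-robin offset

    def delivery_order(self):
        """Return the active gateways in the order they should be tried; every
        call advances the round-robin position within each rank."""
        active = sorted((g for g in self.gateways if g["active"]), key=lambda g: g["rank"])
        ordered = []
        for rank, members in groupby(active, key=lambda g: g["rank"]):
            members = list(members)
            start = self._rotation.get(rank, 0) % len(members)
            self._rotation[rank] = start + 1
            ordered.extend(members[start:] + members[:start])
        return ordered

    def deliver(self, attempt):
        """attempt(gateway) -> True on success. Tries the gateways in order and
        returns the one that accepted the message, or None if all failed."""
        for gateway in self.delivery_order():
            if attempt(gateway):
                return gateway
        return None

# Constructed sample: two equally ranked primaries, one backup, one disabled host.
SAMPLE = ManagedDomain("example.com", [
    parse_gateway("198.51.100.10", rank=1),
    parse_gateway("198.51.100.11:2525", rank=1),
    parse_gateway("meg-backup.example.com", rank=2),
    parse_gateway("198.51.100.99", rank=1, active=False),
])

if __name__ == "__main__":
    down = {"198.51.100.10"}                 # simulate the first primary being unreachable
    chosen = SAMPLE.deliver(lambda g: g["host"] not in down)
    print("delivered via", chosen["host"], chosen["port"])
```

Two observations follow from the model: a backup ranked 2 is only reached when every rank-1 appliance refuses the connection, and a host left inactive is never tried at all, so a forgotten Active? checkbox silently removes an appliance from failover.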
Enter the fully qualified domain name for the domain you want to add.
Type the IP address or the fully qualified domain name for the appliance. Optionally, include the port.
To indicate the status of the appliance, select or deselect the Active? checkbox. Click Add McAfee
Email Gateways again and repeat the previous two steps if you want to add more than one appliance.
(Optional) If you add more than one appliance, you can indicate their rank (order) by typing a number
in the Rank data field.
(Optional) You can test the connection between any single appliance and the McAfee Email Protection
(Hybrid) service by clicking Test Connection.
When you have completed the information on this window, click OK.
On the Domain Management page, click the Edit icon for the domain you want to change.
The Edit Domain window appears, showing the current information about the selected domain.
Make your changes to the domain. You can change the domain name, add or delete appliances, change the
status, and, for multiple appliances, change the rank.
(Optional) To test the connection between any single appliance and the McAfee Email Protection
(Hybrid) service, click Test Connection.
On the Domain Management page, select the checkboxes for one or more domains you want to delete.
The Delete Selected Domains button becomes active.
The domain or domains are removed from the Domain Management page.
Group Management
The Group Management pages enable you to set up directory services to work with your LDAP servers,
and to create network groups and user groups that relay through the appliances.
Directory Services
Use this page to build a group of directory services to work with your LDAP servers.
Directory Services
Directory Synchronization
Recipient Authentication
Address Masquerading
Policy selection
Delivery routes
Custom queries can be created for use in policy selection using the Add Query option in the Add Directory
Service wizard.
The appliance supports the following types of LDAP servers:
Lotus Domino
Novell NDS
Netscape/Sun iPlanet
Microsoft Exchange
You can set up groups of LDAP servers to ensure high availability by adding secondary servers to the
primary LDAP server.
The Service name that you give the primary server in the Add Directory Service wizard is the name of
the group that you see when you come to select the LDAP group in the LDAP-related features of McAfee
Email Gateway, such as Address Masquerading.
Directory Synchronization
Directory Synchronization is the mechanism that synchronizes LDAP data on the appliance with remote
LDAP servers.
Once LDAP data has been synchronized, the appliance no longer performs LDAP lookups on the remote
server and instead uses its own on-box database, minimizing load on the remote LDAP servers.
To enable Directory Synchronization, add the LDAP server with which you need to synchronize on the
Directory Services page.
You must also select the queries that need to be synchronized, by selecting the Cache Result option on
the Directory Service Queries page of the Add Directory Service wizard.
The advantages of Directory Synchronization are more apparent in cluster or blade server environments,
because each scanner no longer performs LDAP lookups but uses the on-box database. The master is
responsible for synchronizing the database with the remote LDAP servers. Once the synchronization is
finished, the database is replicated to the other members of the cluster and is then used for LDAP
checks.
Attributes on the LDAP server can be accessed in real time (allowing for the most up-to-date data to
be available), or be cached on the appliance (a faster option that causes less impact to your network)
by using the Cache Result checkbox in the Add Directory Services wizard.
Use the Synchronization schedule feature to schedule when to update the cache.
McAfee Email Gateway uses queries defined on the Directory Service Queries page to populate the local
LDAP database. The 'List of Groups' and 'Synchronization' queries are mandatory and cannot be
unselected, as they are used to get group and email address information from the LDAP server. You
can choose to cache all other queries. If you choose not to cache the results of any other query,
McAfee Email Gateway will carry out a real-time lookup when the SMTP features that use the query
are used.
By default LDAP caching is on for each query. When you apply configuration changes to the appliance,
the synchronization process updates the local LDAP cache database. If the database has not been
updated for a particular server, the LDAP lookup is done in real time. Additionally, if the query is missing
or has been modified for a particular server, the LDAP lookup is done in real time.
When you configure Directory Synchronization, the following information is stored in the on-box
database:
The LDAP queries that you have configured to run against the LDAP servers.
User information, stored as a BLOB. This information includes the email addresses of the users, the
group membership of each user and any extra information collected by the LDAP queries.
Directory Services
This information describes the settings of any LDAP server that you have set up. To add a connection
to an LDAP server, click Add Server.
Server list: Displays information about each directory server, such as its type (for example Domino
or Active Directory). Click Edit to open the Add Directory Service wizard to change a server's
settings.
Add Server: When clicked, starts the Add Directory Service wizard, where you can add details of a
directory service. The Service name that you give this server is what is shown when you set up
features in the appliance to work with LDAP. The server at the top of the list is queried first. You
can create groups of servers by using the Add Secondary Server option.
Add Secondary Server: Use this option to create groups of LDAP servers by adding secondary servers
that are queried should the primary server be unavailable, or not have the required information. In
the features that work with LDAP you do not see secondary servers listed, only the primary server in
the group.
Delete Server
Perform server certificate verification on secure connections: Sets whether the appliance should
attempt to validate the remote server certificate that is used to encrypt a secure connection between
the appliance and an LDAP server. You can manage the required certificates from Email | Certificate
Management. With this option off, the appliance accepts any certificate, so the bind credentials it
sends could be captured by anyone able to intercept the path to the LDAP server.
Directory Synchronization
This information describes the options available in the Directory Synchronization section of the page.
Update information: Shows the state of the on-box directory. A time and date shows when the latest
update occurred and that the information is available for query; otherwise the on-box directory has no
data, or is not up to date.
Update Now: When clicked, the appliance immediately copies directory information from the servers
under Directory Services to its own directory.
Synchronization schedule: Specifies how often the appliance copies directory information from the LDAP
servers to which you have connected to its own directory. Setting the schedule to Hourly can create a
heavy load on your network.
The queries should only take a few seconds to complete. If the queries do not quickly return a
response, check the following:
Ensure all the LDAP attributes specified in the query are also available within the LDAP schemas on
the server being queried.
Make sure all LDAP attributes specified in the query are indexed on the remote LDAP server.
Network Groups
This page enables you to create network groups to use as policy selection criteria.
You can also define user groups based on sender email addresses, recipient email addresses, or LDAP
queries.
Group list: Displays the name of each group, whether it is in use, and provides the option to remove
the group from the list.
Add
Group name
Rule type: Choose from:
  IP address
  VLAN identifier
  Network connection
  Host name
Match: Choose from:
  is
  is not
  is in
  is not in
Value
Add Rule: Adds a new line to the list where you can specify the name, type, and values to match on for
a new network group.
LDAP authentication
Group list: Displays the name of each group, whether it is in use, and provides the option to remove
the group from the list.
Add
Group name
Selected or unselected: Select a group and click Edit or Delete Selected Rules as appropriate. Use the
arrow icons to move the rules up and down the list.
Rule type: Choose the type of rule, such as Sender email address.
Match: Choose from:
  is
  is not
  is like
  is not like
Value
Add Rule
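The rule tables above for network groups (is / is not / is in / is not in over IP addresses, VLAN identifiers, network connections and host names) and for user groups (is / is not / is like / is not like over email addresses) can be evaluated with a small matcher. The following is an added example, not McAfee code. Two things it assumes, because the page does not say: that "is like" means a wildcard pattern such as *@sales.example.com, and that a group matches a connection when any one of its rules matches; the shape of the connection context dictionary and the sample groups are constructed for the example.

```python
"""Added example (not McAfee code): evaluate network-group and user-group rules
of the kinds listed on the Group Management pages against a connection. The
any-rule-matches semantics, the wildcard meaning of 'is like' and the context
keys are assumptions of this example."""
import fnmatch
import ipaddress

RULE_KEYS = {"IP address": "ip", "VLAN identifier": "vlan", "Network connection": "connection",
             "Host name": "host", "Sender email address": "sender",
             "Recipient email address": "recipient"}

def _as_network(value):
    """Parse an IP address or CIDR block; returns None for anything else."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def match_rule(rule_type, op, value, ctx):
    """Evaluate one (rule type, match, value) rule against a context such as
    {'ip': '203.0.113.7', 'vlan': 20, 'host': 'mx1.partner.example', 'sender': ...}."""
    actual = ctx.get(RULE_KEYS[rule_type])
    if actual is None:
        return False                                 # attribute unknown for this connection
    negate = op.startswith("is not")
    if op in ("is", "is not"):
        hit = str(actual).lower() == str(value).lower()
    elif op in ("is in", "is not in"):               # CIDR block for IPs, comma list otherwise
        net = _as_network(value) if RULE_KEYS[rule_type] == "ip" else None
        if net is not None:
            hit = ipaddress.ip_address(actual) in net
        else:
            hit = str(actual).lower() in [v.strip().lower() for v in str(value).split(",")]
    elif op in ("is like", "is not like"):           # wildcard pattern, e.g. *@sales.example.com
        hit = fnmatch.fnmatchcase(str(actual).lower(), str(value).lower())
    else:
        raise ValueError(f"unknown match operator {op!r}")
    return hit != negate

class Group:
    """A named group is an ordered list of (rule type, match, value) rules."""
    def __init__(self, name, rules):
        self.name, self.rules = name, rules

    def matches(self, ctx):
        return any(match_rule(t, op, v, ctx) for t, op, v in self.rules)

def select_policy(groups, ctx, default="Default"):
    """Walk the groups in list order (the order the arrow icons set) and return the first match."""
    for group in groups:
        if group.matches(ctx):
            return group.name
    return default

# Constructed sample groups.
GROUPS = [
    Group("Partners", [("IP address", "is in", "203.0.113.0/24"),
                       ("Host name", "is like", "*.partner.example")]),
    Group("Internal VLAN", [("VLAN identifier", "is", 20)]),
    Group("Sales senders", [("Sender email address", "is like", "*@sales.example.com")]),
]

if __name__ == "__main__":
    print(select_policy(GROUPS, {"ip": "203.0.113.7", "vlan": 20}))   # Partners wins: listed first
```

Because the first matching group wins, the order set with the arrow icons is part of the policy: in the sample, a partner host on VLAN 20 is treated as a partner, not as internal, and a host-name rule only applies to connections for which a host name was actually resolved.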
In Value, select the user group you created, and click OK.
List of groups
Valid recipient
Group membership
Delivery MTA
Synchronization
Address masquerade
Use the Next > and < Back buttons to navigate through the screens. After you have successfully tested
the group and member queries, click Finish to complete the wizard.
Directory Synchronization offers a choice of access: the appliance can query an external directory
server in real time, or its own ("on-box") cached directory.
Service name: Enter a name for the service you are adding. This name is displayed in the list of
Directory Services.
Server address: Enter the address for the server that hosts the directory service you are adding.
Server type: Choose from:
  Domino
  Netscape/Sun iPlanet
  Exchange
Based on the server type you select, the default queries are modified to match the default attributes.
Different server types have different attributes associated with them, depending on the schemas that
you have specified.
Base DN: Enter the base distinguished name to be used by the directory service you are adding.
Username: Enter the user name needed for the appliance to connect to the directory service. Use a
dedicated account with read-only access to the directory for this bind.
Password: Enter the password needed for the appliance to connect to the directory service.
Referrals: Select this to allow the appliance to follow LDAP referrals to other servers that hold a
part of the directory tree.
Page Size
Query types
List of groups
Group membership: Query to get the list of groups that an email address belongs to. See the note
under Stop On Result about groups that exist only on the secondary server.
Synchronization: Query to get all the email addresses on the LDAP server to synchronize to the
appliance.
Valid recipient
Delivery MTA: Query to find the Message Transfer Agent (MTA) to which you want to deliver for a
particular email recipient.
Address masquerade: Query to find the email address that you want to masquerade.
Enabled
Cache Result: Specify whether you want to cache results on the appliance to reduce the time it takes
to run the query, and reduce network load. Deselecting this option queries the LDAP server in real
time.
Fail Open: Select to query a secondary LDAP server (if set up) if the primary LDAP server fails.
Stop On Result: Select to stop a query on a secondary server when a successful result occurs.
When the primary server and the secondary server have different sets of groups, and Stop on Result is
selected on the primary server, only the groups from the primary server appear on the policy creation
page. To avoid this, deselect Stop On Result for the List of groups and Group membership queries.
Add Query: Click to open a new page of the wizard that allows you to create a new query in addition to
the queries already set up for you.
Edit Query: Select a query, then click Edit Query to open a new page of the wizard that allows you to
edit the query.
Remove Query: Delete the selected query. Default queries cannot be removed.
Test Query: Click to open a new page of the wizard that allows you to test whether the query provides
the results that you want before you apply the configuration to the appliance. When the results are
returned, click Next to return to this page.
Finish: Completes the wizard. The query becomes available to select in areas of the appliance that
can work with LDAP, such as:
  Address Masquerading
  Recipient Authentication
  Creating a new policy
  Delivering Email
You must apply the changes to the appliance for the LDAP query to register and become available to
create a new policy.
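The Cache Result, Fail Open and Stop On Result options above, together with the earlier description of when the on-box directory answers a lookup and when the appliance falls back to a real-time query, combine into one decision procedure. The following is an added example, not McAfee code: a toy model with two in-memory "servers" standing in for a primary and a secondary LDAP server, a query object carrying the three flags, and an on-box directory that is refreshed by an Update Now style synchronization. The server contents, the cache layout keyed by primary server and query text, and the derivation of a Base DN from a domain name are constructed for the example; no LDAP traffic is involved.

```python
"""Added example (not McAfee code): a toy model of how a query runs across a
directory service group (primary first, then secondaries) under the Fail Open
and Stop On Result options, and of how the on-box directory answers from its
synchronized cache or falls back to a real-time lookup when a server has not
been synchronized or the query has changed since. Server contents are
constructed; no LDAP traffic is involved, and the cache model is assumed."""
from dataclasses import dataclass, field

class ServerUnavailable(Exception):
    pass

class DirectoryServer:
    """Stand-in for one LDAP server: email address -> groups, plus an up/down flag."""
    def __init__(self, name, members, up=True):
        self.name, self.members, self.up = name, members, up

    def search(self, query, identity):
        if not self.up:
            raise ServerUnavailable(self.name)
        if query.name == "List of groups":
            return sorted({g for groups in self.members.values() for g in groups})
        if query.name == "Group membership":
            return sorted(self.members.get(identity, []))
        raise KeyError(query.name)

@dataclass(frozen=True)
class Query:
    name: str
    search_filter: str                # stands in for the LDAP filter string
    cache_result: bool = True
    fail_open: bool = True
    stop_on_result: bool = True

def run_query(servers, query, identity=None):
    """Real-time lookup across a server group; servers[0] is the primary."""
    results = []
    for server in servers:
        try:
            found = server.search(query, identity)
        except ServerUnavailable:
            if query.fail_open and server is not servers[-1]:
                continue                  # Fail Open: try the next server in the group
            raise
        results.extend(g for g in found if g not in results)
        if found and query.stop_on_result:
            break                         # Stop On Result: secondaries are not consulted
    return results

@dataclass
class OnBoxDirectory:
    """The appliance's synchronized copy of the directory data."""
    cache: dict = field(default_factory=dict)      # (server, query, identity) -> result
    synced: dict = field(default_factory=dict)     # (server, query) -> filter at sync time

    def synchronize(self, servers, queries, identities):
        """'Update Now': refresh every cacheable query on every reachable server."""
        for server in servers:
            for query in queries:
                if not query.cache_result:
                    continue
                try:
                    for identity in identities:
                        self.cache[(server.name, query.name, identity)] = server.search(query, identity)
                    self.synced[(server.name, query.name)] = query.search_filter
                except ServerUnavailable:
                    self.synced.pop((server.name, query.name), None)   # stale: lookups go real-time

    def lookup(self, servers, query, identity=None):
        """Return (result, source), source being 'cache' or 'real-time'."""
        primary = servers[0].name
        key = (primary, query.name, identity)
        if (query.cache_result and key in self.cache
                and self.synced.get((primary, query.name)) == query.search_filter):
            return self.cache[key], "cache"
        return run_query(servers, query, identity), "real-time"

def base_dn(domain):
    """Base DN as derived in the tasks below: test.dom -> dc=test,dc=dom."""
    return ",".join(f"dc={label}" for label in domain.split("."))

# Constructed sample data: the secondary knows a group the primary does not.
PRIMARY = DirectoryServer("ldap-primary", {"alice@test.dom": ["sales", "staff"],
                                           "bob@test.dom": ["staff"]})
SECONDARY = DirectoryServer("ldap-secondary", {"alice@test.dom": ["sales", "staff"],
                                               "carol@test.dom": ["engineering"]})
SERVICE = [PRIMARY, SECONDARY]
GROUP_MEMBERSHIP = Query("Group membership", "(mail=%s)")
LIST_OF_GROUPS = Query("List of groups", "(objectClass=group)")

if __name__ == "__main__":
    print(run_query(SERVICE, LIST_OF_GROUPS))             # primary's groups only (Stop On Result)
    print(run_query(SERVICE, Query("List of groups", "(objectClass=group)", stop_on_result=False)))
```

Running the List of groups query with Stop On Result selected returns only the primary's groups, which is exactly the policy-page symptom the note above warns about; clearing the flag merges both servers. The cache side shows the other rule from the Directory Synchronization description: a synchronized entry keeps answering even while the primary is down, but an identity that was never synchronized, or a query whose filter was edited after the last synchronization, goes to the servers in real time.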
Full Query String: Displays the default attributes associated with the query.
Query Name
Primary Query
Secondary Query: If necessary, create a secondary query as a further query to the first. For example,
if a primary query in the Group membership query is to locate a specific user, you can create a
secondary query to discover which user group the user belongs to.
Query Name: Displays the search filters, and the attributes associated with them.
Query Results
Task
1 Go to Email | Group Management | Directory Services and click Add Server to open the Add Directory Service wizard.
2 On the Directory Service Details page of the wizard, add the following data:
In Server address, type the IP address of the server to which you want to connect.
In Base DN, where the domain name is test.dom, type dc=test, dc=dom.
Type the username and password of the server to which you are connecting, and click Next.
3 On the Directory Service Queries page of the wizard, ensure that the following queries have the Enabled and Cache Results checkboxes selected:
List of groups
Group membership
Valid recipient
Delivery MTA
Address masquerade
4 Click Test to verify that the query returns the information you want, then click Finish.
5 In the Directory Synchronization section of the page, set the frequency to Hourly.
6 In the Directory Services section of the page, select the service you created, then select Add Secondary Server to open the Add Directory Service wizard again.
7 Specify the details of the secondary server that you want to add.
Click Add Server, and type the name of the service, such as generic.
In Server address, add the IP address of the LDAP server to which you are connecting.
In Base DN, where the domain name is test.dom, type dc=admin, dc=test, dc=dom.
Type the username and password of the server to which you are connecting.
Leave the other settings in their default state, and click Next.
10 In Identity attribute, type the attributes that you want to retrieve, such as cn, and click Next.
11 On the Directory Service Queries page, select the query you created, and click Test Query.
12 In Identity for query, type the email address that you want to get the cn for, and click Perform LDAP Query.
The cn of the email address displays in the Query Results area. The query is then available to that directory service.
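The two details of the task above that are easiest to get wrong are the Base DN (dc=test,dc=dom for test.dom) and the search filter that the "Identity for query" value is placed into. The following is an added example, not McAfee's code and not the appliance's own query engine: it derives the Base DN from a domain name, escapes the identity value per RFC 4515 so that characters such as * ( ) cannot widen the query, and builds the equivalent ldapsearch command for testing outside the appliance. The attribute names mail, objectClass=group and member, the host 192.0.2.10 and the bind DN are assumptions about a typical directory, not values taken from the page.

```python
import re
import shlex

# Added example (not the appliance's own code). It covers the two details of the
# directory-service task that are easy to get wrong: deriving the Base DN from a
# domain name, and building the search filter for the "Identity for query" value
# without letting LDAP filter metacharacters in that value alter the query.

_DNS_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")

def base_dn_for_domain(domain):
    """Turn a DNS domain into the Base DN the wizard expects: test.dom -> dc=test,dc=dom."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels or not all(_DNS_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def identity_filter(identity_attribute, identity):
    """Primary query: the entry whose identity attribute equals the supplied value,
    e.g. the email address typed in "Identity for query". The attribute name "mail"
    used below is an assumption about the directory schema."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", identity_attribute):
        raise ValueError(f"bad attribute name: {identity_attribute!r}")
    return f"({identity_attribute}={escape_filter_value(identity)})"

def group_membership_filter(member_dn):
    """Secondary query: groups that list the entry found by the primary query.
    objectClass=group and the member attribute are assumptions, not page content."""
    return f"(&(objectClass=group)(member={escape_filter_value(member_dn)}))"

def ldapsearch_argv(server, base_dn, bind_dn, search_filter, attributes):
    """The equivalent OpenLDAP ldapsearch command for testing the query outside the
    appliance. -W prompts for the bind password instead of taking it on the command
    line, where it would be visible in the process list and shell history."""
    return (["ldapsearch", "-LLL", "-H", f"ldap://{server}", "-b", base_dn,
             "-D", bind_dn, "-W", search_filter] + list(attributes))

def ldapsearch_command(server, base_dn, bind_dn, search_filter, attributes):
    """Shell-quoted form of ldapsearch_argv, safe to paste into a terminal."""
    argv = ldapsearch_argv(server, base_dn, bind_dn, search_filter, attributes)
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    base = base_dn_for_domain("test.dom")                 # dc=test,dc=dom
    flt = identity_filter("mail", "bob@test.dom")         # (mail=bob@test.dom)
    print(ldapsearch_command("192.0.2.10", base, "cn=svc,dc=test,dc=dom", flt, ["cn"]))
    # A crafted identity is neutralised instead of widening the search:
    print(identity_filter("mail", "*)(objectClass=*"))    # (mail=\2a\29\28objectClass=\2a)
```

If the directory server offers LDAP over TLS, use ldaps:// in place of ldap:// so the bind password and the returned attributes do not cross the network in the clear.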
Quarantine Configuration
Use this page to set your email quarantine configurations.
From within this page of the user interface, you can access the settings for the quarantine options,
quarantine digest options, the digest message content, and quarantine queue settings.
Contents
Quarantine Options
Quarantine Digest Options
Digest Message Content
Quarantine Queue Settings
Quarantine Options
Use this page to configure your quarantine options.
Option  Definition
With this selected, the appliance uses its own database to hold quarantined email messages.
Use an off-box McAfee Quarantine Manager (MQM) service  Select this to use a McAfee Quarantine Manager (MQM) service hosted on another server. When selected, the following fields are made active:
Appliance ID: usually, you would use the default ID.
MQM server address: the IP address of the server that is hosting your McAfee Quarantine Manager service.
Listening port: the port used by your McAfee Quarantine Manager service.
Use HTTPS to communicate with the MQM server: when selected, forces secure communications between the appliance and the McAfee Quarantine Manager server.
Verify the MQM server certificate: configure the appliance so that it verifies the MQM server certificate before sending quarantined email messages to the McAfee Quarantine Manager server. Without this check, HTTPS encrypts the connection but does not confirm that the appliance is talking to your MQM server rather than to a host impersonating it, so select both options together.
Enable user submitted blacklists and whitelists: allow your users to blacklist and whitelist quarantined email messages from specific senders.
Update interval: specify the time between updates between the appliance and your McAfee Quarantine Manager service. The default value is 4 hours.
When you select Use an off-box McAfee Quarantine Manager (MQM) service, the Quarantine Digest Options and Digest Message Content tabs are removed from the user interface.
Table 4-167 The relationship between quarantine categories displayed in Message Search and MQM
Message Search  MQM
Anti-Phish  Phish
Anti-Spam  Spam
Anti-Virus  Viruses
Anti-Virus (Packer)
Anti-Virus (PUP)
Compliance
Corrupt Content
Encrypted Content
Encryption Compliance
File Filtering
Mail Filtering
Mail Size
Signed Content
Directory Harvesting
Others
Image Filtering
Denial of Service
Option  Definition
Enable digest messages  Specifies whether to enable digest messages for the selected protocol preset.
Protocol preset  Reminds you that digest messages are enabled for this protocol preset.
Allows you to make settings for any exception to the default setting. For example, you can specify that some parts of the network do not use digest messages.
Option  Definition
Message format
Message encoding  Specifies the character set encoding for the email message that contains the digest. Default value is UTF-8.
To view the settings for user-submitted blacklists and whitelists, select Email | Email Policies | Scanning Policies [Spam] | Blacklists and Whitelists | User Submitted in the navigation bar.
To view how quarantine digest messages are displayed when allowing users to create and manage blacklists and whitelists, select Allow users to create and manage blacklists and whitelists and then click Message Preview.
Interaction type
Client-server communication method  Specifies the communication method for interactive digests when using HTML forms:
HTTP POST: parameters are hidden, which means internal information is not visible. However, the users do not receive a response from the appliance when their requests are received.
HTTP GET: works with any mail client. A user can receive a response from the appliance. However, information is displayed in the action URL, which means internal information is visible. Because a URL is also recorded in browser history and in proxy and web server logs, use HTTP GET only where your mail clients cannot submit HTML forms.
Appliance IP address or domain name to use in digest messages  Specifies an IP address or a domain name, to appear as the sending information for the digest messages. For example, 192.168.254.200 or example.com.
When selected, uses the fully qualified domain name (FQDN) format (as specified in the appliance's basic settings) instead of an IP address.
Message Preview  When clicked, displays an example of the digest that users will see.
Option  Definition
Send  When clicked, sends all digests that have not been sent since the last scheduled time or since you last pressed the Send button.
Specifies how often to send the digests, for example Weekly on Monday at 12 o'clock. We recommend that you select a time when the network is less busy. The default value is Daily at 3 a.m. If you select Never, you can send the digests by clicking Send.
Quarantine digests might not be delivered exactly at your specified time. The appliance staggers the delivery times to prevent overloading the mail servers.
Option  Definition
Message subject  Specifies the text of the subject line of the email message that carries the digest. Default value is Quarantine Summary Digest.
Use the default value  When selected, uses the default value. To change any item such as the subject line of the email message that carries the digest, deselect its corresponding Use the default value checkbox.
When clicked, opens a window that displays the stylesheet that controls the appearance of the digests when in HTML format. To edit the stylesheet, you need some knowledge of CSS (Cascading Style Sheets).
When clicked, opens a window where you can edit the main text of the digest.
When clicked, opens a window where you can edit the first sentence of the digest. You can edit the HTML content directly or at source.
When Use the default value is deselected, you can change the column headings that the user sees in the digest.
When clicked, opens a window where you can edit the text of the response message, if it is in HTML format. You can edit the HTML content directly or at source.
ePO) the queues for all managed McAfee Email Gateway appliances are displayed. The list includes the
default quarantine queues as well as any queues that have been added.
Viruses
Other
Phish
Compliance
Spam
All quarantined messages go to at least one of these queues. However, a message may trigger more
than one quarantine action, and be added to more than one quarantine queue.
Role Restrictions
Access to the quarantine queues is role-based, and each queue can have specific roles assigned. The
primary value of configuring multiple quarantine queues is to control the users that are permitted to
access each queue.
You can add custom quarantine queues to your McAfee Email Gateway appliance. When an email
message triggers a quarantine action, you can direct the message to your custom queue. This action
allows you to track quarantined messages in a more granular manner. You can more easily research
the effectiveness of specific policies by isolating the results of the quarantine actions.
Configuring custom queues requires two components:
Option  Definition
Queue name
Description
Priority  Shows the queue order that determines where the system quarantines messages that trigger multiple quarantine actions.
Permitted roles  Shows all configured roles that are permitted access to each queue. Permitted roles do not apply to custom quarantine queues.
Edit  This link allows you to change the properties for the selected queue. You cannot edit the name of any queue.
Delete
Add
Insert
Type the queue name and a brief description in the proper text fields.
You cannot configure permitted roles for a custom quarantine queue.
You cannot change the custom queue name after you have applied your changes.
Click OK.
The dialog closes and your new quarantine queue appears at the bottom of the Quarantine Queues table. The queue is assigned the lowest priority.
If you want to change the assigned priority, use the arrows in the Move column to put the queue in its proper place.
Apply your changes by clicking the green checkmark at the upper right of the page.
Task
1 For the quarantine queue you wish to change, select the Edit link.
The Change Permitted Roles dialog displays, listing all configured roles that have access to Message Search. The roles assigned to the specific queue are indicated by selection of the check box in the Permitted column.
2 Make changes to the permitted roles by selecting or deselecting the appropriate check boxes.
3 Click OK.
The Change Permitted Roles page closes. Your reconfigured permissions now appear in the Permitted roles for Message Search on the Role Restrictions list.
Task
1 Find the user-defined quarantine queue you want to delete. Click the associated Delete icon to the far right of the queue name.
A confirmation dialog box appears.
If the queue is in use by one or more policies, the icon is unavailable.
This section of the online Help provides an overview of the System menu features and controls within
your McAfee Email Gateway appliances.
Contents
Appliance Management
System Administration
Users
Virtual Hosting
McAfee Advanced Threat Defense Server Configuration
Add ATD Server
Logging, Alerting and SNMP
Component Management
Setup Wizard
Appliance Management
The Appliance Management pages enable you to reset basic and network settings for the appliance,
and specify settings such as remote access, and DNS and Routing.
Use these pages to define settings for the appliance, such as the domain name and default gateway.
General
Use this page to specify basic settings for the appliance like those you defined in the Setup Wizard.
The appliance can handle IP addresses in IPv4 and IPv6 formats.
Basic Settings displays settings such as the default gateway and domain name.
Network Interface Settings displays the current network interface settings for NIC 1 and NIC 2.
Some sections are relevant only when the appliance is in the appropriate mode.
Option  Definition
Appliance name
Domain name
Operational language  Selects the language that will be used for internal reporting and error messages.
Option  Definition
<mode>  The operating mode that you set during installation or in the Setup Wizard.
Network Interface 1  Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU.
Network Interface 2  Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU.
Change Network Settings  Click to open the Network Interface Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and change the chosen operating mode.
If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is
running on your network, make sure that the appliance is configured according to STP rules.
Additionally, you can set up a bypass device in transparent bridge mode.
To configure your McAfee Email Gateway Blade Server to failover from the management blade to the
failover management blade, you must specify at least one virtual IP address, shared between the
management and failover management blades.
Option  Definition
IP Address
Network Mask  Specifies the network mask. In IPv4, you can use a format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled
Virtual
Option  Definition
New Address / Delete Selected Addresses
NIC 1 Adapter Options or NIC 2 Adapter Options
Option  Definition
IP Address
Network Mask  Specifies the network mask. In IPv4, you can use a format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled
Virtual  When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server.
Option  Definition
New Address / Delete Selected Addresses
NIC 1 Adapter Options or NIC 2 Adapter Options
Enable sending IPv6 router advertisements on this interface  When enabled, allows IPv6 router advertisements to be sent to machines on the subnet that require a router response to complete auto-configuration.
Option  Definition
Select all
IP Address
Network Mask  Specifies the network mask. In IPv4, you can use a format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled
Option  Definition
New Address / Delete Selected Addresses
NIC Adapter Options
Option  Definition
Enable STP
Bridge priority  Sets the priority for the STP bridge. Lower numbers have a higher priority. The maximum number that you can set is 65535.
Advanced parameters  Expand to set the following options. Change the settings only if you understand the possible effects, or you have consulted an expert:
Forwarding delay
Option  Definition
The bypass device inherits settings from those you entered in NIC Adapter Options.
Watchdog timeout (seconds)  For the bypass device, the time, in seconds, that can elapse before the system bypasses the appliance.
Option  Definition
Heartbeat interval (seconds)
Advanced parameters  This option becomes active when you select a bypass device.
Mode: choose to monitor the heartbeat, or the heartbeat and the link activity.
Link activity timeout (seconds): becomes active when you select Monitor heartbeat and link activity in Mode.
Enable buzzer: enabled by default. If the bypass device fails to detect the heartbeat signal for the configured Watchdog timeout, the buzzer sounds.
DNS Servers
Routing
Option  Definition
Server Address  Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution.
New Server / Delete Selected Servers  Adds a new server to the list, or removes one when, for example, you need to decommission a server due to network changes. Use the arrows to move the servers up and down the list.
Only send queries to these servers  Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries: the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and the DNS server caches the response, so that other clients that query that DNS server get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests itself, or might query DNS servers outside your network.
Option  Definition
Network Address
Mask  Specifies the network mask of the destination network, for example, 255.255.255.0.
Gateway  Specifies the IP address of the router used as the next hop out of the network. The address 0.0.0.0 (IPv4) or :: (IPv6) means that no gateway is used for the route.
Metric  Specifies the preference given to the route. A low number indicates a high preference for that route.
New Route / Delete Selected Routes  Add a new route to the table, or remove one. Use the arrows to move the route up and down the list. The routes are chosen based on their metric value.
Enable dynamic routing  Use this option in transparent router mode only. When enabled, the appliance can:
receive routing information broadcast over RIP (the default) and apply it to its routing table, so you don't have to duplicate on the appliance routing information that is already present in the network.
broadcast over RIP any static routes that have been configured through the user interface.
Because RIP accepts route announcements from any device on the segment, enable dynamic routing only on networks where you control every router.
Click New Server and type the IP address. The appliance sends requests to DNS servers in the order
that they are listed.
If necessary, click Only send queries to these servers, and choose the servers.
Network Address
Gateway
Metric
Useful websites
http://www.ntp.org
Option  Definition
Appliance Time Zone  Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time.
Appliance Time (UTC)  Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as http://www.worldtimeserver.com.
Set Now  When clicked, applies the date and UTC time that you specified in this row.
Client Time  Displays the time according to the client computer from which your browser is currently connected to the appliance.
Synchronize appliance with client  When selected, the time in Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to setting Appliance Time (UTC) manually. The appliance calculates the UTC time based on the time zone that it finds on the client's browser.
Ensure that the client computer is aware of any daylight saving adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.
Enable NTP  When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network, but it means trusting any device on the network that can send broadcasts. When deselected, accepts NTP messages only from servers specified in the list. Accurate time also matters for checking certificate validity periods and for correlating the appliance's logs with other systems.
NTP Server  Displays the network address or a domain name of one or more NTP servers that the appliance uses. For example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time.
New Server
Task Using an NTP Server to set the appliance date and time
Use this task to add an NTP server to manage the appliance time and date.
Task
1
Remote Access
Use this page to provide the methods of accessing the appliance remotely.
Option  Definition
Enable the secure shell  Click to enable the use of Secure Shell (SSH) to connect remotely to your appliance. By default, when you enable the use of SSH, it allows all hosts or networks that can access the appliance. Click Allow permitted hosts / networks listed below, then select New Address to give access only to the specified devices.
You can use your SSH client to access the support account on the appliance. Use the same password that you use to access the interface from a remote computer.
If you are using out-of-band management and have blocked port 22, change the SSH configuration to allow Secure Shell access.
Permitted Host / Network  Displays details of devices that can access the appliance. By default, access is available to ALL hosts or networks that can use Secure Shell (SSH).
The entries here are added to the /etc/hosts.allow file, and therefore must follow its conventions. We recommend that you allow access to known domains or users initially. Name-based entries are matched against the reverse DNS name of the connecting client, so they are only as trustworthy as your DNS; address-based entries do not depend on DNS.
Click New Address / Delete Selected Addresses to add or remove permitted hosts or networks from the list.
To add a network, use the following notation formats:
IPv4: 192.168.5.0/24 or 192.168.5.0/255.255.255.0 (allows every host with a network address beginning 192.168.5 to access the secure shell)
IPv6: [3ffe:505:2:1::]/64 (allows every address in the range 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff)
domain wildcards: *.example.com (allows all hosts in the example.com domain to access the secure shell)
To add an individual host, use the following notation formats:
IPv4: 192.168.0.5 (only allows the particular IP address to access the secure shell)
IPv6: [2001:470:921b:7896::3c]. The [ ] must be typed.
hostname: host1.example.com (only allows host1 in the example.com domain to access the secure shell)
To add individual hosts, netmasks cannot be used.
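To check a permitted-host list against the notations above before applying it (an entry typed wrongly can lock you out, and an over-broad one lets the whole Internet reach the support account), here is an added example. It is not the appliance's own /etc/hosts.allow parser, and tcp_wrappers syntax differs in places; it simply validates and matches the forms the page lists, and the same netmask handling (255.255.255.0 or 24 for IPv4, a prefix length only for IPv6) applies to the Network Mask fields of the interface settings. The client name passed to is_permitted stands in for what the appliance would obtain from reverse DNS, which is an assumption made so that the example runs offline.

```python
import ipaddress
import re

# Added example, not McAfee code. It validates and matches the permitted-host
# notations the Remote Access page lists: IPv4 CIDR or dotted netmask, bracketed IPv6
# with a prefix length, "*." domain wildcards, single IPv4 or bracketed IPv6 hosts,
# and host names. Real tcp_wrappers syntax differs in places (e.g. ".example.com").

_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_BRACKETED_V6 = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?:/(\d{1,3}))?$")

def parse_entry(entry):
    """Return (kind, value) with kind in {"net", "host", "domain", "name"}.
    Raises ValueError for entries the page's rules reject."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if entry.startswith("*."):
        suffix = entry[1:].lower()                  # "*.example.com" -> ".example.com"
        if not _HOSTNAME.match(suffix[1:]):
            raise ValueError(f"bad domain wildcard: {entry}")
        return ("domain", suffix)
    m = _BRACKETED_V6.match(entry)
    if m:
        addr, plen = m.groups()
        if plen is None:
            return ("host", ipaddress.IPv6Address(addr))
        return ("net", ipaddress.IPv6Network((addr, int(plen)), strict=False))
    if ":" in entry:
        raise ValueError(f"IPv6 entries must be bracketed: {entry}")
    if "/" in entry:
        # ipaddress accepts both "192.168.5.0/24" and "192.168.5.0/255.255.255.0".
        net = ipaddress.IPv4Network(entry, strict=False)
        if net.prefixlen == 32:
            raise ValueError("netmasks cannot be used for individual hosts; enter the bare address")
        return ("net", net)
    try:
        return ("host", ipaddress.IPv4Address(entry))
    except ValueError:
        pass
    if _HOSTNAME.match(entry):
        return ("name", entry.lower())
    raise ValueError(f"unrecognised entry: {entry}")

def entry_is_valid(entry):
    """True if the entry is in one of the accepted forms."""
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False

def is_permitted(client_ip, entries, client_name=None):
    """True if the client matches any entry. Name-based entries match client_name,
    which the appliance would obtain from reverse DNS; it is passed in here so the
    example runs offline, which also shows that those entries trust DNS."""
    ip = ipaddress.ip_address(client_ip)
    name = (client_name or "").lower().rstrip(".")
    for raw in entries:
        kind, value = parse_entry(raw)
        if kind == "host" and ip == value:
            return True
        if kind == "net" and ip.version == value.version and ip in value:
            return True
        if kind == "domain" and name.endswith(value):
            return True
        if kind == "name" and name == value:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample list mirroring the page's examples.
    allowed = ["192.168.5.0/24", "[3ffe:505:2:1::]/64", "*.example.com", "192.168.0.5"]
    for entry in allowed + ["192.168.0.5/32", "2001:db8::1"]:
        print(f"{entry:28} valid={entry_is_valid(entry)}")
    print(is_permitted("192.168.5.77", allowed))                                   # True
    print(is_permitted("10.0.0.9", allowed, client_name="host1.example.com"))      # True
    print(is_permitted("10.0.0.9", allowed))                                       # False
```

Run the list through entry_is_valid before clicking New Address, and test the address you will be connecting from with is_permitted; the management-interface allow list on the same page takes IPv4 entries only, so the IPv6 forms do not apply there.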
Option  Definition
Management Port  This field allows you to specify the port used to access the User Interface. When the McAfee Email Gateway is first installed, port 443 is used. However, during the configuration process, this value is changed by default to 10443. If you intend to use any of the encryption features within McAfee Email Gateway, you must change the management port to 10443 and apply these settings.
Option  Definition
Allow permitted hosts/networks listed below  Displays details of devices that can access the appliance through its web-based interface (IPv4 addresses only). Restricts access to the user interface to the hosts or networks that you specify here. By default, access is available to ALL devices. Click New Address / Delete Selected Addresses to add or remove permitted hosts or networks from the list. Type the IP addresses or domains carefully, otherwise the appliance can become inaccessible.
The email address of the main appliance administrator. This address is shown as the webmaster's contact address when someone tries to access an invalid page on the appliance user interface.
Option  Definition
When selected, allows you to control the appliance through a direct connection.
Ethernet adapter  Offers a choice of Ethernet adapter, such as Belkin F5D5050 for a USB network adapter, or Gb4(mb3) for the in-built network adapter.
IP Address / netmask
Option  Definition
NIC Adapter Options  Specifies various details for the out-of-band connection, which is effectively a third NIC connection for the appliance.
MTU size: the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. Default value is 1500 bytes.
Autonegotiation state: on by default.
Connection speed: 100Mbps by default.
Duplex state: Full by default.
Enable IPv6 auto-configuration: select this option to allow the appliance to configure its IPv6 addresses and IPv6 default next-hop router automatically, by receiving Router Advertisement messages sent from your IPv6 router. This option is grayed out by default if your appliance is running in transparent router mode, or is part of a cluster configuration.
Enable in-band management  When deselected, the listed ports are blocked on the main (non-management) appliance IP address, so that the appliance can be administered only over the out-of-band management interface. Use New Port and Delete Selected Port to maintain the list of blocked ports.
New Port
Delete Selected Port
Definition
Select to have the appliance manage the remote access card through the user
interface.
Listening port
Obtain an IP address
dynamically using DHCP
IP address / netmask
Option  Definition
Use the drop-down box to select the USB driver, or in-built ethernet adapter.
Expand the NIC Adapter Options area (optional), and change any necessary information.
Access the appliance through the out-of-band interface, and go to System | Appliance Management | Remote Access.
Deselect Enable in-band management. By default, the user interface (port 443), the secure shell (port 22), and SNMP (port 161) are blocked on the appliance IP address.
Click New Port to add any new ports that you want to block on the main appliance IP address and only access through the management network.
Option  Definition
Country [C]  Specifies a two-letter code such as CN, DE, ES, FR, JP, KR. (See ISO 3166.) Default value is US.
Specifies the location of your organization. Give a full name rather than an abbreviation.
Organization [O]
Import  When clicked, opens a window where you can specify the file.
Export  When clicked, opens a window where you can specify a passphrase, then download a file. The file name extension is CRT (base-64 encoded) or P12 (PKCS#12). The certificate is in PEM format.
Generate Certificate Signing Request  When clicked, opens a window where you can request that the Certificate Signing Request is signed by a Certificate Authority on the appliance or by an external Certificate Authority. The file name extension is CSR.
Regenerate  When clicked, you are prompted to confirm that you want to regenerate the certificate and private key.
Option  Definition
Options  Select if you want to export the certificate only, without including your private keys.
Format
Protect the private key with the following passphrase  Password-protect the private key within the exported file.
Confirm the passphrase
Download  When the file has been downloaded locally, click Finish to close this wizard.
UPS Settings
Understand how to configure your McAfee Email Gateway to work with third-party Uninterruptible
Power Supply (UPS) systems.
Option  Definition
Specifies the number of minutes before the appliance shuts down. The default As long as possible option means that the power stays on until the UPS signals that the battery is low. If you set the minutes value to zero, the appliance shuts down immediately.
Status
Type  Displays the type of connection between the appliance and the UPS: USB Cable, Serial Cable, or Network.
New Device  When clicked, opens the Add UPS Device wizard where you can specify UPS settings for the (master) appliance that connects to the UPS, or settings for one or more appliances (slaves) that connect to the master appliance via the network.
Option  Definition
Appliance Name or Address
Type  Displays the status of the monitoring device. Every added device is defined as Slave. This list always contains one Master entry.
New Client  When clicked, opens a window where you can specify the address of the client, and a user name and password that the client must specify to access the UPS information. The user name and password are those specified when you set up the master device.
Connect the USB UPS to the appliance to ensure the list displays the UPS.
Select the appropriate values for Vendor Name, UPS Device Model, and Attached USB Device.
To begin with, you can keep the default Off delay and On delay settings.
Edit the settings for the following options as applicable:
Connect the serial UPS to the appliance using the serial cable supplied with the UPS.
Select appropriate values for Vendor Name, UPS Device Model, and Serial Port.
Click Edit to change the settings for the following options as applicable:
Task Configure your appliance to accept UPS status requests from other
appliances
Use this task to have the appliance accept UPS status requests from other appliances.
Task
1
Ensure that your UPS is working (a green checkmark shows in the Status column).
In Client Address, type the IP address of the client that you wish to allow queries from.
Note the information in the Username and Password fields; you will need to enter them later on the client machine.
Click OK.
Complete the steps in Configure your appliance to accept UPS status requests from other appliances.
Select Get Power status from another appliance and click Next.
Type the name or IP address of the appliance that has the UPS connected to it.
Type the username and password that you noted in Configure your appliance to accept UPS status requests from other appliances.
Click Test Authentication to check that the communication is working, then click Finish and apply changes.
Option  Definition
USB device
Serial device
Get power status from another appliance
The options you see in the wizard depend on the type of device that you choose.
Option  Definition
Vendor name
UPS device model  Select from the list of supported USB models supplied by the vendor you chose.
Option  Definition
Off delay  The length of time, in seconds, that the UPS waits before turning off after it receives the "turn off" command.
On delay  The length of time, in seconds, that the UPS waits before restoring power after the mains power returns.
Option  Definition
Vendor name
UPS device model  Select from the list of supported models supplied by the vendor you chose.
Serial port  Select the serial port that you want to use. COM1 is the built-in serial port on the appliance.
Option  Definition
Appliance name or address  The host name or IP address of the master appliance.
User name
Password
Test Authentication  Click to test the connection between the appliance and the master device defined above.
FTP
Definition
Proxy server
Proxy port
Proxy username
Proxy password
Definition
Proxy server
Proxy port
Proxy username
Proxy password
Option  Definition
Transfer to FTP Server  Selected by default:
Server
Proxy server
Port
Proxy port
Directory
Proxy username
Proxy password
If you use either FTP or SSH with password authentication, your passwords are stored in the appliance configuration files, in plain text format. Plain FTP also sends the password and the backup file over the network unencrypted. The most secure option is to use SSH with public key authentication. To use this feature, click the link to generate a key file, then copy and paste its contents into the authorized keys file of the backup account on the destination server (~/.ssh/authorized_keys for OpenSSH) so that the appliance can perform the backup.
System Administration
The System Administration pages provide you with the features you need to enable you to set up and
maintain your McAfee Email Gateway.
Rescue Image
System Commands
Configuration Management
Use this page to back up and restore the information about the appliances configuration.
Backup Configuration
Restore Configuration
Configuration Report
Option  Definition
Backup Configuration  When clicked, puts all the appliance's configuration settings into a file, and allows you to download the file. You can safely store configuration details about the appliance offline, and restore that information later if the original appliance fails. The system configuration files are saved to a .zip file, which contains mainly XML files and associated DTD files. The .zip file size is typically less than 1MB.
When selected, automatically includes information in the backup file about any DLP categories and file fingerprints. To find the contents of the DLP database, go to Email | DLP and Dictionaries. Selecting this option uses large amounts of disk space.
Include TLS certificates and private keys  When selected, includes information in the backup file about any digital certificates and private keys that are stored on the appliance. You need to consider the security of your private keys: anyone who obtains the backup file holds them. To find the certificates, go to Email | Certificate Management | Certificates | TLS Certificates and Keys. By default, the TLS certificates and private keys are not encrypted when stored in the backup file, so select the option to encrypt the private keys with a passphrase, and protect the downloaded file as you would the keys themselves.
Option  Definition
When Include TLS certificates and private keys is selected, choose to encrypt the private keys. You will need to specify the Passphrase.
When selected, includes information in the backup file about any digital certificates and private keys relating to the Email Hybrid implementation that are stored on the appliance. The Email Hybrid private key is not encrypted when stored in the backup file.
When selected, includes information in the backup file about any public certificates and private keys, as well as configuration details for each domain and each user that are configured for Secure Web Mail.
Email messages are not included in the configuration backup.
Enable automatic backup  When selected, configuration backups are made periodically and sent to a server whose details you can specify. If no server is configured already, the Configure Automatic Configuration Backups wizard starts. Otherwise, click the link next to Backup Scheduled to specify the server.
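Two of the statements above describe what a configuration backup can leak: the FTP/SSH backup passwords that the appliance keeps in its configuration files in plain text, and the TLS and Email Hybrid private keys that are not encrypted in the backup by default. The following is an added example, not McAfee's code, that audits a downloaded backup .zip for exactly those two exposures before the file is stored off-box. The page says only that the backup is a .zip of XML files; the element and attribute names in the constructed sample, the member paths and the dummy PEM bodies are assumptions made so that the example runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Added example, not McAfee code. Scans a configuration backup (.zip of XML files
# plus any exported PEM material) for private keys stored without encryption and for
# non-empty password elements/attributes in the XML. The real appliance's XML layout
# is not shown on the page; the sample below is constructed.

_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----(.*?)-----END \1-----", re.S)

def classify_pem(block_type, body):
    """'plaintext' or 'encrypted' for private keys; None for certificates and CSRs."""
    if "PRIVATE KEY" not in block_type:
        return None
    if block_type.startswith("ENCRYPTED"):             # PKCS#8, encrypted
        return "encrypted"
    if "Proc-Type: 4,ENCRYPTED" in body:                # legacy OpenSSL PEM headers
        return "encrypted"
    return "plaintext"

def audit_backup(zip_bytes):
    """Return the members holding plaintext private keys, encrypted private keys,
    and non-empty password elements or attributes inside XML files."""
    found = {"plaintext_private_keys": [], "encrypted_private_keys": [], "plaintext_passwords": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            text = zf.read(member).decode("utf-8", errors="replace")
            for m in _PEM.finditer(text):
                kind = classify_pem(m.group(1), m.group(2))
                if kind == "plaintext":
                    found["plaintext_private_keys"].append(member)
                elif kind == "encrypted":
                    found["encrypted_private_keys"].append(member)
            if member.lower().endswith(".xml"):
                try:
                    root = ET.fromstring(text)
                except ET.ParseError:
                    continue
                for el in root.iter():
                    if "password" in el.tag.lower() and (el.text or "").strip():
                        found["plaintext_passwords"].append(f"{member}:{el.tag}")
                    for attr, val in el.attrib.items():
                        if "password" in attr.lower() and val.strip():
                            found["plaintext_passwords"].append(f"{member}:{el.tag}@{attr}")
    return found

def build_sample_backup():
    """Constructed sample, not a real backup: an FTP password attribute, an SSH
    password element, an unencrypted PKCS#8 key, an encrypted one and a certificate.
    The key and certificate bodies are dummy base64, not real key material."""
    config_xml = (
        '<?xml version="1.0"?>\n<config>\n'
        '  <backup><ftp server="ftp.example.com" username="backup" password="hunter2"/>\n'
        '          <ssh server="backup.example.com"><password>s3cret</password></ssh></backup>\n'
        '</config>\n'
    )
    plain_key = "-----BEGIN PRIVATE KEY-----\nMIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8w\n-----END PRIVATE KEY-----\n"
    enc_key = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG\n-----END ENCRYPTED PRIVATE KEY-----\n"
    cert = "-----BEGIN CERTIFICATE-----\nMIIC0zCCAbugAwIBAgIUL4mkqNp4ZX3x\n-----END CERTIFICATE-----\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config/backup.xml", config_xml)
        zf.writestr("tls/mail.example.com.key", plain_key)
        zf.writestr("tls/hybrid.key", enc_key)
        zf.writestr("tls/mail.example.com.crt", cert)
    return buf.getvalue()

if __name__ == "__main__":
    for category, members in audit_backup(build_sample_backup()).items():
        print(f"{category}: {members}")
```

Run audit_backup over the real file with open(path, "rb").read(). A non-empty plaintext_private_keys list means the TLS passphrase option was not used (or, for the Email Hybrid key, cannot be used), and a non-empty plaintext_passwords list means the backup credentials travel with the file; in either case the .zip itself has to be protected like the keys it contains.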
Restore From File
When clicked, imports configuration settings from a backup file. You can choose which details to restore. If the file came from an earlier version of the software, some details are not available.
Table 5-7 Option definitions Configuration Report
Option
Definition
Produce Report Create an online report that details changes and settings in each area of the appliance
configuration and status pages.
View the report View the online report generated using the Produce Report button.
Review Configuration Changes
Show Differences
Select more than one configuration change, and click to display the files that have been changed. Select a file, and click Show Difference to display the configuration differences between them in code view.
Rollback to Selected Configuration
Select a configuration change, and click to select the values to restore. Secure Web Mail user and system data configuration changes are not rolled back.
Configuration Push
Use this page to copy the settings on one appliance to other appliances.
Default routes
IP addresses
Load-balancing settings
Static routes
Proxy settings
Hostname/ Address
Push enabled
Platform
Last Push
Update Progress
Refresh
When clicked, sends the settings to every appliance in the list for which Push enabled is selected.
When clicked, sends the settings only to the appliances in the list that you have selected.
Advanced settings
Push the configuration push setting and the managed appliance list
Push the managed appliance list and the configuration push settings.
Push Secure Web Mail user and system data
If you have Secure Web Mail configured, select this option to push the user and system data.
Specify how often you want this appliance to carry out a scheduled configuration push. The options are:
Never
Hourly
Daily
Weekly
Cluster Management
Use this page to specify the cluster and load-balancing requirements for the McAfee Email Gateway
when acting as part of a cluster.
If you have only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.
If you have dedicated scanning appliances, and scanning is enabled on the master and failover, the scanning appliances receive the most traffic to scan, then the failover, with the master receiving the least. If you have more than three appliances in a cluster, McAfee recommends that you do not enable scanning on the master appliance.
You cannot configure the master or the failover blades of the McAfee Email Gateway Blade Server to scan traffic.
McAfee recommends that, when using your appliance in a cluster environment, you use McAfee Quarantine Manager to quarantine email messages.
Cluster mode
DHCP address range (Content Security Blade Servers only)
Cluster identifier
If you have more than one McAfee Email Gateway cluster or McAfee Email Gateway Blade Server on the same subnet, assign each a different Cluster identifier so that the clusters do not conflict. The allowable range is 0-255.
Specify the IP address used for load balancing within the cluster.
If not selected, this appliance distributes all of its scanning workload to the scanning appliances.
Configure New Management Device (Content Security Blade Server only)
For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.
MAC Address
Disabled
Encryption Storage
If the scanning device is in a ready state, you can choose to include the device in
the Encryption Storage pool.
Manage MAC Addresses Opens the MAC Addresses dialog box that enables you to manage the list of
available MAC addresses.
Although you can add the MAC addresses of management and failover devices to this table, they always
contribute hard disk space for Secure Web Mail messages and cannot be disabled.
This wizard steps you through the process to configure the network interfaces when configuring your
appliance as part of a cluster.
The options that are displayed as you progress through the wizard depend on the operating mode and
other selections that you make. This means that you may not see all the controls and fields detailed in
this topic.
Select operating mode Select the mode of operation for the cluster of appliances, or for your McAfee
Content Security Blade Server.
When configuring a cluster in either explicit proxy mode or transparent router mode, you need to
configure a virtual IP address that is on the same subnet as both the real IP addresses for the master
and the failover appliances. This ensures that traffic is directed to whichever appliance is currently
acting as the master appliance.
IP Address
Network Mask
Specifies the network mask. In IPv4, you can use a format such as 255.255.255.0,
or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example,
64.
Enabled
Virtual
When selected, the appliance treats this IP address as a virtual address. This option
only appears in cluster configurations, or on a McAfee Content Security Blade Server.
New Address / Delete Selected Address
NIC 1 Adapter Options or NIC 2 Adapter Options
Attached devices
The section contains a list of devices that are currently members of the cluster.
Each device is identified by its MAC address and hostname and you can check the
items that you want to be included in the MAC address table.
If you are setting up your cluster, this section will be empty.
Unknown devices (not available from within the Setup Wizard)
The section contains a list of MAC addresses that are not currently in the cluster.
Only the MAC address is shown since the device is unrecognized.
If you are setting up your cluster all MAC addresses will appear in this section.
If the cluster has already been configured, a device may be unknown because the
appliance is currently unreachable over the network. You can check the items that
you want to be removed from the MAC address table.
Additional devices
The section offers a convenient way of adding the MAC addresses of devices that
you intend to add to the cluster at a future time.
You may enter any number of addresses separated by spaces.
You will not be able to configure the Encryption Storage option for these unless they are
the addresses of devices that are currently members of the cluster.
Check this option to prevent the management blade from acknowledging DHCP requests sent by arbitrary hosts on its network.
If selected, add the MAC addresses of all scanning blades that you intend to add to your cluster to the MAC address table. Failing to do this prevents a scanning blade from acquiring the correct IP address.
Since the state of the cluster updates periodically, it is possible for a device to move from the unknown
section to the attached section (or vice versa) while you are working in this dialog. This may happen if a
device has just rebooted, for example.
Resilient Mode
Use this page of the user interface to enable resiliency mode on your blade server.
This page only applies to the McAfee Content Security Blade Server.
Enable Resilient Mode
Within this area, you can check the current status regarding resiliency of your blade
server.
You can also enable or disable resiliency mode.
Ensure that you have downloaded the chassis configuration files before enabling
resiliency mode.
After you click Enable Resilient Mode or Disable Resilient Mode, and click OK on the warning dialog box, your blade server shuts down automatically so that you can make the required cabling changes.
Configuration Files From the user interface, you can view or download the interconnect configuration
files for both resilient and non-resilient mode operation for all the interconnects.
To download all the configuration files, click interconnect_config.zip, as this file
contains all the other configuration files.
Transfer to FTP Server
Selected by default:
Server
Proxy server
Port
Proxy port
Directory
Proxy username
Proxy password
If you use either FTP or SSH with password authentication, your passwords are stored in the appliance configuration files in plain text. The most secure option is to use SSH with public key authentication. To use it, click the link to generate a key file, then copy and paste the public key into the authorized keys file of the backup account on the SSH server so that the appliance can perform the backup. Treat that account as a landing point for backups only: the backup file can contain unencrypted private keys, so restrict what the account can do over SSH and who can read the uploaded files.
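The authorized keys step above is where the backup account gets locked down. The script below is an added example, not McAfee's code and not part of the appliance: it turns the public key that the appliance's generate-key link would give you into an authorized_keys entry restricted with OpenSSH's restrict, from= and command= options, and audits an authorized_keys file for entries that still grant a full shell. The appliance address 203.0.113.10, the key bodies, the helper /srv/mega-backup/receive-backup.sh and the sample file are all constructed for the example.

```python
import re

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)

# Constructed sample: the public key the appliance's "generate a key file"
# link would hand you. The key body is a placeholder, not a real key.
APPLIANCE_PUBKEY = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBodyNotARealKey0000 "
    "backup@mega-appliance"
)


def parse_entry(line):
    """Split one authorized_keys line into (options, key_type, key, comment).
    Options may hold quoted strings containing spaces and commas, so the
    option prefix is scanned character by character instead of split()."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        opts, rest = "", line
    else:
        i, in_quote = 0, False
        while i < len(line):
            ch = line[i]
            if ch == '"' and line[i - 1:i] != "\\":
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                break
            i += 1
        opts, rest = line[:i], line[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return opts, fields[0], fields[1], (fields[2] if len(fields) == 3 else "")


def option_names(opts):
    """Return the option keywords (lower-cased, without their =value) of an
    options prefix, splitting on commas that are outside double quotes."""
    names, buf, in_quote = [], "", False
    for ch in opts + ",":
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            if buf.strip():
                names.append(buf.split("=", 1)[0].strip().lower())
            buf = ""
        else:
            buf += ch
    return names


def restricted_entry(pubkey_line, source_ip, forced_command):
    """Pin the appliance's key to its address, disable forwarding, pty and
    X11 with OpenSSH's `restrict` keyword, and force a command so the key
    can only run the receiver, never an interactive shell."""
    parsed = parse_entry(pubkey_line)
    if parsed is None or parsed[0]:
        raise ValueError("expected a bare public-key line without options")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", source_ip):
        raise ValueError("source_ip must be a dotted-quad address")
    _, ktype, key, comment = parsed
    opts = f'restrict,from="{source_ip}",command="{forced_command}"'
    return f"{opts} {ktype} {key} {comment}".rstrip()


def unrestricted_keys(authorized_keys_text):
    """Audit an authorized_keys file: return the comment (or key type when
    there is no comment) of every entry that lacks both `restrict` and a
    forced `command=`, i.e. keys that still grant a full interactive shell."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        opts, ktype, _, comment = parsed
        names = option_names(opts)
        if "restrict" not in names and "command" not in names:
            flagged.append(comment or ktype)
    return flagged


# Constructed sample file: the hardened appliance entry plus two keys a
# backup box tends to accumulate. Key bodies are placeholders.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup landing account",
    restricted_entry(APPLIANCE_PUBKEY, "203.0.113.10",
                     "/srv/mega-backup/receive-backup.sh"),
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholder0000 admin@laptop",
    'no-pty,from="198.51.100.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder1111 ops@jump',
])

if __name__ == "__main__":
    print(restricted_entry(APPLIANCE_PUBKEY, "203.0.113.10",
                           "/srv/mega-backup/receive-backup.sh"))
    print("unrestricted:", unrestricted_keys(SAMPLE_AUTHORIZED_KEYS))
```

The restrict keyword needs OpenSSH 7.2 or later on the backup server; on older releases spell out no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding instead. The forced command has to accept the upload the appliance performs, so run the wizard's Test after installing the entry; a rejected upload shows there rather than at the next scheduled backup.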
System Log
Hourly to Weekly
Specifies the schedule. If you do not need this feature, select Never.
Next / Finish
Moves to the next page of the wizard, or closes it and applies the settings.
Test
Checks that the backup configuration works and provides the expected information.
Database Maintenance
Use this page to manage the number of events contained in the reporting database, and the number
of items identified using the Message Search feature, and to enable external devices to access
information about email events via SQL.
Retention Limits
Event Options
External Access
Maintenance
Retention Limits The appliance uses information from this database to display the reports that you
can view from Reports on the navigation bar. Information about earlier events is removed
periodically.
Retention limits are dependent on the type of hardware and the size of the appliance hard disk
space. McAfee recommends that you do not change these values unless directed to do so by your
McAfee Support representative.
Event Options You can choose the following options relating to information about events:
Insert events into the database. Doing this can provide useful information in reports, but will increase
the amount of data that is written to, or read from the database.
Insert only primary events into the database. Allow only the most important events data to be logged to
the database.
Pass on events to the logging channels. Select to allow data about events to be available to other
logging methods available from the appliance.
External Access External access to a limited set of views in the reports database on an appliance can be configured.
Enable off box sql access. Select to allow access to the appliance's database.
Enable external database access for this address range. Limit the systems that can access the external database to machines within a specified IP address range.
Allow external database to user. Select the level of user that can configure external database access.
Maintenance When run, the maintenance tasks trim the contents of the reporting database and
items identified using the Message Search feature according to the settings in the Retention Limits
area.
McAfee recommends that you clean up the reporting database and message search items regularly
to prevent the database from becoming too large.
Option
Definition
Events
Quarantined emails
Maximum number of messages, or length of time that messages can be held, in the quarantine database. Refer to the user interface for these retention limits.
Delivery status (delivered, blocked, bounced)
Select to add information about reporting events into the database. Be aware that the database can fill quickly when reporting events are stored. McAfee recommends that Content Security Blade Server users use the off-box syslog feature for reporting events and deselect this option.
Select to allow events to be passed to the logging channels from logging and alerting sources such as syslog, SNMP, and email detections.
Define the address and subnet mask of the external hosts to which you want to allow access.
Define the user name that the external client uses to log in to the appliance. This is set to reporter by default.
Define the password that the external client uses to log in to the appliance. This is set to reports by default. Because that default is published in this guide, change it before you enable off-box access, and keep the permitted address range as narrow as possible.
Maintenance schedule
Select the frequency at which the appliance carries out database maintenance tasks. The default is every 30 minutes.
Reset Database
Enter the password and then click Reset Database to return the database to its default state. All information within the database is lost.
Maintain Database
Click to start the database maintenance tasks now instead of waiting for the next scheduled run. The tasks check whether items in the reporting database, or items identified using the Message Search feature, have reached the retention limit that you set.
1 Open the command line on the computer from which you want to view the database.
2 Type psql -U <username> -d reports -h <host address> and press the Enter key.
3 Type the password for the user to whom you gave access.
4 Press the Enter key to see the list of report views available to you. Choose from:
Email_details
Configuration_change_view
Rescue Image
Use this section to force the McAfee Email Gateway to boot from a rescue image stored on a protected
partition on the hard disk. You can also manage your rescue images and create a bootable USB drive
containing the rescue image from here.
On a USB drive:
mounted internally within the appliance if you have fitted an optional internal USB drive to
your appliance. (Applies to appliances based on the Dell R610 hardware only.)
Creating a bootable rescue image on a USB drive will result in the loss of all files located on the USB
device.
To prevent tampering or accidental stopping, you must type the appliance password to operate these
features.
When managing your Email Gateway appliances, having the image for each appliance stored on a
protected partition on the hard disk or USB drive for each appliance enables you to remotely
reimage your appliances without needing to locate a CD containing the correct version of the
software.
The rescue image negates the requirement for remote access cards to be fitted to your appliance
(if you have suitable appliance models) in order for the appliances to be reimaged from a remote
location.
By creating a library of stored rescue images on your local network or on a local FTP or HTTP
server, you can use the rescue images to roll back your appliance to a previous .iso release of the
software, or to upgrade to a newer version. You do this by importing the required image to the
rescue partition on your appliance and then forcing your appliance to boot from the newly imported
rescue image using the Perform a full installation overwriting existing data option. To roll back, you need to
use the option 2 or 3 settings; to upgrade you need to use option 2, 3 or 4 settings.
Provides details of the rescue image currently stored within the rescue partition of
your appliance.
Browse to a rescue image stored on your local drive, and copy this image onto
the rescue partition on your appliance.
Browse to a rescue image stored on a local FTP or HTTP server, and copy this
image onto the rescue partition on your appliance.
Export Image
Save a rescue image to a file, or select a USB drive to create a bootable copy of
the rescue image on the USB drive.
Click to refresh the USB devices shown in the drop down list on the left of this
option.
Verify the version information displayed under Rescue image details, or from the About the Appliance
window.
Task Updating the rescue image held on the appliance's hard disk from a local network or drive
Use this task to update the rescue image on the appliance hard disk from a local network or drive.
The software allows you to overwrite the rescue partition with a new image, without re-installing the
software. You can import an image from a local network or drive.
Task
Click OK.
Task Updating the rescue image held on the appliance's hard disk from a local FTP or HTTP server
Use this task to update the rescue image from a local FTP or HTTP server without re-installing the software.
Task
1
Specify the server settings, and if required, your proxy settings and passwords.
Click OK.
Task Installing from the rescue image on the appliance's hard disk
Use this task to reimage an appliance from the rescue image stored on it.
When you have verified that the correct version of the rescue image is stored on the protected partition of the appliance's hard disk, you can use this image to reimage your appliance.
Task
1
Select from:
Boot to menu
If you select Boot to menu, ensure that you are either local to the appliance, or that you have
access to the appliance using a DRAC card.
Perform a full installation overwriting existing data but preserving network settings
If you select either of the full installation options, you need to take further action afterwards to import saved configurations or to reconfigure the appliance.
Click OK.
The appliance reboots, and uses the rescue image to reimage the appliance, using the installation
options you selected.
To create an image on a USB drive, you can export the image to any suitable USB drive connected to
your appliance.
You cannot export a rescue image to a USB drive from the VMtrial version of the software.
If you have fitted an optional internal USB drive to your appliance, you can select this USB drive.
(Applies to appliances based on the Dell R610 hardware only.)
Task
1
Select the required USB device from the USB device drop-down list.
The rescue image is copied to the USB drive, overwriting any existing files, and creates a bootable
image.
Task Installing from the rescue image on the appliance USB drive
Use this task to install from the rescue image on the appliance USB drive.
You can use the bootable rescue image stored on an external USB drive, or on an internal USB drive (hardware dependent), to reimage your appliance.
Task
1
Ensure that the USB drive with the correct version of the rescue image is attached to your
appliance.
Enter the appliance password in the text box next to Reboot Appliance in the System Commands section.
As the appliance reboots, choose Boot Menu using the appliance's keyboard and monitor.
The appliance reboots and uses the rescue image found on the USB drive to reimage the appliance, using the installation options you select in the standard license and console screens displayed on the monitor connected to the appliance.
Task - Create a bootable USB drive rescue image without using the
appliance
Use this task to create a bootable rescue image on a USB drive without using your appliance.
Before you begin
You need a computer that has Internet access, your McAfee Grant Number for your Email
Gateway appliance, and third party software that enables you to create a bootable image
onto a USB drive.
Task
1
Browse to the McAfee download site, and enter your Grant Number.
Download the .iso file for the version of the Email Gateway appliance software.
Create a bootable image on the USB drive from the downloaded file, using suitable system
commands or disk-imaging software.
System Commands
Use this page to safely turn off the appliance, reboot the appliance, or revert to factory default
settings.
Definition
Shutdown Appliance
When clicked, turns off the power to the appliance or takes the appliance to
a state where you can safely turn off its power.
Reboot Appliance
Revert to Default Configuration When clicked, restores all the original out-of-the-box settings to the
appliance.
Task
1
The appliance commences its shut down process, and will switch off in a few minutes.
Task
1
The appliance commences its shut down process, and reboots after about 5 minutes.
Task
1
Enter the system password next to the Revert to Default Configuration button.
Users
The Users pages enable you to set up your users and roles, and perform session management tasks.
System | Users
From these pages you can configure the appliance to set up and administer your role-based user
accounts to perform tasks such as viewing or managing reports, and managing email and system
settings. Additionally, you can tell the appliance how you want to manage session timeouts, and
whether you want your users to see your company email usage policy as they log on. The email policy
notification text can be edited.
Contents
Users and Roles
Option definitions New Role dialog box
Option definitions Role Details dialog box
Password Management
Forgotten password
Login Services
Add Login Services wizard
Session Management
DoD CAC Authentication
Option definitions CAC Certificate Attribute Mapping
Option definitions Custom Text dialog box
Option definitions User Details
Role
The name of the role. By default, the appliance comes with the following roles already created:
Super Administrator has the ability to view and manage all aspects of the appliance's email
and system settings.
Email Administrator has the ability to view and manage all email-related configuration and
reports settings.
Reports Administrator has the ability to view and manage the reports settings.
Description Contains any optional description text you entered when you created the role.
Edit
Click to open the Role Details dialog box and view the role's specifications. The Role Details
dialog box is read-only and cannot be saved.
Delete
Add Role
10 Click OK.
The new user is created with the selected privileges.
Role name / Description
Type the name of the new role, and optionally add a description to help you identify
it in the User Roles list.
Privileges
Under the type of role that you want to create, select the privileges that you want to
associate with it for example, to have the rights to view report results, or set the
data that the report contains.
The following role types are available:
General
Email Administration
Dashboard
System Administration
Privileges
The access, management, and viewing rights associated with the role.
The information in this dialog box is based on the information you entered when you created the role. It
is read-only, and cannot be saved.
Password Management
The Password Management page defines the complexity and change control that you want to apply to
the passwords that can access the appliance.
Password Complexity
A complex password is more secure than a very simple one, but is more likely to generate a greater volume of "forgotten password" reset requests from your end users. You need to decide the balance between complex passwords that are likely to generate many reset requests, and simpler passwords that require less maintenance.
When a user changes their password, an expiry date is always set, even when password expiry is not enabled. This does not apply to resetting the password when the expiry date is set to 0 (zero). If the user changes the password while completing the Setup Wizard, enabling password expiry does not cause that password to expire.
If you set the reminder period to a value greater than 0, the user starts to receive expiry reminders as the expiry date approaches. A password change is enforced at the login screen when the expiry time is reached.
If you set the minimum period between changes to a value greater than 0, the user has to wait that many days before the password can be changed again. This stops a user from making several changes in quick succession in order to return to a password used in the past six months.
The appliance maintains a history of the past ten passwords for each user, so a reuse policy can be applied retroactively. When changing their password, a dialog box informs the user of the complexity constraints that are currently in force.
An administrator can still reset passwords for other users. The generated passwords do not necessarily meet the exact complexity requirements, and if password expiry is in force they are valid for only one login.
Password Complexity
Option
Definition
Minimum length
Select the minimum length that you allow for end user passwords. Longer passwords are more secure, but may result in more calls to your support address as end users find them more difficult to remember.
Minimum number of
ALPHA characters
Specify the minimum number of alphabetical characters to be used within the end
users passwords. To increase security, you can also Require a mixture of upper and
lowercase characters to be used.
Minimum number of
DIGIT characters
The more different types of characters that may be used within an end users
password, the more secure that password can be made. Forcing your end users to
use numbers within their passwords improves the security of the passwords.
Minimum number of
SPECIAL characters
The more different types of characters that may be used within an end users
password, the more secure that password can be made. Forcing your end users to
use special characters within their passwords improves the security of the
passwords.
Special characters are non-alphanumeric characters such as underscores (_),
hyphens (-) and other punctuation.
Minimum difference
from the previous
password
Specify how different a new password must be from the existing password. This is
based on the minimum number of characters that must change between the
passwords.
This option is case-sensitive, so changing the case of existing characters within the
password is seen as a difference.
Enable password expiry
Decide whether your end users will need to periodically renew their passwords. Specify
the required password expiry parameters:
Password lifetime in days The number of days for which a password is valid.
Reminder period in days The time during which the user is reminded about changing
their password.
Number of recent passwords to disallow Configure this to prevent your users re-using
passwords.
Minimum interval between password changes in days Specify any limits you want to place on
the frequency with which end users can change their passwords.
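The complexity and reuse rules above can be read as one check run at password-change time. The script below is an added example, not McAfee's code and not the appliance's own algorithm: it applies a sample policy (the values in POLICY are assumptions, not appliance defaults) to a proposed password and reports which rules it breaks. The position-wise count used for Minimum difference and the SHA-256 fingerprints used for the history are this example's choices; the page does not document the appliance's own metric, and a real credential store would use a salted, slow hash.

```python
import hashlib
import string

# Policy values are this example's assumptions, not the appliance defaults.
POLICY = {
    "min_length": 10,
    "min_alpha": 4,
    "mixed_case": True,        # "Require a mixture of upper and lowercase"
    "min_digits": 1,
    "min_special": 1,
    "min_difference": 3,       # characters that must change, case-sensitive
    "disallow_recent": 5,      # "Number of recent passwords to disallow"
}
HISTORY_DEPTH = 10             # the appliance keeps the last ten passwords


def password_fingerprint(password):
    """Fingerprint used for the reuse history. Demonstration only: a real
    credential store uses a salted, slow password hash, not bare SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def difference(old, new):
    """Case-sensitive count of characters that changed. This example counts
    position-wise mismatches plus any change in length; the appliance's
    exact metric is not documented, so treat this as an assumption."""
    common = min(len(old), len(new))
    changed = sum(1 for a, b in zip(old[:common], new[:common]) if a != b)
    return changed + abs(len(old) - len(new))


def check_password(new, current, history_fingerprints, policy=POLICY):
    """Return the names of the rules the proposed password violates (an
    empty list means it is acceptable).

    current: the user's current password in clear, which is available at
             change time because the user has just typed it.
    history_fingerprints: fingerprints of earlier passwords, newest first,
             as a store would keep them; the reuse check needs no
             clear-text history.
    """
    problems = []
    if len(new) < policy["min_length"]:
        problems.append("min_length")
    alpha = [c for c in new if c.isalpha()]
    if len(alpha) < policy["min_alpha"]:
        problems.append("min_alpha")
    if policy["mixed_case"] and not (
        any(c.islower() for c in alpha) and any(c.isupper() for c in alpha)
    ):
        problems.append("mixed_case")
    if sum(c.isdigit() for c in new) < policy["min_digits"]:
        problems.append("min_digits")
    if sum(c in string.punctuation for c in new) < policy["min_special"]:
        problems.append("min_special")
    if difference(current, new) < policy["min_difference"]:
        problems.append("min_difference")
    # Reuse: the current password plus the most recent stored ones, capped
    # by both the policy setting and the depth the appliance actually keeps.
    recent = [password_fingerprint(current)] + list(history_fingerprints)
    depth = min(policy["disallow_recent"], HISTORY_DEPTH)
    if password_fingerprint(new) in recent[:depth]:
        problems.append("reuse")
    return problems


# Constructed sample user: current password plus two older ones.
CURRENT = "Winter2014!x"
HISTORY = [password_fingerprint(p) for p in ("Autumn2013!x", "Summer2013!x")]

if __name__ == "__main__":
    for candidate in ("Winter2015!x", "correct horse",
                      "Autumn2013!x", "Spring2015#yz"):
        print(candidate, "->", check_password(candidate, CURRENT, HISTORY) or "ok")
```

Winter2015!x fails only on Minimum difference (one character changed), correct horse fails the mixed-case, digit and special-character rules, and Autumn2013!x passes every complexity rule but is caught by the reuse history; changing abc to ABC counts as three changed characters, which is the case-sensitivity the page describes.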
Forgotten password
Understand the process required to regain access to your McAfee Email Gateway if you have forgotten
your password.
From the physical McAfee Email Gateway appliance, press the power button twice within 5 seconds.
This causes the McAfee Email Gateway to reboot.
When the boot menu appears, select Rescue Media. Press Enter.
From the virtual environment management software, locate the required McAfee Email Gateway
virtual appliance.
When the boot menu appears, select Rescue Media. Press Enter.
Login Services
Use the Login Services options to manage user authentication and authorization using either Kerberos or
RADIUS authentication servers.
Service Name
The name for the service definition that you create in the Add Login Service wizard.
Service Type
Realm
Role Determination Shows how the user's privileges for managing the gateway are determined. This can be done either by referencing locally defined users whose name matches the login name, or, for RADIUS, by examining the attributes in the Access-Accept response to determine the role that the user assumes.
The contents of this field are determined by the option you choose on the Role Mappings page of the Add Login Service wizard.
Default Role
If, at login time, it is not possible to determine the role from other information available, this is the role that an authenticated user assumes. The login fails if it is not possible to determine the user's role from the data returned by the authentication server, from user information defined on the gateway, or from this default.
Add Service
Starts the Add Login Service wizard. After you have created a service, you can edit its
details using the standard edit button.
A backup server
A shared secret
Role mappings
Contents
Option definitions Basic Settings
Option definitions Type-Specific Settings
Option definitions Role Mappings
Option definitions Test
Service name
Description (optional)
Service type
Choose from RADIUS or Kerberos. After defining the service, you cannot change
this value.
Server address
Backup server (optional) For RADIUS only, the address of a server that can be used if the primary server is unavailable.
Port
The port used by the authentication server. This defaults to port 88 for Kerberos, or to port 1812 for RADIUS.
Shared secret
Set the key shared between the gateway and the RADIUS server. RADIUS uses it to obscure the user password in the request that the gateway sends to the server, and to authenticate the server's replies; without it, passwords would cross the network in clear text. Use a long, random value.
This field does not appear if you chose the Kerberos server type on the Basic Settings page.
Realm
The authentication realm. In RADIUS you can use it to partition your user database, and this field is optional if you chose the RADIUS server type on the Basic Settings page. If you are linking to a Kerberos server, this field is mandatory because user names are not globally unique.
Realm notation
Realm delimiter The character that is used to join the user name and the realm to form a fully qualified user name. Typically, this is an @ for postfix notation, or \ for prefix notation.
This field does not appear if you chose the Kerberos server type.
NAS-IP-Address If your RADIUS server is configured to require the IP address attribute, select the
required address from the drop-down list. This is needed, for example, if you have a
Microsoft Active Directory environment with default settings for RADIUS authentication.
If you change the IP addresses used by your Email Gateway, you have to manually
update this field.
Option
Definition
Use locally defined user details... Select to have the gateway look for a user in its own database with the same name as the login name to determine access privileges.
Select to have the gateway use data returned by the authentication server to determine access privileges. A RADIUS server returns name-value pairs called attributes. You can define mappings from RADIUS attributes to gateway roles.
RADIUS Attribute
Attribute Value
Role
Includes any role that has been created in Users and Roles, as well as the default roles.
If an attribute with the specified name and value is found in the Access-Accept
response, the authenticated user is assigned that role.
Add Mapping
Opens the RADIUS Attribute Mapping dialog box where you can set a name and value for
the attribute, and select the type of user role that you want to associate with it.
Default role
If it is not possible to determine a user's role through other means (either a user
defined on the gateway, or by examining data from the authentication server), this
is the role that an authenticated user is assigned. You can select any defined role, or
None. If you select None and it is not possible to determine a user's role, login fails
even if authentication is successful.
The result of the last authentication test, either success or failure. If you have not yet
performed a test, the status shows as Unknown.
Output
Test
Finish
Click to exit the wizard. The details you entered are displayed on the Login Services page.
Session Management
This information describes the benefits and features of the Session Management options.
Choose from:
Prompt for password
Log off
Timeout
Set the length of time, in minutes, before the appliance times out.
Select to have the appliance display a notification to your users that details
your usage policy. Click Edit to open the Custom Text dialog box and view the
default notification message, or change it.
Link to import CA certificates
CAC Certificate Subject Field Shows the Distinguished Name (DN) component used to map a user to a specific role.
Field Value
Role
Add Mapping
Click to open the CAC Certificate Attribute Mapping dialog box, to create a new role
mapping.
Default role
You can configure a default role if a role cannot be established when a user
logs into McAfee Email Gateway using DoD CAC Authentication.
Default value is None.
Definition
To create the role mapping, select the Distinguished Name (DN) component
to use as the identifier.
Options are:
C
CN
OU
ST
UID
L
Attribute Value
Enter the Attribute Value to be used to identify the user when mapping them
to a role.
Role
Definition
NOTICE TO USERS
Displays the system usage policy text that your users see when
they log on to the appliance.
Reset
Definition
Login ID
Full name
Change the information displayed in the Full name field for this user.
Description (optional)
Primary role
Account type
Reset password
Click the link to reset the password for this user to the default value.
After a short time, a message displays the new password for that user.
Virtual Hosting
The Virtual Hosting pages enable you to configure the virtual hosts and virtual networks that the
appliance needs to scan.
Virtual Hosts
Use this page to add, edit, or delete virtual hosts and show available virtual hosts.
You can specify the addresses where the appliance receives or intercepts traffic on the Inbound
Address Pool. At least one IP address must be present.
These addresses must be unique. They must not be referenced in the Inbound addresses for any other
virtual host. However, they are allowed in the Outbound addresses of any other virtual host.
Create policies for each customer or host, which simplifies configuration and prevents clashes that
might occur in complex policies.
Provide reports for each customer or host in the appliance's Favorite reports feature (Reports |
Scheduled Reports | Favorite), which removes the need for complex filtering.
If any behavior places the appliance on a reputation black list, only a single virtual host is affected,
not the whole appliance.
Transparent This type of virtual host can only be created on an appliance configured for bridge
or router mode. A transparent virtual host intercepts traffic passing through the appliance destined
for an address in the range specified for the virtual host. To configure a transparent virtual host,
simply specify the IP address (or range) of the SMTP servers for which traffic should be
intercepted.
Proxy This type of virtual host configures the appliance to listen for SMTP connections on the IP
address ranges specified for the virtual host. A proxy-mode virtual host can be configured to have
any number of addresses used for delivering mail from the appliance (Outbound address pool).
Configuring a proxy-mode virtual host is more complex, because the appliance needs to have some
knowledge of the routing to the networks for each of the IP addresses it intercepts.
Virtual hosts behave differently depending on their mode: a virtual host running in proxy mode
listens on the inbound addresses, while a virtual host running in transparent mode intercepts traffic
going to the IP addresses listed.
If you create outbound IP address pools on both the LAN1 and LAN2 NICs, the virtual host uses the IP
addresses on the appliance interface as determined by the routing table.
The following constraints apply when you create virtual hosts and virtual networks:
All Virtual Host IP address ranges must be contained within a Virtual Network
Virtual networks
The concept of a virtual network is used to bind a subnet to a specific interface of the appliance. With
this knowledge the appliance knows to route traffic to or from that subnet via the appropriate network
interface.
Virtual network configuration is handled automatically by the Add Virtual Host wizard, which selects
(or suggests) the appropriate virtual network and populates the Network address field accordingly when
you specify an inbound or outbound address.
Definition
Name
Displays the name of the virtual host. The name must be unique, and is used in
other locations on the appliance user interface, such as:
Email Configuration
Email Policies
Message Search
Reports
The icons indicate the type of host:
Physical host
Virtual host
The policy name must be unique across all virtual hosts.
Host Name
Domain name
Inbound/Intercept Address Pool
Outbound Address Pool
Add
When clicked, opens a wizard where you can type the details of a new virtual
host.
This option is available to virtual hosts running in proxy mode. The addresses are
used in a round robin fashion.
Type a Description for this virtual host. This step is optional, but enables you to quickly identify
further information about this virtual host.
Click Next.
Specify the Address range, Network address and Network interface for the Inbound/Intercept Address Pool.
Click OK.
Click Next.
10 Click Add to specify addresses in the Outbound Address Pool. This step is optional.
a
Specify the Address range, Network address and Network interface for the Outbound Address Pool.
Click OK.
11 Click Finish.
In Base scanning policy, select the Virtual policy in a new virtual host, or an existing one.
Virtual Networks
Use this page to specify virtual networks.
Definition
Network address
Network interface
Displays the network interface for that virtual network address: Bridge, LAN1,
or LAN2.
When clicked, opens the Edit Virtual Network dialog box.
Edit
Delete
When clicked, deletes the network in that row. You cannot delete networks that
are in use.
Add
Definition
Network address Enter the required IP address and range for the virtual network, such as
192.168.254.0/24.
Network interface Select the network interface to associate with the virtual network.
Definition
Virtual host name and Description Specify a unique name and description of the virtual host that
is used by other locations on the appliance user interface, such as:
Email Configuration
Email Policies
Message Search
Reports
Host name
This value is used with the domain name to generate the SMTP greeting banner. If
the domain name is a Fully Qualified Domain Name (FQDN), the host name does not
appear in the SMTP greeting banner.
Domain name
The domain name has the form domain.dom and must be unique across all virtual
hosts. If the domain name is a Fully Qualified Domain Name (FQDN), the host name
does not appear in the SMTP greeting banner.
Mode
This option is only available when the appliance runs in a transparent mode.
Offers a choice of policies from the physical host, or allows you to specify a new
policy.
To view all the policies at any time, select Email | Email Policies | Scanning Policies on the
navigation bar.
Base protocol preset
Offers a choice of presets from the physical host, or allows you to specify a new
preset. Presets are the connection-based policies.
Base McAfee Secure Web Mail policy
Offers a choice of policies from McAfee Secure Web Mail, or allows you to specify a
new policy.
Option
Definition
Email relaying
Enable logical virtual hosting
Logical virtual hosting allows you to configure virtual hosts on different appliances
with the same policies, but with different network configuration.
When you push a configuration to another appliance within the same cluster:
If a virtual host with the same logical identifier has not yet been defined, an empty
virtual host entry will be created.
If a virtual host with the same logical identifier has been defined, then the IP
addresses for the virtual host are preserved.
A logical identifier can be a combination of characters and numbers.
Definition
Address range
Displays the address range for this virtual host. At least one IP address must be specified.
Add
Click Add to display the Edit IP Address Range dialog box. This enables you to define the
inbound IP address pool for the virtual host. These are the addresses that the appliance
intercepts traffic on.
Address range You must specify at least one inbound IP address.
These addresses must be unique, and cannot be used as the inbound addresses for any
other physical or virtual host. The addresses can, however, be used as outbound
addresses for other virtual hosts.
Network address Specify the subnet for the address range. The appliance auto-fills this
field, based on the information you enter in Address range. Check that this is appropriate
for your infrastructure, and edit the value if necessary.
Network interface Select the interface on which you need to create the IP addresses.
Choose from the available network interfaces.
You cannot ping the IP address externally, or see the address by running the ip addr
show command. To test that the virtual host is listening on the expected address, telnet
to the configured SMTP port.
Displays the address range for this virtual host. At least one IP address must be
specified.
Add
Click Add to display the Edit IP Address Range dialog box. This enables you to define the
outbound IP address pool for the virtual host. These are the addresses on which the
appliance will deliver scanned email.
If you do not specify any outbound IP addresses, the appliance will use the physical
host IP address.
Address range
The range of addresses can be specified in the following formats:
192.168.254.1 a single IP address
192.168.254.1-254 a range of IP addresses from 192.168.254.1 to
192.168.254.254
192.168.254.1+9 a range of IP addresses from 192.168.254.1 to
192.168.254.10
192.168.254.0/24 all host IP addresses in the /24 subnet
The IP addresses are created on the network driver, so you cannot ping or see the
IP address by running the ip addr show command.
Specifies the name that appears in the SMTP HELO greetings, using one of the
following options:
Resolve at runtime This option can impact performance.
Use an IP address literal The IP address of a host used in place of its domain name.
To indicate that it is an address literal, it is enclosed in [square] brackets. For example,
[192.168.254.3]. Literal IP addresses are used because no DNS lookup needs to be
done, so the value is always correct.
Use the following value Click Look Up to resolve the IP address to a name.
Network address
Specify the subnet for the address range. The appliance auto-fills this field, based on
the information you enter in Address range. Check that this is appropriate for your
infrastructure, and edit the value if necessary.
Network interface
Select the interface on which you need to create the IP addresses. Choose from the
available network interfaces.
You cannot ping the IP address externally, or see the address by running the ip addr
show command. To test that the virtual host is listening on the expected address,
telnet to the configured SMTP port.
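As an added illustration (not the appliance's own code), the following Python expands the four Address range formats listed above and checks two constraints the guide states for virtual hosts: every address must fall inside a configured virtual network, and an inbound address may not also be an inbound address of another host (reuse as another host's outbound address is allowed). The sample networks and hosts are constructed for this example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample configuration (not from the guide): two virtual networks and
# three virtual hosts. "customer-c" deliberately breaks both constraints.
SAMPLE_NETWORKS = ["192.168.254.0/24", "10.1.1.0/24"]
SAMPLE_HOSTS = [
    {"name": "customer-a", "inbound": ["192.168.254.1+9"], "outbound": ["192.168.254.0/24"]},
    {"name": "customer-b", "inbound": ["192.168.254.20-29"], "outbound": []},
    {"name": "customer-c", "inbound": ["192.168.254.25", "172.16.0.5"], "outbound": []},
]


def parse_address_range(spec: str) -> List[ipaddress.IPv4Address]:
    """Expand one Address range entry in the four formats the guide lists."""
    spec = spec.strip()
    if "/" in spec:
        # 192.168.254.0/24: all host IP addresses in the subnet
        return list(ipaddress.IPv4Network(spec, strict=False).hosts())
    if "+" in spec:
        # 192.168.254.1+9: the start address plus the next 9, i.e. .1 to .10
        start, count = spec.split("+", 1)
        first = ipaddress.IPv4Address(start)
        return [first + i for i in range(int(count) + 1)]
    if "-" in spec:
        # 192.168.254.1-254: from the start address up to the given last octet
        start, last = spec.split("-", 1)
        first = ipaddress.IPv4Address(start)
        last_octet = int(last)
        if not 0 <= last_octet <= 255:
            raise ValueError(f"last octet out of range in {spec!r}")
        end = ipaddress.IPv4Address((int(first) & ~0xFF) | last_octet)
        if end < first:
            raise ValueError(f"range end precedes start in {spec!r}")
        return [ipaddress.IPv4Address(a) for a in range(int(first), int(end) + 1)]
    # a single IP address
    return [ipaddress.IPv4Address(spec)]


def validate_virtual_hosts(networks: List[str], hosts: List[Dict]) -> List[str]:
    """Return a list of constraint violations (empty when the configuration is clean).

    1. Every inbound and outbound address must lie within a configured virtual network.
    2. An inbound address may not be an inbound address of any other host; reusing
       it as another host's outbound address is permitted and is not reported.
    """
    nets = [ipaddress.IPv4Network(n, strict=False) for n in networks]
    inbound_owner: Dict[ipaddress.IPv4Address, str] = {}
    problems: List[str] = []

    def in_some_network(addr: ipaddress.IPv4Address) -> bool:
        return any(addr in net for net in nets)

    for host in hosts:
        for spec in host["inbound"]:
            for addr in parse_address_range(spec):
                if not in_some_network(addr):
                    problems.append(f"{host['name']}: inbound {addr} is outside every virtual network")
                owner = inbound_owner.setdefault(addr, host["name"])
                if owner != host["name"]:
                    problems.append(f"{host['name']}: inbound {addr} is already an inbound address of {owner}")
        for spec in host.get("outbound", []):
            for addr in parse_address_range(spec):
                if not in_some_network(addr):
                    problems.append(f"{host['name']}: outbound {addr} is outside every virtual network")
    return problems


if __name__ == "__main__":
    for problem in validate_virtual_hosts(SAMPLE_NETWORKS, SAMPLE_HOSTS):
        print(problem)
```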
Definition
Policy name
Description
Optionally type a description for the policy to help you identify it.
Email direction
Option
Definition
Policy name
Description
Optionally type a description for the policy to help you identify it.
Inherit settings from
Select the protocol preset from which you want to inherit the settings, that is, any
settings that are not overridden by this protocol preset will be taken from the
protocol preset specified here.
Policy type
Select either:
Physical A standard policy that has rules available. A physical policy can be
triggered when its rules are matched and can also be used for inheritance.
Virtual A virtual policy can be considered to be a collection of settings available
for the purposes of inheritance. A virtual policy can never be triggered.
This option is only available when you create a protocol preset from Email | Email
Configuration when virtual hosting has been enabled on the appliance.
Match logic
Select either:
Match one or more of the following rules this policy triggers if any of the specified rules
are matched.
Match all of the following rules this policy triggers if all of the specified rules are
matched.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Rule type / Move / Edit
Lists the rules associated with the preset, and allows you to move or edit them as
appropriate.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Option
Definition
Add Rule
Click to specify the type of rule that you want to apply to the preset, and set its
Match and Value.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Add network group
Definition
IP Address / Hostname Displays the IP address or the host name of the Advanced Threat Defense
appliance.
User
Displays the user name for the Advanced Threat Defense appliance.
Virtual Machines
After the Email Gateway successfully communicates with the Advanced Threat
Defense appliance, the list of virtual machines available on the Advanced Threat
Defense appliance is displayed.
Enabled
Select to enable individual Advanced Threat Defense appliances for Email Gateway
to use.
Edit
Select any Advanced Threat Defense appliance to edit the configuration or details
for that appliance.
Delete
Select any Advanced Threat Defense appliances to be deleted from the Email
Gateway configuration, and remove them from this list.
Definition
Add Server
Test Connection
Test that connections are correctly defined and the Advanced Threat Defense
appliances are available.
Import
Click the Import link to select a file containing Advanced Threat Defense appliance
details to be imported to your Email Gateway.
Export
Click the Export link to save details of your configured Advanced Threat Defense
appliances so that this information can be backed up or imported to other Email
Gateway appliances.
Definition
Scan these file types Select the file types to be sent to your Advanced Threat Defense appliances when
detected within email messages. The types of files that can be sent for further
analysis include:
Advanced Threat Defense - Supported formats
Adobe PDF
Microsoft PowerPoint
Microsoft Word
Compuserve GIF
PDF Image
Java Class
JPEG
JPEG 2000
Windows Executables
Microsoft Excel
Use Email | Email Policies | Compliance | File filtering to control file submissions to your
Advanced Threat Defense appliances on a per-policy basis.
Clear selections
Task
1
Navigate to System | ATD Servers | McAfee Advanced Threat Defense Server Configuration.
Enter the information required to access the Advanced Threat Defense appliance.
Click Next.
If needed by your network, enter information required to access any proxy server.
Click Next.
Click Test Connection to ensure that you have entered valid information.
Click Finish.
The Advanced Threat Defense appliance is added to the ATD Servers list.
Select System | ATD Servers | McAfee Advanced Threat Defense Server Configuration | Scan these file types, then
select the categories of files to be sent to your Advanced Threat Defense appliances.
This allows you to select categories of files, such as all Adobe PDF files, or any type of archive or
compressed file, for further analysis. If you require more granular control of the types of files to
send to Advanced Threat Defense, configure File Filtering from Email | Email Policies | Compliance | File
filtering.
Definition
IP Address / Hostname Define the IP address or the host name for the McAfee Advanced Threat Defense
server for McAfee Email Gateway to use.
Port
Define the port to use to communicate with the McAfee Advanced Threat Defense
server. By default, this port is 443.
User
Define the user name that McAfee Email Gateway uses to communicate to the
McAfee Advanced Threat Defense server.
Password
Define the password that McAfee Email Gateway uses to communicate to the
McAfee Advanced Threat Defense server.
Definition
Proxy Server
If necessary for your network, define the proxy server settings required to enable
communications between McAfee Email Gateway and the McAfee Advanced Threat
Defense server.
Proxy Port
Proxy Username Define the user name for the proxy server to allow communication between McAfee
Email Gateway and the McAfee Advanced Threat Defense server.
Proxy Password Define the password for the proxy server to allow communication between McAfee
Email Gateway and the McAfee Advanced Threat Defense server.
Table 5-20 Option definitions: Test
Option
Definition
Test Connection Use the Test Connection button to verify that the information you entered into the Add ATD
Server wizard is valid, and that communications between McAfee Email Gateway and the
McAfee Advanced Threat Defense server are working.
Email Alerting
Use this page to decide who receives an email message when events such as a virus detection occur.
Definition
Anti-virus events to Authentication events
When selected, sends email messages when this type of event occurs. To change
the message, click Edit to open an email alert window.
Alert Settings
System events
Compliance events
Authentication events
Specifies the sender name and sender email address that appears in the From field
of the email message. This does not have to be a real email address. Default value
is MEG.
Subject Specifies the subject line of the email message. Default value is MEG Alert.
Recipients Click Add to specify the email addresses of recipients who receive the
alerts. We recommend that you choose people who often read their email and can
respond quickly to these alerts.
Token name The alert token. Names begin and end with the % character.
Description Displays the type of information that replaces the substitution variable.
Alert tokens for Scanner alerts These are the actions that have been triggered on your Email
Gateway. For example, these tokens can be used to provide information about why a message
triggered an action or what action was taken.
Alert tokens for Email notifications This information is often used in the notifications that are
sent to your users.
Alert tokens for Quarantine digest messages When you configure Quarantine digest messages,
you can select tokens to provide information to your users about the messages being quarantined.
Alert tokens for Email alerts (Logging and Alerting) These tokens are useful when configuring
your logging and alerting messages.
Table 5-21
Token name
Description
%ACTIONNAME%:
%ACTIVECONTENT%:
%ATTACHMENTCONTEXT%:
%ATTACHMENTNAME%:
%AVDATVERSION%:
%AVENGINENAME%:
%AVENGINEVERSION%:
%BLOCKED_URL%:
The URL that has been requested and blocked by the URL
filtering engine. (URL)
%CONTENTREPORT%:
%CORRUPTIONTYPE%:
%DESTINATIONHOST%:
Destination Hostname
%DESTINATIONIP%:
Destination IP address
%DETECTIONS%:
%DICTIONARYGROUP%:
%DLP_FINGERPRINTSOURCE%:
%DLP_REPORT%:
%DLP_RULE%:
%DOSLIMIT%:
%FILTERCONTEXT%:
%FILTERNAME%:
The name of the file filtering rule that has triggered (File
Filtering)
%FILTERNAME%:
%FORMAT%:
%ID%:
%LOCALTIME%:
Local time
%POLICY%:
%POLICY_ID%:
%PROTOCOL%:
Protocol
%REASON%:
Description of the DoS limit that has been exceeded. E.g. max
nesting depth, file size or AV scanner timeout (DOS)
%RECIPIENTS%:
%SENDER%:
%SITEADVISOR%:
%SIZE%:
Size of data
%SOURCEHOST%:
%SOURCEIP%:
Source IP address
%SUBJECT%:
%TOTALSCORE%:
%URL_CATEGORY%:
%UTCTIME%:
UTC time
%WEB_REPUTATION_INFO%:
%WEBSHIELDIP%:
%WEBSHIELDNAME%:
%WEBSHIELDVIRTUALIP%:
Virtual IP address
Description
%AVDATVERSION%:
%AVENGINENAME%:
%AVENGINEVERSION%:
%DESTINATIONHOST%:
Destination Hostname
%DESTINATIONIP%:
Destination IP address
%DETECTIONS%:
%ID%:
%LOCALTIME%:
Local time
%POLICY%:
%POLICY_ID%:
%PROTOCOL%:
Protocol
%RECIPIENTS%:
%SCANNER%:
Scanner name(s)
%SENDER%:
%SIZE%:
Size of data
%SOURCEHOST%:
%SOURCEIP%:
Source IP address
Description
%SPAMENGINEVERSION%:
%SPAMSCORE%:
%SUBJECT%:
%UTCTIME%:
UTC time
%WEBSHIELDIP%:
%WEBSHIELDNAME%:
%WEBSHIELDVIRTUALIP%:
Virtual IP address
This group of tokens can also be used within the Modify subject and Modify header actions.
Description
Message body:
%SPAM_LIST%:
%FULL_SPAM_LIST%:
%CONTENT_LIST%:
%BLACK_LIST%:
%SENDER%:
%RECIPIENT%:
%EXP_DELAY%:
%MAX_EXP_DELAY%:
%PRODUCT_NAME%:
%POST_MASTER%:
%DIGEST_DATE%:
%ADD_WHITE_LIST%:
%ADD_BLACK_LIST%:
%SET_EXP_DELAY%:
Responses:
%REQUEST_RESULTS%:
Error response:
%ERR_TEXT%:
Table 5-24 Alert tokens for Email alerts (Logging and Alerting)
Token name
Description
Anti-Virus:
%PRODUCT%:
%EVENT%:
%REASON%:
%SOURCEIP%:
Source IP address
%SOURCEHOST%:
%DESTINATIONIP%:
Destination IP address
%DESTINATIONHOST%:
%SERVERUSERNAME%:
%LOCALTIME%:
Local time
%UTCTIME%:
UTC time
%WEBSHIELDNAME%:
%WEBSHIELDIP%:
%APPLICATION%:
%SENDER%:
%RECIPIENTS%:
%DETECTIONS%:
%POLICY%:
%POLICY_ID%:
%SUBJECT%:
%SIZE%:
Size of data
%LDAP_ADDRESS%
%LDAP_SYNC_ERROR%
%LDAP_SYNC_ERROR_TEXT%
%LDAP_SYNC_SERVER%
%AVDATVERSION%:
%AVENGINEVERSION%:
%ATTACHMENTNAME%:
%IASCORE%
%IATHRESHOLD%
%DLP_RULE%:
%DLP_CATEGORY%
%DLP_FILEDIGEST%
%DLP_FILESIZE%
%DLP_FINGERPRINTDATE%
%DLP_FINGERPRINTSOURCE%:
%DLP_REPORT%:
%LB_APPLIANCE_IP_ADDRESS%
%LB_APPLIANCE_IP_NAME%
%LB_APPLIANCE_MAC_ADDRESS%
%FILESYSTEM%:
%FILTERCONTEXT%:
%SPAMSCORE%:
%SPAMRULESBROKEN%:
%SPAMTHRESHOLD%
Aggregated data:
%PRODUCT%:
%EVENT%:
%PROTOCOL%
%SMTPNUMMESSAGES%:
%SMTPVIRUSDETECTED%:
%SMTPPUPSDETECTED%:
%SMTPANTIRELAYDETECTED%
%SMTPBATVDETECTED%
%SMTPCONTENTDETECTED%:
%SMTPCOMPLIANCEDETECTED%
%SMTPDENYSENDERDETECTED%
%SMTPDHDETECTED%
%SMTPDKIMDETECTED%
%SMTPDLPDETECTED%
%SMTPFILEFILTERDETECTED%
%SMTPGREYLISTDETECTED%
%SMTPGTIMSGREPDETECTED%
%SMPTIADETECTED%
%SMTPLDAPRCPTDETECTED%
%SMTPMAILFILTERDETECTED%
%SMTPPACKERSDETECTED%
%SMTPPHISHDETECTED%
%SMTPRBLDETECTED%
%SMTPRECIPIENTDETECTED%
%SMTPSENDCONNECTDETECTED%
%SMTPSENDERIDDETECTED%
%SMTPSPAMDETECTED%
%SMTPSPFDETECTED%
%SMTPTOTALDETECTED%
%POP3NUMMESSAGES%:
%POP3VIRUSDETECTED%:
%POP3PUPSDETECTED%:
%POP3IADETECTED%
%POP3PHISHDETECTED%
%POP3SPAMDETECTED%
%POP3TOTALDETECTED%
%SPAMBLOCKEDRBL%:
%SPAMDETECTED%:
%SPAMBLOCKED%:
%SPAMQUAR%:
%CONTENTQUAR%:
%VIRUSQUAR%:
%SOURCEIP%:
Source IP address
%SOURCEHOST%:
%DESTINATIONIP%:
Destination IP address
%DESTINATIONHOST%:
%LOCALTIME%:
Local time
%UTCTIME%:
UTC time
%WEBSHIELDNAME%:
%WEBSHIELDIP%:
%GATEWAYIP%
%GATEWAYNAME%
%APPLICATION%:
%SCANHOSTNAME%
%SCANHOSTIP%
%LOGINUSER%
Definition
System events
Compliance events
Conversation events
Authentication events
SPF events
Trap manager, Community name, Protocol version
Basic settings
Option
Definition
Name
Location
If required, provide information about the location of the appliance. This could be the
office in which it is located, or a specific rack position.
Contact details
Bind address
Select the network interface that the SNMP daemon uses to listen.
Protocol version
Select the required SNMP protocol version. When v3 is selected, the Security options
become available.
Community name Versions 1 and 2 of the SNMP protocol use the community name like a password. The
community name is required with each SNMP Get request to allow access to the
appliance. The default community name is public.
If you have several appliances, change the default name.
Definition
Authentication protocol
Select the required protocol for SNMP authentication. You can select MD5
or SHA protocols for this option.
Privacy protocol
Select the required protocol for privacy. You can select DES or AES
protocols for this option.
Authentication passphrase
Privacy passphrase
Select Store for configuration push (plain text) to include these settings in
configuration pushes between your appliances.
Be aware, however, that if you select this option, the configuration settings
for the SNMP v3 protocol are stored on the appliance in plain text.
Definition
Access control list The appliance is set to allow SNMP queries from all devices. We recommend that you
change the settings to allow access from known devices only. Specify the IP address
numbers of the devices that can read the appliance's MIB parameters.
Syslog provides log information about the system itself, rather than about messages the system
processes. Extended logging allows you to use external software to generate reports.
Definition
Enable system log events Enables system logging (syslog) information to be collected and delivered
to the on-appliance logging system, or sent to an off-box solution.
Select the type of logging format that you want to use. This option creates an output
log file that is structured so that it can be easily read by third-party applications and
used to generate custom reports. Due to the amount of data generated, we recommend
that this option is only enabled when using TCP syslog. Choose from:
Original
Splunk
Click View the system logs to see the log files on the appliance.
Log events to the syslog for the following event types:
Specify the events to capture within the syslog. To prevent very large log files, we
recommend that you record only events that you want to monitor closely, and deselect
the events when you have finished.
Supported event types:
Anti-virus events
SPF events
Compliance events
System events
Transport events
Conversation events
Authentication events
The appliance cannot store the transport events produced by heavy traffic for long
periods. We recommend that you use the off-box syslog option to forward the transport
events to a central syslog server.
Option
Definition
Off-box system log
Enable off-box system log To send system logs for storage off-box, enable this setting and
define the receiving server parameters:
Receiving server Specifies the IP address or host name of the server that receives the
syslog information.
Use IPv6 protocol Check this option when sending system logging information over an
IPv6 network.
Port Specify the port on the receiving server to be used to transfer the system log
information.
When using off-box system logging, you can specify different ports for each configured
off-box syslog server.
Protocol Either TCP or UDP. Specifies the packet type. UDP has a limit of 1024 bytes
per packet.
Add Server You can configure multiple off-box servers.
System Log Archive
Send archive copies of the mail logs to another server, and set up a schedule for this to
happen. Click Enable log archive to open the Configure System Log Archive wizard. After
the wizard is complete, this section displays a summary of the schedule settings you
entered.
Syslog Entry / Notes / Example
Example entry prefix (timestamp and appliance name): Dec 30 10:58:10 Appliance1
app: Protocol. Example: SMTP
name: A description of the event.
policy_name: Name of the in-force policy.
dvc_host: Host responsible for scanning in a blade environment. Example: Appliance1
event_id: Event ID. Example: 180000
reason_id: Reason ID. Examples: 145 - Clean, 146 - Replace, 624 - PuP Detection, 625 - Packer Detection
direction: Whether inbound (0) or outbound (1), as defined by the administrator for the policy. Example: 0, 1
Table 5-25
Syslog Entry
Notes
Example
src_ip: Originating client IP address of the host sending the email.
src_host: Originating client host name, if available.
dest_ip: Destination client IP address of the host sending the email.
dest_host: Destination client host name, if available.
is_primary_action: Indicates if the action taken is the main action defined for the event. 1 indicates the primary action. Example: 0, 1
scanner: Which scanner detected the event. Example: AV - Anti Virus
action: The action taken for the event.
status: A descriptive message for the event.
sender
recipient: A list of recipient email addresses. Example: <testuser@domain.com>, <anotheruser@domain.com>, <user@domain.com>
msgid: A unique id assigned to each mail message.
nrcpts: Number of the recipients for the mail. Example: 3
relay: Address of the next MTA the mail would be sent to, if known. Example: 10.1.1.108
subject: The subject of the email.
size: Size of the message in bytes. Example: 231
attachments: The attachments of the email (optional). Example: file1.doc, file2.doc
number_attachments: The number of attachments of the email (optional).
virus_name: The name of the detected virus.
file_name: Filename in which the detection occurred. Example: eicar_com.zip
spamscore
spamthreshold: The threshold it exceeded.
spamrules: A list of the rules used to determine its status as spam.
URL: URL which caused the event to be generated. Example: http://www.eicar.org/download/eicar.com
contentrule
content_terms: The terms that caused the content filter event.
tz
tz_offset
dlpfile: The registered document file name that matched the DLP trigger. Example: TestSpecTemplate.doc
dlprules: The DLP category. Example: Finance
dlpclassification: The DLP category. Example: Finance
dlpfileuploaded: Upload time in UTC. Example: 2010-11-10 10:13:47
dlpfiledigest
dlpfilesize: Example: 23040
The encryption type of the email, shown as a number: PGP 2, SMIME 4, Push delivery 8, Pull delivery 16, Both push and pull delivery 32
orig_subject: The original subject of the email. Example: Meeting report
orig_sender: The original sender of the email. Example: exampleuser@example.com
scan-host-ip: Host (IP) responsible for scanning.
host-name: Originating hostname of the client making the connection.
host-domain-name: Domain name of the originating client host.
mac-address: MAC address of the appliance.
product: Appliance's product version.
uuid: Unique ID of the event. Example: 30bc_0001_5d144be2_48dc_4590_87af_0836d4624407
user-name: User who logged in or logged off the appliance. Example: admin
Name
Scanner
50006
Email Status
180000
AV (Anti Virus)
180002
Anti-spam classification
AS (Anti Spam)
180002
Anti-spam classification
AP (Anti Phish)
180003
FF (Format Blocking)
180004
MF (Mime Format)
180008
UF (URL Filtering)
180010
Compliance detection
PX (Compliance)
180011
180012
MS(Mail Size)
180031
SA (Site Advisor)
reason_id
Text
77
Email Delivered
83
Email Deferred
142
145
clean
146
replace
161
206
305
306
420
611
623
Phish Detection
reason_id
Text
624
PuP
625
Packer
689
DLP
728
Compliance
737
Event ID
Event Description
50005
50006
50022
180000
180001
180002
Anti-spam classification
180003
File-format detection
180004
Mail-Filtering detection
180010
Compliance detection
180011
180012
180013
180014
Image-Filtering detection
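An added example (not McAfee's code) that parses syslog entries carrying the fields of Table 5-25 and decodes event_id and reason_id into the names listed in the tables above, keeping only entries where a scanner's primary action fired rather than plain delivery status. The key=value layout after the timestamp and appliance name is an assumed encoding for this example, since the guide lists only the field names; the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Event and reason codes as listed in the guide's syslog tables.
EVENT_IDS = {
    50006: "Email Status",
    180000: "AV (Anti Virus)",
    180002: "Anti-spam classification",
    180003: "File-format detection",
    180004: "Mail-Filtering detection",
    180010: "Compliance detection",
    180014: "Image-Filtering detection",
}
REASON_IDS = {
    77: "Email Delivered", 83: "Email Deferred", 145: "Clean", 146: "Replace",
    623: "Phish Detection", 624: "PuP Detection", 625: "Packer Detection",
    689: "DLP", 728: "Compliance",
}
# Reason codes that mean a scanner acted on a message, as opposed to delivery state.
DETECTION_REASONS = {146, 623, 624, 625, 689, 728}

# Constructed sample entries. The key=value layout is an assumption for this
# example; the guide shows only the field names and the prefix "Dec 30 10:58:10 Appliance1".
SAMPLE_LINES = [
    'Dec 30 10:58:10 Appliance1 app=SMTP name="AV detection" policy_name=Default '
    'dvc_host=Appliance1 event_id=180000 reason_id=146 direction=0 src_ip=10.1.1.108 '
    'is_primary_action=1 scanner=AV action=Replace sender=<testuser@domain.com> '
    'recipient=<user@domain.com> nrcpts=1 size=231 virus_name="EICAR test file" file_name=eicar_com.zip',
    'Dec 30 10:58:11 Appliance1 app=SMTP name="Email Status" policy_name=Default '
    'dvc_host=Appliance1 event_id=50006 reason_id=77 direction=0 is_primary_action=1 '
    'sender=<testuser@domain.com> recipient=<user@domain.com> relay=10.1.1.108',
    'Dec 30 10:59:02 Appliance1 app=SMTP name="Compliance detection" policy_name=Outbound '
    'dvc_host=Appliance1 event_id=180010 reason_id=728 direction=1 is_primary_action=1 '
    'scanner=PX action=Quarantine sender=<user@domain.com> recipient=<anotheruser@domain.com>',
]

# "Mon DD HH:MM:SS host rest-of-entry"
_PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
# key=value pairs; values may be double-quoted when they contain spaces
_KV = re.compile(r'(?P<key>[\w.-]+)=(?P<val>"[^"]*"|\S+)')


def parse_meg_syslog(line: str) -> Optional[Dict]:
    """Split one entry into timestamp, appliance name and a dict of fields; None if unparsable."""
    m = _PREFIX.match(line)
    if not m:
        return None
    fields = {key: val.strip('"') for key, val in _KV.findall(m.group("rest"))}
    return {"timestamp": m.group("ts"), "host": m.group("host"), "fields": fields}


def _code(value: Optional[str]) -> int:
    """Numeric field to int; -1 when missing or malformed so lookups fall through to 'unknown'."""
    try:
        return int(value) if value is not None else -1
    except ValueError:
        return -1


def summarize(line: str) -> Optional[Dict]:
    """Decode the numeric codes of one entry into the names the guide gives them."""
    entry = parse_meg_syslog(line)
    if entry is None:
        return None
    f = entry["fields"]
    event_id, reason_id = _code(f.get("event_id")), _code(f.get("reason_id"))
    return {
        "timestamp": entry["timestamp"],
        "event": EVENT_IDS.get(event_id, f"unknown event {event_id}"),
        "reason": REASON_IDS.get(reason_id, f"unknown reason {reason_id}"),
        "reason_id": reason_id,
        "direction": {"0": "inbound", "1": "outbound"}.get(f.get("direction"), "unknown"),
        "primary": f.get("is_primary_action") == "1",
        "sender": f.get("sender"),
        "recipient": f.get("recipient"),
    }


def find_detections(lines: List[str]) -> List[Dict]:
    """Keep entries where a scanner's primary action fired; drop delivery/deferral noise."""
    hits = []
    for line in lines:
        s = summarize(line)
        if s and s["primary"] and s["reason_id"] in DETECTION_REASONS:
            hits.append(s)
    return hits


if __name__ == "__main__":
    for hit in find_detections(SAMPLE_LINES):
        print(f"{hit['timestamp']} {hit['direction']:8} {hit['event']}: {hit['reason']} "
              f"from {hit['sender']} to {hit['recipient']}")
```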
act
app
Table 5-28
msg
dvc
dst
dhost
src
shost
suser
duser
deviceDirection
sourceServiceName
filePath
fileId
fsize
rt
flexNumber1
'reason-id'
flexNumber1Label
cs1
cs1Label
cs2
cs2Label
cs3
cs3Label
cs4
'email-attachments'
cs4Label
cs5
'AP' - Anti-Phish
'AS' - Anti-Spam
'AV' - Anti-Virus
'DL' - Data Loss Prevention
'FF' - File Filtering
'MF' - Mail Filtering
'MS' - Mail Size
'PA' - Packer
'PU' - Potentially Unwanted Program
'PX' - Compliance
'IA' - Image Filtering
'master-scan-type'
cs5Label
cs6
'email-subject'
cs6Label
cn1
Indicates if the action taken is the main action defined for the event. 1 indicates primary action
'is-primary-action'
cn1Label
cn2
'num-email-attachments'
cn2Label
cn3
'num-email-recipients'
cn3Label
McafeeEmailgatewayOriginalSubject
McafeeEmailgatewayOriginalSender
McafeeEmailgatewayOriginalMessageId
McafeeEmailgatewayEmailEncryptionType
PGP 2
SMIME 4
Push delivery 8
Pull delivery 16
utc-time
local-time
utc-time-txt
scan-host-name
scan-host-ip
host-name
host-domain-name
mac-address
product
user-name
Logging Configuration
Use this page to specify which events are recorded in the appliance's logs.
Definition
Protocol events
Communication events
Detection events
Advanced
When clicked, opens another window where you can examine the settings for
each event and choose which events to log or ignore. The information includes:
Medium Severity
Low Severity.
High Volume A symbol that indicates how often this event occurs:
Definition
Protocol events
Communication events
Definition
Detection events
Advanced
When clicked, opens another window where you can examine the settings for
each event and choose which events to log or ignore. The information includes:
Enabled Whether the event is being recorded in the log now.
ID The event number, such as 50012, which is recorded in the log with the time
and date of the event.
Level A symbol that indicates the severity of the event:
Medium Severity
Low Severity.
High Volume A symbol that indicates how often this event occurs:
Definition
System events
User interface
events
Advanced
When clicked, opens another window where you can examine the settings for each
event and choose which events to log or ignore. The information includes:
Medium Severity
Low Severity.
High Volume A symbol that indicates how often this event occurs:
Definition
Enabled
ID
Product Guide
499
Option
Definition
Level
High Volume
Displays a warning icon if the event is likely to produce a high volume of alerts
Description
Restore defaults
Option Definition
Transfer to FTP Server: Selected by default.
Server, Port, Directory
Proxy server, Proxy port, Proxy username, Proxy password
If you use either FTP or SSH with password authentication, your passwords are stored in the appliance configuration files, in plain text format. The most secure option is to use SSH with public key authentication. To use this feature, you must click the link to generate a key file, which you must then copy and paste into your authorized keys file so that the appliance can perform the backup.
System Log
McAfee recommends that you update all scanning components on a new appliance using the Update
Now feature, then use the Schedule feature for each component to create regular updates at a time
when traffic is low, such as during the night.
Option Definition
Hourly to Weekly: Specifies the schedule. If you do not need this feature, select Never.
Next / Finish: Moves to the next page of the wizard, or closes it and applies the settings.
Test: Checks that the backup configuration works, and provides the desired information.
Component Management
The Component Management pages enable you to view the status of your updates, to specify Package
Installer and ePolicy Orchestrator options, and to enable additional anti-virus engines.
Update Status
Use this page to check that each scanning component is using the most up-to-date threat detection
data to maintain your appliance security.
If you are using the Commtouch Command anti-virus engine, updates for that engine are downloaded
and applied at the same time as those for the McAfee anti-virus engine.
McAfee recommends that you update all scanning components on a new appliance using the Update Now
options, then use the scheduling options for each component to create regular updates at a time when
traffic is low, such as during the night. To install appliance software updates such as HotFixes and
patches, go to System | Component Management | Package Installer.
McAfee Email Gateway no longer supports the v1 detection definition (DAT) files. The appliances now
use the McAfee Agent to handle the updating of the v2 DAT files and scanning engine files even
without having an ePolicy Orchestrator server configured on your network. When not using an ePolicy
Orchestrator server, you can now configure your appliance to use ftp or http to download the v2 DAT
files and scanning engine files. These DAT files and scanning engine updates can be obtained by ePolicy
Orchestrator and pulled from the ePolicy Orchestrator repository using the McAfee Agent. You can also
manually download the files and install them onto your appliance.
You cannot use the Update Status pages to update the Hardware Acceleration PDB files used by older
hardware fitted with Hardware Acceleration cards.
Option Definition
Edit warning thresholds: When clicked, opens a dialog box where you can specify the warning thresholds for various component updates. When applied, these thresholds are used in the Dashboard and within Version information and updates to bring any missing or failed updates to your attention.
Component name: Displays the component name, preceded by an icon that indicates whether the component is up-to-date: Up-to-date.
Version
Update Status
Last Updated: Displays the date and time that each installed component was last updated.
Scheduled
Action: Update Now, when clicked, updates a component immediately rather than waiting for the scheduled update. Configure opens the Configure Anti-Spam Updates dialog box where you can specify a proxy server from which the appliance downloads the update, or accept any default server settings that you have already entered.
Import: Click Import to install the Engine and Database files previously exported from this, or another, appliance.
Export: Click Export to create a zip file containing the Engine and Database files currently installed on the appliance. You can include the Anti-virus engine, Anti-virus database, Spam engine, and Spam rules within the exported file. When you import the updates zip file, all updates that are contained within it are imported to your appliance. If you do not want a particular update to be applied, then McAfee recommends that you do not include that update when you export the update file.
Option Definition
Update scheduled: When clicked, the link opens a wizard, where you can specify the type, source and schedule for installing packages, such as hot fixes and service packs.
Update now: Installs packages immediately. You can select options about how the package update is handled. When first configuring your appliance, using Update now confirms that the user settings are configured correctly and working. Alternatively, you can browse to Troubleshoot | Tests and run the System Tests to confirm these settings.
Remove Extra DAT: If you have existing Extra DAT files installed, allows you to remove them once the additional protection has been added to the standard DATs.
Table 5-35 Anti-virus DAT roll back
Option Definition
Option Definition
Uses the FTP proxy settings set up on the Default Server Settings page (System | Appliance Management | Default Server Settings).
configure defaults: Opens the Default Server Settings page where you can edit the default FTP proxy settings.
Proxy Server to Proxy Password: Displays the settings of the FTP proxy server.
Task Update the anti-virus engine and database daily at 04:00 over HTTP using a proxy server
Use this task to update the anti-virus engine using detailed settings.
Task
1 Click the link in the Scheduled column for the Anti-virus engine component.
2 On the Specify the server settings for downloading the update via HTTP page, keep the default settings, and click Next.
The update will use the proxy server that you set up in System | Appliance Management | Default Server Settings.
3 In Select how the McAfee FTP update site should be used, select Not Used, and click Next.
4 In Time to schedule update for, select the Daily option, set the time to 0400, and click Finish.
Updates for the Commtouch Command anti-virus engine occur simultaneously with the updates for the McAfee anti-virus engine. You can choose to disable updates for the additional anti-virus engine.
Task
1 In the Scheduled column under Version information and updates, click the scheduled update link on the row with the McAfee anti-virus engine.
A series of Configure Anti-Virus Updates pages opens.
2 Click Next on the first and second pages that appear, to get to the third page labeled Time to schedule update for.
3 Uncheck the Enable updates for Commtouch Command anti-virus check box, then click Finish.
Task
1 Click the link in the Scheduled column for the Spam engine component.
2 Click Next to have the update use the default FTP update server settings.
3 In Time to schedule update for, select the Daily option, set the time to 0500, and click Finish.
Task
1 Click Roll back to previous installed version, in Anti-virus DAT roll back.
2 Click OK to roll back to the previous installed version of the Anti-virus DAT file.
Package Installer
Use this page to examine and install new software packages.
Option Definition
Update From file: When clicked, opens another window where you can select a file from a local source to upload to the appliance.
Package Type
Name
Severity: Displays information such as whether we recommend that you install the package, or allow you to decide.
Status: Displays information such as whether the package has been downloaded or installed.
Required Actions: Displays information such as whether the appliance needs to be restarted when the package is installed.
Notes
Install: When clicked, makes the selected patch ready to install. The patch is installed when you click Apply.
Download: When clicked, makes the selected patch ready to download. The patch is downloaded when you click Apply.
Export: When clicked, exports the downloaded file to another location so that another appliance can use it via Manual Package Install.
Refresh: When clicked, sends a request to the FTP server for any changes.
Apply
ePO
Use this page to manually set up the appliance to be managed by ePolicy Orchestrator.
Option Definition
Export Appliance Configuration: Use this option to create an .xml file containing your Email Gateway configuration that you can then load directly into the Policy Catalog within McAfee ePO.
Use this option to select the configuration file from your McAfee ePO server, to import your McAfee ePO settings into Email Gateway.
Click to browse to the McAfee ePO connection settings file, to import the McAfee ePO connection information into the appliance.
Allow configuration to be applied from ePO: When Enable ePO management is selected, use McAfee ePO to create, edit, and manage all policies, and to have them pushed to your McAfee ePO-managed Email Gateway appliances.
To create, edit, and manage policies for your Email Gateway appliance, use McAfee ePO v4.5 (or later) software.
Option Definition
Enter and confirm the passphrase required to unpack the TLS certificate package. Unless an appliance uses McAfee ePO encryption policies that only reference the default appliance SSL certificate, all McAfee ePO-managed appliances must be configured with the same passphrase.
Create a package of your TLS certificates and keys to be imported into your McAfee ePO server.
Task Export the TLS certificate package from your Email Gateway appliance
Export TLS certificates and keys from your Email Gateway appliance, to then import them into your McAfee ePO server before pushing them to other Email Gateway appliances.
Before you begin
Ensure you have installed the Email Gateway extensions onto your McAfee ePO server, and have exported the ePO Connection Settings from the McAfee ePO server.
The Email Gateway appliance from which you are exporting the TLS certificate and key package must be enabled for McAfee ePO management.
Task
1 Within the Email Gateway user interface, select System | Component Management | ePO.
2 Click Import ePO Connection Settings, and browse to the connection settings file (ePOConfigxxxx.zip).
3 Click OK to import the settings.
4 Click Export TLS certificates and keys. Optionally, include the TLS certificate and key used by the appliance by default.
5 Click the link to download the TLS certificate package in preparation to import the certificates to McAfee ePO.
From your McAfee Email Gateway appliance, select Resources and then click ePO Extensions and ePO
Help Extensions to download the extension files.
On the ePO server, install the extensions using Menu | Software | Extensions | Install Extensions.
On the ePO server, save the connection settings from Menu | Gateway Protection | Email and Web Gateway |
Actions | Export Connection Settings.
On the McAfee Email Gateway appliance, return to the Settings for ePO Management page in the
appliance Setup Wizard, and click Import ePO connection settings.
Click System | Component Management | ePO page, and click Import ePO connection settings.
Browse to the ePO connection settings file and click OK to upload it.
From the Setup Wizard, click Next to continue to the Basic Settings page and complete the setup.
From System | Component Management | ePO, select Enable ePO management and Allow configuration to be
applied from ePO and apply the changes to the appliance.
When a policy is sent from ePolicy Orchestrator and is then enforced on your McAfee Email Gateway,
events are sent back from your McAfee Email Gateway to ePolicy Orchestrator giving indications of
the success or failure of that enforcement, and of any warnings that may have been generated. You
can view these events from within ePolicy Orchestrator by browsing to Menu | Reporting | Threat Event
Log.
When you have configured your appliance to enable it to be managed by ePolicy Orchestrator, you will
be reminded each time that you make a configuration change using the appliance's user interface that
the appliance is under ePolicy Orchestrator management, and that your changes will be overwritten
the next time that ePolicy Orchestrator updates the configuration.
Download the ePO Extensions and ePO Help Extensions from the Resources link
within the user interface of one of the upgraded appliances.
From within your McAfee ePO user interface, install the new versions of the
ePO Extensions and ePO Help Extensions.
Before you can upgrade to the latest version of Email Gateway, your existing appliance
must be running Email Gateway version 7.6.2 and be correctly configured and running.
This upgrade process automatically disconnects the appliance from being managed by
McAfee ePO.
The in-built Email Gateway migration tools migrate many of your existing Email Gateway settings for
you. However, some settings may need to be recreated.
Task
1 In McAfee ePO, click Policy Catalog and select the Email Gateway 7.6.2 or higher product.
8 Select the epo_config_<date_stamp>.xml file produced at the end of this process, and save the file.
9 From the Email Gateway Resources link, download the ePO Extensions and ePO Help Extensions files.
10 From McAfee ePO, install the ePO Extensions and ePO Help Extensions files.
11 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway 7.<x> product.
12 Click Import, and import the epo_config_<date_stamp>.xml you saved in step 8.
The policies and settings within the configuration file are migrated across to your McAfee ePO server.
After you have imported the settings into Email Gateway managed by McAfee ePO, you need to re-assign the migrated policies to the correct groups in the System Tree in McAfee ePO.
13 On McAfee ePO, navigate to Menu | Gateway Protection | Email and Web Gateway.
14 From Actions, select Export Connection Settings. Save the epoConfig<xxxxxxx>.zip file.
15 On your Email Gateway, navigate to System | Component Management | ePO, click Import ePO connection settings. Browse to the epoConfig<xxxxxxx>.zip file, and click OK.
Your McAfee ePO configuration settings are imported into your Email Gateway appliance.
16 Select both Enable ePO management, and Allow configuration to be applied from ePO.
17 Apply changes within your Email Gateway.
Your upgraded appliance is again under McAfee ePO control.
If you had documents registered for Data Loss Prevention in your previous Email Gateway appliance, the document fingerprints for these are copied to your new Email Gateway McAfee ePO installation.
If you chose to create a scheduled task to push your previous Email Gateway DLP database to the new Email Gateway version, you will need to create an equivalent scheduled task to push the new Email Gateway DLP database to your appliance.
Anti-virus engines
Configure your McAfee Email Gateway to additionally use the Commtouch Command anti-virus
engine.
When enabled, the Commtouch Command anti-virus engine works in series with the McAfee anti-virus
engine, rather than in place of it.
Option Definition
Default value is Primary Site. If the appliance receives its updates from an ePO server, the value is Not Used.
Server, Port, Directory, Username, Password: The appliance uses information that you type here or the default settings from another page. To access that page at any other time, select System | Appliance Management | Default Server Settings on the navigation bar. If the appliance obtains updates via a proxy server, type the details here.
Update action: Choose from Update database, Download, or Download and install. Specifies the action that the appliance will take on receiving the new software.
Option Definition
Parameter: You can configure the warning thresholds for the following updates: McAfee anti-virus engine, McAfee anti-virus database, Spam, Spam engine. If you have installed the additional Commtouch Command anti-virus engine, the following rows will appear:
Warn After: Specify the time between the last update and when an amber warning is shown within the Dashboard.
Alert After: Specify the time between the last update and when a red "critical level" alert is shown within the Dashboard.
Setup Wizard
The Setup Wizard is available from the user interface to allow you to edit settings that you made in
the configuration console when you first installed the appliance.
Welcome
This is the first page of the Setup Wizard. Use this page to select the type of installation you want to perform.
Standard Setup (default): Use this option to set up your device in transparent bridge mode, and configure it to protect your network. The SMTP protocol is enabled by default. You can choose to enable scanning of POP3 traffic.
Choosing Standard Setup forces the device to run in transparent bridge mode.
Custom Setup: Use this option to select the operating mode for your device. You can choose to protect mail traffic using SMTP and POP3 protocols. Use this option if you need to configure IPv6 or to make other changes to the default configuration.
Restore from a file (not available from the Configuration Console): Use this option to set up your device based on a previously saved configuration. Following the import of the file you will be able to check the imported settings before finishing the wizard. If the file came from an earlier McAfee Email and Web Security Appliance, some details are not available.
ePolicy Orchestrator Managed Setup: Use this option to set up your device so that it can be managed by your ePolicy Orchestrator (McAfee ePO) server. Only minimal information is needed, as the device will get most of its configuration information from your ePolicy Orchestrator server.
Encryption Only Setup: Use this option to set up your appliance as a standalone encryption server.
The appliance operates in one of the following modes: transparent bridge, transparent router, or explicit proxy. The mode affects how you integrate the appliance into your network and how the appliance handles traffic. You will need to change the mode only if you restructure your network.
Explicit Proxy mode is best suited to networks where the client devices connect to the appliance through a single upstream and downstream device. For example, you can configure your network to have your web cache logically connected on one side of the appliance and a firewall on the other side, with both physically connected through the LAN1 port. The advantage of this scenario is that you need to reconfigure only the web cache and firewall. You do not need to reconfigure the clients.
Transparent Router mode is suitable for networks that have firewall rules, because the firewall still sees the IP addresses of the clients and can therefore apply the Internet access rules to client traffic.
Transparent Bridge mode requires the least configuration. You do not need to reconfigure your clients or default gateway to send traffic to the appliance. You do not need to update a routing table.
Standard Setup
Use the Standard Setup wizard to set up your appliance in Transparent Bridge mode, and configure it
to protect your network.
The Standard Setup wizard consists of the following pages:
Contents
Benefits of the Standard Setup wizard
Email Configuration page (Standard Setup)
Basic Settings page (Standard Setup)
Summary page (Standard Setup)
Option Definition
Enable protection against Potentially Unwanted Programs
Click to activate hybrid email protection, with McAfee Email Protection (Hybrid) scanning your inbound email traffic. After enabling McAfee Email Protection (Hybrid), the configuration pages for this service are displayed automatically when you next log into the user interface.
Enable Graymail Protection: Click to enable protection from messages (such as email newsletters) that some users want, but that others might prefer to block. When selected, the Graymail dictionary is added to the Anti-Spam Terms list, found in Email | Email Policies | Spam | Spam Terms. To view the terms within the Graymail dictionary, select this dictionary from Email | DLP and Dictionaries | Compliance Dictionaries.
Enter both the IP address and netmask for your local relay domain.
Click What is this? to read about how the feedback is used, and view the McAfee Privacy Policy.
Ensure that you define at least one local domain, as well as the domains from which you want to permit email relaying, and those from which you want to deny email relaying. Defining a domain as a Permitted domain ensures that email traffic from that domain is always allowed to be relayed.
Option Definition
Device name
Domain name
IP address
Subnet
Gateway Address
DNS Server IP: Specifies the address of a Domain Name Server that the appliance uses to convert website addresses to IP addresses. This can be an Active Directory or a Domain Name Service server. You can test later that the appliance can communicate with this server.
Mode
User ID: The scmadmin user is the super administrator. You cannot change or disable this account and the account cannot be deleted. However, you can add more login accounts after installation.
Current Password/New Password: The original default password is password. Specify the new password. Change the password as soon as possible to keep your appliance secure. You must type the new password twice to confirm it.
Option Definition
Appliance Time zone: Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time. The zones are organized from west to east to cover mid-Pacific, America, Europe, Asia, Africa, India, Japan, and Australia.
Appliance Time (UTC): Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as http://www.worldtimeserver.com.
Set Now: When clicked, applies the date and UTC time that you specified in this row.
Client Time: Displays the time according to the client computer from which your browser is currently connected to the appliance.
Synchronize appliance with client: When selected, the time in Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manual setting of Appliance Time (UTC). The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight savings adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.
When you first log on to the interface, type the user name, admin, and the password that you gave on the Basic Settings page.
Table 5-41 Basic settings
Option Definition
The value is set according to best practice.
The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing.
No value has been set. The value has not been changed from the default. Check the value before continuing.
Custom Setup
Use the Custom Setup Wizard to choose the operating mode when you set up your appliance. You can
also make other choices, such as setting up IPv6 networking.
The Custom Setup Wizard consists of the following pages:
Contents
Benefits of the Custom Setup wizard
Important considerations for the Custom Setup Wizard
Basic Settings page (Custom Setup)
Network Settings page
Cluster Management page
DNS and Routing page
Email Configuration page (Custom Setup)
Time Settings page
Password page
Summary page
Cluster Management
When configuring a group of appliances or McAfee Content Security Blade Servers, the current master
uses a "least used" algorithm to assign connections to the appliances or blades configured to scan
traffic. The scanning appliance or blade that is currently showing the least number of connections, at
that moment in time, is assigned the next connection.
For a cluster of appliances:
If you have only a master and a failover appliance, with both configured to scan traffic, the master
will send most connections to the failover appliance for scanning.
If you have scanning appliances, and scanning enabled on the master and failover, then the
scanning appliances will receive the most traffic to scan, then the failover, with the master
receiving the least. If you have more than three appliances in a cluster, McAfee recommends that
you do not enable scanning on the master appliance.
You cannot configure the master or the failover blades of the McAfee Content Security Blade Server to
scan traffic.
McAfee recommends that when using your appliance in a cluster environment, you use McAfee
Quarantine Manager to quarantine email messages.
Delivering email
Using the recipient's domain, the appliance uses the following logic to decide how it will deliver
messages:
If the recipient's domain matches those listed in Known Domains and relay hosts, it uses those relays to
deliver the message.
If the recipient's domain does not match those listed in Known Domains and relay hosts, it can be
configured to use an MX record lookup to deliver using DNS. If no MX records are available, it
attempts to make the delivery using an A record lookup. MX delivery is attempted to hosts in the
order of priority that is returned by the DNS server.
If it cannot deliver using one of the previous methods, it uses fallback relays to make the delivery
(providing the recipient's domain matches those listed in the Fallback relays field).
If the domain does not exist, the appliance generates a non-delivery report and sends it to the
originator.
If the receiving server cannot accept delivery, or there are no IP addresses to complete the
delivery, the message is queued.
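The delivery decision described above, as an added example that is not part of the product guide: a model of the decision order (known-domain relays, then MX lookup in priority order, then A record, then fallback relays, then non-delivery report for a nonexistent domain, else queue) with a constructed stand-in DNS table in place of real lookups. The configuration structure, domain names and addresses are assumed for illustration and are not the appliance's own data model.

```python
"""Model of the appliance's delivery decision for one recipient.
Added example; DnsTable is a constructed stand-in for real DNS."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DnsTable:
    """Stand-in resolver. 'existing' holds every domain that resolves at all;
    any other domain behaves as if it did not exist (NXDOMAIN)."""
    mx: dict[str, list[tuple[int, str]]] = field(default_factory=dict)  # domain -> [(priority, host)]
    a: dict[str, list[str]] = field(default_factory=dict)               # domain -> [address]
    existing: set[str] = field(default_factory=set)


@dataclass
class DeliveryConfig:
    known_domains: dict[str, list[str]]    # 'Known Domains and relay hosts'
    fallback_relays: dict[str, list[str]]  # 'Fallback relays'
    use_dns_delivery: bool = True          # MX/A delivery when no relay matches


def mx_hosts_in_priority_order(dns: DnsTable, domain: str) -> list[str]:
    """MX hosts with the lowest priority value first, as the DNS server
    returns them; equal priorities keep their listed order."""
    return [host for _, host in sorted(dns.mx.get(domain, []), key=lambda r: r[0])]


def decide_delivery(recipient: str, cfg: DeliveryConfig,
                    dns: DnsTable) -> tuple[str, list[str]]:
    """Return (decision, targets); decision is one of
    'relay', 'mx', 'a', 'fallback', 'ndr' or 'queue'."""
    if "@" not in recipient:
        raise ValueError(f"not an address: {recipient!r}")
    domain = recipient.rsplit("@", 1)[1].lower()

    # 1. Recipient domain is in Known Domains: deliver through those relays.
    if domain in cfg.known_domains:
        return "relay", list(cfg.known_domains[domain])

    # 2./3. DNS delivery: MX records in priority order, A record if none.
    if cfg.use_dns_delivery and domain in dns.existing:
        hosts = mx_hosts_in_priority_order(dns, domain)
        if hosts:
            return "mx", hosts
        addresses = dns.a.get(domain, [])
        if addresses:
            return "a", list(addresses)

    # 4. Nothing above applied: fallback relays, if the domain is listed there.
    if domain in cfg.fallback_relays:
        return "fallback", list(cfg.fallback_relays[domain])

    # 5. Domain does not exist: generate a non-delivery report to the originator.
    if domain not in dns.existing:
        return "ndr", []

    # 6. Domain exists but there is no address to complete the delivery:
    # queue the message (a server that refuses the connection is queued too).
    return "queue", []


# Constructed sample data (documentation address ranges, made-up hosts).
SAMPLE_DNS = DnsTable(
    mx={"mail.example": [(20, "mx2.mail.example"), (10, "mx1.mail.example")]},
    a={"aonly.example": ["203.0.113.5"]},
    existing={"mail.example", "aonly.example", "partner.example", "nohost.example"},
)
SAMPLE_CFG = DeliveryConfig(
    known_domains={"example.com": ["relay.corp.example"]},
    fallback_relays={"partner.example": ["fallback.corp.example"]},
)

if __name__ == "__main__":
    for rcpt in ("a@example.com", "a@mail.example", "a@aonly.example",
                 "a@partner.example", "a@nowhere.invalid", "a@nohost.example"):
        print(rcpt, "->", decide_delivery(rcpt, SAMPLE_CFG, SAMPLE_DNS))
```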
Option Definition
Cluster mode: Defines the options that appear on the Cluster Management page of the Setup Wizard.
Off: This is a standard appliance.
Cluster Scanner: The appliance receives its scanning workload from a master appliance.
Cluster Master: The appliance controls the scanning workload for several other appliances.
Cluster Failover: If the master fails, this appliance controls the scanning workload instead.
Device name
Domain name
Default Gateway: Specifies an IPv4 address, such as 198.168.10.1. You can test later that the appliance can communicate with this server.
Network Interface: Becomes available when you set the Next Hop Router for IPv6.
Option Definition
<mode>: The operating mode that you set during installation or in the Setup Wizard.
Network Interface 1: Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU.
Network Interface 2: Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU.
Change Network Settings: Click to open the Network Interface Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and change the chosen operating mode.
Option Definition
Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is 0-255.
If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning.
Table 5-44 Advanced scanning device settings (blade servers)
Option Definition
MAC Address
Disabled
Manage MAC Addresses: Opens the MAC Addresses dialog box that enables you to manage the list of available MAC addresses.
Although you can add the MAC addresses of management and failover devices to this table, they always contribute hard disk space for Secure Web Mail messages and cannot be disabled.
Option Definition
Address to use for load balancing: Specifies the appliance address. Provides a list of all subnets assigned to the appliance.
Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is 0-255.
Option Definition
Server Address: Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution.
New Server / Delete Selected Servers: Adds a new server to the list, or removes one when, for example, you need to decommission a server due to network changes.
Only send queries to these servers: Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries, as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests itself, or might query DNS servers outside your network.
Routing Settings
Option Definition
Network Address
Mask
Specifies how many hosts are on your network, for example, 255.255.255.0.
Gateway
Specifies the IP address of the router used as the next hop out of the network. The address 0.0.0.0 (IPv4), or :: (IPv6), means that the router has no default gateway.
Metric
Specifies the preference given to the route. A low number indicates a high preference for that route.
New Route / Delete Selected Routes
Add a new route to the table, or remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value.
Enable dynamic routing
Use this option in transparent router mode only. When enabled, the appliance can:
receive routing information broadcast over RIP (default) and apply it to its routing table, so you don't have to duplicate on the appliance routing information that is already present in the network.
broadcast routing information over RIP if static routes have been configured through the user interface.
Option Definition
Click to activate hybrid Email Protection, with McAfee Email Protection (Hybrid) scanning your inbound email traffic. After enabling McAfee Email Protection (Hybrid), the configuration pages for this service are displayed automatically when you next log on to the user interface.
Enable Graymail Protection
Click to send information about your email messages to McAfee data centers for real-time spam analysis. Click What is this? to read about how the feedback is used, and view the McAfee Privacy Policy.
Click What is this? to read about the information that is sent to McAfee and to view the McAfee Privacy Policy.
Scan SMTP traffic / Scan POP3 traffic
Option definitions: Domains for which the appliance will accept or refuse email
Use these options to define how the appliance will relay email. After you complete the Setup wizard, you can manage the domains from Email | Email Configuration | Receiving Email.
Option Definition
Domain Name / Network Address / MX Record
Displays the domain names, wildcard domain names, network addresses, and MX lookups from which the appliance will accept or refuse email.
Type
Domain name: For example, example.com. The appliance compares this value against the recipient's email address, and compares the connection against an A record lookup.
Network Address: For example, 192.168.0.2/32 or 192.168.0.0/24. The appliance compares this value against the recipient's IP literal email address, such as user@[192.168.0.2], or against the connection.
MX Record Lookup: For example, example.com. The appliance compares the connection against an MX record lookup.
Wildcard domain name: For example, *.example.com. The appliance only compares this value against the recipient's email address.
Category
Local domain, Permitted domain, or Denied domain. Ensure that you define at least one local domain, as well as the domains from which you want to permit email relaying and the domains for which you want to deny email relaying. Defining a domain as a Permitted domain ensures that email traffic from that domain is always allowed to be relayed.
Add Domain
Click to specify the domains that can relay messages through the appliance to the recipient. Choose from:
Local domain: These are the domains or networks for which email is accepted for delivery. For convenience, you can import a list of your local domain names using the Import Lists and Export Lists options. McAfee recommends that you add all domains or networks that are allowed to relay messages as local domains.
Permitted domain: Email is accepted. Use permitted domains to manage exceptions.
Denied domain: Email is refused. Use denied domains to manage exceptions.
Hold your mouse cursor over the field to see the recommended format. You must set up at least one local domain.
Add MX Lookup
Click to specify a domain that the appliance uses to identify all mail server IP addresses from which it delivers messages.
Delete Selected Items
Remove the selected item from the table. You must apply the changes before the item is removed from the appliance configuration.
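The relay decision that the table above describes, as an added example (not McAfee's code): each entry type is compared against the recipient address, the connection IP, or both, exactly as the Type row states, and unmatched connections are refused so the gateway cannot act as an open relay. DNS answers, the sample table, and the precedence between categories (Permitted always allowed, then Denied, then Local) are this example's own assumptions.

```python
"""Relay accept/refuse check modelled on the Known domains table types.
Added example, not appliance code. DNS answers and the table are constructed."""
import fnmatch
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for real A and MX lookups (assumption).
DNS_A = {"example.com": ["192.168.0.2"], "mail.partner.net": ["203.0.113.10"]}
DNS_MX = {"partner.net": ["mail.partner.net"]}


def lookup_a(name):
    return DNS_A.get(name.lower(), [])


def lookup_mx_ips(domain):
    # MX Record Lookup: MX hosts for the domain, then each host's A records.
    ips = []
    for host in DNS_MX.get(domain.lower(), []):
        ips.extend(lookup_a(host))
    return ips


@dataclass(frozen=True)
class Entry:
    type: str       # "domain", "network", "mx" or "wildcard" (the page's four types)
    value: str
    category: str   # "local", "permitted" or "denied"


def recipient_domain(rcpt):
    """Domain part of the recipient address, lower-cased (may be an IP literal in [ ])."""
    return rcpt.rpartition("@")[2].lower()


def entry_matches(entry, rcpt, conn_ip):
    dom = recipient_domain(rcpt)
    ip = ipaddress.ip_address(conn_ip)
    if entry.type == "domain":
        # Recipient's domain, or a connection IP found in the domain's A record.
        if dom == entry.value.lower():
            return True
        return any(ip == ipaddress.ip_address(a) for a in lookup_a(entry.value))
    if entry.type == "network":
        net = ipaddress.ip_network(entry.value, strict=False)
        if ip in net:
            return True
        # IP literal recipient such as user@[192.168.0.2]
        if dom.startswith("[") and dom.endswith("]"):
            try:
                return ipaddress.ip_address(dom[1:-1]) in net
            except ValueError:
                return False
        return False
    if entry.type == "mx":
        # Connection compared against the MX record lookup only.
        return any(ip == ipaddress.ip_address(a) for a in lookup_mx_ips(entry.value))
    if entry.type == "wildcard":
        # Only compared against the recipient address, never the connection.
        return fnmatch.fnmatchcase(dom, entry.value.lower())
    raise ValueError(f"unknown entry type {entry.type!r}")


def relay_decision(table, rcpt, conn_ip):
    """Return 'accept' or 'refuse'. Permitted wins (the page says it is always
    allowed), then Denied, then Local; anything unmatched is refused (assumption)."""
    matched = {e.category for e in table if entry_matches(e, rcpt, conn_ip)}
    if "permitted" in matched:
        return "accept"
    if "denied" in matched:
        return "refuse"
    if "local" in matched:
        return "accept"
    return "refuse"


# Constructed sample table (assumption): what an administrator might enter.
SAMPLE_TABLE = [
    Entry("domain", "example.com", "local"),
    Entry("network", "192.168.0.0/24", "local"),
    Entry("mx", "partner.net", "permitted"),
    Entry("wildcard", "*.example.com", "local"),
    Entry("domain", "blocked.example.com", "denied"),
]

if __name__ == "__main__":
    for rcpt, ip in [("alice@example.com", "198.51.100.7"),
                     ("bob@elsewhere.org", "198.51.100.7"),
                     ("dave@blocked.example.com", "198.51.100.7")]:
        print(rcpt, ip, relay_decision(SAMPLE_TABLE, rcpt, ip))
```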
Option Definition
Domain name / Network Address / MX Record
Type
Domain name: For example, example.com. The appliance compares this value against the recipient's email address, and compares the connection against an A record lookup.
Network Address: For example, 192.168.0.2/32 or 192.168.0.0/24. The appliance compares this value against the recipient's IP literal email address, such as user@[192.168.0.2], or against the connection.
MX Record Lookup: For example, example.com. The appliance compares the connection against an MX record lookup.
Wildcard domain name: For example, *.example.com. The appliance only compares this value against the recipient's email address.
Category
Click to populate the Known domains and relay hosts table with a list of host names or IP addresses for delivery. Delivery is attempted in the order specified unless you select the Round-robin the above hosts option, which distributes the load between the specified hosts. Host names/IP addresses can include a port number.
Add MX Lookup
Click to populate the Known domains and relay hosts table with an MX record lookup to determine the IP addresses for delivery. Delivery is attempted to host names returned by the MX lookup in the order of priority given by the DNS server.
Delete Selected Items
Remove the selected item from the table. You must apply the changes before the item is removed from the appliance configuration.
Enable DNS lookup for domains not listed above
If selected, the appliance uses DNS to route email for other, unspecified domains. DNS delivery attempts an MX-record lookup. If there are no MX records, it does an A-record lookup. If you deselect this checkbox, the appliance delivers email only to the domains that are specified under Known domains and relay hosts.
Option Definition
Appliance Time Zone
Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time.
Appliance Time (UTC)
Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as http://www.worldtimeserver.com.
Set Now
When clicked, applies the date and UTC time that you specified in this row.
Client Time
Displays the time according to the client computer from which your browser is currently connected to the appliance.
Synchronize appliance with client
When selected, the time in Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to setting Appliance Time (UTC) manually. The appliance calculates the UTC time based on the time zone that it finds on the client's browser.
Ensure that the client computer is aware of any daylight saving adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.
Enable NTP
When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network but must trust other devices in the network. When deselected, accepts NTP messages only from servers specified in the list.
NTP Server
Displays the network address or a domain name of one or more NTP servers that the appliance uses. For example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time.
New Server
Type the IP address of a new NTP Server.
Password page
Use this page to specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters.
Option Definition
User ID
Password
Specifies the new password. Change the password as soon as possible to keep your appliance secure. You must enter the new password twice to confirm it. The original default password is password.
Summary page
Review a summary of the settings that you have made for the network connections and scanning of the email traffic. To change any value, click its blue link to display the page where you originally typed the value.
When you first log on to the interface, type the user name admin and the password that you gave on the Password page.
Table 5-47 Basic settings
Option Definition
The value is set according to best practice.
The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing.
No value has been set. The value has not been changed from the default. Check the value before continuing.
If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is running on your network, make sure that the appliance is configured according to STP rules. Additionally, you can set up a bypass device in transparent bridge mode.
To configure your McAfee Email Gateway Blade Server to fail over from the management blade to the failover management blade, you must specify at least one virtual IP address, shared between the management and failover management blades.
Option Definition
IP Address
Network Mask
Specifies the network mask, for example 255.255.255.0. In IPv4, you can use a format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled
Virtual
When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server.
New Address / Delete Selected Addresses
NIC 1 Adapter Options or NIC 2 Adapter Options
Enable sending IPv6 router advertisements on this interface
When enabled, allows IPv6 router advertisements to be sent to machines on the subnet that require a router response to complete auto-configuration.
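A validator for the Network Mask rule stated above (IPv4 accepts a dotted mask or a prefix length, IPv6 only a prefix length), as an added example that is not McAfee's code; it also rejects non-contiguous dotted masks, which the wizard's format description does not allow. The function names and messages are this example's own.

```python
"""Normalise the Network Mask field to a prefix length. Added example, not
appliance code; the rules follow the wizard's description of the field."""
import ipaddress


def normalize_mask(ip, mask):
    """Return the prefix length as an int, or raise ValueError with the reason."""
    addr = ipaddress.ip_address(ip)
    text = str(mask).strip()
    if addr.version == 6:
        # IPv6: the wizard accepts only a prefix length such as 64.
        if not text.isdigit():
            raise ValueError("IPv6 requires a prefix length, for example 64")
        n = int(text)
        if not 0 <= n <= 128:
            raise ValueError("IPv6 prefix length must be between 0 and 128")
        return n
    if text.isdigit():
        # IPv4 CIDR notation such as 24.
        n = int(text)
        if not 0 <= n <= 32:
            raise ValueError("IPv4 prefix length must be between 0 and 32")
        return n
    # IPv4 dotted mask such as 255.255.255.0: must be ones followed by zeros.
    try:
        bits = int(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        raise ValueError(f"{text!r} is neither a dotted mask nor a prefix length")
    n = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF:
        raise ValueError(f"{text!r} is not a contiguous network mask")
    return n


def mask_error(ip, mask):
    """Return the validation message for a bad mask, or None when it is acceptable."""
    try:
        normalize_mask(ip, mask)
    except ValueError as exc:
        return str(exc)
    return None


def interface_network(ip, mask):
    """The subnet an address/mask pair places the interface in, in CIDR form."""
    prefix = normalize_mask(ip, mask)
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network)


if __name__ == "__main__":
    # Constructed sample values (assumption), in the wizard's own example formats.
    print(interface_network("192.168.200.10", "255.255.255.0"))
    print(interface_network("FD4A:A1B2:C3D4::1", "64"))
    print(mask_error("FD4A:A1B2:C3D4::1", "255.255.255.0"))
```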
Option Definition
Select all
IP Address
Network Mask
Specifies the network mask, for example 255.255.255.0. In IPv4, you can use a format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled
New Address / Delete Selected Addresses
NIC Adapter Options
Option Definition
Enable STP
Bridge priority
Sets the priority for the STP bridge. Lower numbers have a higher priority. The maximum number that you can set is 65535.
Advanced parameters
Expand to set the following options. Change the settings only if you understand the possible effects, or you have consulted an expert:
Forwarding delay
Option Definition
The bypass device inherits settings from those you entered in NIC Adapter Options.
Select bypass device
Watchdog timeout (seconds)
For the bypass device, the time, in seconds, that can elapse before the system bypasses the appliance.
Heartbeat interval (seconds)
Advanced parameters
This option becomes active when you select a bypass device.
Mode: choose to monitor the heartbeat, or the heartbeat and the link activity.
Link activity timeout (seconds): becomes active when you select Monitor heartbeat and link activity in Mode.
Enable buzzer: enabled by default. If the bypass device fails to detect the heartbeat signal for the configured Watchdog timeout, the buzzer sounds.
Option Definition
LAN 1
LAN 2
Import Configuration
Use this dialog to import the configuration file containing the details that you want to use to configure your appliance.
Table 5-49 Option definitions
Option Definition
Browse
Locate the configuration file to use as a basis for your new settings. The configuration filename is in the format: config_<date and time stamp>.zip
Values to Restore
Use this dialog to choose the areas of the configuration that you want to restore. By default, the setup wizard attempts to restore all settings found within the configuration file onto your appliance. You can choose not to restore settings in particular areas by deselecting them before continuing with the installation. The setup wizard enables you to review and change all settings before you apply them to the appliance.
Table 5-50 Option definitions
Option Definition
Protocol configuration
Network configuration
Information about the IP addresses, host names and other details that are specific to your appliance and your network.
The reporting configuration
Information about how you have configured your Favorite Reports and Scheduled Reports.
The user preferences
Information about how you have configured user interface options, such as the Dashboard configuration.
Selecting this re-installs information about the role-based user accounts that you have set up. This does not include the passwords for default accounts.
ePO configuration
If the appliance that generated the configuration file was under ePolicy Orchestrator management, this option applies these ePO configuration settings.
Option Definition
Cluster mode
Defines the options that appear on the Cluster Management page of the Setup Wizard.
Domain name
Default Gateway
Specifies an IPv4 address, such as 198.168.10.1. You can test later that the appliance can communicate with this server.
Network Interface
Becomes available when you set the Next Hop Router for IPv6.
Option Definition
Cluster identifier
If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is 0-255.
Enable scanning on this appliance
If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning.
Table 5-53 Advanced scanning device settings (blade servers)
Option Definition
MAC Address
Disabled
Manage MAC Addresses
Opens the MAC Addresses dialog box that enables you to manage the list of available MAC addresses.
Although you can add the MAC addresses of management and failover devices to this table, they always contribute hard disk space for Secure Web Mail messages and cannot be disabled.
Summary page
Review a summary of the settings that you have made for the network connections and scanning of the email traffic. To change any value, click its blue link to display the page where you originally typed the value.
After you click Finish, the Setup Wizard has completed.
Use the IP address shown here to access the interface. For example https://192.168.200.10. The address starts with https, not http.
If you have configured your McAfee Email Gateway to provide Secure Web Mail, then you need to access the appliance using port 10443. So, using the example above, you would need to enter https://192.168.200.10:10443.
When you first log on to the interface, type the user name admin and the password that you gave on the Password page.
Table 5-56 Basic settings
Option Definition
The value is set according to best practice.
The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing.
No value has been set. The value has not been changed from the default. Check the value before continuing.
Option Definition
ePO Extensions
Download the McAfee ePolicy Orchestrator extensions for McAfee Gateway products, including McAfee Email Gateway. The file MEGv7.x_ePOextensions.zip contains both the EWG and the MEG McAfee ePolicy Orchestrator extensions.
The EWG extension allows reporting from within McAfee ePolicy Orchestrator for the following products:
McAfee Email and Web Security appliances
McAfee Web Gateway appliances
McAfee Email Gateway appliances
The MEG Extension provides full McAfee ePolicy Orchestrator management for McAfee Email Gateway versions 7.0 onwards.
For you to use McAfee ePolicy Orchestrator for either reporting or management, the McAfee ePolicy Orchestrator Extensions need to be installed on your McAfee ePolicy Orchestrator server.
ePO Help Extensions
Import ePO connection settings
Click to browse to the McAfee ePolicy Orchestrator connection settings file, to import the McAfee ePolicy Orchestrator connection information into the appliance.
From your McAfee Email Gateway, on Settings for ePO Management, select ePO Extensions and click Save to download the extension file.
From your McAfee Email Gateway, on Settings for ePO Management, select ePO Help Extensions and click Save to download the help extension file.
On your McAfee ePolicy Orchestrator server, install these extensions using Menu | Software | Extensions | Install Extensions.
On the McAfee ePolicy Orchestrator server, save the connection settings from Menu | Gateway Protection | Email and Web Gateway | Actions | Export Connection Settings.
On the McAfee Email Gateway, return to the Settings for ePO Management page in the Setup Wizard, and click Import ePO connection settings. Browse to the McAfee ePolicy Orchestrator connection settings file.
Click Next to continue to the Basic Settings page in the Setup Wizard.
Option Definition
Cluster mode
Device Name
Domain Name
Default Gateway (IPv4)
Specifies an IPv4 address, such as 198.168.10.1. You can test later that the appliance can communicate with this server.
Next Hop Router (IPv6)
Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1.
Network Interface
Becomes available when you set the Next Hop Router for IPv6.
Option Definition
<mode>
The operating mode that you set during installation or in the Setup Wizard.
Network Interface 1
Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU.
Network Interface 2
Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU.
Change Network Settings
Click to open the Network Interface Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and change the chosen operating mode.
Option Definition
Address to use for load balancing
Specifies the appliance address. Provides a list of all subnets assigned to the appliance.
Cluster identifier
Specifies an identifier. Range is 0-255.
Enable scanning on this appliance
If not selected, this appliance distributes all scanning workload to the scanning appliances.
Option Definition
Cluster mode
Defines the options that appear on the Cluster Management page of the Setup Wizard.
Off: This is a standard appliance.
Cluster Scanner: The appliance receives its scanning workload from a master appliance.
Cluster Master: The appliance controls the scanning workload for several other appliances.
Cluster Failover: If the master fails, this appliance controls the scanning workload instead.
Device name
Domain name
Default Gateway
Specifies an IPv4 address, such as 198.168.10.1. You can test later that the appliance can communicate with this server.
Network Interface
Becomes available when you set the Next Hop Router for IPv6.
Select management port
Specifies the port that manages the gateway. By default, McAfee Email Gateway uses port 10443.
Click to see the <?> associated with LAN1, LAN2, and the out of band interface.
Option Definition
Address to use for load balancing
Specifies the appliance address. Provides a list of all subnets assigned to the appliance.
Cluster identifier
If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is 0-255.
Enable scanning on this appliance
If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning.
Option
Definition
Server Address
Displays the IP addresses of the DNS servers. The first server in the list must be your
fastest or most reliable server. If the first server cannot resolve the request, the
appliance contacts the second server. If no servers in the list can resolve the request,
the appliance forwards the request to the DNS root name servers on the Internet.
If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a
local device that provides name resolution.
New Server / Delete Selected Servers
Adds a new server to the list, or removes one when, for example, you need to
decommission a server due to network changes.
Only send queries to these servers
Selected by default. McAfee recommends that you leave this option selected because it
might speed up DNS queries, as the appliance sends the queries to the specified DNS
servers only. If they don't know the address, they go to the root DNS servers on the
Internet. When they get a reply, the appliance receives it and caches the response so
that other servers that query that DNS server can get an answer more quickly.
If you deselect this option, the appliance first tries to resolve the requests itself, or might
query DNS servers outside your network.
Routing Settings
Option
Definition
Network Address
Mask
Specifies the network mask, which determines how many hosts are on your network, for
example, 255.255.255.0.
Gateway
Specifies the IP address of the router used as the next hop out of the network. The
address 0.0.0.0 (IPv4), or :: (IPv6) means that the router has no default gateway.
Metric
Specifies the preference given to the route. A low number indicates a high
preference for that route.
New Route / Delete Selected Routes
Add a new route to the table, or remove routes. Use the arrows to move routes up
and down the list. The routes are chosen based on their metric value.
Enable dynamic routing
Use this option in transparent router mode only. When enabled, the appliance can:
receive routing information broadcast over RIP (the default) and apply it to its
routing table, so you don't have to duplicate on the appliance routing information
that is already present in the network.
broadcast over RIP the routing information for static routes that have been configured
through the user interface.
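Route selection as the Routing Settings table describes it (the most specific matching network wins, and among equally specific routes the lowest metric is preferred), as an added Python example; this is not code from the appliance or its documentation. The routing table values are constructed, and `usable_hosts` is an added helper that shows what the Mask column says about the size of a network.

```python
import ipaddress

# Constructed routing table in the shape of the Routing Settings page
# (Network Address, Mask, Gateway, Metric). 0.0.0.0 with mask 0.0.0.0 is the default route.
ROUTES = [
    {"network": "0.0.0.0", "mask": "0.0.0.0", "gateway": "10.0.0.1", "metric": 10},
    {"network": "10.1.0.0", "mask": "255.255.0.0", "gateway": "10.0.0.2", "metric": 5},
    {"network": "10.1.2.0", "mask": "255.255.255.0", "gateway": "10.0.0.3", "metric": 20},
    {"network": "10.1.2.0", "mask": "255.255.255.0", "gateway": "10.0.0.4", "metric": 1},
]


def as_network(route):
    """Combine the Network Address and Mask columns into one network object."""
    return ipaddress.ip_network(f"{route['network']}/{route['mask']}", strict=False)


def usable_hosts(mask):
    """Host addresses a mask leaves room for (added helper; /31 and /32 follow RFC 3021 usage)."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    host_bits = 32 - prefix
    return 2 ** host_bits if host_bits <= 1 else 2 ** host_bits - 2


def select_route(destination, routes=ROUTES):
    """Pick the route for a destination: the most specific network wins, and among
    equally specific networks the lowest metric (highest preference) wins."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in routes if ip in as_network(r)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-as_network(r).prefixlen, r["metric"]))


def next_hop(route):
    """Gateway for the route, or None when the page's 'no default gateway' value
    (0.0.0.0 for IPv4, :: for IPv6) is set and the route is used directly."""
    if route is None:
        return None
    gateway = ipaddress.ip_address(route["gateway"])
    return None if gateway.is_unspecified else str(gateway)


if __name__ == "__main__":
    for dest in ("10.1.2.77", "10.1.9.9", "192.0.2.1"):
        print(dest, "->", next_hop(select_route(dest)))
```

Two routes for 10.1.2.0/24 with different metrics illustrate the page's point that the metric only decides between routes of equal specificity; the /16 route never beats a matching /24 regardless of its metric.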
Option
Definition
Domain Name / Network Address / MX Record
Displays the domain names, wildcard domain names, network addresses, and MX
lookups from which the appliance will accept or refuse email.
Type
Domain name, for example, example.dom. The appliance uses this to compare the
recipient's email address and to compare the connection against an A record lookup.
Network Address, for example, 192.168.0.2/32 or 192.168.0.0/24. The appliance uses
this to compare the recipient's IP literal email address such as user@[192.168.0.2], or
the connection.
MX Record Lookup, for example, example.dom. The appliance uses this to compare the
connection against an MX record lookup.
Wildcard domain name, for example, *.example.dom. The appliance only uses this
information to compare the recipient's email address.
Option
Definition
Category
Add Domain
Click to specify the domains that can relay messages through the appliance to the
recipient. Choose from:
Local domain - these are the domains or networks for which email is accepted for
delivery. For convenience, you can import a list of your local domain names using the
Import Lists and Export Lists options. McAfee recommends that you add all domains or
networks that are allowed to relay messages as local domains.
Permitted domain - email is accepted. Use permitted domains to manage exceptions.
Denied domain - email is refused. Use denied domains to manage exceptions.
Hold your mouse cursor over the field to see the recommended format.
Ensure that you define at least one local domain, as well as the domains from which you
want to permit email relaying and those from which you want to deny email relaying. Defining a
domain as a Permitted domain ensures that email traffic from that domain is always allowed
to be relayed.
Add MX Lookup
Click to specify a domain that the appliance will use to identify all mail server IP
addresses from which it will deliver messages.
Delete Selected Items
Remove the selected item from the table. You must apply the changes before the item
is completely removed from the appliance configuration.
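How the four entry types (domain name, network address, MX record lookup, wildcard domain name) and the three categories (local, permitted, denied) combine into an accept or refuse decision for a relay attempt, as an added Python example; it is not the appliance's own code. DNS answers are a constructed table rather than live lookups, the precedence between categories is an assumption stated in `relay_decision`, and wildcards are assumed to cover subdomains only.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed stand-in for DNS answers (name -> A addresses, domain -> MX hosts).
A_RECORDS = {
    "example.dom": ["192.0.2.10"],
    "mx1.example.dom": ["192.0.2.25"],
    "mx2.example.dom": ["192.0.2.26"],
    "partner.test": ["198.51.100.7"],
}
MX_RECORDS = {"example.dom": ["mx1.example.dom", "mx2.example.dom"]}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Rule:
    kind: str      # "domain", "network", "wildcard" or "mx": the Type column
    value: str     # example.dom, 192.168.0.0/24, *.example.dom, ...
    category: str  # "local", "permitted" or "denied": the Category column


def recipient_domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def recipient_ip_literal(address: str) -> Optional[IPAddress]:
    """user@[192.168.0.2] -> 192.168.0.2; None for an ordinary domain recipient."""
    m = re.fullmatch(r"[^@]+@\[([^\]]+)\]", address)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def rule_matches(rule: Rule, recipient: str, conn_ip: IPAddress) -> bool:
    dom = recipient_domain(recipient)
    if rule.kind == "domain":
        # Compared against the recipient's domain and, via an A lookup, the connection.
        name = rule.value.lower()
        return dom == name or str(conn_ip) in A_RECORDS.get(name, [])
    if rule.kind == "wildcard":
        # Only the recipient address is compared; assumed to cover subdomains only.
        suffix = rule.value.lower().lstrip("*")      # "*.example.dom" -> ".example.dom"
        return dom.endswith(suffix)
    if rule.kind == "network":
        net = ipaddress.ip_network(rule.value, strict=False)
        literal = recipient_ip_literal(recipient)
        return (literal is not None and literal in net) or conn_ip in net
    if rule.kind == "mx":
        # The connection is compared against the addresses of the domain's MX hosts.
        hosts = MX_RECORDS.get(rule.value.lower(), [])
        return any(str(conn_ip) in A_RECORDS.get(h, []) for h in hosts)
    raise ValueError(f"unknown rule type {rule.kind!r}")


def relay_decision(rules, recipient: str, conn_ip: str) -> str:
    """'accept' or 'refuse'. Precedence is an assumption: a Permitted match always
    relays (as the page states), a Denied match refuses, a Local match accepts,
    and anything unmatched is refused so the gateway is not an open relay."""
    conn = ipaddress.ip_address(conn_ip)
    hit = {r.category for r in rules if rule_matches(r, recipient, conn)}
    if "permitted" in hit:
        return "accept"
    if "denied" in hit:
        return "refuse"
    return "accept" if "local" in hit else "refuse"


# Constructed rule table in the shape of the Add Domain / Add MX Lookup entries.
RULES = [
    Rule("domain", "example.dom", "local"),
    Rule("wildcard", "*.example.dom", "local"),
    Rule("mx", "example.dom", "local"),
    Rule("network", "192.168.0.0/24", "permitted"),
    Rule("domain", "partner.test", "denied"),
]
```

The unmatched case is the one to get right: a recipient domain that matches nothing must be refused, otherwise every entry you forget to add becomes an open relay path.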
Domain Routing
After you complete the Setup Wizard, you can manage the domains from Email | Email Configuration |
Sending Email.
Option
Definition
Domain
Type
Domain name, for example, example.dom. The appliance uses this to compare the
recipient's email address and to compare the connection against an A record lookup.
Network Address, for example, 192.168.0.2/32 or 192.168.0.0/24. The appliance
uses this to compare the recipient's IP literal email address such as
user@[192.168.0.2], or the connection.
MX record lookup, for example, example.dom. The appliance uses this to compare the
connection against an MX record lookup.
Wildcard domain name, for example, *.example.dom. The appliance only uses this
information to compare the recipient's email address.
Relay List/MX Record
Displays either the Relay List or the MX record for the selected domain.
Option
Definition
Click to populate the Known domains and relay hosts table with a list of host
names or IP addresses for delivery. Delivery will be attempted in the order specified
unless you select the Round-robin the above hosts option, which distributes the
load between the specified hosts.
Host names/IP addresses may include a port number.
Add MX Lookup
Click to populate the Known domains and relay hosts table with an MX record
lookup to determine the IP addresses for delivery.
Delivery will be attempted to host names returned by the MX lookup in the order of
priority given by the DNS server.
Delete Selected Items
Remove the selected item from the table. You must apply the changes before the item
is completely removed from the appliance configuration.
Enable DNS lookup for domains not listed above
If selected, the appliance uses DNS to route email for other, unspecified domains.
DNS delivery attempts an MX-record lookup. If there are no MX records, it does an
A-record lookup.
If you deselect this checkbox, the appliance delivers email only to the domains that are
specified under Known domains and relay hosts.
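The delivery choices the table above describes, worked through in an added Python example (not the appliance's code): an explicit relay list tried in order or round-robin, host entries that may carry a port, an MX lookup ordered by the preference the DNS server returned, and the fall-back to an A record when a domain has no MX records. The DNS answers and the Known domains and relay hosts table are constructed data; rotating the round-robin list by an explicit `attempt` counter is an assumption that stands in for the appliance's own bookkeeping.

```python
from typing import List, Tuple

# Constructed DNS stand-in: MX records as (preference, host) in the order the
# server returned them, plus A records for the hosts.
MX_RECORDS = {
    "example.dom": [(20, "mx2.example.dom"), (10, "mx1.example.dom"), (10, "mx1b.example.dom")],
}
A_RECORDS = {
    "mx1.example.dom": "192.0.2.25",
    "mx1b.example.dom": "192.0.2.27",
    "mx2.example.dom": "192.0.2.26",
    "nomx.test": "203.0.113.9",
}

# Constructed "Known domains and relay hosts" table: either an explicit relay
# list (optionally round-robin) or an MX lookup for the domain.
KNOWN_DOMAINS = {
    "corp.example.dom": {"relay": ["relay.partner.test:2525", "[2001:db8::25]:25", "198.51.100.8"],
                         "round_robin": True},
    "example.dom": {"mx": "example.dom"},
}
SMTP_PORT = 25


def parse_host(spec: str, default_port: int = SMTP_PORT) -> Tuple[str, int]:
    """host, host:port or [ipv6]:port -> (host, port). A bare IPv6 address needs brackets."""
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else default_port
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, default_port


def mx_delivery_order(domain: str) -> List[str]:
    """Hosts in MX preference order (lowest value first, DNS order kept for ties);
    with no MX records, fall back to the domain's own A record."""
    records = MX_RECORDS.get(domain)
    if records:
        return [host for _, host in sorted(records, key=lambda r: r[0])]
    return [domain] if domain in A_RECORDS else []


def delivery_targets(domain: str, attempt: int = 0, dns_fallback: bool = True) -> List[Tuple[str, int]]:
    """Ordered (host, port) list to try for a recipient domain. `attempt` rotates a
    round-robin relay list so successive deliveries start at different hosts."""
    entry = KNOWN_DOMAINS.get(domain.lower())
    if entry is None:
        # 'Enable DNS lookup for domains not listed above' deselected: no route at all.
        if not dns_fallback:
            return []
        return [(h, SMTP_PORT) for h in mx_delivery_order(domain.lower())]
    if "mx" in entry:
        return [(h, SMTP_PORT) for h in mx_delivery_order(entry["mx"])]
    hosts = [parse_host(h) for h in entry["relay"]]
    if entry.get("round_robin") and hosts:
        k = attempt % len(hosts)
        hosts = hosts[k:] + hosts[:k]
    return hosts
```

With the DNS fall-back disabled, a domain that is not in the table gets an empty target list, which is the behaviour to expect when the checkbox is cleared and a domain was never added.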
Option
Definition
Appliance Time Zone
Specifies the time zone of the appliance. You might need to set this twice each year
if your region observes daylight saving time.
Appliance Time (UTC)
Specifies the date and UTC time for the appliance. To select the date, click the
calendar icon. You can determine the UTC time from websites such as
http://www.worldtimeserver.com.
Set Now
When clicked, applies the date and UTC time that you specified in this row.
Client Time
Displays the time according to the client computer from which your browser is
currently connected to the appliance.
Synchronize appliance with client
When selected, the time in the Appliance Time (UTC) immediately takes its value from
Client Time. You can use this checkbox as an alternative to manually setting Appliance
Time (UTC). The appliance calculates the UTC time based on the time zone that it finds
on the client's browser.
Ensure that the client computer is aware of any daylight saving adjustments. To find
the setting on Microsoft Windows, right-click the time display in the bottom right
corner of the screen.
Enable NTP
When selected, accepts NTP messages from network broadcasts only. This method
is useful on a busy network but must trust other devices in the network.
When deselected, accepts NTP messages only from servers specified in the list.
NTP Server
Displays the network address or a domain name of one or more NTP servers that
the appliance uses. For example, time.nist.gov.
If you specify several servers, the appliance examines each NTP message in turn to
determine the correct time.
New Server
Option
Definition
User ID
Current Password
When you first log on to the interface, type the user name, admin, and the password that you gave on
the Password page.
Table 5-59 Basic settings
Option
Definition
The value is set according to best practice.
The value is probably not correct. Although the value is valid, it is not set according to best
practice. Check the value before continuing.
No value has been set. The value has not been changed from the default. Check the value
before continuing.
Troubleshoot
This topic provides an overview of the features within the McAfee Email Gateway that assist you in
troubleshooting the appliance.
If you are experiencing problems, read the troubleshooting section, which answers some frequently
asked questions. The appliance includes many diagnostic tools for identifying problems.
The Resources link at the top of the window provides links to the following information:
Contacting support.
Submitting a sample.
Additional resources, including links to a list of McAfee addresses and to the SNMP MIB definitions.
Contents
Troubleshooting Tools
Troubleshooting Reports
Tests
Troubleshooting Tools
Use these topics to learn about the troubleshooting tools included within the appliance.
Troubleshoot | Tools
Contents
Ping and Trace Route
Generate Test Email
System Load
Route Information
Disk Space
Hardware Status
FIPS Status
ATD
Ping and Trace Route
Option
Definition
When selected, uses IPv6 protocol. When not selected, uses IPv4 protocol.
Ping Target
When clicked, sends the request and provides information about the packets.
Trace Route
When clicked, sends the request and provides information about the route taken.
Generate Test Email
Option
Definition
Recipient address
Type the name of the mailbox that you want to receive the test notification message.
Subject
Type the subject line that you want to appear in the test notification message.
Generate
Click to send the test notification message to the mailbox you specified.
System Load
Use this page to display information about the processor's state.
Option
Definition
Pause
When clicked, stops the information being updated. Click Resume to return to normal
updating.
Uptime Info
Load Averages
Displays the load averages, which are the average number of processes that are
ready to run during the last 1, 5 and 15 minutes.
CPU
Displays the percentage of CPU time in user mode, system mode, and idle. (Niced
tasks are only those whose nice value is positive.) Time spent in niced tasks is
included in system and user time, so the total will be more than 100%.
Processes
Displays the total number of processes running at the time of the last update, and
shows the components of the total as processes that are running, sleeping, stopped,
or undead (zombie).
Memory
Displays statistics on memory usage, including total available memory, free memory,
used memory, shared memory, and memory used for buffers.
Swap
Displays statistics on swap space, including total swap space, available swap space,
and used swap space.
Route Information
Use this page to see information about routes used to access certain networks and hosts.
Routes used to access hosts that have recently received IP packets from the appliance. This host
information is stored in the appliance's local cache.
The information might take a few minutes to display. The information is similar to that from the Linux
route command.
Table 6-3 Option definitions
Option
Definition
Display Routing Cache
When selected, can provide address information that the appliance derives from
conversations with other devices. Click Refresh to see the information.
Use Numeric Addresses
When selected, can provide IP addresses instead of domain names in the Source,
Destination and Gateway columns. Click Refresh to see the information.
Refresh
When clicked, provides the information requested by the settings of Display Routing
Cache and Use Numeric Addresses.
Destination
Displays the network where IP packets are sent for this route. A destination of
0.0.0.0 means that the default route, specified by the Setup Wizard, is used.
Gateway or Next Hop
Displays the IP address of the router used as the next hop out of the network. The
address 0.0.0.0 means that the route has no default gateway.
Genmask
Flags
Metric
Displays the preference given to the route. A low number indicates a high preference
for that route.
Ref
Use
Displays the number of times that the appliance recently selected the route.
Interface
Disk Space
Use this page to see how disk space is being used.
Option
Definition
Mounted on
Displays the name of each directory. Click a name to open another window, then
click the arrows next to more names to see the size of the subdirectories.
Size to Percentage used
Displays information about each main directory. Percentages are rounded to the
nearest whole number.
Hardware Status
Use this page to find out more about hardware-related issues (or potential issues) highlighted on the
Hardware Summary portlet on the Dashboard.
The data used to provide hardware information on this page is refreshed every 10 minutes. However,
it can take some time for the hardware to report its hardware status to the user interface. To be sure
that the latest information is being displayed within this page, reload the page if it has been displayed
for some time.
Table 6-5 Option definitions
Option
Definition
Temperature
Voltage
Cooling
Provides the status and current fan speed for the components in the cooling system
within the hardware.
Power Supplies
Displays information about the power supplies within the hardware.
Other Modules
Provides information on other modules included within your hardware. These can
include intrusion detection information, as well as information about memory usage
within the hardware.
Hard Disks
For appliances and blade servers that include RAID systems, and depending on the type
of the RAID controller and the hard disk drives, the status of each logical volume, as
well as the status, serial number and location of each hard disk drive might be reported.
FIPS Status
Find out about FIPS 140-2 compliance issues highlighted on the System Summary portlet on the Dashboard.
ATD
When instructed to do so by your McAfee Support representative, use the controls on this page to
clear the McAfee Advanced Threat Defense cache on your McAfee Email Gateway appliance.
Table 6-6 Option definitions
Option
Definition
Refresh
Ensure that the interface is displaying the up-to-date information about the status of the
McAfee Advanced Threat Defense cache.
Clear cache
Remove all cached information relating to your McAfee Advanced Threat Defense servers.
Clearing the contents of the McAfee Advanced Threat Defense cache can lead to duplicate
scans being triggered.
The ATD cache on Email Gateway includes details about the ATD server name and the job
ID. If you clear the ATD cache, MEG no longer has the information needed to download the
ATD report.
Troubleshooting Reports
Use these topics to learn about the troubleshooting reports included within the appliance.
Troubleshoot | Reports
Contents
Minimum Escalation Report
Capture Network Traffic
Save Email Queues
Save Log Files
Error Reporting Tool
Minimum Escalation Report
Option
Definition
When selected, includes certificates and keys in the Minimum Escalation Report.
The TLS certificates and private keys are not encrypted when stored in
the Minimum Escalation Report.
The Email Hybrid private key is not encrypted when stored in the Minimum
Escalation Report.
When selected, runs the network tests and includes the results in the
Minimum Escalation Report.
When selected, includes the appliance logs within the Minimum Escalation
Report.
When selected, includes the system logs within the Minimum Escalation Report.
When selected, includes any SMTP dump files in the Minimum Escalation
Report.
When selected, includes the Mail Transfer Agent database in the Minimum
Escalation Report.
When selected, includes the logs for the SMTP conversations in the
Minimum Escalation Report.
When selected, ensures that any credentials are not included within the
Minimum Escalation Report. This setting is enabled by default.
Generate report
When clicked, allows you to view the information as several .html files on
the appliance, or save the information as a .zip file.
The file name includes the date and time.
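What the option that keeps credentials out of the report protects against, as an added Python illustration that is not the appliance's own report code: a checker and scrubber for the kinds of secrets the table says a report can carry in clear (TLS private keys in PEM form, password fields, HTTP Basic credentials inside SMTP or web conversation logs), run over a constructed sample. The patterns and the sample text are assumptions; the point is to be able to verify a bundle before it leaves your organisation.

```python
import re
from typing import List

# Private key material in PEM form, whatever the key type.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)
# "name = value" / "name: value" lines whose name looks like a secret (assumed naming).
SECRET_FIELD = re.compile(
    r"(?im)^(\s*[\w.-]*(?:password|passwd|passphrase|secret)[\w.-]*\s*[=:]\s*)(\S+)")
# HTTP Basic credentials captured in a conversation log.
BASIC_AUTH = re.compile(r"(?i)(authorization:\s*basic\s+)[A-Za-z0-9+/=]+")
REDACTED = "[REDACTED]"


def find_credentials(text: str) -> List[str]:
    """Name what would leak, so a report can be checked before it is sent."""
    findings = []
    if PEM_PRIVATE_KEY.search(text):
        findings.append("pem-private-key")
    for m in SECRET_FIELD.finditer(text):
        if m.group(2) != REDACTED:
            findings.append("field:" + m.group(1).strip().rstrip("=: ").strip())
    if BASIC_AUTH.search(text):
        findings.append("basic-auth")
    return findings


def scrub(text: str) -> str:
    """Drop key blocks and replace secret values; certificates and ordinary settings stay."""
    text = PEM_PRIVATE_KEY.sub("-----PRIVATE KEY REMOVED-----", text)
    text = SECRET_FIELD.sub(lambda m: m.group(1) + REDACTED, text)
    text = BASIC_AUTH.sub(lambda m: m.group(1) + REDACTED, text)
    return text


# Constructed sample of the kind of text a support bundle can contain
# (placeholder values only; the key body is not a real key).
SAMPLE = """\
hostname = meg.example.test
smtp_auth_password = hunter2
ldap_bind_dn = cn=admin,dc=example,dc=test
Authorization: Basic dXNlcjpwYXNz
tls_cert = -----BEGIN CERTIFICATE-----
MIIBconstructedcertbody
-----END CERTIFICATE-----
tls_key = -----BEGIN RSA PRIVATE KEY-----
MIIEconstructedplaceholder
-----END RSA PRIVATE KEY-----
"""
```

Running `find_credentials` on the scrubbed text returning an empty list is the check worth keeping in a hand-off procedure: the certificate and the LDAP bind DN survive because support needs them, while the key, the password and the Basic token do not.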
Capture Network Traffic
The output file is a gzip-compressed tcpdump capture file. You can analyze the output with a tool such
as Wireshark or WinDump.
Option
Definition
Everything
Selected Protocols
When selected, collects only information about TCP packets that are from or to a
port corresponding to the selected protocols.
The file can become large, therefore do not collect from more protocols than you
need.
Duration of capture
Maximum size of output file
Generate report
When clicked, begins capturing information about network traffic. While data is
collected, a new window shows the progress. To hide the window, click Close. To
reopen the window, click Display Current Progress.
When clicked, allows you to view the information as several files on the
appliance, or save the information as a zipped tar file.
The file name includes the date and time.
Save Email Queues
The items are saved to a .ZIP file, which can take a few minutes to produce. To view the lists of email
queues on the appliance, select Reports | Message search on the navigation bar.
Option
Definition
Quarantine viruses to MQM deferred
Generate report
If you select Quarantine viruses, Quarantine queue or MQM deferred, the report may
contain infected files.
While data is collected, the status window shows the progress.
Depending on the number and size of the email messages within the email
queues, this file may be very large.
When clicked, allows you to save the report containing the email messages
within the selected email queues to your local computer.
The file name includes the date and time.
Save Log Files
Option
Definition
Date ranges
Specifies the maximum size of the file when backing up the logs.
Default value is 30MB.
The output file is a collection of compressed files, containing information about
system activity, performance history, web server activity, and version numbers. For
more information about performance history, specify a large file size.
Backup Logs
When clicked, collects all the appliance's log settings into a file, and allows you to
download the file.
You can safely store configuration details about the appliance offline, and restore
that information later if the original appliance fails. The system configuration files
are saved to a ZIP file.
Option
Definition
From the drop-down list, select the log file that you want to view.
System log - this shows the contents of the system log stored at /var/log/messages.
Mail log - with on-box syslog enabled, this shows the contents of the mail log stored
at /var/log/mail. With off-box syslog enabled, this log is empty.
UI error log - this shows the log file of the web server that is hosting the
appliance user interface.
When selected, the displayed logs are updated as new entries are recorded by
the appliance.
Get Logs
Click to display the selected logging information using the selected options.
Click to stop displaying the log files. The current screen is retained, but no
further updates are shown until you select a further action.
Click this link to move to the System | Logging, Alerting and SNMP | System Log Settings
page, where you can configure your system logging options.
Error Reporting Tool
Option
Definition
When the appliance encounters an error, selecting Add content data will allow
the appliance to store information about the data that was being handled
by the appliance at the time of the error.
This can greatly assist McAfee in diagnosing the problem.
Event lifetime
The number of days that the appliance will store events for, if an error is
detected.
Tests
Use these topics to learn about the troubleshooting tests that you can carry out from the appliance.
Troubleshoot | Tests
Option
Definition
Start Tests
Stop Tests
Stops the tests. Any test that has already started runs to completion.
Gateway tests
Ping the gateway. States whether the gateway can be pinged for every static route.
Ping by itself is not a reliable test of connections, because some devices might be
configured to ignore ping requests. However, even if the ping test fails, the
gateway must always appear in the ARP routing table.
Look for the gateway in the ARP table. States whether the gateway is listed in the ARP
routing table.
Ping the DNS server. States whether the appliance can contact the DNS servers.
Query the DNS server for the external address www.mcafee.com. States whether each DNS
server can resolve the address www.mcafee.com into the correct set of IP
addresses.
Time Synchronization status with server <servername>. Displays the status of each NTP server
that you have configured.
Off-box syslog servers tests
Ping UDP syslog server <servername>. Checks that the UDP syslog server is responding.
Check connectivity to TCP syslog server <servername>. Checks for connectivity to the TCP
syslog server.
MQM server test
Check if the MQM server is available. Sends a health check request to the McAfee
Quarantine Manager (MQM) server.
Query the appliance domain name and Query the appliance address. States whether each DNS
server can find the appliance, given its domain address and its fully qualified
domain name.
Check for McAfee GTI file reputation connectivity. Confirms that the servers can be accessed
using a test sample.
Query the McAfee GTI feedback server. States whether the appliance can contact the
McAfee GTI feedback server.
Sender Authentication Servers tests
Query the McAfee GTI message reputation lookup server. States whether the appliance can
contact the server.
Query the RBL server/Test the RBL server. If you have defined an RBL server, the appliance
checks that:
A name server record exists for the RBL domain name.
An A (address) record for 2.0.0.127@RBL_DOMAIN exists.
Most RBL servers use the address 127.0.0.2 for testing.
The appliance performs a static query against the servers and tests the
connection.
LDAP Servers test
Check for connectivity to LDAP server. States whether the appliance can connect to the
LDAP server.
Connect to the web service. Verifies that the appliance can connect to the McAfee SaaS
web service.
Component Updates tests
Talk to the AV update ftp server. Checks that the ftp anti-virus update site can be
accessed.
Connect to the anti-spam cloud lookup service. Verifies that the appliance can connect to
the McAfee anti-spam cloud service.
Talk to the AV update http server. Checks that the anti-virus update http site can be
accessed.
Talk to the Commtouch Command update server. Checks that the Commtouch Command
update site can be accessed.
Talk to the SPAM update server. Checks that the anti-spam update sites can be accessed.
(Only available when email is scanned.)
ePO tests
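The DNS-related checks from the Tests table (the RBL name server and test-address records, and comparing a server's answer against the expected set of addresses), together with the ordered server list with fail-over that the DNS settings page describes, as one added Python example that is not the appliance's test code. The zone data and the expected addresses are constructed (a placeholder name stands in for the external address the appliance queries); the reversed-octet form `2.0.0.127.<rbl domain>` is the conventional DNSBL query for the 127.0.0.2 test address and is assumed to be what the page's `2.0.0.127@RBL_DOMAIN` denotes.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data standing in for real DNS answers: (name, type) -> answers.
ZONE = {
    ("rbl.test", "NS"): ["ns1.rbl.test"],
    ("2.0.0.127.rbl.test", "A"): ["127.0.0.2"],
    ("www.example.test", "A"): ["192.0.2.80", "192.0.2.81"],
}
EXPECTED_WWW = ["192.0.2.80", "192.0.2.81"]  # the "correct set" the test compares against

Resolver = Callable[[str, str], List[str]]


def lookup(name: str, rtype: str, zone: Dict = ZONE) -> List[str]:
    return list(zone.get((name.lower(), rtype.upper()), []))


def reverse_ip(ip: str) -> str:
    """127.0.0.2 -> 2.0.0.127, the label order DNSBLs are queried in."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets))


def rbl_test_name(rbl_domain: str, test_ip: str = "127.0.0.2") -> str:
    return f"{reverse_ip(test_ip)}.{rbl_domain.strip('.')}"


def check_rbl(rbl_domain: str, resolver: Resolver = lookup) -> Dict[str, bool]:
    """The two RBL checks from the Tests page: an NS record for the RBL domain, and
    an A record for the reversed 127.0.0.2 test address under that domain."""
    return {
        "ns_record": bool(resolver(rbl_domain, "NS")),
        "test_address": bool(resolver(rbl_test_name(rbl_domain), "A")),
    }


def check_dns_server(answer: List[str], expected: List[str]) -> bool:
    """'Resolves into the correct set of IP addresses': order does not matter, content does."""
    return set(answer) == set(expected)


def resolve_with_failover(servers: List[Resolver], name: str, rtype: str = "A") -> Tuple[Optional[int], List[str]]:
    """Try the configured servers in list order, as the DNS settings page describes:
    an unreachable server is skipped, the first one that answers wins, and
    (None, []) means none could resolve it (the appliance would then go to the roots)."""
    for index, server in enumerate(servers):
        try:
            answers = server(name, rtype)
        except OSError:  # timeout or unreachable
            continue
        if answers:
            return index, answers
    return None, []


def dead_server(name: str, rtype: str) -> List[str]:
    """Constructed server that never answers, to exercise the fail-over path."""
    raise OSError("timed out")
```

A DNS server that answers with a subset of the expected addresses fails `check_dns_server`, which is the right outcome: a partial answer usually means a stale or split view of the zone rather than a healthy resolver.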
This topic provides an overview of the integration of McAfee Email Gateway appliances with McAfee
ePolicy Orchestrator.
Contents
How appliances work with ePolicy Orchestrator
Differences in Email Gateway appliance administration under ePolicy Orchestrator
Configuring your appliance for ePolicy Orchestrator management
Managing your appliances from within ePolicy Orchestrator
Task Upgrade from Email Gateway 7.6.2 or higher appliances managed by McAfee ePolicy
Orchestrator
Policy comparisons in ePolicy Orchestrator 5.1
the EWG 2.x extension that provides the monitoring and reporting capabilities for Email and Web
Security Appliances versions 5.5 and 5.6, McAfee Web Gateway and McAfee Email Gateway
products,
The MEG 7.6.2 extension that provides the method to push policy configuration from the ePolicy
Orchestrator server to your McAfee Email Gateway 7.6.2 appliances and blade servers.
In addition, you can also download the help extensions for each of these ePolicy Orchestrator
extensions. These are also available from the Resources link within the McAfee Email Gateway
appliance's user interface.
Working from within ePolicy Orchestrator, you can push configurations to all your "ePolicy
Orchestrator-enabled" appliances using the standard ePolicy Orchestrator workflow and features.
Further information about configuring your appliance for ePolicy Orchestrator management can be
found within the Setup Wizard | ePO Managed Setup help page.
Introduction
When McAfee ePolicy Orchestrator manages an Email Gateway appliance, there are some noticeable
differences in the available features and their behavior:
Data that is generated from "live" information for an Email Gateway appliance is not available in
ePolicy Orchestrator.
Some Email Gateway appliance features and options have different menu paths under ePolicy
Orchestrator.
The following tables provide a breakdown of the Email Gateway appliance 5.6 features that are not
part of ePolicy Orchestrator management, or are located in a different place in the interface.
The menu paths are those used in the Email Gateway appliance. The Troubleshooting tab available in Email
Gateway appliance does not appear in ePolicy Orchestrator.
Table 7-1 Report information
Menu path
Description
Dashboard
Reports | Scheduled Reports
The Favorite report, and the Email Now, and Download reporting actions are
based on live information from the appliances, and are not available in
ePolicy Orchestrator.
Menu path
Description
Email | Email Configuration | Connection and Protocol Settings (POP3)
Email | Email Policies | Scanning Policies: Spam Settings - User Submitted Blacklists and Whitelists
User blacklists and whitelists contain live information, and are not
shown in ePolicy Orchestrator.
Spam rules are based on live information and are not shown in
ePolicy Orchestrator. However, you can manually exclude
individual rules by name from ePolicy Orchestrator.
Menu path
Description
Email | Quarantine Configuration | Quarantine Options
Email | Quarantine Configuration | Quarantine Digest Options
Menu path
Description
System | Appliance Management | General
System | Appliance Management | Time and Date
System | Appliance Management | Remote Access
System | Appliance Management | UPS Settings
System | Appliance Management | Database Maintenance
System | Appliance Management | System Administration
System | Appliance Management | Default Server Settings
Menu path
Description
System | Certificate Management | Certificates | CA Certificates
System | Certificate Management | Certificates | TLS certificates and keys
System | Certificate Management | Certificates | Appliance HTTPS Certificate
System | Certificate Management | Certificate Revocation Lists (CRLs) | Installed CRLs
System | Certificate Management | Certificate Revocation Lists (CRLs) | CRL updates
System | Component Management
the ePolicy Orchestrator extensions to your ePolicy Orchestrator software, and import your ePolicy
Orchestrator configuration to your Email and Web security appliance.
To configure your Email Gateway appliance to allow it to be managed by ePolicy Orchestrator, you
need to import the configuration details from your ePolicy Orchestrator software.
In addition, you also need to install the Email Gateway extension, available from the Resources link
within the Email Gateway appliance's user interface, onto your ePolicy Orchestrator software.
To assist you with setting up your Email Gateway appliances for ePolicy Orchestrator management, the
Setup Wizard within Email Gateway appliances (System | Setup Wizard) includes a set of pages aimed
specifically at configuring your appliance to be managed by ePolicy Orchestrator.
If you have both your McAfee Email Gateway and your McAfee ePolicy Orchestrator software
configured to use a language other than English, when you register your McAfee Email Gateway within
McAfee ePolicy Orchestrator, the default locale for the Secure Web Mail Client and the default
language for all notifications will return to English. You must re-configure these to your required
language.
Within ePolicy Orchestrator, the configuration pages for your appliances can be found by browsing to
Menu | Gateway Protection and then selecting either Email Gateway or DLP and Compliance.
Management of your Email Gateway appliances follows the standard ePolicy Orchestrator workflows.
Refer to the McAfee ePolicy Orchestrator 4.5 Product Guide or McAfee ePolicy Orchestrator 4.6
Product Guide for further information.
Download the ePO Extensions and ePO Help Extensions from the Resources link
within the user interface of one of the upgraded appliances.
From within your McAfee ePO user interface, install the new versions of the
ePO Extensions and ePO Help Extensions.
Before you can upgrade to the latest version of Email Gateway, your existing appliance
must be running Email Gateway version 7.6.2 and be correctly configured and running.
This upgrade process automatically disconnects the appliance from being managed by
McAfee ePO.
The in-built Email Gateway migration tools migrate many of your existing Email Gateway settings for
you. However, some settings may need to be recreated.
Task
1
In McAfee ePO, click Policy Catalog and select the Email Gateway 7.6.2 or higher product.
Select the epo_config_<date_stamp>.xml file produced at the end of this process, and save the file.
From the Email Gateway Resources link, download the ePO Extensions and ePO Help Extensions files.
10 From McAfee ePO, install the ePO Extensions and ePO Help Extensions files.
11 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway 7.<x> product.
12 Click Import, and import the epo_config_<date_stamp>.xml you saved in step 8.
The policies and settings within the configuration file are migrated across to your McAfee ePO
server.
After you have imported the settings into Email Gateway managed by McAfee ePO, you need to
re-assign the migrated policies to the correct groups in the System Tree in McAfee ePO.
13 On McAfee ePO, navigate to Menu | Gateway Protection | Email and Web Gateway.
14 From Actions, select Export Connection Settings. Save the epoConfig<xxxxxxx>.zip file.
15 On your Email Gateway, navigate to System | Component Management | ePO, click Import ePO connection
settings. Browse to the epoConfig<xxxxxxx>.zip file, and click OK.
Your McAfee ePO configuration settings are imported into your Email Gateway appliance.
16 Select both Enable ePO management, and Allow configuration to be applied from ePO.
17 Apply changes within your Email Gateway.
Your upgraded appliance is again under McAfee ePO control.
If you had documents registered for Data Loss Prevention in your previous Email Gateway appliance,
the document fingerprints for these are copied to your new Email Gateway McAfee ePO installation.
If you chose to create a scheduled task to push your previous Email Gateway DLP database to the new
Email Gateway version, you will need to create an equivalent scheduled task to push the new Email
Gateway DLP database to your appliance.
This topic provides an overview of the integration of McAfee Email Gateway appliances with McAfee
Quarantine Manager.
Contents
About McAfee Quarantine Manager
How appliances work with McAfee Quarantine Manager
Understand the role of McAfee Quarantine Manager (MQM) in relation to your Email Gateway.
McAfee Quarantine Manager consolidates the quarantine and anti-spam management functionality of
multiple McAfee products, including Email Gateway. It provides a central point to analyze and act upon
emails and files that have been quarantined. These files can be quarantined because they have been
identified as containing spam, phish, viruses, potentially unwanted programs, or other undesirable
content. Integration with ePolicy Orchestrator provides centralized policy management and graphical
reporting.
While MQM is effective in managing unsolicited bulk email (spam), no anti-spam filter can detect all
spam that flows through a network, and some emails are occasionally misidentified.
MQM allows administrators and users to continuously tune their anti-spam products according to the
changing environments and increase the effectiveness of their spam filtering.
When McAfee Email Gateway and McAfee Quarantine Manager have been configured to work together,
the McAfee Email Gateway sends all quarantined email messages to McAfee Quarantine Manager for
secure storage.
If you get HTTP 413 errors when quarantining large email messages, you need to increase the value of
the Microsoft Internet Information Services (IIS) UploadReadAheadSize metabase property on the
McAfee Quarantine Manager server. In this situation, McAfee recommends that you change the
UploadReadAheadSize property to equal 200000KB. See
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7e0d74d3-ca01-4d36-8ac7-6b2ca03fd383.mspx?mfr=true
for further details.
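The HTTP 413 fix is applied on the IIS side of the McAfee Quarantine Manager server. The following PowerShell is an added example and not part of this guide or of the MQM product: it reads the current value, raises it, and verifies the change on an IIS 7 or later server using the WebAdministration module. The guide's linked article covers the IIS 6 metabase on Windows Server 2003, where the equivalent adsutil.vbs command is shown in the trailing comment. The site name 'Default Web Site', the w3svc/1 identifier and the conversion of 200000KB to 204800000 bytes are assumptions.

```powershell
# Added example (not from the McAfee guide): raise the IIS uploadReadAheadSize so that
# large quarantined messages posted by Email Gateway are not rejected with HTTP 413.
# Assumptions: IIS 7 or later with the WebAdministration module, and MQM hosted under
# "Default Web Site". The guide's 200000KB is taken as 200000 * 1024 = 204800000 bytes.
Import-Module WebAdministration

$SiteName    = 'Default Web Site'   # assumed site hosting McAfee Quarantine Manager
$TargetBytes = 200000 * 1024        # 204800000 bytes, the value the guide recommends
$PsPath      = "IIS:\Sites\$SiteName"
$Filter      = 'system.webServer/serverRuntime'
$Name        = 'uploadReadAheadSize'

# Record the current value before changing it (the IIS default is 49152 bytes).
$before = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name $Name
Write-Host "Current $Name for '$SiteName': $($before.Value) bytes"

# Apply the new value at site scope only, so other sites on the server keep the default.
Set-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name $Name -Value $TargetBytes

# Verify that the change took effect rather than assuming it did.
$after = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name $Name
if ([int64]$after.Value -ne $TargetBytes) {
    throw "$Name is $($after.Value) bytes, expected $TargetBytes"
}
Write-Host "$Name for '$SiteName' is now $($after.Value) bytes"

# IIS 6 on Windows Server 2003 (the metabase case the guide's link describes), run from cmd:
#   cscript %SystemDrive%\inetpub\AdminScripts\adsutil.vbs set w3svc/1/UploadReadAheadSize 204800000
# w3svc/1 is the assumed identifier of the default web site; list yours with:
#   cscript %SystemDrive%\inetpub\AdminScripts\adsutil.vbs enum w3svc
```

Scoping the property to the MQM site rather than the server root (MACHINE/WEBROOT/APPHOST) keeps the larger request buffer limited to the one application that needs it, since the value bounds how much of each request body IIS reads ahead before handing it to the application.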
See also
Option definitions: Quarantine Options page on page 402
Anti-Phish
Phish
Anti-Spam
Spam
Anti-Virus
Viruses
Anti-Virus (Packer)
Anti-Virus (PUP)
Compliance
Corrupt Content
Encrypted Content
Encryption Compliance
File Filtering
Mail Filtering
Mail Size
Signed Content
Directory Harvesting
Others
Image Filtering
Denial of Service
currently in all custom quarantine queues. A secondary list appears beside Custom Queues. You can
refine your search to any of the individual queues by selecting it from the secondary list. The results
show only messages quarantined in the selected custom queue.
See also
Custom quarantine queues on page 406
Create a custom quarantine queue on page 407
McAfee Content Security Reporter (Content Security Reporter) is a reporting software solution that
integrates within ePolicy Orchestrator to help you understand Internet and email usage within your
organization. Content Security Reporter can be configured to accept McAfee Email Gateway Syslog
data as an input source.
Contents
About Content Security Reporter
Benefits of using Content Security Reporter
Configure McAfee Email Gateway to send log data
Task Configure Content Security Reporter to receive Email Gateway data
Bandwidth overload
Liability exposure
Productivity loss
Security threats
Once identified, you can use this information to modify your policies and effectively enhance network
protection.
Number Description
1
Query Retrieves data from the database and defines how it is displayed.
Filter Limits the data set to specific user names, websites, and reputations.
5a
5b
Report Combines queries, filters, and other elements into PDF documents to provide
detailed information for analysis.
Further information
For further information about Content Security Reporter, see the latest version of the McAfee Content
Security Reporter Product Guide.
From Log events to the syslog for the following event types, select the types of events to be sent to Content
Security Reporter.
Type the IP address or host name for your Content Security Reporter server.
If using IPv6 addresses, check Use IPv6 protocol.
Type the port number for your Content Security Reporter server.
Index
.csv
download 81
A
about McAfee Quarantine Manager 573
about MQM 573
about this guide 9
actions
primary 138
secondary 138
Active Directory 396
Add Login Services wizard 461
Add Policy 156
Add rule
options 159
adding anti-virus engine 511
additional anti-virus engine
benefits 511
address pool
in virtual hosting 466
administrator roles
create 455
Advanced Threat Defense
benefits 181
configuring 190
including attachments 190
adware 172
Alert settings 296
alert tokens 479
alphabetically ordering lists 19
anti-phish policy 207
Anti-phish scanning
benefits of 225
Anti-Relay Settings 117
anti-spam
Advanced Options 211
anti-spam cloud lookup 211
anti-spam policy 207
anti-spam updates 512
anti-spyware
anti-virus settings 192
benefits 192
Anti-Spyware policy 192
anti-virus
customized settings 173
features 171
understanding policy for 172
Anti-Virus
Basic Options 174
Anti-virus DAT file
roll back 505
anti-virus engine
adding 511
Commtouch Command 511
enabling 511
anti-virus engine and database
updates 502
Anti-virus engines
disabling updates 505
Anti-Virus policy 171
anti-virus settings
anti-spyware 192
basic options 175
custom malware options 198
packers 195
anti-virus updates
using FTP 512, 513
using HTTP 511
appliance management 457
password settings 457
applying SPF checks to sub-policies 232
archive files
attachments 75
finding attachments 76
archived content
identifying 76
Artemis
see Global Threat Intelligence 175
attachment identification
archived content 76
attachments
archive files 75
finding messages containing 73
identifying 76
in archive files 76
Authentication
Passwords 460
B
backup configuration 434
backup server 431
basic options
anti-virus settings 175
Basic options
Anti-Virus 174
basic settings
secure web mail 351
Basic Settings
Custom Setup Wizard 521
Encryption Only Wizard 545
Restore from a File Setup Wizard 534
batv
benefits 125
behavior
documents and categories 335
benefits
Advanced Threat Defense 181
batv 125
blacklists and whitelists 214
bounce address tag validation 125
CAC 464
domain management 387
hybrid domain management 387
hybrid email scanning 384
McAfee Advanced Threat Defense 181
PGP 362, 379
PGP sending email 363, 380
Policy based actions 318
registering hybrid email scanning 384
scanning policies 146
Secure Web Mail 351
sending email 126
benefits of Configure Automatic Configuration Backups 444
Benefits of configuring McAfee Advanced Threat Defense
servers 475
benefits of data loss prevention 240
benefits of DLP 240
benefits of message search 61
benefits of policy exceptions 141
benefits of setting passwords
appliance management 457
benefits of using additional anti-virus engine 511
benefits of using hybrid email scanning 382
benefits, anti-spyware 192
blacklists and whitelists
benefits 214
blocked messages
retention limits 447
bounce address tag validation
benefits 125
bounced messages
retention limits 447
branding
secure web mail 367
Bubbleboy 174
C
CAC
benefits 464
CAC Management 464
certificates
PGP Encryption Key 362, 379
s/MIME with encryption 378
S/MIME with encryption 360
changes
making to appliance operation 17
ClickProtect 277
benefits 277
configuring 281
option definitions 279
cloud anti-virus protection 175
cluster configuration
IPv6 auto-configuration 420
summary 544
virtual network address 413, 529
cluster management
network interfaces 440
Cluster Management
ePO Managed Setup 541
load balancing 438
push configuration 436
review configuration changes 17
Setup Wizard 522, 535
Cluster Mode
Setup Wizard 521, 534
Common Access Card
enable 464
Common Event Format
extended syslog attributes 494
Commtouch Command anti-virus engine 511
community threat intelligence 175
complex terms 346
compliance 251, 332
Compliance
benefits of 251
Graymail 344
scanning for 251
compliance dictionaries 337
Compliance policies 236
Compliance policy 236
Compliance Settings
Rule Creation Wizard 287
Rule Creation Wizard from template 288
component update
schedule 445, 500, 514
D
dashboard
threshold 56
Dashboard 35
DAT roll back 505
data loss prevention 332
benefits 240
exclude content 332
register documents 332
data loss prevention (DLP) 240
Data Loss Prevention policy 236
Database Maintenance 446
event options 447
schedule 448
working with retention limits 448
database size
setting retention limits 446
delivered messages
retention limits 447
denial-of-service attacks
prevention from 242
Detecting
phish 225
detection
image filtering 255
signed or encrypted content 260
detections
external access to information 446
mail size filtering 242
dictionaries
adding to policies 251
configure compliance 337
editing scores and terms 251
import and export 337
Dictionary of spam term exclusions 223
Dictionary of spam terms 223
Directory harvest prevention 122
directory services
configure 390
Directory Services 390
Directory Synchronization 390
DLP
benefits 240
see data loss prevention 332
DLP (data loss prevention) 240
DLP and Compliance
compliance dictionaries 337
DNS servers
options 418
setting up 417
documentation
audience for this guide 9
product-specific, finding 10
typographical conventions and icons 9
documents
register for dlp 332
domain
adding local domain 117
domain management
benefits 387
download 20
dynamic routing 417
E
E-mail notifications
Creating 144
Custom 144
Edit rule
options 159
Editing spam scores 227
email 95
how messages are processed 95
reports 84
Email Administrator role 455
email configuration
overview 97
email detections
external access to 448
Email Gateway
working with 11
Email Gateway appliances integration 565, 573
email menu 95
Email notifications
Custom
benefits 144
Usage (scenarios) 144
email policies 134
compliance 251
email protection
domains 388
McAfee Email Protection (Hybrid) service 385
registering 385
email reports
benefits 84
email scanning
add domain 388
delete domain 389
edit domain 389
email scanning SaaS
Hybrid 387
enable CAC 464
enable Common Access Card 464
enabling anti-virus engine 511
encrypted content 260
encryption 348
available types 349
benefits of setting passwords 356
benefits of user accounts 353
PGP 362, 379
PGP Encryption Key 362, 379
S/MIME 360, 378
secure web mail 350
tls 364
Encryption
PGP 362, 379
Encryption Only
Setup Wizard 545
Encryption policy
benefits of 328
Encryption policy settings 328
ePO
integration with 565
management by 565
monitoring by 565
ePO Managed Setup 539
Cluster Management 541
ePO Managed Setup Wizard
cluster summary 544
ePO policy comparisons 572
ePolicy Orchestrator
Managing appliances from 570
setup 515
ePolicy Orchestrator extension
removing 570
ePolicy Orchestrator integration 565
ePolicy Orchestrator managed appliance
manual setup 507
ePolicy Orchestrator Management setup 540
event options 447
export
from a list 20
export anti-virus engine and database 502
extended syslog attributes for Common Event Format 494
extended syslog attributes for Splunk 489
External Access 448
Extra DAT update 502
F
factory default
password 459
factory default password
resetting to 459
FAQs 26
features
anti-virus 171
file filtering 237
File filtering policy 236
filter
messages based on size 242
filtering
file 237
finding attachments
archive files 76
FIPS status 557
firewall
IP addresses for hybrid email 21
Frequently Asked Questions 26
FTP
adding proxy server 431
update server 512, 513
G
Generic LDAP Server v3 396
getting started 11
Global Threat Intelligence 175
Global Threat Intelligence feedback settings 328
graphic user interface 13
Graymail 344
Setup 344
Greylisting 122
group management 390
directory services 390
network groups 393
senders and recipients 394
groups
senders and recipients 394
GTI feedback, See Global Threat Intelligence feedback settings
H
header modification 154
heuristic network checking 175
HotFix
install update 506
HTTP
adding proxy server 431
update server 511
hybrid actions 138
hybrid domain management
benefits 387
hybrid email scanning
benefits 384
registration process 384
hybrid scanning
benefits 382
Hybrid scanning
benefits 201
configure 206
hybrid scanning results 201
I
icons
message search 68
image filtering 255
K
Kerberos 460
L
LDAP 122, 396
LDAP query
create sample 400
LDAP Synchronization 390
least used 438, 522, 535
listening ports 21
lists
changing information 19
making and viewing 18
ordering alphabetically 19
removing many items from 18
removing single items from 18
viewing long 19
load balancing
configuring 438
log files
save 561
view 561
logging
configure system log archive 500
Login Services 460
lookups
with anti-relay 117
Lotus Domino 396
M
mail size filtering policy 242
Mail size filtering policy 236
mail traffic
flow of 11
modify
email headers 154
MQM 401
about 573
differences with Message Search 402, 574
integration with 573
MQM integration 573
Multipurpose Internet Mail Extensions (MIME) 303
MX lookups
with anti-relay 117
N
Netscape/Sun iPlanet 396
network groups
configure 393
network interfaces
cluster management 440
network settings
basic 412
Network Time Protocol (NTP)
adding a server 419
NIC adapter settings 412
Notification and Routing settings 289
Novell NDS (eDirectory) 396
NTP 419
O
off-box
access to reporting database 448
off-box quarantine 401
on-box quarantine 401
online troubleshooting resource 26
operating modes
options 515
setting 412
operational language 412
option definitions
McAfee Anti-Spyware 192
Out of Band Management 420
outbound address pool 466
adding 470
overview
Email Gateway appliances integration 565, 573
ePolicy Orchestrator integration 565
McAfee Quarantine Manager integration 573
overview of email configuration 97
P
packers 173
anti-virus settings 195
Packers policy 195
password
factory default 459
session management 463
Password
changing 16
password authentication 431
Password authentication 460
password management
complexity 457
setting policy 457
password management settings
appliance 457
secure web mail 356
password reset 459
hardware appliance 460
physical appliance 460
virtual appliance 459
patch software
install update 506
PGP
benefits of 362, 379
encryption 362, 379
Encryption 362, 379
PGP Encryption Key
encryption 362, 379
PGP sending email
benefits 363, 380
Phish
scanning for 225
physical host
with virtual hosting 466
policies
email 134
introduction to 135
POP3 134, 136
Secure Web Mail 137
signed or encrypted content 260
smtp 134
SMTP 135
with virtual hosts 470
policy
Anti-Spyware 192
anti-virus settings 172
Custom Malware Options 198
image filtering 255
mail size filtering 242
Packers 195
Policy based actions
benefits 318
configure 321
Policy exceptions 325
using policy exceptions 324
policy exceptions 141
benefits 141
understanding 141
Policy exceptions
Add 142
Add rule 143
Q
Quarantine
create queues 407
custom queues 406
Quarantine Manager
differences with Message Search 402, 574
integration with 573
Quarantine Manager integration 573
quarantine options
off-box 401
on-box 401
quarantine queues
changing roles 408
deleting 408
multiple 406
options 407
role access 405
settings 405
quarantined items
retention limits 447
questions often asked by customers 26
queues
quarantine 408
queues, quarantine 405
R
RADIUS 460
re-write
subject 151
Recipient checks 122
Registered Documents
with DLP 332
registering hybrid email scanning
benefits 384
registration process
hybrid email scanning 384
regular expressions 341
compliance dictionaries 337
relay
preventing open relay 117
remote backup server 431
removing ePolicy Orchestrator extension 570
replacement tokens 479
report
message search 73
reporting database
external access to 446, 448
maintenance 448
reset 448
setting event items 446
reporting items
event option settings 447
retention limits 447
reports 59
.csv 81
email reports 84
favorite reports 89, 93
scheduled 78
scheduled reports 77
system 91
troubleshooting 558
types of 59
Reports Administrator role 455
Reputation checks
notifications 234
rescue image 449
reset
password 459
resetting to factory default password 459
resolving connection issues
Advanced Threat Defense 191
restore configuration 434
results
hybrid scanning 201
Results
Message search 65
retention limits 447
review configuration changes 434
roles
create 455
roll back
Anti-virus DAT file 505
routing
dynamic and static 417
routing characters
permitted and denied 117
Rule Creation Wizard 287
from template 288
S
S/MIME
encryption 360, 378
save log files 561
scanner limits
maximum file size 289
maximum nesting depth 289
maximum scan time 289
Scanning
for compliance 251
phish 225
scanning policies
benefits 146
schedule
reports 77
updates 445, 500, 514
schedule,
component updates 502
scheduled reports 78
search for quarantined messages 60
search for queued messages 60
search quarantine 60
search queues 60
secondary action 138
Secure Shell 420
secure web mail 350
basic settings 351
benefits of setting passwords 356
branding 367
password management settings 356
user account settings 353
user management 355
Secure Web Mail
benefits 351
policies 137
Sender authentication
Adding results to spam scores 232
message reputation 227
options 227
spam scores 227
Spam scores 234
SPF 234
sender authentication policy 207
senders and recipients
create groups 394
sending email
benefits 126
server settings
system log archive 500
Server setup
McAfee Advanced Threat Defense 475
ServicePortal, finding product documentation 10
Session Management 463
setting critical thresholds 37
setting thresholds 56
Setting up ePolicy Orchestrator managed appliances 507
setting warning thresholds 37
settings
Alert 296
Encryption 328
setup options
custom and standard 515
encryption only 515
ePO 515
restore from a file 515
Setup Wizard
Basic Settings (Custom) 521
Basic Settings (Encryption Only) 545
Basic Settings (Restore from a File) 534
Cluster Management 522, 535
Cluster Mode 521, 534
description of options 515
Encryption Only 545
Graymail protection 344
installation options 515
shut down the appliance
with UPS 427
signed content 260
Signed or encrypted content policy 236
SMTP
policies 135
smtp policies 134
Spam rules
Configuring 221
edit spam score 221
editable 220
spam rules and engine updates 502
Spam score
Adding sender authentication results 233
editable 221
Spam scores
Editable
Adding sender authentication 235
Sender authentication results 232
editing 227
Policy exceptions 233
Spam term exclusions
dictionary 223
Spam terms
dictionary 223
T
Technical Support
Frequently Asked Questions 26
technical support, finding product information 10
tests
troubleshooting 563
threats
blocking specific 174
thresholds
configurable 37
setting 56
setting critical 37
setting warning 37
Time and Date
setting 419
Time zone 419
Timeout
set time 463
tls 364
tokens
alert 479
replacement 479
tools
troubleshooting 553
transparent ports 21
troubleshoot 553
reports
capture network traffic 559
mer 558
minimum escalation report 558
save email queues 560
tests
system tests 563
tools
disk space 556
ping 554
route information 555
system load 555
trace route 554
troubleshooting reports
log files 561
troubleshooting 553
Advanced Threat Defense 191
troubleshooting reports 558
troubleshooting tests 563
troubleshooting tools 553
Troubleshooting Tree 26
Troubleshooting, using the online tree 26
URLs
decoding 284
encoding 284
parsing 283
regular expressions 273
simple patterns 273
URLs canonicalize
decode 275
encode 275
parse 275
user account settings
secure web mail 353
user accounts (encryption users)
benefits 353
user interface 13
User Interface Access Configuration 420
user management
secure web mail 355
User preferences 15
benefits 15
options 16
password 16
Setting opening page 16
User preferences configuring opening page 16
types
encryption 349
users
create roles 455
UTC
Coordinated Universal Time 419
Validation algorithms
benefits 343
variables
alert 479
substitution 479
view log files 561
Virtual Host 466
adding 470
W
warning thresholds
setting 37
web policies
compliance 251
wizard
Add Login Services 461
automatic configuration backup 444
Configure System Log Archive 500
Rule Creation Wizard 287
Rule Creation Wizard from template 288