McAfee MAP-3300-SWG - Web Security Appliance 3300 Product Manual

Product Guide
McAfee Email and Web Security
Appliances 5.6.0

Summary of Contents for McAfee MAP-3300-SWG - Web Security Appliance 3300

  • Page 1 Product Guide McAfee Email and Web Security Appliances 5.6.0...
  • Page 2 MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
  • Page 3: Table Of Contents

    Optional components and related products ......8 Working with your McAfee Email and Web Security Appliances ....9 The interface .
  • Page 4 Logging, Alerting and SNMP ......261 McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 5 System Tests ....... 318 How appliances work with ePolicy Orchestrator Configuring your appliance for ePolicy Orchestrator management Managing your appliances from within ePolicy Orchestrator Index
  • Page 7: Preface

    Preface This guide provides the information you need to configure, use, and maintain your McAfee product. About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
  • Page 8: Finding Product Documentation

    Optional components and related products Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
  • Page 9: Working With Your Mcafee Email And Web Security Appliances

    VMware environment. It is available as the combined Email and Web version of the software. Working with your McAfee Email and Web Security Appliances This section describes important concepts to help you configure your McAfee Email and Web Security Appliance.
  • Page 10: The Interface

    Preface Working with your McAfee Email and Web Security Appliances The interface Use this page to get to know your way around the user interface. The interface you see might look slightly different from that shown here, because it can vary depending on the appliance's hardware platform, software version, and language.
  • Page 11 Icon Menu Features Use this page to see a summary of the appliance. From this page Dashboard you can access most of the pages that control the appliance. Use the Reports pages to view events recorded on the appliance,...
  • Page 12: Common Tasks Within The Interface

    G — Content area The content area contains the currently active content and is where most of your interaction will be. The changes that you make take effect after you click the green checkmark.
  • Page 13 Using lists The following information explains the use of lists within Email and Web Security Appliances. Contents Making and viewing lists Adding information to a list Removing single items from a list...
  • Page 14 Task In the column of checkboxes on the left of the table, select each item. To select many items, select the checkbox in the table's heading row to select all the items, then deselect those that you want to keep.
  • Page 15 Ordering information alphabetically in a list When information is given in a list, you can sort the list alphabetically. Task To change the order: • To force items in a column into alphabetical order, click the column heading. Items in other columns are automatically sorted accordingly.
  • Page 16: Ports Used By Email And Web Security Appliances

    In the Export window, follow the instructions to create the file. Ports used by Email and Web Security Appliances Use this topic to review the ports used by your McAfee Email and Web Security Appliance. The appliance uses various ports to communicate with your network and other devices.
  • Page 17: Resources

    Intercept ports When operating in either of the transparent modes — transparent bridge mode or transparent router mode — the appliance uses the following intercept ports to intercept traffic to be scanned.
  • Page 18 Submit a sample If you have a file that you believe to be malicious, but that your McAfee systems are not detecting, you can safely submit it to McAfee for further analysis.
  • Page 19 Link name Description Download the MIB file for use with SNMP. MIB File This file is used to define the information that your Email and Web Security Appliance can transmit using SNMP.
  • Page 21: Overview Of Dashboard Features

    You can also configure a list of links to tasks that you often use, providing you with a quick and easy method of moving to the correct area of the user interface.
  • Page 22 Queued, Quarantined, and Release requests queues maintained by the appliance, using icons. To visit the pages that manage the queues, click the blue links. To quickly search through email in the queues, click Quick search
  • Page 23 — Cluster Master — Cluster Failover — Email and Web Security Appliance — Email Security Appliance — Web Security Appliance — Web Gateway Appliance Displays the name of the appliance as configured Name
  • Page 24 • When the appliance intercepts the TLS conversation, from the second <MAIL FROM> command if more than one email is received in the same SMTP conversation • When messages are sent over SMTPS
  • Page 25: Edit Preferences

    Task — Turn off the McAfee Global Threat Intelligence feedback disabled warning By default, the appliance displays a warning message if you have not enabled McAfee Global Threat Intelligence (GTI) feedback because McAfee considers it best practice to enable this form of communication.
  • Page 26 Use this page to set the protocols for which you want policies to display, and whether you want to see detailed policy information on the Dashboard. On each page, you can reset the values to the default settings.
  • Page 27: Graphs Edit Preferences

    To stop receiving notifications that the appliance is an open relay, if web-based user authentication needs more setup or when you have not configured McAfee Global Threat Intelligence feedback, click Edit in the System Health area, and deselect the relevant warnings.
  • Page 29: Overview Of Reports Features

    Use the external methods to keep the reported events over a longer period of time than that offered by the reporting options on the appliance itself. Use features available from System | Logging, Alerting and SNMP, or McAfee ePolicy Orchestrator to send data to generate reports externally. Table 8 External reporting options...
  • Page 30: Scheduled Reports

    McAfee Web Reporter System | Logging, Alerting and SNMP. Generates reports about Uniform Resource Locator (URL) filtering activities. See the McAfee Web Reporter Product Guide, available from the McAfee download site. Use the appliance Dashboard to see high-level event statistics. Use the options in Reports to produce regular and real-time reports on the following types of events on the appliance.
  • Page 31 Any new favorite reports that you created in the Email Interactive Reports, or Web Interactive Reports section are available from here too.
  • Page 32 From the list of report types, select Overview, and click Edit. In the Edit Report dialog box, set the Reporting period to 1 week. Click OK, and apply the changes to the appliance. Click Download to generate the report.
  • Page 33: Email Reports Overview

    Reports | Email Reports You can generate a report based on a set of predefined filters, or edit the filters, test the results, and save the report as a new report.
  • Page 34 Displays results in a pie chart and table format for each filter criteria, or for all filters. Displays all results in a table format. Results are shown for each detection in the Detail view report results.
  • Page 35 Displays the protocols you want to view, such as SMTP. Traffic Displays traffic, whether inbound or outbound. In a simple network, you might see reports on compliancy for outbound traffic and reports on spam for inbound traffic.
  • Page 36 Save the report as a new favorite report to be run again in the future • Set up a schedule to send the report regularly to the email administrator Subtask — Run a standard email activity report
  • Page 37: Interactive Reporting - Total View

    Reports | Web Reports | Web Interactive Reporting | Total View The information is displayed in a horizontal bar chart. If you see no information, click Apply on the Filter tab, or change the period and click Apply.
  • Page 38: Interactive Reporting - Time View

    Use this page to see the details of every detected threat. Reports | Email Reports | Email Interactive Reporting | Itemized View Reports | Web Reports | Web Interactive Reporting | Itemized View The information is displayed in a pie chart.
  • Page 39: Interactive Reporting - Detail View

    If you see no information, click Apply on the Filter tab, or change the period and click Apply. For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).
  • Page 40: Selection - Favorites

    Use this section of the page to refine or “filter” the information in the report. Reports | Email Reports | Selection | Filter Reports | Web Reports | Selection | Filter
  • Page 41 When clicked, shows the options below. Show Advanced To hide the options again, click Hide Advanced. Source Domain Filter traffic based on the domain that the messages are being sent from.
  • Page 42 All, you see further choices. For example, if you select Content, you can further select Mail Size. Extra categories appear here if you have installed any optional software.
  • Page 43: Web Reports Overview

    There are four tabs beneath Web Interactive Reporting that each provide different views on a report's results. See View types: • Total view • Time view • Itemized view • Detail view There are two pages beneath Selection:
  • Page 44 24 hours Blocked (SiteAdvisor) Displays results in Total view by default. Results show the web requests blocked by the McAfee SiteAdvisor program due to a detected threat over the previous 24 hours
  • Page 45 • set up a schedule to send the report regularly to the web administrator Subtask — Run a standard web activity report
  • Page 46: Interactive Reporting - Total View

    Reports | Web Reports | Web Interactive Reporting | Total View The information is displayed in a horizontal bar chart. If you see no information, click Apply on the Filter tab, or change the period and click Apply.
  • Page 47: Interactive Reporting - Time View

    Use this page to see the details of every detected threat. Reports | Email Reports | Email Interactive Reporting | Itemized View Reports | Web Reports | Web Interactive Reporting | Itemized View The information is displayed in a pie chart.
  • Page 48: Interactive Reporting - Detail View

    If you see no information, click Apply on the Filter tab, or change the period and click Apply. For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).
  • Page 49: Selection - Favorites

    Use this section of the page to refine or “filter” the information in the report. Reports | Email Reports | Selection | Filter Reports | Web Reports | Selection | Filter
  • Page 50 When clicked, shows the options below. Show Advanced To hide the options again, click Hide Advanced. Source Domain Filter traffic based on the domain that the messages are being sent from.
  • Page 51 All, you see further choices. For example, if you select Content, you can further select Mail Size. Extra categories appear here if you have installed any optional software.
  • Page 52: System Reports

    Benefits of creating system reports Keeping up-to-date with McAfee threat detection updates is vital to the continued and successful running of your organization. Generate system reports to get information about threat detection files update status, user logon statistics, and network and hardware status.
  • Page 53 In Event, select URL filter update failed, and click Apply to filter the data accordingly. Click Save, type a name for the report, and click OK. The report appears in the list of Favorites.
  • Page 54: Interactive Reporting - Detail View

    Use this page to run an existing favorite report immediately, or build a list of links to reports that you have already saved. Reports | Email Reports | Selection | Favorites Reports | Web Reports | Selection | Favorites
  • Page 55: Selection - Filter

    Displays information about one sender, such as user@example.com When selected, the advanced options, Source domain and Source ID, further specify the sender's domain or IP address, such as server1.example.com and 192.168.254.200.
  • Page 56 Displays the protocols you want to view, such as HTTP. User login Displays information about one user. When selected, the advanced options, Source domain and Source IP, further specify the domain or IP address, such as server1.example.com and 192.168.254.200.
  • Page 57 Displays reports about particular event types. For example, issues concerning the Event type Network. Select individual events based on the chosen Event type. Event Reason Select individual reasons based on the chosen Event.
  • Page 59: Overview Of Email Features

    Real-time Blackhole Lists (RBL) Sender Authentication Settings — RBL Configuration on page EHLO/MAIL FROM Permit Sender Permit and Deny Lists on page Deny Sender Permit and Deny Lists on page
  • Page 60 Anti-spam Anti-Spam Settings — Basic Options on page 119 Anti-Spam Settings — Advanced Options on page 120 Anti-Spam Settings — Blacklists and Whitelists on page 120 Anti-phish Anti-Phish Settings on page
  • Page 61 When passing through the scanning stage, the next step that the email message takes depends on the scanners that are triggered and the primary actions defined for each scanner. Primary actions are prioritized as follows: • Deny connection • Refuse
  • Page 62: Message Search

    • Did the message bounce? • Was the message quarantined? • Is the message queued pending further action? You can use a wide range of different criteria to search on, including:
  • Page 63 To search for a literal *, ? or \ character within these fields, use the backslash (\) character before the search term. For example, use: \* to search for the asterisk character.
  • Page 64 You can multi-select to search for messages in more than one category. See Quarantine Options on page 159 to find out how the categories relate to those reported in McAfee Quarantine Manager. All Dates / You can search on All Dates , or you can specify a Date Range , using From and To dates and times.
  • Page 65 Click to search the appliance for email messages that match your search parameters, or Search/ to refresh the list if you have changed any of the parameters. Refresh Clear Resets all search parameters to their default states. Parameters
  • Page 66 • Retry selected — Only available if all selected messages are queued. • Retry all If you have configured your appliance to perform off-box quarantining using McAfee Quarantine Manager, you cannot make release requests from within Message Search. To retry the delivery of a queued item and to then show the results of the SMTP Real-Time conversation with the target MTA, click Real-Time Retry .
  • Page 67 The appliance is trying to deliver this message. The appliance has a release request pending for this message. Queued for delivery to your McAfee Quarantine Manager server. Task — Find out which email messages are quarantined To view a list of all messages that have been quarantined: Click Email | Message Search.
  • Page 68 For a single message, click View Message, and then select the Retry button. • To retry the sending of the messages and then see the results within the page, click Real-Time Retry.
  • Page 69 12 In the To time field, enter '23:59'. 13 Click Search/Refresh. Information about all messages sent on the selected date from "user@domain", with the subject "abc", are displayed in the lower part of the page.
  • Page 70: Email Overview

    (potentially unwanted programs). Show the top [number] records When selected, changes your view of the information. For example, view for the past [period] the top 20 records for the past week.
  • Page 71: Email Configuration

    POP3 email messages, Anti-relay settings, Recipient authentication, Permit and deny lists, as well as other areas such as DKIM signing, delivering email domains and fallback relays. Contents Protocol Configuration Receiving Email Sending Email
  • Page 72: Protocol Configuration

    The default value is 25. Transparent interception ports Specifies a port number. The default value is 25. Specifies the type of port. The default value is 465. Secure ports SMTPS uses a secure port.
  • Page 73 These settings are configured by default to provide the best SMTP performance with most appliances and network configurations. Changing these settings can affect performance. If you are not sure about the impact of making any changes, ask your network expert.
  • Page 74 78 transparent operating modes — transparent router or transparent bridge mode. Address parsing options on page Use this area to configure options relating to the parsing of email addresses.
  • Page 75 (.) command. Default value is No limit. Accepts an empty From address. Allow null senders Default value is Yes. Default value is No. Reject recipient if the domain is not routable
  • Page 76 Maximum number of MX records used excessively. Default value is 100. Maximum number of A records Specifies the response to messages that use A (address) records excessively. used Default value is 100.
  • Page 77 Otherwise performance will be affected. Default value is No. Provides information for troubleshooting. Select only if instructed to Dump output email to disk do so. Otherwise performance will be affected. Default value is No.
  • Page 78 Add a Received Adds Received (RCPT) commands to the email headers. header to email Default value is Yes.
  • Page 79 Send and receive email for general enquiries using an anonymous address such as info@example.com, instead of one person’s specific address. • Redirect email for several people to one person. • Modify the email headers to hide information about your internal domains.
  • Page 80 Mail headers to search Specifies any new mail headers for outgoing email. You need only add new headers if your mail server attaches its own unique headers, or extra headers are defined in new email specifications.
  • Page 81 Use this area to manage TLS digital certificates that are needed for the secure transfer of email. TLS options (advanced) on page 84 Use this area to specify the type of ciphers for TLS encryption.
  • Page 82 Use this area to manage TLS digital certificates that are needed for the secure transfer of email. Certificates typically have a lifetime of several months or years, so they do not need to be managed often.
  • Page 83 Transport Layer Security. Email | Email Configuration | Protocol Configuration | Transport Layer Security (SMTP) | Certificate management When requesting that your TLS certificates be created, McAfee recommends that you include the hostname and the IP address for the appliance that will be decrypting the TLS-encrypted email. If your...
  • Page 84 By default, ciphers with a full range of strengths are supported. If necessary, the range of supported cipher strengths can be limited to 128-bit or greater. If selected, ciphers without encryption are supported. McAfee does not Allow no encryption recommend using unencrypted TLS connections, so this setting is disabled by default.
  • Page 85 Maximum wait times when talking server that receives the email message. Default values: to a POP3 server • Establishing a connection — 60 seconds • Completing data transfer — 60 seconds
  • Page 86: Receiving Email

    Use this page to build a list of IP addresses, networks and users that are permitted, blocked or temporarily blocked from connecting to the appliance. Email | Email Configuration | Receiving Email | Permit and Deny Lists The page has these sections:
  • Page 87 Once you have configured the permitted connections list for one of your appliances, you can export the permitted connections list, to be imported onto other appliances. The file is created in comma separated variables (CSV) format.
  • Page 88 Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists | Permitted and blocked connections | Permitted connections. Click Add. Type the IP address and the netmask for the connection that you want listed as permitted. Save the changes.
  • Page 89 You also have a network from which you accept messages, such as 192.168.0.0/24. The anti-relay feature checks the contents of three lists to determine whether a recipient is acceptable.
  • Page 90 • Local domain — These are the domains or networks for which email is accepted for delivery. For convenience, you can import a list of your local domain names using the Import Lists and Export Lists options. McAfee recommends that you add all domains or networks that are allowed to relay messages as local domains.
  • Page 91 SMTP 421 (Temporarily unavailable service due to potential threat message), then closes the connection. • Accept and ignore the recipient — sends an acceptance code, SMTP 250 (OK). McAfee does not recommend this option because it suggests to the sender that the message was received as intended.
  • Page 92 Type the domain name that you want to deny using a wildcard, such as *example.dom to reject all messages sent to that domain. In Category, select Denied domain, and click OK.
  • Page 93 Use this page to prevent attacks from zombie networks, bogus recipient names, and directory harvesting. Email | Email Configuration | Receiving Email | Recipient Authentication The page has these sections: • Greylisting • Recipient Checks • Directory harvest prevention
  • Page 94 Specifies the maximum number of greylisted records. When the number of records Maximum number of approaches this value, the appliance starts deleting old records. The range is records 50,000 to 2,000,000. Default value is 2000000.
  • Page 95 Default value is Deny connection. When the appliance is in • None — takes no action. proxy mode • Deny connection — adds the sender to the Denied Connections list. Default value is Deny connection.
  • Page 96 — all the appliances need information about the signature seeds and signature lifetime. To distribute the information between your appliances, use the import and export features in the interface.
  • Page 97: Sending Email

    Specifies how long the signature seed will be used to sign outgoing email. Mail Signature lifetime servers typically try to deliver mail for up to four days. McAfee recommends a value of 4–7 days. Specifies a seed for signing the sender's address.
  • Page 98 IP addresses for delivery. Delivery will be attempted to host names returned by the MX lookup in the order of priority given by the DNS server.
  • Page 99 Email Configuration Postmaster address McAfee recommends that you assign a postmaster, so that queries from your users are handled promptly. The postmaster must be someone who reads email regularly. You can use the name of a single user or a distribution list.
  • Page 100 Maximum open connections and Specifies other options that control the rate for delivering email to this domain. Emails per connection Task — Deliver all email using MX record delivery Use the default settings.
  • Page 101: Email Policies

    Email | Email Policies Web | Web Policies Policies are collections of rules or settings that can be applied to specific types of traffic or to groups of users.
  • Page 102 • McAfee Anti-Spyware • Packer detection • Spam, including: • Phish • Compliance, including: • Mail size filtering • Scanner Options, including: • Scanning limits • Content handling • Alert settings
  • Page 103: Email Scanning Policies Menu

    Sender Use these pages to manage the use of authentication systems such as DKIM and SPF. Authentication Compliance Email | Email Policies | Scanning Policies [Compliance]
  • Page 104 (PUPs), which are any software that a cautious network administrator might want to be informed of, and possibly remove, such as password crackers. Adware, too, is among these nuisances, because it distracts employees from their normal work.
  • Page 105 Removing these potentially unwanted programs may prevent their hosts from working. Review the license agreement for these host programs for further details. McAfee does not encourage nor condone breaking any license agreements. Read the details of license agreements and privacy policies carefully before downloading or installing any software.
  • Page 106 Potentially unwanted programs (PUPs) are not considered to be malware like viruses and Trojan horses. Email | Email Policies | Scanning Policies [Anti-Virus] McAfee Anti-spyware Some software programs written by legitimate companies might alter the security or privacy of the computer where they are installed.
  • Page 107 Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options This approach cannot detect a new virus because its signature is not yet known. Therefore another technique, known as heuristic analysis, is employed. McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 108 The appliance can handle any mass-mailer virus separately from other types of virus. You example, you can choose to discard the detected document immediately, and thereby suppress any alert messages that will otherwise be generated. McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 109: About Protocol Presets

    Email Policies McAfee Global Threat Intelligence This technique reduces the delay between McAfee's detection of a new malware threat and when a customer receives and installs a detection definitions (DAT) file. The delay can be 24 - 72 hours. The appliance scans each file, comparing its code against the information (or signatures) in the current detection definitions (DAT) file.
  • Page 110 From the Anti-Virus Settings page you can access: • Anti-Virus Settings — Basic Options • Anti-Virus Settings — McAfee Anti-Spyware • Anti-Virus Settings — Packers, and • Anti-Virus Settings — Custom Malware Options
  • Page 111 • Mail Size Filtering Settings, including information on: • Mail Size Filtering Settings -- Message Size • Mail Size Filtering Settings -- Attachment Size • Mail Size Filtering Settings -- Attachment Count • Compliance Settings . McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 112 Select either SMTP or POP3 from the Select a protocol: drop-down list. The Email | Email Policies | Scanning Policies page refreshes to show the policies that have been defined for the selected protocol. McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 113 If the identified policy is either at the top of the evaluation order, or is next to the default policy, then one or other of the icons will not be available for selection. McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 114 • Directory group — if you have already imported groups from your LDAP servers. You will be prompted to select a directory group. • User group — for a complex combination of email addresses and groups. McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 115 Use this menu to include and exclude users and groups. Displays the value, such as an IP address. Move your mouse pointer over the option for Value help with the format of the value. McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 116 Remove all macros from documents are a popular target for virus writers. document files Enables McAfee Global Threat Intelligence file reputation on your appliance. Enable McAfee Global Threat Intelligence file reputation McAfee Global Threat Intelligence file reputation complements the...
  • Page 117 Use this page to specify the McAfee Anti-Spyware settings for anti-virus scanning. Email | Email Policies | Scanning Policies | Viruses: | Anti-Virus Settings | McAfee Anti-Spyware Web | Web Policies | Scanning Policies | Viruses: | Anti-Virus Settings | McAfee Anti-Spyware...
  • Page 118 When deselected, allows you to click the link, then change the text of the alert. And also Provides further actions to take. When selected, prevents further processing. Do not perform custom malware check if the object has already been cleaned
  • Page 119 When clicked, opens another window where you can specify who the appliance annotated email options will notify when a threat is detected. Select whether to use the default alert text when an anti-spam action triggers, Alert settings or change it.
  • Page 120 Table 91 Option definitions Option Definition Email Address Use this to make a list of users who often receive spam. Specifies each email address. You can use wildcards, for example: user_?@example.*
  • Page 121 Use this to manage lists of blacklists and whitelists that have been submitted by users through quarantine digests. If the appliance is configured to use the McAfee Quarantine Manager, you can only view the lists. Anti-Spam Settings — Rules Use this page to remove any spam rules that are causing some email to be wrongly detected as spam.
  • Page 122 • Annotate and deliver original to x lists • Notification email options • Deliver to the recipient(s) of the original email • Deliver the notification to x lists To select several items, use Ctrl-click or click and Shift-click.
  • Page 123 McAfee recommends that you place the RBL servers in the order that they are most likely to trigger to reduce the number of lookups the appliance carries out for each incoming connection.
  • Page 124 Provides actions to take. For example: If the sender fails the check Tarpit - delays the response to the email message. Add to score - combines the results of several methods of sender authentication.
  • Page 125 Create new filtering rule want to detect. Change the default alert text If clicked, opens a further window where you can change the alert message that is issued after a detection.
  • Page 126 When you create settings to control the use of any file, remember that some departments within your organization might need fewer constraints. For example, a marketing department might need large graphic files for advertising. This feature is not available to the POP3 protocol.
  • Page 127 If an uploaded registered document contains embedded documents, their content is also fingerprinted so the combined content is used when calculating the percentage match at scan time. To have embedded documents treated individually, they must be registered separately.
  • Page 128 On the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy. Enable the consecutive signatures setting, and type the number of consecutive signatures against which the DLP policy will trigger a detection. The level is set to 10 by default.
  • Page 129 Mail Size Filtering Settings — Attachment Size Use this page to specify how to handle large attachments within email messages. Email | Email Policies | Scanning Policies | Compliance | Mail Size Filtering
  • Page 130 Provides a further action to take. To select several items, use Ctrl-click, or click and Shift-click. Compliance Settings Use this page to create and manage compliancy rules. Email | Email Policies | Scanning Policies | Compliance
  • Page 131 On the Default Compliance Settings dialog box, click Yes to enable the policy. Click Create new rule to open the Rule Creation Wizard. Type a name for the rule, and click Next. In the Search field, type social.
  • Page 132 Repeat steps 2 through 4 to create another new rule but name it Discontent - High and assign it a threshold of 40. In If the compliance rule is triggered, select Deny connection (Block). Click Finish. 10 Click OK and apply the changes.
  • Page 133 Email | Email Policies | Dictionaries. Displays the maximum number of times that terms in that dictionary can Max Term Count contribute towards a threshold score.
  • Page 134 And also such as quarantining the original or modified message, notifying the sender, and sending the message to other people. The options displayed differ according to the primary action that you select.
  • Page 135 To select several items, use Ctrl-click, or click and Shift-click. Use the default alert When selected, issues the default alert upon detection. When deselected, allows you to click the link, then change the text of the alert.
  • Page 136 Offers a choice of re-encoding if the message was cleaned. attachments Offers a choice of re-encoding. When re-encoding modified subject lines Offers a choice of re-encoding. If there's an error re-encoding a modified subject line
  • Page 137 Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | Email Options In spam and spoofed email, headers are sometimes altered to hide the identity of the sender.
  • Page 138 MIME defines different ways of encoding the non-ASCII formats so that they can be represented using characters in the 7-bit ASCII character set. MIME also defines extra email headers that contain further information: • Version of MIME used. • Type of content in the MIME message.
  • Page 139 Script elements to ActiveX components When selected, the item is removed. Flash objects are ActiveX objects, so you can choose to keep them. Comments to Raw HTML When selected, the items are scanned for inappropriate content.
  • Page 140 Option Definition Provides a main action to take. If encrypted content is detected Provides several further actions to take. And also To select several items, use Ctrl-click or click and Shift-click.
  • Page 141 • An external-body message. The message contains a reference to an external resource and the scheme (usually FTP) that retrieves that resource.
  • Page 142 Use this page to control the format and appearance of the alert message that users receive when the appliance detects a threat. Email | Email Policies | Scanning Policies [Scanner Options] -- Alert settings Web | Web Policies | Scanning Policies [Scanner Options] -- Alert settings
  • Page 143 Failed delivery Specifies the From address that the appliance uses when sending a response to the sender of email that cannot be delivered.
  • Page 144 Route the email to an alternative SMTP relay Selects the relay from the list on the SMTP Relays page. Manage the list of relays When clicked, opens a window where you can make a list of SMTP relays.
  • Page 145 Email List Specifies the name of the list. To edit the list, click the blue link to open the Edit List window. McAfee Global Threat Intelligence (GTI) Feedback Settings Use this page to submit threat detection feedback, and usage statistics from your product to McAfee. Email | Email Policies | Scanning Policies | Scanner Options | McAfee GTI feedback...
  • Page 146: Dictionaries

    exploits, and malicious zombie senders generating spam and web attacks. McAfee Labs' team of more than 350 researchers in 30 countries is dedicated to providing the most relevant security information by tracking and analyzing the latest threats.
  • Page 147 Import dictionaries When clicked, imports a file to replace your existing dictionaries. Export dictionaries When clicked, exports the dictionaries as an XML file. You can send the file to other appliances, ensuring that content scanning is consistent.
  • Page 148 Score Displays the score attributed to the term. To make the dictionary score-based, click Add. To find out more about using thresholds and scores, see the tasks in Compliance Settings.
  • Page 149 • Within a block — Set the proximity within which the terms must be found. • Word or phrase — The list of terms. Removes the term from the dictionary. Delete
  • Page 150 Individual term lists can apply to different contexts. For example, one term list might look for terms within message bodies whilst another might look for terms within the subject line.
  • Page 151 OK in the Term Details window, the appliance adds the term to the dictionary and next to the selected term. Both terms have the same condition. Introduction to regular expressions Characters match themselves except for the following metacharacters:
  • Page 152 Click Add Dictionary and specify its details: • Type the name of the dictionary • Optionally provide a description • Select whether you want to match simple strings or regular expressions
  • Page 153 Task — Add a complex term to find the word Poker only when it is close to the word Game Go to Email | Email Policies | Dictionaries. Either create a new or select an existing non-score-based dictionary (indicated by a red book).
  • Page 154 Select how the appliance matches terms within this dictionary. Select what the term applies to. Applies to Click the link and select from the available options. Enter the term that you want the appliance to search for. Term
  • Page 155: Registered Documents

    Displays the number of data loss policies that use this category. Displays the number of documents to which this content category applies. Documents Create a content category. Clear Selection Click to not have any category selected.
  • Page 156 The number of policies that have this file in the exclusion list. Excluded by Referenced by The number of categories that contain this document. Signatures The number of signatures representing this document. The date the document was registered. Trained on
  • Page 157 The Character Encoding drop-down list allows you to specify the character set used for filenames. To upload files in .TXT format, McAfee recommends that you save them using Unicode or UTF-8 formats. Copy existing Click to copy an existing document from other categories into the selected category.
  • Page 158 In the Compliance area, select the Data Loss Prevention policy. Expand the policy that contains the excluded document. Click the Delete icon next to the appropriate document in the Exclusions list.
  • Page 159: Quarantine Configuration

    When you select Use an off-box McAfee Quarantine Manager (MQM) service, the Quarantine Digest Options and Digest Message Content tabs are removed from the user interface. The following table shows what you will see in the McAfee Quarantine Manager queue for each Email and Web Security category detection:...
  • Page 160: Quarantine Digest Options

    We recommend that you assign someone who reads email regularly. You can use the name of a single user or a distribution list. Specifies the format of the digest message. For interactive digests, choose Message format HTML.
  • Page 161: Digest Message Content

    Digest Message Content Use this page to design the appearance of quarantine digests and the responses to users' requests. Email | Quarantine Configuration | Digest Message Content Options
  • Page 162 When clicked, opens a window where you can edit the text of the response message, if it is in HTML format. You can edit the HTML content directly or at source.
  • Page 163: Overview Of Web Features Web Configuration

    Web | Web Configuration | HTTP | Connection Settings Changing these settings can affect scanning performance. If you are not sure about the impact of making any changes, ask your network expert. The page has these sections:
  • Page 164 You do not normally need to change the following settings. Advanced settings Request Verbs Request verbs are acted on to start the authentication redirect process. This is normally set to GET.
  • Page 165: Http Protocol Settings

    Handoff host • Client alert messages • Header blocking and modifications • Download status pages and data trickling • Protocol details • Download status messages • Request permissions • FTP over HTTP
  • Page 166 • Display page every — 5 seconds • Display the elapsed time — No • Use Javascript based HTML pages — No If the comfort pages do not display correctly in some browsers, deselect the Javascript option.
  • Page 167 A typical port number is 80. Header blocking and modifications Use this section to: • Block some request and response headers. • Add Via headers to HTTP requests and responses.
  • Page 168 This field is normally blank, and therefore this appliance is used. information pages Authentication types not These settings are required for NTLM. requiring persistence These settings are not required for Kerberos.
  • Page 169: Icap Connection Settings

    Web | Web Configuration | ICAP | Connection Settings Changing these settings can affect scanning performance. If you are not sure about the impact of making any changes, ask your network expert. The page has these sections:
  • Page 170 Service path Specifies a vendor and product name that can be added to the OPTIONS response. The Service String used by default depends on the type of appliance. Default value is /REQMOD.
  • Page 171: Icap Authentication

    Specifies the group name. Typically this is in plain text or by default, Base 64. encoding Specifies a regular expression that enables the appliance to extract the group Authenticated group name from the text of the Authenticated groups header. pattern Default value is ^(?:.*/)?(?:([^=]*)|.*ou=([^\s,=]+).*)$
  • Page 172: Icap Protocol Settings

    Offers a full list of events such as Request type forbidden and Unable to scan data. When clicked, opens a window where you can modify the text of the alert. Edit
  • Page 173 CONNECT verb when trying to initiate a HTTPS connection running over SSL. The entry 1025- means port number 1025 or above. Typical values are 443 (HTTPS) and 563 (SNEWS).
  • Page 174: Ftp Connection Settings

    Web | Web Configuration | FTP | Connection Settings Changing these settings can affect scanning performance. If you are not sure about the impact of making any changes, ask your network expert.
  • Page 175: Ftp Protocol Settings

    Use for features such as data trickling and the keep-alive interval. Web | Web Configuration | FTP | Protocol Settings The page has these sections: • Data processing • Download status and data trickling
  • Page 176 However, 8-bit ASCII can contain different character codes and formatting, depending on the computer systems in use, so viruses can be concealed within its data.
  • Page 177 FTP proxy server. For example, if your firewall has an FTP proxy server, use this option to redirect FTP requests to the firewall.
  • Page 178: Web Policies

    The appliance provides the following features when scanning the ICAP protocol: Web | Web Policies | Scanning Policies ICAP • Anti-virus • URL filtering • Scanner control The appliance can also handle the following types of content:
  • Page 179: Web Scanning Policies

    Anti-Virus Settings page is used within Email | Email Policies | Scanning Policies and also by Web | Web Policies | Scanning Policies. This provides you with an interface that is familiar to you.
  • Page 180 Each link within the URL Filtering area of each policy opens a separate page containing the features and options you need to configure your policy. • URL Blacklisting and Whitelisting • HTTPS Web Categorization - McAfee GTI Web Categorization • Web Reputation and Categorization Settings (HTTP), including • SiteAdvisor Web Reputation •...
  • Page 181 Use this task to create a new scanning policy. Click Web | Web Policies | Scanning Policies. Select the required protocol using steps in Task — View policies for the HTTP, ICAP or FTP protocols.
  • Page 182 To delete a previously created policy: Click Web | Web Policies | Scanning Policies. Identify the policy to be deleted. Click Confirm that you intend to delete the policy. The identified policy is deleted.
  • Page 183 Displays the type of user. Examples of when to use this option: Rule type • Authenticated user — for authenticated users within your system. • User's directory group — for all users within a specified directory group.
  • Page 184 Use this page to specify basic options for anti-virus scanning. Email | Email Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options Web | Web Policies | Scanning Policies [Anti-Virus] -- Anti-Virus | Basic options
  • Page 185 Anti-Virus Settings — McAfee Anti-Spyware Use this page to specify the McAfee Anti-Spyware settings for anti-virus scanning. Email | Email Policies | Scanning Policies | Viruses: | Anti-Virus Settings | McAfee Anti-Spyware
  • Page 186 Web | Web Policies | Scanning Policies | Viruses: | Anti-Virus Settings | McAfee Anti-Spyware Table 175 Option definitions Option Definition Enable anti-virus scanning When selected, scans for viruses and other threats such as worms and spyware.
  • Page 187 However, the IP address, 123.123.123.123 resolves only to www.mcafee.com. If the list of denied URLs includes www.example.com but does not include www.mcafee.com, the appliance cannot block a secure HTTP connection to 123.123.123.123.
  • Page 188 Use this page to compile lists of URLs (lists of website addresses) to which users will be denied or allowed access. This page contains the following tabs, each allowing you to define different lists: • Blacklisted URLs • Blacklisted URLs (Regex)
  • Page 189 • Merge the new values with the current content. Export Lists Export the current list of URLs to a text file that can be saved to your local file system. This file can be imported to other McAfee Email and Web Security Appliances. SiteAdvisor® Web Reputation...
  • Page 190 Web | Web Policies | Scanning Policies [Web reputation and Categorization] -- User Categorized URLs If you have selected Timed setting, you can also specify periods when the access to websites can vary.
  • Page 191 Table 185 Option definitions Option Definition Select to activate the Compliance policy settings. Enable compliance Rules Lists the configured compliance rules.
  • Page 192 Type a name for the rule, and click Next. Select two dictionaries to include in the rule, and click Next. Select a dictionary that you want to exclude from the rule in the exclusion list.
  • Page 193 Compensation and Benefits dictionary. For such dictionaries, you can restrict how many times a term can contribute to the overall score. See Dictionaries to get information about the score
  • Page 194 By default, no instant messaging service is blocked. Scanner Limits Use this page to set limits on scanning to prevent attacks and other performance issues. Email | Email Policies | Scanning Policies | Scanner Options | Scanning limits
  • Page 195 Use this page to specify how the appliance handles certain elements and components embedded in HTML data. Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | HTML Options
  • Page 196 Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | Protected files Web | Web Policies | Scanning Policies | Scanner Options | Content Handling | Corrupt or Unreadable Content | Protected files
  • Page 197: Dictionaries

    Scan the response header Select to scan the HTTP response body information. Scan the response body Dictionaries Use this page to view and edit compliance dictionaries. Email | Email Policies | Dictionaries
  • Page 198 Import dictionaries When clicked, imports a file to replace your existing dictionaries. Export dictionaries When clicked, exports the dictionaries as an XML file. You can send the file to other appliances, ensuring that content scanning is consistent.
  • Page 199 Score Displays the score attributed to the term. To make the dictionary score-based, click Add. To find out more about using thresholds and scores, see the tasks in Compliance Settings.
  • Page 200 • Within a block — Set the proximity within which the terms must be found. • Word or phrase — The list of terms. Removes the term from the dictionary. Delete
  • Page 201 Individual term lists can apply to different contexts. For example, one term list might look for terms within message bodies whilst another might look for terms within the subject line.
  • Page 202 OK in the Term Details window, the appliance adds the term to the dictionary and next to the selected term. Both terms have the same condition. Introduction to regular expressions Characters match themselves except for the following metacharacters:
  • Page 203 Click Add Dictionary and specify its details: • Type the name of the dictionary • Optionally provide a description • Select whether you want to match simple strings or regular expressions
  • Page 204 Task — Add a complex term to find the word Poker only when it is close to the word Game Go to Email | Email Policies | Dictionaries. Either create a new or select an existing non-score-based dictionary (indicated by a red book).
  • Page 205 Select how the appliance matches terms within this dictionary. Select what the term applies to. Applies to Click the link and select from the available options. Enter the term that you want the appliance to search for. Term
  • Page 207: Overview Of System Features Appliance Management

    System | Appliance Management | General The page has these sections: • Basic Settings • Network Interface Settings Some sections are relevant only when the appliance is in the appropriate mode.
  • Page 208 If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is running on your network, make sure that the appliance is configured according to STP rules. Additionally, you can set up a bypass device in transparent bridge mode.
  • Page 209 Virtual When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server. Add a new address, or remove a selected IP address. New Address/...
  • Page 210 When selected, the appliance accepts connections on that IP address. When selected, the appliance treats this IP address as a virtual address. This Virtual option only appears in cluster configurations, or on a McAfee Content Security Blade Server. New Address/Delete Add a new address, or remove a selected IP address.
  • Page 211 This option is unavailable by default if your appliance is running in transparent router mode, or is part of a cluster configuration, or running as part of a Blade Server installation.
  • Page 212: Dns And Routing

    If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet.
  • Page 213 Adds a new server to the list, or removes one, for example, when you need to Selected Servers decommission a server due to network changes. Selected by default. McAfee recommends that you leave this option selected because Only send queries it might speed up DNS queries as the appliance sends the queries to the specified to these servers DNS servers only.
  • Page 214: Time And Date

    Ensure that the client computer is aware of any daylight savings adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.
  • Page 215: Appliance Management - Remote Access

    Use the out-of-band interface if you do not want the user interface or secure shell to be accessible on the same network as the data traffic that is being scanned. The page has these sections: • Secure Shell Configuration • User Interface Access Configuration • Out of Band Management
  • Page 216 • IPv6: [2001:470:921b:7896::3c]. The [ ] must be typed. • hostname: host1.example.com (only allows host1 in the example.com domain to access the secure shell) To add individual hosts, netmasks cannot be used.
  • Page 217 IP Address / Specifies the IP address and network mask for the port. netmask You cannot type an IP address that is on the same subnet as the normal operational ports.
  • Page 218 • Set the size of the MTU (1500 by default) • Use autonegotiation (on by default) • Check the connection speed (100 Mb by default) • Set the duplex state (Full by default)
  • Page 219: Ups Settings

    UPS information. The user name and password are those specified when you set up the master device. See Add UPS Device on page 221. McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 220 Task — Configure your appliance to accept UPS status requests from other appliances Ensure that your UPS is working (a green checkmark shows in the Status column) Go to System | Appliance Management | UPS Settings. McAfee Email and Web Security Appliances 5.6.0 Product Guide...
  • Page 221 The length of time, in seconds, that the UPS waits before turning off the UPS after it receives the "turn off" command. On delay: The length of time, in seconds, that the UPS waits before restoring power after the mains power returns.
  • Page 222: Database Maintenance

    Use this area to set the limits on the maximum time or number of reporting or message items retained within the database. System | Appliance Management | Database Maintenance | Retention Limits
  • Page 223 Insert events into the database: ... that the database can fill quickly when reporting events are stored. McAfee recommends that Content Security Blade Server users use the offbox syslog feature for reporting events and deselect this option. Insert only primary events into the database: Select to add information only about primary reporting events into the database, such as virus detections.
  • Page 224 Type the password for the user to whom you gave access. Press the Enter key to see the list of report views that you have available. Choose from: • Email_details • Web_details • Configuration_change_view.
  • Page 225: Appliance Management - System Administration

    When run, the maintenance tasks trim the contents of the reporting database and items identified using the Message Search feature according to the settings in the Retention Limits area. McAfee recommends that you clean up the reporting database and message search items regularly to prevent the database from becoming too large.
  • Page 226 Navigate to System | Appliance Management | System Administration | System Commands. Enter the system password next to the Reboot Appliance button. Click Reboot Appliance. The appliance commences its shut down process, and reboots after about 5 minutes.
  • Page 227 Creating a bootable rescue image on a USB drive will result in the loss of all files located on the USB device. To prevent tampering or accidental stopping, you must type the appliance password to operate these features.
  • Page 228 To check the currently stored rescue image: Click System | Appliance Management | System Administration | Manage Internal Rescue Image. Verify the version information displayed under Rescue image details, or from the About the Appliance window.
  • Page 229 If you select either of the full installation options, you will need to take further action to import saved configurations, or to re-configure the appliance. • Install software preserving configuration and email messages Enter the appliance password. Click OK.
  • Page 230 The appliance reboots, and uses the rescue image found on the USB drive to reimage the appliance, using the installation options you select in the standard license and console displayed on the monitor connected to the appliance.
  • Page 231 You can create a bootable rescue image on a USB drive without using your appliance. You need a computer that has Internet access, your McAfee Grant Number for your Email and Web Security appliance, and third party software that enables you to create a bootable image onto a USB drive.
  • Page 232: Default Server Settings

    To use this feature, you must click the link to generate a key file, which you must then copy and paste into your authorized keys file so that the appliance can perform the backup. Specify the following information to set up a remote backup server:
  • Page 233: Cluster Management

    Load Balancing Resilient Mode Backup and Restore Configuration Use this page to back up and restore the information about the appliance’s configuration. System | Cluster Management | Backup and Restore Configuration
  • Page 234 • User — This is typically scmadmin or other users. To see the list of users, select System | Users, Groups and Services | Role-Based User Accounts in the navigation bar. • Session — A pid is a number that identifies a process.
  • Page 235: Configuration Push

    McAfee Quarantine Manager settings: • Quarantine Manager system identifier Remote Access Card settings: • IP address(es) assigned to DRAC Management port settings: • Whether out-of-band management is enabled (IP address, driver)
  • Page 236: Load Balancing

    If you have more than three appliances in a cluster, McAfee recommends that you do not enable scanning on the master appliance. You cannot configure the master or the failover blades of the McAfee Content Security Blade Server to scan traffic.
  • Page 237 • Cluster Failover — If the master fails, this appliance controls the scanning workload instead. Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict.
  • Page 238 Table 229 Operating Mode — Option definitions Option Definition Select operating mode Select the mode of operation for the cluster of appliances, or for your McAfee Content Security Blade Server. When configuring a cluster in either explicit proxy mode or transparent...
  • Page 239: Resilient Mode

    From the user interface, you can view or download the interconnect configuration files for both resilient and non-resilient mode operation for all the interconnects. To download all the configuration files, click interconnect_config.zip, as this file contains all the other configuration files.
  • Page 240: Users, Groups And Services

    The appliance authenticates connections using authentication groups. An authentication group is a means of referring to a group of authentication services. First define the authentication services that you need, then define the authentication groups.
  • Page 241: Policy Groups

    System | Users, Groups and Services | Role-Based User Accounts Use this page also to make a list of Kerberos realms or Active Directory domains, and set a timeout for each browser session. The page has these sections:
  • Page 242 Table 237 Option definitions for creating Login services. Service Name: Displays the user-configured name entered when setting up the service. Service Type: The Service Type will show either RADIUS or Kerberos, depending on the service configured.
  • Page 243 Service Type: Select RADIUS or Kerberos, depending on the type of service you are adding. Server address: The host name or address of the RADIUS or Kerberos server, as applicable, to connect to. You can only connect to IPv4 RADIUS servers.
  • Page 244 Type-Specific Settings (Kerberos) Table 242 Option definitions. Realm: Enter the name of the Kerberos realm to authenticate against. For example, EXAMPLE.COM. Kerberos realm names are, by convention, specified in upper-case.
  • Page 245 If the request fails, a warning icon and the message Authentication test failed is displayed. The Access-Reject or other message is returned from the RADIUS server in the Output field.
  • Page 246 Network Time Protocol server. The appliance can also perform Kerberos authentication in a transparent mode. Browsers are configured to use transparent authentication using Kerberos with the appliance in a Windows 2003 Active Directory environment.
  • Page 247 Directory Users and Computers, and double-click the account used. Select the Account tab. Verify that the fully qualified domain name (FQDN) for the Appliance is listed correctly. For example: HTTP/scmgateway.mcafee.local.
  • Page 248 Type the following details: Service name: Name for the LDAP service such as ldap-service. Service address: Fully qualified domain name of the Active Directory server. Server type: Active Directory. Base DN: CN=Users,DC=mcafee,DC=local
  • Page 249 Delete all identified duplicate accounts for the appliance in the Active Directory. Also ensure that Kerberos is running over TCP by following the instructions at http://support.microsoft.com/kb/244474.
  • Page 250: Virtual Hosting

    You can configure the virtual hosts and virtual networks that the appliance needs to scan. Contents Virtual Hosts Virtual Networks Virtual Hosts Use this page to add, edit, or delete virtual hosts and show available virtual hosts. System | Virtual Hosting | Virtual Hosts
  • Page 251 The host name and the domain name are used in the SMTP greeting banner. If the host name is a FQDN (that is, it ends in a "."), then the domain name is not used in the greeting banner.
  • Page 252 Virtual policies can be used as a template policy for similar kinds of virtual hosts. Go to System | Virtual Hosting | Virtual Hosts. Ensure that Enable virtual hosting on this appliance is checked.
  • Page 253 Base protocol preset Offers a choice of presets from the physical host, or allows you to specify a new preset. Presets are the connection-based policies. Email relaying Configures the virtual host domain as a local relay domain.
  • Page 254 These are the addresses on which the appliance will send scanned traffic. If you do not specify any output IP addresses, the appliance will use the physical host IP address.
  • Page 255: Virtual Networks

    To delete a single network, click the icon in its row. Edit Virtual Network Use this page to edit the virtual network settings. System | Virtual Hosting | Virtual Networks | Edit Virtual Network
  • Page 256: Certificate Management

    Displays the certificate-issuing authority, such as Thawte and Verisign. Expires Displays the certificate's expiry date, such as May 15 2010 12:15:00. If this date has passed, the certificate is not valid.
  • Page 257 TLS certificates and keys Use this page to manage digital certificates for the secure transfer of email using Transport Layer Security (TLS). System | Certificate Management | Certificates | TLS certificates and keys
  • Page 258 Certificates typically have a lifetime of several months or years, so they do not need to be managed often. When requesting that your TLS certificates be created, McAfee recommends that you include the hostname and the IP address for the appliance that will be decrypting the TLS-encrypted email.
  • Page 259: Certificate Revocation Lists (CRLs)

    Useful web sites ISO 3166: http://www.iso.org/iso/country_codes.htm Certificate Revocation lists (CRLs) Use the linked pages to import, export and view the Certificate Revocation Lists on your appliance. Contents Installed CRLs CRL updates
  • Page 260 If you do not want to use this feature, select Never. Use the default proxy If you intend to use a HTTP proxy that is not specified on the External Proxies settings page, deselect this checkbox.
  • Page 261: Logging, Alerting And SNMP

    Alert tokens for Email alert messages on page 262 for information on the usage of each substitution variable.
  • Page 262 The type of corruption that has occurred (Corrupt Content) %DESTINATIONHOST%: Destination Hostname %DESTINATIONIP%: Destination IP address %DETECTIONS%: List of detections in the item %DICTIONARYGROUP%: The name(s) of the content scanning rule(s) that triggered (Compliance) %DLP_FINGERPRINTSOURCE%: Protected Document Name (DLP)
  • Page 263 Description %ATTACHMENTNAME%: Name of the item being scanned %AVDATVERSION%: The DAT version used by the anti-virus engine %AVENGINENAME%: The name of the anti-virus engine %AVENGINEVERSION%: The version of the anti-virus engine
  • Page 264 The maximum expiration delay in days %PRODUCT_NAME%: The product name of the appliance that generated the digest %POST_MASTER%: The email address of the postmaster %DIGEST_DATE%: The date on which the digest was generated
  • Page 265 Source IP address %ICAP_SOURCEIP%: Source IP address for the ICAP server %SOURCEHOST%: Source host name %ICAP_SOURCEHOST%: Source host name for the ICAP server %DESTINATIONIP%: Destination IP address %DESTINATIONHOST%: Destination host name
  • Page 266 The filtered category that matched the requested URL (URL) Aggregated data: %PRODUCT%: The product name %EVENT%: The name of the event %SMTPNUMMESSAGES%: The number of messages received via SMTP %SMTPVIRUSDETECTED%: The number of viruses detected (SMTP)
  • Page 267 %ICAP_SOURCEIP%: Source IP address for the ICAP server %SOURCEHOST%: Source host name %ICAP_SOURCEHOST%: Source host name for the ICAP server %DESTINATIONIP%: Destination IP address %DESTINATIONHOST%: Destination host name %LOCALTIME%: Local time
  • Page 268: SNMP Alert Settings

    Store for configuration push (plain text). Be aware, however, that if you select this option, the configuration settings for the SNMP v3 protocol are stored on the appliance in plain text.
  • Page 269: System Log Settings

    The appliance cannot store the transport events produced by heavy traffic for long periods. We recommend that you use the off-box syslog option to forward the transport events to a central syslog server.
  • Page 270 Event Description 50005 Logging of the email status during processing 50006 Logging of the email status during processing 50022 Logging of the email status during McAfee Quarantine Manager processing 180000 Anti-Virus Engine Detection 180001 Content rule detection 180002 Anti-spam classification...
  • Page 271 'DL': The file that triggered the DLP rule If cs5 is 'FF': The file rule that triggered the event If cs5 is 'PX': The content rule that triggered the event
  • Page 272 Using the extended Syslog functions within the appliance, you can use external, third party software — such as Splunk — to generate Syslog reports. Table 272 Extended Syslog attributes for Splunk Syslog entry Notes Example Time and Appliance Name Dec 30 10:58:10 Appliance1 Protocol Smtp
  • Page 273 Number of the recipients for the mail relay Address of the next MTA the 172.16.140.118 mail would be sent to if known subject The subject of the email A subject line here
  • Page 274 Mail Size detection MS(Mail Size) 180031 URL has been blocked due to SA (Site Advisor) categorization reason_id Text Email Delivered Email Deferred Access to the requested URL is not permitted clean replace
  • Page 275: Webreporter

    Specifies the proxy server details if the Web Reporter software is hosted on a proxy server. Logging Configuration Use this page to specify which events are recorded in the appliance’s logs. System | Logging, Alerting and SNMP | Logging Configuration
  • Page 276: Component Management

    System | Component Management | Update Status Benefits of using Update Status From the Update Status page, you can manage updates for the following scanning components:
  • Page 277 This version of Email and Web Security Appliances no longer supports the v1 detection definition (DAT) files. The appliances now use the McAfee Agent to handle the updating of the v2 DAT files and scanning engine files — even without having an ePolicy Orchestrator server configured on your network.
  • Page 278 When you import the updates zip file, all updates that are contained within it are imported to your appliance. If you do not want a particular update to be applied, then McAfee recommends that you do not include that update when you export the update file.
  • Page 279 Management | Default Server Settings. In Select how the McAfee FTP update site should be used, select Not Used, and click Next. In Time to schedule update for, select the Daily option, and set the time to 0400, and click Finish.
  • Page 280 Use this page to set up scheduled updates. anti-virus, anti-spam, web categorization, and package updates. System | Component Management | Update Status Introduction to Scheduled update settings You can schedule updates for the following scanning components:
  • Page 281 • Appliance software updates (HotFixes and patches) McAfee recommends that you update all scanning components on a new appliance using the Update Now feature, then use the Schedule feature for each component to create regular updates at a time when traffic is low, such as during the night.
  • Page 282: Package Installer

    Hotfixes, and update them immediately to ensure that your appliance remains as up-to-date as possible. McAfee recommends that you update the software packages manually on a new appliance using the Update From File option, then go to the System |...
  • Page 283: ePO

    Policy Catalog within ePolicy Orchestrator. Import ePO connection settings: Click to browse to the ePolicy Orchestrator connection settings file, to import the ePolicy Orchestrator connection information into the appliance.
  • Page 284: Setup Wizard

    The Setup Wizard is available from the user interface to allow you to edit settings that you made in the configuration console when you first installed the appliance. System | Setup Wizard
  • Page 285: Welcome

    In Transparent Bridge mode, other network devices, such as mail servers, are unaware that the appliance has intercepted and scanned the email before forwarding it. The appliance's operation is transparent to the devices.
  • Page 286 In Transparent Router mode, other network devices, such as mail servers, are unaware that the appliance has intercepted and scanned the email before forwarding it. The appliance's operation is transparent to the devices.
  • Page 287 Standard Setup Use the Standard Setup wizard to set up your appliance in Transparent Bridge mode, and configure it to protect your network. The Standard Setup wizard consists of the following pages:
  • Page 288 Web traffic includes HTTP traffic only. After installation: • The appliance protects your network against viruses, and uses McAfee SiteAdvisor when visiting websites. • To scan more types of traffic, you can enable each protocol from its page. From the navigation bar, select .
  • Page 289 Set Now: When clicked, applies the date and UTC time that you specified in this row. Client Time: Displays the time according to the client computer from which your browser is currently connected to the appliance.
  • Page 290 Basic Settings - Standard setup on page 288 • Network Settings on page 292 • Cluster Management on page 293 • DNS and Routing on page 212 • Time Settings on page 295
  • Page 291 • Email traffic includes SMTP and POP3. You can also choose to enable protection against Potentially Unwanted Programs and to enable McAfee Global Threat intelligence. You can also configure the local relay domain for the appliance. •...
  • Page 292 LAN Interface Type Specifies the type of connection — copper wire or optical fiber. This option is available only with higher-speed appliances.
  • Page 293 If you have more than three appliances in a cluster, McAfee recommends that you do not enable scanning on the master appliance. You cannot configure the master or the failover blades of the McAfee Content Security Blade Server to scan traffic.
  • Page 294 Address to use for load balancing: Specifies the appliance address. Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict.
  • Page 295 Only send queries to these servers: Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries as the appliance sends the queries to the specified DNS servers only.
  • Page 296 Use the IP address shown here to access the interface. For example https://192.168.200.10. Note that the address begins with https, not http. When you first log onto the interface, type the user name, scmadmin and the password that you gave to this setup wizard.
  • Page 297 Table 299 Option definitions Option Definition Browse Locate the configuration file to use as a basis for your new settings. The configuration filename is in the format: config_<date and time stamp>.zip
  • Page 298 • Email traffic includes SMTP and POP3. You can also choose to enable protection against Potentially Unwanted Programs and to enable McAfee Global Threat intelligence. You can also configure the local relay domain for the appliance. •...
  • Page 299 Depending on the cluster mode you selected on the Basic Settings page, the text that appears on the Cluster Management page changes. When configuring a group of appliances or McAfee Content Security Blade Servers, the current master uses a "least used" algorithm to assign connections to the appliances or blades configured to scan traffic.
  • Page 300 If you have more than three appliances in a cluster, McAfee recommends that you do not enable scanning on the master appliance. You cannot configure the master or the failover blades of the McAfee Content Security Blade Server to scan traffic.
  • Page 301 Address to use for load balancing Specifies the appliance address. Provides a list of all subnets assigned to the appliance. Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict.
  • Page 302 Password Use this page in the Custom Setup Wizard to specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters.
  • Page 303 • Password on page 296 • Summary — Standard setup on page 290 Contents Settings for ePO Management Basic Settings -- ePO Managed Setup Network Settings Cluster Management DNS and Routing
  • Page 304 On the ePO server, install these extensions using Menu | Software | Extensions | Install Extensions. On the ePO server, save the connections settings from Menu | Gateway Protection | Email and Web Gateway | Actions | Export Connection Settings.
  • Page 305 LAN Interface Type Specifies the type of connection — copper wire or optical fiber. This option is available only with higher-speed appliances.
  • Page 306 Address to use for load balancing: Specifies the appliance address. Provides a list of all subnets assigned to the appliance. Cluster identifier: Specifies an identifier. Range is 0-255. Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances.
  • Page 307 Only send queries to these servers: Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries as the appliance sends the queries to the specified DNS servers only.
  • Page 308 When you first log onto the interface, type the user name, scmadmin and the password that you gave to this setup wizard. The appliance is now managed by ePolicy Orchestrator. Log onto the ePO server to manage your appliance.
  • Page 309 The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing. No value has been set. The value has not been changed from the default. Check the value before continuing.
  • Page 311: Overview Of Troubleshoot Features

    Contacting support. • Submitting a sample. • The Virus Information Library. • Additional resources, including links to a list of McAfee addresses and to the SNMP MIB definitions. Contents Troubleshooting Tools Troubleshooting Reports Tests Troubleshooting Tools Use these topics to learn about the troubleshooting tools included within the appliance.
  • Page 312: Ping And Trace Route

    Swap Displays statistics on swap space, including total swap space, available swap space, and used swap space. Command - State Displays information about each process.
  • Page 313: Route Information

    • The route is available and operational. (U or Up) Metric Displays the preference given to the route. A low number indicates a high preference for that route. Displays the number of references to this route, and is usually 0.
  • Page 314: Disk Space

    Log Files Error Reporting Tool Minimum Escalation Report If requested by McAfee Technical Support, use this page to create a minimum escalation report to help them diagnose a problem with your appliance. Troubleshoot | Troubleshooting Reports | Minimum Escalation Report...
  • Page 315: Capture Network Traffic

    Specifies how long to run the capture. Default value is 30 minutes. Maximum size of output file: Specifies a limit to the size of the report. Default value is 50 MB.
  • Page 316: Save Quarantine

    Delete the report Log Files Use this page to save the log files for later analysis or to view them within the user interface. Troubleshoot | Troubleshooting Reports | Log Files
  • Page 317 Configure off-box system logs and system log archive: Click this link to move to the System | Logging, Alerting and SNMP | System Log Settings page, where you can configure your system logging options.
  • Page 318: Error Reporting Tool

    Overview of Troubleshoot features Tests Error Reporting Tool Use this page to create a report to help McAfee Technical Support diagnose any problems with your appliance. Troubleshoot | Troubleshooting Reports | Save Log Files McAfee Technical Support might ask for this report in addition to the Minimum Escalation Report. The report goes to a ZIP file and can take a few minutes to produce.
  • Page 319 ARP table. Ping the DNS server: States whether the appliance can contact the DNS servers. Query the DNS server for the external address ‘www.mcafee.com’: States whether each DNS server can resolve the address www.mcafee.com into the correct set of IP addresses...
  • Page 320 • Check that the appliance can send data to the ePO server. • Check that the number of ePO events waiting to be sent to the ePO server does not exceed a predefined threshold.
  • Page 321: How Appliances Work With ePolicy Orchestrator

    How appliances work with ePolicy Orchestrator This topic gives a top-level overview of how you can integrate your McAfee Email and Web Security Appliance with your McAfee ePolicy Orchestrator server. With this release, you can monitor the status of your appliances and also manage your appliance from ePolicy Orchestrator.
  • Page 323: Configuring Your Appliance For ePolicy Orchestrator Management

    Setup Wizard within Email and Web Security Appliances (System | Setup Wizard) includes a set of pages aimed specifically at configuring your appliance to be managed by ePolicy Orchestrator.
  • Page 325: Managing Your Appliances From Within ePolicy Orchestrator

    Use this topic to give an overview of the process to manage your Email and Web Security Appliances from within ePolicy Orchestrator. When you have configured your McAfee Email and Web Security Appliances to be managed by McAfee ePolicy Orchestrator, most configuration changes that you want to make to your appliances should be made via your ePolicy Orchestrator server.
  • Page 327: Index

    Global Threat Intelligence compliance authentication component update icap schedule authentication services using FTP Kerberos using HTTP RADIUS component update (spam) autonegotiation using FTP component updates software package
  • Page 329 Dashboard instant messaging email blocking Email Scanning Policies integration with ePO reports intercept ports system interface troubleshoot common tasks interface, layout of message search Message Search retention limits virtual host name
  • Page 330 POP3 event option settings smtp retention limits status reports email reports with virtual hosts favorite reports policy filter options anti-virus settings scheduled reports
  • Page 331 UPS system tests SMTP tools content policies disk space smtp policies ping spam rules and engine updates route information special actions system load trace route
  • Page 332 User Interface Access Configuration web detections external access to Universel Temps Coordinee web policies compliance web scanning add policy variables web status alert working with Email and Web Security Appliances substitution view log files
  • Page 336 700-2647A00-00...

This manual is also suitable for:

Web security appliance 5.6.0
