Network Interface Settings
After you log in, the data you entered during the initial setup appears on the Appliance > Network > Interface page.
If necessary, you can change the appliance network interface settings.
Providing or Changing Network Interface Settings for the Appliance
To enter network interface data for the appliance:
1. If you have a cluster, select the server for which you want to enter or change network data from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. Enter or modify the following parameters for your network:
• Hostname - the name you entered during the initial setup appears. For example, proofpointappliance.
Important: To change the hostname of a master Proofpoint Protection Server or an agent in a cluster, see Changing Hostnames for Masters and Agents in this topic.
• Domain Name - the name you entered during the initial setup appears. If necessary, enter a different domain name. Enter a Fully Qualified Domain Name (FQDN). For example, example.com. (Do not enter an IP address or hostname.)
• DNS Settings - Primary Name Server, Secondary Name Server, Tertiary Name Server. By default the IPv4 address for the public Primary Name Server appears, or the address or addresses you entered during the initial setup. The secondary and tertiary name servers are optional. Change or add addresses as necessary. (Use IPv4 addresses; do not use domain names or IPv6 addresses.)
Depending upon how your network is set up, the DNS servers may not recognize the IP addresses or hostnames of the Proofpoint Protection Servers on your network. In this case, you will want to add the IP address and hostname or hostnames of each Proofpoint Protection Server to the Hostname Override text box. The data that you enter in the Hostname Override text box populates the /etc/hosts file on the appliance.
Enter the IP address first, and then a blank space followed by the hostname or hostnames for each Proofpoint Protection server. Entering a fully-qualified domain name (FQDN) is preferable, but the system will accept IP addresses and hostnames.
For example:
10.10.10.10 pps1 proofpointmaster
10.10.10.02 pps2 proofpoint2 proofpointagent
10.10.10.03 proofpoint3.proofpoint.com
You must enter an IP address and at least one hostname for each Proofpoint Protection Server.
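As an added illustration (not part of the original guide or of Proofpoint's own software), the following Python applies the Hostname Override rules stated above: each entry starts with an IPv4 address and carries at least one hostname, and entries that were run together on one line are split apart before the /etc/hosts lines are rendered. The sample entries and the hostname pattern are this example's own assumptions.

```python
import ipaddress
import re

# Hostname rule used here (an assumption, not Proofpoint's validator):
# labels of letters, digits and hyphens, optionally dotted into an FQDN.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def parse_hostname_override(text):
    """Parse Hostname Override text into (ip, [hostnames]) entries.

    Every entry must start with an IPv4 address and carry at least one
    hostname, as the Interface page requires. Any token that is an IPv4
    address starts a new entry, so two entries pasted onto one line are
    still separated correctly.
    """
    entries = []
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in line.split():
            if _is_ipv4(token):
                current = (token, [])
                entries.append(current)
            elif current is None:
                raise ValueError(f"line {lineno}: entry must start with an IPv4 address: {token!r}")
            elif _HOSTNAME_RE.match(token):
                current[1].append(token)
            else:
                raise ValueError(f"line {lineno}: invalid hostname {token!r}")
    for ip, names in entries:
        if not names:
            raise ValueError(f"{ip}: at least one hostname is required")
    return entries


def render_hosts_lines(entries):
    """Render entries as the lines the appliance writes into /etc/hosts."""
    return [f"{ip} {' '.join(names)}" for ip, names in entries]


# Constructed sample input (not from any real deployment): the third entry
# was pasted onto the second line, the way a copied list often arrives.
SAMPLE_OVERRIDE = """\
10.10.10.10 pps1 proofpointmaster
10.10.10.2 pps2 proofpoint2 proofpointagent 10.10.10.3 proofpoint3.example.com
"""

if __name__ == "__main__":
    for hosts_line in render_hosts_lines(parse_hostname_override(SAMPLE_OVERRIDE)):
        print(hosts_line)
```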
Configuring Appliance Network Interfaces
The appliance supports a minimum of two network interfaces, network 1 and network 2, depending upon how the appliance hardware is configured. The IPv4 network address and netmask addresses you entered during the initial setup appear on the Appliance > Network > Interface page. Each Ethernet port installed on an appliance displays as a separate network interface on the Appliance > Network > Interface page. Configure each one separately.
Network 1 is always in use; it cannot be disabled. Network 2 is optional. If you do not enter an IPv4 network address and netmask for Network 2, or for any additional network interfaces, they will be disabled.
If you choose to bind Network 2 to Network 1, Network 2 adopts the IPv4 address and netmask of Network 1. Binding provides active-standby failover: should Network 1 fail, Network 2 takes over operations. Both network interfaces must be connected to the same subnet if you select binding for Network 2.
You also need to decide whether or not to use auto-negotiation for each network interface. If you do not use auto-negotiation, enter your own parameters for speed and duplex. If you select binding for Network 2, it will not adopt the auto-negotiation selections made for Network 1; auto-negotiation selections are independent for each interface.
To configure each network interface for the appliance:
1. Enter the IPv4 address you want to assign to the network interface in the IPv4 Address field. (Use an IPv4 address; do not use a domain name.)
2. Enter the accompanying netmask address you want to assign to the network interface in the Netmask field. (Use an IP address; do not use a domain name.)
3. For each Network Interface that appears on the Appliance > Network > Interface page, you have the option to select Manual Configuration for the Ethernet Interface parameter. If you select Manual Configuration, enter your own parameters for Speed and Duplex. However, Proofpoint strongly recommends that you leave Auto-Negotiation selected, unless you have specific network requirements.
4. To add IPv6 addresses to the network interface, enter each one into the IPv6 Address field and use the arrow buttons to populate the list. The Prefix variable is a decimal value that indicates the number of contiguous, higher-order bits of the addresses that make up the network portion of the address.
5. Click Save Changes.
The Link Status for each Network Interface will display Detected or Not Detected to indicate whether or not the network interfaces are connected correctly. Verify the Ethernet cables are properly connected to the ports on the appliance and to the network switch or hub.
The gateway address you entered during the initial setup appears in the Default Gateway field. Enter a new address if necessary. (Use an IP address; do not use a domain name.)
Configuring Static Routing for the Network Interfaces
To ensure connectivity for the appliance, configure the static network routes for each network interface on the appliance.
To configure routing for the appliance network interfaces:
Enter the IPv4 address, netmask, and gateway, and select the network interface, for each route before adding it to the Routing List, and then save your changes.
Click the right-arrow (>>) button to add all the data for a specific network interface to the Routing List at the same time.
Important: Be sure to enter the correct information when configuring static routes for the appliance. Also ensure that you do not enter information for a network interface that uses binding. Entering incorrect information can result in a lost connection.
IPv6 Network Routes
For every IPv6 address you add to the network interface, the network portion of the address displays in the IPv6 Routes box. The appliance listens to IPv6 router advertisements and displays them here. The "default via" address is the IPv6 gateway address discovered through an IPv6 router advertisement.
Changing Hostnames for Masters and Agents
Before changing the hostname for a master in a cluster, you must first delete all of the agents. See Adding and Deleting Agents in "Proofpoint Protection Servers" for more information.
To change the hostname of a master in a cluster:
1. Delete all of the agents on the System > Servers page.
2. Change the hostname of the master on the Appliance > Network page. (Do not use an IP address or domain name.)
3. Re-add the agents to the cluster on the System > Servers page.
You cannot change the hostnames for agents in a cluster using the Appliance > Network page.
To change the hostname for an agent:
1. Use the management interface to delete the agent from the cluster on the System > Servers page.
2. Log in to the agent as admin with SSH or start the console from a terminal connected to the agent.
3. Start the Setup Assistant Guide to set up and re-configure the agent with a different hostname.
Important: The hostname must resolve to the correct IP address for the agent.
4. Use the management interface to re-add the agent to the cluster on the System > Servers page.
Network Precedence Settings
The Appliance > Network > Precedence page is the management interface to the /etc/gai.conf (getaddrinfo) configuration file. When the appliance makes outbound network connections to other hosts which have multiple IP addresses, use the Precedence page to manage the order in which the IP addresses are used.
Host Firewall Selections
Use the Appliance > Host Firewall page to set up the firewall for an appliance by determining host access to the following ports:
• Admin Server (TCP Port 10000) - The Admin Server port allows access to the management interface (administrator interface) in a web browser. If you select Allow Specific Addresses, only connections from the IP addresses you specify will be allowed to log in to the appliance.
• Remote Access SSH (TCP Port 22) - The IP addresses that are allowed remote SSH access for support are listed in System Rules. These addresses are used by Technical Support to access your systems for purposes of troubleshooting problems. It is recommended that you leave these IP addresses enabled.
However, if you must disable the support IP addresses due to security policies or firewall rules, clear the Enable support access check box.
• SSH Disclaimer - If you want to display a disclaimer to anyone who logs in to the appliance using SSH, enter the text here. The disclaimer appears when a user provides a login name, before the password is entered. Here is an example of a typical disclaimer: "Property of <your_organization>. Do Not Attempt To Access Without Permission. This system belongs to <your_organization> and is for the exclusive use of <your_organization's> employees. If you are not a <your_organization> employee, do not attempt to log in."
• SMTP (TCP Port 25) - The SMTP service receives email from email clients and other MTAs. Note that restricting the SMTP service will impact the ability of the appliance to filter email.
Note: If you select Deny All Addresses, sendmail (bundled with the appliance) will lose its connection and the appliance will be unable to filter email.
• SNMP (TCP/UDP Port 161) - Should you want to restrict the SNMP connection, for example to the SNMP central manager, select Allow Specific Addresses and enter the IP address of the central manager in the User Rules text box. Use the Appliance > SNMP page to enable and configure SNMP for the appliance. See SNMP Configurations for more information.
• API Service (TCP Port 10010) - This port is the communication interface between the master and agents in a cluster. When you add an agent, Allow Specific Addresses becomes selected and the text boxes are populated with the hostname and IP address of the agent.
• Enduser Web (TCP Port 10020) - Access to the HTTP processor port allows users to view and manage their messages in the Quarantine using a web browser. Typically, Allow All Addresses should be selected.
• ICAP (TCP 1344) - This is the port used to accept connections from a proxy server. Typically you would select Allow Specific Addresses and enter the IP addresses for the proxy servers on your network.
• Database (TCP/UDP Port 3306) - This is the port used to communicate with the Proofpoint database that stores the Quarantine, User Repository, and log data tables. When you add an agent, Allow Specific Addresses becomes selected and the text boxes are populated with the hostname and IP addresses of the agent.
• Smart Search Queries (TCP Port 10946) - This port is required for searches, search results, and Smart Search settings.
• Smart Search Log Transfer (TCP Port 10947) - This port is required to transfer sendmail logs and filterd logs from a Log node (if applicable), or from the Config Master to Smart Search for indexing.
For each port, decide whether to Allow All Addresses, Deny All Addresses, or Allow Specific Addresses. If you added agent systems to a cluster, system rules and user rules will appear for each network interface when you select Allow Specific Addresses. You can change user rules, but you cannot change system rules.
The selections available on the Appliance > Host Firewall page vary depending upon whether you select an agent or master system to configure. If you select an agent, some selections will not be available to prevent you from disconnecting the agent from the master Proofpoint Protection Server.
To configure the firewall for the appliance:
1. Click the Host Firewall link under Appliance in the navigation pane.
2. If you have a cluster, select the name of the server for which you want to configure access information from the Server drop-down list. (Click Save Changes after making configurations for each server that you select from the drop-down list.)
3. Make selections from the following parameters for each port:
• Allow All Addresses - select if you want all hosts to have access to the port.
• Deny All Addresses - select if you want to deny all hosts access to the port.
• Allow Specific Addresses - select if you want to limit access to the port for a specific range of IP addresses.
- System Rules text box. The IP addresses in System Rules ensure that Proofpoint Protection Server services can access each other correctly. The system rules are automatically configured and are always on. You cannot delete or modify them. The system rules for the Admin Server guarantee that agents can communicate with the master Proofpoint Protection Server. The system rules for Remote Access SSH ensure that Proofpoint will be able to provide support to your appliance.
- User Rules text box. The IP address ranges in User Rules are applied in addition to the system rules. They are ranges of IP addresses for the internal network; for example, you may want to narrow the user-rule ranges to make your firewall more restrictive. Refer to the CIDR standards for information about specifying a range of IP addresses.
4. After making access selections for each port, click Save Changes.
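The Allow All / Deny All / Allow Specific decision, with system rules that cannot be edited and CIDR user rules that can, can be modelled as follows. This is an added example, not Proofpoint's firewall code: the port policies, the agent address and the 192.0.2.0/24 stand-in for the support addresses are constructed assumptions, and Deny All is read literally (nothing gets in), which is what the SMTP note above implies.

```python
import ipaddress
from enum import Enum


class Mode(Enum):
    ALLOW_ALL = "Allow All Addresses"
    DENY_ALL = "Deny All Addresses"
    ALLOW_SPECIFIC = "Allow Specific Addresses"


class PortPolicy:
    """One port's Host Firewall selection, as modelled in this example.

    system_rules cannot be edited and stay in force under Allow Specific
    Addresses; user_rules are the administrator's CIDR ranges. Rules are
    CIDR strings such as "10.1.0.0/16" or a single host "10.1.2.20/32".
    """

    def __init__(self, port, mode, system_rules=(), user_rules=()):
        self.port = port
        self.mode = mode
        self.system_rules = [ipaddress.ip_network(r) for r in system_rules]
        self.user_rules = [ipaddress.ip_network(r) for r in user_rules]

    def allows(self, source):
        """True if a connection from `source` may reach this port."""
        src = ipaddress.ip_address(source)
        if self.mode is Mode.ALLOW_ALL:
            return True
        if self.mode is Mode.DENY_ALL:
            return False
        return any(src in net for net in self.system_rules + self.user_rules)


def lint(policies):
    """Flag the selections the page warns about or that lock administrators out."""
    warnings = []
    for name, p in policies.items():
        if p.port == 25 and p.mode is Mode.DENY_ALL:
            warnings.append(f"{name}: Deny All on TCP 25 stops sendmail, so no mail is filtered")
        if p.port == 10000 and p.mode is Mode.ALLOW_SPECIFIC and not p.user_rules:
            warnings.append(f"{name}: Allow Specific with no user rules admits only system-rule addresses")
    return warnings


# Constructed example (not a real appliance's rules): a master with one agent at
# AGENT_IP, an internal admin network of 10.1.0.0/16, and 192.0.2.0/24 standing
# in as a placeholder for the support addresses Proofpoint lists in System Rules.
AGENT_IP = "10.1.2.20"
POLICIES = {
    "Admin Server": PortPolicy(10000, Mode.ALLOW_SPECIFIC, [f"{AGENT_IP}/32"], ["10.1.0.0/16"]),
    "Remote Access SSH": PortPolicy(22, Mode.ALLOW_SPECIFIC, ["192.0.2.0/24"], ["10.1.0.0/16"]),
    "SMTP": PortPolicy(25, Mode.ALLOW_ALL),
    "API Service": PortPolicy(10010, Mode.ALLOW_SPECIFIC, [f"{AGENT_IP}/32"]),
    "ICAP": PortPolicy(1344, Mode.ALLOW_SPECIFIC, user_rules=["10.1.5.10/32"]),
}
```

Running `lint(POLICIES)` before saving is the programmatic equivalent of re-reading the Deny All note on the SMTP port.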
Inbound Mail Configurations
Use the System > Inbound Mail page to configure the inbound mail routes to which you want to apply filtering. If you are managing hundreds of inbound mail routes, you can use the search facility to display the route or routes you are interested in viewing or changing.
You need to determine which host, IP address, or domain will accept mail for filtering, and if necessary, decide which mail servers will be responsible for delivering the filtered mail.
Important: You must click Save Changes to save the inbound mail routes you add to the System > Inbound Mail page. When you save the changes, any duplicate entries that already exist on the Outbound Mail Routes list are removed from the Outbound Mail Routes list - you are not allowed to save the same routes to both the Inbound Mail Routes list and the Outbound Mail Routes list. The entries on the Inbound Mail Routes list will always take precedence. New entries are appended to the list.
When you create or import new inbound mail routes, you have the option of creating a Domain Group for the domain or mail route. See Adding Domain Groups for Inbound Mail Routes in this topic.
A default_inbound Policy Route on the System > Policy Routes page is automatically created based on the information you provide for the Mail for Host/Domain and Route to Host(s)/Domain(s) fields. The default_inbound Policy Route determines which host and domain will accept email for filtering, and determines the destination host or hosts responsible for delivering the mail. Should you change the information, the default_inbound Policy Route is automatically updated. You cannot directly edit the default_inbound Policy Route, although you can create additional inbound Policy Routes on the System > Policy Routes page. See About Policy Routes for more information.
When you add or import entries to the System > Inbound Mail page, those entries are added to the sendmail relay_domains and mailertable tables. Note that only SMTP/ESMTP entries are added to the mailertable.
Note: The smart host is not available for Proofpoint Enterprise customers.
To configure filtering for inbound mail:
1. Click the Inbound Mail link under System in the navigation pane.
2. If you have a cluster, select the name of the server for which you want to enter or change routing information from the Server drop-down list. (Click Save Changes after making configurations for each server that you select from the drop-down list.)
3. Click Add.
4. Enter information or make selections for the following configurations on the System > Inbound Mail page:
• Mail for Host/Domain field - enter the hostname, IP address, or domain name that will accept inbound mail for filtering. After filtering, the mail is routed to the destination host (Route to Host(s)/Domain(s)). This field accepts both IPv4 and IPv6 addresses. You can enter multiple entries, one per line.
• Route By drop-down list - specify the mailer program for routing mail to the destination host (Route to Host(s)/Domain(s)).
- DNS. The mail route is determined by DNS to resolve the mail server used in the recipient's email address. (If you choose to use a smart host, DNS will no longer be available from the Route By drop-down list.)
- ESMTP. Route mail to a destination host that uses ESMTP. (Preferred routing protocol for inbound mail.)
- SMTP. Route mail to a destination host that uses SMTP.
- Smart Host. Route email for this host/domain to the server specified as the Smart Host on the Appliance > SMTP Settings > Advanced page. (Smart Host only appears in the Route By drop-down when the Smart Host value is configured.)
• Route to Host(s)/Domain(s) field - enter the hostname, IP address, or domain name to which filtered mail is routed. You can enter multiple entries, one per line. (The selection you make for the Route By parameter determines whether or not you need to enter information in this field.)
• Lookup By radio buttons - select a lookup method that will verify the name of the destination host. (The selection you make for the Route By parameter determines the available lookup methods.)
- A record only. Route mail for the domain directly to the specified server.
- MX and A records. Route to the mail server specified by the MX record lookup of the recipient's domain. This option is rarely used.
• Delivery Type radio buttons - select the delivery method for routing filtered mail to the destination host. (The selection you make for the Route By parameter determines the available delivery type methods.)
- Ordered. The appliance cycles through the list of destination hosts, in order, until it finds one to which the inbound mail can be delivered. If the end of the list is reached before successfully connecting to a destination host, mail delivery temporarily fails.
- Load Balanced. The list of destination hosts is cycled through in a continuous loop, until a connection is successful.
5. Click Save Changes.
To edit an entry, click on the information in any of the columns.
After making your configurations, you can select the number of entries you want to display in the Inbound Mail Routes table by making a selection from the Entries drop-down list.
Importing a List of Mail Routes
To import a text file that contains a list of mail routes, use the following format for the entries in the text file and separate each entry with a new line. When you enter multiple entries for Route to Host(s)/Domain(s), you can influence the Delivery Type by separating the entries with colons (Ordered) or commas (Load-Balanced).
Note: After import, the entries will be sorted in ascending order in the management interface, no matter what order they were in the text file.
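To show how the Delivery Type choice (Ordered versus Load Balanced, described under step 4 above) and the colon/comma separator rule for imported routes fit together, here is an added Python example that is not part of the guide or of the appliance. The host names are constructed, and the rotation start and attempt bound for Load Balanced delivery are this example's additions, since the page describes an unbounded loop.

```python
# Constructed Route to Host(s)/Domain(s) values (not from a real deployment).
# Colons between hosts select Ordered delivery, commas select Load Balanced,
# as the import-format note describes. IPv6 literals also contain ':'; the
# page does not say how the import format escapes them, so they are not handled.
ORDERED_ROUTE = "mx1.example.com:mx2.example.com:mx3.example.com"
BALANCED_ROUTE = "mx1.example.com,mx2.example.com,mx3.example.com"


def parse_route_hosts(value):
    """Return (delivery_type, [hosts]) for one Route to Host(s)/Domain(s) value."""
    if ":" in value and "," in value:
        raise ValueError("mixing ':' (Ordered) and ',' (Load Balanced) is ambiguous")
    sep = ":" if ":" in value else ","
    hosts = [h.strip() for h in value.split(sep) if h.strip()]
    if not hosts:
        raise ValueError("no destination hosts given")
    delivery = "Load Balanced" if sep == "," and len(hosts) > 1 else "Ordered"
    return delivery, hosts


def deliver(delivery, hosts, connect, start=0, max_attempts=None):
    """Simulate the Delivery Type behaviour described on the Inbound Mail page.

    connect(host) returns True when the destination accepts the connection.
    Ordered: walk the list once, in order; reaching the end without a
    connection is a temporary failure (None). Load Balanced: keep cycling
    through the list until one host answers; `start` rotates the starting
    point and `max_attempts` bounds the loop (both are this example's additions).
    """
    if delivery == "Ordered":
        for host in hosts:
            if connect(host):
                return host
        return None
    limit = max_attempts if max_attempts is not None else 10 * len(hosts)
    for i in range(limit):
        host = hosts[(start + i) % len(hosts)]
        if connect(host):
            return host
    return None


if __name__ == "__main__":
    for route in (ORDERED_ROUTE, BALANCED_ROUTE):
        delivery, hosts = parse_route_hosts(route)
        # Only the last host answers in this constructed run.
        chosen = deliver(delivery, hosts, lambda h: h.startswith("mx3"))
        print(f"{delivery:13} -> {chosen}")
```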