
Welcome

In document Proofpoint Administration Guide (Page 31-37)

Introduction to the Proofpoint Protection Server

Welcome to the Proofpoint Protection Server. The Proofpoint Protection Server is a powerful software application that integrates virus protection, spam detection, message encryption, regulatory compliance, and digital asset protection technologies into an extensible message management platform. The Proofpoint Protection Server is designed to fit easily into your corporate environment, taking advantage of the existing corporate messaging infrastructure. It provides efficient performance, accurate message analysis, and a web-based interface (the management interface) for reporting, configuration, and management tasks.

Product Overview

The Proofpoint Protection Server is comprised of these components:

• Filtering modules - the Email Firewall, Virus Protection, Spam Detection, and Regulatory Compliance Modules filter SMTP messages for envelope criteria, connection criteria, virus infections, spam, and message content. The Digital Assets Module protects your organization from accidental or deliberate disclosure of confidential information or trade secrets.

• The Data Loss Prevention (DLP) dashboard provides a centralized and consolidated overview of DLP activity across your organization with custom views of DLP reports and an incident manager console.

Administrators and security practitioners can view real-time DLP statistics and trends as well as manage current incidents. Data can be viewed in high level reports or as detailed incidents so that administrators can quickly focus on the critical areas of interest. The DLP dashboard consolidates data from the Regulatory Compliance Module and the Digital Assets Module. You will not see the DLP Dashboard in the management interface if you have not licensed the Regulatory Compliance and Digital Assets modules.

• If you have an ICAP-enabled web proxy server (Internet Content Adaptation Protocol) on your network, you can also filter and block HTTP content for data loss prevention by enabling rules for HTTP content in the Regulatory Compliance and Digital Assets modules.

• Proofpoint Encryption - provides a fully integrated message encryption and decryption solution.

• Administrators have granular control over the filtering policies and dispositions of messages that are infected, designated as spam, or contain inappropriate or confidential content. Messages designated as suspicious can be stored in a Quarantine folder or an Incident Queue for further analysis and disposition.

• Message Processing Hub – this multi-protocol hub accepts all incoming messages and commands, passes messages to the Analysis Modules, exposes the functions of the Management Services, and handles final message dispositions.

• Management Services – centralized management services include administration, message tracing, reporting, and monitoring.

Licensing Overview

Administrators purchase licenses for the modules they want to use in their Proofpoint deployments. Once you activate the product, the management interface displays only the parameters and navigation links for the modules for which you are licensed. The basic license includes the Email Firewall Module and all of the system administration, Reporting, Logging, Digest, and Quarantine functions.

Proofpoint Messaging Security Gateway

A common problem facing most email administrators and end users today is the growing proliferation of spam and viruses. The flood of such unwanted email sent by spammers and hackers has large cost implications for corporate organizations. The unwanted traffic results in lowered productivity and consumes valuable IT resources. This impact is particularly severe for businesses that maintain in-house mail servers and have limited administrative resources.

The Proofpoint Messaging Security Gateway (appliance) is an affordable and compact solution ideal for mid-sized organizations looking for a turn-key solution to address spam, virus, and other message-borne threat protection capabilities. Without the hassle of configuring hardware and operating systems, the Proofpoint Messaging Security Gateway is pre-installed with the Proofpoint Protection Server software, can be up and running quickly, and is easily maintained by a single administrator.

Clusters and Services

You can deploy several Proofpoint Protection Servers or appliances in a cluster and assign them to different services.

For example, one system can serve as the master administration console (the Config Master) and the other systems as filtering services.

Related Topics:

See Master, Agents, Clusters, and Instances for definitions of these Proofpoint Protection Server terms.

Master, Agents, Clusters, and Instances

You can deploy several Proofpoint Protection Servers to provide various services. For example, you can install the Proofpoint Protection Server software on three systems, deploy one system as the master Management Services console (the Config Master), and deploy the other two systems as the filtering services (agents). The system running the administrative interface is designated as master during installation, and the two systems running the filtering services are designated as agents during installation. The master server pushes configuration changes to the agent servers.

The server root is the directory location for the Proofpoint Protection Server software. This location is arbitrary, and varies from installation to installation. For documentation purposes, this directory is referred to as ${PROOFPOINT_ROOT}.

A cluster is a collection of instances managed as one logical unit.

An instance is an instantiation (working process) of the Proofpoint Protection Server software.

Proofpoint supports one instance per server root, and one server root per host configuration. Internally, the Proofpoint Protection Server identifies a fully qualified instance name by hostname, administration port number (one per server root), and instance name.

Administrators can give an instance a display name - an alphanumeric string that identifies the instance by a name that makes sense. If there is no display name for the instance, the fully qualified instance name appears in the web-based management interface by default.

Related Topics:

For information about adding agents to a cluster, see Adding and Deleting Agents.

Navigating the Management Interface

The left side of the management interface provides the navigation pane. Each top-level link expands (to reveal) and contracts (to hide) the links to the Proofpoint Protection Server components. You will only see the modules for which you have purchased licenses.

Collapsed Navigation Pane

Click a top-level navigation link to expand it

Links on Every Page

The following links appear by default on each page of the management interface.

Logged in as – displays the name of the administrator currently logged in to the management interface.

Logout – logs the administrator out of the Proofpoint Protection Server management interface.

Switch to Advanced Mode – displays all of the navigation links in the management interface. Toggles between the Advanced and Basic modes.

Switch to Basic Mode – hides the more advanced configuration links. Toggles between the Advanced and Basic modes.

Add Shortcut – adds a shortcut to the bottom of the navigation pane for the page that is currently displayed.

Shortcuts are displayed with a shortcut icon. You can have up to five shortcuts at a time. Older shortcuts are moved off the list as you add new ones. Tooltips provide more detailed information about each shortcut.

Refresh Config – if more than one administrator is making changes to the configuration, this link ensures that all changes are applied before anyone logs out of the management interface. If only one administrator is making configuration changes, this link ensures the changes are applied immediately.

Enter Search - searches the Call Tracking System forums for the word you enter into the field.

Help – provides context-sensitive help for the current page.

Display and Hide Icons

The Display and Hide icons display or hide the navigation pane.

Expand and Collapse Navigation Pane Icons

The Expand and Collapse icons expand and collapse the links under each top-level entry in the navigation pane.

Minimize and Maximize Panes on a Page

The Minimize and Maximize icons hide and display panes on a page.

Paging through Entries

Use the Previous, Next, First and Last icons to page through entries on a page or in a pane.

Expanding and Collapsing the Menus

Click the up-arrow or down-arrow to display or hide the menus for each entry in the navigation pane. See Admin Server Settings.

Refresh Page Icon

The Refresh Page icon updates the page or table with the latest data.

Editing or Viewing Table Elements

To make changes to an element in a table or on a page, click the name of the element. For example, to view or make changes to an administrator, a server, a rule, or a Policy Route, click its name. To view message details for a message in a Quarantine folder, click the message.

Selecting Items in a Table on a Page

If you want to select all of the items in a table displayed on a page, select the all check box. There are two all check boxes: one is labeled All, and the other one is not labeled.

Click this check box to select all items displayed in a table or list.

Click this check box to select all of the items returned from a query, whether or not they are displayed in a table or list.

Persistent Views

When an administrator logs off from the management interface, then logs back in, his or her view from the previous session will display. For example, if an administrator was working on the System > Settings > SMTP page when the administrator logs off, this is the page that displays when the administrator logs back in to the management interface.

Persistent views are stored per browser and per user.

If you are working in Basic Mode, and then switch to Advanced Mode and go to a link exposed in Advanced Mode, when you switch back to Basic Mode, the link from the Advanced Mode will appear in the Basic Mode. That is, navigation links that you view in Advanced Mode are promoted to Basic Mode.

You can enable or disable persistent views and change the persistence expiration period on the System > Settings > Admin Server page.

Managing Your Proofpoint Portal

The Proofpoint Portal allows administrators to organize their views for status, reporting, and management of a cluster of Proofpoint Protection Servers or appliances.

Administrators can customize and save unique views of information and functionality by creating a portal to the Proofpoint cluster. A portal is comprised of one or more customized workspaces. Each workspace is comprised of one or more pages of information. Each page contains widgets - a widget is a UI element (management interface element) that serves as a container for functionality.

For details on how to create, delete, and manage workspaces, see Creating and Managing Workspaces and Working with Pages and Widgets.

Examples:

• You are the security officer for your organization. You are only interested in the data collected by the Regulatory Compliance Module. You create a workspace on the DLP Summary > Dashboard page named Security and choose the widgets for that workspace that report on messages that are sent to the Incident Queue because they triggered rules in the Regulatory Compliance Module.

• Your responsibility as a network administrator is to monitor and manage connections to your organization, and throttle IP addresses or domains that are sending spam to your organization or attacking your network.

You create a workspace on the System > Summary page named Connections and select the widgets for that workspace that are relevant to your monitoring responsibilities. The portal you create only contains the information that is important to you.

You can access your portal from System > Summary or DLP Summary > Dashboard in the navigation pane.

Creating a portal is a three-step process:

• Create a workspace and give it a name.

• Add pages to the workspace.

• Add widgets to each page.

There is no limit to the number of workspaces you can add to your portal.

About Workspaces

A default workspace named Default view is already included with the Proofpoint Protection Server software. The default workspace contains preconfigured pages that you can modify or delete. You can also add new pages to the default workspace.

The following pages are included with the Default view for System > Summary:

Server Status - displays summary status information for the entire cluster and for each Proofpoint Protection Server or appliance in the cluster individually. For details about the data displayed on the Server Status page, see Server Status in "System Summary."

Message Traffic - for each analysis module, the table displays the number of messages processed by the rules for the module. The data in the tables is aggregated for all of the Proofpoint Protection Servers in the cluster. For the Quarantine, the table displays the number of messages sent to the Quarantine because they triggered rules in the filtering modules. The data is aggregated for all of the systems in a cluster and summed for different time periods. For details about the data displayed on the Message Traffic page, see Message Traffic in "System Summary."

Reports - several preconfigured reports appear on this page. You can add more report widgets, delete report widgets, or re-arrange the reports.

News - several preconfigured news articles and RSS (Really Simple Syndication) feeds appear on this page. You can add more news widgets, delete news widgets, and re-arrange the news articles on this page.

The default DLP Dashboard view (DLP Summary > Dashboard) contains reports for Top Regulation Senders, Regulation Rule Trends, the Compliance Incident Manager, and trends for Proofpoint Encryption.

About Widgets

Widgets are the management interface (UI) elements that serve as containers for functionality. The Proofpoint Protection Server software includes a menu of widgets. When you select a widget in the menu, a description or graphic describes the functionality for that widget.

Editing, Updating and Deleting Widgets

Each widget on a page has a title bar. If you place the mouse pointer over the title bar, the following icons appear:

• Pad and pencil - displays an edit screen with the following choices (choices vary between widgets).

Cache. Enables or disables the internet cache. If enabled, the graph for the data is cached for one hour. If disabled, the graph is redrawn on the next Refresh.

Period. Select a time period for which you want collected data to be graphed.

Refresh. Select a time period for the data in the widget to be automatically refreshed.

Image Size. Select large or small icons for the widget.

Chart. Displays a list of available reports.

• Update icon. Refreshes the data for the widget immediately.

• Delete icon. Removes the widget from the page.

Chapter 2 - Evaluation

Start Filtering Email

This page is your starting point for filtering email to see how the Proofpoint Messaging Security Gateway (appliance) catches and quarantines spam and messages containing a virus.

You have these choices for getting email into the appliance:

• You can inject sample email provided by Proofpoint into the appliance. This is the fastest way to see messages in the Quarantine, and after an hour or so, you can view graphs and reports describing data collected from the Quarantine. To use this method, click the Filter sample email collection icon.

• You can inject a corpus of email messages that you collected into the appliance. To use this method, you must first create a zip archive that contains a collection of email messages in RFC 822 format. Click the Upload and filter your email icon if you want to use this choice.

• You can set up email forwarding directly from your personal POP account to the appliance for filtering. All email messages directed to your POP account (for example, [email protected], or [email protected]) are forwarded to the appliance, filtered, and then delivered to the email address that you specify for forwarded email. Click the Filter email from any POP account icon to use this method.

Filter Sample Email

Use this page to inject sample email provided by Proofpoint into the appliance.

Enter your email address into the Recipient Email Address field, and click the Start icon. Your email address will be added to the User Repository and you will receive a sample User Digest. The Digest lists the messages addressed to you that have been quarantined because they are spam or contain a virus.

When the message injection process finishes, click the View the Quarantine icon to go directly to the Quarantine to see your quarantined messages.

Note: You need to wait at least one hour before you can create reports.

Be sure to check your email account for a Digest sent to you by the appliance. The Digest contains a list of messages that are addressed to you and are stored in the Quarantine. (The Digest is sent to the email account that you entered into the Recipient Address field.)

Filter Your Email

Use this page to inject your own corpus of email messages into the appliance. Create a zip archive that contains a collection of email messages in RFC 822 format.

Before you create the zip archive, you should clean up the email headers in the corpus. For example, if the messages are addressed to no legitimate recipients, or to multiple recipients, that information is stored in the Quarantine along with the message. If you release a message from the Quarantine, or send Digests to all recipients who have messages in the Quarantine, you can potentially generate countless email bounces.

1. Enter a new email address for the recipient for the filtered email in your corpus. This is an optional but recommended step. For example, if you enter your email address into the Recipient email address (optional) field, the messages injected into the Quarantine from your corpus will be addressed to you, and will show up in your Digest.

2. Enter the directory path and filename for your zip archive into the Filename field, or use the Browse button to locate it.

3. Click the Start icon to begin injecting the messages.

When the message injection process finishes, click the View the Quarantine icon to go directly to the Quarantine to see your quarantined messages.

Note: You need to wait at least one hour before you can create reports.
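The header cleanup described above can be scripted before the archive is uploaded. The following is an added example, not part of the Proofpoint guide or product: it strips every recipient header from each RFC 822 message, addresses the message to one evaluation mailbox, and packs the results into a zip archive. The sample messages, file names, and addresses are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.generator import BytesGenerator

# Headers that carry recipients; the Quarantine stores them with the message.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc")

# Constructed sample corpus (hypothetical file names and addresses).
SAMPLE = {
    "multi.eml": (b"From: sender@example.net\n"
                  b"To: a@example.org, b@example.org\n"
                  b"Cc: c@example.org\n"
                  b"Subject: Constructed sample 1\n\nBody one.\n"),
    "none.eml": (b"From: sender@example.net\n"
                 b"Subject: Constructed sample 2\n\nBody two.\n"),
}


def clean_message(raw: bytes, recipient: str) -> bytes:
    """Replace all recipient headers with a single To: header."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    for name in RECIPIENT_HEADERS:
        del msg[name]  # drops every occurrence; no error if absent
    msg["To"] = recipient
    out = io.BytesIO()
    BytesGenerator(out, mangle_from_=False).flatten(msg)
    return out.getvalue()


def build_corpus_zip(messages: dict, recipient: str) -> bytes:
    """Clean each message and return the bytes of a zip archive of the results."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, raw in messages.items():
            zf.writestr(name, clean_message(raw, recipient))
    return buf.getvalue()


if __name__ == "__main__":
    # admin@example.com is a placeholder for the evaluation mailbox.
    with open("corpus.zip", "wb") as fh:
        fh.write(build_corpus_zip(SAMPLE, "admin@example.com"))
```

Because every message ends up with exactly one recipient, releasing it from the Quarantine or sending Digests cannot reach the addresses that were in the original headers.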
