Clearswift SECURE Exchange Gateway Installation & Setup Guide. Version 1.0

Full text

(1)

Clearswift SECURE Exchange Gateway

Installation & Setup Guide

Version 1.0

(2)

Copyright

Revision 1.0, December, 2013 Published by Clearswift Ltd.

© 1995–2013 Clearswift Ltd.

All rights reserved.

The materials contained herein are the sole property of Clearswift Ltd unless otherwise stated.

The property of Clearswift may not be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd.

Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities.

The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd. All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography.

Clearswift reserves the right to change any part of this document at any time.

(3)

Contents

Copyright ii

Contents iii

About this guide v

Prerequisites 1

Software requirements 1

Hardware requirements 1

Supported browsers 1

Configuration values 1

Exchange Interceptor requirements 2

Install your Gateway 3

Install your Exchange Gateway on pre-configured hardware 3

Mount the Exchange Gateway 3

Connect your computer to the Exchange Gateway 3

Complete the setup wizard 3

Connect the Gateway to your network 4

Start using the Exchange Gateway 4

Install your Exchange Gateway on a computer or virtual machine 5

Install using DVD or ISO image 5

Change the default IP address 6

Complete the installation 6

Install your Clearswift SXG Interceptor 8

Exchange Gateway 8

Exchange Server 8

Install your Clearswift SXG Interceptor 9

Complete the installation 10

Validate the SXG Interceptor installation 11

Test your SXG Interceptor 12

Troubleshoot your SXG Interceptor 13

Display information about the Interceptor 13

Check that the SXG Interceptor is installed as a transport agent 13

Set the logging level 13

Supplementary Information 14

Reinstall the Exchange Gateway 14

Replicate the SXG Interceptor configuration store 14

- iii -

(4)

Uninstall the SXG Interceptor and configuration store 15

Appendix 16

Configuration Values 16

(5)

About this guide

The Clearswift SECURE Exchange Gateway and the Clearswift SXG Interceptor together provide a way for you to apply email content policies to your Microsoft Exchange Servers.

You can install the SECURE Exchange Gateway on:

n Preconfigured Clearswift hardware

n A VMware vSphere, ESX/ESXi or Microsoft Hyper-V virtual machine

n Your own hardware

This guide tells you how to complete the following:

n Install the Exchange Gateway on preconfigured hardware

n Install the Exchange Gateway on a computer or a virtual machine

n Install the Clearswift SXG Interceptor on a Microsoft Exchange Server

In this document, the terms Exchange Gateway , SECURE Exchange Gateway, and SXG Gateway are interchangeable.

- v -

(6)

Prerequisites

This section describes minimum system requirements for Gateway and SXG Interceptor installation. It includes:

n Software requirements

n Hardware requirements

n Supported browsers

n Guidance of what information you need to supply during the installation process

n Supported versions of Microsoft Exchange and Windows Server

Prerequisite steps for installing the SXG Interceptor depend upon successful Gateway installation and are described in the section Install your Clearswift SXG Interceptor.

Software requirements

There are no software requirements for the Clearswift SECURE Exchange Gateway.

The Exchange Gateway runs on the Clearswift Linux operating system. Both the Exchange Gateway application software and the Clearswift Linux operating system are included in the installer.

Windows AD LDS must be installed on the Microsoft Exchange Server. You can add it by using Windows Server Manager or Powershell. If you use Powershell, type the following from the PowerShell Management Shell:

Import-Module ServerManager

Add-WindowsFeature ADLDS

Hardware requirements

Your computer or virtual machine will need at least 4GB RAM and an 80GB hard drive.

Supported browsers

One of the following browsers is required to access the Exchange Gateway interface:

n Google Chrome (version 18 or later)

n Microsoft Internet Explorer version 7, 8, 9 or 10

n Mozilla Firefox (version 10 or later)

Configuration values

You will need to supply some basic information about your SECURE Exchange Gateway and network configuration in the Clearswift Installation Wizard.

(7)

The required information with supporting notes and space for your own values can be found in the Configuration values table in theappendix.

Before you start, print the table, and then gather the information in it.

Exchange Interceptor requirements

The Clearswift Exchange Interceptor supports the following versions of Microsoft Exchange Server and Microsoft Windows Server.

Version Supported operating system(s)

Exchange Server 2007 SP3 Windows Server 2008 RTM Windows Server 2008 SP2 Windows Server 2008 R2 RTM Windows Server 2008 R2 SP1

Exchange Server 2010 RTM Exchange Server 2010 SP1 Exchange Server 2010 SP2 Exchange Server 2010 SP3

Windows Server 2008 SP2 Windows Server 2008 R2 RTM Windows Server 2008 R2 SP1

Exchange Server 2010 SP3 Windows 2012 RTM

Exchange Server 2013 CU1 Exchange Server 2013 CU2 Exchange Server 2013 CU3

Windows Server 2008 R2 SP1 Windows 2012 RTM

Key

SP = Service Pack

RTM = Release To Manufacturing (initial release) CU = Cumulative Update

- 2 -

(8)

Install your Gateway

The section contains instructions on:

n Installing your Exchange Gateway on pre-configured hardware

n Installing your Exchange Gateway on a computer or virtual machine using a Clearswift installation DVD or ISO image.

Depending on your organization's preferred configuration, you only need to perform one of these installations.

Install your Exchange Gateway on pre-configured hardware

Mount the Exchange Gateway

The Exchange Gateway application software and Clearswift Linux operating system are already loaded on the Exchange Gateway .

1. If required, mount your Gateway in a system rack.

2. Connect the Gateway to a power supply, turn it on, and then allow the installation to complete.

This stage takes approximately 10 minutes. When finished, the Gateway restarts.

Connect your computer to the Exchange Gateway

The default Network Interface Card on the Exchange Gateway (NIC1) is set by default to an IP address of 192.168.10.10.

To connect your computer to the Exchange Gateway:

1. Configure the computer with these TCP/IP settings:

n Static IP address: 192.168.10.5

n Subnet mask: 255.255.255.0

2. Connect the computer to NIC1 on the Gateway using a switch, hub, or Ethernet crossover cable.

Complete the setup wizard

1. After your computer is connected to the Exchange Gateway , use a supported browser to go to https://192.168.10.10.

The welcome page of the Clearswift Installation Wizard is displayed.

If you cannot see the installation wizard, you might need to disable the proxy in your browser.

(9)

2. Follow the instructions in the installation wizard.

Information required by the wizard is found in the Configuration values table in theappendix.

Connect the Gateway to your network

1. Disconnect your computer from the Exchange Gateway.

2. Connect the Gateway to your network using NIC1 (and NIC2 if you configured the second NIC).

Start using the Exchange Gateway

1. Use a supported browser to go to https://xxx.xxx.xx.xx where xxx.xxx.xx.xx is the IP address you configured for your Gateway.

2. Log on to the Exchange Gateway using the Web User Interface (admin) account.

The installation process might not be available while the wizard completes the installation process. If you cannot access the Gateway, wait for a few minutes before retrying.

3. For general Gateway configuration considerations, seeFirst Stepsin the online help.

4. For Exchange Gateway configuration requirements when setting up with an Exchange Server and SXG Interceptor, seeConfigure Gateway to Exchange Server communication.

- 4 -

(10)

Install your Exchange Gateway on a computer or virtual machine

Install using DVD or ISO image

This section contains instructions for installing your Clearswift SECURE Exchange Gateway using a Clearswift installation DVD or ISO image.

You install the Exchange Gateway either on your own hardware or on a VMware vSphere or Microsoft Hyper-V virtual machine.

1. At the computer or virtual machine where you want to install the SECURE Exchange Gateway, do one of the following:

n Insert the Clearswift Installation DVD into the disk drive.

n Mount the Clearswift Installation ISO image file.

2. Restart the computer or virtual machine.

3. On the boot screen, select Gold CD, and then press Enter.

4. At the Selection prompt, type 1 to select installation Phase 1, and then press Enter.

5. At the Make selection prompt, select a hard disk in the list by typing its number, and then press Enter.

The computer or virtual machine's hard disk is partitioned and formatted.

6. When formatting is finished, press Enter.

The Gold CD disk image is copied to a Factory partition on the computer or virtual machine's hard disk.

7. When copying is finished, do one of the following:

n Eject the Clearswift DVD.

n Unmount the ISO image file.

8. Restart the computer or virtual machine.

9. On the boot screen, select Factory partition, and then press Enter.

Clearswift Linux and the SECURE Exchange Gateway are installed.

The computer or virtual machine restarts, and then continues setup.

10. On the boot screen, select Live root partition, and then press Enter.

The Exchange Gateway is initialized.

The prewizard.local login is displayed.

The SECURE Exchange Gateway is ready for you to change the default IP address, if required.

(11)

Change the default IP address

By default, the IP address 192.168.10.10 is assigned to the NIC1 interface during installation. This is the IP address that you use to access the Exchange Gateway interface in a browser from an Exchange Gateway.

When installing the Exchange Gateway on a computer or virtual machine, you might want to change the default IP address.

To change the default IP address:

1. At the prewizard.local login prompt, log on using the Console User (console) account.

The default console password is console.

2. On the Clearswift SECURE Exchange Gateway Console menu, select NIC1, and then press Enter.

To select an option, do one of the following:

n Use the arrow keys.

n Press the access key (for example, press the N key to select NIC1).

3. In the IP Address box, type the address that you will use to access the Exchange Gateway interface in your browser.

4. Move the text cursor to the next box by pressing the Down Arrow key.

5. In the Netmask box, type the subnet mask for the address that you will use to access the Exchange Gateway interface in your browser.

6. Choose one of the following options to close the dialog box:

n To confirm your entries, press Alt-O.

n To cancel, press Alt-C.

7. On the Clearswift SECURE Exchange Gateway Console menu, select Routes, and then press Enter.

8. Select Set default gateway, and then press Enter.

9. In the Default gateway box, type the IP address of the network gateway and select OK.

10. Close the IP Route Management dialog box.

The Exchange Gateway is ready for you to complete the installation.

Complete the installation

You complete the Exchange Gateway installation by using a wizard in your browser.

- 6 -

(12)

1. Using HTTPS in a supported browser, go to one of the following IP addresses:

n The default IP address 192.168.10.10

n The IP address that you defined earlier for the Exchange Gateway web interface (for example, 192.0.2.3)

The welcome page of the Clearswift Installation Wizard appears.

If you cannot see the installation wizard, you may need to disable the proxy in your browser.

2. Follow the instructions in the installation wizard.

Information required by the wizard is found in the Configuration values table in theappendix.

3. For general Gateway configuration considerations, seeFirst Stepsin the online help.

4. For Exchange Gateway configuration requirements when setting up with an Exchange Server and SXG Interceptor, seeConfigure Gateway to Exchange Server communication.

(13)

Install your Clearswift SXG Interceptor

Depending on your organization's requirement and infrastructure you have the following options:

n Single Microsoft Exchange Server, single SXG Interceptor, and single Gateway

n Single Microsoft Exchange Server, single SXG Interceptor, and multiple Gateways

n Multiple Microsoft Exchange Servers, multiple SXG Interceptors, and multiple Gateways The steps in the guide assume a Single Microsoft Exchange Server, single SXG Interceptor, and single Gateway configuration.

Before you install your Clearswift SXG Interceptor, the following steps need to be completed on the Exchange Gateway and Exchange Server:

Exchange Gateway

1. Install and set up the SECURE Exchange Gateway.

2. Create a DNS entry for the Exchange Gateway.

3. Add your Exchange Server to the Exchange Servers page on the SECURE Exchange Gateway.

For information on how to do this, seeConfigure Gateway to Exchange Server communicationin the Exchange Gateway online Help.

4. Make a note of the Exchange Server's Client ID.

Exchange Server

You need to create a Universal security group and create a user that will be used to access the Configuration store.

1. Create the universal security group.

a. From Active Directory Users and Computers, create a group called Clearswift SXG Administrators in the root domain of the forest. Ensure Group scope is set to Universal.

2. Create the user to be used to access the Configuration Store.

a. From Active Directory Users and Computers, create a user in the root domain of the forest. Select the Password never expires check box.

3. Add the user to the Clearswift SXG Administrators group.

4. Add the user that will be performing the Interceptor install to the Clearswift SXG Administrators group.

5. Add any users that will be using the SXG Interceptor Powershell cmdlets to the Clearswift

- 8 -

(14)

SXG Administrators group.

6. Log out and then log in to ensure permissions are activated.

Install your Clearswift SXG Interceptor

1. Go tohttp://www.clearswift.com/products/evaluation.

2. Download the SXG Interceptor installer to a location on your Microsoft Exchange server.

3. Log on to your Microsoft Exchange server using a domain account with administrative rights.

4. Using Windows Explorer locate the downloaded SXG Interceptor installer and then run it.

5. Follow the instructions in the setup wizard.

You will find extra information about the wizard pages in the following table.

Wizard

page Extra information

Feature Selection

Select the following options for a first Interceptor install in a new deployment:

n Clearswift SXG Interceptor

n Clearswift SXG Interceptor Configuration Store

n Clearswift SXG Management Shell

Note: Any features that you choose not to install are offered when the installer is run again.

Clear the New instance check box if you do not want to install the configuration store on your Microsoft Exchange server.

Note: The configuration store must be installed on another server before you can install the Interceptor without a configuration store.

Prerequisite Checks

Make sure that all your versions of Exchange, PowerShell, Microsoft.Net and Act- ive Directory Lightweight Directory Services (AD LDS) are supported.

Installation Settings

If you are installing the SXG Interceptor, you must provide the Exchange server's client ID.

Tip: Copy and paste the client ID from the Exchange Server page on the Exchange Gateway.

If you haven't got a client ID at this stage, you can set one after you have installed the SXG Interceptor

For more information, see Set the client ID in the SXG Interceptor in the Manage your Exchange Server section of the Exchange Gateway online help.

Microsoft AD LDS Cre- dentials

Provide the user name that you created to access the configuration store in the format DOMAIN\username. The account should have rights to install, and then access, the new instance of the SXG Interceptor configuration store.

(15)

Complete the installation

You need to perform the following tasks, as a minimum, to complete the installation:

1. Add an SXG Gateway 2. Enable the SXG Gateway 3. Enable the SXG Interceptor Optionally, after these steps, you can:

n Add interception rules

n Enable monitor mode

n Configure performance counters

n Check that the installation is valid This section describes the mandatory tasks.

To add an SXG Gateway, you use the Add-SXGGateway cmdlet. To do this:

1. Click Start > All Programs > Clearswift SXG Interceptor > Clearswift SXG Interceptor Management Shell.

If using Windows Server 2012, go to the start screen and click the Clearswift SXG Interceptor Management Shell icon.

2. Add the Gateway. From the command line type the following:

Add-SXGGateway [[-Identity] <GatewayIdentity>] [<CommonParameters>]]

where:

n <GatewayIdentity> is the Gateway you want to add

n <CommonParameters> is a list of common parameters, for example, verbose, debug.

- 10 -

(16)

Detailed cmdlet help is available from the Clearswift SXG Interceptor

Management Shell and each cmdlet has extended help options. For example, to see examples for Add-SXGGateway, type the following at the prompt:

get-help Add-SXGGateway -examples

For further technical information, type the following commands at the prompt:

get-help Add-SXGGateway -detailed

get-help Add-SXGGateway -full

To see a list of cmdlets, type the following at the prompt:

get-command -module SXGInterceptor

3. Enable the Gateway. From the command line type the following:

Set-SXGGateway [[-Identity] <GatewayIdentity>] -Enabled $true

n <GatewayIdentity> is the Gateway you want to enable

4. Enable the Interceptor. From the command line type the following:

Set-SXGInterceptor [[-Identity] <InterceptorIdentity>] -Enabled $true

n <InterceptorIdentity> is the SXG Interceptor on which to set the configuration

Interceptors can only use Exchange Gateways in the same peer group and in the same AD site.

For help including configuration tasks you need to perform on your Exchange Gateway,

interception rule creation, and performance monitoring, see theExchange Gateway online help.

Validate the SXG Interceptor installation

You can validate the SXG Interceptor installation by running the following commands from the Clearswift SXG Interceptor Management Shell:

Get-SXGSettings

Expected result: The AD LDS username and logging level should be displayed.

Get-SXGInterceptor

Expected result: Interceptor details should be displayed. Note that there will be no details if the first installation is a configuration store on a non-Exchange server.

(17)

Expected result: Default rules should be displayed.

Get-SXGGateway

Expected result: The reported sites should include the site Exchange is in.

Test your SXG Interceptor

1. On your Exchange Server computer, send a test email message using either Outlook or the Outlook Web App.

2. On your Exchange Gateway, go to the Home page, and then view the Recent Messages area.

3. View the SXG Interceptor log(s) located in C:\ProgramData\Clearswift\SXGInterceptor\logs 4. Using Event Viewer, view the Applications event log.

- 12 -

(18)

Troubleshoot your SXG Interceptor

The following can help you locate problems with your Exchange Interceptor installation.

Display information about the Interceptor

1. Open the Clearswift SXG Interceptor Management Shell.

2. Type the following:

Get-SXGInterceptor | Format-List

The following information is displayed with values applicable to your Interceptor:

Identity : HUB1.example.com

InterceptorIdentity : HUB1.example.com

State : Inactive

Enabled : True

ClientID : 94bbc203-81a2-45be-a5ff-54c6a3dadad3 MonitorModeEnabled : False

QueueLength : 0

Version : 3.7.0.n

Check that the SXG Interceptor is installed as a transport agent

1. Open the Clearswift SXG Interceptor Management Shell.

2. Type the following:

Get-TransportAgent

The following information is displayed.

Identity Enabled Priority

--- --- ---

Transport Rule Agent True 1

Text Messaging Routing Agent True 2

Text Messaging Delivery Agent True 3

ClearswiftSXGInterceptor True 4

Set the logging level

You can set the logging level by using the following command from the Clearswift SXG Interceptor Management Shell.

Set-SXGSettings -LogLevel [Off|Error|Warn|Info|Debug]

(19)

Supplementary Information

This section provides information on the following:

n Reinstalling your Exchange Gateway

n Replicating your Exchange Interceptor configuration store

n Uninstalling your Exchange Interceptor and configuration store

Reinstall the Exchange Gateway

You can reinstall the Exchange Gateway without having the Clearswift Installation DVD. To do this, you restore the Exchange Gateway to its factory default settings.

We recommend that you backup your configuration before performing a reinstall.

1. Restart the Exchange Gateway computer.

2. On the boot screen, press the Down Arrow key to select Factory partition, and then press Enter.

3. At the prompt, type iamsure, and then press Enter.

The Exchange Gateway is restored to its factory default settings.

The computer restarts, and then continues setup.

4. On the boot screen, select Live root partition, and then press Enter.

The Exchange Gateway is initialized and IP address 192.168.10.10 is assigned to the NIC1 interface.

The prewizard.local login prompt appears.

The Exchange Gateway is ready for you to configure the IP address, if required.

Replicate the SXG Interceptor configuration store

To provide a backup in case of server failure, you can install a replica instance of AD LDS on another Microsoft Exchange server or any other supported server (Windows Server 2008 or later).

We recommend that you do not use a domain controller.

To replicate the Exchange Interceptor configuration store:

1. Log on to the Microsoft Exchange server using the account that you created in the pre- requisite steps.

2. Using Windows Explorer, locate the SXG Interceptor installer, and run it.

- 14 -

(20)

3. Follow the instructions in the setup wizard.

4. On the Feature Selection page, do the following:

n Clear the Clearswift Exchange Interceptor check box.

n Select the Clearswift SXG Interceptor Configuration Store and Clearswift SXG Inter- ceptor Management Shellcheck boxes.

5. On the Microsoft AD LDS Credentials page, type the credentials for an Active Directory account that has rights to install, and then access, the replicated instance of the configuration store.

You should use the same account details that were used to create the initial installation in the format DOMAIN\username.

6. Complete the wizard.

If a domain controller with the SCP of the original instance cannot be contacted during installation, the process might offer to install as a first instance. If this happens you should wait until either the domain controller is available or the information has replicated before installing.

Uninstall the SXG Interceptor and configuration store

Take the following steps to uninstall your SXG Interceptor and configuration store.

To prevent potential issues with reinstalling after an uninstall, you should ensure that the first Clearswift AD LDS instance installed in your network is running during the uninstall process.

1. Click Start > All Programs.

2. Click Clearswift SXG Interceptor.

3. Click Uninstall Clearswift SXG Interceptor.

When prompted, use the password for the configuration store account.

In some scenarios, an uninstall might not remove the Service Connection Point (SCP) for the AD LDS instance from Active Directory correctly, and might not remove the server details from other AD LDS instances. Subsequent installs on the same server will indicate that AD LDS is already installed. If you encounter this issue, please contact Clearswift Support.

(21)

Appendix

Configuration Values

You will need to supply some basic information about your SECURE Exchange Gateway and network configuration in the Clearswift Installation Wizard.

Item Your values Notes

Welcome to Clearswift

Installation Wizard You should have already received your product license key from either Clearswift or your Catalyst Partner.

To obtain an evaluation license key, visit www.clearswift.com/products/evaluation/free- product-evaluationon the Clearswift website.

Company Name

License Key

Serial Number

System Locale

This affects the format used to display dates, etc.

An example of a system locale is English (United Kingdom).

Time Settings The hostname or IP address of the NTP time

server you want to use.

If you choose not to use an NTP server, you can specify the current date and time manually.

Timezone

NTP Server

Network Settings

Primary Adapter (NIC1)

If you configure only one network adapter, use NIC1.

IP Address

Subnet Mask

Default Gateway IP Address

Secondary Adapter (NIC2)

If you are using both adapters, NIC2 must have a separate IP address.

IP Address

Subnet Mask

- 16 -

(22)

Item Your values Notes

Static Route

Define static routes as required by your net- work environment.

Network

Subnet Mask

Gateway

DNS Settings

Fully Qualified Host- name

A fully-qualified hostname has the format hostname.domain-name (for example, gateway.example.com). It is also known as the full computer name.

The fully qualified hostname must be in the Windows DNS so they can be resolved by the interceptors.

Primary Server

Provide the IP addresses of up to 3 DNS serv- Secondary Server ers.

Tertiary Server

Corporate Email

Domains All of your company's email domain names.

Corporate Mail Server

The IP address of the mail server that Exchange Gateway notification messages will be sent to.

Typically, this will be an internal email server.

Host

Port number

Routing for mail leav-

ing the company Details of the corporate mail server to use for Exchange Gateway notifications that are sent to Clearswift. Use either DNS or supply host and port detail.

Host

Port

System Email Addresses

Main Administrator The email address of the Web User Interface (admin) account on the Gateway.

Server The sender email address of messages such as

alerts.

(23)

Item Your values Notes

to mail delivery, such as non-delivery reports.

HTTP Proxy Settings

Provide these details if the Gateway needs to use an HTTP proxy to connect to the Clearswift update servers.

Proxy Host and Port

User Name and Pass- word

Initial System Pass- words

Passwords to be used for each of the standard Clearswift accounts.

Web User Interface (admin)

Console User (console):

System Administrator (system):

- 18 -

Figure

Updating...

Related subjects :