
SurfControl E-mail Filter 5.0 for SMTP Getting Started Guide

The World’s #1 Web & E-mail Filtering Company


CONTENTS

Introduction
  About This Document
  Product Overview
  What’s New in Version 5.0
  How SurfControl E-mail Filter Works

Before You Begin
  System Requirements
  Minimum Requirements
  Other Requirements
  Installation Decisions
  Location of E-mail Filter on the Network
  Database Size and Location
  Load Balancing Methods
  Server Size

Installation
  In This Chapter
  Running the Setup Wizard
  E-mail Filter Components
  Typical Installation
  Custom Installation - Administration Client
  Custom Installation - Report Central

Configuration Wizard
  In This Chapter
  Running the Configuration Wizard
  Next Steps
  Launching E-mail Filter
  Launching Report Central
  Upgrading from a Previous Release

Deployment
  In This Chapter
  Deployment Options
  Deployment Option 1: E-mail Filter Installed on the Mail Server
  Deployment Option 2: Simple Dedicated Server
  Deployment Option 3: In a DMZ
  Deployment Option 4: A Protected Network

Chapter 1 Introduction


About This Document

This document explains how to install and configure SurfControl E-mail Filter so that you can protect your system against e-mail threats as quickly as possible.

Product Overview

SurfControl E-mail Filter is a comprehensive filtering solution that deals with current and evolving threats:

Table 1 Enterprise Threat Protection

Threat | How You’re Protected

Phishing and Fraud | The E-mail Filter Threat Database contains the digital signatures of thousands of known phishing e-mails and fraudulent URLs. Because E-mail Filter uses Adaptive Threat Intelligence, it can also detect when an e-mail has phishing characteristics - protecting you against new and emerging threats.

Spam | The Anti-Spam Agent comprises four separate tools that work independently to offer a complete solution. As well as a comprehensive database of known spam, E-mail Filter’s advanced heuristics tools can detect new outbreaks of spam and stop them before they reach your inbox.

Corporate Confidentiality | Regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA demand absolute protection of network data. The Virtual Learning Agent is a powerful tool that you can train to recognize and protect your organization’s specific confidential data.


What’s New in Version 5.0

Table 2 explains the new features in version 5.0.

Table 2 New Features in Version 5.0

Feature | What It Does

Quicker Setup

New Setup Wizard | The new Setup Wizard makes E-mail Filter quicker to download and install.

Configuration Wizard | After the Setup Wizard has installed E-mail Filter, the Configuration Wizard will guide you through the configuration process step by step so that you can begin filtering e-mail as quickly as possible.

Advanced Anti-Spam Protection

Enhanced Anti-Spam Agent | Digital Fingerprinting, Heuristics, LexiRules, and Neural Net tools provide industry-leading anti-spam effectiveness with zero administration cost.

Directory Harvest attack detection | Prevents spammers stealing your e-mail addresses by brute-force attacks.

Web Threat Protection

URL Category List | Protects against inappropriate and fraudulent Web links in e-mails.

Confidential Data Protection

Expanded Dictionaries | Support 10 pre-packaged language packs, including: English, French, Spanish, Dutch, Italian, German, Portuguese, Japanese, Traditional Chinese and Simplified Chinese.

Easier Virtual Learning Agent | Uses Real-time Threat Intelligence to understand and protect your confidential data.

Improved Security

Denial of Service protection | Detects and manages suspicious SMTP connections and offers fine-tuning of all SMTP connections, internal and external.

Secure Remote Access | Locks down remote administration by user logon.

Expanded Scalability

Unlimited Connection Threads | Supports unlimited simultaneous connections, scaling up to meet requirements of the most demanding mail gateways.

Pipelining and Chunking (eSMTP) | Significantly improves mail throughput between mail servers that support these commands, such as MS Exchange and Lotus Domino.

LDAP Organizational Units | Tailors message-processing rules based on organizational structures

Easier Administration

Grouping of Rules | Organizes your rules by the type of e-mail threats being managed. The default rule set includes anti-spam, network security, and other useful groupings.

Expanded Filtering in Rules | Supports inbound/outbound “Who” functionality, filtering of PDF, TNEF, and RTF, and supports Office 2003 and Web Archive formats.

Redesigned Server Configuration | Offers a more powerful way to configure any server and view settings by service.

E-mail notifications of failed events | Instant awareness that any scheduled event has not been successful.

Report Central | Provides web-based reporting of filtering activity, with ability to lock down reporting access by user.

Single Management Console | Allows easy administrative access to each SurfControl server within the organization, providing a single portal view of multiple SurfControl E-mail & Web Filter deployments.


How SurfControl E-mail Filter Works

Figure 1 explains how E-mail Filter processes messages:


SurfControl E-mail Filter’s functionality is managed by four software services:

Receive Service

Rules Service

Send Service

Administration Service

The services fit together like this:

Figure 2 E-mail Filter Services

During the installation and configuration process you will:

Install the services to your server or servers.

Install the SQL databases


Chapter 2 Before You Begin

System Requirements
  Minimum Requirements
  Other Requirements

Installation Decisions
  Location of E-mail Filter on the Network
  Database Size and Location
  Load Balancing Methods

System Requirements

Minimum Requirements

During installation, the System Checker will check your system to see if it meets the minimum requirements for SurfControl E-mail Filter to be installed correctly. Tables 1 to 3 show the Minimum Requirements.

Table 1 SurfControl E-mail Filter SMTP

Processor | Intel Pentium III processor 600MHz or higher

Memory | 512MB RAM minimum, 1024MB recommended

Operating System | Windows 2000 Server with Service Pack 4; Windows 2000 Advanced Server with Service Pack 4; Windows Server 2003 with Service Pack 1

Disk Space | 200MB minimum disk space. 500MB is recommended.

Display | Super VGA (800 x 600) or higher resolution video adaptor and monitor

Web Browser | Microsoft Internet Explorer 5.0 or later

Networking | TCP/IP installed and configured with an Internet connection

DNS | Internal or External DNS configured

E-mail | E-mail system with SMTP gateway or MTA installed

MDAC | Microsoft Data Access Components MDAC 2.7 (Service Pack 2) or later

Database | Microsoft SQL Server 2000. If this is not installed on your system, SurfControl E-mail Filter can install MSDE 2000 Service Pack 3.


Table 2 SurfControl E-mail Filter for SMTP Admin Client

Processor | Intel Pentium III processor 600MHz or higher.

Operating System | Windows 2000 Server with Service Pack 4; Windows 2000 Advanced Server with Service Pack 4; Windows Server 2003 with Service Pack 1; Windows 2000 Professional with Service Pack 4; Windows XP

Display | Super VGA (800 x 600) or higher resolution video adaptor and monitor.

Web Browser | Microsoft Internet Explorer 5.0 or later.

Report Central Minimum Requirements

The computer where you are installing Report Central must meet the requirements listed in Table 3. The computer must be part of a network that meets the requirements listed in Table 4.

Table 3 Basic requirements

Operating System | Windows 2000 Server Service Pack 4; Windows 2000 Advanced Server Service Pack 4; Windows Server 2003 Standard Edition; Windows Server 2003 Enterprise Edition

Processor | Pentium III or higher

Memory | 512 MB

Disk space | 1GB

Applications | Internet Explorer 5.0 or higher; Adobe Reader 6.0 or later to read reports in PDF format

Other | The SQL Server tempdb transaction log file should have a capacity of more than 5MB. 15MB is recommended. To allocate more memory to this file, consult the E-mail Filter Administrator’s Guide. You can do this after you have installed Report Central.

Table 4 Network requirements

Operating System | Windows 2000 Server SP4; Windows 2000 Advanced Server SP4; Windows Server 2003 Standard Edition; Windows Server 2003 Enterprise Edition

Database | Microsoft MSDE Service Pack 3; Microsoft SQL Server 2000

Applications | SurfControl E-mail Filter 5.0; Microsoft Internet Explorer 5.0 or higher


Other Requirements

Please note the following:

None of the E-mail Filter components can be installed via a terminal server client.

You must have full administrative rights to install E-mail Filter.

You will also need the following information:

Your mail system’s pre-registered domain name.

The IP address or host name of your e-mail system’s SMTP gateway or MTA.

The e-mail address of your e-mail system security administrator.

Your Activation Key as supplied by SurfControl.

The HTTP port number (default 8181) to install and start the Administration Service.


Installation Decisions

Before you begin installing SurfControl E-mail Filter you need to make decisions about the following:

Location of SurfControl E-mail Filter on your network.


Location of E-mail Filter on the Network

Before you install E-mail Filter on your network, consider:

Whether you will install E-mail Filter on the mail server / MTA or on a dedicated server.

Whether the mail server uses MX records for domain name resolution, or whether the mail server passes this task to a relay host.

Where the E-mail Filter server will be located in relation to your firewall or DMZ.

Chapter 5 describes a range of deployment options for different sized enterprises.

Database Size and Location

SurfControl E-mail Filter stores all configuration data and filtering policies in a SQL database called STEMConfig. All logging data is stored in a SQL database called STEMLog.

SQL Server vs. MSDE

MSDE, included with the SurfControl E-mail Filter download, is the run-time version of SQL. MSDE databases have a 2 GB size limit and few management tools, but MSDE is an effective database for small environments.

Although you can install a SQL database onto the SurfControl server, SurfControl recommends that large environments install a fully licensed version of SQL onto a separate, dedicated server.

Dedicated vs. Centralized

If your network requires multiple SurfControl servers, you have two database options: dedicated or centralized. A dedicated database stores data for a single SurfControl server in a single database; a centralized database stores the data for multiple SurfControl servers in a single database.

Many customers choose to use the centralized database option, which provides the advantages of centralized policy management and message administration, plus the ability to run reports from a single repository. However, the size of a centralized database grows in direct relation to the number of SurfControl servers that write to it. Depending on the size of your environment and the number of e-mails that pass through your network, a centralized database can require additional administration. In this case, you may choose to use a dedicated database for each SurfControl server.

Database Size

The size of the database depends on the number of e-mails your organization receives per day, and the length of time you plan to retain the logged data for message administration and reporting purposes. To size your database appropriately, SurfControl estimates that each e-mail generates approximately 1KB of log data stored in the database. (This calculation can also be helpful when determining whether MSDE is sufficient for your environment.)

Load Balancing Methods

You can load balance SurfControl E-mail Filter using MX records. On the DNS server hosting your domain, create an MX record for each primary SurfControl server using the same MX preference, while giving the failover server a higher number (which gives it a lower preference). Table 5 provides an example of MX preference assignments for load-balancing and failover using MX records. Figure 1 further shows this method.

Figure 1 Using MX records for load balancing.

Table 5 MX Records for Load Balancing.

Mail Exchanger IP Address MX Preference


In Figure 1, e-mail sent to siteA.com round-robins between mail exchangers 1, 2, and 3, because each SurfControl server has the same MX preference of 5. (A lower MX preference number means that it has a higher priority -- 5 having a higher priority than 10.) The same thing happens for e-mails sent to siteB.com. If site A is down (e.g., with a network failure), the sending mail server will route e-mail to the fourth (failover) MX record, which is the address of a server in a different physical location.

For the described failover to work properly, SurfControl servers in site A are configured to accept messages for site B, and SurfControl servers in site B are configured to accept messages for site A. The failover servers also have static routes configured so that SurfControl knows where to route the e-mails.

In addition to load balancing and failover using MX records, there are also sophisticated load balancing switches that can be used for these purposes. These switches offer a variety of load balancing algorithms, in addition to round-robin delivery, which provide efficient load distribution and timely failover. Although this is not a required component for a SurfControl implementation, the use of load balancing switches may improve the overall efficiency of your SMTP infrastructure.
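The MX-based load balancing and failover described in this section can be checked before go-live with a short simulation. The following is an added example, not part of the SurfControl guide or product: it models how a sending mail server walks the MX set (lowest preference first, random choice among equal preferences) and audits that every exchanger listed for a domain is configured to accept that domain. The host names and the accepted-domain map are hypothetical; the preferences 5 and 10 and the domains siteA.com and siteB.com come from the text.

```python
import random
from collections import Counter
from itertools import groupby

# Hypothetical filter hosts at each site (constructed for this example).
SITE_A = ["filter1.site-a.example", "filter2.site-a.example", "filter3.site-a.example"]
SITE_B = ["filter1.site-b.example", "filter2.site-b.example", "filter3.site-b.example"]

# MX sets as the guide describes them: three primaries at preference 5 and a
# fourth, failover record at preference 10 pointing at the other site.
MX_RECORDS = {
    "siteA.com": [(h, 5) for h in SITE_A] + [(SITE_B[0], 10)],
    "siteB.com": [(h, 5) for h in SITE_B] + [(SITE_A[0], 10)],
}

# Domains each server is configured to accept (assumed configuration data).
ACCEPTED = {h: {"siteA.com", "siteB.com"} for h in SITE_A + SITE_B}


def delivery_order(domain, records, rng):
    """Order in which a sender tries the exchangers for a domain.

    Lowest preference number first; hosts sharing a preference are shuffled,
    which is what spreads load across the primaries.
    """
    ordered = sorted(records[domain], key=lambda rec: rec[1])
    hosts = []
    for _, tier in groupby(ordered, key=lambda rec: rec[1]):
        tier_hosts = [host for host, _ in tier]
        rng.shuffle(tier_hosts)
        hosts.extend(tier_hosts)
    return hosts


def pick_exchanger(domain, records, reachable, rng):
    """First reachable exchanger in delivery order, or None if all are down."""
    for host in delivery_order(domain, records, rng):
        if host in reachable:
            return host
    return None


def simulate(domain, records, reachable, messages=3000, seed=1):
    """Count which exchanger receives each of `messages` deliveries."""
    rng = random.Random(seed)
    return Counter(
        pick_exchanger(domain, records, reachable, rng) for _ in range(messages)
    )


def audit_failover(records, accepted):
    """List (domain, host, preference) where an MX host would not accept the domain.

    A failover record pointing at a server that is not configured for the
    domain makes mail bounce or defer exactly when the primary site is down.
    """
    gaps = []
    for domain, mx_set in sorted(records.items()):
        for host, preference in mx_set:
            if domain not in accepted.get(host, set()):
                gaps.append((domain, host, preference))
    return gaps


if __name__ == "__main__":
    everything_up = set(SITE_A + SITE_B)
    print("normal :", dict(simulate("siteA.com", MX_RECORDS, everything_up)))
    print("A down :", dict(simulate("siteA.com", MX_RECORDS, set(SITE_B))))
    print("gaps   :", audit_failover(MX_RECORDS, ACCEPTED))
```

An empty result from audit_failover means every MX target, including the failover, accepts the domain it is published for.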

Server Size

Table 6 shows SurfControl’s server recommendations, depending on how many e-mails per hour your organization typically handles.

Table 6 Server Recommendations.

E-mails Per Hour | Server Recommendations

< 10K e-mails | PIII 1GHz + 1 GB RAM.

< 25K e-mails | Dual Xeon 2GB RAM.

< 40K e-mails | Quad Xeon, 2GB RAM, 3 or more HDDs (10,000 + RPM) for e-mail processing.

< 120K e-mails | 3-Quad Xeon, 2GB RAM, 3 or more HDDs (10,000 + RPM) for e-mail processing.

< 240K e-mails | 6-Quad Xeon, 2GB RAM, 3 or more HDDs (10,000 + RPM) for e-mail processing.


Partitioning the Server

You can optimize E-mail Filter’s performance by installing onto a server capable of fast disk I/O and configured to support multiple HDDs. Figure 2 shows the optimal HDD and partitioning configuration for SurfControl. Because SurfControl frequently reads from and writes to disk as it processes e-mail, SurfControl recommends that you have a server capable of fast disk I/O.

Figure 2 shows a server with five SCSI HDDs. Two of the HDDs are in a RAID1 configuration and are divided into three partitions: a partition for the operating system, a partition for the page file, and a partition for the SurfControl application.

The other three HDDs each have a single partition and are capable of fast disk I/O. The first drive contains the In folder where SurfControl stores the received e-mails. The second drive contains the Work folder. SurfControl retrieves e-mails from the In folder and moves them to the Work folder, where the e-mails are processed against the configured rule set. SurfControl then moves the e-mail to a quarantine folder for review or to the Out folder for delivery. The third drive contains the Out folder where SurfControl relays processed messages to the intended recipient.

Figure 2 Partitioning the SurfControl server.


Chapter 3 Installation

In This Chapter
Running the Setup Wizard

In This Chapter

Once you have made the installation decisions discussed in the previous chapter, you are ready to begin installing SurfControl E-mail Filter. There are two stages to complete before SurfControl E-mail Filter can begin filtering e-mail:

The Setup Wizard will install the files on your computer.


Running the Setup Wizard

There are two ways to install SurfControl E-mail Filter:

Typical Installation

A typical installation will install all the SurfControl E-mail Filter Core Components. If you run a typical installation, everything that SurfControl E-mail Filter needs to begin filtering e-mail will be installed on the same server.

Custom Installation

You can select which e-mail filter components you want to install. This is useful if you want to access the E-mail Filter server from a remote location. Figure 1 shows the Monitor installed as an Administration Client on the administrator’s workstation, which enables the administrator to view e-mail traffic passing through the E-mail Filter server in real time.

Figure 1 Using the Administration Client for remote access

E-mail Filter Components

Table 1 describes the E-mail Filter Components.

If you install the Server Components, the Administration Clients are also installed automatically. You can install the Administration Clients without the Server Components and specify the remote location of the Server Components so that the Administration Clients can connect to them.

Table 1 E-mail Filter Components

Component | Description

Server Components

E-mail Filter services | Manages the processing of e-mail. See “E-mail Filter Services” on page 6.

Scheduler | Schedules the updating of the Threat Management Database and other management tasks.

Administration client | Manages communication between the components.

Administration Clients

E-mail Monitor | Displays the progress of e-mails through E-mail Filter in real time.

Rules Administrator | Displays and manages the rules you set up to enforce your organization’s Acceptable Use Policy.

Message


Typical Installation

A typical installation will install all of the E-mail Filter components on your computer. Follow Procedure 1.

Procedure 1: Typical Installation

1. Double click the setup.exe icon to start the Setup Wizard.

2. Specify where you want the Setup Wizard to copy the SurfControl installation files. Click Next to continue.

3. The Welcome page will display. Click Next to continue.

4. You will be asked to agree to the SurfControl License Agreement.

   Select I accept the terms of the license

5. You will be asked to accept the GNU public license agreement.

   Select I accept the terms of the license agreement and click Next.

6. You will be asked to select a Setup Type. Choose Typical.

   Click Next.

7. You will see that the core components are selected by default.

   By default, Report Central is also selected. You need Report Central to create reports on e-mail use in your organization.

   You cannot deselect any of the core components but you can choose not to install Report Central. To change which core components are installed, click Back to return to step 6, and select a Custom installation.


8. The System Checker will check that your computer meets the recommended requirements.

   If your computer meets the minimum requirements but not the recommended requirements, the system checker will display a warning, but you can continue the installation process. If your computer does not have MDAC the Setup Wizard will install it automatically when you click Next.

   If your computer does not meet the minimum requirements you will be asked to abort the installation.

   To continue installing, click Next.

   If you plan to create the E-mail Filter databases on the local computer, proceed to step 9. If you plan to create the E-mail Filter databases on a remote computer, proceed to step 15.

Creating local E-mail Filter databases

9. The Setup Wizard will check whether a valid SQL Server is installed on your computer:

   • If a SQL Server is present, you can use it to create the E-mail Filter databases on the local computer. See step 10.

   • If SQL Server is not present, you can install MSDE and use it to create the E-mail Filter databases on the local computer. See steps 11-14.

10. To create the databases on an existing SQL Server, select Create SurfControl E-mail Filter databases on this computer.

    Click Next. Proceed to step 17.

11. To install MSDE select Install MSDE and create SurfControl E-mail Filter databases on this computer.

12. Specify the location of the MSDE database. By default this is C:\Program files\Microsoft SQL Server

    Click Browse… to change the path. Click Next to proceed.

13. Specify a password for the SQL Server administrator account SA.

    Enter a password for the SA account, then enter it again to confirm.

    Click Next.


14. When the MSDE setup program has finished, you will be asked to restart your computer. When the computer has restarted the Setup Wizard will resume where it left off. Select Create SurfControl E-mail Filter databases on this computer and click Next.

Creating the E-mail Filter databases on a Remote SQL Server

15. Select Create SurfControl E-mail Filter databases on another computer.

16. Specify the server name of the SQL Server where you want to install the E-mail Filter databases. Choose how the SurfControl E-mail Filter server will connect to the SQL Server:

    • Windows NT Authentication

    • SQL Authentication

    Enter a user name and password to log into the SQL Server.

    Click Next.

17. The summary screen will now display, showing the options you have chosen.

    To proceed with the installation, click Next. Click Back to amend your settings.

18. When the installation is complete, you will see the final screen of the Setup Wizard.

    Click Finish.

Once you have finished installing SurfControl E-mail Filter the Configuration Wizard will begin immediately. See “Configuration Wizard” on page 35.


Custom Installation - Administration Client

Procedure 2 describes how to use a Custom Installation to install the Administration Client components of your choice. See “E-mail Filter Components” on page 20 for a description of each component.

Procedure 2: Installing the Administration Client

1. Double click the setup.exe icon to start the Setup Wizard.

2. Specify where you want the Setup Wizard to copy the SurfControl installation files. Click Next to continue.

3. The Welcome page will display. Click Next to continue.

4. You will be asked to agree to the SurfControl License Agreement.

   Select I accept the terms of the license

5. You will be asked to accept the GNU public license agreement.

   Select I accept the terms of the license agreement and click Next.

6. Select the Custom setup type.

7. Select the components you want to install.

   Note: You can install the E-mail Filter Client without the E-mail Filter Server, but you cannot install the E-mail Filter Server without the E-mail Filter Client.


8. The System Checker will check that your computer meets the recommended requirements.

   If your computer meets the minimum requirements but not the recommended requirements, the system checker will display a warning, but you can continue the installation process. If your computer does not have MDAC the Setup Wizard will install it automatically when you click Next.

   If your computer does not meet the minimum requirements you will be asked to abort the installation.

   To continue installing, click Next.

9. Specify the location of the E-mail Filter server. Enter:

   • The server name or IP address of the computer where the E-mail Filter Server Component is installed.

   • The port number that the E-mail Filter client will use to communicate with the server.

   • A user name and password that the E-mail Filter client will use to log in to the E-mail Filter Server.

   Click Next to continue.

10. The summary screen will show the installation choices you have made. Click Next to proceed.

11. The Installation Complete screen will display. Click Next to launch SurfControl E-mail Filter. If you selected to install Report Central, the Report Central installation process will now begin.


Custom Installation - Report Central

If you install Report Central as part of a full installation, the Setup Wizard will install all the files you need automatically. If you install Report Central as part of a custom installation, you will need to follow further steps in the setup wizard that are specific to Report Central.

Procedure 3: Installing Report Central

1. If you have already installed any E-mail Filter Components, you will be asked whether you want to

   • Install Report Central v1.5

   • Uninstall SurfControl E-mail Filter

   Select Install Report Central v1.5 and click Next.

2. If you are installing Report Central without any SurfControl E-mail Filter components, select Custom from the Setup Type screen.

   Click Next to continue.

4. You will be asked to agree to the SurfControl License Agreement.

   Select I accept the terms of the license agreement and click Next.

5. Specify the folder where you want to install Report Central.

   Click Next to continue.

6. Select the server where the SurfControl E-mail Filter logging database is installed.

7. Specify how Report Central will authenticate itself to the E-mail Filter logging database. Choose one of the following:

   • Windows Authentication

   • SQL Authentication

   Enter the user name and password of an account to log into the SQL Server. Click Next to continue.


8. Create a username and password for the Report Central administrator account. When you run Report Central for the first time, you will need this account to log in.

9. Select the database that Report Central will connect to. Report Central will use this database to generate reports.

   If you want to choose a database later, leave the Database field blank.

   Click Next to continue.

10. The Setup Wizard is now ready to begin installing.

    Click Install to continue.

11. When the Setup Wizard has finished copying the files, you will see the Installation Complete screen.

    Click Finish to launch Report Central.

Chapter 4 Configuration Wizard

In This Chapter
Running the Configuration Wizard
Next Steps

In This Chapter

This chapter explains how to use the Configuration Wizard to set up SurfControl E-mail Filter and begin filtering e-mail.

Once you have finished installing E-mail Filter the Configuration Wizard will begin immediately. It will guide you through a basic configuration process that will protect your primary domain against common threats. Once the Configuration Wizard has finished, E-mail Filter will be up and running, and you can fine-tune the configuration to suit your needs.

The Configuration Wizard has four stages.

Your Organization


Running the Configuration Wizard

The Configuration Wizard will launch automatically after you finish the installation process. Follow Procedure 1:

Procedure 1: Configuration Wizard

1. As soon as you have finished installing SurfControl E-mail Filter, the Configuration Wizard will launch.

Your Organization

2. Enter your contact information to register with SurfControl.

3. If you are evaluating E-mail Filter, select I am evaluating SurfControl E-mail Filter.

   If you have purchased SurfControl E-mail Filter, select I have purchased a license and enter your license key.

4. If you have entered a license key, you will be asked if you have license keys for any of the Adaptive Threat Intelligence components. If you have license keys, enter them here.

System Information

5. The System Details introduction screen will display. Click Next.


6. Enter the following:

   • User name and password of a Windows user account with administrative privileges. E-mail Filter will use this account to log its services on to Windows.

   • The domain or machine name of the server where the Windows user account is defined.

   Click Next to continue.

7. If you have not yet installed Report Central, you can opt to install it now.

   Alternatively, if you have installed Report Central on another server and want to use it for reporting on e-mail activity, enter the machine name and port number of the server where Report Central is running.

   Note: If you are running SurfControl Report Central for Web Filter on the remote server, you need to install Report Central for E-mail Filter there as well.

8. If you installed Report Central during the Installation process, or if you opted to install Report Central in step 7, create a username and password for the Report Central administrator account. When you run Report Central for the first time, you will need this account to log in.

Mail Routing

9. The Mail Routing introduction will display. Click Next.

10. Specify the SMTP port that SurfControl E-mail Filter will use to receive inbound e-mail. This is usually port 25.

    The Configuration Wizard will check that the port you specify is available. If it is being used, either disable the service using it, or choose another port.


11 Enter the following information about your primary local domain:

• Local domain name

The domain for which you want to filter e-mail. If you have more than one domain in your organization, you can add others once E-mail Filter is up and running.

• Postmaster e-mail address

The e-mail address of the postmaster for your primary local domain.

• Name or IP address of mail server

The machine name or IP address of your mail server.

• Mail Server SMTP Port

The port that the E-mail Filter server will use to communicate with the domain’s mail server.

To test the connectivity between the E-mail Filter server and the mail server, click Test.

12 Specify how you want E-mail Filter to route outbound mail. E-mail Filter can route e-mail in two ways:

• By sending it directly to the internet. E-mail Filter will perform a DNS lookup to resolve the e-mail address.

• By sending it to another mail server. The mail server will handle domain name resolution and any further routing.

Select how you want outbound messages to be routed. If you want to route outbound mail via a mail server, fill in the fields as follows:

• Host Name or IP

Enter the host name or IP address of the mail server to which you want to forward e-mails.

• Port

Enter the port that SurfControl E-mail Filter will use to communicate with the mail server.

Once E-mail Filter is up and running you can add further mail servers.


13 The Filtering Options introduction screen will display. Click Next.

14 SurfControl E-mail Filter has a set of standard rules so that you can begin filtering e-mail as soon as possible. Select which rule groups you want to activate. You can choose one or all of the following:

• Spam Filtering rules.

• Virus protection rules.

• Network security rules.

When you have chosen which rule groups to activate, click Next.

15 Specify where the queue folders that hold isolated e-mail will be located. The Configuration Wizard will automatically select the drive with the most disk space as the default.

Click Next.


16 If messages build up in the Isolate queues it can impair E-mail Filter’s performance. You can automatically delete each e-mail from the Virus or Spam queues once it has been held there for a set number of days.

You can delete:

• E-mails over 7 days old from the Virus queue.

• E-mails over 14 days old from the Spam queue.

Once E-mail Filter is up and running you can set up automatic management for other queues, and change the number of days after which e-mails are deleted.

17 E-mail activity is recorded in the STEMLog database. If this database becomes too large, it can slow down the processing and delivery of e-mail.

To maintain efficiency, you should schedule regular database updates. Select Purge database once a month to set up a regular database purge.

Once E-mail Filter is up and running, you can use the Scheduler to specify when database purges take place.

18 E-mail Filter can send notifications via e-mail to your domain’s systems administrator to notify them of system events.

Enter the e-mail address of a system administrator for your protected domain who you want to be notified of system events.

Click Next.


19 The Configuration Wizard is now ready to complete the configuration tasks. Click Start to begin configuring.

20 The Configuration Wizard will work through the list of tasks. When a task is complete it will be marked with a green check.

If there is a problem with the configuration process, you will see a red exclamation point next to the task. If this happens the Back button will become enabled so that you can amend your settings if necessary.

21 SurfControl strongly recommends that you exclude the E-mail Filter work folder and its subfolders from scanning by your resident anti-virus solution.

Click Check folders to check that the correct folders are excluded from anti-virus scanning. The Configuration Wizard uses the Eicar test pattern to test the response of your anti-virus software. The Eicar test pattern is not a virus and will not damage your system in any way.

Click Next to continue.


22 The Configuration Wizard is now complete. The Monitor will launch automatically. Use the Server Configuration Console to fine-tune your configuration to suit your needs.


Next Steps

SurfControl E-mail Filter is now protecting your primary e-mail domain using the standard rules you specified.

You now need to launch E-mail Filter and fine-tune the configuration settings. You can:

• Add other protected domains: if you have an additional e-mail domain, it will not receive any e-mail until you add it to the protected domains list in the Server Configuration Console.

• Change the timing of scheduled events: use the Scheduler to change how frequently database purges and other events take place.

• Create additional rules: use the Rules Administrator to create, amend and group rules to suit your Acceptable Use Policy.

Consult the Administrator’s Guide for more information.

Launching E-mail Filter

When the Configuration Wizard is finished, the Monitor will start automatically.

At other times, you can launch E-mail Filter from the Start menu.

Now consult the E-mail Filter Administrator’s Guide for more information.

Launching Report Central

From the Start menu, select Programs > E-mail Filter 5.0 Reports.


Upgrading from a Previous Release

If you have upgraded from a previous release of E-mail Filter, your existing rule set will be preserved. The standard rules shipped with Version 5.0 will be saved to the root of the SurfControl E-mail Filter folder. To import the new rules, follow Procedure 2:

Procedure 2: Upgrading the Rule Set

Step Action

1 Launch the Rules Administrator.

2 From the File menu, select Import Rules... The Open dialog will display.

3 Select Default.rul and click Open. A list of rules in the file will display.

4 Select the ones you want and click Import to transfer them into the Rules Administrator.

5 You will see the rules you selected in the Rules Administrator. Imported rules are initially disabled. Check the boxes of the rules you want to enable.


Dictionary Upgrades

When you upgrade to version 5.0, the new dictionaries are automatically installed. However, only new words are added to your existing dictionaries, so any dictionary scores you have changed or words you have added will be preserved.

Retraining the Virtual Learning Agent


Chapter 5 Deployment


In This Chapter

This chapter offers five sample deployment options for enterprises of differing size and complexity:

Table 1 Deployment Options

Option Description Find out more


Deployment Options

Deployment Option 1: E-mail Filter Installed on the Mail Server

SurfControl recommends that you install E-mail Filter on a dedicated server for optimum performance. However, in small environments where cost is a consideration, you can install SurfControl E-mail Filter on a Windows-based mail server.

This deployment is not recommended for large environments. In this scenario, SurfControl E-mail Filter is installed on the mail server. The E-mail Filter server accepts traffic from the firewall on port 25. It filters the e-mail and relays it to itself on port 26. The mail server then delivers the e-mail to the e-mail users.


To perform this installation, follow Procedure 1:

Procedure 1: Installing E-mail Filter on the Mail Server

Step Action

1 On the mail server, run the SurfControl E-mail Filter Setup Wizard, selecting typical install. See “Typical Installation” on page 21.

2 When you have finished installing the product, the Configuration Wizard will run. It will ask you to enter:

• The IP address of your mail server: enter the IP or machine name of the mail server where E-mail Filter is installed.

• The SMTP Port of the mail server: change the port number from 25 to a different number, e.g. 26.

3 Configure your firewall to accept internal SMTP connections only from the SurfControl E-mail Filter server.

4 Configure the inbound port 25 tunnel on your firewall to the SurfControl E-mail Filter server.
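A pre-flight check for the two tests the Configuration Wizard performs (that the inbound SMTP port is free, and that the mail server answers on its SMTP port), applied to the port 25 / port 26 split used in this deployment. This is an added example, not SurfControl code; the function names and the addresses in the demo call are assumptions.

```python
import socket

def listener_port_state(host, port):
    """Report whether a new SMTP listener could bind host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))      # no SO_REUSEADDR, so an existing listener blocks us
        except PermissionError:
            return "denied"           # missing privilege, or port held exclusively
        except OSError:
            return "in-use"
    return "free"

def smtp_greeting(host, port, timeout=5.0):
    """Connect and return (reply_code, text) of the server's opening reply."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        with conn.makefile("rb") as reader:
            parts = []
            while True:
                raw = reader.readline(1024)
                if not raw:
                    raise ConnectionError("closed before a complete greeting")
                line = raw.decode("ascii", "replace").rstrip("\r\n")
                parts.append(line[4:])
                # "220-text" continues a multi-line reply, "220 text" ends it
                if len(line) < 4 or line[3] != "-":
                    break
        try:
            conn.sendall(b"QUIT\r\n")  # end the session cleanly
        except OSError:
            pass
    code = int(line[:3]) if line[:3].isdigit() else None
    return code, " ".join(p for p in parts if p)

def preflight(listen_host, listen_port, relay_host, relay_port):
    """Check the filter's inbound port and the mail server it will relay to."""
    report = {"listener": listener_port_state(listen_host, listen_port)}
    try:
        code, _text = smtp_greeting(relay_host, relay_port)
        report["relay"] = "ready" if code == 220 else f"unexpected reply {code}"
    except OSError as exc:
        report["relay"] = f"unreachable ({exc.__class__.__name__})"
    return report

if __name__ == "__main__":
    # Assumed values for this deployment: the filter listens on port 25 and
    # the mail server on the same machine has been moved to port 26.
    print(preflight("0.0.0.0", 25, "127.0.0.1", 26))
```

A result of `in-use` for the listener on a combined server usually means the mail server's own SMTP service has not yet been moved off port 25.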

POP3 Clients using External Mail Servers


Deployment Option 2: Simple Dedicated Server

This deployment is a simple, low cost solution, suitable for a small to medium sized environment. All E-mail Filter components (including the SQL database) are installed on a single server. E-mail Filter is filtering all inbound and outbound SMTP traffic.

Figure 2 Simple installation for small and medium sized environments.

Inbound e-mail travels from the Internet to E-mail Filter for filtering. E-mail Filter then routes the e-mail to the next host, which is typically the SMTP service or the daemon of the internal mail server.


Follow Procedure 2:

Procedure 2: Single Server Installation

Step Action

1 Run the SurfControl E-mail Filter Setup Wizard on the server where you want to install SurfControl E-mail Filter, selecting Typical Installation.

Make sure that the SurfControl E-mail Filter databases are installed on the same server.

2 After you have finished the Setup Wizard, the Configuration Wizard will run. It will ask you to enter:

• The IP address of your mail server: enter the IP or machine name of the mail server where E-mail Filter is installed.

• The SMTP Port of the mail server: this should be the default port 25.


Deployment Option 3: In a DMZ

Many large organizations deploy SurfControl E-mail Filter in the DMZ, as shown in Figure 3.

Figure 3 SurfControl E-mail Filter in a DMZ.

Figure 3 shows SurfControl E-mail Filter installed on hardened servers in the DMZ. In this scenario, the E-mail Filter servers receive SMTP traffic for the organization, filter the e-mail accordingly, then route it to the next host, which is typically a mail server, gateway, or bridgehead on the protected network.

Many deployment scenarios include two or more SurfControl servers, with no single point of failure. In these scenarios, load balancing is typically achieved using DNS MX records with the same preference.

There are several different ways that SurfControl routes SMTP traffic in this type of deployment:

• SurfControl filters both inbound and outbound traffic. In this configuration, E-mail Filter Server 1 or E-mail Filter Server 2 receives inbound SMTP traffic, depending on the MX record. It then statically delivers all “allowed” messages to the internal mail server. When the mail server receives outbound e-mail, it routes the e-mail to either E-mail Filter Server 1 or E-mail Filter Server 2 for outbound DNS name resolution and delivery.

• E-mail Filter Server 1 primarily filters inbound traffic; E-mail Filter Server 2 primarily filters outbound traffic. In this configuration, the E-mail Filter Server 1 acts as a back-up for outbound traffic

• E-mail Filter Server 1 and 2 for inbound filtering only. In this configuration, load balance E-mail Filter using MX records. Outbound mail is completely separate and can be routed through additional SurfControl servers, or through any existing outbound mail gateways. This configuration is typically used when there is a high requirement to filter inbound e-mail (e.g. spam), but little or no requirement to filter outbound e-mail.

SQL Placement

In Figure 3, the SQL Server is placed inside the protected network. Firewall rules permit E-mail Filter Server 1 and E-mail Filter Server 2 to communicate with the SQL Server over port 1433. Both E-mail Filter servers share a single SQL database for policy management and logging, allowing E-mail Filter to be managed as a single entity.

Alternatively, you could install SQL or MSDE directly onto each SurfControl server, though policy management and message administration would not be centralized with this configuration. However, you can easily export policies from one SurfControl server and import them to any other SurfControl servers. This configuration is commonly used when SurfControl’s main objective is to discard spam, and you have no need for centralized reporting.

Security Considerations

Because of its placement in a DMZ, install SurfControl E-mail Filter onto a hardened Windows 2000 or Windows 2003 server, following Microsoft's OS hardening recommendations for a stand-alone server. SurfControl servers are stand-alone servers (not part of a domain or AD) and use local accounts for services. When communicating with the SQL database, SurfControl uses SQL authentication.

To implement this deployment option, follow Procedure 3:

Procedure 3: Deploying SurfControl E-mail Filter in the DMZ

Step Action

1 Configure the external firewall to allow the following ports:

• Port 53 to accept E-mail Filter’s DNS requests.

• Port 25 to allow SMTP traffic.

• Port 80 to allow Threat Database updates from the Internet.

2 Configure the internal firewall to allow the following ports:

• Port 25 to allow traffic from the mail server.

• Port 8181 (or the alternative port of your choosing) for the administration service and remote access.

• Port 1443 if you want E-mail Filter to connect to a remote SQL database using SQL authentication.

• Port 389 if you want E-mail Filter to perform LDAP lookups for user and group information.

3 Run typical installations on SurfControl E-mail Filter Servers 1 and 2. See “Typical Installation” on page 21.


Deployment Option 4: A Protected Network

Depending on your environment, there can be specific advantages to installing SurfControl E-mail Filter on your protected network, such as enabling E-mail Filter to interact with existing user directories and filter outbound e-mail. Figure 4 depicts this deployment, where an organization’s e-mail is routed to a mail relay or anti-virus gateway and then routed to E-mail Filter servers on the protected network for additional filtering.

Figure 4 SurfControl E-mail Filter on the protected network.


As with installing in the DMZ, there are numerous ways that SMTP traffic is routed in this type of deployment:

• The gateway in the DMZ receives inbound e-mail and routes the e-mail to SEF1 or SEF2 using a load balancer. SurfControl servers filter the content according to policy, then route any “allowed” e-mails to the next internal mail host. Mail servers route outbound mail to SEF1 or SEF2 for filtering. SEF1 or SEF2 can either resolve DNS to route outbound traffic, or route messages to the DMZ for any additional filtering and delivery.

• For inbound traffic, designate one (or more) SurfControl servers to primarily filter inbound e-mail. For outbound traffic, designate one (or more) SurfControl servers to primarily filter outbound e-mail. When receiving an increased volume of traffic, the load balancing hardware/software dynamically utilizes any other available resources. In addition, you can use the load balancer to dynamically route outbound e-mail to SurfControl depending on server availability, or other load balancing algorithms specific to the device.

• Inbound e-mail is the same as above. Outbound SMTP traffic can bypass SurfControl. Internal mail servers may route mail directly to the Internet, or relay to the mail server/AV gateway for outbound delivery.

SQL Placement

The database can be installed on a separate server or server cluster, on one of the SurfControl servers, or on each of the SurfControl servers. Once again, server requirements depend entirely on message volume and reporting requirements.

To implement this deployment option, follow Procedure 4:

Procedure 4: Deploying E-mail Filter on a Protected Network

Step Action

1 Configure the external firewall to allow the following ports:

• Port 53 to accept E-mail Filter’s DNS requests.

• Port 25 to allow SMTP traffic.

• Port 80 to allow Threat Database updates from the Internet.

2 Configure the internal firewall to allow the following ports:

• Port 25 to allow traffic from the mail server.

• Port 8181 (or the alternative port of your choosing) for the administration service and remote access.

• Port 1443 if you want E-mail Filter to connect to a remote SQL database using SQL authentication.

• Port 389 if you want E-mail Filter to perform LDAP lookups for user and group information.

3 Run typical installations on SurfControl E-mail Filter Servers 1 and 2. See “Typical Installation” on page 21.


Deployment Option 5: Multiple Sites

Some larger organizations may have more than one geographic location with multiple E-mail Filter servers on each site. If one site is unavailable or is seeing an increased volume of traffic, you can route overflow to a different site for processing. You can accomplish this with MX records of different preferences, as shown in Figure 5:

Figure 5 SurfControl E-mail Filter at multiple sites.

In Figure 5, e-mail intended for Site A is primarily delivered to the SurfControl servers physically residing at Site A. However, in the unlikely event that Site A is unavailable, messages intended for Site A will be delivered to Site B, because of the failover configuration (specified by the lower MX preference).
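How a sending mail server treats the MX records described for Deployment Option 3 (same preference, for load balancing) and for this option (different preferences, for failover), shown as an added example that is not part of the SurfControl guide. Per RFC 5321, the lowest preference number is tried first and hosts sharing a number are tried in random order; the host names and preference values below are constructed.

```python
import random
from collections import Counter

# Constructed MX set for a hypothetical domain: two filter servers at Site A
# share preference 10, and one server at Site B is the fallback at 20.
MX_RECORDS = [
    (10, "sef1.site-a.example.test"),
    (10, "sef2.site-a.example.test"),
    (20, "sef1.site-b.example.test"),
]

def attempt_order(records, rng):
    """Return hosts in the order a sender tries them (RFC 5321 section 5.1)."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):          # lower number = more preferred
        group = list(by_pref[pref])
        rng.shuffle(group)                # equal preference: randomize to spread load
        order.extend(group)
    return order

def deliver(records, reachable, rng):
    """Pick the first reachable host in attempt order, or None if all are down."""
    for host in attempt_order(records, rng):
        if host in reachable:
            return host
    return None

def simulate(records, reachable, messages=10000, seed=1):
    """Count which host receives each of `messages` independent deliveries."""
    rng = random.Random(seed)
    return Counter(deliver(records, reachable, rng) for _ in range(messages))

if __name__ == "__main__":
    everything_up = {host for _, host in MX_RECORDS}
    print("all up:     ", dict(simulate(MX_RECORDS, everything_up)))
    print("Site A down:", dict(simulate(MX_RECORDS, {"sef1.site-b.example.test"})))
```

With every host reachable, the two Site A servers split the traffic roughly evenly and Site B receives nothing; Site B only receives mail once no Site A host accepts a connection.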


To implement this deployment option, follow Procedure 5.

For more detailed information about the Server Configuration Console and Routing, read the E-mail Filter Administrator’s Guide.

Procedure 5: Deploying E-mail Filter Across Multiple Sites

Step Action

1 On each site, allow the following ports on the firewall:

• Port 53 to accept E-mail Filter’s DNS requests.

• Port 25 to allow SMTP traffic.

• Port 80 to allow Threat Database updates from the Internet.

2 On each site, complete a full SurfControl E-mail Filter install on the E-mail Filter servers.

Configuring static routes

1 On the E-mail Filter server in site A, launch the Monitor.

2 From the File menu select Server configuration.

3 In the left hand pane, select Send Service > Routing.

4 You will see that the mail server for your primary e-mail domain has already been added in the right hand pane.

5 Click Add… The Domain Route Properties dialog will display.

6 In the Domain Name for Static Route field, enter the name of the e-mail domain where the mail servers on site B are located.

7 In the Route Host for this Domain field, enter the IP address of one mail server on Site B.

8 In the IP Port to use for this SMTP Host, enter the port that the E-mail Filter Server will use to communicate with the mail server. This is usually port 25.
