Proofpoint Administration Guide
Proofpoint Protection Server®
Proofpoint Messaging Security Gateway™
Proofpoint Messaging Security Gateway™ Virtual Edition
Release 7.0
Website: www.proofpoint.com Toll-free telephone: 1-877-64POINT
Technical support: https://support.proofpoint.com
Administration Guide Proofpoint Protection Server®
Proofpoint Messaging Security Gateway™ February 2012
Proofpoint Protection Server Copyright and Trademark Notices
The Proofpoint Protection Server is proprietary software licensed to you for your internal use by Proofpoint Inc. This software is © Copyright 2002 - 2012 Proofpoint Inc. The copying, modification or distribution of the Proofpoint Protection Server is subject to the terms of the Proofpoint Software License, and any attempt to use this software except under the terms of that license is expressly prohibited by U.S. copyright law, the equivalent laws of other countries, and by international treaty.
Proofpoint and Proofpoint Protection Server are trademarks of Proofpoint Inc.
McAfee is a registered trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. Virus Scanning capabilities may be provided by McAfee, Inc.
Copyright © 2012 McAfee, Inc. All Rights Reserved. F-Secure Anti-Virus Copyright © 1993-2012, F-Secure Corp.
VMware, the VMware “boxes” logo, GSX Server, ESX Server, Virtual SMP, VMotion and VMware ACE are trademarks (the “Marks”) of VMware, Inc.
MariaDB licensing information is available in the directory ${PROOFPOINT_ROOT}/opt/mariadb. Apache 2.2 licensing information is available at http://www.apache.org/licenses.
Perl (Practical Extraction and Report Language) is copyrighted by Larry Wall.
It is free software and it is redistributed by Proofpoint under the terms of the “Artistic License” that comes with the Perl Kit, Version 5.0. Source is available at http://www.perl.com.
Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England.
Source is available at ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/. Some database support in this solution is provided by MySQL.
Copyright © 1997, 2011, 2012 Oracle and/or its affiliates. All rights reserved. Copyright © 1986 - 1993, 1998, 2004 Thomas Williams, Colin Kelley
Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.
Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you
1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries,
2. add special version identification to distinguish your version in addition to the base release version number,
3. provide your name and address as the primary contact for the support of your modified version, and
4. retain our contact information in regard to use of the base software.
Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted with same provisions 2 through 4 for binary distributions.
This software is provided "as is" without express or implied warranty to the extent permitted by applicable law.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the developer nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE DEVELOPER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE DEVELOPER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
Portions of this software are Copyright © 1996-2002 The FreeType Project (www.freetype.org). All rights reserved. Additional graphical support is provided by libgd:
Portions copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health.
Portions copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright © 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright © 1999, 2000, 2001, 2002 Greg Roelofs.
Portions relating to gdttf.c copyright © 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright © 2001, 2002 John Ellson
Portions relating to JPEG and to color quantization copyright © 2000, 2001, 2002, Doug Becker and copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.
Portions relating to WBMP copyright © 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. “Derived works” includes all programs that utilize the library. Credit must be given in user-accessible documentation.
This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.
Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
zlib.h – interface of the “zlib” general purpose compression library version 1.2.2, October 3rd, 2004 Copyright © 1995-2004 Jean-loup Gailly and Mark Adler
This software is provided “as-is”, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly [email protected] Mark Adler [email protected]
Unifont copyright Paul Hardy of Unifoundry.com ([email protected]) released under the terms of the GNU General Public License (GNU GPL) version 2.0.
Tomcat, Log4j, Apache CXF – Apache Copyright © 1999-2012 Apache Software Foundation
Java JRE, JDK, JavaMail, Sun JavaServerFaces – Copyright © 1997, 2011, 2012, Oracle and/or its affiliates. All rights reserved. JBoss RichFaces – Copyright Red Hat ®. Red Hat is a registered trademark of Red Hat, Inc.
Copyright © 2012 Sendmail, Inc. All Rights Reserved.
Proofpoint gratefully acknowledges contributions of the open source community to the Proofpoint Protection Server. References to open source software used with the Proofpoint Protection Server are collected into a single repository which can be found in the installed Proofpoint Protection Server package in src/opensource/OPENSOURCE. That repository, consisting of the contributions from open source projects – but not including the proprietary Proofpoint Protection Server software referred to above – is a collective work that is © Copyright 2002 - 2012 Proofpoint Inc. You will find in this repository copies of the source code, or references of where to find, every open source program not referenced in this copyright notice, that was used in the Proofpoint Protection Server.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright © 1996 - 2010, Daniel Stenberg, <[email protected]>. All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright © 2012. Proofpoint, Inc. All rights reserved.
Contents
Chapter 1 - Welcome ... 1
Introduction to the Proofpoint Protection Server ... 1
Product Overview ... 1
Licensing Overview ... 1
Proofpoint Messaging Security Gateway ... 1
Clusters and Services ... 2
Master, Agents, Clusters, and Instances ... 2
Navigating the Management Interface ... 2
Links on Every Page ... 3
Display and Hide Icons ... 4
Expand and Collapse Navigation Pane Icons ... 4
Minimize and Maximize Panes on a Page ... 4
Paging through Entries ... 4
Expanding and Collapsing the Menus ... 4
Refresh Page Icon ... 4
Editing or Viewing Table Elements ... 5
Selecting Items in a Table on a Page ... 5
Persistent Views ... 5
Managing Your Proofpoint Portal ... 5
About Workspaces ... 6
About Widgets ... 6
Editing, Updating and Deleting Widgets ... 6
Chapter 2 - Evaluation ... 7
Start Filtering Email ... 7
Filter Sample Email ... 7
Filter Your Email ... 7
Filter Email from a POP Account ... 8
Disabling Email Forwarding from a POP Account ... 8
Chapter 3 - Appliance ... 11
Network Interface Settings ... 11
Providing or Changing Network Interface Settings for the Appliance ... 11
Configuring Appliance Network Interfaces ... 11
Configuring Static Routing for the Network Interfaces ... 12
IPv6 Network Routes ... 12
Changing Hostnames for Masters and Agents ... 12
Host Firewall Selections ... 13
Inbound Mail Configurations ... 14
Importing a List of Mail Routes ... 16
Adding Domain Groups for Inbound Mail Routes ... 17
Searching for Inbound Mail Routes ... 17
About Outbound Mail ... 17
Filtering All Outbound Mail ... 18
Allow Relay ... 18
Importing Entries ... 18
Outbound Mail Routes ... 18
Importing Entries ... 19
Adding Domain Groups for Outbound Mail Routes ... 19
About SMTP Settings ... 20
General SMTP Settings ... 22
Advanced SMTP Settings ... 23
Filter Settings ... 23
Queue Settings ... 23
Relay Settings ... 23
Mailer Settings ... 24
Default and Unique LDAP Profiles ... 24
Selecting a Default LDAP Profile ... 25
Configuring Unique LDAP Configurations ... 25
LDAP Routing ... 26
Access ... 27
Importing and Exporting Entries ... 27
Importing and Exporting sendmail Data ... 27
Aliases ... 28
Virtual Domains ... 28
Rewrite Domains ... 29
Rewrite Header ... 30
Masquerade Domains ... 31
About TLS ... 32
Configuring TLS Settings ... 33
Adding and Managing TLS Domains ... 33
Adding TLS Domains ... 33
Searching for TLS Domains ... 34
Deleting TLS Domains ... 34
Editing TLS Domains ... 34
Importing and Exporting TLS Domain Entries ... 35
Setting the Date and Time ... 36
SNMP Configurations ... 36
Chapter 4 - Proofpoint Protection Servers ... 39
Creating and Managing Workspaces ... 39
Create or Clone a Workspace ... 39
Rename a Workspace and Change Permissions ... 39
Selecting a Default Workspace ... 40
Working with Pages and Widgets ... 40
Creating and Managing Pages ... 40
Adding, Deleting, and Moving Widgets on a Page ... 40
Organizing Widgets with Columns ... 41
Server Status ... 41
Message Traffic ... 43
Spam Classification Table ... 43
Virus Ranking Table ... 43
Rule Statistics Table ... 43
Quarantine Summary ... 43
SMTP Server Summary ... 44
SMTP Queue Summary ... 44
Queue List Data ... 45
Displaying Queue Data ... 45
Selecting and Applying Actions to Queues ... 45
SMTP Messages ... 45
SMTP Messages Data ... 45
Searching for Messages in a Queue ... 46
Managing Individual Messages ... 46
Selecting and Applying Actions to Messages ... 47
Individual and Displayed Messages ... 47
All Messages in the List ... 47
Viewing and Managing Individual Messages ... 47
About Expanded or Original Envelope Addresses ... 48
Configuring SMTP Profiles and Parameters ... 49
Creating SMTP Profiles ... 49
Testing the SMTP Connection ... 50
Sending Mail to the SMTP Host ... 50
Checking the Buffer Queue ... 50
Editing an SMTP Profile ... 50
Configuring LDAP Profiles and Parameters ... 50
LDAP Failover and Load Balancing ... 51
Creating LDAP Profiles ... 51
Testing the Connection to the LDAP Server ... 51
Deleting an LDAP Profile ... 51
Configuring DNS Parameters ... 52
Filter DNS Timeout ... 52
Adding DNS IP Addresses ... 52
Configuring the DNS Order ... 52
Deleting a DNS System ... 52
Configuring Proxy Server Parameters ... 52
Proxy Server Connection to the Internet ... 52
About Certificates ... 53
Managing Certificates ... 53
Requesting Certificates ... 53
Importing Certificates ... 54
Downloading Certificates ... 54
Deleting a Certificate ... 54
Service Certificates ... 55
Publisher Certificates ... 55
Importing Publisher Certificates ... 55
Downloading Publisher Certificates ... 55
Deleting Publisher Certificates ... 55
About Custom MIME Types ... 55
Overview of Conditions and Sub Conditions ... 56
Manually Adding Custom MIME Types ... 56
Comparing Files to Add Custom MIME Types ... 57
Managing Custom MIME Types ... 58
Testing a Mime Type File ... 58
Searching Entries ... 58
Displaying Number of Entries ... 58
Deleting Custom MIME Types ... 58
Importing MIME Types ... 59
System MIME Types ... 59
Searching for System MIME Types ... 59
Displaying Number of MIME Type Entries ... 59
DNS Block List ... 59
Setting Safe Routes for DNS Block Lists ... 60
Adding DNSBL Domains ... 60
Adding a Domain for Proofpoint Dynamic Reputation ... 61
Enabling and Disabling DNSBL Domains ... 61
About System Settings ... 61
Using Evaluation Audit Mode ... 61
Sending Host IP ... 62
Splitting Envelope by Recipient Policy Route ... 63
Using the Recipient Domain Mapper ... 63
Scope ... 63
Enabling the Domain Mapper ... 64
Using the Recipient Address ... 64
Enabling Traffic Statistics Reporting ... 64
Enabling Honeypoint ... 64
Inspect Compressed Archives and PE Encrypted Messages ... 64
Detect Document Type ... 65
Detect Document Type and uuencoded Messages ... 66
Extract Text Content ... 66
Enabling Sub-addressing ... 66
Enabling ICAP ... 66
Example: Inspect Compressed Archive and Extract Text Content ... 67
Admin Server Settings ... 67
Setting the Session Timeout for the Management Interface ... 67
Login Settings ... 68
Navigation Menu Settings ... 68
Evaluation Settings ... 68
Communication Channel Settings ... 68
External Admin Access Settings ... 68
Viewing Server Status Information ... 69
Process Details ... 70
Database Utilities ... 70
Adding and Deleting Agents ... 71
About the Import Agent Sendmail Configuration Parameter ... 71
About Cloning an Agent ... 71
About Server Profiles and Services ... 72
Quarantine Node ... 72
Smart Search Node ... 72
Log Node ... 72
Mail Filter and Secure Reader Service ... 73
Adding an Agent ... 73
Deleting an Agent ... 73
Starting and Stopping Processes ... 74
Changing Server Configuration Parameters ... 74
About Email Alerts ... 75
General Alert Settings ... 75
Creating and Managing Alert Profiles ... 76
About Alert Suppression ... 77
Adding a Rule or Rules to a Profile ... 77
Testing a Rule ... 78
Previewing a Rule ... 78
About Policy Routes ... 78
Policy Routes and Filtering Modules ... 79
Policy Routes and Rules ... 79
Policy Routes and Groups ... 79
Default Policy Routes ... 80
Creating and Modifying Policy Routes ... 80
Creating a Policy Route ... 80
Changing the Logical Operator ... 81
Deleting a Condition ... 81
Changing a Condition ... 81
Custom Modules ... 81
Adding a Module ... 81
Enabling or Disabling a Module ... 82
Changing the Module Filtering Order ... 82
Deleting a Custom Module ... 82
About Licenses and the Dynamic Update Service ... 82
System Upgrade Checklist ... 83
Contacting Proofpoint Technical Support ... 84
Alternative Mail Routing ... 84
Estimating the Time to Upgrade ... 84
Freeing up Disk Space and Reducing Data to Migrate ... 84
Automatic Database Check ... 85
Check Firewall Rules ... 85
Managing the System Upgrade Process ... 86
System Upgrade Checklist ... 86
Errors and Failed Upgrades ... 86
Displaying and Saving Log Data ... 86
Handling Databases and Log files ... 87
Updating Modules and Upgrading System Software ... 87
Checking and Deploying the Latest Module Updates ... 88
Checking and Installing the Latest Software Upgrade ... 88
Activating Updates and Managing Licenses ... 89
Activating the Dynamic Update Service ... 90
Automatically Updating Modules and Software Patches ... 90
Direct Agent Updates ... 90
Viewing Update History ... 91
Removing Previously Installed System Upgrades ... 91
Viewing Configuration History ... 91
Creating a Configuration Version ... 92
Restoring to a Previous Configuration ... 92
About Backup and Restore ... 92
Backing Up the Proofpoint Protection Server ... 93
Backing Up Data Immediately ... 93
Creating a Backup Schedule ... 94
Downloading Backup Configurations to Your Local System ... 94
Restoring the Proofpoint Protection Server ... 94
Importing a Backup Configuration ... 94
Restoring a Backup Configuration ... 95
Downloading the System Data File ... 95
Testing Network Connectivity ... 95
Testing the Email Connection ... 96
Testing LDAP to sendmail Connectivity ... 96
Reviewing the System Status ... 97
Chapter 5 - Accounts and Passwords ... 99
About Administration Privileges ... 99
Viewing the Administrator List ... 99
Adding and Deleting Administrators ... 100
Folder Access Control ... 101
Changing Administrator Parameters ... 101
Changing Account and Password Information ... 102
Administrator Password Policy ... 102
Chapter 6 - Logs and Reports ... 103
Log Concepts ... 103
Reporting Concepts ... 104
System Reports ... 105
Email Firewall Module Reports ... 105
Virus Protection Module Reports ... 105
Zero-Hour Module Reports ... 105
Spam Detection Module Reports ... 105
Regulatory Compliance Module Reports ... 105
Digital Assets Module Reports ... 105
Proofpoint Encryption Reports ... 105
Saved Reports ... 106
Log Configuration Settings ... 106
Viewing and Searching the Logs ... 106
Viewing Logs ... 107
Configuring Reports ... 107
High Volume Reports ... 108
Viewing Reports ... 109
Custom Reports ... 109
Summary Dashboard Report ... 110
Printing and Emailing Reports ... 110
Saved Reports ... 111
Publishing Reports ... 111
Viewing the Report Publishing History ... 111
Scheduling Reports for Automatic Distribution ... 111
Exporting Raw Log Data ... 112
Taking Action on a Report ... 112
Alert Settings ... 112
Alert Viewer ... 113
Searching For Alerts ... 113
Viewing Alert Details ... 113
Downloading Alert Viewer Data ... 113
Chapter 7 - Quarantine ... 115
About the Quarantine ... 115
About Message Reporting ... 115
Quarantine General Settings ... 116
Enabling and Disabling Message Reporting ... 117
Handling Quarantine and User Repository Errors ... 117
Queue Consolidation ... 117
Creating Message Templates ... 118
Setting Layout Defaults ... 118
Introduction to Quarantine Folders ... 119
Folders and Message Expiration ... 119
Folder Disposition Parameters ... 120
Advanced Expiration Modes ... 121
Keeping Messages Indefinitely ... 121
Encrypting Folder Content ... 122
System Folders ... 122
Creating a Folder ... 123
Managing Folders ... 124
Changing Folder Settings ... 124
Viewing Messages in a Folder ... 124
Viewing and Managing Messages ... 125
Message Indicators ... 126
Simple Searches ... 126
Searching for Messages by Age in a Specific Folder ... 127
Advanced Searches ... 127
Displaying Only Messages Released by Users ... 128
Controlling the Number of Fields to Display ... 128
Controlling the Number of Messages to Display ... 128
Creating and Managing Search Queries ... 128
Temporarily Disabling Fast Query ... 129
Sorting Messages ... 129
Viewing Message Details in Folders ... 129
Navigation Bar ... 130
Selecting Messages for Actions ... 130
Selecting Individual Messages ... 130
Selecting Messages on a Display Page ... 130
Selecting All of the Messages from a Query ... 131
Message List Actions ... 131
Folder Menu ... 131
Options Menu ... 131
Folder Actions ... 132
Moving Messages between Folders ... 132
Viewing and Restoring Deleted Messages ... 133
Emptying the Deleted Folder ... 133
Releasing Messages ... 134
Redirecting Messages ... 134
Resubmitting Messages for Filtering ... 134
Generating a Digest from the Quarantine ... 135
Automatically Adding Senders to the Global Blocked List ... 135
Automatically Adding Senders to the Global Safe List ... 136
Adding Recipients to the Global Safe List ... 136
Administrators Reporting False Negatives and Positives ... 136
Updating the Virus Status ... 137
Changing the Status and Adding Comments to Messages ... 138
Chapter 8 - Groups and Users ... 139
About Groups and Users ... 139
Envelope Splitting ... 139
POP Forwarder ... 140
Configuring the Layout for the Users List and Groups List ... 141
About Attributes ... 141
Inbound Attributes ... 143
Outbound Attributes ... 143
Services Attributes ... 144
Authentication Attributes ... 146
POP3 Forwarder Attributes ... 146
Global Attributes ... 147
Password Policies for Groups and Users ... 147
Password Policies Settings ... 147
General Settings ... 148
Expiration Settings ... 148
Syntax Settings ... 148
Login Failure Settings ... 148
Password Reset ... 149
About the User Repository ... 149
Importing Users into the Repository ... 150
Creating an Import or Authentication Profile ... 150
About Fallback Authentication ... 151
General Parameters ... 152
Settings on the General Tab ... 152
Advanced Parameters ... 154
Advanced LDAP Options ... 156
Universal Authentication ... 156
Immediately Updating the User Repository ... 157
Option to Customize the LDAP Query Filter for Authentication ... 157
Advanced Import Options ... 158
Limiting the Number of User Profiles to Delete Upon Import ... 159
Command Options ... 159
Notes for the insertmode, replacemode, and updatemode Options ... 162
Import Attributes and Values ... 163
CSV File Format ... 166
Scheduling an Import Profile ... 167
Deleting and Modifying Import Profiles ... 167
Automatically Adding a User to the User Repository ... 167
About Groups ... 167
Group List Indicators ... 168
Adding Groups and Assigning Attributes ... 169
Adding a Domain Group ... 170
Managing and Deleting Groups ... 171
Viewing Members of a Group ... 171
Deleting Groups ... 171
Making Changes to a Group ... 171
Generating Lists and Digests for Groups Immediately ... 171
Setting Policy Precedence for Attributes ... 171
About Users ... 175
User List Indicators ... 175
Adding Users and Mailing Lists and Assigning Attributes ... 176
Managing and Deleting Users ... 177
Deleting Users or Mailing Lists ... 177
Making Changes to a Single User or Mailing List ... 178
Adding and Removing Users from Groups ... 178
Generating Lists and Digests for Users Immediately ... 178
Importing and Exporting Users Immediately ... 178
Exporting Users Immediately ... 179
Searching for Users ... 179
Chapter 9 - End User Services ... 181
About End User Services ... 181
About the End User Digest ... 181
Benefits of Allowing End Users to Manage Digests ... 182
Types of End User Digests ... 182
Digest Configurations ... 182
Overview of Safe Senders and Blocked Senders Lists ... 183
Managing Branding Templates ... 183
Adding a Branding Template ... 184
General Settings ... 184
Digest ... 184
Web Application ... 184
Secure Reader ... 184
Encryption ... 184
Logo ... 185
Title ... 185
Enabling and Setting Up the End User Digest ... 185
Generating a Summary Digest Immediately ... 187
Creating Digest Headers and Footers ... 187
Creating Text for Safe or Blocked Messages ... 187
Configuring the Error Template ... 188
Command Label Options ... 188
Web-based Command Processor ... 189
Email-based Command Processor ... 189
Setting Up a Local Mailbox ... 189
Setting Up a POP3 Server ... 190
Web Application ... 191
Scheduling Digest Generation ... 192
Enabling SMTP Verify ... 193
General Filter Configurations ... 193
Creating the List of Digest Users ... 193
Users Who Receive a Digest ... 194
Users Who Are Not in the Repository ... 194
Apply Inclusions to the List ... 194
Apply Exclusions to the List ... 195
Controlling Digest Content with Folders ... 195
Controlling Digest Content with Modules ... 196
Editing Modules and Selecting User Commands ... 196
Selecting Command Options ... 196
Available Commands for Modules ... 197
Selecting Audit Options ... 198
Changing the Default Heading and Description Displayed for the Modules ... 198
Authenticating End Users ... 198
Custom Login ... 198
Authentication by Token ... 198
Access Token ... 198
Users Reporting False Negatives and Positives ... 199
Enabling and Providing Commands to End Users ... 199
About Resources ... 200
Smart Send ... 201
Chapter 10 - Email Firewall Module ... 203
About the Email Firewall Module ... 203
About Proofpoint Dynamic Reputation and netMLX ... 203
Email Firewall Settings ... 204
Selecting Policy Routes ... 204
About Recipient Verification ... 204
Data Connector ... 204
Verification Profile ... 205
Verification Rules ... 205
Enabling Recipient Verification ... 205
Selecting Policy Routes ... 206
Invalid Recipients – Global Setting ... 206
Verification Failure Setting ... 206
Verification Data Connector ... 207
Adding Custom Connector Modules ... 207
Verification Profile ... 207
Profile Precedence by Domains ... 209
Verification Rules ... 209
Verification Rule Conditions ... 209
Creating Recipient Verification Rules ... 209
About SPF ... 210
Enabling SPF ... 210
Selecting Policy Routes ... 210
Creating SPF Policies ... 211
Creating, Editing, and Enabling SPF Rules ... 211
Selecting Policy Routes ... 211
Enabling and Disabling SPF Rules ... 211
Creating or Editing SPF Rules ... 212
About Dictionaries ... 212
Managing Dictionaries ... 213
Enabling and Disabling a Dictionary ... 213
Adding and Deleting Words in a Dictionary ... 213
Example: Adding a Regular Expression Match ... 214
Editing Words, Weights, or Conditions ... 215
Importing Words into a Dictionary ... 215
Exporting a Dictionary ... 216
Traffic Shaping with SMTP Rate Control ... 217
SMTP Rate Control Configurations ... 217
Example: Rule for DHA ... 218
DHA Settings and Recipient Verification ... 218
Enabling the Rule for a DHA ... 218
Creating SMTP Rate Control Rules ... 219
Adding a Rate Control Rule ... 219
Adding and Deleting a List of Non-throttled Hosts ... 220
Importing and Exporting Non-throttled Hosts ... 220
Managing Host or IP Connections ... 221
Displaying Statistics ... 221
Filtering for Specific Data ... 221
Connections Table Information ... 221
Connection Management Tasks ... 222
Email Firewall Rules and Filtering Order ... 222
Default Email Firewall Rules ... 222
Filtering Order ... 223
Creating Email Firewall Rules ... 223
Creating and Populating an Access List ... 224
Importing Entries into an Access List ... 225
Exporting Entries from an Access List ... 226
Deleting and Modifying Entries on an Access List ... 227
Enabling or Disabling a Rule ... 227
Deleting or Editing a Rule ... 227
About Bounce Management ... 227
Enabling Bounce Management ... 229
Enabling Automatic Key Rotation ... 229
Generating Keys ... 230
Sharing Keys between Clusters ... 230
Creating Bounce Management Policies and Rules ... 230
Creating and Changing Validation Rules ... 230
Creating a Bounce Management Policy ... 231
Adding or Editing Validation Rules ... 231
About DKIM ... 232
Overview ... 232
Enabling DKIM and Editing the DKIM Error Rule ... 232
Editing the DKIM Error Rule ... 232
DKIM Key Management ... 233
Applying Policy Routes ... 233
Viewing and Publishing the Public Key ... 233
Testing the DNS Lookup ... 234
Searching for Domain Entries ... 234
Importing and Exporting DKIM Key Information ... 234
Rotating Keys ... 234
Chapter 11 - Virus Protection Module ... 235
About the Virus Protection Module ... 235
Virus Signatures and Identity Files ... 235
Message Conditions ... 235
Virus Protection Settings ... 235
Enabling or Disabling the Virus Protection Module ... 235
Selecting Policy Routes... 235
Virus Protection Error - Reject Temporarily ... 236
Module Summary and Update History Tables ... 236
Creating Virus Protection Policies and Rules ... 236
Creating a Virus Policy ... 236
Ordering the Default Policy ... 237
Editing Predefined Policy Rules ... 237
Message Is Not Infected ... 237
Message Is Infected ... 238
Edit the Existing Rule for Message Contains a Virus ... 238
Create a Rule for a Specific Virus ... 238
Message with Errors – No Further Analysis ... 239
Protected Message - Continue to Process ... 239
Message Contains Riskware or Spyware ... 239
Chapter 12 - Zero-Hour Anti-Virus Module ... 241
About the Zero-Hour Anti-Virus Module ... 241
Zero-Hour Settings ... 242
Enabling the Zero-Hour Module ... 242
Selecting Policy Routes... 242
Configuring the Zero-Hour Proxy Server ... 242
Creating and Managing Zero-Hour Policies ... 243
Creating a Zero-Hour Policy ... 243
Ordering the Default Zero-Hour Policy ... 243
Deleting a Policy ... 243
Creating and Managing Zero-Hour Rules ... 243
Cloning a Zero-Hour Rule ... 244
Selecting Policy Routes... 244
Adding a Zero-Hour Rule ... 244
Chapter 13 - Spam Detection Module ... 247
About the Spam Detection Module ... 247
Spam Detection Settings ... 247
Disabling the Spam Detection Module ... 248
Treating Bulk Email as Spam ... 248
Selecting Policy Routes... 248
Module Summary ... 248
Update History ... 248
About Global Lists ... 248
Managing Safe and Blocked List Entries ... 249
Adding and Deleting Entries... 249
Changing Entries ... 249
Matching Entries ... 250
Match Any Entries ... 250
Viewing Entries by Type ... 250
Importing Entries ... 250
Exporting a Global List ... 252
Introduction to Policies and Rules ... 252
Spam Policies ... 252
Additional Rules ... 252
Default Spam Policy and Rules ... 253
Default Policy Rules ... 253
Adding Rules to the Default Policy ... 254
Creating Spam Policies and Rules ... 254
Create a Policy ... 254
Adding Rules to a Policy ... 255
Editing a Spam Rule ... 255
Deleting a Spam Rule ... 255
Custom Spam Classifications ... 255
Enabling a Spam Detection Rule ... 256
Adding Custom Rules ... 256
Editing a Spam Rule ... 257
Deleting a Spam Rule ... 257
Chapter 14 - Smart Search ... 259
About Smart Search ... 259
Client-Server Architecture ... 259
Smart Search Settings ... 259
Finding Messages with Smart Search ... 259
Search Criteria ... 260
Final Action ... 261
Examples ... 262
Multiple Values in a Search Field ... 262
Recent Searches ... 262
Viewing Details for a Message ... 263
Viewing MTA Data from the Logs ... 264
Exporting Search Results Data ... 264
Chapter 15 - Rules and Delivery Dispositions ... 265
Email Firewall Module, Spam Detection Module, Regulatory Compliance Module, and Policy Routes ... 280
Spam Detection Module - Global Safe Lists and Blocked Lists ... 283
Zero-Hour Anti-Virus Module ... 283
Email Firewall Module, Spam Detection Module, and SMTP Rate Control ... 283
Matching Document Type ... 284
Using Regular Expressions ... 284
Metacharacters ... 284
Operators ... 286
Chapter 16 - Data Loss Prevention (DLP) ... 289
Viewing Incident Details in the Asset Folder ... 301
Viewing Incident Details in the Regulation Folder ... 301
Selecting a View for the Details Pane ... 301
Selecting Incidents ... 302
Selecting Individual Incidents ... 302
Selecting Incidents on a Display Page ... 302
Selecting All of the Incidents from a Query ... 302
Deleting Incidents and Restoring Deleted Incidents ... 302
Emptying the Deleted Folder ... 303
Viewing and Restoring Deleted Incidents ... 303
Restoring Incidents ... 303
Moving Incidents between Folders ... 303
Folder Options ... 303
Releasing, Redirecting, and Resubmitting Incidents ... 304
Releasing Incidents ... 304
Redirecting Incidents ... 304
Resubmitting Incidents for Filtering ... 305
Incident Options ... 305
Updating the Virus Status ... 305
Downloading Incidents to a CSV or XML File ... 306
Adding a Comment or Status to an Incident ... 306
Chapter 17 - Smart Send ... 307
About Smart Send ... 307
Using Smart Send ... 307
Chapter 18 - Encryption ... 309
Network Configuration Options ... 313
Secure Reader Settings ... 313
Domain Restrictions ... 314
Secure Reader Allowed Domains ... 314
Secure Reader Save Message ... 314
Authentication Cache ... 315
Premium Outlook Plug-in Settings ... 315
Diagnostics for Proofpoint Encryption ... 316
Creating Domain Profiles ... 316
About Trusted Partner Encryption ... 317
General Trusted Partner Encryption Settings ... 317
Managing Trusted Partner Encryption Partners ... 317
Managing Response Profiles ... 318
Adding a Response Profile ... 318
General Parameters ... 318
Reply Parameters ... 318
Forward Parameters ... 319
Overriding Response Profiles with Rules ... 320
Finding and Managing Encryption Keys ... 320
Search Criteria for Keys ... 320
Viewing Details for a Message Encryption Key ... 321
Disabling Message Access ... 321
Deleting a Key ... 321
Changing the Key Expiration ... 322
Configuring the Secure Reader Proxy ... 322
Proofpoint Encryption on Software Installations ... 323
Chapter 19 - ICAP (Internet Content Adaptation Protocol) ... 325
About ICAP ... 325
Creating DLP Rules for HTTP Content ... 325
Delivery Options ... 326
Chapter 20 - Regulatory Compliance Module ... 327
Privacy Rules and Compressed Archives ... 329
Regulatory Compliance Settings ... 329
Disabling the Regulatory Compliance Module ... 329
Selecting Policy Routes ... 329
Business Partners ... 330
Smart Identifiers ... 330
Smart Identifier Details ... 331
Smart Identifiers and Delimiters ... 331
Importing a Custom Smart Identifier ... 331
Adding and Managing Compliance Dictionaries ... 332
Adding a Dictionary ... 332
Deleting a Dictionary ... 332
Checking for Dictionary Updates ... 333
Adding Words to a Custom Compliance Dictionary ... 333
Deleting Words ... 333
Adding a Regular Expression Match Compliance Dictionary ... 334
Deleting Words from a Compliance Dictionary ... 334
Editing Words, Weights, or Conditions in a Compliance Dictionary ... 334
Importing Words into a Compliance Dictionary ... 335
Exporting Words from a Compliance Dictionary ... 336
Creating Regulatory Compliance Privacy Rules ... 336
Creating a Rule ... 337
Business Partner Condition ... 338
Protocol Condition ... 338
Dictionary Score Condition ... 339
Smart Identifier Score ... 339
Smart Identifier Match Term ... 340
Smart Identifier Match Data ... 340
Proximity Match Condition ... 341
Chapter 21 - Digital Assets Module ... 343
General WebDav Data Connector Settings ... 346
Creating Document Source Profiles ... 346
Document Filter Settings ... 347
Documentum Enterprise Data Connector Settings and Profiles ... 347
Documentum Enterprise Data Connector Requirements ... 347
Documentum Enterprise Data Connector Settings ... 348
Creating Document Source Profiles ... 348
Document Filter Settings ... 349
Digital Assets Settings ... 349
Setting Enforcement Levels and Content Parameters ... 349
Creating and Managing Categories ... 349
Adding a Negative Case Category ... 350
Deleting a Category ... 351
Managing Documents in the Repository ... 351
Uploading Documents to the Repository ... 351
Searching for Documents ... 351
Viewing Documents ... 352
Moving Documents between Categories ... 352
Deleting a Document ... 352
Guidelines for Creating Digital Assets Rules ... 353
Creating Digital Assets Rules ... 353
Creating a Rule ... 354
Deleting and Modifying Digital Assets Rules ... 355
Deleting a Digital Assets Rule ... 355
Changing a Digital Assets Rule ... 355
Disabling a Digital Assets Rule ... 355
Chapter 22 - Frequently Asked Questions ... 357
How do I support multiple domains for Proofpoint Encryption? ... 364
Chapter 1 - Welcome
Introduction to the Proofpoint Protection Server
Welcome to the Proofpoint Protection Server. The Proofpoint Protection Server is a powerful software application that integrates virus protection, spam detection, message encryption, regulatory compliance, and digital asset protection technologies into an extensible message management platform. The Proofpoint Protection Server is designed to fit easily into your corporate environment, taking advantage of the existing corporate messaging infrastructure. It provides efficient performance, accurate message analysis, and a web-based interface (the management interface) for reporting, configuration, and management tasks.
Product Overview
The Proofpoint Protection Server is comprised of these components:
• Filtering modules - the Email Firewall, Virus Protection, Spam Detection, and Regulatory Compliance Modules filter SMTP messages for envelope criteria, connection criteria, virus infections, spam, and message content. The Digital Assets Module protects your organization from accidental or deliberate disclosure of confidential information or trade secrets.
• The Data Loss Prevention (DLP) dashboard provides a centralized and consolidated overview of DLP activity across your organization with custom views of DLP reports and an incident manager console. Administrators and security practitioners can view real-time DLP statistics and trends as well as manage current incidents. Data can be viewed in high level reports or as detailed incidents so that administrators can quickly focus on the critical areas of interest. The DLP dashboard consolidates data from the Regulatory Compliance Module and the Digital Assets Module. You will not see the DLP Dashboard in the management interface if you have not licensed the Regulatory Compliance and Digital Assets modules.
• If you have an ICAP-enabled web proxy server (Internet Content Adaptation Protocol) on your network, you can also filter and block HTTP content for data loss prevention by enabling rules for HTTP content in the Regulatory Compliance and Digital Assets modules.
• Proofpoint Encryption - provides a fully integrated message encryption and decryption solution.
• Administrators have granular control over the filtering policies and dispositions of messages that are infected, designated as spam, or contain inappropriate or confidential content. Messages designated as suspicious can be stored in a Quarantine folder or an Incident Queue for further analysis and disposition.
• Message Processing Hub – this multi-protocol hub accepts all incoming messages and commands, passes messages to the Analysis Modules, exposes the functions of the Management Services, and handles final message dispositions.
• Management Services – centralized management services include administration, message tracing, reporting, and monitoring.
Licensing Overview
Administrators purchase licenses for the modules they want to use in their Proofpoint deployments. Once you activate the product, the management interface displays only the parameters and navigation links for the modules you are licensed to use. The basic license includes the Email Firewall Module and all of the system administration, Reporting, Logging, Digest, and Quarantine functions.
Proofpoint Messaging Security Gateway
organizations. The unwanted traffic results in lowered productivity and consumes valuable IT resources. The impact is particularly severe for businesses that maintain in-house mail servers and have limited administrative resources. The Proofpoint Messaging Security Gateway (appliance) is an affordable and compact solution ideal for mid-sized organizations looking for a turn-key solution to address spam, virus, and other message-borne threat protection capabilities. Without the hassle of configuring hardware and operating systems, the Proofpoint Messaging Security Gateway is pre-installed with the Proofpoint Protection Server software, can be up and running quickly, and is easily maintained by a single administrator.
Clusters and Services
You can deploy several Proofpoint Protection Servers or appliances in a cluster and assign them to different services. For example, one system can serve as the master administration console (the Config Master) and the other systems as filtering services.
Related Topics:
See Master, Agents, Clusters, and Instances for definitions of these Proofpoint Protection Server terms.
Master, Agents, Clusters, and Instances
You can deploy several Proofpoint Protection Servers to provide various services. For example, you can install the Proofpoint Protection Server software on three systems, deploy one system as the master Management Services console (the Config Master), and deploy the other two systems as the filtering services (agents). The system running the administrative interface is designated as master during installation, and the two systems running the filtering services are designated as agents during installation. The master server pushes configuration changes to the agent servers.
The server root is the directory location for the Proofpoint Protection Server software. This location is arbitrary, and varies from installation to installation. For documentation purposes, this directory is referred to as ${PROOFPOINT_ROOT}.
A cluster is a collection of instances managed as one logical unit.
An instance is an instantiation (working process) of the Proofpoint Protection Server software.
Proofpoint supports one instance per server root, and one server root per host configuration. Internally, the Proofpoint Protection Server identifies a fully qualified instance name by hostname, administration port number (one per server root), and instance name.
Administrators can give an instance a display name - an alphanumeric string that identifies the instance by a name that makes sense. If there is no display name for the instance, the fully qualified instance name appears in the web-based management interface by default.
Related Topics:
For information about adding agents to a cluster, see Adding and Deleting Agents.
Navigating the Management Interface
Collapsed Navigation Pane
Click a top-level navigation link to expand it
Links on Every Page
The following links appear by default on each page of the management interface.
• Logged in as – displays the name of the administrator currently logged in to the management interface.
• Switch to Advanced Mode – displays all of the navigation links in the management interface. Toggles between the Advanced and Basic modes.
• Switch to Basic Mode – hides the more advanced configuration links. Toggles between the Advanced and Basic modes.
• Add Shortcut – adds a shortcut to the bottom of the navigation pane for the page that is currently displayed. Shortcuts are displayed with a shortcut icon. You can have up to five shortcuts at a time. Older shortcuts are moved off the list as you add new ones. Tooltips provide more detailed information about each shortcut.
• Refresh Config – if more than one administrator is making changes to the configuration, this link ensures that all changes are applied before anyone logs out of the management interface. If only one administrator is making configuration changes, this link ensures the changes are applied immediately.
• Enter Search - searches the Call Tracking System forums for the word you enter into the field.
• Help – provides context-sensitive help for the current page.
Display and Hide Icons
The Display and Hide icons display or hide the navigation pane.
Expand and Collapse Navigation Pane Icons
The Expand and Collapse icons expand and collapse the links under each top-level entry in the navigation pane.
Minimize and Maximize Panes on a Page
The Minimize and Maximize icons hide and display panes on a page.
Paging through Entries
Use the Previous, Next, First and Last icons to page through entries on a page or in a pane.
Expanding and Collapsing the Menus
Click the up-arrow or down-arrow to display or hide the menus for each entry in the navigation pane. See Admin Server Settings.
Refresh Page Icon
Editing or Viewing Table Elements
To make changes to an element in a table or on a page, click the name of the element. For example, to view or make changes to an administrator, a server, a rule, or a Policy Route, click its name. To view message details for a message in a Quarantine folder, click the message.
Selecting Items in a Table on a Page
If you want to select all of the items in a table displayed on a page, select the all check box. There are two all check boxes: one is labeled All, and the other one is not labeled.
Click this check box to select all items displayed in a table or list.
Click this check box to select all of the items returned from a query, whether or not they are displayed in a table or list.
Persistent Views
When an administrator logs off from the management interface, then logs back in, his or her view from the previous session will display. For example, if an administrator was working on the System > Settings > SMTP page when the administrator logs off, this is the page that displays when the administrator logs back in to the management interface. Persistent views are stored per browser and per user.
If you are working in Basic Mode, and then switch to Advanced Mode and go to a link exposed in Advanced Mode, when you switch back to Basic Mode, the link from the Advanced Mode will appear in the Basic Mode. That is, navigation links that you view in Advanced Mode are promoted to Basic Mode.
You can enable or disable persistent views and change the persistence expiration period on the System > Settings > Admin Server page.
Managing Your Proofpoint Portal
The Proofpoint Portal allows administrators to organize their views for status, reporting, and management of a cluster of Proofpoint Protection Servers or appliances.
Administrators can customize and save unique views of information and functionality by creating a portal to the Proofpoint cluster. A portal is comprised of one or more customized workspaces. Each workspace is comprised of one or more pages of information. Each page contains widgets - a widget is a UI element (management interface element) that serves as a container for functionality.
For details on how to create, delete, and manage workspaces, see Creating and Managing Workspaces and Working with Pages and Widgets.
Examples:
• You are the security officer for your organization. You are only interested in the data collected by the Regulatory Compliance Module. You create a workspace on the DLP Summary > Dashboard page named Security and choose the widgets for that workspace that report on messages that are sent to the Incident Queue because they triggered rules in the Regulatory Compliance Module.
• Your responsibility as a network administrator is to monitor and manage connections to your organization, and throttle IP addresses or domains that are sending spam to your organization or attacking your network. You create a workspace on the System > Summary page named Connections and select the widgets for that workspace that are relevant to your monitoring responsibilities. The portal you create only contains the information that is important to you.
You can access your portal from System > Summary or DLP Summary > Dashboard in the navigation pane.
Creating a portal is a three-step process:
• Add pages to the workspace.
• Add widgets to each page.
There is no limit to the number of workspaces you can add to your portal.
About Workspaces
A default workspace named Default view is already included with the Proofpoint Protection Server software. The default workspace contains preconfigured pages that you can modify or delete. You can also add new pages to the default workspace.
The following pages are included with the Default view for System > Summary:
• Server Status - displays summary status information for the entire cluster and for each Proofpoint Protection Server or appliance in the cluster individually. For details about the data displayed on the Server Status page, see Server Status in "System Summary."
• Message Traffic - for each analysis module, the table displays the number of messages processed by the rules for the module. The data in the tables is aggregated for all of the Proofpoint Protection Servers in the cluster. For the Quarantine, the table displays the number of messages sent to the Quarantine because they triggered rules in the filtering modules. The data is aggregated for all of the systems in a cluster and summed for different time periods. For details about the data displayed on the Message Traffic page, see Message Traffic in "System Summary."
• Reports - several preconfigured reports appear on this page. You can add more report widgets, delete report widgets, or re-arrange the reports.
• News - several preconfigured news articles and RSS (Really Simple Syndication) feeds appear on this page. You can add more news widgets, delete news widgets, and re-arrange the news articles on this page.
The default DLP Dashboard view (DLP Summary > Dashboard) contains reports for Top Regulation Senders, Regulation Rule Trends, the Compliance Incident Manager, and trends for Proofpoint Encryption.
About Widgets
Widgets are the management interface (UI) elements that serve as containers for functionality. The Proofpoint Protection Server software includes a menu of widgets. When you select a widget in the menu a description or graphic describes the functionality for that widget.
Editing, Updating and Deleting Widgets
Each widget on a page has a title bar. If you place the mouse pointer over the title bar, the following icons appear:
• Pad and pencil - displays an edit screen with the following choices (choices vary between widgets).
Cache. Enables or disables the internet cache. If enabled, the graph for the data is cached for one hour. If disabled, the graph is redrawn on the next Refresh.
Period. Select a time period for which you want collected data to be graphed.
Refresh. Select a time period for the data in the widget to be automatically refreshed.
Image Size. Select large or small icons for the widget.
Chart. Displays a list of available reports.
Chapter 2 - Evaluation
Start Filtering Email
This page is your starting point for filtering email to see how the Proofpoint Messaging Security Gateway (appliance) catches and quarantines spam and messages containing a virus.
You have these choices for getting email into the appliance:
• You can inject sample email provided by Proofpoint into the appliance. This is the fastest way to see messages in the Quarantine, and after an hour or so, you can view graphs and reports describing data collected from the Quarantine. To use this method, click the Filter sample email collection icon.
• You can inject a corpus of email messages that you collected into the appliance. To use this method, you must first create a zip archive that contains a collection of email messages in RFC 822 format. Click the Upload and filter your email icon if you want to use this choice.
• You can set up email forwarding directly from your personal POP account to the appliance for filtering. All email messages directed to your POP account (for example, [email protected], or [email protected]) are forwarded to the appliance, filtered, and then delivered to the email address that you specify for forwarded email. Click the Filter email from any POP account icon to use this method.
Filter Sample Email
Use this page to inject sample email provided by Proofpoint into the appliance.
Enter your email address into the Recipient Email Address field, and click the Start icon. Your email address will be added to the User Repository and you will receive a sample User Digest. The Digest lists the messages addressed to you that have been quarantined because they are spam or contain a virus.
When the message injection process finishes, click the View the Quarantine icon to go directly to the Quarantine to see your quarantined messages.
Note: You need to wait at least one hour before you can create reports.
Be sure to check your email account for a Digest sent to you by the appliance. The Digest contains a list of messages that are addressed to you and are stored in the Quarantine. (The Digest is sent to the email account that you entered into the Recipient Address field.)
Filter Your Email
Use this page to inject your own corpus of email messages into the appliance. Create a zip archive that contains a collection of email messages in RFC 822 format.
Before you create the zip archive, you should clean up the email headers in the corpus. For example, if the messages are addressed to no legitimate recipients, or to multiple recipients, that information is stored in the Quarantine along with the message. If you release a message from the Quarantine, or send Digests to all recipients who have messages in the Quarantine, you can potentially generate countless email bounces.
1. Enter a new email address for the recipient for the filtered email in your corpus. This is an optional but recommended step. For example, if you enter your email address into the Recipient email address (optional) field, the messages injected into the Quarantine from your corpus will be addressed to you, and will show up in your Digest.
2. Enter the directory path and filename for your zip archive into the Filename field, or use the Browse button to locate it.
3. Click the Start icon to begin injecting the messages.
When the message injection process finishes, click the View the Quarantine icon to go directly to the Quarantine to see your quarantined messages.
Be sure to check your email account for a Digest, sent to you by the appliance. The Digest contains a list of messages that are addressed to you. The Digest is sent to the email account that you entered into the Recipient email address (optional) field.
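The header cleanup recommended before creating the zip archive can be scripted. The following is an added example, not Proofpoint code: it replaces every recipient header in each RFC 822 message with a single evaluation address, skips files that have no header block, and builds the zip archive in memory. The list of recipient headers, the file names, the sample messages, and the address eval-mailbox@example.com are assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes
from email.generator import BytesGenerator
from email.policy import compat32
from email.utils import getaddresses

# Assumption: the headers treated as recipient headers in this example.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc")

# Constructed sample corpus (file name -> raw message bytes).
SAMPLE_CORPUS = {
    "msg1.eml": (b"From: sender@example.net\r\n"
                 b"To: alice@example.org, bob@example.org\r\n"
                 b"Cc: list@example.org\r\n"
                 b"Subject: constructed sample 1\r\n"
                 b"\r\n"
                 b"Body line\r\n"),
    "msg2.eml": (b"From: other@example.net\r\n"
                 b"Subject: constructed sample with no recipient header\r\n"
                 b"\r\n"
                 b"From here on the body is unchanged\r\n"),
    "notes.txt": b"not an email message\r\n",
}


def rewrite_recipients(raw, recipient):
    """Return the message with all recipient headers replaced by one To: header.

    Returns None when the input has no header block (not an RFC 822 message).
    """
    # compat32 keeps unusual or malformed headers as they are in the corpus.
    msg = message_from_bytes(raw, policy=compat32)
    if not msg.keys():
        return None
    for name in RECIPIENT_HEADERS:
        del msg[name]  # removes every occurrence; no error if absent
    msg["To"] = recipient
    out = io.BytesIO()
    # maxheaderlen=0: do not re-wrap long headers.
    # mangle_from_=False: leave body lines that start with "From " alone.
    BytesGenerator(out, mangle_from_=False, maxheaderlen=0).flatten(msg)
    return out.getvalue()


def build_corpus_zip(messages, recipient):
    """Zip the rewritten messages; return (zip_bytes, skipped_file_names)."""
    buf = io.BytesIO()
    skipped = []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, raw in sorted(messages.items()):
            cleaned = rewrite_recipients(raw, recipient)
            if cleaned is None:
                skipped.append(name)
                continue
            archive.writestr(name, cleaned)
    return buf.getvalue(), skipped


def recipients_in_zip(zip_bytes):
    """Pre-upload check: map each archived file to its recipient addresses."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            msg = message_from_bytes(archive.read(name), policy=compat32)
            values = []
            for header in RECIPIENT_HEADERS:
                values.extend(msg.get_all(header, []))
            result[name] = sorted({addr for _, addr in getaddresses(values)})
    return result


if __name__ == "__main__":
    data, skipped = build_corpus_zip(SAMPLE_CORPUS, "eval-mailbox@example.com")
    print("skipped:", skipped)
    for name, addrs in recipients_in_zip(data).items():
        print(name, addrs)
```

Run recipients_in_zip on the finished archive before uploading it; any address other than the evaluation mailbox means a message would still be quarantined for, and reported in a Digest to, someone outside the evaluation.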
Filter Email from a POP Account
Use this page to set up email forwarding directly from your personal POP account to the appliance for filtering. All email messages directed to your personal POP account (for example, [email protected], or [email protected]) are forwarded to the appliance first, filtered, and then delivered to the email address that you specify for forwarded email.
Note: Some ISPs charge a fee for email forwarding.
You need the following information:
• The name of the mail server for your POP account.
• The user name and password for your POP account.
• Some POP accounts require the port number.
• Some POP servers require SSH for communication.
• A new address to which forwarded email messages will be sent.
To set up email forwarding from a POP account:
1. Fill in the fields according to the information you gathered above about your POP account and ISP.
2. Click Verify POP Settings to check if the appliance can connect to your POP account.
3. Enter a new email address into the Forward email address field. This address should not be the same as your POP account email address.
4. Click the Start icon to configure the POP forwarder.
You can create more than one email forwarding profile. For example, if you have several different POP accounts, you can create a forwarding profile for each one.
Check the Quarantine for messages that were forwarded and filtered by the appliance by clicking Quarantine > Messages in the navigation pane.
Note: You need to wait at least one hour before you can create reports.
Be sure to check your email account for a Digest, sent to you by the appliance. The Digest contains a list of messages that are addressed to you. (The Digest is sent to the email account that you entered into the Forward email address field.)
Disabling Email Forwarding from a POP Account
If you have more than one email forwarding profile, you can disable all of them at once. Follow these steps:
1. Log in to the appliance.
2. Click the Users link under Groups and Users in the navigation pane.
3. In the User List, click the entry for your email address to see the Attributes pop-up window. Or select the check box for your account in the User List and click Attributes.
4. Click the Attributes tab in the Attributes pop-up window.
5. Select No for the Enable Forwarder attribute.
6. Click Save Changes.
Follow these steps to disable email forwarding from a specific POP account:
1. Log in to the appliance.
2. Click the Users link under Groups and Users in the navigation pane.
3. In the User List, click the entry for your email address, or select the check box for your account and click Attributes.
6. Click the Off radio button for the Enable parameter.
7. Click Save Changes.
If several users in your organization have email forwarding profiles, you can disable all of the profiles at once by changing a Global attribute. Follow these steps:
1. Log in to the appliance, and be sure you are in the Advanced mode so you see all of the links in the navigation pane.
2. Click Global under Groups and Users in the navigation pane.
Chapter 3 - Appliance
Network Interface Settings
After you log in, the data you entered during the initial setup appears on the Appliance > Network > Interface page. If necessary, you can change the appliance network interface settings.
Providing or Changing Network Interface Settings for the Appliance
To enter network interface data for the appliance:
1. If you have a cluster, select the server for which you want to enter or change network data from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. Enter or modify the following parameters for your network:
• Hostname - the name you entered during the initial setup appears. For example, proofpointappliance.
Important: To change the hostname of a master Proofpoint Protection Server or an agent in a cluster, see Changing Hostnames for Masters and Agents in this topic.
• Domain Name - the name you entered during the initial setup appears. If necessary, enter a different domain name. Enter a Fully Qualified Domain Name (FQDN). For example, example.com. (Do not enter an IP address or hostname.)
• DNS Settings - Primary Name Server, Secondary Name Server, Tertiary Name Server. By default the IPv4 address for the public Primary Name Server appears or the address or addresses you entered during the initial setup. The secondary and tertiary name servers are optional. Change or add addresses as necessary. (Use IPv4 addresses; do not use domain names or IPv6 addresses.)
Depending upon how your network is set up, the DNS servers may not recognize the IP addresses or hostnames of the Proofpoint Protection Servers on your network. In this case, you will want to add the IP address and hostname or hostnames of each Proofpoint Protection Server to the Hostname Override text box. The data that you enter in the Hostname Override text box populates the /etc/hosts file on the appliance.
Enter the IP address first, and then a blank space followed by the hostname or hostnames for each Proofpoint Protection server. Entering a fully-qualified domain name (FQDN) is preferable, but the system will accept IP addresses and hostnames.
For example:
10.10.10.10 pps1 proofpointmaster
10.10.10.02 pps2 proofpoint2 proofpointagent
10.10.10.03 proofpoint3.proofpoint.com
You must enter an IP address and at least one hostname for each Proofpoint Protection Server.
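Because the Hostname Override text populates /etc/hosts, a malformed or conflicting line changes how the master and agents resolve each other. The following is an added example, not Proofpoint code and not the validation the appliance itself performs: it checks override text for the rules stated above (IP address first, at least one hostname) and for three further conditions that are assumptions of this example: a hostname claimed by two addresses, an IP address in a hostname position (two entries fused on one line), and octets written with a leading zero. The sample text is constructed from the addresses in the example above.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
IPV4_SHAPE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$", re.ASCII)

# Constructed sample: line 2 fuses two entries, line 3 has no hostname,
# line 4 reuses a hostname that line 1 already assigned.
SAMPLE = (
    "10.10.10.10 pps1 proofpointmaster\n"
    "10.10.10.02 pps2 proofpoint2 proofpointagent 10.10.10.03 proofpoint3.proofpoint.com\n"
    "10.10.10.4\n"
    "10.10.10.5 pps1\n"
)


def parse_ip(text):
    """Return (address or None, note or None) for one whitespace-separated field."""
    note = None
    if IPV4_SHAPE.match(text):
        octets = text.split(".")
        if any(len(o) > 1 and o[0] == "0" for o in octets):
            # Parsers disagree on such octets: decimal, octal, or rejected.
            note = "leading zero in an octet; write the octet without it"
        text = ".".join(str(int(o)) for o in octets)  # read as decimal here
    try:
        return ipaddress.ip_address(text), note
    except ValueError:
        return None, None


def check_hostname_override(text):
    """Return (entries, findings) for Hostname Override text.

    entries  -- list of (ip string, [accepted hostnames])
    findings -- list of (line number, message)
    """
    entries, findings = [], []
    owner = {}  # lower-cased hostname -> address that first claimed it
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        ip, note = parse_ip(fields[0])
        if ip is None:
            findings.append((lineno, f"first field {fields[0]!r} is not an IP address"))
            continue
        if note:
            findings.append((lineno, note))
        if len(fields) == 1:
            findings.append((lineno, "no hostname after the IP address"))
            continue
        accepted = []
        for name in fields[1:]:
            if parse_ip(name)[0] is not None:
                findings.append((lineno, f"{name!r} is an IP address in a hostname "
                                         "position; two entries on one line?"))
            elif len(name) > 253 or not HOSTNAME_RE.match(name):
                findings.append((lineno, f"{name!r} is not a valid hostname"))
            elif owner.setdefault(name.lower(), ip) != ip:
                findings.append((lineno, f"{name!r} already maps to {owner[name.lower()]}"))
            else:
                accepted.append(name)
        entries.append((str(ip), accepted))
    return entries, findings


if __name__ == "__main__":
    for lineno, message in check_hostname_override(SAMPLE)[1]:
        print(f"line {lineno}: {message}")
```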
Configuring Appliance Network Interfaces
If you choose to bind Network 2 to Network 1, Network 2 will adopt the IPv4 address and netmask address of Network 1. Binding provides active-standby. Should Network 1 fail, Network 2 will take over operations. Both network interfaces need to be connected to the same subnet if you select binding for Network 2.
You also need to decide whether or not to use negotiation for each network interface. If you do not use auto-negotiation, enter your own parameters for speed and duplex. If you select binding for Network 2, it will not adopt the auto-negotiation selections made for Network 1; auto-negotiation selections are independent.
To configure each network interface for the appliance:
1. Enter the IPv4 address you want to assign to the network interface in the IPv4 Address field. (Use an IPv4 address; do not use a domain name.)
2. Enter the accompanying netmask address you want to assign to the network interface in the Netmask field. (Use an IP address; do not use a domain name.)
3. For each Network Interface that appears on the Appliance > Network > Interface page, you have the option to select Manual Configuration for the Ethernet Interface parameter. If you select Manual Configuration, enter your own parameters for Speed and Duplex. However, Proofpoint strongly recommends that you leave Auto-Negotiation selected, unless you have specific network requirements.
4. To add IPv6 addresses to the network interface, enter each one into the IPv6 Address field and use the arrow buttons to populate the list. The Prefix variable is a decimal value that indicates the number of contiguous, higher-order bits of the addresses that make up the network portion of the address.
5. Click Save Changes.
The Link Status for each Network Interface will display Detected or Not Detected to indicate whether or not the network interfaces are connected correctly. Verify the Ethernet cables are properly connected to the ports on the appliance and to the network switch or hub.
The gateway address you entered during the initial setup appears in the Default Gateway field. Enter a new address if necessary. (Use an IP address; do not use a domain name.)
Configuring Static Routing for the Network Interfaces
To ensure connectivity for the appliance, configure the static network routes for each network interface on the appliance.
To configure routing for the appliance network interfaces:
Enter data for the IPv4 address, netmask, and gateway, and select the network interface for each of the routing parameters, before adding them to the Routing List. Then save your changes.
Click the right-arrow (>>) button to add all the data for a specific network interface to the Routing List at the same time.
Important: Be sure to enter the correct information when configuring static routes for the appliance. Also ensure that you do not enter information for a network interface that uses binding. Entering incorrect information can result in a lost connection.
IPv6 Network Routes
For every IPv6 address you add to the network interface, the network portion of the address displays in the IPv6 Routes box. The appliance listens to IPv6 router advertisements and displays them here. The "default via" address is the IPv6 gateway address discovered through an IPv6 router advertisement.
Changing Hostnames for Masters and Agents
Before changing the hostname for a master in a cluster, you must first delete all of the agents. See Adding and