WatchGuard XCS v9.0 Installation Guide


WatchGuard® XCS
Extensible Content Security v9.0 Installation Guide

WatchGuard XCS 170, 370, 570, 770, 970, 1170

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Part Number: 275-3729-001

Document Version: 1.1

Revised: 11/25/09

Copyright, Trademark, and Patent Information

Copyright © 2009 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online: http://www.watchguard.com/help/documentation/

This product is for indoor use only.

ABOUT WATCHGUARD

Since 1996, WatchGuard has been building award-winning unified threat management (UTM) network security solutions that combine firewall, VPN and security services to protect networks and the businesses they power. We recently launched the next generation: extensible threat management (XTM) solutions featuring reliable, all-in-one security, scaled and priced to meet the unique security needs of enterprises of every size. Our products are backed by 15,000 partners representing WatchGuard in 120 countries. More than half a million signature-red WatchGuard security appliances have already been deployed worldwide in industries including retail, education, and healthcare. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America.

For more information, please call 206.613.6600 or visit www.watchguard.com.

ADDRESS

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

SUPPORT

www.watchguard.com/support

U.S. and Canada +877.232.3531

All Other Countries +1.206.521.3575

SALES

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.613.0895


Table of Contents

Chapter 1 Getting Started .......................................................................................................................... 1

Before you begin.................................................................................................................................................... 1

Verify basic components................................................................................................................................ 1

Hardware installation ...................................................................................................................................... 1

Physical location........................................................................................................................................... 1

Connect the monitor and keyboard...................................................................................................... 2

Connect the network interfaces ............................................................................................................. 2

Get a WatchGuard device feature key....................................................................................................... 2

WatchGuard XCS on the DMZ of a network firewall ............................................................................ 5

WatchGuard XCS on the internal network............................................................................................... 6

Network firewall configuration.................................................................................................................... 7

DNS configuration for mail routing............................................................................................................ 8

Chapter 2 Install the WatchGuard XCS ................................................................................................... 11

Install the system using the console............................................................................................................. 11

Supported web browsers............................................................................................................................. 15

Connect to the Web UI.................................................................................................................................. 15

Chapter 3 Licensing and Software Updates ........................................................................................... 19

Licensing the WatchGuard XCS ...................................................................................................................... 19

Adding a feature key to your WatchGuard XCS................................................................................... 19

Chapter 4 Configure Message Delivery .................................................................................................. 23

Configure network settings ............................................................................................................................. 23

Configure static routes ...................................................................................................................................... 25

Uploading mail routes................................................................................................................................... 26

Trust internal mail servers ................................................................................................................................ 27

Exchange 2000 and 2003 ............................................................................................................................. 28

Exchange 2007................................................................................................................................................. 29

Start messaging services................................................................................................................................... 29

Enable Anti-Virus scanning ......................................................................................................................... 30

For more information .................................................................................................................................... 30


Chapter 1 Getting Started

Before you begin

Before you begin the installation process, make sure you do the tasks described below.

Verify basic components

Make sure that you have these items:

• A computer with an Ethernet network interface card and a web browser installed

• WatchGuard XCS device

• Keyboard and monitor

• Ethernet cables

• Power cables

Hardware installation

Follow the instructions in the Hardware Setup Guide included in the shipping box to install the WatchGuard XCS device in an equipment rack.

Physical location

The WatchGuard XCS will handle all of your inbound and outbound messages. It is important that some consideration is given to its physical security to protect against unauthorized tampering that could compromise system security. WatchGuard recommends the following:

• Install the system in a secure location, preferably in a locked equipment rack or secure server room.

• Make sure that the network connections are secure, and that network hubs and switches are located within the same equipment rack or secure server room. Network patch cables should be of appropriate length, preferably as short as possible.

• If a monitor and keyboard are attached to the system for console use, connect them directly to the system so that a keystroke-logging device cannot be inserted in the keyboard connection.

• Use the Web UI from a secure location and restrict its use to trusted workstations. Never use the Web UI where the administrative session could be monitored physically or electronically.


Connect the monitor and keyboard

For the initial installation, a monitor and keyboard (USB or PS/2) are required to operate the system console.

After the initial console configuration is complete, the system can be managed remotely using the Web UI.

Connect the network interfaces

Before installation, make sure that at least one network interface is physically connected to the network. This makes it easier to confirm that you have correctly identified the system on the network and to verify connectivity.

For all hardware models, it is recommended that you use the first onboard Ethernet network interface (NIC 1) on the left of the device during the installation process as the LAN-facing interface. This is the first default interface assigned by the system during the installation. After the installation is complete, you can configure an additional network interface as your external Internet-facing interface.

Get a WatchGuard device feature key

A feature key is a license that enables you to activate your purchased feature set on your WatchGuard XCS.

You must register the device serial number on the WatchGuard LiveSecurity® web site and retrieve your feature key.

To activate a serial number and obtain a feature key:

1. Open a web browser and go to https://www.watchguard.com/activate.

If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears.

2. Enter your LiveSecurity user name and password.

The Activate Products page appears.

3. Enter the serial number for the product as it appears on your hardware device, including the hyphens.

4. Click Continue.

The Choose Product to Upgrade page appears.

5. In the drop-down list, select the WatchGuard XCS device.

6. Click Activate.

The Retrieve Feature Key page appears.

7. Copy the full feature key to a text file and save it on your computer.

8. Click Finish.


Gather network addresses

Gather the following information about your networking environment before you start the installation.

Record your network information in the following table before you configure your WatchGuard device.

Hostname
The hostname assigned to the WatchGuard XCS, such as hostname in the FQDN (Fully Qualified Domain Name) hostname.example.com.

Domain Name
The domain name associated with the assigned hostname. This is typically the domain that messages are being processed for, such as example.com.

Internal IP Address
Select an IP address for the internal LAN-facing trusted network interface. This address will be used to connect remotely to the system using the Web UI.

External IP Address
Select an IP address for the external network interface. This is the WAN-facing interface that will be connected to a public network such as the Internet.

Subnet Mask
The subnet mask for the IP addresses you have chosen.

Gateway Address
The default gateway for the system. In most cases this is your network router.

Mail Domains
The mail domains the WatchGuard XCS will be processing messages for.

Internal Mail Servers
The domain name or IP address of your internal mail servers that will be receiving and sending messages via the WatchGuard XCS.

Optional Network Cards
The IP address, Subnet Mask, and Gateway Address for any additional network cards required by your choice of deployment.

DNS Servers
The addresses of your DNS (Domain Name System) name servers, including a primary and secondary server.

NTP Servers
The addresses of your NTP (Network Time Protocol) servers for time synchronization, including a primary and secondary server.

Table 1: Basic Network Settings

Setting                                Your value                 Example
Hostname                               _____________________      hostname
Domain Name                            _____________________      example.com
Internal IP Address (LAN, Trusted)     _____._____._____._____    10.0.1.10
  Subnet Mask                          _____._____._____._____    255.255.0.0
External IP Address (WAN)              _____._____._____._____    100.100.100.10
  Subnet Mask                          _____._____._____._____    255.255.0.0
Gateway Address                        _____._____._____._____    10.0.1.1
Mail Domains                           _____________________      example.com
                                       _____________________      example1.com
                                       _____________________
Internal Mail Servers                  _____._____._____._____    10.0.2.25
                                       _____._____._____._____    10.0.3.25
Optional Network Cards                 _____._____._____._____    10.0.5.10
                                       _____._____._____._____
DNS Servers                            _____._____._____._____    10.0.2.53
                                       _____._____._____._____    10.0.3.53
NTP Servers                            _____._____._____._____    10.0.2.123
                                       _____._____._____._____    10.0.3.123


WatchGuard XCS deployments

The WatchGuard XCS is designed to be situated between internal email servers and clients, and external servers on the Internet so that there are no direct connections between external and internal systems.

The WatchGuard XCS is typically installed in one of three locations:

• On the DMZ (Demilitarized Zone) of a network firewall

• In parallel with a network firewall

• Behind the existing firewall on the internal network

Messaging traffic is redirected from either the external interface of the network firewall or from the external router to the system. When the message is accepted and processed, the system initiates a connection to the internal mail servers to deliver the messages.

WatchGuard XCS on the DMZ of a network firewall

The most common deployment strategy for the WatchGuard XCS is to be situated on the DMZ of a network firewall. This type of deployment prevents any direct connections from the Internet to the internal mail servers, and makes sure the WatchGuard XCS is located on a secure network behind the firewall.


WatchGuard XCS in parallel with the firewall

Deploying the WatchGuard XCS in parallel with an existing network firewall is another secure deployment configuration. The system's own firewall security architecture reduces the exposure that comes with placing an appliance on the perimeter of a network. This parallel deployment removes messaging traffic from the network firewall and decreases its overall load. A second network interface must be configured to connect to the Internet-facing network.

WatchGuard XCS on the internal network

The WatchGuard XCS can also be deployed on the internal network. This configuration allows a direct connection from the Internet into the internal network, so the appliance and the path to it are exposed. It is a legitimate configuration when existing network resources require it, but restrict the inbound firewall rules to the messaging ports the appliance actually needs.


Additional configuration

When you have decided on a deployment strategy, the following information about your environment needs to be gathered to ensure a smooth implementation.

• Determine which ports need to be opened on the network firewall (if the system is deployed behind a firewall)

• Determine appropriate DNS settings for mail routing

• Identify changes required to the internal mail servers for routing outbound email messages via the WatchGuard XCS

Network firewall configuration

For the WatchGuard XCS to process messages when it is located behind a network firewall, the firewall must permit the connections listed below.

The following table lists the port and protocol required for each service. If you do not use a feature listed in the table, leave its port closed. Open each port only in the direction the service needs: SMTP in both directions between the WatchGuard XCS and the Internet and between the WatchGuard XCS and your internal mail servers; software, Anti-Virus and URL categorization updates, ReputationAuthority queries and statistics sharing outbound from the WatchGuard XCS to the Internet; backup, directory, authentication and syslog connections from the WatchGuard XCS to the internal servers that provide those services; and Web UI connections from trusted workstations on the internal network only.

Port    Protocol   Description
21      TCP        FTP for System Backups
22      TCP        SCP (Backup or Offload)
25      TCP        SMTP (standard port for sending and receiving of mail)
53      TCP/UDP    DNS and ReputationAuthority Queries
80      TCP        Anti-Virus Updates (also requires port 443)
80      TCP        URL Categorization Updates
80      TCP        Web Mail Access (OWA, iNotes, etc.); see port 443 for Secure WebMail access
110     TCP        POP3
123     UDP        Network Time Protocol (NTP)
143     TCP        IMAP Proxy
389     TCP        LDAP
443     TCP        WatchGuard XCS Software Updates
443     TCP        Anti-Virus Updates (also requires port 80)
443     TCP        Secure Web Mail Access
443     TCP        Web UI connections
443     TCP        ReputationAuthority Statistics Sharing
514     UDP        Syslog
636     TCP        LDAPS
993     TCP        Secure IMAP
995     TCP        Secure POP3
1812    UDP        RADIUS Server
5500    UDP        RSA SecurID ACE Server
10101   TCP        Support Access
10106   TCP        Centralized Management

DNS configuration for mail routing

DNS services are used to route mail messages from the Internet to the WatchGuard XCS. DNS configurations can be quite complex and usually depend on your specific site's networking environment.

The following changes represent the minimum required to route mail to the WatchGuard XCS:

• Add an MX (mail exchanger) record to your DNS configuration to direct incoming messages to the WatchGuard XCS:

  example.com. IN MX 0 hostname.example.com.

• Add an A record to resolve the host name to an IP address:

  hostname.example.com. IN A 10.0.1.10

• Add a PTR record so that reverse lookups succeed and messages sent from the WatchGuard XCS are not marked as suspected spam by receiving servers (the octets of the address are reversed in the in-addr.arpa name):

  10.1.0.10.in-addr.arpa. IN PTR hostname.example.com.

• During the integration phase, consider keeping a second MX record with a higher preference value (and therefore lower priority) pointed at your current mail server. If the WatchGuard XCS is taken out of service, messages will route directly to the mail server. Delete this record before you move to production: spammers deliberately deliver to backup MX hosts, and this entry lets them bypass the WatchGuard XCS entirely.

  example.com. IN MX 10 mailserver.example.com.
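A small consistency check over these records, added here as an example and not part of the WatchGuard guide: it builds the in-addr.arpa name for an address, confirms that the lowest-preference MX is the gateway and has an A record whose address reverses to the same name, and flags any other MX that would let a sender bypass the gateway. The zone is a constructed in-memory dictionary mirroring the guide's examples (with the backup MX still in place); a real check would query your authoritative name servers instead.

```python
"""Check the mail-routing records the guide describes: MX -> A -> PTR
consistency for the gateway, plus detection of a backup MX that bypasses it.

Added example, not code from the WatchGuard guide or product. ZONE is
constructed sample data standing in for real DNS.
"""

from typing import Dict, List, Tuple

# Constructed zone data: hostname.example.com is the XCS at 10.0.1.10, and
# the integration-phase backup MX (mailserver.example.com) is still present.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com.", "MX"): ["0 hostname.example.com.", "10 mailserver.example.com."],
    ("hostname.example.com.", "A"): ["10.0.1.10"],
    ("mailserver.example.com.", "A"): ["10.0.2.25"],
    ("10.1.0.10.in-addr.arpa.", "PTR"): ["hostname.example.com."],
}


def ptr_name(ipv4: str) -> str:
    """Reverse-zone owner name: 10.0.1.10 -> 10.1.0.10.in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def lookup(zone: Dict[Tuple[str, str], List[str]], name: str, rtype: str) -> List[str]:
    """Return the rdata strings for (name, type), or [] if absent."""
    return zone.get((name.lower(), rtype), [])


def parse_mx(rdata: str) -> Tuple[int, str]:
    """Split '10 mailserver.example.com.' into (10, 'mailserver.example.com.')."""
    pref, target = rdata.split(None, 1)
    return int(pref), target.lower()


def check_mail_routing(zone: Dict[Tuple[str, str], List[str]], domain: str, gateway: str) -> List[str]:
    """Return findings for the domain's mail routing; an empty list means consistent."""
    findings: List[str] = []
    domain = domain.rstrip(".").lower() + "."
    gateway = gateway.rstrip(".").lower() + "."

    mx_records = sorted(parse_mx(r) for r in lookup(zone, domain, "MX"))
    if not mx_records:
        return [f"{domain} has no MX record; inbound mail will not reach the gateway"]
    if mx_records[0][1] != gateway:
        findings.append(f"lowest-preference MX is {mx_records[0][1]}, not {gateway}")
    # Any MX other than the gateway is a route around the content filter.
    for pref, target in mx_records:
        if target != gateway:
            findings.append(f"MX {pref} {target} bypasses the gateway; remove it before production")

    addrs = lookup(zone, gateway, "A")
    if not addrs:
        findings.append(f"{gateway} has no A record")
    # Forward-confirmed reverse DNS: each A address must reverse to the gateway name.
    for addr in addrs:
        ptrs = [p.lower() for p in lookup(zone, ptr_name(addr), "PTR")]
        if gateway not in ptrs:
            findings.append(f"{addr} does not reverse to {gateway} (PTR: {ptrs or 'none'})")
    return findings


if __name__ == "__main__":
    for finding in check_mail_routing(ZONE, "example.com", "hostname.example.com"):
        print(finding)
```

Run against the constructed zone, the only finding is the backup MX; drop that record and the check passes, remove the PTR record and the reverse-DNS finding appears.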


Outbound mail routing

While DNS entries are required to route inbound messages through the WatchGuard XCS, changes are required to the existing internal mail servers to route outbound messages via the WatchGuard XCS.

After the installation is complete, all internal systems must be configured to use the WatchGuard XCS for delivery. This allows outbound message content to be processed for attachments and suspect files to prevent the spread of viruses introduced locally, and improves the spam detection capabilities of the system's Anti-Spam features.

See "Modify internal mail servers for outbound mail" on page 28 for more detailed information on integrating your internal mail servers with the WatchGuard XCS after the system is installed.

Chapter 2 Install the WatchGuard XCS

Install the system using the console

To install the system using the console:

1. Unpack the system, cables, and documentation from the shipping carton.

2. Connect the power cable to the system and a power source, preferably via a UPS (Uninterruptible Power Supply).

3. Connect a monitor and keyboard to the system.

You can use a USB or PS/2 type keyboard.

4. Connect the first onboard Ethernet network interface on the left of the device (NIC 1) to the network.

During the initial installation, only the internal LAN-facing network interface needs to be connected to be able to connect to the system via a web browser. Additional network interfaces, if required, can be configured after the installation.

5. Turn on the system.

6. The following options are displayed at startup:

• F1 Install — The Install option is used to reinstall the system to factory default settings.

• F2 System — The System option loads the existing installation. This option is chosen by default after a few seconds.


7. Press F2 System or wait for the option to be automatically selected.

8. Press Return or Enter to continue with the installation.

9. Select the disk installation type.

• Auto — Default values for disk space allocation for log file storage, message storage, backup area, and database area are used.

• Custom — Allows you to modify values for disk space allocation. To edit the default space allocation values, select Custom.

A custom partition layout may be required if you need to increase the size of the backup partition to accommodate large backups with log and reporting data.

• The hard disk will be detected and identified. Select Continue.

• Select Edit to edit the disk layout. Use the arrow keys to move between fields.

• Press Enter to apply the displayed action, such as "+ 100" or "+ 1000". The values are in megabytes. You must decrease the amount allocated to one file system before you can increase another.

• When finished, select Done, and then OK to exit the disk layout screen.

10. Select Yes to proceed with erasing the hard disks.


11. Click OK to configure a network interface.

You will use this network interface and IP address to connect to the system using a web browser when the console installation is complete. It is recommended that you configure the internal LAN interface first and use this interface to complete the installation process. Use the first onboard Ethernet connector on the left of the device (NIC 1). Additional interfaces can be configured using the network settings configuration screen when the installation is complete.

12. Select the Interface to configure, such as em0 in this example.

This is the first onboard Ethernet connector on the left of the device (NIC 1).

13. Enter the Hostname for the system, such as hostname in the fully qualified domain name hostname.example.com.

14. Enter your Domain, such as example.com.

15. Enter the IP Address for this interface, such as 10.0.1.10.

16. Enter the Subnet mask, such as 255.255.0.0.

17. Enter the Gateway (typically the router) for your network, such as 10.0.1.1.

18. Enter the IP address of your DNS Name Server, such as 10.0.2.53.

19. Select OK to continue.

20. Set the region and time zone appropriate for your location.


21. The initial configuration is complete and the system console screen is displayed.

You will see a message warning that the “Mail System is stopped!”. This message is normal because messaging services have not been started yet.

You must now connect to the system using a web browser to continue with the remainder of the installation.


Starting the Web UI Setup Wizard

For the remainder of the configuration process, you must connect to the system via the Web UI to run the Setup Wizard.

Supported web browsers

The following web browsers are supported for use at a minimum screen resolution of 1024x768:

• Internet Explorer 6 (Windows XP, Windows 2000, Windows 2003)

• Internet Explorer 7 (Windows XP, Windows 2000, Windows 2003, Windows Vista)

• Firefox 3.0 and greater (Windows, Linux, Mac)

Connect to the Web UI

To connect to the Web UI:

1. Launch a web browser on your computer and enter the IP address of the WatchGuard XCS as the URL in the location bar, such as http://10.0.1.10

The login screen is displayed.

A security certificate warning appears in the browser because the system ships with a self-signed certificate that the browser cannot verify. Before you proceed (ignoring the warning in Internet Explorer, or adding a certificate exception in Mozilla Firefox), confirm that the address shown in the warning is the one you assigned to the internal interface, and connect only from a trusted workstation on the internal network.

2. Enter the default Username and Password.

When you access the system for the first time after installation, the default settings are admin for the Username and admin for the Password.


3. Enter an Organization Name and Server Admin Email address for this system.

The server admin email address will receive all system alerts and notifications.

4. Click Complete Step 1 to continue.

5. You must change the default admin password after you log in.

It is recommended that you choose a secure password of at least 8 characters in length and include a mixture of upper and lowercase alphabetic characters, numbers, and special characters.

6. Click Complete Step 2 to continue.

7. Specify the initial level of aggressiveness for the system's Intercept Connection Control and Intercept Anti-Spam.


The following table describes the levels of aggressiveness for Intercept Connection Control.

The Intercept Connection Control checks are:

• Reject on unknown sender domain
• Reject on missing sender MX
• Reject on non-FQDN sender
• Reject on unauthorized pipelining
• Reject on missing addresses
• Reject on missing reverse DNS
• Reject on ReputationAuthority Reputation
• Reject on infection (ReputationAuthority)
• Reject connections from dial-ups (ReputationAuthority)
• Reject on DNSBL

Each level enables three of the basic sender and connection checks (the first six above). The levels differ in their use of the reputation-based checks:

Check                                                  Lenient   Standard              Aggressive
Reject on ReputationAuthority Reputation               off       on (Threshold: 99)    on (Threshold: 85)
Reject on infection (ReputationAuthority)              off       off                   on
Reject connections from dial-ups (ReputationAuthority) off       off                   on
Reject on DNSBL                                        off       on (Threshold: 2)     on (Threshold: 1)

The lower thresholds at the Aggressive level reject more connections. Individual checks can be adjusted after installation.

The following table describes the levels of aggressiveness for Intercept Anti-Spam:

Intercept Option        Lenient                  Standard                 Aggressive
Certainly Spam          Modify Subject Header    Reject                   Reject
Probably Spam           Modify Subject Header    Modify Subject Header    Modify Subject Header
Maybe Spam              Just Log                 Just Log                 Modify Subject Header
Decision Strategy       Heuristic 1              Heuristic 1              Heuristic 2

The detection methods that feed the decision are Spam Words, Mail Anomalies, DNS/URL Block List, ReputationAuthority, Token Analysis, SPF, and DomainKeys. Lenient enables three of these seven methods, Standard enables most of them, and Aggressive enables all seven.
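A small policy evaluator, added here as an example and not code from the WatchGuard appliance, shows how the Standard and Aggressive Intercept Connection Control thresholds (ReputationAuthority 99/85, DNSBL 2/1) change the outcome for the same connecting client. DNS, reputation and block-list data are constructed dictionaries; the assumption that a reputation score at or above the threshold is rejected, and that the DNSBL threshold counts the block lists naming the client, is made for this example and is not documented XCS behaviour.

```python
"""Evaluate Intercept Connection Control style checks against a connecting
SMTP client at the Standard and Aggressive thresholds from the table.

Added example, not code from the WatchGuard appliance. All lookup data is
constructed; the threshold semantics are an assumption made for the example.
"""

from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed lookup data standing in for DNS, ReputationAuthority and DNSBLs.
KNOWN_DOMAINS: Set[str] = {"example.com", "partner.example"}          # domains with MX/A records
PTR: Dict[str, str] = {"203.0.113.7": "mta.partner.example"}        # reverse DNS entries
REPUTATION: Dict[str, int] = {"203.0.113.7": 12, "198.51.100.9": 90}  # assumed: 0 good .. 100 bad
DNSBL_HITS: Dict[str, int] = {"198.51.100.9": 1}                      # block lists naming the client


@dataclass
class Policy:
    name: str
    reputation_threshold: int   # assumption: reject when score >= this
    dnsbl_threshold: int        # assumption: reject when listed on >= this many lists


STANDARD = Policy("Standard", reputation_threshold=99, dnsbl_threshold=2)
AGGRESSIVE = Policy("Aggressive", reputation_threshold=85, dnsbl_threshold=1)


@dataclass
class Connection:
    client_ip: str
    mail_from: str                      # envelope sender; "" is the null sender
    pipelined_before_ehlo: bool = False # commands sent before the server allowed pipelining


def sender_domain(mail_from: str) -> str:
    """Domain part of an envelope sender, lower-cased; '' if there is none."""
    return mail_from.rsplit("@", 1)[1].lower() if "@" in mail_from else ""


def evaluate(conn: Connection, policy: Policy) -> List[str]:
    """Return the reasons the connection would be rejected; [] means accepted."""
    reasons: List[str] = []
    domain = sender_domain(conn.mail_from)
    if conn.mail_from:  # the null sender is legitimate for bounces, so skip domain checks
        if "." not in domain:
            reasons.append("non-FQDN sender")
        elif domain not in KNOWN_DOMAINS:   # stands in for the MX/A lookup on the sender domain
            reasons.append("unknown sender domain")
    if conn.pipelined_before_ehlo:
        reasons.append("unauthorized pipelining")
    if conn.client_ip not in PTR:
        reasons.append("missing reverse DNS")
    if REPUTATION.get(conn.client_ip, 0) >= policy.reputation_threshold:
        reasons.append(f"ReputationAuthority score >= {policy.reputation_threshold}")
    if DNSBL_HITS.get(conn.client_ip, 0) >= policy.dnsbl_threshold:
        reasons.append(f"listed on >= {policy.dnsbl_threshold} DNSBL(s)")
    return reasons


if __name__ == "__main__":
    client = Connection("198.51.100.9", "bob@example.com")
    for policy in (STANDARD, AGGRESSIVE):
        print(policy.name, evaluate(client, policy))
```

The client at 198.51.100.9 (score 90, listed on one block list, no PTR) is rejected under both levels for the missing reverse DNS, but only Aggressive also trips the reputation and DNSBL checks, which is the practical difference between the two thresholds.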

8. Click Complete Step 3 to continue.

9. Click Done to complete the installation.

You must license your system and configure your basic message delivery settings, as detailed in the following sections, before you start the messaging system.

Chapter 3 Licensing and Software Updates

Licensing the WatchGuard XCS

A feature key is a license that enables you to activate your purchased feature set on your WatchGuard XCS.

You must register the device serial number on the WatchGuard LiveSecurity® web site and retrieve your feature key before adding it to the WatchGuard XCS.

If you have not yet obtained a feature key, see “Get a WatchGuard device feature key” on page 2.

Adding a feature key to your WatchGuard XCS

To add a new feature key:

1. Select Administration > System > Feature Key.

The Licensing page appears.


2. Click Update.

The Update Feature Key page appears.

3. Copy the text of the feature key file and paste it in the text box.

4. Click Update Key.

The Feature Key page reappears with the new feature key information.


Enable Security Connection

The Security Connection is a service that polls WatchGuard’s support servers for new updates, security alerts, and Anti-Spam database updates. When new information and updates are received, a notification can be sent to the administrator.

WatchGuard recommends that you enable Security Connection to make sure you automatically receive notifications for the latest software updates. Security Connection should be run immediately after the initial installation of the product.

For security purposes, all Security Connection files are encrypted and carry an MD5-based digital signature that is verified after the file is decrypted. MD5 is no longer considered collision-resistant, so treat this signature as protection against corruption and casual tampering rather than as a strong integrity guarantee, and obtain software updates only through Security Connection or the WatchGuard support site.

To enable and configure Security Connection:

1. Select Administration > Software Updates > Security Connection.

2. Select the Enabled option.

3. Specify the Frequency for how often to run the Security Connection service.

Choices are daily, weekly, and monthly.

4. Enable the Auto Download option to allow software updates to be downloaded automatically.

These updates will NOT be automatically installed. They must be installed manually via Software Updates.

5. Enable the Display Alerts option to display any Security Connection alert messages on the system console.

6. Enable the Send Email option to send an email to the address specified in the Send Emails To field.

7. In the Send Emails To field, enter an email address to receive notifications.

8. Click Apply.

9. Click the Connect Now button to run Security Connection immediately and check for new software updates.


Install software updates

To make sure your system software is up to date with the latest patches and upgrades, you must install any updates released for your version of software. The Security Connection, if enabled, will download any required software updates automatically.

To install software updates:

1. Select Administration > Software Updates > Updates.

The Software Updates screen shows updates that are Available Updates (loaded onto the system, but not applied) and Installed Updates (applied and active). You can install an available update, or delete a previously installed update. Software updates downloaded from Security Connection will appear in the Available Updates section.

2. If you downloaded your software update manually:

• Click Browse.

• Navigate to the downloaded software update on your local system.

• Click Upload. The software update now appears in the Available Updates section.

3. Select the software update in the Available Updates section.

4. Click Install.

After applying any updates, you must restart the system.

Chapter 4 Configure Message Delivery

Configure network settings

The basic networking information to get the system up and running on the network is configured during installation time. To perform more advanced network configuration and to configure other network interfaces, you must use the network interface settings screen.

If you make any modifications to your network settings, you must reboot the system. The system will prompt you to restart after changing the configuration.

To configure network settings:

1. Select Configuration > Network > Interfaces.

The network configuration page appears.

2. The Hostname, Domain, and Gateway were configured during the initial installation and can be modified on this page.


• Enter the Hostname (not the full domain name) of the system, such as hostname in the domain name hostname.example.com.

• Enter the Domain name, such as example.com.

• Enter the IP address of the default Gateway for this system.

This is typically the external router connected to the Internet, or the network firewall's interface if the system is located on the DMZ network.

3. Enter an optional IP address or hostname for a Syslog Host server that will receive logs from this system.

A syslog host collects and stores log files from many sources.

4. Enter the address of your primary and secondary DNS Name Servers.

The primary DNS Name Server was configured during the initial installation. At least one DNS Name Server must be configured for hostname resolution, and it is recommended that secondary name servers be specified in case the primary DNS server is unavailable.

5. Leave the Enable DNS Cache and Block Reserved Reverse Lookups options enabled.

6. Enter the address of your primary and secondary NTP Servers to synchronize your system time with a reliable external time source.

NTP (Network Time Protocol) is critical for accurate timekeeping for the system. Secondary NTP servers should be specified in the event the primary NTP server is unavailable.

7. You can configure any other additional network interfaces you require.

For each network interface, you can configure the following options:


8. Enter an IP Address, such as 10.0.1.10.

9. Enter the Netmask for this interface, such as 255.255.0.0.

10. Select the Media type of the network card.

Use Auto select for automatic configuration.

11. Enable the Large MTU option that sets the MTU (Maximum Transfer Unit) to 1500 bytes.

This option can improve performance connecting to servers on the local network. The default MTU is 576 bytes.

12. Select any other options required for this interface:

• Select the Respond to Ping and ICMP Redirect option to allow ICMP ping requests to this interface.

This option allows you to perform network connectivity tests to this interface, but will cause this interface to be more susceptible to denial of service ping attacks.

• Select the Trusted Subnet option to consider all hosts on this subnet trusted for relaying and Anti-Spam processing.

This setting should only be enabled on your internal LAN-facing interface that will be accepting trusted mail.


• Select the Admin and Web User Login option to allow access to this interface for administrative purposes, such as Tiered Admin users and Web users.

This setting should only be enabled on your internal LAN-facing interface.

13. Click Apply.

The system must be rebooted to apply the network settings.

Configure static routes

Static routes are required if the messaging servers to which messages must be relayed are located on another network, such as behind an internal router, firewall, or accessed via a VPN.

To add a static route:

1. Select Configuration > Network > Static Routes.

2. Enter the Net address, such as 10.10.0.0.

3. Enter a corresponding Mask, such as 255.255.0.0.

4. Enter the Gateway, such as 10.10.0.1.

5. Click New Route.


Configure mail routing

Use the Mail Routing screen to configure domains to accept mail for and identify the destination mail servers to route the messages to.

To add and configure mail routes:

1. Select Configuration > Mail > Routing.

2. Select the Sub option to accept and relay mail for subdomains of the specified domain.

3. Enter the Domain for which mail is to be accepted, such as example.com.

4. Enter the Route-to address for the server to which mail will be delivered, such as 10.0.2.25.

This will be the address of an internal mail server.

5. Enter the Port on which to deliver mail to this server.

The default is SMTP port 25.

6. Select the MX option if you need to look up the mail routes in DNS before delivery.

If this option is not enabled, MX records will be ignored. You do not need to select this item unless you are using multiple mail server DNS entries for load balancing and failover purposes. By checking the MX record, DNS will be able to send the request to the next mail server in the list.

7. Select the KeepOpen option to make sure that each mail message to the domain will not be removed from the active queue until delivery is attempted, even if the preceding mail failed or was deferred.

This setting ensures that local mail servers receive high priority.

The KeepOpen option should only be used for domains that are usually very reliable. If the domain is unavailable, it may cause system performance problems due to excessive error conditions and deferred mail.

8. Click Add.

9. Repeat the procedure for any additional domains and mail servers.

Uploading mail routes

A list of domains can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[domain],[route],[port],[ignore_mx],[subdomains_too],[keepopen]

For example: example.com,10.0.2.25,25,on,off,off

The file (domains.csv) should be created in csv file format using a text editor. It is recommended that you download the domain file first by clicking Download File, editing it as required, and uploading it using the Upload File button.
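A validator for the upload format described above, added here as an example that is not part of the guide or the XCS product. It parses comma- or tab-separated entries in the [domain],[route],[port],[ignore_mx],[subdomains_too],[keepopen] order, rejects malformed entries with a line number and reason, and runs on a constructed sample file; the hostname pattern and the sample addresses are assumptions, not values from the guide.

```python
import ipaddress
import re

# Field order of one upload entry, as given in the guide:
# [domain],[route],[port],[ignore_mx],[subdomains_too],[keepopen]
FIELDS = ("domain", "route", "port", "ignore_mx", "subdomains_too", "keepopen")
FLAGS = FIELDS[3:]
# Assumed hostname syntax: dotted labels ending in an alphabetic top-level label.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_mail_routes(text):
    """Return (routes, errors): typed dicts for valid entries, 'line N: reason' otherwise."""
    routes, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # Entries may be comma or tab separated; a tab anywhere selects tab mode.
        parts = [p.strip() for p in line.split("\t" if "\t" in line else ",")]
        if len(parts) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
            continue
        rec = dict(zip(FIELDS, parts))
        problems = []
        if not HOSTNAME_RE.match(rec["domain"]):
            problems.append("domain is not a valid hostname")
        try:
            ipaddress.IPv4Address(rec["route"])  # route may be a dotted-quad address ...
        except ValueError:
            if not HOSTNAME_RE.match(rec["route"]):  # ... or a hostname
                problems.append("route is neither an IPv4 address nor a hostname")
        if not rec["port"].isdigit() or not 1 <= int(rec["port"]) <= 65535:
            problems.append("port must be 1-65535")
        problems += [f"{f} must be on/off" for f in FLAGS if rec[f].lower() not in ("on", "off")]
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        rec["port"] = int(rec["port"])
        for f in FLAGS:
            rec[f] = rec[f].lower() == "on"  # ignore_mx=on means the MX option is not selected
        routes.append(rec)
    return routes, errors


# Constructed sample (not from the guide): two valid entries, then two that must be rejected.
SAMPLE = (
    "example.com,10.0.2.25,25,on,off,off\n"
    "example.org\tmail.example.org\t2525\toff\ton\ton\n"
    "example.net,10.0.2.300,99999,yes,off,off\n"
    "example.edu,10.0.2.26,25\n"
)
```

Running the validator over a downloaded domains.csv before uploading it catches a bad port or misspelled flag that would otherwise silently produce a wrong route.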


Trust internal mail servers

To allow internal mail systems to relay mail outbound via the WatchGuard XCS, a Specific Access Pattern must be configured. A Specific Access Pattern makes sure that your mail servers and their messaging traffic are trusted and not processed for spam.

To configure a Specific Access Pattern:

1. Select Configuration > Mail > Access .

2. Click Add Pattern.

3. Enter the IP address of the internal mail server, such as 10.0.2.25.

A separate access pattern for each internal mail server must be configured.

4. Select Client Access.

5. Set the if pattern matches field to Trust.

6. Click Apply.


Modify internal mail servers for outbound mail

Changes are required to your existing internal mail servers to route outbound mail through the WatchGuard XCS. You must configure your internal mail servers to use the WatchGuard XCS’s hostname or IP address for SMTP delivery of outbound mail. The procedure depends on the type of internal mail server you are using.

Please see the instructions for your particular mail server to route outgoing mail via the WatchGuard XCS.

The following instructions are for a Microsoft® Exchange mail server.

Exchange 2000 and 2003

For Exchange 2000 and 2003 systems, use the following procedure to add the WatchGuard XCS to the outbound configuration:

1. Open Exchange System Manager.

2. Select Connectors.

3. Go to the Internet Mail SMTP Connector.

4. Select the Forward all mail through this connector to the following smart hosts: option.

5. Enter the IP address of your WatchGuard XCS system in square brackets, such as: [10.0.1.25]

To add multiple systems, separate them with commas such as: [10.0.1.25],[10.0.2.25]

6. Click OK.

Multiple Exchange server configuration

In an environment with multiple Microsoft Exchange servers (not in a clustered configuration), each system must be configured to route outbound mail via the WatchGuard XCS. This can be performed on a per-server basis using the SMTP connector configuration on each server as in the case of single Exchange server environments.

The outbound mail routing configuration can be more efficiently configured by adding an SMTP Connector to the Exchange Routing Groups configuration rather than the Servers configuration item. This Routing Group configuration applies to all your Exchange servers.

To configure the SMTP Connector in a Routing group of Exchange Servers:

1. Open the Exchange System Manager.

2. Select Routing Groups.

3. Select the First Routing Group.

4. Select Add.

5. Select SMTP Connector.

6. Enter a name for the SMTP Connector, such as XCSConnector.

7. Select the Forward all mail through this connector to the following smart hosts: option.

8. Enter the IP address of your WatchGuard XCS system in square brackets, such as: [10.0.1.25]

To add multiple systems, separate them with commas such as: [10.0.1.25],[10.0.2.25]

9. Click Add in the Local bridgeheads section.

10. Add each Exchange server to the list that must send mail via the WatchGuard XCS.

Make sure you add all servers and not just the primary Bridgehead server.

11. Select the Address Space configuration tab.

12. Use the default values of Type: SMTP, Address: *, and Cost: 1.

13. Click OK to save the connector configuration.


Exchange 2007

For Exchange 2007 systems, use the following procedure to add the WatchGuard XCS to the outbound configuration:

1. Open the Exchange Management Console.

2. Expand the Organization Configuration option.

3. Select Hub Transport.

4. Select the Send Connectors tab.

5. Right-click on the existing Send Connector.

6. Select Properties.

7. Go to the Network tab.

8. Select the Route mail through the following smart hosts: option.

9. Click Add.

10. Enter the IP address of the WatchGuard XCS system to forward outbound mail to, such as: 10.0.1.25

Repeat this procedure to add the addresses of all of your WatchGuard XCS systems.

11. Click OK.

Start messaging services

When the system is configured with your required networking information and mail routes, you can start the messaging system and begin processing messages.

To start the messaging system:

1. Select Activity > Status > Status & Utility.

2. Click Start in the Messaging System Control section.

The status will switch from “Messaging System is stopped” to “Messaging System is running”.


Additional configuration

It is recommended that you enable and review the configuration for the Anti-Virus feature after the initial installation of the WatchGuard XCS. This makes sure that incoming and outgoing messages will be scanned for viruses when the system starts processing messages.

Enable Anti-Virus scanning

1. Select Security > Anti-Virus > Anti-Virus.

2. Select the Enable Kaspersky virus scanning option.

3. Select any additional options in the Treat As Virus section.

4. Select the Email Action to perform for both inbound and outbound mail.

• Just log — Log the event and take no further action.

• Reject mail — The message is rejected with notification to the sending system.

• Quarantine mail — The message is placed into the administrative quarantine area. This is the default action.

• Discard mail — The message is discarded without notification to the sending system.

5. Select the notifications you want to send when a virus is detected in a message, including the Sender, Recipient, and Administrator.

6. Customize the inbound and outbound notification text as required.

7. Click Apply.

For more information

For more information about how to configure your WatchGuard XCS:

• From the Web UI, select Support > Online Manual.

• Go to http://www.watchguard.com/help/documentation/ and download the WatchGuard XCS User Guide.
