CA Gateway Security Implementation Guide r8.1

Upload: mihail-gheorghe

Post on 28-Apr-2015

Page 1: CA Gateway Security

CA Gateway Security

Implementation Guide r8.1

This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Product are permitted to have access to such copies.

The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2008 CA. All rights reserved.

Contents

Chapter 1: Introduction
■ Distinctive Features and Functionality
– Comprehensive Protection
– Email Anti-Spam and Content Security Filtering
– Web Content Security and URL Filtering
– Spyware and Phishing Prevention
– Antivirus Protection
– Data Confidentiality Monitoring
– Malicious Mobile Code Defense
– Easy Administration
– Real-time User Self-Management
– Comprehensive Reporting
– Extensive Automated Actions and Alerts
■ Complete Content Management
– Email Content Management
– Web Content Management
■ The Purpose of This Guide
■ Related Documentation

Chapter 2: Implementation Planning
■ Security Considerations
– Establish Security Guidelines
– Incident Response Planning
– Security Level Assessment
■ Email and Email Server Considerations
– Email Delivery
– Email Traffic Direction Rules
– Domain Route List
■ Web Considerations
– DNS Considerations
– Proxy Server Chaining
■ Firewall Considerations
– Intranet-Side Installation
– Internet-Side Installation
■ Network Considerations
■ Content Filtering and Network Load
■ Authentication Method Considerations
– NTLM Basics
– NTLM Authentication and Integrated Windows Authentication
– Configure NTLM Proxy-based Authentication
– NTLM Considerations and Recommendations
■ Pre-installation
– Pre-installation Checklist
– Installation Scenarios
■ Upgrade from Previous Releases
– Upgrade Considerations

Chapter 3: Installing CA Gateway Security
■ Start the Installation
– Specify Language and User, Drive, and Location Information
– Option 1 - SMB Scenario
– Enterprise Installation Scenario
– Specify HTTP and SMTP Server Ports
– Select Email Notification
– Configure SMTP Relay Settings
– Configure Traffic Direction
– Select Web Server
– Select Database
– Specify Quarantine Expiration Settings
– Set Authentication Method
– Complete the Installation
– License and Register CA Gateway Security
– Test the Installation
■ Individual Component Installation
– Install Role-based Support
– Install the Desktop Email Option

Chapter 4: Configuring Your Implementation
■ The Manager Console
– Start the Manager Console
– Manager Console Information
– Manager Console Settings
■ Initial Filtering Settings
– Modify Local Settings
– Modify Enterprise Settings
■ SMTP Authentication
– Extended SMTP Support
– SMTP Authentication Mechanisms
– Chunking
– Transport Modes
■ Embedded IAM
– Configure Embedded IAM from the Server Configuration Utility
– Define Users in the Embedded IAM Database
– Change Users Role Group
– Change Group Action Permissions
– Remove Users from Role Groups and the EIAM Database
– Start the Embedded IAM Utility
– Specify Global Users and Global Group Settings
– Role Management Using Embedded IAM
■ CA Gateway Security Email Server Configuration Considerations
– Installation on a Dedicated Computer
– How to Configure CA Gateway Security on a Dedicated Computer
– Mail Server Installation
■ Browser Proxy Configuration
– Configure Browsers for Manual Proxies

Chapter 5: Implementation Modes
■ Phase 1 - Alert Mode
■ Phase 2 - Notification Mode
■ Phase 3 - User Self Management Mode
■ Phase 4 - Blocking Mode

Chapter 6: Troubleshooting
■ Correct an Incomplete DNS Configuration
■ Prevent Loop-back Problems
■ Manager Console or Quarantine Manager Terminates Suddenly
■ Firewall Ports Verification
■ CA Antivirus Product Conflicts with Antivirus Realtime Scanner
■ Outgoing SMTP Rules Applied to Incoming Emails
■ Unblock a Website

Appendix A: Using Microsoft SQL Server with CA Gateway Security
■ Prerequisites
■ Create the Quarantine and Reports Databases
■ Create and Associate MS SQL Users

Glossary

Index

Chapter 1: Introduction

The scope and complexity of IT security has greatly increased in recent years. Global organizations now depend heavily upon the Internet, intranets and their network infrastructures to effectively conduct business, so maintaining the security and integrity of the data shared across these environments is crucial. The proliferation and diversity of the content entering the workplace, however, is changing today's enterprise security requirements. Unfortunately, it is now easier than ever for spam, spyware, phishing attacks, viruses, and malicious mobile code to plague and potentially cause harm to an enterprise.

CA Gateway Security is the first truly multifaceted solution for enterprise security, geared to the content revolution. It is a highly scalable, business-driven, integrated solution that ties content management and security functions together to resolve and manage virtually every security issue facing an enterprise today. It addresses the increasing complexity of the content security challenge, as well as the emergence of new threats such as spyware and phishing attacks, which requires a more comprehensive security solution. CA Gateway Security builds on the strengths of CA's award-winning antivirus technology while taking content security to the next level - offering the best all-around protection for corporate networks.

CA Gateway Security provides enterprise policy-based content security filtering of Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), and File Transfer Protocol (FTP) content. CA Gateway Security helps prevent virus infections, spam, browsing of inappropriate or non-productive sites, access to spyware or phishing websites, confidentiality breaches, mobile code threats and computer resource abuse.

In the event of a policy violation, CA Gateway Security can respond automatically with a wide range of customized actions:

■ Conventional content management actions such as logging, blocking, alerting, and curing

■ Actions that work together with other applications such as CA Security Command Center and Unicenter.

■ Spam prevention actions such as quarantining, parking (to perhaps delay emailing large messages until off-peak hours), denying, user management of quarantined email and adding disclaimers to email for protection against legal liability

The integrated Log Viewer and Reporter tools provide a sophisticated level of real-time statistics analysis of email and web traffic.

Distinctive Features and Functionality

CA Gateway Security provides a rich set of tools and functionality to provide comprehensive security for your enterprise.

Comprehensive Protection

CA Gateway Security provides intelligent, customizable, policy-driven email (SMTP) and Web (HTTP, FTP) traffic scanning to meet your business needs and address virtually every content threat.

■ Integrated Management Console. Enables you to monitor all content threats, whether from email or the Web.

Email Anti-Spam and Content Security Filtering

CA Gateway Security protects against unwanted, unsolicited, and inappropriate email, increasing business productivity and network bandwidth.

■ Comprehensive Email Filtering. CA Gateway Security uses a multilayered approach to differentiate between spam and valid email, providing a high spam detection rate and a low rate of email falsely identified as spam. The solution includes sender reputation, Bayesian analysis, embedded URL filtering, and malformed email detection that help protect you from unwanted email, while improving business productivity.

■ Automatic Spam Updates. To protect you against the latest threats, CA Gateway Security provides automatic spam updates.

■ Incoming and Outgoing Email Traffic Filtering. All email is scanned using the policies and rules you define to match your business requirements.

Web Content Security and URL Filtering

CA Gateway Security screens outgoing traffic and URL addresses for business-appropriate websites based on the business rules your company defines.

■ Reduced Liabilities. Policy-based URL filtering reduces the risk of legal liability should an employee visit an inappropriate website.

■ Reduced Costs. CA Gateway Security improves business productivity and increases network bandwidth by minimizing non-productive web surfing and file downloads during business hours.

Spyware and Phishing Prevention

CA Gateway Security provides an added layer of security by preventing employees from unknowingly accessing known phishing or spyware sites.

■ Reduced Risks. CA Gateway Security provides proactive protection against phishing and spyware-infested Web sites, ensuring that your confidential business information stays private and your systems run efficiently.

■ Reduced Costs. Spyware programs can clog your PCs and slow down your network, resulting in increased help desk calls. CA Gateway Security protects against spyware, enabling your IT department to focus on strategic business initiatives.

Antivirus Protection

CA Gateway Security builds on and includes CA's award-winning perimeter antivirus protection.

■ Reduced Costs. CA Gateway Security scans for viruses at the gateway before they can enter your network and cause costly damage and downtime.

■ Easy Administration. Automated signature downloads for the gateway complement your existing desktop antivirus protection and provide another layer of security.

Data Confidentiality Monitoring

CA Gateway Security screens outgoing email according to your policies and rules in order to help prevent loss of confidential data.

■ Reduced Information Leaks. CA Gateway Security helps safeguard against the transmission of proprietary, controlled or company-confidential information outside your organization. In addition to email, you can filter content in Microsoft Word and Adobe PDF attachments.

■ Improved Regulatory Compliance. CA Gateway Security helps you comply with government laws and regulations, such as the Child Internet Protection Act (CIPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and California's SB 1386, which mandates that certain pieces of personal information be proactively protected from misuse or even suspected compromise.

■ Reduced Penalties and Reputation Safeguarded. CA Gateway Security helps reduce the risk of costly penalties and possible consumer lawsuits for failure to implement the necessary protections and policies. In addition, it safeguards against serious damage to your organization's reputation and profitability.

Malicious Mobile Code Defense

CA Gateway Security intelligently screens incoming traffic to proactively protect users against malicious mobile code.

■ Proactive Protection. CA Gateway Security protects against both known and unknown threats as well as a variety of active code attacks, such as those based on Java, ActiveX and VBScript, that can automatically execute when visiting certain websites or using email.

■ Easy Implementation. CA Gateway Security scans for malicious active code using predefined threat levels (low, medium and high), simplifying administration.

Easy Administration

CA Gateway Security is an integrated, comprehensive content solution that enables you to address all email and Web content threats and manage them remotely, for complete control over your content protection, enterprise-wide.

■ Easy Implementation. Implementing one integrated solution to address all email and Web content threats, instead of implementing multiple point solutions, considerably eases the workload required.

■ Flexible Deployment. CA Gateway Security is a fully integrated, yet completely modular solution, enabling you to select the right level of security to meet your organization's unique business requirements.

■ Reduces Management Overhead. CA Gateway Security provides central policy management which allows you to write a keyword policy for an email filter and to reuse it in a filter for website content.

Real-time User Self-Management

This function allows your users to access their quarantined email via a Web-based interface and add senders to their personal allow or deny lists.

■ False Positive Reduction. CA Gateway Security helps reduce the incidence of false positive matches on spam by allowing end users to manage their quarantined email.

Comprehensive Reporting

CA Gateway Security provides over 30 predefined reports on email and Web filtering activities, and custom reports can be created from them and saved.

Extensive Automated Actions and Alerts

Automated, customizable actions, such as block and quarantine, can be defined for each policy so that there is an immediate response when an object matches the policy criteria.

If you attempt to access an inappropriate website, the URL can be immediately blocked and an email can be automatically generated to the network administrator.

Complete Content Management

CA Gateway Security provides comprehensive email content management and web content management as described in the topics that follow.

Email Content Management

The SMTP Content Filtering engine includes the following features:

■ Spam prevention based on the following:

– CA Gateway Security Advanced Spam Filter

– Realtime Blackhole List (RBL) providers

– Embedded web links (URL Filtering)

■ Aggressive RBL checking, in which the engine looks for spam servers in the email header

■ Spam prevention based on regular expression string search in the email body, header, and attachments

■ Spam prevention based on an internal deny list for mail servers, relays, and email users and domains for a configurable time

■ Spam prevention based on a pre-defined spam dictionary

■ Allow lists for trusted mail servers, relays, and email users and domains for a configurable time

■ Profanity prevention

■ User self-management, enabling users to manage and control their personal quarantine folders and tune private email lists

■ An industrial-strength antivirus scanning engine with the ability to cure and strip infected attachments

■ Hoax virus detection based on a keyword regular-expression dictionary

■ Extraction of compressed attachments

■ Email logging activities and content

■ Attachment type recognition based on attachment extension or content

■ Attachment size identification with larger, smaller, between, exact settings

■ Attachment file type, ID number, and file name identification

■ Attachment keyword scan for MS Word and Adobe PDF

■ Attachment scan for binary patterns

■ Partial message detection

■ PGP and S/MIME encrypted message detection

■ Disclaimer message additions

■ Large message delay or parking until off-peak hours

■ Email quarantines

■ DoS prevention for compressed attachments and nested emails

■ A wide range of actions, including adding to a deny list or alerting by fax, pager, and email

■ Long subject or attachment detection and prevention

■ Spam detection and prevention based on LDAP to avoid the acceptance of incoming emails intended for invalid recipients and to limit the number of invalid recipients on a single SMTP session

Web Content Management

The HTTP/FTP content filtering engine and the categories URL filtering feature include the following web content filtering capabilities:

■ URL Categories detection with more than 60 predefined categories and 10 user defined categories

■ Match URL detection

■ Dynamic mobile code engine for threat prevention and digital certificate verification of signed objects

■ Industrial-strength antivirus scanning engine

■ NTLM Authentication support

■ Download logging and logging of other activities

■ File type recognition based on file extension or file content

■ Regular expression keyword search in the HTML body, title, and downloads

■ Compressed type extraction

■ File size identification with larger, smaller, between, exact settings

■ File type identification

■ File name identification

■ DoS prevention for compressed types

■ Token-based customizable notification of HTML pages upon rule violation

■ A wide range of actions including fax, pager, and email

■ Automatic detection of proxy settings (using a PAC file)

The Purpose of This Guide

This guide describes how to implement CA Gateway Security. It is designed to help you plan, install, and make post-installation configuration changes to CA Gateway Security to meet your needs.

Related Documentation

For more information, see the following related documentation:

■ The CA Gateway Security Administrator Guide provides information about maintaining CA Gateway Security in your enterprise.

■ The CA Gateway Security online help system provides useful task-related information for using CA Gateway Security.

Chapter 2: Implementation Planning

CA Gateway Security provides content security filtering for SMTP and HTTP/FTP data. CA Gateway Security also provides central management of SMTP policies, HTTP/FTP policies, and remote management of CA Gateway Security servers. Before you start planning the implementation, thoroughly review the concepts and other useful information in this chapter.

Security Considerations

Planning a CA Gateway Security installation requires a review of your organization's structure, policies and procedures, and security goals.

Establish Security Guidelines

A security policy is a living document. You will revise it as necessary due to changes in applicable laws, regulatory requirements, industry guidelines, and company practices.

The steps for establishing a security policy include:

1. Determine expectations. Clearly document your expectations for appropriate and authorized use in a concise and understandable fashion.

2. Review acceptable risks. Evaluate which assets are most important to protect and what costs are involved.

3. Study the existing infrastructure. Study your infrastructure to determine the type of policies you need in place and create an Incident Response Plan.

4. Document the procedure and the policy. Acceptable Use Policies (AUP) are one of the many basic and easily understood standardized policies that must be in effect in your organization for audit and enforcement purposes.

5. Test the procedure and the policy. After you have determined the components of your company’s security policy, you must test the policy in an Incident Response Plan. One of the most effective methods for testing a network is to violate the security policy to determine if the network is protected.

6. Secure host servers. Secure all host servers in order to secure the perimeter of your network.

7. Enforce the security policy. Enforce the security policy by clearly defining your strategy. Consider setting up a response team and determining the responsibilities of each member of the team. Also, define which members should be notified when security is breached. As a precaution, deploy technology to aid in compliance and the detection of violations. You should also create guidelines on how to act on non-compliance and/or violations.

8. Inform your staff. Create awareness of any new and existing policies for all levels of employees. Employees need to be aware of your company's Acceptable Use Policy. Security awareness is an important part of enforcing the policy.

When training employees on spam avoidance, ensure that they know the following:

■ Never reply to spam. If you reply to spam, you are validating your e-mail address to the spammer and they may pass it on to other spammers.

■ Avoid placing your e-mail address on public websites. One of the ways that spammers gather e-mail addresses is by going through message boards, chatrooms, and online directories.

■ Do not purchase any product from a spammer. Doing so supports their business and makes them profitable.

Note: Depending on your organization type, other laws may govern your business practices (such as CIPA, HIPAA, or ISO17799). Consult your legal department when creating your Acceptable Use Policy.

Incident Response Planning

An incident response plan provides your organization with detailed guidelines and escalation procedures to follow if an adverse security event or policy breach occurs.

The plan also identifies response team members and roles and establishes a chain-of-command for communication with law enforcement, the public, and the media.

You can categorize incidents according to business operation impact and/or reputation damage using these severity levels:

Low

Incident impact is minimal.

Medium

Incident significantly impacts business activity. It may, for example, delay the ability of the enterprise to perform critical functions or provide data.

High

Incident severely impacts the enterprise. It may, for example, disrupt business processes or compromise the integrity of proprietary or confidential data.

Security Level Assessment

Organizations in highly regulated industries such as the financial and healthcare fields should establish secure IT environments. In addition to security guidelines, policies, and procedures, you should also define a basic level of security for your network environment. You need to continually update this security baseline as you identify new threats or introduce new technology.

Security assessment tools allow you to determine where you are now and what steps you need to take to comply with either the regulations that govern your industry or ensure that you are in line with your guidelines and policies and procedures. Audits frequently require proof of forward progression toward protecting your environment and data.

Email and Email Server Considerations

Effectively manage and defend your network by establishing a security policy that provides parameters for legitimate email use. Afterward, use CA Gateway Security to apply and enforce your security policies.

CA recommends that CA Gateway Security and the mail server be installed on separate computers. This allows the CA Gateway Security SMTP filtering engine to review and forward all acceptable emails to the mail server without requiring any modification to the mail server configuration. For the mail server to forward inbound traffic to CA Gateway Security, you might need to modify the DNS MX records. Changes must be made to the mail server. You must also modify the mail server so that it can forward outbound traffic to CA Gateway Security.

If you are running CA Gateway Security and the mail server on the same computer, a Denial of Service (DoS) attack on the mail system may affect both external and internal mail. When CA Gateway Security and the mail server are located on the same machine, you must modify the mail server configuration so that it does not listen on the default port 25 on the TCP/IP address that CA Gateway Security is using.

Email Delivery

Email messages are routed between your organization's computers and the Internet using the Domain Name System (DNS). The DNS is a dynamic database for mapping the host name of a computer on the TCP/IP network to the computer's IP address.

To apply content filtering on outgoing email before delivering the email, configure your local mail servers to forward all outgoing email to the CA Gateway Security SMTP computer. See your mail server documentation for more information on how to do this.

MX Records Configuration for Fail-Over and Load Balancing

Each entry in the DNS table stores a relationship between MX records and host names and IP addresses. MX records are DNS entries that contain the names of the mail servers in a given domain.

You can set priorities for multiple mail servers in a domain by using MX record preference settings: the lower the number, the higher the priority. Two MX records with the same priority number share email workload equally. A server with a higher priority number is contacted only when servers with lower numbers are unavailable. This allows the administrator to build redundancy so that email can flow automatically through backup systems if primary systems are unavailable.

Configure your MX records on your local DNS server to point to the CA Gateway Security computer rather than to your local mail servers. This ensures that incoming email is first delivered to the CA Gateway Security computer and then scanned for SMTP Content Filtering before the mail is delivered to local mail servers.

MX Records and Multiple Computers

When installing multiple CA Gateway Security computers, you can create or change MX records to provide fail-over coverage and basic load balancing functionality.

For example, you can apply a high numeric MX number to a CA Gateway Security backup computer and apply low numeric MX numbers to all other CA Gateway Security computers. During normal operation, the backup computer processes a minimal amount of email, and the other computers process most of the email. When other computers are unavailable, the backup computer processes most of the email.

You can use the same concept to tune your environment for load balancing. Simply split the network traffic across several CA Gateway Security computers and use a different MX record for each computer.
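The preference rule described above can be modeled in a few lines. The following is an added example, not part of the CA documentation: the zone lines, the domain, and the host names gw1, gw2, and gw-backup are constructed placeholders, and the model covers only the preference rule (lowest number first, equal numbers shared, higher numbers used when the others are unavailable).

```python
import random
from collections import defaultdict

# Constructed zone-file lines; the domain and host names are placeholders.
SAMPLE_ZONE = """
example.com.   IN  MX  10  gw1.example.com.       ; CA Gateway Security computer
example.com.   IN  MX  10  gw2.example.com.       ; CA Gateway Security computer
example.com.   IN  MX  50  gw-backup.example.com. ; backup computer
"""


def parse_mx(zone_text):
    """Return [(preference, host)] for every 'IN MX <pref> <host>' line."""
    records = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # strip zone-file comments
        if "MX" not in fields:
            continue
        i = fields.index("MX")
        if len(fields) < i + 3:
            raise ValueError(f"incomplete MX record: {raw!r}")
        records.append((int(fields[i + 1]), fields[i + 2].rstrip(".").lower()))
    return records


def delivery_order(records, rng):
    """Hosts in the order a sender tries them: lowest preference number
    first, hosts that share a preference number in random order."""
    tiers = defaultdict(list)
    for preference, host in records:
        tiers[preference].append(host)
    order = []
    for preference in sorted(tiers):
        hosts = list(tiers[preference])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def pick_host(records, unavailable=(), rng=None):
    """First reachable host in delivery order, or None if all are down."""
    rng = rng or random.Random()
    down = {h.lower() for h in unavailable}
    for host in delivery_order(records, rng):
        if host not in down:
            return host
    return None


def simulate(records, messages, unavailable=(), seed=0):
    """Count how many of `messages` deliveries each host receives."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(messages):
        counts[pick_host(records, unavailable, rng)] += 1
    return dict(counts)


if __name__ == "__main__":
    mx = parse_mx(SAMPLE_ZONE)
    print("normal operation:", simulate(mx, 1000))
    print("gw1 and gw2 down:", simulate(
        mx, 1000, unavailable=["gw1.example.com", "gw2.example.com"]))
```

Running the simulation before changing production MX records shows which computer carries the load when a given set of gateways is offline.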

Email Traffic Direction Rules

CA Gateway Security classifies SMTP rules according to the following email traffic directions. You can find the configuration menu for this function under Manager Console, Filtering, Content Manager Rules, SMTP. The rules for email traffic direction include the following:

■ Inbound rules specify content filtering for inbound email traffic. These rules apply to email that originates outside your organization.

■ Outbound rules specify content filtering for outbound email. These rules apply to email sent from your organization to addresses outside your organization.

■ Internal checking rules apply to email sent to and from users within your organization. All email that originates from your configured subnets is processed as outgoing traffic even if the destination is internal.

Domain Route List

CA Gateway Security provides an email routing schema that distinguishes between incoming and outgoing email routing based on email address domains. This is comparable to nslookup MX logic.

For incoming and outgoing email, you can define domain-specific email servers or email servers for all domains or other domains not explicitly defined in the SMTP Relay Configuration dialog. You can define one or more email (relay) servers for each domain.

If you specify more than one relay server, CA Gateway Security processes the list in the specified order until relaying to a server succeeds.

Email Delivery

Email delivery starts by attempting to connect to email servers defined in the list. CA Gateway Security processes connection attempts in the specified order. When CA Gateway Security establishes a connection to one of the listed servers, the relay server lookup process is treated as successful and communication continues according to the SMTP protocol.

The relay list entry MX works differently: instead of connecting to a specific email server, CA Gateway Security determines the actual relay list by MX lookup and then connects to the appropriate servers.

Delivery Retry Option

Use the Retry check box in the SMTP Relay Configuration dialog to specify how to handle email that is not delivered in the first attempt.

If you enable retry, CA Gateway Security starts additional delivery attempts using TBD (to be delivered) logic. Instead of using global settings for the retry interval and number of attempts, you can specify values for each domain. Email that CA Gateway Security cannot deliver based on the retry interval and attempt settings is sent back to the sender.

If you disable retry, CA Gateway Security does not start any additional delivery attempts and immediately sends the email back to the sender. Email that CA Gateway Security cannot return to the sender is placed in the deadmail queue.

Relay Control and Open Relay Prevention

You should not use CA Gateway Security as an open relay. If CA Gateway Security is accessible from outside your organization, spammers can use it as a transport server for spam email. As a result, your organization could be put on Real-time Blackhole Lists (RBL) as a spam source.

To protect against becoming a spam transport server, define the domains to which CA Gateway Security can route incoming emails so that any incoming emails not intended for these domains are rejected. You can do this during installation or afterward. After installation, from the Manager Console, navigate to Filtering, Settings, <Engine>, SMTP Engine, Relay Servers Configuration.

You can establish open relay protection by not specifying a domain (*) entry for incoming email. The incoming domain list should contain only domains belonging to the intranet with appropriate relay servers or MX entries in the relay list.

Multiple Email Recipients

CA Gateway Security processes multiple recipient email using the following logic:

1. CA Gateway Security groups recipients by domain.

2. CA Gateway Security then sends a copy of the original email to each recipient group. In other words, each email is duplicated as necessary for further processing if recipients belong to more than one domain.

3. If CA Gateway Security cannot deliver these duplicated emails, the retry logic described in Retry or Return to Sender (see page 21) is activated.
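The relay control and multiple-recipient logic described in the two sections above can be checked against a planned route list before it is entered in the Manager Console. The following is an added example, not CA Gateway Security code: the route-list structure, the domains, the host names, and the function names are assumptions made for illustration.

```python
# Constructed incoming domain route list; domains and hosts are placeholders.
# Each domain maps to its ordered relay list. The literal entry "MX" stands
# for the relay-list entry that is resolved by MX lookup.
INCOMING_ROUTES = {
    "corp.example": ["mail1.corp.example", "mail2.corp.example"],
    "branch.example": ["MX"],
}
INTRANET_DOMAINS = {"corp.example", "branch.example"}


def audit_routes(routes, intranet_domains):
    """List the entries that would let outsiders relay through the gateway."""
    owned = {d.lower() for d in intranet_domains}
    findings = []
    for domain, relays in routes.items():
        name = domain.lower()
        if name == "*":
            findings.append("'*' entry: mail for any domain is accepted")
        elif name not in owned:
            findings.append(f"{name}: not an intranet domain")
        if not relays:
            findings.append(f"{name}: no relay server or MX entry")
    return findings


def recipient_domain(address):
    """Domain part of an address, lower-cased; reject malformed input."""
    local, sep, domain = address.strip().rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def plan_inbound(recipients, routes):
    """Group recipients by domain (one message copy per group) and reject
    recipients whose domain has no incoming route."""
    table = {d.lower(): relays for d, relays in routes.items()}
    copies, rejected = {}, []
    for rcpt in recipients:
        domain = recipient_domain(rcpt)
        relays = table.get(domain, table.get("*"))
        if relays is None:
            rejected.append(rcpt)
            continue
        group = copies.setdefault(domain, {"relays": relays, "recipients": []})
        group["recipients"].append(rcpt)
    return copies, rejected


def first_reachable(domain, relays, can_connect, resolve_mx):
    """Walk the relay list in order and return the first server that
    accepts a connection, or None so the caller can apply retry logic."""
    for entry in relays:
        candidates = resolve_mx(domain) if entry == "MX" else [entry]
        for host in candidates:
            if can_connect(host):
                return host
    return None


if __name__ == "__main__":
    print(audit_routes(INCOMING_ROUTES, INTRANET_DOMAINS))
    print(plan_inbound(["a@corp.example", "x@elsewhere.example"], INCOMING_ROUTES))
```

An empty result from audit_routes together with a rejection for every recipient outside the intranet domains is the behavior the open relay guidance asks for.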

Web Considerations

When planning your implementation, carefully consider a variety of DNS, proxy server, and firewall issues.

DNS Considerations

Good DNS security is paramount to a secure network. Use the following to address DNS-related security concerns:

Cache Poisoning

This occurs when a name server makes a recursive query and caches false/forged data for a domain name. This can result in a Denial of Service (DoS) attack. To prevent this vulnerability, modify DNS server properties by enabling the Secure cache against pollution option.

Disabling Recursive Queries

By default, a Windows DNS server performs recursive queries. However, recursion can be abused in a DoS attack that shuts down a name server and makes it inaccessible to users. A recursive query requires that the queried host attempt and exhaust all means of acquiring the information being asked of it, until the name query fails.

In contrast, an iterative query asks a server for an answer. If the server has the answer in its cache, it replies; otherwise, it provides a referral, which is the name of another server that may have the answer.

Set local DNS servers to perform iterative requests. In the Command Prompt, use the following command to disable recursion:

dnscmd <server name> /Config /NoRecursion 1
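To confirm that the setting took effect, query the server and inspect the RA (recursion available) bit in the response header. The following is an added example, not part of the CA documentation: the two sample responses are constructed header-only messages, and the ask function is meant for a DNS server that you administer.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits


def build_query(name, txid=0x1234):
    """A-record query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"invalid DNS label: {label!r}")
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_header(message):
    """Decode the fixed 12-byte DNS header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, _qd, answers, authority, _ar = struct.unpack(
        "!HHHHHH", message[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "rcode": flags & 0x000F,
        "answers": answers,
        "authority": authority,
    }


def recursion_disabled(response, txid=0x1234):
    """True when the server did not advertise recursion in its reply."""
    info = parse_header(response)
    if not info["is_response"] or info["txid"] != txid:
        raise ValueError("message is not a response to our query")
    return not info["recursion_available"]


def ask(server_ip, name, timeout=3.0):
    """Send the query to UDP port 53 and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        response, _ = sock.recvfrom(512)
    return response


# Constructed header-only responses (question and record sections omitted).
RESPONSE_RECURSION_OFF = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 13, 0)
RESPONSE_RECURSION_ON = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print("hardened server:", recursion_disabled(RESPONSE_RECURSION_OFF))
    print("default server: ", recursion_disabled(RESPONSE_RECURSION_ON))
```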

Using a Single Interface

By default, DNS listens and responds to ports on all of the configured interfaces. If a server is multihomed (multiple NICs), a security breach might occur on several IP addresses. This also increases the complexity of your access control lists on your routers and switches.

Configure the DNS server to listen to only one IP address by modifying your network interface settings according to your OS guidelines. Ensure that you are only allowing TCP/UDP port 53 traffic to and from your DNS server.

Proxy Server Chaining

CA Gateway Security is installed as a proxy server. It traps web requests before they are sent to the remote server. It also traps web content before sending it to the local end user.

If a proxy server is deployed on your network, you can chain it to the CA Gateway Security proxy server. The most common ways to chain proxies are the Upstream and Downstream proxy methods:

■ In the Upstream proxy configuration, CA Gateway Security is chained to another proxy server. This configuration uses the chained proxy as a caching server. We recommend this implementation. CA Gateway Security enforces the content filtering policies on cached or non-cached content.

■ In the Downstream proxy configuration, the Downstream proxy server is chained to the CA Gateway Security proxy server. This method is not recommended because cached objects can be sent directly to the user without having the content filtering policies applied to them. However, if you use a Downstream proxy, we recommend that you disable Downstream proxy caching.

Firewall Considerations

CA Gateway Security must communicate through the firewalls deployed on your network. The perimeter firewall typically performs a static Network Address Translation (NAT) that associates the CA Gateway Security private address with a live Internet IP address. Depending on the DNS MX method that you use, the firewall administrator may need to move the static NAT from the corporate mail system to CA Gateway Security.

You must also allow some TCP ports through the firewall to enable communication between clients and CA Gateway Security and between CA Gateway Security and its components.

■ Port 1882 is used for CA common services

■ Port 445 is used for Active Directory file sharing

Lock down these ports to the specific machines that need them. Configure firewall rules for egress filtering to prevent internal users from bypassing CA Gateway Security scanning.

Intranet-Side Installation

For optimal security, CA recommends that you install CA Gateway Security on the intranet side of your firewall according to your security policies and your network architecture as shown in the following illustration:

Internet-Side Installation

If you deploy CA Gateway Security on the Internet side of your firewall, you can configure your firewall to direct the traffic directly to CA Gateway Security, as shown in the following illustration. With this configuration, users do not need to configure their browser to use a CA Gateway Security proxy.

Important! CA does not recommend this implementation because it exposes the CA Gateway Security proxy server to external threats from the Internet.

Network Considerations

CA Gateway Security requires one network interface card (NIC) on the computer on which it is installed.

CA Gateway Security does not need to be a default gateway or a physical buffer between the external and internal network. CA Gateway Security acts as an HTTP and FTP proxy and is actually a relay server for SMTP. You can install CA Gateway Security on any computer in your organization as long as the computer can access the following:

■ DNS for MX queries

■ Company SMTP mail server

■ Internet for mail access

■ User's proxy connections

■ Antivirus signature updates and all subscription updates (for example URL filtering and dictionaries)

Note: To enable web updates, your firewall must allow an FTP connection from the CA Gateway Security computer to the Internet to obtain antivirus signature updates and an HTTPS connection from the CA Gateway Security computer to the Internet to obtain URL filtering updates.

For network connections between CA Gateway Security components, consider the following:

■ When there is firewall buffering between different components of CA Gateway Security, verify that each CA Gateway Security component has access to TCP/IP port 1882. CA Gateway Security components use this port for internal communication.

■ For CA Gateway Security components installed on different computers, make sure that all CA Gateway Security computers have a valid reverse name resolution, which is necessary for internal communication between CA Gateway Security components. This capability is used in a network configuration in which some components are installed on the DMZ and other components are installed on your local network.

Content Filtering and Network Load

You typically configure your web content and request filtering using the settings in your browser. However, when using CA Gateway Security as a proxy server, CA Gateway Security traps web requests before forwarding the requests to the remote server and traps web content before forwarding the content to the local end user.

Consider the following about content filtering and network load:

■ Determine the type of content you want to filter and estimate the network load for each protocol type.

■ The installation requests a valid mail server address and a valid email user account on the server. This account is used by the engine as a transport layer when CA Gateway Security invokes the email action.

■ Install the web content filtering engine to control web content.

■ Install the Central Reporter option to generate reports. You should also install a printer, which can be a dummy printer, on the computer for the reporter to work properly. You can then generate reports in text or HTML format. To generate reports in Microsoft Word or Excel format, install Microsoft Office.

If you are using several content filtering servers, consider the following:

■ Install Central Quarantine Manager and Central Reporter on a dedicated computer to better handle the entire organization's quarantine objects and reports.

■ The Manager Console connects to the Control Center, which lets you create Content Filtering rules and distribute them to multiple engines (local and remote). The Manager Console, through its connection to the Control Center, also shows the real-time status of each remote content filtering engine.

Authentication Method Considerations

Rule processing for specific users or user groups is part of content filtering functionality in CA Gateway Security. CA Gateway Security uses Windows NT standard NTLM (NT LAN Manager) technology. The following sections provide information that you should consider when implementing NTLM authentication.

NTLM Basics

NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.

A challenge-response mechanism consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication response).

Here is a summary of the NTLM process:

1. The client sends a Type 1 message to the server. The message contains the domain and host name and a list of features supported by the client.

2. The server responds with a Type 2 message that contains a 16-byte random number, known as a challenge.

3. The client encrypts the user's password using the server challenge; the result is known as the response. The client replies with a Type 3 message that contains the calculated response and several pieces of information about the client, including the domain name and user name.

4. The server sends the user name, server challenge, and client response to the domain controller.

The domain controller uses the same calculation to decrypt the password. If the decoded password matches the password obtained from the Security Account Manager (SAM) database, the client is authenticated.

NTLM Authentication and Integrated Windows Authentication

With Integrated Windows authentication, NTLM authentication does not initially prompt for a user name and password. Instead, Integrated Windows authentication uses the information for the user currently logged onto the client computer.

Note: If necessary, you can configure Microsoft Internet Explorer versions 4.0, 5.0, and 6.0 to initially prompt for user information. For more information, see the Internet Explorer Help.

If the authentication exchange initially fails to identify the user, the browser prompts the user for a Windows account user name and password, which it processes using Integrated Windows authentication.

The browser displays prompts until you enter a valid user name and password or close the prompt dialog.

Configure NTLM Proxy-based Authentication

When configured for NTLM Authentication, CA Gateway Security uses the NTLM authentication method and this protocol for gathering user names and their domains. CA Gateway Security associates the user names and domains to corresponding Content Filter NTLM rules for the users.

To use NTLM proxy-based authentication

1. Open the Manager Console and select Proxy Server Settings.

The Proxy Server Settings dialog appears.

2. Click Authentication.

The Authentication dialog appears.

3. Select NTLM (Integrated Windows Authentication).

4. Configure a rule that will use a network object based on NTLM. Follow these steps:

■ Select Client, Workstation User, NTLM (or ANY)

■ Click Select or manually provide a user name and domain.

For example:

Type = Any

Domain = My Domain

Name = My User Name

Note: To use an NT User token, add the NT User Name token to the rule action.

NTLM Considerations and Recommendations

Consider the following when implementing NTLM as an authentication method.

Compatibility

Only Microsoft Internet Explorer, Mozilla version 1.4 and higher, and Mozilla Firefox support NTLM.

Mixed Mode Domains

When implementing NTLM, never use mixed mode domains. Windows NT 4.x domain controllers are not aware of Windows 2000 transitive trusts and will not authenticate across transitive trusts in a mixed mode Windows 2000 domain.

Upstream Web Proxy

You cannot use CA Gateway Security proxy NTLM authentication when CA Gateway Security is chained to an upstream proxy that is configured to require integrated NTLM authentication.

Incorrect Configuration

Browser --> CA Gateway Security (with NTLM) --> Proxy (with NTLM) --> Internet

Correct Configuration

Browser --> CA Gateway Security (with an NTLM request) --> Proxy --> Internet

■ Upstream proxy NTLM authentication:

Configuration:

Browser --> CA Gateway Security --> Proxy (with an NTLM request) --> Internet

To receive the NT username from a chained upstream proxy that requires NTLM authentication (for example, euproxy.ca.com), go to Settings, select HTTP Engine, Proxy Settings, Authentication. Select Chained Proxy Authentication and select Use Chained Proxy Authentication.

Note: For a situation in which the proxy authenticates using the token described above, the NT username is not used for applying rules. It is used only for logging alerts and reporting because of an NTLM protocol limitation in which the first GET request does not contain the NT user name.

■ Per Microsoft, there is a known issue with the web browser when an Internet Security and Acceleration (ISA) Server 2000 is chained to an upstream web proxy server as described in the following configuration:

User Browser --> ISA (with NTLM authentication) --> CA Gateway Security --> Internet

If the ISA Server 2000 is chained to an upstream web proxy server, you may experience problems such as unexpected delays, incomplete pages, or random authentication warning messages when you browse the Web.

CA Gateway Security and Users on Different Domains

When end users and CA Gateway Security are logged into different Active Directory Server (ADS) domains, a trust can be created between the domains. Trusts between the domains could be established through a Point-to-Point Tunneling Protocol (PPTP) tunnel, which limits the number of ports that the firewall needs to open.

Ports that need to be opened for PPTP would be:

Client Ports: 1024-65535/TCP

Server Ports: 1723/TCP

Protocol: PPTP

You also need to enable IP Protocol 47 (GRE).

When the client sends an authentication request to CA Gateway Security, it queries its domain. Since a trust is created between both of the domains, the user is authenticated successfully. As a result, only the following four ports are kept open on the firewall:

■ 53 (DNS)

■ 1723 (PPTP)

■ 47 (GRE)

■ 135 (msrpc)

NTLM Authentication Across a Firewall

The following ports must be opened on the firewall:

■ DNS port 53

■ PPTP port 1723

■ GRE port 47

■ HTTP PROXY 8080

■ HTTP 80 (depending upon HTTP access required through the firewall)

Perform NTLM Authentication Across a Firewall Through CA Gateway Security

To perform NTLM authentication across a firewall and through CA Gateway Security, follow these steps:

1. Configure two separate Windows domain controllers (for example, inetrust1.com and inetrust2.com) on two separate servers with each server on a different network.

Note: This step depends upon the network configuration on the user's side.

2. Establish a trust relationship between these two domains and validate the domain relationships before continuing.

Note: The network configuration required determines the type of trust relationship used between the domain controllers.

3. Start Routing and Remote Access service on one of the servers.

The PPTP tunnel between the two domains configured earlier is set up.

4. Start Routing and Remote Access service on the server. This provides more security according to the user’s network configuration.

5. Switch to the other domain controller.

6. Open the Network Connections window from the Control Panel.

7. Double-click New network connection.

8. Begin creating a PPTP connection between the two domain controllers.

9. Click Next. Select the Connect to the network at my workplace radio button.

10. Click Next. Enter your organization's name or the name of a connection.

11. Click Next. Enter a domain name, host name, or the IP address of another domain controller.

12. Click Next. Finish creating the PPTP connection.

13. Right-click the newly created connection. Select Properties.

14. Select the Networking tab. Select PPTP VPN from the type of VPN drop-down list.

15. Configure other network settings according to the Routing and Remote Access service on the other domain controller.

16. Double-click the newly created connection. Enter your user name, password, and domain name, if required.

17. Click Connect. Confirm that a proper tunnel is established between the two domains. If you do not confirm this information, the trusts between the two domain controllers can be affected.

18. The PPTP connection between two domain controllers is now established.

Note: PPTP also requires the GRE port 47 to be opened on the firewall.

Pre-installation

This section provides a pre-installation checklist that you can use for guidance before installing CA Gateway Security.

CA Gateway Security provides data analysis engines and management services. The component architecture is flexible and can accommodate small and medium size businesses (SMB) or large enterprise installations. You can install all data analysis engines and management services on one server (SMB) or distribute the management services and analysis engine installations on as many servers as necessary (for example, in a large enterprise with high volumes of data).

The main components of CA Gateway Security are:

■ HTTP/FTP Content Engine: Performs analysis of Web content, FTP over the HTTP proxy, and URL filtering.

■ SMTP Content Engine: Performs analysis of SMTP content and spam filtering.

■ Control Center: The main management service that concentrates data, distributes policies, and provides connectivity between all CA Gateway Security components. Typically, there should be a single instance of the Control Center in an environment.

■ Quarantine Manager: A tool and service that manages messages that were quarantined based on SMTP Content Engine analysis. Install only a single instance of the Quarantine Manager in an environment.

■ Central Reporter: A tool and service that provides reporting over time based on data collected by the Content Engines. Install only a single instance of the Central Reporter in an environment.

■ Manager Console: The main management user interface that connects to the Control Center and allows policy and environment settings to be configured on the Content Engines. Also enables real time monitoring of Engines and Enterprise activities.

Some of these components depend on the following additional components that are installed automatically or are installed with additional manual input:

■ Embedded IAM (EIAM): A tool used by the Control Center to connect to an Active Directory, and associate logged on users to their role-based privileges.

■ iGateway: Part of the EIAM package. Used as the web server powering the Self Managed Quarantine Manager.

■ Microsoft SQL Database: A relational database required when installing Embedded IAM components or the Quarantine Manager or Reporter components in large scale environments.

Pre-installation Checklist

You should identify a scenario which is as similar as possible to your environment and install CA Gateway Security similarly according to the examples provided in this manual. It is very important that you identify all of the following environment items before installing CA Gateway Security:

■ Mail Servers

■ HTTP Proxies (if available)

■ DNS MX settings, and the process of adjusting them in your organization

■ Servers that you will use to install CA Gateway Security

■ Individual CA Gateway Security components that you will install on each server

■ Active Directory (AD) in your organization. You must have an AD for the features that use Embedded IAM (CA Gateway Security Rules, Quarantine Manager, Role Based Administration) to function properly

■ LDAP access parameters. LDAP is used through AD for email account management

■ NTLM availability. You can create HTTP rules using NTLM user/groups

■ Networking structure, including the location of the existing servers and where you will locate the CA Gateway Security Servers.

■ Microsoft SQL Server database to use for the Quarantine Manager and the Reporter.

The sections that follow address these two typical installation scenarios:

■ SMB Installation

■ Enterprise Installation

Installation Scenarios

Determine whether you are installing CA Gateway Security as a Small to Medium Business (SMB) installation or as an Enterprise installation. An SMB installation is designed to fit smaller scale installations.

SMB Installation Scenario

Use this scenario in any of the following situations:

■ Fewer than 1,000 users and you are performing mail (SMTP) and Web (HTTP/FTP) filtering

■ Fewer than 1,000 users and you are performing only Web (HTTP/FTP) filtering

■ Fewer than 10,000 users, you are performing mail (SMTP) filtering only, and you do not have a very high volume of email

Enterprise Installation Scenario

Use this scenario in any of the following situations:

■ More than 1,000 users and you are performing mail (SMTP) and Web (HTTP/FTP) filtering

■ More than 5,000 users and you are performing mail filtering for a high traffic volume

Note: Separating the Management components and Content Engines onto different machines is always recommended, even in the SMB scenario. This approach results in the best performance, though in the SMB scenario it is not mandatory.

SMB Installation Scenario

In this scenario, the following components are installed on the same computer:

■ SMTP Content Engine

■ HTTP/FTP Content Engine

■ Central Reporter

■ Quarantine Manager

■ Control Center

■ Manager Console

This computer should be a dedicated computer, but if necessary, you can install CA Gateway Security on the same computer as the company's mail server. If you do this, be sure to chain the CA Gateway Security server to the local mail server.

The following illustration shows a typical SMB installation:

Enterprise Installation Scenario

In the enterprise installation scenario, you distribute the CA Gateway Security installation across two or more servers. For example, all of the management components (the Control Center, Quarantine Manager, and the Reporter) are installed on one server and the Data Analysis engines on one or more servers. The number of servers that you use depends on the amount of traffic and the size of your organization.

The following illustration shows a typical Enterprise installation where the engine components are distributed on separate servers:

Upgrade from Previous Releases

When you upgrade from earlier releases of CA Gateway Security, use the BackupRestore utility to back up existing data from the earlier release and import this data into the current release of CA Gateway Security.

To upgrade your installation

1. Insert the CA Gateway Security installation CD into the computer on which the earlier version of CA Gateway Security is installed.

2. Navigate to \Support\BackupRestore. This folder contains 2 files:

■ BackupRestore.exe

■ BackupRestore.dll

3. Copy these files into the Bin folder in the directory in which the earlier version of CA Gateway Security is installed.

This directory should be c:\Program Files\CA\CA Gateway Security\Bin.

4. From the Windows menu bar, select Start, Run.

5. On the command line, enter BackupRestore -b to back up your existing data.

A success message appears when the backup process completes. The BackupRestore.exe utility creates a CA Gateway Security Backup folder.

Note: Alternately, if you are upgrading from CA Gateway Security r8, you can back up your database when you uninstall CA Gateway Security r8. During the uninstallation process, you are prompted to back up the database. Select Yes. This option is not available for releases earlier than CA Gateway Security r8.

6. Uninstall the earlier version of CA Gateway Security from your computer.

7. Use one of the following methods to restore and import the data backed up from earlier versions into CA Gateway Security:

During the Control Center installation

During the CA Gateway Security installation, if the installer finds data backed up from the earlier version of CA Gateway Security, you are prompted to restore this data. If you answer yes, the installer runs the BackupRestore utility to restore the data.

This restore operation should be done only on the CA Gateway Security server running the Control Center. If there are multiple CA Gateway Security computers, only the Control Center should be upgraded. CA Gateway Security distributes the restored databases later to all CA Gateway Security engines.

Manually

After the installation is complete, you can run the BackupRestore utility with the parameter -r to restore your backed up data. Confirm that the Manager Console is not running when you perform the restore. The utility is located in the Bin folder in the directory in which you installed CA Gateway Security. The utility displays a success message when the restore completes successfully.

Note: You can only restore your data on the same computer on which you performed the backup of your data from the earlier version of CA Gateway Security.

Upgrade Considerations

When upgrading your installation, consider the following:

■ The current version of CA Gateway Security contains predefined content filters for new filtering technologies such as Malformed Content for SMTP, Popup Blocking Filter for HTTP URL filtering, and others.

The BackupRestore utility restores your existing policies and makes them operational, but it does not add these new filters. To use these new capabilities, you must add the content filters that did not exist in earlier versions of CA Gateway Security.

To add these filters, after you upgrade, manually create new content filters for the filtering technology you want to use and tie these content filters to the appropriate policy filters.

Chapter 3: Installing CA Gateway Security

This section explains how to install CA Gateway Security. See Installing Individual Components Only (see page 53) for issues to be aware of when installing only individual CA Gateway Security components.

Note: If you plan to use Microsoft SQL Server as the database for the Quarantine and Reporter, you must install and configure MS-SQL Server databases before starting the CA Gateway Security installation. See Installing and Configuring Microsoft SQL Server (see page 113), and then continue with the steps described in this chapter.

Start the Installation

To begin the installation, follow these steps:

1. Log onto your computer using administrator or domain administrator privileges.

2. Insert the CA Gateway Security product CD into your CD-ROM drive.

If autorun is enabled on your computer, the installation procedure begins automatically and the product installation browser appears.

Note: If autorun is not enabled on your computer, the installation does not begin automatically. You can start the installation manually by browsing the CD's root directory and double-clicking the Launch.exe file.

The first link leads to a complete CA Gateway Security installation. When you select this option, all CA Gateway Security options appear in the next step.

The second link provides the capability to install the CA Gateway Security Netload accessories. You can use Netload, which is a utility and not a product option, to scale the installation.

3. Click Install CA Gateway Security.

The main installation page appears.

4. Select Install CA Gateway Security (full product).

CA Gateway Security provides the following installation options:

CA Gateway Security (Full Product)

This is the default installation package. Use this option for most SMB or Enterprise scenario installations. This package includes all CA Gateway Security management components and all analysis engines.

If you did not purchase the full CA Gateway Security gateway solution, or plan to use only certain analysis engines, select one of the following packages. These packages include all management components, but only one of the analysis engines.

CA Gateway Security Antivirus Gateway

Includes all management components, the Antivirus Gateway analysis engine, and mobile code defense.

CA Gateway Security Anti-Spam

Includes all management components, SMTP analysis, and Antivirus Gateway engine.

CA Gateway Security Web Filter

Includes all management components, Web URL Filtering, HTTP Filtering, and Antivirus Gateway engine.

CA Gateway Security Manager Console Viewer

Includes only the management components for product administration.

Specify Language and User, Drive, and Location Information

After you select Install CA Gateway Security (Full Gateway Product), the Choose Setup Language dialog appears. Continue the installation by following these steps:

1. Select the language for the installation and click OK.

The InstallShield Wizard starts and the CA Gateway Security Installer Welcome dialog appears.

2. Click Next.

A terms and conditions dialog appears.

3. Read the agreement, accept the terms, and click Next.

The Installation Drive dialog appears.

Note: The Installation Drive dialog suggests a drive for the installation based on available disk space. We recommend that you use this drive.

4. Click Yes to accept the default installation drive and continue or click No to specify an alternate drive.

The Choose Destination Location dialog appears.

5. Click Next to accept the default location in which to install the CA Gateway Security components or click Browse, specify a different folder, click OK, and click Next.

A workspace location dialog appears.

6. Click Next to accept the default workspace location folder in which CA Gateway Security stores data files created while CA Gateway Security is in use, or click Browse, specify a different folder, click OK, and click Next.

The Architecture page appears.

7. Click Next to continue with the installation.

The Select Components dialog appears.

8. Identify how you want to install CA Gateway Security's main components.

Note: You can choose to install these components individually at the beginning of the installation process.

You can install the components as follows:

■ SMB Installation Scenario - All components installed on one computer: In an SMB installation scenario, you install all components on the same computer. See the topic Option 1 - SMB Installation Scenario (see page 44) for information to help you continue with your SMB installation.

■ Enterprise Installation Scenario - Components distributed across several computers

In an Enterprise installation scenario, you can install components across different computers. Before proceeding, confirm which types of components you will install on the current computer - management services or data analysis engines.

See the topic Option 2 - Enterprise Installation Scenario (see page 44) for information to help you to continue with your Enterprise installation.

Note: Be sure to determine a scenario and have a clear installation plan in place before continuing.

When you have finished, click Next to continue with the installation.

Option 1 - SMB Scenario

To continue with an SMB installation scenario and install all components on the same computer, follow these steps:

1. Check the box for both the HTTP/FTP and SMTP scanning engines.

2. Check the Install Locally checkboxes for all of the management services.

3. Click Next.

4. Proceed to HTTP / SMTP Server Ports (see page 45), and continue the installation.

Enterprise Installation Scenario

Enterprise installations provide several options. You can install all of the components as many times as necessary and install as many analysis engines as you need on multiple computers. You can also install the management components (Central Reporter, Quarantine Manager, and Control Center) on separate servers.

The following example installs management services on one server and data analysis services on another server.

First Server

In this step, install all management services on the first server, 10.10.10.1.

1. Leave the HTTP/FTP and SMTP checkboxes unchecked.

2. Check the Install Locally checkboxes for all three management services.

3. Proceed to HTTP / SMTP Server Ports (see page 45), and continue the installation on the first server.

Second Server

After you finish installing on the first server, begin a new installation on the second server as follows:

1. Check the checkboxes for the HTTP/FTP and SMTP services.

2. For each of the three management services, check the Remote IP Address checkbox and type in the 10.10.10.1 IP address to point to the first server.

3. Proceed to HTTP / SMTP Server Ports (see page 45), and continue the installation on the second server.

Specify HTTP and SMTP Server Ports

Perform the following steps to finish the installation.

After you select the components to install on one or more servers, the HTTP/SMTP Server Ports dialog appears.

Use this dialog to specify the ports on which CA Gateway Security listens for the two main services, HTTP and SMTP.

1. Use the default ports provided or modify the port numbers.

2. Click Next.

Select Email Notification

After you specify HTTP / SMTP server ports, the Email Notification dialog appears.

Use this dialog to specify the SMTP server that transports email notifications and the email address to which to send the email notifications. CA Gateway Security sends notifications when rules concerning such matters as inappropriate user activity or spam detection are met.

1. Enter the SMTP server name.

2. Enter the Email Account name.

3. Click Next.

Configure SMTP Relay Settings

After you specify email notification information, the SMTP Relay Configuration dialog appears.

Configure these settings to specify incoming and outgoing email parameters. Relay configuration settings are also applied to the Quarantine Manager for notifications and report delivery.

Important! Configure these options carefully to ensure proper mail communication between CA Gateway Security and your organization's mail server. By default, CA Gateway Security provides the Any object, which indicates any domain. CA does not recommend using Any because it allows email for any domain to be relayed through CA Gateway Security. This condition exposes the CA Gateway Security server to open relay status and might overload CA Gateway Security. If you choose to use Any, CA Gateway Security displays a message warning you that this option can be a problem.

To properly configure mail routing, configure the settings for each domain in your company. Any domain not in the list is not allowed to relay email through CA Gateway Security. This is called open relay prevention.

Configure Incoming Email

To configure incoming email, follow these steps:

1. Click Add.

The New Domain dialog appears.

2. Type the name of the domain and configure the email relay servers the domain will use.

Note: You can also select to use MX as the relay method. If you use a combination of servers and MX, CA Gateway Security tries the servers in the list in order. If the first server does not respond, CA Gateway Security tries the second server, then the third.

Configure Outgoing Email

To configure outgoing email, follow these steps:

1. Click Add.

The New Domain dialog appears.

2. Type the name of the domain and configure the mail relay servers the domain will use.

Note: You can also select to use MX as the relay method. If you use a combination of servers and MX, CA Gateway Security tries the servers in the list in order. If the first server does not respond, CA Gateway Security tries the second server, then the third.

Adjust Retry Settings

You can adjust mail delivery retry settings if necessary. By default, a message expires if CA Gateway Security cannot deliver it within 24 hours.

Note: After installing and properly configuring email routing settings, you should modify the DNS MX listing to allow routing of external email to the CA Gateway Security server, rather than to your main mail server. In addition, you should configure your mail server to forward outgoing email to CA Gateway Security.

When you are finished configuring the mail relay settings, click OK.
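The relay list and fallback order described above, modelled in Python as an added example (not CA's code and not part of the original guide). The domain and server names, the `resolve_mx` stub, and the rule that an explicit domain entry takes precedence over Any are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ANY = "Any"   # the installer's default object: matches every domain
MX = "MX"     # route marker: use the recipient domain's MX records


@dataclass
class RelayDomain:
    name: str                                        # domain name, or ANY
    routes: List[str] = field(default_factory=list)  # relay servers and/or MX, in list order


def domain_of(recipient: str) -> str:
    """Lower-cased domain part of an address, without a trailing dot."""
    return recipient.rsplit("@", 1)[-1].strip().rstrip(".").lower()


class RelayPolicy:
    """One relay list (incoming or outgoing) as entered in the dialog."""

    def __init__(self, domains: List[RelayDomain]):
        self.domains: Dict[str, RelayDomain] = {d.name.lower(): d for d in domains}

    def lookup(self, recipient: str) -> Optional[RelayDomain]:
        # Assumption: an explicit entry wins; Any, if present, catches the rest.
        return self.domains.get(domain_of(recipient)) or self.domains.get(ANY.lower())

    def is_relay_allowed(self, recipient: str) -> bool:
        # A domain that is not in the list may not relay (open relay prevention).
        return self.lookup(recipient) is not None

    def next_hops(self, recipient: str, resolve_mx: Callable[[str], List[str]]) -> List[str]:
        """Servers to try, in the order they appear in the domain's list."""
        entry = self.lookup(recipient)
        if entry is None:
            return []
        hops: List[str] = []
        for route in entry.routes:
            if route == MX:
                hops.extend(resolve_mx(domain_of(recipient)))
            else:
                hops.append(route)
        return hops


def deliver(policy, recipient, resolve_mx, try_send) -> Optional[str]:
    """Try each hop in order; return the first that responds, else None."""
    for hop in policy.next_hops(recipient, resolve_mx):
        if try_send(hop):
            return hop
    return None


def audit(policy: RelayPolicy) -> List[str]:
    """Findings a reviewer would raise about a relay list."""
    findings = []
    for entry in policy.domains.values():
        if entry.name == ANY:
            findings.append("Any: mail for every domain is relayed (open relay exposure)")
        if not entry.routes:
            findings.append(f"{entry.name}: no relay server or MX configured")
    return findings


# Constructed sample data: one explicit domain versus the default Any object.
SAMPLE_MX = {"example.com": ["mx1.example.com"], "example.net": ["mx.example.net"]}


def sample_resolve_mx(domain: str) -> List[str]:
    return SAMPLE_MX.get(domain, [])


RESTRICTED = RelayPolicy(
    [RelayDomain("example.com", ["mail1.corp.example", "mail2.corp.example", MX])]
)
DEFAULT_ANY = RelayPolicy([RelayDomain(ANY, [MX])])

if __name__ == "__main__":
    for label, policy in (("restricted", RESTRICTED), ("default Any", DEFAULT_ANY)):
        for rcpt in ("user@example.com", "someone@example.net"):
            print(label, rcpt, policy.is_relay_allowed(rcpt),
                  policy.next_hops(rcpt, sample_resolve_mx))
        print(label, "audit:", audit(policy))
```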

Configure Traffic Direction

In the Traffic Direction Classification dialog, in the right pane, CA Gateway Security displays a listing of subnets found on the computer. Selecting subnets that are part of the environment handled by CA Gateway Security allows CA Gateway Security to distinguish between internal and external communications.

To configure traffic direction, follow these steps:

1. Click a subnet on the left side of the dialog, and then click Add.

CA Gateway Security adds the subnets to the list of subnets that determine traffic location.

2. Repeat step 1 for all subnets that you want to add.

3. Click Next.
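How the selected subnets could drive the inbound/outbound/internal split, as an added example that is not part of the original guide or the product's code. It assumes direction is decided by whether the source and destination addresses fall inside the selected subnets; all addresses are constructed, and `selection_drift` is a hypothetical helper that lists the flows that are mislabelled when a subnet is left out of the selection.

```python
import ipaddress
from typing import Iterable, List, Tuple


def classify(src: str, dst: str, internal_subnets: Iterable[str]) -> str:
    """Label a flow by where its endpoints sit relative to the selected subnets."""
    nets = [ipaddress.ip_network(n) for n in internal_subnets]

    def inside(addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    src_in, dst_in = inside(src), inside(dst)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "external"  # neither endpoint is in a selected subnet


def selection_drift(
    flows: Iterable[Tuple[str, str]],
    selected: Iterable[str],
    inventory: Iterable[str],
) -> List[Tuple[str, str, str, str]]:
    """Flows whose label changes because `selected` omits subnets in `inventory`.

    Each result is (src, dst, expected_label, label_with_current_selection).
    """
    selected, inventory = list(selected), list(inventory)
    drift = []
    for src, dst in flows:
        expected = classify(src, dst, inventory)
        actual = classify(src, dst, selected)
        if expected != actual:
            drift.append((src, dst, expected, actual))
    return drift


# Constructed sample: two subnets belong to the organization, only one was added.
INVENTORY = ["10.10.10.0/24", "192.168.20.0/24"]
SELECTED = ["10.10.10.0/24"]
FLOWS = [
    ("10.10.10.25", "192.168.20.8"),   # host to host inside the organization
    ("203.0.113.7", "10.10.10.1"),     # Internet host to an internal server
    ("192.168.20.8", "203.0.113.7"),   # internal host to the Internet
    ("10.10.10.25", "10.10.10.1"),     # same subnet
]

if __name__ == "__main__":
    for src, dst, expected, actual in selection_drift(FLOWS, SELECTED, INVENTORY):
        print(f"{src} -> {dst}: expected {expected}, classified {actual}")
```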

Select Web Server

After you have configured traffic direction, the Web Server Types dialog appears, allowing you to specify the web server to use for quarantine management.

Select either CA iTechnology iGateway or the Microsoft IIS Extension Plug-in.

Select Database

Select the database to use with the Quarantine and Reporter.

1. Select MS-SQL Server or MS SQL Server Express, and click Next.

Note: If you have selected this option, you are prompted to use the databases you created in the pre-installation steps.

2. The SQL Quarantine Server dialog appears.

3. Enter the following information for the Quarantine database, and click Next:

Server

Enter the name of the machine on which the SQL Server resides. Alternatively, you can use the browse option to view all available SQL Servers. When SQL resides on the same machine on which you are installing CA Gateway Security, select (local).

Username

Enter the database user name you have configured in the SQL Enterprise Manager.

Password

Enter the password you have configured for the user above, in the SQL Enterprise Manager.

Database

Enter the database name, or click Browse to select the database from the server you have defined above. This is the database you have defined in the SQL Enterprise Manager for usage with the Quarantine.

If the connection is successful, the installation wizard prepares the SQL Server for use with Quarantine.

The SQL Reporter Server dialog appears.

4. Enter the information for the Reporter Database. All fields are similar to those described for the Quarantine Manager, except for the Database. You should select the Database you have created for the Reports.

The installation wizard connects to the SQL Server and prepares the database for use with the Reporter.

Specify Quarantine Expiration Settings

After you select the database, specify the settings governing how long emails are retained in quarantine on the Quarantine Expiration Settings page.

To specify quarantine expiration settings

1. In the Supervisor fields, enter the number of days and hours emails are to be kept in quarantine.

2. Use the drop-down list to specify the action CA Gateway Security takes for emails in quarantine after the quarantine period expires.

3. In the Self Admin section, enter the number of days and hours emails are to be kept in self-managed quarantine.

4. Use the drop-down list to specify the action CA Gateway Security takes for emails still in self-managed quarantine after the period expires.

5. Click Next.

Set Authentication Method

After you specify your quarantine expiration settings, identify the method to use to authenticate the user logging in to the CA Gateway Security self-managed web server.

CA Gateway Security supports the following authentication methods:

■ LDAP Authentication: Performs user verification against the LDAP server. If a recipient does not exist, no further processing of the email takes place. If the email is sent to multiple recipients, processing continues only for those recipients that are verified as valid.

■ NTLM Authentication: Uses an encrypted challenge and response protocol to authenticate users without sending the user passwords over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.

To set your authentication method

1. Specify one of the following authentication methods:

■ LDAP and NTLM Authentication

■ LDAP Authentication

■ NTLM Authentication

2. Click Next.

Complete the Installation

When prompted, license and register the software as described in Licensing and Registering CA Gateway Security (see page 51). You can also perform these steps up to 30 days after installation.

When prompted, restart the computer. The computer will not function properly if not restarted.

License and Register CA Gateway Security

For CA Gateway Security to function properly, you must license and register CA Gateway Security either during installation or within 30 days following installation.

There are two ways to license and register CA Gateway Security:

■ During installation, using the Licensing and Registration dialogs.

■ After Installation, using one of these methods:

■ Run the Licensing utility by selecting Start, Programs, CA, Gateway Security, Licensing.

■ Run the Registration utility by selecting Start, Programs, CA, Gateway Security, Registration.

Licensing and Registering During or Post-Installation

License and register CA Gateway Security using the License and Registration dialogs. These dialogs display near the end of the CA Gateway Security installation process, and you can also launch them post-installation.

License Type Dialog

CA products offer the following types of licensing. Depending on how you purchased the software, a different license type is required. When prompted, select the type of license you were provided.

If this is a trial installation, or if you have purchased but did not receive a license yet, select Live Trial. This permits 30 days of functionality. At the end of the 30 days you must license the product, or functionality ceases.

If you select ALP Certificate, you are directed to the CA support site for downloading and installing the license.

License Verification Dialog

If you select a 25 character key, the License Verification dialog appears.

CA Gateway Security provides several license types, depending on the features you have purchased. These licenses are keycodes that you need to enter into the Licensing utility. The keycodes are then applied to the software.

Product component options that are each controlled by a separate license code:

CA Gateway Security

The fully featured product that includes AV Gateway, Anti-Spam, Web URL filtering and Malicious Mobile Code Defense

CA Gateway Security Antivirus Gateway Option

AV Gateway and Malicious Mobile Code Defense

CA Gateway Security Anti-Spam Option

Anti-Virus Gateway and Anti-Spam features

CA Gateway Security Web Filtering Option

Web URL Filtering, HTTP filtering, and Anti-Virus Gateway

The following subscription update options require separate license codes:

■ CA Gateway Security Antivirus Subscription

■ CA Gateway Security Spam Subscription

■ CA Gateway Security URL Subscription

Registration Dialog

Next, the Registration dialog prompts you to register your software with CA.

Enter your identification information, and click Register.

Test the Installation

Test the installation by opening up the CA Gateway Security Manager Console after the computer on which the Manager Console is installed finishes restarting.

1. From the Start menu, select Programs, CA, Gateway Security, Manager Console.

The Manager Console Login dialog appears.

2. Enter Admin into the User Name field.

3. Enter Admin into the Password field.

Note: By default, CA Gateway Security provides Admin as both the user name and password.

4. Enter the IP address of the computer on which you are working into the CA Gateway Security Control Center field, and click OK.

Note: This IP address is usually the same as the address in the Local Machine IP field.

The Manager Console appears.

If the Manager Console appears, the installation has completed successfully. If not, see Troubleshoot the CA Gateway Security Installation (see page 107).

Individual Component Installation

The beginning of this chapter explained how to install a full version of CA Gateway Security on one server (SMB installation) and on multiple servers (enterprise installation). This section highlights the activities required when installing only individual CA Gateway Security components.

Installing Only the Spam or Web Options

When you install only the Spam option, you cannot select the HTTP option. When you install the Web option, you cannot select the SMTP option.

Installing Only the CA Gateway Security Console Viewer

You can install the CA Gateway Security Console Viewer on any computer. When you install, you are prompted to identify the location of the Control Center.

Install Role-based Support

When you install CA Gateway Security, you can choose to install the software in a role-based scenario in which you can assign roles to different users in the system (for example, administrator, power user, or user). You can, however, skip this option and not install role-based support.

Role-based management allows you to control and restrict administration task activities based on assigned roles to enhance identity and access policy management. The CA Gateway Security Role-based Manager allows you to use the database on the Embedded Identity and Access Management (EIAM) server to manage users, user groups, and access policies.

To install the Role-based Manager

1. Click launch.exe to launch the CA Gateway Security product installation browser.

The CA Gateway Security installation browser appears.

2. Select Install CA Gateway Security Accessories and then select Install CA Gateway Security Role-based Support.

The CA Gateway Security Role-based Manager installation wizard appears.

3. On the Welcome page, click Next.

The license agreement appears.

4. Read the license agreement, select I accept the terms of the License Agreement, and click Next.

The Destination Location page appears.

5. Accept the default installation destination in which to install the setup files (c:\..\CA\SharedComponents\Rolebased) or click Browse to select an alternate location. Click Next.

The Embedded IAM Server dialog appears.

6. Specify whether to install the Embedded Identity and Access Manager Server locally or to use a remote server.

If you specify a remote server, enter the IP Address or host name of the remote server in the Location field.

Note: The Location field is only enabled if you select the Use Remote EIAM Server option.

7. Click Next.

The EIAM Password Setup dialog appears.

8. Enter your EIAM password and click Next.

CA Gateway Security begins to install the database layer for Embedded IAM installation. When the installation is complete, CA Gateway Security installs Embedded IAM.

You are prompted when EIAM is installed.

9. Specify whether to restart your computer now or later and click Finish.

You must restart your computer to complete the installation.

Install the Desktop Email Option

The desktop email plug-in incorporates CA Gateway Security r8.1 Personal Quarantine capabilities into Microsoft Outlook desktop software. Once the plug-in is installed, the desktop option places a menu bar below the standard Outlook tool bar. Users can then view quarantined email, manage Allow and Deny Lists, and perform other maintenance.

Organizations with a limited number of users may want to install this capability on each user's computer, using the installation image provided on the CA Gateway Security r8.1 installation CD. Larger organizations can record a silent installation image, and then update user login scripts to execute the installation. The next time each user logs in, the plug-in capabilities appear in Outlook.

You can also use a silent installation process (for example, CA TNG) that pushes the software to users and then performs the installation automatically.

To install the Desktop Email Option from the Installation CD

1. Insert the CA Gateway Security r8.1 installation CD into your CD drive.

2. Navigate to the Desktop folder.

3. Double-click setup.exe.

4. Follow the instructions provided by the installation wizard.

Note: During the installation, you can specify email accounts to which spam and non-spam email is sent. To better manage spam and non-spam, you may want to set up separate email accounts for these options.

Chapter 4: Configuring Your Implementation

This section explains how to begin using the Manager Console to specify parameters for your enterprise. Before running CA Gateway Security in production, ensure that all required settings are configured to allow CA Gateway Security to properly handle your network content.

The Manager Console

The Manager Console is the main CA Gateway Security GUI and it provides central access to the content management databases and tools (the Central Quarantine Manager and the Central Reporter). It allows you to locally view the analysis of content filtering events, receive real-time alerts, and determine how the content management engines will run. You can also configure the local content filtering settings such as spam, URL filtering, and automatic updates from the Internet.

The settings affect the workload on the engines and, as a result, analysis time. The optimal settings for your system depend on a number of parameters, including traffic load, number of rules, type of content filtering, depth of analysis, and processing power of your computer.

The Manager Console handles the content rules and filters, and distributes policies to local and remote machines. The Manager Console lets you view Last/Average/Minimum/Maximum statistics for the main functionality points of each analysis engine, including the following:

HTTP

■ Inbound/Outbound/Internal Files Processed/Min

■ Total Inbound/Outbound/Internal Files Processed

■ Inbound/Outbound/Internal Files Blocked

■ Inbound/Outbound/Internal Viruses Detected

■ URLs Blocked

■ URLs Checked and Reported

SMTP

■ Inbound/Outbound/Internal Messages Processed/Min

■ Total SMTP Inbound/Outbound/Internal Messages Processed

■ Inbound/Outbound/Internal Queue Size

■ Inbound/Outbound Viruses Cured

■ Total SMTP Messages Infected/Quarantined/Parked/Blocked by RBL Service

Start the Manager Console

To start the Manager Console, click Start/Programs/CA/Gateway Security/Manager Console.

Manager Console Information

The Manager Console provides four kinds of information:

Engine Protocol Tree (Left Pane)

Displays the name and IP address of the computer running CA Gateway Security and the available content filtering engine protocols. Clicking a protocol displays realtime protocol statistics in the right pane.

Engine Protocol Status/Statistics (Right Pane)

Displays the statistics for the engine protocol selected in the left pane. If there is no engine protocol selected in the left pane, the CA Gateway Security status displays in the pane. Engine statistics display in real time.

Realtime Alerts (Bottom Pane)

Displays policy violation incidents as they occur. The HTTP/FTP, URL, and SMTP rules that you define and activate trigger policy violations. The violations display in real time.

Realtime Enterprise Activity (Bottom Pane)

Displays a running log of significant activities performed by the user currently logged into the Manager Console.

Manager Console Settings

After installation, review and modify some of the default settings to meet your needs. There are two types of settings:

Local Engine Settings

Settings that are specific to one analysis Engine (SMTP or HTTP)

Enterprise Settings

Global settings that are applied to all analysis engines in the CA Gateway Security environment

Initial Filtering Settings

The topics that follow describe the settings you must modify before you put CA Gateway Security into production.

For more information about the options in any of the dialogs in this chapter, use the Manager Console to navigate to the dialog and click the Help button.

Modify Local Settings

You can modify your local settings from the Settings dialog.

To modify local settings

1. Select Filtering, Settings.

The settings dialog appears.

2. From the drop-down at the top of the dialog, select the IP address of the local computer for which you would like to modify settings.

3. Modify the appropriate settings and click OK.

HTTP Engine Settings

Use the HTTP node to define parameters for the HTTP content filtering. If you want to modify the default settings for General, File Settings, or Advanced, see the online help for each of the options in the HTTP Engine node.

Define Proxy Settings

When working with CA Gateway Security as an HTTP proxy, you must configure some settings depending on your implementation. For instance, if you are chaining CA Gateway Security to another proxy (upstream or downstream), you must configure the chained proxy location and port.

To define proxy server settings, follow these steps:

1. Click HTTP Engine, Proxy Settings, Proxy Server.

The Proxy Server settings dialog appears.

2. Modify the default values as appropriate.

Proxy Port

Specify the CA Gateway Security Proxy Server listening port. Typically, accept the default port 8080.

Chained Proxy

To chain one proxy server to another, check the Chained Proxy box and enter the chained proxy's name or IP address and the proxy port.

Authentication

Check the Integrated Windows Authentication (NTLM) box if you want the HTTP Proxy to perform NTLM (NT-LAN Manager) authentication.

NTLM is a shared secret user challenge-response authentication protocol that supports pass-through authentication to a domain controller in the server's domain, or in a domain trusted by the current domain's domain controller.

When configured to use NTLM authentication, CA Gateway Security uses the NTLM authentication method and this protocol to gather user names and their domains. It associates them with the corresponding content filter NTLM rules (if any are defined) based on these specific users.

3. Click OK to save the proxy server parameters and close the dialog.

LDAP Settings

Use the LDAP (Lightweight Directory Access Protocol) settings to specify all parameters for identifying and managing LDAP servers for use in SMTP filtering and quarantined email.

Important! Ensure that all of the following settings are correctly configured. Test the connection when you are finished.

Define LDAP Server Settings

You can define Enterprise LDAP settings from the Settings dialog.

To define specific settings

1. In the Settings dialog, select Enterprise Settings from the drop-down list.

2. In the left pane, select LDAP Templates.

The default template appears in the right pane.

3. Select the default template and click Edit.

The LDAP Template dialog appears. The LDAP Template dialog provides a number of tabs to help you define a template for your LDAP server settings.

4. On the Servers tab, set the login account and password for the LDAP server.

You must provide a valid login account and password. CA Gateway Security does not support Anonymous logins.

Note: Active Directory LDAP server supports the Domain\User format rather than a full user name.

Define Local Engine LDAP Settings

You can define specific settings for a local engine rather than using the CA Gateway Security default settings defined in the LDAP node of the Enterprise Settings.

To configure LDAP settings for local engines

1. In the Settings dialog, select the local engine from the drop-down list.

2. In the right pane, select LDAP Usage.

The LDAP usage dialog appears in the left pane.

3. Select the Default template.

4. Specify the appropriate settings in the left pane and click OK to enable your settings.

Specify Quarantine LDAP Settings

You can specify LDAP settings related to quarantining email from the Settings dialog.

To define Quarantine LDAP settings

1. In the Settings dialog, select Enterprise Settings from the drop-down list.

2. In the left pane, select Quarantine.

The LDAP usage dialog appears in the right pane.

3. Select the Default template.

4. Specify the required settings and click OK.

Test LDAP Settings

LDAP settings should be tested to verify that all settings are properly defined.

To test your LDAP settings

1. In the LDAP Template dialog, select the Test tab.

The LDAP Test tab appears.

2. Enter either a single person's email address or a distribution list email address.

3. Click Send Query.

In a few moments the query results appear.

4. Review the information in the Result pane. If the configuration is correct, the test was successful. If the results show a failure, repeat the previous configuration steps and check for any errors.

Subscription Settings

You can request a CA subscription to update subscription lists from the web on a regular basis. When you subscribe to an update, you receive a license code that enables the subscriptions.

Subscription settings let you configure automatic updates for subscriptions. The time and version of the last successful update appears at the top of the settings for each subscription item.

You can configure subscription updates for the following:

Antivirus

Use these settings to specify how to obtain automatic updates for antivirus signature files. These files are used by a powerful antivirus engine that scans both HTTP and SMTP traffic for viruses.

Spam Rules

Use these settings to specify how to obtain automatic updates for spam rules. Spam rules are used by the SMTP engine to determine whether or not incoming email contains spam.

URL Filtering

Use these settings to specify how to obtain automatic updates for URL categories. With URL filtering by category and regular expressions, you can designate URLs that users should not visit. For example, you can designate URLs dealing with pornography, gambling, online sales or merchandising, and so on.

To define subscription settings, click Subscriptions. The Anti-Virus Subscription settings appear.

Modify Antivirus Settings

Use these settings to define how to handle antivirus rule updates on the local CA Gateway Security computer.

To modify antivirus settings, follow these steps:

1. Click Antivirus.

The Antivirus settings display.

2. The only parameters you should change are the proxy settings, if your traffic passes through a proxy. To change these settings, check the Use Proxy Server box and provide the following information:

■ The proxy server name or IP address

■ The proxy server port

■ Authentication information if your proxy requires authentication (for example, a user name and a password are required by the proxy server to grant web access). Check the Authentication box to allow you to enter the authentication user name and password.

3. Click OK to save the parameters and close the dialog.

If the Distribute Changes command is enabled, a dialog displays for distributing these parameter settings to other CA Gateway Security computers on your network enterprise.

Modify Spam Rules Settings

Use these settings to define how to handle spam rule updates on the local CA Gateway Security computer.

To modify spam rule settings, follow these steps:

1. Click Spam Rules.

The Spam Rules settings appear.

2. The only parameters you should change are the proxy settings, if your traffic passes through a proxy:

Use Proxy Server

By default, CA Gateway Security uses the proxy server provided at installation. Specify an alternate spam server name if necessary.

Port

Specify the port number for the spam server.

Authentication

Enter authentication information for the server.

Name and Password

By default, CA Gateway Security uses the user name and password provided at installation. Enter an alternate user name or password if necessary.

3. Click OK to save the parameters and close the dialog.

Modify URL Filtering Settings

Use these settings to define how to handle Web URL updates on the local CA Gateway Security computer.

To modify Web URL update settings, follow these steps:

1. Click URL Filtering.

The URL Filtering settings display.

2. The only parameters you should change are the proxy settings, if your traffic passes through a proxy:

Use Proxy Server

By default, CA Gateway Security uses the proxy server provided at installation. Specify an alternate spam server name if necessary.

Port

Specify the port number for the spam server.

Authentication

Enter authentication information for the server.

Name and Password

By default, CA Gateway Security uses the user name and password provided at installation. Enter an alternate user name or password if necessary.

3. Click OK to save the parameters and close the dialog.

Modify Enterprise Settings

To modify enterprise settings, follow these steps:

1. Select Filtering, Settings.

2. Select Enterprise Settings from the drop down box.

The Enterprise Settings dialog appears.

When you modify these settings, an option appears for you to distribute the settings to other CA Gateway Security computers in your enterprise.

Define Loop-back Settings

Use these general settings to prevent loop-back scenarios. You should add all local and remote computers on which CA Gateway Security is installed and also include any firewall or any other network devices.

To define Loop-back settings, follow these steps:

1. Click Loop-back Settings.

The Loop-back Settings appear.

2. To add a computer, firewall, or other network device, click Add.

The Server Properties dialog appears.

3. Enter a server or device name and its port.

4. Click OK.

Enterprise LDAP Settings

Use the LDAP (Lightweight Directory Access Protocol) Options to set up all parameters for identifying and managing LDAP servers for use in SMTP filtering and quarantined email.

Important! Correct LDAP configuration is a key factor for CA Gateway Security functionality. Ensure that all the following settings are configured, and that the connection is tested.

To define LDAP settings, click LDAP Templates. The LDAP General Settings appear.

Define Enterprise LDAP General Settings

To define settings for a specific engine, you must create and configure a new template and select the new template from the engine.

To define LDAP general settings

1. In the Enterprise Settings dialog, select LDAP Templates.

The default template appears in the right pane. You can edit this template or add a new template.

2. Select the Servers tab.

3. Select the Auto detect server option to allow CA Gateway Security to automatically detect LDAP servers in your network.

Note: This option works only with Microsoft LDAP servers (Microsoft Exchange or Microsoft Active Directory).

4. Enter the port that CA Gateway Security uses to auto detect LDAP servers.

The port number value for a normal domain controller is 389. For the Global Catalog server, set the port value to 3268.

5. Use the Server list to explicitly define the LDAP server to use.

The LDAP server is usually the MS Exchange computer or an MS Active Directory enabled Domain Controller. For Microsoft Active Directory, set the LDAP server name to the network domain controller Global Catalog server.

To allow high availability of LDAP, you can define more than one LDAP server in the list. CA Gateway Security uses the servers in the list from top to bottom. If the first server is unavailable, CA Gateway Security tries to use the second server, and so on.

6. From the Secure Type drop-down list, select the Secure Connection (SSL) option to ensure that you connect only through a secure connection.

7. Enter your login account and password for the LDAP servers. For Exchange, use one of the account names prefixed with CN= (for example, CN=admin). You can enter your login account directly without any prefix.

8. Click OK to enable your settings or select another tab.

Define Enterprise LDAP Dictionary Settings

You can define or update the predefined settings for the LDAP server. The default settings are for the MS Active Directory.

To define LDAP dictionary settings, follow these steps:

1. In the LDAP Templates dialog, select the Dictionary tab.

The LDAP Dictionary settings appear.

2. Modify the default values as appropriate. If the LDAP server definitions vary from the default values, review the LDAP schema and correct the values accordingly.

Base DN

The Active Directory server requires a specific company base distinguished name (base DN). Modify the Base DN field by entering the base DN name to reflect your company domain. Examples include the following:

■ linux.org usually has a base DN equal to dc=linux,dc=org

■ ca.com has a base DN equal to dc=ca,dc=com

Exchange

Use an account name prefixed with CN=. For example, CN=admin.

Other LDAP servers

Other LDAP servers usually require a complete distinguished name (DN). Examples include the following:

■ CN=Content Control

■ OU=Groups

■ OU=Europe Middle East Africa

■ DC=ca

■ DC=com

3. Click Test when you are finished to verify that all settings are correct. You can test using a single email address and a distribution list.

4. Click Load Default Values to specify whether to use Microsoft Exchange or Microsoft Active Directory (AD) as the LDAP server.

5. Click OK to save the parameters and close the dialog.

Define Enterprise LDAP Pool Settings

CA Gateway Security requires access to directory stored information to perform a number of tasks, including the following:

■ Validate email recipients

■ Retrieve distribution list owners

■ Query user memberships

To retrieve this information, CA Gateway Security opens a connection to an LDAP server, and, after successful authentication, initiates a query or a search for directory information. When the results are received, the CA Gateway Security LDAP module disconnects from the server.

To maximize the use of both server and client resources, you can configure CA Gateway Security to reuse open connections. To keep LDAP connections open for reuse, CA Gateway Security creates a generic connection pool to initiate new LDAP connections and track free and used connections.

To define LDAP pool settings

1. In the LDAP Templates dialog, select the Pool Settings tab.

2. Specify the maximum number of connections to maintain in the pool.

3. Specify whether to have CA Gateway Security create temporary connections if all pool connections are in use.

If you do not enable this option, CA Gateway Security waits until a pool connection becomes available.

4. Specify the maximum length of time to keep unused connections in the pool.

5. Click OK to enable your settings or select another tab to enter more settings.
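
A small model of the three pool settings above, added here as an illustration (it is not CA Gateway Security code and makes no LDAP calls). The class names, workload and timings are constructed; the point is the trade-off between waiting for a pooled connection and paying for extra binds on the directory server.

```python
class FakeConnection:
    """Stand-in for an authenticated LDAP connection (no network I/O)."""
    def __init__(self, serial, temporary):
        self.serial = serial
        self.temporary = temporary


class LdapPoolModel:
    """Hypothetical model of the Pool Settings tab, for illustration only."""
    def __init__(self, max_connections, allow_temporary, max_idle, clock):
        self.max_connections = max_connections   # maximum connections kept in the pool
        self.allow_temporary = allow_temporary   # create temporary connections when full
        self.max_idle = max_idle                 # seconds an unused connection is kept
        self.clock = clock                       # callable returning the current time
        self.free = []                           # [(connection, time released)]
        self.busy = set()
        self.binds = 0                           # connect + authenticate operations

    def _open(self, temporary):
        self.binds += 1
        return FakeConnection(self.binds, temporary)

    def acquire(self):
        now = self.clock()
        # Drop pooled connections that sat unused longer than the idle limit.
        self.free = [(c, t) for c, t in self.free if now - t <= self.max_idle]
        if self.free:
            conn = self.free.pop()[0]             # reuse: no new bind
        elif len(self.busy) < self.max_connections:
            conn = self._open(temporary=False)
        elif self.allow_temporary:
            return self._open(temporary=True)     # used once, never pooled
        else:
            return None                           # caller waits for a release
        self.busy.add(conn)
        return conn

    def release(self, conn):
        if conn is None or conn.temporary:
            return                                # temporary connections are closed
        self.busy.discard(conn)
        self.free.append((conn, self.clock()))


def simulate(allow_temporary):
    """Run a fixed, constructed workload and return (binds, waits)."""
    now = [0.0]
    pool = LdapPoolModel(max_connections=2, allow_temporary=allow_temporary,
                         max_idle=60, clock=lambda: now[0])
    # Burst: recipient validation, list-owner lookup and membership query at once.
    held = [pool.acquire() for _ in range(3)]
    waits = held.count(None)
    for conn in held:
        pool.release(conn)
    # Ten seconds later two lookups reuse the pooled connections.
    now[0] = 10.0
    held = [pool.acquire() for _ in range(2)]
    for conn in held:
        pool.release(conn)
    # After two quiet minutes the pooled connections have expired.
    now[0] = 130.0
    pool.release(pool.acquire())
    return pool.binds, waits


if __name__ == "__main__":
    print("temporary connections on :", simulate(True))
    print("temporary connections off:", simulate(False))
```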

Test Enterprise LDAP Settings

Enterprise LDAP settings should be tested to verify that all settings are properly defined.

To test Enterprise LDAP settings

1. In the LDAP Template dialog, select the Test tab.

The LDAP Test tab appears.

2. Enter either a single person's email address or a distribution list email address.

3. Click Send Query.

In a few moments the query results appear.

4. Review the information in the Result pane. If the configuration is correct, the test was successful. If the results show a failure, repeat the previous configuration steps and check for any errors.

SMTP Authentication

Typically, in company-based email systems, internal SMTP clients and CA Gateway Security machines belong to the same intranet (local or VPN-based). In SMTP authentication configurations, clients must be authenticated to be treated as internal.

In an SMTP topology, client machines use a CA Gateway Security machine as the SMTP server to send email. The clients are not necessarily part of the CA Gateway Security machine's internal subnet and can connect from external subnets (internet). The CA Gateway Security machine connects to the SMTP server and the SMTP server actually processes the email. As with the clients, it is not necessary for the CA Gateway Security machine to be part of the SMTP server's internal subnet.

To enable this topology, you must add the SMTP server to the Outgoing Relay List in the Relay Servers Configuration dialog on the CA Gateway Security machine.

Extended SMTP Support

The SMTP extension, indicating an authentication mechanism or a transmission method, is defined by the command Auth during SMTP negotiation.

CA Gateway Security supports the following ESMTP extensions:

■ Plain SMTP authentication

■ Login SMTP authentication

■ 8Bitmime transport

■ Chunking transmission mode with or without Binarymime transport

To enable these extensions, select one or more extensions in the ESMTP Support list on the Connections dialog.

SMTP Authentication Mechanisms

SMTP authentication mechanisms indicate how user names and passwords are sent from client to server during negotiation. When either supported mechanism is negotiated, user names and passwords are sent in plain text (base64 encoded) from the client to the server.

CA Gateway Security supports the following authentication mechanisms:

■ Login

■ Plain

With either mechanism, email sent from an external IP address is treated by CA Gateway Security in the same way as email received from an internal IP address after successful authentication.

Chunking

The SMTP transmission method indicates how data is sent from client to server. CA Gateway Security supports the Chunking transmission method.

Chunking is an SMTP transmission method in which the client sends chunks of binary email with defined sizes and the server confirms the receipt of each chunk before the client continues the transmission with the next chunk.

Chunking transmission is typically faster than the default method in which email bodies are sent and servers check for the email end sequence <CR><LF>.<CR><LF> at the end of each received package. In addition, Chunking transmission is more reliable, because transmission problems can be identified and fixed faster.

By default, chunking is not enabled. You must explicitly enable support for Chunking in your CA Gateway Security settings.

Transport Modes

The SMTP transport mode indicates the type of content to be transmitted in the email. CA Gateway Security supports the following transport modes:

■ 8Bitmime: The 8Bitmime extension supports the exchange of emails where the body consists of text containing octets outside of the US-ASCII octet range (hex 00-7F).

■ Binarymime: Binarymime transport mode enables files to be transferred in their original (binary) format by SMTP.

Important! You must enable the Chunking transmission method to use the Binarymime extension.

Email clients indicate binary content or content with characters outside US-ASCII octet range using extended Mail From commands. The syntax for these commands is identical to the general Mail command, except that a Body parameter must appear after the address, indicating the transport mode, as in the following examples:

MAIL FROM: <recipient_email_address> BODY=8BITMIME

MAIL FROM: <recipient_email_address> BODY=BINARYMIME

Note: Only one Body parameter may be used in a single Mail command.

By default, 8Bitmime or Binarymime support is not enabled. You must explicitly enable support for 8Bitmime or Binarymime (and extended Mail From commands) in your CA Gateway Security settings.

Note: Emails received in binary format are encoded into base64 mime format for further processing by plug-in DLLs and delivering components. The CA Gateway Security SMTP Service, as a relay product, ensures that 8Bitmime and Binarymime emails received from clients are successfully sent to their final destinations, but CA Gateway Security cannot assume that the destination SMTP servers also support the 8Bitmime or Binarymime extension.
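
The following Python sketch is an added example, not code from CA Gateway Security or this guide. It audits a constructed EHLO reply against the rules in this section (Binarymime needs Chunking, one Body parameter per Mail command) and decodes an AUTH PLAIN response to show that base64 encoding does not protect the credentials. The STARTTLS check and all host names, addresses and credentials are assumptions added for illustration.

```python
import base64

CLEARTEXT_MECHANISMS = {"PLAIN", "LOGIN"}   # the two mechanisms this guide lists

# Constructed EHLO reply from a hypothetical gateway (not captured from a product).
SAMPLE_EHLO = (
    "250-gateway.example.test Hello\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-8BITMIME\r\n"
    "250-BINARYMIME\r\n"
    "250 SIZE 10240000\r\n"
)
# Constructed AUTH PLAIN response: base64(authzid NUL user NUL password).
SAMPLE_AUTH_PLAIN = base64.b64encode(b"\x00alice\x00not-a-real-password").decode()


def parse_ehlo(reply):
    """Return {KEYWORD: [PARAMS]} for every extension line of an EHLO reply."""
    caps = {}
    for line in reply.splitlines()[1:]:        # line 0 is the server greeting
        words = line[4:].split()               # skip "250-" or "250 "
        if line.startswith("250") and words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def audit_capabilities(caps):
    """Flag advertised combinations that contradict this section."""
    findings = []
    if "BINARYMIME" in caps and "CHUNKING" not in caps:
        findings.append("BINARYMIME advertised without CHUNKING")
    offered = sorted(CLEARTEXT_MECHANISMS.intersection(caps.get("AUTH", [])))
    # STARTTLS is not covered by the guide; it is checked here as an assumption
    # about how the plain-text credentials would be protected in transit.
    if offered and "STARTTLS" not in caps:
        findings.append("AUTH " + "/".join(offered) + " offered without STARTTLS")
    return findings


def decode_auth_plain(response):
    """Recover (authzid, user, password) from a base64 AUTH PLAIN response."""
    decoded = base64.b64decode(response).decode("utf-8")
    authzid, user, password = decoded.split("\x00", 2)
    return authzid, user, password


def check_mail_command(line, caps):
    """Validate the Body parameter of an extended Mail From command."""
    params = line.split(">", 1)[1].split() if ">" in line else []
    bodies = [p.split("=", 1)[1].upper() for p in params
              if p.upper().startswith("BODY=")]
    problems = []
    if len(bodies) > 1:
        problems.append("more than one BODY parameter")
    for body in bodies:
        if body not in ("7BIT", "8BITMIME", "BINARYMIME"):
            problems.append("unknown BODY value " + body)
        elif body != "7BIT" and body not in caps:
            problems.append(body + " not advertised by the server")
        if body == "BINARYMIME" and "CHUNKING" not in caps:
            problems.append("BINARYMIME requires CHUNKING")
    return problems


if __name__ == "__main__":
    caps = parse_ehlo(SAMPLE_EHLO)
    print(audit_capabilities(caps))
    print(decode_auth_plain(SAMPLE_AUTH_PLAIN))
    print(check_mail_command("MAIL FROM:<alice@example.test> BODY=BINARYMIME", caps))
```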

Embedded IAM

Role-based management requires that you connect to the Active Directory through Embedded IAM.

You can configure this connection either from the Embedded IAM (EIAM) web GUI interface or using the Role-based Manager Server configuration from the Manager Console. You must adjust your settings to connect EIAM to the Active Directory.

Configure Embedded IAM from the Server Configuration Utility

You can use the Server Configuration utility to set up your Embedded IAM.

To use the Server Configuration utility

1. From the Start menu, select Programs, CA, Gateway Security, and select Manager Console.

The Manager Console appears.

2. Enter your password and click OK to log in to the Manager Console.

3. From the Tools menu, select Role based Manager and select Server Configuration.

The EIAM Server Configuration dialog appears.

4. From the drop-down menu, select Referenced from an external directory and enter the required information in the following fields:

■ Type: The type of external directory (for example, Microsoft Active Directory, eTrust Admin, and Novell eDirectory).

■ Host: The host of the external directory.

■ Port: The LDAP port to connect to on the external directory host.

■ Base DN: The LDAP DN used as the base. Only global users and groups discovered underneath this DN are mapped into EIAM.

Note: No spaces are allowed in the base DN.

■ User DN: The DN to attach to the external directory host.

■ Password: The password for the User DN used to attach to the external directory host.

5. Select the following options, as appropriate, to configure Active Directory properties:

■ Use Secure Socket Layer: Use SSL when making the LDAP connection to this external directory.

■ Cache Global Users: Have the EIAM server cache global users in memory, providing faster lookups, but reducing scalability.

Note: Global user groups are always cached.

■ Cache Update Time: Enter the time (in minutes) to update the cached groups (and optionally users).

■ Retrieve Exchange Groups as Global User Groups: Use Exchange groups as valid Global User Groups, allowing you to write policies against members of distribution lists.

Note: Available only for Microsoft Active Directory.

6. Click Apply and click OK.

Define Users in the Embedded IAM Database

To enable Active Directory users to log onto the CA Gateway Security Manager Console, you must define those users in the Embedded IAM database.

Note: Embedded IAM must be able to connect with Active Directory before you can add CA Gateway Security users.

CA Gateway Security uses Embedded IAM to validate users on the domain controller. If authentication is successful, the users can log onto the Manager Console with the assigned permission level.

To add Active Directory users to the Embedded IAM database

1. From the Start menu, select Programs, CA, Gateway Security, and select Manager Console.

The Manager Console Logon dialog appears.

2. Enter your CA Gateway Security Administrator name and password to log into the Manager Console.

3. In the Manager Console, from the Tools menu, select Role-based Manager and select User Management.

The CA Gateway Security Role-based Manager User Management dialog appears.

4. Select the group to which you want to add a user from the Roles Groups list in the left pane.

The right pane displays the actions and permissions for users in the selected group.

5. Click New User.

The New Embedded IAM User dialog appears.

6. From the drop-down list, select the group to which to add the new user and enter the user name.

Note: The user name is the Active Directory User ID, not a combination of the new user's last and first names.

7. Click OK.

The New Embedded IAM User dialog closes and the new user appears in the Roles Groups list under the selected Group.

8. Click OK.

The new user is added to the EIAM database and can access CA Gateway Security.

Change Users Role Group

You can change the role group to which an individual user is assigned to change the permissions granted to that user.

To change a role group

1. In the left pane of the CA Gateway Security Role Based Manager dialog, click the current role group of the user and select the user name.

2. Click Properties.

The Embedded IAM User dialog appears.

3. Select the option I would like to move the user to the following group.

The drop-down list of role groups is enabled.

4. Select the new role group from the drop-down list and click OK.

The user is added to the specified group.

Change Group Action Permissions

You can change the permissions attached to specific actions for role groups.

To change action permissions

1. In the left pane of the CA Gateway Security Role Based Manager dialog, select the group to be changed.

The list of actions and permissions assigned to this group appears in the right pane.

2. Right-click the action you want to change and select the updated permission from the drop-down list.

3. Click OK.

Remove Users from Role Groups and the EIAM Database

When you remove users from role groups, those users are also deleted from the EIAM database.

To remove users

1. In the left pane of the CA Gateway Security Role Based Manager dialog, click the user's current role group and select the user from the list of users assigned to that group.

2. Click Remove.

3. Click Yes when prompted to confirm the deletion.

The user is deleted from the role group and from the EIAM database.

Start the Embedded IAM Utility

Start the Embedded IAM utility to access available functions.

To start Embedded IAM

1. Select Start, Programs, CA, Gateway Security, Embedded IAM UI.

The Embedded Identity and Access Management login web page appears.

2. Select the CA Gateway Security application from the drop down menu.

3. Enter the password that you defined when you installed CA Gateway Security and click Login.

The Embedded Identity and Access Management utility opens.

Specify Global Users and Global Group Settings

To use Embedded IAM with your organization's Active Directory, follow these steps:

1. Select the Embedded IAM server link from the Configure tab.

2. Select Global Users/Global Groups.

3. Select Reference from an external directory.

4. Configure the Active Directory properties. The following shows sample settings for Microsoft Active Directory:

5. Save your changes, using the Save button, and verify that a green checkbox status is highlighted next to both Status checks.

Role Management Using Embedded IAM

You can use Embedded Identity and Access Management (Embedded IAM) to add Active Directory users to an Embedded IAM database, define users, and assign CA Gateway Security access permissions to fit user roles within your organization.

Create the Embedded IAM Database

You need to create the Embedded IAM database before you can add users and assign user permissions.

To create the Embedded IAM Database

1. Open the CA Gateway Security Manager Console.

2. Select Tools, Embedded IAM, Database Actions.

The Embedded IAM Database Actions dialog appears.

3. Enter the Embedded IAM password and Embedded IAM server location that you defined when you installed CA Gateway Security.

4. Select the Action drop down and select Create Role based database.

5. Click Execute.

CA Gateway Security creates the database. When the process completes, a success or failure execution status appears in the Result field.

6. Click Close to complete the process.

Define Users in the Embedded IAM Database

To enable an Active Directory user to log onto the CA Gateway Security Manager Console, you need to define the user in the Embedded IAM database.

Note: Embedded IAM must be able to connect with Active Directory before you can add a CA Gateway Security user. See the CA Gateway Security Implementation Guide r8 for more information on connecting to the Embedded IAM with Active Directory.

To add Active Directory users to the Embedded IAM database

1. Select Start, Programs, CA, Gateway Security, Embedded IAM UI.

The Embedded Identity and Access Management logon dialog appears.

2. Select Application, Gateway Security.

3. Enter the Embedded IAM user name and password that you specified when installing CA Gateway Security, and then click Log In.

The Embedded IAM web interface appears.

4. Select Manage Identities, Users.

The Manage Identities, Users sub tab appears.

5. Select a search attribute from the Attribute drop down and enter a matching value in the Value field. For example, to search by last name, select Last Name and then enter the user's last name in the Value field.

Note: User Name is the Active Directory UserID, not a combination of a user's first and last name.

6. Select an appropriate operator.

7. Click Go.

The user appears in the Users panel.

8. Assign permission levels to the user (see Assign User Permission Levels) and then click Save.

The user is added to the Active Directory database and the user is ready for CA Gateway Security access.

Note: A user can log onto CA Gateway Security with an Active Directory user id only after you have defined the user in Embedded IAM and have logged out of the Embedded IAM web interface. CA Gateway Security uses Embedded IAM to validate the user on the domain controller. If authentication is successful, the user can log onto the Manager Console with the assigned permission level.

Assign User Permission Levels

To assign a permission level to a user, you add the user to an appropriate group.

Because CA Gateway Security data can be confidential, we recommend defining users and passwords to grant access to specific Manager Console capabilities. Administrator permissions provide unlimited access to CA Gateway Security for viewing data, creating rules, and changing parameters.

There are three types of users, each with specific access levels:

| User / Permissions | Configure Settings | Read Settings | View Data |
|---|---|---|---|
| Administrator | Yes | Yes | Yes |
| Power User | No | Yes | Yes |
| Standard User | No | No | Yes |

To assign a permission level to a user

1. Click the user name in the Users tree view.

2. Click Add Application User Details in the right pane.

3. Click an available user group to which to add the user, then click the right pointing arrow.

The group is added to the user's list of selected user groups.

4. Click Save.

The process is complete.

Change User Permission Levels

To change the permission levels for a user, you can remove the user from an appropriate group or add the user to different groups.

To change the permission levels for a user

1. Click the user name in the Users tree.

2. Add or remove the user to or from groups:

■ Click or Ctrl-click one or more selected user groups from which to remove the user, then click the left pointing arrow.

■ Click or Ctrl-click one or more available user groups to which to add the user, then click the right pointing arrow.

The user is added or removed from the selected groups.

3. Click Save.

The process is complete.

Remove All Permission Levels From a User

To remove all permission levels for a user, effectively removing all of the user's access rights, you remove the user from all groups.

To remove all permission levels for a user

1. Click the user name in the Users tree.

2. Ctrl-click all of the selected user groups, then click the left pointing arrow.

The user is removed from all groups.

3. Click Save.

The process is complete.

User Management with Embedded IAM

CA Gateway Security user management allows you to apply administrative roles to users and groups to organize users into separate, predefined roles, each with its own set of permissible actions. When you assign roles to users, you give those users permission to perform specific actions.

CA Gateway Security provides three predefined role groups: Administrators, Power Users, and Guests. Each predefined role group has a specific list of permissible actions associated with it. You can change permission for any of the predefined actions for a specific group from the CA Gateway Security Role Based Manager dialog.

By default, the following permissions are assigned:

| Action | Administrator | Power User | Guest |
|---|---|---|---|
| Download Anti-virus signatures | Allowed | View only | Not allowed |
| Manage Quarantine | Allowed | View only | Not allowed |
| Set definitions | Allowed | View only | Not allowed |
| Specify rules | Allowed | Not allowed | Not allowed |
| Specify options | Allowed | View only | Not allowed |
| Configure reports | Allowed | View only | Not allowed |
| Distribute settings | Allowed | View only | Not allowed |
| Manage gateways | Allowed | Not allowed | Not allowed |
| Start or stop services | Allowed | Not allowed | Not allowed |
| Manage EIAM | Allowed | Not allowed | Not allowed |
| Log activity | Allowed | View only | Not allowed |
| Specify settings | Allowed | View only | Not allowed |
| Clear logs | Allowed | View only | Not allowed |
| Back up or restore | Allowed | View only | Not allowed |
| Schedule | Allowed | View only | Not allowed |

After you determine group permissions, you can manage user access to these roles as appropriate.

■ Click New user to add a user to a specific role group and enter the necessary information in the EIAM User dialog.

If your EIAM server uses external DB storage (Active Directory), you can only add existing Active Directory users.

■ Click Remove to remove a user from a specific role group.

If your EIAM server uses external DB storage (Active Directory), any user you remove is removed only from the assigned role group, not from the external storage.

■ Click Properties to modify a user password or group membership and enter the necessary information in the EIAM User dialog.

If your EIAM server uses internal DB storage (Active Directory), you cannot change user passwords.

Maintain the Embedded IAM Database

You can maintain the Embedded IAM database by purging and rebuilding the database or by exporting the database for use in another Embedded IAM installation.

1. Open the CA Gateway Security Manager Console.

2. Select Tools, Embedded IAM, Database Actions.

The Embedded IAM Database Actions dialog appears.

3. Enter the EIAM password and server location defined during installation.

4. Select one of the following actions:

Export Role-based database

Exports the Embedded IAM database so you can use it with another CA Gateway Security or Embedded IAM installation.

Import Role-based database

Imports an exported Embedded IAM database.

Delete Role-based database

Permanently deletes the currently installed Embedded IAM database.

Important! Once you delete a database, you cannot recover it.

Create Role-based database

Creates a new empty database if you have deleted the existing database.

5. Click Execute.

When the process completes, a success or failure execution status appears in the Result field.

6. Click Close to complete the process.

CA Gateway Security Email Server Configuration Considerations

You can install and configure CA Gateway Security with your mail server in two locations:

■ On a computer other than your mail server computer

■ On your mail server computer

The most direct way to configure CA Gateway Security is to install it on a computer other than the mail server. This configuration does not require any modification to your mail server, although you must modify your DNS information.

With this configuration, the CA Gateway Security SMTP filtering engine receives your emails, checks them according to rule filters, and forwards them to your mail server. Users on the Internet connect to your CA Gateway Security computer, so the location of your mail server remains unknown. If you are using a firewall to route incoming emails to your local mail server, you have to configure your firewall to forward the incoming emails to the CA Gateway Security computer rather than to your local mail server. With a firewall, you can further protect your mail server by disallowing any outside connections except to the CA Gateway Security computer.

Installing CA Gateway Security and your mail server on the same computer requires that you modify your mail server configuration so that it does not listen on port 25 on the TCP/IP address that CA Gateway Security uses. Your mail server must listen on a different TCP/IP port so that CA Gateway Security can forward email to that port.

Installation on a Dedicated Computer

When installing CA Gateway Security on a dedicated computer other than your mail server, configure CA Gateway Security to receive email at the CA Gateway Security computer and configure the mail server to forward outgoing emails to CA Gateway Security.

Note: CA recommends that, until you understand your organization's email traffic patterns, you use only the CA Gateway Security default rule filters and alerting actions.

How to Configure CA Gateway Security on a Dedicated Computer

To configure CA Gateway Security on a dedicated computer, perform the following steps for your specific mail server:

For Exchange 5.5

1. Install CA Gateway Security to forward email to the Exchange computer.

2. Set connectors in Exchange to forward all email to CA Gateway Security.

3. Forward outgoing emails in Exchange 5.5 to CA Gateway Security.

For Exchange 2000

1. Install CA Gateway Security to forward email to the Exchange computer.

2. Set connectors in Exchange to forward all email to CA Gateway Security.

3. Forward outgoing emails in Exchange 2000 to CA Gateway Security.

For Domino 6.x

1. Install CA Gateway Security to forward email to the Lotus Domino computer.

2. Forward outgoing emails in Lotus Domino to CA Gateway Security.

Install CA Gateway Security on a Dedicated Computer

To install CA Gateway Security on a computer other than your mail server and receive email on your CA Gateway Security computer, follow these steps:

1. Start the CA Gateway Security installation on a dedicated computer that forwards email to the mail server computer.

During the installation, the Mail Relay Settings dialog appears.

2. Define relay settings as described in Domain Route List (see page 20).

3. Change the DNS name for your host so that email for your domains is sent to your CA Gateway Security computer. For example, if your domain name is company.com and your mail server name is mail.company.com, your existing DNS entry is probably as follows:

company.com. IN MX mail.company.com

4. Add an A-record for your CA Gateway Security computer that defines the IP address of the computer on which CA Gateway Security is installed. For example:

CA Gateway Security.company.com. IN A 10.1.1.5

5. Change the MX record for your domain from using mail.company.com to use CA Gateway Security.company.com. For example:

company.com. IN MX CA Gateway Security.company.com

Forward Email in Exchange 5.5

When CA Gateway Security is installed on a computer other than your mail server, you must forward outgoing email to CA Gateway Security. To configure Exchange 5.5 to forward outgoing email to CA Gateway Security, follow these steps:

1. On the Microsoft Exchange Server, run Microsoft Exchange Administrator.

2. Select Configuration, Connections, Internet Mail Service.

The Internet Mail Service (STREAM) Properties dialog appears.

3. Click the Connections tab.

4. Under Message Delivery, select Forward all messages to host and enter the IP address of your CA Gateway Security server. For example, enter 10.10.10.1.

5. Click OK.

6. From the Services Manager in the Control Panel, stop and start the Microsoft Exchange Internet Mail Service.

Forward Email in Exchange 2000

When CA Gateway Security is installed on a computer other than your mail server, you must forward outgoing email to CA Gateway Security. To configure Exchange 2000 to forward outgoing email to CA Gateway Security, follow these steps:

1. Open the Exchange System Manager.

2. Select Servers, Server Name, Protocols, SMTP.

3. Right-click Virtual Server and choose Properties.

The Default SMTP Virtual Server Properties dialog appears.

4. Click the Delivery tab and click the Advanced button.

The Advanced Delivery dialog appears.

5. In the Smart Host field, enter the IP address of the CA Gateway Security server in brackets (for example, [10.10.10.1]).

6. Uncheck the Attempt direct delivery before sending to smart host checkbox.

7. Click OK on both dialogs.

Set Connectors in Exchange

If your site uses SMTP Exchange connectors, you must configure the connectors to forward email to the CA Gateway Security server. To do this, follow these steps:

1. Open the Exchange System Manager and select Connectors, SMTP Connector.

The CA Gateway Security Properties dialog appears.

2. On the General tab, select Forward all mail through this connector to the following smart hosts.

3. Enter, within brackets, the IP address of the CA Gateway Security server (for example: [10.10.10.1]), and click OK.

Forward Email in Lotus Domino

When CA Gateway Security is installed on a computer other than your mail server, you must forward outgoing email to CA Gateway Security. To configure Lotus Domino r6 to forward outgoing email to CA Gateway Security, follow these steps:

1. Open the Notes Administrator.

2. Click the Configuration tab.

3. Select Messaging, Messaging Settings, Message settings, Basis.

4. Specify the IP address of the CA Gateway Security machine in Relay Host for messages leaving the local internet domain.

Note: The next two steps cause the changes to take effect by stopping and restarting the Domino SMTP service. Instead of performing the next two steps to restart, you can use a remote session from the Domino Administrator.

5. From the Domino server console, enter:

Tell SMTP quit

6. When the SMTP service stops, enter:

load SMTP

7. To check the SMTP listening port enter:

sh tasks

Mail Server Installation

Most mail servers can be configured to run with CA Gateway Security SMTP on the same computer. However, CA recommends that you install CA Gateway Security and your mail server on different computers. If that is not possible, try at least to separate the CA Gateway Security HTTP/FTP engine, the CA Gateway Security quarantine server, and the report server for installation on a different computer by using the CA Gateway Security distributed management capabilities.

Running CA Gateway Security and your mail server on the same computer can be an easy way to start if you have enough capacity on your mail server. This configuration requires only one computer and does not require that you modify your MX information. In an SMB environment, this configuration can work well. However, you do need to change the port number that the mail server listens on.

How to Configure CA Gateway Security on Your Email Server

By default, CA Gateway Security uses the same port for SMTP email as Microsoft Exchange and Lotus Domino. To configure CA Gateway Security to run on the same computer as Microsoft Exchange or Lotus Domino, perform the following steps for your specific mail server:

For Exchange 5.5

1. Forward outgoing email in Exchange 5.5 to CA Gateway Security.

2. Change the port number in the Exchange 5.5 services file.

3. Set connectors in Exchange to forward all email to CA Gateway Security.

4. Install CA Gateway Security to forward email to the Exchange computer.

For Exchange 2000

1. Change the port number in Exchange 2000.

2. Forward outgoing email in Exchange 2000 to CA Gateway Security.

3. Set connectors in Exchange to forward all email to CA Gateway Security.

4. Install CA Gateway Security to forward email to the Exchange computer.

For Domino 6.x

1. Change the port number in Lotus Domino.

2. Forward outgoing email in Lotus Domino to CA Gateway Security.

3. Install CA Gateway Security to forward email to the Exchange/Domino computer.

Forward Email in Exchange 5.5

To configure Exchange 5.5 to forward outgoing emails to CA Gateway Security when it is on the same server as Exchange, follow these steps:

1. On the Microsoft Exchange Server, run Microsoft Exchange Administrator.

2. Select Configuration, Connections, Internet Mail Service.

The Internet Mail Service (STREAM) Properties dialog appears.

3. Click the Connections tab.

4. Under Message Delivery, select Forward all messages to host and enter the fully-qualified domain name of the local host or an IP address (do not use 127.0.0.1).

5. Click OK.

6. From the Services Manager in the Control Panel, stop and start the Microsoft Exchange Internet Mail Service.

Change the Port in the Exchange 5.5 Services File

This procedure changes the default port that Exchange 5.5 uses to listen for inbound SMTP email. You change the port number in the Windows NT services file.

To edit the services file and change the default port, follow these steps:

1. With a text editor (such as notepad) open this file: Winnt\system32\drivers\etc\services

2. Locate the following line:

smtp 25/tcp mail

3. Change the port number. For example:

smtp 2525/tcp mail

Note: Be sure that the port number you choose does not conflict with another service on the same computer.

4. Save the services file.

5. From the Services Control Panel, stop and start the Microsoft Exchange Internet Mail Service.
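An added example (not part of the CA guide): a Node.js check for the services-file edit described above, confirming that smtp has moved off port 25 and that the new port is not already assigned to another service name in the same file. The sample file content and the altsvc entry are constructed; the check reads only the services file and does not see ports that running programs have opened.

```javascript
// Constructed sample of a services file after the edit (not from a real host).
const SAMPLE_SERVICES = [
  "# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]",
  "ftp        21/tcp",
  "telnet     23/tcp",
  "smtp       2525/tcp   mail        # moved off 25 so the gateway can listen there",
  "domain     53/udp",
  "pop3       110/tcp    postoffice",
  "altsvc     2525/tcp               # constructed entry that collides with smtp",
].join("\r\n");

// Parse "name port/proto [aliases] [# comment]" lines; skip blanks and comments.
function parseServices(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) return;
    const m = /^(\S+)\s+(\d+)\/(\w+)(?:\s+(.*))?$/.exec(line);
    if (!m) return;
    entries.push({
      name: m[1].toLowerCase(),
      port: Number(m[2]),
      proto: m[3].toLowerCase(),
      aliases: m[4] ? m[4].split(/\s+/) : [],
      line: idx + 1,
    });
  });
  return entries;
}

// gatewayPort is the port CA Gateway Security keeps for itself (25 by default).
function checkSmtpMove(text, gatewayPort = 25) {
  const entries = parseServices(text);
  const findings = [];
  const smtp = entries.filter((e) => e.name === "smtp" && e.proto === "tcp");

  if (smtp.length === 0) findings.push("no smtp/tcp entry found");
  if (smtp.length > 1) findings.push("more than one smtp/tcp entry");

  for (const s of smtp) {
    if (s.port === gatewayPort) {
      findings.push(`smtp is still on port ${gatewayPort}/tcp, which the gateway listens on`);
    }
    if (s.port < 1 || s.port > 65535) {
      findings.push(`smtp port ${s.port} is outside 1-65535`);
    }
    for (const other of entries) {
      if (other !== s && other.proto === "tcp" && other.port === s.port) {
        findings.push(`port ${s.port}/tcp is also assigned to "${other.name}" (line ${other.line})`);
      }
    }
  }
  return { smtpPort: smtp.length === 1 ? smtp[0].port : null, findings };
}

console.log(checkSmtpMove(SAMPLE_SERVICES));
```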

Change the Port in Exchange 2000

When CA Gateway Security is on the same computer as your mail server, you must change the default port that Exchange 2000 listens to. To change the default port number, follow these steps:

1. Open the Exchange System Manager.

2. Select Servers, Server Name, Protocols, SMTP.

3. Right-click Virtual Server and choose Properties.

4. Click the General tab and click the Advanced button.

The Advanced dialog appears.

5. Click Edit and change the TCP port to any available port on the local computer except port 25.

6. Click OK on both dialogs.

Forward Email in Exchange 2000

When CA Gateway Security is on the same computer as your mail server, you must forward outgoing email to CA Gateway Security in Exchange 2000.

To forward outgoing email, follow these steps:

1. Open the Exchange System Manager.

2. Select Servers, Server Name, Protocols, SMTP.

3. Right-click Virtual Server and choose Properties.

4. Click the Delivery tab and click the Advanced button.

The Advanced Delivery dialog appears.

5. In the Smart Host field, enter the fully-qualified domain name of the local host or a unique IP address in brackets (do not use [127.0.0.1]).

6. Clear this option: Attempt direct delivery before sending to smart host.

7. Click OK on both dialogs.

Set Connectors in Exchange

If your site uses SMTP Exchange connectors, you must configure the connectors to forward all email to the CA Gateway Security server. To do this, follow these steps:

1. Open the Exchange System Manager and select Connectors, SMTP Connector.

The CA Gateway Security Properties dialog appears.

2. On the General tab, select Forward all mail through this connector to the following smart hosts.

3. Enter, within brackets, the fully-qualified domain name of the local host or a unique IP address. Do not use [127.0.0.1].

Change the Port in Lotus Domino

When CA Gateway Security is on the same computer as your mail server, you must change the default port that Lotus Domino listens to. To change the default port number, follow these steps:

1. Open the Domino Server Administrator.

2. Select a Domino server.

3. Click the Configuration tab.

4. Select Server, Current Server Document.

5. Click the Ports tab, the Internet Ports tab, and the Mail tab.

6. Change the Mail SMTP Inbound port to 2525.

Note: The next two steps cause the changes to take effect by stopping and restarting the Domino SMTP service. Instead of performing the next two steps to restart, you can use a remote session from the Domino Administrator.

7. From the Domino server console, enter:

Tell SMTP quit

8. When the SMTP service stops, enter:

load SMTP

9. To check the SMTP listening port enter:

sh tasks or Telnet <IP ADDRESS> 2525

Forward Email in Lotus Domino

When you install CA Gateway Security on the same computer as your mail server, you must forward outgoing email to CA Gateway Security in Lotus Domino. To forward outgoing email, follow these steps:

1. Open the Notes Administrator.

2. Click the Configuration tab.

3. Select Messaging, Messaging Settings, Message settings, Basis.

4. Specify the IP address of the CA Gateway Security machine, in Relay Host for messages leaving the local internet domain.

Note: The next two steps cause the changes to take effect by stopping and restarting the Domino SMTP service. Instead of performing the next two steps to restart, you can use a remote session from the Domino Administrator.

5. From the Domino server console, enter:

Tell SMTP quit

6. When the SMTP service stops, enter:

load SMTP

7. To check the SMTP listening port enter:

sh tasks

Install CA Gateway Security to Forward Email

You must install CA Gateway Security to forward email to your Exchange or Domino computer:

1. Start the CA Gateway Security installation on the same computer on which your mail server is running.

During the installation, the Mail Relay Settings dialog appears.

2. Configure the mail relay settings as explained in Domain Route List (see page 20). The Mail Server address is the physical machine’s address, but you should specify the new port you have defined for your mail server. (CA Gateway Security uses port 25.)

3. Enter the physical IP address and the port number of your mail server. You can use any port number except 25, which is the default SMTP port.

4. Finish the installation wizard.

Browser Proxy Configuration

To enable CA Gateway Security proxy web filtering, you must run the client browser through a CA Gateway Security HTTP/FTP proxy server. You can take one of the following approaches to configuring and distributing client browser configurations to match updated proxy configurations in your network environment.

You can configure web browsers to use a web cache in the following ways:

Manual Configuration

With manual configuration, each browser is configured to route Internet traffic through the proxy. The proxy hostname, IP address, and port settings are entered explicitly for each protocol, with any exclusion for sites that can always be accessed directly.

This option is available with all but the very early browsers that predated web proxy use and cache servers.

Proxy Automatic Configuration Script

With automatic proxy configuration, you can control browser settings on client computers from one central location. You can configure a single URL that identifies a configuration script that tells the browser which proxy to use for each request; the choice can potentially vary by request URL. The browser executes the auto-configuration script file whenever a network request is made. Within the script, you can configure multiple proxy servers for each protocol type; if a proxy server connection fails, the browser automatically attempts to connect to another proxy server that you have specified.

This functionality requires browser JavaScript support; very early web browser versions may not support it.

Automatic Proxy Detection

The automatic detection feature enables automatic configuration and automatic proxy when a user connects to a network for the first time. With automatic detection turned on, the browser is automatically configured when it is started, even if you did not customize the browser. Automatic detection of browser settings is based on Web Proxy Auto-Discovery protocol (WPAD) and is supported by both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS).

Configure Browsers for Manual Proxies

You can configure CA Gateway Security proxy server and proxy bypass settings for either Internet Explorer or Netscape.

To specify proxy server and bypass settings for Internet Explorer 5.0 or 6.0

1. From the Internet Explorer menu bar, select Tools, Internet Options.

The Internet Options dialog appears.

2. Click the Connections tab, and then click LAN Settings.

The LAN Settings dialog appears.

3. In the Proxy server area, select Use a proxy server.

4. Type the proxy IP address and port number for your proxy server.

5. Click OK and then click OK again.

To specify proxy server and proxy bypass settings for Netscape 7.0

1. Open Netscape.

2. Select Edit and then click Preferences.

The Navigator Preferences dialog appears.

3. Double click Advanced (at the bottom of the choice list at far left), and then select Proxies.

The Proxies dialog appears.

4. Select Manual Proxy Configuration and type the proxy IP Address and port number for each protocol (HTTP, FTP, SSL).

Configure Your Browser for Proxy Automatic Configuration (PAC)

The Proxy Automatic Configuration (PAC) method enables web clients to use automatic configuration script settings with Netscape and Internet Explorer browsers. Automatic proxy configuration support provides a form of transparency so that clients can configure a browser to point to a proxy automatic configuration (PAC) file rather than to a specific proxy server. As a result, the system administrator can modify the configuration with little impact to clients, who update their automatic configuration files and are automatically directed to the new configuration.

Server administrators can use this capability to reroute requests when servers are down, to balance workload, to send requests for specific URLs to specific proxies, or other reasons specific to their installation. Note that new PAC files are reloaded only when a browser is restarted.

PAC is a browser function that enables dynamic server selection. The PAC file is a JavaScript file that includes functions that the client browser calls before retrieving a URL. The functions return values indicating whether a proxy server, SOCKS server, or a direct connection is used to service the request. The file can also redirect the request if the initial connection to be used is down. When a client's browser is set to auto-proxy, it calls the JavaScript PAC file each time a URL is requested by the user.

The Proxy Auto-Configuration page lets you create a PAC file that contains some basic functions.

To configure your browser using PAC options, follow these steps:

1. Create a standard PAC file using WordPad.

2. Implement the JavaScript function FindProxyForURL(url, host). You can use the PAC files in the examples provided below. For more information about PAC file format, visit http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html.

3. Store the file in the document root directory of your web server under a meaningful name (for example, myfile.pac).

4. Confirm that a URL such as http://www.mywebsrv.com/myfile.pac displays the script text in the browser window.

5. Configure your client browser.

When using Internet Explorer 5.0 or 6.0, follow these steps:

1. Select Tools, Internet Options.

The Internet Options dialog appears.

2. Click the Connections tab, and then click LAN Settings.

The LAN Settings dialog appears.

3. In the Automatic configuration area, select the Use automatic configuration script checkbox and type your proxy auto-configuration file URL.

When using Netscape 7.0, follow these steps:

1. Select Edit and then click Preferences.

The Preferences dialog appears.

2. Double click the Advanced item and then select Proxies.

The Proxies dialog appears.

3. Select Automatic proxy configuration URL and type your proxy auto-configuration file URL.

Note: You can use the CA Gateway Security proxy engine directory instead of the web server.

When using the CA Gateway Security proxy engine directory, be sure to do the following:

■ Store the configuration file in the engine directory of the CA Gateway Security HTTP proxy (for example, C:\Program Files\CA\Common\ScanGateway) under the name proxy.pac.

■ Configure your browser with the auto-configuration URL http://<CA Gateway Security HTTP proxy IP>:<CA Gateway Security HTTP proxy port>/proxy.pac.

PAC Files Examples

    // All clients through one proxy server for http/ftp requests:
    function FindProxyForURL(url, host) {
        // Go through the CA Gateway Security proxy.
        // A proxy return value starts with the PROXY keyword: "PROXY host:port".
        if (url.substring(0, 5) == "http:" ||
            url.substring(0, 4) == "ftp:" ||
            url.substring(0, 6) == "https:")
            return "PROXY <CA Gateway Security HTTP/FTP proxy IP>:<proxy port>";

        // Otherwise, go directly to the origin server
        return "DIRECT";
    }

    // Some clients through one proxy server for http/ftp requests:
    function FindProxyForURL(url, host) {
        // Make 130.119.*.* stations go through the CA Gateway Security proxy
        if ((url.substring(0, 5) == "http:" ||
             url.substring(0, 4) == "ftp:" ||
             url.substring(0, 6) == "https:") &&
            isInNet(myIpAddress(), "130.119.0.0", "255.255.0.0"))
            return "PROXY <CA Gateway Security HTTP/FTP proxy IP>:<proxy port>";

        // Otherwise, go through another proxy
        return "PROXY euproxy.ca.com:80; DIRECT";
    }
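An added example, not from the CA guide: a small Node.js harness for exercising a PAC file before you publish it, with stand-ins for the browser helpers isInNet() and myIpAddress(). It runs FindProxyForURL for chosen client addresses and URLs and checks that every result is DIRECT or PROXY/SOCKS followed by host:port; the proxy address 192.0.2.10:8080, the client addresses and the harness function names are assumptions made for the example.

```javascript
// Constructed PAC text modelled on the second example on this page.
// 192.0.2.10:8080 is a documentation-range placeholder for the gateway proxy.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if ((url.substring(0, 5) == "http:" || url.substring(0, 4) == "ftp:" ||
       url.substring(0, 6) == "https:") &&
      isInNet(myIpAddress(), "130.119.0.0", "255.255.0.0"))
    return "PROXY 192.0.2.10:8080";
  return "PROXY euproxy.ca.com:80; DIRECT";
}`;

// Dotted-quad IPv4 address to an unsigned 32-bit number.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

// Stand-in for the browser's isInNet() helper (IP-address input only).
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Evaluate the PAC text for one client address and one URL.
// Only feed this PAC files you maintain: the script text is executed.
function runPac(pacSource, clientIp, url) {
  const factory = new Function(
    "isInNet", "myIpAddress",
    pacSource + "\nreturn FindProxyForURL;"
  );
  const findProxy = factory(isInNet, () => clientIp);
  return findProxy(url, new URL(url).hostname);
}

// One entry of a PAC result: DIRECT, or PROXY/SOCKS followed by host:port.
const PAC_ENTRY = /^(?:DIRECT|(?:PROXY|SOCKS)\s+[A-Za-z0-9.-]+:\d{1,5})$/;

function checkPacResult(result) {
  const entries = String(result).split(";").map((s) => s.trim()).filter(Boolean);
  const invalid = entries.filter((e) => !PAC_ENTRY.test(e));
  return { entries, invalid, ok: entries.length > 0 && invalid.length === 0 };
}

// Run a table of (client, URL, expected result) cases and collect mismatches.
function auditPac(pacSource, cases) {
  const problems = [];
  for (const c of cases) {
    const got = runPac(pacSource, c.clientIp, c.url);
    if (!checkPacResult(got).ok) {
      problems.push(`${c.url}: malformed result "${got}"`);
    }
    if (got !== c.expect) {
      problems.push(`${c.clientIp} ${c.url}: got "${got}", expected "${c.expect}"`);
    }
  }
  return problems;
}

// Constructed test cases: two clients inside 130.119.0.0/16, one outside.
const CASES = [
  { clientIp: "130.119.5.9", url: "http://www.example.com/", expect: "PROXY 192.0.2.10:8080" },
  { clientIp: "130.119.5.9", url: "ftp://files.example.com/pub/", expect: "PROXY 192.0.2.10:8080" },
  { clientIp: "10.1.1.7", url: "https://www.example.com/", expect: "PROXY euproxy.ca.com:80; DIRECT" },
];

console.log(auditPac(SAMPLE_PAC, CASES));
```

A result that is only host:port, with no PROXY or SOCKS keyword, is reported as malformed.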

Configure Your Browser for Web Proxy Automatic Discovery (WPAD)

Web Proxy Auto-Discovery (WPAD) enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname wpad to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname, or reaches the third-level domain.

For example, web clients in the domain a.b.mydomain.com would query wpad.a.b.mydomain.com, wpad.b.mydomain.com, and then wpad.mydomain.com.
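The search order above as an added example (not from the CA guide): it lists the names a client in a given domain will try, then checks constructed DNS data to show which name answers first and whether it points at the host meant to serve wpad.dat. The record set, the address 10.1.1.99 and the function names are assumptions; 10.1.1.5 stands in for the approved web server.

```javascript
// Candidate names per the search described above: put "wpad" in front of the
// client's DNS domain, then drop the leftmost label each round, stopping once
// the candidate is a third-level name (wpad plus two labels).
function wpadCandidates(clientDomain) {
  const labels = clientDomain.toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
  const names = [];
  for (let i = 0; labels.length - i >= 2; i++) {
    names.push(["wpad", ...labels.slice(i)].join("."));
  }
  return names;
}

// Classify every candidate against the zone you control and the host that is
// supposed to serve wpad.dat. `records` stands in for DNS lookups
// (name -> list of addresses) so the check runs offline.
function auditWpad(clientDomain, orgDomain, records, approvedIps) {
  const org = orgDomain.toLowerCase().replace(/\.$/, "");
  const rows = wpadCandidates(clientDomain).map((name) => {
    const answers = records[name] || [];
    let status;
    if (!name.endsWith("." + org)) {
      status = "outside-zone";      // name is not under the organisation's domain
    } else if (answers.length === 0) {
      status = "no-answer";
    } else if (answers.every((ip) => approvedIps.includes(ip))) {
      status = "approved";
    } else {
      status = "unexpected-host";   // answers, but not with the approved address
    }
    return { name, answers, status };
  });

  // Browsers stop at the first candidate that answers, so this row decides
  // which wpad.dat the clients in clientDomain actually load.
  const firstAnswer = rows.find((r) => r.answers.length > 0) || null;
  const findings = rows.filter(
    (r) => r.status === "unexpected-host" || r.status === "outside-zone"
  );
  const ok = firstAnswer !== null && firstAnswer.status === "approved" && findings.length === 0;
  return { rows, firstAnswer, findings, ok };
}

// Constructed DNS data: the intended record plus a more specific one that
// points somewhere else and therefore wins for clients in a.b.mydomain.com.
const SAMPLE_RECORDS = {
  "wpad.b.mydomain.com": ["10.1.1.99"],
  "wpad.mydomain.com": ["10.1.1.5"],
};

const report = auditWpad("a.b.mydomain.com", "mydomain.com", SAMPLE_RECORDS, ["10.1.1.5"]);
for (const row of report.rows) {
  console.log(row.name, row.answers.join(",") || "-", row.status);
}
```

Run the audit for each client domain in use: names reported as outside-zone are ones your DNS administrators do not control, and an unexpected-host row ahead of the approved one means clients load a different wpad.dat than intended.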

To configure your browser for WPAD, follow these steps:

1. Create a standard PAC file.

2. Store the file in the document root directory of your web server as wpad.dat. You should be able to use an HTTP redirect if you want to store the wpad.dat file in another location.

3. Ensure that a URL address such as http://www.mydomain.name/wpad.dat displays the script text in your browser window.

4. Create, install, or implement a DNS record so that wpad.mydomain.name resolves to the host above where you have a functioning auto configuration script running. You can use a Hosts file at your computer to create mapping, for example, wpad.mydomain.name <IP-address your web-server>.

5. Open Internet Explorer and select Tools, Internet Options.

The Internet Options dialog appears.

6. Click the Connections tab, and then click LAN Settings.

The LAN Settings dialog appears.

7. To test your WPAD settings in the Automatic configuration area, select the Use automatic configuration script check box and type your WPAD URL, for example, http://www.mydomain.name/wpad.dat.Verify all working properly.

8. In the Automatic configuration area of the Local Area Network (LAN) Settings dialog, uncheck the Use automatic configuration script check box and confirm that the Automatically detect settings check box is the only box checked.

Note: To force proxy configuration settings for individual client browsers, the administrator can push the browser settings in the login script. To distribute registry modifications across the network, you can use one of three methods: imported registration (.reg) files, regini.exe, or group or system policies. In the registration method, you determine the proper registry key for your version of IE, export the settings to a .REG file, and then use REGEDIT in the login script to push the settings to the PC.

For example, create a setprx.reg file that contains the following:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="http://www.mywebsrv.com/wpad.dat"
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001


Chapter 5: Implementation Modes

CA Gateway Security is installed with real-time network alerts and email recipient notification enabled. These settings provide you with the information you need to learn about content threats identified by CA Gateway Security. As you become more familiar with CA Gateway Security, you need to migrate your implementation from Alert, to Notification, and then to User Self-Management mode. You control the modes by modifying the default rules, creating new rules, and by specifying actions in these rules.

The CA Gateway Security Administrator Guide provides procedures on how to work with rules. As you get started, you should understand the following modes and the process of increasing the security level.

Phase 1 - Alert Mode

In Alert mode, CA Gateway Security identifies spam and allows it to be delivered to the user. An alert is displayed on the Manager Console so that you can analyze the possible content threat. It does not block the content.

The network content alerts are displayed in real time. You can analyze network activities such as spam email rates, detected viruses, and statistical counters. Use this mode to learn about your enterprise network activities without blocking content.

Note: Because the RBL and Spam Filter engines are not run under a restrictive mode, you may encounter some false-negative alerts.

For websites, CA Gateway Security displays an alert on the Manager Console when a user tries to access a URL that triggers one of the content rules. By monitoring the alerts, you can decide which URLs to block.

Phase 2 - Notification Mode

In Notification mode, CA Gateway Security identifies the spam, and automatically notifies email users about spam detection. The Disclaimer action positions a custom message in the top of the email, at the bottom of the email, or as a new email with the original email "wrapped" as an attachment. You can also use the text areas to specify a disclaimer message to display as either plain text or as HTML.

Notification mode lets you receive feedback from email users and tune the allow list, deny list, RBL provider list, weights, and Advanced Spam Filter accordingly. Notifying email users about content detection lets them know that CA Gateway Security is filtering their email.

Notification mode does not apply to websites.

Phase 3 - User Self Management Mode

In User Self Management mode, email recipients have control over quarantined emails instead of the administrator alone. In this mode, the Centralized Quarantine Manager controls emails suspected of being spam. At a configured time, or when the number of quarantined items for an email recipient exceeds a threshold value, the Centralized Quarantine Manager sends an email report back to the original email recipient. Depending on the administrator's preference, the email user can access quarantined email through a web interface or manage the quarantined email directly from within the self managed notification message.

If you decide to allow users to manage quarantined email using the web interface (recommended), they can review email, including the entire content and attachment, before deciding whether to release the email or delete it. Users can also manage their allow and deny lists and configure personal quarantine notification parameters.

For self managed reports, users can configure certain settings (for example, release, delete, leave, and not spam for RBL quarantine) or refine their private allow lists and submit the settings. The only limitation is that they cannot review the messages. This basic email report format consists of a sender address, subject, reason for quarantine, and expiration date, all followed by a CA Gateway Security action.

When the not spam setting is chosen, the email user's private allow list, which is stored in the Centralized Quarantine Manager, is updated. This ensures that future email from the same sender is not detected as spam by the RBL engine. The not spam setting also instructs the Centralized Quarantine Manager to release the message to the email user.

Note: CA recommends notifying email end users before operating CA Gateway Security in either of the two self management modes. CA recommends that you tune the advanced spam filter and RBL thresholds in this mode so the engine becomes more responsive in detecting spam.

User Self Management mode does not apply to websites.

Phase 4 - Blocking Mode

After CA Gateway Security has been operating in user self management mode and all email users have had an opportunity to refine and personalize their private allow lists, you can consider configuring CA Gateway Security to block spam emails. This capability is useful if you prefer that end users not control the release of spam emails. You do this by specifying a block action in the rule. However, if the spam filters are not properly tuned, CA Gateway Security may block valid emails.

Similarly, a block action for a URL displays a notification that the website has been blocked and prevents the user from accessing the site.


Chapter 6: Troubleshooting

The topics in this section provide procedures to resolve issues when installing and configuring CA Gateway Security.

Correct an Incomplete DNS Configuration

Issues can arise with TCP/IP computer name configuration. For example, emails can bounce back with an error message indicating an invalid host or CA Gateway Security may be unable to connect to your DNS and SMTP servers even though you have verified that the servers are up and running.

An incomplete DNS configuration is usually the cause. For CA Gateway Security to relay emails using MX, the TCP/IP host name on your computer must exist on your DNS server. Also, the TCP/IP addresses that your computer uses must themselves have names. This means that you need both forward and reverse DNS lookups installed on your system.

To correct an incomplete DNS configuration, follow these steps:

1. Check the host name/domain name that is set in your TCP/IP configuration. Verify that you can ping this full name, both from your computer and from another computer. You must have a DNS entry for your computer on your DNS server.

2. If you have multiple TCP/IP addresses, make sure that the first TCP/IP address on your system has a DNS name entry.

Using the program nslookup.exe (nslookup on UNIX computers), check if the DNS entries are set up correctly. For example, if your computer is named mail.company.com, enter the following:

nslookup mail.company.com

The nslookup should respond as follows:

Server:  imdns.company.com   (This is your DNS server name.)
Address: 194.90.1.5          (This is your DNS server address.)
Name:    mail.company.com    (This is your host name.)
Address: 194.90.18.5         (This is your TCP/IP address.)

If your DNS is not set up correctly, nslookup may respond as follows:

*** imdns.company.com can't find mail.company.com: Non-existent host/domain

or nslookup may respond as follows:

Server:  imdns.company.com
Address: 194.90.1.5
DNS request timed out.
timeout was 2 seconds.
*** Request to imdns.company.com timed-out

3. If the DNS problem still occurs and you did not receive an error message, invoke a reverse lookup action by entering the TCP/IP address of your computer. For example, if the TCP/IP address of your computer is 194.90.18.5, enter the following:

nslookup 194.90.18.5

If your DNS is not set up correctly, reverse lookup may respond as follows:

*** imdns.company.com can't find 194.90.18.5: Non-existent host/domain

or nslookup may respond as follows:

Server:  imdns.company.com
Address: 194.90.1.5
DNS request timed out.
timeout was 2 seconds.
*** Request to imdns.company.com timed-out

4. If you have a DNS problem, contact the system administrator or the ISP responsible for your DNS.
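The checks in this procedure can be scripted once the nslookup output has been saved. The following is an added example, not part of the CA guide: it classifies nslookup.exe output in the layout shown above (success, non-existent host, time-out) and confirms that the forward and reverse lookups agree. The sample outputs are constructed from the lines in this section, and the function names are this example's own.

```javascript
// Constructed samples, using the names and addresses from the text.
const FORWARD_OK = `Server:  imdns.company.com
Address:  194.90.1.5

Name:    mail.company.com
Address:  194.90.18.5
`;
const REVERSE_NOT_FOUND = `Server:  imdns.company.com
Address:  194.90.1.5

*** imdns.company.com can't find 194.90.18.5: Non-existent host/domain
`;
const TIMED_OUT = `Server:  imdns.company.com
Address:  194.90.1.5

DNS request timed out.
    timeout was 2 seconds.
*** Request to imdns.company.com timed-out
`;

// Classify one nslookup run. The first Server/Address pair describes the DNS
// server; the Name/Address lines that follow are the answer.
function parseNslookup(output) {
  const r = { status: "unknown", server: null, serverAddress: null,
              name: null, addresses: [], detail: null };
  let section = "server";
  for (const raw of output.split(/\r?\n/)) {
    const line = raw.trim();
    let m;
    if (!line) continue;
    if ((m = /^Server:\s*(\S+)/i.exec(line))) {
      r.server = m[1];
    } else if ((m = /^Name:\s*(\S+)/i.exec(line))) {
      r.name = m[1].replace(/\.$/, "");
      section = "answer";
    } else if ((m = /^Address(?:es)?:\s*(\S+)/i.exec(line))) {
      if (section === "server") r.serverAddress = m[1];
      else r.addresses.push(m[1]);
    } else if (section === "answer" && /^[0-9a-f.:]+$/i.test(line)) {
      r.addresses.push(line); // continuation line of a multi-address answer
    } else if (r.status === "unknown" && /timed[ -]out/i.test(line)) {
      r.status = "timeout";
      r.detail = line;
    } else if (r.status === "unknown" &&
               (m = /can't find (\S+): (.+)$/i.exec(line))) {
      r.status = "not_found";
      r.detail = m[2];
    }
  }
  if (r.status === "unknown" && r.name && r.addresses.length > 0) r.status = "ok";
  return r;
}

// Both lookups must succeed, the reverse lookup must name the host, and its
// address must be one the forward lookup returned.
function checkForwardReverse(hostName, forwardOutput, reverseOutput) {
  const forward = parseNslookup(forwardOutput);
  const reverse = parseNslookup(reverseOutput);
  const problems = [];
  if (forward.status !== "ok") problems.push(`forward lookup: ${forward.status}`);
  if (reverse.status !== "ok") problems.push(`reverse lookup: ${reverse.status}`);
  if (forward.status === "ok" && reverse.status === "ok") {
    if (reverse.name.toLowerCase() !== hostName.toLowerCase()) {
      problems.push(`reverse lookup names ${reverse.name}, expected ${hostName}`);
    }
    if (!reverse.addresses.some(a => forward.addresses.includes(a))) {
      problems.push("reverse lookup address is not one the forward lookup returned");
    }
  }
  return { ok: problems.length === 0, problems, forward, reverse };
}

console.log(checkForwardReverse("mail.company.com", FORWARD_OK, FORWARD_OK).ok);
console.log(checkForwardReverse("mail.company.com", FORWARD_OK, REVERSE_NOT_FOUND).problems);
```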

Prevent Loop-back Problems

A loop-back situation can occur when CA Gateway Security resolves an IP address through MX lookup. This can occur when network address translation (NAT) points back to the same CA Gateway Security computer or when MX lookup produces an address that points back to the same or another CA Gateway Security for SMTP computer.

Here are some possible scenarios:

■ CA Gateway Security is installed at IP address 10.0.0.2 and SomeDomain.com has only one MX record. This record, Mail.SomeDomain.com, has an A record that points to 1.2.3.4. The firewall translates 1.2.3.4 back to 10.0.0.2, which is the CA Gateway Security computer address.

■ CA Gateway Security is installed at IP address 10.0.0.0 and is listening on port 25. It tries to deliver a message, but the mail server rejects the message. This can happen for two reasons: The CA Gateway Security that is running on 10.0.0.0 performs an MX lookup that produces an IP address of 10.0.0.0, or it produces an address for a remote CA Gateway Security SMTP computer (10.0.0.1, port 25) that eventually causes a loopback.

To prevent loop-back problems, follow these steps:

1. Open the Manager Console on the Control Center.

2. Select Filtering, Settings, Enterprise Settings, Loop-back Settings, General.

The Loop-back Prevention pane appears.

3. Click Add.

A Server Properties dialog appears.

4. Enter the IP address and corresponding port of a CA Gateway Security computer to use as the SMTP computer.

5. Repeat the previous step, adding all local and remote CA Gateway Security computers to use as SMTP computers. You can also enter NAT devices that point to CA Gateway Security computers.

For the examples above, add the following:

1.2.3.4, Port 25
10.0.0.0, Port 25
10.0.0.1, Port 25
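The entries for the Loop-back Prevention list can be derived from an inventory of MX records, A records and NAT mappings. This is an added example, not part of the CA guide or the product: the data is constructed from the two scenarios above, and the domains branch.example and partner.example, the address 198.51.100.20 and all function names are assumptions of the example.

```javascript
// Constructed inventory modelled on the scenarios in the text.
const SAMPLE_ENV = {
  // CA Gateway Security SMTP computers (local and remote).
  gateways: [
    { ip: "10.0.0.2", port: 25 },
    { ip: "10.0.0.0", port: 25 },
    { ip: "10.0.0.1", port: 25 },
  ],
  // Firewall NAT: public address -> internal address.
  nat: { "1.2.3.4": "10.0.0.2" },
  // MX records: domain -> mail exchanger host names.
  mx: {
    "somedomain.com": ["mail.somedomain.com"],
    "branch.example": ["mx1.branch.example", "mx2.branch.example"],
    "partner.example": ["mail.partner.example"],
  },
  // A records: host name -> addresses.
  a: {
    "mail.somedomain.com": ["1.2.3.4"],
    "mx1.branch.example": ["10.0.0.0"],
    "mx2.branch.example": ["10.0.0.1"],
    "mail.partner.example": ["198.51.100.20"],
  },
};

// Return the MX targets for a domain that end up at a gateway, either
// directly or after NAT translation.
function loopbackTargets(env, domain, port = 25) {
  const gatewayKeys = new Set(env.gateways.map(g => `${g.ip}:${g.port}`));
  const hits = [];
  for (const mxHost of env.mx[domain.toLowerCase()] || []) {
    for (const ip of env.a[mxHost.toLowerCase()] || []) {
      const translated = env.nat[ip] || ip;
      if (gatewayKeys.has(`${translated}:${port}`)) {
        hits.push({
          domain, mxHost, ip, port,
          via: translated === ip ? "direct" : `NAT to ${translated}`,
        });
      }
    }
  }
  return hits;
}

// Collect the distinct "address, Port n" entries to add to the list.
function loopbackPreventionEntries(env) {
  const entries = new Set();
  for (const domain of Object.keys(env.mx)) {
    for (const hit of loopbackTargets(env, domain)) {
      entries.add(`${hit.ip}, Port ${hit.port}`);
    }
  }
  return [...entries].sort();
}

for (const domain of Object.keys(SAMPLE_ENV.mx)) {
  for (const hit of loopbackTargets(SAMPLE_ENV, domain)) {
    console.log(`${hit.domain}: ${hit.mxHost} -> ${hit.ip}:${hit.port} (${hit.via})`);
  }
}
console.log(loopbackPreventionEntries(SAMPLE_ENV));
```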

Manager Console or Quarantine Manager Terminates Suddenly

If the Manager Console or Quarantine Manager terminates suddenly, the product is probably not licensed. Look for an entry in the Manager Console or Quarantine Manager log that specifies that the CA Gateway Security is not licensed.

To license the CA Gateway Security, see Licensing and Registering CA Gateway Security (see page 51).

Firewall Ports Verification

The following firewall ports must be open during installation:

■ TCP/IP port 1882 between CA Gateway Security modules.

■ The FTP port and HTTP/HTTPS ports (required for web updates) from CA Gateway Security towards the Internet.

■ TCP/IP port 8080 from end users toward the Quarantine Manager computer. If CA Gateway Security HTTP is already installed on a port other than 8080, use the port it is installed on.

CA Antivirus Product Conflicts with Antivirus Realtime Scanner

Installing eTrust InoculateIT or CA Antivirus prior to installing CA Gateway Security causes the Antivirus Realtime Scanner to act on data before CA Gateway Security can analyze or use the data. This may interfere with Content Manager Engine functionality.

To avoid operational conflicts between CA Antivirus and CA Gateway Security, be sure to identify the CA Gateway Security processes that are running and add the processes to the CA Antivirus exclusions list.

Use the Windows Task Manager to locate the process names. Add the processes to the CA Antivirus exclusions list by following these steps:

1. Right-click the CA Antivirus icon in the Windows task tray.

2. Select Realtime Options, Filters tab, and then click Process.

3. Enter the process name and add the name to the exclusions list.

The following list shows all possible CA Gateway Security processes that could be running for your CA Gateway Security installation.

Note: The exact list of processes depends upon the options installed when you installed CA Gateway Security.

■ icihttp.exe

■ icismtp.exe

■ DCollSrv.exe

■ DataBridge.exe

■ QmgrSrv.exe

■ CRepSrv.exe

■ ECSQDMN.exe

■ ECSSAFMGR.exe

■ eCCCleaner.exe

■ QMgr.exe

Outgoing SMTP Rules Applied to Incoming Emails

If outgoing SMTP rules are inadvertently being applied to incoming emails, you must configure the intranet subnet list to exclude the IP address of the firewall or router which receives incoming email.

You can modify these settings in Subnets by navigating to Filtering, Settings, <local engine>, Subnets.

Unblock a Website

To unblock a website, follow these steps:

1. Navigate to Filtering, Settings, Enterprise Settings, URL Customization.

2. Click Add.

3. Type the web address of the site being blocked and click OK.

4. Uncheck the default URL category for the site in the Categories assigned to the URL list.

5. Scroll down and check <User Defined 1> and click OK.

6. Click Yes to distribute the changes.

7. Navigate to the URL rule that contains the blocking action you are trying to remedy.

8. Confirm that in the URL rule <User Defined 1> is not checked.


Appendix A: Using Microsoft SQL Server with CA Gateway Security

The CA Gateway Security Quarantine Manager and Reporter can use MS-SQL Server as the database layer.

According to your needs, you can install a dedicated SQL Server on a remote machine, or install SQL Server on the same machine as the Quarantine Manager and/or Reporter.

Prerequisites

Perform the following installations and checks before installing CA Gateway Security:

■ Install Microsoft SQL Server according to the product's documentation.

Important! Microsoft SQL Server must be installed before you install CA Gateway Security.

■ Confirm that SQL Server and Windows authentication is enabled in the SQL Enterprise Manager. To confirm this setting, do the following:

  ■ Open the SQL Enterprise Manager.

  ■ Right-click the local database, and click the Security tab.

  ■ Confirm that the Authentication, SQL Server and Windows radio button is selected.

Install CA Gateway Security after you have confirmed that these prerequisites have been met.

Create the Quarantine and Reports Databases

To create the quarantine and reports databases, follow these steps:

Create the Quarantine Database

Perform the following steps to create the Quarantine database:

1. Open the SQL Enterprise Manager Snap-in and browse to the Database level.

2. Choose Database.

The default database appears in the right pane.

3. Right-click the right pane and select New Database.

The Database Properties dialog appears.

4. On the Database Properties dialog, enter a name for the container on the General tab, for example: CAGS_Quarantine_DB.

5. On the Data Files tab of the Database Properties dialog, adjust the default parameters if this is a heavily-used database. The defaults are fine for testing purposes. Click OK.

Create the Reports Database

To create the Reports database, repeat the steps in Create the Quarantine Database, with the exception of the database name:

1. On the Database Properties dialog, enter a unique name for the container on the General tab, for example: CAGS_Reports_DB.

2. On the Data Files tab of the Database Properties dialog, adjust the default parameters if this is a heavily-used database. The defaults are fine for testing purposes. Click OK.

Create and Associate MS SQL Users

To create an MS SQL user and associate the user with the databases, follow these steps:

1. Open the SQL Enterprise Manager Snap-in, browse to the Security level, and select Logins.

2. Right-click and select New Login.

The SQL Server Login Properties - New Login dialog appears.

3. Create a new user using the SQL Server Authentication option. This user does not require administrative privileges anywhere except for the Quarantine and Reports databases.

4. Click the Database Access tab, and select the databases to be accessed by this login as follows:

a. Select the CAGS_Quarantine_DB and specify the roles for the new database. In the Database roles, both public and db_owner should be selected, as this user must be the db_owner to create the tables properly.

b. Select the CAGS_Reports_DB and specify the roles for the new database. In the Database roles, both public and db_owner should be selected, as this user must be the db_owner to create the tables properly.

c. Click OK.

The Confirm Password dialog appears.

5. Enter the password you specified in the General tab again, to confirm it. Click OK.

You are now set up to use SQL Server with the Quarantine Manager and/or Reporter. Write down the database names, user and password you have created, as they will be required during the installation of CA Gateway Security.

Notes: There is no need to tune additional database parameters, create any tables, or set any ODBC settings. The CA Gateway Security installer will do so during the installation.

If you change the SQL database credentials after the CA Gateway Security installation, use the Manager Console to configure the new credentials. To do so, from the Manager Console's menu select Settings, Engine settings, Microsoft SQL Tab.


Glossary

ADS Active Directory Server.

Applet An applet is similar to an application but does not run in standalone mode. It complies with a set of conventions that allow it to run within a Java-compatible browser.

Application An application is a standalone program. It can be executed independently of any other program.

DMZ The DMZ is a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically, the DMZ contains devices accessible to Internet traffic, such as web (HTTP) servers, FTP servers, SMTP (email) servers, and DNS servers.

DNS The Domain Name System is an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they are easier to remember. The Internet, however, is based on IP addresses. Every time you use a domain name, a DNS service translates the name into its IP address. For example, the domain name www.example.com might translate to 198.105.232.4. The DNS is its own network. If one DNS server cannot translate a domain name, it queries other DNS servers to resolve the correct IP address.

Downloadable A downloadable is a file that is transmitted into an organization’s computer system. Downloadables may originate from the Internet, other locations in an organization’s intranet, or an extranet.

EIAM Embedded Identity Access Management

Executable A file that contains programs. This is a particular kind of file that is capable of being executed or run as a program in the computer. In a DOS or Windows operating system, an executable file usually has a file name extension of .bat, .com, or .exe. These types of executables, if downloaded, are executed automatically, often without the knowledge of the user. The only warning the user may receive is the regular browser warning that a package is about to be downloaded.

Extranet A communication network of selected private companies, such as communications networks shared among banking organizations.

Firewall A firewall is a set of related programs located at a network gateway server, which protects the resources of a private network from users in other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to. Basically, a firewall working closely with a router program filters all network packets to determine whether to forward them toward their destination. A firewall may also include or work with a device that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

FTP File Transfer Protocol

Gateway A gateway is a network point that acts as an entrance to another network. On the Internet, in terms of routing, the network consists of gateway nodes and host nodes. The computers of network users and the computers that serve content (such as Web pages) are host nodes. The computers that control traffic within your company’s network or at your local Internet service provider (ISP) are gateway nodes.

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol Secure

Hub A hub is a hardware device that connects two separate LANs. A hub does not filter traffic moving between the two LANs.

Internet The global computer communications network that connects independent networks. The Internet is accessed through a service provider.

Intranet An intranet is a private network inside a company or organization that uses the same kinds of software as on the public Internet (for example, private LANs and WANs). It is only for internal use.

IP Address An internet protocol (IP) address is a 32-bit number that identifies each sender or receiver of information that is sent in packets across the Internet. When you request an HTML page or send email, the IP part of TCP/IP includes your IP address in the message and sends it to the IP address that is obtained by looking up the domain name in the URL you requested or in the email address you're sending a note to. At the other end, the recipient can see the IP address of the Web page requester or the email sender and can respond by sending another message using the IP address it received.

ISA Microsoft Internet Security and Acceleration Server.

LDAP Lightweight Directory Access Protocol.

Mail Exchange (MX) Record A mail exchange record is an entry in a DNS database that identifies the mail server that handles emails for that domain name. When more than one MX record exists for any single domain name that is using more than one mail server, the MX record has a preference number that indicates the order in which to use the mail servers. This enables the use of primary and backup mail servers.

Message digest algorithm Digital signatures and other applications that need unique and unforgeable identifiers for digital data frequently make use of digital fingerprints, or message digests. These are produced using cryptographically secure message digest algorithms, also known as one-way hash algorithms. A message digest algorithm is a function that takes arbitrary-sized input data (the message) and generates a fixed-size output, known as a digest or hash.

MIME Multipurpose Internet Mail Extensions

NIC Network Interface Card.

NTLM Is an abbreviation for Windows NT LAN Manager. NTLM is an authentication protocol used in various Microsoft network protocol implementations. NTLM uses a challenge-response mechanism for authentication, in which clients prove their identities without sending a password to the server.

POP3 Post Office Protocol version 3. A protocol frequently used by email clients to receive emails that have been received and stored on a mail server.

PPTP Point to Point Tunneling.

Proxy Server A proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion. The proxy server receives a request for an Internet service (such as a Web page request) from a user. If it passes filtering requirements, the proxy server, assuming it is also a cache server, looks in its local cache of previously downloaded Web pages. If it finds the page, it returns it to the user without forwarding the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it to the user. CA Gateway Security acts as a Proxy Server, though it does not have its own cache.

RBL Real-Time Black-Hole List. The RBL is a list of TCP/IP addresses that have sent spam. The RBL bans email sent from a range of TCP/IP addresses.

Relay Server A relay server uses SMTP to send email messages between mail servers. The messages can then be retrieved with an email client using POP or IMAP from the mail management server such as Exchange Mail Server or Lotus Mail Server.

Router A router is a hardware item that transfers packets from one network to another. Every packet has a destination address stored in a header, and the router filters packets according to the destination address.

SMB Small to Medium-sized business.

SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

Subnet Mask The subnet mask is the part of the IP address that distinguishes other computers on the same LAN from computers in other departments or outside of the organization. The subnet mask for your computer network is in the Network Protocols window under TCP/IP protocol properties.

TCP Transmission Control Protocol (TCP) works with Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP handles the delivery of the data, TCP keeps track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet.

URL A uniform resource locator (URL) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. The URL contains the name of the protocol required to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer.

ZIP ZIP is probably the most common archive format for distributing and storing files. One or more files may be archived in a ZIP file and compressed to save space and download time. After downloading or receiving a zip file, you can extract and uncompress the original files.


95 NTLM Basics • 27 NTLM Considerations and Recommendations •

29 Install Role-based Support • 54 Install the Desktop Email Option • 55 O Installation on a Dedicated Computer • 87 Installation Scenarios • 35 Option 1 - SMB Scenario • 44 Installing CA Gateway Security • 41 Outgoing SMTP Rules Applied to Incoming

Emails • 111 Internet • 122 Internet-Side Installation • 25

P Intranet • 122 Intranet-Side Installation • 24

PAC Files Examples • 99 Introduction • 7

Perform NTLM Authentication Across a Firewall Through CA Gateway Security • 32

IP Address • 123 ISA • 123

Phase 1 - Alert Mode • 103

L Phase 2 - Notification Mode • 104 Phase 3 - User Self Management Mode • 104

LDAP • 123 Phase 4 - Blocking Mode • 105 LDAP Settings • 60 POP3 • 123

124 Implementation Guide

Page 125: CA Gateway Security

Index 125

PPTP • 124 Pre-installation • 33 Pre-installation Checklist • 34 Prerequisites • 113, 117 Prevent Loop-back Problems • 108 Proxy Server • 124, 125 Proxy Server Chaining • 23

R RBL • 124 Real-time User Self-Management • 10 Related Documentation • 13 Relay Control and Open Relay Prevention • 21 Relay Server • 124 Remove All Permission Levels From a User • 84 Remove Users from Role Groups and the EIAM

Database • 80 Role Management Using Embedded IAM • 81 Router • 124

S Security Considerations • 15 Security Level Assessment • 17 Select Database • 48 Select Email Notification • 45 Select Web Server • 48 Set Authentication Method • 50 Set Connectors in Exchange • 90, 94 SMB • 124 SMB Installation Scenario • 36 SMTP • 124 SMTP Authentication • 73 SMTP Authentication Mechanisms • 75 SNMP • 124 Specify Global Users and Global Group Settings

• 81 Specify HTTP and SMTP Server Ports • 45 Specify Language and User, Drive, and

Location Information • 42 Specify Quarantine Expiration Settings • 49 Specify Quarantine LDAP Settings • 62 Spyware and Phishing Prevention • 9 Start the Embedded IAM Utility • 80 Start the Installation • 41 Start the Manager Console • 58 Subnet Mask • 125 Subscription Settings • 63

T TCP • 125 Test Enterprise LDAP Settings • 72 Test LDAP Settings • 62 Test the Installation • 52 The Manager Console • 57 The Purpose of This Guide • 13 Transport Modes • 76 Troubleshooting • 107

U Unblock a Website • 111, 116 Upgrade Considerations • 39 Upgrade from Previous Releases • 38 Upstream Web Proxy • 30 URL • 125 User Management with Embedded IAM • 85 Using Microsoft SQL Server with CA Gateway

Security • 113, 117

W Web Considerations • 22 Web Content Management • 13 Web Content Security and URL Filtering • 8

Z ZIP • 125