McAfee Email Gateway version 7.0 Appliances Installation Guide

More documents

Recommendations

Info

1Preparing to installDeployment strategies for using the device in a DMZDraft only - 9.13.11For example, an external mail server can communicate directly with the device, although traffic mightpass through several network servers before reaching the device. The perceived path is from theexternal mail server to the device.ProtocolsTo scan a supported protocol, you must configure your other network servers or client computers toroute that protocol through the device, so that no traffic bypasses the device.Firewall rulesExplicit proxy mode invalidates any firewall rules set up for client access to the Internet. The firewallsees only the IP address information for the device, not the IP addresses of the clients, so the firewallcannot apply its Internet access rules to the clients.Where to place the deviceConfigure the network devices so that traffic needing to be scanned is sent to the device. This is moreimportant than the location of the device.The router must allow all users to connect to the device.The device must be positioned inside your organization, behind a firewall, as shown in Figure 6:Explicit proxy configuration.Typically, the firewall is configured to block traffic that does not come directly from the device. If youare unsure about your network’s topology and how to integrate the device, consult your network expert.Use this configuration if:• The device is operating in explicit proxy mode.• You are using email (SMTP).For this configuration, you must:• Configure the external Domain Name System (DNS) servers or Network Address Translation (NAT)on the firewall so that the external mail server delivers mail to the device, not to the internal mailserver.• Configure the internal mail servers to send email messages to the device. That is, the internal mailservers must use the device as a smart host. Ensure that your client devices can deliver emailmessages to the mail servers within your organization.• Ensure that your firewall rules are updated. The firewall must accept traffic from the device, butmust not accept traffic that comes directly from the client devices. Set up rules to preventunwanted traffic entering your organization.Deployment strategies for using the device in a DMZUse this information to understand about demilitarized zones within your network, and how to usethem to protect your email servers.A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including theInternet and other internal networks. The typical goal behind the implementation of a DMZ is to lockdown access to servers that provide services to the Internet, such as email.Hackers often gain access to networks by identifying the TCP/UDP ports on which applications arelistening for requests, then exploiting known vulnerabilities in applications. Firewalls dramaticallyreduce the risk of such exploits by controlling access to specific ports on specific servers.14 McAfee ® Email Gateway 7.0 Appliances Installation Guide
Draft only - 9.13.11Preparing to installDeployment strategies for using the device in a DMZ 1The device can be added easily to a DMZ configuration. The way you use the device in a DMZ dependson the protocols you intend to scan.SMTP configuration in a DMZUse this information to understand how to configure SMTP devices within a demilitarized zone on yournetwork.The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall for thesecond time (on its way from the DMZ to the Internet), it has been encrypted.Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode.Configuration changes need only be made to the MX records for the mail servers.NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if you do notcontrol the flow of traffic correctly, the device scans every message twice, once in each direction. Forthis reason, explicit proxy mode is usually used for SMTP scanning.Mail relayIf you have a mail relay already set up in your DMZ, you can replace the relay with the device.To use your existing firewall policies, give the device the same IP address as the mail relay.Mail gatewaySMTP does not provide methods to encrypt mail messages — you can use Transport Layer Security(TLS) to encrypt the link, but not the mail messages. As a result, some companies do not allow suchtraffic on their internal network. To overcome this, they often use a proprietary mail gateway, such asLotus Notes ® or Microsoft ® Exchange, to encrypt the mail traffic before it reaches the Internet.To implement a DMZ configuration using a proprietary mail gateway, add the scanning device to theDMZ on the SMTP side of the gateway.In this situation, configure:• The public MX records to instruct external mail servers to send all inbound mail to the device(instead of the gateway).• The device to forward all inbound mail to the mail gateway, and deliver all outbound mail usingDNS or an external relay.• The mail gateway to forward all inbound mail to the internal mail servers and all other (outbound)mail to the device.• The firewall to allow inbound mail that is destined for the device only.Firewalls configured to use Network Address Translation (NAT), and that redirect inbound mail tointernal mail servers, do not need their public MX records reconfigured. This is because they aredirecting traffic to the firewall rather than the mail gateway itself. In this case, the firewall must insteadbe reconfigured to direct inbound mail requests to the device.McAfee ® Email Gateway 7.0 Appliances Installation Guide 15
Page 1: Draft only - 9.13.11Installation Gu
Page 5 and 6: Draft only - 9.13.11PrefaceContents
Page 7 and 8: Draft only - 9.13.11PrefaceFinding
Page 9 and 10: Draft only - 9.13.111Preparing1to i
Page 11 and 12: Draft only - 9.13.11Preparing to in
Page 13: Draft only - 9.13.11Preparing to in
Page 17 and 18: Draft only - 9.13.112Installingthe
Page 19 and 20: Draft only - 9.13.11Installing the
Page 53 and 54: Draft only - 9.13.113Atour of the D
Page 55 and 56: Draft only - 9.13.11A tour of the D
Page 57 and 58: Draft only - 9.13.1144Testingthe co
Page 59 and 60: Draft only - 9.13.115Exploring5the
Page 61 and 62: Draft only - 9.13.11Exploring the a
Page 63 and 64: Draft only - 9.13.11Exploring the a
Page 65 and 66:
Draft only - 9.13.11Exploring the a
Page 67 and 68:
Draft only - 9.13.11IndexAabout thi
Page 69:
700-3349A0000Draft only - 9.13.11
show all

McAfee Email Gateway version 7.0 Appliances Installation Guide

Create successful ePaper yourself

Delete template?

Save as template?