Websense TRITON Solution Technical Enablement Program
ESGA v7.6 Course 201 Student Guide
Rev. 691267
Websense and the Websense logo are registered trademarks of Websense, Inc. in the United States and
other countries. TRITON is a trademark of Websense, Inc. in the United States and other countries. All
other trademarks are properties of their respective owners.
Table of Contents
Websense Email Security Gateway Initial Setup. . . . . . . . . . . . . . . 7
ESG Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
ESG Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Personal Email Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Advanced Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Clustering Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
ESG Log and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Troubleshooting Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
This chapter focuses on the initial setup and configuration of the Email Security
Gateway (ESG) module in a Websense V-Series appliance.
Prior to the physical and logical deployment of the appliance within the network, you
need to understand the fundamental concepts behind email security. Much of the
initial setup has to do with your email domains and ensuring only authorized users can
send and receive email through the ESG appliance.
During the initial setup of ESG, the wizard requires you to define:
1. Email server IP address: The IP address of the mailbox server, which stores,
receives and sends email to and from local users.
You can add additional email servers after the initial setup.
2. Protected domain address: This is the email domain where the mailboxes reside.
For example, if the email address is salestraining@websense.com then the protected
domain is websense.com.
You can add additional protected domains after the initial setup.
3. Trusted IP address: In this field you enter the IP address of the hosts which are
allowed to send email (inbound connection) through ESG and not be subject to IP
filtering rules.
4. Data security server IP address: In this field you enter the IP address of the DSS
server so you can take advantage of the DLP integration offered by ESG.
5. Log server IP address: In order for ESG to be able to generate reports, you need
to configure it to talk to an off-box log server. The log server should be installed
before you commence the ESG initial setup.
6. Notification email address: A valid email address is required which will serve as
the default address for all notifications from ESG.
This email address should be a shared mailbox that is available to multiple
administrator level individuals. This ensures maximum supportability for your
environment.
Slide 1:1
Protected domain
Trusted IP address
Shared mailbox (or account) where ESG can send all email alerts and notifications
Slide 1:2
Protected Domains
The concept of a protected domain has a slightly different meaning when you refer to
inbound messages and outbound messages.
An inbound message is defined as a message sent from outside your company domain
to an account within your company domain. The filtering of inbound messages is
fairly simple. The ESG reads the recipient address and if it does not match any of the
configured protected domains, the email is immediately rejected.
For example, if an ESG appliance configured with websense.com and surfcontrol.com
as protected domains receives a message sent from johndoe@gmail.com to
pippo@yahoo.com, it will immediately reject the message because pippo@yahoo.com
does not match either websense.com or surfcontrol.com.
In ESG, there are four directions defined:
Slide 1:3
Email Relay
During the ESG configuration wizard, you entered some key data which makes
the ESG a closed relay. Only the following email messages are routed (relayed):
From any sender (coming from any IP) to the protected domain
From a permitted IP (typically the internal email servers) and from a sender in the
protected domain to any recipient
The idea is to ensure the ESG only routes valid email and does not become an open
relay. Hackers and spammers often use open relays and misconfigured email servers
to launch attacks or send out massive amounts of email with relative impunity, because
all traffic points back to the compromised email server rather than to them.
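The closed-relay rule above, written out as a decision function (an added example, not code from the Websense course guide or product). The protected domains, permitted IP and addresses are constructed; treating a message whose sender and recipient are both in a protected domain as "internal" is an assumption.

```python
# Added example (not from the Websense course guide): a model of the ESG
# closed-relay rule. Protected domains, permitted IPs and addresses are
# constructed for illustration; the "internal" direction is an assumption.
import ipaddress

PROTECTED_DOMAINS = {"websense.com", "surfcontrol.com"}  # constructed
PERMITTED_IPS = {ipaddress.ip_address("10.0.0.25")}       # constructed: internal mail server


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address, rejecting malformed input."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed address: %r" % address)
    return domain.lower()


def relay_decision(sender, recipient, client_ip):
    """Apply the two closed-relay rules and return (decision, direction, reason).

    Rule 1: any sender, from any IP, to a recipient in a protected domain -> relayed.
    Rule 2: a sender in a protected domain, from a permitted IP, to any recipient -> relayed.
    Everything else is refused so the gateway never acts as an open relay.
    """
    ip = ipaddress.ip_address(client_ip)          # raises ValueError on a bad IP
    sender_protected = domain_of(sender) in PROTECTED_DOMAINS
    recipient_protected = domain_of(recipient) in PROTECTED_DOMAINS

    if recipient_protected:
        direction = "internal" if sender_protected else "inbound"
        return ("RELAY", direction, "recipient is in a protected domain")
    if sender_protected and ip in PERMITTED_IPS:
        return ("RELAY", "outbound", "sender in protected domain from a permitted IP")
    if sender_protected:
        # Claims one of our domains but arrives from an untrusted IP: a spoofed
        # sender or a relay attempt, not a legitimate outbound message.
        return ("REJECT", None, "protected-domain sender from a non-permitted IP")
    return ("REJECT", None, "neither recipient nor sender/IP qualify (open-relay attempt)")


if __name__ == "__main__":
    # The example from the text: gmail.com -> yahoo.com must be rejected.
    print(relay_decision("johndoe@gmail.com", "pippo@yahoo.com", "203.0.113.5"))
```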
Slide 1:4
Required Components
Two domains inside ESG appliance
Any appliance running ESG has at least two domains configured:
We'll provide more details about the ESG domains in the ESG Architecture chapter.
Administrator
can't access the ESG domain directly, but only through the TRITON console running on
an off-box server, to set ESG configuration and policies
can access the PEM module in the ESG domain directly, without the TRITON
console
Important
There is no direct administrative access to ESG module.
Administrators have to install TRITON console off-box to
be able to configure ESG domain.
The TRITON Management Server can communicate directly with the ESG
module at IP address 172.16.90.100
The administrator can configure the appliance settings by pointing the browser to the
IP address 172.16.90.101
An end user can access the PEM module by pointing the browser directly to the IP
address of the ESG module at 172.16.90.100
Tip
Any appliance running ESG needs at least two interfaces
with two separate IP addresses: one bound to ESG domain,
the other to Appliance Manager.
Slide 1:5
Network Interfaces
The V5000 appliance has 4 NICs and the V10000 has 6 NICs. The Appliance Manager
domain always binds to the C interface.
On the V10000
The E1 and E2 interfaces are bound to the ESG domain. You can use one or both
interfaces depending on your environment: you can use only E1, or you can use E1 as
the internal interface and E2 as the external interface.
ESG Deployment
ESG is typically deployed in the DMZ. While other deployment options are
possible, this is the most common and the one that Websense recommends.
By design, ESG can process both incoming and outgoing messages. Some companies
may decide to process only incoming messages; however it is most common to
process messages in both directions.
When processing inbound messages, the ESG appliance receives the email from the
Internet (or possibly the Intranet, for large scale complex deployments), scans the
messages, and forwards them to company internal mail server.
The incoming messages can be directed to the ESG appliances in a variety of ways,
depending on the customer preferences and final objectives:
MX Record re-configuration
In order to process outbound messages from inside the company, there are two main
possible configuration options. The options mostly depend on the mail client settings:
Clients not using SMTP - the mail administrator configures the SMTP server to
relay all outbound traffic to the ESG appliance. This is the most common
configuration.
Clients with a configured SMTP server - the mail administrator can configure all
clients to point to ESG directly. Then the ESG routes the messages as necessary.
This setting, while not very common, enables filtering of all internal email
messages.
Typically, it is easier to assign the IP address of the SMTP server to the ESG
appliance and then assign a new IP address to the SMTP server.
Warning
All configurations require firewall re-configuration.
Slide 2:1
ESG Deployment
The simplest deployment for an email appliance is to put it on premises and configure
the firewalls or the DNS (or both) to direct incoming mail to the newly deployed
appliance.
You then configure the existing email server (or the client, in rare cases) to send all the
outbound email through the ESG appliance.
In addition to the on premises deployment, you can integrate ESG with the cloud
solution and you can pre-filter all incoming email in the cloud; this reduces
significantly the amount of email that the ESG has to process on premises.
To scale to any size environment, the ESG supports clustering. This advanced feature
also ensures that email filtering is always up and running in your network.
Slide 2:2
ESG Deployment
4. The email server receives the messages which passed the ESG filtering. This
email server can have actual mailboxes on it or be a bridgehead server, which
distributes the messages to other mail servers based on internal routing policies.
The messages are now available for pickup/delivery by the end users.
For outbound messages, you can reverse the process. The users send the messages to
the mail server that is configured to forward all outbound messages to the ESG
appliance. All messages that pass the filtering policies on the ESG flow from the
V-Series appliance, through the firewall to the Internet, where they reach their final
destination.
Slide 2:3
ESG Deployment
values. The sending server should always pick the one with the lowest preference
value. When more entries have the same preference value, the sending server
should process them in the order received, until it finds one that responds.
2. The email server connects to the next hop in the chain. This can be:
- A server in the cloud
- A perimeter firewall
- An ESG appliance
In this example, the MX record returns the IP address of one of the routable
interfaces on the firewall.
3. The messages arrive at the premises firewall. Permitted traffic is allowed through.
4. The firewall permits the messages to reach the V10000 appliance in the DMZ.
5. The ESG processes the messages and matches them against the running policies.
Permitted messages flow to the email server.
6. The email server receives the messages which passed the ESG filtering. This
email server can have actual mailboxes on it or be a bridgehead server, which
distributes the messages to other mail servers based on internal routing policies.
The messages are now available for pickup/delivery by the end users.
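The MX selection rule from step 1 (lowest preference first, equal preferences in the order received, try until one responds), plus the equal-preference load spreading used later for the clustered deployment, as an added example that is not part of the course guide. Host names, preferences and the "is this host responding" probe are constructed.

```python
# Added example (not from the Websense course guide): how a sending server orders
# MX candidates and fails over between them. Hosts and preferences are constructed.
from collections import namedtuple

MX = namedtuple("MX", "preference host")


def order_mx(records):
    """Lowest preference first; equal preferences keep the order the DNS answer arrived in."""
    return sorted(records, key=lambda r: r.preference)   # sorted() is stable


def choose_next_hop(records, responds):
    """Walk the ordered candidates until one responds.

    `responds(host)` is a caller-supplied probe (a connect to port 25 in real
    life). Returns (host_or_None, hosts_tried).
    """
    tried = []
    for rec in order_mx(records):
        tried.append(rec.host)
        if responds(rec.host):
            return rec.host, tried
    return None, tried


def rotate(answer, n):
    """Model a DNS server rotating equal-preference records between answers.

    Returns the answer as the n-th querying sender would see it; with all
    records at the same preference this spreads connections across the hosts.
    """
    k = n % len(answer)
    return answer[k:] + answer[:k]


# Constructed zone: a cloud pre-filter at preference 10 and a firewall address at 20.
SINGLE_CHAIN = [MX(20, "fw-external.example.net"), MX(10, "cloud-prefilter.example.net")]
# Constructed clustered zone: three routable firewall addresses, all at preference 10.
CLUSTER = [MX(10, "mx1.example.net"), MX(10, "mx2.example.net"), MX(10, "mx3.example.net")]


def distribution(answer, queries, responds):
    """Count which host each of `queries` successive senders ends up connecting to."""
    counts = {}
    for n in range(queries):
        host, _ = choose_next_hop(rotate(answer, n), responds)
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print(distribution(CLUSTER, 6, lambda h: h != "mx2.example.net"))
```

With one cluster member down, the rotated answers still put every sender onto a responding host; the failed host's share moves to the next entry in each sender's list.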
Slide 2:4
ESG Deployment
Slide 2:5
ESG Components
This slide represents a V10000 appliance installed in dual mode; both WSG and ESG
domains are running.
The various components operate as follows:
1. Admin
Administrators can configure the WSG domain through the same IP address
(different port).
3. ESG domain
ESG domain sends and receives email messages on the E1 and E2 (if
configured) interfaces. You can use, in most cases the E1 interface for both
sending and receiving email. Alternatively, you can configure E1 to send and
receive on the LAN side and E2 to send and receive on the DMZ side.
ESG domain stores logs and statistics into SQL Database Server in order to
generate reports and dashboard charts.
Slide 2:6
Clustering details
Each ESG in a cluster has one of three roles:
Primary
The primary node when working in cluster mode. Every cluster can have only
one primary ESG. The primary is the only node in the cluster to be configured via
the TRITON console.
Secondary
The secondary node cannot be configured via the TRITON console directly.
The secondary nodes synchronize the configuration from the primary node.
The secondary nodes and the primary process mail traffic based on the same
policies.
Standalone
Any appliance that is not set as primary and not negotiated to be a secondary
stays in the role of standalone.
Important
One cluster has a maximum of 8 nodes.
All nodes of a cluster must be the same appliance type: you
cannot mix V10000 with V5000 in the same cluster.
All nodes of a cluster should have the same applications
deployed on the appliance: all appliances are either single
mode (ESG only) or dual mode (ESG and WSG).
Tip
When cluster negotiation does not succeed, the primary
node will not become standalone automatically. The
administrator will need to change this manually.
Important
When you have more than one ESG appliances, clustering
is not a requirement. You can have all ESG appliances be
in standalone mode; however, you will have to configure
each ESG individually. This is not recommended and leads
easily to inconsistent policy settings.
Slide 2:7
Configure the MX record in DNS to return three routable IP addresses which bind
to the external interface of the firewall. Each record should have the same
preference value, so that the traffic is evenly distributed on the basis of number of
incoming connection requests. The firewall maps the external IP addresses to the
internal one of the corresponding E1 interfaces on the ESG appliances (1-to-1
NAT)
Configure the MX record in DNS to return three routable IP addresses which bind
to each of the E2 interfaces of the ESG. The E2 interfaces are in the DMZ. The E1
interfaces are on the LAN side.
The DNS returns three IP addresses with the same preference value.
The email server connects to the first IP address in the list (the other addresses
are used if the first one does not respond).
The DNS returns the information about the next hop as well.
Slide 2:8
ESG Deployment
Slide 2:9
Firewall Configuration
You need to configure your firewall as the slides on this and next page show.
The on-box update module and feedback module connect to port 80, on which the off-box DDS Server listens.
Tip
DDS, developed by Websense, provides the downloadable databases used by
various Websense products. The databases include the URL filtering database,
the real-time update database, the real-time security scanning database, etc.
We'll talk about DDS again in the ESG Architecture chapter.
The on-box authentication component connects to ports 389 and 636, on which the off-box LDAP Server listens. 636 is the secure LDAP port.
Ports 389 and 636: permit outgoing traffic on 389 and 636.
The on-box SSL Proxy component listens on port 6671 to communicate with the off-box TRITON Unified Security Center.
The on-box PEM component connects to port 6671, on which the SSL Proxy
component on another appliance listens.
Slide 2:10
Firewall Configuration
On-box PEM component listens on 9449 for end users to manage their
personal messages
Slide 2:11
Sample Deployment
The slide shows two of our sample deployments:
A. ESG with Hybrid service
B. ESG without Hybrid service
ESG Architecture
V10000:
V5000:
Slide 3:1
ESG Architecture
Slide 3:2
Appliance Modules
Both V10000 and V5000 run the Appliance Manager module, which is the domain to
configure hardware settings for appliances.
The difference between V10000 and V5000 is that a V10000 appliance can run ESG
and WSG modules at the same time, while a V5000 appliance can run either ESG or
WSG.
The WSG module consists of three sub-modules:
1. Websense Content Gateway (WCG): the web proxy component of WSG.
2. Web Security Suite (WSS): the content filtering component of WSG, also called
Web Security Enterprise (WSE).
3. Network Agent (NA): the component used to monitor and control protocols other
than HTTP, HTTPS, and FTP.
Except for the Appliance Manager module, which runs on Dom0 in the V-Series
appliance, all other modules run on DomU.
Slide 3:3
CPU Allocation
A V10000 G2 appliance can have three different configuration options when it has the
ESG module running:
1. ESG only
2. ESG plus WSG without Network Agent
3. ESG plus WSG with Network Agent running
In option 1, you have 12 CPUs dedicated to ESG. In options 2 and 3 you are limited to
four CPUs for ESG as the other eight are allocated to WSG. Depending on the volume
of web and email traffic, dual mode may or may not be the preferred option.
From a CPU standpoint, having Network Agent running or not has no impact on the
ESG module; it only affects the WSG module.
Slide 3:4
Memory Allocation
Similar to CPU allocation, the amount of RAM assigned to each module depends on
the specific appliance configuration. When running in dual mode, the V10000
allocates the same amount of memory as the V5000 has.
The Network Agent configuration has no impact on the amount of memory allocated
to the ESG; it only affects the balance of memory allocated within the specific WSG
components.
Slide 3:5
ESG Architecture
Slide 3:6
Quarantined
Dropped/Discarded
PEM, running on the ESG appliance, is for end users to manage their quarantined
emails.
TRITON - Email Security and PEM communicate directly with the off-box database
to fetch log information.
Appliance Interface receives and processes the requests from Appliance Manager,
dom0 of the appliance.
SSL Interface is a SSL proxy which provides secure communication between on-box
module and off-box module. The ESG management UI and the on-box Config module
connect to SSL Interface.
Authentication provides four functions: maintaining different types of user groups, and
authenticating message senders, message recipients, and end users accessing PEM.
Config consists of a policy module and a cluster module. The policy module receives
configuration requirements from the ESG management UI and simple command line
from back end, and stores the configuration files on the appliance. The cluster module
synchronizes configuration files from primary ESG to secondary ESG in cluster
mode.
PEM load-balances traffic across multiple PEM UIs, reducing the load on any single
PEM UI. It also provides the single entry point for all end users to manage quarantined
messages.
Quarantine isolates messages which failed to pass the antivirus engine or the
antispam engine.
Alert provides multiple methods (dashboard, email, pop-up and SNMP) for system
services to report exceptions.
Log receives all kinds of logs from other on-box modules, stores the system logs and
audit logs to the on-box log database, and forwards the message logs to the off-box
Log Server.
PostgreSQL Database, the on-box log database server, saves system logs and audit
logs from the Log module.
The off-box Log Server runs on the Windows operating system. It receives the message
logs from the on-box Log module and saves them to the database.
Hybrid provides support for the protected domain to register to the Hybrid service
automatically, synchronizes the communication token and pulls hybrid logs into the log
database.
Policy Engine is the component installed on ESG which talks to the DSS Manager for
registration and receives the policy pushed out by the DSS Manager. DLP Filter
enables the Policy Engine to register to the DSS Manager, which is integrated with the
TRITON Unified Security Center.
Scan Engine performs five types of filtering: hybrid, antivirus, antispam, disclaimer
and DLP.
Slide 3:7
External Components
As mentioned before, ESG interacts with administrators, end users, and various off-box
components. The slide displays the key components that are responsible for
communication between inside and outside ESG.
1. The Log Database and the Log Server are two different entities, which can be
installed on the same physical server.
2. The Encryption Service can be on-premises or on-demand in the cloud.
Currently the ESG supports integration with the Voltage encryption gateway. It
also natively supports TLS encryption. We'll cover encryption in more
detail later in the specific chapter.
3. Messages go through a pre-filtering analysis where the email sender (IP address
and domain) runs through the Real-time Blackhole List Server (RBL Server)
lookup and the Websense Reputation Service Server (WRS Server). The
objective is to reduce the amount of messages that need to be analyzed early on in
the process. RBL Server and WRS Reputation Server can easily identify and
reject a large number of spam messages.
4. The ESG administrator needs to connect to the ESG through the TRITON
Management Server, which runs on an off-box server. The TRITON
Management Server communicates with the SSL interface as described earlier.
Slide 3:8
DLP Integration
The DLP Filter receives the messages for scanning in standard email format (RFC 822
compliant). The PE parses the message before scanning according to the policy.
Integrating DLP into ESG:
1. Register ESG with the DSS Manager and transfer DLP incident logs to the DSS
Manager.
2. Configure and deploy DLP policies, e.g. fingerprint, on the DSS Manager. The
policies are pushed out to the DLP Filter.
3. Configure DLP policies (active/disable/block/monitor) on ESG.
Your organization will leverage the TruEmail DLP capability with patented PreciseID
fingerprinting and natural language processing technologies.
Note
To let the DLP Filter work, you need to make sure the ESG
subscription for DLP is valid; otherwise the message will
not be sent to the DLP Filter for scanning.
The DSS Manager itself needs a subscription for normal operations, which is an XML
file. However, for the DLP Filter, the DSS subscription is not a prerequisite. That is,
even if no subscription is imported into the DSS Manager, or the DSS subscription has
expired, an ESG registered with the DSS Manager can still perform scanning. In
other words, the DLP scanning of ESG does NOT need the DSS subscription, but
does need the ESG subscription for DLP.
Slide 3:9
Hybrid Integration
ESG hybrid mode allows the user to integrate the on-premises Email Security Gateway
with the Websense Hosted Email Security (HES) service, to deliver easy deployment and
high-capacity email security. The workflow sequence is shown in the slide above.
HES service for each ESG appliance is based on a hybrid account. All ESG hybrid
configuration is sent to the HES cluster and stored as the hybrid account settings.
The account ID is the ESG license key, and the account password is transparent to the
customer and is maintained by ESG/HES internally. Whenever ESG talks to the HES
Sync Server (HSS), the account and password are required for authentication.
If hybrid mode is enabled, an HES account is created.
HES can provide hourly refreshed statistical data for the last week. The statistical data is
used to show the Value of Hybrid Mode on the dashboard reports.
The data includes:
The ESG filters out the messages that do not comply with the policies.
C. The messages that comply with policies are delivered to the intended recipient.
Note
In this scenario, Hybrid service filters the inbound traffic
only.
Slide 3:10
Policy Processing
ESG listens on port 25, receives SMTP messages, and filters the message according to
its configuration.
If the message is not coming from a protected domain (an inbound message), the ESG
first checks the sender IP address, domain, and other information against the RBL,
WRS and any custom Always Block List. This step already filters out the majority of
messages.
Next, the recipients are validated against the directory service. This is an important
step to prevent Directory Harvest Attacks (DHA).
The last three steps are typical of any email filtering product. The message
is checked against size limits, spam content, virus content, and other malicious threats
(attachment file types, compressed files, password-protected archives, etc.).
Outbound messages do not have to be checked against the RBL, WRS, and other
block lists; by definition, they come from a trusted source.
However, outbound messages need to be checked for possible viruses. While viruses
should not be present (most companies run multilayer AV in their infrastructure), it is
good practice to ensure that you are not responsible for spreading an outbreak.
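The per-direction processing order above, as an added example that is not the product's code: inbound messages go through pre-filtering, recipient validation and then the content checks; outbound messages skip the block lists but still get antivirus and DLP. The block lists, reputation scores, directory, thresholds and the disposition chosen at each stage are all constructed assumptions.

```python
# Added example (not the Websense product code): a simplified model of the ESG
# policy-processing order. Lists, scores, thresholds and dispositions are constructed.
from dataclasses import dataclass, field

RBL_LISTED_IPS = {"198.51.100.7"}                         # constructed RBL hit
WRS_REPUTATION = {"spammy.example": 5, "gmail.com": 90}   # constructed scores, 0 (bad) to 100
ALWAYS_BLOCK = {"badguy@example.org"}                     # constructed custom Always Block List
DIRECTORY = {"alice@websense.com", "bob@websense.com"}    # constructed directory-service users
MAX_SIZE_BYTES = 10 * 1024 * 1024
SPAM_THRESHOLD = 0.8
RISKY_EXTENSIONS = (".exe", ".scr", ".js")


@dataclass
class Message:
    sender: str
    recipient: str
    client_ip: str
    size: int
    spam_score: float = 0.0            # produced by the antispam engine
    has_virus: bool = False            # produced by the antivirus engine
    attachments: list = field(default_factory=list)
    password_protected_archive: bool = False
    dlp_matches: int = 0               # produced by the DLP filter


def prefilter(m):
    """Sender IP/domain checks that reject most unwanted inbound mail before content is read."""
    domain = m.sender.rsplit("@", 1)[-1].lower()
    if m.client_ip in RBL_LISTED_IPS:
        return "rbl"
    if WRS_REPUTATION.get(domain, 50) < 20:       # unknown domains get a neutral score
        return "wrs"
    if m.sender.lower() in ALWAYS_BLOCK:
        return "always-block"
    return None


def content_checks(m):
    """Size, spam, virus and attachment checks; returns (disposition, stage) or None."""
    if m.size > MAX_SIZE_BYTES:
        return ("reject", "size")
    if m.spam_score >= SPAM_THRESHOLD:
        return ("quarantine", "spam")
    if m.has_virus:
        return ("quarantine", "virus")
    risky = any(a.lower().endswith(RISKY_EXTENSIONS) for a in m.attachments)
    if risky or m.password_protected_archive:
        return ("quarantine", "attachment")
    return None


def process(m, direction):
    """Run the stages in the order the text gives for each direction."""
    if direction == "inbound":
        hit = prefilter(m)
        if hit:
            return ("reject", hit)
        # Recipient validation against the directory blocks directory harvest attacks.
        if m.recipient.lower() not in DIRECTORY:
            return ("reject", "recipient-validation")
        return content_checks(m) or ("deliver", None)
    if direction == "outbound":
        # Trusted source: no RBL/WRS/block-list step, but still AV and then DLP.
        if m.has_virus:
            return ("quarantine", "virus")
        if m.dlp_matches > 0:
            return ("quarantine", "dlp")
        return ("deliver", None)
    raise ValueError("unknown direction: %r" % direction)
```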
More importantly, and mostly unique to the ESG solution, you implement DLP
policies for all outbound messages. The cost of information leakage, both financially
and in terms of a tarnished reputation, can be devastating.
Slide 3:11
ESG Architecture
3. Quarantined: The message failed one or more of the security and policy
scans. However, the content is not such that it should never be released to
the recipient; it may need to be retrieved by administrators or end users.
Quarantined messages are stored in the local (ESG file system) quarantine queue.
Information about the quarantine is stored in the log database.
Tip
Recipients of a quarantined message can retrieve it through
PEM management UI.
Slide 3:12
Filter queue
The messages that pass through pre-filtering will be placed into priority based
filter queues.
If quarantined messages are to be re-processed (scanned again), the messages will
be put back to filter queue.
Incoming queue
The messages processed by Filter Daemon are moved from filter queue to
incoming queue.
In addition, the messages that should not be filtered (bounce/delivery requests from
PEM) are put in the incoming queue.
Deferred queue
If a message failed in being delivered for some transient reasons (it might succeed
later), the message is placed in the deferred queue.
Active queue
The messages in the active queue will be sent to SMTP Client and delivered.
Slide 3:13
ESG Architecture
Configuring queues
Language support
PEM includes adaptive language support for Spanish, Portuguese, Italian, and
German.
When an end-user or administrator logs into the PEM facility, they can determine the
language displayed in the user interface.
Slide 4:1
Slide 4:2
Slide 4:3
Mail Queues
Quarantined messages are isolated into different quarantine queues (folders) according to
their attributes. By default, there are six built-in queues:
1. Virus: Used to store messages, which contain a virus.
2. Spam: Used to store messages, which triggered one of the spam filters.
3. Exception: Used to store exceptional emails (failed several non specific filters).
4. Encryption-fail: Used to store messages that did not encrypt correctly.
5. Decryption-fail: Used to store messages that did not decrypt successfully.
6. Archive: Used to store all incoming messages.
Tip
These 6 queues cannot be deleted. However, users can edit
their properties or add new queues.
As mentioned before, messages in each queue can be stored locally (on ESG box) or
on a remote storage. ESG supports two remote storage types:
NFS
On the Blocked Message page, users can see the quarantine queue list.
Slide 4:4
Queues Monitor
Every 30 seconds, ESG checks the queue status, including remote queue
availability and available disk space.
If the remote queue is found unavailable, the queue storage status is marked
as "mounted error", and ESG generates a corresponding alert. If the remote
queue becomes available again, the "mounted error" status is cleared to "ok" and the
alert is cleared too.
If the remote storage is unavailable, attempting to move the queue (which copies its
messages) fails.
If the disk is available, ESG checks the space usage of the queue. If the
percentage of free disk space is less than 10%, ESG marks the queue status as
"disk space low" and sends an alert. If a queue's free disk space returns to
more than 10%, the status is cleared and the alert is cleared as well.
Slide 4:5
Queues Configuration
In cluster mode, the "Queue list" page is similar to standalone mode. The "volume" is
the sum of all machines' volumes, and the "size/total" is the sum of all machines' sizes
and size limits. For example, suppose there are 2 machines in a cluster, each of which has
a 10GB size limit (their limits are always the same because the configuration is synced
across the cluster).
Machine 1 has 10 files in it and its size is 5MB; machine 2 has 5 files in it and its size
is 3MB. In this case, the "volume" and "size/total" displayed in the UI will be "15" and
"8MB/20GB".
Compared with standalone mode, the error status description of the queue is more
complex. In standalone mode, if the hard disk space of the queue is low, an icon is
displayed which shows "hard disk low". In cluster mode, if the storage type is
local, the content displayed is a list of "Device X.X.X.X: hard disk low",
because more than one device may lack enough free disk space; if the storage type
is remote, the content displayed is "Remote hard disk low".
Regarding the "remote storage invalid" status, if a queue on at least one machine is in
this status, the WebUI shows "remote storage invalid".
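The queue monitor (Queues Monitor, above) and the cluster-wide status text (this section) modelled together, as an added example that is not the product's code. Queue names, device addresses and the sample readings are constructed; the 10% threshold, the status strings and the alert set/clear behaviour follow the text.

```python
# Added example (not the Websense product code): the 30-second queue monitor
# state machine and the cluster status aggregation. Names, addresses and
# readings are constructed; thresholds and status strings follow the guide.
from dataclasses import dataclass

LOW_SPACE_PCT = 10.0


@dataclass
class QueueState:
    name: str
    storage: str              # "local" or "remote"
    status: str = "ok"        # "ok", "mounted error" or "disk space low"
    alert_active: bool = False


def monitor_pass(q, mounted, free_pct):
    """One monitor pass. Updates q in place and returns the alert events raised or cleared.

    An alert is raised once when a condition starts and cleared once when it ends,
    so repeated passes in the same state produce no duplicate events.
    """
    events = []
    if q.storage == "remote" and not mounted:
        if q.status != "mounted error":
            if q.alert_active:
                events.append("clear: " + q.status)
            q.status, q.alert_active = "mounted error", True
            events.append("alert: mounted error")
        return events                      # no space check on an unavailable volume
    if free_pct < LOW_SPACE_PCT:
        if q.status != "disk space low":
            if q.alert_active:
                events.append("clear: " + q.status)
            q.status, q.alert_active = "disk space low", True
            events.append("alert: disk space low")
        return events
    if q.alert_active:                     # mounted again and >= 10% free: clear
        events.append("clear: " + q.status)
    q.status, q.alert_active = "ok", False
    return events


def move_queue(q, destination_mounted):
    """Moving a queue copies its messages; that fails while the remote storage is unavailable."""
    if not destination_mounted:
        raise RuntimeError("%s: remote storage unavailable, move failed" % q.name)
    return True


def cluster_status_text(storage, per_device):
    """Aggregate per-device statuses ({ip: status}) into the text the cluster UI shows."""
    statuses = set(per_device.values())
    if storage == "remote":
        if "mounted error" in statuses:
            return "remote storage invalid"
        if "disk space low" in statuses:
            return "Remote hard disk low"
        return "ok"
    low = ["Device %s: hard disk low" % ip
           for ip, s in sorted(per_device.items()) if s == "disk space low"]
    return ", ".join(low) if low else "ok"
```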
Slide 4:6
PEM Components
PEM is composed of two sides: the admin side and the end user side:
Admin side - PEM general configuration: the PEM digest settings, the end-user
access control and the user authentication mode.
End user side - PEM management: the end user can manage the messages
processed by ESG and take whichever of the allowed actions he/she prefers.
Slide 4:7
Notification Message
The ESG PEM enables end users to configure the notification message that is
sent out from the ESG when any email that has them as recipient or sender is
blocked.
End users are able to configure the notification message in the following aspects:
Max messages
The maximum number of message digests in the notification email to the end
user. For example, if set to 10, then only 10 message digests will be in the notification
message even if the end user has more than 10 quarantined or spam messages. The
maximum value of this setting is 100 and the default is 10.
Every day
Every weekday
The slide shows the screen for setting the notification message:
1. Set the maximum number of messages per notification and the actions available in the
notification that the end user is able to take.
2. Configure the information of the notification:
Company
Define the brief information about the customer's company displayed in the digest message.
Description
Define a brief description of the ESG, as the customer prefers.
Sender
Define the sender email address of the digest notification message to the end
user. The address format is username@domaininfo, such as
postmaster@websense.com, meaning that the sender of the digest message
will be this address. This is ONLY one email address.
Subject
Define the subject of the digest message. The maximum length of this value is
100 characters.
Slide 4:8
Queues Actions
Quarantine message logs are stored in a remote SQL server database, together
with the ESG message logs.
By clicking a queue name on the Queue List page, the user can view all messages in
that queue. Messages can be viewed by date and searched by sender, recipient,
subject and policy.
The user can delete, download, reprocess, continue processing, deliver (release) or
forward the message(s) to one or more email addresses. The user can also report a
false positive to Websense, or add the sender of a message to the ESG global
Always Permit/Block List.
While a queue operation is in progress, some message operations may fail with a
"retry later" result.
The following actions are supported:
Reprocess: Deletes the message from the queue and reprocesses it, just as if ESG
had received it again. This is useful when the technical support and development
teams want to debug filter false positives: they can turn on debugging, reprocess
the message and find out why the filter captured it.
Forward: Forwards the message to one or more recipients; the forwarded message is
embedded in the forward mail as an attachment. The subject of the forward mail is
"Fw: Forward Message(s)".
Add to Always Block List: Adds the message sender to the Always Block List.
Add to Always Permit List: Adds the message sender to the Always Permit List.
Download: Downloads the message in .eml format. If more than one message is
downloaded together, they are compressed into a zip file.
Clear queue: Clears the whole queue; all messages in the queue are deleted.
Continue Process: A message sometimes contains both virus and spam content.
Assume it is captured by the spam filter and quarantined, and the administrator then
finds that it is a false positive and decides to deliver (release) it. In this case the
message would bypass virus scanning. To prevent this, the "Continue Process" action
makes sure the message is scanned by the other filters before it is delivered.
Not Spam: Clicking this button causes two actions: a copy of the email is sent to
esg-fp@websense.com for false positive research, and the email is then released to
its original recipients.
Slide 4:9
3. The recipient, who has been notified that she has received a message that was
isolated, connects to the PEM module. The link in the notification points to
TRITON - Email Security.
4. The primary ESG looks up the message details in the log database. Using the ID
of the machine that isolated the message, it connects to that ESG (in this case
ESG #1).
5. The primary ESG communicates with ESG #1, retrieves the message, and
sends it to the user who requested it.
Policy Management
A policy is the pipeline that message flows go through. ESG defines 3 types of policies
based on traffic direction:
Inbound policy
Outbound policy
Internal policy
How an ESG policy works can be described in the following steps:
1. Messages are divided into 3 categories: inbound, outbound, and internal.
2. In each category, messages match the condition based on the addresses of the
senders and recipients respectively.
3. The specific filter, defined in the rule of the matched policy, scans the messages.
4. The messages filtered out are processed according to the action.
Slide 5:1
Key Features
Policy rules comprise the filters and filter actions that determine how a message that
matches a policy's sender/recipient conditions is handled.
Filters provide the basis for email scanning for viruses and spam, and filter actions
determine the final disposition of a message when it triggers a particular filter. Define
new filters, or copy and edit an existing filter to suit your organization's needs.
Add and define new actions or customize default actions as needed. After you have
created and configured filters and filter actions, they are available for inclusion in your
policies.
Slide 5:2
Protected domain
Filters are individual scanning modules which define how messages in the
policy pipeline are scanned.
Slide 5:3
Policy Directions
An Email Security Gateway policy is applied based on defined sender/recipient
conditions and the direction of the email. You can apply a different policy to different
groups of senders and recipients. For example, you might apply a policy to a
marketing department group in your organization and a different policy to a human
resources group. After you define a set of senders and recipients in a policy, you can
add the policy rules (a combination of filter and filter action) to apply when the
sender/recipient conditions of the email match the policy. Email Security has 3 general
types of policies, depending on the direction of the email: inbound, outbound, or
internal.
Message direction is determined on the basis of an organization's protected domains:
Inbound - The sender address is not from a protected domain, and the recipient
address is in a protected domain.
Outbound - The sender address is from a protected domain, and the recipient
address is not in a protected domain.
Internal - Both the sender and recipient addresses are in a protected domain.
ESG has one predefined default policy for each email direction, as well as a default
Data Security policy for each direction. Data Security policies may be applied to email
in any direction. These policies are configured in the Data Security module of
TRITON Unified Security Center and can only be enabled or disabled in ESG. You
need to register Email Security with the Data Security management server and click
Deploy in the Data Security module for the policies to be active.
Slide 5:4
Policy Conditions
Match conditions define the entry criteria of a policy.
Each match condition consists of a pair of sender and recipient envelope addresses,
marked as From address and To address. The address can be a simple address like
john@company.com, or can be a wildcard address *@somewhere.com, or can be just
* for any address. When the envelope sender address of the message matches the
From address of a match condition and the recipient address matches To address of a
match condition, then this match condition is considered matched and the message
goes into this policy.
If the message has multiple envelope recipient addresses, it is possible that the message
is split across different policies. The address in a match condition can also come from a
User Directory, which is a logical group of addresses. A policy can have multiple match
conditions, and messages are tried against these match conditions one by one, from
top to bottom.
The order of match conditions in policy is not important. When match conditions are
empty, the policy will be skipped directly.
There are at most 32 match conditions per policy.
Slide 5:5
Rules
Rules define the message scanning process of a policy. If the sender and the recipients of a
message match any match condition of a policy, then the message is tried against the rules
one by one, from top to bottom. If one rule is matched, the rest are skipped. Rules
cannot be deleted or added, but they can be edited.
Rules contain the following:
Antivirus
Antispam
Disclaimer
Slide 5:6
Filters
Email Security Gateway has three predefined default filter types: virus, spam, and
disclaimer.
The virus filter analyzes an email message and its attachments for the presence of
viruses and other threats. The spam filter scans email content and compares it against
a database of known spam characteristics. You can select from a variety of antispam
tools, including the Websense Web Security URL scanning tool. If you want to add
text at the beginning or end of a message, use the disclaimer filter.
Filters are created and managed via the Main > Policy Management > Filters page.
Click Add to open the Add Filter page and set the properties of your new filter.
You can also copy a filter whether or not it is in use by a policy. A filter can be deleted,
as long as it is not in use by any policy. However, you cannot copy or delete an Email
Security default filter.
Up to 32 filters can be assigned per policy.
Slide 5:7
Actions
A filter action determines a message's final disposition. ESG scans messages and their
attachments then performs an action based on applicable policy settings. Actions are
created in the Main > Policy Management > Actions page. You can add a defined
action to a policy rule when you configure your email policies.
Create a new filter action by clicking Add and selecting action properties.
You can remove a filter action by marking the check box to the left of the filter name
to select it and clicking Delete. You can delete a filter action only if its current status is
Not in use. A filter action that is in use does not have a check box for selection.
Note
You cannot remove an Email Security default filter action.
There are at most 32 actions per policy.
Slide 5:8
Summary
1. All traffic is divided into 3 directions: inbound, outbound, and internal.
2. Messages match the specific conditions.
3. Filters are triggered for the messages of the conditions.
4. Actions are performed if the filters are matched.
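The four steps above, together with the match-condition, rule and "Continue Process" behaviour described in this chapter and in the queue actions of the previous one, as an added Python model that is not Websense code: the protected domain, policy names, addresses and the two stand-in filters are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample configuration; a real deployment takes these from TRITON.
PROTECTED_DOMAINS = {"company.com"}


@dataclass
class Message:
    sender: str            # envelope sender (MAIL FROM)
    recipients: List[str]  # envelope recipients (RCPT TO)
    subject: str
    body: str


@dataclass
class Rule:
    name: str                             # Antivirus / Antispam / Disclaimer
    triggers: Callable[[Message], bool]   # the filter: True when it fires
    action: str                           # filter action taken when it fires


@dataclass
class Policy:
    name: str
    direction: str                        # inbound / outbound / internal
    conditions: List[Tuple[str, str]]     # (From address, To address) pairs
    rules: List[Rule]                     # ordered; first match wins


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def direction(sender: str, recipient: str) -> Optional[str]:
    """Direction from the protected domains, as the chapter defines it."""
    s_in = domain_of(sender) in PROTECTED_DOMAINS
    r_in = domain_of(recipient) in PROTECTED_DOMAINS
    if s_in and r_in:
        return "internal"
    if r_in:
        return "inbound"
    if s_in:
        return "outbound"
    return None  # neither side protected: none of the three directions (example's choice)


def matches(policy: Policy, sender: str, recipient: str) -> bool:
    """A policy is entered when its direction fits and any (From, To) pair matches.
    '*' and '*@somewhere.com' are treated as shell-style wildcards."""
    if len(policy.conditions) > 32:
        raise ValueError("at most 32 match conditions per policy")
    if direction(sender, recipient) != policy.direction:
        return False
    return any(fnmatchcase(sender.lower(), f.lower()) and fnmatchcase(recipient.lower(), t.lower())
               for f, t in policy.conditions)


def split_by_policy(msg: Message, policies: List[Policy]) -> Dict[Optional[str], List[str]]:
    """Recipients of one message may enter different policies, so group them.
    Policies are tried in order; the first one matching a recipient wins."""
    groups: Dict[Optional[str], List[str]] = {}
    for rcpt in msg.recipients:
        chosen = next((p for p in policies if matches(p, msg.sender, rcpt)), None)
        groups.setdefault(chosen.name if chosen else None, []).append(rcpt)
    return groups


def scan(msg: Message, policy: Policy, skip: int = -1) -> Tuple[Optional[int], str]:
    """Rules are tried top to bottom; the first filter that fires decides the action
    and the remaining rules are skipped. `skip` is a rule index to leave out."""
    for i, rule in enumerate(policy.rules):
        if i != skip and rule.triggers(msg):
            return i, rule.action
    return None, "deliver"


def release(msg: Message, policy: Policy, quarantined_at: int, continue_process: bool):
    """Queue actions on a quarantined message: 'Deliver' releases it without further
    scanning; 'Continue Process' runs the other filters first (a spam false positive
    that would otherwise bypass the virus filter)."""
    if not continue_process:
        return None, "deliver"
    return scan(msg, policy, skip=quarantined_at)


# Constructed filters standing in for the real antispam/antivirus engines.
def looks_like_spam(m: Message) -> bool:
    return "free money" in m.subject.lower()


def carries_malware_marker(m: Message) -> bool:
    return "[constructed-malware-marker]" in m.body


INBOUND_HR = Policy("Inbound HR", "inbound", [("*", "hr@company.com")],
                    [Rule("Antivirus", carries_malware_marker, "drop")])
INBOUND_DEFAULT = Policy("Inbound default", "inbound", [("*", "*")],
                         [Rule("Antispam", looks_like_spam, "quarantine"),
                          Rule("Antivirus", carries_malware_marker, "drop")])
POLICIES = [INBOUND_HR, INBOUND_DEFAULT]

SAMPLE = Message("mallory@somewhere.com",
                 ["alice@company.com", "hr@company.com", "bob@elsewhere.com"],
                 "FREE MONEY inside", "see attachment [constructed-malware-marker]")

if __name__ == "__main__":
    print(split_by_policy(SAMPLE, POLICIES))
    idx, action = scan(SAMPLE, INBOUND_DEFAULT)          # (0, 'quarantine')
    print(release(SAMPLE, INBOUND_DEFAULT, idx, False))  # (None, 'deliver')
    print(release(SAMPLE, INBOUND_DEFAULT, idx, True))   # (1, 'drop')
```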
Advanced Encryption
Slide 6:1
Slide 6:2
TLS introduction
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are
cryptographic protocols that provide communications security over the Internet. TLS
and SSL encrypt the segments of network connections above the Transport Layer,
using symmetric cryptography for privacy and a keyed message authentication code
for message reliability.
Several versions of the protocols are in widespread use in applications such as web
browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP
(VoIP).
TLS is an IETF standards track protocol, last updated in RFC 5246 and is based on the
earlier SSL specifications developed by Netscape Corporation.
Slide 6:3
TLS Encryption
TLS is an Internet protocol that provides security for all email transmissions:
inbound, outbound, and internal. The client and server negotiate a secure connection
for the transmission to occur, provided both the client and the server support the same
version of TLS. The ESG uses a TLS encryption level of 128 bits.
The ESG uses 2 levels of TLS: Opportunistic TLS and Mandatory TLS.
Opportunistic TLS
It is used during the message routing process. You can enable TLS for a specified
message route on the Settings > Receive/Send > Mail Routing page. Create a new
route that uses the TLS delivery option or edit an existing mail route to add the TLS
option. At the bottom of the page, mark the Use Transport Layer Security (TLS) check
box to use opportunistic TLS for message routing.
With opportunistic TLS, the protocol must be implemented on both sides of a
connection for an encrypted transfer. If a connection attempt is made using the TLS
protocol, the connection recipient must provide appropriate TLS credentials for an
encrypted data transfer. If the TLS handshake fails, the data transfer is made via
plain text, rather than encrypted text. In either case, the data transfer is successfully
accomplished.
Mandatory TLS
Mandatory TLS is the default encryption method that is enabled on the Settings >
Inbound/Outbound > Encryption page.
For mandatory TLS, both sides of an email connection must use the protocol. An
encrypted data transfer occurs when the TLS handshake process is successful. Unlike
opportunistic TLS, if the handshake fails during the connection attempt, the
connection is terminated and no data transfer occurs.
A. If the next hop MTA supports TLS, the encrypted email is sent out.
B. Mandatory TLS: if the next hop MTA does not support TLS, the email is placed in the
deferred message queue for a later delivery attempt.
B. Opportunistic TLS: if the client and server cannot negotiate a secure connection,
the message is sent to the recipient in plain text.
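An added example (not Websense code) of the next-hop decision just described, driven by a constructed EHLO reply; the TLS versions the ESG side offers are an assumption, since the chapter states only a 128-bit encryption level.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Assumption for this example: the versions the ESG side would offer. The chapter
# only states a 128-bit encryption level, so these are constructed, not product facts.
ESG_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def ehlo_advertises_starttls(ehlo_lines: List[str]) -> bool:
    """Scan the multi-line 250 EHLO reply; each extension is one '250-' or '250 ' line."""
    for line in ehlo_lines:
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


@dataclass
class NextHop:
    name: str
    ehlo_response: List[str]                             # constructed reply from the hop
    tls_versions: Set[str] = field(default_factory=set)  # versions the hop accepts


def handshake_succeeds(hop: NextHop) -> bool:
    """Both sides must share a TLS version; otherwise the handshake fails."""
    return bool(ESG_TLS_VERSIONS & hop.tls_versions)


def deliver(hop: NextHop, mode: str) -> str:
    """Outcome of one delivery attempt: 'encrypted', 'plaintext' or 'deferred'.
    Opportunistic: fall back to clear text if STARTTLS is missing or the handshake fails.
    Mandatory: terminate the connection and defer the message instead."""
    if mode not in ("opportunistic", "mandatory"):
        raise ValueError(f"unknown TLS mode: {mode}")
    if ehlo_advertises_starttls(hop.ehlo_response) and handshake_succeeds(hop):
        return "encrypted"
    if mode == "mandatory":
        return "deferred"      # lands in the deferred message queue for a later attempt
    return "plaintext"


# Constructed next hops for the three situations the chapter distinguishes.
HOP_TLS = NextHop("mx.partner.example",
                  ["250-mx.partner.example", "250-SIZE 52428800", "250-STARTTLS", "250 HELP"],
                  {"TLSv1.2"})
HOP_NO_TLS = NextHop("mx.legacy.example", ["250-mx.legacy.example", "250 HELP"])
HOP_OLD_TLS = NextHop("mx.old.example",
                      ["250-mx.old.example", "250-STARTTLS", "250 HELP"], {"TLSv1.0"})

if __name__ == "__main__":
    for hop in (HOP_TLS, HOP_NO_TLS, HOP_OLD_TLS):
        for mode in ("opportunistic", "mandatory"):
            print(f"{hop.name:20} {mode:13} -> {deliver(hop, mode)}")
```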
Slide 6:4
Equifax Premium CA
Equifax Secure CA
GlobalSign Partners CA
GlobalSign Root CA
Thawte Server CA
ValiCert Class 1 VA
ValiCert Class 2 VA
ValiCert Class 3 VA
Verisign/RSA Commercial CA
Slide 6:5
IP address of ESG
Sender domain
TLS state
If the message contains the X-ESG-HYBRID header but fails any of the other 3
criteria, the Hybrid Filter bounces the message. The IP addresses of the ESG are pushed
to the Hybrid Filter during Hybrid configuration, and later changes of IP addresses or
network topology are also notified to the Hybrid Filter.
If encryption fails, the message is placed in a deferred message queue for a later
delivery attempt.
If the Hybrid Filter detects a spam or virus in an encrypted outbound message, the
mail is bounced to the message sender.
Bounce means the Hybrid Filter either returns a 5.x.x permanent failure to ESG in the
SMTP conversation, or generates an NDR message (with return of content), depending on
the original message, and delivers it to ESG over SMTP with opportunistic TLS. ESG should
always advertise STARTTLS to the Hybrid Filter and accept a TLS handshake from the
Hybrid Filter.
Messages sent from ESG to the Hybrid Filter for encryption may be put in the Hybrid
Filter queue for some time.
Slide 6:6
Virus x-header
Spam x-header
The ESG always advertises STARTTLS to the Hybrid Filter and accepts a TLS handshake
from the Hybrid Filter.
Slide 6:7
Administrators configure the x-headers to add to an outbound message via TRITON - Email
Security. These x-headers facilitate communication between the ESG appliance and the
third-party gateway, and they must match the corresponding settings in the third-party gateway.
Deliver messages
Drop messages
If third party encryption gateway is not configured, ESG will generate an alert (invalid
third party encryption gateway).
Slide 6:8
Slide 6:9
Administrators can configure x-headers for messages sent to the third-party encryption
gateway via TRITON - Email Security. These x-headers facilitate communication
between ESG and the third-party gateway, and they must match the corresponding settings
in the third-party gateway.
Clustering Details
In this chapter you will learn about the details of linking multiple ESG nodes together
to form a cluster to share traffic load or function as a single virtual ESG. Clustering
benefits you in balancing process work among different ESG nodes when traffic is
heavy, consolidating messages received in all separate ESG nodes for PEM, and
easing management and configuration.
If you have multiple ESG appliances running, clustering is not a requirement. You
could have all of the appliances run standalone, managed by one TRITON
Management Server. In this way, appliance types and running modes could be
mixed. This is not recommended, because it easily leads to inconsistent policy
settings.
Primary: the primary node when working in cluster mode. Every cluster can have
only 1 primary ESG. The primary is the only node in cluster to be configured via
TRITON console.
Secondary: the secondary node when working in cluster mode. Every cluster can
have 1 to 7 secondary ESGs. The secondary ESG can not be configured via
TRITON console directly. The configuration is synchronized from the primary
ESG.
After cluster negotiation succeeds, the primary and secondaries will work in cluster
mode. If cluster negotiation does not succeed, all nodes in cluster will be standalone.
One cluster is composed of up to 8 ESG nodes: one as the primary and the others as
secondaries. All the nodes within one cluster must be the same type of appliance and
run in the same mode. For example, a V10000 and a V5000 cannot cluster together, nor
can a V10000 in dual mode and a V10000 in ESG mode.
All the ESG nodes within one cluster share the same configuration and same log
database, accept mail traffic and deliver to destination mail server according to the
same policies.
Slide 7:1
Slide 7:2
Clustering details
Each ESG in a cluster has one of three roles:
Primary
The primary node when working in cluster mode. Every cluster can have only
1 primary ESG. The primary is the only node in cluster to be configured via
TRITON console.
Secondary
The secondary node can not be configured via TRITON console directly.
The secondary nodes synchronize the configuration from the primary node.
The secondary nodes and the primary process mail traffic based on the same
policies.
Standalone
Any appliance that is not set as primary and not negotiated to be a secondary
stays in the role of standalone.
Important
One cluster has a maximum of 8 nodes.
All nodes of a cluster must be the same appliance type: you
cannot mix V10000 with V5000 in the same cluster.
All nodes of a cluster should have the same applications
deployed on the appliance: all appliances are either single
mode (ESG only) or dual mode (ESG and WSG).
Tip
When cluster negotiation does not succeed, the primary
node will not become standalone automatically. The
administrator will need to change this manually.
Important
When you have more than one ESG appliances, clustering
is not a requirement. You can have all ESG appliances be
in standalone mode; however, you will have to configure
each ESG individually. This is not recommended and leads
easily to inconsistent policy settings.
Slide 7:3
Configure the MX record in DNS to return three routable IP addresses which bind
to the external interface of the firewall. Each record should have the same
preference value, so that the traffic is evenly distributed on the basis of number of
incoming connection requests. The firewall maps the external IP addresses to the
internal one of the corresponding E1 interfaces on the ESG appliances (1-to-1
NAT)
Configure the MX record in DNS to return three routable IP addresses which bind
to each of the E2 interfaces of the ESG. The E2 interfaces are in the DMZ. The E1
interfaces are on the LAN side.
The DNS returns three IP addresses with the same preference value.
The email server connects to the first IP address in the list (the other addresses
are used if the first one does not respond).
The DNS returns the information about the next hop as well.
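An added simulation (not from the guide) of the equal-preference MX deployment above, showing how a sending MTA's host selection spreads connections over the three nodes and falls through to the next address when one does not respond; the records, addresses and host names are constructed.

```python
import random
from itertools import groupby
from typing import Dict, List, Optional, Set, Tuple

MXRecord = Tuple[int, str, str]   # (preference, host name, IP address)

# Constructed MX answer: three equal-preference records, one per cluster node's
# externally reachable address, plus a lower-priority backup host.
MX_ANSWER: List[MXRecord] = [
    (10, "mx1.company.com", "198.51.100.11"),
    (10, "mx2.company.com", "198.51.100.12"),
    (10, "mx3.company.com", "198.51.100.13"),
    (20, "mx-backup.company.com", "198.51.100.20"),
]


def delivery_order(records: List[MXRecord], rng: random.Random) -> List[MXRecord]:
    """Sending MTAs try MX hosts in ascending preference; hosts with the same
    preference are tried in random order (RFC 5321, section 5.1), which is what
    spreads connections evenly over the three nodes."""
    ordered: List[MXRecord] = []
    for _, group in groupby(sorted(records, key=lambda r: r[0]), key=lambda r: r[0]):
        bucket = list(group)
        rng.shuffle(bucket)
        ordered.extend(bucket)
    return ordered


def first_responding(order: List[MXRecord], reachable: Set[str]) -> Optional[str]:
    """Connect to the first address in the list; fall through when it does not respond."""
    for _, host, ip in order:
        if ip in reachable:
            return host
    return None


def simulate(records: List[MXRecord], connections: int, reachable: Set[str],
             seed: int = 1) -> Dict[Optional[str], int]:
    """Count which host each of `connections` sending MTAs ends up on."""
    rng = random.Random(seed)
    counts: Dict[Optional[str], int] = {}
    for _ in range(connections):
        host = first_responding(delivery_order(records, rng), reachable)
        counts[host] = counts.get(host, 0) + 1
    return counts


ALL_UP = {"198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.20"}

if __name__ == "__main__":
    print(simulate(MX_ANSWER, 3000, ALL_UP))                        # roughly 1000 each
    print(simulate(MX_ANSWER, 3000, ALL_UP - {"198.51.100.11"}))    # node 1 down
    print(simulate(MX_ANSWER, 3000, {"198.51.100.20"}))             # only backup up
```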
Slide 7:4
Centralized Management
Under cluster mode, the primary and all secondary nodes are managed centrally.
1. The administrator logs on to TRITON Unified Security Center to configure the
primary node.
2. The configuration of the primary is synchronized to all secondaries.
Note
Only the primary has read/write privilege for ESG
configuration.
3. The primary and all secondaries of the cluster process inbound and
outbound email based on the same policies.
4. All off-box logs generated by the different ESG nodes are sent to the same log
server and stored in the same database.
Note
Only the primary has the privilege to view the ESG dashboard/
logs and generate reports; the scope of the reporting data
covers all ESG nodes in the cluster.
Note
The secondary only has the privilege to filter emails and
report everything to the primary.
When the primary is down, all secondaries keep working and filtering as
secondaries; none switches to primary automatically. The administrator can reconfigure
the cluster to pick a secondary to act as the new primary via the TRITON
Console. As the configuration is synchronized among the cluster nodes, the new
cluster works in the same manner. The only loss is the email in the primary's work
queue, which cannot be recovered.
When a secondary appliance is down, the cluster is not affected. Cluster machines
continue to process mail traffic and share a configuration.
Slide 7:5
Standard Deployment
A load balancing device is deployed in front of the ESG cluster. It redirects mail traffic to
the different ESG nodes using a traffic balancing algorithm. This must be provided by the
customer when ESG is deployed in cluster mode.
Slide 7:6
Configuration Synchronization
Configuration synchronization is handled by Config Daemon. The following tasks are
synchronized:
Log: In-box logs are synchronized from secondaries to the primary; off-box logs
are saved on the same external systems, no need to synchronize.
Quarantine: All quarantine related database and files are synchronized from
secondaries to the primary.
DSS registration: The primary registers with DSS Manager; DSS registration is
synchronized to secondaries.
Note
Configuration is synchronized only when the primary has the
same version and platform as the secondary and runs in the
same mode. Otherwise the node status is "not synchronized"
and an alert is sent.
License synchronization
The same license can be imported to each node of the cluster before negotiating, and
the license can be imported after negotiating too: to the primary at first then
synchronized to all the secondaries automatically.
Customers must assure licenses of each cluster node are either same or empty. If
different licenses are imported to the nodes of a cluster, the cluster negotiation will
fail.
Slide 7:7
The primary and secondaries point to same DSS manager and log & reporting
server
Slide 7:8
PEM
Under cluster mode, the end user can log on to either the primary or a secondary to
use PEM functions. An ESG cluster provides 2 options for deploying PEM:
End users log on to the PEM of the primary only: the primary redirects to the
relevant node for PEM, which is transparent to end users.
End users log on to specific ESG nodes for PEM: end users are assigned different
PEM addresses, which point to the respective nodes in the cluster.
The slide takes the first option as an example. The process of retrieving isolated
messages via PEM proceeds as follows:
1. ESG #1 (not the primary) receives a message, which is going to be isolated.
2. The ESG #1 writes an entry in the log about this message. As mentioned before, a
key field in the database is the ID of the ESG who isolated the message.
3. The recipient, who has been notified that he/she has received a message that was
isolated, connects to the PEM of the primary node. The link in the notification
points to TRITON - Email Security.
4. The primary ESG looks up the message details in the log database. Using the ID
of the machine that isolated the message, it connects to that ESG (in this case
ESG #1).
5. The primary ESG communicates with ESG #1, retrieves the message, and
sends it to the user who requested it.
Archive
As businesses develop, many organizations face the email issues in storage, discovery,
and retention:
Storage Management: Quota limits on mailboxes frustrate end users- yet unlimited
mailbox storage is costly for IT to provide and will only get worse as email traffic is
expected to grow to 507 billion messages per day by March 2013.
Discovery: 87% of U.S. companies faced law suits and 56% of companies have been
ordered to produce employee email by a court or regulatory body- yet only one in
seven organizations can recover email that is older than one year.
Retention and Compliance: Many laws and regulations require retention of email for
extended periods of time. Only 31% of organizations are moderately prepared to
comply.
Websense Email Archive is an add-on feature to ESGA. It is a full software-as-a-service
(SaaS) email archiving solution that integrates with email servers to
accumulate email messages and provides quick, searchable access to users. It features
comprehensive e-discovery and compliance capabilities, which administrators can
set up for selected users to access within the system.
ESG has a basic archive feature: saving all incoming messages to an archive queue
locally or remotely. This feature is different from the add-on archive that we are going
to talk about in this chapter.
Slide 8:1
Websense Email Archive: Provides end users unlimited mailbox size and allows
them to quickly and easily access their personal archived email.
The three add-ons are available for all Websense email security products (ESGA,
ESG, HES, WES). Customers must have one of the following products to purchase
email archive add-ons:
Slide 8:2
Websense Email Archive Suite with Hosted Continuity: Websense Email Archive
+ Discovery Archive + Email Continuity
Websense Email Archive Solutions add-ons are available as a service in the cloud and
do not require the cost and complexity of any on-premise equipment.
Note
Websense Email Continuity cannot be ordered as an
individual add-on. It must be combined with Websense
Email Archive (Websense Email Archive with Hosted
Continuity or Websense Email Archive Suite with Hosted
Continuity).
License
For each email archive add-on, customers purchase a subscription license based on the
number of mailboxes/users. Flat rate pricing for all user bands.
The number of licensed users for Websense Email Archive Solutions doesn't need to
match the number of users for the Websense email security product.
Customers could purchase a subset of users. For example, customers may purchase
licenses for a defined group of internal users (e.g., HR, Legal) rather than for the entire
email user population.
The minimum number of users/mailboxes that can be purchased is 25.
Slide 8:3
User Account: All new users of the archive can be granted access to their own
Personal Archive which will give them the ability to search their own
historical emails.
Account Manager: This role can be customized to set up new accounts, reset
passwords, and have additional privileges.
Policy Manager: The Policy Manager can view and update policy settings
(e.g., set time zones, specify storage of emails based on email direction).
Role Manager: The Role Manager can view and modify privileges of other
users.
Users can access their archives from Microsoft Outlook, IBM Lotus Notes,
Outlook Web Access, Lotus Notes Web Client, BlackBerry devices and
through a browser-based, secure website, which is a convenient option for
employees working from home or on the go.
Users only have to enter the usernames and passwords one time when opening
Personal Archive through Outlook. After one successful login, they will
automatically be logged in on all subsequent visits to the archive.
The Advanced Search option gives users the ability to customize their
searches based on a variety of criteria, such as message keywords, to, from,
subject, date(s), attachments, etc.
Search Filter
Search Filters help further hone searches, allowing users to drill into specific
categories, such as sender, date, tags and attachments.
Unlimited Mailbox
Websense Personal Archive gives an unlimited mailbox and allows users to quickly
and easily access their archived emails directly from Microsoft Outlook or Lotus
Notes. For added convenience, Folder Sync keeps users' Outlook folders intact in the
archive for easier search and retrieval.
Restoring lost or deleted emails gives end users the power to restore lost emails
themselves, even items they may have deleted from their desktop, laptop,
BlackBerry device or Windows Phone 7.
Reducing the need for PSTs/NSFs eliminates free-range email files (PST/NSF) and
minimizes the burden on IT staff and/or the help desk.
Improving server performance reduces the footprint on customers' mail servers and
shrinks backup windows.
Boost Productivity
Do you know how much time people spend sorting and filing their emails? Almost 9
out of 10 Internet users spend seven hours a week managing email. That's a lot of lost
productivity! Plus, 95% of the email sitting in your inbox will never be looked at
again.
With the Email Archive, users can delete email with confidence and stop wasting time
managing the inbox.
Slide 8:4
Store and index every email, attachment, IM and BlackBerry message (SMS
text, PIN-to-PIN, call log) in a centralized, online, and tamper-proof repository.
Accelerate legal discovery and HR inquiries with real-time search and retrieval
and multiple export capabilities. Search the entire contents of archived emails and
attachments.
Features:
Single-Instance Storage
Unlimited Storage
Replicated Storage
Secure Storage
Tamper-Proof Storage (Optional)
Re-Forward or Print
Saved Searches
Policy Alerts
Attorney-Client Privilege Tagging: Administrators and reviewers can flag attorney-client
privileged communications, which are excluded from e-discovery requests.
User Groups
Mail Servers
Slide 8:5
Users can easily create, reply to and forward messages during outage with
Outlook Look and Feel
Email Restore supports Microsoft Exchange, IBM Lotus Notes and Novell
Groupwise
All emails sent or received during the outage are automatically routed back to the
email server after the outage
Overcome email server breakdowns, stay productive and protect customers' business
with Websense Email Continuity.
Slide 8:6
Slide 8:7
Slide 8:8
Legacy Data
Legacy data generally refers to information stored in an old or obsolete
format (or computer system) that is, therefore, difficult to access or process. In the
email archiving world, legacy data refers to email data sitting on:
Backup tapes
By ingesting your legacy email into Websense's archiving solutions, you have a
complete, living record of all your email history, both past and present, for that
ingested email. But it is critical to preserve the chain of custody when you move your
email data from one store to another.
Chain of Custody
If chain of custody is a new or vague concept to you, you are not alone. In the
simplest terms, a proper chain of custody establishes the integrity of a piece of
evidence, showing that it wasn't tampered with or otherwise altered since it was first
collected. Chain of custody has significant practical implications for IT managers and
other professionals.
Chain of custody plays a critical role in litigation, especially when opposing
counsel is challenging the authenticity of evidence, particularly where digital
evidence and emails are involved. We've found that very few organizations adequately
account for chain of custody or understand its importance until authenticity is called
into question.
The services are charged as a one-time fee on a per-GB basis. They aren't performed at
customers' sites. Customers merely ship all storage media to be archived to
Websense. Websense then imports/exports the data.
The supported formats are: PST, EML, MSG, NSF.
Physical media:
If the volume of data is less than 10 GB, send the data on CD/DVD, flash
drive or via S-FTP (secure FTP).
If the data volume is greater than 10 GB, send the data via a USB hard
drive (high-speed USB 2.0 with external power recommended).
Encryption: Websense requires a basic level of encryption (i.e., a password-protected
zip file) for all email data transferred and, as a best practice, strongly recommends
using TrueCrypt Freeware (truecrypt.org) or PGP (pgp.com) to encrypt data
before shipping it to us. Zipping the data with a password is
also acceptable, but less desirable, since it delays the import. We do not accept
password-protected PSTs, since they are generally not secure and cannot be
processed by our legacy upload system.
2. Shipment
During this phase of the project, Websense outlines the key steps for the customer
project. This includes having the customer complete our Legacy Upload Order
Form, which captures key chain of custody information, such as the date and time
sent, number of files, number of emails, format of legacy data (e.g., PSTs),
amount of data and contact information. Then the customer ships the data along
with the Legacy Upload Order Form to us, addressed to the attention of the
Websense Data Import Center.
3. Verification
Upon receipt of the data, we log, initial and date the Chain of Custody Form (part
of the Legacy Upload Order Form) under received data. The case is then assigned
to one of our specialists, who reviews the details and adds the customer project to
our schedule. The completion date is based on the current volume of legacy
uploads in our queue. In the meantime, Websense places the data in its current
format in our data vault for safe storage.
After the data is extracted and uploaded, the specialist from the customer verifies
that the data volumes match the information they provided on the Chain of
Custody Form and updates the customer on any deviations. If there is a material
difference between the email received/extracted and the data on the form, we then
explore the reasons for the missing data.
Note
If the data does not match the Chain of Custody Form or
the data is corrupt, the customer will be notified of our
findings so that the next steps can be determined.
4. Data Import
After the legacy data is prepped, the specialist from the customer imports it into
the archive. Websense securely captures and indexes all messages (and
attachments) imported into one of our archiving solutions, Discovery Archive or
Email Archive. Once indexed, administrators and users can quickly and easily
search the entire contents of archived emails and attachments, using a variety of
search criteria, including to, from, date, subject, message body, message
attachments and other message properties. As a final check, the specialist from the
customer verifies the data and signs off on the Chain of Custody Form.
5. Chain of Custody Documentation
Once the import is complete the customer will be notified with the results. Any
deviations from the original Chain of Custody Form prior to ingestion are noted
and reviewed.
6. Returned Data/Destroyed Data
The final step in the process involves Websense either returning the original data
to the customer or destroying it. In either case, we document the process, note
the date the media was either returned or destroyed per the customer's wishes, and
retain the final copy of the Chain of Custody Form in our locked data vault for
our records.
Use of FTP: Websense recommends using the FTP option when shipping data for
only small data sets (i.e., less than 10 GB).
File Sizes: Websense can process PSTs up to 20 GB, but we prefer files that are 2
GB or less. Smaller PSTs have less chance of corruption and process faster.
Encryption: While Websense requires a basic level of encryption for email data
shipped to us, we do not accept password-protected PSTs, since they are generally
not secure and cannot be processed by our legacy upload system.
Mapping Archiving Accounts: When we import the PST files, we first scan them
to determine how to map the customer users to individual archive accounts. If a
sender's email address is found in more than 80 percent of the messages in the
PST file, the emails are archived under that sender's address. This process,
however, is error prone, so we recommend providing us with a CSV file for
mapping purposes. If a CSV file is not provided, the system automatically
determines the mapping.
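The "more than 80 percent" rule above is easy to get wrong at the boundary. The following shell script is an added example, not Websense code or the legacy upload system's implementation: it applies the rule to a constructed list of sender addresses (one per message) that stands in for the scan of a PST file, and shows that exactly 80 percent is not enough for an automatic mapping. The function name and the sample addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Websense code): the ">80 percent of messages from one
# sender" rule for mapping a PST file to an archive account, applied to a
# constructed list of sender addresses, one line per message.

# map_pst_owner: reads one sender address per line on stdin and prints
# "owner <address>" when a single sender accounts for more than 80 percent
# of the messages, otherwise "ambiguous" (a CSV mapping should be supplied).
map_pst_owner() {
    awk '
        NF > 0 { count[tolower($1)]++; total++ }
        END {
            if (total == 0) { print "empty"; exit }
            best = ""; max = 0
            for (s in count) if (count[s] > max) { max = count[s]; best = s }
            # integer comparison: max/total > 0.80  <=>  max*100 > total*80
            if (max * 100 > total * 80) print "owner " best
            else print "ambiguous"
        }'
}

# Constructed sample 1: 9 of 10 messages sent by alice (90 percent).
SAMPLE_CLEAR="alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
bob@example.com"

# Constructed sample 2: exactly 8 of 10 (80 percent) is NOT more than 80
# percent, so automatic mapping is refused and a CSV file is needed.
SAMPLE_EDGE="alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
alice@example.com
bob@example.com
carol@example.com"

printf '%s\n' "$SAMPLE_CLEAR" | map_pst_owner   # owner alice@example.com
printf '%s\n' "$SAMPLE_EDGE" | map_pst_owner    # ambiguous
```

Addresses are lower-cased before counting so that case variants of the same mailbox are not split into separate senders, which would otherwise push a legitimate owner below the threshold.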
Supported Message Types: We currently only archive post items. Non-post items,
such as calendars, contacts, system messages and voicemails, are not currently
supported.
Slide 8:9
Slide 8:10
http://www.websense.com/content/support/library/email/shared/exchjour_2003_std/first.aspx
Exchange 2003 Envelope Journaling Guide:
http://www.websense.com/content/support/library/email/shared/exchjour_2003_env/first.aspx
Exchange 2007 Journaling Guide:
http://www.websense.com/content/support/library/email/shared/exchjour_2007/first.aspx
Exchange 2010 Journaling Guide:
http://www.websense.com/content/support/library/email/shared/exchjour_2010/first.aspx
3. When prompted, point the email to the Websense address shown in the table.
EMEA servers
<your-domain>@WebsenseJournal.archivesuite.com
<your-domain>@WebsenseJournal.archivecloud.net
Slide 8:11
Slide 8:12
https://websense.archivesuite.com
https://websense.archivecloud.net
5. Mark the box Show home page by default for this folder.
6. Click OK.
7. Click the newly created folder.
After the Personal Archive is configured, end users are prompted only once for their
user name and password. Additional details for the end users are contained here:
http://www.websense.com/content/support/library/email/shared/email_archive/WEA_end_user_guide.pdf
Note
Websense offers Websense CloudLink, an application to
help to deploy Outlook Web folders to all of the end users.
CloudLink is included with the Websense service.
Slide 8:13
Archive vs Backup
Backups are for disaster recovery, while archives are for retention and discovery.
Backups were never really intended to meet regulatory requirements and other
compliance needs. They most effectively serve as a short-term insurance policy to
facilitate disaster recovery (assuming they are kept off-site).
Archiving, on the other hand, is specifically designed to meet regulatory
requirements and other compliance needs quickly and easily. In addition, archiving
serves another important role: it can reduce the strain on customers' in-house email servers.
With growing email volumes and skyrocketing storage costs, email archiving can:
For most modern organizations, the operational, legal and compliance challenges
of email necessitate going beyond simple backups.
ESG logs and collects data about email traffic and system activity to generate
presentation reports and dashboard charts and statistics for today and history. Records
of email filtering activities and system events are stored either in the on-box database,
that is, local PostgreSQL, or received by the off-box log server and then transferred to
the remote database, Microsoft SQL Server.
From TRITON - Email Security, ESG classifies the logs into: message log, audit log,
system log and console log; and catalogs the reports into: today dashboard, history
dashboard, and presentation report.
ESG log and reporting provide the facilities for administrators to configure the local
and remote log database and the database maintenance options, set report preferences,
and customize a report template, schedule and run a presentation report.
Now let's look at log and reporting in more detail.
Slide 9:1
Primary Concepts
ESG logs
Message log records information about each inbound message received by ESG.
Message logs are collected from the ESG internal component: Filter Daemon.
Audit log, only available for super administrators, shows which administrators
have accessed the Email Security module of TRITON console, as well as any
changes made to policies and settings. Audit logs are collected from the ESG
internal component: Config Daemon.
System log records all ESG system level events, along with any errors or
warnings produced. System logs are collected from each component inside the
ESG, such as the Filter Daemon, Update Daemon, Config Daemon, etc.
Console log records any administrator activities or changes made to the Email
Security module of TRITON console. Console logs are collected from TRITON - Email
Security, not from the ESG internal components.
ESG logs are searchable by predefined time periods or customized conditions. For
message logs, you can refine the search using conditions like email address, scanning
result, or message status, and export the search results to an Excel, HTML, or XML
file. The other three types of log can be exported to an Excel or HTML file.
Note
The maximum number of log entries exported cannot be
greater than 100,000.
ESG reporting
The History dashboard, similar to the Today dashboard, gives an overview of
email scanning activity for up to the past 30 days.
Presentation reports include a set of predefined charts and tabular report templates
with which you can generate graphical reports of Email Security Gateway
message traffic activities.
Slide 9:2
Slide 9:3
Message Log
The Message Log records information about each inbound message received by Email
Security. Access the Message Log on the Main > Status > Logs page. You can
configure the number of entries per log page, between 25 and 200, in the Per page
drop-down list in the log table banner. Scroll through Message Log pages by clicking
the back and next arrows in the banner, or enter a specific page number in the Page
field and click Go.
Message records are saved for 30 days. To preserve message records longer than 30
days, use the Export option to export the log on a regular basis. Exporting does not
remove records from the Message Log. It transfers log data to an Excel, HTML, or
XML file.
When the Message Log page appears, the most recent records are shown. Use the
View from/to fields to specify the date/time range for the log entries you want to see.
The calendar includes the following options:
Click the time in the lower left of the calendar to set the time in hours and
minutes.
If you click Clean and then Apply, the current date/time selection is removed.
The Message Log includes several search options, including date range or keyword
searches. Determine the date/time range for a search by selecting dates in the View
from/to field calendar controls. Default value for the from or to field is the date and
time that you open the log.
Slide 9:4
Audit Log
Websense Email Security provides an audit trail showing which administrators have
accessed TRITON - Email Security, as well as any changes made to policies and
settings. This information is available only to Super Administrators. Monitoring
administrator changes through the Audit Log enables you to ensure that the system is
controlled responsibly and in accordance with your organization's policies.
Click the Audit Log tab on the Main > Status > Logs page to view the Audit Log,
and to export selected portions of it to an Excel spreadsheet or an HTML file, if
desired. Audit records are saved for 30 days. To preserve audit records longer than 30
days, use the Export option to export the log on a regular basis. Exporting does not
remove records from the Audit Log. It transfers log data to an Excel or HTML file.
When the Audit Log page opens, the most recent records are shown. Use the View
drop-down list options located above the log to select the range of log entries you
want to see: All, One Day, One Week, One Month, or Custom. When you select
Custom, use the View from/to fields to specify the desired date/time range for the log
entries you want to see. The calendar includes the following options:
Click the time in the lower left of the calendar to set the time in hours and minutes.
If you click Clean and then Apply, the current date/time selection is removed.
Slide 9:5
System Log
System Log records for Email Security Gateway reflect the current state of the system,
along with any errors or warnings produced. Click the System Log tab on the Main >
Status > Logs page to view the System Log, and to export selected portions of it to an
Excel spreadsheet or an HTML file, if desired. System Log records are saved for 30
days. To preserve System Log records longer than 30 days, use the Export option to
export the log on a regular basis. Exporting does not remove records from the System
Log. It transfers log data to an Excel or HTML file.
When the System Log page opens, the most recent records are shown. Use the View
drop-down list options located above the log to select the range of log entries you
want to see: All, One Day, One Week, One Month, or Custom. When you select
Custom, use the View from/to fields to specify the desired date/time range for the log
entries you want to see. The calendar includes the following options:
Click the time in the lower left of the calendar to set the time in hours and
minutes.
If you click Clean and then Apply, the current date/time selection is removed.
Slide 9:6
Console Log
The Console Log is a record of any administrator activities or changes made to the
Email Security module of the TRITON Unified Security Center. Click the Console
Log tab on the Main > Status > Logs page to view the Console Log, and to export
selected portions of it to an Excel spreadsheet or an HTML file, if desired.
Console Log records are saved for 30 days. To preserve Console Log records longer
than 30 days, use the Export option to export the log on a regular basis. Exporting
does not remove records from the Console Log. It transfers log data to an Excel or
HTML file.
When the Console Log page opens, the most recent records are shown. Use the View
drop-down list options located above the log to select the range of log entries you
want to see: All, One Day, One Week, One Month, or Custom. When you select
Custom, use the View from/to fields to specify the desired date/time range for the log
entries you want to see. The calendar includes the following options:
Click the time in the lower left of the calendar to set the time in hours and
minutes.
If you click Clean and then Apply, the current date/time selection is removed.
Slide 9:7
Dashboard
The Main > Status > Today: Health, Security and Value Since Midnight page
appears when you first log on to TRITON - Email Security. It displays alert messages
and graphical charts that show the current state of your email scanning software,
focusing on email traffic activity in your network. The charts on this page cover the
24-hour period beginning at 12:01 a.m. according to the time set on the Log Database
machine.
At the top of the page, two summary sections provide a quick overview of current
status:
1. The Health Alert Summary shows the status of your Websense software. Click an
error or warning alert message to open the Alerts page, where more detailed alert
information is available. Information in the Health Alert Summary is updated
every 30 seconds.
2. Under Business Value, see examples of how Websense Email Security has
protected your network today by blocking malicious email traffic, as well as the
total number of messages handled.
Below the summary information, up to four user-designated Flash charts provide
information about email scanning activities. These charts are available to Super
Administrators, and to other administrators who are granted permission to view
reports on the Today page. Click Customize to select the four charts you want
displayed. Information in these charts is updated every two minutes. You may need to
scroll down to see all of the charts.
Up to two buttons appear at the top of the Today page:
1. Customize, available to Super Administrators only, opens a page where you can
select which charts to display on the Today page.
2. Print, available to all administrators, opens a secondary window with a
printer-friendly version of the charts on the Today page. Use browser options to print the
page.
Slide 9:8
Today Report
Use the Today > Customize page to select up to 4 charts for the Status > Today page.
Only Super Administrators with unconditional policy permissions can customize the
Today page.
Slide 9:9
History Report
Use the Status > History: Last 30 Days page to get an overview of email scanning
activity for up to the past 30 days. The four charts on the page are updated daily at
12:01 a.m. to incorporate data from the previous day, as determined by the time on the
Log Database machine. You may need to scroll down to see all the charts.
The exact time period covered by the charts and summary tables depends on how ESG
has been processing mail. During the first month that Websense software is installed,
the page shows data for the number of days since installation. After that, the reports
cover the 30 days prior to today. Depending on the reporting permissions granted to
the role, some administrators may not see the charts on the History page.
Slide 9:10
Presentation Reports
Presentation reports include a set of predefined charts and tabular report templates
with which you can generate graphical reports of Email Security Gateway message
traffic activities. You can run a report, customize a report template, or mark a
frequently used report as a Favorite. You can run any presentation report immediately,
or schedule it to run at a particular time or on a repeating cycle.
Not all report templates can be customized. Report templates that can be customized
display a different icon from reports that cannot be customized. If the Save As button
is enabled when you select a report name, then you can save and edit that report to suit
your needs. The Save As button is not enabled if you select a report that cannot be
customized.
Use the Main > Status > Presentation Reports page to generate charts and tabular
reports based on templates in the Report Catalog. The Report Catalog organizes a list
of predefined report templates and custom reports into groups. Expand a group to see
its corresponding templates and custom reports. Click on a template or report title to
see a brief description of what it includes.
Slide 9:11
Advanced Features
Log Database Option
Administrating the Log Database through TRITON Email Security involves
controlling many aspects of database operations, including the timing of maintenance,
the conditions for creating new database partitions, and which partitions are available
for reporting. Use the Settings > Reporting > Log Database page to manage Log
Database operations.
Database Partition
A database partition is the unit in which logs are stored. You can create up to 70
partitions, each with a maximum size of 5120 MB.
Keep in mind that extremely large individual partitions are not recommended.
Reporting performance can slow if data is not divided into multiple, smaller partitions.
When a new database partition is created, reporting is automatically enabled for the
partition.
Database Rollover
Rollover is the process by which the Log Database creates a new database partition. Use
the Roll over every option to indicate whether database partitions should roll over
based on size (MB) or date (weeks or months).
If the rollover begins during a busy part of the day, performance may slow during the
rollover process. To avoid this possibility, some environments choose to set the
automatic rollover to a long time period or large maximum size. Then, they perform
regular manual rollovers to prevent the automatic rollover from occurring.
Database Maintenance
Use the Maintenance Configuration to control certain aspects of database processing,
such as the time for running the database maintenance job, some of the maintenance
tasks performed, and deletion of database partitions and error logs.
Inbound Messages
Delivery Failure
System capacity
10
Troubleshooting Guide
This chapter talks about some basic troubleshooting techniques when working with
your ESGA deployments. The later sections cover various areas of an ESGA
implementation and discuss issues in a question and answer format. The following
topics are covered:
ESG: describes the possible errors when connecting TRITON - Email
Security to the ESG and discusses potential reasons.
Log Server & Log Database: covers Log Server and Log Database
installation and troubleshooting methods.
Cluster: discusses the problems that may arise during cluster implementation.
Hybrid: Q&A about the Hybrid connection, debugging, and synchronization.
DLP: covers issues with DLP registration, DLP deployment, and policies.
Appendix: includes references to the ESG Shell, System Diagnosis, and the Health
Daemon.
Slide 10:1
General Information
Before we start investigating the various areas of an ESGA implementation and
discuss various troubleshooting techniques, it is important to discuss certain
installation specifications.
The table above provides minimum requirements for each module. The information
below provides more detail surrounding some of the specific items such as database
versions and the location of certain log files.
Database version
Web (WSG) only:
SQL Server 2005, all editions except Express, all service packs, 32-bit and 64-bit,
not IA64
All products:
SQL Server 2008, all editions except Web, Express and Compact, all service
packs, 32-bit and 64-bit, not IA64
SQL Server 2008 R2, all editions except Web and Compact, all service packs, 32-bit
and 64-bit, not IA64
SQL Server Clustering, for all versions of SQL Server that we support
Slide 10:2
Troubleshooting
From the ESG appliance command line, you can perform the initial configuration,
modify settings, check appliance status, and start/stop the modules via commands such as
firstboot, ip dns, and module start. Run help to see the command
descriptions that the ESG appliance provides.
Furthermore, you can enable SSH to connect to the ESG shell to check logs and
turn on debug mode. This is an effective way to troubleshoot and is often used by
Technical Support.
A: Enable SSH
1. From the ESG appliance console, enter the following command to enable SSH
access:
ssh enable
2. Enter the following command to get a temporary passcode:
local-access
/var/log/maillog
/var/log/messages
To check ESG Log Server issues: Windows Event Viewer (system event log)
max_size
Value: 1 - 256
Unit: MB
wrap | nowrap
Slide 10:3
Troubleshooting - Example
The slide shows an example of troubleshooting via SSH (ESG shell). As the diagram
shows, a message containing confidential data should be dropped according to the DLP
policy, but instead it is delivered directly to the destination. The administrator
troubleshoots the issue in the following ways:
Via TRITON Unified Security Center. Check logs, policies, and configurations.
Via SSH
a. Log into the ESG shell
b. Check the log files
c. Turn on Debug mode to track the filtering and delivering process.
Slide 10:4
License
Issue A: What is the behavior when the ESG user license is exceeded?
All features in a license key have the same expiration date as the key. For example, if a key
has three features, AV/AS/DLP, and expires on Dec 22, 2012, AV/AS/DLP all
expire on Dec 22, 2012 too. Even if the customer adds another feature before Dec 22,
2012, the expiration date is still Dec 22, 2012.
UpdateD considers a key expired when the DDS server returns the expired flag, which is
the only way key validity is judged. Changing the system time therefore has no effect.
ESG sends messages to ESG alert system according to the remaining days in service
period:
Slide 10:5
License Reset
You may need to perform an ESG subscription key reset after you have uninstalled a
fully licensed version of TRITON - Email Security, and then reinstalled the product.
An error message warns you that ESG is already licensed.
Slide 10:6
ESG Error
Issue A: Why can't Email Security be launched?
The screenshot indicates that the TRITON - Email Security service either hasn't started or
encountered a problem while starting.
Follow the steps to try to resolve this issue:
1. Log in to the machine where TRITON Unified Security Center is installed.
2. List all the services.
3. Restart the Websense TRITON - Email Security service.
4. Click Retry on TRITON - Email Security user interface.
Slide 10:7
Check the statuses of all services in the appliance. If the network is working,
SSLProxy and config-daemon service issues would cause the connection
errors. Reset these services to fix the connection issue.
The TRITON - Email Security license does not match the appliance license:
Reset the appliance license on the appliance user interface, then set the license on
the appliance.
The TRITON - Email Security version must be higher than the appliance:
Update TRITON - Email Security or the appliance to the appropriate
version.
The TRITON - Email Security device ID does not match the appliance device ID:
Slide 10:8
The database owner must have membership in one of the following
roles in the MS SQL database:
SQLAgentUser role
SQLAgentReader role
SQLAgentOperator role
The database owner must have membership in the db_datareader role.
The database owner must be a member of the dbcreator fixed server role.
Login account
Slide 10:9
We recommend using a dedicated SQL Server to run the ESG off-box products, that is,
mode 1, to get the best performance.
For mode 1 in particular, you need to install the SQL Server Tools component on
machine (A) in advance. That way the Log Server can work in BCP mode and speed
up log record insertion.
Slide 10:10
Issue B: What might cause the Log Server to fail to receive ESG log
records?
The ESG failed to establish the connection with the Log Server.
Check settings from the TRITON - Email Security: Settings > Report Settings >
Log Server.
Slide 10:11
The Log Database directory must be writable on the remote SQL Server.
The Log Database user must have the permission to run the scripts.
Issue C: What might cause the alert "Log database extract, transform,
and load process is not functioning properly" to occur?
The administrator modified the Log Database system time after installation.
Run the following command and check the value of timeusage (ms):
exec usp_esg_get_job_perf
Slide 10:12
Check the SQL Server log in the SQL Server management studio:
Slide 10:13
The cluster communication IP address cannot connect between the primary and
the secondary nodes.
Set the correct cluster communication IP address for the primary or the
secondary nodes.
Check whether the primary and the secondary can reach each other on TCP port
6671.
The appliances within a cluster are not the same V-Series platform (V10000 G2
or V5000 G2).
Check whether the V10000 platforms and ESG versions are the same for all cluster
nodes:
Slide 10:14
Issue B: When the secondary ESG has crashed and cannot be recovered,
how do I remove it from the cluster?
In the TRITON - Email Security > Setting > General > Email Appliances page,
remove the crashed node from the cluster.
Slide 10:15
Execute the command show cluster to display the current cluster status.
Pay particular attention to the following fields:
Check the system logs from TRITON - Email Security user interface.
Check the system alerts from TRITON - Email Security user interface.
b. \g
Slide 10:16
Hybrid
Issue A: Check if the sync service is running
1. Log in to the ESG Shell as the root user.
2. Run the command ps aux|grep sync_daemon
The console output looks like the following if the sync service is running:
root 2905 0.0 2.6 157692 102220 ? Sl 2010 0:01 /usr/local/sbin/sync_daemon
Issue C: Check if the ESG can access the Hosted sync server
1. Log into the ESG Shell as the root user.
2. Run the command:
grep -i "HES_Sync_server" /usr/local/etc/hes_sync.conf
3. The console output is similar to the following. This is the HES sync server name.
HES_Sync_server = t8-hsync-web.odd.blackspider.com
4. Telnet to the sync server on port 443 as in the example below:
telnet t8-hsync-web.odd.blackspider.com 443
Trying 172.16.167.146...
Connected to t8-hsync-web.odd.blackspider.com (172.16.167.146).
Escape character is '^]'.
The console output shows a successful connection if the ESG can access the Hosted sync
server.
If not, configure the firewall settings to allow HTTPS traffic between the ESG and
HES servers.
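The two hybrid checks above (Issue A, is sync_daemon running; Issue C, which HES sync server is configured) are done by eye on the appliance. The script below is an added example, not Websense code, that performs the same checks on captured text so they run offline against constructed input. It uses the process line and the server name shown on this page; the constructed ps output, the conf fragment (only the HES_Sync_server key is from the page, the other line is made up) and the function names are assumptions. One point it makes explicit: the one-liner ps aux|grep sync_daemon also matches the grep process itself, so a match alone does not prove the daemon is up.

```shell
#!/bin/sh
# Added example, not Websense code: the hybrid sync checks above, run on
# captured "ps aux" output and hes_sync.conf content instead of the live
# appliance.

# is_sync_daemon_running: reads "ps aux" output on stdin and succeeds only
# when the COMMAND column (field 11) is the sync daemon binary itself. The
# "grep sync_daemon" process, which the page's one-liner also matches, is
# therefore not counted.
is_sync_daemon_running() {
    awk '$11 == "/usr/local/sbin/sync_daemon" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# hes_sync_server: reads hes_sync.conf content on stdin and prints the value
# of HES_Sync_server (key matched case-insensitively, like grep -i on the page).
hes_sync_server() {
    awk -F= 'tolower($1) ~ /^[ \t]*hes_sync_server[ \t]*$/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# hybrid_status: one-line summary of both checks.
hybrid_status() {   # $1 = ps output, $2 = hes_sync.conf content
    if printf '%s\n' "$1" | is_sync_daemon_running; then s=running; else s=down; fi
    echo "sync_daemon=$s server=$(printf '%s\n' "$2" | hes_sync_server)"
}

# Constructed ps output: the daemon line from the page plus the grep itself.
PS_RUNNING="USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2905 0.0 2.6 157692 102220 ? Sl 2010 0:01 /usr/local/sbin/sync_daemon
root 4410 0.0 0.0 4120 720 pts/0 S+ 10:02 0:00 grep sync_daemon"

# Constructed ps output where only the grep line matches: the daemon is down.
PS_DOWN="USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 4410 0.0 0.0 4120 720 pts/0 S+ 10:02 0:00 grep sync_daemon"

# Constructed hes_sync.conf fragment with the server name shown on the page;
# the second key is made up for illustration.
HES_CONF="# hybrid sync settings
HES_Sync_server = t8-hsync-web.odd.blackspider.com
sync_interval = 300"

hybrid_status "$PS_RUNNING" "$HES_CONF"   # sync_daemon=running server=t8-hsync-web.odd.blackspider.com
hybrid_status "$PS_DOWN" "$HES_CONF"      # sync_daemon=down server=t8-hsync-web.odd.blackspider.com
```

On the appliance the same functions can be fed live data with ps aux | is_sync_daemon_running and hes_sync_server < /usr/local/etc/hes_sync.conf; the reachability test on port 443 (step 4 above) still has to be done with telnet or an equivalent, since it needs the network.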
Slide 10:17
Username/Password
Account information
Slide 10:18
If Eth0 of the ESG is reachable on port 5820, 8888, 8889 and 9080
If the Policy Engine (PE) service is running on the ESG by the PE service status
Slide 10:19
The message has been quarantined. Why is the link to the DSS incident not in the
ESG message log?
Mark the Audit incident option in the Action Plan of the rules.
Slide 10:20
Quarantine Location
Quarantine Folders
All the quarantine relevant folders are located in the directory /var/spool/postfix/qd/.
They are either used to store quarantined messages, or to store information and
temporary files used by quarantine system.
The following table lists details of the quarantine folders.
qfolder: Queue folders. All quarantined files are stored under this folder. Each
queue has a separate subfolder; for example, the spam queue uses the qfolder/spam
folder. If a queue is using remote storage, the subfolder is a symbolic link with the
same name. For example, if the virus queue is using NFS storage, qfolder/virus is a
symbolic link to the mount point.
qfile/qlink: All quarantined messages are stored here temporarily before they are
put into the destination queue folders. If there are many files under this folder,
the quarantine daemon has probably stopped processing messages.
blacklog: All quarantine requests from the filter module are stored here if the
quarantine daemon stops processing messages.
defer: All logs of "delayed messages" are queued here before they are processed
and inserted into the SQL Server database.
dbsync
emls
delay: If a queue is moving, for example from local storage to remote NFS storage,
incoming emails to this queue are temporarily saved in this folder because the
destination queue folder is unavailable. After the queue move is done, these mails
are flushed into the associated queue folder.
rdelay
failconf: Used to store the last configuration of a queue. If you see a file under
this folder, the queue was either moved or failed to move.
flusher, dlcache: Not used
Configuration File
The configuration file used by the quarantine daemon to connect to the Log Database
is /etc/freetds.conf.
Slide 10:21
Yes.
It is likely to be an issue with the Log Database connection.
Run the command below to check whether the Log Database is connected to
the quarantine daemon:
netstat -anp | grep quarantine_daemon
a. The connection is fine.
The SQL command for inserting quarantine logs may have failed. Start
debugging the quarantine daemon:
- Send another email.
No.
Log in to SQL Server Management Studio to check whether the logs are
inserted into esglogdb76.dbo.esg_detail_quarantine_message and
esglogdb76.dbo.esg_detail_quarantine_recipient.
a. If yes, it is a TRITON - Email Security user interface problem.
Check the tomcat logs on TRITON - Email Security for details.
b. If not, the quarantine daemon may have failed to process messages.
Check whether there are message files under the /qfile/qlink folder;
check whether there are core files under /var/cores.
Why are the numbers of messages on the queue list page and on the message list
page different?
1. Log in to the ESG Shell as the root user.
2. Taking the spam queue as an example, run the following command to calculate the
total number of messages:
find /var/spool/postfix/qd/spam -type f | wc -l
3. Compare the number with the queue list number and the message list number.
If the number is the same as the queue list but different from the message list,
some logs were probably not inserted into the Log Database successfully.
Check the dbsync folder to find these logs.
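The comparison above can be scripted so that the three numbers and the dbsync backlog are read together rather than by hand. The script below is an added example, not Websense code: it builds a constructed stand-in for the quarantine tree in a temporary directory (so it runs on any machine, not only on the appliance), counts files with find -type f, and turns the comparison into a one-line diagnosis. The folder layout follows the table above (qfolder/<queue> and dbsync under the quarantine directory); the queue list and message list numbers, which on the appliance come from the TRITON - Email Security pages, are passed as arguments. The file names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not Websense code: queue-count comparison from the Q&A
# above, run against a constructed copy of the quarantine tree in a
# temporary directory instead of the live /var/spool/postfix/qd.
# Set QD=/var/spool/postfix/qd to run it on an appliance.

QD="${QD:-$(mktemp -d)}"

# build_sample_tree: 5 constructed message files in the spam queue and
# 2 pending log records in dbsync. Idempotent, so it can be re-run.
build_sample_tree() {
    mkdir -p "$QD/qfolder/spam" "$QD/dbsync"
    for i in 1 2 3 4 5; do : > "$QD/qfolder/spam/msg$i.eml"; done
    for i in 1 2; do : > "$QD/dbsync/rec$i.log"; done
}

# count_files: number of regular files under directory $1 (0 if absent).
count_files() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# diagnose_queue: $1 = queue name, $2 = number shown on the queue list page,
# $3 = number shown on the message list page. Prints a one-line diagnosis.
diagnose_queue() {
    files=$(count_files "$QD/qfolder/$1")
    pending=$(count_files "$QD/dbsync")
    if [ "$files" -eq "$2" ] && [ "$files" -ne "$3" ]; then
        # Disk agrees with the queue list but not the message list: some
        # quarantine logs never reached the Log Database; look in dbsync.
        echo "log-insert-gap files=$files dbsync_pending=$pending"
    elif [ "$files" -ne "$2" ]; then
        # Disk and queue list disagree: the queue page itself is stale.
        echo "queue-list-mismatch files=$files queue_list=$2"
    else
        echo "consistent files=$files"
    fi
}

build_sample_tree
diagnose_queue spam 5 3   # log-insert-gap files=5 dbsync_pending=2
diagnose_queue spam 5 5   # consistent files=5
```

The dbsync_pending figure is the practical follow-up: a non-zero backlog there, together with a log-insert-gap diagnosis, points at the Log Database connection rather than at the quarantine daemon.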
When I moved a queue from local storage to NFS, the TRITON - Email
Security user interface shows "Data transfer ongoing" for a very long
time. What happened?
If the ESG works in cluster mode, proceed as follows:
1. Log in to the ESG Shell as the root user.
2. Run the command below to see the queue moving status of each cluster node:
show queuemovestatus
3. Debug the quarantine daemon to check whether the file copy is ongoing.
If you don't see any output for the file copy, cancel the data transfer from the TRITON
- Email Security user interface and try again.
Slide 10:22
System Counters
How do I show the counters in ESG?
1. Log in to the ESG Shell as the root user.
2. Run the following command:
[root@localhost filter]# counter
What is the difference between ESG persistent counters and ESG non-persistent counters?
We can ignore the persistent counters. They have the same values as the non-persistent
counters.
The table below lists the counters and their descriptions for reference.
Counter Name: Description
received_msg
processed_msg
Delivered_msg
Dropped_msg
Quarantined_msg
In_queue_msg
In_deferred_queue_msg
Queue_total/used/freed_space: The three values indicate the disk space that can be
used for message processing
Inb_conn
Inb_reputation_rec
Inb_rbl_rec
Inb_rdns_rec
Inb_spf_rec
Av_hit
Av_clean
Av_err
As_hit
As_clean
As_err
Dlp_hit
Dlp_clean
Dlp_err
Filter_exception
Encrypt
Encrypt_success
Encrypt_fail
Decrypt
Decrypt_success
Decrypt_fail
Hes_dkim_verify
Hes_dkim_pass
Cases in which the counters will not match:
Multiple recipients: the message has multiple recipients and different recipients have
different policies; e.g., some recipients are quarantined and some are delivered.
Exceptions: some counters may be increased twice for a single mail.
Manual operations: for example, reprocessing messages from TRITON - Email Security >
Main > Message Management.
Appendix
The disk space and the network issues could be the most probable reasons.
Health Daemon
Service didn't start
Alert: ALERT_TYPE_SERVICE_DOWN
Message: The {%DyInfo} service is not available
Recovery: No need

Alert: ALERT_TYPE_SERVICE_DOWN
Message: The {%DyInfo} service is not available
Recovery: No need

Message: Restart service:name=%s pid=%d,mem=%f,max=%d,max_ratio=%f,cmd=%s
(service memory exceeds the configured limit; restart it by the configured command)
Alert: No
Recovery: No need

Alert: No
Recovery: No need

Alert: No
Recovery: No need

Description: /dev/xvda1 free space is too little. Health daemon will set the disk
stress flag. MTA will not process email.
Alert: ALERT_TYPE_DISK_STRESS
Message: Adequate amount of free disk space is not available
Action: Health daemon sets the disk stress flag; MTA will not process emails

Description: /dev/xvda2 free space is too little. Health daemon will set the disk
stress flag. MTA will not process email.
Alert: ALERT_TYPE_DISK_STRESS
Message: Adequate amount of free disk space is not available
Action: Health daemon sets the disk stress flag; MTA will not process emails

Description: /dev/xvda1 free inodes is too small. Health daemon will set the disk
stress flag. MTA will not process email.
Alert: ALERT_TYPE_DISK_STRESS
Message: Adequate amount of free disk space is not available
Action: Health daemon sets the disk stress flag; MTA will not process emails
Recovery: Release more disk space. Disk free space is bigger than 1024 * 300

Description: /dev/xvda2 free inodes is too small. Health daemon will set the disk
stress flag. MTA will not process email.
Alert: ALERT_TYPE_DISK_STRESS
Message: Adequate amount of free disk space is not available
Action: Health daemon sets the disk stress flag; MTA will not process emails
Recovery: Release more disk space. Disk free space is bigger than 1024 * 300
Troubleshooting Guide
Log daemon can not send data to data base successfully. /log-defer
has files older than 3 days. Health daemon will set "log stress flag"
and generate warning messages in /var/log/messages. Mta will not
process emails
Trigger condition
Message
Alert
ALERT_TYPE_LOG_STRESS
Email Security log queues contain cache files older than 3 days
Action
Health daemon set the log stress flag, mta will not process emails
Recovery
Check the connection to data base. Clear all files (/log-defer) which
older than 3 days
Quarantine monitor
Description
Trigger condition
Message
DBsync files and sync time is older than 3 days, or files number is
bigger than %d, set quarantine stress
Alert
ALERT_TYPE_QUARANT_STRESS
Email Security quarantine queue contains cache files older than 3
days or too many files
Action
Health daemon set the quarantine stress flag, mta will not process
emails
Recovery
Filter update thread or scanning thread take too long running time.
Health daemon will kill filter and generate warning message in /
var/log/messages
Trigger condition
Message
Filter update running time too long. Current system time is [%lu],
filter update_start time is [%lu]
Filter update thread running time is longer than 20 minute. filter
service was killed by health daemon
Alert
No
Troubleshooting Guide
Action
Recovery
No need
Service share memory dead lock. Health daemon kill the service
Trigger condition
Same service and same function and same line hold the same share
memory lock for too long time
Message
Alert
No
Action
Recovery
No need
Troubleshooting Guide
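Because the stress-flag conditions stop mail flow while the "Alert: No" conditions are self-healing, an operator triaging /var/log/messages wants the two separated quickly. The script below is an added example, not code from the student guide or from Websense. The message texts, alert types and the 20-minute filter update limit come from the table above; everything else is assumed: the syslog envelope, the "healthd" process tag (the real tag may differ), a single space as the separator between name=%s and pid=%d in the restart message, and all values in the constructed sample lines.

```python
"""Classify ESG health daemon messages found in /var/log/messages.

Added example, not code from the Websense student guide or from Websense.
Message texts, alert types and the 20-minute limit come from the health
daemon table. ASSUMED: the syslog envelope, the 'healthd' tag, a space
between name=%s and pid=%d in the restart message, and all sample values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FILTER_UPDATE_LIMIT_SEC = 20 * 60  # the health daemon kills the filter after 20 minutes

# Constructed sample log lines; hostnames, PIDs, times and commands are made up.
SAMPLE_LOG = """\
Mar  3 10:15:02 esg-node1 healthd: The filter service is not available
Mar  3 10:16:40 esg-node1 healthd: Restart service:name=filter pid=4321,mem=1835.5,max=1536,max_ratio=1.2,cmd=service filter restart
Mar  3 10:20:11 esg-node1 healthd: Adequate amount of free disk space is not available
Mar  3 10:21:00 esg-node1 healthd: Email Security log queues contain cache files older than 3 days
Mar  3 10:22:30 esg-node1 healthd: Filter update running time too long. Current system time is [1709461350], filter update_start time is [1709460050]
Mar  3 10:23:00 esg-node1 sshd[999]: Accepted publickey for admin from 10.0.0.5 port 50122
"""


@dataclass
class HealthEvent:
    alert_type: Optional[str]  # ALERT_TYPE_* from the table; None where the table says "Alert: No"
    mta_stops: bool            # True when a stress flag is set and the MTA stops processing mail
    detail: str


# Fixed-text messages from the table: (pattern, alert type, stress flag set?)
FIXED_RULES = [
    (re.compile(r"The (?P<svc>\S+) service is not available"), "ALERT_TYPE_SERVICE_DOWN", False),
    (re.compile(r"Adequate amount of free disk space is not available"), "ALERT_TYPE_DISK_STRESS", True),
    (re.compile(r"Email Security log queues contain cache files older than 3 days"), "ALERT_TYPE_LOG_STRESS", True),
    (re.compile(r"Email Security quarantine queue contains cache files older than 3 days or too many files"),
     "ALERT_TYPE_QUARANT_STRESS", True),
]

# Parameterised messages. Table format: "Restart service:name=%s pid=%d,mem=%f,max=%d,max_ratio=%f,cmd=%s"
RESTART_RE = re.compile(r"Restart service:name=(?P<name>\S+) pid=(?P<pid>\d+),mem=(?P<mem>[\d.]+),"
                        r"max=(?P<max>\d+),max_ratio=(?P<ratio>[\d.]+),cmd=(?P<cmd>.*)$")
# Table format: "Filter update running time too long. Current system time is [%lu], filter update_start time is [%lu]"
FILTER_RE = re.compile(r"Filter update running time too long\. Current system time is \[(?P<now>\d+)\], "
                       r"filter update_start time is \[(?P<start>\d+)\]")


def filter_update_runtime(line: str) -> Optional[int]:
    """Seconds the filter update had been running when the health daemon killed it."""
    m = FILTER_RE.search(line)
    return int(m["now"]) - int(m["start"]) if m else None


def classify(line: str) -> Optional[HealthEvent]:
    """Map one syslog line to a health daemon event, or None if it is unrelated."""
    m = RESTART_RE.search(line)
    if m:
        return HealthEvent(None, False,
                           f"service {m['name']} (pid {m['pid']}) restarted: mem {m['mem']} "
                           f"exceeded max {m['max']}, cmd '{m['cmd']}'")
    runtime = filter_update_runtime(line)
    if runtime is not None:
        return HealthEvent(None, False, f"filter killed: update ran {runtime}s, limit {FILTER_UPDATE_LIMIT_SEC}s")
    for pattern, alert_type, stress in FIXED_RULES:
        m = pattern.search(line)
        if m:
            svc = m.groupdict().get("svc")
            return HealthEvent(alert_type, stress, f"{svc} service down" if svc else alert_type)
    return None


def blocking_alerts(lines: List[str]) -> List[str]:
    """Alert types, in log order, whose stress flag stops the MTA. These need
    operator action (free disk space, fix the database connection, clear /log-defer)."""
    return [ev.alert_type for ev in map(classify, lines) if ev and ev.mta_stops and ev.alert_type]


if __name__ == "__main__":
    for ln in SAMPLE_LOG.splitlines():
        ev = classify(ln)
        if ev:
            print(f"{ev.alert_type or 'no alert':<26} mta_stops={ev.mta_stops!s:<5} {ev.detail}")
```

The restart and filter-kill messages are matched first because their text is parameterised; the fixed-text rules then decide whether an alert type is involved and whether it is one of the stress conditions that halts the MTA. The shared-memory deadlock condition is left out because the table gives no message text for it.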