directQuarantine 2.1 Administration Guide

Administration Guide

Vircom copyright statement

The contents of this manual are for informational use only and are subject to change without notice. Neither Vircom nor anyone else who has been involved in the creation or production of this manual assumes any responsibility or liability for any errors or inaccuracies that may occur in this manual, nor for any loss of anticipated profit or benefits, resulting from the use of this manual.

This manual is protected by copyright laws and international treaties. Your right to copy this manual is limited by copyright law and the terms of your software license agreement. As the software licensee, you may make a reasonable number of copies or printouts, provided they are for your own use. Making unauthorized copies, adaptations, compilations or derivative works for any type of distribution is prohibited and constitutes a punishable violation of the law.

Any references to names of actual companies, products, people and/or data used in screenshots are fictitious and are in no way intended to represent any real individual, company, product, event and/or data unless otherwise noted.

directQuarantine™, modusGate™, modusMail™, modus™ and Sequential Content Analyzer (SCA)™ are all trademarks of Vircom Inc. Windows, Windows Server 2003/2008/2012/2012R2, IIS, Internet Information Server, Windows Exchange Server, Active Directory, Windows SQL and Microsoft Outlook are either registered trademarks or trademarks of Microsoft® Corporation in the United States and/or other countries. Norman, Norman Virus Control and NVC are trademarks of Norman® ASA. McAfee is a registered trademark of McAfee® Inc. All other products or services mentioned in this document are identified by the trademarks or service marks of their respective companies or organizations.

modusGate/modusMail is based on the Professional Internet Mail Services product licensed from the University of Edinburgh.

Certain algorithms used in parts of this software are derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

Copyright © 1995-2013 Vircom Inc.

Vircom Inc., 460 St. Catherine W, Suite 600, Montreal, QC, Canada, H3B 1A7

For more information, contact Customer Support at +1 514.845.8474, Toll-free at 1.888.484.7266, Sales at +1.514.845.1666, Ext. 1 or visit our website at www.vircom.com

Copyright © 2013 by Vircom Inc. All Rights Reserved. 2

www.vircom.com

Introduction

About this manual Introduction

About this manual

Intended audience

This document is written for administrators who will be installing and configuring Vircom’s directQuarantine application in a Windows client-server environment.

Formatting conventions

The following formatting conventions are used in this document.

Acronyms

The following acronyms are used in this guide.

AD = Active Directory

DC = Domain Controller

dQ = directQuarantine

GPO = Group Policy Object

OU = Organizational Unit

VM = Virtual Machine

The text attribute Is used for

Bold New terms defined for the first time.

Hyperlink Clickable links to the referenced topic.

Italic Titles used in cross-references and other Vircom documents.

Franklin Gothic Book font

All output, text labels from a graphic user interface, and for anything you would type into the user interface.

<Key> Keyboard keys, like <Ctrl>, <Alt>, <Shift>, <Del>, etc.


Help and support Introduction

Help and support

Contact Vircom Technical Support team

If you have specific questions concerning the use of one of our products, please contact the Technical Support team at Vircom Inc.

Knowledge Base

For additional information, please see Vircom’s Knowledge Base at: http://kb.vircom.com/kbase

The Knowledge base contains the most recent versions of all modusGate documents, bulletins, fixes and patches, known issues and configuration how-to’s.

Related documents

The documentation set for modusGate can be found on your desktop or by going to Start > Programs > Vircom > modusGate:

modusGate Quick Install Guide

modusGate Release Notes

modusGate Administration Guide

WebQuarantine User Guide

Note that the Select Text button on tool bar at the bottom of this reader program provides the ability to select text for copying and pasting instructions.

Web: http://www.vircom.com

E-mail: [email protected]

Phone: 1.514.845.8474

Toll free: 1.888.484.7266

Fax: 1.514.845.6922

Working hours: 7:30 AM to 6:00 PM EST, Monday-Friday


http://kb.vircom.com/kbase

http://www.vircom.com/

http://www.vircom.com

http://kb.vircom.com/kbase

Application Overview

directQuarantine for Outlook Application Overview

directQuarantine for Outlook

Introduction

directQuarantine is Vircom’s proprietary Outlook add-on that presents a live view of the quarantined messages and all the necessary tools to manage them, using controls that are built right into Outlook. By using directQuarantine, users no longer have to wait hours for summary reports, log into the WebQuarantine to check the contents, or to rely on administrators to release messages on their behalf.

modusGate users who currently receive Quarantine Reports and use WebQuarantine can continue to do so: installing directQuarantine does not replace or disable either application.

Full or trial version

The directQuarantine server application is included with the modusGate installation package, and is installed by default. The program is available for use by licensed users, but also provides a free 30-day trial version.

If you are interested in buying the product, please contact our Sales department at: [email protected].

Upgrading directQuarantine

The upgrade process differs, depending on your current version of directQuarantine. Please check your current version and follow the appropriate instructions below.

Upgrading from version 1.1 or 1.2 > 2.0

You must first uninstall the original client file. If the program had been installed manually, uninstall it manually from the users’ machines before installing the new file.

If the client had been deployed by GPO, use the following instructions:

1 Uninstall the client file using the procedure described at the end of this document: see “Uninstall the application” on page 30.

2 Remove the client file from the shared folder and replace it with the new dQ Client.msi file.

3 Follow the steps outlined in “Install directQuarantine client via a GPO” on page 19 to deploy the new file.

Upgrading from version 2.0 and above

If the client had been deployed by GPO, there’s no need to uninstall the previous version. Please use the following instructions:

1 Place a copy of the new dQ Client.msi file in a shared folder

2 On the Active Directory server, open Group Policy Management

3 Locate and right-click the directQuarantine GPO > Edit

4 Expand User Configuration > Software Settings


directQuarantine for Outlook Application Overview

5 Right-click Software Installation > New > Package., select the newest dQ Client.msi file > Open

6 In Deploy Software: select Advanced > OK

7 In Deployment: select Assigned, Install this application at logon, and Basic > OK

8 In Upgrades: select Required upgrade for existing packages > OK

When users next login, the Outlook clients will receive the new package.

If the client had been installed manually, simply install the new client version to update.

Upgrading from version 1.0

Please contact Vircom’s Technical Support. See “Contact Vircom Technical Support team” on page 5.


Deploying directQuarantine on your network Application Overview

Deploying directQuarantine on your network

Overview

The directQuarantine application is based on a client-server distributed architecture that is designed to support multiple network configurations: both on-premise (local) and hosted. Deployment requires the following modules:

• The directQuarantine server

• The directQuarantine client

The directQuarantine server module must be installed on the modusGate server. It provides a service that establishes a connection between the Microsoft Outlook client and the modus server, and communicates with the quarantine database. Installation is supported on a physical modusGate server or a Virtual Machine.

The directQuarantine client module is installed on the client (or users’) computers. It can be deployed using a Group Policy Object (GPO) in an Active Directory environment, or by manually installing the application. Note that manual client installation is required if using a Terminal Server.

The following sections illustrate the most frequently-used configurations.

On premise modusGate and mail server

In this configuration, both the modusGate and the mail server are located on the local network. directQuarantine Server is installed on the modusGate server, and end-users’ (client) machines are configured to communicate directly with directQuarantine Server using their email address and network login password.

modusGate and Mail Server on the same LAN



Hosted modusGate server

Illustrated in the figures below, the mail server is housed on the client’s own network, and connects to the hosted modusGate server through a firewall.

1: High level view of a hosted network

2: Close-up view of hosted network with remote Active Directory lookup

Requirements for supporting this environment include the following:



• Each client network should have its own Active Directory/Domain Controller server.

– Note: It is possible to deploy the program without AD: please contact [email protected] for details.

• Communication between modusGate and the Active Directory server is handled through port 389 (LDAP) or 3268 (the Global Catalog).

• The client must open the following ports on the local firewall to accept communication from modusGate:

– Inbound Port 389 or 3268 (accordingly): for Active Directory authentication requests

– Port 9000 (or a custom port number): for communication between the client machines and directQuarantine Server (for details, see “Verify the modus server configuration” on page 15).

• The directQuarantine client can either be pushed to the end-users machines using a GPO, or by manually installing the file on the individual machines.

NOTE In a modusGate blockade configuration, directQuarantine must be installed on each modusGate server.

Hosted email service provider network

In this scenario, the Email Service Provider hosts both the modusGate and the Mail Server. The clients communicate with the Mail Server through a firewall.

Hosted modusGate and Mail Server with remote AD/DC Server

Requirements for supporting this environment include the following:



• Each client network should have its own Active Directory/Domain Controller server.

– Note: It is possible to deploy the program without AD: please contact [email protected] for details.

• Communication between modusGate and the Active Directory server is handled through port 389 (LDAP) or 3268 (the Global Catalog).

• The client must open the following ports on the local firewall to accept communication from modusGate:

– Inbound Port 389 or 3268 (accordingly): for Active Directory authentication requests

– Port 9000 (or a custom port number): for communication between the client machines and directQuarantine Server (for details, see “Verify the modus server configuration” on page 15).

• The directQuarantine client file can be installed manually on the individual machines.


Installation

Installing the application Installation

Installing the application

Overview

The directQuarantine installation is composed of two parts: the server and client applications.

• The server application is an installation option with modusGate 5.1 or greater, and is installed by default.

• The client application must be installed and configured separately using the instructions below.

Software requirements

The minimum software requirements for installing the directQuarantine application are depicted in the following table. These requirements are for the server and client applications:

Applicable to Software Description

Server modusGate Must have version 5.1 or greater installed on the server.

.NET Framework Both .NET Framework versions 3.5 SP1 and 4.0 Extended must be installed on the modus server.

directQuarantine Configured to use SQL server version 2005, 2008, 2008 R2, 2012 or SQL Server 2005 Express Edition. The SQL server can either be installed on the modus server or separately.

Active Directory/Domain Controller

Configured on the local or the client network.

Client Microsoft Outlook 2003, 2007, 2010, 2013

Outlook versions 2003 SP3, 2007 SP2, 2010 SP1, 2013 (32-bit and 64-bit) are supported.

.NET Framework Both .NET Framework versions 3.5 SP1 and 4.0 Extended must be installed on the users’ computers where directQuarantine is to be installed.


Installing directQuarantine Installation

Installing directQuarantine

Verify the modus server configuration

Follow the directions below to ensure that your modus server is properly configured to communicate with the client machines.

Step Action

9 Open your modus Administration Console to System > Quarantine Reports.

10 In the WebQuarantine URL field, enter http://127.0.0.1/quarantine (or http://localhost/quarantine if your Network Interface Card is only configured for IPv4 formatted IPs)

• Click Test URL to verify that the connection tests successfully

• If connection is successful click Apply.

• You may instead replace ‘localhost’ with the web server’s IP, or enter an actual web address according to your configuration in IIS. Examples: http://10.10.10.10/quarantine, or http://www.mycompany.com/quarantine.

– This operation is required to support the WebQuarantine link provided in the directQuarantine toolbar in Outlook.

11 directQuarantine server service uses a dedicated port number. By default port 9000 is used. If you must change the port number, follow the remaining steps below. If no change is required, go to the next section, Client install prerequisites.

12 To change the port, use Windows Notepad or another text editor to open the following file, located on your C: drive.

C:\ProgramFiles\Vircom\directQuarantine Server\directQuarantine Server.exe.config

13 Replace 9000 in the line below with the port number that you want to use:<add baseAddress=”http://localhost:9000/modusquarantine”/>

14 Replace 9000 in the line below with the port number that you want to use:<add baseAddress=”http://localhost:9000/authenticate”/>

15 Save the changes and close the file.

• Make note of the port number used: it will be required in the following steps.

16 Open the modusGate Administration Console to System > Services, stop and restart MODUSDQ.



Client install prerequisites

Before beginning the client install, you must configure the following prerequisite settings:

Step Action

1 These steps must be completed before installing the client file - whether it will be done manually or by GPO.

2 Ensure that both .NET 3.5 SP1 and .NET Framework 4.0 Extended are installed on the users’ computers where directQuarantine is to be installed.

• These applications are not included in the directQuarantine client installation package.

3 Create a shared folder on your network that can be accessed by all client machines.

4 Go to Start > (All) Programs > Vircom > modusGate > directQuarantine Client Install, locate the dQ Client.msi file and copy it to the shared folder created in Step 3.

5 Log in to the Domain Controller Server to create a directQuarantineServer ‘user’ account. This account is required to store the modusGate server IP and the port number for the directQuarantine service.

• To add this new user to the Users group, continue with the steps below.

• After completing the setup, you may optionally create a new Organizational Unit (OU) to store this special user account. For these instructions, see Optional: Create an OU for the directQuarantineServer account.

6 Click Start > Programs > Administrative Tools > Active Directory Users and Computers.

7 Expand the domain name to which you want to install the program.

8 Right-click Users and select New > User.

NOTE On SBS Server, the new user account will be added to the Users> SBS Users folder.

9 Enter the following information using the exact names and syntax as given:

• Enter directQuarantineServer in First Name

• Copy and paste it to User Logon Name and click Next.

10 Enter a password of your choice and click Next through the remaining screens to finish the setup.



NOTE It is possible to deploy the client program without AD: please contact [email protected] for details.

11 Right-click the directQuarantineServer user and select Properties > Telephones.

12 Enter the IP address of the modusGate server and the port number to be used by the directQuarantine service in IP phone. For example, 192.168.30.131:9000.

• If you had modified the port number, replace 9000 with your new port number.

• Optional: you can enter additional text in Notes.

Step Action



Optional: Create an OU for the directQuarantineServer account

If you wish to isolate directQuarantineServer from the main Users group, you can create a new Organizational Unit and move the account into the OU. Follow the procedures below:

Firewall configuration

If your are configuring directQuarantine in a Service Provider or hosted environment, the following ports must be open on the firewall:

• Port 9000 (or your custom port number: for remote access to directQuarantine Server.

• Port 389/3268 (as applicable): for remote access to the Active Directory/Domain Controller Server.

Step Action

1 While still in Active Directory Users and Computers, right-click the domain name and select New > Organizational Unit.

2 Enter ExternalApplicationsRepository in Name and click OK.

• You must enter the name and syntax as specified.

3 Do the following:

• Right-click the directQuarantineServer user account

• Select Move > ExternalApplicationsRepository

• Click OK.


Install directQuarantine client via a GPO Installation

Install directQuarantine client via a GPO

Follow the procedure below to create a Group Policy Object (GPO) for installing the directQuarantine client.

It is recommended to deploy the directQuarantine client on a single machine in order to test the installation and connectivity. Once it is successful, deploy it to multiple machines.

Step Action

1 On the Domain Controller Server, open Active Directory > Users and Computers.

2 You may optionally deploy directQuarantine to the domain as a whole, or use an Organizational Unit (OU) that contains the names of the specific users where directQuarantine will be installed.

To deploy to the domain, continue at Step 3 below.

To create a new OU for directQuarantine users, do the following:

• Right-click the domain name and select New > Organizational Unit.

• Enter a name, e.g. directQuarantine, and click OK.

• Right-click the directQuarantine OU, add the user names and click OK.

3 Click Start > Programs > Administrative Tools > Group Policy Management.

4 Right-click the domain name or the directQuarantine OU, select Create and Link a GPO here and click New.

5 Enter a name in New GPO. For example, enter Vircom Addin Client, and click OK.

6 Click the Vircom Addin Client and then click Edit to open the Group Policy Object Editor.

7 Expand User Configuration > Software Settings.

8 Right-click Software Installation > New > Package.

9 Enter the full network path to the dQ Client.msi file. For example, enter \\servername\sharedpath\dQ Client.msi.

10 Select Advanced in Deploy Software and click OK.


Install directQuarantine client via a GPO Installation

Test client-server connectivity

Deploying the client GPO on a single machine provides a setup to test the client-server connectivity. If you experience such a problem, then it is recommended to uninstall the client GPO and then reinstall it again.

11 Click Properties > Deployment and click to select all of the following settings:

• Assigned in Deployment Type

• Install this application at logon in Deployment options

• Basic in Installation user interface options

Click OK to proceed.

12 Click OK to close the Group Policy Object Editor.

• The GPO will execute immediately to push the files to the specified user(s).

Step Action


Install directQuarantine client manually Installation

Install directQuarantine client manually

An alternate method to using a GPO deployment is to install the directQuarantine client manually on the users’ computers. To do this:

NOTE If using a Terminal Server, the client file must be installed manually.

Step Action

1 Complete the prerequisite configuration outlined in Client install prerequisites.

2 On the client machine, log in with an account that has Administrator privileges.

3 Locate the shared folder containing the dQ Client.msi file.

4 Ensure that Outlook is closed and click the dQ Client.msi file to launch the install. Click Next through the remaining screens to finish the install.


Getting Started

Using directQuarantine Getting Started

Using directQuarantine

Initial login

After directQuarantine is installed, users will be prompted to enter their email address and network login password to establish the connection for their email account. The system will auto-display the first email address detected, but if users have multiple email accounts on the local network, they can specify which account to use here.

Quarantine client interface

The directQuarantine application for Outlook enables users to manage their quarantined messages directly from Outlook. The Vircom folder is a mailbox that connects to the modusGate quarantine database.

About quarantine mailbox

The directQuarantine client creates a new mailbox PST file that communicates directly with the modusGate quarantine database. The Vircom root folder connects to a web page that contains the How-To Guide. The directQuarantine sub folder contains the list of quarantined messages. The message list is automatically synchronized and refreshed in the background.

NOTE We recommend disabling Microsoft Outlook’s native Junk email feature on the client machines to avoid conflicting filter behavior and potential confusion.



Viewing message content

Message content can be viewed in the preview pane (if enabled) or by double-clicking the message to open it. Potentially dangerous content such as viruses, phishing, URL links, images and attachments are blocked from view.

When a message contains attachments, the filenames can be seen by clicking on Click here to see attachment information.htm and then the Preview file button.

Deleting messages

Messages can be deleted using the <Delete> key on the keyboard, by using Outlook’s Delete button in the toolbar or the context menu. Deleted messages are moved to the custom Deleted Items folder within the Vircom mailbox. This folder is cleaned automatically during the synchronization process, at which point messages are permanently removed.

NOTE Messages in Deleted Items cannot be undeleted or moved back into the directQuarantine folder. The entire (current) message list can be emptied manually by right-clicking the directQuarantine folder and selecting Empty ‘directQuarantine’ (Outlook 2007) or Delete All (Outlook 2010, 2013). This function is not supported in Outlook 2003.

Message types

Messages inside the directQuarantine folder are categorized by the following list of types. The type value determines which messages can be released using the Outlook interface:

Users with special permission to release Phishing or Forbidden Attachment types of messages must either use the Quarantine Report or the ‘Go to WebQuarantine’ shield icon in the toolbar.

Type Behavior

Spam User is able to release a Spam message.

Phishing User is not able to release a Phishing message. The release option is disabled.

Virus User is not able to release a Virus message. The release option is disabled.

Forbidden Attachment

User is not able to release Forbidden Attachment message. The release option is disabled.

Blocked Sender This is a black-listed email address.

User is not able to release Blocked Sender message. The release option is disabled.

Blocked by Rules This is a custom filter created by the administrator.

User is not able to release Blocked by Rules message. The release option is disabled.



Probability sort order

Messages are visually divided into 2 groups based on the probability of spam content: Low and High. The High group contains typical spam content and is displayed using the default text color (usually black). The Low group, however, is highlighted by the use of blue text to draw users’ attention: this group may contain some false positives.

NOTE Due to limitations with Outlook 2003, the Low/High grouping and blue-highlighted text are not supported. However, the messages are labelled by probability to help users pinpoint items that need attention.

Users can easily release messages from either group by using the release options in the toolbar or the context menu, depending on the type category outlined above.


Managing event logs Getting Started

Managing event logs

Manage quarantine events

The directQuarantine events are logged in text files. Logs are set to report trouble events generated by the client machines and the modusGate server. The file types are categorized by:

• Server logs

• Client logs

• Audit logs

Server logs

The server log file name is composed of the following format: DQ<yyyymmdd>.log, where <yyyymmdd> represent the date when the log file is created. The DQ<yyyymmdd>.log is stored at the following directory:

C:\Program Files\Vircom\directQuarantine Server\log

By default, the log files are configured with the following properties:

• The maximum size of the file is set at 40 MB. A new log file is created when limit is reached.

• A maximum of 10 logs are reported at one time. This limit is set to preserve disk space.

The server log records the following events by default:.

Type Description

Server Service start and stop

Database connection Connection or synchronization issues with the modusQuarantine database

Client connection Communication and connection issues with the client machines.

Client authentication Client authentication issues.

Message action Client message action issues.

Action event Client or server failed action request.


Managing event logs Getting Started

Client logs

The client log file is stored on each client machine, and records only the directQuarantine error events. The Vircom.dQ.Client.log is stored in the user’s machine, at the following directory:

C:\Users\<username>\App Data\Local\Vircom\directQuarantine\Vircom.dQ.Client.log

NOTE User directories are hidden by default in Windows Explorer. To reveal them disable the Hide extensions for known file types feature in Tools > Folder Options then click View and Select the Show hidden files and folders option.

View audit logs

Audit logs are recorded only if the auditing trail is set in the modusGate server. Events of messages released by client requests are then recorded as an audit trail. See the modusGate Administration Guide.


Troubleshooting directQuarantine Getting Started

Troubleshooting directQuarantine

Troubleshooting techniques

The directQuarantine application is designed to log events initiated from the server, the client, the database and the network connections. These logs provide a tracking method to troubleshoot common problems.

Set log level option

Logs are set to record at Error level by default. For troubleshooting scenarios, you might want to track more events. You can do that by setting the log level to All or Debug to allow more details to be recorded.

Follow the procedure below to temporarily set a different log level.

Disable the directQuarantine client

As part of the troubleshooting process, the directQuarantine application can be disabled on a client machine. Follow the procedure to disable the directQuarantine application.

Step Action

1 Go to C:\Program Files\Vircom\directQuarantine Server.

2 Locate the log4net.config file and open it with Notepad or another text editor.

3 Locate the section marked Level, and change it from Error to either All or Debug, and save the change.

4 Stop and restart the MODUSDQ service after changing the level: open the modusGate Administration Console > System > Services.

5 All or Debug logging must be used only temporarily to investigate a specific issue. These settings will record all transactions on the server and client machines, and may cause performance issues while running.

After resolving the issue, you must reset the log to Error level and stop / restart the MODUSDQ service to register the change.

Step Action

1 On a client machine, open Microsoft Outlook.

2 Do the following:

• For Outlook 2007, click Tools > Trust Centre > Add-ins.

• For Outlook 2010, 2013, click File> Options > Add-ins.

• For Outlook 2003, click Tools > Options > Other > Avanced Options > COM Add-ins



3 Make sure that COM Add-ins appears in Manage. Click Go....

4 Uncheck directQuarantine in the list under Add-Ins available:,and click OK.

The Vircom and directQuarantine folders will become hidden.

5 If prompted to do so, restart Outlook.

Step Action



Uninstall the application

The following procedure uninstalls the directQuarantine application from the client computers:

Contact Vircom Support

If you require assistance with any issue, regarding directQuarantine, please contact Vircom’s Technical Support. See “Contact Vircom Technical Support team” on page 5.

Step Action

1 Log in to the Domain Controller Server.

2 Click Start > Programs > Administrative Tools > Group Policy Management.

3 Expand the domain name where the program was installed.

4 Right-click the Vircom Addin Client and select Edit to open the Group Policy Object editor.

5 Expand User Configuration > Software Settings and select Software Installation.

6 Right-click Vircom Addin Client and select All Tasks > Remove.

7 Click to select Immediately uninstall the software from users and computers and click OK.


directQuarantine 2.1 Administration Guide

Documents

Transcript of directQuarantine 2.1 Administration Guide