
© 2010 SafeNet, Inc. All rights reserved.

SafeNet is a registered trademark and SafeNet is a trademark of SafeNet, Inc.


All other product and company names may be the property of their respective owners.
SafeNet Proprietary
Document name: eSafe SmartSuite Deployment Guide
Document revision: 5/17/10, Rev. 8.5.0
Software Version: 8.5.0.25

All intellectual property is protected by copyright. All trademarks and product names used or
referred to are the copyright of their respective owners. No part of this document may be
reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written
permission of SafeNet.
SafeNet makes no representations or warranties with respect to the contents of this document
and specifically disclaims any implied warranties of merchantability or fitness for any
particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to
make changes from time to time in the content hereof without the obligation upon SafeNet to
notify any person or organization of any such revisions or changes.
We have attempted to make these documents complete, accurate, and useful, but we cannot
guarantee them to be perfect. When we discover errors or omissions, or they are brought to
our attention, we endeavor to correct them in succeeding releases of the product.
SafeNet invites constructive comments on the contents of this document. These comments,
together with your personal and/or company details, should be sent to the address below.

SafeNet, Inc.
4690 Millennium Drive
Belcamp, Maryland 21017
USA

Technical Support
If you encounter a problem while installing, registering or operating this product, please make
sure that you have read the documentation. If you cannot resolve the issue, please contact
your supplier or SafeNet support.
SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between SafeNet and your organization.
Please consult this support plan for further information about your entitlements, including the
hours when telephone support is available to you.
Technical Support Contact Information:
Phone: 800-545-6608 (US)
Phone: 410-931-7520 (International)

Email: support@safenet-inc.com
www.safenet-inc.com

Important Note:
Please note that the contents of this guide may change from time to time, to accommodate
new features, corrections, etc. The most recent product documentation can be found in the
following location: www.esafe.com/support/eSafeDocuments.asp
Table of Contents

Chapter 1: Introduction
Preface
Using this guide
Graphical conventions
What’s new in this version?
About eSafe SmartSuite
Web Security Gateway
Mail Security Gateway
Management and Reporting
Flexible Platforms
Product Types and Deployment Modes
Working with eSafe on VMware™
Chapter 2: Installing the eSafe Appliance
Pre-deployment Checklist
Installing the Appliance in Transparent Bridge Mode
Connecting the eSafe Appliance to a Workstation
Accessing the Appliance
Using the Setup Wizard to Configure the Appliance
Installing the Appliance in Proxy Mode
Connecting the eSafe Appliance to a Workstation
Accessing the Appliance
Using the Setup Wizard to Configure the Appliance
Additional Information
Installing the eSafe Appliance in Mail Mode
Connecting the eSafe Appliance to a Workstation
Accessing the Appliance
Using the Setup Wizard to Configure the Appliance
Installing the eSafe Appliance in Router Mode
Connecting the eSafe Appliance to a Workstation
Accessing the Appliance
Using the Setup Wizard to Configure the Appliance
Installing the eSafe Appliance in SSL Mode
Connecting the eSafe Appliance to a Workstation
Accessing the Appliance
Using the Setup Wizard to Configure the Appliance
Installing the eSafe Appliance in ICAP Mode
Connecting the eSafe Appliance to a Workstation
Accessing the Appliance
Using the Setup Wizard to Configure the Appliance
Configuration Procedures
eSafe Web in ICAP Mode with Load Balancing and Fail Over Capabilities
Installing the eSafe Appliance in Router Cluster Mode
Connecting the eSafe Appliance to a Workstation
Accessing the Appliance
Using the Setup Wizard to Configure the Appliance
Chapter 3: Managing the Appliance
About the Appliance Manager
Accessing the Appliance Manager
Status Menu
eSafe Status
System Info
Network Info
Spool Manager
Settings Menu
IP Settings
Host Name and DNS
Setting the Time and Date
Password
Access Control
Log Redirect
Support Menu
General
eSafe Security Center
Viewing Links to eSafe on the Web
Testing Connectivity
Help Index
Connecting the eSafe Appliance to the Network
Adding Firewall Rules
Chapter 4: Working with Security Center
Installing the eSafe Security Center
Logging on to the eSafe Security Center
The eSafe Security Center Main Window
Task Bar / Task Buttons
Appliance Tree
Managing appliances
Dashboard
4Eye View
Track & Care
Selecting a report type
Creating queries
Creating Smart Alerts
Policy Settings
Task Buttons in the Policy Settings Screens
Getting Started
User Access and Permissions
Support
Info
Licensing
Troubleshoot
Resources
Appendix A: Policy Settings
Getting Started in Policy Settings Mode
Config Tab
Protocol Rules
Anti-spam
Spyware/Adware Protection
Content Filters
Email
Objects Tab
FTP and HTTP
SMTP and POP3
Known Vandal File Names
Files for Blocking
URL Filter
Profiles
Policies
Profile Settings
AppliFilter
DLP
Alerts Tab
AppliFilter/Virus Warning Message
URL Filter Warning Message
Gray List Warning
Miscellaneous Parameters
Smart Alerts
Updates Tab
Backing Up and Restoring Data in eSafe
Appendix B: Policy Settings
Backing up via the SmartSuite Security Center
Backing up data via the eSafe Appliance Manager
Restoring Backed Up Data
Backing up and restoring via the Command Line
Backing up to an external location


Chapter 1
Introduction

Welcome to the eSafe SmartSuite Deployment Guide. This guide provides you
with the necessary information to deploy eSafe in your network, along with
information on how to use eSafe to monitor traffic, perform maintenance, and get
technical assistance.

Contents:
• Preface
• What’s new in this version?
• About eSafe SmartSuite
• Product Types and Deployment Modes


Preface

Using this guide


This guide is divided into the following chapters:
• Chapter 1 - Introduction provides an overview of eSafe SmartSuite,
including information on new features in this release, and describes the various
deployment modes.
• Chapter 2 - Installing the eSafe Appliance provides details on installing
the appliance in the various deployment modes.
• Chapter 3 - Managing the Appliance provides details on managing the
appliance via the web-based eSafe Appliance Manager.
• Chapter 4 - Working with eSafe Security Center provides details for
working with eSafe’s management console.
• Appendix A - Policy Settings provides detailed information on the options in
the Policy Settings screen in the Security Center.

Graphical conventions
Please take note of the following conventions used in this guide:
• Text that you must enter appears as follows: example
• A button that needs to be clicked appears in bold, as do menu paths in the
menus. For example: Select Administration | Warning Messages |
Outgoing. Click the Add button.
• The names of menus, dialog boxes, and fields appear in italics: In the Settings
menu, type hello in the Name text box and then click Apply.


What’s new in this version?


eSafe SmartSuite includes the following new features and enhancements:
DLP:
• New DLP capabilities with enhanced features for enforcement, monitoring, and
classification of sensitive files sent via email.
• Supports analysis of more than 150 file types, including:
  • MS Office documents, Open Office, and PDF files
  • HTML, email, source code files
  • Archived files
• New options allow taking specific actions when detecting data that matches the
DLP dictionaries, including:
  • Report: Logs all file properties in the event log.
  • Block: Blocks outgoing files/email.
  • Notify sender: Sends a notification to the email sender (for mail events only).
  • Archive: Archives the file/email in a special repository for later investigation.
  • Forward file/email by email: Forwards the file/email to a special DLP inspector
    email address.
• Includes more than 20 predefined out-of-the-box dictionaries that support Unicode.
• Includes predefined out-of-the-box DLP alerts with predefined Smart Alerts.

Central Management:
• Improved Central Management experience allows getting an instant overview
of what’s happening on the gateway by monitoring traffic, getting alerts,
investigating events, and taking immediate action. The central management
features include:
  • Single sign-on
  • Centralized machine tree with easy navigation between machines
  • Support of data aggregation and statistics for sites/groups/clusters.
  • Central log server
  • Real-time indicators about machine status
  • Advanced role-based administration


Note: Since this version uses the central management and log server, when
installing an eSafe machine, the central management feature must be enabled.


When installing eSafe in a multiple eSafe machine environment (more than one
machine), the central management/log server must be installed as a regular
eSafe machine or as a separate central management/log server. Do not use more
than one central management machine.

P2P issue: By default, the eSafe Security Center connects to the central machine
which allows monitoring and managing all machines in the organization. In case
of an emergency or if you need to manage a specific machine NOT via the eSafe
Security Center management server, you can connect to the machine directly
(with limited capabilities), using the following eSafe management command:
"C:\Program Files\eSafe\eSafeMNG\8.5\esafemng.exe" /log /p2p

Productivity Improvements
• This version includes various Productivity Improvements, including:
  • Controlling and blocking streaming traffic per URL category with profile and
    streaming properties (RTSP, RTP, MMS, Flash, etc.).
  • New warn/gray URL filter categories per policy and overriding rules
    (Coaching).
  • Support for non-inspected SSL sites per URL category. (Only eSafe Web
    SSL)

Monitoring and Reporting


• Enhanced Smart Alerts with granular DLP alerts.
• Allowing fast Smart Alert rule creation when viewing Track & Care events.

Dashboard Enhancements
• Enhanced Dashboard graphic charts with drill-down capabilities by
double-clicking on the chart or legend to see actual events for a specific query.
• Support for “4Eye” log viewing. When viewing information in the Dashboard
and Track & Care screens, users will see anonymous details. In order to see
real data, a secondary administration password is defined (4Eye), allowing
viewing of actual information. For further details, see “4Eye View” on page 87.

User Management
• Proxy authentication to support multiple AD Domains.
• Added a new feature that allows end users to view quarantined email via
Web-based reports, and manage/release quarantined email. This Web-based
quarantine report supports NTLM Authentication and multiple domains.

Globalization Support
• This version includes Unicode support to allow globalization of the Security
Center UI and data.


Performance Enhancements
• This version includes a new results scanning cache.
• Improved web performance using real-time HTTP gzip compression, which allows
real-time extraction and analysis of content that reaches eSafe in
compressed format.
• Improved URL Filter performance using internal cache and restructuring.
• Restructured the AppliFilter engine to improve efficiency and performance.
Note:
This version supports two USBs in all appliances except HG200 which only
recognizes SanDisk 4GB. The GA release will only support one USB.


About eSafe SmartSuite


eSafe SmartSuite delivers on the promise of a realtime smart and simple web and
mail gateway security solution that protects against threats, Web 2.0
cybercriminals and competition. It’s simple and yet powerful. eSafe SmartSuite is
an enterprise-class security solution that is simple to integrate and manage, and
drives business value for organizations. From its initial stage of set up and
through its new fluid task oriented security management center and to advanced
capabilities such as dual security engine and data leak prevention (DLP), eSafe
SmartSuite helps businesses focus on achieving their required results. Offering
realtime, smart inspection of all Web and mail traffic, eSafe SmartSuite also
delivers unmatched performance and scalability. Flexible and robust, eSafe
SmartSuite offers unprecedented reporting and analytics – allowing businesses to
truly customize their security posture and keep their enterprise productive.

Web Security Gateway


The changing Web threat landscape makes it more challenging for organizations
of all sizes to enforce acceptable use policy, ensure protection from malware, and
enable secure access to necessary information. Unfortunately, static technologies
like URL filtering, categorization or signature-based antivirus are no match for
today’s adaptive threats, especially when most malware resides on legitimate
websites.
eSafe Web Security Gateway is the only solution that provides complete
protection. By conducting deep packet inspection of ALL inbound HTTP and FTP
traffic, including legitimate sites with proprietary technologies, eSafe Web
Security Gateway detects and defends against suspicious and malicious code in
realtime without over-blocking. eSafe Web Security gateway prevents all types of
Web-based malicious code from entering the network - spyware, Trojans, viruses,
targeted attacks, worms, and blended threats. eSafe Web Security Gateway
includes the following modules:
AppliFilter™
The tools and technologies that make collaboration and communication easier for
users now provide a new platform for malicious attacks. Because Web-enabled
applications like P2P or IM can bypass existing security solutions, they provide
not only a productivity and data loss concern, but a prime entry point for
malicious threats. eSafe AppliFilter can help your organization control access to
these tools and help protect your valuable network resources from compromise.
AppliFilter detects, tracks and controls Internet traffic and application protocols as
well as malicious software running in your organization, in over 500 categories,
including P2P, IM, and Skype, protecting against Internet-enabled application
threats by providing control over both inbound and outbound communications,
regardless of the port.
URL Filtering
URL filtering is a core part of your security policy, setting business rules and
ensuring that your users are productive during business hours and protected from
the legal liabilities associated with visiting inappropriate sites. eSafe enables you
to enforce your acceptable use policy and keep your employees protected by
categorizing and filtering websites and web pages using one of the largest, most
accurate databases of categorized URLs. A database of over 90 million websites
and 70 categories helps protect users from accessing suspicious and unproductive
websites.


eSafe Data Leak Prevention (DLP)


eSafe Data Monitor is an easy-to-use solution for passive monitoring of business
communications, both external and internal, including Web and mail. It includes
built-in policy templates for data protection and regulatory compliance and for
out-of-the box information forensics.
eSafe assists in identifying who is sending what data where and how, and
provides actionable intelligence to reduce the risk of data loss and to manage
compliance.
Unbeatable Circumvention Prevention
eSafe proactively blocks anonymizers and security circumvention tools based on
their site code and behavior – even if encrypted by SSL protocols. eSafe is the
only solution that completely defeats anonymizers, protecting the integrity of
your network, safeguarding your investment in security and limiting your liability
from employee abuse of resources. Part of a complete Web Solution, eSafe is able
to block 100%* of anonymizers in combination with Web SSL, AppliFilter, and
URL Filtering.
*Aladdin’s Attack Intelligence Research Center (AIRC) blocked 100 percent of
anonymizers in repeated lab tests. Competitive solutions did not stand up to
proxy threats and allowed users to leave the protected network.
eSafe Web SSL
Today, encrypted traffic accounts for up to 30% of Web traffic – traffic that is
invisible to virtually every security product, and represents a growing security
gap for organizations. While encryption does imply greater security, it is no
guarantee of protection. Cybercriminals have now realized that most security
products are blind to encrypted sites, making these sites prime targets for
malware. eSafe SSL provides a complete solution for analyzing encrypted Web
content and includes the capabilities to:
• Enforce acceptable use policy – control access to websites and Web 2.0
applications over a secure connection
• Provide transparent inspection of all encrypted (HTTPS, SSL, TLS) Web traffic
and policy-based certificate validation and authorization
• Control application usage by inspecting and blocking unwanted applications
over SSL.


Mail Security Gateway


For most organizations, email is a vital business tool and one of the primary
methods of business communication and collaboration. Controlling growing
attacks and mitigating mail malware are now critical business issues, and
although most companies have implemented some type of messaging security
solution, incomplete strategies can expose your organization to malware exploits,
as well as create performance and productivity issues.
eSafe Mail Security gateway provides comprehensive messaging security
solutions that block sudden spam, malicious worms and malware outbreaks in
realtime, as they emerge. An industry-leading, award-winning solution with a 99%
spam block rate, eSafe Mail Security Gateway protects against virtually all spam and
malware, without blocking legitimate email.
In addition, comprehensive anti-phishing protection prevents targeted attacks as
phishing elements are stripped from all suspicious email. eSafe innovative spam
management and quarantine self-provisioning features help to reduce both TCO
and IT staff requirements.
Advanced Anti-Spam
eSafe’s Advanced Anti-Spam module provides complete protection, total control
and increased productivity. An industry first, eSafe’s Dual Anti-spam Engines
combine both realtime reputation and deep content analysis technologies into a
single, integrated solution. eSafe Advanced Anti-spam provides best-of-breed
detection and blocking - checking both the context and the content of email
messages for spam attributes and distribution patterns, while providing the only
realtime solution to blocking sudden spam and malware outbreaks as they
emerge.

Management and Reporting


Advanced Reporter
Periodic review and analysis of network traffic is a critical component of your
security program. By monitoring your existing security solution you can identify
areas where you might need to modify your configuration or implement additional
security measures to protect against new threats. eSafe Advanced Reporter
provides you and your security team with the tools you need to evaluate your
current content security, assess your Web policy compliance, and easily
communicate any security issues and justify new requirements. eSafe Advanced
Reporter is based on a centralized system with a graphically rich and easy to use
user interface, and includes interactive dashboards and reports with sophisticated
analysis capabilities. eSafe Advanced Reporter provides over 200 pre-defined
reports, as well as the flexibility to create focused user and group reports,
delivering a robust, out-of-the-box reporting solution to evaluate risks, assess
productivity, and ensure Web policy compliance.
Enterprise-Ready Management and Control
A single security center management platform integrates your security solutions
and data to give you realtime information, so that you can make the right
security decision. Through a streamlined eSafe Security Center and robust
management features, eSafe delivers critical insight into your network, your
users and your policy which allows for enhanced productivity. With centralized
data management and analysis, role-based administration and logging, you can
optimize your security policy, identify the source of attacks, and focus on trouble
spots with both user and group views.

Flexible Platforms
eSafe XG appliance family is a turn-key secure solution available on a wide range
of platforms that meet your business needs. eSafe is also available as a virtual
appliance for 3rd party certified hardware or as a VMware™ virtual appliance
pre-built solution. All eSafe XG appliances are designed to be:
• Simple: eSafe XG appliances are pre-configured with best practices security
policy settings, straightforward setup, and fully customizable to your needs.
• Reliable: Purpose-built, robust and highly reliable, eSafe XG appliances
include high availability and failover technology with a built-in fail bypass
option, as well as firmware restore and upgrade.
• Scalable: A single eSafe XG appliance can support thousands of users, and a
patented, inline cluster mode allows connection of multiple appliances for
transparent load balancing.
• Manageable: eSafe XG appliances feature centralized management through
an intuitive interface console, which provides clear reporting data and access
to essential tools for ongoing review and analysis of network traffic, employee
productivity and policy compliance.


Product Types and Deployment Modes


When installing the appliance, you must decide which product and deployment
mode you wish to install. The product determines the type of traffic that will be
inspected: web traffic, email traffic, or both. The following products are available:
• The Web Security Gateway relies on deep packet inspection of ALL inbound
HTTP and FTP traffic, including legitimate sites, to provide complete protection
against dynamic Web threats. eSafe Web Security Gateway uses proprietary
technologies to detect and defend against suspicious and malicious code in
realtime without over-blocking. eSafe Web Security Gateway prevents all
types of Web-based malicious code from entering the network including
spyware, Trojans, viruses, targeted attacks, worms, and blended threats.
• The Mail Security Gateway provides comprehensive messaging security
solutions that block sudden spam, malicious worms and malware outbreaks in
realtime, as they emerge. eSafe Mail Security Gateway protects against
virtually all spam and malware, without blocking legitimate email.
In addition, comprehensive anti-phishing protection prevents targeted attacks
as phishing elements are stripped from all suspicious email. eSafe innovative
spam management and quarantine self-provisioning features help to reduce
both TCO and IT staff requirements.
After deciding on the product, you must decide on the deployment mode. The
eSafe Appliance can be deployed in the network in the following modes:
• Transparent Bridge Mode
• Proxy Mode
• SSL Mode
• Router Mode
• Forwarding Proxy Mode
• ICAP Mode
• Mail Mode
A description of these modes follows.


Transparent Bridge Mode


Inline bridge mode provides seamless deployment and transparent inspection of
HTTP, FTP, SMTP, and POP3 traffic, as well as application control (for example,
P2P and streaming traffic). Installation is “plug-and-play” and no changes to the
network configuration are necessary. This mode provides scalability and allows
load balancing when installed as a Security Cluster.
In typical networks, eSafe is installed in-line between the firewall and the LAN
and functions as a network bridge or a router, transparently scanning traffic
before forwarding it to the firewall and then to the Internet.

Transparent Bridge Cluster

Several eSafe appliances can be installed in-line and together serve as a network
bridge. In case an appliance fails, its bypass NIC will fail open and other devices
in the cluster will automatically re-synchronize in order to inspect the traffic
instead of the appliance that failed. This mode can be used for eSafe Web and for
eSafe Gateway products.


Proxy Mode
eSafe in Proxy mode allows deploying eSafe as a proxy server that includes all of
eSafe’s content security features. In this mode, eSafe scans HTTP and FTP (over
HTTP) traffic, and has the ability to scan SMTP traffic too. Application control is
possible for HTTP-based applications. This mode allows for seamless integration
with Active Directory and LDAP for authentication of all HTTP traffic.
This mode is easy to implement and does not require any changes to the
network, and physically separates browsing users from the Internet. All users’
browsers need to be configured to browse through the appliance. Scalability is
achieved by using standard round-robin proxy load-balancing methods or via
third party load balancers.


SSL Mode
eSafe in SSL mode is suited to organizations that demand extra security and
acknowledge the fact that an encrypted connection does not guarantee that the
data being transmitted, or the content of an encrypted web page, is free of
malicious code. This mode provides transparent inspection of all encrypted
(HTTPS, SSL, TLS) web traffic and policy based certificate authorization at the
gateway, also blocking anonymizer technologies and tunneling attempts. With
eSafe in SSL mode, all encrypted packets such as encrypted web pages, web-
based email, instant messaging, and chat content, are inspected and blocked if
found to be malicious, before being allowed to enter the enterprise network.
eSafe in SSL mode is installed as an SSL/HTTPS proxy. All users’ browsers must be
configured to use this proxy for surfing encrypted HTTPS/SSL websites. eSafe can
inspect both HTTP and HTTPS traffic on one appliance, for up to 500 users. For
more than 500 users, eSafe must be installed on a dedicated appliance that will
check HTTPS traffic, in addition to the regular eSafe Web appliance that will
inspect unencrypted HTTP.


Router Mode
In this mode, eSafe acts as a router and requires creating a subnet and
reassigning the LAN’s Default Gateway to the internal NIC of the eSafe machine.
The eSafe machine operates as the default gateway and traffic is forwarded to the
firewall and then to the Internet. eSafe transparently scans HTTP, FTP, SMTP, and
POP3 traffic between the LAN and the Internet.

Router Cluster Mode

If you want to replace an existing router or combine eSafe with third party load
balancers - especially in complex networks - we recommend using Router Cluster
Mode. This mode provides seamless deployment and transparent inspection of
HTTP, FTP, SMTP, and POP3 traffic, as well as application control (for example,
P2P and streaming traffic), and ensures that the network is secured even in the
event that all machines are down.
In this mode, several eSafe appliances are installed in parallel and together work
as a cluster. One of the appliances serves as a master router and redirects traffic
to other eSafe appliances for inspection. In case an appliance in the cluster fails,
the master appliance will stop redirecting traffic to it. If the master fails, the next
eSafe appliance will automatically assume the role of the master. This mode can
be used for eSafe Web and for eSafe Gateway products and requires some
changes to the network configuration.


Forwarding Proxy Mode


eSafe serves as a non-caching HTTP proxy in front of an existing caching proxy.
All users’ browsers are configured to browse through this proxy, which in turn
redirects traffic to another caching proxy. This mode is suitable for eSafe Web
only. Unless absolutely necessary, we recommend using either ICAP or Inline with
Proxy modes instead.

ICAP Mode
Networks that include proxy servers that support ICAP (for example Blue Coat
and Cisco) can benefit from eSafe’s Web Security Suite by installing eSafe in ICAP
mode. This can be used in conjunction with proxy servers that support ICAP to
provide content scanning and filtering, and block Internet-based malicious code.
The proxy server (ICAP client) sends content to the eSafe appliance (ICAP server)
where it is inspected for malicious content. Since the ICAP protocol includes built-
in provisioning for load-balancing, several eSafe appliances can be connected to
create a cluster which can support a large number of users.


Mail Mode
eSafe in SMTP relay mode provides comprehensive email security to protect
organizations from email-borne security threats and maximize productivity. eSafe
detects and blocks viruses, exploits, malicious code, spam, cookies, malicious
content found in Office documents, and hacker attacks, without blocking
legitimate emails. This mode provides flexibility by allowing granular control of
the varying security needs of different groups or users within the company.
In this mode, the eSafe Appliance is installed in the DMZ (demilitarized zone) as a
secure SMTP relay, effectively shielding the internal network and mail servers
from the outside world. All inbound and outbound email is inspected before being
forwarded to the destination. In addition to the regular mail relay functions, it
also includes anti-relay/spamming/bombing mechanisms.

Working with eSafe on VMware™

eSafe is available as a pre-built VMware™ virtual appliance solution. Installing
eSafe on VMware makes it possible to “virtually” support any new VMware-supported
HW platform (with minimum hardware requirements). Currently eSafe
supports operation with VMware ESXi 3.5.
The following deployment modes can be installed on VMware:
• eSafe Mail
• eSafe SSL
• eSafe Proxy
Installing eSafe on VMware is especially suited to small to medium organizations.
In the chapters that follow, you will find instructions for installing each of the
deployment modes described in this section.



Chapter 2
Installing the eSafe Appliance

This chapter provides details on installing the eSafe Appliance in various
deployment modes, from connecting a workstation for initial setup to placing the
appliance in the network after installation. Follow the instructions specific to the
mode you wish to install. Before you install the appliance, we recommend
completing the checklist to help you get started.

Contents:
• Pre-deployment Checklist
• Installing the Appliance in Transparent Bridge Mode
• Installing the Appliance in Proxy Mode
• Installing the eSafe Appliance in Mail Mode
• Installing the eSafe Appliance in Router Mode
• Installing the eSafe Appliance in SSL Mode
• Installing the eSafe Appliance in ICAP Mode
• Installing the eSafe Appliance in Router Cluster Mode


Pre-deployment Checklist
Before you proceed, take note of the following questions that will assist you in
deciding which product and deployment mode you wish to install.

Do you want to inspect Web, Mail or Web and Mail traffic? If you want to inspect
both Web and Mail traffic, do you want to do this on the same appliance or on two
dedicated appliances?
• Web
• Mail
• Web & Mail

Which deployment mode would you like to use? For more details on the various
modes, see the “Product Types and Deployment Modes” section.
Deployment mode:

Allocate an IP address to the eSafe Appliance, and for the management interface
(mandatory).
Note: XG110 does not require a management address.
Appliance IP address:
Management IP address:

What is the IP address of your network’s DNS?
DNS IP address:

What is the IP address of your network’s Default Gateway?
DG IP address:

Which directory services (e.g. LDAP) are used in your network and where are the
containers located?
LDAP/AD Server IP address:

What is the IP address of the organization’s mail server?
Mail server IP address:

What is the administrator’s email address for receiving alerts?
Administrator email address:

Do you require comprehensive security reports?
Follow this link to learn more about the eSafe Advanced Reporter.


Installing the Appliance in Transparent Bridge Mode
In Transparent Bridge Mode, the appliance is connected to the network via two
network ports as an inline connection between the internal network and the
Internet ports, and via a dedicated management port. In this mode, eSafe
transparently scans traffic before forwarding it to the firewall and then to the
Internet. This mode requires minimal configuration.
Note: To install eSafe in Transparent Bridge Cluster mode, follow the instructions for
installing in regular bridge mode.

Connecting the eSafe Appliance to a Workstation


Connect the appliance to a workstation in order to perform basic configuration.
1. Prepare a Windows-based workstation/laptop for initial configuration with
IE 6.0 or above.
2. Plug one end of a crossover cable into the MNG (management) port (Eth0) on
the appliance and the other end of the crossover cable into the Ethernet port of
the workstation you prepared in the previous step.

3. Connect the power cable to the appliance and to a power source.

4. Turn on the appliance and the workstation.

Accessing the Appliance


Note: The appliance’s default IP address is 10.0.0.1/24.
1. Verify that the workstation’s IP address is in the same subnet as the appliance.
2. On the workstation, open the browser (IE v.6 or above) and access the
appliance at https://10.0.0.1:37233. A security alert appears.

3. Accept the security alert in order to continue. The Login page appears.

4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).

The Configuration Wizard will start automatically and the Welcome screen will
appear.

Using the Setup Wizard to Configure the Appliance


1. In the Welcome screen, click Next to display the License Agreement page.
2. Read the License Agreement and click I Accept. Click Next to display the
Choose Product and Deployment Mode page. Take note that:

• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.

• The Central Management Server option allows defining a central eSafe
machine that collects all eSafe events (traffic, system, DLP, etc.) from
multiple eSafe machines and saves them to a local database for in-depth
monitoring and analysis.

3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway and/or Mail Security Gateway, in order to
inspect web and/or mail traffic.

4. From the Choose deployment mode drop-down list, select Transparent
Bridge.

5. Select the Central Management Server check box if you want this machine
to be a central machine.


6. Click Next to display the Network Settings page.

Note: Depending on the type of appliance, you may be able to connect to the appliance via
network cards other than Eth0.
7. Define the following network settings to enable the eSafe Appliance to
communicate with the network:

• Under Appliance IP settings, enter the management IP address and
netmask that you have assigned to the eSafe Appliance. This must be a
valid IP address from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• Select the Disable High Availability NIC features check box if you do
not want to allow the fail open feature when the appliance is down.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
8. Click Next. The Password page appears.


9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).

10. Click Next to display the Set Time and Date page.

11. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.

12. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.

13. Select the Enable Extended HB Information check box to allow the
appliance to send information on the status of the eSafe components to the
eSafe Operations Center for analysis.

14. Click Next to display the Finish page.

15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.


Installing the Appliance in Proxy Mode


In this mode, eSafe is deployed as a proxy server that harnesses eSafe’s content
security features. eSafe scans HTTP and FTP (over HTTP) traffic, and can also
scan SMTP traffic. Application control is possible for HTTP-based applications. This
mode allows for seamless integration with Active Directory and LDAP for
authentication of all HTTP traffic.

Connecting the eSafe Appliance to a Workstation


Connect the appliance to a workstation in order to perform basic configuration.
1. Prepare a Windows-based workstation/laptop for initial configuration with
IE 6.0 or above.
2. Plug one end of a crossover cable into the MNG (management) port (Eth0) on
the appliance and the other end of the crossover cable into the Ethernet port of
the workstation you prepared in the previous step.

3. Connect the power cable to the appliance and to a power source.

4. Turn on the appliance and the workstation.

Accessing the Appliance


Note: The appliance’s default IP address is 10.0.0.1/24.
1. Verify that the workstation’s IP address is in the same subnet as the appliance.
2. On the workstation, open the browser (IE v.6 or above) and access the
appliance at https://10.0.0.1:37233. A security alert appears.

3. Accept the security alert in order to continue. The Login page appears.

4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).

The Configuration Wizard will start automatically and the Welcome screen will
appear.

Using the Setup Wizard to Configure the Appliance


1. In the Welcome screen, click Next to display the License Agreement page.
2. Read the License Agreement and click I Accept. Click Next to display the
Choose Product and Deployment Mode page. Take note that:

• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.

• The Central Management Server option allows defining a central eSafe
machine that collects all eSafe events (traffic, system, DLP, etc.) from
multiple eSafe machines and saves them to a local database for in-depth
monitoring and analysis.

3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.

4. From the Choose deployment mode drop-down list, select eSafe Proxy.

5. Select the Central Management Server check box if you want this machine
to be a central machine.


6. Click Next to display the Network Settings page.

7. Define the following network settings to enable the eSafe Appliance to
communicate with the network:

• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.


8. Click Next. You will be prompted to define proxy parameters.

9. In the eSafe Proxy Parameters page, you must define settings for connecting
to the proxy:

• Listening Port: This is the port on which the proxy will listen. The default is
8080.

• Enable Parent Proxy: Select this option to enable use of a parent proxy.
Define the proxy hostname and port.

• Click the Force using parent proxy checkbox if the eSafe machine does
not have a direct Internet connection and requires a parent proxy.

• Enable Cache: Select this checkbox to enable caching of traffic. Define the
maximum size of the cache.

• Enable WCCP: WCCP support enables transparent redirection of traffic to
eSafe via Cisco, and other routers and switches. Select the Enable WCCP
check box to enable traffic redirection. You will then be prompted to choose
the relevant radio button to define whether traffic will be redirected to a
switch or router.

• Next to WCCP machine name, enter the IP address of the switch/router.


• Next to WCCP port, enter the port that eSafe will listen to.


10. Click Next. You will be prompted to select the authentication type.

From the drop-down list, select the authentication method:


• No authentication: When authentication is disabled, the proxy is open and
available to all machines where eSafe is defined as a proxy server. eSafe is
unable to identify users in this case.

• NTLM Authentication Settings: Allows integrating/authenticating against
the Microsoft Active Directory. Only domain users are able to connect to
eSafe Proxy. Define the following:

• Host Name: Define the eSafe machine name.


• Domain Name: Define the domain in which eSafe will be located.
• AD Server: Define the Active Directory server name along with the
password server name and Wins server name. (These values are usually
the same.)
• Samba Group: Define the workgroup name.
• Password Server: Usually the domain controller.


• Wins Server: WINS server of the company. Usually the domain controller.

• Basic (LDAP): Allows connecting to the organization's LDAP server and
validating credentials at the server. Define the following:

• Basic Realm: Part of the text the user will see when prompted for their
username and password.
• Server Location: Define the IP address of the Active Directory or LDAP
server.
• Base DN: Define the distinguished name of the root from which user/group
details will be taken.
• Bind DN: Define a user name to allow access to the LDAP server.
• Bind Password: Define the password to connect to the server.
• Search filter: Define expressions to search the user data.

• Basic (Text): This method uses a standard Linux user name and password
file.

• File path: Enter the path to the file.

Note: Please refer to the information at the end of this section regarding Creating a “Flat
File” for authenticating users with eSafe Proxy mode.
11. Define the settings and click Next. The Password page appears.


12. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
be prompted to change the root password (first time installation only).

13. Click Next to display the Set Time and Date page.

14. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.

15. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.

16. Select the Enable Extended HB Information check box to allow the
appliance to send information on the status of the eSafe components to the
eSafe Operations Center for analysis.

17. Click Next to display the Finish page.

18. Click Apply and Shutdown. The appliance is now ready for connection to the
network.


Additional Information
Creating a “Flat File” for authenticating users in eSafe Proxy mode
In scenarios where the user credential information is not available as part of a
supported directory service (such as Open LDAP or Active Directory), eSafe
supports user authentication for browsing through the Proxy server based on an
internal user and password list file known as a “Flat File”.
When using eSafe Proxy mode with the “Flat File” authentication method, please
note the following points and guidelines in order for the authentication to work
properly:
1. The flat file should be created with a program that creates htpasswd files. There
are various programs and websites that can create *.passwd files (for example,
http://www.htaccesstools.com/htpasswd-generator-windows/).
2. After creating the flat file, it should be copied to eSafe under: /opt/eproxy/

3. Permissions for the flat file should be changed to: chmod 666 users.htpasswd

4. Restart the Squid service (service squid restart) and then restart the
eSafe service (service esafe restart).

5. In order for eSafe to identify the authenticated users (for profiles), define
“manual” users via the eSafe Security Center, that have the same credentials
as in the flat file.

When a user attempts to browse the Internet, a prompt for entering their user
name and password will automatically appear.
Please note that any time the flat file is updated, the Squid and eSafe services
should be restarted as outlined in step 4 above.
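
The flat-file procedure above, as an added example that is not part of the original guide or of the product: a shell function that lints a users.htpasswd file before it is copied to /opt/eproxy/, reporting malformed lines, duplicate user names, and hash fields that are unsalted SHA-1, DES crypt or unrecognized (possibly plaintext). The function names, the constructed sample entries and the choice of which schemes to flag are assumptions; the guide does not state which htpasswd hash formats the appliance accepts.

```shell
#!/bin/sh
# Added example, not SafeNet code. Lints an htpasswd-style flat file before it
# is copied to the appliance. Prints one finding per problem line and a final
# summary line; returns 0 when the file is clean and 1 otherwise.
lint_htpasswd() {
    awk -F: '
        /^[ \t]*$/ { next }                      # ignore blank lines
        {
            user = $1
            hash = substr($0, length(user) + 2)  # everything after the first colon
            if (NF < 2 || user == "" || hash == "" || user ~ /[ \t]/) {
                printf "line %d: malformed entry\n", NR
                malformed++
                next
            }
            entries++
            if (seen[user]++) {
                printf "line %d: duplicate user %s\n", NR, user
                duplicates++
            }
            # Classify the hash field by its well-known htpasswd prefix.
            if (substr(hash, 1, 6) == "$apr1$")        scheme = "apr1-md5"
            else if (substr(hash, 1, 4) == "$2y$" ||
                     substr(hash, 1, 4) == "$2a$" ||
                     substr(hash, 1, 4) == "$2b$")     scheme = "bcrypt"
            else if (substr(hash, 1, 5) == "{SHA}")    scheme = "sha1-unsalted"
            # A 13-character value in the crypt alphabet is treated as DES crypt;
            # a plaintext password of that shape cannot be told apart from one.
            else if (length(hash) == 13 &&
                     hash ~ "^[./0-9A-Za-z]+$")        scheme = "des-crypt"
            else                                       scheme = "unrecognized"
            # Assumption: these three classes are the ones worth flagging.
            if (scheme == "sha1-unsalted" || scheme == "des-crypt" ||
                scheme == "unrecognized") {
                printf "line %d: user %s has a %s hash field\n", NR, user, scheme
                weak++
            }
        }
        END {
            printf "entries=%d duplicates=%d malformed=%d weak=%d\n",
                   entries, duplicates, malformed, weak
            exit (duplicates + malformed + weak > 0)
        }
    ' "$1"
}

# Constructed sample input: the hash fields are placeholders, not real hashes.
write_sample_flat_file() {
    cat > "$1" <<'EOF'
alice:$apr1$CONSTRUC$0000000000000000000000
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol:$2y$05$CONSTRUCTEDCONSTRUCTEDCONSTRUCTEDCONSTRUCTEDCONSTRUCT

alice:$apr1$CONSTRUC$1111111111111111111111
dave
erin:hunter2
EOF
}

# Demonstration run on the constructed sample.
sample=$(mktemp)
write_sample_flat_file "$sample"
lint_htpasswd "$sample" || echo "Resolve the findings before copying the file to /opt/eproxy/."
rm -f "$sample"
```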


Installing the eSafe Appliance in Mail Mode


This mode allows deploying eSafe as an MX email relay at the gateway providing
anti-spam, antivirus, anti-malware and deep content security features. In this
mode, eSafe scans all incoming and outgoing SMTP traffic. This mode allows for
seamless integration with Active Directory and LDAP for assigning different user
and group policies for antispam and content filtering.

Connecting the eSafe Appliance to a Workstation


Connect the appliance to a workstation in order to perform basic configuration.
1. Prepare a Windows-based workstation/laptop for initial configuration with
IE 6.0 or above.
2. Plug one end of a crossover cable into the MNG (management) port (Eth0) on
the appliance and the other end of the crossover cable into the Ethernet port of
the workstation you prepared in the previous step.

3. Connect the power cable to the appliance and to a power source.

4. Turn on the appliance and the workstation.

Accessing the Appliance


Note: The appliance’s default IP address is 10.0.0.1/24.
1. Verify that the workstation’s IP address is in the same subnet as the appliance.
2. On the workstation, open the browser (IE v.6 or above) and access the
appliance at https://10.0.0.1:37233. A security alert appears.

3. Accept the security alert in order to continue. The Login page appears.

4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).

The Configuration Wizard will start automatically and the Welcome screen will
appear.

Using the Setup Wizard to Configure the Appliance


1. In the Welcome screen, click Next to display the License Agreement page.
2. Read the License Agreement and click I Accept. Click Next to display the
Choose Product and Deployment Mode page. Take note that:

• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.

• The Central Management Server option allows defining a central eSafe
machine that collects all eSafe events (traffic, system, DLP, etc.) from
multiple eSafe machines and saves them to a local database for in-depth
monitoring and analysis.


3. Under Choose Product, select the Secured Gateway check box and then
select Mail Security Gateway, in order to inspect web and/or mail traffic.

In the Choose deployment mode drop-down list, the SMTP Relay option will
be selected automatically.
4. Select the Central Management Server check box if you want this machine
to be a central machine.


5. Click Next to display the Network Settings page.

Note: Depending on the type of appliance, you may be able to connect to the appliance via
network cards other than Eth0.
6. Define the following network settings to enable the eSafe Appliance to
communicate with the network:

• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
• Under SMTP Client Identification, define the string the appliance will use
for identification purposes when communicating with SMTP clients that
use the helo command. It is recommended that this string is the same
as the appliance name.
7. Click Next. The Mail Servers page appears. You must define all the network's
internal mail servers to enable scanning SMTP traffic. You must also include
the port number that will be used to listen to SMTP traffic (the default is port
25). If the server has a backup machine, you can define more than one IP
address for that server.

• Click Add to define the domain name and IP address(es) of each mail server
in the network that will be protected.

8. Click Next. The Password page appears.


9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).

10. Click Next to display the Set Time and Date page.

11. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.

12. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.

13. Select the Enable Extended HB Information check box to allow the
appliance to send information on the status of the eSafe components to the
eSafe Operations Center for analysis.

14. Click Next to display the Finish page.

15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.


Installing the eSafe Appliance in Router Mode


In this mode, eSafe is installed in-line between the firewall and the LAN and
functions as a network router. This mode requires definition of the appliance
interfaces and some configuration changes.

Connecting the eSafe Appliance to a Workstation


Connect the appliance to a workstation in order to perform basic configuration.
1. Prepare a Windows-based workstation/laptop for initial configuration with
IE 6.0 or above.
2. Plug one end of a crossover cable into the MNG (management) port (Eth0) on
the appliance and the other end of the crossover cable into the Ethernet port of
the workstation you prepared in the previous step.

3. Connect the power cable to the appliance and to a power source.

4. Turn on the appliance and the workstation.

Accessing the Appliance


Note: The appliance’s default IP address is 10.0.0.1/24.
1. Verify that the workstation’s IP address is in the same subnet as the appliance.
2. On the workstation, open the browser (IE v.6 or above) and access the
appliance at https://10.0.0.1:37233. A security alert appears.

3. Accept the security alert in order to continue. The Login page appears.

4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).

The Configuration Wizard will start automatically and the Welcome screen will
appear.

Using the Setup Wizard to Configure the Appliance


1. In the Welcome screen, click Next to display the License Agreement page.
2. Read the License Agreement and click I Accept. Click Next to display the
Choose Product and Deployment Mode page. Take note that:

• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.

• The Central Management Server option allows defining a central eSafe
machine that collects all eSafe events (traffic, system, DLP, etc.) from
multiple eSafe machines and saves them to a local database for in-depth
monitoring and analysis.

3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.

4. From the Choose deployment mode drop-down list, select Other Modes. In
the page that appears, select eSafe Router from the drop-down list.

5. Select the Central Management Server check box if you want this machine to
be a central machine.

6. Click Next to display the Network Settings page.

Note: Depending on the type of appliance, you may be able to connect to the appliance via
network cards other than Eth0.
7. Define the following network settings to enable the eSafe Appliance to
communicate with the network:

• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• Select the Disable High Availability NIC features check box if you do
not want to allow the fail open feature when the appliance is down.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
8. Click Next. The Password page appears.

9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).

10. Click Next to display the Set Time and Date page.

11. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.

12. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.

13. Select the Enable Extended HB Information check box to allow the
appliance to send information on the status of the eSafe components to the
eSafe Operations Center for analysis.

14. Click Next to display the Finish page.

15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.

Chapter 2 - Installing the eSafe Appliance in SSL Mode

Installing the eSafe Appliance in SSL Mode


This mode provides transparent inspection of all encrypted (HTTPS, SSL, TLS)
web traffic and policy-based certificate authorization at the gateway, also blocking
anonymizer technologies and tunneling attempts. eSafe in SSL mode is installed
as an SSL/HTTPS proxy. All users’ browsers must be configured to use this proxy
for surfing encrypted HTTPS/SSL websites.

Connecting the eSafe Appliance to a Workstation


Connect the appliance to a workstation in order to perform basic configuration.
1. Prepare a Windows-based workstation/laptop for initial configuration with
IE 6.0 or above.
2. Plug one end of a crossover cable into the MNG (management) port (Eth0) on
the appliance and the other end of the crossover cable into the Ethernet port of
the workstation you prepared in the previous step.

3. Connect the power cable to the appliance and to a power source.

4. Turn on the appliance and the workstation.

Accessing the Appliance


Note: The appliance’s default IP address is 10.0.0.1/24.
1. Verify that the workstation’s IP address is in the same subnet as the appliance.
2. On the workstation, open the browser (IE v.6 or above) and access the
appliance at https://10.0.0.1:37233. A security alert appears.

3. Accept the security alert in order to continue. The Login page appears.

4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).

The Configuration Wizard will start automatically and the Welcome screen will
appear.

Using the Setup Wizard to Configure the Appliance


1. In the Welcome screen, click Next to display the License Agreement page.
2. Read the License Agreement and click I Accept. Click Next to display the
Choose Product and Deployment Mode page. Take note that:

• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.

• The Central Management Server option allows defining a central eSafe
machine that collects all eSafe events (traffic, system, DLP, etc.) from
multiple eSafe machines and saves them to a local database for in-depth
monitoring and analysis.

3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.

4. From the Choose deployment mode drop-down list, select Other Modes. In
the page that appears, select eSafe Web SSL from the drop-down list.

5. Select the Central Management Server check box if you want this machine
to be a central machine.

6. Click Next to display the Network Settings page.

7. Define the following network settings to enable the eSafe Appliance to
communicate with the network:

• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
8. Click Next. You will be prompted to define SSL proxy parameters.

• Next to eSafe Web SSL Proxy Port, enter the proxy port.

• Select whether the proxy Internet connection is Direct or via a Parent Proxy
or IP address.

If you select parent proxy, define the IP address and port that will be used to
connect to the parent proxy.
9. Click Next. The Password page appears.

10. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).

11. Click Next to display the Set Time and Date page.

12. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.

13. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.

14. Select the Enable Extended HB Information check box to allow the
appliance to send information on the status of the eSafe components to the
eSafe Operations Center for analysis.

15. Click Next to display the Finish page.

16. Click Apply and Shutdown. The appliance is now ready for connection to the
network.

Important Note:
In order to avoid errors when accessing the eSafe Appliance Manager in the
future, follow the steps below:
1. Run Internet Explorer.
2. Select Tools | Internet Options | Connections | LAN settings | Advanced.
3. Under Exceptions, add the eSafe machine IP address to the exceptions list.

Chapter 2 - Installing the eSafe Appliance in ICAP Mode

Installing the eSafe Appliance in ICAP Mode


Internet Content Adaptation Protocol (ICAP) is an open HTTP-based protocol that
enables dynamic scanning and modification of web content. To achieve this, ICAP
clients pass HTTP-based content to the ICAP servers for manipulation. The
content is standardized and can be leveraged to help deliver value-added
services, such as content filtering, virus scanning, and content translation.
eSafe Web can be used in conjunction with proxy servers that support ICAP (such
as Blue Coat Systems) to provide content scanning and filtering, and repair
Internet-based malicious code. The proxy server (ICAP client) sends content to
the eSafe Web machine (ICAP server) for scanning, based on the rules defined in
eSafe. This mode allows creating a cluster for scalability.

Connecting the eSafe Appliance to a Workstation


Connect the appliance to a workstation in order to perform basic configuration.
1. Prepare a Windows-based workstation/laptop for initial configuration with
IE 6.0 or above.
2. Plug one end of a crossover cable into the MNG (management) port (Eth0) on
the appliance and the other end of the crossover cable into the Ethernet port of
the workstation you prepared in the previous step.

3. Connect the power cable to the appliance and to a power source.

4. Turn on the appliance and the workstation.

Accessing the Appliance


Note: The appliance’s default IP address is 10.0.0.1/24.
1. Verify that the workstation’s IP address is in the same subnet as the appliance.
2. On the workstation, open the browser (IE v.6 or above) and access the
appliance at https://10.0.0.1:37233. A security alert appears.

3. Accept the security alert in order to continue. The Login page appears.

4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).

The Configuration Wizard will start automatically and the Welcome screen will
appear.

Using the Setup Wizard to Configure the Appliance


1. In the Welcome screen, click Next to display the License Agreement page.
2. Read the License Agreement and click I Accept. Click Next to display the
Choose Product and Deployment Mode page. Take note that:

• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.

• The Central Management Server option allows defining a central eSafe
machine that collects all eSafe events (traffic, system, DLP, etc.) from
multiple eSafe machines and saves them to a local database for in-depth
monitoring and analysis.

3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.

4. From the Choose deployment mode drop-down list, select Other Modes. In
the page that appears, select eSafe ICAP from the drop-down list.

Note: By default, eSafe Web is configured to listen for ICAP traffic on port 1344. If
necessary, it is possible to change this port via the esafenipca.ini file, located in Program
Files/eSafe. In the [proxy] section, change the value next to the [proxylisten port] key.
5. Select the Central Management Server check box if you want this machine
to be a central machine.

6. Click Next to display the Network Settings page.

7. Define the following network settings to enable the eSafe Appliance to
communicate with the network:

• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
8. Click Next. The Password page appears.

9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).

10. Click Next to display the Set Time and Date page.

11. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.

12. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.

13. Select the Enable Extended HB Information check box to allow the
appliance to send information on the status of the eSafe components to the
eSafe Operations Center for analysis.

14. Click Next to display the Finish page.

15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.

16. Follow the steps in the next section to configure the Blue Coat proxy server to
work with eSafe.

Configuration Procedures
The proxy server (ICAP client) must be configured to send all HTTP traffic to the
eSafe Web (ICAP server) machine for scanning.
eSafe Web for ICAP supports operation with the Blue Coat proxy server. Use the
instructions that follow to configure the proxy server.
Configuring the Blue Coat Systems Proxy Server
Make sure that you install the latest version of the Blue Coat Systems proxy
server, or upgrade to the latest version (SGOS: 2.1.10 – Release ID: 20570, or
higher).
To install the proxy server, follow the instructions in the relevant Blue Coat
Systems documentation. Once installed, you must configure the ICAP service.

To create and configure an ICAP service using the Management Console:


1. In the Blue Coat Systems proxy server, select Management Console | External
Services | ICAP Services.

2. Click New. The Add List Item dialog appears.

3. In the ICAP service name field, enter an alphanumeric name. Click OK.

4. Select the new ICAP service name and click Edit. The Edit ICAP Service dialog
appears.

5. Next to Service URL, enter the ICAP server URL (i.e. the eSafe Web IP
address), written in the following format: icap://(eSafe IP)/respmod, as
illustrated in the picture above.

6. Click the Sense Settings button. This will allow the server to automatically
acquire all default settings that are required to communicate with eSafe.

7. Click OK to save the settings and then click Apply.

8. Repeat steps 2-7; in step 5, enter the ICAP server URL as follows:
icap://(eSafe IP)/reqmod. Select request modification as the method
supported.

9. To improve eSafe ICAP performance and reliability, we recommend only
scanning necessary file/MIME types, and bypassing unnecessary types
(e.g. .gif, .jpg, .pdf). This can be configured in the ICAP client Policy Manager.

eSafe Web in ICAP Mode with Load Balancing and Fail Over Capabilities
Most ICAP clients include the ability to work with multiple ICAP servers to provide
load balancing and fail over capabilities. To enable load balancing and fail over
with eSafe Web in ICAP mode, you can install multiple eSafe machines and then
configure the ICAP client to perform load balancing and fail over between the
various machines.
Detailed information on configuring the ICAP client to perform load balancing and
fail over can be found in the proxy server manufacturer’s documentation.

Chapter 2 - Installing the eSafe Appliance in Router Cluster Mode

Installing the eSafe Appliance in Router Cluster Mode
This mode allows installing several eSafe appliances in parallel to work together
as a cluster, ensuring that the network is secured even in the event that all
machines are down. This mode provides seamless deployment and transparent
inspection of web and/or mail traffic, as well as application control. This mode
supports operation with third-party load balancers.

Connecting the eSafe Appliance to a Workstation


Connect the appliance to a workstation in order to perform basic configuration.
1. Prepare a Windows-based workstation/laptop for initial configuration with
IE 6.0 or above.
2. Plug one end of a crossover cable into the MNG (management) port (Eth0) on
the appliance and the other end of the crossover cable into the Ethernet port of
the workstation you prepared in the previous step.

3. Connect the power cable to the appliance and to a power source.

4. Turn on the appliance and the workstation.

Accessing the Appliance


Note: The appliance’s default IP address is 10.0.0.1/24.
1. Verify that the workstation’s IP address is in the same subnet as the appliance.
2. On the workstation, open the browser (IE v.6 or above) and access the
appliance at https://10.0.0.1:37233. A security alert appears.

3. Accept the security alert in order to continue. The Login page appears.

4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).

The Configuration Wizard will start automatically and the Welcome screen will
appear.

Using the Setup Wizard to Configure the Appliance


1. In the Welcome screen, click Next to display the License Agreement page.
2. Read the License Agreement and click I Accept. Click Next to display the
Choose Product and Deployment Mode page. Take note that:

• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.

• The Central Management Server option allows defining a central eSafe
machine that collects all eSafe events (traffic, system, DLP, etc.) from
multiple eSafe machines and saves them to a local database for in-depth
monitoring and analysis.

3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.

4. From the Choose deployment mode drop-down list, select Other Modes. In
the page that appears, select eSafe Router Cluster from the drop-down list.

5. Click Next to display the Network Settings page.

6. Define the following network settings to enable the eSafe Appliance to
communicate with the network:

• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
7. Click Next. The Cluster VIP Settings page appears. The eSafe Security Cluster
in Router mode operates with Virtual IP Addresses (VIP). At least two VIPs are
needed; one for each side of the cluster. These VIPs will be the external
identity of the eSafe Cluster. The VIPs will be available as long as at least one
node in the cluster remains healthy.

Define the internal and external VIPs that will be used by the eSafe Cluster.
Note that all eSafe Cluster member machines must have the same VIP
definitions.
8. Click Next. The Password page appears.

9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).

10. Click Next to display the Set Time and Date page.

11. Define the current date and time, and the time zone in which the appliance will
operate.

12. Click Next to display the Registration page.

13. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.

14. Select the Enable Extended HB Information check box to allow the
appliance to send information on the status of the eSafe components to the
eSafe Operations Center for analysis. Click Next to display the Finish page.

15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.

Note: Initially defining a cluster requires logging on to eSafe Security Center via the central
machine, defining a new cluster, dragging the central machine (which appears under the
“ALL” branch in the machine tree) to the cluster, and then defining the other cluster
members.

Chapter 3
Managing the Appliance

The eSafe Appliance Manager is a web-based application that allows you to
change the settings defined using the eSafe Appliance Setup Wizard, view
information, and perform additional management actions. This section provides
details for accessing the Appliance Manager application and provides a description
of all menus and options available in the Appliance Manager.

Contents:
• About the Appliance Manager
• Accessing the Appliance Manager
• Status Menu
• Settings Menu
• Support Menu
• Connecting the eSafe Appliance to the Network
• Adding Firewall Rules

Chapter 3 - About the Appliance Manager

About the Appliance Manager


The eSafe Appliance Manager is a web-based application that provides you with
the tools to change the settings defined using the eSafe Appliance Setup Wizard,
view information, and perform additional actions.

Accessing the Appliance Manager


Follow the steps below to access the eSafe Appliance Manager.
1. Open Internet Explorer and connect to the IP address of the eSafe Appliance
as configured using the eSafe Appliance Setup Wizard. For example,
https://x.x.x.x:37233, where x.x.x.x is the IP of the eSafe Appliance.
Note! The eSafe Appliance uses secure HTTP protocol. Make sure that you
enter HTTPS and not HTTP.
A security alert appears.
2. Accept the security alert in order to continue. The Login page appears.

3. Log in to the Appliance Manager using the default username (admin), and the
password defined in the eSafe Appliance Setup Wizard.

4. Click Login. The eSafe Appliance Status page appears.

Chapter 3 - Status Menu

Status Menu
The Appliance Status menu includes the following options:
• eSafe Status—displays the status of eSafe and its add-ons.
• System Info—displays system related information.
• Network Info—displays information about the eSafe Appliance’s network
card(s), and the routing table.
• Spool Manager—displays information about messages in the Spool Manager.
A description of these options follows.

eSafe Status
In the eSafe Appliance Status page you can see the status of the eSafe product
being used, as well as the status of any add-ons.

The following information appears:

Type: Shows the type of eSafe product installed and the add-ons available.

Status: Shows the status of the eSafe product being used:

• Up: The appliance is up and running.

• Installed: The product is installed.

• Click to Activate: When add-ons are installed, you
can select this option to activate the add-on.

Product version: Shows the version of the product installed.

Update version: Shows the version of the latest update.

Last updated: Shows when the software was last updated.

License: Shows license details.

Registered to: Shows details of who the product is registered to.

Expiry date: Shows the date that the license expires.

You can perform the following actions:

Click to Activate: Click on this link to activate the specific add-on.

Stop/Start eSafe button: Click this button to toggle between stopping and
starting the eSafe product installed. (Note: When the
add-ons are disabled via the Status screen, eSafe must
be restarted in order for the changes to take effect.)

Advanced: Click this button to shut down or reboot the appliance.

System Info
The System Information page displays information about the CPU and memory,
and the amount of free storage space. Under Advanced, you can view the
contents of the system log files.

The following information appears:

CPU and Memory Information: Displays the CPU's vendor name, model, speed, RAM,
and swap memory.

Storage Space: Displays the amount of free space available in the
various partitions.

System Log Files: Click Advanced to view system log files. Click on a log
file to download the file and view information about
appliance/system events.

Network Info
Displays the type of network interface card(s) being used, the status of the link,
and routing table information. Click on a specific card to view additional detailed
information about that card and its driver.
Note: eSafe automatically negotiates the network type and speed. The default setting
should only be changed in the event that eSafe is connected to an unsupported network
device or if the auto-negotiate feature does not operate properly.

You can perform the following actions:

Refresh button: Click Refresh to update the network card and routing
table information.

Restart Networking button: Click the Restart Networking button to restart eSafe
and networking services. (Note that eSafe will only be
restarted if it was already operational when the Restart
Networking button is clicked.)

Spool Manager
When the SMTP service is enabled, this page shows the number of messages in
the Spool Manager, and the date and time the messages entered the spool.
Messages that appear in the Spool Manager for extended periods of time could
indicate a problem.

You can do the following:

Advanced button: Click the Advanced button to display a list of all
messages in the spool. An option for deleting messages
is available, but is not recommended and should only
be used after consulting with eSafe technical support.

Warning: Deleting messages from the spool is irreversible!

Chapter 3 - Settings Menu

Settings Menu
The Settings menu includes the following options:
• IP Settings—allows defining the eSafe Appliance’s IP address.
• Host Name and DNS—allows defining name resolution parameters.
• Time and Date—allows changing the eSafe Appliance’s time and date
settings.
• Passwords—allows changing the admin and root account passwords.
• Access Control—allows defining settings to control access to the eSafe
Appliance.
• SNMP—allows enabling or disabling use of the SNMP service, and defining a
management station.
• eSafe Proxy—only available when working with eSafe Proxy and allows
viewing and editing proxy server settings, including defining the authentication
type.
• Domain Registration—only available when working with eSafe Proxy and
allows registering the eSafe Proxy Machine in the domain.
• SSL Settings—only available when working with eSafe Web SSL and allows
you to view and edit SSL proxy settings.
• Configuration Wizard—provides access to the eSafe Appliance Setup Wizard.

IP Settings
Depending on the type of eSafe product installed, one or two network interface
cards may exist. You can change the status of a network interface card, define a
new network interface card, define the default gateway, and add a static route.

The following information appears:

IP addresses for Network Interfaces: Displays IP address, netmask, and status of each
network interface card. You can add a new interface
card by entering the details below the current table and
clicking Add.

Default Gateway: Shows the IP address of the gateway machine that is
used to forward traffic to destinations beyond the local
network, and via which interface the appliance connects
to the default gateway.

Disable High Availability NIC features: By default, the appliance’s high availability NIC features
are enabled and allow traffic to pass through without
interception/scanning in case of a power or software
failure.

Bypass is ACTIVE/NOT ACTIVE: This message shows the status of the bypass feature.

Static Routes: Click the Advanced button to view or add static routing
information for the appliance. Add the routing
information below the current table and click Add.

You can perform the following actions:

Advanced (or Basic) button: Click Advanced to view or define static routing
information.

Apply and Restart Networking button: Click the Apply and Restart Networking button to
apply any changes that were made, and restart eSafe
and networking services.

Reset button: Reverts the configuration to the previous settings.

Host Name and DNS


The settings in the Host Name and DNS page enable you to define name
resolution parameters. These parameters allow the eSafe Appliance to recognize,
and be recognized by, the network.

The following information appears:

Host Name: The eSafe Appliance's host name.

DNS Servers: The IP addresses of the DNS servers in the network.
The DNS servers will be used to resolve DNS names to
IP addresses when queried by the Appliance.

You can perform the following actions:

Advanced (or Basic) button: Click Advanced to define search domains and hosts:
• In the Search Domains box, enter domain names
that will be appended automatically when searching
for a host name that does not include the full domain
name.

• Under Hosts, enter the IP address and host name of
all host machines. Click Add to include the host in
the Hosts list.

Apply: Click the Apply button to apply any changes that were
made.

Reset button: Reverts the configuration to the previous settings.


Setting the Time and Date


By default, the eSafe Appliance is not pre-configured with the date and time. We
recommend setting the exact time and date since this information will be used in
all logs and reports related to the product. It is also possible to define an NTP
server.
If you did not set the date and time using the eSafe Appliance Setup Wizard, you
should do so now.

The following information appears:

Time, Date and Time Zone: Shows the time, date and time zone. Make sure that
these settings are correct.

You can perform the following actions:

Advanced button: Click the Advanced button to define a Network Time Protocol
(NTP) Server.
• Use an NTP server checkbox: Select this checkbox to enable using the NTP
server.
• Define NTP Server: Enter the IP address of the NTP server.
The NTP Server is based on UTC and therefore it is important to choose the
relevant time zone.


Password
You can change the admin account password, defined using the eSafe Appliance
Setup Wizard, at any time. You can also enable/disable the root account and
define a password for the account.
The default password for the root account is: kn1TG7psLu. It is recommended to
change the root account password, or disable the root account.

The following options are available:

Change eSafe Appliance Manager admin password: Allows you to change the admin
password. Enter the new password and then re-enter it to confirm.

Advanced button: Click the Advanced button to change root account settings.
• Enable eSafe Appliance root account check box: This check box
enables/disables use of the root account.
• Change root account password: Allows you to change the root account
password.


Access Control
The eSafe Appliance communicates with internal and external networks in one of
two ways:
• By accepting connections on all defined IP addresses.
or
• By accepting connections on a specific IP address only.
In addition, you can configure which external IP addresses will be able to
establish a connection with the Appliance.


The following options are available:

eSafe Appliance accepts connections on: Defines which IP addresses on the
eSafe Appliance will accept connections:
• Select All IP addresses to accept connections on all defined IP addresses.
• Select Specific IP to define a specific IP that will accept connections.
• Next to Listen on port, define the port that the appliance will use to
listen to connections.

eSafe Appliance accepts connections from: Defines from which IP addresses the
eSafe Appliance will accept connections:
• Select All IPs to allow connections from ALL IP addresses.
• Select Listed IPs Only to define a specific list of IP addresses from which
connections will be allowed.
• Select All, except listed IPs to define an exclusion list. This means that
connections will be accepted from all IP addresses EXCEPT those that appear in
the list.
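The sketch below models how the two Access Control settings combine, to make the difference between the allow list (Listed IPs Only) and the exclusion list (All, except listed IPs) concrete. It is an added example, not eSafe code: the function names, mode strings and all addresses are assumptions constructed for illustration, and list entries are treated as single IP addresses as the page describes.

```python
import ipaddress

MODES = ("all", "listed_only", "all_except_listed")


def accepts(local_ip, source_ip, listen_on="all", mode="all", listed=()):
    """Return True if a connection to local_ip from source_ip is accepted.

    listen_on -- "all" or one specific appliance IP ("accepts connections on")
    mode      -- one of MODES ("accepts connections from")
    listed    -- single IP addresses used by the two list-based modes
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    # Setting 1: which appliance address is listening at all.
    if listen_on != "all":
        if ipaddress.ip_address(local_ip) != ipaddress.ip_address(listen_on):
            return False
    # Setting 2: which remote addresses may connect.
    source = ipaddress.ip_address(source_ip)
    in_list = source in {ipaddress.ip_address(item) for item in listed}
    if mode == "listed_only":
        return in_list          # allow list: unknown sources are refused
    if mode == "all_except_listed":
        return not in_list      # exclusion list: unknown sources are accepted
    return True


def exposure(local_ip, sources, **policy):
    """List the sources from which local_ip is reachable under a policy."""
    return [s for s in sources if accepts(local_ip, s, **policy)]


# Constructed sample addresses (not from the guide).
APPLIANCE_MGMT_IP = "10.0.0.2"
APPLIANCE_LAN_IP = "192.168.1.2"
SOURCES = [
    "10.0.0.5",      # management station
    "10.0.0.77",     # another internal host
    "203.0.113.9",   # address never seen before
]

if __name__ == "__main__":
    for label, policy in [
        ("All IPs", {"mode": "all"}),
        ("All, except listed IPs",
         {"mode": "all_except_listed", "listed": ["10.0.0.77"]}),
        ("Listed IPs Only",
         {"mode": "listed_only", "listed": ["10.0.0.5"]}),
    ]:
        print(label, "->", exposure(APPLIANCE_MGMT_IP, SOURCES, **policy))
```

An exclusion list still accepts any address that was never anticipated, and Listed IPs Only with an empty list accepts nothing, so the management station must be entered before that mode is applied.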


Log Redirect
eSafe enables sending alerts, via SNMP traps, to SNMP servers. This allows using
third party applications to monitor the eSafe Appliance. All events that are written
to the syslog file (Linux message file), will be sent to the SNMP server.
When SNMP is enabled, you can save and send system logs that are related to
eSafe to the management station, in standard format.
It is also possible to redirect (and copy) syslog files to an alternate server.

The following options are available:

SNMP Service: Allows you to enable/disable the SNMP service.

Management Station: Allows defining the IP address of the SNMP management
station to which the system logs will be sent.

Syslog Redirect: Allows copying log files to an alternate server.

Syslog redirect: If you choose to enable syslog redirecting, enter the IP
address of the server to which the logs will be redirected (copied).


Support Menu
The Support menu includes the following options:
• General—enables providing information to eSafe technical support and allows
uploading service packs to the eSafe Appliance machine.
• eSafe Security Center—allows downloading the eSafe Security Center
executable file.
• eSafe on the Web—enables quick access to eSafe-related links on the web.
• Test Connectivity—enables checking the connection between the appliance
and the Internet.
• Help Index—displays links to the help topics.
A description of these options follows.

General
The Support Features page allows creating comprehensive reports that can be
supplied to the eSafe Technical Support department for troubleshooting
purposes.
After setting the required troubleshooting level and allowing eSafe to gather
information, files can be sent to technical support for analysis.
Consult with the eSafe technical support team prior to making any changes to
these parameters.


You can perform the following actions:

Change debug level: Select the level of troubleshooting (debug level)
required: off (default), low, or high.

Create and download eSafe Support Info file: Allows creating files for
technical support. You can either create and save the files, or create the
files and automatically upload them to the eSafe technical support site.

Create and download eSafe Session Log files: Allows collecting session log
files. In the page that appears, you can choose to only collect files, collect
and upload, or clear the log files. It is also possible to schedule automatic
log file collection.

Create and download eSafe Appliance Configuration backup file: Creates a
backup of the configuration file. After creating the backup file, you can
download the file to a location of your choice. (To reload the configuration,
access the Configuration Wizard, enter the file details and then click the
Restore Appliance Configuration button.)

View eSafe Module Versions: Allows viewing the version number of the eSafe
modules.

Enable Extended HB Information check box: Allows the appliance to send
information regarding the status of the eSafe components to the eSafe
Operations Center for analysis.

Advanced: Allows viewing information about the following eSafe files:
• eSafe log files: Displays a list of eSafe log files. Click on a filename to
open or download the file.
• eSafe .ini files: Displays a list of eSafe .ini files. Click on a filename
to open or download the file, or click to edit the file.
Any changes to the .ini files will only take effect after restarting eSafe.

RPM package upload: Enter the path to upload a hotfix, or click Browse to
locate the hotfix file. Click Install to install the hotfix. (You can also
upload hotfix files via eSafe Security Center.)


eSafe Security Center


The eSafe Security Center page allows you to download and install eSafe Security
Center, and view the eSafe Deployment Guide.
eSafe Security Center is a remote management console that can be used to
manage all eSafe products over the local network or over the Internet. eSafe
Security Center is a Windows-based application that can run on any PC running a
supported Windows operating system.

You can perform the following actions:

Download eSafe Security Center from eSafe Appliance: Allows you to save the
executable file and run it after the download is complete.

View the eSafe Deployment Guide: Allows viewing the eSafe SmartSuite
Deployment guide.


Viewing Links to eSafe on the Web


Use the links in this page to:
• Display the eSafe home page.
• Access the Attack Intelligence Research Center web site to view information on
the latest viruses and alerts, get the latest virus and content security updates,
and security news.
• Access the eSafe Support webpage and download product documentation.
• See information on eSafe products.
• Find an eSafe reseller or distributor in your area.
• View contact details.


Testing Connectivity
This page enables performing the following tests:
• Pinging to an FTP site.
• Checking connectivity with the eSafe site for updates to the add-ons.
• Checking connectivity with the License Center site for add-ons.
• Checking DNS resolving capabilities.


Help Index
The Help option in the Support menu displays the online help table of contents
with links to all help topics. In addition, the help button in the top right-hand
corner of each page provides information about the page you are currently
viewing.


Connecting the eSafe Appliance to the Network


The final stage of the installation is to actually connect the eSafe Appliance to the
network. Take note of the instructions for the operation mode you selected.
To connect the appliance to the network:
1. Place the eSafe Appliance in its physical location.
2. Power up the eSafe Appliance.

3. Follow the instructions for the mode you are installing:

For eSafe XG300 appliances in Transparent Bridge mode:


a. Connect the Eth2 NIC to the Internet.
b. Connect the Eth3 NIC to the LAN.
c. Connect the Eth0 NIC to the management machine.
For eSafe XG210 appliances in Transparent Bridge mode:
a. Connect the Eth1 NIC to the Internet.
b. Connect the Eth2 NIC to the LAN.
c. Connect the Eth0 NIC to the management machine.
For eSafe XG110 appliances in Transparent Bridge mode:
a. Connect the Eth0 NIC to the Internet.
b. Connect the Eth1 NIC to the LAN.
(Since there is no HA NIC, definition of the management interface is not
necessary.)
For eSafe in Proxy/SSL/Mail/ICAP mode:
• Connect the Eth0 NIC to the proxy/mail server.
For eSafe in Router/Router Cluster mode:
a. Connect the Eth0 NIC to the Internet.
b. Connect the Eth1 NIC to the LAN.
Note: Make sure that the appliance does not use the high availability NICs.
4. When using eSafe with a proxy server, or in Mail mode, you should perform
additional actions as follows:

• For eSafe Mail: In the organization’s MX records, configure eSafe Mail as
the incoming mail server. (Define the Eth2 and Eth3 IP addresses too.)

• For eSafe Proxy: Ensure that the eSafe Appliance IP address is the IP
address of the proxy machine, as defined in the client browser settings, and
that a new IP address was assigned to the parent proxy.

• For eSafe ICAP: Ensure that the eSafe Appliance IP address is the IP
address of the ICAP client (proxy machine).

At this point your eSafe Appliance is physically connected to the network with a
default configuration. In order to operate properly, eSafe needs to connect to
various ports and sites. Follow the instructions in the section that follows to
enable connecting to these ports/sites.


Adding Firewall Rules


In order for eSafe to operate correctly, send email and receive updates, you must
enable the following permissions on your firewall.
• Allow the eSafe machine to connect to the following eSafe sites for updates:

For HTTP: (Port 80)
upd1.esafe.com
upd2.esafe.com
upd3.esafe.com
upd4.esafe.com

For FTP: (Port 20 & 21)
ftp.esafe.com
ftp2.esafe.com
ftp.protectme.com

• Make sure the following port is open: UDP 33333.


• Allow the eSafe machine to perform DNS queries (port 53).
• Allow eSafe to send email and alerts to the Internet and internal network
(port 25). If eSafe also serves as an SMTP relay, allow it to accept connections
on Port 25.
• Allow the eSafe machine to check license validity via the eSafe site (port 80).
• If you are using the eSafe Add-ons, enable the following addresses for HTTPS
(port 443) and HTTP (port 80):

For www.cobion.com: For license.cobion.com:

213.252.152.103 213.252.152.106

195.127.173.190 195.127.173.180

213.252.152.118 213.252.152.101

213.252.152.105

213.252.152.81

These IP addresses are subject to change. Before changing the rules, we
suggest that you make sure the above IP addresses are still relevant (e.g. use
the nslookup command).
Allow access to the following addresses:
resolver1.alad.ctmail.com
resolver2.alad.ctmail.com
resolver3.alad.ctmail.com
resolver4.alad.ctmail.com
resolver5.alad.ctmail.com
• If you have a firewall between your management machine (with eSafe Security
Center) and the eSafe machine, you will need to allow the eSafe management
protocol (UDP on port 43982 and TCP on port 43970). Also ensure that the
following ports are open: 5432, 8888, 37233, 22.



Chapter 4
Working with Security Center

The eSafe Security Center is an intuitive management console that allows you to
configure and enforce the corporate content security policy throughout the
network.
eSafe Security Center provides task oriented tools that allow you to monitor
traffic, view reports, fine-tune the organizational security policy, perform product
maintenance, get support, and define access permissions.

Contents:
• Installing the eSafe Security Center
• Logging on to the eSafe Security Center
• The eSafe Security Center Main Window
• Dashboard
• Track & Care
• Policy Settings
• Support
• User Access and Permissions
• Getting Started


Installing the eSafe Security Center


You can install the eSafe Security Center on a machine that meets the following
minimum requirements:

Processor: Pentium 4 or above with a TCP/IP connection to the network
RAM: 1 GB
Disk Space: 30 MB
Additional Drives: CD-ROM drive or Internet connectivity (for installation)
Operating System: Windows 2003/XP/Vista/2007
Minimum screen resolution: 1024x768
For your convenience, a link has been included in the eSafe Appliance Manager
that enables downloading the eSafe Security Center software.

• Click on the Download eSafe Security Center link, save the executable file
and run it after the download is complete.


Logging on to the eSafe Security Center


After installation, an icon appears on the eSafe Security Center machine desktop.
Double click the icon to log on to the eSafe Security Center.

1. In the dialog box that appears, enter the default user name and password:
• Username: admin

• Password: esafe
2. From the Connect to Host drop-down list, select the machine you want to
connect to.

Warning: We recommend that you change the default password as soon as possible.

Tip: Run eSafe with the default settings and test its operation before making changes to
the configuration.


The eSafe Security Center Main Window


After logging in to the Security Center, the main window appears. In the appliance
tree, you can see the appliance you connected to. To start working, you can do
the following:
• Double-click on the appliance to access and manage the appliance
• Right-click All to see additional options for managing appliances, including
adding an appliance, group, cluster or site. These options are described in
more detail later in this chapter. (See User Access and Permissions for more
information on the different types of users and user permissions.)

When you log on to an appliance, the first window that appears provides a
graphical presentation of current web traffic statistics. You can use the various
tabs to switch between viewing statistics on web traffic, email traffic, DLP data,
Applications traffic, content, and traffic per protocol. A description of the main
screen follows.


Task Bar / Task Buttons


The eSafe Security Center is task-driven. This means that you choose the
operational mode you want to work in based on the actions you want to perform:
• View the monitoring dashboard
• View reports
• View or adjust the security policy
• Perform maintenance or get support
• Define access permissions
To choose the operational mode, click the relevant button in the Task Bar in the
top, right corner of the GUI:

[Figure: Task Bar buttons: Dashboard, Track & Care, Policy Settings, Support, Access Permissions]

A description of the operational modes appears later in this chapter.

Appliance Tree
The top, left panel of the GUI allows you to define the list
of eSafe appliances that you want to manage.
You can define sites, clusters, groups, and standalone
machines. Both clusters and groups support deploying
configurations to ensure that all machines in the cluster/
group are identical.
The buttons at the top of the tree allow you to:

• Add an eSafe appliance

• Add an eSafe Cluster

• Add a group of appliances

• Add a new site

• Delete a machine, cluster, or group

These options are also available when clicking the right-mouse button. For
more options see Managing appliances.


At the bottom of the panel, you can see details of the selected machine,
including: name, product type, product version, CPU, memory, and expiration
date.

The following symbols can appear on the appliance names:

A red icon with an "X" means that the appliance is not available.

A blue "M" means that this appliance is a central machine.

A green icon with a "V" means that the appliance is connected.

Managing appliances
Managing appliances is done via the right-mouse menu that appears when you
click on an item in the appliance tree. A description of the options in this menu
follows:
• Connect: Connects to the selected appliance.
• Add an eSafe appliance: Allows adding an eSafe appliance to the tree.
• Add an eSafe Cluster: Allows adding an eSafe cluster.
• Add a group of appliances: Allows defining a group to which appliances can
be added.
• Add a new site: Allows defining a new site container.
• Delete eSafe appliance(s): Allows deleting items from the tree.
• Synchronize cluster machine: Synchronizes the configuration between the
appliances in the cluster.
• Synchronize machines: Synchronizes the configuration between the
appliances in the group.
• Set as backup central machine: Allows setting this machine as a backup
machine for the central machine. In the event that the central machine is no
longer operational, this machine can be turned into the new central machine.
• Set as primary central machine: In the event that the original central
machine is no longer operational, this option allows turning the backup central
machine into the new central machine.

Dashboard
The Dashboard provides an on-the-fly view of the current state of network traffic
including statistics on web traffic usage, email statistics, the status of sessions
that pass through eSafe, and the status and results of files that pass through
eSafe, per protocol.
When viewing the data, you can click on a part of the graph to drill down and see
more information on that specific query.

You can then double click on a log and create a Smart Alert based on that
condition. For more information, see “Smart Alerts” on page 224.
You can switch between the following modes: Web, Mail, Content, and Traffic. A
description of each mode follows.


• Web: The Web Dashboard provides a graphic presentation of web usage
statistics including:
• Most popular URL categories visited
• Which users visited risky sites
• Which risky sites were visited
• Which web applications are being used that expose the network to security
risks.

[Figure: Web Dashboard. Callouts: Allows selecting for which date the statistics will be displayed. Allows refreshing the data. Double click on an item in a graph in order to drill-down.]

• Mail: The Mail Dashboard provides a graphic presentation of email statistics,
including:
• Who received the most spam
• Who received and sent the most email
• Which email threats were most prevalent
• A breakdown of how email can be classified (blocked, tagged, rejected,
cleaned, modified)
• Which users received email viruses

• DLP: The DLP dashboard provides a graphic representation of events that
matched the DLP policy.

• APPs: The APPs dashboard provides a graphic representation of the use of
various applications, based on the AppliFilter rules.

• Content: The Content Dashboard provides a dynamic snapshot of the status
and results of files that pass through eSafe, per protocol.

Use the buttons to:
• Zoom in (reduce time period)
• Zoom out (increase time period)
• Define the rate at which the graph will be updated

• Traffic: The Traffic Dashboard provides a dynamic snapshot of the status of
sessions that pass through eSafe, per protocol.

[Figure: Traffic Dashboard. Callout: Allows resetting the traffic statistics.]

4Eye View
The 4Eye principle is applicable per site and can only be defined by an
administrator. When the 4Eye View is enabled at a site, identification data will be
“scrambled” in the logs. In order to view the actual data, a second administrator
or user with viewing permissions must log on with their user name and password.
To enable 4Eye Viewing:
1. In the appliance tree, right-click on a site where you want to enable 4Eye
Viewing.

2. Select Properties | Enable 4Eye View.


The 4Eye Login link appears at the top of the window. When viewing logs and
data, all identifying information will be "scrambled", as can be seen below. In
order to view the information regularly, a second user with the necessary
permissions must log in via the 4Eye Login link.

To log in to a machine where 4Eye viewing is enabled:


1. Select the machine you want to log in to.
2. Click on the 4Eye Login link at the top of the Security Center window.

3. Enter a second user name and password. Click OK.


Track & Care


Track & Care mode displays logs for all traffic and system events including:
• Web traffic
• Mail traffic
• Application traffic
• System alerts
• Quarantine events
• DLP events

[Figure: Track & Care window. Callouts:]
• Allows saving the current query as a log file
• Allows selecting for which dates you want to view the query
• Refreshes the data
• Select the type of report you want to view
• Use the options in the drop-down lists to create a query
• Double click an entry to define a Smart Alert based on that condition
• Select an entry and click the right-mouse button to perform the following
actions: Select all log entries, Copy the log entries to the Clipboard, Add an
empty column
• Allows you to scroll between the tables of data displayed
• Define the number of lines you want to display in the current view


Selecting a report type


For each traffic type you can select a predefined report type from the Report
drop-down list in the top left corner. For example, for web traffic you can view a
report that includes logs for all traffic, or all violations, or virus/malware traffic.

• Click the button to view the requested logs.

Creating queries
After selecting the report type, you can create a query/queries to view specific
data. Use the options in the drop-down lists to define the conditions for the query.
Then:

• Use the and buttons to add or remove a condition from the query.

• Click the button to define the relationship between the values.

• Click the button to run the query.

Creating Smart Alerts


When viewing a report, you can double click on an entry to create a Smart Alert
based on that condition. For more information, see “Smart Alerts” on page 224.


Policy Settings
eSafe’s default security policy provides a high level of security that is suited to
most organizations. To get started, you must perform the following actions:
• Define LDAP Settings
• Define alert recipients
• Define warning message and redirect text
• Define internal networks
• Activate the Data Leakage Prevention feature (optional)
• Fine tune the URL Filter settings to suit your organization’s security needs
• Fine tune AppliFilter settings to suit your organization’s security needs
A detailed description of performing these actions follows. In addition, you can
further fine tune the policy in order to align eSafe with your organization’s unique
requirements. Detailed descriptions of the various options available in the Policy
Settings mode are available in Appendix A.

Task Buttons in the Policy Settings Screens


While working in Policy Settings mode, the following buttons are available:

A description of the buttons follows.

Revert to deployed configuration: Allows you to undo the most recent changes
to the parameters.

Import configuration: Use this button to import a saved configuration. After
importing the configuration, you should click the Apply/deploy configuration
button (below) in order to apply the new configuration before continuing.

Export configuration: Use this button to export the current configuration (for
backup purposes). eSafe will save the relevant configuration files
(esafecfg.ini, eSafeNIpca.ini, applifilter2.ini, LDAP settings and structure)
in a zip file. Note that the files included in the zip file depend on the type
of product installed.

Apply/deploy configuration: Use this button to apply changes made to the
configuration of a standalone machine, or to automatically deploy changes when
working with a machine in a group or cluster.

Previous: Displays the previously viewed screen.


Getting Started
This section provides details for performing various actions that will help get you
started working with eSafe.
Note: The MS ADSI Edit Tool allows you to view and edit Active Directory® directory
service attributes through the Active Directory Services Interfaces (ADSI) protocol. You
can install this tool from the MS support tools CD (\support\tools\supptools.msi). Once
installed, a shortcut is available in the Programs menu. It is also possible to add the ADSI
Edit Tool as a snap-in to the Microsoft Management Console (MMC).

Defining LDAP Settings


eSafe allows defining different policies for managing email traffic and web access.
To allow this, you need to define the LDAP settings that eSafe will use to import
your organization’s LDAP user and group structure. This allows defining different
profiles per user/group.
Before proceeding, it is important to note that eSafe is configured with default
LDAP settings that should be sufficient for most organizations. However, it may be
necessary to tailor the LDAP configuration to suit your organization’s schema in
cases where user/group data is not extracted successfully. Before changing the
default settings, we recommend verifying that the problem lies with the
data/schema and not with the LDAP connection. Furthermore, only change these
settings if you are familiar with the LDAP server schema.
The LDAP server settings are defined in the LDAP Configuration page,
under the Objects tab. Based on the defined settings, it is possible to view LDAP
information by groups, users, or users and groups. You can then select users from
these lists.


The LDAP Configuration page includes three tabs:


• Basic Settings: Allows defining parameters that will be used to connect to the
LDAP/Active Directory server.
• Nodes and Expressions: Allows performing queries and searches in the
LDAP/Active Directory server information. However, when working with other
LDAP types (e.g. Novell), defining these fields is mandatory and should be
done based on the organization’s schema.
• Attributes: Allows defining specific attributes that will be queried in order to
retrieve relevant user and group information.

A description of the fields in the Basic Settings tab follows:

Select server type: Select the type of server you want to connect to.

Backup of: If this is a backup server, select the server for which it
acts as a backup server.

LDAP server address: The address of the LDAP server on the network.

Connection port: The port eSafe uses to connect to the LDAP server (usually
389).

User name: A user name to allow access to the LDAP server. (For example,
CN=Administrator,CN=Users,DC=esafe5,DC=u).

Password: A password to connect to the server.

Intervals for sync: The rate at which eSafe will synchronize itself with the
LDAP server.

The Nodes and Expressions tab allows performing search queries for users,
groups, and hosts when working with Microsoft LDAP servers. When using other
LDAP server types, these values are mandatory for operation.
Nodes allow you to define from which node in the LDAP structure user information
will be extracted.

User root nodes: Defines the distinguished name (DN) of the root from which
user details will be taken. (For example, CN=Users,DC=esafe5,DC=us).

Group root nodes: Defines the distinguished name (DN) of the root from which
group details will be taken. (For example, OU=Domain
Controllers,DC=esafe5,DC=us).

Host root nodes: Defines the distinguished name of the root from which host
details will be taken.

Expressions allow searching the AD data for specific users, groups, or hosts. The
various search expressions can be used to filter this data in order to restrict the
search results. A simple filter looks like this: (objectClass=person). In this
example, the search query will only return results for entities that have been
specified as 'person'. A description of the expressions and examples of arguments
that can be used follows:

Users search expression: Allows searching for specific users. For example:
(&(|(objectClass=person)(objectClass=contact)(objectClass=organizationalPerson))(!(objectClass=computer)))

Groups search expression: Allows searching for specific groups. For example:
(objectClass=group)

Hosts search expression: Allows searching for specific hosts. For example:
(objectClass=computer)
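The following added example (not part of the eSafe product or of this guide's original text) evaluates the three search expressions above against a few constructed directory entries. It shows why the users expression carries the (!(objectClass=computer)) clause: in Active Directory, computer accounts also carry the person and organizationalPerson object classes. The parser covers only the AND, OR, NOT, equality and presence forms of RFC 4515 filters; the entries and function names are assumptions made for illustration.

```python
"""Evaluate simple LDAP search filters (RFC 4515 subset) on sample entries."""


def parse_filter(text):
    """Parse a filter such as (&(a=b)(!(c=d))) into a nested tuple tree."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' needs at least one sub-filter")
        node = (op, children)
    elif i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, value = s[i:end].partition("=")
        if not sep or not attr or "(" in value:
            raise ValueError(f"malformed item at offset {i}")
        # Attribute names and these values are matched case-insensitively.
        node = ("=", attr.strip().lower(), value.strip().lower())
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry):
    """entry maps lower-case attribute names to lists of lower-case values."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    return bool(values) if value == "*" else value in values


def search(filter_text, entries):
    """Return the 'name' of every entry that matches filter_text."""
    tree = parse_filter(filter_text)
    hits = []
    for entry in entries:
        normalised = {key.lower(): [str(v).lower() for v in vals]
                      for key, vals in entry.items()}
        if matches(tree, normalised):
            hits.append(entry["name"][0])
    return hits


# The users search expression from the table above.
USERS_EXPR = ("(&(|(objectClass=person)(objectClass=contact)"
              "(objectClass=organizationalPerson))(!(objectClass=computer)))")

# Constructed sample entries with Active Directory style object classes.
ENTRIES = [
    {"name": ["alice"], "sAMAccountName": ["alice"],
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"name": ["WS01"], "sAMAccountName": ["WS01$"],
     "objectClass": ["top", "person", "organizationalPerson", "user",
                     "computer"]},
    {"name": ["Helpdesk"],
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    {"name": ["Staff"], "sAMAccountName": ["Staff"],
     "objectClass": ["top", "group"]},
]

if __name__ == "__main__":
    for expr in ("(objectClass=person)", USERS_EXPR,
                 "(objectClass=group)", "(objectClass=computer)"):
        print(expr, "->", search(expr, ENTRIES))
```

Running the simple (objectClass=person) filter on its own returns the workstation account alongside the real user, which is the kind of unexpected result to check for before changing the default expressions.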

Attributes: Each object in the LDAP/AD server consists of one or more attributes
that are used to uniquely identify this object in the Directory Information Tree.
Each attribute has a value associated with it. Although there are a few standard
attribute-value pairs, different LDAP servers may use different values per
attribute. The following attribute-value pairs can be used to narrow the results
when defining search queries:

Account name attribute: saMAccountName
Display name attribute: name
Mail alias attribute: proxyAddresses
Primary mail alias attribute: mail


Defining Parameters for Sending Alerts


Alerts inform you when certain events occur, such as: detection of a virus,
software updates, or disk space approaching capacity. In order to send event
details via email, you must define alert recipients. You can also define the subject
for email alerts.

To define an email recipient for alerts:


1. In the Policy Settings mode, click the Alerts tab.
2. Select the Miscellaneous Parameters option in the Alerts tab to define:

• The sender email address that will be used by eSafe to send alerts. (This is
also the string that is displayed when connecting to the eSafe SMTP server.)

• The outgoing SMTP mail server address that eSafe will use to send alerts.

• The alert subject.

3. Next to eSafe sender mail address, enter the address eSafe will use to send
alerts.

4. Next to Outgoing SMTP mail server, click the List link to view the SMTP Mail
Relay page. In this page you must define:

• Host name for HELO command: This defines the host name that will be
used for the HELO command. This string will be used by eSafe for
identification purposes when it communicates with other SMTP servers.
Enter the host name in the text box.

• Outgoing SMTP Mail Relay Server: This setting allows you to define
when to use an outgoing SMTP mail relay server and which outgoing SMTP
mail relay server to use.

From the drop-down list, you can select one of the following options:

• Allow eSafe to send email directly to the Internet: eSafe will not use the
mail relay server and will send the mail directly to the Internet instead.


• Use outgoing SMTP mail relay server, as listed below: eSafe will use one
of the outgoing mail relay servers defined in the list at the bottom of the
page.
• Use outgoing SMTP mail relay server, in case of error sending directly to
Internet: eSafe will only use the outgoing mail relay server if it is unable
to send the mail directly to the Internet.

5. Save the settings and return to the Miscellaneous Parameters page.

6. Next to Alert Subject, enter the text you want to appear in the subject of email
alerts, for example: Important eSafe Alert.

7. Apply the changes.

Defining Warning Messages


eSafe allows notifying senders and recipients that email they sent or received was
scanned and, where applicable, that a specific action was taken (such as
removing hostile content or blocking the email). The following types of warnings
can be defined:
• For incoming email, a message can be added to email destined to the sender
or recipient.
• For outgoing email, a message can be added to email destined to the sender,
and a disclaimer can be defined, if necessary.

Defining warning messages for incoming email

eSafe can send email notifications/add warning messages to incoming email, as
follows.
• For Senders: eSafe allows sending email to the senders of infected email
notifying them that eSafe detected hostile content in the email they sent.


• For Recipients: The following warning messages/notifications can be sent to
recipients of incoming email:
• Add scan results to clean mail (only if it contains attachment): Allows
notifying the recipient of incoming email containing an attachment(s), that
eSafe scanned the email and found it to be “clean”.

• Add scan results to modified email: Allows notifying the recipient of
incoming email that the email was modified by eSafe.

• Send email notification when email is blocked: Allows sending a new email
message to recipients to notify them that email destined to them was
blocked by eSafe.

You need to select the warnings that you want eSafe to add to the email
messages and then you can edit the default text if necessary.

To define warning messages for outgoing email:


1. Select Config | Email Settings | Warning Messages | Outgoing Email.

2. Select To Senders.

3. Select the check boxes next to the notifications you want eSafe to send.

4. Edit the default message text if necessary.

5. Apply the configuration.


Defining a disclaimer for outgoing email

eSafe allows adding a default, user-defined disclaimer at the beginning or end of
all outgoing email. Disclaimers usually include an official statement from the
company that reflects the company’s policy regarding outgoing email.
It is also possible to define different disclaimers for different domains. The
domains are defined under Config | Email Settings | SMTP Settings | SMTP
Mail Relay and are automatically added to the list of domains in the Disclaimer
to Recipient page.

To define disclaimers for outgoing email:


1. In the Policy Settings mode, select the Config tab.
2. Select Email Settings | Warning Messages | Outgoing Email |
Disclaimer.

3. From the drop-down list, you need to define where you want to add the
disclaimer:

• No disclaimer (A disclaimer will not be added)

• Add disclaimer at the beginning of the email message

• Add disclaimer at the end of the email message.


4. Click the Define disclaimer message button to edit the default disclaimer
and select the domain for which the disclaimer will apply.

5. From the drop-down list, select the domain for which the disclaimer will apply.
(The domains are defined under Config | Email Settings | SMTP Settings |
SMTP Internal Domains.)

Note that, if you do not define a specific disclaimer per domain, the default
disclaimer will be used.
6. If necessary, edit the default disclaimer message in the HTML Disclaimer or
Text Disclaimer text box.

• In the HTML Disclaimer text box you can type the message as it will appear
if the email notification is sent in HTML format.

• The Convert HTML to Text button allows converting the HTML message
into plain text, and removes any formatting.

7. Click Close to save the disclaimer.


Defining Redirect Text


When eSafe blocks an HTML page that is being viewed by a user, it can notify the
user that the session was blocked, using one of two methods:
• By redirecting users to a specific URL that will display a predefined page with a
relevant notification message.
• By displaying an HTML page with text that can be defined via eSafe.

To redirect users to a predefined page:


1. In the Policy Settings mode, select the Config tab.
2. Select Alerts | URL Filter Warning.

3. Select the Redirect users to a predefined URL or HTML page check box to
activate this option.
(Note: If this option is not selected, the session will be blocked and a standard
browser notification will appear.)

4. Select one of the following options:

• Redirect to URL: Select this option to redirect users to a pre-defined URL.
Enter the entire URL string in the space provided. You should prepare a
company web page with an appropriate notification, preferably on the local
web server or in the DMZ.

• Redirect to a page with the following text: Select this option to redirect
users to an HTML page with the default text defined in the text box. You can
modify this text as you see fit. The default text includes the following
scripts:

<SCRIPT language=JavaScript>document.write(OriginalURL);</SCRIPT>
<SCRIPT language=JavaScript>document.write(BlockCause.substr(10));</SCRIPT>


where:
OriginalURL is the URL of the blocked site.
BlockCause.substr(10) is the reason access to the site was blocked.
The default text displays a page that looks like the example below:

5. Select the Only redirect blocked HTML pages check box if you only want to
redirect blocked HTML pages. (If this option is not selected, users will be
redirected each time any HTTP session is blocked.)

6. Apply the configuration.

Defining Internal Networks


eSafe allows defining specific IP addresses, ranges of networks, and ports for
which traffic will NOT be inspected.

To define ranges of networks that will NOT be inspected by eSafe:


1. In the Policy Settings mode, select Config | NitroInspection Configuration.

2. Under Exclusion List, click the Add icon to define individual IP addresses or IP
address ranges that will not be inspected by eSafe. All traffic to and/or from
these addresses will be ignored.

3. Under Trusted Subnets, click the Add icon to define subnets that will not be
inspected by eSafe. All traffic between machines in these subnets will be
ignored.


4. Next to Exclude Ports, you can define individual TCP ports or ranges of ports
that will not be inspected by eSafe.

5. Apply the configuration.
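Because every entry in these three settings removes traffic from inspection, it is worth checking which flows a planned configuration would exempt. The sketch below is an added example, not eSafe code: the entry syntax (single IP, "first-last" range, CIDR subnet), the reading of "between machines in these subnets" as both endpoints lying in any trusted subnet, the matching of excluded ports against the destination port, and all addresses and flows are assumptions constructed for the illustration.

```python
# Added example: model the Exclusion List, Trusted Subnets and Exclude Ports
# settings and report which sample flows would skip inspection.
import ipaddress


def parse_ip_spec(spec):
    """'192.0.2.25' or '10.20.0.10-10.20.0.20' -> inclusive (low, high)."""
    low, _, high = spec.partition("-")
    lo = ipaddress.ip_address(low.strip())
    hi = ipaddress.ip_address(high.strip()) if high else lo
    if lo.version != hi.version or hi < lo:
        raise ValueError(f"invalid address range: {spec}")
    return lo, hi


def parse_port_spec(spec):
    """'8443' or '9000-9010' -> inclusive (low, high) TCP port pair."""
    low, _, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {spec}")
    return lo, hi


class InspectionExclusions:
    def __init__(self, exclusion_list=(), trusted_subnets=(), exclude_ports=()):
        self.excluded = [parse_ip_spec(s) for s in exclusion_list]
        self.trusted = [ipaddress.ip_network(s) for s in trusted_subnets]
        self.ports = [parse_port_spec(s) for s in exclude_ports]

    def _is_excluded(self, ip):
        return any(ip.version == lo.version and lo <= ip <= hi
                   for lo, hi in self.excluded)

    def _is_trusted(self, ip):
        return any(ip in net for net in self.trusted)

    def bypass_reason(self, src, dst, dst_port):
        """Name the setting that exempts the flow, or None if inspected."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Exclusion List: traffic to and/or from the address is ignored.
        if self._is_excluded(s) or self._is_excluded(d):
            return "Exclusion List"
        # Trusted Subnets: only traffic between trusted machines is ignored.
        if self._is_trusted(s) and self._is_trusted(d):
            return "Trusted Subnets"
        if any(lo <= dst_port <= hi for lo, hi in self.ports):
            return "Exclude Ports"
        return None


def uninspected(flows, config):
    """Return [(flow, reason)] for every flow that would not be inspected."""
    result = []
    for flow in flows:
        reason = config.bypass_reason(*flow)
        if reason is not None:
            result.append((flow, reason))
    return result


# Constructed configuration and flows (source, destination, destination port).
CONFIG = InspectionExclusions(
    exclusion_list=["192.0.2.25", "10.20.0.10-10.20.0.20"],
    trusted_subnets=["10.1.0.0/24", "10.2.0.0/24"],
    exclude_ports=["8443", "9000-9010"],
)
SAMPLE_FLOWS = [
    ("10.1.0.7", "10.2.0.9", 445),
    ("10.1.0.7", "198.51.100.4", 80),
    ("10.20.0.15", "198.51.100.4", 80),
    ("198.51.100.4", "192.0.2.25", 25),
    ("10.1.0.7", "198.51.100.4", 9005),
    ("10.1.0.7", "198.51.100.4", 9011),
]

if __name__ == "__main__":
    for flow, reason in uninspected(SAMPLE_FLOWS, CONFIG):
        print(f"{flow} is not inspected ({reason})")
```

An excluded address exempts traffic in both directions, including sessions to the Internet, whereas a trusted subnet only exempts traffic whose other endpoint is also trusted.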


Activating Data Leakage Prevention (DLP)


eSafe allows reducing the risk of data loss and managing compliance with its data
leakage prevention feature that identifies who is sending what data where and
how.
The DLP feature monitors outgoing mail/Web/FTP traffic and includes built-in
policy templates for data protection and regulatory compliance and for
out-of-the-box information forensics.
Activating the DLP feature consists of the following steps:
1. Defining DLP Profiles: WHO will be associated with WHICH policy.
2. Defining DLP Policies: Which file types will be monitored.

3. Defining DLP Settings: Allows enabling DLP and defining repository settings.

Enabling DLP

1. In the Policy Settings mode, select the DLP tab.


2. At the bottom of the DLP page, click the Enable DLP check box and Apply the
configuration.


Defining DLP Profiles

DLP Profiles are created by associating DLP policies and network entities. Network
entities define “who” the DLP profiles will apply to. Note that each row in the
Profiles list represents a specific profile.
To define profiles:
1. In the Policy Settings mode, select DLP | DLP Profiles.
2. Click the Add network entity button to view the Network Entities Handler
dialog box.

Click the Reload DB button to get the latest LDAP information.

The Network Entities Handler dialog box displays information on users/groups
derived from the LDAP server. You can use this information “as is” to create
profiles, or define new network entities manually.
3. Select or define the network entities. Click Select. The Change Profile dialog
box appears, prompting you to assign a policy to the network entity.

4. Select the policy from the drop-down list. Under Profile activation status, select
when the policy will be active:

• Not active: The profile is not enabled.

• Always active: The profile is always active.


5. Apply the configuration.


Defining DLP Policies

The DLP Policy defines for which file types the policy will be enabled/disabled and
which dictionaries will be used when searching files/traffic for sensitive content.

To define the DLP policy:


1. In the Policy Settings mode, select DLP | DLP Policies.

2. Click the Add policy button to add a new policy. In the dialog box that appears,
enter a name for the policy. Make sure that the policy name does not include
spaces.

3. Next to Description, enter a description of the policy.

4. In the Monitor tab, select the required radio button to set the status of the
policy:

• Enabled for all outgoing traffic

• Enabled for file types selected below

• Disabled for file types selected below


5. If you select Enabled for file types selected below or Disabled for file
types selected below, you must select for which files and extensions the
policy will apply. To do this, click the check box next to the file type.


6. Next to Apply to, select the types of traffic to which the policy will apply: Mail,
Web, and/or FTP.

7. Click the Dictionary tab to select the dictionaries eSafe will use when
monitoring files for sensitive content, and the action it will take if the content
matches the dictionary.

8. In the Dictionaries list, select the dictionaries that eSafe will use to monitor
content.

9. Under Action, you can select the following actions:

• Report: Logs the event in the eSafe session.log file. (Enabled by default)

• Block: Blocks the file.


• Archive to repository: Archives the file in the repository.

• Notify sender: Sends an email alert to the sender in case of email traffic.

• Forward file by email: Forwards a copy of the file by email to a predefined
list of email addresses, and adds a prefix to the email subject. (The prefix is
defined under DLP Settings.)

If you select this option, you must define the email recipients next to Define
email recipients for forwarded files. When defining multiple recipients, use
CSV format. Note that the recipients are defined per policy.
10. Apply the configuration.


Defining DLP Settings

The DLP Settings allow you to define a repository for saving files for future
analysis, and define settings that will be used when eSafe forwards files that
match the DLP policy.

The following options are available:


• Max. repository size: Allows you to define the maximum size of the
repository.
• Prefix for email subject: Allows defining a prefix that will automatically be
added to the subject of all email that is sent when the Forward file by email
option is selected in the Dictionary tab, under DLP Policies.
• Max. attachment size: The maximum size of attachments.


Fine Tuning the URL Filter Settings


eSafe’s URL Filtering module allows controlling access to web pages by defining
which users can access which URLs or URL categories, and when these pages can
be accessed. The URL Filtering module is an add-on service that requires a
separate license. After installation, you should do the following to get started:
• Make sure the URL Filter is enabled
• Review the default policy settings and fine-tune them to suit your organization
• Review the default policy

After familiarizing yourself with the default policy, you can proceed to:
• Define customized policies to suit your organization
• Define customized profiles to suit your organization.

URL Filter operation is based on the following principles:


• A URL is first checked against the Allowed URL list; if it appears in the list, it is
allowed and continues to be checked by the other non-URL Filter policies.
• If the URL does not appear in the list, it is then checked against the Blocked
URL list:
• If it appears in the list the URL will be blocked.

• If it is not found, it is checked against the Allowed URL categories; if it
appears in the list, the URL is allowed and checked for the other non-URL
Filter policies. If not found, it is checked against the Blocked URL
categories; if it appears in the list, the URL will be blocked.


Enabling the URL Filter Add-on

After installing the URL Filter add-on, you need to enable the service.
1. In the Policy Settings mode, select the URL tab and then select URL Filter.
2. Select the Enable URL Filter Service check box.

Defining Profile Settings

The Profile Settings page allows defining global working days and hours that are
used to define when the profiles will be active, allows ignoring HTTPS traffic, and
allows selecting filters that will block streaming content. Note that these settings
apply to ALL profiles.

To define working hours:


1. Select URL | URL Filter | Profile Settings.

2. Select those days considered working days.


3. Set the morning and afternoon working hours.

4. Select the Ignore URL Filter for all HTTPS traffic check box if you do not
want eSafe to apply policies to HTTPS traffic.

5. Under Select streaming filters to activate, select which types of streaming
traffic will be blocked.

6. Apply the configuration.

Creating URL Filter Profiles

A profile is created by associating a policy with a network entity.

To define profiles:
1. Select URL | URL Filter | Profiles.

Allows defining the priority of the profiles

2. Click the Add network entity button to view the Network Entities Handler
dialog box.

Click the Reload DB button to get the latest LDAP information.

The Network Entities dialog box displays information on users/groups derived
from the LDAP server. You can use this information “as is” to create profiles, or
define new network entities manually.


3. Select or define the network entities. Click Select. The Change Profile dialog
box appears, prompting you to assign a policy to the network entity.

4. Select the policy from the drop-down list.

5. Under Profile activation status, select when the policy will be active:

• Not active: The profile is not enabled.


• Active in report mode (no blocking): The profile will always be active,
but will only report policy violations.

• Active during working hours: The profile is only active during working
hours. These are defined under the Profile Settings.

• Active during nonworking hours: The profile is active during nonworking
hours.

• Always active: The profile is always active.


6. Click OK. The new profile appears in the list of profiles.


Creating URL Filter Policies

The URL Filter Policy defines to which URLs and URL categories access will be
allowed/blocked, which streaming traffic will be allowed/blocked, and which sites
will be gray listed.
Note: The default policy applies to all users that are not assigned a specific profile. This
usually includes the majority of users and as such, it should be as comprehensive as
possible.
To define a URL Filter Policy, define a name for the policy, add a description, and
then define Browsing, Streaming, and Gray List definitions.

To define policies:
1. Select URL | URL Filter | Policies.

2. From the URL Filter Policy drop down list, you can select an existing default
policy and fine-tune the policy, or click the Add new URL Filter Policy button
to add a new policy. If you choose to add a new policy, the New Policy dialog
box appears.

3. Enter a name for the policy. Make sure that the policy name does not include
spaces. Click OK.

4. Next to Description, enter a description of the policy. This will help you
remember what the policy is about, for example: Block access to non-work
related categories.

5. The following tabs are available:

• Browsing: This tab allows you to define your organization's browsing
policy. The following options are available:

• Block un-recognized URLs: Blocks access to web sites that are not
categorized.
• Ignore URL Filter for HTTPS traffic: When selected, eSafe will not apply
the policy to HTTPS traffic.
• Under Blocked/Allowed Categories and Blocked/Allowed URLs, define lists
of URLs/URL categories that will be blocked and allowed. These lists will
be specific to the currently selected policy. (When defining the URLs, you
can enter sub-domains.)

• Streaming: This tab allows you to define your organization's policy
regarding streaming traffic. The following options are available:

• Allow all streaming: Allows all streaming traffic.


• Block all streaming: Blocks all streaming traffic.
• Block/Allow by following: Blocks or allows streaming traffic per category
or URL.

• Gray List: Gray lists are an intermediate option between blocking sites and
allowing sites. When users surf to sites that are gray listed, a warning
appears notifying them that the website violates organizational policy;
however, the user is given the choice to continue. If the user chooses to
continue, the website is displayed normally and users can continue viewing
the site for a specific period of time.

When using the Gray List feature, you can define which categories are
considered gray categories, and define specific URLs of hosts that will be
gray listed.
The following options are available:
• Block un-recognized hosts: Blocks access to hosts that are not
categorized.
• Gray Categories and Allowed Gray Categories: Define lists of URL
categories that will be gray listed and allowed.
Note: The "allowed" lists are used when a site has more than one category. In this
case, if one of the categories appears in the allowed list, the site will be allowed. For
example, if “Cinema / Television” is on the gray list, then www.cnn.com will be
blocked since it is categorized as: Cinema / Television, News / Magazines, Search
Engines / Web Catalogues / Portals.

However, if “News / Magazines” appears in the "allowed list", www.cnn.com will be
allowed. Pure "Cinema / Television” sites will be gray listed.

• Gray URLs and Allowed Gray URLs: Define lists of URLs that will be
blocked and allowed. These lists will be specific to the currently selected
policy. (When defining the URLs, you can enter sub-domains.)
6. Apply the configuration.
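The added example below (not eSafe code) models the list order given under "URL Filter operation is based on the following principles" and the multi-category note in the Gray List description, and lists the sites that an allowed list lets through even though they carry a blocked or gray category. Sub-domain matching on label boundaries, allowing a URL that matches no list, and applying the same order to the Gray List lists are assumptions; every host except www.cnn.com and its categories is constructed.

```python
# Added example: URL Filter list precedence and allowed-category overrides.
from dataclasses import dataclass, field


@dataclass
class Lists:
    allowed_urls: set = field(default_factory=set)
    listed_urls: set = field(default_factory=set)        # Blocked or Gray URLs
    allowed_categories: set = field(default_factory=set)
    listed_categories: set = field(default_factory=set)  # Blocked or Gray


def host_matches(host, entries):
    """True if host equals an entry or is a sub-domain of it (assumed rule)."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def evaluate(host, categories, lists, listed_verdict="block"):
    """Walk the four lists in the documented order; return (verdict, reason)."""
    if host_matches(host, lists.allowed_urls):
        return "allow", "allowed URL list"
    if host_matches(host, lists.listed_urls):
        return listed_verdict, "listed URL"
    cats = set(categories)
    hit = cats & lists.allowed_categories
    if hit:
        # One allowed category is enough, even if another category is listed.
        return "allow", "allowed category: " + ", ".join(sorted(hit))
    hit = cats & lists.listed_categories
    if hit:
        return listed_verdict, "listed category: " + ", ".join(sorted(hit))
    return "allow", "no list matched"  # assumption: default is to allow


def overridden_sites(sites, lists):
    """Sites that carry a listed category but are allowed by an earlier list."""
    found = []
    for host, cats in sites.items():
        verdict, reason = evaluate(host, cats, lists)
        if verdict == "allow" and set(cats) & lists.listed_categories:
            found.append((host, reason))
    return sorted(found)


# Categories for www.cnn.com are the ones quoted in the note above.
CNN_CATEGORIES = ["Cinema / Television", "News / Magazines",
                  "Search Engines / Web Catalogues / Portals"]
# Constructed site list for the audit.
SITES = {
    "www.cnn.com": CNN_CATEGORIES,
    "films.example": ["Cinema / Television"],
    "wiki.example": ["Reference"],
}

if __name__ == "__main__":
    gray = Lists(listed_categories={"Cinema / Television"},
                 allowed_categories={"News / Magazines"})
    for host, cats in SITES.items():
        print(host, evaluate(host, cats, gray, listed_verdict="gray"))
    print("overridden:", overridden_sites(SITES, gray))
```

Running the audit before widening an allowed category shows which multi-category sites the change would release from the blocked or gray list.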


Fine Tuning the AppliFilter Settings


AppliFilter™ is an add-on service that allows realtime filtering of malicious
Internet content as it enters the network. After installation, the service is fully
functional for 30 days after which the license needs to be renewed.
To get started:
• Make sure that the AppliFilter service is enabled
• Review the various application families to see which applications will be
blocked, and which will operate in warning mode. Change the filters as
necessary.
Take note of the bullets next to the application name:

• Grey: The specific filter is not enabled.

• Yellow: The specific filter is enabled in warning mode.

• Red: The specific filter is enabled.

To enable use of the AppliFilter service:


1. Select APPs | AppliFilter. When operating AppliFilter for the first time, it will
take a few seconds for the screen to “load”.
2. Make sure that the Enable AppliFilter Service option, at the bottom of the
screen, is enabled.

Take note of the color of the bullets. See a description above.

Click this check box to enable the AppliFilter service

The following check boxes are available:


• Enable SmartInspection Acceleration check box: This check box is
available in the main AppliFilter page and allows excluding inspection of .jpg
and .gif files, for improved performance. This is based on the assumption that
it is unlikely that these files will be accessed directly without a leading HTML
page. This option affects all subsidiary filters.


• Operate in Warning Mode (report without blocking): Warning mode
enables eSafe to identify applications and log details of these events in the
Report, without blocking actual communication. This option is usually used for
evaluation purposes.
When this check box is selected, this option will also be enabled for all
subsidiary filters (application families and family members). The option can be
turned off for individual filters.
• Notify infected/blocked users: This option allows sending a warning
message to users when they try to access a blocked application. Click the
Settings link to view the warning message that will appear. You can customize
this message if necessary.
Note: eSafe is supplied with default parameters that provide a high level of security that
suits most organizations. After performing the actions in this section, we recommend
allowing eSafe to operate in the network, and for you to monitor the various statistics and
reports that eSafe provides, prior to making any changes to the configuration.



Chapter 4 - User Access and Permissions

User Access and Permissions


eSafe allows defining different types of users with different access rights (ranging
from full administrative rights to read-only and viewing rights), and also allows
defining from which machines users are allowed to access eSafe Security Center.
User access details are recorded in the eSafe log.

In the Users Permissions List, define which users will be allowed to log in to eSafe
Security Center. Each user has a unique user/login name, password, and
permission type.
The following types of permission are available:
• Local Administrator: Provides full access rights.
• URL Filter Manager: Allows managing the URL Filter policies only.
• Viewer only: Provides read only permissions for all screens, without the
ability to apply the configuration or to release quarantined emails.
• Quarantine Help Desk: This is similar to the read only rights, but also
includes the ability to manage the Quarantine folder (delete, send, etc.).
• No Access
• Allow viewing DLP logs
In the IP Address Access List, define IP addresses and ranges from which users
can log in to Security Center.



Chapter 4 - Support

Support
Support Mode provides tools to perform troubleshooting, allows you to view
information about the eSafe machine, network interfaces, and licensing
information, and provides links to various online resources.
Support Mode includes the following tabs:
• Info
• Licensing
• Troubleshoot
• Resources
A description of the options in each tab follows.

Info
Provides information about the eSafe machine and network interfaces including:
• eSafe version
• Operating system
• Last update
• Virus table & scan engine version
• Currently installed hotfix(es)
• URL filter version
• Last URL filter update
In addition, you can see information about the platform on which eSafe is
installed including:
• Brand
• Model
• CPU
• Memory
• HD


At the bottom of the page, you can see network interface information.

Use the buttons as follows:

Export information

Print information


Licensing
The first time you start your eSafe software, a 30 day evaluation period begins.
This provides you with enough time to make all necessary changes to your
network, test eSafe operation, and register the product. During the evaluation
period, eSafe is fully functional (including updates).

At the end of this evaluation period, the evaluation license will expire and eSafe
will allow ALL traffic to enter the network without scanning or blocking. To ensure
uninterrupted network protection, you should register the product at the earliest
opportunity.
The Licensing page provides details of all licensed products including when the
license started and expires, and allows you to add licenses. Click the Add license
button if you need to add an additional license.

You will be prompted to enter your name, company name, and the license key
(available from your eSafe reseller or representative).
Note: When entering your details, make sure you do not use special characters in the
company name, for example: &&, $, %, etc.


Troubleshoot
This page provides tools for performing various diagnostic and debugging actions.
Warning: Use the options in this page only in coordination with the eSafe
Support Team.
This page includes the following options:
• Support Troubleshoot Debug: Normally, you do not need to create
troubleshooting files. However, when a problem does occur, you can create
troubleshooting files that will help eSafe's technical support personnel
diagnose the cause of a problem and prepare a timely solution.
This feature is normally disabled because it can slow down network traffic.

To change the debug level, you can select a module and click the right-mouse
button to select the debug level from the options that appear. You can also use
the All high, All low or All off buttons to change the debug level for all
modules.
• Traffic Capture: In cases where the troubleshooting logs are not sufficient for
in-depth analysis, you may be required to capture traffic for a specific period of
time and upload this information to eSafe technical support for further
investigation.


• Tools: eSafe includes the following tools to assist you when working with
the support team, and also to quickly access the eSafe Appliance and Spool
Manager:
• Remote support allows the eSafe support team to connect to the
appliance remotely to perform troubleshooting. A wizard appears and
guides you through this process.

• Connect to appliance allows you to open a terminal session with the
appliance, or connect to the appliance via the web-based appliance
manager.

• Troubleshooting files allows you to get files for troubleshooting and
upload them to the eSafe support site, and/or save them in a specific folder.

• Spool Manager allows viewing email files in the Spool Manager.

Resources
This page provides links to various resources that will assist you while working
with eSafe.

eSafe on the Web: Opens the eSafe home page.

eSafe Technical Support: Opens the Technical Support home page.

eSafe License Center: Opens the eSafe Licensing Center home page.

eSafe Documentation: Opens a page with links to eSafe documentation.


Attack Intelligence Research Center: Opens the AIRC web page that lists the
latest security threats by level of severity.

Feedback and Feature Requests: Allows you to send feedback or a request to the
eSafe team for a specific feature.

Available Updates: Provides information about the most recent update.

End User License Agreement: Displays eSafe’s End User License Agreement.

Check/submit URL Classification: Allows submitting a URL for classification or
checking to which category(ies) the URL belongs.

The following check boxes are available:


• Enable Live Watch: Select this option to allow eSafe to send information
about risky and suspicious security events to the eSafe security team. This
information refers to risky websites/URLs and scanning results and does not
include any internal, confidential data (e.g. user names, IP addresses, etc.).
• Enable HeartBeat: This service provides vital information about the status of
eSafe’s components, as well as abnormal system behavior. This information is
periodically sent to the eSafe Operations Center for analysis. Based on this
information, we can provide you with realtime maintenance and preventive
services, including suggestions on how to ensure uninterrupted eSafe
operation and keep your software up-to-date.



Appendix A
Policy Settings

This appendix provides a detailed description of the options available in the Policy
Settings mode. The information is provided in an easy to use, reference format,
and mirrors the flow of the screens and options in the eSafe Security Center
graphical user interface.

Contents:
• Config Tab
• Objects Tab
• URL Tab
• APPs Tab
• DLP Tab
• Alerts Tab
• Updates Tab



Appendix A - Getting Started in Policy Settings Mode

Getting Started in Policy Settings Mode


While working in Policy Settings mode, the following buttons are available:

A description of the buttons follows.

Revert to deployed configuration: Allows you to undo the most recent changes
to the parameters.

Import configuration: Use this button to import a saved configuration. After
importing the configuration, you should click the Apply/deploy configuration
button (below) in order to apply the new configuration before continuing.

Export configuration: Use this button to export the current configuration (for
backup purposes). eSafe will save the relevant configuration files
(esafecfg.ini, eSafeNIpca.ini, applifilter2.ini, LDAP settings and structure)
in a zip file. The files included in the zip file depend on the type of product
installed.

Apply/deploy configuration: Use this button to apply changes made to the
configuration of a standalone machine, or to automatically deploy changes when
working with a machine in a group or cluster.

Previous: Displays the previously viewed screen.



Appendix A - Config Tab

Config Tab
The Config Tab allows fine-tuning the eSafe configuration by:
• Defining Protocol Rules
• Defining Anti-spam Settings
• Defining Spyware/Adware Protection Settings
• Defining Content Filters
• Fine-tuning the Email rules
• Defining profiles and policies for the URL Filter
• Defining the policy for DLP
• Defining settings for Email

Protocol Rules
Rules allow you to define how eSafe will treat traffic. In this section you will find a
description of the options in the Protocol Rules branch, information on creating
rules, and a list of various issues that you should take into consideration when
defining rules.
For email traffic, you can define profiles and policies, which determine how eSafe
will treat email traffic for various network entities.
Block

Config Tab | Protocol Rules | FTP or HTTP | Block

The Block branch allows you to enable or disable blocking traffic for the specific
protocol, choose lists that will be used when blocking is enabled, and define how
lists will be used if multiple lists are selected. A different set of block rules can be
defined for FTP and HTTP traffic.
The Block page is divided into the following sections:

Rule: Under Rule, select the block rule from the drop-down menu:
• No blocking: eSafe will not block traffic for the specific protocol.
• Block Selectively: Blocks traffic according to selected lists. You can also
exclude VIP Destinations, if necessary.
• Block All: Blocks all traffic for the specific protocol. You can also exclude
VIP Destinations, if necessary.
• Exclude VIPs from Blocking Rules: If you choose Block Selectively or Block
All, decide whether to exclude VIP destinations. VIP destinations are IP
addresses/email addresses that will be excluded from this rule. You can click
on the List link to the right to edit the VIP list.

Block traffic that matches: If you choose Block Selectively, you need to define
which list(s) eSafe will use to decide whether to block a file or email. When
you select more than one list, you must also decide how eSafe will use the
lists to block traffic. Under Block traffic that matches, select one of the
following options:
• All selected lists: eSafe will only block traffic that matches the conditions
in ALL selected lists. For example, if all three check boxes are selected,
eSafe will only block specific file types from specific workstations and
specific servers.
• At least one selected list: If eSafe detects a server/workstation/file type
that appears in any of the lists, the traffic will be blocked.

Lists used to apply the rule: When defining the rule, you can define the
following types of lists that determine what eSafe will look for and block in
the traffic:
• Servers
• Workstations
• File Types
To define the list, click on the List link next to the check box. Each list
includes a restricted and a trusted list:
• Restricted (block if listed): eSafe will block anything that appears in the
Restricted list. Use the Restricted List if you know exactly what you want to
block.
• Trusted (block if NOT listed): eSafe will block anything that DOES NOT appear
in the Trusted list. Use the Trusted list if you know what you do not want to
block.

Apply blocking rules to traffic being uploaded (FTP & HTTP): This option allows
eSafe to apply the block rules to FTP and HTTP files in the process of being
uploaded.

Block file uploading (FTP): Allows blocking files from being uploaded in FTP
mode. Selectively blocking FTP uploads from unauthorized PCs can reduce the
chance of outbound Trojan traffic.

Configure warning message (HTTP): When eSafe blocks an HTML page that is being
viewed by a user, it can notify the user that the session was blocked, using
one of two methods:
• By redirecting users to a specific URL that will display a predefined page
with a relevant notification message.
• By displaying an HTML page with text that can be defined via eSafe.


Scan

Config Tab | Protocol Rules | FTP or HTTP | Scan


The Scan branch allows you to enable or disable scanning traffic for the specific
protocol, choose lists that will be used when scanning is enabled, and define how
lists will be used if multiple lists are selected.
The Scan page is divided into the following sections:

Rule: Under Rule, select the scan rule from the drop-down menu:
• No scanning: Nothing will be scanned for the specific protocol.
• Scan Selectively: Scans traffic according to selected lists. You can also
exclude VIP Destinations from Content Filter checking, if necessary.
• Scan All: Scans all traffic for the specific protocol. You can also exclude
VIP Destinations from Content Filter checking, if necessary.
• If you choose Scan Selectively or Scan All, decide whether to Exclude VIP
Destinations from Content Filter checking. VIP destinations are IP
addresses/email addresses that will be excluded from this rule. Click on the
List link to the right to edit the VIP list.

Scan traffic that matches: If you choose Scan selectively, you need to define
which list(s) eSafe will use to decide whether to scan a file. When you select
more than one list, you must also decide how eSafe will use the lists to scan
traffic. Under Scan traffic that matches, select one of the following options:
• All selected lists: eSafe will only scan traffic that matches the conditions
in ALL selected lists. For example, if all three check boxes are selected for
FTP, eSafe will only scan specific file types from specific workstations and
specific servers.
• At least one selected list: If eSafe detects a server/workstation/file type
that appears in any of the lists, the traffic will be scanned.

Lists used to apply the rule: The List link next to each drop-down list allows
you to review and edit the lists available for the specific rule. The following
lists are available:
• Servers
• Workstations
• File Types
Each list includes a restricted and a trusted list:
• Restricted (act if listed): eSafe will scan anything that appears in the
Restricted list. Use the Restricted List if you know exactly what you want to
scan.
• Trusted (act if NOT listed): eSafe will scan anything that DOES NOT appear in
the Trusted list. Use the Trusted list if you know what you do not want to
scan.

Apply scanning rules to traffic being uploaded (FTP & HTTP): This option allows
eSafe to apply the scan rules to FTP and HTTP files in the process of being
uploaded.

Scan for undesirable keywords (HTTP): When inspecting HTTP traffic, eSafe can
scan the traffic for specific keywords in HTML pages, for all sources, or for
specific servers only. If a listed keyword is found, eSafe will block the page.
• Click the Keywords link to define a list of keywords eSafe will scan for.
• From the drop-down list, select for which sources (servers) you want to scan
traffic:
  • All sources: eSafe will scan traffic from all servers for the defined
  keywords.
  • Restricted Source (scan if listed): eSafe will scan traffic from the
  servers listed in the Restricted list only.
  • Trusted Source (scan if NOT listed): eSafe will scan traffic from all
  servers, except from the servers that are listed.
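The Block and Scan pages above share the same list logic, and the effect of combining Restricted and Trusted lists under "All selected lists" versus "At least one selected list" is easy to misjudge. The following is an added example, not eSafe code: a small Python model of that evaluation. The class names, the session fields, the rule that a VIP entry is compared with both endpoints, and the sample lists are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Rule(Enum):
    NONE = "No blocking / No scanning"
    SELECTIVE = "Block Selectively / Scan Selectively"
    ALL = "Block All / Scan All"


class Combine(Enum):
    ALL_LISTS = "All selected lists"
    ANY_LIST = "At least one selected list"


@dataclass(frozen=True)
class MatchList:
    """One selected list (Servers, Workstations or File Types)."""
    entries: frozenset
    # False: Restricted (act if listed). True: Trusted (act if NOT listed).
    trusted: bool = False

    def matches(self, value: str) -> bool:
        listed = value.lower() in self.entries
        return not listed if self.trusted else listed


@dataclass
class ProtocolRule:
    rule: Rule
    combine: Combine = Combine.ANY_LIST
    # Only lists whose check box is selected appear here; keys name session fields.
    lists: dict = field(default_factory=dict)
    exclude_vips: bool = False
    vips: frozenset = frozenset()

    def applies(self, session: dict) -> bool:
        """Return True if the rule acts on (blocks or scans) this session."""
        if self.rule is Rule.NONE:
            return False
        # Assumption: a VIP entry is compared with both endpoints of the session.
        if self.exclude_vips and {session["server"], session["workstation"]} & self.vips:
            return False
        if self.rule is Rule.ALL:
            return True
        if not self.lists:
            return False  # assumption: a selective rule with no list selected matches nothing
        hits = [lst.matches(session[key]) for key, lst in self.lists.items()]
        return all(hits) if self.combine is Combine.ALL_LISTS else any(hits)


# Constructed sample policy: a Restricted server list and a Trusted file-type list.
LISTS = {
    "server": MatchList(frozenset({"files.example.net"})),
    "file_type": MatchList(frozenset({"pdf", "doc"}), trusted=True),
}

# Constructed sessions.
SESSIONS = {
    "exe from listed server": {"server": "files.example.net", "workstation": "10.0.0.5", "file_type": "exe"},
    "exe from other server": {"server": "www.example.org", "workstation": "10.0.0.9", "file_type": "exe"},
    "pdf from listed server": {"server": "files.example.net", "workstation": "10.0.0.9", "file_type": "pdf"},
    "pdf from other server": {"server": "www.example.org", "workstation": "10.0.0.9", "file_type": "pdf"},
}


def decisions(combine: Combine, **options) -> dict:
    """Evaluate every sample session under a selective rule with the given combination."""
    rule = ProtocolRule(Rule.SELECTIVE, combine, LISTS, **options)
    return {name: rule.applies(session) for name, session in SESSIONS.items()}


if __name__ == "__main__":
    for combine in Combine:
        print(combine.value)
        for name, acted in decisions(combine).items():
            print(f"  {name:24} -> {'act' if acted else 'pass'}")
```

With "All selected lists", the executable from the unlisted server passes untouched even though its file type is outside the Trusted list, which is the case to check before choosing that option.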

Action

Config Tab | Protocol Rules | FTP or HTTP | Action


The Action branch allows you to define what eSafe will do if it finds malicious
content in a file/attachment. Different actions are available for Web traffic and
Email traffic.

eSafe automatically scans all traffic that was not blocked, for vandals/viruses. If a
vandal/virus is detected, eSafe will block the traffic. In addition to blocking
infected traffic, eSafe can also add details of the server from which the infected
traffic originated to the Automatic Servers list for future blocking/scanning. In
future sessions, eSafe will use these lists to scan or block traffic from the listed
servers.

No autoupdate: No action will be taken; details of the server will not be added
to the Automatic Servers list.
Use this option when you cannot afford to restrict specific sites or senders
that may occasionally be the source of a virus.

Add EXACT SOURCE to the list of Automatic Servers for BLOCKING: eSafe will block
all future traffic from the exact address from which the infected traffic
originated.
This is the recommended setting. This option protects against a clearly defined
list of sources by adding the exact path to the infected file. This ensures
that no user will succeed in downloading the infected file, since eSafe will
block the session at connection time.

Add ENTIRE SERVER to the list of Automatic Servers for SCANNING: eSafe will scan
all future traffic from the server from which the infected traffic originated.
This option provides a general level of protection by ensuring that everything
coming from that server is scanned, unless it is already blocked by another
rule. This setting is recommended when there are sources that you cannot afford
to block, even if they may be the source of a virus.


FTP Security

Config Tab | Protocol Rules | FTP | FTP Security


As a first line of defense, eSafe checks and enforces compliance with protocol
standards at connection time, to minimize exposure and possible exploitation by
malicious code. Non-standard utilization of protocol commands and properties will
be blocked.

For FTP traffic, eSafe allows preventing resumption of FTP downloads. Resuming
downloads can cause partial download of files or downloads that do not start from
the beginning of the file. eSafe is unable to thoroughly inspect incomplete files
and partially downloaded files for viruses, and therefore enables blocking these
files.
The following options are available:
• Block password protected archives: Blocks all archive files that require a
password for opening. If you do not select this option, password protected
archives are assumed to be safe.
• Activate file-spoof protection: File spoofing is a common technique used to
disguise Trojans. eSafe is able to validate the file's bit structure against a list of
valid file types and their extensions. If the bit structure DOES NOT correspond
with one of the extensions in the list, the file is considered as “spoofed” and
will either be blocked or scanned for malicious content (the default action is
“scan”).
• Prevent FTP download resume: Resuming downloads can cause partial
download of files or downloads that do not start from the beginning of the file.
eSafe is unable to thoroughly inspect incomplete files and partially downloaded
files for viruses.

eSafe SmartSuite Deployment Guide 125


Appendix A - Config Tab

HTTP Security

Config Tab | Protocol Rules | HTTP | HTTP Security


As a first line of defense, eSafe checks and enforces compliance with protocol
standards at connection time, to minimize exposure and possible exploitation by
malicious code. Non-standard utilization of protocol commands and properties will
be blocked.

For HTTP traffic, eSafe allows you to enable the following options:
• Block password protected archives: Blocks all archive files that require a
password for opening. If you do not select this option, password protected
archives are assumed to be safe.
• File Type Spoofing: File spoofing is a common technique used to disguise
Trojans. eSafe is able to validate the file's bit structure against a list of valid file
types and their extensions. If the bit structure DOES NOT correspond with one
of the extensions in the list, the file is considered as “spoofed” and will either
be blocked or scanned for malicious content (the default action is “scan”).
• Prevent HTTP download resume: Resuming downloads can cause partial
download of files or downloads that do not start from the beginning of the file.
eSafe is unable to thoroughly inspect incomplete files and partially downloaded
files for viruses.
• Prevent HTTP content disposition: Content Disposition means that a server
can send a command to the system, telling it to use another program to open
downloaded files. Using this option will prevent servers from changing the type
of application that will be used to open downloaded files. Usually, file types are
associated with a specific application, for example, .doc files are handled by
MS Word.
• Prevent HTTP data compression: Prevent sending HTTP data in GZIP
compressed form. Such data cannot be correctly inspected by eSafe. (This
option is enabled by default.)
Note: This is different from downloading compressed ZIP files, which are
allowed.
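The file-spoof protection described in the FTP Security and HTTP Security sections compares a file's leading bytes with the extension it carries. The following is an added example of that kind of check, not eSafe's implementation: the signature table is a small constructed subset of well-known file signatures, and the function names and verdict strings are assumptions.

```python
import os

# (magic bytes at offset 0, format name, extensions accepted for that format).
# A constructed subset of well-known signatures, not the product's own list.
SIGNATURES = (
    (b"MZ", "Windows executable", frozenset({"exe", "dll", "scr", "sys"})),
    (b"%PDF-", "PDF", frozenset({"pdf"})),
    (b"PK\x03\x04", "ZIP container", frozenset({"zip", "jar", "docx", "xlsx", "pptx"})),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file",
     frozenset({"doc", "xls", "ppt", "msi"})),
    (b"\x89PNG\r\n\x1a\n", "PNG", frozenset({"png"})),
    (b"GIF87a", "GIF", frozenset({"gif"})),
    (b"GIF89a", "GIF", frozenset({"gif"})),
    (b"\xff\xd8\xff", "JPEG", frozenset({"jpg", "jpeg"})),
    (b"\x1f\x8b", "gzip", frozenset({"gz", "tgz"})),
)


def detect_format(head: bytes):
    """Return (format name, accepted extensions) for the leading bytes, or None."""
    for magic, name, extensions in SIGNATURES:
        if head.startswith(magic):
            return name, extensions
    return None


def check_file(filename: str, head: bytes, spoof_action: str = "scan"):
    """Return (verdict, reason); verdict is "ok" or the configured spoof action.

    spoof_action mirrors the page's choice between scanning and blocking a
    spoofed file, with "scan" as the default.
    """
    if spoof_action not in ("scan", "block"):
        raise ValueError("spoof_action must be 'scan' or 'block'")
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = detect_format(head)
    if detected is not None:
        name, extensions = detected
        if ext in extensions:
            return "ok", f"{name} content matches .{ext}"
        return spoof_action, f"{name} content behind extension '{ext}'"
    # No known signature: the file is still suspect if its extension promises
    # one of the formats in the table.
    if any(ext in extensions for _, _, extensions in SIGNATURES):
        return spoof_action, f"extension '{ext}' claimed but its signature is absent"
    return "ok", "format not in the signature list"


# Constructed samples: (file name, first bytes of the content).
SAMPLES = (
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),
    ("report.pdf", b"%PDF-1.4\n"),
    ("budget.XLSX", b"PK\x03\x04\x14\x00"),
    ("photo.jpg", b"<html><body>"),
    ("notes.txt", b"plain text"),
)

if __name__ == "__main__":
    for name, head in SAMPLES:
        verdict, reason = check_file(name, head)
        print(f"{name:12} {verdict:5} {reason}")
```

The check only works on the first bytes of a file, which a resumed transfer that starts mid-file does not supply.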


SMTP Profiles

Config Tab | Protocol Rules | Email | Incoming or Outgoing | Profiles


eSafe allows you to define email profiles by associating network entities
(predefined users, groups, IP addresses, IP address ranges, VLANs, hosts,
domains which are derived from the LDAP server) with a specific email policy.
Network entities define “who” the URL Filter Profiles will apply to:
• Users imported from an LDAP server
• Local, predefined users (using eSafe Client Agent). It is also possible to import
a list of predefined eSafe users.
• Groups of workstations based on the IP address, an IP address range,
hostname, or VLAN.
Note that each row in the Profiles list represents a specific profile.

In this page you can do the following:

• Click the button to add a network entity. (A description of the Network
Entities dialog box follows in the next section.)
• Use the “Up” and “Down” arrow buttons to move an item in the list in order to
determine the priority of the profiles.


SMTP Policies

Config Tab | Protocol Rules | Email | Incoming or Outgoing | Policies


When creating email profiles, you must define policies that will be applied to
users/groups of users. The policies consist of a name and description and lists of:
• Spam features that eSafe will search for
• Security features that eSafe will enforce
The Policy page includes the following options:

Policy name: Allows entering a name for a new policy. (Note that the policy
name cannot include spaces.)

Default email policy: The default policy applies to all users that are not
assigned a specific profile. This usually includes the majority of users and as
such, it should be as comprehensive as possible.

Description: Allows entering a description of the policy if necessary.

Spam Tab: A description of the check boxes in the Spam tab follows:
• Email header verification: Blocks spam by searching for specific strings of
text in the incoming/outgoing email header and then either blocking the email
or adding a tag to the email subject. If eSafe detects spam, it can either
block the email, add a tag to the email subject, or drop the email. Select the
action at the bottom of the page.

• Check for keywords in email body: eSafe can check incoming and outgoing email
for spam words in the message body. If eSafe detects spam, it can either block
the email, add a tag to the email subject, or drop the email. Select the action
at the bottom of the page.
• Check for keywords in email subject: eSafe can check incoming and outgoing
email for spam words in the message subject. If eSafe detects spam, it can
either block the email, add a tag to the email subject, or drop the email.
Select the action at the bottom of the page.
• Classify email written in foreign text as spam: eSafe will automatically
classify email written in foreign text as spam using the selected code page
conversion tables. To define the languages that will be considered spam, click
the Settings link; the Spam Keywords - Foreign Text page appears.
If eSafe detects spam, it can either block the email, add a tag to the email
subject, or drop the email. Select the action at the bottom of the page.
• Perform advanced anti-spam checks: Enables advanced anti-spam features. If
eSafe detects spam, it can either block the email, add a tag to the email
subject, or drop the email. Select the action at the bottom of the page.
• Choose action: For each spam detection method, you can define the action
eSafe will perform:
  • Block email: Blocks email containing phishing content.
  • Strip & add tag to email subject: Strips the phishing content, adds a tag
  to the email subject, and allows the email to continue to the intended
  recipient.
  • Drop email detected as spam: Allows dropping email that is considered spam.
  Dropped email will not enter the eSafe quarantine folder and the user will
  not see dropped spam emails in the Quarantine report.

Content Security Tab: A description of the check boxes in the Content Security
tab follows:
• Scan Email for Viruses and Content: This check box enables scanning for
viruses and malicious content in email. Selecting this option enables
additional check boxes.
• Strip all attachments: When defining rules to block email traffic, you can
also enable stripping attachments from ALL incoming or outgoing email.
The option to strip all attachments is useful when employees with no real need
to send or receive non-productive attachments tie up more bandwidth than you
want to allow. If only a limited number of employees need to receive
attachments normally considered to be nonproductive, you can place them on the
VIP Email Addresses List and select Exclude VIPs. For example, the vast
majority of employees may only need to receive .DOC, .XLS, .PPT, and .PDF files
as part of their daily work routine.

• Block specified file types: eSafe allows defining lists of restricted and
trusted file types for blocking. eSafe will BLOCK file types in the restricted
list, or block all file types except those in the trusted list. Click the List
link to define lists of file types.
• Scan specified file types: eSafe allows defining lists of restricted and
trusted file types for scanning. eSafe will SCAN file types in the restricted
list, or scan all file types except those in the trusted list. Click the List
link to define lists of file types.
• Activate file-type spoofing: Allows activating protection against file-type
spoofing. Because file spoofing is a common technique used to disguise Trojans,
eSafe applies stricter standards to files whose extensions do not match their
bit structure.
• Block password protected archives: Blocks all archive files that require a
password for opening. If you do not select this option, password protected
archives are assumed to be safe.
• Activate Content Filters: Activates the email content filters. For
descriptions of the various content filters, see Content Filters.
• Activate phishing prevention: eSafe employs various methods to combat
phishing. You can choose which items you want eSafe to search for in email
messages. Select one of the following actions:
  • Block email: Blocks email containing phishing content.
  • Strip & add tag to email subject: Strips the phishing content, adds a tag
  to the email subject, and allows the email to continue to the intended
  recipient.
  • Drop email detected as spam: Allows dropping email that is considered spam.
  Dropped email will not enter the eSafe quarantine folder and the user will
  not see dropped spam emails in the Quarantine report.
• Block email bigger than X Kbytes: Blocks an email message that exceeds the
specified limit. The default is 10000 Kbytes.


Network Entities Handler

The Network Entities Handler displays user and group information taken from the
organizational LDAP server. You can use this information “as is” to create profiles,
or define new network entities manually.
Note: When defining users, you will be prompted to enter the user’s password and email
address.
1. Click the relevant tab to define a new entity. Depending on the type of entity
you are defining, you should either:
• Enter the entity details (for example: IP address, IP address range).
Or,
• In the specific Name text box, enter a name for the network entity (for
example: group, user, VLAN, host, domain).

Note: You can also use the button to import predefined lists of users/groups.
The entries in the list must be separated by a “|”. For example,
(<username>|<password>|<email>). When adding more than one email
address, use a semi-colon to separate the addresses.
2. Click the Add! button to add the entity. (When defining users, you will be
prompted to enter the user’s password and email address.)

3. Select the entity and click Select. The Change Profile dialog box appears.

4. From the drop-down list select the URL filter policy that you want to associate
with the selected network entity. You can choose a manually defined policy, or
select one of the predefined policies:

• WebLock: Blocks access to all web sites.
• NoBlocking: Allows access to all web sites.
• Productivity: Blocks access to non-work related sites.
• HighSecurity: Blocks access to sites that include potential security risks
and unwanted content (e.g. gambling, pornography, violence, etc.)

5. Under Activation Status, select when the profile will be active.

• Not active: The profile is not enabled.
• Active in report mode (no blocking): The profile will always be active,
but will only report about any policy violations.
• Active during working hours: The profile is only active during working
hours. These are defined under the Profile Settings.
• Active during nonworking hours: The profile is active during nonworking
hours.
• Always active: The profile is always active.


9. Click OK.


Action

Config Tab | Protocol Rules | Email | Incoming or Outgoing | Action


When scanning email traffic, eSafe can perform various actions if it finds
malicious content in attached files. These actions differ for SMTP email and POP3
email.
The following options are available for SMTP:
• Strip attachment. eSafe will strip (remove) the attachment from the email
and allow the modified email file to continue to the recipient.
• Remove dangerous content. If it cannot be removed, strip the
attachment. eSafe will attempt to remove the dangerous content from the
attachment. If it is unable to remove the dangerous content, eSafe will strip
the attachment; the modified email file will continue to the recipient.
• Block entire email if it contains a dangerous attachment: eSafe will
block the entire email and all its attachments.

The following options are available for POP3:


• Strip attachment. eSafe will strip (remove) the attachment from the email
and allow the modified email file to continue to the recipient.
• Remove dangerous content. If it cannot be removed, strip the
attachment. eSafe will attempt to remove the dangerous content from the
attachment. If it is unable to remove the dangerous content, eSafe will strip
the attachment; the modified email file will continue to the recipient.
• Replace entire email content with warning: eSafe will remove the content
of the email and replace it with a warning; the modified email file will continue
to the recipient.


SMTP Security

Config Tab | Protocol Rules | Email | SMTP Security


As a first line of defense, eSafe can check and enforce compliance with protocol
standards at connection time, to minimize exposure and possible exploitation by
malicious code. Non-standard utilization of protocol commands and properties
can be blocked.
The mail relay mechanism in eSafe is a full-feature mail server that includes all
the mechanisms that are essential in a mail server to prevent improper and
forbidden use of the eSafe mail server.

eSafe allows implementing the following options:

Block incoming email from external senders: Allows defining a list of senders
from which email will be blocked.

Block outgoing email to external recipients: Allows defining a list of
recipients to which email will be blocked.

Do not scan email from external senders: Allows defining a list of senders from
which email will be allowed, without scanning.

Enable email anti-spoofing: The anti-spoofing mechanism blocks incoming email
which has a local sender in the Mail from field, but was not sent from one of
the IP addresses listed in the Local Senders list.
If you want to allow employees to place their work email addresses in the
Sender field when they send email from a remote site, you must deselect this
option.
The anti-spoofing mechanism cannot act on an email message that does not have a
sender (the Mail from field is blank). Email that does not have a sender can be
legitimate, such as bounced emails.

Enable anti-relay protection: The anti-relay option blocks attempts to use
eSafe as a mail relay by external senders. Any email sent to a recipient not
listed in one of the organization’s domains (defined under Email Settings |
SMTP Settings | SMTP Internal Domains) will be considered a mail relay
violation, and will be blocked.
When email contains more than one recipient, the decision whether to send the
email to each recipient is taken separately. For example, an email is sent to
two addresses, one local (april_chase@mycompany.com) and the other outside the
organization (james_crotty@anothercompany.com). If the sender is not a local
sender, the mail server will deliver to the local recipient, but refuse to
relay the email to the other recipient.
The use of multiple mail relays enables hackers to make spam and other email
appear as if they were sent by your organization. If you want to allow your
mail server to act as a relay, you need to deselect this option.
Click on the List link to define a list of local senders that will be allowed
to send email to the Internet, or use the organization's domain (internal mail
server) as the sender.

Block non-existent email recipient according to LDAP/AD server: Allows blocking
email to internal recipients that are not listed in the organization's LDAP
server. Internal domains or specific recipients that are not listed at the LDAP
server should be excluded in the list below, to prevent eSafe from blocking
email to these recipients/domains.

Block email according to the email server IP address: Allows defining a
specific list of email server IP addresses from which email will be blocked.

Authenticate SMTP connections: Allows authentication of SMTP connections to
enable authorized clients/remote users (travelling users, for example) to send
email from outside the organization, without this email being considered a
spoofing attempt or unauthorized relay.
You can define a list of users and passwords that will enable authentication of
the users.

Block invalid SMTP email address: Allows blocking email messages that contain
invalid characters in the email address (such as @@) which are often used in
exploits and relays.

Anti-bombing (Limits the possibility of DoS attacks): The anti-bombing option
regulates the flow of email to prevent an overload that can effectively shut
down your email server. The anti-bombing feature monitors the number of email
sessions that are open at the same time and the total number of email messages
in the spooler; each direction is monitored separately. When eSafe reaches
these limits, it temporarily stops sending/receiving email until the levels
drop below the limit.

A description of the anti-bombing features follows:

Max. concurrent connections: Allows defining the number of email messages that
eSafe can simultaneously receive/send. Incoming connections are rejected when
either the maximum number of incoming email sessions or the maximum number of
email files is reached.
This feature regulates the flow of email leaving the server. Increasing the
ratio of outgoing sessions vs. incoming sessions increases the throughput, and
vice-versa. This feature significantly raises the mail server’s tolerance to
bombing attacks.

Max. emails in spool: Defines the maximum number of email messages that are
allowed in the spool at any time.

Max. recipients per email: Lets you limit the number of recipients (incoming
and outgoing mail) to a reasonable number. The use of email with a large number
of recipients is a common bombing technique that leverages your SMTP server to
multiply the volume that it handles by the number of recipients in each email.
This parameter also has the beneficial side effect of blocking spam and pyramid
mail that contain far more recipients than can be expected in desirable email.
If the value is zero, the anti-bombing option ignores this parameter.
Note: Even if the anti-bombing feature is not active, email with more than 100
recipients (default value) is still blocked.

Max. message size (KB): Defines the maximum size of a message that can be
received. eSafe will block email that exceeds the size defined. If the value is
zero, the anti-bombing option ignores this parameter.
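The anti-spoofing, anti-relay, authentication, invalid-address and recipient-limit options above interact at the SMTP envelope level, with the relay decision taken per recipient. The following is an added example that models those decisions in Python; it is not eSafe code. The policy field names, the verdict strings, the order of the checks and the sample addresses other than the two from the page are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SmtpPolicy:
    internal_domains: frozenset       # SMTP Internal Domains
    local_sender_nets: tuple          # Local Senders list, as ip_network objects
    anti_spoofing: bool = True
    anti_relay: bool = True
    block_invalid_addresses: bool = True
    max_recipients: int = 100         # 0 disables the check


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def is_valid_address(address: str) -> bool:
    """Reject addresses such as 'user@@domain' or ones missing a part."""
    local, at, domain = address.partition("@")
    return bool(local and at and domain) and "@" not in domain


def evaluate(policy, client_ip, mail_from, rcpt_to, authenticated=False):
    """Return (message verdict, {recipient: verdict}) for one SMTP envelope."""
    ip = ipaddress.ip_address(client_ip)
    # An authenticated session is treated like a connection from a local sender.
    trusted_client = authenticated or any(ip in net for net in policy.local_sender_nets)
    # A blank MAIL FROM (for example a bounce) has no sender to check.
    sender_is_local = bool(mail_from) and domain_of(mail_from) in policy.internal_domains

    if policy.anti_spoofing and sender_is_local and not trusted_client:
        return "reject: spoofed local sender", {}
    if policy.max_recipients and len(rcpt_to) > policy.max_recipients:
        return "reject: too many recipients", {}

    verdicts = {}
    for rcpt in rcpt_to:  # the relay decision is taken separately per recipient
        if policy.block_invalid_addresses and not is_valid_address(rcpt):
            verdicts[rcpt] = "block: invalid address"
        elif domain_of(rcpt) in policy.internal_domains:
            verdicts[rcpt] = "deliver"
        elif policy.anti_relay and not trusted_client:
            verdicts[rcpt] = "block: relay violation"
        else:
            verdicts[rcpt] = "relay"
    return "accept", verdicts


# Constructed policy: one internal domain, one local sender network.
POLICY = SmtpPolicy(
    internal_domains=frozenset({"mycompany.com"}),
    local_sender_nets=(ipaddress.ip_network("10.0.0.0/8"),),
)
LOCAL = "april_chase@mycompany.com"
REMOTE = "james_crotty@anothercompany.com"
EXTERNAL_IP = "192.0.2.25"   # documentation address range, constructed

if __name__ == "__main__":
    cases = (
        ("external sender, two recipients", EXTERNAL_IP, "sender@example.org", [LOCAL, REMOTE], False),
        ("local sender from local IP", "10.1.2.3", LOCAL, [REMOTE], False),
        ("local sender from outside", EXTERNAL_IP, LOCAL, [REMOTE], False),
        ("same, authenticated", EXTERNAL_IP, LOCAL, [REMOTE], True),
        ("bounce with blank sender", EXTERNAL_IP, "", [LOCAL], False),
    )
    for label, ip, sender, rcpts, auth in cases:
        print(label, "->", evaluate(POLICY, ip, sender, rcpts, authenticated=auth))
```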


POP3 Security

Config Tab | Protocol Rules | Email | POP3 Security


POP3 traffic allows authenticated communications, which eSafe is unable to open
and scan. To avoid a situation where traffic is allowed to pass through eSafe
without being checked, it is possible to block all POP3 traffic, traffic from specific
servers, and authenticated POP3 traffic. It is also possible to scan traffic from
specific POP3 servers.

The following options are available:

Block all POP3 traffic: Blocks all POP3 traffic.

Block traffic from specific POP3 servers: Blocks traffic from specific POP3
servers.

Scan traffic from specific POP3 servers: Allows scanning traffic from specific
POP3 servers.

Do not allow POP3 log-in using AUTH command without user name: This option
enforces protocol compliance and blocks POP3 users that log-in using the AUTH
command without a user name.


Anti-spam
There are several techniques to fight spam; none can completely eliminate spam
without blocking any legitimate email as well. However, using a combination of
techniques, spam can be reduced to the lowest possible minimum and yet not
block legitimate email.
eSafe includes various features that enable blocking spam from entering your
organization. Two types of anti-spam services are available: the Basic Anti-spam
Service and the Advanced Anti-spam Service.
Basic Anti-spam Service
This service is installed with eSafe and is available to all users. The basic
anti-spam service allows checking email for spam by verifying the email header,
checking the validity of the mail server and checking the validity of the
sender/server at the DNS.
The Basic Anti-spam Service includes the following options:
• Email Header Verification
• Mail Server Validation (RBL)
• DNS Lookup

Email Header Verification

Config Tab | Anti-spam | Basic Anti-spam | Email Header Verification


This feature enables fighting spam by searching for specific strings of text in the
email header and then blocking the email. You can define restricted or trusted
lists of strings that eSafe will use when inspecting traffic.

Search email headers according to drop-down list: Select which lists eSafe will
use when checking the email headers. You can select one of the following
options:

• Properties defined in Restricted List: eSafe will only block the email if it
encounters text in the email header, that appears in the Restricted List.

• Properties defined in Trusted List: eSafe will block ALL email, unless it
encounters text in the email header that appears in the Trusted List.

• Properties in Restricted List, unless they appear in Trusted List: eSafe
will block the email according to the strings defined in the Restricted List
but will exclude strings that appear in the Trusted List.


List link: Allows you to define the Restricted and Trusted lists. eSafe
provides default lists of strings that are associated with spam email. You can
modify these lists by using the Add, Edit and Delete buttons.

You can also use the Import and Export buttons to import a list of strings from
an external text file; or to export a list of strings to an external text file.
The items in lists that will be imported must be separated by a comma or by
using <Enter>.

(Tip: Export an existing list from eSafe and then open the file to see how it
is formatted.)

Mail Server Validation (RBL)

Config Tab | Anti-spam | Basic Anti-spam | Mail Server Validation (RBL)


The blacklist technique, commonly referred to as RBL (Realtime Blackhole List),
checks various RBL servers to verify that the sending server is not black listed as
a known source of spam or as an open mail relay that spammers can use to relay
spam. If the RBL server notifies eSafe that the sending server is black listed, the
email will be blocked or tagged (depending on the action selected).
Normally any secure mail server should refuse to relay (send) email from an
external sender to anybody outside its domain. This ensures that spammers
cannot hijack it and use it to send spam that will look like it is coming from a
legitimate mail server. Unfortunately some system administrators, for whatever
reason, fail to configure their mail servers to block such a relay.
Black lists like MAPS (www.mail-abuse.org) RBL (realtime black-hole list), ORDB
(open relay database; www.ordb.org) and others contain dynamic lists of IP
addresses of mail servers that are known to send spam (or which are hijacked by
spammers to relay spam). A complete list of the various Black Lists can be found
at: www.declude.com/junkmail/support/ip4r.htm.
The following options are available:

Check if mail server is in RBL for INCOMING email: eSafe checks if the mail
server used to send incoming email appears in an RBL.

Check if mail server is in RBL for OUTGOING email: eSafe checks if the mail
server used to send outgoing email appears in an RBL. (This option is
especially useful to Internet service providers that want to ensure that their
service users are not known spammers.)


List link: Click the List link to view the list of RBL servers that
eSafe uses when checking the validity of the mail
server, and the necessary response.

Choose action: Under Choose action, you can select the action eSafe
will perform if it discovers that the sending server is
blacklisted:

• Block email: eSafe will block the entire email.

• Add tag to email subject: eSafe will add text to the email subject notifying
the recipient that the email was detected as spam. You can change the default
text as necessary.

• Drop email detected as spam: Allows dropping email that is considered spam.
Dropped email will not enter the eSafe quarantine folder and the user will not
see dropped spam emails in the Quarantine report.

Check mail server IP address: Under Check mail server IP address, you can
define when eSafe will check the RBL server validity:

• At connection time: When eSafe is the first mail relay it receives email
directly from senders and can check the RBL validity as soon as it receives
the email.


• In the received line of the email header: When eSafe is not the first mail
relay, it must check the email header to ascertain from which mail server the
email arrived, and to check this server at the RBL. The line number represents
each mail relay that precedes eSafe.

From the drop-down list, select which line in the email header eSafe will
check to determine if the sending mail server is listed in an RBL.

Note: It is recommended to periodically update the RBL settings.

DNS Lookup

Config Tab | Anti-spam | Basic Anti-spam | DNS Lookup


eSafe checks the validity of the sender domain and the mail server used to send
mail at the Domain Name Server (DNS). When enabled, you can define a list of
servers that will be excluded from checking (see a description of the RBL and DNS
Exclusion List below).
Every legitimate email server has to be registered and recognized around the
world so other mail servers will be able to connect and transfer email destined to
it. Mail servers are registered to Domain Name Servers (DNS) that associate
the server Internet host name with an IP address.
The DNS lookup technique helps identify if the sending mail server is legitimate
and has a valid host name. DNS lookups eliminate spam sent by mail servers
using a dial-up line, as well as the majority of ADSL and cable servers, simply
because their host names are not registered in any Domain Name Server (DNS).
When the DNS Lookup option is activated, eSafe inspects the host name of the
sending mail server, and then performs a DNS query to verify if the resolved IP
address is indeed the IP address of the incoming connection host name. If the IP
addresses do not match, eSafe refuses the incoming connection and the email will
not be received.
Note: Although rare, there are some legitimate but incorrectly configured mail
servers which have a host name that is not registered in the DNS. Mail from such
servers will be denied.
DNS Lookup allows performing:
• Server Validation
• Sender Validation
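
The RBL check and the DNS Lookup check described above both reduce to DNS queries about the sending server. The following Python sketch is an added example, not eSafe code: the zone `rbl.example`, the host names, the `127.0.0.2` "listed" answer and the assumption that Received line 1 is the topmost header are all constructed for illustration.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample: two relays precede eSafe (esafe.example.org), so the
# original sending server is recorded in the second Received line from the top.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
    by esafe.example.org; Mon, 17 May 2010 10:00:02 +0000
Received: from relay1.example.com (relay1.example.com [203.0.113.25])
    by mx2.example.net; Mon, 17 May 2010 10:00:01 +0000
From: sender@example.com
To: user@example.org
Subject: constructed sample

Body text.
"""

# Constructed DNS data standing in for real lookups so the example runs offline.
FAKE_DNS = {
    "25.113.0.203.rbl.example": ["127.0.0.2"],  # relay1's IP is listed
    "mx2.example.net": ["198.51.100.7"],
    "relay1.example.com": ["203.0.113.25"],
}

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def fake_resolver(name):
    """Offline resolver: answers only from the constructed FAKE_DNS table."""
    return FAKE_DNS.get(name, [])


def system_resolver(name):
    """Return the IPv4 addresses a name resolves to, or [] if it has none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        return []


def dnsbl_query_name(ip, zone):
    """Name queried at an RBL: the IPv4 octets reversed, then the RBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if invalid
    return ".".join(reversed(octets)) + "." + zone


def is_blacklisted(ip, rbl_zones, resolver=system_resolver):
    """rbl_zones maps each RBL zone to the answer that means 'listed'."""
    return any(listed_answer in resolver(dnsbl_query_name(ip, zone))
               for zone, listed_answer in rbl_zones.items())


def relay_ip_from_received(raw_message, line_number):
    """IP recorded in the Nth Received line, counting from the top (newest)."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not 1 <= line_number <= len(received):
        return None
    match = _BRACKETED_IP.search(received[line_number - 1])
    if not match:
        return None
    try:
        return str(ipaddress.IPv4Address(match.group(1)))
    except ValueError:  # looked like an address but is not a valid one
        return None


def host_name_matches(host_name, connection_ip, resolver=system_resolver):
    """DNS Lookup check: the announced host name must resolve to the peer IP."""
    return connection_ip in resolver(host_name)


def check_sending_server(ip, host_name, rbl_zones, excluded=(),
                         resolver=system_resolver):
    """Return 'excluded', 'rbl', 'dns-mismatch' or 'ok' for one sending server."""
    if ip in excluded:  # mirrors the RBL and DNS exclusion list
        return "excluded"
    if is_blacklisted(ip, rbl_zones, resolver):
        return "rbl"
    if not host_name_matches(host_name, ip, resolver):
        return "dns-mismatch"
    return "ok"


if __name__ == "__main__":
    zones = {"rbl.example": "127.0.0.2"}
    sender_ip = relay_ip_from_received(SAMPLE_MESSAGE, 2)
    print(sender_ip, check_sending_server(sender_ip, "relay1.example.com",
                                          zones, resolver=fake_resolver))
```

Selecting the wrong Received line makes the check evaluate an intermediate relay instead of the original sender, which is why the line number has to match the number of relays in front of the gateway.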


Server Validation

Config Tab | Anti-spam | Basic Anti-spam | DNS Lookup | Server Validation


To check the validity of the mail server, select one of the following options:
• Check validity of mail server against the DNS record for INCOMING
email: eSafe checks if the mail server used to send incoming email appears at
the DNS.
• Check validity of mail server against the DNS record for OUTGOING
email: eSafe checks if the mail server used to send outgoing email appears at
the DNS.

Select the action you want eSafe to perform if it finds that the mail server or
sender domain is not registered at the DNS:
• Block email: eSafe will block the entire email.
• Add tag to email subject: eSafe will add text to the email subject notifying
the recipient that the email was detected as spam. You can change the default
text as necessary.
• Drop email detected as spam: Allows dropping email that is considered
spam. Dropped email will not enter the eSafe quarantine folder and the user
will not see dropped spam emails in the Quarantine report.


Sender Validation

Config Tab | Anti-spam | Basic Anti-spam | DNS Lookup | Sender Validation


To check the validity of the sender domain, select one of the following options:
• Check validity of sender domain at the DNS server for INCOMING
email: eSafe checks if the domain of the mail server used to send incoming
email is registered at the DNS.
• Check validity of sender domain at the DNS server for OUTGOING
email: eSafe checks if the domain of the mail server used to send outgoing
email is registered at the DNS.

Select the action you want eSafe to perform if it finds that the mail server or
sender domain is not registered at the DNS:
• Block email: eSafe will block the entire email.
• Add tag to email subject: eSafe will add text to the email subject notifying
the recipient that the email was detected as spam. You can change the default
text as necessary.
• Drop email detected as spam: Allows dropping email that is considered
spam. Dropped email will not enter the eSafe quarantine folder and the user
will not see dropped spam emails in the Quarantine report.


Advanced Anti-spam Service

Config Tab | Anti-spam | Advanced Anti-spam


This is an add-on service that requires a unique license key. The Advanced Anti-
spam Service branch includes the following options:
• Anti-spam Configuration: Allows configuring which engine eSafe will use to
search for spam.
• Honey Pot: Allows defining lists of email addresses that eSafe will search for
in incoming and outgoing email and subsequently block/tag.

Anti-spam Configuration

Config Tab | Anti-spam | Advanced Anti-spam | Anti-spam Configuration


The Advanced Anti-spam Service uses double anti-spam engines to provide best-
of-breed spam detection. In this page you can configure which engine eSafe will
use to search for spam and, when using the Spam content analysis engine, it is
also possible to select the actual methods eSafe will use to identify spam.
The following options are available on this page:
• Spam realtime reputation engine: This engine uses data collected by spam
bots and sensors installed at large customers and ISPs across the globe which
is then recorded at a central detection center. Some of this data is also stored
locally at the engine in an internal cache. The reputation of incoming email is
checked for spam against the cached data or by sending a realtime query to
the data center.
• Spam content analysis engine: This engine uses various methods to check
for spam in email. Click on the required check boxes to select the methods
eSafe will use to check for spam. A description of the methods follows:
• Smart signature matching: eSafe extracts hash signatures from incoming
email and compares them against a database of known spam email
messages. The signature database is updated several times a day with
information derived from realtime spam collectors.

• Text analysis: eSafe identifies spam based on statistics derived from
analyzing large collections of spam messages in real time.

• Flow control: eSafe searches for identical email messages over a specific
time frame. Email messages which appear multiple times during this period
but originate from different sources are noted, and if the number of
occurrences exceeds a predefined threshold value, the email is blocked as
spam.


• Bayesian classification: eSafe uses statistics derived from analyzing
collections of very large numbers of spam messages. The system can be
“trained” to specifically identify spam with a high identification rate and low
false-positives.

• Phishing: Uses a combination of techniques to determine whether or not an
email is a so-called “phishing” email.

• Fuzzy fingerprint: A new analysis method designed to combat the latest
spam techniques, where spam emails contain images with small
modifications (e.g. random pixels, corruption etc.).

• Meta-heuristics: eSafe identifies spam by searching for common spam
characteristics such as the usage of mixed foreign character sets, image
links that are server queries, use of a mixture of obscure and/or
non-printable characters, different encoding methods, etc. In addition to
identifying various spam characteristics, the heuristic system also cleans
email from junk characters and HTML tags so that hash-signatures can be
extracted and compared with the signature database. This method also
allows eSafe to identify polymorphic spam.

• URL categories: eSafe searches for URL links in email messages and checks
which category the URL belongs to. Click the List link to define which
categories you want to block, and which specific URLs you want to block or
allow (unblock).

• Known spam URLs: eSafe identifies links to web sites known to belong to
spammers.

• Structure analysis: These techniques analyze the HTML structure of the
email message to calculate unique signatures and check them against the
spam database.

• Finger print: Checks email attachment “fingerprints” (MD5 hashes) against
fingerprints stored in the database, to determine whether or not the email
contains known spam attachments (or embedded images).


Honey Pot

Config Tab | Anti-spam | Advanced Anti-spam | Honey Pot


Usually, spam email reaches the organization as a single email message with a
random list of recipients at the organization, some of which are legitimate and
some of which do not exist. By defining a Honey Pot List—usually a list of defunct
email addresses—eSafe is able to check incoming email for these addresses. If
the Honey Pot addresses are included in the list of recipients, the email is
considered spam and eSafe is able to either block or tag the email as spam for
ALL recipients.
In the Honey Pot Email Addresses list, you can click the Add icon to enter a new
honey pot address. You can use the * wildcard when defining the list of email
addresses. Use the Import and Export buttons to import a list of addresses from
an external text file; or to export a list of addresses to an external text file.
Modify the list using the Edit and Delete buttons.

You can also choose the action eSafe will perform when it detects one of the
honey pot addresses in incoming email:
• Block spam email: Blocks the entire email as spam.
• Add tag to spam email subject: Adds a tag to the subject of the email
message and allows the email message to continue to the intended recipient.
• Drop email detected as spam: Allows dropping email that is considered
spam. Dropped email will not enter the eSafe quarantine folder and the user
will not see dropped spam emails in the Quarantine report.


Exclusion Lists

Config Tab | Anti-spam | Exclusion Lists


When defining your spam prevention policy, you can define various lists of email
addresses/mail server addresses that eSafe will use when inspecting email. These
lists determine what will be included and excluded from spam checking.
You can define three types of lists:
• Manually defined lists
• Automatically generated lists
• Lists that are generated automatically, based on the actions users perform in
the Quarantine Report.

A detailed description of the options available for each type of list follows.
• Under Spam exclusion lists defined manually by administrator, you can
manually define lists of email addresses/mail server addresses that will
determine what eSafe checks for spam. Select a combination of the following
options:
• Exclude specified email addresses from spam check: Allows defining a list of
source and/or destination email addresses that eSafe will not check for
spam. Click on the List link to define a list of email addresses.

• Exclude specified mail servers from RBL & Server DNS validation check:
Allows defining a list of mail servers that eSafe will not validate at the RBL
and DNS servers. All traffic from these servers will not be checked for spam.
Click on the List link to define a list of mail servers.

• Exclude email with specified keywords from spam check: Allows defining a
list of keywords that, if found in email, will prevent the message from being
classified as spam. Click on the List link to define a list of keywords.

• Under Automatically learned spam exclusion lists, you can configure eSafe to
automatically create lists of recipient addresses and keywords that are
derived from outgoing email, and will not be checked in the future. Select a
combination of the following options:
• Auto learn outgoing email recipient address and exclude from checking:
Allows eSafe to automatically learn the recipient addresses (destination
addresses) in email that is sent from within the organization to the outside.
This is based on the fact that it is unlikely that internal network users will
send email to spam addresses, and therefore these addresses can be assumed to
be non-spammers. Click on the List link to view and edit the automatically
generated list of recipient addresses.

• Do not auto learn addresses of email with specific keywords in subject: This
option is only available if the Auto learn outgoing email recipient address
and exclude from checking option, above, was selected. It allows defining
keywords that, if found in outgoing email, will exclude/prevent learning of
the recipient address (see previous bullet). Click on the List link to define
the list of keywords.

• Under Lists derived from Quarantine Report, based on user’s actions, you can
select the following option:
• Learn addresses of released email & exclude from checking: Allows learning
sender addresses in email that was quarantined and released by recipients
via the eSafe Spam Management Report. In future, eSafe will exclude these
addresses from spam checking.

Click on the List link to view or edit the list of email addresses.

Click on the Config link to configure the report.

• Mail servers excluded from spam checking:
• Exclude specific mail servers/subnets from spam check: This list contains
mail server IP addresses or internal subnets that should not be regarded as
spam senders. This list should include any internal mail server or
organization MX mail server that uses eSafe as a relay. (Note that this
option applies to the Reputation engine and modifies the Commtouch
configuration file.)


Spyware/Adware Protection

Config Tab | Spyware/Adware Protection

In this page you can define which spyware/adware and other malicious objects
eSafe will block or strip. If necessary, you can exclude specific VIP
servers/workstations from spyware/adware checking. VIPs are excluded under the
HTTP scan and block rules.

The following options are available:

ActiveX and Browser Helper Objects: Select the Strip malicious/spyware/adware
ActiveX check box to enable stripping ActiveX objects that are considered to
be malicious, spyware, or adware. From the drop-down list, select one of the
following options:

• Strip ActiveX in Restricted List (Normal sensitivity)

• Strip ActiveX in Restricted List (High sensitivity)

• Strip all ActiveX, except if in Trusted List

Click the List link to view and edit the list of Restricted and Trusted
ActiveX objects.

Spyware/Adware Websites: Select the Block access to known spyware/adware
websites check box to allow blocking access to websites that are known to be
sources of spyware/adware.

It is also possible to exclude specific sites from checking. To do this, click
the Exclusion List link. In the page that appears, click the Add button and
enter a URL which will be excluded from the spyware/adware check.


Content Filters
eSafe allows blocking traffic according to specific content filters, or stripping
items that are considered suspicious.
The real threats posed by web browsing are malicious active code, spyware and
exploits embedded in the HTTP protocol and HTML content, which try to
automatically install themselves or run on a user's machine. eSafe not only
inspects downloadable files, but also provides full inspection of HTML content as
well as scanning of all image files for known JPG and BMP format exploits.
When inspecting SMTP/POP3 traffic using the Content Filters, eSafe is able to
either block traffic, or strip the malicious content from the email file and allow the
modified file to continue to the intended recipient.
Content filters can be protocol specific, or may apply to all protocols — you should
review the various content filters and decide which features you want to activate.
The following Content Filters are available:
• Active Content and Cookies
• SmartScript™ Filters
• Archives
• MS Office Files
• File Type Spoofing
• XploitStopper™
• Email Security
• Phishing Prevention
• Kaspersky Anti-Malware

Active Content and Cookies

Config Tab | Content Filters | Active Content and Cookies


Web pages and HTML file types contain a number of useful features that could
also pose security risks. For the optimum level of security and performance, you
need to deal with each threat separately according to your network needs.
eSafe allows stripping links that enable activation of cookies, Java applets and
ActiveX controls, for all sources or for specific sources. You can use Trusted and
Restricted lists to define lists of sources for which these objects will be allowed
and stripped.
Note: Cookies do not contain executable code, and therefore cannot launch an
attack by themselves. However, they do store confidential information that
scripts, Java applets and ActiveX objects can retrieve.


This page is divided into two main sections:

Active Content: Under Active Content, select the check boxes of the
objects you wish to allow or strip:

• Allow preinstalled ActiveX objects only: Only allows activating ActiveX
objects that were already installed on network machines at the time that eSafe
was installed. eSafe will block any attempts to activate other, newer ActiveX
objects.

• Strip links to all ActiveX objects: eSafe will strip links to all ActiveX
objects.

• Strip scripts handling cookies, to prevent getting/setting cookies: eSafe
will strip scripts that are used to allow downloading and setting cookies.

Java Applets: Under Java Applets, you can enable the following option:

• Strip links to Java Applets: eSafe will strip links to Java Applets. If you
select to strip links or scripts, you must define for which sources to do
this. From the drop-down list, select one of the following options:

• All sources: eSafe will strip links/scripts for traffic from all sources.

• Restricted source (strip if listed): eSafe will only strip links/scripts for
traffic from sources that appear in the Restricted list.


• Trusted source (strip if NOT listed): eSafe will strip links/scripts for
traffic from all sources, excluding sources that appear in the Trusted list.

List link: If you select to strip links/scripts for trusted/restricted
sources, you must now define the relevant list of sources. Click the List link
and then select the relevant protocol when prompted to select the list type.

SmartScript™ Filters

Config Tab | Content Filters | SmartScript Filters


SmartScript Filters allow selectively stripping dangerous scripts from files and
downloads while leaving the rest of the file intact. You can strip the following
types of scripts:
• VBscripts
• JavaScripts
• Other scripts and forbidden functions

The following options are available:

Strip all scripts: Removes all scripts.


Strip forbidden functions: Strips only the forbidden functions or those scripts
that contain forbidden functions. When selecting this option, you can edit the
list of Forbidden Functions at the bottom of the page.

Click the Add a forbidden function button to add a function to the list.

Lists link: If you choose to strip scripts from trusted or restricted sources,
the List link is enabled, allowing you to define lists of Trusted and
Restricted sources. eSafe uses these lists to strip program scripts according
to the source of the file.

Archives

Config Tab | Content Filters | Archives


eSafe is capable of scanning most of the popular compression formats, including
.zip, .arj, .cab, .jar, .tar, etc. By default, eSafe blocks suspicious password
protected archives (viruses) and blocks multi-volume archives.
In addition eSafe can also block corrupted and unknown archives and prevent
blocking specific files inside an archive file.
In order to scan the archive files, eSafe must decompress all archive layers to
ensure that none of the archived files contain malicious code. Decompressing
multi-level and/or large archive files is a time, CPU, and memory consuming
process and may significantly deplete resources; even leading to DoS. For this
reason eSafe allows limiting the number of layers and the size of archive files that
will be decompressed.
When eSafe reaches the maximum level/file size, you can decide how it will treat
the archive file: allow or block.
The Archives page consists of the following options:

Max. levels text box: Enter the maximum number of levels eSafe will open to
scan for vandals and viruses in the archive file.

If last level contains an archive file: Define what to do with the archive once
this limit is reached. Select one of the following options:

• Allow: eSafe will allow these files without scanning. This option is based
on the assumption that, since malicious code is characterized by small file
sizes, it is highly unlikely that an exceptionally large sized archive file
will contain malicious code.


• Block: eSafe will block any archive file that exceeds the size limit.

Max. archive size text box: Enter the maximum size of archive files that eSafe
will scan.

If archive file exceeds maximum size: Select the action eSafe will take if an
archive file exceeds this limit. Select one of the following options:

• Allow: eSafe will allow these files without scanning. This option is based
on the assumption that, since malicious code is characterized by small file
sizes, it is highly unlikely that an exceptionally large sized archive file
will contain malicious code.

• Block: eSafe will block any archive file that exceeds the size limit.

Block suspicious password protected archives: Blocks archive files that are
suspected to contain viruses.

Block multi-volume archives: Allows blocking partial archive files. In order to
successfully scan an archive file, eSafe needs to re-assemble the original
file.

Block corrupted and unknown archives: Allows blocking archive files that are
corrupted and/or have an unknown file type.


Do not block specified files inside archive file: Allows excluding specific
files contained in archive files from blocking. This option is useful to
exclude files that would otherwise be considered questionable, bearing in mind
that eSafe will still scan these files for known viruses.

Block dangerous file extensions: eSafe will block dangerous files inside
archive files. Define which file extensions will be considered dangerous. You
can enter specific extensions separated with a comma, without wildcards. The
file will be blocked if the extension is found inside the archives.
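
The level and size limits described in this section can be illustrated with a bounded recursive ZIP scanner. This Python sketch is an added example and not eSafe's implementation: the function names, the verdict strings and the reuse of the size limit as a cap on each decompressed member are assumptions made for illustration.

```python
import io
import os
import zipfile

ALLOW, BLOCK = "allow", "block"


def build_nested_zip(depth, name="payload.txt", payload=b"hello"):
    """Constructed sample input: a ZIP nested `depth` levels deep."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"inner{level}.zip"
    return data


def scan_archive(data, max_levels, max_size, on_limit=BLOCK,
                 dangerous_ext=frozenset(), level=1):
    """Return (verdict, reason). on_limit is the action taken at a limit."""
    if len(data) > max_size:
        return on_limit, "archive exceeds maximum size"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return BLOCK, "corrupted or unknown archive"
    note = "scanned"
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 of the ZIP flags marks encryption
                return BLOCK, "password protected member"
            ext = os.path.splitext(info.filename)[1].lstrip(".").lower()
            if ext in dangerous_ext:
                return BLOCK, f"dangerous extension .{ext}"
            # Bounded read: the declared size in the header can lie, so never
            # decompress more than max_size + 1 bytes of any member.
            with archive.open(info) as member:
                content = member.read(max_size + 1)
            if len(content) > max_size:
                verdict, why = on_limit, "member exceeds maximum size"
            elif not zipfile.is_zipfile(io.BytesIO(content)):
                continue  # a real gateway would pass content to its AV engine
            elif level >= max_levels:
                verdict, why = on_limit, "maximum levels reached"
            else:
                verdict, why = scan_archive(content, max_levels, max_size,
                                            on_limit, dangerous_ext, level + 1)
            if verdict == BLOCK:
                return BLOCK, why
            if why != "scanned":
                note = why  # allowed at a limit: part of the file was not scanned
    return ALLOW, note


if __name__ == "__main__":
    for depth in (2, 3):
        print(depth, scan_archive(build_nested_zip(depth), 2, 1_000_000))
```

With `on_limit=ALLOW` the reason string records that nested content passed unscanned, which is the trade-off the Allow option accepts.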


MS Office Files

Config Tab | Content Filters | MS Office Files


eSafe can scan MS Office files for malicious content and strip macros and
embedded files if necessary. Since Office 2007 files differ from Office 2000/2003
files in that they have an archive file structure, separate policies are available for
dealing with each type of file.
This branch consists of the following sub-branches:
• MS Office Documents: Refers to the actual documents module.
• Office 2007/2010 Documents: Refers to the archive packaging envelope of
documents in Outlook 2007/2010.

MS Office Documents

Config Tab | Content Filters | MS Office Files | MS Office Documents


eSafe is able to inspect MS Office files (Word, Excel) for malicious content and
other embedded objects using eSafe’s proprietary MacroTerminator™ technology,
and strip files containing these objects. This prevents all macro viruses, known or
unknown, from reaching (or leaving) the network.

eSafe can inspect MS Office files for all sources or based on Restricted/Trusted
sources.
The MS Office Documents page consists of the following options:

Sources for which eSafe will check MS Office Files: Select for which sources
eSafe will check for malicious content and embedded files in MS Office
documents:

• All Sources: eSafe scans MS Office files from all sources for macros and
embedded files. (This option is enabled by default.)

• Restricted Sources (scan if listed): eSafe only scans MS Office files from
the sources listed in the Restricted list for malicious content and embedded
files.


• Trusted Sources (scan if NOT listed): eSafe scans MS Office files from all
sources except those in the Trusted list for malicious content and embedded
files.

List Link: Click the List link and then select a protocol when prompted to do
so. You can then define the Trusted and Restricted lists.

Malicious Content: Select the action eSafe will perform when it discovers
macros in MS Office files:

• Scan for malicious content using MacroTerminator™: eSafe will scan the files
for malicious content.

• Strip all macros: eSafe will strip macros and malicious content from email,
and block documents containing macros in FTP/HTTP.

Embedded Files: Select the action eSafe will perform if it discovers macros in
MS Office files:

• Strip all embedded files: eSafe will strip any embedded file from documents
attached to email, and will block documents containing embedded files for
FTP/HTTP.

• Strip dangerous embedded files: eSafe will strip dangerous embedded files
from documents attached to email, and will block documents containing embedded
files for FTP/HTTP. By default, eSafe lists .exe and .pif files as dangerous.
You can include additional file types in the Dangerous files text box. (This
option is enabled by default.)

To do this, separate the file extensions using a comma and do not use
wildcards in this field, for example: exe, pif.


Dangerous file extensions: eSafe will strip dangerous files inside Office 2007
documents. Define which files will be considered dangerous. When defining this
list, you can enter the extensions in the following format: .xls, xls, *.xls.
You can separate a list of extensions with a comma, and use the * wildcard.

Strip hidden Metadata from MS Office files: Stripping metadata from MS Office
documents prevents exposure of confidential information embedded in Office
files within the metadata. This can include, but is not limited to:

• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the document
• Other file properties and summary information such as file size, date/time
the file was created, modified or accessed, and the location where the file is
stored
• Non-visible portions of embedded OLE objects
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments.


Office 2007/2010 Documents

Config Tab | Content Filters | MS Office Files | Office 2007/2010 Documents


Office 2007 files differ from Office 2000/2003 files in that they have an archive
file structure. By default, eSafe blocks suspicious password protected archives
(viruses) and blocks multi-volume archives. In addition, eSafe can block
corrupted and unknown archive files and prevent blocking specific files inside an
archive file.

In order to scan the archive files, eSafe must decompress all archive layers to
ensure that none of the archived files contain malicious code. Decompressing
multi-level and/or large archive files consumes time, CPU, and memory, and may
significantly deplete resources, even leading to denial of service (DoS). For
this reason, eSafe allows limiting the number of layers and the size of archive
files that will be decompressed.

When eSafe reaches the maximum level/file size, you can decide how it will treat
the archive file: allow or block.
The Office 2007 Documents page consists of the following options:

Max. levels text box: Enter the maximum number of levels eSafe will open to
scan for vandals and viruses.

If last level contains an archive file: Define what to do with the archive once
this limit is reached. Select one of the following options:
• Allow: eSafe will allow these files without scanning.
• Block: eSafe will block the file.


Max. archive size text box: Enter the maximum size of archive files that eSafe
will scan.

If archive file exceeds maximum size: Select the action eSafe will take if an
archive file exceeds this limit. Select one of the following options:
• Allow: eSafe will allow these files without scanning. This option is based on
the assumption that, since malicious code is characterized by small file sizes,
it is highly unlikely that an exceptionally large sized archive file will
contain malicious code.
• Block: eSafe will block any archive file that exceeds the size limit.

Block suspicious password protected archives: Blocks archive files that are
suspected to contain viruses. (This option is enabled by default.)

Block corrupted and unknown archives: Allows blocking archive files that are
corrupted and/or have an unknown file type.

Do not block specified files inside archive file: Allows excluding specific
files contained in archive files, from blocking. This option is useful, for
example, to exclude files that would otherwise be considered questionable,
bearing in mind that eSafe will still scan these files for known viruses.

When defining this list, you can enter specific extensions separated with a
comma, without wildcards. The file will not be blocked if the extension is found
inside the archives.


Block dangerous file extensions: eSafe will strip dangerous files inside Office
2007 documents. Define which files will be considered dangerous.

When defining this list, you can enter the extensions in the following format:
.xls, xls, *.xls. You can separate a list of extensions with a comma, and use
the * wildcard.
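
The level and size limits described in this section amount to a bounded recursive unpacker with an Allow/Block policy at each limit. The following Python example is added here for illustration and is not eSafe code or part of the original guide; the function names, verdict strings and the nested-zip test input are constructed, and it assumes zip archives and applies the size cap to every inflated member as well as to each archive.

```python
import io
import zipfile

ALLOW, BLOCK, CLEAN = "allow-unscanned", "block", "scanned-clean"


def make_nested_zip(depth, payload=b"constructed sample payload"):
    """Constructed test input: `depth` zip layers wrapped around one file."""
    data, name = payload, "readme.txt"
    for layer in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "layer%d.zip" % layer
    return data


def inspect_archive(data, max_levels, max_size, at_last_level=BLOCK,
                    oversize=BLOCK, block_corrupted=True, level=1):
    """Open at most `max_levels` archive layers, none larger than `max_size`.

    Returns (verdict, reason). `at_last_level` and `oversize` mirror the
    Allow/Block choices offered when a limit is reached.
    """
    if len(data) > max_size:
        return oversize, "archive at level %d exceeds max size" % level
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    # Inflate no more than the cap plus one byte, so a small
                    # archive that expands enormously cannot exhaust memory.
                    blob = member.read(max_size + 1)
                if len(blob) > max_size:
                    return oversize, "%s inflates past max size" % info.filename
                if not zipfile.is_zipfile(io.BytesIO(blob)):
                    continue  # leaf file: a gateway would scan `blob` here
                if level >= max_levels:
                    return at_last_level, "archive found at last level %d" % level
                verdict, reason = inspect_archive(
                    blob, max_levels, max_size, at_last_level,
                    oversize, block_corrupted, level + 1)
                if verdict != CLEAN:
                    return verdict, reason
    except zipfile.BadZipFile:
        verdict = BLOCK if block_corrupted else ALLOW
        return verdict, "corrupted archive at level %d" % level
    except RuntimeError:
        # zipfile raises RuntimeError for encrypted members. Assumption: every
        # password-protected member is treated as suspicious.
        return BLOCK, "password-protected member at level %d" % level
    return CLEAN, "all layers opened within limits"


if __name__ == "__main__":
    for depth in (2, 3):
        print(depth, inspect_archive(make_nested_zip(depth), 2, 4096))
    bomb_like = make_nested_zip(1, b"A" * 200000)  # compresses to a few hundred bytes
    print(len(bomb_like), inspect_archive(bomb_like, 2, 4096))
```

Choosing Allow at either limit lets the remaining content through unscanned, so the limit values and the Allow/Block choices should be reviewed together.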


File Type Spoofing

Config Tab | Content Filters | File Type Spoofing


File spoofing is a common technique used to disguise Trojans. Therefore, eSafe
applies stricter standards to files whose extensions do not match their bit
structure.
When a rule does not block a specific file type, eSafe will confirm the file type
extension (if file-type spoofing protection is enabled), before allowing the file to
be scanned. eSafe inspects the file’s bit structure to make sure that it matches
that of one of the extension types listed in the File Type Spoofing lists:
• If the extension appears in one of the File Type Spoofing lists, the file’s
extension is confirmed, and eSafe acts according to the Scan rules.
• If the extension does not appear in one of the lists, eSafe will either block the
file entirely, or scan the file for malicious content, depending on the action
selected.
The lists of extensions are divided into the following file types:
• Executable files
• Object Link Embedded (OLE) files (usually Microsoft Office files)
• HTML files
• Archive files.
As new file extensions become available, you should add them to these lists. This
feature is enabled via the FTP Security and HTTP Security pages.
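
The extension-versus-structure comparison described above can be illustrated with file signatures. The following Python example is added here and is not eSafe's detection logic or part of the original guide; the signature table, the short extension lists and the function names are assumptions chosen for illustration, with the four categories taken from the list above.

```python
import os

# Leading bytes ("magic numbers") for three of the four categories.
SIGNATURES = {
    "executable": (b"MZ", b"\x7fELF"),
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    "archive": (b"PK\x03\x04", b"Rar!\x1a\x07", b"\x1f\x8b", b"7z\xbc\xaf\x27\x1c"),
}
# HTML has no magic number, so look for a leading doctype or <html> tag.
HTML_MARKERS = (b"<!doctype html", b"<html")

# Constructed, deliberately short extension lists (one per category).
EXTENSION_LISTS = {
    "executable": {"exe", "dll", "scr", "pif"},
    "ole": {"doc", "xls", "ppt", "msi"},
    "html": {"htm", "html"},
    "archive": {"zip", "rar", "gz", "7z", "docx", "xlsx", "pptx"},
}


def structure_of(head):
    """Classify the first bytes of a file, or return None if unlisted."""
    for kind, magics in SIGNATURES.items():
        if head.startswith(magics):
            return kind
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()  # skip BOM/whitespace
    return "html" if text.startswith(HTML_MARKERS) else None


def check_spoofing(filename, head, on_mismatch="block"):
    """Compare a file's extension with the structure of its content.

    `on_mismatch` is the configured action for a spoofed file: "block" or
    "scan". Files whose structure is in none of the categories are scanned.
    """
    kind = structure_of(head[:512])
    ext = os.path.splitext(filename.strip())[1].lstrip(".").lower()
    if kind is None:
        return {"action": "scan", "spoofed": False, "structure": None}
    if ext in EXTENSION_LISTS[kind]:
        return {"action": "scan", "spoofed": False, "structure": kind}
    return {"action": on_mismatch, "spoofed": True, "structure": kind}


if __name__ == "__main__":
    samples = [  # constructed inputs: (file name, first bytes)
        ("holiday_photo.jpg", b"MZ\x90\x00\x03\x00"),
        ("setup.exe", b"MZ\x90\x00\x03\x00"),
        ("report.docx", b"PK\x03\x04\x14\x00"),
        ("notes.txt", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
        ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ]
    for name, head in samples:
        print(name, check_spoofing(name, head))
```

An extension missing from its category list produces a spoofing verdict for legitimate files of that type, which is why the lists need to be kept current as new extensions appear.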


XploitStopper™

Config Tab | Content Filters | XploitStopper


XploitStopper includes advanced security features that proactively block viruses
and worms that try to exploit known security holes. XploitStopper detects
anomalies, abnormal protocols, and HTML structure that can lead to exploitation
of application and operating system security holes, and penetration and execution
of malicious code.
XploitStopper blocks the following types of exploits:
• Content Exploits
• FTP/HTTP Exploits
• Email Exploits
The XploitStopper rules are constantly and automatically updated whenever a
new security hole is discovered, even before a virus is available to exploit it and in
many cases before a patch is available from the application vendor.

Content Exploits

Config Tab | Content Filters | XploitStopper | Content Exploits


This page allows blocking web pages and email that contain HTML exploits based
on unique eSafe technology that analyzes and detects abnormal structures in
HTML pages. By default, eSafe will block HTML pages and email from all sources
that contain known HTML exploits.
A list of the threats that eSafe detects is also displayed. Select a threat and click
on the link at the bottom of the page to see additional information on the threat.


It is also possible to view a comprehensive list of the current threats and virus
alerts via eSafe's AIRC website: http://www.aladdin.com/airc/valerts.aspx. The
AIRC team constantly updates eSafe’s databases to enable up-to-date protection
against the latest security threats.
Warning: Before changing the default settings, make sure that this is absolutely necessary.


The following options are available:

Block web pages containing known HTML exploits: The following options are
available from the drop-down list:
• All sources: Blocks HTML pages containing known HTML exploits for all
sources.
• Restricted Source (block if listed): Only blocks HTML pages containing known
HTML exploits from sources that are restricted. These sources are defined in
the Servers for Scanning list, in the Restricted column.
• Trusted Source (block if NOT listed): Blocks HTML pages containing known HTML
exploits from all sources except trusted sources. These sources are defined in
the Trusted column of the Servers for Scanning list.

Block email containing known HTML exploits: The following options are available
from the drop-down list:
• All sources: Blocks HTML email containing known HTML exploits for all
sources.
• Restricted Source (block if listed): Only blocks HTML email containing known
HTML exploits from sources that are restricted. These sources are defined in
the Servers for Scanning list, in the Restricted column.
• Trusted Source (block if NOT listed): Blocks HTML email containing known HTML
exploits from all sources except trusted sources. These sources are defined in
the Trusted column of the Servers for Scanning list.

List link: Click the List link to define lists of restricted or trusted
servers. When prompted, select the protocol for which you want to define the
sources.


HTTP Exploits

Config Tab | Content Filters | XploitStopper | HTTP Exploits


XploitStopper for HTTP searches for characteristics and events in web traffic that
can exploit security holes.

eSafe allows blocking the following:

Non-ASCII characters in URLs: The RFC standard for URLs only allows valid ASCII
characters. The presence of non-ASCII characters in URLs can lead to security
hole exploits or indicate malicious intent.

Long URLs: Very long URLs can generate buffer overflows in applications, which
can lead to exploitation of security holes or indicate malicious intent.

Long HTTP headers: HTTP headers usually contain a limited set of parameters,
such as cookies and session properties. Very long HTTP headers can generate
overflows in applications, which can lead to exploitation of security holes or
indicate malicious intent.

Exploited image files (JPEG, ICO): Infected images can be found on web/FTP
servers, as part of web page content, and on FTP servers with links to web
pages. The code will be executed the moment the image is viewed in an infected
application such as Internet Explorer.


Email Exploits

Config Tab | Content Filters | XploitStopper | Email Exploits


eSafe’s unique XploitStopper™ technology stops email-based malicious code from
exploiting security holes. This is done by analyzing email messages to proactively
detect any abnormalities that indicate an attempt to exploit security holes in the
operating system and applications such as email servers, email clients and
Internet browsers.

The following options are available:

Block email containing iframe/frame HTML tags: The drop down list includes the
following options:
• Do not block: eSafe will not block email containing iframe/frame HTML tags.
(Not recommended.)
• Block email if an iframe/frame HTML tag activates an attachment: eSafe will
only block email containing iframe/frame HTML tags that activate an attachment.
This is the default setting.
• Block email if it contains any iframe/frame HTML tag: eSafe will block email
that contains any iframe/frame HTML tags. This option enables tightening
security against iframe/frame exploits by blocking email containing any
iframe/frame HTML tag. It should be noted that this setting may block some
email newsletters.


Action if email contains IMG exploits: The drop down list includes the
following options:
• No action: eSafe will not take any action if it encounters email containing
image exploits.
• Strip all IMG tags: eSafe will strip all IMG tags in email containing image
exploits. The modified email will be allowed to continue to the intended
recipient.
• Strip IMG tag, if extension is an invalid IMG extension: eSafe will only
strip the IMG tag if the extension is an invalid IMG extension. The modified
email will be allowed to continue to the intended recipient.
• Block entire email, if extension is an invalid IMG extension: eSafe will
block the entire email if the extension is an invalid IMG extension.

Block email if it contains an attachment with a class ID extension: eSafe
prevents CLSID File Extension Exploits by blocking email that has an attachment
with a class ID extension.

Block email with an invalid MAIL FROM: SMTP command: During the inspection
process, eSafe checks the “From” address in the email body to ensure that the
address does not contain malicious code. eSafe also checks the size of the
“From” address to ensure that it does not contain malicious code that can
generate a buffer overrun exploit.

Block known email MIME exploits: This vulnerability exploits a security hole
that allows a mismatched MIME attachment that is combined with an IFRAME tag,
to automatically execute any malicious code upon message viewing.

Block suspicious executable attachments per sensitivity level: Hackers are
known to use specific packer applications when compressing malicious executable
files. eSafe can block executable files thought to have been compressed using
these applications. You can set the sensitivity level eSafe will use to block
these files: low, medium, high.

(Note that using the “high” level may result in a slightly higher
false-positive rate).


Block attachments with invalid filenames: Unconventional filenames are often
used to trick users into opening a file that may contain malicious content. For
example, filenames could include numerous spaces which result in the file
extension not being visible to users. Unsuspecting users may open the file
without paying attention to the actual file type.

Block attachments with multiple file extensions: The use of multiple extensions
is another well known trick used to fool users into thinking that the first
extension they see is the actual file type. Based on this, users can open files
that could be malicious. It should be noted that multiple extensions also have
legitimate uses, for example, adding a date in a file name:
report_13.02.05.xls. When this option is enabled, you can define a list of
extensions that will not be blocked if they are the last extension in the
multi-extension file name.

Block exploited image files (JPEG, ICO): A vulnerability in the way that
Microsoft software allows viewing JPEG images can result in the execution of
exploits the moment the image is viewed in an infected application such as
Internet Explorer. Since image files are usually considered safe, it is not
necessary to scan all image files, which is a resource consuming process. eSafe
will specifically look for known exploits in file types that can be infected.
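
The three attachment-name options above (class ID extension, invalid filenames, multiple extensions) can be checked from the file name alone. The following Python example is added here and is not eSafe's implementation or part of the original guide; the function name, the finding labels, the three-space threshold and the allow list are assumptions, and the sample names other than report_13.02.05.xls are constructed.

```python
import re

# A class ID (CLSID) used as the final "extension": .{8-4-4-4-12 hex digits}
CLSID_EXT = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\s*$")

# Assumption: a run of three or more whitespace characters counts as the
# "numerous spaces" that push the real extension out of view.
PADDING = re.compile(r"\s{3,}")

# Constructed allow list: extensions that are not blocked when they are the
# last extension of a multi-extension name.
ALLOWED_LAST = frozenset({"xls", "doc", "pdf", "txt", "zip"})


def check_attachment_name(name, allowed_last=ALLOWED_LAST):
    """Return the list of name-based findings for one attachment."""
    findings = []
    if CLSID_EXT.search(name):
        findings.append("class-id-extension")
    if PADDING.search(name):
        findings.append("invalid-filename")
    # Everything after the first dot is treated as a chain of extensions.
    exts = [part.strip().lower() for part in name.strip().split(".")[1:]]
    if len(exts) > 1 and exts[-1] not in allowed_last:
        findings.append("multiple-extensions")
    return findings


SAMPLE_NAMES = [
    "report_13.02.05.xls",                       # legitimate dated name
    "summary.doc",
    "invoice.pdf.exe",
    "invoice.pdf" + " " * 40 + ".exe",           # padding hides the extension
    "notes.txt.{00000000-0000-0000-0000-000000000000}",  # placeholder CLSID
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(repr(sample), check_attachment_name(sample))
```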


Email Security

Config Tab | Content Filters | Email Security


These options allow you to fine-tune how eSafe will inspect SMTP traffic for
content threats.

The following options are available in the Email Security page:

HTML-formatted email: Select those features that you want to enforce in HTML
email.

• Convert HTML email to plain text: HTML pages can contain various commands
and scripts that could pose a security threat. To eliminate any risks, eSafe
can convert the HTML email to plain text, which will remove all scripts, tags,
and formatting and leave pure text only.

• Remove all HTML references to external websites in email: This maximizes
security by removing any links to other websites which, if clicked, could pose
unnecessary security risks.

• Turn-off clickable hyperlinks in email: As in the previous feature, this
feature also allows defining a more stringent security policy by preventing
users from clicking on hyperlinks in email.

• Remove web-beacons from email: Web-beacons are used by spam and email
marketing sources to track viewed email messages. Removing web-beacons helps
maintain privacy and reduces spam.


Email format standardization: Select those features you want to implement to
ensure that email complies with industry accepted standards.

• Block fragmented email (email divided into multiple email messages): These
email messages could include very large and malicious files that are
automatically reconstructed by MS Outlook and MS Outlook Express.

• Reconstruct email according to RFC 1521 and RFC 1522 standards: Non-standard
email structure can create security holes that can be exploited by malicious
code.

• Re-encode binary attachments: Non-standard types of encoding used in
attachments can create security holes that can be exploited by malicious code.

• Re-encode 8-bit ASCII text to 7-bit: Non-standard types of encoding can
create security holes that can be exploited by malicious code.

• Convert MS TNEF format to MIME format: The MS TNEF format can be
incompatible with some mail applications.

• Remove malformed attachments: Malformed attachments could contain malicious
code, or could be the result of malicious code exploits.


Phishing

Config Tab | Content Filters | Phishing


Phishing attacks are designed to trick unsuspecting users into divulging critical
personal and financial details. By using spoofed email addresses and fraudulent
websites that mimic well-known banks, online retailers, and credit card
companies, phishers are able to con recipients into providing sensitive
information.

eSafe employs various methods to combat phishing. You can choose which items
you want eSafe to search for in email messages and define the action eSafe will
take if it detects these items.
Choose which items you want eSafe to search for in email messages to prevent
phishing. The following options are available:

Check for spoofed URLs: Identifies URLs that show a discrepancy between what is
displayed and the actual action or destination of the URL the recipient clicks
on.

Check for FORM HTML tags: Searches for tags in email where clicking a link in
the email results in submission of information.

Check for mapped IMG links: Searches for hyperlinks that are activated when
recipients move their mouse cursor over different parts of an embedded image.

Check for known spoofed URLs: Searches for commonly spoofed URLs.

Check for known phishing URLs: Searches for known phishing URLs.
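
The first three checks above are structural and can be shown on an HTML email body. The following Python example is added here and is not eSafe's implementation or part of the original guide; the class and function names, the finding labels and the sample message (which uses reserved example domains and a documentation IP address) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host name appearing in the visible text of a link.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _link_host(href):
    """Host of an http(s) link, or "" for other schemes or malformed URLs."""
    try:
        parts = urlsplit(href)
    except ValueError:
        return ""
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def _same_site(shown, actual):
    return (shown == actual or shown.endswith("." + actual)
            or actual.endswith("." + shown))


class PhishingIndicators(HTMLParser):
    """Collects (kind, detail) findings while parsing an HTML email body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.findings.append(("form-tag", a.get("action") or ""))
        elif tag == "area" and a.get("href"):
            self.findings.append(("mapped-img-link", a["href"]))
        elif tag == "img" and ("usemap" in a or "ismap" in a):
            self.findings.append(("mapped-img-link", a.get("usemap") or "ismap"))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = HOST_IN_TEXT.search("".join(self._text))
        actual = _link_host(self._href)
        if shown and actual and not _same_site(shown.group(1).lower(), actual):
            # The text displays one host, the link goes to another.
            self.findings.append(
                ("spoofed-url", "%s -> %s" % (shown.group(1).lower(), actual)))
        self._href = None


def phishing_indicators(html):
    parser = PhishingIndicators()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample message body.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please confirm your account at
<a href="http://198.51.100.7/login">https://www.mybank.example/login</a></p>
<a href="https://www.mybank.example/help">www.mybank.example</a>
<a href="https://news.example/unsubscribe">Unsubscribe</a>
<form action="http://198.51.100.7/collect"><input name="pin"></form>
<img src="banner.gif" usemap="#m">
<map name="m"><area shape="rect" coords="0,0,90,30" href="http://198.51.100.7/a"></map>
</body></html>"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print(finding)
```

The last two options in the list (known spoofed URLs and known phishing URLs) are list lookups rather than structural checks and are not covered by this example.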


Kaspersky Anti-Malware

Config Tab | Content Filters | Kaspersky Anti-Malware


Kaspersky is a secondary anti-malware engine that inspects all files that were
found to be clean by the primary engine, as a second line of defense to ensure
the highest possible level of security.

Select the check box to enable use of the Kaspersky Anti-Malware engine.


Email
Config Tab | Email Settings
This branch allows settings for inspection of email traffic. The following actions
are available:
• Warning Messages - allows defining a warning message that can be added to
incoming/outgoing email.
• Email Quarantine - allows defining conditions for quarantining email due to
spam or viruses, and defining Quarantine Report settings.
• Inspection Rules - allows enabling/disabling inspection of SMTP and POP3
email.
• Email Redirection - Allows redirecting email based on the email address or
domain, and allows sending a copy of email to another mailbox (for example,
for archiving purposes).
• SMTP Settings - allows enabling email inspection, defining the SMTP mail
relay, internal domains, and allows redirecting email to an alternate address.

Warning Messages

Config Tab | Email Settings | Warning Messages


eSafe allows sending warning messages to users in the following instances:
• When incoming email is blocked or modified due to hostile content
• When outgoing email is blocked or modified due to hostile content

For further information, view the links below:


• Warning messages for incoming email
• Warning messages for outgoing email


Warning messages for incoming email

eSafe can send email notifications/add warning messages to incoming email, as
follows.

To Senders: eSafe allows sending email to the senders of infected email
notifying them that eSafe detected hostile content in the email they sent.


To Recipients: The following warning messages/notifications can be sent to
recipients of incoming email:

• Add scan results to clean mail (only if it contains attachment): Allows
notifying the recipient of incoming email containing an attachment(s), that
eSafe scanned the email and found it to be “clean”.

• Add scan results to modified email: Allows notifying the recipient of
incoming email that the email was modified by eSafe.

• Send email notification when email is blocked: Allows sending a new email
message to recipients to notify them that email destined to them was blocked by
eSafe.

You need to select the warnings that you want eSafe to add to the email
messages and then you can edit the default text if necessary.


Warning messages for outgoing email

eSafe can send email notifications to senders of outgoing email, as follows.

To senders:
• Send email notification when email is modified: Allows sending an email
notification to the sender of email that was modified by eSafe.
• Send email notification when email is blocked: Allows sending an email
notification to the sender of email that was blocked by eSafe.

Disclaimer: eSafe allows adding a default, user-defined disclaimer to the top
or bottom of all outgoing email. Disclaimers usually include an official
statement from the company that reflects the company’s policy regarding
outgoing email.

It is also possible to define different disclaimers for different domains. The
domains are defined in the SMTP Mail Relay page and are automatically added to
the list of domains in the Disclaimer to Recipient page.

In the Disclaimer options drop-down list, you need to define where you want to
add the disclaimer:
• No disclaimer (A disclaimer will not be added)
• Add disclaimer at the beginning of the email message
• Add disclaimer at the end of the email message.


Define disclaimer message button: Allows you to edit the default disclaimer and
select the domain for which the disclaimer will apply.

This page allows you to define a default disclaimer:

• Select for which domains the disclaimer will apply: From the drop-down list,
select the domain for which the disclaimer will apply. Note that the domains
are defined in the SMTP Mail Relay page.

If you do not define a specific disclaimer per domain, the default disclaimer
will be used. To return a disclaimer to the default, click the Use Default
button.

• HTML Disclaimer: In the HTML Disclaimer text box you can type the message as
it will appear if the email notification is sent in HTML format. The Convert
HTML to Text button allows converting the HTML message into plain text, and
removes any formatting.

• Text Disclaimer: Allows defining a disclaimer in plain text.


Email Quarantine

Config Tab | Email Settings | Email Quarantine


The Email Quarantine branch allows you to define a policy for placing email in the
quarantine folder. The Quarantine folder is divided into the following sub-folders:
• Quarantine for Viruses
• Virus Report
• Quarantine for Spam
• Spam Report
This enables defining under which circumstances email will be saved in the
Quarantine, based on whether the email was blocked due to a virus/vandal or
spam.

Quarantine for Viruses/Spam

eSafe allows defining when to quarantine email containing viruses/spam and
where to quarantine the email. By default eSafe will:
• Quarantine any email message that was blocked or modified due to a virus/
vandal, or blocked or tagged due to spam, in the local quarantine folder.
• Add a predefined subject to email released from quarantine.
• Automatically delete email from quarantine after seven days.
You can change the default settings, if necessary, as described below.

Define when to quarantine email: Allows you to select one of the following
options:
• For viruses/vandals:
  • Do not quarantine: eSafe will not quarantine virus/vandal infected email.
  • Quarantine if email is blocked due to a virus: eSafe will only quarantine
  virus/vandal infected email if it was blocked.
  • Quarantine if email is blocked or modified due to a virus: eSafe will
  quarantine virus/vandal infected email if it was either modified or blocked.


• For spam:
  • Do not quarantine: eSafe will not quarantine spam email.
  • Quarantine if email is blocked due to spam: eSafe will only quarantine
  spam email if it was blocked.
  • Quarantine all spam email (Blocked or tagged): eSafe will quarantine all
  spam email if it was either tagged or blocked.

Define where to save quarantine files: You can select one of the following
options:

• Send to specified quarantine email address: Allows you to define an email
address to which all quarantined email will be forwarded. (Note that the
Quarantine Report will not be available in this instance.)

• Store in local quarantine folder: Stores the quarantined email on the eSafe
machine where eSafe Security Center is installed. When this option is enabled,
it is also possible to view a report of all quarantined email, define the
subject that will be used when email is released from quarantine, and the
number of days email will be quarantined before it is automatically deleted
(described in the next two steps).


If you choose to store email in the local quarantine folder, the following
options become available:
• Prefix for the subject of email released from Quarantine: Allows changing the
default email subject, that will be included in email that is released from
quarantine.
• Automatically delete items from Quarantine after X days: Allows changing the
period for which email will be in quarantine, before it is automatically
deleted.


Virus/Spam Report

It is possible to create a single quarantine report that consolidates data from
various eSafe machines. This is done by defining a central quarantine report
machine to which “participating” machines will send the local quarantine report.
These machines must be defined at the central machine.
Note: When using the unified quarantine report, make sure your firewall allows
all eSafe machines to connect via port 43970 (eSafe Security Center protocol).
Separate reports are available for email quarantined due to viruses/vandals and
spam. Single/central reports can be sent daily at scheduled times (up to three
times a day), or can be produced and sent on-demand (manually). A description
of the options available in this page follows.
The page includes the following options:
• Define quarantine report machines:
• Configuring report settings:

Define quarantine report machines: Defines the settings for the end user
quarantine report that will be sent to users based on the schedule. This report
provides users with the ability to view and manage their quarantined email if
they have the necessary permissions.

• Send user quarantine report to a central machine: Select this option to send
the current machine's quarantine report to a central machine where it will be
used to create a consolidated report. You need to define the central machine’s
IP address. (Remember to define this machine’s IP address at the central
machine too!)


• This is a single/central report machine: Select this option if the current
machine is a standalone or central machine.

For a central machine, click the Define report machine link to define the
machines from which the central machine will use data in order to create the
unified spam report. The machines must be defined at the central machine and
the central machine IP address must be defined at each of these machines (use
the “Send user quarantine report to central machine” option) in order for eSafe
to successfully collect the quarantine information.

If you are defining a single/central machine, you can schedule report
generation or click “Generate Now” in order to create the report on-demand. You
can select one of the following options:
  • Automatically generate report at: Allows selecting the times at which a
  report will be automatically generated and sent to the recipients. You can
  set up to three instances.
  • Automatically generate report every hour: Automatically generates a report
  every hour.
  • Click the Generate Now button to generate the report manually.

• Web Quarantine: Allows viewing a web-based spam/quarantine report.


Configuring report settings: The following options are available when
configuring quarantine report settings.

• Select report recipients from LDAP server and from manual users list: Use
the first drop-down list to select report recipients from the LDAP server and
from the manual users list.

The following options are available:
  • Do not check LDAP users: Select this option if you want to create a report
  for all users.
  • Create one report per recipient while ignoring its different domains:
  Select this option to create a report per user name and for all domains
  (defined in SMTP Internal Domains page).
  • According to LDAP list/aliases and also for non-LDAP users: Select this
  option to create one report per user for all aliases defined.
  • According to LDAP list/aliases only: Select this option to create a single
  report per user and for all aliases but only if they are defined in the LDAP
  server.

• Select report recipients: You can either send reports to all users (original
recipients) or to specific users by defining inclusion and exclusion lists.

Select one of the following options from the drop-down list to define the
report recipients:
  • All users: eSafe will send a report to all original recipients of email
  that is stored in quarantine.
  • Users in inclusion list only: eSafe will only send a report to recipients
  that are listed in the Inclusion list. To define the list of recipients,
  click on the List button. See the next step for details on creating the list.


  • All users, except those in Exclusion list: eSafe will send a report to ALL
  recipients, with the exception of those that are listed in the Exclusion
  list.
  • Users in Inclusion list, unless appear in Exclusion list: eSafe will send a
  report to recipients in the Inclusion list, with the exception of those that
  are listed in the Exclusion list.

If enabled, click on the List link to define lists of users. Depending on the
option you selected, you will need to define either the inclusion or exclusion
list, or both.

Allow “on-demand” report requests check box: Allows users to request a report
on-demand.

When defining settings for the Quarantine for Spam report, it is also possible
to define how eSafe will handle requests from users to learn the email
addresses in quarantined email (when the “Learn and release” option is selected
in the eSafe Spam Quarantine Report sent to users).

Do not learn addresses of email from specified domains: Allows ignoring
requests from specific domains. To define the list of domains for which
requests will be ignored, click the List link.

Do not learn addresses of email with specific keywords in subject: Allows
ignoring requests to release email with specific keywords in the subject. To
define the list of email addresses for which requests will be ignored, click
the List link.

Do not learn from requests submitted by specific users: Allows ignoring
requests from specific users. To define the list of users whose requests will
be ignored, click the List link.


Send released & learned email information to the Internet data center: Allows
sending email information to the data center used by eSafe’s anti-spam module
in order to update the global lists.

Report Properties button: Allows defining properties that will be displayed in
the report.

Note: The Quarantine for Spam Report includes additional format options that
are not available for the Virus Report.

• Choose report format: You can select one of the following options:
  • Text: Sends the report as an email message in plain text format.
  • Email attachment: Sends the report as an attachment.
  • HTML: Sends the report as an email message in HTML format.

Note: When defining the Spam Report format, it is also possible to define an
action when the report is sent as an attachment, or in HTML format. The action
allows learning the address and domain.

• Sender Address and Report subject: You can enter text that you want to
display in the report.

• Localize: Click the Localize button to define settings for changing the text
in the report to another language.


Inspection Rules

This page allows you to enable/disable inspection of incoming and/or outgoing
email. When inspection is enabled, the rules defined under Email in the Protocol
Rules branch will be applied.

The following options are available in this page:


• Enable POP3 inspection: Enables inspection of POP3 traffic (availability
depends on the product installed).
• Enable INCOMING SMTP inspection: Enables inspection of incoming SMTP
traffic.
• Enable OUTGOING SMTP inspection: Enables inspection of outgoing SMTP
traffic.
• SMTP Mail Server Exclusion List: Allows excluding traffic to/from the
defined mail servers from scanning. This traffic will be considered “safe” and
will not be checked at all. Click the Add mail server IP address icon and
define the IP address of the mail server you wish to exclude.

Email redirection

This page allows redirecting or copying email, based on the email address or
domain, and allows sending a copy of email to another mailbox. This option is
useful for archiving purposes.

• Click on the Add new redirect rule button to view the following options:
  • Enable email redirect/copy checkbox: Enables use of the email
    redirect/copy feature.
  • Define entity: Allows you to define for which network entity (email
    address, domain user, full domain) email will be redirected/copied. Select
    one of the following options:
    • Full address
    • Any domain user
    • Domain
  • In the text box that appears, enter the entity details.
  • When entity is sender: Select this option to redirect/copy outgoing email
    from the specified network entity. Select the Redirect or Copy radio button
    to define whether to redirect or copy the email. In the text box, enter the
    location to which email will be copied/redirected.
  • When entity is recipient: Select this option to redirect/copy incoming
    email from the specified network entity. Select the Redirect or Copy radio
    button to define whether to redirect or copy the email. In the text box,
    enter the location to which email will be copied/redirected.

Note: The following email formats are valid: name@, @domain.com or
name@domain.com. You can enter more than one destination address, separated
by a comma.

SMTP Settings

Config Tab | Email Settings | SMTP Settings


When managing email traffic, you need to define mail relay servers and internal
domains. The following options are available in the Mail Settings branch:
• SMTP Mail Relay - allows defining when and which mail relay server to use.
• SMTP Internal Domains - allows defining from which domains eSafe is
allowed to receive email.

SMTP Mail Relay

To allow proper sending and receiving of email from/to external addresses, you
need to define the following information:
• The host name to be used for the HELO command
• The outgoing SMTP mail relay server
• The domains for which eSafe is allowed to receive email
When eSafe is installed with Mail capabilities it uses this server in order to inspect
SMTP traffic. You can define the following settings in this page:
• Host name for HELO command defines the host name that will be used for
the HELO command. This string will be used by eSafe for identification
purposes when it communicates with other SMTP servers. Enter the host name
in the text box.

• Outgoing SMTP Mail Relay Server settings allows you to define when to use
an outgoing SMTP mail relay server and which outgoing SMTP mail relay server
to use.
From the drop-down list, you can select one of the following options:
• Allow eSafe to send email directly to the Internet: eSafe will not use the
mail relay server and will send the mail directly to the Internet instead.

• Use outgoing SMTP mail relay server, as listed below: eSafe will use one of
the outgoing mail relay servers defined in the list at the bottom of the page.

• Use outgoing SMTP mail relay server, in case of error sending directly to
Internet: eSafe will only use the outgoing mail relay server if it is unable to
send the mail directly to the Internet.

• When defining the list of mail relay servers you can add, edit, and delete
items from the list. It is also possible to import an external list of items into
the list or export the list to an external file. The items in the list that will be
imported must be separated by a comma or by using <Enter>.

• The UP and DOWN arrows allow you to determine the order in which eSafe
will use the outgoing mail relay servers. This means that if the first server is
unavailable, eSafe will use the next server in the list.

SMTP Internal Domains

You must define all the domain names in your organization and the IP addresses
of the internal mail servers associated with these domains. This list will also be
used by eSafe to identify internal and external mail servers.

You can also define the mail server’s SMTP port (default = 25) and a back-up/
alternative mail server that can be used if the first server does not answer.
When eSafe receives email, it uses the destination domain to identify the
direction of email. If the destination appears in the list of domains, the email is
internal. If the destination does not appear in the list, the email is external.
Click the Add icon to add an internal domain name and the internal SMTP mail
server IP.

NitroInspection Configuration
eSafe allows defining specific IP addresses, ranges of networks, and ports for
which traffic will NOT be inspected.

To define ranges of networks that will NOT be inspected by eSafe:


1. In the Policy Settings mode, select Config | NitroInspection Configuration.

2. Under Exclusion List, click the Add icon to define individual IP addresses or IP
address ranges that will not be inspected by eSafe. All traffic to and/or from
these addresses will be ignored.

3. Under Trusted Subnets, click the Add icon to define subnets that will not be
inspected by eSafe. All traffic between machines in these subnets will be
ignored.

4. Next to Exclude Ports, you can define individual TCP ports or ranges of ports
that will not be inspected by eSafe.

5. Apply the configuration.
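
How the three settings in this procedure combine to exempt a flow from inspection, as an added Python example (not eSafe code) that also flags exclusions broad enough to deserve review. The configuration layout, the start-end range syntax, the reading that Trusted Subnets requires both endpoints to be trusted, the matching of Exclude Ports against the destination port, and the 256-address threshold are all assumptions.

```python
import ipaddress

# Constructed sample configuration; every address and port below is a placeholder.
SAMPLE_CONFIG = {
    "exclusion_list": ["192.0.2.10", "198.51.100.0-198.51.100.31"],
    "trusted_subnets": ["10.10.0.0/16", "10.20.5.0/24"],
    "exclude_ports": ["22", "20-25"],
}

# Default ports of the protocols this guide describes eSafe scanning.
INSPECTED_PROTOCOL_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3"}


def _ip_range(entry):
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into inclusive integer bounds."""
    first, _, last = entry.partition("-")
    lo = int(ipaddress.ip_address(first.strip()))
    hi = int(ipaddress.ip_address(last.strip())) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {entry!r}")
    return lo, hi


def _port_range(entry):
    """Parse '25' or '8000-8100' into inclusive integer bounds."""
    first, _, last = entry.partition("-")
    lo = int(first)
    hi = int(last) if last else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port entry: {entry!r}")
    return lo, hi


def bypass_reason(src, dst, dport, config=SAMPLE_CONFIG):
    """Return which setting exempts a TCP flow from inspection, or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # Exclusion List: traffic to and/or from a listed address is ignored,
    # so a match on either endpoint is enough.
    for entry in config["exclusion_list"]:
        lo, hi = _ip_range(entry)
        if lo <= int(src_ip) <= hi or lo <= int(dst_ip) <= hi:
            return "exclusion-list"

    # Trusted Subnets: traffic between machines in these subnets is ignored,
    # so both endpoints must fall inside a trusted subnet (assumed reading).
    nets = [ipaddress.ip_network(n) for n in config["trusted_subnets"]]
    if any(src_ip in n for n in nets) and any(dst_ip in n for n in nets):
        return "trusted-subnets"

    # Exclude Ports: matched here against the destination port (assumption).
    for entry in config["exclude_ports"]:
        lo, hi = _port_range(entry)
        if lo <= dport <= hi:
            return "exclude-ports"
    return None


def audit(config=SAMPLE_CONFIG, max_hosts=256):
    """List exclusions broad enough to deserve a second look."""
    findings = []
    for entry in config["exclusion_list"]:
        lo, hi = _ip_range(entry)
        if hi - lo + 1 > max_hosts:
            findings.append(f"exclusion range {entry} covers {hi - lo + 1} addresses")
    for net in config["trusted_subnets"]:
        size = ipaddress.ip_network(net).num_addresses
        if size > max_hosts:
            findings.append(f"trusted subnet {net} covers {size} addresses")
    for entry in config["exclude_ports"]:
        lo, hi = _port_range(entry)
        for port, proto in sorted(INSPECTED_PROTOCOL_PORTS.items()):
            if lo <= port <= hi:
                findings.append(
                    f"port entry {entry} disables {proto} inspection on port {port}"
                )
    return findings


if __name__ == "__main__":
    for flow in [("10.10.1.5", "10.20.5.9", 80), ("10.10.1.5", "203.0.113.7", 80),
                 ("203.0.113.7", "198.51.100.20", 443), ("10.10.1.5", "203.0.113.7", 25)]:
        print(flow, "->", bypass_reason(*flow) or "inspected")
    for finding in audit():
        print("REVIEW:", finding)
```

Running `audit()` against an export of the real lists before applying the configuration shows which entries silently switch off scanning for a whole protocol or network.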

LDAP configuration
When working with an LDAP server, you must define various settings to enable
eSafe to communicate with the LDAP server.
Select a server from the LDAP servers drop down list or click the Add LDAP
server button to add a server, and then define the following information:
• Basic Settings
• Nodes and Expressions
• Attributes

Basic Settings

Define the following basic settings to get started working with the LDAP server:

Select server type: Select the type of server you want to connect to.

Backup of: If this is a backup server, select the server for which it
acts as a backup server.

LDAP server address: The address of the LDAP server on the network.

Connection port: The port eSafe uses to connect to the LDAP server
(usually 389).

User name (DN): The name used to log into the LDAP/AD server. The
format is a full LDAP Distinguished Name (DN), for
example: CN=username,CN=users,dc=domain,dc=com

Password: A password associated with the user name.

Note: Use a user name and password that do not expire!

Intervals for sync: The rate at which eSafe will synchronize itself with the
LDAP server.

Use defaults: Click this button to return the LDAP configuration to the
default settings.

Nodes and Expressions

This page allows you to define parameters that will assist you in extracting LDAP
information.

Nodes

Nodes allow you to define from which node in the LDAP structure user information
will be extracted.

User root nodes: Defines the distinguished name of the root node from
which user details will be taken.

Group root nodes: Defines the distinguished name of the root node from
which group details will be taken.

Host root nodes: Defines the distinguished name of the root node from
which host details will be taken.

Expressions

Expressions allow searching the AD data for specific users, groups, or hosts. The
various search expressions can be used to filter this data in order to restrict the
search results. A simple filter looks like this: (objectClass=person). In this
example, the search query will only return results for entities that have been
specified as 'person'. A description of the expressions and examples of arguments
that can be used follows:
• Users search expression: Allows searching for specific users. For example:
(&(|(objectClass=person)(objectClass=contact)(objectClass=organizationalPerson))(!(objectClass=computer)))
• Groups search expression: Allows searching for specific groups. For
example: (objectClass=group)
• Hosts search expression: Allows searching for specific hosts. For example:
(objectClass=computer)

Attributes

Each object in the LDAP/AD server consists of one or more attributes that are
used to uniquely identify this object in the Directory Information Tree. Each
attribute has a value associated with it. Although there are a few standard
attribute-value pairs, different LDAP servers may use different values per
attribute.

The following attribute-value pairs can be used to narrow the results when
defining search queries:
• Account name attribute: saMAccountName
• Display name attribute: name
• Mail alias attribute: proxyAddresses
• Primary mail alias attribute: mail
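
The search expressions and attribute names above, evaluated against a small constructed directory: an added Python example, not eSafe code, showing why the users expression carries the (!(objectClass=computer)) clause. It assumes Active Directory's usual class hierarchy, in which a computer account also has the person and organizationalPerson classes, and the parser handles only the operators that appear in this page's examples (&, |, ! and attribute=value).

```python
USERS_FILTER = (
    "(&(|(objectClass=person)(objectClass=contact)"
    "(objectClass=organizationalPerson))(!(objectClass=computer)))"
)

# Constructed sample entries (attribute -> list of values). The objectClass
# values assume Active Directory's usual hierarchy, where a computer account
# is also a user, an organizationalPerson and a person.
DIRECTORY = [
    {"sAMAccountName": ["jdoe"], "mail": ["jdoe@example.com"],
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"sAMAccountName": ["WKS-014$"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
    {"name": ["Vendor Helpdesk"], "mail": ["helpdesk@example.net"],
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    {"sAMAccountName": ["Sales"], "objectClass": ["top", "group"]},
]


def parse_filter(text):
    """Parse a filter built from &, |, ! and attr=value into nested tuples."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unterminated filter")
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, children)
    else:
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"expected attr=value at offset {pos}")
        # Attribute names and objectClass values compare case-insensitively.
        node = ("=", attr.strip().lower(), value.strip().lower())
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "=":
        _, attr, value = node
        values = [v.lower() for k, vals in entry.items()
                  if k.lower() == attr for v in vals]
        return value in values
    results = [matches(child, entry) for child in node[1]]
    if node[0] == "&":
        return all(results)
    if node[0] == "|":
        return any(results)
    return not results[0]  # "!"


def label(entry):
    """Account name attribute if present, otherwise the display name."""
    for key in ("sAMAccountName", "name"):
        if key in entry:
            return entry[key][0]
    return "?"


def select(filter_text, directory=DIRECTORY):
    """Return the labels of all entries the filter matches."""
    tree = parse_filter(filter_text)
    return [label(e) for e in directory if matches(tree, e)]


if __name__ == "__main__":
    print("simple filter:", select("(objectClass=person)"))
    print("users filter: ", select(USERS_FILTER))
```

With the simple (objectClass=person) filter the machine account WKS-014$ is returned as a user; the full users expression drops it.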

Appendix A - Objects Tab

Objects Tab
The Objects Tab allows you to manage various objects that are used when
configuring eSafe. This is where you are most likely to make changes as part of
normal system maintenance.
The objects consist of various lists. eSafe allows you to maintain separate lists for
HTTP/FTP and SMTP/POP3 traffic. The lists are also accessible via the List links
that appear in the various protocol rules pages. The lists are divided into separate
lists for Restricted and Trusted definitions. You should define and keep all lists up
to date. This gives you the flexibility to fine-tune your blocking and scanning
policies, and easily change the security vs. performance trade-off at any time.
The following options are available:
• FTP and HTTP
• SMTP and POP3
• Known Vandal File Names
• Files for Blocking

FTP and HTTP

These lists enable you to define lists that eSafe will use when scanning FTP and
HTTP traffic. You can define the following types of lists:

VIP Servers/Workstations: This list contains workstations and servers that you
can exempt from FTP/HTTP Block and Scan rules. This feature allows you to
maximize security for the organization as a whole and selectively remove
restrictions for those users that require access to specific sites, file
types, etc. that are otherwise blocked or scanned.

Click the Add icon and enter the IP address, an IP range, or the name of the
server you want to include in the VIP list.

Servers: Lists of servers can be defined for HTTP/FTP Block rules and Scan
rules. For each rule type, there is a trusted and a restricted list.

Each list contains the IP addresses or server names for each server on the
list.

• The Restricted List restricts only those items appearing on the list. If one
of the autoupdate options is selected in FTP and HTTP Action rules, whenever a
vandal or virus is detected, the relevant Restricted List is updated.

• The Trusted List restricts all servers not listed. You should make this list
as extensive as possible.

Note: When defining rules, you will choose one of the lists only. The lists
are not used in combination with each other (as exclusion lists).

Click the Add icon and enter the IP address, an IP range, or the name (e.g.
desktop.google.com) of the server. If you want to be more specific, you can
limit the Restricted or Trusted entry to a specific page or path. You can use
the * wildcard to block the entire site instead of a specific page. (For
example, desktop/google/*)

Automatic Servers: The Automatic Servers list contains lists of servers from
which viruses/vandals originate. The servers are added
to the list automatically, provided that this was the
action defined when eSafe detects a virus/vandal. The
Automatic Servers list is limited to 100 servers based on
a first in, first out policy.

Note: You can only delete servers from the lists.

If you would like to add additional servers for blocking, you can do so in the
Servers list.

Workstations: eSafe includes lists of workstations for Block rules and for
Scan rules. Each list contains the IP addresses or workstation names for each
destination on the list. These lists are used for both FTP and HTTP.

• The Restricted List restricts only those items appearing on the list.

• The Trusted List restricts all destinations not listed. You should make this
list as extensive as possible.

To add to the list, click the Add icon and enter the IP
address, an IP range, or the name of the workstation.

File Types: eSafe enables defining separate lists of incoming and outgoing
file types that will be used for HTTP/FTP traffic and SMTP traffic. Two
separate pairs of lists are used for each protocol type. Each list contains
MIME types and extensions of file types for Block rules and for Scan rules.

• The Restricted List restricts only those items in the list. This list is
updated with files that the eSafe security team has identified as potentially
dangerous content (if the Content Filter Security Rules and Lists option is
enabled under Updates).

• The Trusted List restricts all file types not listed. You should make this
list as extensive as possible.

• To add to the list, click the Add icon and select from the list of MIME
types. If the file type is not listed, select Enter unlisted file type and
enter the MIME type and extension.

Note: When adding a file type, you must enter an extension; use of a MIME type
is optional.

HTML Keywords: eSafe can scan HTML pages for specific keywords and block pages
that contain these words. You can use Trusted and Restricted lists to scan for
keywords according to the source of the HTML file.

• Undesirable keywords list: Click the Add button to add a keyword to the
list. You can also use the Import and Export buttons to import a list from an
external text file, or to export a list to an external text file. The items in
lists that will be imported must be separated by a comma or by using <Enter>.
(Tip: You can export an existing list from eSafe and then open the file to see
how it is formatted.)

• Options affect the way eSafe searches for all keyword listings. The
following options are available when defining spam keywords:

  • Match case: Select this option to make the list case sensitive (XX
    includes XX, but not xx). If you do not select this option, the CI ignores
    case (XX includes XX, xx, Xx, and xX).

  • Whole word only: Select this option to cause the CI to look for the
    keywords or keyword strings that are preceded and followed by a space or
    other non-alphanumeric character. For example: The Adult web show keyword
    will not cause !Adult web show to be blocked if Whole word only is
    selected.

SMTP and POP3


These lists enable you to define lists that eSafe will use when scanning SMTP
traffic. You can define the following types of lists:

SMTP Senders for Blocking: This list allows you to define SMTP senders from
which email will be blocked. You can also use the * wildcard and import a
predefined list of senders.

To add to the list, click the Add icon and enter the email
address.

SMTP Recipients: Use this list to define a list of email addresses
(recipients) to which email will be blocked. When defining the list, you can
use the * wildcard. If you want to create a list of recipients to import, make
sure that each recipient appears on a separate line in the text file.

To add to the list, click the Add icon and enter the email address.

POP3 Servers: Allows defining lists of restricted and trusted POP3 servers
to/from which eSafe will block or scan traffic.

Keywords in Incoming Email: These lists let you filter out spam and other
undesirable email that contains keywords not usually found in legitimate
incoming email. Two separate lists are used for inspecting the body and the
subject line of email.

• Spam Keyword List: Click the Add button to add a keyword to the list. You
can also use the Import and Export buttons to import a list from an external
text file, or to export a list to an external text file. The items in lists
that will be imported must be separated by a comma or by using <Enter>. (Tip:
You can export an existing list from eSafe and then open the file to see how
it is formatted.)

• Options affect the way eSafe searches for all keyword listings. The
following options are available when defining spam keywords:

  • Match case: Select this option to make the list case sensitive (XX
    includes XX, but not xx). If you do not select this option, the CI ignores
    case (XX includes XX, xx, Xx, and xX).

  • Whole word only: Select this option to cause the CI to look for the
    keywords or keyword strings that are preceded and followed by a space or
    other non-alphanumeric character. For example: The Adult web show keyword
    will not cause !Adult web show to be blocked if Whole word only is
    selected.

Keywords in Outgoing Email: These lists let you filter outgoing email for
undesirable text. Two separate lists are used for inspecting the body and the
subject line of email.

• Spam Keyword List: Click the Add button to add a keyword to the list. You
can also use the Import and Export buttons to import a list from an external
text file, or to export a list to an external text file. The items in lists
that will be imported must be separated by a comma or by using <Enter>. (Tip:
You can export an existing list from eSafe and then open the file to see how
it is formatted.)

• Options affect the way eSafe searches for all keyword listings. The
following options are available when defining spam keywords:

  • Match case: Select this option to make the list case sensitive (XX
    includes XX, but not xx). If you do not select this option, the CI ignores
    case (XX includes XX, xx, Xx, and xX).

  • Whole word only: Select this option to cause the CI to look for the
    keywords or keyword strings that are preceded and followed by a space or
    other non-alphanumeric character. For example: The Adult web show keyword
    will not cause !Adult web show to be blocked if Whole word only is
    selected.

Known Vandal File Names


eSafe’s Attack Intelligence Research Center (AIRC) constantly identifies malicious
files and adds them to the list of Known Vandal File Names. This list is maintained
by the AIRC and is automatically updated when eSafe updates.

You can only delete items from the Known Vandal File Names list, using the icon.
If you want to block a specific file, you can add this file to the Files for Blocking
list.

Files for Blocking


This list allows you to manually enter the names of files that you want to block for
all protocols.

(Note that eSafe automatically adds file names to the Known Vandal File Names
list.)
To add to the list, click the Add button to add a file name. When defining the file
names, you can use the * wildcard.

Appendix A - URL Filter

URL Filter
URL Tab | URL Filter
This feature is only available to licensed users of the URL Filter database.
eSafe’s URL Filtering option allows controlling access to web pages by using
profiles to define which users can access which pages, and when these pages can
be accessed.
If Updates | Update Add-ons daily is selected when you update, the contents
of the URL filters are updated.
The URL Filter branch consists of the following options:
• Profiles
• Policies
• Profile Settings
A description of these options follows.

Profiles
URL Tab | URL Filter | Profiles
A profile is created by associating URL Filter Policies and network entities.
Network entities define “who” the URL Filter Profiles will apply to:
• Users imported from an LDAP server
• Local, predefined users (using the eSafe Client Agent). It is also possible to
import a list of predefined eSafe users.
• Groups of workstations based on the IP address, an IP address range,
hostname, or VLAN.

Note that each row in the Profiles list represents a specific profile.

In this page, you can click the Add network entity button to display the
Network Entities Handler.
The Network Entities Handler displays user and group information taken from the
network’s LDAP server. You can use this information to define new network
entities e.g. groups or IP address ranges.

Click the Reload DB button to get the latest LDAP information.

Depending on the type of entity you are defining, you should either:
• Enter the entity details (for example: IP address, IP address range).
Or,
• In the specific Name text box, enter a name for the network entity (for
example: group, user, VLAN, host, domain).

After selecting the network entities, you will be prompted to select the policy for
the network entity:

Select policy drop-down list: Select the policy from the drop-down list.

Profile activation status: Allows you to select when the profile will be active:

• Not active: The profile is not enabled.

• Active in report mode (no blocking): The profile will always be active, but
will only report about any policy violations.

• Active during working hours: The profile is only active during working
hours. These are defined under the Profile Settings.

• Active during nonworking hours: The profile is active during nonworking
hours.

• Always active: The profile is always active.

Policies
URL Tab | URL Filter | Policies
The URL Filter Policy defines the organization's policy regarding browsing and
streaming traffic, and allows defining gray lists:
• Browsing: Defines to which websites users can browse, based on lists of
URLs/URL categories that will be blocked and allowed.
• Streaming: Allows you to define your organization's policy regarding
streaming traffic.
• Gray List: Gray lists are an intermediate option between blocking sites and
allowing sites. When users surf to sites that are gray listed, a warning appears
notifying them that the website violates organizational policy; however, the
user is given the choice to continue. If the user chooses to continue, the
website is displayed normally and users can continue viewing the site for a
specific period of time.
When using the gray list feature, you can define which categories are
considered gray categories, and define specific URLs of hosts that will be gray
listed.

Note: The default policy applies to all users that are not assigned a specific
profile. This usually includes the majority of users and as such, it should be as
comprehensive as possible.
Browsing
A description of the Browsing tab follows.

The following options are available:

URL Filter Policy drop down list: Lists all the existing policies. Click the
Add new URL Filter Policy button to add a new policy. In the dialog box that
appears, enter a name for the policy. Make sure that the policy name does not
include spaces.

Description: Allows entering a description of the policy if necessary, or
viewing an existing description.

Block un-recognized URLs: Blocks access to web sites that are not categorized.

Ignore URL Filter for HTTPS traffic: When selected, eSafe will not apply the
policy to HTTPS traffic.

Blocked/Allowed Categories: Select the categories to which access will be
blocked and allowed.

Blocked URLs: Allows you to define specific URLs that will be blocked.
You can enter the domain/subdomain (path) and define
specific file types that will be blocked for that domain.

Allowed URLs: Allows you to define URLs that will be allowed.

Streaming
This tab allows you to define your organization's policy regarding streaming
traffic.

The following options are available:

Allow all streaming: Blocks access to hosts that are not categorized.

Block all streaming: Blocks all streaming traffic.

Block/Allow by following: Blocks or allows streaming traffic per category or URL.

Gray Lists
A description of the Gray List tab follows.

The following options are available:

Block un-recognized hosts: Blocks access to hosts that are not categorized.

Gray Categories and Allowed Gray Categories: Define lists of URL categories
that will be gray listed and allowed.

Gray URLs and Allowed Gray URLs: Define lists of URLs that will be gray listed
and allowed.

Note: The "allowed" lists are used when a site has more than one category. In this case, if
one of the categories appears in the allowed list, the site will be allowed.

For example: If “Cinema / Television” is on the gray list, then www.cnn.com will be
blocked since it is categorized as: Cinema / Television, News / Magazines, Search Engines
/ Web Catalogues / Portals.

However, if “News / Magazines” appears in the "allowed list", www.cnn.com will be
allowed. Pure “Cinema / Television” sites will be gray listed.

Gray URLs and Allowed Gray URLs: Define lists of URLs that will be blocked and allowed.
These lists will be specific to the currently selected policy. (When defining the URLs, you
can enter sub-domains.)

Profile Settings
URL Tab | URL Filter | Profile Settings
The Profile Settings page allows defining global working days and hours that are
used to define when the profiles will be active. Note that these settings apply to
ALL profiles.

Select working days: Select those days considered working days, and then set
the morning and afternoon working hours.

Ignore policies for all encrypted traffic: When selected, eSafe will not apply
policies to encrypted traffic.

Select streaming filters to activate: Select which types of streaming traffic
will be blocked.

AppliFilter
APPs Tab | AppliFilter
AppliFilter is an add-on service that requires a separate license. After installation,
the service is fully functional for a 30 day evaluation period after which a
permanent license should be used. AppliFilter™ technology allows realtime
filtering of malicious Internet content as it enters the network. AppliFilter
examines traffic, analyzes the content, and blocks traffic that is deemed
malicious, inappropriate, or otherwise restricted.

The following options are available in this page:

Enable AppliFilter Service: Select this check box to activate AppliFilter. By
default eSafe will block access to various applications; you can review the
various filters and activate additional filters manually. (Note that the grey
bullet next to the application name means that the filter is not enabled.)

Enable Smart Inspection Acceleration: Allows inspecting traffic without
inspecting various image files (e.g. jpg, gif), based on the fact that it is
unlikely that these types of files include malicious content. Enabling this
option improves performance.

Operate in Warning Mode: Allows eSafe to identify application level threats
and log these events in the eSafe Report, without blocking the traffic. (Based
on these logs, you can decide which communication to actually block.) When you
select this check box, all the filters will automatically operate in warning
mode for all application families.

You can then activate each application filter per family or individually. It is also
possible to “turn-off” the warning mode option for each application family/
individual filter. For each application family, the following options are available:

A description of these options follows:

Operate in Warning Mode: Allows enabling/disabling the warning mode option for
this application family.

Notify infected/blocked users: This option allows sending a warning message to
users when they try to access a blocked application. Click the Settings link
to view the warning message that will appear. You can customize this message
if necessary.

Settings: This option allows sending a warning message to users when they try
to access a blocked application. Click the Settings link to view the warning
message that will appear. You can customize this message if necessary.

Activate Filter (Entire family): Select this option to activate/clear all the
filters for the specific family of filters.

For each individual filter, the following options are available:

A description of these options follows.

Activate Filter: Allows enabling/disabling the individual filter. You can then
click the Advanced button to define for which network entities this filter
will apply.

Notify infected/blocked users: This option allows sending a warning message to
users when they try to access a blocked application. Click the Settings link
to view the warning message that will appear. You can customize this message
if necessary.

Settings: This option allows sending a warning message to users when they try
to access a blocked application. Click the Settings link to view the warning
message that will appear. You can customize this message if necessary.

Take note that the color of the bullets next to the application name represents the
status of the filter:

• Red: The specific filter is enabled.

• Grey: The specific filter is not enabled.

• Yellow: The specific filter is enabled in warning mode.

DLP
DLP Tab | DLP
eSafe allows protecting information assets and preventing data leakage by
monitoring the contents of outgoing traffic. You can define a policy for monitoring
outgoing content that includes:
• Defining Settings: Allows enabling DLP and defining repository settings.
• Defining Profiles: WHO will be associated with WHICH policy.
• Defining Policies: Which file types will be monitored.
DLP Settings

DLP Tab | DLP | DLP Settings


This page allows you to enable the Data Leakage Protection feature and define a
repository for saving transaction data for future analysis.

The following options are available:

Enable DLP check box: Select this check box to enable the DLP feature.

Enable repository: Allows you to save the files locally for future analysis.
When the information is requested, the actual file will be opened from the
repository.

Max. repository size: Allows defining the maximum size of the repository.

Forwarded email settings: Allows defining a prefix that will automatically be
added to the subject of all email that is sent when the Forward file by email
option is selected in the Dictionary tab, under DLP Policies. You can also
define the maximum size of attachments.

DLP Profiles

DLP Tab | DLP | DLP Profiles


DLP Profiles are created by associating DLP policies and network entities. Network
entities define “who” the DLP Profiles will apply to:
• Users imported from an LDAP server
• Local, predefined users (using the eSafe Client Agent). It is also possible to
import a list of predefined eSafe users.
• Groups of workstations based on the IP address, an IP address range,
hostname, or VLAN.
Note that each row in the Profiles list represents a specific profile. The following
options are available:

Add network entity button: This button allows adding a network entity via the
Network Entities Handler dialog box.

Network Entities dialog box: Displays information on users/groups derived from the
LDAP server. You can use this information “as is” to create profiles, or define
new network entities manually.

• Filter drop down list: Use this option to view default LDAP information that was
downloaded from the LDAP server, manually defined users and groups, or all LDAP
information (manual and default). Select the Manual option if you want to define
users, groups or hosts manually.

• Enter name text box: This text box appears when you define a new user, group or
host manually and allows you to enter a name for the network entity. After
entering the name, click the Add! button.

• Search: Allows you to search for specific entities.

• Reload DB: Click this button to get the latest LDAP information.

After selecting or defining the network entities, the Change Profile dialog box
appears, prompting you to assign a policy to the network entity.

Select policy: Select the policy from the drop-down list that will apply
to the network entities you defined.


Profile activation status: Allows you to select when the policy will be active:

• Not active: The profile is not enabled.

• Active in report mode (no blocking): The profile will always be active, but will
only report about any policy violations.

• Active during working hours: The profile is only active during working hours.
These are defined under the Profile Settings.

• Active during nonworking hours: The profile is active during nonworking hours.

• Always active: The profile is always active.


DLP Policies

Config Tab | DLP | DLP Policies


The DLP Policy page allows defining a new policy, defining for which file and traffic
types the policy will be enabled/disabled, and which dictionaries will be used
when searching files/traffic for sensitive content.

Monitor:

The following options are available:

Policy name drop down list: Lists all the existing policies. Click the Add new
policy button to add a new policy. In the dialog box that appears, enter a name for
the policy. Make sure that the policy name does not include spaces.

Description: Allows entering a description of the policy if necessary, or viewing
an existing description.

Radio buttons: The following radio buttons allow you to set the status of the
policy:

• Enabled for all outgoing traffic: The policy applies to all outgoing traffic.

• Enabled for file types selected below: The policy only applies to the traffic and
file types selected below.

• Disabled for file types selected below: The policy applies to all traffic and
file types EXCEPT the file/traffic types selected below.


List of extensions: Allows selecting for which files and extensions the policy
will apply.

Apply to: Select the check box(es) to define for which types of
traffic the policy will apply.

Dictionaries:

Select the dictionaries eSafe will use when monitoring files for sensitive content,
and the action it will take if the content matches the dictionary.

The following options are available under the Dictionaries tab:


• Dictionaries: Select the dictionaries that eSafe will use to monitor content.
• Action: The following actions are available:
• Report: Logs the event in the eSafe session.log file. (Enabled by default)
• Block: Blocks the file.
• Archive: Archives the file in the repository.
• Notify sender: Sends an email alert to the sender in case of email traffic.
• Forward file by email: Forwards a copy of the file by email to a predefined
list of email addresses, and adds a prefix to the email subject. The prefix is
defined under DLP Settings. The email recipients are defined at the bottom of
the Dictionary tab.
• Define email recipients for forwarded files: Allows defining to whom the
files will be forwarded by email. When defining multiple recipients, use CSV
format. Note that the recipients are defined per policy.



Appendix A - Alerts Tab

Alerts Tab
The Alerts Tab provides various options that allow you to fine-tune how eSafe will
send alerts.
You can define the following:
• AppliFilter/Virus Warning Message
• URL Filter Warning Message
• Gray List Warning
• Miscellaneous Parameters
• Smart Alerts

AppliFilter/Virus Warning Message


eSafe can block browser sessions from machines where an AppliFilter violation
occurred or where a virus was detected. When this happens, eSafe can notify the
user that the session was blocked, using one of two methods:
• By redirecting users to a specific URL that will display a predefined page with a
relevant notification message.
• By displaying an HTML page with text that can be defined via eSafe.

The Redirect Blocked Sessions page includes the following options:


• Display predefined URL or HTML page check box: Select this check box to
activate the redirect option. (If this option is not selected, the session will be
blocked and a standard browser notification will appear.)
• Display URL: Select this option to redirect users to a pre-defined URL. Enter
the entire URL string in the space provided. You should prepare a company
web page with an appropriate notification, preferably on the local web server
or in the DMZ.
• Display the following HTML text: Select this option to redirect users to an
HTML page with the default text defined in the text box. You can modify this
text as you see fit.
• Minimum minutes between warnings box: This text box allows you to
define the rate at which the message appears if the violation recurs.


URL Filter Warning Message


When eSafe blocks an HTML page that is being viewed by a user, it can notify the
user that the session was blocked, using one of two methods:
• By redirecting users to a specific URL that will display a predefined page with a
relevant notification message.
• By displaying an HTML page with text that can be defined via eSafe.
The URL Filter Warning Message page includes the following options:
• Redirect users to a predefined URL or HTML page check box: Select this
check box to activate the redirect option. (If this option is not selected, the
session will be blocked and a standard browser notification will appear.)

• Redirect to URL: Select this option to redirect users to a pre-defined URL.
Enter the entire URL string in the space provided. You should prepare a
company web page with an appropriate notification, preferably on the local
web server or in the DMZ.
• Replace blocked page with the following HTML text: Select this option to
redirect users to an HTML page with the default text defined in the text box.
You can modify this text as you see fit.
• Only redirect blocked HTML pages check box: Select this check box if you
only want to redirect blocked HTML pages. (If this option is not selected, users
will be redirected each time any HTTP session is blocked.)


Gray List Warning


When eSafe blocks a page or file because it appears in the Gray List, eSafe can
notify the user of this by redirecting them to a predefined URL or HTML page.

The Gray List Warning page includes the following options:


• Redirect users to a predefined URL or HTML page check box: Select this
check box to activate the redirect option. (If this option is not selected, the
session will be blocked and a standard browser notification will appear.)
• Replace blocked page with the following HTML text: Select this option to
redirect users to an HTML page with the default text defined in the text box.
You can modify this text as you see fit.
• Only redirect blocked HTML pages check box: Select this check box if you
only want to redirect blocked HTML pages. (If this option is not selected, users
will be redirected each time any HTTP session is blocked.)


Miscellaneous Parameters
This branch contains a variety of additional parameters that enable defining
report file properties, email parameters, and other alert-related settings.

A description of the various options follows:


• Report file properties: By default eSafe saves and allows viewing reports for
the last ten days. If necessary, you can change this setting and define the
number of days for which you want to be able to view eSafe reports.
• eSafe sender mail address: Allows you to define the sender email address
that will be used by eSafe to send alerts. This is also the string that is
displayed when connecting to the eSafe SMTP server.
• Outgoing SMTP mail server: Allows you to define which SMTP server eSafe
will use to send alerts. Next to Outgoing SMTP mail server, click the List link to
view the SMTP Mail Relay page. This page includes a list of mail relay servers
that are allowed to send email instead of eSafe. You can edit this list if
necessary.
• Alert subject: Allows defining the text that appears in the subject of email
alerts sent to alert recipients. Next to Alert Subject, enter the text you want to
appear in the subject of email alerts.
• Minimum free disk space (Mb) defines an amount of free disk space on the
eSafe machine. An alert is created when the free disk space drops below this
amount.
• Block email/file if an error occurs during scanning defines what to do
with a file or an email, if an error occurs while the file is being scanned. If you
select this option, the file will be blocked. If you do not select this option, the
file or email will be allowed to continue un-scanned.
Note: If you clear the Block email/file if an error occurs during scanning option,
eSafe will not scan the email/files. The email/files could contain malicious content
which would then be able to enter your network.
Email/files that eSafe is unable to open due to unrecognized or non-standard
formats, will result in a scan error. The email/files could contain malicious content
which would then be able to enter your network.


Smart Alerts
Smart Alerts allow you to fine tune alert generation by defining specific conditions
for generating alerts. This is based on event analysis and allows generation of
alerts due to recurring events.
To define Smart Alerts:
There are two ways to define Smart Alerts:
• Via the Smart Alerts option in the Alerts tab: Click the Add alert button to
define alert details, thresholds, and the notification method.
• Via the "Dashboard" and "Track & Care" modes: When viewing reports in
Track & Care mode, or when drilling down to view logs in Dashboard mode,
you can double click on a log/event in order to view the Smart Alerts dialog
box, and define an alert based on that log/event.

Note: When defining system alerts, you can use the * wildcard option to send alerts for all
modules and actions.

The following details are required:


• Alert name: Enter a name for the alert.
• Alert type: Decide if the alert will be for system related events or activity
related events.
• Alert details: This option is available when the System alert type is selected.


You can define the following options:

• The severity of the event (e.g. informative or critical)

• For which module you want to get an alert (e.g. anti-spam engine)

• The action that took place (e.g. connection problems, configuration changes, etc.)

Note: The options available in the Module and Action drop-down lists depend on
the Severity setting, therefore various combinations are available.
• Thresholds: Define after how many occurrences the alert will be generated.
• Select the Enabled check box to enable use of the threshold.

• Define the number of occurrences after which an alert will be generated.

• Define the maximum number of alerts that will be sent per hour or per day.
• Method: Allows you to select the alert method: email, SNMP, or Syslog. A
combination of methods can be used. If Email is selected, you must define the
email address of the alert recipient. (You can use a comma separated list to
add more than one recipient.)



Appendix A - Updates Tab

Updates Tab
The eSafe update mechanism compares the relevant eSafe files with the latest
eSafe files on the Internet. The update mechanism then downloads the relevant
package needed to bring your eSafe machine up to date and installs the files.

The Update page includes the following options and information:


• Successfully updated shows the date and time the last successful update
occurred.
• Last time checked shows the most recent date and time that eSafe checked
for updates.
• Items to update: You can schedule eSafe to automatically update any of the
following items (if your eSafe license has expired, the Update feature will not
function):
• Virus signatures and Scan Engine

• Content Filter Security Rules and List

• Software Upgrades

• Anti-spam and URL Filtering Add-on Modules

• eSafe Appliance Platform (Linux)


When performing software upgrades and updating the anti-spam and URL
filtering add-on modules, you can define when to perform the update:
• Update according to eSafe auto-update interval (see description below)

• Update daily at: Allows selecting the time at which the update will occur.

• eSafe auto-update interval: Defines the interval at which eSafe will check
for updates. If you want to update immediately, you can click Update Now at
any time. Allows you to decide at what time of the day the add-on (anti-spam,
URL filtering) components will be updated with the latest relevant information.
• Service Pack: Hotfixes/service packs are provided to specific clients who have
reported the issue involved. Hotfixes/service packs must only be downloaded
after obtaining permission to do so from eSafe Technical Support. Enter the
hotfix/service pack number in this field and then click Update Now to apply.


• Update Now button: Allows updating manually on-demand.


• Connection Settings button: Click this button to define the update mode
(HTTP or FTP active or passive mode) and the proxy server settings.



Appendix B
Policy Settings

Backing Up and Restoring Data in eSafe


eSafe’s backup and restore procedures are performed via the Security Center or
the eSafe Appliance Manager. Take note that:
• Backing up the security policy is done via the SmartSuite Security Center. This
exports the relevant eSafe configuration files packaged as a Zip file.
• Backing up the appliance settings is done via the eSafe Appliance Manager.
This includes IP definitions, routing table information, machine status, etc. It is
also possible to back up/restore via the command line, and to an external location.
Details on performing these actions follow.



Appendix B - Backing up via the SmartSuite Security Center

Backing up via the SmartSuite Security Center


In eSafe SmartSuite, exporting and loading the configuration is achieved with a
simple click of a button.
The following two buttons are available in the Security Center when working in
the Policy Settings mode:
• Export configuration: This option exports the eSafe configuration along with
the security policy settings. eSafe will save the relevant configuration files in a
zip file. The zip file includes the following files:
• Esdspsrv.dir.xml – Includes the LDAP settings
• Esdspsrv.dat – Includes the latest LDAP user and group lists
• eSafeNIpca.ini – This is the NitroInspection configuration file
• esafecfg.ini – This is the main eSafe configuration file
• applifilter2.ini – Includes AppliFilter rules
• alertsdef.xml – Includes definitions and filters for the Smart Alerts

Note:
• The files included in the zip file depend on the type of product installed.
• It is recommended to periodically export the configuration in order to back
up the eSafe configuration.

• Import configuration: Use this button to import a saved configuration. After
importing the configuration, you should click the Apply/deploy configuration
button in order to apply the new configuration before continuing.
Note: The Import Configuration feature replaces all the current files. Therefore, it is
possible to remove a file from the zip file if you do not want to replace that file.
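
Because an import replaces every file present in the zip, it helps to know exactly which files an export holds before loading it. The following Python sketch is an added example, not SafeNet code: it inventories an exported zip against the file names listed above, records a SHA-256 digest per file, and writes a copy without chosen files. It assumes the zip stores the files at its top level under exactly these names; the sample archive and its contents are constructed.

```python
import hashlib
import io
import zipfile

# File names as listed in this guide; the real set depends on the product installed.
KNOWN_FILES = {
    "Esdspsrv.dir.xml": "LDAP settings",
    "Esdspsrv.dat": "latest LDAP user and group lists",
    "eSafeNIpca.ini": "NitroInspection configuration",
    "esafecfg.ini": "main eSafe configuration",
    "applifilter2.ini": "AppliFilter rules",
    "alertsdef.xml": "Smart Alerts definitions and filters",
}


def audit_export(zip_bytes):
    """Return (present, missing, unexpected); present maps name -> SHA-256."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        present = {n: hashlib.sha256(zf.read(n)).hexdigest()
                   for n in names if n in KNOWN_FILES}
    missing = sorted(set(KNOWN_FILES) - set(present))
    unexpected = sorted(n for n in names if n not in KNOWN_FILES)
    return present, missing, unexpected


def trim_export(zip_bytes, keep_on_appliance):
    """Return a copy of the zip without the files named in keep_on_appliance.

    Leaving a file out of the zip keeps the version currently on the appliance.
    """
    typos = set(keep_on_appliance) - set(KNOWN_FILES)
    if typos:
        raise ValueError("not a known configuration file: %s" % sorted(typos))
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in keep_on_appliance:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_export():
    """Constructed stand-in for an export; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("esafecfg.ini", "; constructed placeholder\n")
        zf.writestr("applifilter2.ini", "; constructed placeholder rules\n")
        zf.writestr("alertsdef.xml", "<alerts/>\n")
    return buf.getvalue()


if __name__ == "__main__":
    export = build_sample_export()
    # Keep the AppliFilter rules that are on the appliance; import the rest.
    trimmed = trim_export(export, {"applifilter2.ini"})
    for label, blob in (("export", export), ("trimmed", trimmed)):
        present, missing, unexpected = audit_export(blob)
        print(label, sorted(present), "missing:", missing, "unexpected:", unexpected)
```

Comparing the digests of successive exports shows which configuration files changed between backups.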



Appendix B - Backing up data via the eSafe Appliance Manager

Backing up data via the eSafe Appliance Manager
This option allows you to create a backup of all the appliance and policy settings
including IP definitions, routing table information, machine status, etc. It is
recommended to periodically back up the appliance to allow for easy recovery of
data in the event that the appliance is damaged, or replaced.
Note: The data can only be restored on an appliance with the same hardware as the
appliance on which the backup was performed.
Follow the steps below to back up the configuration:
1. In the eSafe Appliance Manager, select Support | General.

2. Click the Create and download eSafe Appliance Configuration backup file
option.

3. Define the location to which you want to download the backup file.



Appendix B - Restoring Backed Up Data

Restoring Backed Up Data


When restoring the appliance configuration make sure you restore the
configuration to an appliance with the same hardware as the appliance on which
the backup file was created.
Follow the steps below to restore the configuration:
1. Run the eSafe Appliance Setup Wizard.
2. In the Welcome page, under Restore eSafe Appliance Configuration, enter the
path and file name to reach a previously backed-up configuration file, or click
Browse to search for the file.

3. Click the Restore Appliance Configuration button.



Appendix B - Backing up and restoring via the Command Line

Backing up and restoring via the Command Line
The Command Line allows backing up and restoring files using standard backup/
restore commands. It is also possible to schedule the backup using Crontab.
Run the following command to back files up manually:
/opt/eSafe/esgapi --createbackup
This creates the tar.gz file; the same file that is created when backing up via the
eSafe Appliance Manager.
It is also possible to create a scheduled task using Crontab that will automatically
perform the backup.

Backing up to an external location


Backing up to an alternate location can be done using an external device/tool
(e.g. uploading to FTP or saving to a USB stick). These actions require more in-
depth Linux knowledge. For more information on these options, please contact
the eSafe technical support team.
