All intellectual property is protected by copyright. All trademarks and product names used or
referred to are the copyright of their respective owners. No part of this document may be
reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written
permission of SafeNet.
SafeNet makes no representations or warranties with respect to the contents of this document
and specifically disclaims any implied warranties of merchantability or fitness for any
particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to
make changes from time to time in the content hereof without the obligation upon SafeNet to
notify any person or organization of any such revisions or changes.
We have attempted to make these documents complete, accurate, and useful, but we cannot
guarantee them to be perfect. When we discover errors or omissions, or they are brought to
our attention, we endeavor to correct them in succeeding releases of the product.
SafeNet invites constructive comments on the contents of this document. These comments,
together with your personal and/or company details, should be sent to the address below.
SafeNet, Inc.
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Technical Support
If you encounter a problem while installing, registering or operating this product, please make
sure that you have read the documentation. If you cannot resolve the issue, please contact
your supplier or SafeNet support.
SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between SafeNet and your organization.
Please consult this support plan for further information about your entitlements, including the
hours when telephone support is available to you.
Technical Support Contact Information:
Phone: 800-545-6608 (US)
Phone: 410-931-7520 (International)
Email: support@safenet-inc.com
www.safenet-inc.com
Important Note:
Please note that the contents of this guide may change from time to time, to accommodate
new features, corrections, etc. The most recent product documentation can be found in the
following location: www.esafe.com/support/eSafeDocuments.asp
Table of Contents
Chapter 1: Introduction
  Preface
    Using this guide
    Graphical conventions
  What’s new in this version?
  About eSafe SmartSuite
    Web Security Gateway
    Mail Security Gateway
    Management and Reporting
    Flexible Platforms
  Product Types and Deployment Modes
    Working with eSafe on VMware™
Chapter 2: Installing the eSafe Appliance
  Pre-deployment Checklist
  Installing the Appliance in Transparent Bridge Mode
    Connecting the eSafe Appliance to a Workstation
    Accessing the Appliance
    Using the Setup Wizard to Configure the Appliance
  Installing the Appliance in Proxy Mode
    Connecting the eSafe Appliance to a Workstation
    Accessing the Appliance
    Using the Setup Wizard to Configure the Appliance
    Additional Information
  Installing the eSafe Appliance in Mail Mode
    Connecting the eSafe Appliance to a Workstation
    Accessing the Appliance
    Using the Setup Wizard to Configure the Appliance
  Installing the eSafe Appliance in Router Mode
    Connecting the eSafe Appliance to a Workstation
    Accessing the Appliance
    Using the Setup Wizard to Configure the Appliance
  Installing the eSafe Appliance in SSL Mode
    Connecting the eSafe Appliance to a Workstation
    Accessing the Appliance
    Using the Setup Wizard to Configure the Appliance
  Installing the eSafe Appliance in ICAP Mode
    Connecting the eSafe Appliance to a Workstation
    Accessing the Appliance
Welcome to the eSafe SmartSuite Deployment Guide. This guide provides you
with the necessary information to deploy eSafe in your network, along with
information on how to use eSafe to monitor traffic, perform maintenance, and get
technical assistance.
Contents:
• Preface
• What’s new in this version?
• About eSafe SmartSuite
• Product Types and Deployment Modes
Preface
Graphical conventions
Please take note of the following conventions used in this guide:
• Text that you must enter appears as follows: example
• A button that needs to be clicked appears in bold, as do menu paths in the
menus. For example: Select Administration | Warning Messages |
Outgoing. Click the Add button.
• The names of menus, dialog boxes, and fields appear in italics: In the Settings
menu, type hello in the Name text box and then click Apply.
• Archived files
• New options allow taking specific actions when detecting data that matches the
DLP dictionaries, including:
• Report: Logs all file properties in the event log.
• Block: Blocks outgoing files/email.
• Notify sender: Sends a notification to the email sender (for mail events
only).
Central Management:
• Improved Central Management experience allows getting an instant overview
of what’s happening on the gateway by monitoring traffic, getting alerts,
investigating events, and taking immediate action. The central management
features include:
• Single sign-on
When installing eSafe in a multiple eSafe machine environment (more than one
machine), the central management/log server must be installed as a regular
eSafe machine or as a separate central management/log server. Do not use more
than one central management machine.
P2P issue: By default, the eSafe Security Center connects to the central machine
which allows monitoring and managing all machines in the organization. In case
of an emergency or if you need to manage a specific machine NOT via the eSafe
Security Center management server, you can connect to the machine directly
(with limited capabilities), using the following eSafe management command:
"C:\Program Files\eSafe\eSafeMNG\8.5\esafemng.exe" /log /p2p
Productivity Improvements
• This version includes various Productivity Improvements, including:
• Controlling and blocking streaming traffic per URL category with profile and
streaming properties (RTSP, RTP, MMS, Flash, etc.).
• New warn/gray URL filter categories per policy and overriding rules
(Coaching).
• Support for non-inspected SSL sites per URL category. (Only eSafe Web
SSL)
Dashboard Enhancements
• Enhanced Dashboard graphic charts with drill-down capabilities by double-
clicking on the chart or legend to see actual events for a specific query.
• Support for “4Eye” log viewing. When viewing information in the Dashboard
and Track & Care screens, users will see anonymous details. In order to see
real data, a secondary administration password is defined (4Eye), allowing
viewing of actual information. For further details, see “4Eye View” on page 87.
User Management
• Proxy authentication to support multiple AD Domains.
• Added a new feature that allows end users to view quarantined email via Web-
based reports, and manage/release quarantined email. This Web-based
quarantine report supports NTLM Authentication and multiple domains.
Globalization Support
• This version includes Unicode support to allow globalization of the Security
Center UI and data.
Performance Enhancements
• This version includes a new results scanning cache.
• Improved web performance using real-time HTTP gzip compression, which allows
real-time extraction and analysis of content that reaches eSafe in
compressed format.
• Improved URL Filter performance using internal cache and restructuring.
• Restructured the AppliFilter engine to improve efficiency and performance.
Note:
This version supports two USBs in all appliances except HG200 which only
recognizes SanDisk 4GB. The GA release will only support one USB.
optimize your security policy, identify the source of attacks, and focus on trouble
spots with both user and group views.
Flexible Platforms
The eSafe XG appliance family is a turn-key secure solution available on a wide range
of platforms that meet your business needs. eSafe is also available as a virtual
appliance for 3rd party certified hardware or as a VMware™ virtual appliance pre-built
solution. All eSafe XG appliances are designed to be:
• Simple: eSafe XG appliances are pre-configured with best practices security
policy settings, straightforward setup, and fully customizable to your needs.
• Reliable: Purpose-built, robust and highly reliable, eSafe XG appliances
include high availability and failover technology with a built-in fail bypass
option, as well as firmware restore and upgrade.
• Scalable: A single eSafe XG appliance can support thousands of users, and a
patented, inline cluster mode allows connection of multiple appliances for
transparent load balancing.
• Manageable: eSafe XG appliances feature centralized management through
an intuitive interface console, which provides clear reporting data and access
to essential tools for ongoing review and analysis of network traffic, employee
productivity and policy compliance.
Several eSafe appliances can be installed in-line and together serve as a network
bridge. In case an appliance fails, its bypass NIC will fail open and other devices
in the cluster will automatically re-synchronize in order to inspect the traffic
instead of the appliance that failed. This mode can be used for eSafe Web and for
eSafe Gateway products.
Proxy Mode
eSafe in Proxy mode allows deploying eSafe as a proxy server that includes all of
eSafe’s content security features. In this mode, eSafe scans HTTP and FTP (over
HTTP) traffic, and has the ability to scan SMTP traffic too. Application control is
possible for HTTP-based applications. This mode allows for seamless integration
with Active Directory and LDAP for authentication of all HTTP traffic.
This mode is easy to implement and does not require any changes to the
network, and physically separates browsing users from the Internet. All users’
browsers need to be configured to browse through the appliance. Scalability is
achieved by using standard round-robin proxy load-balancing methods or via
third party load balancers.
SSL Mode
eSafe in SSL mode is suited to organizations that demand extra security and
acknowledge the fact that an encrypted connection does not guarantee that the
data being transmitted, or the content of an encrypted web page, is free of
malicious code. This mode provides transparent inspection of all encrypted
(HTTPS, SSL, TLS) web traffic and policy based certificate authorization at the
gateway, also blocking anonymizer technologies and tunneling attempts. With
eSafe in SSL mode, all encrypted packets such as encrypted web pages, web-
based email, instant messaging, and chat content, are inspected and blocked if
found to be malicious, before being allowed to enter the enterprise network.
eSafe in SSL mode is installed as an SSL/HTTPS proxy. All users’ browsers must be
configured to use this proxy for surfing encrypted HTTPS/SSL websites. eSafe can
inspect both HTTP and HTTPS traffic on one appliance, for up to 500 users. For
more than 500 users, eSafe must be installed on a dedicated appliance that will
check HTTPS traffic, in addition to the regular eSafe Web appliance that will
inspect unencrypted HTTP.
Router Mode
In this mode, eSafe acts as a router and requires creating a subnet and
reassigning the LAN’s Default Gateway to the internal NIC of the eSafe machine.
The eSafe machine operates as the default gateway and traffic is forwarded to the
firewall and then to the Internet. eSafe transparently scans HTTP, FTP, SMTP, and
POP3 traffic between the LAN and the Internet.
If you want to replace an existing router or combine eSafe with third party load
balancers - especially in complex networks - we recommend using Router Cluster
Mode. This mode provides seamless deployment and transparent inspection of
HTTP, FTP, SMTP, and POP3 traffic, as well as application control (for example,
P2P and streaming traffic), and ensures that the network is secured even in the
event that all machines are down.
In this mode, several eSafe appliances are installed in parallel and together work
as a cluster. One of the appliances serves as a master router and redirects traffic
to other eSafe appliances for inspection. In case an appliance in the cluster fails,
the master appliance will stop redirecting traffic to it. If the master fails, the next
eSafe appliance will automatically assume the role of the master. This mode can
be used for eSafe Web and for eSafe Gateway products and requires some
changes to the network configuration.
ICAP Mode
Networks that include proxy servers that support ICAP (for example Blue Coat
and Cisco) can benefit from eSafe’s Web Security Suite by installing eSafe in ICAP
mode. This can be used in conjunction with proxy servers that support ICAP to
provide content scanning and filtering, and block Internet-based malicious code.
The proxy server (ICAP client) sends content to the eSafe appliance (ICAP server)
where it is inspected for malicious content. Since the ICAP protocol includes built-
in provisioning for load-balancing, several eSafe appliances can be connected to
create a cluster which can support a large number of users.
Mail Mode
eSafe in SMTP relay mode provides comprehensive email security to protect
organizations from email-borne security threats and maximize productivity. eSafe
detects and blocks viruses, exploits, malicious code, spam, cookies, malicious
content found in Office documents, and hacker attacks, without blocking
legitimate emails. This mode provides flexibility by allowing granular control of
the varying security needs of different groups or users within the company.
In this mode, the eSafe Appliance is installed in the DMZ (demilitarized zone) as a
secure SMTP relay, effectively shielding the internal network and mail servers
from the outside world. All inbound and outbound email is inspected before being
forwarded to the destination. In addition to the regular mail relay functions, it
also includes anti-relay/spamming/bombing mechanisms.
Contents:
• Pre-deployment Checklist
• Installing the Appliance in Transparent Bridge Mode
• Installing the Appliance in Proxy Mode
• Installing the eSafe Appliance in Mail Mode
• Installing the eSafe Appliance in Router Mode
• Installing the eSafe Appliance in SSL Mode
• Installing the eSafe Appliance in ICAP Mode
• Installing the eSafe Appliance in Router Cluster Mode
Pre-deployment Checklist
Before you proceed, take note of the following questions that will assist you in
deciding which product and deployment mode you wish to install.
Do you require comprehensive security reports?
Follow this link to learn more about the eSafe Advanced Reporter.
3. Accept the security alert in order to continue. The Login page appears.
4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).
The Configuration Wizard will start automatically and the Welcome screen will
appear.
• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.
3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway and/or Mail Security Gateway, in order to
inspect web and/or mail traffic.
5. Select the Central Management Server check box if you want this machine
to be a central machine.
Note: Depending on the type of appliance, you may be able to connect to the appliance via
network cards other than Eth0.
7. Define the following network settings to enable the eSafe Appliance to
communicate with the network:
9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).
11. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.
12. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.
15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.
3. Accept the security alert in order to continue. The Login page appears.
4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).
The Configuration Wizard will start automatically and the Welcome screen will
appear.
• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.
3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.
4. From the Choose deployment mode drop-down list, select eSafe Proxy.
5. Select the Central Management Server check box if you want this machine
to be a central machine.
• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
9. In the eSafe Proxy Parameters page, you must define settings for connecting
to the proxy:
• Listening Port: This is the port on which the proxy will listen. The default is
8080.
• Enable Parent Proxy: Select this option to enable use of a parent proxy.
Define the proxy hostname and port.
• Click the Force using parent proxy checkbox if the eSafe machine does
not have a direct Internet connection and requires a parent proxy.
• Enable Cache: Select this checkbox to enable caching of traffic. Define the
maximum size of the cache.
• Basic Realm: Part of the text the user will see when prompted for their
username and password.
• Server Location: Define the IP address of the Active Directory or LDAP
server.
• Base DN: Define the distinguished name of the root from which user/
group details will be taken.
• Bind DN: Define a user name to allow access to the LDAP server.
• Bind Password: Define the password to connect to the server.
• Search filter: Define expressions to search the user data.
• Basic (Text): This method uses a standard Linux user name and password
file.
Note: Please refer to the information at the end of this section regarding Creating a “Flat
File” for authenticating users with eSafe Proxy mode.
11. Define the settings and click Next. The Password page appears.
12. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
be prompted to change the root password (first time installation only).
14. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.
15. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.
18. Click Apply and Shutdown. The appliance is now ready for connection to the
network.
Additional Information
Creating a “Flat File” for authenticating users in eSafe Proxy mode
In scenarios where the user credential information is not available as part of a
supported directory service (such as Open LDAP or Active Directory), eSafe
supports user authentication for browsing through the Proxy server based on an
internal user and password list file known as a “Flat File”.
When using eSafe Proxy mode with the “Flat File” authentication method, please
note the following points and guidelines in order for the authentication to work
properly:
1. The flat file should be created with a program that creates htpasswd files. There are
various programs and websites that can create *.passwd files (for example
http://www.htaccesstools.com/htpasswd-generator-windows/)
2. After creating the flat file, it should be copied to eSafe under: /opt/eproxy/
3. Permissions for the flat file should be changed to: chmod 666 users.htpasswd
4. Restart the Squid service (service squid restart) and then restart the
eSafe service (service esafe restart).
5. In order for eSafe to identify the authenticated users (for profiles), define
“manual” users via the eSafe Security Center, that have the same credentials
as in the flat file.
When a user attempts to browse the Internet, a prompt for entering their user
name and password will automatically appear.
Please note that any time the flat file is updated, the Squid and eSafe services
should be restarted as outlined in step 4 above.
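An added example, not part of the SafeNet guide: a Python check to run on the workstation before the flat file is copied in step 2. It validates the user:hash lines, names the hash scheme of each entry, reports what a given file mode allows, and compares the user names with the "manual" users from step 5; the sample file, the function names and the hand-typed manual-user list are assumptions.

```python
import re
import stat

# Constructed sample flat file (dummy users and hash strings, not from the guide).
SAMPLE_FLAT_FILE = """\
alice:$apr1$Xy12abCD$0123456789abcdefghijk.
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:hunter2
dave:rl0uE6pGfDmGk
alice:$apr1$Qw98zyXW$abcdefghijk0123456789/
:orphanhash
no-colon-line
"""

# Schemes this audit reports, with the reason. Which schemes the appliance's
# Squid accepts is not stated in the guide, so this only classifies entries.
WEAK_SCHEMES = {
    "sha1-unsalted": "unsalted SHA-1, identical passwords give identical hashes",
    "des-crypt": "traditional crypt(), only the first 8 characters are used",
    "plaintext-or-unknown": "not a recognised hash, possibly a clear-text password",
}


def classify_hash(value):
    """Name the htpasswd hash scheme from the stored value's shape."""
    if re.match(r"^\$2[aby]\$", value):
        return "bcrypt"
    if value.startswith("$apr1$"):
        return "apr1-md5"
    if re.match(r"^\$[56]\$", value):
        return "sha-crypt"
    if value.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./A-Za-z0-9]{13}", value):
        return "des-crypt"
    return "plaintext-or-unknown"


def audit_flat_file(text):
    """Return ({user: scheme}, [(line_number, kind, detail), ...])."""
    users = {}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, value = line.partition(":")
        if not sep or not user or not value:
            findings.append((lineno, "malformed", "expected user:hash"))
            continue
        if user in users:
            # A second entry for the same name makes the effective
            # password depend on which line the reader picks.
            findings.append((lineno, "duplicate", user))
            continue
        scheme = classify_hash(value)
        users[user] = scheme
        if scheme in WEAK_SCHEMES:
            findings.append(
                (lineno, "weak-scheme", f"{user}: {WEAK_SCHEMES[scheme]}"))
    return users, findings


def mode_findings(mode):
    """Report what a file mode allows to accounts other than owner and group.

    Step 3 of the guide sets 666; the guide does not say whether a tighter
    mode works on the appliance, so this reports exposure only.
    """
    result = []
    if mode & stat.S_IWOTH:
        result.append("world-writable")   # any local account can edit the list
    if mode & stat.S_IROTH:
        result.append("world-readable")   # any local account can read the hashes
    return result


def compare_with_manual_users(flat_users, manual_users):
    """Step 5: each flat-file user needs a matching "manual" user.

    `manual_users` is a list typed in by the administrator (assumption:
    no export interface is described in the guide).
    """
    flat, manual = set(flat_users), set(manual_users)
    return {
        "missing_in_security_center": sorted(flat - manual),
        "missing_in_flat_file": sorted(manual - flat),
    }


if __name__ == "__main__":
    users, findings = audit_flat_file(SAMPLE_FLAT_FILE)
    for item in findings:
        print(item)
    print(mode_findings(0o666))
    print(compare_with_manual_users(users, ["alice", "bob", "erin"]))
```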
3. Accept the security alert in order to continue. The Login page appears.
4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).
The Configuration Wizard will start automatically and the Welcome screen will
appear.
• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.
3. Under Choose Product, select the Secured Gateway check box and then
select Mail Security Gateway, in order to inspect web and/or mail traffic.
In the Choose deployment mode drop-down list, the SMTP Relay option will
be selected automatically.
4. Select the Central Management Server check box if you want this machine
to be a central machine.
Note: Depending on the type of appliance, you may be able to connect to the appliance via
network cards other than Eth0.
6. Define the following network settings to enable the eSafe Appliance to
communicate with the network:
• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
• Under SMTP Client Identification, define the string the appliance will use
for identification purposes when communicating with SMTP clients that
use the helo command. It is recommended that this string is the same
as the appliance name.
7. Click Next. The Mail Servers page appears. You must define all the network's
internal mail servers to enable scanning SMTP traffic. You must also include
the port number that will be used to listen to SMTP traffic (the default is port
25). If the server has a backup machine, you can define more than one IP
address for that server.
• Click Add to define the domain name and IP address(es) of each mail server
in the network that will be protected.
9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).
11. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.
12. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.
15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.
3. Accept the security alert in order to continue. The Login page appears.
4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).
The Configuration Wizard will start automatically and the Welcome screen will
appear.
• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.
3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.
4. From the Choose deployment mode drop-down list, select Other Modes. In
the page that appears, select eSafe Router from the drop-down list.
5. Select the Central Management Server check box if you want this machine to
be a central machine.
Note: Depending on the type of appliance, you may be able to connect to the appliance via
network cards other than Eth0.
7. Define the following network settings to enable the eSafe Appliance to
communicate with the network:
• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• Select the Disable High Availability NIC features check box if you do
not want to allow the fail open feature when the appliance is down.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
8. Click Next. The Password page appears.
9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).
11. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.
12. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.
15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.
3. Accept the security alert in order to continue. The Login page appears.
4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).
The Configuration Wizard will start automatically and the Welcome screen will
appear.
• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.
3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.
4. From the Choose deployment mode drop-down list, select Other Modes. In
the page that appears, select eSafe Web SSL from the drop-down list.
5. Select the Central Management Server check box if you want this machine
to be a central machine.
• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
8. Click Next. You will be prompted to define SSL proxy parameters.
• Next to eSafe Web SSL Proxy Port, enter the proxy port.
• Select whether the proxy Internet connection is Direct or via a Parent Proxy
or IP address.
If you select parent proxy, define the IP address and port that will be used to
connect to the parent proxy.
9. Click Next. The Password page appears.
10. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).
12. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.
13. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.
16. Click Apply and Shutdown. The appliance is now ready for connection to the
network.
Important Note:
In order to avoid errors when accessing the eSafe Appliance Manager in the
future, follow the steps below:
1. Run Internet Explorer.
2. Select Tools | Internet Options | Connections | LAN settings | Advanced.
3. Under Exceptions, add the eSafe machine IP address to the exceptions list.
3. Accept the security alert in order to continue. The Login page appears.
4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).
The Configuration Wizard will start automatically and the Welcome screen will
appear.
• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.
3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.
4. From the Choose deployment mode drop-down list, select Other Modes. In
the page that appears, select eSafe ICAP from the drop-down list.
Note: By default, eSafe Web is configured to listen for ICAP traffic on port 1344. If
necessary, it is possible to change this port via the esafenipca.ini file, located in Program
Files/eSafe. In the [proxy] section, change the value next to the [proxylisten port] key.
5. Select the Central Management Server check box if you want this machine
to be a central machine.
• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).
11. Define the current date and time, and the time zone in which the appliance will
operate. Click Next to display the Registration page.
12. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.
15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.
16. Follow the steps in the next section to configure the Blue Coat proxy server to
work with eSafe.
Configuration Procedures
The proxy server (ICAP client) must be configured to send all HTTP traffic to the
eSafe Web (ICAP server) machine for scanning.
eSafe Web for ICAP supports operation with the Blue Coat proxy server. Use the
instructions that follow to configure the proxy server.
Configuring the Blue Coat Systems Proxy Server
Make sure that you install the latest version of the Blue Coat Systems proxy
server, or upgrade to the latest version (SGOS: 2.1.10 – Release ID: 20570, or
higher).
To install the proxy server, follow the instructions in the relevant Blue Coat
Systems documentation. Once installed, you must configure the ICAP service.
3. In the ICAP service name field, enter an alphanumeric name. Click OK.
4. Select the new ICAP service name and click Edit. The Edit ICAP Service dialog
appears.
5. Next to Service URL, enter the ICAP server URL (i.e. the eSafe Web IP
address), written in the following format: icap://(eSafe IP)/respmod, as
illustrated in the picture above.
6. Click the Sense Settings button. This will allow the server to automatically
acquire all default settings that are required to communicate with eSafe.
8. Repeat steps 2-7; in step 5, enter the ICAP server URL as follows:
icap://(eSafe IP)/reqmod. Select request modification as the method
supported.
3. Accept the security alert in order to continue. The Login page appears.
4. Log in to the Appliance Manager using the default username (admin), and
password (esafe).
The Configuration Wizard will start automatically and the Welcome screen will
appear.
• In the Choose Product and Deployment Mode page, you need to decide
which traffic you want to scan and how you want to deploy your appliance.
3. Under Choose Product, select the Secured Gateway check box and then
select Web Security Gateway.
4. From the Choose deployment mode drop-down list, select Other Modes. In
the page that appears, select eSafe Router Cluster from the drop-down list.
• Under Appliance IP settings, enter the IP address and netmask that you
have assigned to the eSafe Appliance. This must be a valid IP address
from the network/DMZ.
• Next to Default Gateway, enter the IP address of the gateway device that
is used to forward traffic to destinations beyond the local network.
• The Reset unused interfaces option is enabled by default and clears all
NIC information. (It is especially useful when reconfiguring the
appliance.)
• Under Name Resolution, enter the hostname of the eSafe Appliance to
enable identification of the appliance in the network, and the IP
addresses of the DNS servers in the network that will be used to resolve
machine names.
7. Click Next. The Cluster VIP Settings page appears. The eSafe Security Cluster
in Router mode operates with Virtual IP Addresses (VIP). At least two VIPs are
needed; one for each side of the cluster. These VIPs will be the external
identity of the eSafe Cluster. The VIPs will be available as long as at least one
node in the cluster remains healthy.
Define the internal and external VIPs that will be used by the eSafe Cluster.
Note that all eSafe Cluster member machines must have the same VIP
definitions.
8. Click Next. The Password page appears.
9. In the Password page, change the appliance’s “admin” user default password.
This password will also be used to access the eSafe Security Center. You will
also be prompted to change the root password (first time installation only).
11. Define the current date and time, and the time zone in which the appliance will
operate.
13. Enter your contact details in order to register your eSafe Appliance. This
allows you to receive security updates and important eSafe news.
15. Click Apply and Shutdown. The appliance is now ready for connection to the
network.
Note: Initially defining a cluster requires logging on to eSafe Security Center via the central
machine, defining a new cluster, dragging the central machine (which appears under the
“ALL” branch in the machine tree) to the cluster, and then defining the other cluster
members.
Contents:
• About the Appliance Manager
• Accessing the Appliance Manager
• Status Menu
• Settings Menu
• Support Menu
• Connecting the eSafe Appliance to the Network
• Adding Firewall Rules
3. Log in to the Appliance Manager using the default username (admin), and the
password defined in the eSafe Appliance Setup Wizard.
Status Menu
The Appliance Status menu includes the following options:
• eSafe Status—displays the status of eSafe and its add-ons.
• System Info—displays system related information.
• Network Info—displays information about the eSafe Appliance’s network
card(s), and the routing table.
• Spool Manager—displays information about messages in the Spool Manager.
A description of these options follows.
eSafe Status
In the eSafe Appliance Status page you can see the status of the eSafe product
being used, as well as the status of any add-ons.
Type: Shows the type of eSafe product installed and the add-ons available.
System Info
The System Information page displays information about the CPU and memory,
and the amount of free storage space. Under Advanced, you can view the
contents of the system log files.
CPU and Memory Information: Displays the CPU's vendor name, model, speed, RAM,
and swap memory.
System Log Files: Click Advanced to view system log files. Click on a log
file to download the file and view information about
appliance/system events.
Network Info
Displays the type of network interface card(s) being used, the status of the link,
and routing table information. Click on a specific card to view additional detailed
information about that card and its driver.
Note: eSafe automatically negotiates the network type and speed. The default setting
should only be changed in the event that eSafe is connected to an unsupported network
device or if the auto-negotiate feature does not operate properly.
Refresh button: Click Refresh to update the network card and routing
table information.
Spool Manager
When the SMTP service is enabled, this page shows the number of messages in
the Spool Manager, and the date and time the messages entered the spool.
Messages that appear in the Spool Manager for extended periods of time could
indicate a problem.
Settings Menu
The Settings menu includes the following options:
• IP Settings—allows defining the eSafe Appliance’s IP address.
• Host Name and DNS—allows defining name resolution parameters.
• Time and Date—allows changing the eSafe Appliance’s time and date
settings.
• Passwords—allows changing the admin and root account passwords.
• Access Control—allows defining settings to control access to the eSafe
Appliance.
• SNMP—allows enabling or disabling use of the SNMP service, and defining a
management station.
• eSafe Proxy—only available when working with eSafe Proxy and allows
viewing and editing proxy server settings, including defining the authentication
type.
• Domain Registration—only available when working with eSafe Proxy and
allows registering the eSafe Proxy Machine in the domain.
• SSL Settings—only available when working with eSafe Web SSL and allows
you to view and edit SSL proxy settings.
• Configuration Wizard—provides access to the eSafe Appliance Setup Wizard.
IP Settings
Depending on the type of eSafe product installed, one or two network interface
cards may exist. You can change the status of a network interface card, define a
new network interface card, define the default gateway, and add a static route.
Bypass is ACTIVE/NOT ACTIVE: This message shows the status of the bypass feature.
Static Routes: Click the Advanced button to view or add static routing
information for the appliance. Add the routing
information below the current table and click Add.
Apply and Restart Networking button: Click the Apply and Restart Networking
button to apply any changes that were made, and restart eSafe
and networking services.
Apply: Click the Apply button to apply any changes that were
made.
Time, Date and Time Zone: Shows the time, date and time zone. Make sure that
these settings are correct.
Password
You can change the admin account password, defined using the eSafe Appliance
Setup Wizard, at any time. You can also enable/disable the root account and
define a password for the account.
The default password for the root account is: kn1TG7psLu. It is recommended to
change the root account password, or disable the root account.
Access Control
The eSafe Appliance communicates with internal and external networks in one of
two ways:
• By accepting connections on all defined IP addresses.
or
• By accepting connections on a specific IP address only.
In addition, you can configure which external IP addresses will be able to
establish a connection with the Appliance.
Log Redirect
eSafe enables sending alerts, via SNMP traps, to SNMP servers. This allows using
third party applications to monitor the eSafe Appliance. All events that are written
to the syslog file (Linux message file), will be sent to the SNMP server.
When SNMP is enabled, you can save and send system logs that are related to
eSafe to the management station, in standard format.
It is also possible to redirect (and copy) syslog files to an alternate server.
Support Menu
The Support menu includes the following options:
• General—enables providing information to eSafe technical support and allows
uploading service packs to the eSafe Appliance machine.
• eSafe Security Center—allows downloading the eSafe Security Center
executable file.
• eSafe on the Web—enables quick access to eSafe-related links on the web.
• Test Connectivity—enables checking the connection between the appliance
and the Internet.
• Help Index—displays links to the help topics.
A description of these options follows.
General
The Support Features page allows creating comprehensive reports that can be
supplied to the eSafe Technical Support department for troubleshooting
purposes.
After setting the required troubleshooting level and allowing eSafe to gather
information, files can be sent to technical support for analysis.
Consult with the eSafe technical support team prior to making any changes to
these parameters.
Create and download eSafe Support Info file: Allows creating files for technical
support. You can either create and save the files, or create the files and
automatically upload them to the eSafe technical support site.
Create and download eSafe Session Log files: Allows collecting session log files.
In the page that appears, you can choose to only collect files, collect and
upload, or clear the log files. It is also possible to
schedule automatic log file collection.
Any changes to the .ini files will only take effect after
restarting eSafe.
Download eSafe Security Center from eSafe Appliance: Allows you to save the
executable file and run it after the download is complete.
Testing Connectivity
This page enables performing the following tests:
• Pinging to an FTP site.
• Checking connectivity with the eSafe site for updates to the add-ons.
• Checking connectivity with the License Center site for add-ons.
• Checking DNS resolving capabilities.
Help Index
The Help option in the Support menu displays the online help table of contents
with links to all help topics. In addition, the help button in the top right-hand
corner of each page provides information about the page you are currently
viewing.
• For eSafe Proxy: Ensure that the eSafe Appliance IP address is the IP
address of the proxy machine, as defined in the client browser settings, and
that a new IP address was assigned to the parent proxy.
• For eSafe ICAP: Ensure that the eSafe Appliance IP address is the IP
address of the ICAP client (proxy machine).
At this point your eSafe Appliance is physically connected to the network with a
default configuration. In order to operate properly, eSafe needs to connect to
various ports and sites. Follow the instructions in the section that follows to
enable connecting to these ports/sites.
The eSafe Security Center is an intuitive management console that allows you to
configure and enforce the corporate content security policy throughout the
network.
eSafe Security Center provides task oriented tools that allow you to monitor
traffic, view reports, fine-tune the organizational security policy, perform product
maintenance, get support, and define access permissions.
Contents:
• Installing the eSafe Security Center
• Logging on to the eSafe Security Center
• The eSafe Security Center Main Window
• Dashboard
• Track & Care
• Policy Settings
• Support
• User Access and Permissions
• Getting Started
• Click on the Download eSafe Security Center link, save the executable file
and run it after the download is complete.
1. In the dialog box that appears, enter the default user name and password:
• Username: admin
• Password: esafe
2. From the Connect to Host drop-down list, select the machine you want to
connect to.
Warning: We recommend that you change the default password as soon as possible.
Tip: Run eSafe with the default settings and test its operation before making changes to
the configuration.
When you log on to an appliance, the first window that appears provides a
graphical presentation of current web traffic statistics. You can use the various
tabs to switch between viewing statistics on web traffic, email traffic, DLP data,
Applications traffic, content, and traffic per protocol. A description of the main
screen follows.
Appliance Tree
The top, left panel of the GUI allows you to define the list
of eSafe appliances that you want to manage.
You can define sites, clusters, groups, and standalone
machines. Both clusters and groups support deploying
configurations to ensure that all machines in the cluster/
group are identical.
The buttons at the top of the tree allow you to:
At the bottom of the panel, you can see details of the selected machine,
including: name, product type, product version, CPU, memory, and expiration
date.
Managing appliances
Managing appliances is done via the right-mouse menu that appears when you
click on an item in the appliance tree. A description of the options in this menu
follows:
• Connect: Connects to the selected appliance.
• Add an eSafe appliance: Allows adding an eSafe appliance to the tree.
• Add an eSafe Cluster: Allows adding an eSafe cluster.
• Add a group of appliances: Allows defining a group to which appliances can be
added.
• Add a new site: Allows defining a new site container.
• Delete eSafe appliance(s): Allows deleting items from the tree.
• Synchronize cluster machine: Synchronizes the configuration between the
appliances in the cluster.
• Synchronize machines: Synchronizes the configuration between the
appliances in the group.
Dashboard
The Dashboard provides an on-the-fly view of the current state of network traffic
including statistics on web traffic usage, email statistics, the status of sessions
that pass through eSafe, and the status and results of files that pass through
eSafe, per protocol.
When viewing the data, you can click on a part of the graph to drill down and see
more information on that specific query.
You can then double click on a log and create a Smart Alert based on that
condition. For more information, see “Smart Alerts” on page 224.
You can switch between the following modes: Web, Mail, Content, and Traffic. A
description of each mode follows.
• Which web applications are being used that expose the network to security
risks.
[Screenshot callout: Allows resetting the traffic statistics.]
4Eye View
The 4Eye principle is applicable per site and can only be defined by an
administrator. When the 4Eye View is enabled at a site, identification data will be
“scrambled” in the logs. In order to view the actual data, a second administrator
or user with viewing permissions must log on with their user name and password.
To enable 4Eye Viewing:
1. In the appliance tree, right-click on a site where you want to enable 4Eye
Viewing.
The 4Eye Login link appears at the top of the window. When viewing logs and
data, all identifying information will be "scrambled", as can be seen below. In
order to view the information regularly, a second user with the necessary
permissions must log in via the 4Eye Login link.
Creating queries
After selecting the report type, you can create a query/queries to view specific
data. Use the options in the drop-down lists to define the conditions for the query.
Then:
• Use the and buttons to add or remove a condition from the query.
Policy Settings
eSafe’s default security policy provides a high level of security that is suited to
most organizations. To get started, you must perform the following actions:
• Define LDAP Settings
• Define alert recipients
• Define warning message and redirect text
• Define internal networks
• Activate the Data Leakage Prevention feature (optional)
• Fine tune the URL Filter settings to suit your organization’s security needs
• Fine tune AppliFilter settings to suit your organization’s security needs
A detailed description of performing these actions follows. In addition, you can
further fine tune the policy in order to align eSafe with your organization’s unique
requirements. Detailed descriptions of the various options available in the Policy
Settings mode are available in Appendix A.
Getting Started
This section provides details for performing various actions that will help get you
started working with eSafe.
Note: The MS ADSI Edit Tool allows you to view and edit Active Directory® directory
service attributes through the Active Directory Services Interfaces (ADSI) protocol. You
can install this tool from the MS support tools CD (\support\tools\supptools.msi). Once
installed, a shortcut is available in the Programs menu. It is also possible to add the ADSI
Edit Tool as a snap-in to the Microsoft Management Console (MMC).
Select server type: Select the type of server you want to connect to.
Backup of: If this is a backup server, select the server for which it
acts as a backup server.
Connection port: The port eSafe uses to connect to the LDAP server
(usually 389).
Intervals for sync: The rate at which eSafe will synchronize itself with the
LDAP server.
The Nodes and Expressions tab allows performing search queries for users,
groups, and hosts when working with Microsoft LDAP servers. When using other
LDAP server types, these values are mandatory for operation.
Nodes allow you to define from which node in the LDAP structure user information
will be extracted.
User root nodes: Defines the distinguished name (DN) of the root from
which user details will be taken. (For example,
CN=Users,DC=esafe5,DC=us).
Group root nodes: Defines the distinguished name (DN) of the root from
which group details will be taken.
(For example, OU=Domain Controllers,DC=esafe5,DC=us).
Host root nodes: Defines the distinguished name of the root from which
host details will be taken.
Expressions allow searching the AD data for specific users, groups, or hosts. The
various search expressions can be used to filter this data in order to restrict the
search results. A simple filter looks like this: (objectClass=person). In this
example, the search query will only return results for entities that have been
specified as 'person'. A description of the expressions and examples of arguments
that can be used follows:
Attributes: Each object in the LDAP/AD server consists of one or more attributes
that are used to uniquely identify this object in the Directory Information Tree.
Each attribute has a value associated with it. Although there are a few standard
attribute-value pairs, different LDAP servers may use different values per
attribute. The following attribute-value pairs can be used to narrow the results
when defining search queries:
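As an added illustration (not part of the eSafe documentation), the following example shows how a root node and a search expression together narrow the result set, and why literal values placed in an expression must be escaped. It implements a small subset of RFC 4515 filter syntax; the directory entries and helper names are constructed, DN handling is simplified (no escaped commas), and matching is case-insensitive as an assumption.

```python
import re

# Root nodes reuse the two example DNs from the text; entries are constructed.
USER_ROOT = "CN=Users,DC=esafe5,DC=us"
DC_ROOT = "OU=Domain Controllers,DC=esafe5,DC=us"
DIRECTORY = [
    ("CN=Jane Doe,CN=Users,DC=esafe5,DC=us",
     {"objectclass": ["top", "person", "user"], "cn": ["Jane Doe"],
      "samaccountname": ["jdoe"]}),
    ("CN=Print (3rd floor),CN=Users,DC=esafe5,DC=us",
     {"objectclass": ["top", "person", "user"], "cn": ["Print (3rd floor)"],
      "samaccountname": ["print3"]}),
    ("CN=Staff,CN=Users,DC=esafe5,DC=us",
     {"objectclass": ["top", "group"], "cn": ["Staff"]}),
    ("CN=DC01,OU=Domain Controllers,DC=esafe5,DC=us",
     {"objectclass": ["top", "person", "user", "computer"], "cn": ["DC01"],
      "samaccountname": ["DC01$"]}),
]


def escape_filter_value(value):
    """Escape a literal so it is safe inside a filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_filter(text):
    """Parse a filter string into a nested tuple tree; raise ValueError if bad."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def _parse(text, pos):
    if pos + 1 >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":                      # composite: (&...), (|...), (!...)
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")" or not children:
            raise ValueError(f"malformed '{op}' filter")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), pos + 1
    end = text.find(")", pos)            # leaf: (attribute=value)
    attr, sep, value = text[pos:end if end != -1 else pos].partition("=")
    if end == -1 or not sep or not attr:
        raise ValueError(f"malformed comparison at offset {pos}")
    return ("=", attr.strip().lower(), value), end + 1


def _value_matches(pattern, candidate):
    """Match one attribute value; '*' is a wildcard, \\xx is a literal byte."""
    def unescape(piece):
        return re.sub(r"\\([0-9a-fA-F]{2})",
                      lambda m: chr(int(m.group(1), 16)), piece)
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, candidate, re.IGNORECASE | re.DOTALL) is not None


def matches(node, attrs):
    if node[0] == "&":
        return all(matches(c, attrs) for c in node[1])
    if node[0] == "|":
        return any(matches(c, attrs) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in attrs.get(attr, []))


def under_root(dn, root):
    """True if dn equals root or sits below it (simplified comma split)."""
    d = [p.strip().lower() for p in dn.split(",")]
    r = [p.strip().lower() for p in root.split(",")]
    return len(d) >= len(r) and d[len(d) - len(r):] == r


def search(entries, root, filter_text):
    """Return the DNs under root whose attributes satisfy the filter."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in entries
            if under_root(dn, root) and matches(tree, attrs)]


if __name__ == "__main__":
    print(search(DIRECTORY, USER_ROOT, "(objectClass=person)"))
    print(search(DIRECTORY, USER_ROOT, "(&(objectClass=person)(sAMAccountName=j*))"))
    # Active Directory computer objects also carry objectClass=person.
    print(search(DIRECTORY, DC_ROOT, "(objectClass=person)"))
    print(search(DIRECTORY, DC_ROOT, "(&(objectClass=person)(!(objectClass=computer)))"))
    print(search(DIRECTORY, USER_ROOT,
                 "(cn=%s)" % escape_filter_value("Print (3rd floor)")))
```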
• The sender email address that will be used by eSafe to send alerts. (This is
also the string that is displayed when connecting to the eSafe SMTP server.)
• The outgoing SMTP mail server address that eSafe will use to send alerts.
3. Next to eSafe sender mail address, enter the address eSafe will use to send
alerts.
4. Next to Outgoing SMTP mail server, click the List link to view the SMTP Mail
Relay page. In this page you must define:
• Host name for HELO command: This defines the host name that will be
used for the HELO command. This string will be used by eSafe for
identification purposes when it communicates with other SMTP servers.
Enter the host name in the text box.
• Outgoing SMTP Mail Relay Server: This setting allows you to define
when to use an outgoing SMTP mail relay server and which outgoing SMTP
mail relay server to use.
From the drop-down list, you can select one of the following options:
• Allow eSafe to send email directly to the Internet: eSafe will not use the
mail relay server and will send the mail directly to the Internet instead.
• Use outgoing SMTP mail relay server, as listed below: eSafe will use one
of the outgoing mail relay servers defined in the list at the bottom of the
page.
• Use outgoing SMTP mail relay server, in case of error sending directly to
Internet: eSafe will only use the outgoing mail relay server if it is unable
to send the mail directly to the Internet.
6. Next to Alert Subject, enter the text you want to appear in the subject of email
alerts, for example: Important eSafe Alert.
• Send email notification when email is blocked: Allows sending a new email
message to recipients to notify them that email destined to them was
blocked by eSafe.
You need to select the warnings that you want eSafe to add to the email
messages and then you can edit the default text if necessary.
2. Select To Senders.
3. Select the check boxes next to the notifications you want eSafe to send.
3. From the drop-down list, you need to define where you want to add the
disclaimer:
4. Click the Define disclaimer message button to edit the default disclaimer
and select the domain for which the disclaimer will apply.
5. From the drop-down list, select the domain for which the disclaimer will apply.
(The domains are defined under Config | Email Settings | SMTP Settings |
SMTP Internal Domains.)
Note that, if you do not define a specific disclaimer per domain, the default
disclaimer will be used.
6. If necessary, edit the default disclaimer message in the HTML Disclaimer or
Text Disclaimer text box.
• In the HTML Disclaimer text box you can type the message as it will appear
if the email notification is sent in HTML format.
• The Convert HTML to Text button allows converting the HTML message
into plain text, and removes any formatting.
3. Select the Redirect users to a predefined URL or HTML page check box to
activate this option.
(Note: If this option is not selected, the session will be blocked and a standard
browser notification will appear.)
• Redirect to a page with the following text: Select this option to redirect
users to an HTML page with the default text defined in the text box. You can
modify this text as you see fit. The default text includes the following
scripts:
<SCRIPT language=JavaScript>document.write(OriginalURL);</SCRIPT>
<SCRIPT language=JavaScript>document.write(BlockCause.substr(10));</SCRIPT>
where:
OriginalURL is the URL of the blocked site.
BlockCause.substr(10) is the reason access to the site was blocked.
The default text displays a page that looks like the example below:
5. Select the Only redirect blocked HTML pages check box if you only want to
redirect blocked HTML pages. (If this option is not selected, users will be
redirected each time any HTTP session is blocked.)
2. Under Exclusion List, click the Add icon to define individual IP addresses or IP
address ranges that will not be inspected by eSafe. All traffic to and/or from
these addresses will be ignored.
3. Under Trusted Subnets, click the Add icon to define subnets that will not be
inspected by eSafe. All traffic between machines in these subnets will be
ignored.
4. Next to Exclude Ports, you can define individual TCP ports or ranges of ports
that will not be inspected by eSafe.
3. Defining DLP Settings: Allows enabling DLP and defining repository settings.
Enabling DLP
DLP Profiles are created by associating DLP policies and network entities. Network
entities define “who” the DLP profiles will apply to. Note that each row in the
Profiles list represents a specific profile.
To define profiles:
1. In the Policy Settings mode, select DLP | DLP Profiles.
2. Click the Add network entity button to view the Network Entities Handler
dialog box.
4. Select the policy from the drop-down list. Under Profile activation status, select
when the policy will be active:
The DLP Policy defines for which file types the policy will be enabled/disabled and
which dictionaries will be used when searching files/traffic for sensitive content.
2. Click the Add policy button to add a new policy. In the dialog box that appears,
enter a name for the policy. Make sure that the policy name does not include
spaces.
4. In the Monitor tab, select the required radio button to set the status of the
policy:
6. Next to Apply to, select the types of traffic to which the policy will apply: Mail,
Web, and/or FTP.
7. Click the Dictionary tab to select the dictionaries eSafe will use when
monitoring files for sensitive content, and the action it will take if the content
matches the dictionary.
8. In the Dictionaries list, select the dictionaries that eSafe will use to monitor
content.
• Report: Logs the event in the eSafe session.log file. (Enabled by default)
• Notify sender: Sends an email alert to the sender in case of email traffic.
If you select this option, you must define the email recipients next to Define
email recipients for forwarded files. When defining multiple recipients, use
CSV format. Note that the recipients are defined per policy.
10. Apply the configuration.
The DLP Settings allow you to define a repository for saving files for future
analysis, and define settings that will be used when eSafe forwards files that
match the DLP policy.
After familiarizing yourself with the default policy, you can proceed to:
• Define customized policies to suit your organization
• Define customized profiles to suit your organization.
After installing the URL Filter add-on, you need to enable the service.
1. In the Policy Settings mode, select the URL tab and then select URL Filter.
2. Select the Enable URL Filter Service check box.
The Profile Settings page allows defining global working days and hours that are
used to define when the profiles will be active, allows ignoring HTTPS traffic, and
allows selecting filters that will block streaming content. Note that these settings
apply to ALL profiles.
4. Select the Ignore URL Filter for all HTTPS traffic check box if you do not
want eSafe to apply policies to HTTPS traffic.
To define profiles:
1. Select URL | URL Filter | Profiles.
[Screenshot callout: Allows defining the priority of the profiles.]
2. Click the Add network entity button to view the Network Entities Handler
dialog box.
3. Select or define the network entities. Click Select. The Change Profile dialog
box appears, prompting you to assign a policy to the network entity.
5. Under Profile activation status, select when the policy will be active:
• Active during working hours: The profile is only active during working
hours. These are defined under the Profile Settings.
The URL Filter Policy defines to which URLs and URL categories access will be
allowed/blocked, which streaming traffic will be allowed/blocked, and which sites
will be gray listed.
Note: The default policy applies to all users that are not assigned a specific profile. This
usually includes the majority of users and as such, it should be as comprehensive as
possible.
To define a URL Filter Policy, define a name for the policy, add a description, and
then define Browsing, Streaming, and Gray List definitions.
To define policies:
1. Select URL | URL Filter | Policies.
2. From the URL Filter Policy drop down list, you can select an existing default
policy and fine-tune the policy, or click the Add new URL Filter Policy button
to add a new policy. If you choose to add a new policy, the New Policy dialog
box appears.
3. Enter a name for the policy. Make sure that the policy name does not include
spaces. Click OK.
4. Next to Description, enter a description of the policy. This will help you
remember what the policy is about, for example: Block access to non-work
related categories.
• Block un-recognized URLs: Blocks access to web sites that are not
categorized.
• Ignore URL Filter for HTTPS traffic: When selected, eSafe will not apply
the policy to HTTPS traffic.
• Under Blocked/Allowed Categories and Blocked/Allowed URLs, define lists
of URLs/URL categories that will be blocked and allowed. These lists will
be specific to the currently selected policy. (When defining the URLs, you
can enter sub-domains.)
• Gray List: Gray lists are an intermediate option between blocking sites and
allowing sites. When users surf to sites that are gray listed, a warning
appears notifying them that the website violates organizational policy;
however, the user is given the choice to continue. If the user chooses to
continue, the website is displayed normally and users can continue viewing
the site for a specific period of time.
When using the Gray List feature, you can define which categories are
considered gray categories, and define specific URLs of hosts that will be
gray listed.
The following options are available:
• Block un-recognized hosts: Blocks access to hosts that are not
categorized.
• Gray Categories and Allowed Gray Categories: Define lists of URL
categories that will be gray listed and allowed.
Note: The "allowed" lists are used when a site has more than one category. In this
case, if one of the categories appears in the allowed list, the site will be allowed. For
example, if “Cinema / Television” is on the gray list, then www.cnn.com will be
blocked since it is categorized as: Cinema / Television, News / Magazines, Search
Engines / Web Catalogues / Portals.
• Gray URLs and Allowed Gray URLs: Define lists of URLs that will be
blocked and allowed. These lists will be specific to the currently selected
policy. (When defining the URLs, you can enter sub-domains.)
6. Apply the configuration.
[Screenshot callouts: Take note of the color of the bullets. See a description above. Click this check box to enable the AppliFilter service.]
In the Users Permissions List, define which users will be allowed to log in to eSafe
Security Center. Each user has a unique user/login name, password, and
permission type.
The following types of permission are available:
• Local Administrator: Provides full access rights.
• URL Filter Manager: Allows managing the URL Filter policies only.
• Viewer only: Provides read only permissions for all screens, without the
ability to apply the configuration or to release quarantined emails.
• Quarantine Help Desk: This is similar to the read only rights, but also
includes the ability to manage the Quarantine folder (delete, send, etc.).
• No Access
• Allow viewing DLP logs
In the IP Address Access List, define IP addresses and ranges from which users
can log in to Security Center.
Support
Support Mode provides tools to perform troubleshooting, allows you to view
information about the eSafe machine, network interfaces, and licensing
information, and provides links to various online resources.
Support Mode includes the following tabs:
• Info
• Licensing
• Troubleshoot
• Resources
A description of the options in each tab follows.
Info
Provides information about the eSafe machine and network interfaces including:
• eSafe version
• Operating system
• Last update
• Virus table & scan engine version
• Currently installed hotfix(es)
• URL filter version
• Last URL filter update
In addition, you can see information about the platform on which eSafe is
installed including:
• Brand
• Model
• CPU
• Memory
• HD
At the bottom of the page, you can see network interface information.
Export information
Print information
Licensing
The first time you start your eSafe software, a 30 day evaluation period begins.
This provides you with enough time to make all necessary changes to your
network, test eSafe operation, and register the product. During the evaluation
period, eSafe is fully functional (including updates).
At the end of this evaluation period, the evaluation license will expire and eSafe
will allow ALL traffic to enter the network without scanning or blocking. To ensure
uninterrupted network protection, you should register the product at the earliest
opportunity.
The Licensing page provides details of all licensed products including when the
license started and expires, and allows you to add licenses. Click the Add license
button if you need to add an additional license.
You will be prompted to enter your name, company name, and the license key
(available from your eSafe reseller or representative).
Note: When entering your details, make sure you do not use special characters in the
company name, for example: &&, $, %, etc.
Troubleshoot
This page provides tools for performing various diagnostic and debugging actions.
Warning: Use the options on this page only in coordination with the eSafe
Support Team.
This page includes the following options:
• Support Troubleshoot Debug: Normally, you do not need to create
troubleshooting files. However, when a problem does occur, you can create
troubleshooting files that will help eSafe's technical support personnel
diagnose the cause of a problem and prepare a timely solution.
This feature is normally disabled because it can slow down network traffic.
To change the debug level, you can select a module and click the right-mouse
button to select the debug level from the options that appear. You can also use
the All high, All low or All off buttons to change the debug level for all
modules.
• Traffic Capture: In cases where the troubleshooting logs are not sufficient for
in-depth analysis, you may be required to capture traffic for a specific period of
time and upload this information to eSafe technical support for further
investigation.
• Tools: eSafe includes the following tools to assist you when working with
the support team, and also to quickly access the eSafe Appliance and Spool
Manager:
• Remote support allows the eSafe support team to connect to the
appliance remotely to perform troubleshooting. A wizard appears and
guides you through this process.
Resources
This page provides links to various resources that will assist you while working
with eSafe.
Attack Intelligence Research Center: Opens the AIRC web page that lists the
latest security threats by level of severity.
This appendix provides a detailed description of the options available in the Policy
Settings mode. The information is provided in an easy to use, reference format,
and mirrors the flow of the screens and options in the eSafe Security Center
graphical user interface.
Contents:
• Config Tab
• Objects Tab
• URL Tab
• APPs Tab
• DLP Tab
• Alerts Tab
• Updates Tab
Config Tab
The Config Tab allows fine-tuning the eSafe configuration by:
• Defining Protocol Rules
• Defining Anti-spam Settings
• Defining Spyware/Adware Protection Settings
• Defining Content Filters
• Fine-tuning the Email rules
• Defining profiles and policies for the URL Filter
• Defining the policy for DLP
• Defining settings for Email
Protocol Rules
Rules allow you to define how eSafe will treat traffic. In this section you will find a
description of the options in the Protocol Rules branch, information on creating
rules, and a list of various issues that you should take into consideration when
defining rules.
For email traffic, you can define profiles and policies, which determine how eSafe
will treat email traffic for various network entities.
Block
The Block branch allows you to enable or disable blocking traffic for the specific
protocol, choose lists that will be used when blocking is enabled, and define how
lists will be used if multiple lists are selected. A different set of block rules can be
defined for FTP and HTTP traffic.
The Block page is divided into the following sections:
Rule: Under Rule, select the block rule from the drop-down menu:
Block traffic that matches: If you choose Block Selectively, you need to define
which list(s) eSafe will use to decide whether to block a file or email. When
you select more than one list, you must also decide how eSafe will use the
lists to block traffic. Under Block traffic that matches, select one of the
following options:
Lists used to apply the rule: When defining the rule, you can define the
following types of lists that determine what eSafe will look for and block in
the traffic:
• Servers
• Workstations
• File Types
Apply blocking rules to traffic being uploaded (FTP & HTTP): This option allows
eSafe to apply the block rules to FTP and HTTP files in the process of being
uploaded.
Scan
Rule: Under Rule, select the scan rule from the drop-down menu:
Scan traffic that matches: If you choose Scan selectively, you need to define
which list(s) eSafe will use to decide whether to scan a file. When you select
more than one list, you must also decide how eSafe will use the lists to scan
traffic. Under Scan traffic that matches, select one of the following options:
Lists used to apply the rule: The List link next to each drop-down list allows
you to review and edit the lists available for the specific rule. The following
lists are available:
• Servers
• Workstations
• File Types
Apply scanning rules to traffic being uploaded (FTP & HTTP): This option allows
eSafe to apply the scan rules to FTP and HTTP files in the process of being
uploaded.
Scan for undesirable keywords (HTTP): When inspecting HTTP traffic, eSafe can
scan the traffic for specific keywords in HTML pages, for all sources, or for
specific servers only. If a listed keyword is found, eSafe will block the page.
Action
eSafe automatically scans all traffic that was not blocked, for vandals/viruses. If a
vandal/virus is detected, eSafe will block the traffic. In addition to blocking
infected traffic, eSafe can also add details of the server from which the infected
traffic originated to the Automatic Servers list for future blocking/scanning. In
future sessions, eSafe will use these lists to scan or block traffic from the listed
servers.
Add EXACT SOURCE to the list of Automatic Servers for BLOCKING: eSafe will
block all future traffic from the exact address from which the infected traffic
originated.
This is the recommended setting. This option protects against a clearly defined
list of sources by adding the exact path to the infected file. This ensures
that no user will succeed in downloading the infected file, since eSafe will
block the session at connection time.
Add ENTIRE SERVER to the list of Automatic Servers for SCANNING: eSafe will
scan all future traffic from the server from which the infected traffic
originated.
This option provides a general level of protection by ensuring that everything
coming from that server is scanned, unless it is already blocked by another
rule. This setting is recommended when there are sources that you cannot afford
to block, even if they may be the source of a virus.
FTP Security
For FTP traffic, eSafe allows preventing resumption of FTP downloads. Resuming
downloads can cause partial download of files or downloads that do not start from
the beginning of the file. eSafe is unable to thoroughly inspect incomplete files
and partially downloaded files for viruses, and therefore enables blocking these
files.
The following options are available:
• Block password protected archives: Blocks all archive files that require a
password for opening. If you do not select this option, password protected
archives are assumed to be safe.
• Activate file-spoof protection: File spoofing is a common technique used to
disguise Trojans. eSafe is able to validate the file's bit structure against a list of
valid file types and their extensions. If the bit structure DOES NOT correspond
with one of the extensions in the list, the file is considered as “spoofed” and
will either be blocked or scanned for malicious content (the default action is
“scan”).
• Prevent FTP download resume: Resuming downloads can cause partial
download of files or downloads that do not start from the beginning of the file.
eSafe is unable to thoroughly inspect incomplete files and partially downloaded
files for viruses.
HTTP Security
For HTTP traffic, eSafe allows you to enable the following options:
• Block password protected archives: Blocks all archive files that require a
password for opening. If you do not select this option, password protected
archives are assumed to be safe.
• File Type Spoofing: File spoofing is a common technique used to disguise
Trojans. eSafe is able to validate the file's bit structure against a list of valid file
types and their extensions. If the bit structure DOES NOT correspond with one
of the extensions in the list, the file is considered as “spoofed” and will either
be blocked or scanned for malicious content (the default action is “scan”).
• Prevent HTTP download resume: Resuming downloads can cause partial
download of files or downloads that do not start from the beginning of the file.
eSafe is unable to thoroughly inspect incomplete files and partially downloaded
files for viruses.
• Prevent HTTP content disposition: Content Disposition means that a server
can send a command to the system, telling it to use another program to open
downloaded files. Using this option will prevent servers from changing the type
of application that will be used to open downloaded files. Usually, file types are
associated with a specific application, for example, .doc files are handled by
MS Word.
• Prevent HTTP data compression: Prevent sending HTTP data in GZIP
compressed form. Such data cannot be correctly inspected by eSafe. (This
option is enabled by default.)
Note: This is different from downloading compressed ZIP files, which are
allowed.
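The file-spoof check described in the FTP Security and HTTP Security lists above compares a file's leading bytes with what its extension claims. The following is an added illustration, not eSafe's own code: the signature table, the function names and the handling of extensions outside the table are assumptions made for the example.

```python
import os

# Constructed signature table (extension -> accepted leading bytes). These are
# widely documented magic numbers; a product list would be much longer.
SIGNATURES = {
    ".exe": [b"MZ"],
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],                        # OOXML files are ZIP containers
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE2 compound file
}


def content_types(head):
    """Return the listed extensions whose signature matches the first bytes."""
    return sorted(ext for ext, sigs in SIGNATURES.items()
                  if any(head.startswith(sig) for sig in sigs))


def check_spoof(filename, head, on_spoof="scan"):
    """Return (verdict, reason); verdict is 'allow', 'scan' or 'block'.

    on_spoof mirrors the manual: a spoofed file is either scanned or blocked,
    and the default action is scan.
    """
    if on_spoof not in ("scan", "block"):
        raise ValueError("on_spoof must be 'scan' or 'block'")
    ext = os.path.splitext(filename.lower())[1]
    looks_like = content_types(head)
    if ext in SIGNATURES:
        if ext in looks_like:
            return ("allow", f"content matches {ext}")
        actual = ", ".join(looks_like) or "unrecognized content"
        return (on_spoof, f"{ext} extension but content is {actual}")
    if looks_like:
        # Assumption for this example: an extension outside the table that
        # hides a listed type (an executable renamed to .txt) counts as spoofed.
        return (on_spoof, f"{ext or 'no'} extension hides {', '.join(looks_like)}")
    return ("allow", "extension and content both outside the list")


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of the transfer).
    samples = [
        ("report.pdf", b"%PDF-1.7\n"),
        ("holiday.jpg", b"MZ\x90\x00"),
        ("notes.txt", b"MZ\x90\x00"),
        ("letter.docx", b"PK\x03\x04\x14\x00"),
    ]
    for name, head in samples:
        print(name, check_spoof(name, head))
```

Container formats share signatures (a .docx starts like a .zip), so the table maps one signature to several extensions rather than assuming a one-to-one match.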
SMTP Profiles
SMTP Policies
Policy name: Allows entering a name for a new policy. (Note that the
policy name cannot include spaces.)
The Network Entities Handler displays user and group information taken from the
organizational LDAP server. You can use this information “as is” to create profiles,
or define new network entities manually.
Note: When defining users, you will be prompted to enter the user’s password and email
address.
1. Click the relevant tab to define a new entity. Depending on the type of entity
you are defining, you should either:
• Enter the entity details (for example: IP address, IP address range).
Or,
• In the specific Name text box, enter a name for the network entity (for
example: group, user, VLAN, host, domain).
Note: You can also use the button to import predefined lists of users/
groups. The entries in the list must be separated by a “|”. For example,
(<username>|<password>|<email>). When adding more than one email
address, use a semi-colon to separate the addresses.
2. Click the Add! button to add the entity. (When defining users, you will be
prompted to enter the user’s password and email address.)
3. Select the entity and click Select. The Change Profile dialog box appears.
4. From the drop-down list select the URL filter policy that you want to associate
with the selected network entity. You can choose a manually defined policy, or
select one of the predefined policies:
• Active during working hours: The profile is only active during working
hours. These are defined under the Profile Settings.
Action
SMTP Security
Block incoming email from external senders: Allows defining a list of senders
from which email will be blocked.
Do not scan email from external senders: Allows defining a list of senders from
which email will be allowed, without scanning.
Block non-existent email recipient according to LDAP/AD server: Allows blocking
email to internal recipients that are not listed in the organization's LDAP
server. Internal domains or specific recipients that are not listed at the LDAP
server should be excluded in the list below, to prevent eSafe from blocking
email to these recipients/domains.
Block invalid SMTP email address: Allows blocking email messages that contain
invalid characters in the email address (such as @@) which are often used in
exploits and relays.
Max. emails in spool: Defines the maximum number of email messages that are
allowed in the spool at any time.
Max. recipients per email: Lets you limit the number of recipients (incoming
and outgoing mail) to a reasonable number. The use of email with a large number
of recipients is a common bombing technique that leverages your SMTP server to
multiply the volume that it handles by the number of recipients in each email.
Max. message size (KB): Defines the maximum size of a message that can be
received. eSafe will block email that exceeds the size defined. If the value is
zero, the anti-bombing option ignores this parameter.
POP3 Security
Scan traffic from specific POP3 servers: Allows scanning traffic from specific
POP3 servers.
Do not allow POP3 log-in using AUTH command without user name: This option
enforces protocol compliance and blocks POP3 users that log in using the AUTH
command without a user name.
Anti-spam
There are several techniques to fight spam; none can completely eliminate spam
without blocking any legitimate email as well. However, using a combination of
techniques, spam can be reduced to the lowest possible minimum and yet not
block legitimate email.
eSafe includes various features that enable blocking spam from entering your
organization. Two types of anti-spam services are available: the Basic Anti-spam
Service and the Advanced Anti-spam Service.
Basic Anti-spam Service
This service is installed with eSafe and is available to all users. The basic anti-
spam service allows checking email for spam by verifying the email header,
checking the validity of the mail server and checking the validity of the sender/
server at the DNS.
The Basic Anti-spam Service includes the following options:
• Email Header Verification
• Mail Server Validation (RBL)
• DNS Lookup
Search email headers according to drop-down list: Select which lists eSafe will
use when checking the email headers. You can select one of the following
options:
List link: Allows you to define the Restricted and Trusted lists. eSafe
provides default lists of strings that are associated with spam email. You can
modify these lists by using the Add, Edit and Delete buttons.
Check if mail server is in RBL for INCOMING email: eSafe checks if the mail
server used to send incoming email appears in an RBL.
Check if mail server is in RBL for OUTGOING email: eSafe checks if the mail
server used to send outgoing email appears in an RBL. (This option is
especially useful to Internet service providers that want to ensure that their
service users are not known spammers.)
List link: Click the List link to view the list of RBL servers that eSafe uses
when checking the validity of the mail server, and the necessary response.
Choose action: Under Choose action, you can select the action eSafe will
perform if it discovers that the sending server is blacklisted:
Check mail server IP address: Under Check mail server IP address, you can
define when eSafe will check the RBL server validity:
DNS Lookup
Server Validation
Select the action you want eSafe to perform if it finds that the mail server or
sender domain is not registered at the DNS:
• Block email: eSafe will block the entire email.
• Add tag to email subject: eSafe will add text to the email subject notifying
the recipient that the email was detected as spam. You can change the default
text as necessary.
• Drop email detected as spam: Allows dropping email that is considered
spam. Dropped email will not enter the eSafe quarantine folder and the user
will not see dropped spam emails in the Quarantine report.
Sender Validation
Select the action you want eSafe to perform if it finds that the mail server or
sender domain is not registered at the DNS:
• Block email: eSafe will block the entire email.
• Add tag to email subject: eSafe will add text to the email subject notifying
the recipient that the email was detected as spam. You can change the default
text as necessary.
• Drop email detected as spam: Allows dropping email that is considered
spam. Dropped email will not enter the eSafe quarantine folder and the user
will not see dropped spam emails in the Quarantine report.
Anti-spam Configuration
• Flow control: eSafe searches for identical email messages over a specific
time frame. Email messages which appear multiple times during this period
but originate from different sources are noted, and if the number of
occurrences exceeds a predefined threshold value, the email is blocked as
spam.
• URL categories: eSafe searches for URL links in email messages and checks
which category the URL belongs to. Click the List link to define which
categories you want to block, and which specific URLs you want to block or
allow (unblock).
• Known spam URLs: eSafe identifies links to web sites known to belong to
spammers.
Honey Pot
You can also choose the action eSafe will perform when it detects one of the
honey pot addresses in incoming email:
• Block spam email: Blocks the entire email as spam.
• Add tag to spam email subject: Adds a tag to the subject of the email
message and allows the email message to continue to the intended recipient.
• Drop email detected as spam: Allows dropping email that is considered
spam. Dropped email will not enter the eSafe quarantine folder and the user
will not see dropped spam emails in the Quarantine report.
Exclusion Lists
A detailed description of the options available for each type of list follows.
• Under Spam exclusion lists defined manually by administrator, you can
manually define lists of email addresses/mail server addresses that will
determine what eSafe checks for spam. Select a combination of the following
options:
• Exclude specified email addresses from spam check: Allows defining a list of
source and/or destination email addresses that eSafe will not check for
spam. Click on the List link to define a list of email addresses.
• Exclude specified mail servers from RBL & Server DNS validation check:
Allows defining a list of mail servers that eSafe will not validate at the RBL
and DNS servers. All traffic from these servers will not be checked for spam.
Click on the List link to define a list of mail servers.
• Exclude email with specified keywords from spam check: Allows defining a
list of keywords that, if found in email, will prevent the message from being
classified as spam. Click on the List link to define a list of keywords.
addresses) in email that is sent from within the organization to the outside.
This is based on the fact that it is unlikely that internal network users will
send email to spam addresses, and therefore these addresses can be
assumed as non-spammers. Click on the List link to view and edit the
automatically generated list of recipient addresses.
• Do not auto learn addresses of email with specific keywords in subject: This
option is only available if the Auto learn outgoing email recipient address
and exclude from checking option, above, was selected. It allows defining
keywords that, if found in outgoing email, will exclude/prevent learning of
the recipient address (see previous bullet). Click on the List link to define
the list of keywords.
Click on the List link to view or edit the list of email addresses.
Spyware/Adware Protection
In this page you can define which spyware/adware and other malicious objects
eSafe will block or strip. If necessary, you can exclude specific VIP servers/
workstations from spyware/adware checking. VIPs are excluded under the HTTP
scan and block rules.
Click the List link to view and edit the list of Restricted
and Trusted ActiveX objects.
Content Filters
eSafe allows blocking traffic according to specific content filters, or stripping
items that are considered suspicious.
The real threats posed by web browsing are malicious active code, spyware and
exploits embedded in the HTTP protocol and HTML content, which try to
automatically install themselves or run on a user's machine. eSafe not only
inspects downloadable files, but also provides full inspection of HTML content as
well as scanning of all image files for known JPG and BMP format exploits.
When inspecting SMTP/POP3 traffic using the Content Filters, eSafe is able to
either block traffic, or strip the malicious content from the email file and allow the
modified file to continue to the intended recipient.
Content filters can be protocol specific, or may apply to all protocols — you should
review the various content filters and decide which features you want to activate.
The following Content Filters are available:
• Active Content and Cookies
• SmartScript™ Filters
• Archives
• MS Office Files
• File Type Spoofing
• XploitStopper™
• Email Security
• Phishing Prevention
• Kaspersky Anti-Malware
Active Content: Under Active Content, select the check boxes of the
objects you wish to allow or strip:
Java Applets: Under Java Applets, you can enable the following
option:
SmartScript™ Filters
Strip forbidden functions: Strips only the forbidden functions or those scripts
that contain forbidden functions. When selecting this option, you can edit the
list of Forbidden Functions at the bottom of the page.
Archives
Max. levels text box: Enter the maximum number of levels eSafe will open to
scan for vandals and viruses in the archive file.
If last level contains an archive file: Define what to do with the archive once
this limit is reached. Select one of the following options:
• Allow: eSafe will allow these files without scanning.
• Block: eSafe will block any archive file that exceeds the size limit.
Max. archive size text box: Enter the maximum size of archive files that eSafe
will scan.
If archive file exceeds maximum size: Select the action eSafe will take if an
archive file exceeds this limit. Select one of the following options:
• Allow: eSafe will allow these files without scanning. This option is based on
the assumption that, since malicious code is characterized by small file
sizes, it is highly unlikely that an exceptionally large sized archive file
will contain malicious code.
Block corrupted and unknown archives: Allows blocking archive files that are
corrupted and/or have an unknown file type.
Block dangerous file extensions: eSafe will block dangerous files inside
archive files. Define which file extensions will be considered dangerous. You
can enter specific extensions separated with a comma, without wildcards. The
file will be blocked if the extension is found inside the archives.
MS Office Files
MS Office Documents
eSafe can inspect MS Office files for all sources or based on Restricted/Trusted
sources.
The MS Office Documents page consists of the following options:
Sources for which eSafe will check MS Office Files: Select for which sources
eSafe will check for malicious content and embedded files in MS Office
documents:
List Link: Click the List link and then select a protocol when
prompted to do so. You can then define the Trusted and
Restricted lists.
Malicious Content: Select the action eSafe will perform when it discovers
macros in MS Office files:
Embedded Files: Select the action eSafe will perform if it discovers macros
in MS Office files:
Dangerous file extensions: eSafe will strip dangerous files inside Office 2007
documents. Define which files will be considered dangerous. When defining this
list, you can enter the extensions in the following format: .xls, xls, *.xls.
You can separate a list of extensions with a comma, and use the * wildcard.
• Your name
• Your initials
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments.
In order to scan the archive files, eSafe must decompress all archive layers to
ensure that none of the archived files contain malicious code. Decompressing
multi-level and/or large archive files consumes time, CPU, and memory, and may
significantly deplete resources, even leading to DoS. For this reason eSafe
allows limiting the number of layers and the size of archive files that will be
decompressed.
When eSafe reaches the maximum level/file size, you can decide how it will treat
the archive file: allow or block.
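The level and size limits described above can be seen at work in the following added sketch, which is not eSafe's code. It walks nested ZIP archives in memory and stops at a configurable depth and at a decompressed-byte budget shared by all levels. Treating the maximum size as a decompression budget, the function names and the extension list are assumptions for the example.

```python
import io
import os
import zipfile
import zlib

DANGEROUS_EXT = {".exe", ".scr", ".vbs"}   # constructed example list


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_archive(data, max_levels=3, max_bytes=1_000_000,
                    on_level_limit="block", on_size_limit="block"):
    """Return (verdict, reason): 'clean', 'allow' (passed unscanned) or 'block'."""
    budget = [max_bytes]   # decompressed bytes still allowed, shared by all levels
    return walk(data, 1, max_levels, budget, on_level_limit, on_size_limit)


def walk(data, level, max_levels, budget, on_level_limit, on_size_limit):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ("block", "corrupted or unknown archive")
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:   # bit 0 of the flags: member is encrypted
                return ("block", f"password protected member: {info.filename}")
            if os.path.splitext(info.filename.lower())[1] in DANGEROUS_EXT:
                return ("block", f"dangerous extension: {info.filename}")
            # Check the declared size before decompressing a single byte.
            if info.file_size > budget[0]:
                return (on_size_limit, f"size limit exceeded at {info.filename}")
            try:
                with zf.open(info) as member:
                    # Bounded read: never inflate more than the remaining budget.
                    payload = member.read(budget[0])
            except (zipfile.BadZipFile, zlib.error, NotImplementedError):
                return ("block", f"corrupted member: {info.filename}")
            budget[0] -= len(payload)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                if level >= max_levels:
                    return (on_level_limit, f"archive found below level {max_levels}")
                verdict = walk(payload, level + 1, max_levels, budget,
                               on_level_limit, on_size_limit)
                if verdict[0] != "clean":
                    return verdict
            # A real gateway would hand `payload` to its virus scanner here.
    return ("clean", "every member decompressed within limits")


if __name__ == "__main__":
    nested = make_zip({"a.txt": b"hi"})
    for _ in range(3):                       # four archive levels in total
        nested = make_zip({"inner.zip": nested})
    print(inspect_archive(nested, max_levels=3))
    print(inspect_archive(make_zip({"zeros.bin": b"\0" * 2_000_000})))
```

Setting either limit action to "allow" reproduces the manual's Allow option: the file passes without being scanned, which is why the sketch reports it separately from "clean".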
The Office 2007 Documents page consists of the following options:
Max. levels text box: Enter the maximum number of levels eSafe will open to
scan for vandals and viruses.
If last level contains an archive file: Define what to do with the archive once
this limit is reached. Select one of the following options:
• Allow: eSafe will allow these files without scanning.
Max. archive size text box: Enter the maximum size of archive files that eSafe
will scan.
If archive file exceeds maximum size: Select the action eSafe will take if an
archive file exceeds this limit. Select one of the following options:
• Allow: eSafe will allow these files without scanning. This option is based on
the assumption that, since malicious code is characterized by small file
sizes, it is highly unlikely that an exceptionally large sized archive file
will contain malicious code.
Block suspicious password protected archives: Blocks archive files that are
suspected to contain viruses. (This option is enabled by default.)
Block corrupted and unknown archives: Allows blocking archive files that are
corrupted and/or have an unknown file type.
Block dangerous file extensions: eSafe will strip dangerous files inside Office
2007 documents. Define which files will be considered dangerous.
XploitStopper™
Content Exploits
It is also possible to view a comprehensive list of the current threats and virus
alerts via eSafe's AIRC website: http://www.aladdin.com/airc/valerts.aspx. The
AIRC team constantly updates eSafe’s databases to enable up-to-date protection
against the latest security threats.
Warning: Before changing the default settings, make sure that this is absolutely necessary.
Block web pages containing known HTML exploits: The following options are
available from the drop-down list:
• All sources: Blocks HTML pages containing known HTML exploits for all
sources.
Block email containing known HTML exploits: The following options are available
from the drop-down list:
• All sources: Blocks HTML email containing known HTML exploits for all
sources.
List link: Click the List link to define lists of restricted or trusted
servers. When prompted, select the protocol for which
you want to define the sources.
HTTP Exploits
Non-ASCII characters in URLs: The RFC standard for URLs only allows valid ASCII
characters. The presence of non-ASCII characters in URLs can lead to security
hole exploits or indicate malicious intent.
Email Exploits
Block email containing iframe/frame HTML tags: The drop down list includes the
following options:
• Do not block: eSafe will not block email containing iframe/frame HTML tags.
(Not recommended.)
Action if email contains IMG exploits: The drop down list includes the
following options:
• No action: eSafe will not take any action if it encounters email containing
image exploits.
• Strip all IMG tags: eSafe will strip all IMG tags in email containing image
exploits. The modified email will be allowed to continue to the intended
recipient.
Block email with an invalid MAIL FROM: SMTP command: During the inspection
process, eSafe checks the “From” address in the email body to ensure that the
address does not contain malicious code. eSafe also checks the size of the
“From” address to ensure that it does not contain malicious code that can
generate a buffer overrun exploit.
Block known email MIME exploits: This vulnerability exploits a security hole
that allows a mismatched MIME attachment that is combined with an IFRAME tag,
to automatically execute any malicious code upon message viewing.
Email Security
Phishing
eSafe employs various methods to combat phishing. You can choose which items
you want eSafe to search for in email messages and define the action eSafe will
take if it detects these items.
Choose which items you want eSafe to search for in email messages to prevent
phishing. The following options are available:
Check for spoofed URLs: Identifies URLs that show a discrepancy between what is
displayed and the actual action or destination of the URL the recipient clicks
on.
Check for FORM HTML tags: Searches for tags in email where clicking a link in
the email results in submission of information.
Check for mapped IMG links: Searches for hyperlinks that are activated when
recipients move their mouse cursor over different parts of an embedded image.
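The three phishing checks listed above can be expressed as one pass over an email's HTML body. The following is an added sketch, not eSafe's detection logic: the class and function names, the host-matching rule and the sample message are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host name inside visible link text, with or without a scheme in front.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def same_site(shown, real):
    """True when the real host is the shown host or one of its sub-domains."""
    if shown.startswith("www."):
        shown = shown[4:]
    if real.startswith("www."):
        real = real[4:]
    return real == shown or real.endswith("." + shown)


class PhishingScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []       # list of (kind, detail)
        self.link_href = None    # href of the <a> currently open, if any
        self.link_text = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.link_href, self.link_text = attr["href"], []
        elif tag == "form":
            self.findings.append(("form", attr.get("action") or "(no action)"))
        elif tag == "img" and (attr.get("usemap") or "ismap" in attr):
            self.findings.append(("mapped_img", attr.get("src") or "(no src)"))

    def handle_data(self, data):
        if self.link_href is not None:
            self.link_text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.link_href is None:
            return
        shown = "".join(self.link_text).strip()
        match = HOST_IN_TEXT.search(shown)
        try:
            real = (urlsplit(self.link_href).hostname or "").lower()
        except ValueError:       # malformed href, e.g. an unterminated IPv6 literal
            real = ""
        # Spoofed URL: the text displays one host, the link goes to another.
        if match and real and not same_site(match.group(1).lower(), real):
            self.findings.append(("spoofed_url", f"{shown} -> {self.link_href}"))
        self.link_href = None


def scan_email_html(body):
    """Return the findings for one HTML body, in document order."""
    scanner = PhishingScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample message using reserved example domains and addresses.
SAMPLE = """<html><body>
<p>Your account is locked. Sign in at
<a href="http://203.0.113.7/login">https://www.bank.example/login</a></p>
<a href="https://www.bank.example/help">www.bank.example</a>
<a href="https://news.example.org/">Click here</a>
<form action="http://203.0.113.7/collect"><input name="pin"></form>
<img src="banner.png" usemap="#m">
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_email_html(SAMPLE):
        print(kind, detail)
```

Link text without a host name ("Click here") is not flagged by the spoofed-URL check, since there is no displayed destination to compare against.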
Kaspersky Anti-Malware
Select the check box to enable use of the Kaspersky Anti-Malware engine.
Email
This branch allows settings for inspection of email traffic. The following actions
are available:
• Warning Messages - allows defining a warning message that can be added to
incoming/outgoing email.
• Email Quarantine - allows defining conditions for quarantining email due to
spam or viruses, and defining Quarantine Report settings.
• Inspection Rules - allows enabling/disabling inspection of SMTP and POP3
email.
• Email Redirection - Allows redirecting email based on the email address or
domain, and allows sending a copy of email to another mailbox (for example,
for archiving purposes).
• SMTP Settings - allows enabling email inspection, defining the SMTP mail
relay, internal domains, and allows redirecting email to an alternate address.
Warning Messages
Define disclaimer message button: Allows you to edit the default disclaimer and
select the domain for which the disclaimer will apply.
Email Quarantine
• For spam:
Virus/Spam Report
Define quarantine report machines: Defines the settings for the end user
quarantine report that will be sent to users based on the schedule. This report
provides users with the ability to view and manage their quarantined email if
they have the necessary permissions.
Do not learn from requests submitted by specific users: Allows ignoring
requests from specific users. To define the list of users whose requests will
be ignored, click the List link.
Send released & learned email information to the Internet data center: Allows
sending email information to the data center used by eSafe’s anti-spam module
in order to update the global lists.
Inspection Rules
Email redirection
This page allows redirecting or copying email, based on the email address or
domain, and allows sending a copy of email to another mailbox. This option is
useful for archiving purposes.
• Click on the Add new redirect rule button to view the following options:
• Enable email redirect/copy checkbox: Enables use of the email
redirect/copy feature.
• Define entity: Allows you to define for which network entity (email
address, domain user, full domain) email will be redirected/copied. Select
one of the following options:
• Full address
• Any domain user
• Domain
• In the text box that appears, enter the entity details.
• When entity is sender: Select this option to redirect/copy outgoing email
from the specified network entity. Select the Redirect or Copy radio button
to define whether to redirect or copy the email. In the text box, enter the
location to which email will be copied/redirected.
SMTP Settings
To allow proper sending and receiving of email from/to external addresses, you
need to define the following information:
• The host name to be used for the HELO command
• The outgoing SMTP mail relay server
• The domains for which eSafe is allowed to receive email
When eSafe is installed with Mail capabilities it uses this server in order to inspect
SMTP traffic. You can define the following settings in this page:
• Host name for HELO command defines the host name that will be used for
the HELO command. This string will be used by eSafe for identification
purposes when it communicates with other SMTP servers. Enter the host name
in the text box.
• Outgoing SMTP Mail Relay Server settings allows you to define when to use
an outgoing SMTP mail relay server and which outgoing SMTP mail relay server
to use.
From the drop-down list, you can select one of the following options:
• Allow eSafe to send email directly to the Internet: eSafe will not use the
mail relay server and will send the mail directly to the Internet instead.
• Use outgoing SMTP mail relay server, as listed below: eSafe will use one of
the outgoing mail relay servers defined in the list at the bottom of the page.
• Use outgoing SMTP mail relay server, in case of error sending directly to
Internet: eSafe will only use the outgoing mail relay server if it is unable to
send the mail directly to the Internet.
• When defining the list of mail relay servers you can add, edit, and delete
items from the list. It is also possible to import an external list of items into
the list or export the list to an external file. The items in the list that will
be imported must be separated by a comma or by using <Enter>.
• The UP and DOWN arrows allow you to determine the order in which eSafe
will use the outgoing mail relay servers. This means that if the first server is
unavailable, eSafe will use the next server in the list.
You must define all the domain names in your organization and the IP addresses
of the internal mail servers associated with these domains. This list will also be
used by eSafe to identify internal and external mail servers.
You can also define the mail server’s SMTP port (default = 25) and a
backup/alternative mail server that can be used if the first server does not answer.
When eSafe receives email, it uses the destination domain to identify the
direction of email. If the destination appears in the list of domains, the email is
internal. If the destination does not appear in the list, the email is external.
Click the Add icon to add an internal domain name and the internal SMTP mail
server IP.
NitroInspection Configuration
eSafe allows defining specific IP addresses, ranges of networks, and ports for
which traffic will NOT be inspected.
2. Under Exclusion List, click the Add icon to define individual IP addresses or IP
address ranges that will not be inspected by eSafe. All traffic to and/or from
these addresses will be ignored.
3. Under Trusted Subnets, click the Add icon to define subnets that will not be
inspected by eSafe. All traffic between machines in these subnets will be
ignored.
4. Next to Exclude Ports, you can define individual TCP ports or ranges of ports
that will not be inspected by eSafe.
LDAP configuration
When working with an LDAP server, you must define various settings to enable
eSafe to communicate with the LDAP server.
Select a server from the LDAP servers drop down list or click the Add LDAP
server button to add a server, and then define the following information:
• Basic Settings
• Nodes and Expressions
• Attributes
Basic Settings
Define the following basic settings to get started working with the LDAP server:
Select server type: Select the type of server you want to connect to.
Backup of: If this is a backup server, select the server for which it
acts as a backup server.
Connection port: The port eSafe uses to connect to the LDAP server
(usually 389).
User name (DN): The name used to log into the LDAP/AD server. The
format is a full LDAP Distinguished Name (DN), for
example: CN=username,CN=users,dc=domain,dc=com
Intervals for sync: The rate at which eSafe will synchronize itself with the
LDAP server.
Use defaults: Click this button to return the LDAP configuration to the
default settings.
This page allows you to define parameters that will assist you in extracting LDAP
information.
Nodes
Nodes allow you to define from which node in the LDAP structure user information
will be extracted.
User root nodes: Defines the distinguished name of the root node from
which user details will be taken.
Group root nodes: Defines the distinguished name of the root node from
which group details will be taken.
Host root nodes: Defines the distinguished name of the root node from
which host details will be taken.
Expressions
Expressions allow searching the AD data for specific users, groups, or hosts. The
various search expressions can be used to filter this data in order to restrict the
search results. A simple filter looks like this: (objectClass=person). In this
example, the search query will only return results for entities that have been
specified as 'person'. A description of the expressions and examples of arguments
that can be used follows:
• Users search expression: Allows searching for specific users. For example:
(&(|(objectClass=person)(objectClass=contact)(objectClass=organizationalPerson))(!(objectClass=computer)))
• Groups search expression: Allows searching for specific groups. For
example: (objectClass=group)
• Hosts search expression: Allows searching for specific hosts. For example:
(objectClass=computer)
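The following added example (not part of the eSafe documentation or product code) parses the three search expressions above and evaluates them against constructed directory entries. It shows why the users expression carries the (!(objectClass=computer)) clause: in Active Directory a computer account also carries the person and organizationalPerson object classes, so (objectClass=person) alone would return workstations as users. The entry names and the helper functions are assumptions made for the illustration.

```python
# Added example: evaluate the page's LDAP search expressions offline.

def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, children)
    else:
        end = s.find(")", i)
        item = s[i:end] if end != -1 else ""
        attr, sep, value = item.partition("=")
        if not sep or not attr.strip() or "(" in item:
            raise ValueError(f"malformed attribute test at offset {i}")
        node = ("=", attr.strip().lower(), value.strip().lower())
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse_filter(text):
    """Parse a whole filter string; reject unbalanced or trailing text."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after the closing parenthesis")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-cased keys and values)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value in entry.get(attr, [])

def search(expression, entries):
    """Return the 'name' of every entry that the expression selects."""
    tree = parse_filter(expression)
    hits = []
    for e in entries:
        norm = {k.lower(): [v.lower() for v in vals] for k, vals in e.items()}
        if matches(tree, norm):
            hits.append(e["name"][0])
    return hits

# Expressions exactly as given in the text above.
USERS_EXPR = ("(&(|(objectClass=person)(objectClass=contact)"
              "(objectClass=organizationalPerson))(!(objectClass=computer)))")
GROUPS_EXPR = "(objectClass=group)"
HOSTS_EXPR = "(objectClass=computer)"

# Constructed sample entries; object classes follow the AD class hierarchy.
DIRECTORY = [
    {"name": ["alice"], "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"name": ["WS-0142$"], "objectClass": ["top", "person", "organizationalPerson",
                                           "user", "computer"]},
    {"name": ["vendor-contact"], "objectClass": ["top", "person",
                                                 "organizationalPerson", "contact"]},
    {"name": ["Finance"], "objectClass": ["top", "group"]},
]

if __name__ == "__main__":
    for label, expr in (("users", USERS_EXPR), ("groups", GROUPS_EXPR),
                        ("hosts", HOSTS_EXPR), ("person only", "(objectClass=person)")):
        print(f"{label:12} -> {search(expr, DIRECTORY)}")
```

An expression that loses a parenthesis when it is copied from wrapped text fails in parse_filter with a ValueError, which makes a quick check before pasting it into the configuration page.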
Attributes
Each object in the LDAP/AD server consists of one or more attributes that are
used to uniquely identify this object in the Directory Information Tree. Each
attribute has a value associated with it. Although there are a few standard
attribute-value pairs, different LDAP servers may use different values per
attribute.
The following attribute-value pairs can be used to narrow the results when
defining search queries:
• Account name attribute: saMAccountName
• Display name attribute: name
• Mail alias attribute: proxyAddresses
• Primary mail alias attribute: mail
Objects Tab
The Objects Tab allows you to manage various objects that are used when
configuring eSafe. This is where you are most likely to make changes as part of
normal system maintenance.
The objects consist of various lists. eSafe allows you to maintain separate lists for
HTTP/FTP and SMTP/POP3 traffic. The lists are also accessible via the List links
that appear in the various protocol rules pages. The lists are divided into separate
lists for Restricted and Trusted definitions. You should define and keep all lists up
to date. This enables you the flexibility to fine-tune your blocking and scanning
policies, and easily change the security vs. performance trade-off at any time.
The following options are available:
• FTP and HTTP
• SMTP and POP3
• Known Vandal File Names
• Files for Blocking
These lists enable you to define lists that eSafe will use when scanning FTP and
HTTP traffic. You can define the following types of lists:
VIP Servers/Workstations: This list contains workstations and servers that you
can exempt from FTP/HTTP Block and Scan rules. This feature allows you to
maximize security for the organization as a whole and selectively remove
restrictions for those users that require access to specific sites, file types,
etc. that are otherwise blocked or scanned.
Automatic Servers: The Automatic Servers list contains lists of servers from
which viruses/vandals originate. The servers are added to the list
automatically, provided that this was the action defined when eSafe detects a
virus/vandal. The Automatic Servers list is limited to 100 servers based on a
first in, first out policy.
To add to the list, click the Add icon and enter the IP
address, an IP range, or the name of the workstation.
• The Trusted List restricts all file types not listed. You
should make this list as extensive as possible.
• To add to the list, click the Add icon and select from
the list of MIME types. If the file type is not listed,
select Enter unlisted file type and enter the MIME type
and extension.
HTML Keywords: eSafe can scan HTML pages for specific keywords and block pages
that contain these words. You can use Trusted and Restricted lists to scan for
keywords according to the source of the HTML file.
SMTP Senders for Blocking: This list allows you to define SMTP senders from
which email will be blocked. You can also use the * wildcard and import a
predefined list of senders.
To add to the list, click the Add icon and enter the email address.
Keywords in Incoming Email: These lists let you filter out spam and other
undesirable email that contains keywords not usually found in legitimate
incoming email. Two separate lists are used for inspecting the body and the
subject line of email.
Keywords in Outgoing Email: These lists let you filter outgoing email for
undesirable text. Two separate lists are used for inspecting the body and the
subject line of email.
You can only delete items from the Known Vandal File Names list, using the icon.
If you want to block a specific file, you can add this file to the Files for Blocking
list.
(Note that eSafe automatically adds file names to the Known Vandal File Names
list.)
To add to the list, click the Add button to add a file name. When defining the file
names, you can use the * wildcard.
URL Filter
URL Tab | URL Filter
This feature is only available to licensed users of the URL Filter database.
eSafe’s URL Filtering option allows controlling access to web pages by using
profiles to define which users can access which pages, and when these pages can
be accessed.
If Updates | Update Add-ons daily is selected when you update, the contents
of the URL filters are updated.
The URL Filter branch consists of the following options:
• Profiles
• Policies
• Profile Settings
A description of these options follows.
Profiles
URL Tab | URL Filter | Profiles
A profile is created by associating URL Filter Policies and network entities.
Network entities define “who” the URL Filter Profiles will apply to:
• Users imported from an LDAP server
• Local, predefined users (using the eSafe Client Agent). It is also possible to
import a list of predefined eSafe users.
• Groups of workstations based on the IP address, an IP address range,
hostname, or VLAN.
Note that each row in the Profiles list represents a specific profile.
In this page, you can click the Add network entity button to display the
Network Entities Handler.
The Network Entities Handler displays user and group information taken from the
network’s LDAP server. You can use this information to define new network
entities e.g. groups or IP address ranges.
Depending on the type of entity you are defining, you should either:
• Enter the entity details (for example: IP address, IP address range).
Or,
• In the specific Name text box, enter a name for the network entity (for
example: group, user, VLAN, host, domain).
After selecting the network entities, you will be prompted to select the policy for
the network entity:
Select policy drop-down list: Select the policy from the drop-down list.
Profile activation status: Allows you to select when the profile will be active:
• Not active: The profile is not enabled.
Policies
URL Tab | URL Filter | Policies
The URL Filter Policy defines the organization's policy regarding browsing,
streaming traffic, and allows defining gray lists:
• Browsing: Defines to which websites users can browse, based on lists of
URLs/URL categories that will be blocked and allowed.
• Streaming: Allows you to define your organization's policy regarding
streaming traffic.
• Gray List: Gray lists are an intermediate option between blocking sites and
allowing sites. When users surf to sites that are gray listed, a warning appears
notifying them that the website violates organizational policy, however the
user is given the choice to continue. If the user chooses to continue the
website is displayed normally and users can continue viewing the site for a
Note: The default policy applies to all users that are not assigned a specific
profile. This usually includes the majority of users and as such, it should be as
comprehensive as possible.
Browsing
A description of the Browsing tab follows.
URL Filter Policy drop down list: Lists all the existing policies. Click the Add
new URL Filter Policy button to add a new policy. In the dialog box that
appears, enter a name for the policy. Make sure that the policy name does not
include spaces.
Block unrecognized URLs: Blocks access to web sites that are not categorized.
Ignore URL Filter for HTTPS traffic: When selected, eSafe will not apply the
policy to HTTPS traffic.
Blocked URLs: Allows you to define specific URLs that will be blocked. You can
enter the domain/subdomain (path) and define specific file types that will be
blocked for that domain.
Streaming
This tab allows you to define your organization's policy regarding streaming
traffic.
Allow all streaming: Blocks access to hosts that are not categorized.
Gray Lists
A description of the Gray List tab follows.
Gray Categories and Allowed Gray Categories: Define lists of URL categories that
will be gray listed and allowed.
Gray URLs and Allowed Gray URLs: Define lists of URLs that will be gray listed
and allowed.
Note: The "allowed" lists are used when a site has more than one category. In this case, if
one of the categories appears in the allowed list, the site will be allowed.
For example: If “Cinema / Television” is on the gray list, then www.cnn.com will be
blocked since it is categorized as: Cinema / Television, News / Magazines, Search Engines
/ Web Catalogues / Portals.
Gray URLs and Allowed Gray URLs: Define lists of URLs that will be blocked and allowed.
These lists will be specific to the currently selected policy. (When defining the URLs, you
can enter sub-domains.)
Profile Settings
URL Tab | URL Filter | Profile Settings
The Profile Settings page allows defining global working days and hours that are
used to define when the profiles will be active. Note that these settings apply to
ALL profiles.
Select working days: Select those days considered working days, and then set the
morning and afternoon working hours.
Ignore policies for all encrypted traffic: When selected, eSafe will not apply
policies to encrypted traffic.
AppliFilter
APPs Tab | AppliFilter
AppliFilter is an add-on service that requires a separate license. After installation,
the service is fully functional for a 30 day evaluation period after which a
permanent license should be used. AppliFilter™ technology allows realtime
filtering of malicious Internet content as it enters the network. AppliFilter
examines traffic, analyzes the content, and blocks traffic that is deemed
malicious, inappropriate, or otherwise restricted.
Operate in Warning Mode: Allows eSafe to identify application level threats and
log these events in the eSafe Report, without blocking the traffic. (Based on
these logs, you can decide which communication to actually block.) When you
select this check box, all the filters will automatically operate in warning
mode for all application families.
You can then activate each application filter per family or individually. It is also
possible to “turn-off” the warning mode option for each application
family/individual filter. For each application family, the following options are
available:
Activate Filter (Entire family): Select this option to activate/clear all the
filters for the specific family of filters.
Take note that the color of the bullets next to the application name represents the
status of the filter:
DLP
DLP Tab | DLP
eSafe allows protecting information assets and preventing data leakage by
monitoring the contents of outgoing traffic. You can define a policy for monitoring
outgoing content that includes:
• Defining Settings: Allows enabling DLP and defining repository settings.
• Defining Profiles: WHO will be associated with WHICH policy.
• Defining Policies: Which file types will be monitored.
DLP Settings
Enable DLP check box: Select this check box to enable the DLP feature.
Enable repository: Allows you to save the files locally for future analysis.
When the information is requested, the actual file will be opened from the
repository.
DLP Profiles
Add network entity button: This button allows adding a network entity via the
Network Entities Handler dialog box.
After selecting or defining the network entities, the Change Profile dialog box
appears, prompting you to assign a policy to the network entity.
Select policy: Select the policy from the drop-down list that will apply
to the network entities you defined.
Profile activation status: Allows you to select when the policy will be active:
• Not active: The profile is not enabled.
DLP Policies
Monitor:
Policy name drop down list: Lists all the existing policies. Click the Add new
policy button to add a new policy. In the dialog box that appears, enter a name
for the policy. Make sure that the policy name does not include spaces.
Radio buttons: The following radio buttons allow you to set the status of the
policy:
List of extensions: Allows selecting for which files and extensions the policy
will apply.
Apply to: Select the check box(es) to define for which types of
traffic the policy will apply.
Dictionaries:
Select the dictionaries eSafe will use when monitoring files for sensitive content,
and the action it will take if the content matches the dictionary.
Alerts Tab
The Alerts Tab provides various options that allow you to fine-tune how eSafe will
send alerts.
You can define the following:
• AppliFilter/Virus Warning Message
• URL Filter Warning Message
• Gray List Warning
• Miscellaneous Parameters
• Smart Alerts
Miscellaneous Parameters
This branch contains a variety of additional parameters that enable defining
report file properties, email parameters, and other alert-related settings.
Smart Alerts
Smart Alerts allow you to fine tune alert generation by defining specific conditions
for generating alerts. This is based on event analysis and allows generation of
alerts due to recurring events.
To define Smart Alerts:
There are two ways to define Smart Alerts:
• Via the Smart Alerts option in the Alerts tab: Click the Add alert button to
define alert details, thresholds, and the notification method.
• Via the "Dashboard" and "Track & Care" modes: When viewing reports in
Track & Care mode, or when drilling down to view logs in Dashboard mode,
you can double click on a log/event in order to view the Smart Alerts dialog
box, and define an alert based on that log/event.
Note: When defining system alerts, you can use the * wildcard option to send alerts for all
modules and actions.
• For which module you want to get an alert (e.g. anti-spam engine)
Note: The options available in the Module and Action drop-down lists depend on
the Severity setting, therefore various combinations are available.
• Thresholds: Define after how many occurrences the alert will be generated.
• Select the Enabled check box to enable use of the threshold.
• Define the maximum number of alerts that will be sent per hour or per day.
• Method: Allows you to select the alert method: email, SNMP, or Syslog. A
combination of methods can be used. If Email is selected, you must define the
email address of the alert recipient. (You can use a comma separated list to
add more than one recipient.)
Updates Tab
The eSafe update mechanism compares the relevant eSafe files with the latest
eSafe files on the Internet. The update mechanism then downloads the relevant
package needed to bring your eSafe machine up to date and installs the files.
• Software Upgrades
• Update daily at: Allows selecting the time at which the update will occur.
• eSafe auto-update interval: Defines the interval at which eSafe will check
for updates. If you want to update immediately, you can click Update Now at
any time. Allows you to decide at what time of the day the add-on (anti-spam,
URL filtering) components will be updated with the latest relevant information.
• Service Pack: Hotfixes/service packs are provided to specific clients who have
reported the issue involved. Hotfixes/service packs must only be downloaded
after obtaining permission to do so from eSafe Technical Support. Enter the
hotfix/service pack number in this field and then click Update Now to apply.
• The files included in the zip file depend on the type of product installed.
2. Click the Create and download eSafe Appliance Configuration backup file
option.
3. Define the location to which you want to download the backup file.