Step 4: Enabling End-User Access Parent topic

Enable end user access to allow the users to access quarantined spam items that IMSVA might have misidentified as spam. The clients use LDAP authentication to access the IMSVA EUQ service.
Note
Note
To allow users to manage messages on the EUQ management console, add their individual and distribution list email addresses to the list of users on your LDAP server.

Procedure

  1. Navigate to AdministrationEnd-User Quarantine.
    The End-User Quarantine screen appears.
  2. Click the User Quarantine Access tab.
  3. Select Enable access.
  4. Select Enable management of distribution list EUQ to allow users to manage the EUQ of distribution lists that they belong to.
  5. Select Allow end user to deliver quarantined mail in EUQ directly to allow end users to deliver quarantined messages directly to the recipient. The message bypasses all rules except virus scanning rules.
  6. Select Allow end users to retrieve quarantined email messages with alias email addresses to allow end users to retrieve quarantined messages using alias email addresses configured in Microsoft Exchange.
  7. Select Control the "auto-add" approved sender behavior when an end user reprocesses a message and select a value from the drop-down list.
  8. Select Enable NTLM to allow end users single sign-on access the EUQ management console using the NTLM authentication protocol.
  9. To enable Kerberos single sign-on:
    1. Select Enable Kerberos to allow end users single sign-on access to the EUQ management console using Kerberos authentication protocol.
    2. Create a new user account in your domain for the host on which IMSVA is installed.
    3. On the Active Directory domain controller, use the following command to generate a keytab file for IMSVA:
      C:\>ktpass.exe -out filename -princ HTTP/instance@REALM -mapuser account -ptype KRB5_NT_PRINCIPAL -pass password
      Where:
      filename is where the generated keytab file will be stored. For example, C:\test.keytab.
      instance is the hostname of the computer where IMSVA is installed. For example, imsva.test.com.
      REALM is the uppercase name of the realm you want to authenticate with, normally the same with the domain name on DNS server. For example, TEST.COM.
      account is the account created for IMSVA. For example, user@test.com.
      password is the password of the account.
    4. Click Browse… to locate the generated keytab file.
    5. Click Upload to upload the keytab file to IMSVA.
      If ktpass.exe is not found, you can install support tools using the Windows server installation CD/DVD or download the file from the Microsoft website.
      If Kerberos single sign-on is enabled, use the hostname for IMSVA when accessing the EUQ management console.
  10. Select the number of days to keep quarantined spam.
  11. Select the maximum number of approved senders for each end-user.
  12. Specify a logon page message that appears on the user's browser when he/she starts to access the quarantined messages.
  13. Under Select LDAP groups, select the check box next to Enable all to allow all LDAP group users to access quarantined spam.
  14. To add individual LDAP groups, clear the Enable all check box and do either of the following:
    • Search for groups:
      1. From the drop-down list, select Search LDAP groups.
      2. Specify the group name.
      3. Click Search. The groups appear in the table below.
      4. Click the LDAP groups to add.
      5. Click >>. The groups appear in the Selected Groups table.
    • Browse existing groups:
      1. From the drop-down list, select Browse LDAP groups. The groups appear in the table below.
      2. Click the LDAP groups to add.
      3. Click >>. The groups appear in the Selected Groups table.
  15. Click Save.