Procedure

1. Navigate to Administration → End-User Quarantine.
   The End-User Quarantine screen appears.
2. Click the User Quarantine Access tab.
   The User Quarantine Access screen appears.
3. Select Enable access.
4. Select Enable management of distribution list EUQ to allow users to manage the EUQ of distribution lists that they belong to.
5. Select Allow end user to deliver quarantined mail in EUQ directly to allow end users to deliver quarantined messages directly to the recipient. The message bypasses all rules except virus scanning rules.
6. Select Allow end users to retrieve quarantined email messages with alias email addresses to allow end users to retrieve quarantined messages using alias email addresses configured in Microsoft Exchange.
7. Select Control the "auto add" approved Sender behavior when an end user reprocesses a message to allow or prevent end users from adding a sender automatically when a message is being processed.
8. Select Enable NTLM to allow end users single sign-on access the EUQ management console using the NTLM authentication protocol.
9. To enable Kerberos single sign-on:
   1. Select Enable Kerberos to allow end users single sign-on access the EUQ management console using Kerberos authentication protocol.
   2. Create a new user account in your domain for the host on which IMSVA is installed.
   3. On the Active Directory domain controller, use the following command to generate a keytab file for IMSVA:
      C:\>ktpass.exe -out filename -princ HTTP/instance@REALM -mapuser account -ptype KRB5_NT_PRINCIPAL -pass password

      Where:

      filename is where the generated keytab file will be stored. For example, C:\test.keytab.

      instance is the hostname of the computer where IMSVA is installed. For example, imsva.test.com.

      REALM is the uppercase name of the realm you want to authenticate with, normally the same with the domain name on DNS server. For example, TEST.COM.

      account is the account created for IMSVA. For example, user@test.com.

      password is the password of the account.
   4. Click Browse… to locate the generated keytab file.
   5. Click Upload to upload the keytab file to IMSVA.

   Note If ktpass.exe is not found, you can install support tools using the Windows server installation CD/DVD or download the file from the Microsoft website. If Kerberos single sign-on is enabled, use the hostname for IMSVA when accessing the EUQ management console.

10. Select the number of days to keep quarantined spam messages.
11. Select the maximum number of senders each end-user can approve when sifting through the quarantined messages.
12. Specify a logon page message that appears on the user's browser when he/she starts to access the quarantined messages.
13. Under Select LDAP groups, select the check box next to Enable all to allow all LDAP group users to access quarantined spam.
14. To add individual LDAP groups, clear the Enable all check box and do either of the following:
    • Search for groups:
      1. From the drop-down list, select Search LDAP groups.
      2. Specify the group name.
      3. Click Search. The groups appear in the table below.
      4. Click the LDAP groups to add.
      5. Click >>. The groups appear in the Selected Groups table.
    • Browse existing groups:
      1. From the drop-down list, select Browse LDAP groups. The groups appear in the table below.
      2. Click the LDAP groups to add.
      3. Click >>. The groups appear in the Selected Groups table.
15. Click Save.