Configuring Connection Settings Parent topic

To enable the scanner to receive messages, configure the connection settings.

Procedure

  1. Go to AdministrationIMSVA ConfigurationConnections.
    The Components tab appears by default.
  2. Under Settings for All Policy Services, configure the following:
    • Protocol: Select the type of protocol the scanner uses to communicate with the policy service (HTTP or HTTPS).
    • Keep-alive: Select the check box to enhance policy retrieval by maintaining a constantly active connection between the scanner and policy services.
    • Maximum number of backlogged requests: Specify a number that represents the maximum number of requests IMSVA will preserve until it can process them later.
  3. Click Save.

About LDAP Settings Parent topic

Configure LDAP settings for user-group definition, administrator privileges, or end-user quarantine authentication.
Configure multiple and mixed type LDAP servers from the AdministrationIMSVA ConfigurationConnections | LDAP screen. You cannot configure more than one LDAP server from the Configuration Wizard.
If more than one LDAP server is used, IMSVA synchronizes the account information from the LDAP servers to the IMSVA local cache. The time required for synchronization between the servers depends on the number of accounts on your LDAP servers. When synchronization completes, the time and date appear in the Last Synchronized column. IMSVA automatically synchronizes the accounts daily. You can manually trigger synchronization by clicking Save & Synchronize.
Note
Note
If you configure only one LDAP server, IMSVA directly queries data from the remote LDAP server. If you have multiple LDAP servers configured, IMSVA synchronizes all data from the remote LDAP servers to the local OpenLDAP server. In this case, the LDAP settings cannot support End-User Quarantine authentication, and performance issues may occur during data synchronization when there is a large number of LDAP servers.
Therefore, Trend Micro recommends you configure no more than 5 LDAP servers. If you want to configure more than 5 LDAP servers, use unified directory services such as Global Catalog to manage queries so that IMSVA does not need to synchronize data to the local server.
If more than one LDAP server is enabled, End-User Quarantine using LDAP authentication and EUQ single sign-on cannot be enabled.
If the LDAP settings on the AdministrationConnectionsLDAP screen are not configured, the following LDAP related features will not work:
  • PolicyInternal Addresses[Search for LDAP groups]
  • Policy[any rule][Sender to Recipient][Search for LDAP user and groups]
  • AdministrationEnd-User QuarantineUser Quarantine Access[Select LDAP groups to enable access]
  • AdministrationAdmin AccountsAdd[LDAP authentication]

LDAP Server Types Parent topic

LDAP Server Types

LDAP Server
LDAP Admin Account (examples)
Base Distinguished Name (examples)
Authentication Method
Active Directory
Without Kerberos: user1@domain.com (UPN) or domain\user1
With Kerberos: user1@domain.com
dc=domain, dc=com
Simple
Advanced (with Kerberos)
Active Directory Global Catalog
Without Kerberos: user1@domain.com (UPN) or domain\user1
With Kerberos: user1@domain.com
dc=domain, dc=com
dc=domain1,dc=com (if mutiple unique domains exist)
Simple
Advanced (with Kerberos)
OpenLDAP
cn=manager, dc=test1, dc=com
dc=test1, dc=com
Simple
Lotus Domino
user1/domain
Not applicable
Simple
Sun iPlanet Directory
uid=user1, ou=people, dc=domain, dc=com
dc=domain, dc=com
Simple

Adding LDAP Servers Parent topic

Procedure

  1. Go to one of the following to access the LDAP tab:
    • AdministrationIMSVA ConfigurationConnections | LDAP
    • AdministrationIMSVA ConfigurationConfiguration Wizard | Step 6: LDAP Settings
  2. Click Add.
    The LDAP Settings screen appears.
  3. Specify a meaningful description for the LDAP server.
  4. Next to LDAP server type, select the type of LDAP servers on your network:
    • Domino
    • Microsoft Active Directory
    • Microsoft AD Global Catalog
    • OpenLDAP
    • Sun iPlanet Directory
  5. Next to Enable LDAP 1, select the check box.
  6. Next to LDAP server, specify the server name or IP address.
  7. Next to Listening port number, specify the port number that the LDAP server uses to listen to access requests.
  8. Configure the settings under LDAP 2 if necessary.
  9. Under LDAP cache expiration for policy services and EUQ services, specify the Time to live in minutes.
    Time To Live: Determines how long IMSVA retains the LDAP query results in the cache. Specifying a longer duration enhances LDAP query during policy execution. However, the policy server will be less responsive to changes in the LDAP server. A shorter duration means that IMSVA has to perform the LDAP query more often, thus reducing performance.
  10. Under LDAP admin, specify the administrator account, the corresponding password and the base distinguished name.
    Refer to LDAP Server Types for assistance.
  11. Select an authentication method:
    • Simple
    • Advanced: Uses Kerberos authentication for Active Directory. Configure the following:
      • Kerberos authentication default realm: Default Kerberos realm for the client. For Active Directory use, the Windows domain name must be upper case (Kerberos is case-sensitive).
      • Default domain: The Internet domain name equivalent to the realm.
      • KDC and admin server: Hostname or IP address of the Key Distribution Center for this realm. For Active Directory, it is usually the domain controller.
      • KDC port number: The associated port number.
  12. Select the Enable encrypted communication between IMSVA and LDAP check box and click Browse to upload a CA certificate file to verify the certificate used by the LDAP server.
  13. Click Add.
    If you are using the Configuration Wizard, click Next.
    Note
    Note
    Only Active Directory and Active Directory Global Catalog support Kerberos Authentication.
  14. Under LDAP Email Address Attribute, select the LDAP attribute from which IMSVA retrieves user email addresses.
    • mail: This is the default LDAP attribute that stores email addresses.
    • proxyAddresses: This is the recommended attribute to choose if you use Microsoft Exchange Server.
    • Other attribute: Specify an LDAP attribute that stores email addresses.
  15. Click Save & Synchronize.

Enabling and Disabling LDAP Servers Parent topic

LDAP servers can be enabled or disabled depending on the requirements for your network.

Procedure

  1. Go to AdministrationIMSVA ConfigurationConnectionsLDAP to access the LDAP tab.
  2. Click a server that you want to enable or disable in the LDAP server table.
    The LDAP Settings screen appears.
  3. Under LDAP server type, select or clear the Enable LDAP 1 and Enable LDAP 2 check boxes to enable or disable the LDAP server.
    Note
    Note
    LDAP 1 and LDAP 2 refers to backup servers for each other. If you select only one check box, the LDAP server status is enabled, but its backup server is not enabled.
  4. Click Save.

Configuring POP3 Settings Parent topic

In addition to SMTP traffic, IMSVA can scan POP3 messages at the gateway as your clients retrieve them.
Tip
Tip
To use the POP3 message filter, enable Accept POP3 connection from System Status screen. This option is not selected by default.

Procedure

  1. Go to AdministrationIMSVA ConfigurationConnections.
    The Components tab displays by default.
  2. Click the POP3 tab.
  3. To configure a connection from unknown POP3 servers on the Internet, specify the port number IMSVA uses for incoming POP3 connections under Generic POP3 Connection.
  4. To configure connections from specific POP3 servers, do the following:
    1. Click Add under Dedicated POP3 Connections.
      The Dedicated POP3 Connection window appears.
    2. Specify the port IMSVA uses for incoming POP3 connections, the POP3 server IP address, and the POP3 server port number.
    3. Click OK.
    4. To modify an existing connection, click the connection name.
  5. Under Message Text, modify the message that IMSVA sends to users if messages that they are trying to receive trigger a filter and are quarantined or deleted.
  6. Click Save.
    Note
    Note
    The incoming port on your scanners must be idle or the IMSVA daemon might not function properly.

Configuring POP3 Generic Services Parent topic

For a generic POP3 service, the POP3 client logs on using the USER command and specifies the actual POP3 server and optional port number along with the user's name using the UserServerSeparator character to separate the values.
Example 1: To connect user "User1" to server "Server1", and the UserServerSeparator character is "#", the client issues the following USER command:
USER User1#Server1
Example 2: To connect to port 2000 on Server1, the following command is used:
USER User1#Server1#2000
Note
Note
If you do not specify a port number, IMSVA uses the default value of 110.
The following example shows how to configure generic POP3 settings for Outlook:

Procedure

  1. Specify the POP3 server address with IMSVA scanner IP 192.168.11.147.
  2. Specify user name test123#192.168.11.252.
  3. Set POP3 port to 110.

Configuring POP3 Dedicated Services Parent topic

For a POP3 dedicated service, the POP3 service always connects to a specific POP3 server. IMSVA uses this service for a POP3 logon and for any type of logon using the AUTH command. For this service, a separate port on the proxy has to be set up for each specific POP3 server that any client might want to connect.
The following example shows how to configure dedicated POP3 settings in Microsoft Outlook:

Procedure

  1. Specify the POP3 server address with IMSVA scanner IP 192.168.11.147.
  2. Specify user name test123.
  3. Set the POP3 port to 1100, which is the port that the IMSVA dedicated POP3 service is listening on.

Configuring Database Settings Parent topic

Configure the database connection settings so IMSVA can save messages and data.

Procedure

  1. Go to AdministrationIMSVA ConfigurationConnections.
    The Components tab displays by default.
  2. Click the Database tab.
    The IMSVA admin database type, server IP address, port number, user name and database name appear at the top of the table.
    Note
    Note
    If you want to change the password for the admin database, run the following script:
    /opt/trend/imss/script/dbupdate.sh setpw newPassword
  3. Under EUQ Database, perform operations to manage EUQ databases as required.
    Note
    Note
    For detailed operations, see Managing EUQ Databases.

Configuring TMCM Settings Parent topic

To use Trend Micro Control Manager (TMCM) to manage IMSVA, enable the Control Manager/MCP agent on the IMSVA server and configure Control Manager server settings. If a proxy server is between the Control Manager server and IMSVA, configure proxy settings. If a firewall is between the Control Manager server and IMSVA, configure port forwarding to work with the firewall's port-forwarding functionality.
Note
Note
For additional information about Control Manager, see the Control Manager documentation.

Procedure

  1. Go to AdministrationIMSVA ConfigurationConnections.
    The Components tab displays by default.
  2. Click the TMCM Server tab.
  3. Under TMCM Server Settings, specify the following parameters:
    Option Description
    Enable MCP Agent
    Select the check box to enable the agent.
    Server
    Specify the Control Manager IP address or FQDN.
    Communication protocol
    Select HTTP or HTTPS and specify the corresponding port number. The default port number for HTTP access is 80, and the default port number for HTTPS is 443.
    Web server authentication
    Specify the credentials to access the Control Manager web server.
  4. Under Proxy Settings, specify the following parameters:
    Option Description
    Enable proxy
    Select the check box to enable the proxy server.
    Proxy type
    Select the protocol that the proxy server uses: HTTP, SOCKS4, or SOCKS5.
    Proxy server
    Specify the proxy server FQDN or IP address, port number, and the user name and password.
    Port
    Specify the port for the proxy server.
    User name
    Specify the user name to access the proxy server.
    Password
    Specify the password for the user name.
  5. Under Suspicious Object List Settings, do the following:
    • If you want IMSVA to detect suspicious files, select the Suspicious file list check box and specify the interval to synchronize the suspicious file list from Control Manager. The default synchronization interval is 5 minutes, and the minimum interval is 1 minute.
    • If you want IMSVA to detect suspicious URLs, select the Suspicious URL list check box.
      Note
      Note
      IMSVA detects suspicious URLs based on Web Reputation Services available through Smart Protection Servers. Make sure you have properly configured Web Reputation settings and Smart Protection Servers.
  6. Click Save.
    If you are using the Configuration Wizard, click Next.
    If you enabled the agent, it will soon register to the Control Manager server. If you disabled the agent, IMSVA will soon log off from the Control Manager server. Verify the change on the Control Manager management console.
    Note
    Note
    In addition, make sure that your Control Manager version is 6.0 SP3 Patch 1 or later and the Smart Protection Server version is 3.0 Patch 1 or later.

Providing IMSVA Logon Credentials in Control Manager Parent topic

To make your settings effective, provide your IMSVA logon credentials for authentication on the Control Manager management console.

Procedure

  1. Log on to the Control Manager management console.
  2. Go to AdministrationManager Servers.
  3. Next to Server Type, select InterScan Messaging Security Virtual Appliance.
  4. Find your IMSVA server and click the Edit icon in the Actions column.
    The Edit Server screen appears.
  5. Under Authentication, provide your IMSVA logon credentials.
    Note
    Note
    Trend Micro recommends that you create a separate administrator account other than the default "admin" account for Control Manager to manage IMSVA. The account is required for authentication on the Control Manager management console.
  6. Click Save.

Unregistering from Control Manager Parent topic

Procedure

  1. Go to AdministrationIMSVA ConfigurationConnections.
    The Components tab displays by default.
  2. Click the TMCM Server tab.
  3. Click the Un-register All Agents button.

Configuring NTP Settings Parent topic

The Network Time Protocol (NTP) synchronizes the clocks of computer systems across the Internet. To synchronize the computer clock of an IMSVA device with the clock of an NTP server, configure the NTP setting.

Procedure

  1. Go to AdministrationIMSVA ConfigurationConnections.
    The Components tab displays by default.
  2. Click the NTP Setting tab.
  3. Select the Enable NTP check box.
  4. Specify the domain name or IP address of the NTP server.
  5. Click Save.

Configuring Child IP Settings Parent topic

Devices in the Child IP address list can access each other for internal communications in a group. Add all IP addresses of child devices in the current group to this list before you register these child devices to the parent.

Procedure

  1. Go to AdministrationIMSVA ConfigurationConnections.
    The Components tab displays by default.
  2. Click the Child IP tab.
  3. Under Add IP Address, specify the child device IP address.
  4. Click >>.
    The address appears in the table.
  5. Click Save.