Configuring Connection Settings

To enable the scanner to receive messages, configure the connection settings.

Procedure

Go to Administration → IMSVA Configuration → Connections.

The Components tab appears by default.
Under Settings for All Policy Services, configure the following:
- Protocol: Select the type of protocol the scanner uses to communicate with the policy service (HTTP or HTTPS).
- Keep-alive: Select the check box to enhance policy retrieval by maintaining a constantly active connection between the scanner and policy services.
- Maximum number of backlogged requests: Specify a number that represents the maximum number of requests IMSVA will preserve until it can process them later.
Click Save.

About LDAP Settings

Configure LDAP settings for user-group definition, administrator privileges, or end-user quarantine authentication.

Configure multiple and mixed type LDAP servers from the Administration → IMSVA Configuration → Connections | LDAP screen. You cannot configure more than one LDAP server from the Configuration Wizard.

If more than one LDAP server is used, IMSVA synchronizes the account information from the LDAP servers to the IMSVA local cache. The time required for synchronization between the servers depends on the number of accounts on your LDAP servers. When synchronization completes, the time and date appear in the Last Synchronized column. IMSVA automatically synchronizes the accounts daily. You can manually trigger synchronization by clicking Save & Synchronize.

Note

If more than one LDAP server is enabled, End-User Quarantine using LDAP authentication and EUQ single sign-on cannot be enabled.

If the LDAP settings on the Administration → Connections → LDAP screen are not configured, the following LDAP related features will not work:

Policy → Internal Addresses → [Search for LDAP groups]
Policy → [any rule] → [Sender to Recipient] → [Search for LDAP user and groups]
Administration → End-User Quarantine → User Quarantine Access → [Select LDAP groups to enable access]
Administration → Admin Accounts → Add → [LDAP authentication]

LDAP Server Types

LDAP Server	LDAP Admin Account (examples)	Base Distinguished Name (examples)	Authentication Method
Active Directory	Without Kerberos: user1@domain.com (UPN) or domain\user1 With Kerberos: user1@domain.com	dc=domain, dc=com	Simple Advanced (with Kerberos)
Active Directory Global Catalog	Without Kerberos: user1@domain.com (UPN) or domain\user1 With Kerberos: user1@domain.com	dc=domain, dc=com dc=domain1,dc=com (if mutiple unique domains exist)	Simple Advanced (with Kerberos)
OpenLDAP	cn=manager, dc=test1, dc=com	dc=test1, dc=com	Simple
Lotus Domino	user1/domain	Not applicable	Simple
Sun iPlanet Directory	uid=user1, ou=people, dc=domain, dc=com	dc=domain, dc=com	Simple

Adding LDAP Servers

Procedure

Go to one of the following to access the LDAP tab:
- Administration → IMSVA Configuration → Connections | LDAP
- Administration → IMSVA Configuration → Configuration Wizard | Step 6: LDAP Settings
Click Add.

The LDAP Settings screen appears.
Specify a meaningful description for the LDAP server.
Next to LDAP server type, select the type of LDAP servers on your network:
- Domino
- Microsoft Active Directory
- Microsoft AD Global Catalog
- OpenLDAP
- Sun iPlanet Directory
Next to Enable LDAP 1, select the check box.
Next to LDAP server, specify the server name or IP address.
Next to Listening port number, specify the port number that the LDAP server uses to listen to access requests.
Configure the settings under LDAP 2 if necessary.
Under LDAP cache expiration for policy services and EUQ services, specify the Time to live in minutes.

Time To Live: Determines how long IMSVA retains the LDAP query results in the cache. Specifying a longer duration enhances LDAP query during policy execution. However, the policy server will be less responsive to changes in the LDAP server. A shorter duration means that IMSVA has to perform the LDAP query more often, thus reducing performance.
Under LDAP admin, specify the administrator account, the corresponding password and the base distinguished name.

Refer to LDAP Server Types for assistance.
Select an authentication method:
- Simple
- Advanced: Uses Kerberos authentication for Active Directory. Configure the following:
  - Kerberos authentication default realm: Default Kerberos realm for the client. For Active Directory use, the Windows domain name must be upper case (Kerberos is case-sensitive).
  - Default domain: The Internet domain name equivalent to the realm.
  - KDC and admin server: Hostname or IP address of the Key Distribution Center for this realm. For Active Directory, it is usually the domain controller.
  - KDC port number: The associated port number.
Select the Enable encrypted communication between IMSVA and LDAP check box and click Browse to upload a CA certificate file to verify the certificate used by the LDAP server.

Click Add.

If you are using the Configuration Wizard, click Next.

Note

Only Active Directory and Active Directory Global Catalog support Kerberos Authentication.

Under LDAP Email Address Attribute, select the LDAP attribute from which IMSVA retrieves user email addresses.
- mail: This is the default LDAP attribute that stores email addresses.
- proxyAddresses: This is the recommended attribute to choose if you use Microsoft Exchange Server.
- Other attribute: Specify an LDAP attribute that stores email addresses.
Click Save & Synchronize.

Enabling and Disabling LDAP Servers

LDAP servers can be enabled or disabled depending on the requirements for your network.

Procedure

Go to Administration → IMSVA Configuration → Connections → LDAP to access the LDAP tab.
Click a server that you want to enable or disable in the LDAP server table.

The LDAP Settings screen appears.

Under LDAP server type, select or clear the Enable LDAP 1 and Enable LDAP 2 check boxes to enable or disable the LDAP server.

Note

LDAP 1 and LDAP 2 refers to backup servers for each other. If you select only one check box, the LDAP server status is enabled, but its backup server is not enabled.

Click Save.

Configuring POP3 Settings

In addition to SMTP traffic, IMSVA can scan POP3 messages at the gateway as your clients retrieve them.

Tip

To use the POP3 message filter, enable Accept POP3 connection from System Status screen. This option is not selected by default.

Procedure

Go to Administration → IMSVA Configuration → Connections.

The Components tab displays by default.
Click the POP3 tab.
To configure a connection from unknown POP3 servers on the Internet, specify the port number IMSVA uses for incoming POP3 connections under Generic POP3 Connection.
To configure connections from specific POP3 servers, do the following:
1. Click Add under Dedicated POP3 Connections.
  
  The Dedicated POP3 Connection window appears.
2. Specify the port IMSVA uses for incoming POP3 connections, the POP3 server IP address, and the POP3 server port number.
3. Click OK.
4. To modify an existing connection, click the connection name.
Under Message Text, modify the message that IMSVA sends to users if messages that they are trying to receive trigger a filter and are quarantined or deleted.

Click Save.

Note

The incoming port on your scanners must be idle or the IMSVA daemon might not function properly.

Configuring POP3 Generic Services

For a generic POP3 service, the POP3 client logs on using the USER command and specifies the actual POP3 server and optional port number along with the user's name using the UserServerSeparator character to separate the values.

Example 1: To connect user "User1" to server "Server1", and the UserServerSeparator character is "#", the client issues the following USER command:

USER User1#Server1

Example 2: To connect to port 2000 on Server1, the following command is used:

USER User1#Server1#2000

Note

If you do not specify a port number, IMSVA uses the default value of 110.

The following example shows how to configure generic POP3 settings for Outlook:

Procedure

Specify the POP3 server address with IMSVA scanner IP 192.168.11.147.
Specify user name test123#192.168.11.252.
Set POP3 port to 110.

Configuring POP3 Dedicated Services

For a POP3 dedicated service, the POP3 service always connects to a specific POP3 server. IMSVA uses this service for a POP3 logon and for any type of logon using the AUTH command. For this service, a separate port on the proxy has to be set up for each specific POP3 server that any client might want to connect.

The following example shows how to configure dedicated POP3 settings in Microsoft Outlook:

Procedure

Specify the POP3 server address with IMSVA scanner IP 192.168.11.147.
Specify user name test123.
Set the POP3 port to 1100, which is the port that the IMSVA dedicated POP3 service is listening on.

Configuring Database Settings

Configure the database connection settings so IMSVA can save messages and data.

Procedure

Go to Administration → IMSVA Configuration → Connections.

The Components tab displays by default.

Click the Database tab.

The IMSVA admin database type, server IP address, port number, user name and database name appear at the top of the table.

Note

If you want to change the password for the admin database, run the following script:

/opt/trend/imss/script/dbupdate.sh setpw newPassword

Under EUQ Database, perform operations to manage EUQ databases as required.

Note

For detailed operations, see Managing EUQ Databases.

Configuring TMCM Settings

To use Trend Micro Control Manager (TMCM) to manage IMSVA, enable the Control Manager/MCP agent on the IMSVA server and configure Control Manager server settings. If a proxy server is between the Control Manager server and IMSVA, configure proxy settings. If a firewall is between the Control Manager server and IMSVA, configure port forwarding to work with the firewall's port-forwarding functionality.

Note

For additional information about Control Manager, see the Control Manager documentation.

Procedure

Go to Administration → IMSVA Configuration → Connections.

The Components tab displays by default.
Click the TMCM Server tab.

Under TMCM Server Settings, specify the following parameters:

Option	Description
Enable MCP Agent	Select the check box to enable the agent.
Server	Specify the Control Manager IP address or FQDN.
Communication protocol	Select HTTP or HTTPS and specify the corresponding port number. The default port number for HTTP access is 80, and the default port number for HTTPS is 443.
Web server authentication	Specify the credentials to access the Control Manager web server.

Under Proxy Settings, specify the following parameters:

Option	Description
Enable proxy	Select the check box to enable the proxy server.
Proxy type	Select the protocol that the proxy server uses: HTTP, SOCKS4, or SOCKS5.
Proxy server	Specify the proxy server FQDN or IP address, port number, and the user name and password.
Port	Specify the port for the proxy server.
User name	Specify the user name to access the proxy server.
Password	Specify the password for the user name.

Under Suspicious Object List Settings, do the following:

If you want IMSVA to detect suspicious files, select the Suspicious file list check box and specify the interval to synchronize the suspicious file list from Control Manager. The default synchronization interval is 5 minutes, and the minimum interval is 1 minute.

If you want IMSVA to detect suspicious URLs, select the Suspicious URL list check box.

Note

IMSVA detects suspicious URLs based on Web Reputation Services available through Smart Protection Servers. Make sure you have properly configured Web Reputation settings and Smart Protection Servers.

Click Save.

If you are using the Configuration Wizard, click Next.

If you enabled the agent, it will soon register to the Control Manager server. If you disabled the agent, IMSVA will soon log off from the Control Manager server. Verify the change on the Control Manager management console.

Note

In addition, make sure that your Control Manager version is 6.0 SP3 Patch 1 or later and the Smart Protection Server version is 3.0 Patch 1 or later.

Providing IMSVA Logon Credentials in Control Manager

To make your settings effective, provide your IMSVA logon credentials for authentication on the Control Manager management console.

Procedure

Log on to the Control Manager management console.
Go to Administration → Manager Servers.
Next to Server Type, select InterScan Messaging Security Virtual Appliance.
Find your IMSVA server and click the Edit icon in the Actions column.

The Edit Server screen appears.

Under Authentication, provide your IMSVA logon credentials.

Note

Trend Micro recommends that you create a separate administrator account other than the default "admin" account for Control Manager to manage IMSVA. The account is required for authentication on the Control Manager management console.

Click Save.

Unregistering from Control Manager

Procedure

Go to Administration → IMSVA Configuration → Connections.

The Components tab displays by default.
Click the TMCM Server tab.
Click the Un-register All Agents button.

Configuring NTP Settings

The Network Time Protocol (NTP) synchronizes the clocks of computer systems across the Internet. To synchronize the computer clock of an IMSVA device with the clock of an NTP server, configure the NTP setting.

Procedure

Go to Administration → IMSVA Configuration → Connections.

The Components tab displays by default.
Click the NTP Setting tab.
Select the Enable NTP check box.
Specify the domain name or IP address of the NTP server.
Click Save.

Configuring Child IP Settings

Devices in the Child IP address list can access each other for internal communications in a group. Add all IP addresses of child devices in the current group to this list before you register these child devices to the parent.

Procedure

Go to Administration → IMSVA Configuration → Connections.

The Components tab displays by default.
Click the Child IP tab.
Under Add IP Address, specify the child device IP address.
Click >>.

The address appears in the table.
Click Save.

$('#title').html($('meta[name=description]').attr('content'));