Messaging Gateway

Best practices when using Microsoft Active Directory as an LDAP source 

Jul 29, 2009 06:18 PM

The following are settings recommended by Symantec Enterprise Technical Support.

  • Always use the global catalog port (3268) to connect to the Microsoft Active Directory source.
     
  • Test each query manually with ldp.exe or ldapsearch before adding it to the GUI, to confirm that it works and does not run into timeouts or other issues.
    For ldapsearch, read the Symantec knowledge base article:
    http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005111407150263
    For ldp.exe, read the Microsoft article:
    http://support.microsoft.com/kb/224543
     
  • Use a page size of 1000.
    For additional information read the Microsoft article:
    http://technet.microsoft.com/en-us/library/cc976703.aspx
    This value can be changed with ntdsutil, but 1000 is the default page size (the MaxPageSize LDAP policy) for Microsoft Active Directory LDAP environments.
    To check the current values on your Microsoft Active Directory server, run the following command locally on the server ("co t s" is ntdsutil shorthand for "connect to server"):
    C:\> ntdsutil "LDAP Policies" connections "co t s localhost" q "show values"
    For more information on ntdsutil, read the Microsoft article: http://technet.microsoft.com/en-us/library/cc976717.aspx
     
  • Given the potential amount of information to be transmitted, it is highly recommended that you keep the number of network hops between the scanners and the Control Center as low as possible.
     
  • Use an external DNS server, or a DNS server in the DMZ if one is available. Avoid, as far as possible, using internal AD servers as DNS for either Symantec Brightmail Gateway or Symantec Mail Security for SMTP 5.0.x.
     
  • If the environment has multiple Microsoft Active Directory domains, we recommend splitting the queries and adding multiple sources for synchronization. It is also a good idea to get a picture of what the Active Directory looks like (how many users, groups and distribution lists).
     
  • Tune the operating system that has our software installed (if you are running Symantec Mail Security for SMTP 5.0.x) and also the Microsoft Active Directory server, so that you have enough throughput between these servers when it is needed. Basic tuning information that can help increase network performance on both ends is given at the end of this article.
     
  • When using authentication sources, make sure the domain is not the fully qualified domain name (FQDN).
    Example: if your domain is example.com, use the NetBIOS name, such as "EXAMPLE".
     
  • For synchronization queries, you can use the following filter under the User query to exclude disabled accounts from Active Directory:
    (&(proxyAddresses=smtp*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
     
  • If you use synchronization only to achieve "Drop Invalid Recipients" and you do not want to use Active Directory groups within our product, you might want to exclude them from the synchronization process by using a filter like:
    (&(syncToSBG=true)(!(proxyAddresses=smtp*)))
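The disabled-account filter above relies on the bitwise matching rule (OID 1.2.840.113556.1.4.803) rather than a plain equality test on userAccountControl. The following added example (not from the Symantec article) evaluates that filter locally over constructed sample entries, so you can see which accounts a sync would hand to the gateway and why an equality filter would let disabled accounts through; the entries and attribute values are made up for illustration.

```python
# Added example: local evaluation of the AD sync filter
# (&(proxyAddresses=smtp*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# over constructed sample entries. userAccountControl is a bit field and
# 0x0002 is ACCOUNTDISABLE; the OID names LDAP_MATCHING_RULE_BIT_AND.

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample entries; proxyAddresses is multi-valued as in AD.
SAMPLE_ENTRIES = [
    {"dn": "CN=alice", "proxyAddresses": ["SMTP:alice@example.com"],
     "userAccountControl": NORMAL_ACCOUNT},                        # 512, active
    {"dn": "CN=bob", "proxyAddresses": ["SMTP:bob@example.com"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},       # 514, disabled
    {"dn": "CN=carol", "proxyAddresses": ["SMTP:carol@example.com", "X400:c=US"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE},  # 66050
    {"dn": "CN=svc-backup", "proxyAddresses": [],
     "userAccountControl": NORMAL_ACCOUNT},                        # no mail address
]


def bit_and_matches(attr_value, asserted):
    """LDAP_MATCHING_RULE_BIT_AND: true only if every asserted bit is set."""
    return (attr_value & asserted) == asserted


def has_smtp_address(proxy_addresses):
    """(proxyAddresses=smtp*): AD compares this attribute case-insensitively."""
    return any(v.lower().startswith("smtp") for v in proxy_addresses)


def sync_filter(entry):
    """The article's User query filter, evaluated for one entry."""
    return has_smtp_address(entry["proxyAddresses"]) and not bit_and_matches(
        entry["userAccountControl"], ACCOUNTDISABLE)


def select_for_sync(entries):
    """DNs the synchronization query would return with the bitwise filter."""
    return [e["dn"] for e in entries if sync_filter(e)]


def naive_equality_select(entries):
    """Same query with (!(userAccountControl=2)) instead: misses 514 and 66050."""
    return [e["dn"] for e in entries
            if has_smtp_address(e["proxyAddresses"]) and e["userAccountControl"] != 2]


if __name__ == "__main__":
    print("bitwise filter :", select_for_sync(SAMPLE_ENTRIES))
    print("equality filter:", naive_equality_select(SAMPLE_ENTRIES))
```

To test the same filter against a real controller by hand before entering it in the GUI, an OpenLDAP ldapsearch run against the global catalog port with paged results of 1000 would look like `ldapsearch -H ldap://dc.example.com:3268 -E pr=1000/noprompt -b "DC=example,DC=com" '<filter>' dn` (dc.example.com is a placeholder).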

Settings recommended for Windows 2000/2003 servers in general:

Basic tuning for the Microsoft Windows 2000/2003 TCP stack. Windows does not create these registry values by default; create them and reboot the server to apply the values.

Open regedit and add the following values:

HKLM\System\CurrentControlSet\Services\TcpIP\Parameters\MaxUserPort
Type: DWORD, value: 65534 (decimal)
For more information read the Microsoft article: MaxUserPort.

HKLM\System\CurrentControlSet\Services\TcpIP\Parameters\TcpTimedWaitDelay
Type: DWORD, value: 30 (decimal, seconds)
For more information read the Microsoft article: TcpTimedWaitDelay.

--

For tuning information on Symantec Mail Security for SMTP on Windows:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2007091910075154

For tuning information on Symantec Mail Security for SMTP on Linux:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2008011614301354

For tuning information on Symantec Mail Security for SMTP on Solaris:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2008013009293754

Comments

Aug 16, 2010 09:53 AM

Marco's article looks aimed at SBG 8.03 and below.  The A/D tuning is still relevant, but SBG 9 doesn't SYNC.  9.0 supports multiple directory sources and for each you specify if you will do resolution, authentication, recipient validation, or routing.

Aug 16, 2010 12:11 AM

Thanks Marco,

So synchronising is no problem with multiple AD controllers and domains?  I have one particular instance where the customer has two internal Exchange servers and domains.  Can I sync the two different domain controllers for recipient validation but potentially only use one for spam quarantine if I wish?
