Data Loss Prevention

Configuring Network Prevent Server for reflecting or forwarding mode 

Apr 02, 2014 06:04 AM

Use the following instructions to configure Network Prevent Server to operate either in reflecting or forwarding mode.

To configure the Network Prevent Server:

Procedure Step 1 : Log on to the Enforce Server administration console for the Symantec Data Loss Prevention system you want to configure.
Procedure Step 2 : Select System > Servers > Overview to display the list of configured servers.
Procedure Step 3 : Click the name of the Network Prevent Server that you want to configure.
Procedure Step 4 : Click Configure.
Procedure Step 5 : Deselect Trial Mode to enable blocking of email messages that are found to violate Symantec Data Loss Prevention policies.
Procedure Step 6 : Configure reflecting mode or forwarding mode by modifying the following fields:

Next Hop Configuration :

Select Reflect to operate Network Prevent Server in reflecting mode. Select Forward to operate in forwarding mode.

Note: If you select Forward you must also select Enable MX Lookup or Disable MX Lookup to configure the method used to determine the next-hop MTA.
 
 Enable MX Lookup :

This option applies only to forwarding mode configurations.

Select Enable MX Lookup to perform a DNS query on a domain name to obtain the mail exchange (MX) records for the server. Network Prevent Server uses the returned MX records to select the address of the next hop mail server.

If you select Enable MX Lookup, also add one or more domain names in the Enter Domains text box. For example:

companyname.com

Network Prevent Server performs MX record queries for the domain names that you specify.

Note: You must include at least one valid entry in the Enter Domains text box to successfully configure forwarding mode behavior.
 
 
Disable MX Lookup :

This field applies only to forwarding mode configurations.

Select Disable MX Lookup if you want to specify the exact hostname or IP address of one or more next-hop MTAs. Network Prevent Server uses the hostnames or addresses that you specify and does not perform an MX record lookup.

If you select Disable MX Lookup, also add one or more hostnames or IP addresses for next-hop MTAs in the Enter Hostnames text box. You can specify multiple entries by placing each entry on a separate line. For example:

smtp1.companyname.com
smtp2.companyname.com
smtp3.companyname.com

Network Prevent Server always tries to proxy to the first MTA that you specify in the list. If that MTA is not available, Network Prevent Server tries the next available entry in the list.

Note: You must include at least one valid entry in the Enter Hostnames text box to successfully configure forwarding mode behavior.
 
Procedure Step 7 : Click Save.
Procedure Step 8 : Click Server Settings to verify or configure these advanced settings:

RequestProcessor.ServerSocketPort :

Ensure that this value matches the number of the SMTP Listener port to which the upstream MTA sends email messages. The default is 10025.

Note: Many Linux systems restrict ports below 1024 to root access. Network Prevent cannot bind to these restricted ports. If the computer receives mail for inspection on a restricted port (for example, port 25), reconfigure the computer to route traffic from the restricted port to the non-restricted Network Prevent port (port 10025 by default).

See Configuring Linux IP tables to reroute traffic from a restricted port, below.
 
 
RequestProcessor.MTAResubmitPort :

Ensure that this value matches the number of the SMTP Listener port on the upstream MTA to which the Network Prevent Server returns mail. The default is 10026.
 
RequestProcessor.AddDefaultHeader :

By default, Network Prevent Server uses a header to identify all email messages that it has processed. The header and value are specified in the RequestProcessor.DefaultPassHeader field.

Change the value of this field to false if you do not want to add a header to each message.
 
RequestProcessor.DefaultPassHeader :

This field specifies the header and value that Network Prevent Server adds to each email message that it processes. The default header and value are X-CFilter-Loop: Reflected. Change the value of this field if you want to add a different header to each processed message.

If you do not want to add a header to each email message, set the RequestProcessor.AddDefaultHeader field to false.
 

Note: Always configure both RequestProcessor.ServerSocketPort and RequestProcessor.MTAResubmitPort, whether you implement reflecting or forwarding mode. With forwarding mode, RequestProcessor.ServerSocketPort specifies the SMTP Listener port on the detection server to which the upstream MTA sends email messages. RequestProcessor.MTAResubmitPort is the SMTP Listener port on the downstream MTA to which the detection server sends email messages.
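The next-hop rules above (reflect to the upstream MTA; forward either via MX records of the listed domains or via the listed hostnames in order, falling back to the next entry when one is unavailable) and the RequestProcessor.DefaultPassHeader loop marker can be checked offline with the following Python model. This is an added example, not Symantec's code and not taken from the article: the resolver and reachability checks are injected callables so nothing touches the network, the MX records are ordered by preference (an assumption about how the returned records are used, since the article only says they are used to select the next hop), and the `already_processed` loop guard illustrates one way an upstream MTA can use the X-CFilter-Loop header to avoid resubmitting an inspected message.

```python
"""Model of Network Prevent next-hop selection and pass-header handling.

Added example (not Symantec's code). Resolver and reachability are injected
callables so the whole thing runs offline against constructed data.
"""
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Callable, List, Optional, Tuple

# Default of RequestProcessor.DefaultPassHeader as stated in the article.
DEFAULT_PASS_HEADER = ("X-CFilter-Loop", "Reflected")

MxResolver = Callable[[str], List[Tuple[int, str]]]   # domain -> [(preference, host)]
Reachability = Callable[[str], bool]                  # host -> can we connect?


@dataclass
class NextHopConfig:
    """Mirrors the Next Hop Configuration fields on the Configure page."""
    mode: str                                        # "reflect" or "forward"
    mx_lookup: bool = False                          # Enable MX Lookup / Disable MX Lookup
    domains: List[str] = field(default_factory=list)    # Enter Domains text box
    hostnames: List[str] = field(default_factory=list)  # Enter Hostnames text box
    mta_resubmit_port: int = 10026                   # RequestProcessor.MTAResubmitPort default

    def validate(self) -> None:
        """Enforce the 'at least one valid entry' notes from the article."""
        if self.mode == "reflect":
            return
        if self.mode != "forward":
            raise ValueError("mode must be 'reflect' or 'forward'")
        if self.mx_lookup and not self.domains:
            raise ValueError("Enable MX Lookup requires at least one entry in Enter Domains")
        if not self.mx_lookup and not self.hostnames:
            raise ValueError("Disable MX Lookup requires at least one entry in Enter Hostnames")


def next_hop_candidates(cfg: NextHopConfig, upstream_mta: str,
                        resolve_mx: MxResolver) -> List[str]:
    """Return the ordered list of hosts the server would try, per the article."""
    cfg.validate()
    if cfg.mode == "reflect":
        # Reflecting mode: the message goes back to the MTA that delivered it.
        return [upstream_mta]
    if cfg.mx_lookup:
        hosts: List[str] = []
        for domain in cfg.domains:
            # Assumption: lowest MX preference value is tried first (standard MX semantics).
            for _pref, host in sorted(resolve_mx(domain)):
                if host not in hosts:
                    hosts.append(host)
        return hosts
    # Disable MX Lookup: exact hostnames, first entry preferred, then the next, etc.
    return list(cfg.hostnames)


def choose_next_hop(candidates: List[str], is_reachable: Reachability) -> Optional[str]:
    """Try candidates in order; return the first that is available, else None."""
    for host in candidates:
        if is_reachable(host):
            return host
    return None


def mark_processed(msg: EmailMessage, add_header: bool = True,
                   header: Tuple[str, str] = DEFAULT_PASS_HEADER) -> EmailMessage:
    """Add the pass header once (RequestProcessor.AddDefaultHeader == true)."""
    name, value = header
    if add_header and msg.get(name) is None:
        msg[name] = value
    return msg


def already_processed(msg: EmailMessage,
                      header: Tuple[str, str] = DEFAULT_PASS_HEADER) -> bool:
    """Loop guard an upstream MTA could apply before resubmitting a message."""
    name, value = header
    return any(v.strip() == value for v in msg.get_all(name, []))


if __name__ == "__main__":
    # Constructed MX data and reachability; not real DNS answers.
    fake_mx = {"companyname.com": [(20, "mx2.companyname.com"), (10, "mx1.companyname.com")]}
    fwd = NextHopConfig(mode="forward", mx_lookup=True, domains=["companyname.com"])
    cands = next_hop_candidates(fwd, "mta.companyname.com", lambda d: fake_mx[d])
    print("forwarding via MX:", cands)
    print("chosen:", choose_next_hop(cands, lambda h: h != "mx1.companyname.com"))
    m = EmailMessage()
    m["Subject"] = "constructed test message"
    mark_processed(m)
    print("loop header present:", already_processed(m))
```

The validation mirrors the two notes in the article: forwarding mode with MX lookup enabled needs at least one domain, and with MX lookup disabled needs at least one hostname, so a misconfiguration is caught before any message is routed.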
 

Procedure Step 9 : Click Save.
Procedure Step 10 : Click Done.
Procedure Step 11 : If your email delivery system uses TLS communication in forwarding mode, each next-hop mail server in the proxy chain must support TLS and must authenticate itself to the previous hop. This means that Network Prevent Server must authenticate itself to the upstream MTA, and the next-hop MTA must authenticate itself to Network Prevent Server. Proper authentication requires that each mail server stores the public key certificate for the next hop mail server in its local keystore file.

Configuring Linux IP tables to reroute traffic from a restricted port :


Many Linux systems restrict ports below 1024 to root access. Network Prevent cannot bind to these restricted ports.

If the computer receives mail for inspection on a restricted port (for example, port 25), use the iptables command to route that traffic to a non-restricted port, such as the Network Prevent default port 10025. Then ensure that Network Prevent listens on the non-restricted port to inspect email.

Use the following instructions to configure a Linux system to route from port 25 to port 10025. If you use a different restricted port or Network Prevent port, enter the correct values in the iptables commands.

To route traffic from port 25 to port 10025:

Procedure Step A] Configure Network Prevent to use the default port 10025 if necessary.

See Configuring Network Prevent Server for reflecting or forwarding mode, above.

Procedure Step B] In a terminal window on the Network Prevent computer, enter the following commands to reroute traffic from port 25 to port 10025:

iptables -N Vontu-INPUT
iptables -A Vontu-INPUT -s 0/0 -p tcp --dport 25 -j ACCEPT
iptables -I INPUT 1 -s 0/0 -p tcp -j Vontu-INPUT
iptables -t nat -I PREROUTING -p tcp --destination-port 25 -j REDIRECT --to-ports=10025
iptables-save > /etc/sysconfig/iptables

Note: If you only want to test local IP routing between the ports with Telnet, use the command:

iptables -t nat -I OUTPUT -o lo -p tcp --destination-port 25 -j REDIRECT --to-ports=10025
 

If you later decide to delete that loopback test entry, use the command:

iptables -t nat -D OUTPUT -o lo -p tcp --destination-port 25 -j REDIRECT --to-ports=10025
