xcs_v10_0_studentguide_qms

  • 1 WatchGuard XCS Training Student Guide

    Quarantine Management Server

    Redirect Spam to a Quarantine Server Appliance

    This training is for:

    What You Will Learn

    The Quarantine Management Server (QMS) is a dedicated appliance that stores and manages quarantined messages from the WatchGuard XCS. Because spam filters occasionally result in false positives (legitimate email classified as spam), end users can log in to the QMS to manage their own quarantined spam messages and Trusted/Blocked Senders List.

    In this training module, you learn how to:

    Configure Quarantine Management Server spam quarantine and digest settings

    Configure the WatchGuard XCS to send spam to the Quarantine Management Server

    Manage trusted and blocked senders lists

    Monitor the QMS system

    Enable users to log in

    Note: It is not necessary to have a separate Quarantine Management Server to store user-accessible spam. You can use the User Spam Quarantine feature of the WatchGuard XCS without the purchase of a Quarantine Management Server, if it meets your needs. For more information about user spam quarantine on the WatchGuard XCS, see the WatchGuard XCS Basics Student Guide.

    Overview

    The Quarantine Management Server is similar to the User Spam Quarantine feature of the WatchGuard XCS. The main difference is that the storage and processing requirements are moved to a separate appliance. The Quarantine Management Server also supports different end users from multiple email domains, while the integrated User Spam Quarantine feature on the WatchGuard XCS only supports a single end-user notification domain.

    The Intercept Anti-Spam engine on the WatchGuard XCS device can redirect messages for a specific spam classification to the Quarantine Management Server. For example, messages in the Probably Spam category can be quarantined to allow users to review them at a later time and either delete them or release them to their inbox.

    The Quarantine Management Server periodically sends spam digest notifications to end users. End users can log in to the Quarantine Management Server to review, delete, or release quarantined messages, manage their specific quarantine settings, configure spam digest settings, and manage their trusted and blocked senders lists.

    Devices: All WatchGuard XCS and QMS device models

    Device OS versions: WatchGuard XCS v10.0, QMS v3.0

  • 2 WatchGuard XCS Basics

    The Quarantine Management Server can support organizations with a single domain or end users from multiple domains. The steps to install the Quarantine Management Server are very similar to the WatchGuard XCS installation steps described in the Installation training module. See the WatchGuard Quarantine Management Server Installation Guide for detailed installation instructions.

    QMS Wizard

    The QMS Wizard is a utility on the WatchGuard XCS that guides you through the required configuration to integrate the WatchGuard XCS with the WatchGuard QMS (Quarantine Management Server).

    Note

    You must configure the WatchGuard QMS before starting the QMS Wizard:

    You can access the QMS Wizard on the Frequent Tasks page of the WatchGuard XCS.

    For the purposes of this training module, the following sections describe the manual steps for integrating the WatchGuard XCS with the QMS.

    Quarantine Management Server Deployment

    You deploy the Quarantine Management Server on the same network as your WatchGuard XCS device.

    The WatchGuard XCS processes incoming mail, and redirects any spam to be quarantined to the Quarantine Management Server. The Quarantine Management Server sends spam digest notifications and released messages through the WatchGuard XCS to the internal mail servers, where they are delivered to the end user. End users log in to the Quarantine Management Server to review quarantined messages, and manage their quarantine settings.

    You can also deploy the Quarantine Management Server and WatchGuard XCS as a hosted deployment to manage quarantined messages for multiple email servers in different domains.

    Create User Accounts

    The Quarantine Management Server must have an account for each user to store their quarantined spam messages. There are three ways to create user accounts on the Quarantine Management Server:

    Manually create Local Accounts: You can manually add each local user account. We recommend this method only for small deployments with a manageable number of users.

    Automatically create Local Accounts: If the Quarantine Server receives a message to be quarantined for a user account that does not already exist, the Quarantine Server can automatically create a local account for the recipient. We recommend this method for organizations that do not use LDAP directory services, but do support multiple independent domains.

    A user cannot log in to an automatically created account until the administrator assigns a password to the account, or sets up the Quarantine Server to automatically generate a password for the user.

    Import LDAP User Accounts: The administrator can import user account information from an LDAP directory, and mirror the accounts locally on the Quarantine Server. If you enable remote authentication, users who log in to the Quarantine Server are automatically authenticated to the LDAP directory server.

    Spam Quarantine Configuration and Digests

    The WatchGuard XCS can redirect spam messages to the local quarantine storage area on the Quarantine Management Server. The Quarantine Management Server periodically sends a digest of the new quarantined messages to users. You must configure global settings that control how the device handles quarantined messages, and you can create custom templates for the spam digest message.

    Quarantine Global Settings

    You can configure global settings that control the overall operation of the Quarantine Management Server. Some of the things you can configure in the global settings are:

    The number of days a message remains in quarantine before the system automatically deletes it

    Per user spam quota, and what action to take when a user's quarantined mail exceeds the quota

    Disk quota, and what action to take when the disk quota is exceeded

    What action to take if a message is received for an unknown user

    Message digest settings, such as how often to send a digest email to users, how many and what type of messages to include in the digest, and which digest template to use.

    To configure global quarantine settings, select Configuration > Quarantine > User Spam Quarantine.

    Configure the Default Mail Relay

    To integrate the WatchGuard XCS with the Quarantine Management Server, you must set the Default Mail Relay for the Quarantine Management Server to the IP address or host name of the WatchGuard XCS device. To configure the mail relay, select Configuration > Mail > Delivery.

    Spam Digest Templates

    From the Quarantine Management Server, you can customize the templates for the spam digest message. You can also use policies to apply separate spam digest templates for different domains or users. Templates are also available for different languages.

    The system comes with a set of default message digest templates in different languages. You can edit the default templates or create your own. You customize the Subject and From fields for the digest message, and the message text. The spam digest message is highly customizable and can contain conditional text, to change the content of the message based on conditions you set. The spam digest message can also contain variables that display information about the quarantined messages, the message quota, or details about individual quarantined messages.

    You can also add custom action URL variables to the digest message so a user can take an action directly from the message. For example, a spam digest message could contain links to allow the user to:

    See the content of a quarantined mail message

    Delete a message from quarantine

    Release a message from quarantine to the end user, and add the sender to the Trusted Senders list

    Add a message sender to the user's Trusted Senders list

    Add a message sender to the user's Blocked Senders list

    Configure the WatchGuard XCS

    After you have set up your QMS, you must configure the WatchGuard XCS device to send spam messages to the QMS and to trust messages received from the QMS.

    QMS Integration Wizard

    From the WatchGuard XCS, you can run the QMS Integration Wizard that automatically configures your WatchGuard XCS to send spam messages to the QMS.

    To run the QMS Integration Wizard, select Activity > Frequent Tasks > QMS Integration Wizard.

    The wizard performs these tasks:

    Adds a Mail Route for the QMS

    For the WatchGuard XCS to send messages to the Quarantine Management Server, you must add a mail route on the WatchGuard XCS device to the Quarantine Management Server.

    Redirects Spam Messages to the Quarantine Management Server

    You must configure the Intercept Anti-Spam action on the WatchGuard XCS device to redirect spam messages to the Quarantine Management Server. You can configure Intercept Anti-Spam actions for three message categories: Certainly Spam, Probably Spam, and Maybe Spam. You can set the Action to take for each category.

    Though you can choose to redirect messages from any of these categories to the Quarantine Server, we recommend that you quarantine the messages in the Probably Spam category.

    Trusts Mail from the QMS

    For the WatchGuard XCS device to trust mail from the Quarantine Server, you must configure a Specific Access Pattern on the WatchGuard XCS device to make sure that mail from the Quarantine Server, such as spam digest notifications and released quarantined messages, is not scanned for spam or content issues. You add a new pattern that contains the IP address of the Quarantine Management Server, and if the pattern matches, set the action to Trust.

    Prevents training on spam digest notifications

    The spam quarantine digest messages sent by the QMS contain subject headers from the actual spam messages. If the trusted spam digest messages are used for training, it can cause errors in the training database configuration. To make sure that the WatchGuard XCS Intercept Anti-Spam feature does not train on spam digest notification messages, you can use pattern-based message filtering to recognize these messages, and not use them for training.

    Trusted and Blocked Senders Lists

    End users can log in and create their own personal lists of trusted and blocked senders. These lists are saved locally on the Quarantine Management Server.

    Trusted Senders List

    Acts as a whitelist for trusted senders. When a user adds a sender to the Trusted Senders list, no anti-spam actions are taken for email messages from that sender to this user.

    Blocked Senders List

    Acts as a blacklist for senders the user does not want to receive mail from. When a user adds a sender to the Blocked Senders list, the WatchGuard XCS does not deliver messages from that email address to this user. If a sender is on the Blocked Senders List, the message can either be rejected with notification or discarded by the WatchGuard XCS.

    Note: You must configure the WatchGuard XCS to import the updated Trusted Senders and Blocked Senders lists from the Quarantine Management Server on a regular schedule. The lists are applied to messages as they arrive on the WatchGuard XCS.

    If a message has several recipients, and only some recipients have blocked the sender, the message is delivered to those recipients that did not block the sender and the message is rejected for those who have blocked the sender.

    The Trusted Senders List is processed before the Blocked Senders List. If a sender email address is on both the Blocked Senders and Trusted Senders List, the email is delivered.
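
The per-recipient outcome described above, including the effect of the scheduled import, modelled as an added example (this is not WatchGuard code). The class and function names, the sample addresses, and the lower-casing of addresses before comparison are assumptions of the sketch.

```python
class XcsSenderLists:
    """Model of the Trusted/Blocked Senders lists as the XCS applies them."""

    def __init__(self, blocked_action="reject"):
        # A blocked message is either rejected with notification or discarded.
        if blocked_action not in ("reject", "discard"):
            raise ValueError("blocked_action must be 'reject' or 'discard'")
        self.blocked_action = blocked_action
        self._lists = {}  # recipient -> {"trusted": set, "blocked": set}

    def import_from(self, qms_lists):
        """Scheduled import: copy the lists kept on the QMS.

        Edits made on the QMS afterwards are not applied until the next import.
        Addresses are lower-cased for comparison (an assumption of this sketch).
        """
        self._lists = {
            user.lower(): {
                kind: {addr.lower() for addr in entry.get(kind, ())}
                for kind in ("trusted", "blocked")
            }
            for user, entry in qms_lists.items()
        }

    def decide(self, sender, recipients, antispam_action):
        """Return {recipient: action} for one message.

        antispam_action is what Intercept would do with the message for a
        recipient who has listed nothing, e.g. "redirect" for Probably Spam.
        """
        sender = sender.lower()
        empty = {"trusted": set(), "blocked": set()}
        result = {}
        for rcpt in recipients:
            lists = self._lists.get(rcpt.lower(), empty)
            if sender in lists["trusted"]:
                # Trusted is checked first, so it wins over Blocked and
                # no anti-spam action is taken for this recipient.
                result[rcpt] = "deliver"
            elif sender in lists["blocked"]:
                result[rcpt] = self.blocked_action
            else:
                result[rcpt] = antispam_action
        return result


# Constructed sample data (addresses are invented for the example).
SENDER = "news@vendor.example"
QMS_LISTS = {
    "alice@example.com": {"trusted": [SENDER], "blocked": [SENDER]},
    "bob@example.com": {"blocked": [SENDER]},
}


def demo():
    xcs = XcsSenderLists(blocked_action="reject")
    xcs.import_from(QMS_LISTS)
    rcpts = ["alice@example.com", "bob@example.com", "carol@example.com"]
    first = xcs.decide(SENDER, rcpts, "redirect")

    # Carol blocks the sender on the QMS; the XCS has not imported yet.
    qms_now = dict(QMS_LISTS, **{"carol@example.com": {"blocked": [SENDER]}})
    before_import = xcs.decide(SENDER, ["carol@example.com"], "redirect")
    xcs.import_from(qms_now)
    after_import = xcs.decide(SENDER, ["carol@example.com"], "redirect")
    return first, before_import, after_import


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Alice has the sender on both lists and still receives the message, and Carol's new block has no effect until the next import runs.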

    End User Configuration and Access

    Before end users can log in to their Quarantine Management Server accounts, you must enable user login on a network interface of the Quarantine Management Server. To do this, select Configuration > Network > Interfaces. Select the User login and tiered admin check box. The device must restart.

    Log in to a Quarantine Management Server User Account

    If a user account is created automatically by the system, the user cannot log in until the administrator assigns the account a password.

    To log in to the Quarantine Management Server, users can type the address of the Quarantine Management Server into a web browser. Or, if a link exists in the spam digest notification message, users can click that link to go to the Quarantine Management Server Login page. To log in, users type their email address and password.

    After users log in, they can manage their quarantined messages, see and manage their trusted and blocked sites lists, change account settings, and change their password.

    Spam Quarantine

    In the Spam Quarantine tab, the user can select messages and then take one of these actions:

    Delete: Delete the selected messages.

    Not Spam: Release the selected messages from the quarantine area and send them to the user. This action also adds the sender email address to the Trusted Senders list for this user.

    Trust Sender: Add the sender email address to the Trusted Senders list for this user.

    Block Sender: Add the sender email address to the Blocked Senders list for this user.

    The user could also choose to Delete All, to delete all their quarantined messages.

    Trusted and Blocked lists

    In the Trusted & Blocked List tab, the user can see and manage their Trusted Senders and Blocked Senders lists.

    The WatchGuard XCS does not do Intercept Anti-Spam processing for messages from trusted senders to this user.

    The WatchGuard XCS does not deliver mail from blocked senders to this user. If a sender is blocked, the WatchGuard XCS can be configured to reject the message with notification or to discard it.

    Quarantine Settings and Administrative Links

    In the Settings tab, a user can configure several Quarantine Management Server account settings:

    Select which language template to use for the spam digest message. This option is only available if the administrator has configured alternate language templates in the global settings.

    Select when they want the system to send the next digest notification message. This temporarily overrides the global schedule for delivery of the spam digest message.

    Select an alternate email address to receive the spam digest notification.

    Select the number of message headers to display per page in Spam Quarantine tab.

    If a user account has been assigned tiered administrative privileges, the user can click links in the Settings tab to perform delegated administrative tasks.

    Password

    Users can change their own password on the Quarantine Management Server. Users cannot change their password if the user account information is mirrored from an LDAP server. Those users must change their password directly on the LDAP server.

    Monitor the Quarantine Management Server

    As an administrator, you can use the Quarantine Management Server system Dashboard to monitor the quarantine activity and message statistics. You can also find and manage messages in all user quarantine mailboxes based on the sender, recipient, and subject fields.

    Dashboard

    The Quarantine Management Server Dashboard provides a statistical summary of current system resource usage and recent activity.

    To see the Dashboard, select Activity > Status > Dashboard.

    The Dashboard displays information on two pages: Quarantine Statistics and Recent Mail Activity.

    The Quarantine Statistics page shows message processing, delivery and storage statistics, and a summary of recent message expiration and digest generation activity.

    The Mail Queue section shows the number of messages that have not yet been delivered.

    A single message to multiple users is counted as multiple messages in the Dashboard statistics and reports.

    Queued: Messages currently in the mail queue to be processed.

    Deferred: Messages that have not been delivered because the destination mail server is unavailable. The server will try to deliver these messages at a later time.

    Delivered message statistics appear in the top right section of the Quarantine Statistics page. This section shows the total number of messages delivered in the last Hour, Day, and Week. Delivered message counts are the total number of spam messages received from the WatchGuard XCS, plus the total number of spam digest messages, notifications, and released mail sent by the Quarantine Management Server.

    The bottom 3 sections of the Quarantine Statistics page show additional statistics:

    System statistics (updated every 5 minutes): The number of user accounts, the total number of messages, the average number of messages per user, and the number of domains.

    Message expiry statistics: The start and stop time, duration, and the number of messages expired the last time the expiry process ran.

    Message digest statistics: The start and stop time, and the process duration for the most recent time that message digests were generated and sent to users.

    The Recent Mail Activity page shows information about the most recent mail messages that have passed through the server. The data updates every 60 seconds or when you refresh the page.

    Quarantine Management

    As an administrator, there could be times when you need to manage quarantined messages for your users. You can search for and manage quarantined messages based on the sender, recipient, or subject fields, and you can look for messages in a selected date range. For each message that matches the search criteria, you can see the date, sender address, recipient address, and message subject. For each message in the search results you can take an action, such as View, Release, or Delete.

    To manage quarantined messages, select Activity > History > Manage Quarantine.

    Exercise 1: Configure Quarantine and Digest Settings

    The Successful Company has installed a Quarantine Management Server and created user accounts. Now the administrator is ready to enable and configure User Spam Quarantine. In this exercise you enable the user spam quarantine, and configure the quarantine and digest message settings.

    On the Quarantine Management Server:

    1. Select Configuration > Quarantine > User Spam Quarantine. The User Spam Quarantine page appears.

    2. Select the Enable User Spam Quarantine check box.

    If you do not enable user spam quarantine, the Quarantine Management Server still receives and stores quarantine messages, but it does not send spam digest notifications, or enable users to log in.

    3. In the Expiry Time (days) text box, type 31. The system automatically deletes any mail quarantined for longer than the number of days you specify.

    4. From the Per user spam quota drop-down list, select a size limit of 50 MB. This restricts the maximum amount of stored quarantined mail for each user.

    5. Set the Quota exceeded action to Discard. This discards new messages received if the user has exceeded their Per user spam quota setting.

    6. Keep the Reserved disk space set to the default value of 1000000 KB, and the Disk full action set to the default action, Discard. If a message is received and the free disk space is less than the Reserved disk space, the message is discarded.

    7. From the Unknown User Action drop-down list, select Discard message. This discards new quarantine messages addressed to a recipient who does not have a user account.

    8. Select the Enable digest email check box. This sends a digest email to users who have new messages in their quarantine folders.

    9. Select the New Messages only check box. When you select this option, the digest email that users receive includes only new messages that have arrived since the last digest, not older messages.

    10. In the Maximum messages per digest text box, type 200 (this is the default). This limits the number of messages to include in the digest email.

    11. In the Digest source email address text box, type [email protected].

    12. From the Generate digests drop-down lists, choose to generate digests Every day at 6am.

    The spam digest process starts at the time you select, but the users do not receive the digest email until the process finishes, which can be several hours later.

    The expiry process, which deletes expired messages, runs nightly at 12:10 AM. We recommend that you schedule the Generate digests time at least a few hours later than that, to give the expiry process time to complete before the digest process starts. You can see the start and end time for the most recent expiry process on the Dashboard.

    13. From the Default Template drop-down list, select the default template to use for the digest email.

    14. From the Alternate template drop-down lists, select other templates to make available to users. Users can select from these templates the one they want to use for the digest email that they receive.

    15. Click Apply.

    Exercise 2: Redirect Spam to the Quarantine Management Server

    The Successful Company wants to send messages that are Probably Spam to the Quarantine Management Server. In this exercise, you first configure mail relays and routes, and then configure the WatchGuard XCS to redirect all messages that are Probably Spam to the Quarantine Management Server.

    Configure the Default Mail Relay on the Quarantine Management Server

    On the Quarantine Management Server:

    1. Select Configuration > Mail > Delivery.

    2. In the Relay To text box, type 10.0.1.10. This is the IP address of the WatchGuard XCS.

    3. Click Apply.

    Add a Mail Route on the WatchGuard XCS Device

    On the WatchGuard XCS device:

    1. Select Configuration > Mail Routing.

    2. In the Domain text box, type a name for the mail route. At the start of the name, type a period (.). For this example, type .quarantine_reroute.

    3. In the Route-to text box, type the IP address of the Quarantine Management Server. For this example, type 10.0.1.20.

    4. In the Port text box, type 25, which is the default SMTP port.

    5. Click Add.

    Redirect Spam Messages to the Quarantine Management Server

    On the WatchGuard XCS device:

    1. Select Security > Anti-Spam > Anti-Spam. The Intercept Anti-Spam page appears.

    2. In the Probably Spam section, from the Action drop-down list, select Redirect to.

    3. In the Action data text box, type quarantine_reroute.

    This matches the Domain that you specified when you added the Quarantine Management Server mail route. Do not include the leading period (.).

    4. Click Apply.

    Exercise 3: Configure Trust and Training Settings

    In this exercise you configure the WatchGuard XCS to trust mail from the Quarantine Management Server, and to not train on spam digest notification messages.

    Trust Mail from the Quarantine Management Server

    To configure a Specific Access Pattern on your WatchGuard XCS device:

    1. Select Configuration > Mail > Mail Access.

    2. Click Add Pattern.

    3. In the Pattern text box, type 10.0.1.20. This is the IP address of the Quarantine Management Server.

    4. Select the Client Access check box.

    5. From the If pattern matches drop-down list, select Trust.

    6. Click Apply.

    Prevent Training on Spam Digest Notifications

    On the WatchGuard XCS device:

    1. Select Security > Content Control > Pattern Filters.

    2. Click Add.

    3. Select the Enable PBMF check box.

    4. From the Apply To drop-down list, select All Mail.

    5. From the Message Part drop-down list, select Subject.

    6. From the Pattern drop-down list, select Contains.

    7. In the Pattern text box, type Quarantined Email Summary.

    The pattern you type must match the subject line configured for the spam quarantine notification messages on the Quarantine Server.

    To see the subject line configured for the notification messages on the Quarantine Server, select Configuration > Quarantine > Spam Digest Templates. Click on the appropriate template to view its contents.

    8. From the Priority drop-down list, select Medium.

    9. From the Action drop-down list, select Do Not Train.

    10. Click Apply.

    Exercise 4: Configure Trusted/Blocked Sender Downloads

    In this exercise you configure the Quarantine Management Server and the WatchGuard XCS to automatically download the Trusted/Blocked Senders list from the Quarantine Management Server. Some configuration is required on both devices.

    Configure the Quarantine Management Server to Allow Downloads

    On the Quarantine Management Server:

    1. Select Configuration > Quarantine > Trusted/Blocked Senders.

    2. Select the Permit Downloads check box.

    If you have more than one WatchGuard XCS device you can type multiple IP addresses here, separated by commas. You can also leave this field blank to allow access from any host.

    3. In the Allowed IPs text box, type 10.0.1.10. This is the IP address of the WatchGuard XCS device.

    4. Click Apply.

    Configure the WatchGuard XCS to Automatically Download the List

    On the WatchGuard XCS device:

    1. Select Configuration > WebMail > Trusted/Blocked Senders. The Trusted and Blocked Senders page appears.

    2. In the Imported Trusted/Blocked List section, select the Enable imported list check box.

    3. In the List source URL text box, type the URL used to retrieve the trusted/blocked sites list on the Quarantine Management Server. The location is http:///getwblist.spl.

    For this example, type http://qmshost/getwblist.spl.

    4. Select the Automatic update check box to enable scheduled updates and select the daily time to retrieve the list.

    5. Click Apply.

    To start an immediate update of the Trusted/Blocked Senders list, click Update imported list now.
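
Exercises 2 to 4 enter the same handful of values on two devices, and the integration depends on them agreeing. The following cross-check is an added example, not WatchGuard code: the dictionary layout and key names are hypothetical (neither appliance is stated to export settings in this form), the digest subject list is constructed, and case-sensitive substring matching for the Contains filter is an assumption.

```python
import copy


def check_integration(xcs, qms):
    """Return (code, detail) findings; an empty list means the XCS and QMS
    settings from Exercises 2 to 4 agree with each other."""
    findings = []

    # Exercise 2: the QMS Default Mail Relay (Relay To) is the XCS.
    if qms["relay_to"] != xcs["ip"]:
        findings.append(("RELAY", "QMS Relay To is not the XCS address"))

    # Exercise 2: Action data names a mail route. The route's Domain carries
    # a leading period; the Action data must not.
    redirects = {cat: a["action_data"] for cat, a in xcs["spam_actions"].items()
                 if a["action"] == "Redirect to"}
    if not redirects:
        findings.append(("NO_REDIRECT", "no spam category redirects to the QMS"))
    for cat, name in redirects.items():
        if name.startswith("."):
            findings.append(("ACTION_DATA_DOT", f"{cat}: leading period in Action data"))
        domain = "." + name.lstrip(".")
        routes = [r for r in xcs["mail_routes"] if r["domain"] == domain]
        if not routes:
            findings.append(("NO_ROUTE", f"{cat}: no mail route named {domain}"))
        elif routes[0]["route_to"] != qms["ip"]:
            findings.append(("ROUTE_TARGET", f"{cat}: {domain} does not point at the QMS"))

    # Exercise 3: a Specific Access Pattern trusts the QMS address.
    if not any(p["pattern"] == qms["ip"] and p["client_access"] and p["action"] == "Trust"
               for p in xcs["access_patterns"]):
        findings.append(("NO_TRUST", "no Trust access pattern for the QMS address"))

    # Exercise 3: every digest subject must hit a Do Not Train subject filter.
    # Case-sensitive substring matching is an assumption of this sketch.
    no_train = [f["pattern"] for f in xcs["pattern_filters"]
                if f["enabled"] and f["part"] == "Subject"
                and f["match"] == "Contains" and f["action"] == "Do Not Train"]
    for subject in qms["digest_subjects"]:
        if not any(p in subject for p in no_train):
            findings.append(("TRAINS_ON_DIGEST", f"unfiltered digest subject: {subject!r}"))

    # Exercise 4: the QMS permits list downloads from the XCS; a blank
    # Allowed IPs field admits any host.
    allowed = [a.strip() for a in qms["allowed_ips"].split(",") if a.strip()]
    if not qms["permit_downloads"]:
        findings.append(("DOWNLOADS_OFF", "Permit Downloads is not selected"))
    elif not allowed:
        findings.append(("ANY_HOST", "Allowed IPs is blank: any host may fetch the list"))
    elif xcs["ip"] not in allowed:
        findings.append(("XCS_NOT_ALLOWED", "XCS address missing from Allowed IPs"))

    # Exercise 4: the XCS imports the list on a schedule.
    imported = xcs["imported_list"]
    if not (imported["enabled"] and imported["automatic_update"]):
        findings.append(("NO_IMPORT", "scheduled list import is not enabled on the XCS"))
    return findings


# Values typed in Exercises 2 to 4; the dictionary layout itself is hypothetical.
XCS = {
    "ip": "10.0.1.10",
    "mail_routes": [{"domain": ".quarantine_reroute", "route_to": "10.0.1.20", "port": 25}],
    "spam_actions": {"Probably Spam": {"action": "Redirect to",
                                       "action_data": "quarantine_reroute"}},
    "access_patterns": [{"pattern": "10.0.1.20", "client_access": True, "action": "Trust"}],
    "pattern_filters": [{"enabled": True, "part": "Subject", "match": "Contains",
                         "pattern": "Quarantined Email Summary", "action": "Do Not Train"}],
    "imported_list": {"enabled": True, "automatic_update": True,
                      "url": "http://qmshost/getwblist.spl"},
}
QMS = {
    "ip": "10.0.1.20",
    "relay_to": "10.0.1.10",
    "permit_downloads": True,
    "allowed_ips": "10.0.1.10",
    "digest_subjects": ["Quarantined Email Summary"],  # constructed template subject
}


def drifted():
    """Constructed drift: renamed digest subject, blank Allowed IPs, dotted Action data."""
    xcs, qms = copy.deepcopy(XCS), copy.deepcopy(QMS)
    xcs["spam_actions"]["Probably Spam"]["action_data"] = ".quarantine_reroute"
    qms["digest_subjects"] = ["Your quarantine report"]
    qms["allowed_ips"] = ""
    return xcs, qms


if __name__ == "__main__":
    print(check_integration(XCS, QMS))
    for code, detail in check_integration(*drifted()):
        print(code, detail)
```

The drift case is the one worth rerunning after any change to a spam digest template: a renamed subject line silently stops matching the Do Not Train filter while the digests remain trusted.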

    Exercise 5: Configure WebMail Access and Log In

    In this exercise, you create a user account, enable users to log in, and log in as the user.

    Note: For the purpose of this exercise, you manually create a user account. In an actual deployment it is more likely that you would import the users from an LDAP server or configure the Quarantine Management Server to automatically create accounts.

    Add a Local User Account

    1. Select Administration > Accounts > Local Accounts.

    2. Click Add.

    3. In the User ID text box, type the user name. For example, if the email address for the user is [email protected], type user.

    4. In the Domain for user text box, type the email domain for this user. For example, if the email address for the user is [email protected], the email domain is example.com.

    5. In the Set Password and Confirm Password text boxes, type a password for the user.

    6. Click Create.

    Enable User Login

    1. Select Configuration > Network > Interfaces.

    2. Select the User login and tiered admin check box.

    3. Click Apply. The device must restart for this setting to take effect.

    Log In as a User

    1. In a web browser, type the address of the Quarantine Management Server. The Login page appears.

    2. In the Email text box, type the full email address of the user.

    3. Type the Password.

    4. Click Login. The Spam Quarantine page for the user appears.

    From here, you can manage quarantined messages, update the Trusted and Blocked Senders lists, and change the password and other settings.

    Test Your Knowledge

    Use these questions to practice what you have learned and exercise new skills.

    1. How often does the Quarantine Management Server delete expired messages? (Select one.)

    A) Weekly
    B) Daily
    C) Hourly
    D) At an interval you configure

    2. True or false? User accounts can be imported from an LDAP directory and mirrored locally on the Quarantine Management Server.

    3. Which of the following must be enabled or configured on the WatchGuard XCS device to fully integrate it with the Quarantine Management Server? (Select all that apply.)

    A) Add a Mail Route to the Quarantine Management Server
    B) Configure an Intercept Anti-spam action to redirect mail to the Quarantine Management Server
    C) Add a Specific Access Pattern to trust mail from the Quarantine Management Server
    D) Add a Pattern Based Message Filter so the WatchGuard XCS does not train on spam digest messages
    E) Configure the WatchGuard XCS to import the Trusted/Blocked Senders List from the Quarantine Management Server
    F) All of the above

    4. Which of the following Intercept Anti-Spam actions is used to send messages to the Quarantine Management Server? (Select one.)

    A) Discard
    B) Redirect to
    C) Quarantine mail
    D) Add header

    5. True or false? If you do not enable user spam quarantine, the Quarantine Management Server still receives and stores quarantine messages, but it does not send spam digest notifications, or enable users to log in.

    ANSWERS

    1. B

    2. True

    3. F

    4. B

    5. True
