Proofpoint Messaging Security Gateway Virtual Edition Installation Guide Release 6.3 Proofpoint, Inc. 892 Ross Drive Sunnyvale, CA 94089 www.proofpoint.com


  • Proofpoint Messaging Security Gateway™ Virtual Edition Installation Guide

    Release 6.3

    Proofpoint, Inc.
    892 Ross Drive
    Sunnyvale, CA 94089
    www.proofpoint.com

  • Website: www.proofpoint.com
    Toll-free telephone: 1-877-64POINT
    Technical support: https://support.proofpoint.com

    Proofpoint Messaging Security Gateway Virtual Edition Installation Guide
    March 2011
    Revision A

  • Proofpoint Protection Server

    Copyright and Trademark Notices

    The Proofpoint Protection Server is proprietary software licensed to you for your internal use by Proofpoint Inc. This software is © Copyright 2002 - 2011 Proofpoint Inc. The copying, modification or distribution of the Proofpoint Protection Server is subject to the terms of the Proofpoint Software License, and any attempt to use this software except under the terms of that license is expressly prohibited by U.S. copyright law, the equivalent laws of other countries, and by international treaty.

    Proofpoint and Proofpoint Protection Server are trademarks of Proofpoint Inc.

    McAfee is a registered trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. Virus Scanning capabilities may be provided by McAfee, Inc. Copyright © 2011 McAfee, Inc. All Rights Reserved.

    F-Secure Anti-Virus Copyright © 1993-2011, F-Secure Corp.

    VMware, the VMware “boxes” logo, GSX Server, ESX Server, Virtual SMP, VMotion and VMware ACE are trademarks (the “Marks”) of VMware, Inc.

    Voltage and Secure Messaging are registered trademarks of Voltage Security, Inc. Copyright © 2003-2011 Voltage Security, Inc. All Rights Reserved.

    Apache 2.2 licensing information is available at http://www.apache.org/licenses.

    Perl (Practical Extraction and Report Language) is copyrighted by Larry Wall. It is free software and it is redistributed by Proofpoint under the terms of the “Artistic License” that comes with the Perl Kit, Version 5.0. Source is available at http://www.perl.com.

    Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England. Source is available at ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/.

    Some database support in this solution is provided by MySQL. Copyright © 1997, 2011, Oracle and/or its affiliates. All rights reserved.

    Copyright © 1986 - 1993, 1998, 2004 Thomas Williams, Colin Kelley

    Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.

    Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you

    1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries,
    2. add special version identification to distinguish your version in addition to the base release version number,
    3. provide your name and address as the primary contact for the support of your modified version, and
    4. retain our contact information in regard to use of the base software.

    Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted with same provisions 2 through 4 for binary distributions.

    This software is provided "as is" without express or implied warranty to the extent permitted by applicable law.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
    3. Neither the name of the developer nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE DEVELOPER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE DEVELOPER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Portions of this software are Copyright © 1996-2002 The FreeType Project (www.freetype.org). All rights reserved.

    Additional graphical © support is provided by libgd:

    Portions copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc.

  • Portions relating to GD2 format copyright © 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright © 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright © 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright © 2001, 2002 John Ellson Portions relating to JPEG and to color quantization copyright © 2000, 2001, 2002, Doug Becker and copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright © 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. “Derived works” includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

    This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

    zlib.h – interface of the “zlib” general purpose compression library version 1.2.2, October 3rd, 2004

    Copyright © 1995-2004 Jean-loup Gailly and Mark Adler

    This software is provided “as-is”, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

    Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

    1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
    2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
    3. This notice may not be removed or altered from any source distribution.

    Jean-loup Gailly [email protected]
    Mark Adler [email protected]

    Unifont copyright Paul Hardy of Unifoundry.com ([email protected]) released under the terms of the GNU General Public License (GNU GPL) version 2.0.

    Tomcat, Log4j, Apache CXF – Apache Copyright © 1999-2011 Apache Software Foundation

    Java JRE, JDK, JavaMail, Sun JavaServerFaces – Copyright © 1997, 2011, Oracle and/or its affiliates. All rights reserved.

    JBoss RichFaces – Copyright Red Hat ®. Red Hat is a registered trademark of Red Hat, Inc.

    Copyright © 2011 Sendmail, Inc. All Rights Reserved.

    Proofpoint gratefully acknowledges contributions of the open source community to the Proofpoint Protection Server. References to open source software used with the Proofpoint Protection Server are collected into a single repository which can be found in the installed Proofpoint Protection Server package in src/opensource/OPENSOURCE. That repository, consisting of the contributions from open source projects – but not including the proprietary Proofpoint Protection Server software referred to above – is a collective work that is © Copyright 2002 - 2011 Proofpoint Inc. You will find in this repository copies of the source code, or references of where to find, every open source program not referenced in this copyright notice, that was used in the Proofpoint Protection Server.

    Copyright © 2005, Google Inc. All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
    • Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Copyright © 1996 - 2010, Daniel Stenberg, . All rights reserved.

    Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

    Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

    Copyright © 2011. Proofpoint, Inc. All rights reserved. PROOFPOINT is a trademark of Proofpoint, Inc. All other product names and brands are the property of their respective owners.

  • Release 6.3 Virtual Appliance Installation Guide 7

    Preface

    This Installation Guide describes how to set up and configure the Proofpoint Messaging Security Gateway Virtual Edition (virtual appliance). It is intended for personnel responsible for installing and implementing enterprise-wide messaging applications. Refer to Proofpoint Help for instructions on configuring and managing the virtual appliance and the Proofpoint Protection Server software.

    Conventions

    This book uses the following typographic conventions:

    • New terms and book titles appear in italic type.
    • Text that you type is shown in bold courier font.
    • Names of buttons, links, and interface elements appear in this font.
    • Text that appears on the screen is shown in courier font.
    • Names of keys on the keyboard appear with initial capitalization, such as the Enter key.
    • Simultaneous keystrokes are joined with a hyphen. For example, “Press Alt-a.”
    • Consecutive keystrokes are joined with a plus sign (+). For example, Esc+m.

    Documentation Feedback

    Please send your comments and feedback about this manual via email to [email protected]. Proofpoint strives to produce high-quality and technically accurate documentation. Include the name of the document and the revision date with your email. Your feedback is greatly appreciated and will help us maintain our high standards for our product documentation.

    Contents

    Preface
        Conventions
        Documentation Feedback

    Chapter 1 – Introduction
        Product Overview
        Installation Overview

    Chapter 2 – System Requirements and Downloads
        Deployment Scenarios
        Supported VMware Servers
        System Requirements for the Host
            Minimum System Requirements
            Recommended System Requirements
            Performance Considerations
                CPU
                BIOS
                Storage
        Network Information
        Ports
        Memory Requirements
        Virtual Appliance Downloads
            For Virtual Appliance on VMware ESX Servers
            For Virtual Appliance on VMware Server

    Chapter 3 – VMware ESX Servers

    Chapter 4 – VMware Server Installation
        VMware Server Performance Tuning
            VMware Console
            Background Desktop Anti-virus Scanning
            Virtual Appliance and Power Options
            Upgrading from a Previous Release

    Chapter 5 – Starting the Virtual Appliance
        Provide the Network Settings

    Chapter 6 – Welcome
        Inject Email Provided by Proofpoint
        Forward Email from a POP Account
            Disabling Email Forwarding from a POP Account
        Upload Your Own Email Corpus
        Appliance > Inbound Mail Tab

    Chapter 1 Introduction

    A common problem facing most email administrators and end users today is the growing proliferation of spam and viruses. The flood of such unwanted email sent by spammers and hackers has large cost implications for corporate organizations. The unwanted traffic results in lowered productivity and consumes valuable IT resources. This impact is particularly severe for businesses that maintain in-house email servers and have limited administrative resources.

    The Proofpoint Messaging Security Gateway Virtual Edition (virtual appliance) offers all of the same anti-spam, anti-virus, encryption, data privacy, and intellectual property leak prevention features found in Proofpoint’s physical appliances in an easy-to-deploy VMware Server or ESX Server. The benefits from virtualization include cost savings, rapid deployment and provisioning, and simplified change management.

    This Installation Guide is for administrators who want to license and deploy the virtual appliance in a production environment, or for administrators who are already familiar with the benefits of virtualization, who are already using VMware products, and are adding one or more virtual appliances to a VMware host.

    Product Overview

    The table in this section presents the differences between the trial version and full version of the virtual appliance and appliance. The supported platforms, system requirements, and features differ between the versions.

    See “System Requirements for the Host” on page 16 for more detailed information.

    | Details/Features | Trial version on VMware Server | Full version on VMware Server | Full version on VMware ESX Server | Full version on Messaging Security Gateway Appliance |
    |---|---|---|---|---|
    | How to obtain | Proofpoint web site | Proofpoint field engineer | Proofpoint field engineer | Proofpoint field engineer |
    | How software is packaged | zip archive | zip archive | ISO image | pre-installed |
    | Can use for evaluation? | Yes | Yes | Yes | Yes |
    | Can use for production email stream? | No | No | Yes | Yes |
    | Master/agent support | No | Yes | Yes | Yes |
    | Spam and virus filtering modules | Yes | Yes | Yes | Yes |
    | Regulatory Compliance Module | No | Yes | Yes | Yes |
    | Digital Assets Module | No | Yes | Yes | Yes |
    | ICAP filtering | No | Yes | Yes | Yes |
    | Proofpoint Encryption | No | Yes | Yes | Yes |
    | Requires activation ID from Proofpoint | Yes | Yes | Yes | Yes |
    | Upgrade path | None | None | Yes | Yes |
    | System Requirements | | | | |
    | RAM | 3 GB | 3 GB (agent), 4 GB (master) | 3 GB (agent), 4 GB (master) | Pre-installed |
    | Disk space | 20 GB | 40 GB (agent), 80 GB (master) | 40 GB (agent), 80 GB (master) | Pre-installed |
    | CPU | 2 | 2 | 2 | Pre-installed |


    Installation Overview

    If you have been using the trial version of the virtual appliance, you need to contact Proofpoint in order to obtain the full version of the virtual appliance. After obtaining your login and password from Proofpoint, you need to download and install the full version of the virtual appliance software.

    In summary, you will follow this procedure to install the virtual appliance software:

    • Click the link provided on page 19 to download the virtual appliance software.
    • Install the software on the host server.
    • Start the virtual appliance and configure the network settings.

    In this Installation Guide, the VMware server is referred to as the host, and the virtual appliance software is referred to as the guest.


    Chapter 2 System Requirements and Downloads

    Deployment Scenarios

    The virtual appliance can be deployed as a stand-alone solution, or it can be deployed in a cluster, where several virtual appliances work together to distribute the processing load or provide dedicated services. For example, when deployed in a cluster, one virtual appliance is designated as the master, and the other virtual appliances are designated as agents. The master provides centralized administration, maintains the Quarantine, the User Repository, the log database, and generates Digests for the user community. The agents can be dedicated to filtering and relaying email for the organization.

    There are many advantages to deploying a cluster of virtual appliances: load balancing, redundancy, and scaling, to name a few. If your organization includes locations that are geographically dispersed, it is advantageous to deploy virtual appliances as agents at each location. Agents automatically synchronize with the master appliance so that all virtual appliances in a cluster have the same configuration settings and filtering rules. Each agent in a cluster maintains its own Quarantine and log files, which are also sent to the master virtual appliance on a frequent, periodic basis. You can deploy a cluster that includes both virtual appliances and hardware appliances – they can be mixed in the same cluster.

    Administrators must consider several factors to determine how many virtual appliances they need to deploy. Proofpoint Professional Services can assist you in this decision process. The following list describes some of the many factors to consider:

    • Number of email messages received per day.
    • Number of users for which a Digest is generated and distributed.
    • Spam policies – messages that score 80 and above for spam (definite spam) can be either discarded or quarantined.
    • Message size – email messages that include large attachments require more processing time.
    • Failover and redundancy.
    • Geographic distribution.

    Supported VMware Servers

    References to VMware Servers in this document apply to the VMware Server 2.0.0.

    References to ESX Servers in this document apply to ESX 4.0, ESXi 4.0, ESX 4.1, and ESXi 4.1 servers.


    System Requirements for the Host

    The information in this section applies to the VMware Server and the VMware ESX Server hosts.

    The virtual appliance (guest) requires a minimum amount of RAM and available disk space on the host. Verify that the host server exceeds the minimum requirements for RAM and available disk space so that the guest can run on the host. Refer to the “Network Information” on page 18 and “Ports” on page 18 for the additional information you will need for a successful deployment.

    Although there are many unique deployment scenarios and email traffic can vary widely among different organizations, you can use the following guidelines to allocate system resources.

    Minimum System Requirements

    If your deployment:

    • contains less than 3000 users
    • quarantines less than 1 million messages per day
    • and does not support the End User Web Application,

    the minimum system requirements are:

    |            | Master          | Agent           |
    |------------|-----------------|-----------------|
    | RAM        | 4 GB            | 3 GB            |
    | CPU        | 2 CPUs          | 2 CPUs          |
    | Disk Space | 80 GB available | 40 GB available |

    Recommended System Requirements

    If your deployment:

    • contains more than 3000 users
    • quarantines more than 1 million messages per day
    • and supports the End User Web Application,

    the minimum system requirements are:

    |            | Master           | Agent           |
    |------------|------------------|-----------------|
    | RAM        | 6 GB             | 4 GB            |
    | CPU        | 2 CPUs           | 2 CPUs          |
    | Disk Space | 150 GB available | 60 GB available |

    For example, if you install a cluster of one master and two agent virtual appliances on the VMware host, you need 12 GB of RAM, 6 CPUs, and 240 GB of disk space for a successful cluster deployment.

    Important: If the host server has ample memory and disk space, Proofpoint recommends that you increase the allocated RAM and disk space for the virtual appliance to improve performance and allow for a larger Quarantine.

    Performance Considerations

    The Proofpoint virtual appliance is extremely I/O intensive and has unique performance requirements compared to other common virtual servers such as DNS servers, databases, or mail servers. Even when idle (not filtering email messages), the Proofpoint virtual appliance memory usage will remain high and CPU usage can spike above 90% at times. This is normal behavior.

    This section includes recommendations to ensure maximum performance in your virtual environment.

    For more information about performance recommendations, refer to the document Best Practices for VMware vSphere 4.1 from the VMware site: http://www.vmware.com/resources/techresources/10161.

    CPU

    Allocating more than 2 CPUs will result in performance degradation.

    All processors must support hardware-assisted virtualization instructions. Newer instructions are highly recommended (Intel VT-d and EPT, AMD AMD-Vi and RVI) although first-generation instructions are acceptable (Intel VT-x and AMD AMD-V).

    Do not use CPU Affinity when using hyper-threading.

    BIOS

    Ensure the following parameters are enabled if the processors support them:

    • Turbo Mode
    • Hyper-Threading
    • Hardware-assisted virtualization features such as VT-x, AMD-V, EPT, and RVI

    Ensure the following parameters are disabled:

    • C1E halt state (if Turbo is enabled)
    • All power-saving options. Power options should be set to high-performance mode. The default values shipped with hardware are often power-saving settings – these settings can degrade performance considerably.

    Storage

    Using “Thin Disk Provisioning” is not recommended when running the virtual appliance in a production environment.

    When possible, Proofpoint recommends using local storage for the most consistent I/O performance.


    Storage provisioned (local or SAN) for use with VMware is often configured with RAID 5 by default. A RAID 5 configuration is not suitable for the high I/O rates needed by the Proofpoint virtual appliance. Proofpoint recommends a RAID 1+0 (or similar) configuration.

    The paravirtualized SCSI adapter is not currently supported by the Proofpoint virtual appliance.

    When using Electronic Flash Drives (EFDs) in your storage environment, read and write caching should be disabled for best performance.

    Network Information

    Enter the appropriate information in the following table – you will be prompted to provide this information in the VMware Server or VMware ESX Server console when you install the virtual appliance. If you install a cluster of virtual appliances, you need the information in the table for each virtual appliance.

    Table 1. Network Settings

    |  | Default Settings | Your Settings |
    |---|---|---|
    | IP Address | 192.168.80.80 | |
    | Netmask | 255.255.255.0 | |
    | Hostname (Must correspond to the DNS entry for the IP address for the virtual appliance.) | None | |
    | Domain (The domain for the virtual appliance.) | None | |
    | Gateway | 192.168.80.1 | |
    | Primary DNS | 204.127.129.1 | |
    | Secondary DNS (Optional.) | None | |

    You will also need your Proofpoint Activation ID.

    Ports

    Several ports need to be open on the virtual appliance for a successful deployment. This information is documented in the Proofpoint Product Family Pre-Installation Requirements sheet. You can download the document from the Proofpoint CTS site:

    https://support.proofpoint.com/Documentation/Release 6.3.0/Pre Install Requirements.pdf
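A pre-installation check of the Table 1 network settings for each appliance in a cluster, as an added example that is not Proofpoint's code. The function names, dictionary keys, and the sample addresses and hostnames are assumptions constructed for illustration; only the shipped defaults come from the table.

```python
import ipaddress
import socket

# Defaults printed in Table 1 of the guide.
SHIPPED_DEFAULTS = {
    "ip": "192.168.80.80",
    "netmask": "255.255.255.0",
    "gateway": "192.168.80.1",
    "primary_dns": "204.127.129.1",
}


def dns_lookup(fqdn):
    """Default resolver: IPv4 addresses the local resolver returns for fqdn."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except OSError:
        return []


def check_appliance(s, resolve=dns_lookup):
    """Return a list of problems in one appliance's settings (empty if none)."""
    try:
        iface = ipaddress.IPv4Interface(f"{s.get('ip')}/{s.get('netmask')}")
        gateway = ipaddress.IPv4Address(s.get("gateway"))
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    problems = []
    net = iface.network
    # Network and broadcast addresses are not usable hosts (skip /31 and /32).
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"ip {iface.ip} is the network or broadcast address of {net}")
    if gateway not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    elif gateway == iface.ip:
        problems.append("gateway is the appliance's own address")
    # Primary DNS is needed; the table marks only the secondary as optional.
    for key in ("primary_dns", "secondary_dns"):
        value = s.get(key)
        if not value:
            if key == "primary_dns":
                problems.append("primary_dns is not set")
            continue
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{key} {value!r} is not an IPv4 address")
    # Table 1: the hostname must correspond to the DNS entry for the IP address.
    host, domain = s.get("hostname"), s.get("domain")
    if not host or not domain:
        problems.append("hostname and domain must be set (no default is shipped)")
    else:
        fqdn = host if host.endswith("." + domain) else f"{host}.{domain}"
        if str(iface.ip) not in resolve(fqdn):
            problems.append(f"{fqdn} does not resolve to {iface.ip}")
    # A value left at the shipped default may be a field nobody filled in.
    for key, default in SHIPPED_DEFAULTS.items():
        if key != "netmask" and s.get(key) == default:
            problems.append(f"{key} is still the shipped default {default}; confirm it is intended")
    return problems


def check_cluster(appliances, resolve=dns_lookup):
    """Check every appliance and flag IP addresses assigned more than once."""
    report = {name: check_appliance(s, resolve) for name, s in appliances.items()}
    seen = {}
    for name, s in appliances.items():
        first = seen.setdefault(s.get("ip"), name)
        if first != name:
            report[name].append(f"ip {s.get('ip')} is also assigned to {first}")
    return report


# Constructed sample data: one master and two agents, plus a fake DNS zone.
SAMPLE_DNS = {
    "pps-master.example.com": ["10.20.30.10"],
    "pps-agent1.example.com": ["10.20.30.11"],
    "pps-agent2.example.com": ["10.20.30.12"],
}
SAMPLE_CLUSTER = {
    "master": {"ip": "10.20.30.10", "netmask": "255.255.255.0", "gateway": "10.20.30.1",
               "hostname": "pps-master", "domain": "example.com", "primary_dns": "10.20.30.53"},
    # agent1 was left at the shipped defaults although DNS says 10.20.30.11.
    "agent1": {"ip": "192.168.80.80", "netmask": "255.255.255.0", "gateway": "192.168.80.1",
               "hostname": "pps-agent1", "domain": "example.com", "primary_dns": "204.127.129.1"},
    # agent2 has a gateway on the wrong subnet.
    "agent2": {"ip": "10.20.30.12", "netmask": "255.255.255.0", "gateway": "10.20.31.1",
               "hostname": "pps-agent2", "domain": "example.com", "primary_dns": "10.20.30.53"},
}


def sample_resolve(fqdn):
    """Offline stand-in for DNS, backed by the constructed zone above."""
    return SAMPLE_DNS.get(fqdn, [])


if __name__ == "__main__":
    for name, problems in check_cluster(SAMPLE_CLUSTER, sample_resolve).items():
        print(name, "OK" if not problems else problems)
```

Called without the `resolve` argument, `check_cluster` queries the resolver of the machine it runs on, so run it from a host that uses the same DNS servers the appliances will.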

    Memory Requirements

    Additional memory is required for certain services or when you enable additional modules. This information is documented in the Proofpoint Release Notes. You can download the Release Notes from the Proofpoint CTS site:

    https://support.proofpoint.com/Documentation/Release 6.3.0/Release Notes.pdf

    Virtual Appliance Downloads

    This section provides the links to the software downloads from the Proofpoint CTS site.

    Note: If you copy and paste the links in a browser, you may see unexpected results. Instead, click the links in this document to access the Proofpoint CTS download site.

    Every download prompts you for your CTS login and password.

    For Virtual Appliance on VMware ESX Servers

    The ISO image contains the appliance software and operating system, and is available for download from the Download Area on the Proofpoint CTS site.

    You will be prompted to provide your CTS login and password, and to save the images in a directory on your hard drive.

    ISO image for ESX servers:

    https://support.proofpoint.com/download/6.3.0.356_Appliance_Mfg_Install/6.3.0.356-6.3.0.323-combined-Proofpoint.iso

    For Virtual Appliance on VMware Server

    Navigate to the following URL to download the zip archive:

    https://support.proofpoint.com/download/6.3.0.356_VMWare_Images/pps-6.3.0.356-323.zip

    Follow these steps to unzip the archive:

    1. You will be prompted to save the archive to a location on your hard disk drive.
    2. Navigate to the directory where you saved the zip archive after downloading it.
    3. Extract the files in the archive to a location on your hard drive. The extraction creates the directory pps-6.3.0.356-323 for the files.

    Note: You can evaluate the full version of the virtual appliance on a VMware Server. If you decide to deploy the virtual appliance in a production environment, you will need to install the virtual appliance on a VMware ESX Server.


    Chapter 3 VMware ESX Servers

    This chapter describes the procedure for installing the ISO image for the virtual appliance on ESX servers. For the download link, see “For Virtual Appliance on VMware ESX Servers” on page 19.

    Install the virtual appliance software:

    1. Verify the ISO files are available on the client machine where the Virtual Infrastructure Client is located.
    2. Start the Virtual Infrastructure Client (VC) and log in to the VC or ESX server.
    3. Right-click the system on which you are going to install the virtual guest and select New Virtual Machine.
    4. Select Custom, then click Next.
    5. Give the virtual guest a name. (Suggestion: Proofpoint_virtual_master.)
    6. Select a datastore. Highlight the datastore and click Next.
    7. For Virtual Machine Version, select Virtual Machine Version: 7.
    8. Set the Guest Operating System to Linux and Version to Red Hat Enterprise Linux 4 (32 bit).
    9. Select 2 for the number of virtual processors (CPUs), then click Next.
    10. Allocate the appropriate amount of RAM per the system requirements on page 16. If you have more memory available, use a larger number for better performance.
    11. Create the appropriate NICs for the network configuration. All must be set to the type Flexible. Click Next.
    12. Use the default LSI Logic Parallel settings for the SCSI controller. Click Next.
    13. When you create a disk for production, the Allocate and commit space on demand (Thin Provisioning) check box should be cleared (not checked). Click Next.
    14. Change the Disk Capacity to the appropriate amount per the system requirements on page 16. If you have more disk space available, and anticipate the virtual appliance will be filtering a large volume of email, use a larger number. The disk space is used to store the Quarantine, log files, and User Repository.
    15. You can use the default settings for Advanced Options.
    16. Review your settings, and then click Finish.

    Store the images on the datastore to make them available for installation. Create a directory and download the ISO image:

    1. Click the Configuration tab for the system.
    2. Click Storage in the Hardware pane.
    3. Double-click the storage partition.
    4. Create a folder for the ISO image.
    5. Go to the ISO directory you created and upload the ISO image there.

    Configure the hardware:

    1. Select the virtual guest and click Edit Settings.
    2. Click CD/DVD Drive 1, then select Datastore ISO file.
    3. Click Browse. Select the ISO file 6.3.0.356-6.3.0.323-combined-Proofpoint.iso.
    4. Select Connect at power on.
    5. Click the Options tab and select VMware Tools.
    6. Ensure the Stop option is set to Shut Down Guest.
    7. Click OK.
    8. Click Power On.
    9. Click the Console tab to watch the installation progress. This process will take 5-10 minutes.
    10. The system will reboot when you see the “dismounting cdrom” message.

    Disconnect the CD image:

    1. Select the virtual guest and click Edit Settings.
    2. Click the Hardware tab.
    3. Click Host device. Click CD/DVD Drive 1. For Device status, clear the Connected and Connect at power on check boxes.
    4. Click OK.

    After the reboot completes, go to “Starting the Virtual Appliance” on page 25 to start the virtual appliance and configure the network settings.


    Chapter 4 VMware Server Installation

    You can evaluate the full version of the virtual appliance on a VMware Server. However, if you decide to deploy the virtual appliance in a production environment you will need to install the virtual appliance on a VMware ESX Server. Proofpoint does not support the virtual appliance in a production environment on a VMware Server.

    Follow these steps to install the virtual appliance software:

    1. Start the VMware Server application.
    2. In the VMware console, power on the virtual appliance by navigating to the pps-6.3.0.356-323 folder. Select the pps-6.3.0.356-323.vmx file.
    3. You will see files scrolling in the VMware console as the virtual appliance starts up. This process can take several minutes. (The active disk drive icon in the Server console will give you a visual clue that the process is indeed taking place.)

    Note: Use Ctrl-Alt to regain control of the mouse when you are working in the VMware console.

    See “VMware Server Performance Tuning” in this chapter to optimize the virtual appliance performance on VMware Server, then go to “Starting the Virtual Appliance” on page 25 to configure the network settings for the virtual appliance.

    VMware Server Performance Tuning

    The next sections describe tips and tricks to enhance the performance of the virtual appliance.

    VMware Console

    You can make a few tuning changes to the VMware Server Console that will greatly enhance the performance of the virtual appliance.

    1. In the VMware Server Console, click Host, then Settings.
    2. Click the Memory tab.
    3. Under Additional Memory, select Fit all virtual machine memory into reserved host RAM.
    4. When you run the virtual appliance, if you have only 1 GB of RAM, you will be prompted to adjust the memory of the virtual machine to approximately 680 MB.
    5. When you run the virtual appliance, if you do not have 2 CPUs on the host system, you will be prompted to change the configuration to 1 processor.

    Note: You will notice downgraded performance for the virtual appliance if you do not have the recommended memory and CPUs on the host system allocated to the virtual appliance.


    Background Desktop Anti-virus Scanning

    If you are running anti-virus scanning software in the background on the same host server where you are running the virtual appliance, and the anti-virus scanning software is intercepting all Web or email traffic, you will see a performance decline in the virtual appliance. If you experience slow performance, please check that the anti-virus software is not scanning your disk while you run the virtual appliance within VMware.

    Virtual Appliance and Power Options

    If you see SCSI timeout or reset messages, you need to change the power settings on the host.

    Using the Control Panel, go to Power Options, and set Turn off hard disks to Never.

    Upgrading from a Previous Release

    If you are already running a version of the virtual appliance on a VMware Server, please contact Proofpoint Technical Support to upgrade to the current release.


    Chapter 5 Starting the Virtual Appliance

    This chapter applies to the VMware Server and VMware ESX Server hosts. After downloading and installing the virtual appliance software on the host you need to start it, change the admin password, and provide the network configuration settings to complete the installation.

    Provide the Network Settings

    The following steps are the same for each host (VMware Server and VMware ESX servers) after you have started the virtual appliance on the console.

    1. You will be prompted for a login and password in the VMware console. Use admin for the login and password for the password.

    2. When the Change Admin Password console appears, change the administrator password – the password must contain a minimum of seven characters and requires one number and one special character.

    3. When the Change Network Settings console appears, select Yes. You will be prompted to enter the networking information for the virtual appliance. Use the settings from the Your Settings column in Table 1 on page 18. It may take a few minutes to apply the settings.

    4. When the Main Menu console appears, enter 1 if you want to change any network settings that you entered in Step 3. Otherwise, enter 4 to log out of the Main Menu console.

    5. When you have finished entering the console settings, press Ctrl-Alt to regain control of the mouse and launch a browser (Internet Explorer or Mozilla Firefox).

    6. Using the IP address or hostname you entered in Step 3, point the browser to the URL https://Your_Settings_IP_address:10000, or https://virtual_appliance_hostname:10000. Accept the certificate when prompted.

    7. You should now see the Proofpoint login screen in the browser. Enter admin for the Login and the password that you set up in Step 2.

    8. You should now see the management interface for the Setup Assistant Guide for the virtual appliance in the browser. Follow the steps in the Setup Assistant Guide to finish configuring the virtual appliance. You must provide the required information (shown with a red asterisk) in each step before you can proceed to the next step. You must enter your Activation ID from Proofpoint in order to receive updates for the spam, virus, Zero-Hour, and Regulatory Compliance filtering engines. You already entered most of these settings in Step 3 above.

    9. When you are done entering the settings in the Setup Assistant Guide, click the Finish button to validate the network settings.


    Chapter 6 Welcome

    If you downloaded the trial version of the virtual appliance or you have evaluated a full version of the virtual appliance, you probably already injected email messages into the virtual appliance and you can skip this chapter.

    New customers can use the Evaluation tabs in the management interface to immediately see the power and benefits of the virtual appliance.

    There are several ways to inject email into the virtual appliance to test how it filters email and quarantines messages that contain a virus or are designated as spam. The Evaluation page provides these methods to get started immediately:

    • Inject a corpus of email provided by Proofpoint.
    • Forward email to the virtual appliance from a POP account.
    • Inject your own corpus of email.

    Inject Email Provided by Proofpoint

    Click the Filter included email collection icon to inject a corpus of email messages provided by Proofpoint into the virtual appliance.

    Enter your email address into the Recipient Email Address field so that your email address is added to the User Repository and you can receive a sample User Digest. The User Digest lists the messages addressed to you that have been quarantined because they contain spam.

    Click Start to begin injecting email messages.

    When the message injection process finishes, click Quarantine > Messages in the navigation pane to view the messages in the Quarantine.

    Note: You need to wait at least one hour before you can create reports.

    Be sure to check your email account for the User Digest – sent to you by the virtual appliance – the Digest contains a list of the messages in the Quarantine that are addressed to you. (The Digest is sent to the email account that you entered into the Recipient Email Address field.)

    Forward Email from a POP Account

    You can set up email forwarding directly from your personal POP account to the virtual appliance for filtering. All email messages directed to your personal POP account (for example, [email protected], or [email protected]) are forwarded to the virtual appliance first, filtered, then delivered to the email address that you specify for forwarded email.

    Note: Some ISPs charge you for email forwarding.

    You need the following information:

    • The name of the mail server for your POP account.
    • The user name and password for your POP account.
    • Some POP accounts require the port number and whether or not the server requires SSH for communication.
    • A new address to which forwarded email messages will be sent.

    Click the Filter emails from any POP account icon to forward your email messages from your POP account to the virtual appliance for filtering. Follow the instructions on the page. Be sure to provide a new email address in the Forward email address field (not the same one you use for your POP account).

    You can create more than one email forwarding profile. For example, if you have several different POP accounts, you can create a forwarding profile for each one.

    Disabling Email Forwarding from a POP Account

    If you have more than one email forwarding profile, you can disable all of them at once. Follow these steps:

    1. Log in to the virtual appliance.
    2. Click the Users link under Groups and Users in the navigation pane.
    3. In the User List, click the entry for your email address to see the Attributes pop-up window.
    4. Click the POP3 Forwarder tab in the Attributes pop-up window.
    5. Select No for the Enable Forwarder attribute.
    6. Click Save Changes.

    Follow these steps to disable email forwarding from a specific POP account:

    1. Log in to the virtual appliance.
    2. Click the Users link under Groups and Users in the navigation pane.
    3. In the User List, click the entry for your email address to see the Attributes pop-up window.
    4. Click the POP3 Forwarder tab in the Attributes pop-up window.
    5. Select the name of the profile you want to disable.
    6. Click the Off radio button for the Enable parameter.
    7. Click Save Changes.

    If several users in your organization have email forwarding profiles, you can disable all of the profiles at once by changing a Global attribute. Follow these steps:

    1. Log in to the virtual appliance, and be sure you are in the Advanced mode so you see all of the links in the navigation pane.

    2. Click Global under Groups and Users in the navigation pane.
    3. Click the POP3 Forwarder tab and select No for the Enable Forwarder attribute.
    4. Click Save Changes.


    Upload Your Own Email Corpus

    You can inject your own corpus of email messages into the virtual appliance. To do this, you must first create a zip archive that contains a collection of email messages in RFC 822 format.

    Before you create the zip archive, you should “clean up” the email headers in the corpus. For example, if the messages are addressed to no legitimate recipients, or to multiple recipients, that information is stored in the Quarantine along with the message. If you release a message from the Quarantine, or send Digests to all recipients who have messages in the Quarantine, you can potentially generate countless email bounces.
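One way to do the header clean-up described above before building the zip archive, as an added example that is not part of the Proofpoint guide or product. The list of headers treated as recipient-bearing, the test address quarantine-test@example.com, and the sample messages are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.utils import getaddresses

# Assumed list of headers that can carry real addresses (recipients, receipts).
RECIPIENT_HEADERS = (
    "To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc",
    "Delivered-To", "X-Original-To", "Envelope-To",
    "Disposition-Notification-To", "Return-Receipt-To",
)

# Constructed sample corpus (file name -> raw message); not real mail.
SAMPLE_CORPUS = {
    "msg1.eml": b"From: sender@mail.example\n"
                b"To: alice@corp.example, bob@corp.example\n"
                b"Cc: carol@partner.example\n"
                b"Disposition-Notification-To: sender@mail.example\n"
                b"Subject: Q3 report\n\nQuarterly numbers attached.\n",
    "msg2.eml": b"From: promo@bulk.example\n"
                b"To: undisclosed-recipients:;\n"
                b"Subject: Limited offer\n\nClick now.\n",
}

def recipients_in(raw):
    """Return the set of addresses found in any recipient header."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    values = [v for h in RECIPIENT_HEADERS for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def sanitize_message(raw, test_recipient):
    """Drop every recipient header and address the message to one test user."""
    # Reject anything that is not a single bare address (blocks header injection).
    if test_recipient.count("@") != 1 or any(c in test_recipient for c in "\r\n,;<> "):
        raise ValueError("test_recipient must be one bare address")
    msg = message_from_bytes(raw, policy=policy.compat32)
    for name in RECIPIENT_HEADERS:
        del msg[name]  # removes all occurrences; no error if the header is absent
    msg["To"] = test_recipient
    return msg.as_bytes()

def build_corpus_zip(messages, test_recipient):
    """Sanitize each message and return the bytes of a zip archive of them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(messages):
            zf.writestr(name, sanitize_message(messages[name], test_recipient))
    return buf.getvalue()

if __name__ == "__main__":
    archive = build_corpus_zip(SAMPLE_CORPUS, "quarantine-test@example.com")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            print(name, sorted(recipients_in(zf.read(name))))
```

Running recipients_in over every member of the finished archive confirms that the test address is the only one left before the corpus is uploaded.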

    Click the Upload and filter your emails icon to inject your own corpus of messages into the virtual appliance.

    You can optionally change the recipient address for the messages in your zip archive (recommended). For example, if you enter your email address into the Recipient email address field, the messages injected into the Quarantine from your corpus will be addressed to you, and show up in your Digest.

    Appliance > Inbound Mail Tab

    Click the Inbound Mail tab under Appliance in the navigation pane to configure the virtual appliance to accept and filter inbound email for your organization. Click the Help link in the upper-right corner for detailed instructions.
