Defender WebMail. Installation and Configuration Guide. Version 5.6

Author: Jemimah Kelly
Defender WebMail Installation and Configuration Guide

Version 5.6 November 2010

Defender WebMail

©2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com email: [email protected] Refer to our Web site for regional and international office information.

TRADEMARKS Quest, Quest Software, the Quest Software logo and iToken are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.

Disclaimer The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Defender WebMail Installation and Configuration Guide Updated – November 2010 Software Version - 5.6


Contents

What is Defender WebMail?
    E-mail Access Protocol
Before Installing Defender WebMail
Upgrading Defender WebMail
Installing a Certificate
    Adding a Trusted CA Certificate
    How to create a PKCS#7 formatted certificate file
Using Defender WebMail
Changing the Defender WebMail Configuration
Defender WebMail Pre-installation Checklist


What is Defender WebMail?

Defender WebMail allows remote users to securely access their corporate e-mail over the web. It provides a link between remote users on the Internet, a corporate e-mail system and a Defender system. Quest recommends that the WebMail Relay Server component is installed in your corporate DMZ. Remote users will communicate through the WebMail Relay Server to access their e-mail. The WebMail Relay Server will accept access requests from remote users over the web and forward them to the Defender system for authentication. If authentication is successful, the WebMail Relay Server will securely pass the information to the internal e-mail web server.

[Figure: network diagram. Labels: Remote Users, Internet, WebMail Relay Server, DMZ, Defender Management Console, Defender Security Server(s), E-mail Web Server, E-mail System (eg. Exchange)]

E-mail Access Protocol

During the installation procedure, you can configure the WebMail Relay Server (WebRelay) to use SSL (https) for added security. If you choose to use SSL, WebMail automatically runs a re-direct service on http to ensure that all requests entered by the user are re-directed to https, even if the user types http.


Before Installing Defender WebMail

This section describes the information you need to gather and the actions to perform before you install Defender WebMail. All of the items described below are summarized in a checklist at the end of this document. Print a copy of the checklist to fill in as you work through the following steps. When you have completed the checklist, the installation procedure will be very easy.

1. E-mail Access Protocol (checklist item 1)

Do you want your end-users to establish an SSL connection over the Internet to connect to the WebMail Relay Server and collect their e-mail? Quest recommends that you use an SSL connection as this adds security to the system. If SSL is employed, you must install a server certificate on your WebMail Relay Server. The installation procedure will help you generate the certificate request (see 3 below). SSL uses the HTTPS protocol. If SSL is not employed, the HTTP protocol is used.

Note: If possible, ask your certificate provider to supply your certificate in PKCS#7 format. If your certificate is supplied in X.509 format, refer to How to create a PKCS#7 formatted certificate file on page 17.

[Figure: SSL connection across the Internet to the WebMail Relay Server]

2. Name of the WebMail Relay Server (checklist item 2)

You need to know the fully qualified domain name (public address) of the WebMail Relay Server located in the DMZ.

[Figure: Internet to WebMail Relay Server, with the example name webmail.mydomain.com]

3. Certificate Information (checklist items 3 and 7)

If you chose to use SSL in step 1, you will be prompted to enter the following information during the WebMail installation procedure. If you are not using SSL, go to step 4.

Organization: your company name
Organizational Unit: your department name
Locality: town or city where your company is located
State or Province: state, province or county where you are located
Country: your two character country code as defined in ISO 3166-1 (see http://www.iso.org/iso/country_codes/iso_1366_code_lists/english_country_names_and_code_elements.htm)


4. URL of E-Mail Web Server (checklist items 8 through 10)

You need to know the following information about your internal web server:
- access protocol (SSL or non-SSL)
- IP address or DNS name
- port number.

Ask your e-mail administrator for this information.

5. Defender Security Server (checklist items 12, 13 and 14)

You need to know the following information about your Defender Security Server (DSS):
- IP address or DNS name of the primary DSS
- port number of the primary DSS
- Shared Secret for the access node to be used by the primary DSS.

Ask your Defender administrator for this information.

6. Secondary Defender Security Server (checklist items 15, 16 and 17)

If you are using a secondary Defender Security Server, you need to know the following information:
- IP address or DNS name of the secondary DSS
- port number of the secondary DSS
- Shared Secret for the access node to be used by the secondary DSS.

Ask your Defender administrator for this information.

7. Defender (checklist 19)

The following information must be defined at the primary DSS and secondary DSS:

Defender 5: create a new access node to allow access from WebMail.

Ask your Defender administrator to do this.


8. Firewall Configuration (checklist 20)

Configure access paths through your firewall(s) to:
- enable outside users to access the WebMail Relay Server
- allow the WebMail Relay Server to communicate with the internal e-mail web server and Defender.

9. User ID Set-up (checklist 21)

The user ID entered by a user to access e-mail via Defender WebMail must be defined to and be the same on both the Defender system and the e-mail server.


Installation Pre-requisites

Ensure that Java JDK 1.4 or higher (Windows x86 version) is installed on the machine where you will install Defender WebMail. This is required for 32 bit (x86) and 64 bit (x64) systems. Java JDK 1.4 or higher (Windows x86 version) is available from: http://java.sun.com/javase/downloads/index.jsp.

The following dialog is displayed when you start the Defender WebMail installation.

Installing Defender WebMail

Defender WebMail is installed on the machine designated as the WebMail Relay Server in your DMZ.

1. To start the installation procedure, run DefenderWebMail.msi on the WebMail Relay Server.

2. Click Next to continue.


3. Accept the License Agreement and click Next to continue.

4. Click Next to accept the default destination folder. To select a different destination folder, click Browse, locate the required destination folder, then click Next to continue.


5. Click on the arrow in the Protocol field to display a list of available access protocols. Select the access protocol required for your WebMail Server (checklist item 1).

6. Type the fully qualified domain name for your WebMail Server in the Domain name field (checklist item 2). Click Next to continue.


7. If you selected the HTTPS access protocol, you will be prompted for the information required to generate a certificate request. Complete the fields on this dialog using items 3 through 7 on the checklist. When the Defender WebMail installation is complete, you can use the automatically generated request to obtain a certificate from your Certificate Authority. Click Next to continue.


8. In the Protocol field, enter the communication protocol for the Outlook Web Access application that you want to protect (checklist item 8).

9. In the Server (IP/DNS) field, enter the name for the Outlook Web Access application (checklist item 9).

10. In the Port field, enter the port number of the Outlook Web Access application (checklist item 10).


11. If you are using Exchange 2007, check the box. For any other version of Exchange, uncheck the box (checklist item 11).

12. Click Next to continue.


13. In the Server (IP/DNS) field, enter the name of the primary DSS (checklist item 12).

14. In the Port field, enter the port number of the primary DSS (checklist item 13).

15. In the Access Node Shared Secret field, enter the shared secret used for the Access Node and Primary DSS (checklist item 14). Click Next to continue.


16. If you are using a secondary DSS, complete the fields as described in steps 18 through 20.

17. If you do not have a secondary DSS, uncheck the Define secondary DSS checkbox and click Next to continue.

18. In the Server (IP/DNS) field, enter the name of the secondary DSS (checklist item 15).

19. In the Port field, enter the port number of the secondary DSS (checklist item 16).

20. In the Access Node Shared Secret field, enter the shared secret used for the Access Node and Secondary DSS (checklist item 17).

21. Click Next to continue.


22. You can review the selections made during the installation by scrolling this screen. To go back and make changes to the installation, click Back. When you have finished configuring Defender WebMail, click Next. After a few moments, the Setup Status screen is displayed.

23. The required files are copied to the WebMail Server. If you selected HTTPS as your access protocol for the WebMail Relay Server, a certificate request is automatically generated.

Note: Defender WebMail configuration is not complete until the server certificate has been issued by a Certificate Authority and correctly installed. Refer to Installing a Certificate for further information.

24. When you have copied the certificate CSR request, click OK. The InstallShield Wizard Complete screen is displayed.

25. Click Finish to complete the WebMail installation.


After Installation

Perform the following steps in your Defender installation:

1. Define a new access node for WebMail.
2. Create a security policy.
3. Assign the security policy to the access node you have created for the WebMail Agent, using the access node Policy tab.

For full information, refer to the Defender Installation Guide.

Upgrading Defender WebMail

To upgrade WebMail to the latest version, perform the following steps. Defender WebMail is installed on the machine designated as the WebMail Relay Server in your DMZ.

1. To start the upgrade procedure, run DefenderWebMail.msi on the WebMail Relay Server.

2. Click Next to continue.


3. Accept the License Agreement and click Next to continue.

4. Click Next to accept the default destination folder. To select a different destination folder, click Browse, locate the required destination folder, then click Next to continue.


5. An existing version of WebMail has been found on your system. The WebMail installer will copy your existing configuration and use this information to configure the new version. The original version of WebMail will then be automatically removed from your system. Click Next to continue with the upgrade procedure.

6. The installer is now ready to perform the upgrade. Click Install to continue.

7. On completion of the upgrade, you will be asked to confirm removal of the old version of Webmail. Click OK to continue.

8. On completion of the upgrade procedure, the Maintenance Complete dialog is displayed. Click Finish.


9. To close the Defender WebMail Setup Wizard, click Finish.

The latest version of Defender WebMail is now installed and configured with your original configuration information. For further configuration information refer to Changing the Webmail Configuration on page 18.


Installing a Certificate

To install a certificate obtained using a Defender WebMail generated request, select the Install Certificate option from the Defender WebMail menu on the Start button. Paste the certificate details into the Install Client Certificate window.

Adding a Trusted CA Certificate

If you use HTTPS to communicate with your e-mail web server and it uses a certificate issued by a VeriSign or Thawte Certificate Authority, Defender WebMail will automatically trust it. If you are using a certificate issued by any other Certificate Authority, then you will need to add this Certificate Authority to the list of Trusted Certificate Authorities.

To add a Trusted CA Certificate, select the Certificate configuration option from the Defender WebMail menu on the Start button. Then select Install Trusted CA Certificate. Import the file that contains the certificate information and enter an alias for the certificate. Restart the Defender WebMail service.

How to create a PKCS#7 formatted certificate file

To convert a certificate from X.509 format to PKCS#7 format you must have access to a Windows machine running a recent version of Internet Explorer. Follow the steps below:

1. Copy the certificate response to the Windows machine and name the file sslcert.cer.
2. Double-click on sslcert.cer. The certificate details are displayed in a new window.
3. Click Install Certificate. Accept the default values in the Certificate Install wizard windows. Close the certificate details window.
4. Open an Internet Explorer window (note that these instructions are based on IE6 and may differ for other versions).
5. From the Tools menu, select Internet Options.
6. On the Content tab, click Certificates.
7. Locate and highlight the imported certificate. It may be located in the Other People tab.
8. Click Export.
9. Export the certificate as a PKCS#7 formatted certificate and include all certificates in the certification path.
10. Save the certificate as a p7b file and close Internet Explorer.
11. Provide the PKCS#7 certificate as the response in the WebMail certificate configuration window.
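Where OpenSSL is available, the same X.509 to PKCS#7 conversion can be done and checked from the command line. This is an added example, not part of the Quest guide: it creates a constructed self-signed certificate as a stand-in for the CA response, and every file name other than sslcert.cer and every subject value is an assumption.

```shell
#!/bin/sh
# Added example, not from the Quest guide: X.509 -> PKCS#7 with OpenSSL.
# Every file name and subject value here is constructed for the demo.

# make_demo_cert DIR: throwaway self-signed certificate standing in for the
# CA's X.509 response (sslcert.cer in step 1 above).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=California/L=Aliso Viejo/O=Example Corp/OU=IT/CN=webmail.mydomain.com" \
        -keyout "$1/demo.key" -out "$1/sslcert.cer" 2>/dev/null
}

# as_pem IN OUT: a .cer file may be PEM (base64 text) or DER (binary).
# crl2pkcs7 -certfile reads PEM only, so normalise before bundling.
as_pem() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# to_pkcs7 OUT CERT [CHAIN_CERT...]: bundle the server certificate plus any
# intermediate and root certificates (all PEM) into one PKCS#7 file, the
# equivalent of "include all certificates in the certification path".
to_pkcs7() {
    out=$1; shift
    # Rewrite the argument list as "-certfile FILE" pairs (safe for spaces).
    for f in "$@"; do
        set -- "$@" -certfile "$f"
        shift
    done
    # -nocrl: certificates only, no revocation list in the bundle
    openssl crl2pkcs7 -nocrl "$@" -out "$out"
}

# p7b_subjects FILE: subject line of every certificate inside the bundle.
p7b_subjects() {
    openssl pkcs7 -in "$1" -print_certs -noout | grep '^subject'
}

# fingerprint PEM_FILE: SHA-256 fingerprint, to confirm that format
# conversion did not change the certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Demo run on the constructed certificate.
tmp=$(mktemp -d)
make_demo_cert "$tmp"
as_pem "$tmp/sslcert.cer" "$tmp/sslcert.pem"
to_pkcs7 "$tmp/sslcert.p7b" "$tmp/sslcert.pem"
p7b_subjects "$tmp/sslcert.p7b"
```

Listing the subjects before pasting the bundle into the certificate configuration window confirms that the server certificate and each CA certificate in its path are actually present.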

Using Defender WebMail

Enter the URL used to access the Defender WebMail Server, see checklist item 2. You will be prompted to enter your:
- User ID
- Web e-mail password
- Defender authentication credentials as appropriate.


Changing the Defender WebMail Configuration

To change your configuration details after installation, select the Configure Defender WebMail option from the Defender WebMail menu on the Start button. The options are described below:

Please enter the URL of the Defender WebMail server < >
    Type the URL that users will use to access the Defender WebMail server.

Add another Defender WebMail URL
    If you enter Yes, you are prompted to enter the URL of the WebMail Server.

Which port do you want the Defender WebMail servers to use?

Please enter the URL of the Outlook Web Access (OWA) server < >
    Type the URL that will be used to access the Outlook Web Access server.

Please enter the DNS/IP Address of your primary Defender Security Server < >
    Type the full distinguished name or IP address of the machine where your primary Defender Security Server is installed.

Please enter the port number of your primary Defender Security Server
    Type the port number that will be used by your primary Defender Security Server. The default is 1812.

Please enter the Access Node shared secret on your primary Defender Security Server
    Type the shared secret used by the Access Node and the primary Defender Security Server. This is the shared secret that you specified when you first set up the Access Node.

Please enter the DNS/IP Address of your secondary Defender Security Server
    Type the full distinguished name or IP address of the machine where your secondary Defender Security Server is installed.

Please enter the port number of your secondary Defender Security Server
    Type the port number that will be used by your secondary Defender Security Server. The default is 1812.

Please enter the Access Node shared secret on your secondary Defender Security Server
    Type the shared secret used by the Access Node and the secondary Defender Security Server. This is the shared secret that you specified when you first set up the Access Node.

User inactivity timeout in seconds?
    Type the amount of time (in seconds) that you want to allow a session to be idle. After this interval of inactivity, the user will need to log in again and re-authenticate. The default is 10 minutes. The inactivity timeout value must be less than the session timeout value.

Session timeout in seconds?
    Type the amount of time (in seconds) that you want a session to be valid. After this time elapses, users will need to log in again and re-authenticate. The default is 7200 seconds (two hours). The session timeout value must be greater than the inactivity timeout value (see above).

Level of client IP address verification
    Type either 0, 1 or 2 to specify the level of client IP address verification required during authentication.
    0 = client IP address is not verified
    1 = only the network section of the IP address is verified
    2 = the entire IP address is verified against the original client IP address expected by Defender WebMail.

Exchange 2007?
    Enter Yes if you are using Exchange 2007. For any other version of Exchange, enter No.
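How the inactivity timeout, session timeout and client IP verification level combine on a single request, shown as an added example that is not Quest's code or Defender WebMail's implementation. It assumes that the "network section" of an IPv4 address means its first three octets, which the guide does not define, and the function names and sample addresses are constructed for this example.

```shell
#!/bin/sh
# Added example, not Quest code: a model of how the inactivity timeout,
# session timeout and client IP verification level apply to one request.
# Assumption: "network section" = first three octets of an IPv4 address.

# is_uint VALUE: succeeds when VALUE is a non-empty string of digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_timeouts INACTIVITY SESSION (seconds): the inactivity timeout must
# be less than the session timeout, as the option descriptions require.
check_timeouts() {
    is_uint "$1" && is_uint "$2" && [ "$1" -gt 0 ] && [ "$1" -lt "$2" ]
}

# ip_allowed LEVEL ORIGINAL_IP CURRENT_IP
ip_allowed() {
    case $1 in
        0) return 0 ;;                     # client IP address not verified
        1) [ "${2%.*}" = "${3%.*}" ] ;;    # network section only
        2) [ "$2" = "$3" ] ;;              # entire address must match
        *) return 2 ;;                     # unknown level: fail closed
    esac
}

# session_check NOW LOGIN LAST_SEEN INACTIVITY SESSION LEVEL ORIG_IP CUR_IP
# Times are in seconds on one clock. Prints the decision for the request.
session_check() {
    if ! check_timeouts "$4" "$5"; then echo bad-config
    elif [ $(( $1 - $2 )) -ge "$5" ]; then echo session-expired
    elif [ $(( $1 - $3 )) -ge "$4" ]; then echo idle-expired
    elif ! ip_allowed "$6" "$7" "$8"; then echo ip-mismatch
    else echo ok
    fi
}

# Constructed requests, using the defaults of 600 s idle and 7200 s session.
# An active user is still logged out once the session timeout elapses:
session_check 7300 0 7250 600 7200 2 203.0.113.10 203.0.113.10
# Same session seen from a neighbouring address: level 1 accepts, 2 rejects.
session_check 1000 0 900 600 7200 1 203.0.113.10 203.0.113.77
session_check 1000 0 900 600 7200 2 203.0.113.10 203.0.113.77
```

Level 2 gives the tightest binding of a session to its client; level 1 tolerates clients whose address changes within the same network section.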


Defender WebMail Pre-installation Checklist

1. Access protocol of the WebMail Server: HTTP ( )  HTTPS ( )
2. Fully qualified domain name of WebMail Server: ___________________
3. Organization (your company name): ___________________
4. Organizational Unit (your department name): ___________________
5. Locality (town or city): ___________________
6. State or Province: ___________________
7. Country (limited to two characters): __
8. Access protocol of the Outlook Web Access application: HTTP ( )  HTTPS ( )
9. IP address / DNS name of the Outlook Web Access application: ___________________
10. Port number of the Outlook Web Access application: ___________________
11. Exchange 2007: ___________________
12. IP address / DNS name of the Primary DSS: ___________________
13. Port number of the Primary DSS: ___________________
14. Shared Secret for the Primary DSS: ___________________
15. IP address / DNS name of Secondary DSS: ___________________
16. Port number of Secondary DSS: ___________________
17. Shared Secret for the Secondary DSS: ___________________
18. Firewall configured to allow WebMail traffic? Tick when done ( )
19. Same user ID defined on both Defender and the email system? Tick when done ( )