Configuring System Settings
Administrator Help | Forcepoint Email Security | Version 8.5.x
Managing administrator accounts
Forcepoint Email Security module administrator accounts are created on the Global Settings page of the Forcepoint Security Manager. Only a Super Administrator can add, edit, or delete an administrator account.
A Super Administrator can create two types of accounts: local and network. A local account is stored in the local Security Manager database and contains a single user. A network account can contain a single user or a group of users and is stored on a network server. See Forcepoint Security Manager Help for details about managing Security Manager administrators on this page.
Administrator account settings and role assignments that are configured on one appliance are applied to all the appliances in your network.
Access administrator accounts

The Global Settings page displays.

From the General menu, select Administrators.
The Administrators page displays.
Administrator accounts
The page Settings > Administrators > Delegated Administrators lists all defined Email Security module administrators, their email address, account type, roles, and the administrator's current status (online or offline).
A new administrator is created with the role of Auditor. An Email Security module Super Administrator can assign a default role to a new administrator account or create a new role for that administrator. See Administrator roles for information about adding a new role and defining permissions.
The following table details the default roles available for selection:
Assign administrator roles

The Edit Administrator page displays.

From the pull-down menu Role, select a new default role.


(Optional) View the administrator's current role and permissions; click View Permission.
The View Permission page displays.


The settings are saved.
Administrator roles
A Super Administrator can create several delegated administrators with a variety of roles and permissions on the page Settings > Administrators > Roles. When creating roles for delegated administrators, you specify the users or groups managed by the role along with the permissions associated with the role, before assigning an administrator to that role. An administrator may be assigned to only one role at a time.
A user's view of the Email Security module interface depends on that user's administrator role. For example, a user with the Auditor role can view the entire Email Security module interface but cannot modify any settings.
By default, a new Email Security module-specific administrator account is an Auditor account. A Super Administrator can use the following steps to change an administrator's role:
Add new administrator role

The Add Role page displays.

In the text field Role Name, enter a name for the new role.

In the text field Description, enter a brief, clear description of the role.

From the Managed users and groups table, define the users or user groups to be managed by this role:

The Add Managed Users and Groups dialog box displays.

- From the field User email address file, click Browse.
The Open window displays.
The email address file is added.
- In the field User email addresses, enter the desired email addresses, separated by semicolons.

The user and group settings are saved and the Add Role page displays.
In the section Permissions, define the permissions for this role by selecting the appropriate buttons in the Permissions table.
The following options are available:

The Assign Role dialog box displays.

This role replaces the administrator's current role.


The new administrator role is saved.
Setting system preferences
The page Settings > General > System Settings is used to configure the following email system preferences:
Entering the fully qualified domain name
The Fully Qualified Domain Name (FQDN) section of the System Settings page is used to define the FQDN. SMTP protocol requires the use of FQDNs for message transfer. If you completed the First-Time Configuration Wizard, the FQDN you entered there appears on this page as the default entry.
If you did not complete the wizard, enter the appliance fully qualified domain name in the field Fully Qualified Domain Name (format is appliancehostname.parentdomain.com).
Setting the SMTP greeting message
The SMTP Greeting section of the System Settings page is used to define an SMTP greeting. The SMTP greeting message is the response to a connection attempt by a remote server. It can also be used to indicate that the system is working properly. For example, an SMTP greeting could be:
The email security service is ready.
Enter the SMTP greeting

In the text field SMTP greeting, enter a new start-up message.

The settings are saved.
Setting system notification email addresses
The System Notification Email Addresses section of the System Settings page is used to define default notification addresses. The email system can automatically send notifications of system events like a stopped service to a predefined address, often an administrator address. When this address is defined, notification messages can also be sent to or from an administrator email address for other events. For example, configuring a notification to be sent to or from an administrator address when a message triggers a filter (on the page Main > Policy Management > Actions) requires the administrator address to be defined on the page System Settings.
Define system notification email addresses

In the text field Administrator email address, enter the desired recipient address for notifications of system events.

In the text field Default sender email address, enter the desired sender address from which user notification messages should be sent.

The settings are saved.
Configuring administrator console preferences
The Administrator Console Preferences section of the System Settings page is used to configure your desired character set encoding and console language.
Set console preferences

From the pull-down menu Preferred character encoding, select a character set for encoding messages.
The selected character encoding setting is used to decode email attachments, including those for which no character encoding information is available.

From the pull-down menu Administrator console language, select the language that the appliance should use.

The settings are saved.
Managing appliances
Before adding an appliance to the Email Security module, it is necessary to install and configure a Forcepoint appliance. Interface information includes IP address, subnet mask, default gateway, and up to three DNS server IP addresses. See the Forcepoint Appliances Getting Started Guide.
Forcepoint Email Security may be deployed as a virtual appliance. See the Forcepoint Appliances Getting Started Guide for complete information about deploying and configuring a virtual appliance.
Beginning with version 8.5, Forcepoint Email Security may be deployed on a virtual appliance in Microsoft Azure. See Installing Forcepoint Email Security in Microsoft Azure for more information.
If you change either the appliance hostname or C interface IP address on the appliance, you must make the same change on the page Settings > General > Email Appliances. The Email Security module does not detect this change automatically.
Email traffic is usually routed through dedicated appliance interfaces (E1/E2). However, to route traffic through the C interface (for example, to transfer log data to a SIEM server), you need to define a route using the appliance CLI. It is necessary to stop and restart email security services on the appliance each time you add or delete a route on the appliance.
If you are running an Azure deployment, it is necessary to use the C interface for all email traffic.
Appliances overview
You can manage multiple email appliances from the page Settings > General > Email Appliances without having to log on to each machine separately. Managed appliances share a single Log Database, from which email log entries, presentation reports, and the dashboard statistics and charts are generated. The Email Security module and all appliances must run supported versions and share the same subscription key for successful communication among the appliances.
An appliance may operate in standalone mode, which is the default mode when an appliance is added to the Email Security module. You can also create appliance clusters by designating an appliance as a primary machine or as a secondary machine associated with a primary machine. See Designating a primary appliance in a cluster.
The Email Appliances page lists all current system appliances in a table that displays information about the appliance and its status, with functionality to switch to a different appliance that is in standalone mode or to remove an unconnected primary appliance from a cluster. The following table details the functionality on the Email Appliances page:
Selecting an appliance and clicking Delete removes the appliance from the Email Appliances page.
Add an appliance

From the page Settings > General > Email Appliances, click Add.
The Add Appliance dialog box displays.

In the text field C interface IP address, enter the IP address used for communication with the Email Security module.

The dialog box closes and the appliance is added to the Email Appliances page.
Important 
Changing the C interface IP address of an appliance terminates the appliance connection with the Email Security module. In order to re-establish the connection, the IP address must also be changed on the Email Security module page Settings > General > Email Appliances.
When you add an appliance, it is automatically registered with the Data Security module for data loss prevention (DLP). To complete the registration process and deploy DLP policies, click the Data Security module on the Security Manager toolbar and then click Deploy.
Editing appliance settings from the appliances list
The page Edit Appliance is used to edit the appliance C interface IP address. The system connection status and mode cannot be changed on this page.
Edit appliance settings

From the page Settings > General > Email Appliances, click the hostname of an appliance.
The Edit Appliance page displays.

In the text field C interface IP address, enter the new IP address.

The settings are saved.
Configuring an appliance cluster
An email appliance operates in standalone mode by default, but can be configured in a cluster of appliances to manage a large volume of email traffic. After you have added an appliance to the appliances list on the Email Appliances page, you can change its mode from the default standalone to either primary or secondary on the page Settings > General > Cluster Mode.
See Forcepoint Documentation for more information.
Designating a primary appliance in a cluster
A primary appliance maintains and displays the configuration settings for all the appliances in its cluster.
Specify a primary appliance in a cluster

On the page Settings > General > Cluster Mode, select the appliance mode Cluster (Primary).
A Cluster Properties box opens with the primary appliance IP address displayed in the field Cluster communication IP address. Secondary appliances use this IP address for cluster communications.

Click Add.
The page Add Secondary Appliance displays, where you can designate the secondary appliances in this cluster.

(Optional) Add a new appliance that is not already on the list; click Add New Appliance.
The Add Appliance page displays.


The appliance is added to the Secondary Appliances list along with its status.

The appliance is added to the cluster.
View appliance details
The Appliance Properties dialog box displays with details about the appliance.
Remove a secondary appliance from a cluster
The appliance is removed from the cluster.
Managing user directories
A user directory is an important component of email traffic analysis when it is used to set sender/recipient conditions for a policy. It can also provide recipient validation capabilities and be the basis of user logon authentication settings. See Managing user validation/authentication options.
The page Settings > Users > User Directories is used to add a user directory. Available user directories display in table format with functionality to search by keyword or remove a user directory. The following table details the options on the User Directories page.
Search a user directory by keyword

From the Cache Size column on the page Settings > Users > User Directories, click View.
The User Directory Entries page displays.

Up to 100 characters can be entered.

Click Submit.
The search results display in table format.

Delete a user directory
A user directory may only be deleted if the directory is not currently being used by an email function. For example, if the directory is being used as part of a policy or as part of user authentication settings, it cannot be removed.
The user directory is deleted.
Adding and configuring a user directory
The Add User Directory page is used to add a new user directory. A newly added user directory displays a status of Not referenced, because it is not yet being used by an email function. User directory creation entries are different depending on the type of user directory being added.
Add a new user directory

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select a type: Microsoft Active Directory, IBM LDAP Server, Generic LDAP, Recipient List, or ESMTP.
The User Directory Properties section displays with configuration options for the selected user directory:

The user directory is saved.
Microsoft Active Directory
Microsoft Active Directory provides user information management in a Windows environment.
If you plan to use Active Directory and your deployment includes Azure ExpressRoute, some additional configuration is needed in Azure. See the Microsoft article Azure Active Directory (AD) Domain Services for more information.
Configure a Microsoft Active Directory in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select Microsoft Active Directory.
The User Directory Properties section displays with options for Microsoft Active Directory.

In the text field Server IP address or hostname, enter the IP address or hostname of your LDAP server.

In the text field Port, enter the port number.
The default is 389.

(Optional) Enable secure LDAP, a nonstandard protocol also known as LDAP over SSL; mark the check box Enable secure LDAP.
Marking this check box changes the default port number to 636.

In the text field Username, enter the username for this appliance.
The Username field can contain the user's username (such as admin), email address (such as admin@mycompany.com), or distinguished name (such as cn=admin, dc=company, dc=com).

In the text field Password, enter the password for this appliance.

In the text field Search domain, enter the LDAP server's search domain name.
This value is used when the search filter is applied.

Verify that the field Search filter contains a standard LDAP query that can use validation variables, for example:
(|(mail=%email%)(userPrincipalName=%email%)(proxyAddresses=smtp:%email%))

From Cache setting, select either Mirror or Cache address.
- The Mirror setting means that valid addresses are cached all at once by synchronizing the cache with all the addresses stored on the LDAP server. You can manually synchronize the cache with the LDAP server any time after that by clicking Synchronize for this directory on the User Directories page.
- The Cache address setting means the cache is updated dynamically. A new, valid address is cached after it is verified with the LDAP server. Remove all addresses from the cache by clicking Clear cache.

In the text field Cache timeout, enter a value in minutes.
The timeout is the amount of time that a valid address remains in the memory cache. If an email message is sent from a previously validated address during this timeout period, the email is delivered without contacting the validation server. However, if another message is sent from this address after the timeout has expired, the server will be contacted to validate the address. Default value is 60 minutes.

The settings are saved.
IBM LDAP Server Directory
An IBM LDAP Server Directory provides user information management on an IBM server.
Configure an IBM LDAP Server Directory in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select IBM LDAP Server.
The User Directory Properties section displays with options for IBM LDAP Server Directory.

In the text field Server IP address or hostname, enter the IP address or hostname of your LDAP server.

In the text field Port, enter the port number.
The default is 389.

(Optional) Enable secure LDAP, a nonstandard protocol also known as LDAP over SSL; mark the check box Enable secure LDAP.
Marking this check box changes the default port number to 636.

In the text field Username, enter the username for this appliance.
The Username field can contain the user's username (such as admin), email address (such as admin@mycompany.com), or distinguished name (such as cn=admin, dc=company, dc=com).

In the text field Password, enter the password for this appliance.

From Cache setting, select either Mirror or Cache address.
- The Mirror setting means that valid addresses are cached all at once by synchronizing the cache with all the addresses stored on the LDAP server. You can manually synchronize the cache with the LDAP server any time after that by clicking Synchronize for this directory on the User Directories page.
- The Cache address setting means the cache is updated dynamically. A new, valid address is cached after it is verified with the LDAP server. Remove all addresses from the cache by clicking Clear cache.

In the text field Cache timeout, enter a value in minutes.
The timeout is the amount of time that a valid address remains in the memory cache. If an email message is sent from a previously validated address during this timeout period, the email is delivered without contacting the validation server. However, if another message is sent from this address after the timeout has expired, the server will be contacted to validate the address. Default value is 60 minutes.

The settings are saved.
Generic LDAP Server Directory
A generic LDAP directory provides user information management that is supported on any LDAP server.
Configure a generic LDAP Server Directory in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select Generic LDAP.
The User Directory Properties section displays with options for Generic LDAP Server Directory.

In the text field Server IP address or hostname, enter the IP address or hostname of your LDAP server.

In the text field Port, enter the port number.
The default is 389.

(Optional) Enable secure LDAP, a nonstandard protocol also known as LDAP over SSL; mark the check box Enable secure LDAP.
Marking this check box changes the default port number to 636.

In the text field Username, enter the username for this appliance.
The Username field can contain the user's username (such as admin), email address (such as admin@mycompany.com), or distinguished name (such as cn=admin, dc=company, dc=com).

In the text field Password, enter the password for this appliance.

In the text field Search domain, enter the LDAP server's search domain name.
This value is used when the search filter is applied.

Verify that the field Search filter contains a standard LDAP query that can use validation variables; for example:
(mail=%email%)
(|(mail=%email%)(uid=%email%))

In the text field Mail field, enter any optional email addresses to import.

From Cache setting, select either Mirror or Cache address.
- The Mirror setting means that valid addresses are cached all at once by synchronizing the cache with all the addresses stored on the LDAP server. You can manually synchronize the cache with the LDAP server any time after that by clicking Synchronize for this directory on the User Directories page.
- The Cache address setting means the cache is updated dynamically. A new, valid address is cached after it is verified with the LDAP server. Remove all addresses from the cache by clicking Clear cache.

In the text field Cache timeout, enter a value in minutes.
The timeout is the amount of time that a valid address remains in the memory cache. If an email message is sent from a previously validated address during this timeout period, the email is delivered without contacting the validation server. However, if another message is sent from this address after the timeout has expired, the server will be contacted to validate the address. Default value is 60 minutes.

The settings are saved.
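The Active Directory and generic LDAP search filters shown in the two procedures above substitute the validation variable %email% with the address being checked. As an added example that is not part of this help page or of Forcepoint's product, the following Python shows what such a substitution has to do: escape the address according to RFC 4515 before it is placed in the filter, so that the address can only ever match as a literal value and the filter's own structure is preserved. The function names and the sample addresses are this example's own.

```python
"""Substitution of validation variables such as %email% into an LDAP search
filter. Added example, not Forcepoint's code: it escapes the value per
RFC 4515 so the address is matched as a literal string only."""

import re
from typing import Dict

# A validation variable in the filter template: %email%, %user%, ...
_VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# RFC 4515 section 3: these characters are encoded as a backslash and two
# hex digits when they appear inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, variables: Dict[str, str]) -> str:
    """Replace every %name% in the template with its escaped value.

    A variable with no value raises KeyError, so a mistyped template fails
    before any query is sent rather than searching for the literal text
    "%email%".
    """
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value for validation variable %{name}%")
        return escape_filter_value(variables[name])
    return _VAR_RE.sub(substitute, template)


def parentheses_balanced(filter_text: str) -> bool:
    """Sanity check on a rendered filter: after escaping, the only parentheses
    left are the template's own, so they must balance."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# The two filters quoted on this page.
AD_FILTER = "(|(mail=%email%)(userPrincipalName=%email%)(proxyAddresses=smtp:%email%))"
GENERIC_FILTER = "(|(mail=%email%)(uid=%email%))"

if __name__ == "__main__":
    # Constructed sample addresses; the second one carries filter metacharacters.
    for addr in ("alice@example.com", "a*b(c)@example.com"):
        rendered = render_filter(AD_FILTER, {"email": addr})
        print(rendered, parentheses_balanced(rendered))
```

The escaping step is the part that matters: a mailbox name containing `*`, `(` or `)` is still a legal local part, and without escaping it would change the meaning of the filter instead of being looked up.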
Recipient List
A recipient list is a text file that contains a list of email addresses and their associated passwords, one set per line. This file can be used for user recipient validation.
Configure a recipient list in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select Recipient List.


With this policy in force, a password must meet the following requirements:
! " # $ & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
If you have an existing recipient list and enable the strong password policy, the email protection system evaluates current passwords in the list against the policy. When this evaluation is complete, a Strength column appears in the Recipient List box, indicating any weak passwords that should be changed. A recipient list that contains weak passwords cannot be saved if the check box Enforce strong password policy is marked.

The file format should be one email address and password per line, up to a maximum of 1,000 entries.

Manually create a recipient list; from the box Enter Recipient Information, enter an individual email address and associated password and click >.
The information is added to the Recipient List box on the right. Continue until all necessary recipients are added.

The settings are saved.
Search the recipient list

Search results display in the Recipient List box.

The entire recipient list displays.
Export the recipient list
The recipient list is exported to your local drive as a text file.
Remove an entry from the recipient list
The entry is removed.
ESMTP Server Directory
An ESMTP Server Directory provides user authentication and recipient validation using the features in extended SMTP.
Configure an ESMTP Server Directory in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select ESMTP.
The User Directory Properties section displays with options for ESMTP Server Directory.

Determine your desired email verification method; from Email verification method, select Use the return status of the VRFY command or Use the return status of the RCPT command:

In the text field Sender email address, enter an email address for the user directory.

In the text field Cache timeout, enter a value in minutes.
The cache timeout is the amount of time that a valid address remains in the memory cache. If an email message is sent from a previously validated address during this timeout period, the email is delivered without contacting the validation server. However, if another message is sent from this address after the timeout has expired, the server will be contacted to validate the address. Default value is 60 minutes.
Remove all addresses from the cache by clicking Clear cache.

The settings are saved.
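The following Python is an added example, not code from this help page or from Forcepoint. It plays out the ESMTP recipient-validation exchange described above (VRFY, or MAIL FROM followed by RCPT TO using the configured sender address) against a constructed stand-in server, and implements the cache timeout the way this page describes it for both the ESMTP and the LDAP directory types: only valid addresses are cached, each for 60 minutes by default, and an address is validated with the server again once its entry has expired or after Clear cache. The stand-in server also answers a connection with the 220 greeting built from the FQDN and SMTP greeting configured under System Settings. The class names, the mailbox list and the injectable clock are this example's own.

```python
"""Recipient validation against an ESMTP server with the address cache
described above. Added example, not Forcepoint's code: the server is a
constructed stand-in that replies like a mail server so the exchange runs
offline, and the class and function names are this example's own."""

import time
from typing import Callable, Set


class FakeEsmtpServer:
    """Constructed stand-in for the directory's mail server."""

    def __init__(self, fqdn: str, greeting: str, mailboxes: Set[str]):
        self.fqdn = fqdn
        self.greeting = greeting
        self.mailboxes = {m.lower() for m in mailboxes}
        self.transcript = []  # (client line, server reply) pairs

    def connect(self) -> str:
        # The SMTP greeting is the 220 reply to a connection attempt; SMTP
        # requires the appliance FQDN in it.
        reply = f"220 {self.fqdn} ESMTP {self.greeting}"
        self.transcript.append(("<connect>", reply))
        return reply

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            known = arg.strip("<>").lower() in self.mailboxes
            reply = f"250 {arg}" if known else "550 5.1.1 User unknown"
        elif verb in ("MAIL", "RSET"):
            reply = "250 2.0.0 OK"
        elif verb == "RCPT" and arg.upper().startswith("TO:"):
            known = arg[3:].strip("<> ").lower() in self.mailboxes
            reply = "250 2.1.5 OK" if known else "550 5.1.1 User unknown"
        else:
            reply = "502 5.5.2 Command not implemented"
        self.transcript.append((line, reply))
        return reply


class EsmtpValidator:
    """Validates recipients by VRFY or RCPT and caches only valid addresses,
    each for cache_timeout_min minutes (60 by default, as on the page)."""

    def __init__(self, server: FakeEsmtpServer, method: str, sender: str,
                 cache_timeout_min: int = 60,
                 clock: Callable[[], float] = time.time):
        if method not in ("VRFY", "RCPT"):
            raise ValueError("method must be VRFY or RCPT")
        self.server = server
        self.method = method
        self.sender = sender            # the configured Sender email address
        self.cache_timeout = cache_timeout_min * 60
        self.clock = clock              # injectable so the timeout is testable
        self.server_contacts = 0
        self._cache = {}                # address -> expiry time (seconds)

    def is_valid(self, address: str) -> bool:
        address = address.lower()
        now = self.clock()
        expiry = self._cache.get(address)
        if expiry is not None and now < expiry:
            return True                 # cache hit: server not contacted
        self._cache.pop(address, None)  # drop an expired entry, if any
        ok = self._ask_server(address)
        if ok:                          # invalid addresses are never cached
            self._cache[address] = now + self.cache_timeout
        return ok

    def clear_cache(self) -> None:
        """Same effect as clicking Clear cache."""
        self._cache.clear()

    def _ask_server(self, address: str) -> bool:
        self.server_contacts += 1
        if self.method == "VRFY":
            reply = self.server.command(f"VRFY {address}")
        else:
            self.server.command(f"MAIL FROM:<{self.sender}>")
            reply = self.server.command(f"RCPT TO:<{address}>")
            self.server.command("RSET")  # abandon the probe transaction
        return reply.startswith("250")


if __name__ == "__main__":
    srv = FakeEsmtpServer("mail.example.com",
                          "The email security service is ready.",
                          {"alice@example.com"})
    print(srv.connect())
    v = EsmtpValidator(srv, "RCPT", "postmaster@example.com")
    for addr in ("alice@example.com", "alice@example.com", "bob@example.com"):
        print(addr, "valid" if v.is_valid(addr) else "rejected")
    for client, reply in srv.transcript:
        print(f"C: {client}\nS: {reply}")
```

Note the asymmetry the page implies: a valid address is served from memory until the timeout expires, while an invalid address is checked with the server on every message, so the timeout trades validation-server load against how long a mailbox removed from the directory keeps being accepted.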
Managing domain and IP address groups
A collection of domain names or IP addresses can be defined in a single group for use in email functions. For example, you can define a domain name group to establish domain-based delivery options, or you can define an IP address group for which Reputation Service, Real-time Blacklist (RBL), or directory attack prevention analysis is not performed. IP address groups can also be used for the email encryption functions. Domain groups are added and configured on the page Settings > Users > Domain Groups; IP groups are added and configured on the page Settings > Inbound/Outbound > IP Groups.
You can perform the following operations on domain or IP address groups:
There are two special default groups of domain or IP addresses:
See Third-party encryption application for information about using the Encryption Gateway default IP address group. Default groups cannot be deleted.
Protected Domain group
The Protected Domain group should contain all the domains that an organization owns and needs the email system to protect. Message direction in the system is determined on the basis of an organization's protected domains:
An open relay results when neither the sender address nor the recipient address is in a protected domain.
Unless you entered a protected domain name on the Domain-based Route page of the First-time Configuration Wizard, the default Protected Domain group is empty after product installation. Domains may be added to or deleted from the Protected Domain group, but the Protected Domain group itself cannot be deleted.
Important 
The email hybrid service uses the Protected Domain group during Forcepoint Email Security Hybrid Module registration to verify that the domains specified in its delivery routes are all from this group. The Protected Domain group should not be used to configure email delivery routes (on the page Settings > Inbound/Outbound > Mail Routing) if you need to define domain-based delivery routes via multiple SMTP servers. See User directory-based routes.
Trusted IP Address group
Like the Protected Domain group, the Trusted IP Addresses default group is empty after product installation. IP addresses may be added to or deleted from the Trusted IP Addresses group, but the Trusted IP Addresses group itself cannot be deleted. The Trusted IP Addresses group may include up to 1024 addresses.
Trusted IP addresses may include your internal mail servers or a trusted partner mail server.
Mail from an address in the Trusted IP Addresses group can bypass some inbound email analysis. Use of the Trusted IP Addresses group can result in improved email processing time.
Specifically, mail from trusted IP addresses bypasses the following email analysis:
- Global Always Block List (Main > Policy Management > Always Block/Permit)
- Recipient validation (Settings > Users > User Authentication)
- All connection controls except the connection control timeout (Settings > Inbound/Outbound > Connection Control)
- Directory harvest attack (Settings > Inbound/Outbound > Directory Attacks)
- Relay controls (Settings > Inbound/Outbound > Relay Control)
Adding a domain group
The page Add Domain Group is used to add a new domain group.
Add new domain group

On the page Settings > Users > Domain Groups, click Add.
The Add Domain Group page displays.

In the field Domain Group Name, enter a name for the new domain group.
This field is required.

In the field Description, enter a brief description of the domain group.

In the section Domain Group Details, add a predefined domain group; from the field Domain address file, click Browse and navigate to the desired text file.
The file format should be one domain address per line, and the maximum file size is 10 MB. If a file contains any invalid entries, only the valid entries are accepted; the invalid entries are rejected.

Manually add domain entries; in the field Domain address, enter an individual domain address and click >.
The information is added to the Added Domains box on the right. Use wildcards to include subdomain entries (e.g., *.domain.com).

The settings are saved.
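Taking the domain address file rules above together with the Protected Domain group section (message direction and the open-relay case), the following Python is an added example and not Forcepoint's code: it parses a domain address file (one domain per line, 10 MB cap, invalid lines rejected, *.domain.com wildcards for subdomains), builds a group from the accepted entries, and classifies message direction from whether the sender and recipient domains are protected. Two points are assumptions of this example rather than statements on this page: a wildcard entry matches subdomains only, not the bare domain, and the three directions other than open relay are named inbound, outbound and internal. The sample file is constructed.

```python
"""Domain group file handling and message-direction classification from the
Protected Domain group. Added example, not Forcepoint's code. Assumed beyond
the page: "*.domain.com" matches subdomains only, and the directions other
than open relay are inbound, outbound and internal."""

import re
from typing import Iterable, List, Tuple

MAX_FILE_BYTES = 10 * 1024 * 1024
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# A domain entry: optional "*." wildcard prefix, then at least two labels.
_DOMAIN_RE = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})+$")


def parse_domain_group(text: str) -> Tuple[List[str], List[str]]:
    """Split a domain address file into (accepted, rejected) entries."""
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        raise ValueError("domain address file exceeds 10 MB")
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry:
            continue
        (accepted if _DOMAIN_RE.match(entry) else rejected).append(entry)
    return accepted, rejected


class DomainGroup:
    def __init__(self, entries: Iterable[str]):
        self.exact = set()
        self.wildcard = set()   # suffixes taken from "*.domain.com" entries
        for entry in entries:
            entry = entry.lower()
            if entry.startswith("*."):
                self.wildcard.add(entry[2:])
            else:
                self.exact.add(entry)

    def contains(self, domain: str) -> bool:
        d = domain.lower().rstrip(".")
        if d in self.exact:
            return True
        # Suffix match on ".domain.com", so "evil-domain.com" does not match.
        return any(d.endswith("." + suffix) for suffix in self.wildcard)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1]


def message_direction(sender: str, recipient: str, protected: DomainGroup) -> str:
    """Direction follows from which side of the message is in a protected
    domain; neither side protected is the open-relay case the page describes."""
    s = protected.contains(domain_of(sender))
    r = protected.contains(domain_of(recipient))
    if s and r:
        return "internal"
    if s:
        return "outbound"
    if r:
        return "inbound"
    return "open relay"


SAMPLE_FILE = """\
example.com
*.corp.example.net
not valid!
mail.example.org
"""  # constructed sample domain address file

if __name__ == "__main__":
    ok, bad = parse_domain_group(SAMPLE_FILE)
    print("accepted:", ok, "rejected:", bad)
    group = DomainGroup(ok)
    for pair in [("alice@example.com", "bob@eu.corp.example.net"),
                 ("alice@example.com", "x@other.org"),
                 ("x@other.org", "alice@example.com"),
                 ("x@other.org", "y@elsewhere.net")]:
        print(pair, "->", message_direction(*pair, group))
```

The suffix check in `contains` is deliberate: matching on the string ending ".domain.com" rather than merely "domain.com" keeps look-alike domains such as evil-domain.com outside the group.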
Export a domain group
The list of domain address entries in the group is exported to your local drive as a text file.
Remove an entry from the domain group
The entry is removed.
Editing a domain group
The page Settings > Users > Domain Groups is used to edit existing domain groups, including adding or removing individual domains or editing the domain group description.
If a domain is in use, you will be asked to confirm any changes that involve the domain.
Edit a domain group

From the page Settings > Users > Domain Groups, click the domain group name.
The page Edit Domain Group displays.


The settings are saved.
Adding an IP address group
The page Settings > Inbound/Outbound > IP Groups is used to view and add an IP address group.
Add a new IP address group

On the page Settings > Inbound/Outbound > IP Groups, click Add.
The Add IP Group page displays.

In the field IP Address Group Name, enter a name for the new IP address group.
This field is required.

In the field Description, enter a brief description of the IP address group.

In the section IP Address Group, add a predefined IP address group; from the field IP address file, click Browse and navigate to the desired text file.
The file format should be one IP address per line, and the maximum file size is 10 MB.

Manually add IP address entries; in the field IP address, enter an individual IP address and click >.
The information is added to the Added IP Addresses box on the right.

The settings are saved.
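The following Python is an added example, not Forcepoint's code, covering the IP address file rules above together with the Trusted IP Addresses bypass list from the Managing domain and IP address groups section. It parses an IP address file (one address per line, 10 MB cap, invalid entries rejected, duplicates collapsed, and the 1024-address ceiling enforced when the group is the trusted one), then reports which inbound analysis stages a connection from a given address still goes through; the connection control timeout is the one stage a trusted address never skips. The stage names come from the page; the order they are listed in and the sample file are this example's own.

```python
"""IP address group file handling and the Trusted IP Addresses bypass.
Added example, not Forcepoint's code. Stage names are the ones listed on
the page; their order here is an assumption."""

import ipaddress
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

MAX_FILE_BYTES = 10 * 1024 * 1024
TRUSTED_GROUP_LIMIT = 1024

# Inbound analysis named in the bypass list on this page. Everything except
# the connection control timeout is skipped for a trusted address.
INBOUND_STAGES = [
    "connection control timeout",
    "connection controls",
    "Global Always Block List",
    "recipient validation",
    "directory harvest attack prevention",
    "relay controls",
]
NEVER_BYPASSED = {"connection control timeout"}


def parse_ip_group(text: str, limit: Optional[int] = None) -> Tuple[List[IPAddr], List[str]]:
    """Split an IP address file into (accepted, rejected); accepted entries are
    parsed addresses with duplicates removed. limit caps the accepted count."""
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        raise ValueError("IP address file exceeds 10 MB")
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append(entry)       # e.g. a CIDR range or a hostname
            continue
        if ip not in seen:
            seen.add(ip)
            accepted.append(ip)
    if limit is not None and len(accepted) > limit:
        raise ValueError(f"group holds {len(accepted)} addresses, limit is {limit}")
    return accepted, rejected


class TrustedIpGroup:
    def __init__(self, addresses: List[IPAddr]):
        self.addresses = set(addresses)

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.addresses


def stages_for_connection(source_ip: str, trusted: TrustedIpGroup) -> List[str]:
    """Return the inbound analysis stages a connection from source_ip runs."""
    if trusted.contains(source_ip):
        return [s for s in INBOUND_STAGES if s in NEVER_BYPASSED]
    return list(INBOUND_STAGES)


# Constructed sample file: a duplicate, an IPv6 address, a CIDR range and a
# hostname, the last two of which are not single IP addresses.
SAMPLE_FILE = "10.0.0.5\n10.0.0.5\n2001:db8::25\n192.0.2.0/24\nmailhost\n"

if __name__ == "__main__":
    ok, bad = parse_ip_group(SAMPLE_FILE, limit=TRUSTED_GROUP_LIMIT)
    print("accepted:", [str(ip) for ip in ok], "rejected:", bad)
    group = TrustedIpGroup(ok)
    for src in ("10.0.0.5", "198.51.100.7"):
        print(src, "->", stages_for_connection(src, group))
```

Because a trusted address skips recipient validation, directory harvest attack prevention and relay controls, the group should hold only the hosts the page names as candidates, internal mail servers and trusted partner mail servers, and the reject list from `parse_ip_group` is worth reviewing rather than discarding when a file upload silently drops entries.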
Export an IP address group
The list of IP address entries in the group is exported to your local drive as a text file.
Remove an entry from the IP address group
The entry is removed.
Editing an IP address group
The page Edit IP Group is used to edit existing IP address groups, including adding or removing individual IP addresses and editing the IP address group description.
If an IP address is in use, you will be asked to confirm any changes that involve that address.
Edit an IP address group

From the page Settings > Inbound/Outbound > IP Groups, click the IP address group name.
The Edit IP Group page displays.


The settings are saved.
Managing user validation/authentication options
After defining your domain groups, you can determine recipient validation and user authentication settings for users in the user directories you create. See Managing domain and IP address groups. User validation and authentication settings are configured on the page Settings > Users > User Authentication.
The following types of user validation/authentication are available:
• Recipient validation, in which a message recipient is validated before a message is received.
• SMTP authentication, in which a message sender is authenticated before a message is received.
• Personal Email authentication, in which a user is authenticated before accessing the Personal Email Manager facility for managing blocked email. See Configuring Personal Email Manager End User Options.
• Distribution list validation, in which individual members of an email distribution list are validated. If an individual recipient in the group is invalid, the message is rejected just for that individual. All valid recipients in the distribution list receive the message.
Include group email addresses in your user directories to use the distribution list validation option. A message to an invalid group alias is rejected for the entire group of recipients.
Users in a domain group are verified against the corresponding user directory, and specified authentication settings are applied.
Important 
You may create multiple Personal Email Manager user authentication groups. However, any protected domain group (as defined in Settings > Users > Domain Groups) may be included in only one Personal Email Manager user authentication group.
The User Authentication List displays the configured user authentication settings. The Add and Delete buttons are used to add or remove recipient validation and authentication settings.
Adding user authentication settings
The page Settings > Users > User Authentication is used to add new user validation/authentication settings for domain/user directory groups.
Add new user authentication and validation settings

From the page Settings > Users > User Authentication, click Add.
The Add User Authentication page displays.

In the text field Name, enter a name for this set of authentication settings.

From Authentication options, mark the check box for the type of user validation/authentication settings to apply: Recipient Validation, SMTP Authentication, Personal Email Authentication, or Distribution List Validation.
Multiple check boxes can be selected.
• (Optional) If you specify recipient validation, you can mark the associated check box If User Directory is not reachable for Recipient validation, continue to next user directory.
Selecting it allows the system to continue a recipient search in the next user directory listed in the Recipients box of the User Directories section if the current user directory cannot be accessed (e.g., the server is down or not connected).
• If you specify SMTP authentication, you must ensure that the option Allow relays only for senders from trusted IP addresses is selected for both outbound and internal relays on the page Settings > Inbound/Outbound > Relay Control.

From the pull-down menu Domain group, select the domain group to target with your authentication settings.

(Optional) Add or remove domain names from your domain group; from Domains, click Edit.
The Edit Domain Group page displays. Changes you make here are also reflected on the page Settings > Users > Domain Groups. See Editing a domain group.

The user directory is added to the Recipients box.

(Optional) Create a new user directory for these authentication settings; click Add user directory.
The Add User Directory page displays to create a new directory. See Adding and configuring a user directory.


(Optional) Delete a user directory reference from the Recipients box; select it and click Delete.
This action removes the user directory from the Recipients list, but does not delete it from the page Settings > Users > User Directories.

The settings are saved.
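The overview of validation types above and the "continue to next user directory" option in this procedure together define how a recipient list is processed: directories in the Recipients box are searched in order, an unknown individual is rejected on its own, an unknown group alias is rejected for everyone behind it, and with distribution list validation each member is checked separately. The following model is an added example, not Forcepoint code; it exists to make those rules concrete. The directory names, addresses and "reachable" flags are constructed, the real module answers these lookups from its configured user directories, and the page does not say how the appliance responds when a directory is unreachable and the continue option is off, so that case is only reported as "deferred" here.

```python
# Added example (not Forcepoint code): a model of the recipient and
# distribution-list validation rules described on this page, including the
# "If User Directory is not reachable ... continue to next user directory" option.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class UserDirectory:
    name: str
    users: Set[str]                                              # valid individual recipients
    groups: Dict[str, List[str]] = field(default_factory=dict)   # alias -> members
    reachable: bool = True                                       # False simulates "server is down"


@dataclass
class AuthSettings:
    directories: List[UserDirectory]        # the Recipients box, searched in this order
    continue_on_unreachable: bool = False   # the optional check box on the Add page
    distribution_list_validation: bool = False


def resolve(settings: AuthSettings, address: str) -> Tuple[str, List[str]]:
    """Look an address up in the directories in order. Returns ("user", [address]),
    ("group", members), ("unknown", []) or ("deferred", []) when a directory is
    down and the continue option is off (assumption: the page does not say what
    the appliance does then, so it is only reported, not accepted or rejected)."""
    addr = address.strip().lower()
    for directory in settings.directories:
        if not directory.reachable:
            if settings.continue_on_unreachable:
                continue                          # search the next directory instead
            return "deferred", []
        if addr in directory.users:
            return "user", [addr]
        if addr in directory.groups:
            return "group", list(directory.groups[addr])
    return "unknown", []


def validate_recipients(settings: AuthSettings, recipients: List[str]) -> Dict[str, object]:
    """Apply the page's rules to one message's recipient list:
    - an unknown individual recipient is rejected for that recipient only;
    - an unknown group alias is rejected for the entire group;
    - with distribution list validation on, a valid alias is expanded and each
      invalid member is rejected individually while valid members still receive it."""
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    deferred: List[str] = []

    def accept(addr: str) -> None:
        if addr not in accepted:
            accepted.append(addr)

    for rcpt in recipients:
        kind, members = resolve(settings, rcpt)
        if kind == "deferred":
            deferred.append(rcpt)
        elif kind == "unknown":
            rejected[rcpt] = "recipient not found in any user directory"
        elif kind == "user" or not settings.distribution_list_validation:
            accept(rcpt.strip().lower())          # a valid alias is accepted as a whole
        else:
            for member in members:
                mkind, _ = resolve(settings, member)
                if mkind in ("user", "group"):    # nested aliases are not expanded (assumption)
                    accept(member)
                elif mkind == "deferred":
                    deferred.append(member)
                else:
                    rejected[member] = f"invalid member of distribution list {rcpt}"
    return {"accepted": accepted, "rejected": rejected, "deferred": deferred}


# Constructed directories and a constructed recipient list.
LDAP = UserDirectory(
    name="corp-ldap",
    users={"alice@example.test", "bob@example.test"},
    groups={"sales@example.test": ["alice@example.test", "dave@example.test"]},
)
DOWN = UserDirectory(name="legacy-ad", users=set(), reachable=False)
RCPTS = ["alice@example.test", "zed@example.test", "sales@example.test", "nosuchlist@example.test"]


def demo() -> Dict[str, Dict[str, object]]:
    """Four scenarios: list validation on/off, and a down directory with the
    continue option off and on."""
    return {
        "dl_validation_on": validate_recipients(AuthSettings([LDAP], distribution_list_validation=True), RCPTS),
        "dl_validation_off": validate_recipients(AuthSettings([LDAP]), RCPTS),
        "first_directory_down": validate_recipients(AuthSettings([DOWN, LDAP]), ["alice@example.test"]),
        "continue_to_next": validate_recipients(AuthSettings([DOWN, LDAP], continue_on_unreachable=True), ["alice@example.test"]),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The "first_directory_down" scenario is the one to keep in mind when ordering the Recipients box: with the continue option off, a single unreachable directory at the top of the list stalls validation for every recipient, even those a later directory would have answered.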
Editing user authentication settings
The Edit User Authentication page is used to edit existing user authentication settings, including adding or removing user directories from a set of user validation/authentication settings. The user directory entries themselves are modified on the page Settings > Users > User Directories. See Adding user authentication settings.
Edit authentication settings

From the page Settings > Users > User Authentication, click the name of the settings.
The Edit User Authentication Settings page displays.


The changes are saved.
Managing Transport Layer Security (TLS) certificates
Transport Layer Security (TLS) is a protocol that provides an extra layer of security for email communications. Use of this protocol helps prevent devices such as non-trusted routers from allowing a third party to monitor or alter the communications between a server and client. The email security system can receive messages transferred over TLS and can also send messages via this protocol to particular domains.
A default TLS certificate is supplied with Forcepoint Email Security for incoming connections. The email system presents this certificate during TLS communications.
After email product installation, default TLS certificate information appears on the page Settings > Inbound/Outbound > TLS Certificate, in the section TLS Certificate for Incoming Connection. Details include the certificate version, serial number, issuer, and expiration date.
Functionality on this page allows you to generate a new certificate when the default certificate expires. Generating a new certificate overwrites any certificate that currently exists. Additionally, certificates can be imported and exported on the TLS Certificate page.
The TLS Certificate page is additionally used to manage trusted Certificate Authority (CA) certificates for outgoing connections. Forcepoint Email Security uses CA-issued root and intermediate certificates (along with the default CA certificate bundle) to verify a server certificate presented by a third-party mail server during TLS communications.
The Trusted CA Certificate for Outgoing Connection table on the TLS Certificate page displays information about the certificate, including common name, issuer, and expiration date. Import functionality is used to browse to the location of a trusted certificate and add it to the Trusted CA Certificate for Outgoing Connection table. A search function is used to perform a keyword search of all your trusted CA certificates.
Generate a new TLS certificate

A prompt displays to indicate that the existing certificate will be overwritten.

Click Yes.
TLS certificate generation continues.
Search trusted CA certificates by keyword


Click Search.
Search results display below the search bar.

Clear search results; click Clear search filter.
All trusted CA certificates display below the search bar.
See the following sections for details on importing and exporting TLS and CA certificates:
• Importing a TLS certificate
• Exporting a TLS certificate
• Importing a trusted CA certificate
Importing a TLS certificate
Functionality is available on the page Settings > Inbound/Outbound > TLS Certificate to import a certificate from your network, rather than generate a new one. Importing a certificate overwrites any certificate that currently exists.
Import a certificate that is already located on your network

On the page Settings > Inbound/Outbound > TLS Certificate, click Import.
A prompt displays to indicate that the existing certificate will be overwritten.

An Import Certificate area appears below the Import button.

Click Browse and navigate to the certificate file.
When you select a file, its filename appears in the Certificate file field. File format must be .p12 or .pfx.

In the text field Password, enter a password.
Maximum length is 100 characters.

The certificate is imported.
Exporting a TLS certificate
Functionality is available on the page Settings > Inbound/Outbound > TLS Certificate to export a TLS certificate to a location on your network.
Export a TLS certificate

On the page Settings > Inbound/Outbound > TLS Certificate, click Export.
The Export TLS Certificate dialog box displays.

In the text field Password, create a password for the exported file.

In the text field Confirm password, re-enter the password.

Click Yes.
A navigation window displays.

The TLS certificate is saved to the specified location.
Importing a trusted CA certificate
Functionality is available on the page Settings > Inbound/Outbound > TLS Certificate to import a trusted CA certificate from your network.
Import a trusted CA certificate

The Import Trusted CA Certificate dialog box displays.


The certificate is added to the trusted CA certificate table.
Delete a trusted CA certificate
The CA certificate is deleted.
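The TLS Certificate page described above shows the incoming-connection certificate's serial number, issuer and expiration date, overwrites the existing certificate when you import a .p12/.pfx file with its password, and verifies third-party server certificates for outgoing connections against the trusted CA table plus the default CA bundle. The following script is an added example, not Forcepoint code: it performs the same three checks from the command line with the openssl tool before you touch the page, so that a wrong file or password is caught before the current certificate is overwritten, an expiring certificate is noticed before it stops working, and a partner's certificate can be checked against your CA bundle ahead of time. Everything in it is constructed for the example: the throwaway CA, the server name mail.example.test, the file names and the password "changeit"; it assumes openssl 1.1 or later is on PATH.

```python
# Added example (not Forcepoint code): pre-checks for the TLS Certificate page
# using the openssl command-line tool. All names, files and the password are
# constructed for the example; openssl (1.1+) must be on PATH.
import functools
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional


def have_openssl() -> bool:
    return shutil.which("openssl") is not None


def _openssl(*args: str, stdin: Optional[bytes] = None) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True, check=False)


def make_test_material(workdir: Path, password: str) -> Dict[str, Path]:
    """Create a throwaway CA, a server certificate it signs, a PKCS#12 bundle of the
    server key and certificate, and an unrelated self-signed certificate (all constructed)."""
    names = ("ca.key", "ca.pem", "mail.key", "mail.csr", "mail.pem", "mail.p12", "other.key", "other.pem")
    files = {name: workdir / name for name in names}
    steps = [
        ["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(files["ca.key"]),
         "-out", str(files["ca.pem"]), "-days", "30", "-subj", "/CN=Example Test CA"],
        ["req", "-newkey", "rsa:2048", "-nodes", "-keyout", str(files["mail.key"]),
         "-out", str(files["mail.csr"]), "-subj", "/CN=mail.example.test"],
        ["x509", "-req", "-in", str(files["mail.csr"]), "-CA", str(files["ca.pem"]), "-CAkey", str(files["ca.key"]),
         "-CAcreateserial", "-out", str(files["mail.pem"]), "-days", "30"],
        ["pkcs12", "-export", "-in", str(files["mail.pem"]), "-inkey", str(files["mail.key"]),
         "-certfile", str(files["ca.pem"]), "-out", str(files["mail.p12"]), "-passout", f"pass:{password}"],
        ["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(files["other.key"]),
         "-out", str(files["other.pem"]), "-days", "30", "-subj", "/CN=Unrelated CA"],
    ]
    for step in steps:
        proc = _openssl(*step)
        if proc.returncode != 0:
            raise RuntimeError(proc.stderr.decode(errors="replace"))
    return files


def p12_summary(p12: Path, password: str) -> Optional[Dict[str, str]]:
    """Open the .p12/.pfx the way the Import step would and return the fields the
    page displays for the leaf certificate. None means the file or password is
    wrong, which is worth knowing before the import overwrites the current certificate."""
    bundle = _openssl("pkcs12", "-in", str(p12), "-nokeys", "-clcerts", "-passin", f"pass:{password}")
    if bundle.returncode != 0:
        return None
    info = _openssl("x509", "-noout", "-serial", "-issuer", "-enddate", stdin=bundle.stdout)
    if info.returncode != 0:
        return None
    fields = dict(line.split("=", 1) for line in info.stdout.decode().splitlines() if "=" in line)
    return {"serial": fields["serial"].strip(), "issuer": fields["issuer"].strip(),
            "not_after": fields["notAfter"].strip()}


def expires_within(cert: Path, seconds: int) -> bool:
    """True when the certificate's notAfter falls within `seconds` from now
    (openssl -checkend exits non-zero in that case)."""
    return _openssl("x509", "-in", str(cert), "-noout", "-checkend", str(seconds)).returncode != 0


def chains_to_trusted_ca(ca_bundle: Path, peer_cert: Path) -> bool:
    """Verify a peer certificate against only the given trusted CA bundle; the
    default system store is switched off so the answer depends on the bundle alone."""
    proc = _openssl("verify", "-no-CApath", "-no-CAfile", "-CAfile", str(ca_bundle), str(peer_cert))
    return proc.returncode == 0


@functools.lru_cache(maxsize=None)
def demo() -> Dict[str, object]:
    """Run every check once on the constructed material and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        files = make_test_material(Path(tmp), password="changeit")
        return {
            "summary": p12_summary(files["mail.p12"], "changeit"),
            "wrong_password_rejected": p12_summary(files["mail.p12"], "not-the-password") is None,
            "expires_within_1_day": expires_within(files["mail.pem"], 86400),
            "expires_within_60_days": expires_within(files["mail.pem"], 60 * 86400),
            "server_cert_trusted": chains_to_trusted_ca(files["ca.pem"], files["mail.pem"]),
            "unrelated_cert_trusted": chains_to_trusted_ca(files["ca.pem"], files["other.pem"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real file, call p12_summary(Path("mail.pfx"), password) and chains_to_trusted_ca(Path("trusted-cas.pem"), Path("partner.pem")) directly; the demo() function only exists to exercise the checks on material generated in a temporary directory.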
Backing up and restoring manager settings
The email management server maintains several important configuration setting files, including
You may want to retain a backup copy of these settings to use if a system recovery operation is necessary. A backup and restore utility is included with the Email Security module. Backup and restore functions are available on the page Settings > General > Backup/Restore.
The Backup/Restore function includes a Backup and Restore Log, which displays time-stamped backup and restore activities for the manager.
Backup and restore functions for an appliance cluster work properly only when cluster settings have not changed between the backup and restore operations. Unexpected results may occur if any of the following settings have been changed between the backup and restore:
You may need to rebuild a cluster if a restore operation encounters problems.
Backing up settings
Backup functionality is available on the page Settings > General > Backup/Restore. Backup and restore settings on one appliance are applied to all the appliances in your network.
Back up settings

On the page Settings > General > Backup/Restore, from the section Backup Settings, click Backup.
The utility activates and conducts a backup if settings have been defined.

To save your backup settings on the Log Database server, mark the check box Save backup configuration settings files on a remote server.
The text fields in the section Remote Server Access are enabled; enter the following server information:
• Enter the domain if a domain account is used; otherwise, enter the hostname of the SQL Server machine.
• Enter a user with SQL Server log-in permission.
• Enter the password for that user; it may not contain more than one double quotation mark.
• Enter the shared folder path on the remote SQL Server machine (for example, \\10.1.1.2\shared\).

The backup initiates when all configuration is complete. The Backup and Restore Log displays the time-stamped backup logs.
Restoring the settings
The Restore utility returns your settings to the backed-up state stored on the Log Database server. The restore function retrieves the location of the backed-up settings and applies them to the Email Security module configuration files. The Email Security module service restarts automatically after configuration settings are restored.
Restore settings

(Optional) On the page Settings > General > Backup/Restore, from the section Restore Settings, mark the check box Use the backup files on the remote server to restore configuration settings.
• From File location, click Choose File and navigate to the backup files on the remote server.

Click Restore.
The Confirm Configuration Restore Operation dialog box displays.

Click Yes.
The restore operation proceeds.

Copyright 2018 Forcepoint. All rights reserved.