Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring System Settings
Administrator Help | Forcepoint Email Security | Version 8.5.x
Topics:
?
Managing administrator accounts
?
Setting system preferences
?
Managing appliances
?
Configuring an appliance cluster
?
Managing user directories
?
Managing domain and IP address groups
?
Managing user validation/authentication options
?
Managing Transport Layer Security (TLS) certificates
?
Backing up and restoring manager settings
?
Importing a trusted CA certificate
Managing administrator accounts
Administrator Help | Forcepoint Email Security | Version 8.5.x
Forcepoint Email Security module administrator accounts are created on the Global Settings page of the Forcepoint Security Manager. Only a Super Administrator can add, edit, or delete an administrator account.
A Super Administrator can create two types of accounts: local and network. A local account is stored in the local Security Manager database and contains a single user. A network account can contain a single user or a group of users and is stored on a network server. See Forcepoint Security Manager Help for details about managing Security Manager administrators on this page.
Administrator account settings and role assignments that are configured on one appliance are applied to all the appliances in your network.
Access administrator accounts

From the Security Manager, click Global Settings.
The Global Settings page displays.

From the General menu, select Administrators.
The Administrators page displays.
Administrator accounts
Administrator Help | Forcepoint Email Security | Version 8.5.x
The page Settings > Administrators > Delegated Administrators lists all defined Email Security module administrators, their email address, account type, roles, and the administrator's current status (online or offline).
A new administrator is created with the role of Auditor. An Email Security module Super Administrator can assign a default role to a new administrator account or create a new role for that administrator. See Administrator roles for information about adding a new role and defining permissions.
The following table details the default roles available for selection:
Default Role
Description
Super Administrator
Administrators with this role have full access; they can add and remove administrators and edit the profiles and permissions of all other administrators.
Auditor
Administrators with this role can view all configuration settings but not change them.
Reporting Administrator
Administrators with this role can only edit, run, and schedule reports.
Security Administrator
Administrators with this role have access to all general settings and can add domains and set up routes and preferences. Permissions are identical to a Super Administrator, except they cannot manage other administrators.
Policy Administrator
Administrators with this role can create and manage policies only for the specific users or groups managed by this role. Permissions include reporting and quarantine management for these users and groups.
Quarantine Administrator
Administrators with this role can manage specific queues, troubleshoot from logs, and release messages to users from assigned queues.
Group Reporting Administrator
Administrators with this role can edit, run, and schedule reports only for users in specified groups.
Assign administrator roles

From the page Delegated Administrators, click the name of an administrator.
The Edit Administrator page displays.

From the pull-down menu Role, select a new default role.

Create a new role with different permissions; click New Role.

(Optional) View the administrator's current role and permissions; click View Permission.
The View Permission page displays.

Close the View Permission page; click Cancel.

Click OK.
The settings are saved.
Administrator roles
Administrator Help | Forcepoint Email Security | Version 8.5.x
A Super Administrator can create several delegated administrators with a variety of roles and permissions on the page Settings > Administrators > Roles. When creating roles for delegated administrators, you specify the users or groups managed by the role along with the permissions associated with the role, before assigning an administrator to that role. An administrator may be assigned to only one role at a time.
 
 
 
Managed users and user groups settings are used only for the following permissions:
?
Policies
?
Reports
?
Queues and quarantined messages
A user's view of the Email Security module interface is different, depending on that user's specific administrator role. For example, a user with an Auditor role can view the entire Email Security module interface, but cannot modify any settings.
By default, a new Email Security module-specific administrator account is an Auditor account. A Super Administrator can use the following steps to change an administrator's role:
 
 
 
Only one Super Administrator may access an email appliance at a time. Subsequent Super Administrators are assigned an Auditor (or read-only) role when they access the appliance.
Add new administrator role

From the page Roles, click Add.
The Add Role page displays.

In the text field Role Name, enter a name for the new role.

In the text field Description, enter a brief, clear description of the role.

From the Managed users and groups table, define the users or user groups to be managed by this role:

Under the Managed users and groups table, click Add.
The Add Managed Users and Groups dialog box displays.

Enter the email addresses of managed users or groups in one of the following ways:
?
From the field User email address file, click Browse.
The Open window displays.
?
Browse to an email address file, a text file that contains one email address per line and is no larger than 10 MB, and click Open.
The email address file is added.
?
In the field User email addresses, enter the desired email addresses, separated by semicolons.

Click OK.
The user and group settings are saved and the Add Role page displays.
In the section Permissions, define the permissions for this role by selecting the appropriate buttons in the Permissions table.
The following options are available:
 
Module
Permission Options
Policy
Read-only access to all policies
Management
Policies for users managed by this role
All policies
System Settings and Status (includes access to the System Log, the Alerts page, the Message Queues page, and all Settings tab menu items except Administrators)
None
Read-only access
Management
Real-Time Monitor
None
Read-only access
Message Logs (includes access to the Message, Connection, and Email Hybrid Service logs)
None
Read-only access to all message logs
Manage message logs for users managed by this role
Manage all message logs
Audit and Console Logs (includes access to the Audit, Console, and Personal Email Manager logs)
None
Access to logs
Always Block/Permit lists
None
Read-only access
Management
Administrators
None
Read-only access
Management
Reports
None
Reports for users managed by this role
Access to all reports
Queues and quarantined messages
Queue access (None, Access to all queues, Access to selected queues)
Manage all quarantined messages
Manage messages for users managed by this role
Read-only access to all quarantined messages

In the section Administrators, click Assign Role.
The Assign Role dialog box displays.

Select the administrator to whom you want to assign this role.
This role replaces the administrator's current role.

Click OK.

From the page Add Role, click OK.
The new administrator role is saved.
Setting system preferences
Administrator Help | Forcepoint Email Security | Version 8.5.x
The page Settings > General > System Settings is used to configure the following email system preferences:
?
Entering the fully qualified domain name
?
Setting the SMTP greeting message
?
Setting system notification email addresses
?
Configuring administrator console preferences
Entering the fully qualified domain name
Administrator Help | Forcepoint Email Security | Version 8.5.x
The Fully Qualified Domain Name (FQDN) section of the System Settings page is used to define the FQDN. SMTP protocol requires the use of FQDNs for message transfer. If you completed the First-Time Configuration Wizard, the FQDN you entered there appears on this page as the default entry.
If you did not complete the wizard, enter the appliance fully qualified domain name in the field Fully Qualified Domain Name (format is appliancehostname.parentdomain.com).
 
 
Important 
This setting is important for proper email security system operation. You must replace the default fully qualified domain name entry with the correct appliance name.
An incorrect fully qualified domain name may cause disruptions in email traffic flow.
Setting the SMTP greeting message
Administrator Help | Forcepoint Email Security | Version 8.5.x
The SMTP Greeting section of the System Settings page is used to define an SMTP greeting. The SMTP greeting message is the response to a connection attempt by a remote server. It can also be used to indicate that the system is working properly. For example, an SMTP greeting could be:
The email security service is ready.
Enter the SMTP greeting

In the text field SMTP greeting, enter a new start-up message.

Click OK
The settings are saved.
Setting system notification email addresses
Administrator Help | Forcepoint Email Security | Version 8.5.x
The System Notification Email Addresses section of the System Settings page is used to define default notification addresses. The email system can automatically send notifications of system events like a stopped service to a predefined address, often an administrator address. When this address is defined, notification messages can also be sent to or from an administrator email address for other events. For example, configuring a notification to be sent to or from an administrator address when a message triggers a filter (on the page Main > Policy Management > Actions) requires the administrator address to be defined on the page System Settings.
Define system notification email addresses

In the text field Administrator email address, enter the desired recipient address for notifications of system events.

In the text field Default sender email address, enter the desired sender address from which user notification messages should be sent.

Click OK.
The settings are saved.
Configuring administrator console preferences
Administrator Help | Forcepoint Email Security | Version 8.5.x
The Administrator Console Preferences section of the System Settings page is used to configure your desired character set encoding and console language.
Set console preferences

From the pull-down menu Preferred character encoding, select a character set for encoding messages.
The selected character encoding setting is used to decode email attachments, including those for which no character encoding information is available.

From the pull-down menu Administrator console language, select the language that the appliance should use.

Click OK.
The settings are saved.
Managing appliances
Administrator Help | Forcepoint Email Security | Version 8.5.x
Before adding an appliance to the Email Security module, it is necessary to install and configure a Forcepoint appliance. Interface information includes IP address, subnet mask, default gateway, and up to three DNS server IP addresses. See the Forcepoint Appliances Getting Started Guide.
Forcepoint Email Security may be deployed as a virtual appliance. See the Forcepoint Appliances Getting Started Guide for complete information about deploying and configuring a virtual appliance.
Beginning with version 8.5, Forcepoint Email Security may be deployed on a virtual appliance in Microsoft Azure. See Installing Forcepoint Email Security in Microsoft Azure for more information.
 
 
 
You can configure a primary, secondary, and tertiary DNS server, with the secondary and tertiary servers being optional entries.
When it starts, the email appliance polls each DNS server to determine which has the lowest latency level. That server is selected as the "primary" server for DNS queries, regardless of its designation. The other servers may be used for subsequent queries based on the network connection status of the primary server.
If you change either the appliance hostname or C interface IP address on the appliance, you must make the same change on the page Settings > General > Email Appliances. The Email Security module does not detect this change automatically.
Email traffic is usually routed through dedicated appliance interfaces (E1/E2). However, to route traffic through the C interface (for example, to transfer log data to a SIEM server), you need to define a route using the appliance CLI. It is necessary to stop and restart email security services on the appliance each time you add or delete a route on the appliance.
If you are running an Azure deployment, it is necessary to use the C interface for all email traffic.
Appliances overview
Administrator Help | Forcepoint Email Security | Version 8.5.x
You can manage multiple email appliances from the page Settings > General > Email Appliances without having to log on to each machine separately. Managed appliances share a single Log Database, from which email log entries, presentation reports, and the dashboard statistics and charts are generated. The Email Security module and all appliances must share supported versions and subscription key for successful communication among the appliances.
An appliance may operate in standalone mode, which is the default mode when an appliance is added to the Email Security module. You can also create appliance clusters by designating an appliance as a primary machine or as a secondary machine associated with a primary machine. See Designating a primary appliance in a cluster.
The Email Appliances page lists all current system appliances in a table that displays information about the appliance and its status, with functionality to switch to a different appliance that is in standalone mode or to remove an unconnected primary appliance from a cluster. The following table details the functionality on the Email Appliances page:
Option
Description
Hostname
Displays the hostname of the appliance. Selection displays the Edit Appliance page for editing the IP address.
Platform
Displays the appliance platform.
C interface IP address
Displays the appliance C interface IP address.
System Connection Status
Displays the appliance connection status.
Mode
Displays the appliance mode.
Action
Displays the actions available for the appliance; N/A, Launch, or Remove.
Launch is used to switch to a different appliance; Remove is used to remove an unconnected primary appliance from a cluster. When a primary appliance is removed, all its secondary appliances change to standalone mode.
The current and all secondary appliances display "N/A".
Delete
Selection of the appliance and Delete removes the appliance from the Email Appliances page.
An appliance that is being accessed by another user cannot be deleted. Once an appliance is removed from the list, you cannot manage it from the Email Appliances page.
Add an appliance

From the page Settings > General > Email Appliances, click Add.
The Add Appliance dialog box displays.

In the text field C interface IP address, enter the IP address used for communication with the Email Security module.

Click OK.
The dialog box closes and the appliance is added to the Email Appliances page.
 
Important 
Changing the C interface IP address of an appliance terminates the appliance connection with the Email Security module. In order to re-establish the connection, the IP address must also be changed on the Email Security module page Settings > General > Email Appliances.
You should also change the address for the Personal Email Manager notification message (Settings > Personal Email > Notification Message).
For subscriptions that include the Forcepoint Email Security Hybrid Module, the email hybrid service must be re-registered after you change the IP address.
When you add an appliance, it is automatically registered with the Data Security module for data loss prevention (DLP). To complete the registration process and deploy DLP policies, click the Data Security module on the Security Manager toolbar and then click Deploy.
Editing appliance settings from the appliances list
Administrator Help | Forcepoint Email Security | Version 8.5.x
The page Edit Appliance is used to edit the appliance C interface IP address. The system connection status and mode cannot be changed on this page.
Edit appliance settings

From the page Settings > General > Email Appliances, click the hostname of an appliance.
The Edit Appliance page displays.

In the text field C interface IP address, enter the new IP address.

Click OK.
The settings are saved.
Configuring an appliance cluster
Administrator Help | Forcepoint Email Security | Version 8.5.x
An email appliance operates in standalone mode by default, but can be configured in a cluster of appliances to manage a large volume of email traffic. After you have added an appliance to the appliances list on the Email Appliances page, you can change its mode from the default standalone to either primary or secondary on the page Settings > General > Cluster Mode.
?
Some platform limitations apply to appliances in a cluster:
?
A V10000 appliance cannot be configured in a cluster with a V5000 appliance.
?
A virtual appliance may be clustered with other virtual appliances, but not with a physical appliance.
?
Platform versions must match in a cluster.
?
Appliances in a cluster should also have the same message queue configurations. Messages in a secondary appliance queue may be lost if that queue is not configured on the primary machine before the cluster is created.
See Forcepoint Documentation for more information.
 
 
Important 
If you are deploying email protection in an appliance cluster and want to use DLP policies, be sure to register all the primary and secondary cluster machines with the Data Security module before you deploy DLP policies.
If you deploy DLP policies on the primary appliance while you are registering a secondary machine with the Data Security module, the registration process for the secondary machine may not complete.
Designating a primary appliance in a cluster
A primary appliance maintains and displays the configuration settings for all the appliances in its cluster.
Specify a primary appliance in a cluster

On the page Settings > General > Cluster Mode, select the appliance mode Cluster (Primary).
A Cluster Properties box opens with the primary appliance IP address displayed in the field Cluster communication IP address. Secondary appliances use this IP address for cluster communications.
 
 
 
Use of the C appliance interface IP address for communication requires you to define a route in the appliance CLI.
You need to stop and restart email services on the appliance each time you add or delete a route on the appliance.

Click Add.
The page Add Secondary Appliance displays, where you can designate the secondary appliances in this cluster.

From the list of standalone appliances on the left, select the secondary appliances to add to this cluster (up to seven appliances).
(Optional) Add a new appliance that is not already on the list; click Add New Appliance.
The Add Appliance page displays.

Click the arrow button to add the appliances to the Secondary Appliances list.

Click OK.
The appliance is added to the Secondary Appliances list along with its status.

On the page Cluster Mode, click OK.
The appliance is added to the cluster.
View appliance details
?
From the Secondary Appliances list, click the appliance name.
The Appliance Properties dialog box displays with details about the appliance.
Remove a secondary appliance from a cluster
?
From the Secondary Appliances list, select the appliance and click Remove.
The appliance is removed from the cluster.
Managing user directories
Administrator Help | Forcepoint Email Security | Version 8.5.x
A user directory is an important component of email traffic analysis when it is used to set sender/recipient conditions for a policy. It can also provide recipient validation capabilities and be the basis of user logon authentication settings. See Managing user validation/authentication options.
The page Settings > Users > User Directories is used to add a user directory. Available user directories display in table format with functionality to search by keyword or remove a user directory. The following table details the options on the User Directories page.
 
Option
Description
User Directory Name
Displays the name of the user directory.
Selection displays the page Edit User Directory, with functionality to configure the user directory settings.
User Directory Type
Displays the user directory type; for example, Recipient List.
Cache Settings
Displays the user directory cache settings.
Cache Size
Displays the user directory cache size, with functionality to search entries listed in the user directory.
Status
Displays the user directory status.
Action
Displays available actions; for example, Delete.
Search a user directory by keyword

From the Cache Size column on the page Settings > Users > User Directories, click View.
The User Directory Entries page displays.

In the text field, enter a keyword.
Up to 100 characters can be entered.

Click Submit.
The search results display in table format.

Empty the search field and display the complete user directory; click Clear.
Delete a user directory
A user directory may only be deleted if the directory is not currently being used by an email function. For example, if the directory is being used as part of a policy or as part of user authentication settings, it cannot be removed.
?
Select the user directory and click Delete.
The user directory is deleted.
Adding and configuring a user directory
Administrator Help | Forcepoint Email Security | Version 8.5.x
The Add User Directory page is used to add a new user directory. A newly added user directory displays a status of Not referenced, because it is not yet being used by an email function. User directory creation entries are different depending on the type of user directory being added.
Add a new user directory

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select a type; Microsoft Active Directory, IBM LDAP Server, Generic LDAP, Recipient List, or ESMTP.
The User Directory Properties section displays with configuration options for the selected user directory:
?
Microsoft Active Directory
?
IBM LDAP Server Directory
?
Generic LDAP Server Directory
?
Recipient List
?
ESMTP Server Directory

After configuring properties in the section User Directory Properties, click OK.
The user directory is saved.
Microsoft Active Directory
Microsoft Active Directory provides user information management in a Windows environment.
If you plan to use Active Directory and your deployment includes Azure ExpressRoute, some additional configuration is needed in Azure. See the Microsoft article Azure Active Directory (AD) Domain Services for more information.
Configure a Microsoft Active Directory in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select Microsoft Active Directory.
User Directory Properties section displays with options for Microsoft Active Directory.

In the text field Server IP address or hostname, enter the IP address or hostname of your LDAP server.

In the text field Port, enter the port number.
The default is 389.

(Optional) Enable secure LDAP, a nonstandard protocol also known as LDAP over SSL; mark the check box Enable secure LDAP.
Marking this check box changes the default port number to 636.

In the text field Username, enter the username for this appliance.
The Username field can contain the user's username (such as admin), email address (such as admin@mycompany.com), or distinguished name (such as cn=admin, dc=company, dc=com).

In the text field Password, enter the password for this appliance.

In the text field Search domain, enter the LDAP server's search domain name.
This value is used when the search filter is applied.

Verify that the field Search filter contains a standard LDAP query that can use validation variables, for example:
(|(mail=%email%)(userPrincipalName=%email%)
(proxyAddresses=smtp:%email%))

From Cache setting, select either Mirror or Cache address.
?
The Mirror setting means that valid addresses are cached all at once by synchronizing the cache with all the addresses stored on the LDAP server. You can manually synchronize the cache with the LDAP server any time after that by clicking Synchronize for this directory on the User Directories page.
?
The Cache address setting means the cache is updated dynamically. A new, valid address is cached after it is verified with the LDAP server. Remove all addresses from the cache by clicking Clear cache.

In the text field Cache timeout, enter a value in minutes.
The timeout is the amount of time that a valid address remains in the memory cache. If an email message is sent from a previously validated address during this timeout period, the email is delivered without contacting the validation server. However, if another message is sent from this address after the timeout has expired, the server will be contacted to validate the address. Default value is 60 minutes.

Click OK.
The settings are saved.
IBM LDAP Server Directory
An IBM LDAP Server Directory provides user information management on an IBM server.
Configure an IBM LDAP Server Directory in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select IBM LDAP Server.
The User Directory Properties section displays with options for IBM LDAP Server Directory.

In the text field Server IP address or hostname, enter the IP address or hostname of your LDAP server.

In the text field Port, enter the port number.
The default is 389.

(Optional) Enable secure LDAP, a nonstandard protocol also known as LDAP over SSL; mark the check box Enable secure LDAP.
Marking this check box changes the default port number to 636.

In the text field Username, enter the username for this appliance.
The Username field can contain the user's username (such as admin), email address (such as admin@mycompany.com), or distinguished name (such as cn=admin, dc=company, dc=com).

In the text field Password, enter the password for this appliance.

From Cache setting, select either Mirror or Cache address.
?
The Mirror setting means that valid addresses are cached all at once by synchronizing the cache with all the addresses stored on the LDAP server. You can manually synchronize the cache with the LDAP server any time after that by clicking Synchronize for this directory on the User Directories page.
?
The Cache address setting means the cache is updated dynamically. A new, valid address is cached after it is verified with the LDAP server. Remove all addresses from the cache by clicking Clear cache.

In the text field Cache timeout, enter a value in minutes.
The timeout is the amount of time that a valid address remains in the memory cache. If an email message is sent from a previously validated address during this timeout period, the email is delivered without contacting the validation server. However, if another message is sent from this address after the timeout has expired, the server will be contacted to validate the address. Default value is 60 minutes.

Click OK.
The settings are saved.
Generic LDAP Server Directory
A generic LDAP directory provides user information management that is supported on any LDAP server.
Configure a generic LDAP Server Directory in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select Generic LDAP.
The User Directory Properties section displays with options for Generic LDAP Server Directory.

In the text field Server IP address or hostname, enter the IP address or hostname of your LDAP server.

In the text field Port, enter the port number.
The default is 389.

(Optional) Enable secure LDAP, a nonstandard protocol also known as LDAP over SSL; mark the check box Enable secure LDAP.
Marking this check box changes the default port number to 636.

In the text field Username, enter the username for this appliance.
The Username field can contain the user's username (such as admin), email address (such as admin@mycompany.com), or distinguished name (such as cn=admin, dc=company, dc=com).

In the text field Password, enter the password for this appliance.

In the text field Search domain, enter the LDAP server's search domain name.
This value is used when the search filter is applied.

Verify that the field Search filter contains a standard LDAP query that can use validation variables; for example:
(mail=%email%)
(|(mail=%email%)(uid=%email%))

In the text field Mail field, enter any optional email addresses to import.

From Cache setting, select either Mirror or Cache address.
?
The Mirror setting means that valid addresses are cached all at once by synchronizing the cache with all the addresses stored on the LDAP server. You can manually synchronize the cache with the LDAP server any time after that by clicking Synchronize for this directory on the User Directories page.
?
The Cache address setting means the cache is updated dynamically. A new, valid address is cached after it is verified with the LDAP server. Remove all addresses from the cache by clicking Clear cache.

In the text field Cache timeout, enter a value in minutes.
The timeout is the amount of time that a valid address remains in the memory cache. If an email message is sent from a previously validated address during this timeout period, the email is delivered without contacting the validation server. However, if another message is sent from this address after the timeout has expired, the server will be contacted to validate the address. Default value is 60 minutes.

Click OK.
The settings are saved.
Recipient List
A recipient list is a text file that contains a list of email addresses and their associated passwords, one set per line. This file can be used for user recipient validation.
Configure a recipient list in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select Recipient List.

The User Directory Properties section displays with options for Recipient List.

Enable a strong password policy; mark the check box Enforce strong password policy.
With this policy in force, a password must meet the following requirements:
?
Between 8 and 15 characters
?
At least one uppercase letter
?
At least one lowercase letter
?
At least one number
?
At least one special character; supported characters include:
! " # $ & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
If you have an existing recipient list and enable the strong password policy, the email protection system evaluates current passwords in the list against the policy. When this evaluation is complete, a Strength column appears in the Recipient List box, indicating any weak passwords that should be changed. A recipient list that contains weak passwords cannot be saved if the check box Enforce strong password policy is marked.

Add a predefined recipient list file; from the field Recipient information file, click Browse and navigate to the desired text file.
The file format should be one email address and password per line, up to a maximum of 1,000 entries.
 
 
 
If you add a new recipient list file when you already have an active recipient list, the new file will overwrite the current file.

Manually create a recipient list; from the box Enter Recipient Information, enter an individual email address and associated password and click >.
The information is added to the Recipient List box on the right. Continue until all necessary recipients are added.

Click OK.
The settings are saved.
Search the recipient list

From the section Recipient List, enter a keyword in the text box and click Search.
Search results display in the Recipient List box.

View the entire recipient list; click View All.
The entire recipient list displays.
Export the recipient list
?
From the section Recipient List, click Export.
The recipient list is exported to your local drive as a text file.
Remove an entry from the recipient list
?
From the section Recipient List, select an individual entry and click Delete.
The entry is removed.
ESMTP Server Directory
An ESMTP Server Directory provides user authentication and recipient validation using the features in extended SMTP.
Configure an ESMTP Server Directory in the User Directory Properties section

On the page Settings > Users > User Directories, click Add.
The Add User Directory page displays.

In the text field User directory name, enter a name for the user directory.

From the pull-down menu User directory type, select ESMTP.
The User Directory Properties section displays with options for ESMTP Server Directory.

Determine your desired email verification method; from Email verification method, select Use the return status of the VRFY command or Use the return status of the RCPT command:
?
Selection of Use the return status of the VRFY command verifies the email user name.
?
Selection of Use the return status of the RCPT command verifies the email recipient.

In the text field Sender email address, enter an email address for the user directory.

In the text field Cache timeout, enter a value in minutes.
The cache timeout is the amount of time that a valid address remains in the memory cache. If an email message is sent from a previously validated address during this timeout period, the email is delivered without contacting the validation server. However, if another message is sent from this address after the timeout has expired, the server will be contacted to validate the address. Default value is 60 minutes.
Remove all addresses from the cache by clicking Clear cache.

Click OK.
The settings are saved.
Managing domain and IP address groups
Administrator Help | Forcepoint Email Security | Version 8.5.x
A collection of domain names or IP addresses can be defined in a single group for use in email functions. For example, you can define a domain name group to establish domain-based delivery options, or you can define an IP address group for which Reputation Service, Real-time Blacklist (RBL), or directory attack prevention analysis is not performed. IP address groups can also be used for the email encryption functions. Domain groups are added and configured on the page Settings > Users > Domain Groups; IP groups are added and configured on the page Settings > Inbound/Outbound > IP Groups.
You can perform the following operations on domain or IP address groups:
?
Adding a domain group
?
Editing a domain group
?
Adding an IP address group
?
Editing an IP address group
There are two special default groups of domain or IP addresses:
?
Protected Domain group
?
Trusted IP Address group
See Third-party encryption application for information about using the Encryption Gateway default IP address group. Default groups cannot be deleted.
Protected Domain group
The Protected Domain group should contain all the domains that an organization owns and needs the email system to protect. Message direction in the system is determined on the basis of an organization's protected domains:
?
Inbound – The sender address is not from a protected domain and the recipient address is in a protected domain.
?
Outbound – The sender address is from a protected domain and the recipient address is not in a protected domain.
?
Internal – Both the sender and recipient addresses are in a protected domain.
An open relay results when both the sender and recipient addresses are not in a protected domain.
Unless you entered a protected domain name in the Domain-based Route page of the First-time Configuration Wizard, the default Protected Domain group is empty after product installation. Domains may be added to or deleted from the Protected Domain group, the Protected Domain group itself cannot be deleted.
 
 
Important 
Ensure that the Protected Domain group contains all the domains you want your email system to protect.
An open relay is created when mail from an unprotected domain is sent to an unprotected domain within your organization. As a result, all mail from any domain that is not protected may be rejected. Mail from an external trusted IP address to an unprotected domain within your organization bypasses analysis and is delivered.
The email hybrid service uses the Protected Domain group during Forcepoint Email Security Hybrid Module registration to verify that the domains specified in its delivery routes are all from this group. The Protected Domain group should not be used to configure email delivery routes (on the page Settings > Inbound/Outbound > Mail Routing) if you need to define domain-based delivery routes via multiple SMTP servers. See User directory-based routes.
Trusted IP Address group
Like the Protected Domain group, the Trusted IP Addresses default group is empty after product installation. IP addresses may be added to or deleted from the Trusted IP Addresses group, but the Trusted IP Addresses group itself cannot be deleted. The Trusted IP Addresses group may include up to 1024 addresses.
Trusted IP addresses may include your internal mail servers or a trusted partner mail server.
Mail from an address in the Trusted IP Addresses group can bypass some inbound email analysis. Use of the Trusted IP Addresses group can result in improved email processing time.
Specifically, mail from trusted IP addresses bypasses the following email analysis:
?
Global Always Block List (Main > Policy Management > Always Block/Permit)
?
All message controls except message size, invalid recipient, and internal sender verification settings (Settings > Inbound/Outbound > Message Control)
?
Recipient validation (Settings > Users > User Authentication)
?
All connection controls except the connection control timeout (Settings > Inbound/Outbound > Connection Control)
?
Directory harvest attack (Settings > Inbound/Outbound > Directory Attacks)
?
Relay controls (Settings > Inbound/Outbound > Relay Control)
?
Personal Email Manager Always Block List
 
 
Mail from trusted IP addresses does not bypass policy and rule application, and is always subject to antispam and antivirus analysis.
 
Adding a domain group
Administrator Help | Forcepoint Email Security | Version 8.5.x
The page Add Domain Group is used to add a new domain group.
Add new domain group

On the page Settings > Users > Domain Groups, click Add.
The Add Domain Group page displays.

In the field Domain Group Name, enter a name for the new domain group.
This field is required.

In the field Description, enter a brief description of the domain group.

In the section Domain Group Details, add a predefined domain group; from the field Domain address file, click Browse and navigate to the desired text file.
The file format should be one domain address per line, and its maximum size is 10 MB. If a file contains any invalid entries, only valid entries are accepted. Invalid entries are rejected.

Manually add domain entries; in the field Domain address, enter an individual domain address and click >.
The information is added to the Added Domains box on the right. Use wildcards to include subdomain entries (e.g., *.domain.com).

Click OK.
The settings are saved.
Export a domain group
?
From the section Added Domains, click Export.
The list of domain address entries in the group is exported to your local drive as a text file.
Remove an entry from the domain group
?
From the section Added Domains, select an individual entry and click Delete.
The entry is removed.
Editing a domain group
Administrator Help | Forcepoint Email Security | Version 8.5.x
The page Settings > Users > Domain Groups is used to edit existing domain groups, including adding or removing individual domains or editing the domain group description.
If a domain is in use, you will be asked to confirm any changes that involve the domain.
Edit a domain group

From the page Settings > Users > Domain Groups, click the domain group name.
The page Edit Domain Group displays.

Configure the settings.

Click OK.
The settings are saved.
Adding an IP address group
Administrator Help | Forcepoint Email Security | Version 8.5.x
The page Settings > Inbound/Outbound > IP Groups is used to view and add an IP address group.
Add a new IP address group

On the page Settings > Inbound/Outbound > IP Groups, click Add.
The Add IP Group page displays.

In the field IP Address Group Name, enter a name for the new IP address group.
This field is required.

In the field Description, enter a brief description of the IP address group.

In the section IP Address Group, add a predefined IP address group; from the field IP address file, click Browse and navigate to the desired text file.
The file format should be one IP address per line, and its maximum size is 10 MB
 
 
 
The default Encryption Gateway IP address group supports only the entry of individual IP addresses. Subnet address entries are considered invalid and are not accepted for this IP address group.
Subnet addresses may be entered for other default and custom IP address groups.

Manually add IP address entries; in the field IP address, enter an individual IP address and click >.
The information is added to the Added IP Addresses box on the right.

Click OK.
The settings are saved.
Export an IP address group
?
From the section Added IP Addresses, click Export.
The list of IP address entries in the group is exported to your local drive as a text file.
Remove an entry from the IP address group
?
From the section Added IP Addresses, select an individual entry and click Remove.
The entry is removed.
Editing an IP address group
Administrator Help | Forcepoint Email Security | Version 8.5.x
The page Edit IP Group is used to edit existing IP address groups, including adding or removing individual IP addresses and editing the IP address group description.
If an IP address is in use, you will be asked to confirm any changes that involve that address.
Edit an IP address group

From the page Settings > Inbound/Outbound > IP Groups, click the IP address group name.
The Edit IP Group page displays.

Configure the settings.

Click OK.
The settings are saved.
Managing user validation/authentication options
Administrator Help | Forcepoint Email Security | Version 8.5.x
After defining your domain groups, you can determine recipient validation and user authentication settings for users in the user directories you create. See Managing domain and IP address groups. User validation and authentication settings are configured on the page Settings > Users > User Authentication.
The following types of user validation/authentication are available:
?
Recipient validation, in which a message recipient is validated before a message is received.
?
SMTP authentication, in which a message sender is authenticated before a message is received.
?
Personal Email authentication, in which a user is authenticated before accessing the Personal Email Manager facility for managing blocked email. See Configuring Personal Email Manager End User Options.
?
Distribution list validation, in which individual members of an email distribution list are validated. If an individual recipient in the group is invalid, the message is rejected just for that individual. All valid recipients in the distribution list receive the message.
Include group email addresses in your user directories to use the distribution list validation option. A message to an invalid group alias is rejected for the entire group of recipients.
Users in a domain group are verified against the corresponding user directory, and specified authentication settings are applied.
 
 
Important 
You may create multiple Personal Email Manager user authentication groups. However, any protected domain group (as defined in Settings > Users > Domain Groups) may be included in only one Personal Email Manager user authentication group.
Including a protected domain group in more than one Personal Email Manager user authentication group may result in the users of that domain group being denied access to the Personal Email Manager facility.
Add all the user directories that contain the users in this protected domain group to the associated Personal Email Manager authentication group.
The User Authentication List displays the configured user authentication settings. The Add and Delete buttons are used to add or remove recipient validation and authentication settings.
Adding user authentication settings
Administrator Help | Forcepoint Email Security | Version 8.5.x
The page Settings > Users > User Authentication is used to add new user validation/authentication settings for domain/user directory groups.
Add new user authentication and validation settings

From the page Settings > Users > User Authentication, click Add.
The Add User Authentication page displays.

In the text field Name, enter a name for this set of authentication settings.

From Authentication options, mark the check box for the type of user validation/authentication settings to apply: Recipient Validation, SMTP Authentication, Personal Email Authentication, or Distribution List Validation.
Multiple check boxes can be selected.
?
(Optional) If you specify recipient validation, you can mark the associated check box If User Directory is not reachable for Recipient validation, continue to next user directory.
Selection allows the system to continue a recipient search in the next user directory listed in the User Directories section Recipients box if the current user directory cannot be accessed (e.g., server is down or not connected).
?
If you specify SMTP authentication, you must ensure that the option Allow relays only for senders from trusted IP addresses option is selected for both outbound and internal relays on the page Settings > Inbound/Outbound > Relay Control.

From the pull-down menu Domain group, select the domain group to target with your authentication settings.

(Optional) Add or remove domain names from your domain group; from Domains, click Edit.
The Edit Domain Group page displays. Changes you make here are also reflected on the page Settings > Users > Domain Groups. See Editing a domain group.

From the box Current User Directories, select the corresponding user directories to which these authentication settings should apply; mark the check box next to the directory name and click >.
The user directory is added to the Recipients box.

(Optional) Create a new user directory for these authentication settings; click Add user directory.
The Add User Directory page displays to create a new directory. See Adding and configuring a user directory.

In the Recipients box, move selected user directories up or down; select the buttons Move up and Move down.

(Optional) Delete a user directory reference from the Recipients box; select it and click Delete.
This action removes the user directory from the Recipients list, but does not delete it from the page Settings > Users > User Directories.

Click OK.
The settings are saved.
Editing user authentication settings
Administrator Help | Forcepoint Email Security | Version 8.5.x
The Edit User Authentication page is used to edit existing user authentication settings. Functionality is used to configure existing settings as well as add or remove user directories from user validation/authentication settings. User directory entries are modified on the page Settings > Users > User Directories. See Adding user authentication settings.
Edit authentication settings

From the page Settings > Users > User Authentication, click the name of the settings.
The Edit User Authentication Settings page displays.

Configure the settings.

Click OK.
The changes are saved.
Managing Transport Layer Security (TLS) certificates
Administrator Help | Forcepoint Email Security | Version 8.5.x
Transport Layer Security (TLS) is a protocol that provides an extra layer of security for email communications. Use of this protocol helps prevent devices such as non-trusted routers from allowing a third party to monitor or alter the communications between a server and client. The email security system can receive messages transferred over TLS and can also send messages via this protocol to particular domains.
A default TLS certificate is supplied with Forcepoint Email Security for incoming connections. The email system presents this certificate during TLS communications.
After email product installation, default TLS certificate information appears on the page Settings > Inbound/Outbound > TLS Certificate, in the section TLS Certificate for Incoming Connection. Details include the certificate version, serial number, issuer, and expiration date.
Functionality on this page allows you to generate a new certificate when the default certificate expires. Generating a new certificate overwrites any certificate that currently exists. Additionally, certificates can be imported and exported on the TLS Certificate page.
The TLS Certificate page is additionally used to manage trusted Certificate Authority (CA) certificates for outgoing connections. Forcepoint Email Security uses CA-issued root and intermediate certificates (along with the default CA certificate bundle) to verify a server certificate presented by a third-party mail server during TLS communications.
The Trusted CA Certificate for Outgoing Connection table on the TLS Certificate page displays information about the certificate, including common name, issuer, and expiration date. Import functionality is used to browse to the location of a trusted certificate and add it to the Trusted CA Certificate for Outgoing Connection table. A search function is used to perform a keyword search of all your trusted CA certificates.
Generate a new TLS certificate

From the section TLS Certificate for Incoming Connection, click Generate.
A prompt displays to indicate that the existing certificate will be overwritten.

Click Yes.
TLS certificate generation continues.
Search trusted CA certificates by keyword

From the section Trusted CA Certificate for Outgoing Connection, enter a keyword in the text field Search filter.

Click Search.
Search results display below the search bar.

Clear search results; click Clear search filter.
All trusted CA certificates display below the search bar.
See the following sections for details on importing and exporting TLS and CA certificates:
?
Importing a TLS certificate
?
Exporting a TLS certificate
?
Importing a trusted CA certificate
Importing a TLS certificate
Administrator Help | Forcepoint Email Security | Version 8.5.x
Functionality is available on the page Settings > Inbound/Outbound > TLS Certificate to import a certificate from your network, rather than generate a new one. Importing a certificate overwrites any certificate that currently exists.
Import a certificate that is already located on your network

On the page Settings > Inbound/Outbound > TLS Certificate, click Import.
A prompt displays to indicate that the existing certificate will be overwritten.

On the prompt, click Yes.
An Import Certificate area appears below the Import button.

Click Browse and navigate to the certificate file.
When you select a file, its filename appears in the Certificate file field. File format must be .p12 or .pfx.

In the text field Password, enter a password.
Maximum length is 100 characters.

Click OK.
The certificate is imported.
Exporting a TLS certificate
Administrator Help | Forcepoint Email Security | Version 8.5.x
Functionality is available on the page Settings > Inbound/Outbound > TLS Certificate to export a TLS certificate to a location on your network.
Export a TLS certificate

On the page Settings > Inbound/Outbound > TLS Certificate, click Export.
The Export TLS Certificate dialog box displays.

In the text field Password, create a password for the exported file.

In the text field Confirm password, re-enter the password.

Click Yes.
A navigation window displays.

Browse to the location in your network where the certificate and password should be stored and click Save.
The TLS certificate is saved to the specified location
Importing a trusted CA certificate
Administrator Help | Forcepoint Email Security | Version 8.5.x
Functionality is available on the page Settings > Inbound/Outbound > TLS Certificate to import a trusted CA certificate from your network.
Import a trusted CA certificate

In the section Trusted CA Certificate for Outgoing Connection, click Import.
The Import Trusted CA Certificate dialog box displays.

In the Import Trusted CA Certificate dialog box, enter the desired certificate file name or browse to its location in your network.

Click OK.
The certificate is added to the trusted CA certificate table.
Delete a trusted CA certificate
?
From the section Trusted CA Certificate for Outgoing Connection, select a CA certificate and click Delete.
The CA certificate is deleted.
Backing up and restoring manager settings
Administrator Help | Forcepoint Email Security | Version 8.5.x
The email management server maintains several important configuration setting files, including
?
Database configuration
?
Appliances list
?
Administrator settings
?
Presentation report templates and data
You may want to retain a backup copy of these settings to use if a system recovery operation is necessary. A backup and restore utility is included with the Email Security module. Backup and restore functions are available on the page Settings > General > Backup/Restore.
The Backup/Restore function includes a Backup and Restore Log, which displays time-stamped backup and restore activities for the manager.
 
 
 
Because the Backup/Restore utility stops the Email Security module service, backup and restore activities are recorded only in the Backup and Restore log.
Backup and restore functions for an appliance cluster work properly only when cluster settings have not changed between the backup and restore operations. Unexpected results may occur if any of the following settings have been changed between the backup and restore:
?
Appliance mode (cluster or standalone)
?
IP address or hostname
You may need to rebuild a cluster if a restore operation encounters problems.
 
 
 
If you specify your backup file location for a remote server, ensure that your restore operation is configured to restore configuration files from that remote server location.
Backing up settings
?
Backup functionality is available on the page Settings > General > Backup/Restore. Backup and restore settings on one appliance are applied to all the appliances in your network.
 
 
?
The version of the backed up settings must match the version of the currently installed product.
?
Backup and restore settings must both use either local or remote file storage. You cannot restore a local file using remote settings.
?
The backup settings file size may not exceed 10 MB.
?
The following special characters are not supported in backup server entries: |, <, >, and &.
Back up settings

On the page Settings > General > Backup/Restore, from the section Backup Settings, click Backup.
The utility activates and conducts a backup if settings have been defined.

Save your backup settings on the Log Database server, mark the check box Save backup configuration settings files on a remote server.
The text fields in the section Remote Server Access are enabled; enter the following server information:
?
Domain/Hostname
Enter the domain if a domain account is used; otherwise, enter the hostname of the SQL Server machine.
?
User name
Enter a user with SQL Server log-in permission.
?
Password
The password may not contain more than one double quotation mark.
?
Backup/Restore file path
Enter the shared folder path on the remote SQL Server machine (for example, \\10.1.1.2\shared\).

Ensure that the remote log database server is accessible; click Check Status.
The backup initiates when all configuration is complete. The Backup and Restore Log displays the time-stamped backup logs.
Restoring the settings
The Restore utility is used to return your settings to their original, backed up state on the Log Database server. The restore function retrieves the location of the backed up settings and applies them to the Email Security module configuration files. The Email Security module service restarts automatically after configuration settings are restored.
Restore settings

(Optional) On the page Settings > General > Backup/Restore, from the section Restore Settings, mark the check box Use the backup files on the remote server to restore configuration settings.
?
From File location, click Choose File and navigate to the backup files on the remote server.

Click Restore.
The Confirm Configuration Restore Operation dialog box displays.

Click Yes.
The restore operation proceeds.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2018 Forcepoint. All rights reserved.