Typical deployment scenarios

2 Installing GFI MailSecurity : 2.2 Typical deployment scenarios

2.2

Typical deployment scenarios

Installing GFI MailSecurity on your mail server

$C:\Documents and Settings\ozammit\My Documents\MSEC\Manual\images\installing on exch server.png$

Figure 1 - Installing GFI MailSecurity on your mail server

You can install GFI MailSecurity directly on your mail server, without any additional configuration required. Moreover you can also choose any of the two installation modes (i.e., Active Directory mode or SMTP mode) to define how GFI MailSecurity will retrieve the list of email users since your mail server will have access to both the Active Directory as well as to the list of SMTP users which is contained on the mail server itself.

NOTE: GFI MailSecurity can be only installed in the following Microsoft Exchange 2007/2010 installations:

•

Edge Server Role

•

Hub Transport Role (and any other Microsoft Exchange 2007/2010 server roles which are irrelevant to GFI MailSecurity)

•

Mailbox and Hub Transport Server Role (and any other Microsoft Exchange 2007/2010 server roles which are irrelevant to GFI MailSecurity)

Installing GFI MailSecurity on a mail relay server

$C:\Documents and Settings\ozammit\My Documents\MSEC\Manual\images\MSEC on gateway server.png$

Figure 2 - Installing GFI MailSecurity on a mail gateway/relay server

When installing on a separate server (i.e., on a server which is not your mail server), you must first configure that machine to act as a gateway (also known as “Smart host” or “Mail relay” server) for all your email. This means that all inbound email must pass through this machine for scanning before being relayed to the mail server for distribution (i.e., it must be the first to receive all emails destined for your mail server). The same applies for outbound emails: The mail server must relay all outgoing emails to the gateway machine for scanning before they are conveyed to the external recipients via Internet (i.e. it must be the last 'stop’ for emails destined for the Internet). In this way, GFI MailSecurity checks all your inbound and outbound mail before this is delivered to the recipients.

NOTE: You must install GFI MailSecurity in SMTP Gateway mode if you are running Lotus Notes or another SMTP/POP3 server.

NOTE: If you are running a Windows NT network, the machine running GFI MailSecurity can be separate from your Windows NT network - GFI MailSecurity does not require Active Directory when installed in SMTP mode.

Installing GFI MailSecurity in front of your firewall

$C:\Documents and Settings\ozammit\My Documents\MSEC\Manual\images\Perimeter SMTP Server.png$

Figure 3 - Installing GFI MailSecurity on a separate machine on a DMZ

If running a Windows 2000/2003 firewall such as Microsoft ISA Server, a good way to deploy GFI MailSecurity is to install it on a separate machine in front of your firewall or on the firewall itself. This allows you to keep your corporate mail server behind the firewall. GFI MailSecurity will act as a smart host/mail relay server when installed on the perimeter network (also known as DMZ - demilitarized zone).

NOTE: In a Microsoft Exchange Server 2007/2010 environment, the mail relay server in the DMZ can be a machine running Microsoft Exchange Server 2007/2010 with the Edge Transport Server Role installed.

When GFI MailSecurity is not installed on your mail server:

•

You can perform maintenance on your mail server whilst still receiving email from the Internet.

•

Fewer resources are used on your mail server.

•

Additional fault tolerance - if anything happens to your mail server, you can still receive email. This email is then queued on the GFI MailSecurity machine.

NOTE: GFI MailSecurity does not require a dedicated machine when not installed on the mail server. For example, you can install GFI MailSecurity on your firewall (i.e. on your ISA Server) or on machines running other applications such as GFI MailEssentials.

Installing GFI MailSecurity on an Active/Passive Cluster

NOTE: Installing GFI MailSecurity on a Microsoft Exchange Server 2007/2010 cluster environment is currently not supported.

To install GFI MailSecurity on an Active/Passive cluster you must install GFI MailSecurity on each node.

NOTE: Although you can install GFI MailSecurity on an Active/Passive cluster, bear in mind that you still need to configure and manage a GFI MailSecurity installation per node. The configuration settings and quarantine emails are not shared between nodes.

On each node, you have to do the following:

•

Install GFI MailSecurity on the node local hard drive.
NOTE: Do not install GFI MailSecurity on the shared drive.

•

Install the GFI MailSecurity WWW virtual directory on the node’s Default Web Site.

•

If you are installing on an IIS cluster, make sure you bind GFI MailSecurity to the Clustered SMTP Virtual Server instance.

The following steps show you how to install GFI MailSecurity in a typical Active/Passive Cluster environment. For this scenario, assume the cluster, named MAILCLUSTER, is made up of two nodes, named Node1 and Node2.

1. Using the Cluster Administrator console make Node1 active.

2. Install GFI MailSecurity on the local hard drive of Node2 as described in the ‘Installing GFI MailSecurity’ section of this chapter. When you reach the IIS Setup step of the installation, select Default Web Site to host the GFI MailSecurity WWW virtual directory.

NOTE: The Default Web Site IP address of Node2 should not be set to ‘All unassigned’. You should configure the Default Web Site to use the IP address of the MAILCLUSTER machine.

3. When the GFI MailSecurity installation on Node2 completes, you should be able to access the Node2 configuration using the following URL: http://Node2/MailSecurity/

4. From the Cluster Administrator console, make Node2 active.

5. Install GFI MailSecurity on the local hard disk of Node1 as described in the ‘Installing GFI MailSecurity’ section of this chapter. When you reach the IIS Setup step of the installation, select Default Web Site to host the GFI MailSecurity WWW virtual directory.

NOTE: The Default Web Site IP address of Node1 should not be set to ‘All unassigned’. You should configure the Default Web Site to use the IP address of the MAILCLUSTER machine.

6. When the GFI MailSecurity installation on Node1 completes, you should be able to access the Node1 configuration using the following URL: http://Node1/MailSecurity/

7. To access the product configuration of the currently active node use the following URL: http://MAILCLUSTER/MailSecurity/.

NOTE: To access product configuration from a remote machine you must configure the GFI MailSecurity SwitchBoard application, making sure that the MAILCLUSTER name/IP is specified for IIS Mode. For more information, refer to Securing access to the GFI MailSecurity configuration/quarantine section in this chapter.

NOTE: You will only be able to access the URL http://MAILCLUSTER/MailSecurity/ if you assign the IP address of the MAILCLUSTER machine to the Default Web Site for Node1 and Node2 during the IIS Setup installation step.

8. The installation of GFI MailSecurity on an Active/Passive cluster is now complete.

NOTE: If Service Pack 2 for Microsoft Exchange Server 2003 is not installed on a Microsoft Exchange Server 2003 cluster installation, Internet Information Services Web sites that are hosted on the cluster will not start automatically when an Exchange Server 2003 virtual server fails over to a cluster node. More information about this issue can be found in Microsoft Knowledge Base Article 885440.

Due to the above, the GFI MailSecurity configuration could become unavailable following a failover or moving of an Exchange Virtual Server from one node of the cluster to the other.

Installing Service Pack 2 for Exchange Server 2003 is thus recommended. Guidelines on how to install Exchange Server 2003 service packs in a clustered Exchange Server environment can be found in Microsoft Knowledge Base Article 867624.

To uninstall GFI MailSecurity from the MAILCLUSTER cluster environment outlined above, follow these steps:

1. Using the Cluster Administrator console make Node1 active.

2. Uninstall GFI MailSecurity from Node2.

3. Using the Cluster Administrator console make Node2 active.

4. Uninstall GFI MailSecurity from Node1.

5. The uninstallation of GFI MailSecurity on an Active/Passive cluster is now complete.

Installing GFI MailSecurity on an Active/Active Cluster

Installing GFI MailSecurity on an Active/Active cluster is currently not supported.