Installing GFI MailSecurity
Introduction
This chapter explains how to install and configure GFI MailSecurity. You can install GFI MailSecurity directly on your mail server or you can choose to install it on a separate machine configured as a mail relay/gateway server. When installing on a separate machine, you must first configure the machine to relay the inbound and outbound emails to your mail server prior to installing this mail security software.
In order to function correctly, GFI MailSecurity requires access to the complete list of all your email users and their respective email addresses. This list is used to generate the email monitoring rules which filter inbound and outbound emails. GFI MailSecurity can obtain the list of email users in two ways: either by querying your Active Directory (requires installing this software in Active Directory mode) or by importing the list from your SMTP Server (requires installing this software in SMTP mode). The mode to be used depends entirely on your network setup and the machine on which you will be installing this mail security software. You can choose the required access mode during the installation of GFI MailSecurity.
Installing GFI MailSecurity on your mail server
Figure 1 - Installing GFI MailSecurity on your mail server
GFI MailSecurity can be installed directly on your mail server, without any additional configuration required. You can also choose either of the two installation modes (i.e., Active Directory mode or SMTP mode) to define how GFI MailSecurity will retrieve the list of email users, since your mail server has access both to the Active Directory and to the list of SMTP users which is held on the mail server itself.
Installing GFI MailSecurity on a mail relay server
Figure 2 - Installing GFI MailSecurity on a mail gateway/relay server
When installing on a separate server (i.e., on a server which is not your mail server), you must first configure that machine to act as a gateway (also known as a "Smart host" or "Mail relay" server) for all your email. This means that all inbound email must pass through this machine for scanning before being relayed to the mail server for distribution (i.e., it must be the first to receive all emails destined for your mail server). The same applies to outbound emails: the mail server must relay all outgoing emails to the gateway machine for scanning before they are conveyed to the external recipients via the Internet (i.e., it must be the last 'stop' for emails destined for the Internet). In this way GFI MailSecurity checks all your inbound and outbound mail before it is delivered to the recipients.
NOTE 1: You must install GFI MailSecurity in SMTP Gateway mode if you are running Lotus Notes or another SMTP/POP3 server.
NOTE 2: If you are running a Windows NT network, the machine running GFI MailSecurity can be totally separate from your Windows NT network - GFI MailSecurity does not require Active Directory when installed in SMTP mode.
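One way to confirm that inbound mail really takes the gateway-first path described above is to inspect the Received headers of a delivered message. The following is an added example, not part of the GFI documentation; the host names and both sample messages are constructed placeholders.

```python
import email
import re

# Constructed placeholders (not from the page): substitute your own host names.
GATEWAY = "mailsec-gw.example.com"    # machine running GFI MailSecurity
MAIL_SERVER = "exchange.example.com"  # internal mail server behind it

# Constructed sample: inbound mail that passed through the gateway first.
SCANNED = """\
Received: from mailsec-gw.example.com (10.0.1.5) by exchange.example.com
 with ESMTP; Mon, 3 Mar 2025 10:00:02 +0000
Received: from mx.sender.example (203.0.113.7) by mailsec-gw.example.com
 with ESMTP; Mon, 3 Mar 2025 10:00:01 +0000
From: a@sender.example
To: user@example.com

body
"""

# Constructed sample: an external host delivered straight to the mail server.
BYPASSED = """\
Received: from mx.sender.example (203.0.113.7) by exchange.example.com
 with ESMTP; Mon, 3 Mar 2025 10:05:00 +0000
From: a@sender.example
To: user@example.com

body
"""

HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)

def hops(raw):
    """Return (from_host, by_host) pairs, oldest hop first."""
    msg = email.message_from_string(raw)
    pairs = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).lower().rstrip(";")))
    return pairs[::-1]  # each relay prepends its header, so reverse the list

def bypassing_hops(raw, gateway=GATEWAY, mail_server=MAIL_SERVER):
    """Hops where the mail server accepted mail from a host other than the gateway.

    Only headers stamped by your own mail server are checked; older hops are
    written by machines you do not control.
    """
    return [(s, d) for s, d in hops(raw) if d == mail_server and s != gateway]
```

A non-empty result from `bypassing_hops` means some mail reaches the mail server without being scanned, typically because an MX record or firewall rule still points at the mail server. The "from" name is whatever the sending host announced, so compare the recorded IP address as well where a strict check is needed.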
Installing GFI MailSecurity in front of your firewall
Figure 3 - Installing GFI MailSecurity on a separate machine on a DMZ
If running a Windows 2000/2003 firewall such as Microsoft ISA Server, a good way to deploy GFI MailSecurity is to install it on a separate machine in front of your firewall or on the firewall itself. This allows you to keep your corporate mail server behind the firewall. GFI MailSecurity will act as a smart host/mail relay server when installed on the perimeter network (also known as DMZ - demilitarized zone).
When GFI MailSecurity is not installed on your mail server:
- You can perform maintenance on your mail server whilst still receiving email from the Internet.
- Fewer resources are used on your mail server.
- Additional fault tolerance - if anything happens to your mail server, you can still receive email. This email is then queued on the GFI MailSecurity machine.
NOTE: GFI MailSecurity does not require a dedicated machine when not installed on the mail server. You can, for example, install GFI MailSecurity on your firewall (i.e., on your ISA Server) or on machines running other applications such as GFI MailEssentials.
Installing GFI MailSecurity on an Active/Passive Cluster
To install GFI MailSecurity on an Active/Passive cluster you must install GFI MailSecurity on each node.
NOTE: Although you can install GFI MailSecurity on an Active/Passive cluster, bear in mind that you still need to configure and manage a GFI MailSecurity installation per node. The configuration settings and quarantine emails are not shared between nodes.
On each node, you have to do the following:
- Install GFI MailSecurity on the node's local hard drive.
NOTE: Do not install GFI MailSecurity on the shared drive.
- Install the GFI MailSecurity WWW virtual directory on the node's Default Web Site.
- If you are installing on an IIS cluster, make sure you bind GFI MailSecurity to the Clustered SMTP Virtual Server instance.
The following steps show you how to install GFI MailSecurity in a typical Active/Passive Cluster environment. For this scenario, assume the cluster, named MAILCLUSTER, is made up of two nodes, named Node1 and Node2.
1. Using the Cluster Administrator console make Node1 active.
2. Install GFI MailSecurity on the local hard drive of Node2 as described in the 'Installing GFI MailSecurity' section of this chapter. When you reach the IIS Setup step of the installation, select Default Web Site to host the GFI MailSecurity WWW virtual directory.
3. When the GFI MailSecurity installation on Node2 completes, you should be able to access the Node2 configuration using the following URL: http://Node2/MailSecurity/
4. From the Cluster Administrator console, make Node2 active.
5. Install GFI MailSecurity 9 on the local hard disk of Node1 as described in the 'Installing GFI MailSecurity' section of this chapter. When you reach the IIS Setup step of the installation, select Default Web Site to host the GFI MailSecurity WWW virtual directory.
6. When the GFI MailSecurity installation on Node1 completes, you should be able to access the Node1 configuration using the following URL: http://Node1/MailSecurity/
7. To access the product configuration of the currently active node use the following URL: http://MAILCLUSTER/MailSecurity/.
8. The installation of GFI MailSecurity on an Active/Passive cluster is now complete.
NOTE: If Service Pack 2 for Microsoft Exchange Server 2003 is not installed on a Microsoft Exchange Server 2003 cluster installation, Internet Information Services Web sites that are hosted on the cluster will not start automatically when an Exchange Server 2003 virtual server fails over to a cluster node. More information about this issue can be found in Microsoft Knowledge Base Article 885440.
Due to the above, the GFI MailSecurity configuration could become unavailable following a failover or moving of an Exchange Virtual Server from one node of the cluster to the other.
Installing Service Pack 2 for Exchange Server 2003 is thus recommended. Guidelines on how to install Exchange Server 2003 service packs in a clustered Exchange Server environment can be found in Microsoft Knowledge Base Article 867624.
To uninstall GFI MailSecurity from the MAILCLUSTER cluster environment outlined above, follow these steps:
1. Using the Cluster Administrator console make Node1 active.
2. Uninstall GFI MailSecurity from Node2.
3. Using the Cluster Administrator console make Node2 active.
4. Uninstall GFI MailSecurity from Node1.
5. The uninstallation of GFI MailSecurity on an Active/Passive cluster is now complete.
Installing GFI MailSecurity 9 on an Active/Active Cluster
Installing GFI MailSecurity 9 on an Active/Active cluster is currently not supported.