What’s New in WatchGuard XCS v9.1 Update 2 WatchGuard XCS v9.1 Update 2 Introduce New Features • • • WatchGuard XCS Outlook Add-in SecureMail Email Encryption Intercept Component Report Install WatchGuard XCS v9.1 Update 2 WatchGuard Training 2 WatchGuard XCS Outlook Add-In WatchGuard Training 3 WatchGuard XCS Outlook Add-in Adds special Spam and Not Spam buttons to your Microsoft Outlook client toolbar • • Spam: Report any spam messages that bypassed the spam filters and were delivered to your inbox Not Spam: Report false positives in which legitimate messages were classified as spam WatchGuard Training 4 WatchGuard XCS Outlook Add-in When you click Spam: • • • • The message can remain in the inbox, be moved to the Junk folder, or deleted (configurable) The message is trained as spam by the WatchGuard XCS The message is relayed to WatchGuard servers for training Sent to spam@mailsupport.watchguard.com The sender is added to your personal Blocked Senders List When you click Not Spam: • • • The message is trained as legitimate mail (Not Spam) by the WatchGuard XCS The message is relayed to WatchGuard servers as legitimate mail training Sent to notspam@mailsupport.watchguard.com The sender is added to your personal Trusted Senders List WatchGuard Training 5 WatchGuard XCS Outlook Add-in Available for these software versions of Outlook: • • Outlook 2003 Outlook 2007 Operating System Support • • • Windows XP Windows Vista Windows 7 Supported locales: • • • • • English (default) French (fr) Spanish (es) Japanese (ja) Simplified Chinese (zh-CHS) WatchGuard Training 6 WatchGuard XCS Outlook Add-in Requirements Software Requirements • • • • .NET Framework 3.5 or greater - Not included with the Outlook Add-in .zip file You must download the .NET Framework software from Microsoft Windows Installer 3.1 Microsoft Office Primary Interop Assemblies (PIA) Visual Studio Tools for Office (VSTO) To download the Add-in for your version of Outlook • • • • Select Support > Microsoft Outlook Add-ins on the XCS menu. The WatchGuard Support Center appears. From the WatchGuard Support Center, select Download Software. Select WatchGuard XCS. Select the download link for the Add-in for your version of Outlook. WatchGuard Training 7 Install the Outlook Add-in To install the WatchGuard XCS Outlook Add-in: 1. Close Microsoft Outlook if it is currently running. 2. Make sure you have downloaded and installed the .NET Framework (3.5 or greater) software. 3. Unzip the download package. 4. Double-click the setup.exe installation file. 5. You are prompted to install each prerequisite software as required. 6. Follow the prompts to install the WatchGuard XCS Outlook Add-in. Note: If you already have the prerequisite software installed, you can install the WatchGuard XCS Outlook Add-in with the XCSOutlook2003AddinInstaller.msi or XCSOutlook2007AddinInstaller.msi file. Network administrators can use the .msi installation file to push the add-in to desktop workstations in an Active Directory domain, but the prerequisite software must already be installed on the desktop workstations or be pushed by the administrator before the add-in installation WatchGuard Training 8 Configure the Outlook Add-in When you launch Outlook, new buttons appear on the toolbar Click Configure WatchGuard Training 9 Configure the Outlook Add-in To configure the Outlook Add-in options on your XCS device, go to Security > Content Control > Custom Actions All options are enabled by default WatchGuard Training 10 Advanced Training Options Available for User Submitted messages at Security > Anti-Spam > Anti-Spam > Token Analysis > Advanced • • User Submitted Limit – Not Spam (Legitimate Mail) User Submitted Limit – Spam WatchGuard Training Default = 2000 messages, 10% source weighting 11 New Default Pattern Filters New default Pattern Filters available for User Submitted messages • Security > Content Control > Pattern Filters WatchGuard Training Sets training action for submitted messages sent to the notspam@mailsupport.watchguard.com and spam@mailsupport.watchguard.com addresses 12 SecureMail Email Encryption WatchGuard Training 13 SecureMail Email Encryption Encrypt outbound messages directly from the WatchGuard XCS without the need for a local encryption server or additional desktop software Messages are secured until they are delivered and decrypted by the recipient of the message Recipients open an attachment to the encrypted message that allows them to create an account on the SecureMail web site and log in to read the message WatchGuard Training 14 SecureMail Email Encryption When encryption is enabled, you can use these features to scan for specific patterns in email messages that indicate the message must be encrypted • • • • • Pattern Filters Objectionable Content Filter Content Scanning Content Rules Document Fingerprinting For example, you can create a Pattern Filter to search for the word “[Encrypt]” in the subject field of a message. • An end user can add this phrase to their message subject header to indicate the message must be encrypted before it is delivered. WatchGuard Training 15 Replaces PostX/CRES Encryption SecureMail Email Encryption subscription replaces the existing WatchGuard XCS Email Encryption technology powered by PostX/CRES (Cisco Registered Envelope Service) Current PostX/CRES customers can continue to use and receive support for PostX Encryption until their current license expires WatchGuard Training 16 How SecureMail Works • • • • • When a user sends a message, the WatchGuard XCS uses pattern and content filters to determine if a specific encryption policy applies to the message. The SecureMail engine communicates with the SecureMail service to generate encryption keys, any branding data, and creates the notification message. SecureMail uses IBE (Identity-Based Encryption), which generates encryption keys based on the sender and recipient email addresses. The message is signed with the sender's public key and delivered to the recipient as a message attachment. The recipient opens the attachment that allows them to register (if this is the first encrypted message received) and authenticate their email address to the SecureMail web site. The SecureMail web site uses the recipient's private session key to allow the recipient to read the unencrypted message. WatchGuard Training 17 Read an Encrypted Message When you receive an encrypted SecureMail message, open the message attachment “message_zdm.html” Click Read Message WatchGuard Training 18 Read an Encrypted Message If this is the first encrypted message you receive, you are prompted to register with the SecureMail service to create an account and establish a password. You must respond to a verification email message before you can open the encrypted message. WatchGuard Training 19 Read an Encrypted Message You must type your password to verify your identity When you are authenticated, the secure message is decrypted and displayed WatchGuard Training 20 Reply to an Encrypted Message You can securely reply to or forward encrypted messages with the same web-based service that allows you to read the encrypted message • Click Reply • • Type your reply, and click Send Secure An encrypted reply is sent to the sender of the original encrypted message WatchGuard Training 21 Reply to an Encrypted Message • • • The SecureMail server sends secure replies on behalf of your organization's email domain, and the email message appears to originate from a SecureMail domain. In certain cases, mail security devices may block these messages because they originate from a different domain than your own. You must make sure that your mail security devices are configured to allow messages from SecureMail servers when secure replies are sent back to your email domain. On the WatchGuard XCS, you can set up a Pattern Filter to Accept these SecureMail server IP addresses: mail1.vsn.voltage.com 165.193.228.181, 205.140.196.245* replaces mail1 address soon mail2.vsn.voltage.com 165.193.228.186, 205.140.196.250* replaces mail2 address soon mail3.vsn.voltage.com 165.193.91.245 mail4.vsn.voltage.com 165.193.91.250 WatchGuard Training 22 Activate SecureMail When you purchase SecureMail Email Encryption, you must activate the subscription from the LiveSecurity activation page. • From the WatchGuard Support page, select Activate a Product. • Log in, select your XCS product, then enter your activation key for SecureMail Email Encryption. WatchGuard Training 23 Activate SecureMail You must provide information about your organization: • • Email Domains – The email domains from which your users will send encrypted messages (example.com, example1.com, etc.) Gateway IP addresses – The public IP addresses from which your WatchGuard XCS device connects to the SecureMail servers. • This is required to authorize only your organization's IP addresses to establish a connection with the SecureMail service. Authorization Code – Authorizes SecureMail Email Encryption for use with your WatchGuard XCS device. WatchGuard Training This code is entered in your SecureMail configuration on the WatchGuard XCS. The Authorization Code must be 15-20 alphanumeric characters in length and cannot contain symbols or spaces. 24 Activate SecureMail You will receive your SecureMail account information and confirmation from WatchGuard customer care in 24-36 hours. WatchGuard Training 25 SecureMail Branding You can display custom logos and branding text for your organization on encrypted message envelopes You must purchase and activate the subscription from the LiveSecurity activation page WatchGuard Training 26 Activate SecureMail Branding Provide the following information: • • Branding Profile code Identifies your branding profile (logo and branding text) on the SecureMail service The branding profile value is entered in your SecureMail configuration on the WatchGuard XCS Can be up to 20 alphanumeric characters, must start with a letter, and cannot contain symbols or spaces Logo After activation, you will be contacted by customer care. You can send a custom logo to customer care to display on your encrypted message envelopes Must be 370 pixels wide and 70 pixels high on a transparent background in gif, jpg or png format WatchGuard Training 27 Configure SecureMail Go to Security > Encryption > SecureMail and select the Enable SecureMail Encryption check box In the Authorization Code text box, you must type your authorization code to authorize SecureMail Email Encryption for use with this WatchGuard device In the Branding Profile text box, type an optional branding profile value that corresponds to your branding profile (logo and text) configured with the SecureMail service • If you type an incorrect Branding Profile value, the default WatchGuard branding appears on the encrypted message envelope From the User List drop-down list, select the list that contains the users allowed to use SecureMail encryption WatchGuard Training 28 Troubleshoot SecureMail Configuration When you apply the SecureMail configuration, the WatchGuard XCS connects to the SecureMail server and tests your configuration. If you receive an error that the WatchGuard XCS cannot contact the SecureMail server, check the following: • • The WatchGuard XCS requires an outbound HTTPS connection on port 443 to connect to the SecureMail server. Make sure this connection is allowed by your network firewall. The SecureMail service returns an XML-based configuration file. Make sure your network firewall or content filter allows XML files. If the connection to the SecureMail server completes, but you receive an error that the Message Encryption verification test failed, check the following: • • Confirm that you correctly entered your Authorization Code. Check the gateway IP addresses you activated with SecureMail to make sure you are connecting from the public IP address of the WatchGuard XCS. WatchGuard Training 29 Configure SecureMail – Upload Users You must upload a list of user email addresses that are permitted to encrypt messages with SecureMail encryption. • If the user does not appear in the list, the message is rejected with the error code "550 Error: content rejected". Create a text file containing a list of user email addresses with one address per line. For example: user1@example.com user2@example.com user3@example.com user4@example.com Click Manage User Lists. (You can also select Security > Content Control > Dictionaries & Lists on the menu) WatchGuard Training 30 Configure SecureMail – Upload Users (continued) Click Browse to select your list of users to upload. From the Character set drop-down list, select the encoding used in the uploaded file. For example, select ASCII. Click Continue. WatchGuard Training 31 Configure SecureMail – Upload Users (continued) In the Name text box, type a descriptive name for the list. From the Type drop-down list, select email. Click Continue to finish uploading the file. WatchGuard Training 32 Configure SecureMail – Upload Users (continued) The SecureMail configuration page displays: • • A summary of users in your encryption list The total number of users in the list and the license limit WatchGuard Training 33 Configure SecureMail – Create Content Filters Use the following features to create content filters to determine messages to encrypt: • • • • • Pattern Filters Objectionable Content Filter Content Scanning Content Rules Document Fingerprinting WatchGuard Training 34 Intercept Component Report WatchGuard Training 35 Intercept Component Report Reports on Intercept Anti-Spam component processing Includes the frequency of spam received based on each spam category, the Token Analysis score of messages received, and the Intercept component contribution • • • Spam Frequency – This graph displays the frequency of Certainly Spam, Probably Spam, and Maybe Spam, received over a period of time Token Analysis Score – This graph displays the number of messages received based on their Token Analysis score Intercept Component Contributions – This table displays statistics on identified spam for each Intercept component that contributed to the overall Intercept score WatchGuard Training 36 Install XCS v9.1 Update 2 Install XCS v9.1 Update 2 If enabled, Security Connection automatically downloads update releases • • Install the update in Administration > Software Updates > Updates The update appears in the Available Updates section • • Select the update, then click Install The device restarts This process can take several minutes to complete! WatchGuard Training 38 Install XCS v9.1 Update 2 (continued) You can also download the update software from the LiveSecurity site • From the Software Downloads page, download the XCS v9.1 Update 2 software [xcs91_update_2.pf] to your local computer Click to download WatchGuard Training 39 Install XCS v9.1 Update 2 (continued) Upload the software update in Administration > Software Updates > Updates • • Click Browse to find the downloaded file on your computer Click Upload WatchGuard Training 40 Install XCS v9.1 Update 2 (continued) The update appears in the Available Updates section Select the update, then click Install The device restarts This process can take several minutes to complete! WatchGuard Training 41 Thank You!