SecurMail Administration

SecurMail

Launch the Bomgar Verify Admin GUI and select the SecurMail tab. The following screen is displayed. Searching for “Senders” displays all users who are configured and have sent a SecurMail. Users displayed by the search can be deleted and removed from the system. Searching for “Recipients” displays users who have been sent a SecurMail in “Auto Enroll and Store” mode. Clicking a Recipient search result displays the associated mailbox and provides additional management options:

 

SecurMail - Manage Users

  • The Mailbox can be enabled and disabled
  • The mobile number can be updated
  • The failed login count can be reset; after 10 consecutive bad authentications the mailbox is locked
  • The passcode can be resent via SMS
  • A static password can be applied to the mailbox

 

SecurMail Virus Checking Integration

Emails sent via the “Send Secure” button in Outlook are uploaded to the Security Server and stored in an encrypted state. Virus software deployed on the Security Server cannot check these messages because they are encrypted, so any virus checking must be integrated into the Security Server.

If virus checking is enabled, the message subject, body and any attachments are submitted to a third party virus scanning engine after they are uploaded and before they are encrypted.

If a virus is found, a warning message is displayed at the Outlook agent and sending of the email is aborted.

SecurMail can integrate with any third party virus software that supports a command line interface and will delete infected files.

The following products have been tested:

  • Symantec Scan Engine V4.30
  • Trend Micro Office Scan Corporate Edition 6.5

Integration Procedure

Step 1 Install the third party Virus checker on the Security Server

Step 2 Start a command window (cmd)

Step 3 Test the third party’s recommended command line program with a test document and note the response for a clean file.

Step 4 Test the third party program with an infected test file. Note that non-harmful test viruses can be downloaded from www.rexswain.com/eicar.html

Check that the file is deleted.

Step 5 Update the settings in the server.ini file as detailed below.

Step 6 If disk virus checking is performed, change the virus checker’s configuration to ignore the DATA directory, located by default at:

    For 32 bit installations:
    c:\program files\Bomgar\Security Server\DATA
    For 64 bit installations:
    c:\program files (x86)\Bomgar\Security Server\DATA

Step 7 Recipient reply emails. Reply emails are forwarded as is with no checking.

Make sure the MailHost configured in is set such that emails still pass through any email virus checking gateway that you have installed.

The virus settings of SecurMail are located in the server.ini file in:

    For 32 bit installations:
    c:\program files\Bomgar\Security Server\
    For 64 bit installations:
    c:\program files (x86)\Bomgar\Security Server\

SecurMail settings are located in the SecurMail section.

  • Virus_Checking: Can be set to True or False. If set to True, SecurMail runs the program Virus_Command with the arguments Virus_Command_Args after the Outlook agent has uploaded the message body or attachments. Default: False
  • Virus_Command: The full path to the third party virus checking program.
  • Virus_Command_Args: The arguments to pass to the checking program defined in Virus_Command. Note that $FILENAME$ must be used in place of the test document you checked.
  • Virus_Return: The return message displayed if execution worked and no viruses are found.

Example 1

Integration with Symantec’s Scan Engine V4.30

    For 32 bit installations:
    Virus_Command=c:\program files\Symantec\Scan Engine\savsecls\savsecls.exe
    For 64 bit installations:
    Virus_Command=c:\program files (x86)\Symantec\Scan Engine\savsecls\savsecls.exe
    Virus_Command_Args=-verbose $FILENAME$
    Virus_Return= 0

Example 2

Integration with Trend Micro’s Office Scan Corporate Edition 6.5 with the virus definition file lpt$vpn.335

    For 32 bit installations:
    Virus_Command=c:\program files\Trend Micro\OfficeScan\PCCSRV\Engine\vscanwin32.com
    For 64 bit installations:
    Virus_Command=c:\program files (x86)\Trend Micro\OfficeScan\PCCSRV\Engine\vscanwin32.com
    Virus_Command_Args=/D /NM /NB /C /P
    For 32 bit installations:
    c:\program files\Trend Micro\OfficeScan\PCCSRV\lpt$vpn.335" $FILENAME$
    For 64 bit installations:
    c:\program files (x86)\Trend Micro\OfficeScan\PCCSRV\lpt$vpn.335" $FILENAME$
    Virus_Return=1 files have been checked
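
A pre-flight check for Steps 3 to 5, added here as an example and not part of the Bomgar product or documentation: it reads the Virus_* values from server.ini, runs the scanner on a clean and an infected test file with $FILENAME$ substituted, and reports whether the clean output contains Virus_Return and whether the infected file was deleted. The section header [SecurMail], the substring comparison against Virus_Return, the unquoted file name substitution, and the script's parameter names and scratch folder are assumptions.

```powershell
# Added example, not vendor code. Requires PowerShell 3.0 or later.
# $WorkDir must be excluded from on-access scanning and contain no spaces, because the
# file name replaces $FILENAME$ unquoted (an assumption about how SecurMail substitutes it).
param(
    [Parameter(Mandatory)][string]$IniPath,       # full path to server.ini
    [Parameter(Mandatory)][string]$CleanFile,     # test document from Step 3
    [Parameter(Mandatory)][string]$InfectedFile,  # test virus file from Step 4
    [string]$WorkDir = 'C:\SecurMailScanTest'     # hypothetical scratch folder
)

# Collect key=value pairs from the SecurMail section (header assumed to be [SecurMail]).
$cfg = @{}; $inSection = $false
foreach ($line in Get-Content -LiteralPath $IniPath) {
    if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = $Matches[1] -eq 'SecurMail'; continue }
    if ($inSection -and $line -match '^\s*([^=;]+?)\s*=\s*(.*)$') { $cfg[$Matches[1]] = $Matches[2].Trim() }
}
foreach ($key in 'Virus_Checking', 'Virus_Command', 'Virus_Command_Args', 'Virus_Return') {
    if (-not $cfg[$key]) { throw "$key is missing or empty in the SecurMail section" }
}
if ($cfg['Virus_Checking'] -ne 'True') { Write-Warning 'Virus_Checking is not True: uploads are not scanned.' }
if ($cfg['Virus_Command_Args'] -notlike '*$FILENAME$*') { throw 'Virus_Command_Args lacks $FILENAME$' }
if (-not (Test-Path -LiteralPath $cfg['Virus_Command'] -PathType Leaf)) { throw 'Virus_Command not found' }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Invoke-Scan([string]$Source) {
    # Scan a copy so the original test files survive a successful deletion.
    $copy = Join-Path $WorkDir ([guid]::NewGuid().ToString('N') + [IO.Path]::GetExtension($Source))
    Copy-Item -LiteralPath $Source -Destination $copy
    $scanArgs = $cfg['Virus_Command_Args'].Replace('$FILENAME$', $copy)
    $proc = Start-Process -FilePath $cfg['Virus_Command'] -ArgumentList $scanArgs -NoNewWindow `
                -Wait -PassThru -RedirectStandardOutput "$copy.out"
    $text = [string](Get-Content -LiteralPath "$copy.out" -Raw)
    [pscustomobject]@{
        File        = Split-Path $Source -Leaf
        ExitCode    = $proc.ExitCode
        ReturnMatch = $text.Contains($cfg['Virus_Return'])   # substring match: an assumption
        FileDeleted = -not (Test-Path -LiteralPath $copy)
    }
    Remove-Item -LiteralPath $copy, "$copy.out" -ErrorAction SilentlyContinue
}

$clean = Invoke-Scan $CleanFile
$bad   = Invoke-Scan $InfectedFile
$clean, $bad | Format-Table -AutoSize
if (-not $clean.ReturnMatch -or $clean.FileDeleted) { Write-Error 'Clean file not reported clean: check Virus_Command_Args and Virus_Return.' }
if (-not $bad.FileDeleted) { Write-Error 'Infected file was not deleted: the scanner does not meet the integration requirement.' }
if ($bad.ReturnMatch) { Write-Warning 'Virus_Return also appears in the infected-file output: choose a more specific string.' }
```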

Virtual Directory Security

IIS Virtual Directory Secmail

The server should be hardened according to Microsoft's recommendations. Once installed, only one virtual directory needs to be published externally: Secmail. This can be controlled via IIS properties, a firewall or a reverse proxy server.

It is recommended that no other Bomgar Verify virtual directory is exposed to the Internet unless specifically required.

Microsoft IIS Server

It is recommended that a dedicated instance of the Bomgar Verify SecurMail security server be installed as the public-facing server on the Internet, ideally within the DMZ environment. A reverse proxy such as Microsoft ISA 2010, or one of the various vendor SSL VPNs, is capable of providing this functionality.

For SecurMail access, it is strongly recommended that a trusted public web server certificate is installed on the IIS server.

The only virtual directory that should be accessible from the Internet is "secmail", as this is the only one needed by the recipients. All other virtual directories should be set to be accessible only from the internal network.

Recipients must access the secmail directory over https. Therefore the server (or the reverse proxy in that case) must use a public trusted certificate.

It is considered more secure to use the reverse proxy method, because there is only a single point of access and you share the certificate with other content using the reverse proxy.

Microsoft Windows 2003 Security resource

http://technet.microsoft.com/en-us/library/cc163140.aspx

Microsoft Windows 2008 Security resource

http://technet.microsoft.com/en-us/library/cc514539.aspx

Microsoft Windows 2012 Security resource

http://technet.microsoft.com/en-us/library/jj898542.aspx

Load Balancing and Redundancy

It is recommended that two SecurMail servers be installed for redundancy. These servers can be either software or hardware clustered; alternatively, the data directory can be installed on a NAS or SAN device. The data directory path will be the same on both Bomgar Verify SecurMail servers. The IIS servers need to be configured so that they are active-active or active-passive to each other. Layer 7 switches are one way to load balance across multiple IIS servers running SecurMail. Alternatively, install Microsoft Network Load Balancing (NLB) on both servers. Using NLB, the same data is stored on multiple servers, so if one becomes unavailable, the client is redirected to another server with the same information. Please see http://technet.microsoft.com/en-us/library/cc770558.aspx