
Email Security 9.0 MSP Deployment Guide

Setting up an MSP Environment

In a Managed Service Provider (MSP) environment, a Split-Configuration is deployed to help scale for email volume, distribution of load, and to provide redundancy. Split-Configuration allows multiple Remote Analyzers (RA) to be deployed at various locations with a single point of management. Junk Box access and administration is available from the Control Center.

The Control Center is the single point of access for all end users to view and manage their Junk Box for false positives. It is the single point of access for the system administrator to make the necessary changes for Spam Management and Message Tracking via the Auditing page. Microsoft Exchange mail servers and Office 365 are both supported with Email Security.

For other Multi-Tenancy configuration considerations, refer to the Users, Groups, and Organizations > Organizations page for more information.

This section describes how to set up your Email Security configuration for an MSP environment through various Frequently Asked Questions (FAQs). See the following topics for more information:

Distributing Mail Flow to Multiple Remote Analyzers

To distribute Mail Flow evenly across multiple Remote Analyzers, the two best practices are:

* Set up multiple ES devices in the DMZ utilizing a network security appliance to balance the inbound SMTP traffic load.
* Set up ES as the first-touch/last-touch server in the DMZ and use multiple MX records with the same priority or define multiple A records in your DNS zone with the same name and different IP addresses.

NOTE: Email Security hosts can be set on the LAN as well as the DMZ.
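The second practice can be checked against the zone data before mail is cut over. The following is an added example, not part of the original guide or of Email Security: it parses constructed zone records (the example.com names and 192.0.2.x addresses are placeholders) and reports whether inbound SMTP is spread through equal-priority MX records, through multiple A records on one name, or not at all.

```python
from collections import defaultdict

# Constructed zone data; example.com and 192.0.2.0/24 are documentation values.
ZONE_EQUAL_MX = """\
example.com.     3600 IN MX 10 ra1.example.com.
example.com.     3600 IN MX 10 ra2.example.com.
ra1.example.com. 3600 IN A  192.0.2.11
ra2.example.com. 3600 IN A  192.0.2.12
"""
# Same zone with the second Remote Analyzer demoted to a backup preference.
ZONE_BACKUP_MX = ZONE_EQUAL_MX.replace("MX 10 ra2", "MX 20 ra2")
ZONE_MULTI_A = """\
example.com.      3600 IN MX 10 mail.example.com.
mail.example.com. 3600 IN A  192.0.2.11
mail.example.com. 3600 IN A  192.0.2.12
"""

def parse_zone(text):
    """Return (mx, a): mx maps name -> [(preference, host)], a maps name -> [ip]."""
    mx, a = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()  # drop comments, split into fields
        if len(f) < 5 or f[2].upper() != "IN":
            continue
        name, rtype = f[0].lower(), f[3].upper()
        if rtype == "MX" and len(f) >= 6:
            mx[name].append((int(f[4]), f[5].lower()))
        elif rtype == "A":
            a[name].append(f[4])
    return mx, a

def distribution_report(text, domain):
    """Classify how inbound SMTP for `domain` is spread across hosts."""
    mx, a = parse_zone(text)
    records = mx.get(domain.lower(), [])
    if not records:
        return {"mode": "no-mx", "active": [], "backup_only": [], "unresolved": []}
    best = min(pref for pref, _ in records)  # senders try the lowest preference first
    active = sorted(h for p, h in records if p == best)
    backup = sorted(h for p, h in records if p != best)
    if len(active) > 1:
        mode = "equal-priority-mx"
    elif len(a.get(active[0], [])) > 1:
        mode = "multiple-a-records"
    else:
        mode = "not-distributed"
    unresolved = [h for h in active + backup if not a.get(h)]
    return {"mode": mode, "active": active, "backup_only": backup, "unresolved": unresolved}
```

A host listed under `backup_only` receives mail only when every lower-preference host is unreachable, so it does not share the normal load.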

Setting up Split Configuration

By default, the Network Architecture setting is All in One configuration. You can select the Split configuration option and specify if the machine is the Remote Analyzer or the Control Center.

Once the service has restarted and you have logged back into the interface, you can now specify which hosts are the RA in your Split Configuration by clicking the Add Server button for Inbound or Outbound Remote Analyzer Paths.

Setting up the RA for Inbound Mail Flow

To set up a Remote Analyzer for Inbound Mail Flow:

1. Navigate to the System > Network Architecture > Server Configuration page.
   NOTE: You must have your Email Security server configured for Split configuration with a server added as an Inbound Remote Analyzer Path.
2. Click the Add Path button for the Remote Analyzer you want to set up for Inbound Mail Flow.
3. In the Source IP Contacting Path section, select Any source IP address is allowed to connect to this path, but relaying is allowed only for emails sent to one of these domains and add the domains to be filtered for Inbound mail.

Routing Inbound Mail to Mail Servers

1. Navigate to the System > Network Architecture > Server Configuration page.
   NOTE: You must have your Email Security server configured for Split configuration with a server added as an Inbound Remote Analyzer Path.
2. Click the Add Path button for the Remote Analyzer you want to set up for routing Inbound Mail Flow.
3. In the Destination of Path section, select This is an MTA. Route email using MX record routing with these exceptions and add the email addresses or domains. This option allows routing of the message from Email Security to the recipient’s mail server by way of MX records. It also allows for exceptions as explicitly specified by the provided field should the recipient domain’s MX record have unforeseen issues.

Differences between Proxy and MTA Mode

Email Security can run either as an SMTP Proxy or a Mail Transfer Agent (MTA). SMTP Proxy operates by connecting to a destination SMTP server before accepting messages from a sending SMTP server. The MTA service operates by writing messages to disk and allows for routing of a message. The following table shows a few features and whether they are supported in MTA or Proxy mode.

Proxy and MTA Features

| Feature | Supported on MTA | Supported on Proxy |
|---|---|---|
| Spool email | Yes | No |
| Faster, more efficient connections | No | Yes |
| Multiple downstream servers | Yes | No |

Setting up the RA for Outbound Mail Flow

This procedure is similar to creating the inbound paths for each RA. Refer to Setting up the RA for Inbound Mail Flow for more information.

To set up a Remote Analyzer for Outbound Mail Flow:

1. Navigate to the System > Network Architecture > Server Configuration page.
   NOTE: You must have your Email Security server configured for Split configuration with a server added as an Outbound Remote Analyzer Path.
2. Click the Add Path button for the Remote Analyzer you want to set up for Outbound Mail Flow.
3. In the Source IP Contacting Path section, select Only these IP addresses can connect and relay through this path and add the domains to be filtered for Outbound mail.
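The two Source IP Contacting Path options (inbound: any source, relay only to listed domains; outbound: only listed source IPs may relay) are what keep a Remote Analyzer from acting as an open relay. The following is an added example, not part of the original guide or of Email Security: it models both rules and compares them with constructed relay-test results to flag any path that behaves differently. The domains, addresses, probe tuple format and exact-match domain comparison are assumptions.

```python
import ipaddress

# Constructed tenant data: reserved example domains and documentation addresses.
INBOUND_DOMAINS = {"tenant-a.example", "tenant-b.example"}
OUTBOUND_SOURCES = {"192.0.2.25", "192.0.2.26"}

def _domain(rcpt):
    """Domain part of an address, lower-cased, without a trailing dot."""
    local, sep, domain = rcpt.rpartition("@")
    return domain.rstrip(".").lower() if sep and local else ""

def expected(path, source_ip, rcpt):
    """Decision the path rule calls for: 'relay' or 'reject'."""
    if path == "inbound":
        # Any source may connect; relay only to a listed domain (exact match assumed).
        return "relay" if _domain(rcpt) in INBOUND_DOMAINS else "reject"
    if path == "outbound":
        # Only listed source IPs may connect and relay.
        try:
            ip = ipaddress.ip_address(source_ip)
        except ValueError:
            return "reject"
        allowed = {ipaddress.ip_address(a) for a in OUTBOUND_SOURCES}
        return "relay" if ip in allowed else "reject"
    raise ValueError(f"unknown path: {path}")

def find_violations(probes):
    """Return probes whose observed result differs from the path rule."""
    return [p for p in probes if expected(p[0], p[1], p[2]) != p[3]]

# Constructed relay-test results: (path, source IP, RCPT TO, observed result).
PROBES = [
    ("inbound", "198.51.100.7", "user@tenant-a.example", "relay"),
    ("inbound", "198.51.100.7", "user@Tenant-B.example.", "relay"),
    ("inbound", "198.51.100.7", "someone@other.test", "relay"),  # unlisted domain relayed
    ("outbound", "192.0.2.25", "partner@other.test", "relay"),
    ("outbound", "198.51.100.7", "partner@other.test", "reject"),
]
```

Any tuple returned by `find_violations(PROBES)` marks a path whose Source IP Contacting Path setting should be rechecked; here it is the inbound probe addressed to an unlisted domain.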

Routing Outbound Mail flow to the WAN

1. Navigate to the System > Network Architecture > Server Configuration page.
   NOTE: You must have your Email Security server configured for Split configuration with a server added as an Outbound Remote Analyzer Path.
2. Click the Add Path button for the Remote Analyzer you want to set up for routing Outbound Mail Flow.
3. In the Destination of Path section, select This is an MTA. Route email using MX record routing. Queue email if necessary.

Differences between Global Settings and PerOU Settings

Global Settings are meant for the Global Admin as the changes made here are applicable to all Organizations and all domains specified in the global setup of Email Security. The PerOU settings were designed to alleviate some of the administrative overhead for the Global Admin and provide one UI management account access for each tenant.

Spam Management Access for Tenants

The tenant can log into the OU Administrator account specific to their Organization to configure organizational settings, including Spam Management settings. By navigating to the Anti-Spam > Spam Management page, you can select options for managing Definite Spam and Likely Spam. The default setting for Definite Spam and Likely Spam is to quarantine the message in the user’s Junk Box.

Setting up User Accounts

You can leverage LDAP for Email Security to automatically query and update user accounts from your LDAP server by navigating to the System > LDAP Configuration page.

If the client does not have an LDAP server, you can manually add each user to Email Security with complete login capability for Junkbox access and management. Navigate to the Users, Groups & Domains > Users page and click the Add button.

Configuring PerOU LDAP Settings

For PerOU LDAP configuration, log into each organization and navigate to the LDAP page for setup.

1. Navigate to the Users, Groups & Organizations > Organizations page.
2. Click the Sign in as OrganizationAdmin icon for the organization you wish to configure.
3. Once logged in as the OU Admin for the organization, navigate to the System > LDAP Configuration page.

Adding an Email Address for Alerts

To add an external email address for system-related alerts, navigate to the System > Monitoring page and enter the Email address of administrator who receives emergency alerts.

Understanding Connection Management Settings

The Connection Management settings are only supported via the Global Configuration. This feature is not supported on the PerOU side of the Email Security environment. Connection Management settings give access to the DHA, DOS, and Throttling settings, along with the message size limit and number of recipients limit.

Configuring the Auditing Feature

The system administrator can enable the Auditing feature and track the messages that Email Security has received. Auditing is available on both the Global Management interface and the group interface. The PerOU access gives the tenant their own access to their organization’s Auditing to track their own messages if needed.

The Auditing page also displays all of the messages sitting in the JunkStore. You have access to the Message Details of each message. Message Details provide information on the sender’s IP address, the header information (if Archiving is enabled), and the Spam Judgment.

For the group administrator, navigate to the Auditing > Messages page to configure these features.

Spam Filtering Order of Precedence

The following list is the order of precedence for Spam Filtering on Email Security. This list helps to set the expectation for what may be considered a legitimate false positive by end users.

1. Connection management (IP reputation, IP block, IP allow, IP defer, IP Non grey, and IP Greylisted)
2. DHA (Directory Harvest Attack)
3. Virus
4. Policy filter
5. DMARC
6. DKIM
7. SPF
8. Phishing
9. Corporate Allow list
10. Corporate Block list
11. Personal Allow list
12. Personal Block list
13. Foreign Language
14. Collab
15. Bayesian Rules
16. RBL

NOTE: Some features, like SPF and DKIM, have the option to ignore the Allowed List. When you configure to Ignore Allowed Lists, Address Books do not give a “Free Pass” for that specific feature. Unselecting the check box for Ignore Allowed List gives the sender a “Free Pass” for that option only.

For more information on the order of Email Security judgment, refer to the following KB article: https://support.sonicwall.com/sonicwall-email-security/kb/sw14079.

Configuring End User Login Access for Junk Box Summary

The global administrator navigates to the Junk Box Management > Junk Box Summary page and changes the Enable “single click” viewing of messages setting to Full Access. This allows the end user to have full access to their per-user Junk Box by clicking any link within the Junk Box Summary.

To configure login access:

1. Log into Email Security as the global administrator.
2. Navigate to the Users, Groups & Organizations > Organizations page.
3. Click the Sign In as OrganizationAdmin icon of the organization you wish to configure.
4. Once logged in as the OU Admin, navigate to the System > LDAP Configuration page.
   IMPORTANT: LDAP must be configured before continuing.
5. On the LDAP Mappings section, enter the domains.
6. Click Save Changes. This domain appears on the drop-down menu for the Login screen.

Configuring PerOU End User Login

In some cases, the system administrator may prefer to preserve customer privacy. The LDAP Configuration page may be changed to specify an attribute that refers to the email address for the end user. As this may vary for various LDAP servers, the most commonly used attribute could be the UPN for the end user as used in Microsoft platforms.

You may change the User Login Name Attribute to userPrincipalName. This allows the end user to log in using their email address.