M86 Security Knowledge Base

How to customize the unpacking folder location

Charles Creegan — Wed, 10 Mar 2010 08:52:00 GMT

Abstract:

This article applies to:

WebMarshal 6.5 and above

Question:

How to customize the unpacking folder location

Procedure:

In WebMarshal 6.5 and above, you can change the location of the unpacking folder. By default the folder location is the following subfolder of the WebMarshal install location: \Temp\unpacking

Warning: The instructions below are for advanced users and detail how to change the WebMarshal unpacking folder which is used to unpack and scan Web content. It is important that the directory is excluded from on-access or resident virus and spyware scanning. If you do not exclude this folder from scanning, the WebMarshal Engine and or WebMarshal Controller services may be unable to start. If you change the folder location ensure you update your on-access or resident virus and spyware scanners.

To change the unpacking folder, add the following entry to the WMEngine.config.xml file, within the WebMarshal install:

<WebMarshal>   <Engine>     <Config>        <Paths unpacking="<new location>" />     </Config>  </Engine></WebMarshal>

To apply the change, restart the Engine service.

Marshal advises you ensure the Content Analysis rule Block - Unpacking Error is enabled (it is enabled by default).

Notes:

For more information see the following Marshal Knowledge Base articles:

Q10850 : What directories need to be excluded from resident virus scanning and regular

What URLs are required for operation of WebMarshal features?

Charles Creegan — Mon, 08 Mar 2010 10:45:00 GMT

Abstract:

This article applies to:

WebMarshal 6.5 and above

Question:

What URLs are required for operation of WebMarshal features?

Information:

WebMarshal 6.5 includes a number of features that are automatically updated using web-based services.

These services are accessed by the WebMarshal processing node servers.

You should ensure that access to these services is permitted by any firewall or external proxy (and by WebMarshal rules if required by network setup).

The required URLs include:

For TRACEnet service

https://tracenetlicensing.marshal8e6.com
https://tnreclassify.marshal8e6.com (For user reclassification request, if enabled, in version 6.5 through 6.5.3)
https://tnreclassify.m86security.com (For user reclassification request, if enabled, in version 6.5.5 and above)
https://tnfeedback.marshal8e6.com

For Marshal8e6 Filtering List

https://filterlistlicensing.marshal8e6.com

(Note that this URL must also be accessible from the Array Manager at the time of initial configuration of the list.)

https://secureupdate.8e6.com

Note:

Other optional features, such as virus scanner updaters and other URL list updaters, require additional URL access to HTTP and HTTPS sites. Because WebMarshal is a proxy server, it is expected to have full access to the web.

What is the WELF log file format?

Charles Creegan — Mon, 08 Mar 2010 10:38:00 GMT

Abstract:

This article applies to:

WebMarshal 6.X
Security Reporting Center 2.X
WebTrends Firewall Suite 2.X
WebTrends Firewall Suite 3.X
WebTrends Firewall Suite 4.X

Question:

What is the WELF log file format?

Information:

WELF is the WebTrends Enhanced Log file Format.

The WELF Reference defines the WebTrends industry standard log file exchange format. Any firewall or VPN system logging to this format will be compatible with Firewall Suite 2.0 and later, Firewall Reporting Center 1.0 and later, and Security Reporting Center 2.0 and later.

WebMarshal 6.X "Traffic Logging" logs are created in the WELF format.

Log File Format

A log file is made up of records. Each record makes up a single line of the file. Records must be in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. The WebTrends Enhanced Log Format places no restrictions on log file names or log file rotation policies.

Record Format

A record is terminated by the character sequence carriage return-line feed (0x0D-0x0A). There may be no carriage-returns or line-feeds within a record; this format results in a single record per line.

Each record is made up of fields. The record identifier field (id=) must be the first field in a record. All other fields can appear in any order.

Aside from a few required fields, you can decide which optional fields are included in the record. You may want some fields to appear in only certain records because they are only relevant to certain type

How are WebMarshal 6.X browsing times calculated?

Charles Creegan — Mon, 08 Mar 2010 10:29:00 GMT

Abstract:

This article applies to:

WebMarshal 6.X

Question:

How are WebMarshal session and domain browsing times calculated?
Why do WebMarshal time calculations not add up?

Information:

Calculation of browsing time is complex.

For each web site visited the browser will issue many page requests to obtain the necessary style sheets, graphics and text. Some of these requests may not even be to the original domain. A good example is pages which contain advertising, or links to a third party web analytics tool such as Google Analytics.

WebMarshal only sees the requests for pages and cannot determine the actual time spent reviewing a page once it is downloaded. To calculate browsing time for the Active Sessions view and reports, WebMarshal uses a heuristic estimate.

Definitions:

An individual browsing request is called a page view.
A set of browsing requests within a defined time is regarded as a continuous period of browsing, called a session.
A set of requests for items from a single domain is called a visit.

Notes:
WebMarshal records a separate domain visit for each protocol used. For instance, if a user visits a domain by HTTP and HTTPS, WebMarshal records two separate visits.
In WebMarshal 6.5.5 and above, using an application protocol (such as YouTube Video) counts as an additional domain visit.

WebMarshal 6.x allows you to set two values:

The session timeout defaults to 5 minutes (minimum 2 minutes)
The page view padding defaults to 20 seconds (maximum 2 minutes).

Page Vi

WebMarshal Authentication in Multiple Active Directory Domains

Charles Creegan — Mon, 08 Mar 2010 10:16:00 GMT

Abstract:

This article applies to:

WebMarshal 6.X
Microsoft Active Directory

Question:

Can WebMarshal authenticate users in multiple Active Directory domains?
What are the trust requirements for WebMarshal to authenticate AD users?
What are the connectivity requirements for WebMarshal in Active Directory environments?

Information:

WebMarshal 6.0 includes a native Active Directory connector. You can import groups from Active Directory to control browsing through WebMarshal.

Connectivity

All WebMarshal components must be on computers joined to Active Directory. This includes the Array Manager and any separate Processing Servers.

Domain browsing and group import

The WebMarshal user interface only allows you to browse one domain at a time. However, you can import groups from other domains by typing the fully qualified name information for each group.

Domain Trust Scenarios

WebMarshal can import groups and authenticate users from AD domains in the following scenarios:

Single domain

Domains: DOMAIN1
Single Domain
WebMarshal Domain: DOMAIN1
Users: DOMAIN1\User1
Result: DOMAIN1\User1 can authenticate with WebMarshal.

Subdomain

Proxy Caching Recommendations

Charles Creegan — Mon, 08 Mar 2010 10:05:00 GMT

Abstract:

This article applies to:

WebMarshal 6.5 and above

Question:

What are the best practices for configuration of proxy caching hardware and settings?

Information:

Virus Scanning Exclusion

When setting up proxy caching, you must exclude the cache directory from on-access or resident virus/malware scanning. If WebMarshal determines that the cache directory is being scanned, proxy caching will be disabled. To re-enable caching, correct the scanner exclusions and then restart the WebMarshal Proxy service.

Cache Location

By default the cache directory location is within the WebMarshal install location (on each processing node server). This location is appropriate for trial installations and low volumes of traffic.

However, to ensure adequate performance on production servers, M86 Security recommends you place the cache in another location.

Configure the cache on a separate physical disk.

Ideally this disk should be used only for the cache.
At minimum it should be a different disk to the WebMarshal temp (unpacking) and logging directories.
Use a single disk with fast read and seek time. Do not use RAID or mirrored disks (redundancy slows access time).
M86 strongly recommends you use a local disk. The disk must have 100% availability.

In 6.5.5 and above you cannot enter a UNC path. (However these versions will use a UNC path if you entered it previously. If you use a UNC path, the Windows account used to run the WebMarshal Proxy service must have full access to the location.)

Ensure that the cache disk always has some free space (at least 30% free, and preferably more). Set the cache maximum size accordingly. This will help preserve performance.
In an array with more than one processing server, the cache maximum si

What HTML tags are used on WebMarshal notification pages?

Charles Creegan — Mon, 08 Mar 2010 09:57:00 GMT

Abstract:

This article applies to:

WebMarshal 2.X and above

Question:

What HTML tags are used on WebMarshal notification pages?

Information:

This article lists the HTML tags that can be used on WebMarshal notification pages.

Note: When editing WebMarshal notification pages, it is recommended that you make a copy of the existing page, rename it, and then edit the renamed page. Please refer to the WebMarshal User Guide for more detailed instructions on editing notification pages.

{AcceptDetails} and {AcceptUrl}
These tags are used on warning pages. They allow access to be permitted to the site, after the user has clicked the button to accept the warning message.
{DomainName} - available from 6.5.
The domain of the URL that was blocked (used for display purposes)
{DisplayUrl} - available from 6.5.
The URL that was blocked (formatted for display purposes)
{CategoryMatches} and {CategoryMatchesBlank} - available from 6.5.5.
A comma separated list of URL Categories that match the triggered rule.
If no categories match, {CategoryMatches} returns "Uncategorized" while {CategoryMatchesBlank} returns a completely empty (invisible) result.
{Url}
The URL that was blocked.
{UserName}
The domain and user name of the user who was blocked from the site (e.g. domain\username).
{ServerName}
The name of the WebMarshal server.
{RedirectMsg}
The reason why the URL (or file download/upload) was blocked (e.g. "Access to this site was blocked by the rule Block Offensive Language").
{P

Can I use an FTP application through WebMarshal?

Charles Creegan — Mon, 08 Mar 2010 09:47:00 GMT
Abstract:
This article applies to:
WebMarshal
Question:
Can I use an FTP application through WebMarshal?
Reply:
Yes, in addition to web browser applications, some FTP client applications can work with WebMarshal 6.X. The requirements are:
Use passive FTP
Use HTTP/1.1 CONNECT method to access the proxy
For instance, the FileZilla client using "generic proxy" has been used successfully through WebMarshal.
Note:
In WebMarshal 6.1 through 6.5.3, when HTTPS content inspection is enabled, the CONNECT method fails. This issue is corrected in WebMarshal 6.5.5. For more information, see M86 Knowledge Base article Q12950.

Supported Operating Systems and Prerequisite Versions

Charles Creegan — Mon, 08 Mar 2010 09:43:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP 6.7
MailMarshal Web Components (SQM and Web Console)
MailMarshal Exchange 5.2
MailMarshal Exchange 5.3
WebMarshal 6.5
MailMarshal Secure Email Server 5.6
MailMarshal Reporting Console 2.1 (for MailMarshal SMTP and WebMarshal)
Question:
What are the supported operating systems for MailMarshal and WebMarshal?
What version of SQL Server can be used with MailMarshal and WebMarshal?
What versions of IIS and ASP.NET are supported by MailMarshal Web components?
What versions of SQL, IIS and ASP.NET are supported by Marshal Reporting Console?
What versions of ASP.NET are supported by WebMarshal?
What versions of Internet Explorer are supported for MailMarshal Web components?
What versions of ISA Server can be used with WebMarshal as a plugin?
What versions of Microsoft Exchange are supported by MailMarshal Exchange?
Information:
The following table shows supported versions of operating systems and supporting software.
The table reflects the latest versions of Marshal products. For details of previous versions, see the documentation for each version.
The table reflects server requirements. For details of requirements for all user interfaces, see the documentation for each product version.
All 64 bit operating system support is by 32 bit application deployment.
Note: VMWare deployments of the supported operating systems are also supported. See M86 Knowledge Base article Q11828.
Key:
<

What versions of Marshal Security products are currently supported by Marshal Technical Support?

Charles Creegan — Mon, 08 Mar 2010 09:26:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP
MailMarshal Exchange
MailMarshal SPE
MailMarshal SES
Marshal Reporting Console
MailMarshal Appliance e10000
WebMarshal
Marshal EndPoint Security
McAfee for Marshal
Sophos for Marshal
Counterspy for Marshal
PestPatrol for Marshal
MailMarshal Management Pack for MOM
MailMarshal Management Pack for SCOM
Security Reporting Center
Firewall Suite
imMarshal for MSN
Question:
What versions of Marshal products are currently supported by Marshal Technical Support?
Information:
The following tables show the currently supported versions, planned dates of termination of support, and support end dates for discontinued versions.
MailMarshal SMTP (including MailMarshal Secure)

Software Version
Release Date
Discontinued Date
6.7.2.8378
November 10, 2009
Active
6.5.4.7535
May 27, 2009
Active
6.5.3.7407
May 18, 2009
January 31, 2010
6.5.1.7247
April 21, 2009

Changes to Trickle Transfer in WebMarshal 6.5.5 and above

Charles Creegan — Mon, 08 Mar 2010 09:25:00 GMT
Abstract:
This article applies to:
WebMarshal 6.5.5 and above
Question:
How has Trickle Transfer changed in WebMarshal 6.5.5?
How do I use Trickle Transfer and Streaming Content Types in WebMarshal 6.5.5 or above?
Information:
WebMarshal behavior and configuration for large files and streaming media is enhanced in version 6.5.5 and above.
For most installations, no action is required. The change will be handled automatically during upgrade.
Background:
WebMarshal Content Analysis rules (such as TextCensor and virus scanning) require the entire file to be available. This fact can cause several issues for web browsing.
For large files, if a download is held back until the entire file is available, the user's browsing experience is affected.
Software downloads and other very large files could be delayed long enough that the browser times out.
Streaming media present an additional issue because the file will effectively never be complete.
To address these issues, WebMarshal can send part of the file to the browser before completing processing. WebMarshal waits for a configurable time and/or amount of data before beginning to send the file.
Previous behavior:
Versions of WebMarshal before 6.5.5 "trickle" a configurable percentage of large files to the browser. This behavior displays file progress to the user, and also keeps the browser session alive. To resolve the issue of streaming media, certain MIME types could be defined as exempt from content analysis using the Streaming Content Types setting. However, the user still experiences "slow" file download, and streaming media settings can be complex to configure.
Changes in Version 6.5.5 and above:
In version 6.5.5 and above, the percentage trickle setting no longer

Configuring advanced settings for FTP proxy

Charles Creegan — Mon, 08 Mar 2010 09:24:00 GMT
Abstract:
This article applies to:
WebMarshal 6.1 and above
Question:
What is the behavior of WebMarshal with proxied FTP connections?
Using non-browser FTP clients (such as FileZilla or WinSCP) through WebMarshal when HTTPS inspection is enabled
Information:
Non-browser FTP clients use a HTTP proxy such as WebMarshal by issuing a HTTP 1.1 CONNECT request to the proxy (requesting a connection to the remote FTP control port, usually port 21). The server replies with a passive FTP connection on a high port.
In WebMarshal 6.1 through 6.5.3, when HTTPS inspection is enabled, these connections fail. The initial CONNECT request is treated as a request to create a SSL tunnel. The FTP data connection is not allowed.
In WebMarshal 6.5.5 and above, WebMarshal examines the content of the CONNECT request to determine if it is a FTP connection. FTP connections that are established in this way are allowed and the content is inspected as with any other FTP connection.
Configuration:
You can choose to disable the checking of the CONNECT requests, or the inspection of the FTP content sent through these connections (in WebMarshal 6.5.5 and above).
Configure these settings by adding an entry in the WebMarshal Proxy Configuration file (WMProxy.config.xml) as follows:
<WebMarshal> <Proxy> <Config> <FTP detectFTPTunnels="{value}" processTunnelFiles="{value}" /> </Config> </Proxy></WebMarshal>
Where each value can be true or false.
Enter the values in lower case, not including the {} braces, but including the quote marks.
<

Blocking Search Engines that are not Safe Search enforced

Charles Creegan — Mon, 08 Mar 2010 09:24:00 GMT
Abstract:
This article applies to:
WebMarshal 6.5 and above
Question:
How do I block user access to search engines that do not have Safe Search enforced by WebMarshal?
How do I require users to use Safe Search?
Procedure:
WebMarshal 6.5 and above can enforce Safe Search functionality. As of the date of this article Safe Search enforcement is provided for Google, Yahoo!, and Bing.
To ensure that users only use the "safe" engines, you can create WebMarshal rules to allow these engines and block others.
Within the default WebMarshal configuration, you can implement this function as follows:
Create a URL Category named Safe Search Sites
See the Safe Search Sites.txt file attached to this article for the list of URLs to this add to this category.
Import the file to the category using the Import option on the category window.

Create Standard rules similar to the following:

Permit Safe Search Sites
When a web request is received
For any users
And where the URL is a member of Safe Search Sites
Permit access
And do not process any further standard rules

Block Other Search Engines
When a web request is received
For any users
And where the URL is a member of Search Engines

Block Access to this site and display Blocked page
And do not process any further standard rules
To apply this policy to a group of users (such as Standard Users or Restricted Users), create these two rules as the last

Default Rule changes in WebMarshal 6.5.5

Charles Creegan — Mon, 08 Mar 2010 09:23:00 GMT
Abstract:
This article applies to:
WebMarshal 6.5.5
Question:
What are the changes in default policy in WebMarshal 6.5.5?
Information:
As part of development for WebMarshal 6.5.5, the default rules and policy elements have been reviewed.
When you upgrade, your existing rules are retained.
M86 Security recommends you review the changes outlined below, and consider updating your existing rules.
The TRACEnet function and Proxy Caching are enabled by default.
Policy evaluation (rule processing) is enabled by default.
Note that all requests will be denied until users have been imported or IP range groups configured.
Default rules have been reorganized. See the Default Rules document for details.

Using a UNC path for Configuration Backup

Charles Creegan — Mon, 08 Mar 2010 09:23:00 GMT
Abstract:
This article applies to:
WebMarshal 6.5.5 and above
Automatic Configuration Backup
Question:
How do I configure WebMarshal and Windows accounts to allow configuration backup to a UNC path?
Procedure:
WebMarshal Automatic Configuration Backup (6.5.5 and above) can save the backups to a network location specified by a UNC path.
For this function to work, you must run the WebMarshal Array Manager service under an account that has permission to read configuration and write to the remote location.
To set up the account:
Create a Windows account.
Change permission on the WebMarshal install folder to give the account write (modify) access.
Change permission on the remote share (UNC path) to give the account write (modify) access.
Change WebMarshal security (using the WebMarshal Security Tool) to give the account full access to WebMarshal policy.
Open the Windows Services manager and change the logon account for the WebMarshal Array Manager service.
Restart the WebMarshal Array Manager service.
After completing the above steps you can use WebMarshal Server and Array Properties to set the backup directory to the UNC path.
Notes:
If the configuration backup to the network location fails, WebMarshal takes the following actions:
Logs the failure and notifies the administrator.
Attempts to back up configuration to the default location within the WebMarshal install location. If this action fails, again WebMarshal logs the failure and notifies the administrator.

Firefox cannot detect updates

Charles Creegan — Mon, 08 Mar 2010 09:23:00 GMT
Abstract:
This article applies to:
WebMarshal 6.1 and above
Firefox
Symptoms:
WebMarshal HTTPS Content Inspection enabled.
Firefox does not detect version updates.
Attempts to manually check for updates (Help > Check for Updates) will fail with one of the following errors:
Update XML file malformed (200)
AUS: Update XML File Not Found (404)
Causes:
Firefox checks if updates are available by contacting https://aus2.mozilla.org/. As part of this process, Firefox examines the HTTPS certificate to see who it was issued by. If the issuer is unknown, or is not one of the issuers built into Firefox, the update process fails. WebMarshal's content inspection root certificate is not built in and is therefore causing Firefox to fail to update.
Resolution:
Firefox will update correctly if WebMarshal is configured so that it will not inspect connections to https://aus2.mozilla.org/.
To avoid inspecting these connections while using HTTPS Content Inspection for otehr sites, add an HTTPS rule for this site using the action Permit access and do not inspect content.

Issues after uninstalling WebMarshal from one ISA node

Charles Creegan — Mon, 08 Mar 2010 09:22:00 GMT
Abstract:
This article applies to:
WebMarshal 6.X
Microsoft ISA Server
Symptoms:
WebMarshal installed as plug-in to ISA in a multi-node environment
Uninstalled WebMarshal from one node while in plug-in mode
Remaining nodes do not correctly use the WebMarshal plug-in
Causes:
WebMarshal was uninstalled from a node while in plug-in mode. Due to ISA architecture, this action unregisters the plug-in on all nodes.
Resolution:
To recover from this problem, perform the following steps on each ISA processing node (including the node where you uninstalled WebMarshal):
Open the Windows Services control panel. If any WebMarshal services are present and running, stop these services. This action will also stop the ISA firewall service.
Open a command prompt.
Navigate to the WebMarshal install location.
Enter the following command to manually de-register the WebMarshal filter:
regsvr32 -u WMFilter.dll
On the nodes where you want to continue using WebMarshal as a plug-in, enter the following command to re-register the WebMarshal filter:
regsvr32 WMFilter.dll
Start WebMarshal services and any ISA services that were stopped.
Notes:
This problem does not occur if you first re-configure the node to use to WebMarshal Proxy (not ISA plug-in) before uninstallation.

Services do not start after upgrade

Charles Creegan — Mon, 08 Mar 2010 09:22:00 GMT
Abstract:
This article applies to:
WebMarshal
Upgrade from 6.5.3 or below to 6.5.5 or above
Symptoms:
Array Manager does not start after upgrade.
Other services could also fail to start
Causes:
This problem is due to a known issue with .NET Framework 2.0 RTM. The .NET Framework times out while attempting to validate the certificate used to sign the installation.
This problem will not occur if .NET Framework SP1 or above is installed.
Resolution:
Start the services manually.
Notes:
The problem only occurs once at the time of WebMarshal upgrade.
You should consider applying the latest service pack to the .NET framework on affected servers.

Upgrading WebMarshal Array installations

Charles Creegan — Mon, 08 Mar 2010 09:22:00 GMT
Abstract:
This article applies to:
WebMarshal 6.x
Array installations
Question:
What is the correct order for upgrading a WebMarshal array installation with separate Array Manager and Processing Node servers?
Procedure:
To upgrade an array with multiple processing nodes, upgrade the Array Manager first. After upgrading the Array Manager, upgrade any additional processing nodes.
This order minimizes disruption when the version of XML configuration files is changed by the upgrade.
When the Array Manager has been updated you will note the following symptoms until you upgrade the nodes:
A message will be logged in the Node Controller service logs: Warning - General : Contact with the WebMarshal Array Manager has been lost.
WebMarshal Console will show the status of the node's configuration as "out of date" with the previous version.
The nodes will continue to process requests using the last valid configuration.
Notes:
If you upgrade the nodes first, you will experience the following symptoms until the Array Manager is updated:
Proxy and Engine services will not start.
The following error message will be logged by each service: Error - Unexpected Error : An unexpected error has occurred: Fetch policy - Policy file is incorrect version ( should be 5 ).
Once you upgrade the Array Manager, you may need to join the nodes to the array using the Server Tool.

Additions to Release Notes for WebMarshal 6.5

Charles Creegan — Mon, 08 Mar 2010 08:57:00 GMT
Abstract:
This article applies to:
WebMarshal 6.5
Question:
What are the Release Notes for WebMarshal 6.5?
What are the Release Notes for WebMarshal Reports 6.5?
Information:
The Release Notes and Reports Release Notes included with WebMarshal 6.5 are accurate as of the date of publication.
The latest release is 6.5.5 (6.5.5.6975, March 9, 2010).
This article will provide any additional information generated after that date.
For specific information about an item fixed in the 6.5.3 release, see M86 Knowledge Base article Q12944.

How do I customize the initial 220 response greeting string that MailMarshal returns to a sender?

Charles Creegan — Sun, 07 Mar 2010 09:55:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP 5.X
MailMarshal SMTP 6.X
Question:
How do I customize the initial 220 response greeting string that MailMarshal returns to a sender?
Procedure:
You can change both the Greeting String and Received field information from the advanced Receiver properties in the MailMarshal Configurator.
MailMarshal SMTP 6.5 and above:
Go to Tools | MailMarshal Properties | Receiver Properties | Advanced.
MailMarshal SMTP 6.0 through 6.4:
Go to Tools | Server and Array Properties | Advanced tab.
Click the Additional Options button.
Click the Receiver tab.
MailMarshal SMTP 5.X:
Go to Tools | Server Properties | Advanced tab.
Click the Additional Options button.
Click the Receiver tab.
Notes:
Example Greeting string: 220 ExchangeServer.Company.com ESMTP MailMarshal (v5.5.5.9) Ready
This article was previously published as:
NETIQKB37854

MailMarshal for Exchange Engine takes a long time to start.

Charles Creegan — Sun, 07 Mar 2010 09:29:00 GMT
Abstract:
This article applies to:
MailMarshal Exchange 5.X
Symptoms:
MailMarshal Exchange Engine takes a long time to start.
MailMarshal Exchange Engine is slow to start.
MailMarshal Exchange Engine is taking too long to start.
MailMarshal Exchange is not starting or restarting in an acceptable amount of time.
MailMarshal Exchange takes in excess of 5 to 10 minutes to start.
Error: 'Unable to get groups from domain <cn=users,cn=builtin,dc=server,dc=domain,dc=com> - <Not enough storage is available to complete this operation.>'
Causes:
On startup, MailMarshal Exchange attempts to download the entire tree from the Global Catalog. If the entire tree for the organization is substantially large, or if there are Global Catalog server issues, MailMarshal may not be able to complete the download in an acceptable amount of time.
Reply:
In MailMarshal Exchange 5.0.3.30, a change was made to the Engine service to allow domains to be excluded from the Global Catalog lookup.
This change requires the following registry modifications:
Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Marshal cannot guarantee that problems resulting from the incorrect use of Registry Editor can be resolved. Make sure that you backup your Registry prior to making any changes.
Launch the Microsoft Registry Editor.
Go to the following key: HKEY_LOCAL_MACHINE | SOFTWARE | Marshal Software | MailMarshal Exchange | Default | Engine.
Add the key ADDomainExclusions as a multi-string value. The k

Configuring the Authentication Bypass Cache

Charles Creegan — Thu, 04 Mar 2010 09:50:00 GMT
Abstract:
This article applies to:
WebMarshal 6.5 and above
Question:
Authentication problems when using Apple clients through WebMarshal
Authentication problems when using Microsoft Silverlight Player through WebMarshal
Authentication problems with browser helper applications
Background:
In certain circumstances, browsers and browser plug-ins on the Apple Macintosh operating systems fail to authenticate with the Proxy. These pieces of software see the authentication request as a general failure and fail the request.
Other browser plug-ins can also have this problem. Silverlight Player is a known example.
The Authentication Bypass mechanism described here is an advanced feature designed to overcome this limitation in the client software. It is not limited to the named clients and could be used anywhere that a similar problem occurs.
Procedure:
The authentication bypass mechanism makes a short-term association between an IP address and a user.
When a user is authenticated with WebMarshal from a particular workstation, any new connections made to the Proxy from that workstation will be automatically authenticated with the user's credentials, based on the IP address.
A number of configuration options are available to ensure that the feature applies only to an intended set of client workstations, and only to certain software clients.
This feature is configured by making changed to the WMProxy.config.xml file on the WebMarshal server, or on each processing node in a WebMarshal array. To apply the changes, restart the WebMarshal Proxy service.
Two sample configuration sections are shown below.
Note: You must modify the examples to suit the local e

How do I verify the score a missed message received in SpamCensor?

Charles Creegan — Thu, 04 Mar 2010 09:30:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP
Question:
How do I verify the score a missed message received in SpamCensor?
How do I log all spam (SpamCensor) results?
How do I verify the score a missed message received from SpamProfiler (MailMarshal 6.7 and above)?
Procedure:
You may want to view the spam scoring of messages that were not blocked by MailMarshal. By default, MailMarshal will only log results to the engine log file if the SpamCensor or SpamProfiler triggers. If you want to log all results, regardless of whether or not the features trigger, you will need to modify the registry of the MailMarshal Server.
Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Marshal cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Make sure that you backup your Registry prior to making any changes.
Open the Registry Editor.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\MailMarshal\Default\Engine.
Add a new DWORD value named LogSpamAlways.
Set the value to 0 for false, or 1 for true (i.e. log all results).
Save your registry settings.
On MailMarshal 5.x, reload the rules, and restart the MMEngine service
On MailMarshal 6.x, restart the MMArrayManager service, commit configuration changes, then restart the MMController service on each node.
Notes:
This feature was added for SpamCensor in MailMarshal SMTP version 5.5.3.2.
This feature was added for SpamProfiler in MailMarshal SMTP version 6.7.
This article was previously published as:
NETIQKB39846

Blended Threats Module updates fail

Charles Creegan — Wed, 03 Mar 2010 07:08:00 GMT
Abstract:
This article applies to:
MailMarshal 6.7 and above
Windows 2003 SP2 and above
Question:
Why do Blended Threats Module updates fail?
Error message: HttpPost: 12057
Information:
If your Blended Threats Module (BTM) updates fail it can be because the MailMarshal Engine (processing node server) has been denied access to the Internet (HTTP and HTTPS). You must allow this access to use the BTM. You can configure MailMarshal to use a proxy server if required for node access. For details, see the documentation for "Internet Access" for your version of MailMarshal.
If you can confirm the MailMarshal node does have access to the Internet, you may need to change the account used to run the Engine service.
This step is typically required on Windows Server 2008, or Server 2003 with current updates, where access is via a proxy server. (For details of the issue, see the Notes section of this article.)
The account you select must:
Have permission to log on to the server
Be a member of the local Administrators group on the server
Have a valid user profile on the server
Have ability to browse the web, including configuration of any proxy settings within Internet Explorer if required.
If you have an array of MailMarshal servers, follow the steps below on each processing node server:
To change the account and confirm access:
Log on to the MailMarshal node server using the account you plan to use for the Engine service.
Using Internet Explorer, if necessary add proxy details.
Browse to the following sites (browsing to the sites verif

FTP over HTTP: Unauthorized - Error 401

Eric Hanson — Mon, 01 Mar 2010 11:34:00 GMT
Abstract:
Description
When trying to access an FTP site, error 401 with error reason: “FTP over HTTP: Unauthorized” is returned.

Symptoms
When browsing to a password protected FTP site through the Vital Security Web Appliance, the browser returns the following error:

When browsing straight to the web-site, a dialog box which requires the user credentials appears:

Cause
The problem is caused because the Vital Security Web Appliance is trying to access the FTP server with an anonymous account, which results in a failed login attempt.

Solution
In order to resolve this issue, the login credentials should be included in the URL in the following format: ftp://username:password@ftp.adress.com

Software Version
8.3.x
8.4.x
8.5.0

This article applies to:
NG 1000
NG 5000
NG 6000
NG 8000
This article was previously published as:
Finjan KB 1576

How do I take my Enterprise Reporter out of evaluation mode?

Imran Chaudhry — Mon, 22 Feb 2010 02:43:00 GMT
Abstract:
This article applies to:
Enterprise Reporter
Question:
How do I take my Enterprise Reporter out of evaluation mode?
Reply
After the designated evaluation period has expired, you may extend your evaluation period, or activate the unit and use it in the activated mode. To change the evaluation mode from the Administrator console by logging in to the Reporter port 808, 88 for reports:
• In the ER Status pop-up box (see Fig. A-1), click Change Evaluation Mode

(Fig. A-1)
This article was previously published as:
8e6 KB 276467

Resetting security permissons

Charles Creegan — Wed, 17 Feb 2010 09:05:00 GMT
Abstract:
This article applies to:
WebMarshal 6.X
Question:
Locked out of WebMarshal Console
Deleted all users and groups from WebMarshal Security Tool
Procedure:
If you have mistakenly removed all groups and users from WebMarshal Security using the Security Tool, you will not be able to use any WebMarshal user interfaces including the Security Tool.
You can reset security to the default level by editing a file on the server.
The default setting is for administrators of the Array Manager server to have access.
To reset security:
Log on to the Array Manager server (or standalone WebMarshal server) using an account with administrator permission.
Locate the following file within the WebMarshal installation:
...\Array Manager\Policy\ArrayPolicy.Working.xml
Make a backup copy of the file.
Edit the file with a text or XML editor
Note: take care when editing the file. For help with editing XML documents, see M86 Knowledge Base article Q12705.
Locate an attribute that begins:
security="O:BAG:BAD:..."
Remove the entire security attribute.
Save the XML file, and then restart the WebMarshal Array Manager service.

My http requests are being categorized/filtered, but I don't get the "Access Denied" block page.

Imran Chaudhry — Tue, 16 Feb 2010 08:32:00 GMT
Abstract:
This article applies to:
R3000
Question:
My http requests are being categorized/filtered, but I don't get the "Access Denied" block page.
Reply
Go through the following checklist. If you need assistance with any of these items, please reference our FAQs or contact our technical support staff for additional help:
If you are using a custom block page, ensure that your web server is up and running. Are you able to browse directly to your web server from your workstation?
Check your firewall to verify that the R3000 can send the “URL redirect” to users on TCP port 81, and that users can connect to the R3000 on port 80 to download the block page.
Verify that your workstation can communicate with the R3000 to download the block page by typing this in your web browser: http://X.X.X.X:81/cgi/block.cgi (note: replace the “X’s” with the IP address of your R3000’s block page interface. Failure to download the block page from the R3000 might indicate a routing or firewall issue between the R3000 and the users.
If you are using an http proxy server, be sure that the URL redirect and block page is not going through the proxy server. To accomplish this, set up an exception in your web browser’s proxy settings. For example, if you’re using Internet Explorer, go to Internet Options -> Connections -> LAN Settings -> Advanced -> Exceptions. In the “Exceptions” list, enter the IP address of your R3000’s block page interface, and the R3000’s hostname. If you are using a custom block page, you should enter the IP address and hostname of your web server, in addition to the IP address and hostname of the R3000. You will have to make this simple modification on every workstation that’s being filtered. Normally, you can push this out as a Policy from your Active Directory

Configuring Windows Firewall on MailMarshal Servers

Charles Creegan — Thu, 11 Feb 2010 14:05:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP
MailMarshal Exchange
MailMarshal SES
Windows Firewall
Question:
What settings are required to allow MailMarshal to work with Windows Firewall?
Information:
When you install MailMarshal server components on a computer with Windows Firewall enabled, you must add exceptions to the Windows firewall configuration to allow MailMarshal to function correctly. These exceptions allow inbound connections to the MailMarshal components.
The required exceptions depend on the MailMarshal version and the server role.
Notes:
MailMarshal SMTP 6.5 and above automatically adds most required exceptions for the MailMarshal services.
In the details below, all executables mentioned are found in the MailMarshal installation folder.
The TCP ports listed are the default values. It is possible to change the ports MailMarshal uses.
M86 Security does not recommend opening TCP ports 137,138,139 for a computer open to the Internet. If you require remote Configurator access to a computer in this situation, you could use Remote Desktop.
For additional details of port usage, see M86 Security Knowledge Base article Q10905.
MailMarshal SMTP
Version 6.x:
MailMarshal SMTP 6.5 and above automatically adds required exceptions for the MailMarshal services that are actually installed on a server (but not the File and Printer Sharing service). If you do not need remote access to the Configurator, no further action is required. Un-installing MailMarshal removes the ex

How do I add custom file type definitions to MailMarshal SMTP?

Charles Creegan — Thu, 11 Feb 2010 07:31:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP 5.5
MailMarshal SMTP 6.X
MailMarshal SMTP 2006
Question:
How do I add custom file type definitions to MailMarshal?
How do I configure MailMarshal to correctly recognize my file types?
How do I prevent my "Block Unknown Attachments" rule from triggering on legitimate attachments?
Why is MailMarshal blocking legitimate file types?
How do I stop MailMarshal from blocking legitimate file types?

See also Q12988, How do I remove or disable custom filetypes?
Causes:
MailMarshal recognizes many, but not all, executable, image, document, movie, sound, archive, encrypted, and other file types. If MailMarshal does not recognize an attachment as a legitimate file type during mail processing, it tags the unrecognized file as Binary Unknown (BIN). By default, MailMarshal blocks the file with the Block Unknown Attachments rule. The workaround is to add a custom file type definition locally. Once MailMarshal recognizes the file as a custom file type, and not as BIN, the attachment will no longer trigger the Block Unknown Attachments rule.
This article explains how MailMarshal administrators can create custom file type definitions, enabling MailMarshal to recognize and pass files you do not want it to block.
Warning: Custom types override MailMarshal's built-in types. MailMarshal assigns only one file type to each file. If a file is recognized as a custom type, it may not be unpacked or scanned for malware as expected. This behavior can result in security breaches. Test any custom file types carefully.
Procedure:
Note: This solution is intended for advanced users. Most sites will not nee

WebMarshal console takes a long time to respond

Charles Creegan — Wed, 10 Feb 2010 14:12:00 GMT
Abstract:
This article applies to:
WebMarshal 3.7
WebMarshal 6.X
Symptoms:
The WebMarshal console takes a long time to respond when you commit the configuration
Configuration backups fail
Error message: Failed to create backup: Exception of type 'System.OutOfMemoryException' was thrown.
Causes:
One or more URL categories with over 5000 entries
A common reason for very large URL categories is URL harvesting with the "Add URL to category" rule action.
Resolution:
In WebMarshal 3.7 and above, you can use FileFilter (text based URL filtering lists) to maintain large URL categories outside the WebMarshal user interface. FileFilter categories are reloaded on a daily schedule.
Follow the steps below to convert a URL category to a FileFilter category:
Log on to the WebMarshal Array Manager computer.
Open the WebMarshal Console, and navigate to the URL category you want to convert.
Click Export to File at the top of the category window.
Save the file as a plain text (.txt) file in the Array Manager FileFilter folder. By default this folder is located at: C:\Program Files\Marshal\WebMarshal\ArrayManager\Policy\FilteringLists\FileFilter
Using Notepad or another text editor, open the file you have just saved. At the top of the file, add text within brackets. The text must include an integer and a name for the category, as seen in the example image below.

To make the file easy to find, the file name and category name should match.
Each FileFilter category mus

Microsoft Windows Update causes database connection problem for SPE Web Console

SPE Team — Tue, 09 Feb 2010 13:51:00 GMT
Abstract:
This article applies to:
MailMarshal SPE 2.1.0+
Internet Explorer 7
Internet Explorer 8
Microsoft Windows Update KB937143
Microsoft Windows Update KB939653
Symptoms
Applied Windows Update KB937143 or KB939653 on MailMarshal SPE Web Console server.
Upgraded server to Internet Explorer 7
Upgraded server to Internet Explorer 8
MailMarshal SPE Web Console v2.1.0 - v2.2.0 displays error: System Error: Database could not be contacted - Login failed for user 'sa'.
MailMarshal SPE Web Console v2.3.0 and above displays error: System Error: Database Version not supported - Expected minimum 9 but got -1.
The Web Console cannot be used. Other MailMarshal SPE and MailMarshal SMTP components continue to function.

Causes
Windows Update KB937143 (MS07-045: Cumulative Security Update for Internet Explorer) causes unexpected changes in some Windows system functionality that is used by the MailMarshal SPE Web Console website.
It appears that the account used as the identity by the SPE Application Pool has insufficient/incorrect privileges to complete a request. By default the SPE App Pool uses an identity of "Network Service".
This update only affects servers with IE7 or IE8 installed. Servers that have IE6 installed are not affected.
Resolution:
Microsoft has issued a hotfix that resolves this issue. For more information, please see the following Microsoft Knowledge Base article:
http://support.microsoft.com/kb/945701
Workaround:
If you are unable to apply the Microsoft hotfix, choose one of the following three possible workarounds:
Safest workaround:
Correct Security Permissions in the R

How do I set up automatic message release in MailMarshal?

Charles Creegan — Tue, 09 Feb 2010 09:39:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP
MailMarshal Exchange 5.X
Question:
How do I set up automatic message release in MailMarshal?
Procedure:
The automatic message release feature allows users to release messages from the MailMarshal quarantine folders without requiring access to the MailMarshal Console. Automatic message release works using a MailMarshal external command. The command is used in a MailMarshal rule and it is triggered by an email reply containing a special release string. With this feature, users can simply reply to an e-mail notification and their quarantined messages will be released to them.
All MailMarshal SMTP versions since 5.x include the message release executable MMReleaseMessage.exe
New installations also create an external command definition that allows MailMarshal to use the executable, and an email template for the notification.
Note: With MailMarshal SMTP 6.x/2006 Arrays (and single server installations with newer Windows versions), you must add user name and password parameters in the external command definition in most cases. See the Authentication Issues section below.
This article provides basic information about how to set up and configure the external command. For more details search for 'message release' and 'external command' in the User Guide for your version. User guides are available on the MailMarshal SMTP documentation page or MailMarshal Exchange documentat

Retrieving all email addresses from LDAP

Charles Creegan — Mon, 08 Feb 2010 10:40:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP 6.4 and above
Question:
How can I get a full list of every email address in a LDAP directory?
Scraping the LDAP directory
Need to list all email addresses in the company for DHA
Want to use the "scrape" method from MailMarshal 6.1
Procedure:
The following tips can be useful if you want to get a list of all email addresses in a LDAP directory.
You can set up the LDAP connection to "scrape" all addresses in any group you retrieve from the directory.
In the LDAP Connection properties window > LDAP server tab, click Advanced.
On the User Attributes tab of the Advanced LDAP properties window, in the User Class Names field enter top
You can create a user group that includes all items in a container.
In the New User Group wizard, choose to import groups from a LDAP connection.
Click Browse and select any group.
On the Import LDAP User Groups page, replace the group name. Type the name of a container, preceded by *.
For instance, to retrieve all email addresses from the example.com domain, enter *,DC=Example,DC=Com
When you set up the connector and group as above, every email address in every attribute of each item in the group is retrieved.
Notes:
MailMarshal SMTP versions 6.1 through 6.3 do not require or recognize the class name "top". These versions do not allow filtering by class name.
If you want to maintain the version 6.1 behavior in MailMarshal SMTP 6.4, you can use the User Class Name "top", as above.
If you find that this setting does not work as expected, you can revert to the versi

SQM login "Remember Me" not working

SPE Team — Mon, 08 Feb 2010 10:10:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP 6.4 and above
MailMarshal SPE 2.3 and above
Spam Quarantine Management website
Forms authentication
Symptoms:
Remember Me is selected on the site login page
User credentials are only remembered for a short time. Users are asked to enter credentials after about 20 minutes.
Causes:
The Remember Me function uses ASP.NET authentication cookies. By default the cookies time out after 20 or 30 minutes, depending on the version of ASP.NET originally installed.
Resolution:
To resolve this issue, change the ASP.NET configuration settings for the SQM virtual directory.
Note: If you have more than one SQM web server, you must perform these steps on each web server.
On the SQM web server, open IIS Manager.
Navigate to the properties of the SQM virtual directory (by default, this is Default Web Site/SpamConsole)
Select the ASP.NET tab and click Edit Configuration.
On the Authentication tab, in the Authentication settings | Forms authentication section, select Enable sliding expiration. Set the Cookie timeout to a longer value.
To retain login memory for 30 days, enter 30.00:00:00.
Click OK and exit IIS manager.
Notes:
This problem does not affect Windows authentication.

Not able to install the patch, status window times out

Imran Chaudhry — Fri, 05 Feb 2010 08:29:00 GMT
Abstract:
This article applies to:
Enterprise Reporter
R3000
Question:
Not able to install the patch, status window times out
Reply
No error is shown and the status window simply times out. Check if you have a pop-up blocker enabled. Once you click Apply, you must accept the EULA agreement in order for the patch installation will start. The EULA loads on port 8082. If you have a pop-up blocker enabled, it may block the EULA so the installation process will not take place, until you disable the pop-up blocker or add the unit IP address as a trusted site. If it does not resolve the issue, please contact Technical Support for further troubleshooting.

This article was previously published as:
8e6 KB 300815

Troubleshooting a patch download issue.

Imran Chaudhry — Thu, 04 Feb 2010 04:46:00 GMT
Abstract:
This article applies to:
Enterprise Reporter
Mobile Client
R3000
Question:
Troubleshooting a patch download issue.
Reply
The R3000 checks for new patches at the top of every hour, this process is called Traveler. Traveler will run to make sure it has downloaded the latest patches. Even if it has already downloaded all available patches, the process will still run at the top of every hour.

If Traveler is sending alerts that it has failed to download the last few attempts, then please check the following:

1. Make sure the hostname of the R3000 matches the hostname you activated the account with, as this must be exact. If you are not sure what hostname was used to activate the unit, you can call M86Security Technical Support +1-713-682-1400 to find out. Please have your serial number ready in order for Support to look up the correct unit.

2. Make sure patch.8e6.net resolves using the DNS server that R3000 is configured with. Currently, patch.8e6.net should resolve to 174.129.7.218.

3. Make sure HTTPS transfers are allowed on the firewall, this takes place on port 443.

This article was previously published as:
8e6 KB 300222

Traverler/ Patch errors or failing

Imran Chaudhry — Thu, 04 Feb 2010 04:39:00 GMT
Abstract:
This article applies to:
R3000
Question:
Traverler/ Patch errors or failing
Reply
If you are getting email alerts or seen the library update log with errors please see checklist below.
Note: the filter will continue to connect to our update or patch servers to grab libraries or new patch availability.

Checklist for failed traveler or patch errors:
1. Customers filter was never registered (http://www.8e6.com/activate).
2. Customer has old version with FTP setting (only https is available now)
3. Customers contract expired.
4. Customers DNS servers cannot resolve secureupdate.8e6.com to an IP address
5. Customer kept old hostname from evaluation and never registered new hostname or rebooted after changing.
6. Filters hostname has been changed and does not match original registration name.
7. port 443 out bound is closed.
8. firewall has rules(if used) are missing update servers ip's 174.129.7.218 (domain name is secureupdate.8e6.com)
see article 290102 for complete list here http://www.M86security.com/
If all is good above then please call +1-713-682-1400, so we can log in and look at the back end.

This article was previously published as:
8e6 KB 297460

Current 8e6 Technologies IP Address Change

Imran Chaudhry — Thu, 04 Feb 2010 04:35:00 GMT
Abstract:
This article applies to:
Enterprise Reporter
R3000
Threat Analysis Reporter
Question:
Current 8e6 Technologies IP Address Change
Reply
In order to provide improved access and reliability, 8e6 is upgrading its Internet connection to a multi-homed configuration. Unfortunately, this change requires the renumbering of some customer-facing systems. Consequently, some changes may be required on your networks to ensure continued connectivity to 8e6 for the purposes of downloading library updates, software patches, and technical support remote access. This is a one time only change since the new IP addresses are “owned” by 8e6 and, as such, portable with respect to future Internet Service Provider changes.
Bottom line, it is extremely important that your firewall administrator is alerted to the following items, in order to ensure continue connectivity to 8e6 update servers.
FTP Update Server EOL
Concurrent with this change comes the End-of-Life for the legacy FTP update servers. As of July 31st 2008, updates will only be available using the HTTPS update servers. The 2.1 software release of the R3000 (scheduled for mid-July) will remove the ability to download library and software updates via FTP, and switch the transport method of all library and software updates to HTTPS.
It is recommended that you immediately ensure that your R3000 is set to use HTTPS for library and software updates. This can be done via the R3000 GUI, and is available under Library>Updates>Configuration. If your R3000 is set to use FTP, change the method to HTTPS. Once the configuration change is made you can perform a manual update to ensure that connectivity can be established.
Library, Software Patch and CFM Updates
If your network firewall rules for outbound connectivity utilize statically assigned IP addresses for access to 8e6’s patch, up

Error: 'Unable to connect to server' occurs when trying to open the MailMarshal Configurator on a remote workstation.

Charles Creegan — Wed, 03 Feb 2010 13:05:00 GMT
Abstract:
This article applies to:
MailMarshal SMTP 5.X
MailMarshal SMTP 6.X
Symptoms:
Error occurs when trying to open the MailMarshal Configurator on a remote workstation.
Error: 'Unable to connect to server'
Error: The computer 'ExampleServerName' was not found on the network.
MailMarshal Console can be opened on a remote workstation without error.
Causes:
Remote Registry service is not enabled.
Information:
To use the MailMarshal Configurator remotely, the Remote Registry service must be running on the MailMarshal server or Array Manager. Set the service to start automatically. This service is not necessary to use the MailMarshal Console remotely.
Notes:
The Remote Registry service has always been a requirement for remote Configurator connections.
This issue has recently become more common because Windows Vista SP1 and Windows 7 disable the Remote Registry service by default.
It is best practice to install server applications such as MailMarshal on a Windows Server operating system. All Windows Server operating systems enable the Remote Registry service by default.
This article was previously published as:
NETIQKB40128

What causes a blank page through Vital Security NG Proxy? - Internal

Peleg Samson — Wed, 03 Feb 2010 00:13:00 GMT
Abstract:
Description
When using Internet Explorer and working through the Vital Security NG appliance the website is displayed as a blank page.
The browser appears to be transferring data, but the final result is an empty page.

Symptoms
Browse to the following URLs to reproduce this behaviour:
www.jobsearch.lu
www.tui.de

Cause
This behaviour can be analyzed with the network traffic capture.
It will show HTTP 205 Reset Content message sent back from the server.

RFC 2068 Clause 10.2.6 - 205 Reset Content
"The server has fulfilled the request and the user agent SHOULD
reset the document view which caused the request to be sent.
This response is primarily intended to allow input for actions to take
place via user input, followed by a clearing of the form in which the
input is given so that the user can easily initiate another input action.
The response MUST NOT include an entity."
However, IE accepts a HTTP 205 Reset Content response with a body and displays a page.
The Vital Security NG proxy does not forward the corresponding body, and the page is not displayed.
IE behaves abnormaly, when it answers the request with a HTTP 205 Reset Content status.
Mozila Firefox is answered with a standard 200 OK response.

Solution
Use Mozilla browser to override this behaviour or contact your web-server administrator to upda

How do I specify advanced options / filters of packet trace? - Internal

Peleg Samson — Wed, 03 Feb 2010 00:11:00 GMT
Abstract:
Question
In some cases it is useful or even necessary to take a packet capture trace on a Vital Security NG appliance.
The appropriate tool in the setup console (found in Advanced settings -> Network settings -> Network diagnostics -> Tcpdump) just gives you the option of tracing all traffic or specifying a given tcp port.
This often generates complex capture files. When using standard user login, the options for the packet capture are limited.

How can I specify filters / advanced options of packet network capture?

Answer
Login to the Webmin console (https://NG_IP:3012) with user: support password: fin000jan.
Navigate to Others -> Custom Commands -> Network traffic capture.
This field allows for "tcpdump parameters", so that more options than just the tcp port can be set or specified.
For more informations on available options please use "man tcpdump" on a linux system that you have access to.
An example that might be useful for a quick start (use it without quotes) is: "host 192.168.5.131" . This just captures the traffic from and to host 192.168.5.131.
This option might be useful to reproduce and trace a problem from a given client or to a given web server.
Note: not all tcpdump options are available. If an option is not supported, an appropriate error message will be displayed.

Software Version
8.3.X
8.4.X
8.5.0

This article was previously published as:
Finjan KB 1250

Why a Security Policy Might Appear to Be Ineffective - Caching and Multiple Hosts - Internal

Peleg Samson — Wed, 03 Feb 2010 00:10:00 GMT
Abstract:
Description
In some cases, the security policy on a Finjan system might appear to be ineffective. This can be noticed after a recent policy change or after first deploying a Finjan solution.

Symptoms
Common symptoms include:
Content that should be blocked is downloadable by a browser.
Images or text content might be missing from an allowed page.
A script error might be indicated in the lower left corner of the browser on an allowed page.
Some menus on an allowed page might not function.

Cause
There are two common causes for this behavior:
Caching
Content received from multiple web hosts

Solution
Caching - Caching is often the reason why a security policy change might appear to be ineffective.
For example, if the default policy blocks an applet, the substitute applet might be cached.
If the administrator changes the policy to allow the applet, the user might continue to receive the cached substitute applet. Therefore, it appears as though the security policy change did not work.
Using logs, it is possible to determine if cached content is provided to the user.
If an object is served from a cache, there will be no record of the request in the logs.
In order to see all transactions, it may be necessary to temporarily change the logging settings.
Please note that increased logging can reduce performance, so it is important to change the logging settings back to their previous values when troubleshooting is complete.
The systems administrator should be aware of all caches that might prevent requests from reaching the scanner.
The administrator should also know how to ma

Dashboard Does Not Show Any Data - Internal

Peleg Samson — Wed, 03 Feb 2010 00:01:00 GMT
Abstract:
Description
Dashboard in version 9.0 does not show data or devices

Symptoms
Dashboard in version 9.0 does not show data or devices

Cause
In version 9.0 the SNMP community needs to be "finjan" in order make the dashboard able to retrieve data.

Solution
Navigate to Administration > Alerts > SNMP
Under the tab "SNMP version" make sure that the SNMP community is "finjan".

This limitation is resolved in versions higher than 9.0.

Software Version
9.0

This article applies to:
NG 1000
NG 5000
NG 6000
NG 8000
This article was previously published as:
Finjan KB 1846

How to change the admin password of BCMM from its CLI (SSH) - Internal

Peleg Samson — Wed, 03 Feb 2010 00:01:00 GMT
Abstract:
Question
How to change the admin password from BCMM in SSH?

Answer
The BCMM command line works in several domains, since it’s a centric point of access to a lot of system components (i.e. Blades, Management modules, Switches, etc..)
The first step is declaring in what domain you are going to work:
> env –T system:mm[1]
This will set you working in the Management module domain.
Then list the current users:
> users –curr
Usually you’ll see the “USERID” listed as no. 1 – remember this no.!
Now running the users command with the change password switches:
> users -1 –op -p

NOTE: Notice the -1 switch, this is the user no. you saw on the “users –curr” command output.
You can find more information in IBM's docuemntation.

That's it, youre done - the password has changed.

Software Version
Any NG-8000 Installation

This article applies to:
NG 8000
This article was previously published as:
Finjan KB 1800

Finjan Vital Security Hardware Support Matrix

Peleg Samson — Tue, 02 Feb 2010 22:58:00 GMT
Abstract:
This article applies to:
NG 1000
NG 5000
NG 6000
NG 8000
This article was previously published as:
Finjan KB 1850

What are the differences between the authentication tiers?

Alfred Alva — Fri, 29 Jan 2010 06:01:00 GMT
Abstract:
This article applies to:
R3000
Question:
What are the differences between the authentication tiers?
Reply:
Tier 1 (Web-based authentication disabled) - The only available methods of authentication are either via Net Use login scripts or commands, or by using the 8e6 Authenticator application (authenticat.exe).
Tier 2 (Time-based profiles) - With this option, a user can still authenticate in the same style as Tier 1, but another option becomes available as well. One can set the default global group or IP group profile to be restrictive, and set the redirect page to be an authentication request form instead of a block page. In this way, a user would browse to a site, and be asked to authenticate by entering in their domain username and password. The proper authentication profile would then be applied for X minutes, as configured on the Enable/Disable Authentication screen. Note that one can set a logoff script to kill this profile before X minutes expires.
Tier 3 (Java applet) - This option is nearly the same as Tier 2, but instead of the profile being assigned for a set amount of time, a small window with a Java applet will popup on the user's machine.
The box will manage a heartbeat connection with the R3000, and the profile will remain active as long as this heartbeat does. The profile will only terminate after some number of heartbeats are missed, or a kill command is issued by closing the applet window.
This article was previously published as:
8e6 KB 276505

How can I redirect the user to the Web Based Authentication Request Form instead of Default blocked page?

Alfred Alva — Thu, 28 Jan 2010 06:47:00 GMT
Abstract:
This article applies to:
R3000
Question:
How can I redirect the user to the Web Based Authentication Request Form instead of Default blocked page?
Reply
There are two methods to have users get redirected to a Web Authentication Request Form instead of the default block page.
The first is to set their Profile>Profile options>Redirect URL>Custom url to be the Authentication Request Form. However, in order for this to work, you will need to have a forward and reverse DNS entry for your filter on your local DNS server. Then Block all for that category.
If this is not possible, you can simply set the redirect URL to be a custom URL of the following format:
https://x.x.x.x:8081/AuthenticationServer/AuthenticationForm.jsp
where x.x.x.x is your filter's management IP address.

This article was previously published as:
8e6 KB 289253

Domains:	DOMAIN1
	Single Domain
WebMarshal Domain:	DOMAIN1
Users:	DOMAIN1\User1
Result:	DOMAIN1\User1 can authenticate with WebMarshal.