Professional Documents
Culture Documents
Release 8.X
Proofpoint, Inc.
892 Ross Drive
Sunnyvale, CA 94089
www.proofpoint.com
Website:www.proofpoint.com
Toll-free telephone: 1-877-64POINT
Technical support: https://support.proofpoint.com
The Proofpoint Protection Server is proprietary software licensed to you for your internal use by Proofpoint Inc. This software is © Copyright 2002 -
2020 Proofpoint Inc. The copying, modification or distribution of the Proofpoint Protection Server is subject to the terms of the Proofpoint Software
License, and any attempt to use this software except under the terms of that license is expressly prohibited by U.S. copyright law, the equivalent laws
of other countries, and by international treaty.
McAfee is a registered trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. Virus Scanning capabilities may be provided by
McAfee, Inc.
Copyright © 2020 McAfee, Inc. All Rights Reserved.
VMware, the VMware “boxes” logo, GSX Server, ESX Server, Virtual SMP, VMotion and VMware ACE are trademarks (the “Marks”) of VMware, Inc.
Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the
University of Cambridge, England.
Source is available at ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/.
Portions of this software are Copyright © 1996-2002 The FreeType Project (www.freetype.org). All rights reserved.
Additional graphical © support is provided by libgd:
Portions copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188
by the National Institutes of Health.
Portions copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc.
Portions relating to GD2 format copyright © 1999, 2000, 2001, 2002 Philip Warner.
Portions relating to PNG copyright © 1999, 2000, 2001, 2002 Greg Roelofs.
Portions relating to gdttf.c copyright © 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org).
Portions relating to gdft.c copyright © 2001, 2002 John Ellson
Portions relating to JPEG and to color quantization copyright © 2000, 2001, 2002,
Doug Becker and copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more
information.
Portions relating to WBMP copyright © 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this
notice is present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. “Derived works” includes all programs that utilize the library. Credit must be given in user-accessible
documentation.
This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not limited to implied
warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.
Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation
for their prior contributions.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)
zlib.h – interface of the “zlib” general purpose compression library version 1.2.2, October 3rd, 2004
Copyright © 1995-2004 Jean-loup Gailly and Mark Adler
This software is provided “as-is”, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the
use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely,
subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a
product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu
Unifont copyright Paul Hardy of Unifoundry.com (unifoundry@unifoundry.com) released under the terms of the GNU General Public License (GNU
GPL) version 2.0.
Tomcat, Log4j, Apache CXF – Apache Copyright © 1999-2020 Apache Software Foundation
Java JRE, JDK, JavaMail, Sun JavaServerFaces – Copyright © 1997, 2011-2020, Oracle and/or its affiliates. All rights reserved.
JBoss RichFaces – Copyright Red Hat ®. Red Hat is a registered trademark of Red Hat, Inc.
Proofpoint gratefully acknowledges contributions of the open source community to the Proofpoint Protection Server. References to open source
software used with the Proofpoint Protection Server is collected into a single repository which can be found in the installed Proofpoint Protection
Server package in src/opensource/OPENSOURCE. That repository, consisting of the contributions from open source projects – but not including
the proprietary Proofpoint Protection Server software referred to above – is a collective work that is © Copyright 2002 - 2020 Proofpoint Inc. You will
find in this repository copies of the source code, or references of where to find, every open source program not referenced in this copyright notice,
that was used in the Proofpoint Protection Server.
This product includes software developed by The Apache Software Foundation (http://www.apache.org). Licensed under the Apache License,
Version 2.0 (the "License"); you may not use this file except in compliance with the License.You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is
distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
Microsoft, MSN, Windows, and Microsoft Office are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
This Installation Guide describes how to set up and configure the Proofpoint Messaging Security Gateway
Virtual Edition (virtual appliance). It is intended for personnel responsible for installing and implementing
enterprise-wide messaging applications. Refer to Proofpoint Help for instructions on configuring and
managing the virtual appliance and the Proofpoint Protection Server software.
Conventions
This book uses the following typographic conventions:
• New terms and book titles appear in italic type.
• Text that you type is shown in bold courier font.
• Names of buttons, links, and interface elements appear in this font.
• Text that appears on the screen is shown in courier font.
• Names of keys on the keyboard appear with initial capitalization, such as the Enter key.
• Simultaneous keystrokes are joined with a hyphen. For example, “Press Alt-a.”
• Consecutive keystrokes are joined with a plus sign (+). For example, Esc+m.
Documentation Feedback
Please send your comments and feedback about this manual via email to docfeedback@proofpoint.com.
Proofpoint strives to produce high-quality and technically accurate documentation. Include the name of the
document and the revision date with your email. Your feedback is greatly appreciated and will help us
maintain our high standards for our product documentation.
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 1 – Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
A common problem facing most email administrators and end users today is the growing proliferation of
spam and viruses. The flood of such unwanted email sent by spammers and hackers has large cost
implications for corporate Organizations. The unwanted traffic results in lowered productivity and
consumes valuable IT resources. This impact is worse on businesses that maintain in-house email servers
and have limited administrative resources.
The Proofpoint Messaging Security Gateway Virtual Edition (virtual appliance) offers all of the same anti-
spam, anti-virus, encryption, data privacy, and intellectual property leak prevention features found in
Proofpoint’s physical appliances in an easy-to-deploy VMware ESX guest. The benefits from virtualization
include cost savings, rapid deployment and provisioning, and simplified change management.
This Installation Guide is for administrators who want to license and deploy the virtual appliance in a
production environment, or for administrators who are already familiar with the benefits of virtualization,
who are already using VMware products, and are adding one or more virtual appliances to a VMware host.
Product Overview
The table in this section presents the differences between the virtual appliance and appliance. The
supported platforms, system requirements, and features differ between the versions.
See “System Requirements for the Virtual Appliance” on page 14 for more detailed information.
Installation Overview
You need to contact Proofpoint in order to obtain the full version of the virtual appliance. After obtaining
your login and password from Proofpoint, you need to download and install the full version of the virtual
appliance software.
In summary, you will follow this procedure to install the virtual appliance software:
• Log in to the Proofpoint support site to download the virtual appliance software.
• Install the software on the host server.
• Start the virtual appliance and configure the network settings.
In this Installation Guide, the VMware server is referred to as the host, and the virtual appliance software is
referred to as the guest.
12
Chapter 2 System Requirements and Downloads
Deployment Scenarios
The virtual appliance can be deployed as a stand-alone solution, or it can be deployed in a cluster, where
several virtual appliances work together to distribute the processing load or provide dedicated services. For
example, when deployed in a cluster, one virtual appliance can be designated as the Config Master, and
the other virtual appliances are designated as agents. The Config Master provides centralized
administration, maintains the Quarantine, the User Repository, the log database, and generates Digests for
the user community. The agents can be dedicated to filtering and relaying email for the Organization.
There are many advantages to deploying a cluster of virtual appliances: load balancing, redundancy, and
scaling, to name a few. If your Organization includes locations that are geographically dispersed it is
advantageous to deploy virtual appliances as agents at each location. Agents automatically synchronize
with the master appliance so that all virtual appliances in a cluster have the same configuration settings
and filtering rules. Each agent in a cluster maintains its own Quarantine and log files, which are also sent to
the master virtual appliance on a frequent, periodic basis. You can deploy a cluster that includes both
virtual appliances and hardware appliances – they can be mixed in the same cluster, as long as they are all
the same version.
Administrators must consider several factors to determine how many virtual appliances they need to
deploy. Your Proofpoint Sales Engineer will assist you with hardware, memory, and disk space
requirements for a successful deployment that will meet your Organization’s needs. The following list
describes some of the many factors to consider:
• Number of email messages processed during peak hours.
• Number of users for which a Digest is generated and distributed.
• Spam policies – messages that score 80 and above for spam (definite spam) can be either discarded
or quarantined.
• Message size – email messages that include large attachments require more processing time.
• Failover and redundancy.
• Geographic distribution.
• ESXi 6.0, ESXi 6.0 Update 1, ESXi 6.0 Update 2, ESXi 6.5, ESXi 6.5 Update 2, ESXi 6.7, ESXi 6.7
Update 1
Note: Proofpoint Protection Server release 8.X is supported on VMware ESXi 6.X provided that
the installation follows all other system requirements and guidelines in this guide. Any
deviation from these documented guidelines (such as using a newer Virtual Machine
version, or manually upgrading VMware Tools) may result in system instability and are not
supported. Please ensure that all ESXi 6.X virtual machine guest network adapters are set
to E1000, as other adapter types may result in degraded performance.
You can change the default CPU and RAM settings for the OVF image when you install the virtual
appliance software, but not the disk size. For this reason, Proofpoint provides different versions for the OVF
file – one for a 250 GB disk and one for an 80 GB disk size. Your Proofpoint Sales Engineer will
recommend the correct disk size for the Config Master and for each agent. For the ISO image, you can
change all of the default settings when you install the virtual appliance software.
Note: The 80 GB and 250 GB images are set by default to allocate 8 GB of RAM to the virtual
appliance. If you want to increase the RAM to 12 GB, for example, leave the Power on
after deployment check box clear (not selected) at the Ready to Complete OVF
installation step. You can then edit the settings for the virtual appliance after the OVF
image is installed. Otherwise, you will need to perform a clean shutdown of the virtual
appliance before changing the RAM. You cannot edit the settings while the virtual
appliance is up and running.
This section contains examples that demonstrate how system requirements can vary based upon email
traffic.
Example 1
If your deployment:
contains 2,000 users, and they use the End User Web Application,
and 23,000 messages are processed per hour at peak times,
14
System Requirements for the Virtual Appliance
Example 2
If your deployment:
contains 10,000 users, and they use the End User Web Application,
and 102,000 messages are processed per hour at peak times,
and the average message size is 100 KB,
and if each virtual appliance is installed on a physical server with CPU model Intel Xeon E5-2690
V2,
Important: If the host server has ample memory and disk space, Proofpoint recommends that you
increase the allocated RAM and disk space for the virtual appliance to improve
performance and allow for a larger Quarantine.
The Proofpoint virtual appliance is extremely CPU and I/O intensive and has unique performance
requirements compared to other common virtual servers such as DNS servers, databases, or mail servers.
Even when idle (not filtering email messages), the Proofpoint virtual appliance memory usage will remain
high and CPU usage can spike above 90% at times. This is normal behavior.
This section includes recommendations to ensure maximum performance in your virtual environment.
Mandatory:
• The CPUs should be dedicated to the virtual appliance with no over-provisioning.
Best practices:
• The virtual appliance should be installed on a dedicated physical host with no other applications
running on the host.
• For optimal redundancy, split the agents across at least two or three host servers.
• Host systems should be geographically located in different data centers for best redundancy.
• If your deployment includes a Quarantine Node or Smart Search Node, these should be installed on
different physical hosts.
For more information about performance recommendations, refer to the VMware web site for vSphere Best
Practices documentation.
CPU
All processors must support hardware-assisted virtualization instruction sets. Newer instruction sets are
highly recommended (Intel VT-d and EPT, AMD AMD-Vi and RVI) although first-generation instruction sets
are acceptable (Intel VT-x and AMD AMD-V).
BIOS
Ensure the following parameters are enabled if the processors support them:
• Turbo Mode
• Hyper-Threading
• Hardware -assisted virtualization features such as VT-x, AMD-V, EPT, and RVI
Storage
Using “Thin Disk Provisioning” is not recommended when running the virtual appliance in a production
environment.
When possible, Proofpoint recommends using local storage for the most consistent I/O performance.
Storage provisioned (local or SAN) for use with VMware is often configured with RAID 5 by default. A RAID
5 configuration is not suitable for the high I/O rates needed by the Proofpoint virtual appliance. Proofpoint
recommends a RAID 1+0 (or similar) configuration.
When using Electronic Flash Drives (EFDs) in your storage environment, read and write caching should be
disabled for best performance.
16
Network Information for the Proofpoint Virtual Appliance as a Guest
You will also need your Proofpoint Activation ID, which is included with your Welcome letter.
The OVF or ISO image contains the appliance software and operating system. You will be prompted to
save the images in a directory on your hard drive.
OVF Images
You have the option of installing an OVF image that allocates either 250 GB or 80 GB of disk space for the
Config Master. Proofpoint recommends that you install the 250 GB OVF for the Config Master, and install
the 80 GB OVF for the agents for best performance.
https://support.proofpoint.com/download/pps-8.9.24.25-8.9.24.25-55-250GB-ovf.zip
80 GB disk allocation
https://support.proofpoint.com/download/pps-8.9.24.25-8.9.24-55-80GB-ovf.zip
ISO Image
https://support.proofpoint.com/download/8.9.24_ISO/8.9.24.25-8.0.3.55-combined-Proofpoint.iso
Copy the ISO image to a vSphere Datastore location which can be accessed from the vSphere host.
Store the images on the datastore to make them available for installation. Create a directory and download
the ISO image:
1. Click the Configuration tab for the system.
2. Click Storage in the Hardware pane.
3. Double-click the storage partition.
4. Create a folder for the ISO image.
5. Go to the ISO directory you created and upload the ISO image there.
18
Chapter 3 VMware ESX Server Installation
This chapter describes the procedure for installing the OVF image or the ISO image for the virtual
appliance on ESX servers.
OVF Image
It will take several minutes for the installation to complete. See “Starting the Virtual Appliance” on page 23
to start the virtual appliance and configure the network settings.
If you want to increase the RAM for the virtual appliance, follow the steps in this section. The example in
this section increases the RAM to 12 GB.
Important: If you already completed the OVF installation and have powered on the virtual
appliance, you must complete a clean shutdown procedure before changing any
settings. If you installed the OVF image and did not power on the system, you can
proceed to edit the settings.
1. In the vSphere Client window, right-click the name of the virtual appliance and select Edit Settings
from the menu.
2. In the Virtual Machine Properties window, on the Hardware tab, select Memory and enter 12 into the
Memory Size text box. Select GB from the Memory Size menu (it is set to MB by default).
ISO Image
20
8. Click Power On.
9. Click the Console tab to watch the installation progress. You will be prompted to install the software (it
does not automatically install). This process typically takes 5-10 minutes.
10. The system will reboot when you see the “dismounting cdrom” message.
After the reboot completes, go to “Starting the Virtual Appliance” on page 23 to start the virtual appliance
and configure the network settings.
After downloading and installing the virtual appliance software on the host you need to start it, change the
admin password, and provide the network configuration settings to complete the installation.
The following steps are the same for each host after you have started the virtual appliance on the console.
1. You will be prompted for a login and password in the VMware console. Use admin for the login and
password for the password.
2. When the Change Admin Password console appears, change the administrator password – the
password must contain a minimum of seven characters and requires one number and one special
character.
3. When the Change Network Settings console appears, select Yes. You will be prompted to enter the
networking information for the virtual appliance. Use the settings from the Your Settings column in
Table 1 on page 17. It may take a few minutes to apply the settings.
4. When the Main Menu console appears, enter 1 if you want to change any network settings that you
entered in Step 3. Otherwise, enter 4 to log out of the Main Menu console.
5. When finished entering the console settings click Ctrl-Alt to regain control of the mouse and launch a
browser (Internet Explorer or Mozilla Firefox).
Steps 6-9 apply only to the Config Master.
6. Using the IP address or hostname you entered in Step 3, point the browser to the URL
https://Your_Settings_IP_address:10000, or https://virtual_appliance_hostname:10000. Accept the
certificate when prompted.
7. You should now see the Proofpoint login screen in the browser. Enter admin for the Login and the
password that you set up in Step 2.
8. You should now see the management interface for the Setup Assistant Guide for the virtual appliance
in the browser. Follow the steps in the Setup Assistant Guide to finish configuring the virtual
appliance. You must provide the required information (shown with a red asterisk) in each step before
you can proceed to the next step. You must enter your Activation ID from Proofpoint in order to receive
updates for the spam, virus, Zero-Hour, and Regulatory Compliance filtering engines. You already
entered most of these settings in Step 3 above.
9. When you are done entering the settings in the Setup Assistant Guide, click the Finish button to
validate the network settings.
If you have evaluated a full version of the virtual appliance you probably already injected email messages
into the virtual appliance and you can skip this chapter.
New customers can use the Evaluation links in the management interface to immediately see the power
and benefits of the virtual appliance.
There are several ways to inject email into the virtual appliance to test how it filters email and quarantines
messages that contain a virus or are designated as spam. The Evaluation page provides these methods
to get started immediately:
• Inject a corpus of email provided by Proofpoint.
• Forward email to the virtual appliance from a POP account.
• Inject your own corpus of email.
Enter your email address into the Recipient Email Address field so that your email address is added to
the User Repository and you can receive a sample User Digest. The User Digest lists the messages
addressed to you that have been quarantined because they contain spam.
When the message injection process finishes, click Quarantine > Messages in the navigation pane to
view the messages in the Quarantine.
Note: You need to wait at least one hour before you can create reports.
Be sure to check your email account for the User Digest – sent to you by the virtual appliance – the Digest
contains a list of the messages in the Quarantine that are addressed to you. (The Digest is sent to the
email account that you entered into the Recipient Email Address field.)
Click the Filter emails from any POP account icon to forward your email messages from your POP
account to the virtual appliance for filtering. Follow the instructions on the page. Be sure to provide a new
email address in the Forward email address field (not the same one you use for your POP account).
You can create more than one email forwarding profile. For example, if you have several different POP
accounts, you can create a forwarding profile for each one.
If you have more than one email forwarding profile, you can disable all of them at once. Follow these steps:
1. Log in to the virtual appliance.
2. Click the Users link under User Management in the navigation pane.
3. In the User List, click the entry for your email address to see the Attributes pop-up window.
4. Click the POP3 Forwarder tab in the Attributes pop-up window.
5. Select No for the Enable Forwarder attribute.
6. Click Save Changes.
Follow these steps to disable email forwarding from a specific POP account:
1. Log in to the virtual appliance.
2. Click the Users link under User Management in the navigation pane.
3. In the User List, click the entry for your email address to see the Attributes pop-up window.
4. Click the POP3 Forwarder tab in the Attributes pop-up window.
5. Select the name of the profile you want to disable.
6. Click the Off radio button for the Enable parameter.
7. Click Save Changes.
If several users in your Organization have email forwarding profiles, you can disable all of the profiles at
once by changing the Organization attribute. Follow these steps:
1. Log in to the virtual appliance, and be sure you are in the Advanced mode so you see all of the links in
the navigation pane.
2. Click Organization under User Management in the navigation pane.
3. Click the POP3 Forwarder link and select No for the Enable Forwarder attribute.
4. Click Save Changes.
26
Upload Your Own Email Corpus
Before you create the zip archive, you should “clean up” the email headers in the corpus. For example, if
the messages are addressed to no legitimate recipients, or to multiple recipients, that information is stored
in the Quarantine along with the message. If you release a message from the Quarantine, or send Digests
to all recipients who have messages in the Quarantine, you can potentially generate countless email
bounces.
Click the Upload and filter your emails icon to inject your own corpus of messages into the virtual
appliance.
You can optionally change the recipient address for the messages in your zip archive (recommended). For
example, if you enter your email address into the Recipient email address field, the messages injected into
the Quarantine from your corpus will be addressed to you, and show up in your Digest.
Proofpoint recommends that you engage help from a Sales Engineer to assist you with the remaining
configuration steps for your deployment.