Proofpoint Messaging Security

Gateway™ Virtual Edition

Installation Guide

Release 8.X

Proofpoint, Inc.
892 Ross Drive
Sunnyvale, CA 94089
www.proofpoint.com
Website:www.proofpoint.com
Toll-free telephone: 1-877-64POINT
Technical support: https://support.proofpoint.com

Proofpoint Messaging Security Gateway Virtual Edition Installation Guide

June 2020
Revision K
Proofpoint Protection Server

Copyright and Trademark Notices

The Proofpoint Protection Server is proprietary software licensed to you for your internal use by Proofpoint Inc. This software is © Copyright 2002 -
2020 Proofpoint Inc. The copying, modification or distribution of the Proofpoint Protection Server is subject to the terms of the Proofpoint Software
License, and any attempt to use this software except under the terms of that license is expressly prohibited by U.S. copyright law, the equivalent laws
of other countries, and by international treaty.

Proofpoint and Proofpoint Protection Server are trademarks of Proofpoint Inc.

McAfee is a registered trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. Virus Scanning capabilities may be provided by
McAfee, Inc.
Copyright © 2020 McAfee, Inc. All Rights Reserved.

F-Secure Anti-Virus Copyright © 1993-2020, F-Secure Corp.

VMware, the VMware “boxes” logo, GSX Server, ESX Server, Virtual SMP, VMotion and VMware ACE are trademarks (the “Marks”) of VMware, Inc.

MariaDB licensing information is available in the directory ${PROOFPOINT_ROOT}/opt/mariadb.

Apache 2.2 licensing information is available at http://www.apache.org/licenses.

Perl (Practical Extraction and Report Language) is copyrighted by Larry Wall.

It is free software and it is redistributed by Proofpoint under the terms of the “Artistic License” that comes with the Perl Kit, Version 5.0. Source is
available at http://www.perl.com.

Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the
University of Cambridge, England.
Source is available at ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/.

Some database support in this solution is provided by MySQL.

Copyright © 1997, 2011-2020 Oracle and/or its affiliates. All rights reserved.

Copyright © 1986 - 1993, 1998, 2004 Thomas Williams, Colin Kelley

Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.
Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as
patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you
1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries,
2. add special version identification to distinguish your version in addition to the base release version number,
3. provide your name and address as the primary contact for the support of your modified version, and
4. retain our contact information in regard to use of the base software.
Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted
with same provisions 2 through 4 for binary distributions.
This software is provided "as is" without express or implied warranty to the extent permitted by applicable law.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the developer nor the names of contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE DEVELOPER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE DEVELOPER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software are Copyright © 1996-2002 The FreeType Project (www.freetype.org). All rights reserved.
Additional graphical © support is provided by libgd:
Portions copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188
by the National Institutes of Health.
Portions copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc.
Portions relating to GD2 format copyright © 1999, 2000, 2001, 2002 Philip Warner.
Portions relating to PNG copyright © 1999, 2000, 2001, 2002 Greg Roelofs.
Portions relating to gdttf.c copyright © 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org).
Portions relating to gdft.c copyright © 2001, 2002 John Ellson
Portions relating to JPEG and to color quantization copyright © 2000, 2001, 2002,
Doug Becker and copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more
information.
Portions relating to WBMP copyright © 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this
notice is present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. “Derived works” includes all programs that utilize the library. Credit must be given in user-accessible
documentation.
This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not limited to implied
warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.
Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation
for their prior contributions.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)

zlib.h – interface of the “zlib” general purpose compression library version 1.2.2, October 3rd, 2004
Copyright © 1995-2004 Jean-loup Gailly and Mark Adler
This software is provided “as-is”, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the
use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely,
subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a
product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu

Unifont copyright Paul Hardy of Unifoundry.com (unifoundry@unifoundry.com) released under the terms of the GNU General Public License (GNU
GPL) version 2.0.

Tomcat, Log4j, Apache CXF – Apache Copyright © 1999-2020 Apache Software Foundation

Java JRE, JDK, JavaMail, Sun JavaServerFaces – Copyright © 1997, 2011-2020, Oracle and/or its affiliates. All rights reserved.

JBoss RichFaces – Copyright Red Hat ®. Red Hat is a registered trademark of Red Hat, Inc.

Copyright © 2020 Sendmail, Inc. All Rights Reserved.

Proofpoint gratefully acknowledges contributions of the open source community to the Proofpoint Protection Server. References to open source
software used with the Proofpoint Protection Server is collected into a single repository which can be found in the installed Proofpoint Protection
Server package in src/opensource/OPENSOURCE. That repository, consisting of the contributions from open source projects – but not including
the proprietary Proofpoint Protection Server software referred to above – is a collective work that is © Copyright 2002 - 2020 Proofpoint Inc. You will
find in this repository copies of the source code, or references of where to find, every open source program not referenced in this copyright notice,
that was used in the Proofpoint Protection Server.

Copyright © 2005, Google Inc.

All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution. Neither the name of Google Inc. nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>.

All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other
dealings in this Software without prior written authorization of the copyright holder.

This product includes software developed by The Apache Software Foundation (http://www.apache.org). Licensed under the Apache License,
Version 2.0 (the "License"); you may not use this file except in compliance with the License.You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is
distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.

Microsoft, MSN, Windows, and Microsoft Office are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.

iPhone and iPad are registered trademarks of Apple, Inc.

Elasticsearch - Copyright 2009-2020 Elasticsearch

Gnuplot - Copyright Thomas Williams, Colin Kelley (http://www.gnuplot.info)

Copyright © 2020. Proofpoint, Inc. All rights reserved.

PROOFPOINT is a trademark of Proofpoint, Inc. All other product names and brands are the property of their respective owners.
 Preface

This Installation Guide describes how to set up and configure the Proofpoint Messaging Security Gateway
Virtual Edition (virtual appliance). It is intended for personnel responsible for installing and implementing
enterprise-wide messaging applications. Refer to Proofpoint Help for instructions on configuring and
managing the virtual appliance and the Proofpoint Protection Server software.

Conventions
This book uses the following typographic conventions:
• New terms and book titles appear in italic type.
• Text that you type is shown in bold courier font.
• Names of buttons, links, and interface elements appear in this font.
• Text that appears on the screen is shown in courier font.
• Names of keys on the keyboard appear with initial capitalization, such as the Enter key.
• Simultaneous keystrokes are joined with a hyphen. For example, “Press Alt-a.”
• Consecutive keystrokes are joined with a plus sign (+). For example, Esc+m.

Documentation Feedback
Please send your comments and feedback about this manual via email to docfeedback@proofpoint.com.
Proofpoint strives to produce high-quality and technically accurate documentation. Include the name of the
document and the revision date with your email. Your feedback is greatly appreciated and will help us
maintain our high standards for our product documentation.

Release 8.X Virtual Appliance Installation Guide 7

8
Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 1 – Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Chapter 2 – System Requirements and Downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Supported VMware Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Support for Kernel-based Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
System Requirements for the Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
System Requirements for the VMware ESX Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
BIOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Network Information for the Proofpoint Virtual Appliance as a Guest . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Ports for the Proofpoint Virtual Appliance as a Guest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Memory Requirements for the Virtual Appliance as a Guest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Virtual Appliance Downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
OVF Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
ISO Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 3 – VMware ESX Server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

OVF Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Increasing the RAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Increasing the CPUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
ISO Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 4 – Starting the Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Chapter 5 – Test Email Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Inject Email Provided by Proofpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Forward Email from a POP Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Disabling Email Forwarding from a POP Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Upload Your Own Email Corpus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
System > Inbound Mail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Release 8.X Virtual Appliance Installation Guide 9

10
Chapter 1 Introduction

A common problem facing most email administrators and end users today is the growing proliferation of
spam and viruses. The flood of such unwanted email sent by spammers and hackers has large cost
implications for corporate Organizations. The unwanted traffic results in lowered productivity and
consumes valuable IT resources. This impact is worse on businesses that maintain in-house email servers
and have limited administrative resources.

The Proofpoint Messaging Security Gateway Virtual Edition (virtual appliance) offers all of the same anti-
spam, anti-virus, encryption, data privacy, and intellectual property leak prevention features found in
Proofpoint’s physical appliances in an easy-to-deploy VMware ESX guest. The benefits from virtualization
include cost savings, rapid deployment and provisioning, and simplified change management.

This Installation Guide is for administrators who want to license and deploy the virtual appliance in a
production environment, or for administrators who are already familiar with the benefits of virtualization,
who are already using VMware products, and are adding one or more virtual appliances to a VMware host.

Product Overview
The table in this section presents the differences between the virtual appliance and appliance. The
supported platforms, system requirements, and features differ between the versions.

See “System Requirements for the Virtual Appliance” on page 14 for more detailed information.

Release 8.X Virtual Appliance Installation Guide 11

 Full version on
Full version on VMware ESX
Details/Features Messaging Security
Server
Gateway Appliance
How to obtain Proofpoint field engineer Proofpoint field
engineer
How software is packaged OVF image or ISO image pre-installed
Can use for evaluation? Yes Yes
Can use for production email Yes Yes
stream?
Master/agent support Yes Yes
Spam and virus filtering modules Yes Yes
Smart Search Yes Yes
Regulatory Compliance Module Yes Yes
Digital Assets Module Yes Yes
ICAP filtering Yes Yes
Proofpoint Encryption Yes Yes
Requires activation ID from Yes Yes
Proofpoint
Upgrade path Yes Yes

Installation Overview
You need to contact Proofpoint in order to obtain the full version of the virtual appliance. After obtaining
your login and password from Proofpoint, you need to download and install the full version of the virtual
appliance software.

In summary, you will follow this procedure to install the virtual appliance software:
• Log in to the Proofpoint support site to download the virtual appliance software.
• Install the software on the host server.
• Start the virtual appliance and configure the network settings.

In this Installation Guide, the VMware server is referred to as the host, and the virtual appliance software is
referred to as the guest.

12
Chapter 2 System Requirements and Downloads

Deployment Scenarios
The virtual appliance can be deployed as a stand-alone solution, or it can be deployed in a cluster, where
several virtual appliances work together to distribute the processing load or provide dedicated services. For
example, when deployed in a cluster, one virtual appliance can be designated as the Config Master, and
the other virtual appliances are designated as agents. The Config Master provides centralized
administration, maintains the Quarantine, the User Repository, the log database, and generates Digests for
the user community. The agents can be dedicated to filtering and relaying email for the Organization.

There are many advantages to deploying a cluster of virtual appliances: load balancing, redundancy, and
scaling, to name a few. If your Organization includes locations that are geographically dispersed it is
advantageous to deploy virtual appliances as agents at each location. Agents automatically synchronize
with the master appliance so that all virtual appliances in a cluster have the same configuration settings
and filtering rules. Each agent in a cluster maintains its own Quarantine and log files, which are also sent to
the master virtual appliance on a frequent, periodic basis. You can deploy a cluster that includes both
virtual appliances and hardware appliances – they can be mixed in the same cluster, as long as they are all
the same version.

Administrators must consider several factors to determine how many virtual appliances they need to
deploy. Your Proofpoint Sales Engineer will assist you with hardware, memory, and disk space
requirements for a successful deployment that will meet your Organization’s needs. The following list
describes some of the many factors to consider:
• Number of email messages processed during peak hours.
• Number of users for which a Digest is generated and distributed.
• Spam policies – messages that score 80 and above for spam (definite spam) can be either discarded
or quarantined.
• Message size – email messages that include large attachments require more processing time.
• Failover and redundancy.
• Geographic distribution.

Supported VMware Servers

References to ESX Servers in this document apply to the following servers:
• ESXi 5, ESXi 5.1, ESXi 5.1 Update 1, ESXi 5.5, ESXi 5.5 Update 2, ESXi 5.5 Update 3
Note: Proofpoint does not support SR-IOV (Single Root I/O Virtualization).

Release 8.X Virtual Appliance Installation Guide 13

Support for Kernel-based Virtual Machine

• ESXi 6.0, ESXi 6.0 Update 1, ESXi 6.0 Update 2, ESXi 6.5, ESXi 6.5 Update 2, ESXi 6.7, ESXi 6.7
Update 1
Note: Proofpoint Protection Server release 8.X is supported on VMware ESXi 6.X provided that
the installation follows all other system requirements and guidelines in this guide. Any
deviation from these documented guidelines (such as using a newer Virtual Machine
version, or manually upgrading VMware Tools) may result in system instability and are not
supported. Please ensure that all ESXi 6.X virtual machine guest network adapters are set
to E1000, as other adapter types may result in degraded performance.

Support for Kernel-based Virtual Machine

The virtual appliance will run on KVM. See “Installing the Proofpoint Protection Server on a KVM” in the
Proofpoint Customer Success Center portal for instructions.

System Requirements for the Virtual Appliance

The virtual appliance (guest) requires a minimum amount of RAM and available disk space on the host.
Verify that the host server exceeds the minimum requirements for RAM and available disk space so that the
guest can run on the host. Refer to the “Network Information for the Proofpoint Virtual Appliance as a
Guest” on page 17 and “Ports for the Proofpoint Virtual Appliance as a Guest” on page 17 for the additional
information you will need for a successful deployment.
Important: Email traffic will vary widely among different Organizations. Your Proofpoint Sales
Engineer will make recommendations for system requirements based upon your
Organization’s unique email volume and needs of the user community.

You can change the default CPU and RAM settings for the OVF image when you install the virtual
appliance software, but not the disk size. For this reason, Proofpoint provides different versions for the OVF
file – one for a 250 GB disk and one for an 80 GB disk size. Your Proofpoint Sales Engineer will
recommend the correct disk size for the Config Master and for each agent. For the ISO image, you can
change all of the default settings when you install the virtual appliance software.
Note: The 80 GB and 250 GB images are set by default to allocate 8 GB of RAM to the virtual
appliance. If you want to increase the RAM to 12 GB, for example, leave the Power on
after deployment check box clear (not selected) at the Ready to Complete OVF
installation step. You can then edit the settings for the virtual appliance after the OVF
image is installed. Otherwise, you will need to perform a clean shutdown of the virtual
appliance before changing the RAM. You cannot edit the settings while the virtual
appliance is up and running.

This section contains examples that demonstrate how system requirements can vary based upon email
traffic.

Example 1

If your deployment:
 contains 2,000 users, and they use the End User Web Application,
 and 23,000 messages are processed per hour at peak times,

14
 System Requirements for the Virtual Appliance

 and the average message size is 125 KB,

 and if each virtual appliance is installed on a physical server with CPU model Intel Xeon X5670,
your deployment would need:

Master 2 Agents – each agent:

RAM 8 GB 8 GB
CPU (dedicated) 2 dedicated vCPUs 2 dedicated vCPUs
Disk Space 250 GB available 80 GB available

Example 2

If your deployment:
 contains 10,000 users, and they use the End User Web Application,
 and 102,000 messages are processed per hour at peak times,
 and the average message size is 100 KB,
 and if each virtual appliance is installed on a physical server with CPU model Intel Xeon E5-2690
V2,

your deployment would need:

Master 5 Agents – each agent:

RAM 12 GB 8 GB
CPU (dedicated) 4 dedicated vCPUs 4 dedicated vCPUs
Disk Space 250 GB available 80 GB available

Important: If the host server has ample memory and disk space, Proofpoint recommends that you
increase the allocated RAM and disk space for the virtual appliance to improve
performance and allow for a larger Quarantine.

System Requirements for the VMware ESX Server

The Proofpoint virtual appliance is extremely CPU and I/O intensive and has unique performance
requirements compared to other common virtual servers such as DNS servers, databases, or mail servers.
Even when idle (not filtering email messages), the Proofpoint virtual appliance memory usage will remain
high and CPU usage can spike above 90% at times. This is normal behavior.

This section includes recommendations to ensure maximum performance in your virtual environment.

Mandatory:
• The CPUs should be dedicated to the virtual appliance with no over-provisioning.

Best practices:

Release 8.X Virtual Appliance Installation Guide 15

System Requirements for the Virtual Appliance

• The virtual appliance should be installed on a dedicated physical host with no other applications
running on the host.
• For optimal redundancy, split the agents across at least two or three host servers.
• Host systems should be geographically located in different data centers for best redundancy.
• If your deployment includes a Quarantine Node or Smart Search Node, these should be installed on
different physical hosts.

For more information about performance recommendations, refer to the VMware web site for vSphere Best
Practices documentation.

CPU

All processors must support hardware-assisted virtualization instruction sets. Newer instruction sets are
highly recommended (Intel VT-d and EPT, AMD AMD-Vi and RVI) although first-generation instruction sets
are acceptable (Intel VT-x and AMD AMD-V).

Do not use CPU Affinity when using hyper-threading.

BIOS

Ensure the following parameters are enabled if the processors support them:
• Turbo Mode
• Hyper-Threading
• Hardware -assisted virtualization features such as VT-x, AMD-V, EPT, and RVI

Ensure the following parameters are disabled:

• C1E halt state (if Turbo is enabled)
• All power-saving options. Power options should be set to high-performance mode. The default values
shipped with hardware are often power-saving settings – these settings can degrade performance
considerably.

Storage

Using “Thin Disk Provisioning” is not recommended when running the virtual appliance in a production
environment.

When possible, Proofpoint recommends using local storage for the most consistent I/O performance.

Storage provisioned (local or SAN) for use with VMware is often configured with RAID 5 by default. A RAID
5 configuration is not suitable for the high I/O rates needed by the Proofpoint virtual appliance. Proofpoint
recommends a RAID 1+0 (or similar) configuration.

When using Electronic Flash Drives (EFDs) in your storage environment, read and write caching should be
disabled for best performance.

16
 Network Information for the Proofpoint Virtual Appliance as a Guest

Network Information for the Proofpoint Virtual Appliance as a Guest

Enter the appropriate information in the following table – you will be prompted to provide this information in
the VMware ESX Server console when you install the virtual appliance. If you install a cluster of virtual
appliances, you need the information in the table for each virtual appliance.

Table 1. Network Settings

Default Settings Your Settings

IP Address 192.168.80.80
Netmask 255.255.255.0
Hostname None (use the hostname only,
(Must correspond to the DNS entry for the not the fully-qualified
IP address for the virtual appliance.) hostname)
Domain None (domain name only)
(The domain for the virtual appliance.)
Gateway 192.168.80.1
Primary DNS 204.127.129.1
Secondary DNS None
(Optional.)

You will also need your Proofpoint Activation ID, which is included with your Welcome letter.

Ports for the Proofpoint Virtual Appliance as a Guest

Several ports need to be open on the virtual appliance for a successful deployment. This information is
documented in the Proofpoint Product Family Pre-Installation Requirements sheet. You can download the
document from the Proofpoint Knowledge Base. Log in to https://kb.proofpoint.com and go to the
Documentation area. Look for the Pre-Installation Requirements document file in the Messaging Security
Gateway documentation article.

Memory Requirements for the Virtual Appliance as a Guest

Additional memory is required for certain services or when you enable additional modules. This information
is documented in the Proofpoint Release Notes. You can download the Release Notes from the Proofpoint
Knowledge Base.

Virtual Appliance Downloads

The software downloads are available from the Download Area on the Proofpoint support site. This section
provides the links to the software downloads on the support site. Every download prompts you for your
support login and password.

Release 8.X Virtual Appliance Installation Guide 17

 Important: Do not copy and paste the links into a browser. Click the links in this document to
access the Proofpoint support download site.

The OVF or ISO image contains the appliance software and operating system. You will be prompted to
save the images in a directory on your hard drive.

OVF Images

You have the option of installing an OVF image that allocates either 250 GB or 80 GB of disk space for the
Config Master. Proofpoint recommends that you install the 250 GB OVF for the Config Master, and install
the 80 GB OVF for the agents for best performance.

Navigate to the following URL:

250 GB disk allocation

https://support.proofpoint.com/download/pps-8.9.24.25-8.9.24.25-55-250GB-ovf.zip

80 GB disk allocation

https://support.proofpoint.com/download/pps-8.9.24.25-8.9.24-55-80GB-ovf.zip

Follow these steps to unzip the archive:

1. You will be prompted to save the archive to a location on your hard disk drive.
2. Navigate to the directory where you saved the zip archive after downloading it.
3. Extract the files in the archive to a location on your hard drive. The extraction creates the directory
pps-<release-build-number> for the files.
Note: The zip archive is approximately 1.2 GB in size; you should be able to unzip the file on
standard Windows and Macintosh systems with the default zip tools. In addition, most
Linux distributions should support unzipping archives greater than 2 GB. If you encounter
errors, you may try a different system or update your zip extraction tool.

ISO Image

Navigate to the following URL:

https://support.proofpoint.com/download/8.9.24_ISO/8.9.24.25-8.0.3.55-combined-Proofpoint.iso

Copy the ISO image to a vSphere Datastore location which can be accessed from the vSphere host.

Store the images on the datastore to make them available for installation. Create a directory and download
the ISO image:
1. Click the Configuration tab for the system.
2. Click Storage in the Hardware pane.
3. Double-click the storage partition.
4. Create a folder for the ISO image.
5. Go to the ISO directory you created and upload the ISO image there.

18
Chapter 3 VMware ESX Server Installation

This chapter describes the procedure for installing the OVF image or the ISO image for the virtual
appliance on ESX servers.

OVF Image

Install the virtual appliance software:

1. Verify the OVF files are available in a directory or URL that you can navigate to using the vSphere
Client.
2. From the vSphere Client File menu, select Deploy OVF Template.
3. In the Deploy OVF Template pop-up window, browse to the <release-build-number>-ovf directory,
and then click Next.
4. For the Name and Location, enter a name for the virtual appliance. (Suggestion:
Proofpoint_virtual_master.) Click Next.
5. Select a host for the Host/Cluster prompt.
6. Select a datastore for the Storage prompt. Highlight the datastore and click Next.
7. For the Disk Format, select the Thick Provision Eager Zeroed radio button and then click Next.
8. Select Next to accept the default Network Mapping selection.
9. For the Ready to Complete prompt you have the option of selecting the Power on after deployment
check box, or leaving this check box clear.
 If you want to accept the default allocation of 8 GB of RAM, select the Power on after
deployment and click Finish.
 If you want to increase the default allocation of RAM, leave the Power on after deployment check
box clear and click Finish. You can change the default settings after the OVF image installation
completes.

It will take several minutes for the installation to complete. See “Starting the Virtual Appliance” on page 23
to start the virtual appliance and configure the network settings.

Increasing the RAM

If you want to increase the RAM for the virtual appliance, follow the steps in this section. The example in
this section increases the RAM to 12 GB.
Important: If you already completed the OVF installation and have powered on the virtual
appliance, you must complete a clean shutdown procedure before changing any
settings. If you installed the OVF image and did not power on the system, you can
proceed to edit the settings.
1. In the vSphere Client window, right-click the name of the virtual appliance and select Edit Settings
from the menu.
2. In the Virtual Machine Properties window, on the Hardware tab, select Memory and enter 12 into the
Memory Size text box. Select GB from the Memory Size menu (it is set to MB by default).

Release 8.X Virtual Appliance Installation Guide 19

 3. Click OK to save the settings.

Increasing the CPUs

1. In the vSphere Client window, right-click the name of the virtual appliance and select Edit Settings
from the menu.
2. Select CPUs. Select 2 for Number of virtual sockets, and select 2 for Number of cores per socket.
These suggested values are based upon current Proofpoint deployments.
3. Click OK to save the settings.

ISO Image

Install the virtual appliance software:

1. Start the Virtual Infrastructure Client (VC) and log in to the VC or ESX server.
2. Right click on the system on which you are going to install the virtual guest and select New Virtual
Machine.
3. Select Custom, then click Next.
4. Give the virtual guest a name. (Suggestion: Proofpoint_virtual_master.)
5. Select a datastore. Highlight the datastore and click Next.
6. For Virtual Machine Version, select Virtual Machine Version: 8. (Versions 8, 9, 10, 11, 13, and 14
are supported. Version 12 does not apply.)
7. Set the Guest Operating System to Linux and Version to Red Hat Enterprise Linux N (64 bit).
(Select any 64-bit version, or select Other 64 bit.)
8. Select 2 for the number of virtual processors (CPUs), then click Next.
9. Allocate the appropriate amount of RAM per the system requirements on page 14. If you have more
memory available, use a larger number for better performance.
10. Proofpoint strongly recommends the E1000 network adapter, though we have tested successfully with
the VMXNET 2/3 (enhanced) adapter. (You can add more than one adapter and bind them if
necessary.) Click Next.
11. Use the default LSI Logic Parallel settings for the SCSI controller (recommended). Click Next.
12. Select Create a new virtual disk. Click Next.
13. Change the Disk Capacity to the appropriate amount per the system requirements on page 14. If you
have more disk space available, and anticipate the virtual appliance will be filtering a large volume of
email, use a larger number. The disk space is used to store the Quarantine, log files, and User
Repository. Select Thick Provision Eager Zeroed, and then click Next.
14. You can use the default settings for Advanced Options.
15. Review your settings, and then click Finish.

Configure the hardware:

1. Select the virtual guest and click Edit Settings.
2. Click CD/DVD Drive 1, then select Datastore ISO file.
3. Click Browse. Select the ISO file <release-build-number>-combined-Proofpoint.iso from the
datastore where it was copied.
4. Select Connect at power on.
5. Click the Options tab and select VMware Tools.
6. Ensure the Stop option is set to Shut Down Guest.
7. Click OK.

20
 8. Click Power On.
9. Click the Console tab to watch the installation progress. You will be prompted to install the software (it
does not automatically install). This process typically takes 5-10 minutes.
10. The system will reboot when you see the “dismounting cdrom” message.

Disconnect the CD image:

1. Select the virtual guest and click Edit Settings.
2. Click the Hardware tab.
3. Click Host device. Click CD/DVD Drive 1. For Device status, clear the Connected and Connect at
power on check boxes.
4. Click Ok.

After the reboot completes, go to “Starting the Virtual Appliance” on page 23 to start the virtual appliance
and configure the network settings.

Release 8.X Virtual Appliance Installation Guide 21

22
Chapter 4 Starting the Virtual Appliance

After downloading and installing the virtual appliance software on the host you need to start it, change the
admin password, and provide the network configuration settings to complete the installation.

The following steps are the same for each host after you have started the virtual appliance on the console.
1. You will be prompted for a login and password in the VMware console. Use admin for the login and
password for the password.
2. When the Change Admin Password console appears, change the administrator password – the
password must contain a minimum of seven characters and requires one number and one special
character.
3. When the Change Network Settings console appears, select Yes. You will be prompted to enter the
networking information for the virtual appliance. Use the settings from the Your Settings column in
Table 1 on page 17. It may take a few minutes to apply the settings.
4. When the Main Menu console appears, enter 1 if you want to change any network settings that you
entered in Step 3. Otherwise, enter 4 to log out of the Main Menu console.
5. When finished entering the console settings click Ctrl-Alt to regain control of the mouse and launch a
browser (Internet Explorer or Mozilla Firefox).
Steps 6-9 apply only to the Config Master.
6. Using the IP address or hostname you entered in Step 3, point the browser to the URL
https://Your_Settings_IP_address:10000, or https://virtual_appliance_hostname:10000. Accept the
certificate when prompted.
7. You should now see the Proofpoint login screen in the browser. Enter admin for the Login and the
password that you set up in Step 2.
8. You should now see the management interface for the Setup Assistant Guide for the virtual appliance
in the browser. Follow the steps in the Setup Assistant Guide to finish configuring the virtual
appliance. You must provide the required information (shown with a red asterisk) in each step before
you can proceed to the next step. You must enter your Activation ID from Proofpoint in order to receive
updates for the spam, virus, Zero-Hour, and Regulatory Compliance filtering engines. You already
entered most of these settings in Step 3 above.
9. When you are done entering the settings in the Setup Assistant Guide, click the Finish button to
validate the network settings.

Release 8.X Virtual Appliance Installation Guide 23

24
Chapter 5 Test Email Routing

If you have evaluated a full version of the virtual appliance you probably already injected email messages
into the virtual appliance and you can skip this chapter.

New customers can use the Evaluation links in the management interface to immediately see the power
and benefits of the virtual appliance.

There are several ways to inject email into the virtual appliance to test how it filters email and quarantines
messages that contain a virus or are designated as spam. The Evaluation page provides these methods
to get started immediately:
• Inject a corpus of email provided by Proofpoint.
• Forward email to the virtual appliance from a POP account.
• Inject your own corpus of email.

Inject Email Provided by Proofpoint

Click the Filter sample email collection icon to inject a corpus of email messages provided by Proofpoint
into the virtual appliance.

Enter your email address into the Recipient Email Address field so that your email address is added to
the User Repository and you can receive a sample User Digest. The User Digest lists the messages
addressed to you that have been quarantined because they contain spam.

Click Start to begin injecting email messages.

When the message injection process finishes, click Quarantine > Messages in the navigation pane to
view the messages in the Quarantine.
Note: You need to wait at least one hour before you can create reports.

Be sure to check your email account for the User Digest – sent to you by the virtual appliance – the Digest
contains a list of the messages in the Quarantine that are addressed to you. (The Digest is sent to the
email account that you entered into the Recipient Email Address field.)

Forward Email from a POP Account

You can set up email forwarding directly from your personal POP account to the virtual appliance for
filtering. All email messages directed to your personal POP account (for example, you@comcast.net, or
you@gmail.com) are forwarded to the virtual appliance first, filtered, then delivered to the email address
that you specify for forwarded email.

Release 8.X Virtual Appliance Installation Guide 25

Forward Email from a POP Account

Note: Some ISPs charge you for email forwarding.

You need the following information:

• The name of the mail server for your POP account.
• The user name and password for your POP account.
• Some POP accounts require the port number and whether or not the server requires SSH for
communication.
• A new address to which forwarded email messages will be sent.

Click the Filter emails from any POP account icon to forward your email messages from your POP
account to the virtual appliance for filtering. Follow the instructions on the page. Be sure to provide a new
email address in the Forward email address field (not the same one you use for your POP account).

You can create more than one email forwarding profile. For example, if you have several different POP
accounts, you can create a forwarding profile for each one.

Disabling Email Forwarding from a POP Account

If you have more than one email forwarding profile, you can disable all of them at once. Follow these steps:
1. Log in to the virtual appliance.
2. Click the Users link under User Management in the navigation pane.
3. In the User List, click the entry for your email address to see the Attributes pop-up window.
4. Click the POP3 Forwarder tab in the Attributes pop-up window.
5. Select No for the Enable Forwarder attribute.
6. Click Save Changes.

Follow these steps to disable email forwarding from a specific POP account:
1. Log in to the virtual appliance.
2. Click the Users link under User Management in the navigation pane.
3. In the User List, click the entry for your email address to see the Attributes pop-up window.
4. Click the POP3 Forwarder tab in the Attributes pop-up window.
5. Select the name of the profile you want to disable.
6. Click the Off radio button for the Enable parameter.
7. Click Save Changes.

If several users in your Organization have email forwarding profiles, you can disable all of the profiles at
once by changing the Organization attribute. Follow these steps:
1. Log in to the virtual appliance, and be sure you are in the Advanced mode so you see all of the links in
the navigation pane.
2. Click Organization under User Management in the navigation pane.
3. Click the POP3 Forwarder link and select No for the Enable Forwarder attribute.
4. Click Save Changes.

26
 Upload Your Own Email Corpus

Upload Your Own Email Corpus

You can inject your own corpus of email messages into the virtual appliance. To do this, you must first
create a zip archive that contains a collection of email messages in RFC 822 format.

Before you create the zip archive, you should “clean up” the email headers in the corpus. For example, if
the messages are addressed to no legitimate recipients, or to multiple recipients, that information is stored
in the Quarantine along with the message. If you release a message from the Quarantine, or send Digests
to all recipients who have messages in the Quarantine, you can potentially generate countless email
bounces.

Click the Upload and filter your emails icon to inject your own corpus of messages into the virtual
appliance.

You can optionally change the recipient address for the messages in your zip archive (recommended). For
example, if you enter your email address into the Recipient email address field, the messages injected into
the Quarantine from your corpus will be addressed to you, and show up in your Digest.

System > Inbound Mail Page

Click the Inbound Mail link under System in the navigation pane to configure the virtual appliance to
accept and filter inbound email for your Organization. Click the Help link in the upper-right corner for
detailed instructions.

Proofpoint recommends that you engage help from a Sales Engineer to assist you with the remaining
configuration steps for your deployment.

Release 8.X Virtual Appliance Installation Guide 27

28