
Configuring the CYREN Services for use with a Web Proxy

This article describes how to configure a proxy server for the CYREN services with the Protection module in all NoSpamProxy versions from version 9.2 onwards. To do this you have to download the files

  • ctasd.conf
  • ctipd.conf (additionally available from version 12.x)
  • ctwsd.conf (additionally available as of version 13.x)

from the directory “C:\ProgramData\Net at Work Mail Gateway\CYREN\”.

The following section is responsible for this:

#   If you connect to the Internet through a proxy server, you
#   should uncomment the following parameters and assign appropriate
#   values.
#ProxyPort = 80
#ProxyServerAddress = myproxy
#ProxyAuth = NoAuth
#ProxyUserName = user@proxy
#ProxyPassword = 1234
#ProxyAccess = 1

If you are using a proxy server without authentication, remove the # character before the lines “ProxyPort”, “ProxyServerAddress”, “ProxyAuth” and “ProxyAccess”. Enter the port of your proxy server for “ProxyPort”. For “ProxyServerAddress”, enter either the IP address or the FQDN of your proxy server. For “ProxyAuth”, leave the entry at “NoAuth”.

If you are using a proxy server with authentication, you must additionally configure the options “ProxyUserName” and “ProxyPassword”. Enter the corresponding logon information for “ProxyUserName” and “ProxyPassword”. Additionally, you must change the value “ProxyAuth” to “Basic”.

After you have saved the file, you must restart the services NoSpamProxy – CYREN Service (ctasd.conf), NoSpamProxy – CYREN IP Reputation Service (ctipd.conf) and NoSpamProxy – CYREN URL Categorization Service (ctwsd.conf) in order for the changes to take effect.

Note

For all Cyren services to function properly, unrestricted access to *.ctmail.com must be allowed. These connections must also be excluded from virus scanning, because the definitions for the Cyren Premium AntiVirus are downloaded over them as well!
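
The rules above for the proxy block (four mandatory lines, plus user name and password only for “Basic”) can be checked before the services are restarted. The following PowerShell function is an added example, not part of NoSpamProxy or of the original article; the function name and the sample values (proxy.example.internal, svc-nsp) are constructed.

```powershell
# Added example (not vendor code): validate the proxy block of a CYREN .conf file.
function Test-CyrenProxyConfig {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Only uncommented "Key = Value" lines count; "#ProxyPort = 80" is ignored.
    $active = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Proxy\w+)\s*=\s*(.*?)\s*$') {
            $active[$Matches[1]] = $Matches[2]
        }
    }

    $problems = @()
    foreach ($key in 'ProxyPort', 'ProxyServerAddress', 'ProxyAuth', 'ProxyAccess') {
        if (-not $active.ContainsKey($key)) {
            $problems += "$key is missing or still commented out"
        }
    }

    # The port must be a number in the valid TCP range.
    $port = 0
    if ($active.ContainsKey('ProxyPort') -and
        (-not [int]::TryParse($active['ProxyPort'], [ref]$port) -or $port -lt 1 -or $port -gt 65535)) {
        $problems += "ProxyPort '$($active['ProxyPort'])' is not a valid TCP port"
    }

    # Credentials must match the chosen authentication mode.
    $auth = $active['ProxyAuth']
    if ($auth -eq 'Basic') {
        foreach ($key in 'ProxyUserName', 'ProxyPassword') {
            if ([string]::IsNullOrWhiteSpace($active[$key])) {
                $problems += "ProxyAuth = Basic requires $key"
            }
        }
    }
    elseif ($auth -eq 'NoAuth') {
        foreach ($key in 'ProxyUserName', 'ProxyPassword') {
            if ($active.ContainsKey($key)) {
                $problems += "$key is active although ProxyAuth = NoAuth; comment it out again"
            }
        }
    }
    elseif ($null -ne $auth) {
        $problems += "ProxyAuth '$auth' is neither NoAuth nor Basic"
    }

    $problems
}

# Constructed sample: Basic authentication chosen, but the password line is still commented.
$sample = @'
ProxyPort = 8080
ProxyServerAddress = proxy.example.internal
ProxyAuth = Basic
ProxyUserName = svc-nsp
#ProxyPassword = 1234
ProxyAccess = 1
'@ -split "`r?`n"

Test-CyrenProxyConfig -Lines $sample

# Real file: Test-CyrenProxyConfig -Lines (Get-Content 'C:\ProgramData\Net at Work Mail Gateway\CYREN\ctasd.conf')
```

The sample block in the file shows ProxyPassword as a plain value, so a dedicated proxy account with no other rights is the sensible choice for “Basic”.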


PDF conversion, as part of Content Disarm and Reconstruction (CDR), converts Microsoft Word, Microsoft Excel and PDF documents into secure PDF files by removing any active content. The PDF file can then be opened without any concerns, with the original file either left attached to the email or removed. CDR is a feature in NoSpamProxy Protection and, in conjunction with NoSpamProxy Large Files, provides an optimal way to disarm unsafe documents and retain the original files.

CDR is configured in the “Content filter actions” and then applied to the corresponding emails via the “Content filters”. A training video on the content filters can be found at https://www.nospamproxy.de/de/support/trainingsvideos/ (German only).

This conversion process is very time-consuming and not all documents can be converted. We have built in a protection mechanism so that the unsafe attachments are not delivered, even if the conversion fails.

  • If only Protection, but not Large Files, is licensed, the email for which the conversion did not work is first stored under “Monitoring > Emails on hold” and the configured administrator is informed. The administrator then has the task of checking the email and can then either download it as an EML file and forward it via Outlook or deactivate/change the content filter for this email for a limited time and force delivery again.
  • If Protection and Large Files are licensed, the original file will be uploaded to the Web Portal if the conversion fails (if desired even if the conversion was successful), but it will be locked there, so that it must also be released by the administrator, deviating from the settings for the successful conversion. The prerequisite for this is the setting “Upload the original document to the Web Portal” in the Content Filter action.
    The email itself is delivered to the recipient, with the corresponding information for downloading, but without the converted PDF file, as this was not possible.

This protective mechanism cannot be changed or influenced.

Note

Since the conversion component is provided by a third-party provider, we have only very limited influence on it. If the conversion cannot be performed to your satisfaction, please send us the file to be converted, if possible. Make sure that the file does not contain any personal data. We will then make this file available to the third-party provider for analysis. Please note that we cannot provide feedback, as the adaptation process can be very lengthy.


When integrating the WebPortal into the configuration, the following settings must be observed for various scenarios. These settings are outside the NoSpamProxy but are mandatory for integration.

Scenarios

  • NoSpamProxy WebPortal is operated parallel to the gateway role and/or intranet role on the same system
    The Microsoft KB926642 article must be applied. Method 1, “Create the Local Security Authority host names that can be referenced in an NTLM authentication request”, is recommended, especially for production environments. Method 2, “Disable the authentication loopback check”, should only be applied to test environments!
    Note: The articles at Microsoft swap the methods in the English and German versions. Always check the exact description!
  • NoSpamProxy WebPortal is operated on a system in the DMZ / on computer(s) outside the domain
    The Microsoft KB951016 article must be applied


How to set the number of concurrent connections manually

This article describes how to change the number of outbound connections of the Gateway role.

The corresponding settings are specified in the file “Gateway Role.config” in “C:\ProgramData\Net at Work Mail Gateway\Configuration\” on the respective gateway role. To edit the file, first stop the gateway role.

Below the tag

<netatwork.nospamproxy.proxyconfiguration ... >

find the tag <queueConfiguration> and add the attributes maxConcurrentConnections="xx" and maxConcurrentConnectionsPerDomain="xx" to it. It should look like this:
<queueConfiguration maxConcurrentConnections="100" maxConcurrentConnectionsPerDomain="10" />

This limits the number of concurrent connections to 100, with a maximum of 10 concurrent connections allowed per domain.


This article describes how to manually set the number of concurrent connections. Since version 7.0, NoSpamProxy determines this number dynamically by itself. The basis for the decision is the CPU and memory usage. To prevent this behavior, proceed as follows:

First stop the Gateway Role. The corresponding setting is made in the “Gateway Role.config”. This file can be found in “C:\ProgramData\Net at Work Mail Gateway\Configuration\” on the respective Gateway Role.

Look for the line beginning with the following characters:

<netatwork.nospamproxy.proxyconfiguration...

Insert the following value directly below:
<connectionLimits hardUpperConnectionLimit="" minimumNumberOfConcurrentSessions="" />

If the values are not specified as in this example, the dynamic limit applies (depending on the CPU utilisation).

The values are both integer values.

The value hardUpperConnectionLimit determines the maximum number of connections.
The value minimumNumberOfConcurrentSessions determines the maximum number of concurrent connections.

Example
<connectionLimits hardUpperConnectionLimit="100" minimumNumberOfConcurrentSessions="50" />

Finally, save the configuration file and restart the Gateway Role.


To move version 12.x or 13.x to another computer, proceed as follows:

  1. Export and delete existing DKIM keys on the source server if necessary (only available with NoSpamProxy Protection).
  2. Copy your own stored logo image files to the new computer
  3. Copy the files Intranet Role.config and license.xml from the directory C:\ProgramData\Net at Work Mail Gateway\Configuration to the new computer.
  4. Create the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration” on the target server and copy Intranet Role.config and license.xml into it.
  5. Customize the Intranet Role.config.
  6. Install the SQL server.
  7. Stop the Intranet Role service.
  8. a) Back up the database files and restore them to the target SQL server.
    OR
    b) Move the database files to the new directory and mount them in the SQL server.
  9. Execute the NoSpamProxy Setup on the target server.
  10. Connect the Intranet role to the Gateway role.
  11. Then check all previously set passwords and certificates and reassign the connectors.
  12. Import the DKIM keys exported in step 1) to the target server.

The steps in detail

  1. Export and delete existing DKIM keys on the source server.
  2. In the NoSpamProxy Management Console, go to People and Identities > DKIM Keys and export existing DKIM Keys (if any) and delete them afterwards.
  3. Copy your own, stored logo image files to the new computer
    You can find the logo image file under the name Logo.png on the Intranet Role in the directory “C:\ProgramData\Net at Work Mail Gateway\Intranet\Theme\”. Create this directory on the new computer and place the file Logo.png in it.
  4. Copy the Intranet Role.config and license.xml to the new computer.
    First stop all NoSpamProxy services on the source computer and then stop the SQL database instance. This is usually found under the Windows services under the name “SQL Server (NOSPAMPROXY)”.
    Now copy the Intranet Role.config and license.xml from the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration” to the target computer.
    Please copy ONLY the mentioned files from the directories, otherwise problems could occur during installation.
  5. Create the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration” on the target server and copy Intranet Role.config and license.xml into it.
  6. Edit the Intranet Role.config
    Open the file with an editor, such as Notepad, and search for the following entry:
    <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
    <CipherData>
    <CipherValue>AQAAANCMnd...==</CipherValue>
    </CipherData>
    </EncryptedData>
    </connectionStrings>

    Change it to look like this at the end:
    <connectionStrings>
    </connectionStrings>

    Search the entire file for
    encryptedPassword=
    and change the occurrences that look similar to
    encryptedPassword="AQAAANCM...W9b17"
    to
    encryptedPassword=""

    Do the same for all occurrences of

    tlsCertificatePin="AQAAANCM...W9b17" and

    tlsCertificateThumbprint="AQAAANCM...W9b17"

    as well as

    password="AQAAANCM...W9b17".

    If De-Mail was configured, please search for

    certificatePin="AQKLM....D87W"

    and change the entry to

    certificatePin="".

    Finally, search for any DKIM keys that may be available. Search for the following entry:

    <dkimKeys>
    <key domain="example.com" selector="key1" privateKey="AAAAcVARJk3pG0SsnJkmR2FK..." />
    </dkimKeys>

    Change the entry so that it looks like this:

    <dkimKeys>
    </dkimKeys>

    Now save the file.

  7. Install the SQL Server.
    Now install the SQL Server in the version you want starting with SQL Server 2008 R2.
    Do not forget to install the administration tools, in particular SQL Management Studio.
  8. Stop the Intranet Role Service
    Stop the Intranet Role service via the NoSpamProxy console or via the Windows services to prevent access to the database and new entries in the database of the Intranet Role.
  9. a) Back up the database files and restore them to the target SQL server.
    With the help of SQL Management Studio you first create a backup of the SQL database “NoSpamProxyAddressSynchronization” on the source server.
    Right-click on the database and select “Task / Backup”. A dialog opens. Leave everything there as it is in the standard system and simply add a “disk” and the corresponding path to the backup file in the lower section.
    Then start the backup.
    Copy the resulting backup file to the target server and restore it.
    To do this, right-click on “Databases” in the SQL Management Studio of the target server and select “Restore Database”. A dialog opens.
    First select “Device” and add a new “File” in the dialog that appears. This file is the backup file you just copied.
    Now start the recovery.
    OR
    b) Move the database files to the new directory and mount them in the SQL server.
    The SQL database files are usually located in the path “C:\Program Files (x86)\Microsoft SQL Server\MSSQL.XXXX\MSSQL\Data” or “C:\Program Files\Microsoft SQL Server\MSSQL.XXXX\MSSQL\Data”. You can recognize them by the name that begins with NoSpamProxy.
    Copy both the NoSpamProxyAddressSynchronization.mdf and NoSpamProxyAddressSynchronization.ldf files to the target computer and move the database files to the desired directory. This does not necessarily have to be the default directory of the SQL server.
    Then open SQL Management Studio. After logging on to the server, right-click Databases and select Add (or Databases and Attach).
    In the following dialog, add the first database file from the desired directory. The associated log file is automatically recognized.
  10. Execute the NoSpamProxy Setup for the same version.
    Now start the setup of the NoSpamProxy. Make sure to select Advanced Installation.
    When asked which SQL Server is used, select that a SQL Server is already installed and set the corresponding connection parameters. The setup then recognizes all further configuration files and adapts them.
  11. Connect the Intranet role to the Gateway role.
    As soon as the setup has been completed successfully, reconnect the intranet role under Gateway Components with the gateway role and, if necessary, the web portal.
    To do this, delete the existing connections, then restart the Intranet role and reconnect it.
  12. Then check all previously set passwords and certificates and reassign the connectors.
    With the move, the passwords that were encrypted in a machine-dependent way were deleted or can no longer be decrypted. This applies in particular to the password for protecting sensitive data, with which the private keys of S/MIME and PGP are protected.
    In the interface, set the old password again to restore access.
    The same applies to any SSL certificates configured in the receive connector.
    Therefore, check all passwords and SSL certificates that were previously stored and reset them.
    In addition, the send and receive connectors must be reassigned to corresponding gateway roles.
  13. Import the DKIM keys exported in step 1) to the target server.
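
The edits from the step “Edit the Intranet Role.config” can be applied and verified with a short script. This PowerShell code is an added example, not part of NoSpamProxy or of the original article; the function names and the wrapper element hypotheticalConnector in the sample are constructed, while the attribute names and truncated values are the ones shown in that step.

```powershell
# Added example (not vendor code): apply the config edits to the TEXT of Intranet Role.config.
function Clear-MachineBoundSecret {
    param([Parameter(Mandatory)][string]$ConfigText)

    # Replace the protected <connectionStrings ...> section with an empty element.
    $text = [regex]::Replace($ConfigText,
        '(?s)<connectionStrings\b[^>]*>.*?</connectionStrings>',
        "<connectionStrings>`r`n</connectionStrings>")

    # Blank every attribute the article names. \b keeps "password" from matching
    # inside "encryptedPassword", which has its own alternative in the list.
    $names = 'encryptedPassword|tlsCertificatePin|tlsCertificateThumbprint|password|certificatePin'
    $text = [regex]::Replace($text, '\b(' + $names + ')="[^"]*"', '$1=""')

    # Remove all <key ... /> entries; the keys were exported in the console beforehand.
    [regex]::Replace($text, '(?s)<dkimKeys>.*?</dkimKeys>', "<dkimKeys>`r`n</dkimKeys>")
}

function Find-ProtectedValue {
    param([Parameter(Mandatory)][string]$ConfigText)

    # The DPAPI-protected samples in the article start with AQAAANCM; any line
    # that still contains this prefix was missed and must be edited by hand.
    @($ConfigText -split "`r?`n" | Where-Object { $_ -match 'AQAAANCM' })
}

# Constructed sample built from the fragments shown in the article.
$sample = @'
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCMnd...==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
  <hypotheticalConnector encryptedPassword="AQAAANCM...W9b17" tlsCertificatePin="AQAAANCM...W9b17" />
  <dkimKeys>
    <key domain="example.com" selector="key1" privateKey="AAAAcVARJk3pG0SsnJkmR2FK..." />
  </dkimKeys>
</configuration>
'@

$clean = Clear-MachineBoundSecret -ConfigText $sample
$clean
'Lines still holding protected values: {0}' -f @(Find-ProtectedValue $clean).Count
```

For the real file, pass in the content read with `Get-Content -Raw` and keep the unmodified Intranet Role.config as a backup until the setup on the target server has completed.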

Migration of the NoSpamProxy Web Portal

If the NoSpamProxy WebPortal is in use and this is to be migrated to another server, there are two different ways of doing this which are described below:

Migration by installing another Web Portal

  1. Install the NoSpamProxy Web Portal on the new server including a new database and set it up according to the installation instructions.
  2. Include the new Web Portal parallel to the existing WebPortal in the NoSpamProxy console under Configuration > NoSpamProxy Components > Web Portal.
  3. Change the external accessibility of the Web Portal so that the standard link points to the new Web Portal and only the new Web Portal can be addressed from the outside / from the gateway role. All files are then exchanged between the Web Portals via the service “NoSpamProxy – FileSynchronizationService”.
  4. Once the storage period set under Configuration > NoSpamProxy Components > Web Portal > Web Portal Settings > Modify on the Large Files tab has elapsed, the old Web Portal can be switched off because no new files have been stored there or all existing files have expired.

Please note: If you switch off the system with the old WebPortal, also remove it under Configuration > NoSpamProxy Components > WebPortal, otherwise the Intranet role will still try to communicate with the Web Portal, resulting in memory overflow of the database.

Migration by relocation of the data

  1. Install the SQL Server in the version you want starting from SQL Server 2012. Do not forget to install the management tools, especially SQL Management Studio.
  2. Stop the “NoSpamProxy – FileSynchronizationService” service via the Windows computer administration (Windows services) and the Internet Information Service (IIS) via the command line “CMD> iisreset /stop” to exclude access to the database and entries in the database of the web portal.
  3. a) Back up the database files and restore them to the target SQL server.
    Using the SQL Management Studio, you first create a backup of the SQL database “enQsigPortal” on the source server. To do this, right-click on the database and select “Task / Backup”. A dialog opens. Leave everything there as it is in the standard system and simply add a “disk” and the corresponding path to the backup file in the lower section. Then start the backup. Copy the resulting backup file to the target server and restore it.
    To do this, right-click on “Databases” in the SQL Management Studio of the target server and select “Restore Database”. A dialog opens.
    First select “Device” and add a new “File” in the dialog that appears. This file is the backup file you just copied. Now start the recovery.
    OR
    b) Move the database files to the new directory and mount them in the SQL server.
    The SQL database files are usually located under “C:\Program Files (x86)\Microsoft SQL Server\MSSQL.XXXX\MSSQL\Data” or “C:\Program Files\Microsoft SQL Server\MSSQL.XXXX\MSSQL\Data”. You can recognize them by the name “enQsigPortal”. Copy both the enQsigPortal.mdf and enQsigPortal.ldf file to the target computer. Now move the database files to the desired directory. This does not necessarily have to be the default directory of the SQL server. Then open SQL Management Studio. After logging on to the server, right-click Databases and select Add (or Databases and Attach). In the following dialog, add the first database file from the desired directory. The associated log file is automatically recognized.
  4. Copy the storage folder of the files from the source server to the destination server. Where the files are stored on the source server can be found in the NoSpamProxy console under Configuration > NoSpamProxy Components > Web Portal in the integrated WebPortal. Please note the folder structure and store the files on the target server where they should be stored in the future.
  5. Install the WebPortal on the target server and set up the access in IIS according to your environment. Make sure that you select the existing instance on the SQL Server and do NOT install a new instance!
  6. Remove the old WebPortal from the Intranet role and add the new WebPortal accordingly in the NoSpamProxy console under “Configuration > NoSpamProxy Components > WebPortal”.
    After inserting the components, make sure that you adjust the storage location accordingly!
    If access to the new WebPortal works and your users can download the files, check in the NoSpamProxy console under “Monitoring > Suspended e-mails” whether e-mails have accumulated in the meantime that are still waiting to be processed by the content filter. Restart the processing for these e-mails.

Notes

  • All certificates that can be found in the console under “People and Identities > Certificates” are in the database and are automatically moved by the relocation of the intranet roles database “NoSpamProxyAddressSynchronization” during a migration.
  • The gateway role gets all information from the intranet role. Therefore this role is simply reinstalled during an upcoming migration.
  • If template adjustments were made manually, you must copy the changed templates to the target system.
  • If the disclaimer is licensed and configured, please note the following Knowledge Base article http://kb.nospamproxy.de/Wiki-Seiten/DisclaimerSSLCert.aspx and copy the templates for the disclaimer from the directory “C:\ProgramData\Net at Work Mail Gateway\Intranet\Templates” to the target system


Important information on integrating SwissSign as a certificate provider

The following document was created in collaboration with SwissSign. It contains all relevant information on the integration of a Managed PKI from SwissSign into NoSpamProxy.

FAQNetAtWork.pdf

This document will be updated if necessary.

Last updated 03.09.2015.

SwissSign Silver ID products supported by NoSpamProxy

NoSpamProxy currently supports two out of three Silver ID products offered:

  • Silver certificates without state, organisation and country field
    • Name in the order process: Email ID Silver, email address validated (web interface or partner application)
  • Silver certificates without state field
    • Name in the order process: Email ID Silver, email address validated, organization, country (partner application only)

Products not supported

The following Silver ID product is not supported:

  • Silver certificates with state field
    • Name in the order process: Email ID Silver, email address validated, organization, canton/state, country (partner application only)

Please take note of this information when ordering and make sure to only order the supported products!

If you have ordered the wrong product, you will find the form with which you can request the change from SwissSign under the following link:
https://www.swisssign.com/dam/jcr:85abf68a-1990-47f7-9530-9b1cce0397a7/MPKI_ChangeOrder_DE.pdf