Could you recommend which mode easiest to deploy with NDLP Prevent? How to integrated with Email Server and Web Proxy. Guide for this? Thanks!
If you just want to monitor, you can install NDLP Monitor on the appliance and you'll have visiblity in a lot more protocols - this is the easiest way. Just install it, and the 2 separate additionals NICS can be connected in a mirrored port where they'll start indexing traffic immediately.
For preventing, you need a web proxy that supports being an ICAP client and an e-mail gateway that can inspect and take actions based on custom headers.
Thanks George, i want to deploy Preventing but don't know where appliance should put and how to make this work (config guides).
I'm not sure there's such guide and I had to find out things by trial and error. When in prevent mode, it will be using the management interface (the one you're using to access the web gui) for icap, e-mail relaying and management and I don't believe you can chage this. You will need connectivity for the interface for SMTP traffic, ICAP and https for administration.
For http/s, you'll need to add on the proxy the following icap server address:
icap://>IP address of mgmt. port of Prevent>:1344/reqmod
for e-mail, you need to configure your e-mail system to send all outgoing e-mail to NDLP Prevent, then the NDLP Prevent will be sending messages to an e-mail gateway. The e-mail gateway needs to inspect the headers for actions. I can't find out now how the e-mail headrs look like, but you can just send an e-mail through it and check the header.
Message was edited by: georgec on 7/4/12 3:16:53 AM CDT
DLP is complex. EVen with McAFee certified help under the McAfee banner, our deployment of exactly what you're describing has been a bit of a nightmare if I'm being honest. I fear for your customer smalldog, and I think you're in for one heck of a time yourself because McAfee really struggles at putting all these pieces together aside from one SE I've met. Even their own contracted pro services folks... no one knows the breadth of this stuff nearly well enough it seems.
Yes, monitor may give you more asareness to additional protocols, but if email is headed out encrypted, or there's https involved as there is in any chat or social networking site anywhere, Monitor is going to be nearly useless because it won't be in the middle of encrypted web sessions. That' where an SSL middling web proxy that pushes upload requests off to DLP prevent for analysis is useful, and Prevent getting int he middle of outbound mail as an smtp relay is useful.
The mail path can be exchange -> MEG -> prevent -> MEG -> out or some environments will do exchange -> prevent -> MEG and out or ... there are many ways to do it. A lot depends on what email servers you're on, and whether they can be configured to do things with X-RCIS headers such as allow/block/quaratine or not.
Oh, and good luck finding any training for NDLP. There isn't any, at least last I checked.
i use virtual image to install mcafee manager on vmware. But after install i can not log in appliance with password default admin/mcafee, have another password? Thanks!