McAfee MSA-3400-SWGI Installation Guide - Page 18

SMTP configuration in a DMZ, Mail relay, Mail gateway

The device can be added easily to a DMZ configuration. The way you use the device in a DMZ
depends on the protocols you intend to scan.

Contents
  Pre-installation
  SMTP configuration in a DMZ

SMTP configuration in a DMZ

The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall
for the second time (on its way from the DMZ to the internal network), it has been encrypted.
Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode.
Configuration changes need only be made to the MX records for the mail servers.

NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if
you do not control the flow of traffic correctly, the device scans every message twice, once in
each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.

Figure 7: Device in explicit proxy configuration in a DMZ

Mail relay

If you have a mail relay already set up in your DMZ, you can replace the relay with the device.
To use your existing firewall policies, give the device the same IP address as the mail relay.
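As an added example (not from the McAfee guide), the check below verifies that, after the MX records have been changed and the device has taken over the old relay's address, every MX host for the domain actually resolves to the scanning device in the DMZ, and flags any record that would let inbound mail bypass the device. The hostnames, addresses and DNS answers are constructed assumptions.

```python
"""Audit a domain's MX records against the DMZ scanning device.
Added example, not code from the McAfee guide: the device address, DMZ network
and DNS answers below are constructed; feed audit_mx() your resolver's records."""
from ipaddress import ip_address, ip_network

# Assumed: the device took over the old mail relay's address (192.0.2.10)
# so that the existing firewall policies still apply to it.
DMZ_NET = ip_network("192.0.2.0/24")
DEVICE_ADDRS = {ip_address("192.0.2.10")}

# Constructed DNS answers for example.com: MX (preference, host) and A records.
MX_RECORDS = [(10, "mx1.example.com"), (20, "mx2.example.com"),
              (30, "mail.example.com")]
A_RECORDS = {
    "mx1.example.com": ["192.0.2.10"],
    "mx2.example.com": ["192.0.2.10"],
    "mail.example.com": ["10.1.1.25"],  # stale backup MX pointing straight inside
}

def classify(addr, device_addrs, dmz_net):
    """Return how mail delivered to this MX address would enter the network."""
    if addr in device_addrs:
        return "scanned"        # delivered to the device, so content is scanned
    if addr in dmz_net:
        return "dmz-unscanned"  # another DMZ host: the device is not in the path
    return "bypass"             # outside the DMZ: skips the DMZ entirely

def audit_mx(mx_records, a_records, device_addrs=DEVICE_ADDRS, dmz_net=DMZ_NET):
    """Return (preference, host, status) per MX address, lowest preference first.
    An MX host without an A record is reported as 'unresolvable', not ignored."""
    report = []
    for pref, host in sorted(mx_records):
        addrs = a_records.get(host, [])
        if not addrs:
            report.append((pref, host, "unresolvable"))
            continue
        for a in addrs:
            report.append((pref, host, classify(ip_address(a), device_addrs, dmz_net)))
    return report

def unscanned_mx(report):
    """Hosts through which inbound mail could arrive without the device scanning it."""
    return sorted({host for _, host, status in report if status != "scanned"})

if __name__ == "__main__":
    for pref, host, status in audit_mx(MX_RECORDS, A_RECORDS):
        print(f"MX {pref:3d} {host:<20} {status}")
```

Run it against the real MX and A answers for your domain; any host reported as anything other than "scanned" is a path around the device that the firewall policy must close or the DNS must drop.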
Mail gateway

SMTP does not provide methods to encrypt mail messages — you can use Transport Layer
Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do
not allow such traffic on their internal network. To overcome this, they often use a proprietary
mail gateway, such as Lotus Notes® or Microsoft® Exchange, to encrypt the mail traffic before
it reaches the internal network.
Pre-installation
Deployment Strategies for Using the device in a DMZ
McAfee Email and Web Security Appliance 5.5 Installation Guide
18