How to configure Bitdefender Security for ISA Servers
Bitdefender Security for ISA Servers allows organizations to protect their Microsoft® ISA Servers: it blocks specific types of websites and scans downloaded files and email attachments from web email services. Ensuring compliance with corporate security policies becomes easier, and companies can maintain control of sensitive data that would otherwise leak from inside the organization.
After installing the product, you need to configure it to scan the traffic (HTTP and/or FTP). To do that, first create groups and then apply traffic rules to those groups.
To create the groups, open the Bitdefender Security for ISA Servers console, expand the Policies menu and then the Policy Elements menu, which gives you two options: Client Groups and Content Groups.
By selecting the Client Groups menu, you can define custom client groups to be used when creating rules. A group can contain one or more computers. To create a group you must run the Client Group Wizard (from the contextual menu, point to New and select Client Group). The wizard is a four-step procedure that guides you through creating different Client Groups to which you can apply different traffic rules.
By selecting the Content Groups menu, you can define custom content groups to be used when creating rules. A content group can contain several content types, which can be file extensions (.xyz) or MIME types (class/subclass). The second form (MIME types) is used only for HTTP traffic, when the header is present.
When analyzing an FTP traffic rule, Bitdefender will compare the file extension to the extensions defined in the content group. As for the HTTP traffic, if the content-type header is present, its value will be searched in the group content type list. If the content type is not found or the header does not exist, Bitdefender will search for the file extension. By default, Bitdefender comes with 5 content groups: Application, Image, Text, Audio and Video. To create a content group you must run the Content Group Wizard (from the contextual menu, point to New and select Content Group). The wizard is a four-step procedure.
Once the groups are created, you can set up the Rules that will scan the traffic. To create them, select the option Rules under the Policies menu.
Here you can define specific filtering rules for specific IP address groups across multiple scan types. A system of safe domain white lists configurable by the administrator is also available so that the traffic between the ISA Server and the respective domains is not scanned. By default, Bitdefender scans all files downloaded through the HTTP protocol and all files downloaded or uploaded through the FTP protocol.
Note: A rule is built for a group of clients.
1. Assignment to a group is done based on the IP address of the client having made the request to access the web page or file.
2. Rules are analyzed by order of definition, until the IP address is matched to a Client Group.
3. The defined action is taken (scan or no scan, depending on the constraints defined in the Address White List and the Content Group). Then, the IP address leaves the content filter.
4. If no rule is found for the respective IP, the implicit action will be applied: scanning.
It is recommended that one rule be defined for each group as no other newly defined rules will be taken into consideration once a match has been found.
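The content-group lookup and first-match rule evaluation described above, modelled as an added example; it is not Bitdefender code. The group names, networks, domains and the rule layout are constructed, and it assumes that a white-listed domain, or content outside the rule's content groups, means no scan.

```python
import ipaddress
from posixpath import splitext

# Constructed sample policy: every name, network and domain here is hypothetical.
CLIENT_GROUPS = {"Staff": ["10.0.0.0/16"], "Servers": ["10.0.1.0/24"]}
CONTENT_GROUPS = {
    "Image": {"image/png", "image/jpeg", ".png", ".jpg"},
    "Application": {"application/octet-stream", ".exe", ".zip"},
}
# Rules in order of definition. "Servers" overlaps "Staff" and is defined later.
RULES = [
    {"name": "staff-rule", "clients": "Staff", "content": ["Application"],
     "whitelist": {"updates.example.com"}},
    {"name": "servers-rule", "clients": "Servers",
     "content": ["Application", "Image"], "whitelist": set()},
]

def content_matches(group, protocol, path, content_type=None):
    """HTTP: try the Content-Type value first, then the extension. FTP: extension only."""
    types = CONTENT_GROUPS[group]
    if protocol == "http" and content_type:
        mime = content_type.split(";")[0].strip().lower()
        if mime in types:
            return True
    return splitext(path)[1].lower() in types

def decide(client_ip, protocol, host, path, content_type=None):
    """Return (rule name, action) for one request, using first-match evaluation."""
    ip = ipaddress.ip_address(client_ip)
    for rule in RULES:
        nets = CLIENT_GROUPS[rule["clients"]]
        if not any(ip in ipaddress.ip_network(n) for n in nets):
            continue
        # First matching client group wins; later rules are never consulted.
        if host in rule["whitelist"]:  # assumed: white-listed domain => no scan
            return rule["name"], "no scan"
        hit = any(content_matches(g, protocol, path, content_type)
                  for g in rule["content"])
        # Assumed: content outside the rule's content groups => no scan.
        return rule["name"], ("scan" if hit else "no scan")
    return None, "scan"  # implicit action when no rule matches the IP

if __name__ == "__main__":
    # 10.0.1.5 belongs to both groups; staff-rule shadows servers-rule.
    print(decide("10.0.1.5", "http", "files.example.net", "/logo.png", "image/png"))
    print(decide("10.0.2.9", "http", "files.example.net", "/setup.exe", "text/html"))
    print(decide("192.168.5.5", "ftp", "files.example.net", "/notes.txt"))
```

Swapping the two entries in RULES makes 10.0.1.5 hit servers-rule, so the PNG is scanned; overlapping client groups are the case where rule order decides what goes unscanned.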
In the next step, you will go through the Configuration sections:
• Application Filters
• Antivirus Engine
• Alerts
• Antivirus Update
• RTVR
• General
In the Application Filters section, you can enable or disable the Bitdefender filters that scan all HTTP and FTP-based traffic.
HTTP: All HTTP responses to clients are sent by the Firewall service of the Microsoft ISA to the Bitdefender filter, which decides if they need to be scanned or not. After being scanned, the responses are sent to the clients. The unscanned responses are let through without being intercepted.
FTP: The FTP filter is attached by the Firewall to each FTP session opened by the client. The filter monitors the FTP client-server communication and, in case it detects a data connection for file transfer (upload or download), it intercepts such transfer and scans it or not, according to the defined rules.
In the Antivirus Engine section, you can set the actions to be taken on the infected files and the quarantine location as follows. Bitdefender allows for the selection of two actions to be taken in case an infected document is found.
First action
Ignore - Ignore infected objects. No action taken.
Disinfect - Disinfect infected objects.
Delete - Delete infected objects.
Move to Quarantine - Isolate infected objects in the quarantine zone.
The Second action is a supplementary measure of protection and it is only activated if the first action is Disinfect.
Ignore - Ignore infected objects. No action taken.
Delete - Delete infected objects.
Move to Quarantine - Isolate infected objects in the quarantine zone.
The Quarantine option allows for the selection of the quarantine location. The default location of the quarantine zone is: C:\Program Files\Common Files\Softwin\ADD-ONS\quar. If you want to change it, type the complete path in the Quarantine location field (the specified folder must have been previously created).
In the Alerts section, you can configure the alarm messages. The alert service of Microsoft Internet Security and Acceleration (ISA) Server notifies you when specified events occur. Bitdefender has designed 5 special types of events that can generate alarm messages:
Bitdefender Information: An alert is generated when Bitdefender services start and stop.
Bitdefender Warning: An alert is generated in case a special situation appears: e.g. license expiration (Bitdefender will alert you three days in advance), protection disabled, etc.
Bitdefender Error: An alert is generated upon the occurrence of a malfunction of Bitdefender. Such situations may appear, for example, because of the accidental deletion of some files or of the failure to load the Antivirus engines.
Bitdefender HTTP Virus: An alert is generated in case an infected file is detected in the HTTP traffic.
Bitdefender FTP Virus: An alert is generated in case an infected file is detected in the FTP traffic.
In the Antivirus Update section, you can configure the Bitdefender update settings. Nowadays the risk of having your computer infected is higher both because of the appearance of new viruses and spyware and of the spread of existing ones.
Bitdefender for MS ISA Servers Enterprise Edition has a built-in function for the automatic update of virus definitions. Every 3 hours the update function is launched and it connects to the Bitdefender upgrade server. If an update is found, it is applied transparently, without the administrator's intervention, through a file download.
In the RTVR (Real Time Virus Reporting) section, you can enable the virus reporting feature.
The module is customized for each country and it allows for the sending of alerts on found viruses to the Bitdefender Lab. The reports will contain no confidential data, such as your name, IP address or other, and they will not be used for commercial purposes. The information supplied will only include the name of the country and the virus name and it will solely be used to create statistic reports.