How to do a manual migration from GWAVA 6.x to SMG

  • Document ID:7024763
  • Creation Date:30-Jul-2020
  • Modified Date:06-Jan-2021
    • Micro Focus Products:
      GWAVA (Secure Messaging Gateway)

Environment

GWAVA (Secure Messaging Gateway)

Situation

Need to migrate from GWAVA 6.x to SMG, how can this be done to avoid a messy and hard to manage policy once moved to SMG?

Resolution

There is a migration utility to move from GWAVA 6.5 to SMG, but if there are a lot of different settings in GWAVA 6.5 making it harder to manage later on. However, if you don't have a lot of exceptions and if this way is preferred, here's a link to it: GWAVA 6.x to SMG

Here are some steps to do a manual migration for a single server:

1) Install the SMG server as a new install: Link to admin guide for installation.

2) Set up a new policy using the policy wizard. It is recommended to set up a separate one for outbound as well. Link to admin guide for policy management - look under SMTP Policy Create With the Wizard.

Tip for outbound policy: Be default, there are several nodes that aren't usually needed for outbound scanning. After installing it using the wizard, go into the policy and remove any nodes that aren't needed.

A) Go under Organization / Policy management | Policy scan configuration | Outbound Mail Filter Policy


Here is what is installed with the wizard:


B) Click on the garbage can icon on the top of each node that needs to be removed and then click ok to confirm:



Here is an example of a recommended outbound policy:

It is important to keep the 'Message Received', 'Statistics Recording' and 'Message Tracker' nodes. These are needed for stats and tracking purposes. Also, the 'Message Received' node is commonly misunderstood. It simply means this policy received it, it does not mean it's for inbound when it's on an outbound policy.
3) Open the GWAVA 6.x management console UI and the SMG system administration UI, to copy settings from one to the other.

4) Install the SMG license.

The pem file for GWAVA 6.x will not work with SMG. The validation key for SMG can be found after logging into customer center

Go to https://licenses.gwava.com to register and download a SMG pem file. This can then be installed in SMG under system management | licensing:


5) From the GWAVA 6.5 UI under Server / Interface Management | <server name> | server management | Configure server | General. Check the 'Administrator's email address' and 'Keep log files for (days)' to match it on SMG.

     


These settings can be found in SMG under:

Admin email address is located under Organization / Policy Management | Settings | Administrator's email address:


Days to retain log files is located under System Management | Manage servers | <server name> | Days to retain log files


6) Go back to GWAVA 6.5 UI, still under Configure server | QMS configuration | Days to retain messages. The default on GWAVA 6.5 is 30 days.



The default on SMG is 60 days. If this needs to be changed on SMG, login to the SMG quarantine UI and go to Settings | Message Retention and change Days to retain messages in quarantine:


7) Go back to GWAVA 6.5 UI, still under Configure server | SSL configuration. If this is blank proceed to the next step. If there are certificates listed here, they will need to be copied onto the SMG server and the following TID will need to be done:


If it a certain certificate is needed for the UI follow this TID:

8) Go back to GWAVA 6.5 UI | Server / Interface Management | <server name> | server management | Configure domains.


If there is more than one domain listed, they will need to be added in SMG. One would have been added during the initial install of SMG already. This can be done by going to the SMG system admin. UI | Organization / Policy Management | Domain management


Add the missing domains here. Click on this link to the manual about domain management if needed.

9) If you use GWAVA as an outbound relay for any of your servers, go back to GWAVA 6.5 UI | Server/Interface Management | SMTP Scanner | Interface Settings | Trusted outbound relay


In SMG system admin UI | Module Management | Interfaces | SMTP Interface Manager | Relay/Host protection


Note that by default "127.0.0.1", "10.*", "172.16.0.0/12", "192.168.*.". will be in this list. Those can be left or removed depending on your environment. Please see documentation for further information.

10) Go back to the GWAVA 6.5 UI | Server/Interface Management | SMTP scanner | Interface Settings | Show optional SMTP settings. If there is something listed for "Connection Greeting (banner)" or "EHLO hostname", then that will have to be put in SMG as well. If nothing is listed, please proceed to next step.

In SMG system admin UI | Module Management | Interfaces | SMTP Interface Manager | Protocol. Put the "Connection Greetting (banner)" from GWAVA 6.5 in the "SMTP banner" section for SMG. Put "EHLO hostname" from GWAVA 6.5 in both the "Custom EHLO response" and the "Forwarded EHLO/HELO response" in SMG.

11) Go back to the GWAVA 6.5 UI | Server/Interface Management | SMTP scanner | Interface Settings | Show optional SMTP settings | Maximum SMTP DATA line length. Make note of the number (default is 1000).

In SMG system admin UI | Organization/Policy Management | Domain Management | <domain name> | SMTP Hosts | Line Limit. Default is 1000 in SMG as well. If this default worked for your system before then you can leave it as is. If not, change it to what you had in GWAVA 6.5.


12) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Anitivirus. Check to see if the service is enabled. Check the scan result action. By default the "Block the message" is checked and "Quarantine the message" is not checked.

In SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy. Find the Anti-Virus filter. There should be a red link to the Quarantine with the read hand. The red hand means don't quarantine. 


13) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Antispam | Spam Detection. There are three sections Confirmed Spam, Bulk spam, and Valid bulk mail.

In SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy, find the Anti-Spam filter linked to the Spam Filter Group. Click on the shield and you will see Confirmed Spam, Bulk mail, and Valid bulk mail. By default Confirmed Spam and Bulk Mail are checked. We recommend these settings. 

 
 14) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Antispam | SURBL, SPF, RBL, IP reputation. Go through each of these and make note of what is set to quarantine and block message.

In SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy, find the Spam Filter Group. Linked to the Spam filter group there will be RBL, SURBL, and SPF.

15) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Text Filtering. There will be Subject + Body filter, Subject filter, Body filter. If there are any filters listed in this field(s) then use a Chrome browser to highlight them, copy, and paste them into an Notepad++. In Notepad++ | Edit | Line Operations | Remove empty lines. Then Edit | Blank Operations | Trim Leading and Trailing Space.

In SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy. Create a new Message Text filter**. Give it a name so you know what it is triggering on (i.e. Subject text filter). Copy the text from Notepad++ and paste into the filter. Select if you want the text filter to look in message body or subject or both. It may be necessary to create several message text filters depending on your setup. Link the filter to the Block Message and Quarantine as seen in GWAVA 6.5.

**To create a new filter (while in the Policy management workbench), in the filters tab, select desired filter, then drag and drop onto workbench. 

16) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Mime filtering | Oversize and Undersize.

In SMG there is two place you can set oversize limits:
A) SMG system admin UI | Module Management | Interfaces | SMTP Interface Manager | Protocol | Enable SIZE limit & SIZE limit (bytes). Note: In GWAVA 6.5 the setting is in kB and in SMG it is in bytes. 

B) SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy. Create a Message Size filter and  link to block or Quarantine according to your set up. Click on the icon to configure the Oversize and Undersize.

Note: the difference between A and B is that A checks at initial SMTP ehlo connection and if the size to too large then the message is NOT received into the system. B allows the message to be received but if message is too large then the message will get blocked or quarantined.
17) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Mime filtering | Fingerprinting. Check the file types listed for quarantine and message block.

SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy | Fingerprint Executable Files. Click Show file types and add/remove the file types your organization wants here. Note: SMG cleaned up a lot of the old file types.

18) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Mime filtering | Attachment types. 

SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy | Named Executable Files. Compare list to GWAVA 6.5.

19) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Mime filtering | Source Address (from:). Use chrome to highlight and copy to Notepad++. Then remove blank lines and empty spaces as mentioned in step 15 above.

SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy | Create a new Email Address filter and give it a unique name (i.e. Sender filter). Link to Block or Quarantine services as seen in GWAVA 6.5 configuration. 

20) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Mime filtering |  IP Address. Use chrome to highlight and copy to Notepad++. Then remove blank lines and empty spaces as mentioned in step 15 above.

SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy | Create a new IP Address filter. Copy the IP address filters from Notepad++ into the new filter. Link to Block or Quarantine as seen in the GWAVA 6.5 configuration.

21) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Message services | signatures. Check to see if signatures are enabled for incoming and/or outgoing. You can copy the message or type it in manually in SMG.
SMG Inbound signature: SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy. Create a new Message Signature service and link it to Message Received. Click on the icon and create the signature you would like your users to receive on inbound mail.

SMG Outbound signature: SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Outbound Mail Filter Policy. Create a new Message Signature service and link it to Message Received. Click on the icon and create the signature that you would like on outbound mail. 
22) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Message services | Blind Carbon copy. Check to see what Events if any that are flagged for Blind Carbon Copy.

SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy. Create a Carbon Copy service and link it to any of the events/filters that where checked in GWAVA 6.5. Click the icon and enter the email address(s) of users that want to be BCC.

23) Go back to the GWAVA 6.5 UI | Scanner/Policy Management | Scanning Configuration | Exceptions| Source Address (from:). Use chrome to highlight and copy to Notepad++. Then remove blank lines and empty spaces as mentioned in step 15 above. If there are blank lines and spaces the exceptions may not work.

SMG system admin UI | Organization/Policy Management | Policy Scan configuration | Inbound Mail Filter Policy. We strongly recommend a Email Address exception to be linked to the spam filter group. This is because that is were most false positives are found. You will have to go through your exceptions and make sure that you have a similar layout in SMG.

Note: If you need exceptions that are not part of the Spam Filter Group, then the another Exception list can be created specifically for that filter.

24) It is now time to send a test message via Telnet. Please follow the steps in the TID 7019627.
 
Note: It may take some time for the first message to process. This is because when the first message hits the system, it does Virus updates for the first time. 

25) Once you have sent successful test messages, it is time to cut over from GWAVA 6.5 to SMG. This can be done two ways Changing your NAT to point to the new SMG server or changing the IP address of SMG to the old GWAVA 6 IP. 

To change over to SMG an IP change is necessary. This is done by three places:

1. SMG system admin UI | System management | Connection Address
2. SMG system admin UI | Module Management | Scan Engine Manager | Connection Address
3. In the VA admin | https://<server IP>:9443 | Network | NIC Configuration | Select the eth card and change the IP address. Wait a moment and then go to the VA admin using the new IP. Then select reboot.

There is a great YouTube video on this process. Please check it out here

26) It is time to log in to SMG and the Email server to verify mail flow.