This document describes the required configuration and policy to deliver inbound messages from an on-premises Trustwave Secure Email Gateway (SEG) installation to the Trustwave Sandboxing service for checking.
Readers are expected to have familiarity with Trustwave SEG administration including creation of policy and policy elements. General procedures to create these items are covered in Help and the User Guide.
- Enable TLS on the SEG server for incoming and outgoing messages, using a valid (CA signed) certificate. TLS is required to communicate with the Trustwave Sandbox service.
- Create a new IP Group called "IP Trustwave Sandbox". Add the Trustwave Sandbox service public IP ranges. These are the valid sources for responses from the Sandbox service.
  - For US instance:
    - Trustwave Sandbox US Range 1: 52.191.90.76/30
    - Trustwave Sandbox US Range 2: 13.91.203.24/30
  - For EU instance:
    - Trustwave Sandbox EU Range 1: 20.31.9.32/31
    - Trustwave Sandbox EU Range 2: 20.105.76.250/31
- Create a new Quarantine folder called "Trustwave Sandbox Errors". This will hold messages that could not be processed by the Sandbox service or that caused any error in sandbox processing.
- (Optional) Create two new Archive folders called "Sent to Trustwave Sandbox" and "Received from Trustwave Sandbox". These will hold copies of the messages sent to and received from the Trustwave Sandbox service. Saving these messages can be useful in case of queries about what was processed.
- Extract the six SEG Category Scripts from TrustwaveSandboxSEGCustomerFiles.zip. Copy the Category Scripts to the Config folder of the SEG Array Manager installation. The categories will be selectable by name when you create SEG rules.
Note: The policy listings below assume that default Spam and Malware folders exist. These folders are created by default in recent installations of SEG. If these folders do not exist, you must create them.
Required Policy
Two new Policy Groups are required. The first group delivers messages to the service for processing. The second group processes messages returned from the Sandbox Service. In addition, TLS rules must be changed in many cases.
Policy Group: To Trustwave Sandbox
Place this policy group after all other Content Analysis policy groups except for Archiving policy. The rule action to copy the message to a folder is optional. The "Prefilter" condition checks for message components that can be processed through the Sandbox.
- This policy group detects incoming messages that have not been sent to the Sandbox service and routes them to the service.
When a message arrives
Where message is incoming
Except where addressed from 'IP Trustwave Sandbox'
Process message using this policy group
Rule: Send to Trustwave Sandbox
- Note: Be sure to specify the correct routing for your configured instance. The copy action is optional.
Where message size is 'less than 10240 KB'
and where message is categorized as 'Sandbox Prefilter'
Copy the message to 'Sent to Trustwave Sandbox' with release action "continue processing"
And set message routing to
- For US instance: smtp.sandboxing.us.twsegcloud.com:25,IPv4
- For EU instance: smtp.sandboxing.eu.mailmarshal.cloud:25,IPv4
And pass the message on and do not process any additional rules
1 Rule(s)
Policy Group: From Trustwave Sandbox
Place this policy group before all other Content Analysis policy groups.
- This policy group detects messages returned from the Sandbox service and quarantines messages that were flagged by the service.
When a message arrives
Where addressed from 'IP Trustwave Sandbox'
Process message using this policy group
Rule: Archive From Trustwave Sandbox (Optional)
Copy the message to 'Received from Trustwave Sandbox' with release action "continue processing"
And pass message to the next rule for processing.
Rule: Trustwave Sandbox Block Malware
Where message is categorized as 'Trustwave Sandbox Malicious Attachment'
Move the message to 'Malware' with release action "continue processing"
Rule: Trustwave Sandbox Block Suspected Malware
Where message is categorized as 'Trustwave Sandbox Suspect Attachment'
Move the message to 'Malware - Suspected' with release action "continue processing"
Rule: Trustwave Sandbox Block Spam
Where message is categorized as 'Trustwave Sandbox Spam'
Move the message to 'Spam - Suspected' with release action "continue processing"
Rule: Trustwave Sandbox Block Suspect URL
Where message is categorized as 'Trustwave Sandbox Suspect URL'
Move the message to 'Suspect URLs' with release action "continue processing"
Rule: Trustwave Sandbox Errors
Where message is categorized as 'Trustwave Sandbox Error'
Move the message to 'Trustwave Sandbox Errors' with release action "continue processing"
6 Rule(s)
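The two policy groups above, together with the IP Group exclusion that both of them and the TLS and SPF/DKIM/DMARC rules later in this document rely on, can be read as a small decision procedure. The following Python model is an added example written for this page; it is not Trustwave code and does not talk to SEG. The Message fields, the function names, and the treatment of the first matching Move rule as the deciding one are assumptions made for illustration; the IP ranges, category names, folder names, size limit and routing strings are the ones listed in the document.

```python
# Added example: a model of the SEG policy described in this document.
# Not Trustwave code; the Message record and function names are assumed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# IP Group "IP Trustwave Sandbox": the public ranges listed in the setup steps.
SANDBOX_IP_GROUP = [
    ip_network("52.191.90.76/30"),    # US range 1
    ip_network("13.91.203.24/30"),    # US range 2
    ip_network("20.31.9.32/31"),      # EU range 1
    ip_network("20.105.76.250/31"),   # EU range 2
]

# Routing set by the "Send to Trustwave Sandbox" rule, per instance.
SANDBOX_ROUTE = {
    "US": "smtp.sandboxing.us.twsegcloud.com:25,IPv4",
    "EU": "smtp.sandboxing.eu.mailmarshal.cloud:25,IPv4",
}

MAX_SIZE_KB = 10240  # "message size is less than 10240 KB"

# "From Trustwave Sandbox" Move rules in the order they are listed: category -> folder.
RETURN_RULES = [
    ("Trustwave Sandbox Malicious Attachment", "Malware"),
    ("Trustwave Sandbox Suspect Attachment", "Malware - Suspected"),
    ("Trustwave Sandbox Spam", "Spam - Suspected"),
    ("Trustwave Sandbox Suspect URL", "Suspect URLs"),
    ("Trustwave Sandbox Error", "Trustwave Sandbox Errors"),
]


@dataclass
class Message:
    """Constructed message record (assumed fields): just the attributes the rules test."""
    source_ip: str          # connecting IP ("addressed from")
    incoming: bool          # "Where message is incoming"
    size_kb: int
    categories: set = field(default_factory=set)  # SEG category names that matched


def from_sandbox(source_ip: str) -> bool:
    """Condition "addressed from 'IP Trustwave Sandbox'": CIDR membership check."""
    addr = ip_address(source_ip)
    return any(addr in net for net in SANDBOX_IP_GROUP)


def to_sandbox_policy(msg: Message, instance: str) -> Optional[str]:
    """Policy group 'To Trustwave Sandbox'. Returns the routing string, or None."""
    # Group conditions: incoming, and NOT already coming back from the service.
    # The exception is what stops a returned message from being sent out again.
    if not msg.incoming or from_sandbox(msg.source_ip):
        return None
    # Rule "Send to Trustwave Sandbox"
    if msg.size_kb < MAX_SIZE_KB and "Sandbox Prefilter" in msg.categories:
        return SANDBOX_ROUTE[instance]
    return None


def from_sandbox_policy(msg: Message) -> Optional[str]:
    """Policy group 'From Trustwave Sandbox'. Returns the quarantine folder, or None."""
    if not from_sandbox(msg.source_ip):
        return None
    # Assumption: the first matching Move rule, in listed order, decides the folder.
    for category, folder in RETURN_RULES:
        if category in msg.categories:
            return folder
    return None


def tls_client_cert_rule(msg: Message, cert_domain_matches: bool) -> Optional[str]:
    """Rule 'Reject Non-domain matching TLS Client Certificates' with the required
    exclusion. Returns the SMTP refusal text, or None to accept."""
    if from_sandbox(msg.source_ip):
        return None  # "Except where addressed from 'IP Trustwave Sandbox'"
    if not cert_domain_matches:
        return "550 TLS client certificate subject does not match sender domain"
    return None


def evaluate(msg: Message, instance: str = "US") -> Tuple[str, Optional[str]]:
    """Apply the groups in the prescribed order: 'From' group before other content
    analysis, 'To' group after it. Returns (action, detail)."""
    folder = from_sandbox_policy(msg)
    if folder:
        return ("quarantine", folder)
    route = to_sandbox_policy(msg, instance)
    if route:
        return ("route", route)
    return ("deliver", None)


if __name__ == "__main__":
    # Constructed sample: an external sender with a prefiltered attachment.
    print(evaluate(Message("203.0.113.5", True, 512, {"Sandbox Prefilter"}), "EU"))
    # Constructed sample: the same message coming back flagged by the service.
    back = Message("52.191.90.77", True, 512,
                   {"Sandbox Prefilter", "Trustwave Sandbox Malicious Attachment"})
    print(evaluate(back))
```

The point worth checking with the model is the loop guard: a message returned from a Sandbox range still carries the 'Sandbox Prefilter' category, and only the "Except where addressed from 'IP Trustwave Sandbox'" condition on the To group keeps it from being routed out a second time. The same predicate is what the TLS client certificate and SPF/DKIM/DMARC exclusions below need.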
TLS Connection Properties Policy
The Sandbox service communicates over TLS. The TLS client certificate presented by the Sandbox server will not match the sending domain of a returned message (the message keeps its original sender address), so you must exclude the Sandbox server from client certificate domain matching rules.
Add the following condition to any TLS Client Certificate domain matching rule:
Except where addressed from 'IP Trustwave Sandbox'
For example, in the default ruleset of recent MailMarshal versions, modify the rule TLS Connection Properties > Reject Non-domain matching TLS Client Certificates.
The rule should appear as follows:
Where the message is addressed to or from any user
Except where addressed from 'IP Trustwave Sandbox'
Where the TLS client certificate was presented with options: 'Domain does not match'
Refuse message and reply with 550 TLS client certificate subject does not match sender domain
The Sandbox service returns messages using the original "From" address, but from the Sandbox service's IP address rather than the original sender's verified IP address. Returned messages also carry additional headers. To avoid false detection of SPF, DKIM, and DMARC policy breaches, you must exclude the Sandbox server from any rules that apply these checks to inbound messages.
For example, in the default ruleset of recent MailMarshal versions, the following rules or policy groups should have the condition Except where addressed from 'IP Trustwave Sandbox'
If you have configured Denial of Service prevention (under Receiver Properties > Attack Prevention):