yurisk.info » Esafe

New spam on the block

Yuri — Tue, 21 Dec 2010 13:20:45 +0000

May be not new , but new to me – spam mails that instead of direct links to their websites list links cached in google. So , you get in the email not http://degayfisk.com/ but http://google.nr/search?q=cache:c2tHRUQ2mx4J:google.co.nz
It is ,by the way, recognized by eSafe 8.5 as a Clean mail, what a shame.

See what your users are doing – awk one-line scripts to parse eSafe logs

Yuri — Tue, 19 Oct 2010 20:49:46 +0000

As most of the posts here this one is also inspired by a client. There was an unassuming shy and not making any troubles eSafe 8.5 appliance XG-200. Then one day Security Admin of the company complained to me about ‘high CPU utilization’ – getting somewhere up to 60% . eSafe looked absolutely fine and doing its work.
Also I noticed it was kinda working hard , nothing special but just general feeling that it handles a lot of load. And boy was I right – it was doing 200 Mb of logs per day . Given the number of stations in LAN and working hours that was huge. I looked with awk at the logs and happily updated the SecAdmin that eSafe is doing its work and blocks all the users trying frantically to visit various porno sites ignoring the “Site is blocked ..”message by the eSafe. “What? my users to pron sites, can’t be, can you show me the logs, who does it ?” . No problem, and so the awk one-liners you see below were written to parse esafe Aladdin logs to get some insight. Also at the end of the post see eSafe log format in case you want to develop your own scripts.
All logs are located at /opt/eSafe/eSafeCR/SessionLog/
One-liner number one – Gather IPs that sent spam , count number of spam messages per IP, sort the list in ascending order .

# awk -F"|" '$4~SMTP && ( $6~/Spam blocked/ || $6~/Mail rejected/ ) { print $11} ' *.log | sort -n | uniq -c | sort -n | tail -10

29 80.179.60.37
32 41.59.0.205
41 74.63.80.6
41 83.16.167.14
48 125.163.188.31
54 125.163.192.184
57 113.168.9.224
78 89.223.56.16
80 212.143.70.26
104 212.143.70.27

One-liner number two – Mail sender fileds of spam messages , just for fun , no real value for security purpose:

# awk -F"|" ' $4~SMTP && ( $6~/Spam blocked/ || $6~/Mail rejected/ ) { print $15} ' *.log | sort | uniq -c | sort -n

8 Stephan@117.40.136.73
10 bsb@bsbinfo.in
13 info@all-free.co.il
13 Janette@2.90.58.204
15 Ronnie@178.34.19.174
17 KellieClements@cramerspointmotel.com
22 notifs@m.snapinteractiveapps.com
60 ezrachmudag26@gmail.com
25 Simone@187.63.223.21
102 Angelo@31.subnet125-163-188.speedy.telkom.net.id

One-liner to see all the blocks/rejects reasons and respective statistics.

# awk -F"|"' {print $6}' *.log | sort -k1,1 | uniq -c

8 Application blocked
21967 File allowed
360 File blocked
114891 File clean
1731 File modified to remove malicious content
3650 Mail clean
111 Mail modified to remove malicious content
13 Mail rejected #912 – Anti-spoofing – Mail rejected. Attempt to impersonate a local user
164 SMTP error
803 Spam blocked

Now let’s move to HTTP browsing.
One-liner number four – blocked access to websites : number of blocked attempts per website, hostname of the website, internal LAN IP of PC that tried to access the resource.
I do not bring examples here as they are quite embarrassing, even to be brought anonymously, so just trust me – run it on your esafe and you will blush.

# awk -F"|" '$4~HTTP && /File blocked/ { print $7,$17} ' *.log | sort -k1,1 | uniq -c | sort -n -k1,1

Same as above but with full path to the prohibited file.

# awk -F"|" '$4~HTTP && /File blocked/ { print $8,$17,$11} ' *.log | sort -k1,1 | uniq -c | sort -n -k1,1

And finally as promised the format of eSafe logs. All the fields in logs are separated by vertical bar (as you probably guessed awk –F”|” accounts for that). All the fields are present, while irrelevant fields are empty. So it is really scripting-friendly. I broke down the fields into separate lines with field number of each field. Enjoy.

# awk -F"|" ' { for (i=1;i<=NF;i++) print i,$i}' header.txt

1 Date (yyyy-mm-dd HH:mm:ss)
2 eSafe name
3 Record ID
4 ProtocolType
5 Method
6 Event
7 URL host
8 File Name\Mail Subject
9 File Type
10 #File Size
11 Source IP
12 Destination IP
13 #VLAN
14 #Port
15 Mail Sender
16 Mail Recipients
17 URL category
18 User
19 LDAP domain
20 Host
21 Decision By
22 Profile
23 Policy
24 #Policy ID
25 Details
26 Extended result
27 SessionID
28 MessageID
29 #Rule
30 #File Binary Family
31 File container path
32 File name
33 #File parameter
34 #Engine code
35 #Activity code
36 Blocked URL category code
37 URL category mask
38 Result name
39 #Result code
40 #Server type ID
41 #Application code
42 #Action
43 #Risky
44 #Source IP
45 #Destination IP
46 #MachineIP
47 #Duration
48 #AID
49 Referrer
50 UUID
51 #Has CMF
52 Date
53 Time
54 #Mail status
55 DLP profile

RBLs – more hassle than benefit

Yuri — Mon, 18 Oct 2010 10:30:12 +0000

as I wrote earlier Google mail servers got blacklisted , but it was only the beginning. Now I got complains from the client that hotmail.com users also get mail bounced because of this list . So, as running after each and every IP blocked by this list endlessly wasn’t the best use of my time, I disabled this specific RBL in eSafe. So far no complains neither about bounced mail nor increased spam. The screenshot below shows where to find this RBL in the eSafe.

Visio stencils for Cisco, Juniper, Fortinet, Checkpoint, Avaya

Yuri — Sat, 26 Jun 2010 12:43:25 +0000

Some links to download Visio stencils of the few most popular vendors.
Juniper
Cisco
Avaya
BlueCoat
Fortinet
Dell
Checkpoint happen not to have official stencils set, only Nokia appliances stuff can be found. So someone volunteered and using icons/press releases/PowerPoint presentations done by the Checkpoint turned it into the Visio stencils:
fireverse.org
If nothing else helps here you can find the rest:
nag.ru/projects/visio

Quick and dirty way to bypass eSafe inspection

Yuri — Wed, 12 May 2010 18:46:26 +0000

There are times when you need to make some website work immediately while it is being blocked by eSafe for some (many) reasons. And you just don’t get it working the educated way – adding to white/exclude lists, changing script/category block options etc.
For the cases just like that Aladdin have provided us with Exclusion List in NitroInspection Configuration . It basically means traffic to/from the IP addresses you put into this list will be COMPLETELY ignored by eSafe scanning engine, and will be moved from interface to interface at the NIC driver speed.
To get there you go to Options->-NitroInspection Configuration->-Exclusion list->Add
In example below I add facebook.com IP range to such exclusion list.

Increase log size in eSafe

Yuri — Mon, 14 Dec 2009 12:26:38 +0000

Session logs in eSafe are essential for debugging . By default ,nevertheless each Session log file is limited to 100 megabytes in size , after reaching this limit eSafe stops writing the Session logs until the next log rotation – that is midnight.

To fix this , edit the file /opt/eSafe/eSafeCR/esafecfg.ini:

[ALERT GENERAL]
Size limit=2
Last overflow=0
Minimum free disk space=2000
Block if internal error=1
File name=^M
Report days=10
Session log days=7 = > Session log days= 365
Report max length=100
Session log max length=100 => Session log max length=500
Log sessions=1
Detailed log sessions=0
Log System Info Interval=10
MMS block if internal error=1
SessionLog To EventLog=0

eSafe has iptables too ….

Yuri — Tue, 08 Sep 2009 17:58:05 +0000

Did you know that eSafe software is based on RedHat Enterprise Linux (RHEL) ? Of course you did.
But what does it mean? It means that all (or almost all) tools/utilities/programming logic of the Linux is at your fingertips.
Let’s take for example software eSafe runs on the boot

[root@esafe root]# chkconfig –list
rdisc                          0:off   1:off   2:off   3:off   4:off   5:off   6:off
anacron                   0:off   1:off   2:off   3:off   4:off   5:off   6:off
kudzu                    0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog                       0:off   1:off   2:on    3:on    4:on    5:on    6:off
network                 0:off   1:off   2:on    3:on    4:on    5:on    6:off
random                  0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd               0:off   1:off   2:off   3:off   4:off   5:off   6:off
microcode_ctl    0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance            0:off   1:off   2:off   3:on    4:on    5:on    6:off
smartd                     0:off   1:off   2:off   3:off   4:off   5:off   6:off
atd                             0:off   1:off   2:off   3:on    4:on    5:on    6:off
log2trap                   0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd                          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond                       0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd                       0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables                   0:off   1:off   2:on    3:on    4:on    5:on    6:off
webmin                   0:off   1:off   2:on    3:on    4:off   5:on    6:off
esafe                       0:off   1:off   2:off   3:on    4:on    5:on    6:off

Today I played with just one of them – iptables. First things first – eSafe is not a firewall . You don’t usually give
bunch of papers (called money) to use eSafe for the function that any Pentium 4 PC can do for the fraction of the price. So, it
is not supported and not to be used as the mainstream feature. Nevertheless it is here and may come handy in some situations.

In the output of chkconfig –list chckconfig showed that whenever eSafe is on, iptables is on as well. The default iptables policy is ALLOW ANY ANY :
[root@esafe root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Few observations:
- To block incoming connections destined for the eSafe itself you use INPUT chain, FORWARD chain has no meaning in bridged eSafe Gateway (in routing Gateway mode it would be applicable I guess)
- I tried few basic rules on the eSafe Hellgate 200 while turning on High-Debug mode , and while machine was loaded by debug
mode , using iptables filtering did not add visible overhead to it.
In most of the deployment scenarios eSafe is installed between internal interface of the firewall and LAN. It means from outside it is protected quite well whereas from LAN it is wide open to any trouble coming in. eSafe has its own means of limiting access to it from certain IPs.
To limit access to eConsole – you go in eConsole to Options -> Access and Permissions -> configure user (by default admin will be there) and IP from which this user will be granted access.
To limit access to WebGUI (HTTPS) : in the WebGUI go to Settings -> Access Control -> put IP to allow it access in “eSafe Appliance accepts connections from:”
To limit access by SSH use Linux means (there are few ways but I show just one of them) :
vi /etc/ssh/sshd_config
# add at the end the following line to limit ssh access to 10.99.99.150 only:
AllowUsers *@10.99.99.150
Or, using wildcards to the whole network only:
AllowUsers *@10.*.*.*

All the above is correct and fine BUT – what if you need to temporarily limit access and not permanently ? All the above are permanent changes that will survive reboot and if you make a mistake you grant someone a visit to the appliance for console connection. On the other hand you may use iptables to achieve the same access control and should something go wrong reboot will return all back to normal.

So, let’s go:

- I don’t like when debugging some complicated issue after logging off from eConsole I can’t access it again as someone from LAN already logged in :
1) Grant your IP the access to econsole:
[root@esafe root]# iptables -I INPUT -p tcp -s 10.99.99.150 --dport 43969:43982 -j ACCEPT
2) Deny anyone else
[root@esafe root]# iptables -I INPUT 2 -p tcp --dport 43969:43982 -j DROP
- SSH in general isn’t something a client should have access to :
1) First allow youself access:
[root@esafe root]# iptables -I INPUT -p tcp --dport 22 -s 10.99.99.150 -j ACCEPT
2) Then deny anyone else:
[root@esafe root]# iptables -I INPUT 2 -p tcp --dport 22 -j DROP

3) Restart ssh daemon (it won’t disconnect your current session):

[root@esafe root]# service sshd restart

[root@esafe root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp – 10.99.99.150         anywhere           tcp dpt:ssh
DROP       tcp – anywhere             anywhere           tcp dpt:ssh

Those addicted to iptables know that some spicy features come with modules and kernel options set at compile time.
To give you the taste of what is included in eSafe iptables, the listing follows:

/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arp_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arpt_mangle.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arptable_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_amanda.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_irc.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_tftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_amanda.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_ftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_irc.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_snmp_basic.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_tftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_queue.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipchains.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipfwadm.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_DSCP.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ECN.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_LOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MARK.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MIRROR.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_REDIRECT.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_REJECT.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_TCPMSS.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_TOS.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ULOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ah.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_conntrack.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_dscp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ecn.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_esp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_helper.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_length.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_limit.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_mac.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_mark.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_multiport.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_owner.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_pkttype.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_recent.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_state.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_tcpmss.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_tos.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ttl.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_unclean.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_mangle.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_nat.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ah6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/esp6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ip6_tunnel.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ipcomp6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ipv6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_LOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_MARK.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_ah.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_dst.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_esp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_eui64.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_frag.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_hbh.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_hl.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_ipv6header.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_length.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_limit.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_mac.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_mark.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_multiport.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_owner.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_rt.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6table_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6table_mangle.o

Website/malware categorization in eSafe

Yuri — Fri, 12 Jun 2009 08:41:02 +0000

If some website gets blocked by eSafe for being categorized wrongly you
may fix it actually very simple. You enter the link below and change the website category; this takes some time , usually from few hours up to a day,for the change to take effect. If website has no category already then update takes effect fast.

filterdb.iss.net/urlcheck/

To see what each category includes:
www-935.ibm.com/services/us/index.wss/detail/iss/a1029077?cntxt=a1027244

When you want to report an item that was falsely detected as virus/malware by
eSafe you should send your request to :

eSafe Certified Professional

Yuri — Sat, 07 Mar 2009 15:30:52 +0000

Recently I’ve taken the 2-day course and then successfully passed eSCP certification and here are some impressions about that. First, for serial certification obtainers,for the main question – what is the gain here? – I will frankly say – I don’t know. This cert isn’t found under ‘most wanted/hot/industry leading’ headings anywhere, so whether it’s gonna get you an advantage in promotion/job search/etc remains an open question.
The course was fully funded by my work and I took part in it for the benfit of the knowledge I would gain there only. And to take test is possible only after you passed the course. So , let’s head over to the course.
The course was administered at 3rd-part learning center but by folks from Aladdin itself ONLY – one of the strong points of the course. As I understood even if the course would be given in the heart of Amazonia,Brazil it still would be presented by Aladdin folks, no ‘certified instructors’ are employed.
There were 2 instructors , one doing talking and helping in labs , and the other helping in labs . While first instructor is from Presale team, she could answer any technical questions I had (“- Can you remind me name of the file to add Ip address to the interface so it survives reboot, unlike ifconfig ?”).

The overall course consisted of approximately 20% presentations/talks and 80% hands-on labs. The contents can be seen here, only that we dealt with version 7 only, not 6.2 as in pdf:
ftp://ftp.aladdin.com/pub/marketing/eSafe/Agenda/Expert_Agenda.pdf .
Every pair of students was given Hellgate appliance to play with. And we used it to the full – our team even succeeded to push beyond the limit,crash and do RMA on our HellGate – fastest RMA ever seen – took 5 mins to bring new Hellgate.

Everyone was given a book-sized course material including presentations we heard and labs. The flow was – presentation then lab. Started with reimaging eSafe from usb, then all config labs as per pdf above. The LDAP lab took much more then was allocated for it as many (including me) are not good fiends with all the AD/LDAP/OU/CN/DN stuff ,eventhough the AD server was preconfigured and we had to just(?) connect eSafe to it.
Due to time shortage we haven’t done Web SSL/Reporter/Proxy (not a big deal for me as I am yet to see any of them in the wild) labs.
All setup had access to the Internet , so URL-filtering we could test real-time.

To conclude – I enjoyed the course, learned lots of new things (my job involves supporting already installed and working eSafe, so I don’t do installing/configuring from scratch the appliance, something our integration department always do) and therefore it was worthwhile.
Upon completion we were given link to password-protected CBT, possibility to open personal account with portal.aladdin.com , link to download eSafe 7.1 ISO disk (every eSafe has built-in evaluation license for 30 days), nice bag, and user/pass and link to the website to take exam.

Now to exam – it is a web based test, with 50 questions and 90 minutes to do it.
The test is pretty easy given you took active part in the course before as it recaptures the same topics. So I did it in about 30 mins, got the web page “Congradulations you passed” and a week later received by a courier framed certificate that I am now eSafe Certified Professional.

eSafe download – demo, docs

Yuri — Wed, 28 Jan 2009 18:48:10 +0000

Today newcomer to our department asked me how he should start learning eSafe – should he install Mail or Gateway on VMware ? Erm … May be docs and manuals (as I did) ? No ,old-fashioned, in our age of
CBTs/virtualization/Camtasia-everywhere buzzwords it needs to be with GUI and interactive, so …
The best way to start learning a product is first to see it – for this Aladdin made a demo econsole.
After you run it it presents you with dosen of eSafe ”machines” to any of which you can login by double clicking and feel like you are configuring a real eSafe machine – all GUI and options are exact copy of real
product. You can get it here after filling form with (ir)relevant details.
Demo econsole

Here is the link for econsole download eSafe 7.1, be aware that is quite important that you use econsole verison matching exactly the
eSafe software version you are trying to connect to. I once had client that installed eSafe 7.0 (some beta release) and downloaded locally econsole from the machine, all worked fine.Then he upgraded eSafe software to 7.1 but did NOT reinstall new econsole , as the result
he couldn’t find bunch of options in the econsole. In worst scenario using non-matching version of econsole to make configuration changes might cause substantial damage to the eSafe software, up to complete reinstall/reimage.
eSafe econsole 7.1
Docs Also freely available at :
eSafe Documenation
Knowledgebase – if you work for Aladdin partner you will have access to
complete knowledgebase , while anyone else can see a smaller part of it (that will suffice for few long
weeks of studying nevertheless ).
kb.aladdin.com