Directory integration considerations when updating Symantec Messaging Gateway
Updated On: 07-05-2012 09:18
When you update Symantec Messaging Gateway and use the LDAP directory integration features, consider how the update may affect directory integration.
Issues to consider before update
For some installations, you may need to add access to LDAP ports for 9.0.x. The Control Center and Scanners that use any LDAP features must be able to connect directly to the LDAP servers. LDAP features include authentication, routing, recipient validation, and address resolution (previously known as synchronization).
Your Control Center and Scanners may already meet this requirement. This access change is a new requirement if your environment matches both of the following criteria:
You have a distributed deployment with at least one separate Scanner.
The deployment uses one or more LDAP sources with the Synchronization usage enabled.
If your environment matches these criteria, use the ldapsearch command to check connectivity on each host before you update to version 9.0.x.
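One way to script this connectivity check, as an added example that is not part of the original Symantec article. It assumes the OpenLDAP ldapsearch client syntax, and the server URIs are placeholders for your own directory servers.

```shell
#!/bin/sh
# Added example: pre-update LDAP reachability check. Run it on the Control
# Center and on every Scanner. Assumes OpenLDAP's ldapsearch client.
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}   # path or name of the client to run
NET_TIMEOUT=${NET_TIMEOUT:-5}          # seconds allowed for connect and search

# probe URI
# Anonymous base-scope read of the root DSE. Prints one word:
#   OK           the server answered the query
#   UNREACHABLE  no LDAP session could be established (blocked port, wrong
#                host, or for ldaps:// a TLS failure); OpenLDAP tools report
#                this client-side error -1 as exit status 255
#   CHECK:<rc>   some other error code came back; inspect it manually
probe() {
    rc=0
    "$LDAPSEARCH" -x -LLL -H "$1" -o nettimeout="$NET_TIMEOUT" \
        -l "$NET_TIMEOUT" -b "" -s base "(objectClass=*)" namingContexts \
        >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)   echo "OK" ;;
        255) echo "UNREACHABLE" ;;
        *)   echo "CHECK:$rc" ;;
    esac
}

# check_all URI...
# Prints one result line per server, tagged with this host's name so the
# output from several Scanners can be collected in one place.
# Returns the number of servers that did not report OK.
check_all() {
    not_ok=0
    for uri in "$@"; do
        result=$(probe "$uri")
        echo "$(uname -n) -> $uri : $result"
        [ "$result" = "OK" ] || not_ok=$((not_ok + 1))
    done
    return "$not_ok"
}

# Usage (placeholder URIs):
#   sh check_ldap.sh ldap://ldap1.example.com:389 ldaps://ldap1.example.com:636
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

A CHECK result with a small code usually means the port is open and the server replied but refused the anonymous query, so repeat that probe by hand with the bind credentials configured for the LDAP source.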
For information about how to use ldapsearch, on the Internet go to the following URL:
In versions 9.0.x, any recipient address that includes a domain alias is considered valid if both of the following conditions are true. In that case, no call is made to the LDAP server to determine whether the recipient is valid.
You have one or more domains configured as an alias in Protocols > SMTP > Aliases.
You have Protocols > SMTP > Invalid Recipients set to either Drop or Reject.
Directory integration considerations
The new directory data service caches the query results to reduce the load that is placed on the directory servers and to improve Scanner performance. The cache builds over time. After you update from version 8.0.3 to version 10.0, there may be an initial slowdown of mail throughput under a heavy load. The slowdown can occur in the first few minutes as the cache builds.
The LDAP query filter formats in 9.0.x have been standardized to use the %s, %u, and %d tokens. These tokens were previously used only for the recipient validation and routing query filters. If authentication, synchronization, or both are enabled in 8.0.3, the query filters are modified to use the standard tokens after you update to version 10.0. If you previously modified any of the default query filters, confirm the functionality of the authentication and address resolution functions in 10.0 using the new Test Query option in the Control Center.
In Symantec Brightmail Gateway 8.0.3 and earlier releases, only LDAP groups were displayed on the Administration > Users > Policy Groups page. In 9.0.x, both LDAP groups and distribution lists appear for a newly added LDAP source. You can view both groups and distribution lists after you update your deployment.
The LDAP recipient validation function is now used to check incoming messages for both Reject invalid recipients and Drop invalid recipients. If you have an 8.0.3 deployment and use LDAP synchronization with Protocols > SMTP > Invalid Recipients set to Drop invalid recipients, the LDAP source is migrated to a source with both recipient validation and address resolution functions enabled after you update to 9.0.x. Additionally, if you have any enabled recipient validation sources in your 8.0.3 deployment, they are used for Drop invalid recipients upon update to 9.0.x.
If you use one or more Domino LDAP Sync sources with one or more alias domain values, add those values as Symantec Messaging Gateway domain aliases before you update to version 9.0.x. Once you have updated, you can optionally modify the resulting directory data service recipient validation and address resolution query filters to include (mail=%[email protected]<domain>) and (uid=%[email protected]<domain>) clauses as necessary if you do not want to use domain aliases on the Symantec Messaging Gateway host.
User preferences considerations
The following are considerations you should know before you update:
Versions of Brightmail Gateway before 9.0 used the LDAP synchronization schedule time to replicate user preferences to the Scanners. In 9.0.x, LDAP synchronization has been deprecated and user preferences replication happens on the default schedule of once per day at midnight. You can change the schedule or replicate user preferences manually on the Users tab of the Administration > Settings > Control Center page.
If the following conditions occur, it is recommended that you upgrade the Control Center first. If you do not, end user preferences are not in effect until you update the Control Center and perform a replication:
You have a distributed deployment
End user preferences are enabled
To reenable end user preferences, update the Control Center and ensure that user preferences are replicated.
User preferences are not replicated to remote Scanners during the migration process. To ensure that user preferences are applied, you must replicate them manually after you update the Control Center and all Scanners. Otherwise, user preferences are replicated at the default time of midnight. Navigate to the Users tab of the Administration > Settings > Control Center page and click Replicate Now once all systems are upgraded.
The user preference replication alert is enabled by default after you update to version 9.0.x. Symantec Brightmail Gateway sends an alert to administrators configured to receive alerts when user preferences replication finds an error. You can disable this alert on the DDS tab on the Administration > Settings > Alerts page.