Example 3: FortiMail unit for an ISP or carrier
Transparent mode deployment
FortiMail™ Secure Messaging Platform Version 4.0 Patch 1 Install Guide, Revision 2, page 132
When a device joins the network of its service provider, such as a cellular phone carrier or
DSL provider, it may use a protocol such as PPPoE or PPPoA that supports
authentication. The network access server (NAS) queries the Remote Authentication Dial-In
User Service (RADIUS) server for authentication and access authorization. If successful, the
RADIUS server then creates a record that associates the device’s MSISDN, subscriber
ID, or other identifier with its current IP address.
The RADIUS server, now acting as a RADIUS client, sends an accounting request containing
the mapping to the FortiMail unit. (The FortiMail unit acts as an auxiliary accounting server if
the MSISDN reputation daemon is enabled.) The FortiMail unit then stores the mappings
and uses them for the MSISDN reputation feature.
When the device leaves the network or changes its IP address, the RADIUS server, acting
as a client, requests that the FortiMail unit stop accounting (that is, remove its local record
of the IP-to-MSISDN/subscriber ID mapping). The FortiMail unit keeps the reputation
score associated with the MSISDN or subscriber ID, and re-maps it to the new
IP address the next time the mobile device joins the network.
The MSISDN reputation feature can be used with traditional email, but it can also be used
with MMS text messages.
The multimedia messaging service (MMS) protocol transmits graphics, animations, audio,
and video between mobile phones. There are eight interfaces defined for the MMS
standard, referred to as MM1 through MM8. MM3 uses SMTP to transmit text messages
to and from mobile phones. Because it can be used to transmit content, spammers can
also use MMS to send spam.
You can blacklist MSISDNs or subscriber IDs to reduce MMS and email spam.
In addition to manually blacklisting or exempting MSISDNs and subscriber IDs, you can
configure automatic blacklisting based upon MSISDN reputation score. If a carrier end
point sends email or text messages that the FortiMail unit detects as spam, the MSISDN
reputation score increases. You can configure session profiles to log or block, for a period
of time, email and text messages from carrier end points whose MSISDN reputation score
exceeds the threshold during the automatic blacklisting window.
FortiAnalyzer units that receive logs from FortiMail units can also produce extensive spam
and virus reports for each subscriber’s end point identifier.
To configure your RADIUS server
1. On your RADIUS server, configure the FortiMail unit as an auxiliary RADIUS server, to
which it will send copies when its accounting records change.
2. Specify that it should send the Calling-Station-Id and Framed-IP-Address
attributes to the FortiMail unit.
The data type of the value of Calling-Station-Id may vary. For 3G subscribers,
the RADIUS server typically uses Calling-Station-Id to contain an MSISDN. For
ADSL subscribers, the RADIUS server typically uses Calling-Station-Id to contain a
login ID, such as an email address.
3. Determine whether your RADIUS server sends the Framed-IP-Address attribute’s
value in network order (e.g. 192.168.1.10) or host order (e.g. 10.1.168.192).
4. Verify that routing and firewall policies permit RADIUS accounting records to reach the
FortiMail unit.
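The following is an added example, not Fortinet code, that models how a FortiMail-style MSISDN reputation daemon consumes the accounting records described above: Start records create the IP-to-identifier mapping, Stop records remove it while the reputation score survives, and the host_order flag handles a RADIUS server that sends Framed-IP-Address with reversed octets (step 3). The class name, the dict-shaped records and the sample MSISDN are assumptions constructed for the example.

```python
from typing import Dict, Optional
import ipaddress


class MsisdnReputationStore:
    """Holds the IP -> MSISDN/subscriber ID mappings learned from RADIUS
    accounting and the per-identifier reputation scores that outlive them."""

    def __init__(self, host_order: bool = False) -> None:
        # host_order=True models a RADIUS server that sends Framed-IP-Address
        # with its octets reversed (10.1.168.192 for 192.168.1.10), see step 3.
        self.host_order = host_order
        self.ip_to_id: Dict[str, str] = {}   # current IP -> MSISDN / login ID
        self.scores: Dict[str, int] = {}     # identifier -> reputation score

    def normalize_ip(self, framed_ip: str) -> str:
        octets = framed_ip.split(".")
        if self.host_order:
            octets = octets[::-1]
        # IPv4Address() also rejects malformed values instead of storing them
        return str(ipaddress.IPv4Address(".".join(octets)))

    def accounting(self, record: Dict[str, str]) -> None:
        """record: constructed dict of RADIUS attribute name -> value."""
        ident = record["Calling-Station-Id"]          # MSISDN or login ID
        ip = self.normalize_ip(record["Framed-IP-Address"])
        if record["Acct-Status-Type"] == "Start":
            self.ip_to_id[ip] = ident
            self.scores.setdefault(ident, 0)          # keep an existing score
        elif record["Acct-Status-Type"] == "Stop":
            self.ip_to_id.pop(ip, None)               # drop mapping, keep score

    def spam_detected(self, ip: str) -> Optional[str]:
        """Raise the reputation score of whoever currently holds this IP."""
        ident = self.ip_to_id.get(ip)
        if ident is not None:
            self.scores[ident] += 1
        return ident

    def is_blocked(self, ip: str, threshold: int) -> bool:
        """Session-profile style check: block once the score exceeds threshold."""
        ident = self.ip_to_id.get(ip)
        return ident is not None and self.scores[ident] > threshold
```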