This article applies to:

• Trustwave MailMarshal (SEG)

Question:

• How do I check that web updates are working?
• Is SpamCensor up to date?
• Is SpamProfiler up to date?
• Is the Blended Threats Module (BTM) up to date?
• Are virus signatures up to date?
• Is my IP Reputation Service license up to date?
• What websites must be allowed through a firewall for updates to work?

Information:

To check that the MailMarshal (SEG) product automatic updates are working, see the relevant sections below.
Note that the URLs may map to dynamic IP addresses. It is not possible to give a definitive list of IP addresses.

• For troubleshooting notes see the end of this article

All update functions and TLS - Certificate issues

• Sample error:
  SSL certificate problem, verify that the CA cert is OK.
  Details: error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
• For a resolution, see Trustwave Knowledge Base article Q13703.
• Note also that you must allow HTTP access to Certificate Revocation List servers so that SSL certificates can be validated. For TLS, this requires access via HTTP (port 80) from processing nodes to all certificate authority sites.

Spam Censor

[Updated by the MailMarshal Array Manager service]

The Spam Censor Updates run under the Array Manager Service on the Array Manager server, and they require HTTP and HTTPS access.  To set a proxy and proxy logon information if required, you can use the Configurator (MailMarshal Properties > Internet Access).

Required URLs are:

• HTTP:://www.marshal.com
• HTTPS://www.marshal.com
• HTTPS://cdn-updates.marshal.com
  • This URL is hosted on Microsoft Azure CDN. IP addresses may change. IP addresses can be retrieved using the "Front Door" tag in Microsoft Azure IP Ranges and Service Tags.

If updates are not succeeding, particularly with a proxy, you may need to run the Array Manager service using a Windows account with administrative privilege and proxy permissions.  

To check that updates are successful, see the Configurator (MailMarshal Properties > Automatic Updates).   You can check that the SpamCensor updates are current by clicking Check for Updates Now.

See also:

• Q11718, Why do SpamCensor updates fail?
• Q11998, 403 Access Forbidden: Product Key or Maintenance is not current.
• Q14242, 410 Updates are no longer provided for this product version.
  • Updates are no longer provided for most releases below 8.0.

SpamProfiler

This information applies to all supported MailMarshal versions.

[Updated by MailMarshal SpamProfiler Process]

The Array Manager checks daily to verify licensing of this service. The required URL is https://mailmarshal.licensing.marshal.com/

• You can check licensing activity by searching the MMArrayManager log (located in the \Logging folder of the installation).

SpamProfiler updates are retrieved by services running on the MailMarshal processing servers (in an array, each server updates separately). To set a proxy and proxy logon information if required, you can use the Configurator (MailMarshal Properties > Internet Access) to set "default access for nodes". You can also set different proxy details for each node.

Required URLs are: 

• HTTP://sigupdates.marshal.com
• HTTPS://sigupdates.marshal.com
• HTTP://pki.cloudmark.com/
• HTTPS://pki.cloudmark.com/
• HTTP://lvc.cloudmark.com/
• HTTPS://lvc.cloudmark.com/
• HTTP://tracks.cloudmark.com/
• HTTPS://tracks.cloudmark.com/
• HTTPS access to the following network range: 208.83.136.0/22

NOTE: As of February 2024, HTTPS is the default protocol. If you use a proxy server that inspects HTTPS content (such as WebMarshal), you should bypass the proxy for all the above URLs. SpamProfiler licensing and updates will fail if proxy SSL certificates are used.

You can check that SpamProfiler is updating by viewing the MMReceiver or MMSpamProfiler log (located in the \logging folder of the installation).

You should see an entry like the following when you first enable spam profiler:

[MICROUPDATE] Successful auto configuration download from network (new serial xx.xx).

and subsequent updates like:

[MICROUPDATE] Successful signatures incremental download from network (new serial xxxxxxx.xxxxxxx)

URL Categorizer Service 

[Check performed by the MailMarshal Engine service]

The URL Categorizer check requests are performed in real time by the Engine service on each SEG processing server. To set a proxy and proxy logon information if required, you can use the Configurator (Trustwave SEG Properties > Internet Access) to set "default access for nodes". You can also set different proxy details for each node.

The default required URLs are: 

• HTTP://tw-seg-urlcategorizer.cloudapp.net (Located in Americas region)
  • also known as urlcategorizer.seg.trustwave.com
• HTTP://tw-seg-urlcategorizer-au.cloudapp.net/ (Located in APAC region)

Note that the SEG installation will select an instance based on geography and latency. All installations should have access to both instances.

You can choose to use HTTPS for these requests. See article Q20362.

Blended Threat Service 

[Licensing update by Array Manager service]

The Array Manager checks daily to verify licensing of this service.

The required URL is https://mailmarshal.licensing.marshal.com

• Note: ALL installations of MailMarshal/SEG 7.1 and above perform this check. It is not limited to installations licensed for the Blended Threats service. Installations without the service still must check in order to determine whether a license has been added.
• You can check licensing activity by searching the MMArrayManager log (located in the \logging folder of the installation).
• In version 7.1, search for the string BTM Provisioning
• In version 7.2 and above, search for the string Licensing

Testing and validation of URLs is performed in real time when the user clicks the URL.

• URLs are checked through web request to the site scanmail.trustwave.com (from the user's browser)
• Click statistics are retrieved through web request to the site stats.scanmail.trustwave.com (from the Array Manager)

Licensing/Maintenance display 
Marshal IP Reputation Service provisioning 

[Licensing update by Array Manager service]

The Array Manager checks daily to verify maintenance entitlement for the product, and checks as required for Marshal IP Reputation Service information.

The required URL is https://mailmarshal.licensing.marshal.com

• You can check activity by searching the MMArrayManager log (located in the \Logging folder of the installation).
• Search for the string Licensing or RBL Provisioning

Bitdefender for Marshal
McAfee For Marshal
Sophos For Marshal

[Updated by Marshal Bitdefender Updater, Marshal Sophos Updater, or Marshal McAfee Updater services]

These plug-ins update on each processing server. To set a proxy or local update location, use the configuration console for each application. You can check that updates are successful using the configuration console. Update information is also logged to text log files.

• Note that the required URLs differ depending on the version installed

For details see the following articles:

• Bitdefender for Marshal: Q20561
• McAfee for Marshal: Q11360
• Sophos for Marshal: Q11906

Troubleshooting notes:

If SpamProfiler or Blended Threats (7.1 and above) is not updating as expected:

• Verify the internet access settings in TWO locations, even for a single server installation:
  • MailMarshal Properties > Internet Access
  • Server and Array Configuration > Server Properties for the individual server > Internet access (Customize...)
• The customized node setting overrides the main setting, even if you have only one server.

This access setting is also used for retrieval of Certificate Revocation Lists for TLS functionality (version 7.1 and above)