Proofpoint Enterprise Archive Product...

Proofpoint Enterprise Archive

Product Overview

August 2014

Proofpoint Enterprise Archive

Copyright and Trademark Notices

Proofpoint Archive is proprietary software licensed to you for your internal use by Proofpoint Inc. This software is Copyright © 2002 - 2014 Proofpoint, Inc. The copying, modification or distribution of Proofpoint Archive is subject to the terms of the Proofpoint Software License, and any attempt to use this software except under the terms of that license is expressly prohibited by U.S. copyright law, the equivalent laws of other countries, and by international treaty. From time to time, certain archived email data may additionally be used by Proofpoint to validate service updates, upgrades and fixes within the production environment. Data remains encrypted at all times.

Proofpoint and Proofpoint Archive are trademarks of Proofpoint Inc.

McAfee is a registered trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. Virus Scanning capabilities may be provided by McAfee, Inc.

Copyright © 2011 McAfee, Inc. All Rights Reserved.

F-Secure Anti-Virus Copyright © 1993-2011, F-Secure Corp.

VMware, the VMware “boxes” logo, GSX Server, ESX Server, Virtual SMP, VMotion and VMware ACE are trademarks (the “Marks”) of VMware, Inc.

Voltage and Secure Messaging are registered trademarks of Voltage Security, Inc. Copyright © 2003-2011 Voltage Security, Inc. All Rights Reserved.

Apache 2.2 licensing information is available at http://www.apache.org/licenses.

Perl (Practical Extraction and Report Language) is copyrighted by Larry Wall.

It is free software and it is redistributed by Proofpoint under the terms of the “Artistic License” that comes with the Perl Kit, Version 5.0. Source is available at http://www.perl.com.

Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England.

Source is available at ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/.

Some database support in this solution is provided by MySQL.

Copyright © 1997, 2011, Oracle and/or its affiliates. All rights reserved.

Copyright 1986 - 1993, 1998, 2004 Thomas Williams, Colin Kelley

Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.

Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you

1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries,

2. add special version identification to distinguish your version in addition to the base release version number,

3. provide your name and address as the primary contact for the support of your modified version, and

4. retain our contact information in regard to use of the base software.

Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted with same provisions 2 through 4 for binary distributions.

This software is provided "as is" without express or implied warranty to the extent permitted by applicable law.

THIS SOFTWARE IS PROVIDED BY THE DEVELOPER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE DEVELOPER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software are Copyright © 1996-2002 The FreeType Project (www.freetype.org). All rights reserved.

Additional graphical support is provided by libgd:

Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health.

Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc.

Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner.

Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs.

Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]).

Portions relating to gdft.c copyright 2001, 2002 John Ellson

Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002,

Doug Becker and copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.

Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande.

Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation.

This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. “Derived works” includes all programs that utilize the library. Credit must be given in user-accessible documentation.

This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.

Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

zlib.h – interface of the “zlib” general purpose compression library version 1.2.2, October 3rd, 2004

Copyright (C) 1995-2004 Jean-loup Gailly and Mark Adler

This software is provided “as-is”, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly [email protected]

Mark Adler [email protected]

Unifont copyright Paul Hardy of Unifoundry.com ([email protected]) released under the terms of the GNU General Public License (GNU GPL) version 2.0.

Tomcat, Log4j, Apache CXF – Apache Copyright © 1999-2011 Apache Software Foundation

Java JRE, JavaMail, Sun JavaServerFaces – Copyright © 1997, 2011, Oracle and/or its affiliates. All rights reserved.

JBoss RichFaces – Copyright Red Hat ®. Red Hat is a registered trademark of Red Hat, Inc.

Proofpoint gratefully acknowledges contributions of the open source community to Proofpoint Archive. References to open source software used with Proofpoint Archive is collected into a single repository which can be found in the installed Proofpoint Archive package in src/opensource/OPENSOURCE. That repository, consisting of the contributions from open source projects – but not including the proprietary Proofpoint Archive software referred to above – is a collective work that is © Copyright 2002 - 2011 Proofpoint Inc. You will find in this repository copies of the source code, or references of where to find, every open source program not referenced in this copyright notice, that was used in Proofpoint Archive.

Copyright (c) 2005, Google Inc.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1996 - 2010, Daniel Stenberg, <[email protected]>.

All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

Proofpoint uses the following components which are licensed under the Apache License Version 2.0:

Glassfish Jasper API - Copyright 2009-2011. All rights reserved.

SLF4j - Copyright (c) 2004-2008 QOS.ch. All rights reserved. (Under the MIT license.)

Copyright © 2002 - 2014 Proofpoint, Inc. Proofpoint, Inc. All rights reserved.

PROOFPOINT is a trademark of Proofpoint, Inc. All other product names and brands are the property of their respective owners.

Copyright © 2002 - 2014 Proofpoint, Inc. i

Preface .................................................................................................................................... 1

About this Guide ............................................................................................................... 1

Intended Audience and Prerequisite Knowledge .............................................................. 1

Other Sources of Information ............................................................................................ 1

Contacting Proofpoint Technical Support ......................................................................... 1

Introduction to Proofpoint Archive ...................................................................................... 2

Proofpoint Archive: Part of the Proofpoint Family ............................................................. 2

Proofpoint Archive Overview ............................................................................................ 2

A Hybrid Approach to SaaS Archiving .............................................................................. 3

About Content Collection .................................................................................................. 4

About Content Collection for PSTs ................................................................................... 4

About Discovery Segmentation ........................................................................................ 4

System Requirements ....................................................................................................... 5

How Proofpoint Archive Works ............................................................................................ 6

Proofpoint Enterprise Archive Uses Journaling Mailboxes ............................................... 6

How Journaling Mailboxes Are Populated ........................................................................ 7

Consequences of Using Different Methods for Populating Journaling Mailboxes ............ 7

How Methods of Populating Journaling Mailboxes Work Together .................................. 8

How Archived Messages are Attributed to Active Directory Users ................................... 8

How Users Interact with Archived Messages ................................................................... 8

How Archived Message Language Support Works .......................................................... 9

Network Communication and Security .............................................................................. 10

About DoubleBlind™ Key Architecture ........................................................................... 10

Appliance Connectivity .................................................................................................... 11

Connecting Through a Proxy Server .............................................................................. 11

Planning For Proofpoint Archive ........................................................................................ 12

Understanding Appliance Purposes ............................................................................... 12

Basic Product Architecture (Single Appliance) ............................................................... 13

Using Multiple Appliances ............................................................................................... 14

Supporting External Access to Proofpoint Archive ......................................................... 16

Troubleshooting Proofpoint Archive ................................................................................. 19

Using the Audit Trail to View Login Activity .................................................................... 19

Solving Common Problems ............................................................................................ 19

Troubleshooting User Directory Issues ........................................................................... 20

Generate CSV of Problem Areas .................................................................................... 22

Glossary ................................................................................................................................ 23

Index ...................................................................................................................................... 25

Copyright © 2002 - 2014 Proofpoint, Inc. 1

Preface

About this Guide

This guide introduces Proofpoint Archive, provides useful background information about it, and explains how to set it up.

Intended Audience and Prerequisite Knowledge

This guide is intended for use by IT personnel who manage the Exchange Server environment and are responsible for setting up and maintaining Proofpoint Archive.

Other Sources of Information

This guide covers procedural information for Proofpoint Archive setup and configuration. For other information, see:

Online Help: Click the "help" button to display online help for the product.

Policy Creation and Management: Explains how to set up your organization’s electronic messaging policy. Intended for users responsible for policy management, such as compliance and records management staff.

Legal Discovery and Supervision: Explains how to search the archive using advanced search features available only through the web interface. Also explains how to carry out discovery and supervision activities. Your user permissions may give you limited access to these functions.

Finding Your Own Messages: Explains basic search processes available from Microsoft Outlook or OWA. Intended for users who will search the archive for messages from their own mailboxes.

Reports: Explains available reports and how to generate them.

Contacting Support

If you need help resolving an issue, please contact your local help desk.


Introduction to Proofpoint Archive

This chapter provides background information about Proofpoint Archive. It includes the following topics:

Proofpoint Archive: Part of the Proofpoint Family 2

Proofpoint Archive Overview 2

A Hybrid Approach to SaaS Archiving 3

About Content Collection 4

About Content Collection for PSTs 4

About Discovery Segmentation 4

System Requirements 5

Proofpoint Archive: Part of the Proofpoint Family

Proofpoint offers a comprehensive solution for data protection and governance through an integrated, security-as-a-service platform. Complementing the Proofpoint data protection and security solutions, Proofpoint Archive allows your organization to archive and discover communication across all major communication channels including on-premise and cloud-based email, instant messaging, social media and other web-based applications.

Proofpoint Archive Overview

Proofpoint Archive provides a complete message archiving solution that can protect your organization from legal liabilities and regulatory risks while improving email storage management and end-user productivity. Its easy-to-implement, easy-to-use web interface offers fully secure email archiving with robust search and discovery, supervision, and enforcement features.

Proofpoint Archive securely stores your electronic messages for the retention period you specify, while keeping them fully searchable and retrievable in real-time (or with a batch process). At any time, archived messages can be easily viewed, retrieved to a user’s email inbox or exported to an Outlook data file or EDRM XML file.

Proofpoint Archive includes features used to:

design, edit and maintain an electronic messaging policy, including retention, enforcement and supervision rules

perform advanced and comprehensive searches of a message’s header, body, or attachments, easily meeting even the most stringent discovery requirements

generate reports that help properly assess email patterns and behavior, and help evaluate the effectiveness and enforcement of your policies

manage mailbox sizes, removing storage-intensive attachments from Exchange while keeping those attachments accessible to Outlook users (stubbing)

implement a systematic supervision process for selecting and reviewing the content of electronic messages based on your organization’s policy for acceptable use of email

Note: Some functions are optional and may not be available to all users.

Overview and Setup Introduction to Proofpoint Archive


A Hybrid Approach to SaaS Archiving

FIGURE: Hybrid approach

Proofpoint Archive represents a new approach to outsourcing: the hybrid solution. It provides an integrated archiving solution with robust search and discovery, supervision and enforcement features.

The Archiving Appliance

The physical Archiving Appliance is a sealed fixed-purpose server (in standard 1U rack mount form) that is installed within your corporate network behind your firewall, to provide the tight integration and security typically only afforded to internal systems. Alternatively, a virtual appliance (virtual machine image) can be used on a protected machine.

The appliance provides integrates with Microsoft Exchange to ensure reliable, native format message archiving. Its integration with Active Directory facilitates unified login and access control management.

Since the appliance is the only holder of your encryption keys used with the Proofpoint DoubleBlind™ Key Architecture technology (for more on this technology, see "About DoubleBlind™ Key Architecture" on page 10), any processing that involves encryption or decryption happens on the appliance.

The Proofpoint Network

This highly secure, reliable and scalable infrastructure is based on a distributed search and storage architecture. This is where your data resides, in encrypted format. The vast majority of search processing and all of the storage is maintained on the Proofpoint Network, reducing overhead and maintenance headaches.

The archive securely stores your electronic messages and is accessible either through the web interface, or, for end-user searching functions, through Outlook/OWA.



About Content Collection

Proofpoint Content Collection is an optional feature that allows files on corporate file servers or in any site, sub-site, document library, or folder in SharePoint to be retained in a people-based legal hold. This provides a unified, protected, and searchable legal hold repository of both files and messages.

Content Collection is described in the Legal Discovery and Supervision guide.

About Content Collection for PSTs

Proofpoint Content Collection for PSTs is an optional feature that allows the contents of user-based PSTs to be archived, typically for legal hold purposes. This feature is not suitable for large-scale imports of legacy email. Messages archived using this feature will be associated only with the mailbox of the user identified as the owner of the PST, not associated with or appearing in the mailbox of other users named in the PST’s contents.

About Discovery Segmentation

Discovery Segmentation provides a way to configure access to divisional or business unit data. Messages, as they are being archived, are tagged with a division of the organization (as defined in Active Directory), in the company, department, or a custom attribute. Discovery users can only search and add to legal holds those messages for divisions to which they have access.

Note: Discovery Segmentation does not affect Supervision. A user can supervise a mailbox for a division to which they do not belong.

Discovery Segmentation supports a maximum of 100 divisions: if your environment requires more divisions, contact Proofpoint Professional Services. Note that you must have adequate controls in place to populate and accurately maintain division information in Active Directory. Incorrectly archived email cannot be re-archived or otherwise corrected. Note also that the auto user lookup mapping feature must be disabled before enabling this feature.

Delegated Administration is an optional extension to Discovery Segmentation. It allows you to delegate mailbox administration to local IT staff, ensuring that only local administrators can grant other users search access to local mailboxes. Implementing Delegated Administration involves defining one user management security group for each division, as well as assigning at least one user to an “all users” security group for managing those users who are not associated with a division.

When determining how to handle Delegated Administration, keep in mind that security groups do not operate hierarchically. As a result, a user manager for a division needs to be part of both the Proofpoint User Managers security group (so as to be able to able to give privileges to users, and the Proofpoint <divison_name> User Managers group for their division.



System Requirements

The appliance (physical or virtual) must be connected as described in “Appliance Connectivity” on page 11 and must not have any non-Proofpoint applications (including antivirus) installed on it.

Microsoft Exchange must be installed, with the following versions and service packs supported:

Exchange 2003, Service Pack 2

Exchange 2007, Service Pack 1

Exchange 2010, Service Pack 1 , 2, and 3

Exchange 2013, CU 1

Exchange custom managed folders and organization-wide journaling (Hub Transport) require Enterprise CALs for Exchange 2007/2010.


How Proofpoint Archive Works

This chapter explains the details of how Proofpoint Archive works to solve different business challenges. It includes the following topics:

Proofpoint Enterprise Archive Uses Journaling Mailboxes 6

How Journaling Mailboxes Are Populated 7

Consequences of Using Different Methods for Populating Journaling Mailboxes 7

How Methods of Populating Journaling Mailboxes Work Together 8

How Archived Messages are Attributed to Active Directory Users 8

How Users Interact with Archived Messages 8

How Archived Message Language Support Works 9

Proofpoint Enterprise Archive Uses Journaling Mailboxes

FIGURE: How Proofpoint Archive uses journaling mailboxes

To populate the archive, the Archiving Appliance retrieves messages from specific mailboxes on your Exchange Server: these are called journaling mailboxes. It copies groups of messages into a “batch” subfolder of the journaling mailbox, then retrieves the messages, encrypts them and sends them to the archive. When the appliance receives confirmation from the archive that the batch of messages has been fully archived, it deletes the batch subfolder from the journaling mailbox. This “pull and confirm” process ensures that no information is lost, even in the event of a network or appliance failure.

Overview and Setup How Proofpoint Archive Works


How Journaling Mailboxes Are Populated

Populating Journaling Mailboxes Using Microsoft Exchange Journaling

This method is useful for legal discovery and compliance needs: all messages are captured, regardless of user action.

Exchange journaling places a copy of each message that is sent or received into a journaling mailbox. In Exchange 2003, message journaling is enabled for a mailbox store (a database used to organize multiple mailboxes). In Exchange 2007/2010/2013, message journaling can be enabled either for individual mailbox databases (each of which contains multiple mailboxes) or for the entire organization.

Populating Journaling Mailboxes Using Exchange Managed Folders

This method is useful for record management purposes. Users identify different classes of critical business messages that should be archived.

Microsoft Exchange 2007/2010 allows administrators to deploy a special set of managed folders to the Outlook or OWA interface for end users. These folders facilitate consistent organization of information across user mailboxes. Users choose, either manually or via rules, messages to place in these folders. Folders can be configured to place messages in a journaling mailbox.

Populating Journaling Mailboxes Using Proofpoint Archive Stubbing

This method is useful to optimize storage, reducing the storage needs of the Exchange system.

Stubbing is an optional background process that replaces email attachments (which are stored in Exchange) with a much smaller “stub” that points to a copy of the attachment that is stored in the archive. Sometimes the original attachment cannot be located — for example, it may pre-date journaling, have changed since journaling began, or be in a mailbox that does not use journaling. In that case, Proofpoint Archive can place a copy of the attachment in the journaling mailbox so it can be archived. The original attachment can then be stubbed. Special retention policies can be defined for stored attachments.

Importing Messages into the Archive

As a service, Proofpoint can import legacy messages and attachments from a variety of sources directly into the archive.

Consequences of Using Different Methods for Populating Journaling Mailboxes

Journaling Managed Folders

Stubbing Attachment Capture

Import

What is archived?

All messages sent or received from point of implementation onward

All messages users place into a managed folder, from point of implementation onward

Attachments to messages not already archived

Any imported messages

What can be stubbed?

Only messages sent or received from point of implementation onward

Not applicable Any messages (including historical mail)

Any imported messages



How Methods of Populating Journaling Mailboxes Work Together

Different methods of populating journaling mailboxes can work in combination with each other to meet specific business requirements.

For example, to archive both existing mail from user mailboxes and any new messages sent/received, use the import service plus Exchange journaling. Once messages have been imported, you can optionally enable stubbing, which will then be able to process all attachments.

Another common use is to archive all messages for a short period of time while allowing end users to identify business records that should be retained for longer periods. This requires using both Exchange journaling and managed folders.

How Archived Messages are Attributed to Active Directory Users

When the Proofpoint Archive Appliance retrieves messages from Exchange, it records who the message was sent from and to. For those messages sent to distribution lists, the appliance communicates with Active Directory to determine the actual recipients that received the message. Both the original address (referencing the distribution list) and the “resolved” list of actual recipients are archived. For legal discovery purposes, you can search for messages based upon the distribution list or any of the resolved recipients.

If Discovery Segmentation is enabled, the appliance also determines what divisional unit each recipient belongs to (each recipient belongs to a single division). If no division can be resolved, the message is tagged with “No Division”, as are messages associated with groups and deleted users. To have Discovery Segmentation enabled, contact Proofpoint Professional Services.

How Users Interact with Archived Messages

Searching for Messages

Proofpoint Archive provides powerful search functionality that allows users to find messages in the archive. Users use search criteria, such as a word or phrase contained in the message, to find relevant messages. Messages found through a search can be retrieved into the user’s mailbox for forwarding or other purposes.

Exporting Messages to PST

Messages found through searching can be exported to an Outlook Personal Folder file (PST) or EDRM XML file. For PST export, all of the richness of the original message is maintained because the data remains in email format. The PST files can be shared with an outside legal team or regulators. For EDRM XML export, the original messages can be imported using any third party application able to read EDRM XML files. In addition, since the zip file created by EDRM XML export contains the MSG files, you can view the contents of an individual message in Outlook.



Creating and Managing Legal Holds

It is sometimes necessary to retain a specific set of messages beyond their original retention period, usually for legal matters. Authorized users can copy such messages from the archive into a specific container, called a legal hold, ensuring that messages remain intact while the normal archive operations continue. Once the matter is closed, the legal hold can be removed and its contents disposed of.

Reviewing Messages for Compliance (Supervision)

Supervision functions allow your company to designate individuals who can review messages of other users. Messages can be evaluated for a variety of purposes, including compliance with regulations and conformance to industry standards. Proofpoint Archive identifies messages that may not be in compliance with policies and practices. It can also perform a random selection of messages. Both identified and randomly selected messages are placed in a review queue for evaluation by authorized reviewers.

Accessing Stubbed Attachments

Attachments to messages are replaced with a “stub” The message appears unchanged to the user, except that the stubbed attachment appears as an HTM file instead of the original attachment format (such as PDF). This allows the original attachment to be retrieved, if necessary, from the archive rather than from Exchange.

How Archived Message Language Support Works

Proofpoint Enterprise Archive supports archiving and searching messages written in a wide number of languages. Languages using both single-byte and double-byte character sets are supported, but the complexity of tokenizing certain languages results in some functionality not being available.

Archiving and search functionality is supported for all single-byte character languages, including:

Western and Eastern European languages

most Central European languages

Russian

Greek

Arabic

Hebrew

Archiving is also supported for all double-byte character languages including:

Chinese (Simplified or Traditional)

Japanese

Korean

Note: The Proofpoint Enterprise Archive interface itself is also available in multiple languages.

Proofpoint Enterprise Archive supports uni-gram search against Chinese, Japanese and Korean messages. Uni-gram search support allows keyword search criteria to match against Chinese, Japanese and Korean text by comparing individual characters.

Note: Additional search results may be returned when messages have Chinese, Japanese and Korean text that contains the search criteria as a subset.


Network Communication and Security

This chapter explains communication and security requirements for Proofpoint Archive. It includes the following topics:

About DoubleBlind™ Key Architecture 10

Appliance Connectivity 11

Connecting Through a Proxy Server 11

About DoubleBlind™ Key Architecture

During archiving, all of your data is encrypted using encryption keys unique to you. A proprietary approach to working with your data, called DoubleBlind™ Key Architecture, ensures maximum security and privacy. In this approach, your Archiving Appliance stores your encryption keys, but does not have the ability to read your data. As a result, your data can never be viewed without access to both your appliance (which resides within your network) and the Proofpoint Network.

FIGURE: How DoubleBlind Key Architecture works

As the Proofpoint Network will only accept requests from IP addresses tied to the appropriate Archiving Appliance, even theft of your appliance (or the machine on which the virtual appliance is installed) won’t compromise the security of your data.

Since all of your data within the Proofpoint Network is encrypted using your key, even if intruders penetrated Proofpoint’s heavily secured infrastructure, they would only see meaningless encrypted data. Certified duplicate copies of your data are maintained in separate data centers

Overview and Setup Network Communication and Security


to further guard against modifications. Proofpoint does not have a mechanism to remotely obtain the encryption key without your consent and your personnel providing access to your appliance.

Proofpoint has an additional offering for government agencies requiring FISMA-compliance. Please contact Proofpoint Professional Services for more information.

Appliance Connectivity

Note: In the following content, “appliance” may refer to the dedicated Archive Appliance, or to the machine on which the virtual appliance is installed.

Network Requirements

The appliance requires outbound Internet connectivity with a static IP address that is accessible internally. The appliance needs to connect to the Internet, but the Proofpoint Network does not need to connect to the appliance.

Connectivity Options

The appliance talks to the Proofpoint Network through one of several connectivity options, including:

HTTPS port 443

HTTPS port 443 with a router or firewall-based access control list (see below).

Router or Firewall Configuration (optional)

For maximum security, Proofpoint highly recommends that you configure your router or firewall with access control lists that prevent the Archiving Appliance from communicating with anything other than the Proofpoint Network or the Windows Update Service.

See the documentation for your router or firewall for instructions on setting up access control lists. Your rules should be configured as follows:

Source IP address of the Archiving Appliance

Destination Contact Proofpoint Professional Services to get the list of destination IP addresses for the data center that services your account and also to get the IP addresses for Windows Update Service.

Port 443

Connecting Through a Proxy Server

The appliance can connect to the Proofpoint Network through your corporate proxy server. However, this is not recommended, since performance may be affected.


Planning For Proofpoint Archive

This chapter outlines considerations to be taken into account when preparing to implement Proofpoint Archive. It includes the following topics:

Understanding Appliance Purposes 12

Basic Product Architecture (Single Appliance) 13

Using Multiple Appliances 14

Supporting External Access to Proofpoint Archive 16

Understanding Appliance Purposes

Some environments may benefit from using multiple appliances. Each appliance can serve one or more of the following purposes:

archiving messages

serving the user interface

exporting messages

stubbing attachments

supporting content collection (see the Legal Discovery and Supervision user guide for details)

In a single-appliance environment, one appliance fulfills all these purposes. In a multi-appliance environment, purposes can be split across the available appliances. Each purpose must be assigned to at least one Archiving Appliance, and all purposes must be performed at each separate location. However, it is not typically necessary to have a separate appliance for each purpose.

When choosing how to distribute purposes across appliances, keep in mind that archiving, exporting and stubbing are background batch processes, so it is acceptable that they build a backlog periodically. Search and other user interface tasks are interactive, requiring immediate responsiveness, so you may want to isolate them from batch processing. Proofpoint will help you determine the number of appliances you need, and which purposes each should play.

Note: In the following content, “appliance” may refer to the dedicated Archive Appliance, or to the machine on which the virtual appliance is installed.

Overview and Setup Planning For Proofpoint Archive


Basic Product Architecture (Single Appliance)

Although additional Archiving Appliances may be necessary for a high volume of data or geographically-separated local area networks, the basic concepts of the architecture that must be understood before expanding to multiple appliances.

FIGURE: A single Archiving Appliance at a location with one Exchange Server

The basic installation consists of a single appliance that archives messages from a single Exchange Server. The above figure illustrates this arrangement.

While this is the simplest configuration, it illustrates a key concept. The appliance must connect to the Exchange Server and Active Directory locally, not over a wide area network connection. If you have multiple locations with their own Exchange Servers, you will need at least one appliance at each location.



Using Multiple Appliances

The basic configuration described above suits most purposes. However, other options might be needed for environments with a high volume of data or geographically-separated local area networks (Proofpoint staff will help you determine the most appropriate configuration.).

Note: Since configuration data is stored centrally, multiple appliances automatically synchronize their configuration.

Multiple Exchange Servers and Archiving Appliances at a Single Location

You are not restricted to just one journaling mailbox (or Exchange Server) when configuring appliances. The following figures are representative of cases where there are multiple appliances and multiple journaling mailboxes. To simplify the diagrams, only two appliances and two Exchange Servers (each with one journaling mailbox) appear, but in practice there could be more of each. Also, the single appliances shown in the figures could easily be expanded to multiple appliances with specific purposes, as is shown in the following example.

FIGURE: Two Archiving Appliances connected to two Exchange Servers at a single location

In the case shown above, each Archiving Appliance archives messages from a single journaling mailbox and stubs attachments from a single Exchange Server. This arrangement is satisfactory when both Exchange Servers are equally busy, with relatively little fluctuation in their loads.

FIGURE: Two Archiving Appliances connected to both Exchange Servers at a single location



When issues of load balancing arise, another configuration (shown above) is possible. Load balancing can be achieved by connecting both appliances to the journaling mailboxes on both servers. (In this scenario, both appliances can also be configured to stub attachments in both Exchange Servers: stubbing is explained in "Setting Up Stubbing" on page Error! Bookmark not defined..)

Multiple Exchange Servers and Archiving Appliances at Multiple Locations

If you have multiple office locations (sites), each with their own Exchange environment, you will need multiple appliances.

FIGURE: Multiple locations

Each location can be modeled on any of the other examples in this section. All locations in a site store messages in a single archive, providing unified enterprise searching for legal discovery purposes. You can balance loads by adjusting the number of appliances at each location and assigning specific purposes to them, remember that the appliances at each location must provide complete coverage for all the Archiving Appliance purposes: see "Understanding Appliance Purposes" on page 12.



Multiple Appliances in a Single Location with a Single Exchange Server

FIGURE: Four Archiving Appliances at a single location

The above figure illustrates a situation where the volume of email traffic or search usage patterns requires extra processing power, which is achieved by assigning specific purposes to separate appliances (see "Understanding Appliance Purposes" on page 12).

Note: Your Company’s encryption key is generated during the configuration of your first appliance. All other appliances must be configured with the same encryption key.

Supporting External Access to Proofpoint Archive

Considerations for External Access

Proofpoint Archive supports external access for users wanting to search the archive and/or retrieve stubbed attachments from outside the corporate network. Access may be through the web interface, Outlook or OWA. For security reasons, the Archiving Appliance should never be placed outside your firewall, so this access is handled through an HTTP proxy (strictly speaking, this is a “reverse proxy”). Access is provided via the OWA server, since it already has a connection to the internal network and the public Internet.

Note: If your environment contains more than one OWA server that resides behind a load balancer, the proxy needs to be installed on each of those servers. Consult with Proofpoint professional services before proceeding.

This section describes several alternative configurations for external access, using the proxy provided by Proofpoint. The Proofpoint Archive proxy installs on your OWA server, allowing it to use the same DNS entry and digital certificate as that server. It can load-balance requests between any number of appliances at a location. The exception to this load balancing is the Proofpoint supervision process, which caches, on an appliance, the messages to be reviewed. As a result, a reviewer’s session will be locked to the first appliance to which they connect.

For stubbing, the proxy provides the publicly available URL that allows original attachments to be retrieved, via an appliance, from the Archive where they exist.



Using a Single Exchange Server Running OWA

In the configuration illustrated below, a single Exchange Server runs OWA. Users access OWA by connecting directly to the Exchange Server, which is where the Proofpoint Archive proxy will be installed.

FIGURE: Single Exchange Server Running OWA



Front End Exchange Server Running OWA

In the configuration illustrated below, two Exchange Servers are used:

A front end Exchange Server, residing between two firewalls, is used for external access.

A back end Exchange Server, behind a firewall, is used for internal access.

Typically the front end Exchange Server acts as the SMTP mail gateway and does not hold any mailbox databases: these are on the back end Exchange Server, which is also where journaling takes place. The Proofpoint Archive proxy is installed on the front end Exchange Server. This configuration provides greater security.

FIGURE: Front End Exchange Server Running OWA

If your environment contains more than one OWA server which resides behind a load balancer, the proxy needs to be installed on each of those servers.


Troubleshooting Proofpoint Archive

This chapter explains commonly performed maintenance procedures. It includes the following topics:

Using the Audit Trail to View Login Activity 19

Solving Common Problems 19

Troubleshooting User Directory Issues 20

Generate CSV of Problem Areas 22

Troubleshooting Archiving Issues 22

Using the Audit Trail to View Login Activity

User Managers can view the audit trail to view:

Successful logins

Unsuccessful login attempts

Note: The audit trail for a specific message can be viewed by right-clicking on the message in the results list.

1. In the Administration module, in the Reports section, click Audit Trail. The Audit Trail screen appears.

2. Optionally, specify a time limitation for the activities by choosing from the Event Date list.

3. Optionally, display information only for a specific user by enabling the Performed by Specific option and entering a name.

3. Check one or both of Login Successful or Login Unsuccessful.

5. Click Update List. A list of the selected activities, for the selected users, on the selected date, appears.

To sort the list, click anywhere in the header and choose a sort option.

To display the details of an activity, select it.

Solving Common Problems

Proofpoint Archive processes messages prior to storing them in its secure archive. Occasionally, the content of the message, or an attachment, or references to users and groups in Active Directory, can’t be processed properly. When this happens the message is put aside.

To index messages, all senders and recipients must be known. The Archiving process must be able to resolve addresses into the corresponding Active Directory entries in order to assign the appropriate search permissions. Similarly, distribution lists must be expanded to the actual set of recipients.

In rare cases, the process may not recognize some component in the message. As an example, this can happen if the message itself is corrupted.

When such issues occur, the message is put aside in a sub-folder of the journaling mailbox so that processing of other messages can proceed. The Proofpoint Archive user interface contains a Status and Issues subsection that helps you to investigate the problems and, if necessary, submit them to Proofpoint for further evaluation. To generate a CSV file of your current data for support purposes, click Download from this section.

Overview and Setup Troubleshooting Proofpoint Archive


If you have referenced an Active Directory group, either from your roles/departments or through review privileges or stubbing policies, changes to those groups are synchronized nightly. To see a list of those groups and when they were last synchronized, from the Status and Issues section, click Group Synchronization Status.

Troubleshooting User Directory Issues

If the Archiving process cannot access specific properties for an Active Directory user, such as the MailboxGUID property, the message cannot be fully indexed. Similarly, if the process cannot access the Group Members property for a distribution list, the appropriate set of users and mailboxes cannot be assigned to the message. Other issues may occur, but the two just mentioned are the most likely. The problem is usually solved by assigning the proper permissions to the account that the Archiving process uses to access Active Directory, or by mapping deleted users to information that already exists in the archive about those users.

The archiving process attempts to gather additional information for each Exchange address referenced in a message. This information is normally gathered from Active Directory. When a user (or mailbox) is deleted, however, Active Directory no longer contains the required information, so the archiving process records the address as an issue, and puts the message aside. There are two options to help resolve user directory issues:

engage Proofpoint Support to have an automated mapping process executed

manually resolve the User Directory issues

The automated mapping process used by Proofpoint Support scans the archive to see if it can find older messages that were successfully archived for each problematic Exchange address. If it finds a match, a deleted user mapping is created. Once all mappings have been updated, all messages put aside for user directory issues are moved to the reprocess queue where they can be reviewed and reprocessed. Please work with Proofpoint Support to have this process applied to your User Directory issues.

In addition, when messages are archived, the email addresses of participants in that message are analyzed to determine if they are internal or external addresses. Participants with internal email addresses have the message associated with their mailbox and, therefore, their participation can be found by a standard search. Participants who have external email addresses will not be found by a standard search and cannot be used in a people-based legal hold (Discovery users with access to all mailboxes will be able to find such messages, however, based on the external user’s name). A domain list policy (see the Policy Creation and Management guide) can optionally be used to explicitly identify those email addresses that are to be considered internal or external. If a domain list policy is not used, the regular address resolution process occurs.

While the above mapping process attempts to deal with the majority of issues related to deleted users, there will still be cases where manual mapping is required. For example, if a message that arrives in the journaling mailbox references a user that has never been archived before, the automated mapping process can't gather the required information. To address this, the manual mapping tools attempt to provide suggestions by searching the archive based on display name, allowing you to map messages to another mailbox that is a replacement mailbox for that user or to opt to treat the user as an external address. You can investigate archiving issues and perform mapping if you are a member of the User Managers group.



To view a list of issues related to Active Directory

1. In the Administration module, in the Status and Issues section, click Directory Issues. A list of issues appears, on three tabs: Current Issues, Deleted User Mapping and Deleted Group Mapping.

The Current Issues tab Display Name column contains those names that the Archiving Appliance cannot resolve. The Issue Description column gives information about the type of problem. There are many possibilities, among which are:

Unable to read Display Name

Unable to read Group Members

Unable to access object

2. Click on the user that has an issue, then click Details on the toolbar. The Issue Details screen appears, providing some information about this type of issue and listing the steps needed to resolve the issue.

3. Follow the instructions given in the Issue Details screen to rectify the problem.

4. Repeat for each item in the User Directory Issues list.

5. Click OK.

To mark users or groups as deleted

1. In the Administration module, in the Status and Issues section, click Directory Issues,

2. On the Current Issues tab, select the user or group that you want to mark as deleted.

3. On the toolbar, click Mark User as Deleted or Mark Group as Deleted. The Mark as Deleted User or Mark as Deleted Group screen appears.

4. For a deleted user, choose whether to process as internal or external address. For internal address, enter the SMTP address and Mailbox GUID for the user, for an external address enter just the SMTP address. For a deleted group, enter with the SMTP address or click Find Suggestions and select the appropriate group name from the list that appears.

5. Click OK.

To reprocess messages:

1. When all user directory issues have been addressed, in the Administration module, in the Status and Issues section, click Directory Issues or Archiving Issues.

2. In the toolbar, click Reprocess Messages. The messages are validated. A screen appears that informs you that messages are being reprocessed. Note that messages that are more than 30 days old do not get submitted for supervision review.

3. Click OK. Further issues may occur as a result of reprocessing. If so, repeat the steps in this procedure.

To view list of users or groups that have been marked as deleted:

1. In the Administration module, in the Status & Issues section, click Directory Issues.

2. Click the Deleted User Mappings or Deleted Group Mappings tab. A list of mapped users/groups appears, with user information on one tab and group information on another.

Note: To edit a user/group that has been marked as deleted, click on it and click Edit.



Generate CSV of Problem Areas

1. When all user directory issues have been addressed, in the Administration module Status & Issues section, click Directory Issues.

2. On the toolbar, click Download.

Troubleshooting Archiving Issues

Archiving issues arise when the Archiving Appliance cannot process the message because:

some of the senders and recipients are unknown

the message is flagged as a special type that the Archive wasn’t designed to archive

the message itself is corrupted in the mail system

The Journal Folder Status screen shows how many messages are currently in the processing queue as well as the number of messages that have been detected as having issues of a particular type. By knowing the journaling mailbox and the type of issue encountered, you can use the Archiving Issues screen to view all the messages that fall in this category.

To determine if there are archiving issues:

1. In the Administration module, in the Status & Issues section, click Journal Status Issues, The Journal Status screen appears. Every journaling mailbox monitored by the Archiving Appliance is listed. Within each mailbox group there is an entry for the number of issues. If that number is zero, there are no issues. The number is a link to a page that lists issue types and the number of messages having that type of issue.

2. Click the number. The Issue Type screen appears. Note the journaling mailbox name and the issue types. You use this information to view specific messages using the Archiving Issues screen.

To view list of messages with a specific issue type

1. In the Administration module, in the Status & Issues section, click Archiving Issues, The Archiving Issues screen appears.

2. Choose the journaling mailbox with which you want to work and click Update List. A list of the archiving issues for that mailbox appears.

3. Optionally, choose an issue type from the Issue Type list.

4. Click on a message to view it, as a way to determine what caused the issue. You may want to view multiple messages in an attempt to determine the cause of the issue.

5. If you wish to submit the message to Proofpoint for further analysis, click Submit Message on the toolbar.

6. Add comments if necessary.

7. Click Submit. The message is submitted to Proofpoint for analysis. A screen appears that confirms that the message has been submitted for evaluation.

8. If necessary, continue to analyze other issues. Use the Journal Mailbox and Issue Type lists to choose the issue you want to analyze next.


Glossary

Term Description

Access rights Rights that give users access to specific Proofpoint Archive functions. Set by making users members of specific Proofpoint Archive security groups in Active Directory.

Active archive The full contents of the archive. Does not include any messages that have been disposed of from the archive but remain in legal holds.

Appliance See Archiving Appliance.

Archive Proofpoint Archive function that stores electronic messages for specific retention periods.

Archiving Appliance

A sealed, fixed-purpose server installed within your corporate network or, optionally, a virtual machine. Integrates with Microsoft Exchange and Active Directory. Holds encryption keys. Hosts Proofpoint Archive user interface.

Archive folder A folder containing links to a set of messages found by a specific search and saved to a folder.

Batch Search Service that allows batch searching only, with the search taking place as a background process. Search results are placed in a folder for further analysis. Some functions are not available in this service.

Custodian The users whose messages appear in a legal hold.

Department A Proofpoint Archive user group, representing users who belong to an organizational unit.

Discovery Segmentation

Allows for logically segregating archived data based on a division value. Designated users can perform search and legal hold tasks against data belonging to the divisions to which they have been granted access.

Discovery User Proofpoint Archive user who can search archived messages in any mailbox.

Disposition Process of removing a message from the archive when its disposition date has been reached.

Expert reviewer Individual with specialized knowledge useful for determining if messages pass or fail. Associated with specific acceptable use policy entries.

External person Someone who does not work for your company.

InfoTag Metadata assigned to a message to characterize it for searching and policy entry use.

Internal person Someone who works for your company.

Journaling Mailbox

Mailbox that records messages flowing into and out of an organization. Accessed by Archiving Appliance to retrieve messages for processing.

Legal hold Container for messages that have reached the end of this disposition period but need to be retained for legal purposes.

Nonce A randomly-generated, cryptographic token used to prevent replay attacks.

Partner A Proofpoint Archive user group, representing external users such as lawyers or customers. Rules can apply to partners.

Pass/fail Used in Proofpoint Archive Supervision. Reviewers determine if messages pass (do not contravene acceptable use policy entries) or fail (contravene acceptable use policy entries).

Policy document Printed (PDF) version of electronic messaging policy.

Policy entries Main components of an electronic messaging policy; specify what the policy is to enforce.

Proofpoint Network

Where data resides, in encrypted format.

Purpose Archiving Appliances perform specific purposes (archiving, user interface, exporting, stubbing). Any appliance can serve all or some of these purposes.

Real-Time Search

Service that allows searching in real-time, placing the search results in the results list for further analysis.

Retention period The period of time a message is intended to be retained, under normal circumstances. Determined by the retention policies active at the time the message was archived.

Retention series Messages archived according to the same retention policy.

Role A Proofpoint Archive user group, representing users with similar job functions. Rules can apply to roles.

Security Group A Proofpoint Archive -specific Active Directory group. Used to control access to the Archive.

Overview and Setup Glossary


Stub Method of reducing storage size by replacing stored attachment with link to original attachment stored in the archive.

Stubbing Optional functions that manage mailbox sizes by replacing large attachments with links to the archive.

Stubbing Policy A policy used to determine what mailboxes, and what folders in those mailboxes, to stub, and what size of attachments to stub.

Stubbing time window

Configured time period during which stubbing takes place.

Supervision Optional functions used to design, edit, maintain and perform reviews of messages for acceptable use.

Supervision user An Archive user who can review and evaluate other person’s messages. Depending on privileges, this user may also be able to perform other review functions such as batch processing and reviewing messages processed by other reviewers, or be able to view reports about the number and nature of violations of the corporate electronic communications policy.

User group Role, department (internal person) or partner (external person).

User manager A Proofpoint Archive user who can assign privileges to other users and who can create and manage roles and departments.


Index

A

appliance

connectivity, 11

multiple, 14

physical, 3

purposes, 12

single, 13

virtual, 3

archive

external access to, 16

how users interact with, 8

archive, how messages attributed to users, 8

audit trail, 19

C

configuration

router or firewall, 11

corporate proxy server use, 11

D

Delegated Authentication feature, 4

Discovery Segmentation

role in attributing messages to users, 8

Discovery Segmentation feature, 4

divisions, tagging messages with, 4

E

encryption

about, 10

external access to archive, 16

F

firewall configuration, 11

H

HTTPS ports, 11

I

internet connectivity, 11

J

journaling mailbox

populating, 7

use of, 6

L

language support, 9

login activity, monitoring, 19

M

messages, how attributed to users, 8

multiple appliances, 14

P

product architecture

single appliance, 13

R

router configuration, 11

S

supported Exchange versions, 5

T

troubleshooting

archiving issues, 22

common problems, 19

user directory issues, 20

Proofpoint Enterprise Archive Product...

Documents

Transcript of Proofpoint Enterprise Archive Product...