WHITE PAPER: ENTERPRISE SOLUTIONS. Security and Availability Implementing Security and Archiving Solutions from Symantec

Transcription

1 WHITE PAPER: ENTERPRISE SOLUTIONS Security and Availability Implementing Security and Archiving Solutions from Symantec By Nick Wade Senior Product Manager, Enterprise Vault Now from Symantec

2

3 White Paper: Symantec Enterprise Solutions Security and Availability Implementing Security and Archiving Solutions from Symantec Contents Executive summary Introduction Symantec integrated solutions security archiving Available solutions How to integrate security and archiving Scenario 1: Acme Corporation (Acme Corp.) Deploying Symantec Mail Security 8100 Series Deploying Symantec Mail Security 8200 Series Deploying Symantec Mail Security for Microsoft Exchange Deploying Veritas Enterprise Vault Deploying additional components Scenario 2. Beta Corporation (Beta Corp.) Deploying Symantec Mail Security 8100 Series Deploying Symantec Mail Security 8200 Series Deploying Symantec Mail Security for Microsoft Exchange Deploying Veritas Enterprise Vault Deploying additional components Tested Solutions Summary

4 Executive summary usage has transformed how we conduct business and directly affects how rapidly and efficiently we may exchange information. Consequently, has become a critical application service in the organization. As a result, security and integrity are paramount concerns, as are service availability and optimization technologies, including archiving. Additionally, businesses face increasing regulatory requirements that mandate appropriate levels of record retention and management, including business records comprising varied forms of electronic messaging. This white paper details, at a high level, how to achieve an advantageous combination of best-of-breed security and archiving technologies from Symantec Corporation. These technologies can assist with satisfying the varying needs of security, archiving, and records retention associated with and electronic messages. The hypothetical Acme Corporation and Beta Corporation that are discussed illustrate the example challenges and solutions associated with security as pertains to: Inbound hygiene at the network perimeter and inside the organization content compliance with regard to outbound and intra-organizational archiving for storage management and optimization of Exchange Server services, as well as journaling and compliance-related capture of messages passing through the organization to meet regulatory and/or privacy requirements This white paper describes how two businesses (Acme and Beta Corporations) can deploy Symantec Mail Security appliances and software both within and without the organization to achieve security and content compliance goals. It further describes how to integrate the Symantec technology with Veritas Enterprise Vault to ensure that necessary messages are captured and retained in a cost-effective and usable manner, optionally including any necessary antivirus- and antispam-related messages that may need to be captured and retained in an appropriate low-cost and secured archive for compliance or privacy reasons. 2

5 Introduction Electronic mail ( ) has transformed how we conduct business in the modern day how we exchange thoughts, ideas, proposals, and information as well as the speed and efficiency with which we can conduct business. has become as important, if not more important, in our personal and business lives as the telephone itself. Over the past 10 years, we have gone from leveraging as an alternative communications vehicle to depending on it as our most mission-critical application. According to the Enterprise Strategy Group, more than 60 percent of mid- and enterprise-tier businesses together believe that is the number one mission-critical business application for their organization (Enterprise Strategy Group, March 2004, Case Study: Exchange Storage, Information and Protection). The fact that also serves as a detailed transaction record for a company makes it valuable as evidence in a court of law, proof that companies are following regulations, and a source for identifying violations of internal company policies. As a result, more companies are deciding to preserve for longer periods of time, in a verifiable and non-repudiated archive format. However, the very things that make valuable to an organization also expose it to a great deal of risk and liability. Its ubiquity and simplicity have consequently made it the preferred method for transferring: Any data between users, including non-business content such as multimedia files and executables, or even company confidential information outside corporate walls Threats and disruptions to thousands of users, such as viruses and spam, at high anonymity, high volume, and very low cost Consequently, we spend countless hours, budget, and resources defending and worrying about how to keep running smoothly. To this end, IT professionals look at security issues such as reducing spam or blocking viruses and at availability issues such as making sure the application, systems, and data are there when needed even in the event of a disaster or long after the s were sent. However, as the checklist of what it takes to keep an system grows, IT is now looking for a more holistic solution to balancing the cost and risk associated with . Coupled with this view is the emerging need to retain high-threat content such as virusloaded or spam s in regulated industries as part of the corporate record, with a strong desire to retain such s in a quarantined yet searchable fashion. 3

6 Simultaneously, businesses and IT professionals are being driven to consider how to reduce management costs associated with the infrastructure. The increase in volume of s coming into the corporate network introduces an exponential growth in associated hard costs by regularly exceeding available capacity of traditional gateway systems, mail transfer agents, storage servers, groupware servers, and network bandwidths. Symantec offers integrated, best-of-breed, and market-leading security and archiving solutions. Symantec integrated solutions Symantec is now able to offer a comprehensive solution that enables security and availability. These unique technologies and services control and manage the flow of information from start to finish, helping protect an organization against risks, ensuring uptime of systems and users, satisfying compliance and document retention requirements, while at the same time minimizing the total cost of ownership for . See Figure 1 for how Symantec s technology and service offerings map to the layered approach described in Symantec s Security and Availability white paper ( Security _wp_EN.pdf). security Resilient foundation Perimeter scan Groupware scan archiving Archiving Indexing Search Retrieval Resilient foundation Backup Recovery Storage Clustering Figure 1. Overview Symantec s security and availability approach 4

7 security Historically, antivirus and antispam technologies have been defined largely as security services. In fact, integrated mail scanning is commonly referred to as security, although this is not entirely accurate. For example, a security threat like a mass-mailer worm has the potential to take end-user systems, even network segments, offline indefinitely. Clearly, this also impacts the availability of , especially for those users and their business. archiving In the same way that security tools act as the first lines of defense in keeping unwanted out of the messaging system environment, archiving works on the back end to move saved messages out of the environment, while at the same time maintaining the availability of the data should it need to be accessed by end users, legal personnel, or HR. Although often used for regulatory purposes, archiving can be an important tool simply to maintain the availability of infrastructure by controlling the amount of data in the primary messaging systems and, as a result, additionally affecting management costs positively. Available solutions Solutions available from Symantec for security include Symantec Mail Security for Microsoft Exchange, Symantec Mail Security for Domino, Symantec Mail Security 8100 Series and 8200 Series appliance systems, Symantec AntiVirus Corporate Edition, and Symantec Brightmail AntiSpam. Solutions available for archiving include its flagship market-leading product, Enterprise Vault. Veritas Enterprise Vault (now from Symantec) is a software-based archiving framework enabling the discovery of content in Microsoft Exchange, SharePoint Portal Server, Lotus Notes, SMTP, IM, and file server environments, while reducing storage and management. Enterprise Vault manages content via policy-controlled archiving to online stores for active retention and seamless retrieval of information. The combination and interaction of these proven, market-leading technologies into a holistic solution for achieving the desired overall goals of security, availability, optimization of ongoing management costs, and satisfaction of regulatory requirements can be very powerful. This white paper details some practical, integrated, and tested security and archiving solutions using the above-mentioned products that our customers can deploy today to derive these benefits. 5

8 How to integrate security and archiving To understand how to potentially leverage the synergy from deploying a combined and proven security and archiving solution from Symantec, consider the following example scenarios: Scenario 1: Acme Corporation (Acme Corp.) uses Microsoft Exchange 2003, and wishes to: Journal all legitimate messages for regulatory purposes Ensure appropriate levels of antivirus and antispam defenses Optionally archive selected spam messages to more cost-effective storage Monitor policy compliance and block s that are out of policy Scenario 2: Beta Corporation (Beta Corp.) also uses Microsoft Exchange 2003, and wishes to: Avoid journaling of all messages due to the load (Beta Corp. is non-regulated) Archive messages for users after 90 days for server optimization Archive spam to a cost-effective temporary location for 60 days, and provide a full text search Archive a copy of inbound or outbound messages where target words and phrases are found Ensure appropriate levels of antivirus and antispam defenses Microsoft Exchange 2003 Symantec Mail Security for Microsoft Exchange MTA and VSAPI Delete or Quarantine Internet Reduce Spam and viruses Symantec Mail Security 8160 Firewall Monitor policy Symantec Mail Security 8260 Less bad traffic Mailbox Store 1 Mailbox Store 2 Journal Store Clean client traffic Throttle spam network traffic Delete or Quarantine Archive; selective spam jounaling Quarantine Archive Archive; mailbox policy and/or journaling User Archives Journal Archives Search, Discover, Review, Audit Veritas Enterprise Vault for Exchange Figure 2. Overview components of implementing security and archiving solutions from Symantec 6

9 Scenario 1: Acme Corporation (Acme Corp.) Acme Corporation (Acme Corp.) runs a clustered Microsoft Exchange Server 2003 messaging and groupware system. Acme Corp. wants to journal and archive all legitimate for three years, but also wants to ensure appropriate levels of antivirus and antispam defenses including a significant reduction in network traffic associated with spam before it reaches the organization. They also want to be able to optionally archive certain selected spam messages because their regulatory requirements state that they need to maintain such s for 180 days in case they were used to obfuscate any illegal communications. Additionally, Acme Corp. needs the ability to monitor compliance with policy and stop serious breaches of policy before even leaves the organization s boundary. Firewall Bridgehead Server Mail server antivirus Internet Microsoft Exchange 2003 Some quarantined Application Storage SAN: Fibre Channel Figure 3. Existing and groupware topology at Acme Corp. 7

10 Solution: To achieve the stated goals in this scenario, Acme Corp. can implement the following solution where Symantec Mail Security and Veritas Enterprise Vault work together: Desired goal Journal and archive all legitimate records Reduce network traffic due to spam before the network perimeter Further reduce spam and virus-infected after acceptance, archive spam messages, and enforce policy Ensure appropriate levels of antivirus for Exchange servers and clients Regularly review a sample of traffic sent and received by users Search, review, and produce messages as evidential records Solution chosen for deployment Microsoft Exchange Server 2003 Journaling, with Veritas Enterprise Vault for Exchange Journal Archiving Symantec Mail Security 8160 appliance with SMTP Traffic Shaping Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus Corporate Edition Veritas Enterprise Vault Compliance Accelerator Veritas Enterprise Vault Discovery Accelerator Accordingly, the following products are chosen for deployment at Acme Corp. Vendor Product Version/Type Symantec Mail Security 8100 Series 8160/Appliance Symantec Mail Security 8200 Series 8260/Appliance Symantec Mail Security for Microsoft Exchange 5.0/Cluster Aware Symantec Enterprise Vault for Exchange 6.0/Server + Standby Optional products below are also chosen for deployment at Acme Corp. Vendor Product Version/Type Symantec Enterprise Vault Compliance Accelerator 6.0/Server Symantec Enterprise Vault Discovery Accelerator 5.0/Server 8

11 Deploying the Symantec Mail Security 8100 Series Deployment of Symantec Mail Security 8160 appliances allows Acme Corp. to employ a bestof-breed appliance that leverages market-leading unique antispam traffic-shaping technology. Acme Corp is able to reduce infrastructure costs by restricting connections from spamsending servers and significantly reducing the received amounts of spam before they are even accepted into the corporate system at the network boundary. Their objective is to significantly reduce the transfer capacity available to spammers, while continuing to maintain it for legitimate sources of . Symantec Mail Security 8160 appliances may be configured in one of two modes: Virtual Bridge or Router. A Virtual Bridge is well-suited when one IP subnet exists where the appliance is deployed, and a Router is well-suited when the appliance is routing between two different subnets. Acme Corp. has one external DMZ subnet and will install the 8160 appliances in Virtual Bridge mode as a result. 1. Install and initialize 8160 appliances. Before beginning installation, Acme Corp. needs the following: For Virtual Bridge mode: Valid license file from Symantec Host name, including domain (FQDN) IP address and netmask for the appliance (in Virtual Bridge mode, only one IP per appliance is needed) If implementing a high-availability cluster at the same location IP address and netmask for the second appliance VRID for both appliances Domain Name Servers (DNS) NTP Servers (optional) List of protected servers 9

12 2. Configure network settings, and user/management access. Acme Corp. can then specify the IP address, host name, new administrator password, and other user and management access levels within the Control Center for the 8160 appliance installation. 3. Specify and configure any base settings. The 8160 appliances are then configured with any base settings as needed by Acme Corp. Network routes Protected servers (internal hosts and their gateways) Exempt IPs (internal hosts for which no SMTP traffic shaping is done) Connection shaping (SMTP traffic shaping) Necessary SNMP data collection For further details on any aspect, refer to the Symantec Mail Security 8100 Series Implementation Guide, available at Deploying the Symantec Mail Security 8200 Series Deployment of Symantec Mail Security security appliances allows Acme Corp. to further employ best-of-breed appliance technology that leverages over 20 spam prevention techniques, including Symantec Brightmail AntiSpam, Directory Harvest Attack Prevention, and Sender Reputation techniques. These techniques reduce infrastructure costs by significantly reducing the received amounts of accepted spam, after initial spam reduction is effected by 8160 appliances. Additionally, content compliance features allow administrators to gain control over inbound and outbound content so they can enforce internal or regulatory content policies, before an issue even arises. To derive the full potential benefits of such a solution, an appliance deployment is required both outside the network perimeter (8160 appliances reducing spam and associated network traffic before entry to the network) and inside the organization (8260 appliances further antispam, antivirus, content compliance, and policy enforcement). 10

13 Symantec Mail Security 8260 appliances may be configured in a number of roles, and all of these may be needed in a larger implementation: Scanner: Performs filtering. You can set up one or many Scanner appliances. Control Center: Manages your system. Each Symantec Mail Security 8200 Series installation has exactly one Control Center appliance. The Control Center can manage multiple Scanner appliances. Control Center and Scanner: Performs both functions. Suitable for smaller installations. The Control Center appliance also hosts Quarantine, a component that stores spam messages and provides end users access to their spam messages. You can also configure Quarantine for administrator-only access. Use of Quarantine is optional. 1. Install the first Symantec Mail Security 8260 appliance in the organization. This is known as the Control Center and is where Acme Corp. also configures their initial set of policies. The Control Center further serves as the administrative console to add any additional appliances into the site. The first Symantec Mail Security 8260 appliance will be installed inside the corporate network behind Acme Corp. s firewalls. 11

14 2. Install additional Symantec Mail Security 8260 appliances. Any additional internal Scanner appliances may be installed and configured with Acme Corp. s content compliance policies, directly from the Control Center. External appliances may also be installed outside the company s firewalls in the DMZ, and configured with appropriate security policies. Symantec Mail Security 8260 appliances are hardened, self-contained units designed for operation in an unsecured network in front of the company s firewalls and Exchange servers. 3. Configure all internal Scanner appliances with Acme Corp. s content compliance policies. Symantec Mail Security 8260 appliances provide a wide variety of actions for filtering and allow Acme Corp. to either set identical options for all users or specify different actions for different groups of users. Groups of users can be specified based on addresses, domain names, or LDAP groups. For each group, Acme Corp. can specify an action or group of actions to perform, given a particular verdict on an message that is being checked by the appliance. Some examples are shown in the table below; Symantec Mail Desired Goal Security 8260 Action Details Allow messages that Deliver Normally Messages that do not meet any filter criteria defined in the meet policy to pass system will be allowed to pass as normal. This may be the majority of messages being sent from the organization. Archive a copy of Archive, or BCC Messages that contain certain phrases or words, attachment policy medium-risk types, or are addressed to certain destinations may meet messages internal policy conditions allowing them to pass normally, but also may be archived to Veritas Enterprise Vault additionally for records management purposes. Block and Archive a Archive + Delete Messages that are outside policy may be deleted and copy of policy high-risk stopped from leaving the organization. Additionally, they messages may be archived to Veritas Enterprise Vault and placed into a review queue to ensure that they are examined by the organization to determine the policy breach that has occurred. 12

15 4. Configure all Scanner appliances with Acme Corp. s security policies. Again, for each group of users, Acme Corp. can specify actions and groups of actions to perform given a particular verdict. Given Acme Corp. s goals of providing appropriate security for the business at the perimeter of the network, while still retaining the ability to archive selected spam messages to Veritas Enterprise Vault, some examples are given below Symantec Mail Desired Goal Security 8260 Action Details Allow messages that Deliver Normally Messages that do not meet any filter criteria defined in the meet policy to pass system will be allowed to pass as normal. Clean virus-infected Clean Where possible, messages that are infected with a virus will s and pass be cleaned and delivered normally. Where the message normally contains a virus that cannot be cleaned, it will be deleted and prevented from entering the organization. Prevent Directory Firewall s may be flagged because an attempt is under way Harvest attacks, and to mass-mail the organization and correlate NDRs with other virus/spam attacks messages sent, or because a certain number of infected or spam messages are received from the same IP address. Symantec Mail Security 8260 appliances block these events effectively from the business. Reduce network traffic Throttle Attack Network connections from sources that are sending certain associated with SMTP levels of spam may be throttled and restricted so as to connections for spam reduce the amount of bandwidth and data that is associated delivery with these connections. For example, connections from a known spammer may be restricted to 9.6 kb/s to mimic the effect of a poor modem connection. Archive spam Archive (+ optional messages flagged as spam by filters messages Delete or Quarantine) available from Symantec, or as suspected spam by configurable spam scoring levels, may be treated in a number of optional ways: 1. Forwarded to Quarantine (optionally notifying the user) 2. Forwarded to the user s Spam Folder in Exchange (optionally annotated as Spam or Suspected Spam ) later deleted or archived 3. Archived to an administrative SMTP address in Enterprise Vault (optionally a percentage of these may be reviewed) for compliance or privacy purposes 4. Blocked and deleted at the appliance before entering the organization (can be useful for known spam messages) 13

16 5. Configure 8260 appliances to forward spam to Enterprise Vault for archiving. Acme Corp. needs to retain messages that are not delivered to end users for a period of 180 days, as described above. There are two options that allow Acme Corp. to easily achieve this: a. Configure spam forwarding ( Archive action in Symantec Mail Security 8260) to Enterprise Vault via SMTP archiving Acme Corp. can simply archive messages that are flagged by Symantec Mail Security as spam, by administratively forwarding them directly to an SMTP capture address in Enterprise Vault. These will then be archived for each recipient at Acme Corp. into an administrative set of spam retention archives as necessary, and can be immediately searched, reviewed, and exported as necessary (please refer to the section Deploying Enterprise Vault below for further details). b. Configure spam forwarding ( Archive action in Symantec Mail Security 8260) to a Microsoft Exchange journal mailbox, with Enterprise Vault for Exchange Journal Archiving Acme Corp. can also archive spam messages by administratively forwarding them to a designated journal mailbox in Microsoft Exchange, dedicated to the task. These will then be archived into a flat journal archive for retention as necessary, and can immediately be searched, reviewed, and exported as necessary. This option may be beneficial if Acme Corp. also wish to regularly review a random-percentage sample of spam messages on a daily or weekly basis, by combining Enterprise Vault for Exchange Journal Archiving with Enterprise Vault Compliance Accelerator (please refer to the section Deploying Enterprise Vault below for further details). 6. Configure routing from 8160 appliances to deliver messages to 8260 appliances. This step effects the in-stream deployment of the 8260 appliances for incoming messages. Note: Symantec Mail Security 8260 appliances are not the final delivery point for messages being received by Acme Corp., and 8260 appliances will forward legitimate messages for final distribution to the Microsoft Exchange Server 2003 Organization. 7. Reconfigure the Exchange Organization to send outgoing to internal Symantec Mail Security 8260 appliances. This step completes the deployment of Symantec Mail Security 8200 Series appliances for Acme Corp. by submitting all outgoing messages to the content compliance and policy checks as chosen and configured by Acme Corp. (see step 3 above). For further details on any aspect, refer to the Symantec Mail Security 8200 Series Implementation Guide, available at 14

17 Deploying Symantec Mail Security for Microsoft Exchange Despite having solid perimeter protection in place, it is still necessary for Acme Corp. to inspect internal mail traffic. There are many reasons why this is valuable: Scanning for viruses that enter through other vectors, such as personal Web-based , removable media, remote laptop users whose virus definitions are not current, and more. Preventing unwanted or oversized content from being sent through the internal mail system s Exchange servers. Messages with confidential or inappropriate content can be removed from the store before anyone can view the message. Post-attack, performing virus cleanup of message stores using the latest antivirus definitions. Groupware protection allows viruses and content violations within the message store to be removed without end-user intervention. As a result, mail server protection solutions, such as those for Microsoft Exchange and Lotus Domino, should be able to inspect content in real time during submission and also on later client access, along with regularly scheduled sweeps of content stored within the system. Symantec Mail Security for Microsoft Exchange gives Acme Corp. these required benefits and more. 1. Install Symantec Mail Security for Microsoft Exchange remotely manage multiple installations of Symantec Mail Security for Microsoft Exchange Symantec Mail Security for Microsoft Exchange can be installed as a console to remotely manage multiple servers on an individual basis or as a group. A console installation of Symantec Mail Security for Microsoft Exchange is typically installed on a client machine (Windows XP or Windows 2000) and used to manage product settings remotely. Groups can be created of servers with similar functions for easier management. 2. Install Symantec Mail Security for Exchange on Exchange 2003 cluster nodes Symantec Mail Security for Microsoft Exchange is fully cluster aware when installed in a Windows cluster environment and also supports Veritas clustering. Symantec Mail Security should be installed onto Exchange Cluster nodes while they are in a passive state to ensure that working Exchange Virtual Servers are not affected negatively by the installation processes. Note: It is important that each node in the Microsoft Exchange Server 2003 cluster have Symantec Mail Security for Microsoft Exchange binaries installed in the same location on the applications disk drive. It is also important that the latest updates and definitions for Symantec Mail Security for Microsoft Exchange are installed by the administrator as installation is completed. 15

18 3. Install Symantec AntiVirus Corporate Client on Exchange cluster nodes It is also recommended that Symantec AntiVirus with LiveUpdate is installed on each Exchange cluster node. LiveUpdate will ensure that antivirus definitions and Symantec Mail Security for Microsoft Exchange updates are downloaded and installed automatically as soon as they are available. In order to successfully install and bring online a working Microsoft Exchange 2003 Virtual Server with Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus, exclusions should be added to Symantec AntiVirus for the working directories used by Symantec Mail Security for Microsoft Exchange, and for certain Exchange directories. This is covered in a Symantec Knowledge Base Document (ID: ). (Search for this ID at the following url: 4. Install ( or renew) license files to remote servers Acme Corp. must install a license file on each server that is running Symantec Mail Security for Microsoft Exchange in order to activate a content license. This ensures that each server can receive the latest virus definitions updates. Acme Corp. can install a license file from the console for a remote server group or for a remote single server, or they can install it on each individual server directly. 5. Install Spam Folder Agent for Exchange This agent lets Acme Corp. additionally route spam messages to a spam folder in each recipient s mailbox. This option is available for Microsoft Exchange Server 2000/2003 installations. The Spam Folder Agent should be installed on Exchange servers where mailboxes physically reside. The agent creates a spam folder in each user s mailbox automatically. When spam messages are tagged for Spam Folder Agent delivery, the messages are delivered to the spam folder. Tagging may be accomplished by the Symantec Mail Security 8260 appliances at Acme Corp. Acme Corp. may use spam folders as a means of archiving suspected spam that is delivered directly to end users for review. To ensure that such messages are not left in Exchange mailboxes for more than a few days, apply a folder-level mailbox archiving policy in Enterprise Vault to the spam folder for each user that archives all messages after a short time (e.g., five days). This can be separate from, and override, any other default mailbox archiving policy for the users (refer to the section Deploying Enterprise Vault below for further details). 16

19 6. Enable event forwarding to Symantec Enterprise Security Architecture (optional) Symantec Mail Security for Microsoft Exchange supports event forwarding to Symantec Enterprise Security Architecture (SESA ). SESA is an event management system that employs data collection services for events that Symantec security products generate. When a product is SESA enabled, you can use the SESA Console to view the events that it forwards to SESA. The SESA Console provides a central location from which to view and manage the reporting of event data across multiple SESA enabled security products. For more information on SESA, see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administrator s Guide. Acme Corp. also needs to configure antivirus, further antispam, and other policy aspects of Symantec Mail Security for Microsoft Exchange appropriately. For further details on any aspect, refer to the Symantec Mail Security for Exchange Implementation Guide, available at Deploying Veritas Enterprise Vault Enterprise Vault 6.0 is installed on Windows Server 2003 to host the archive for Exchange servers at Acme Corp., as well as the archive for any spam messages captured directly from the Symantec Mail Security 8260 appliances, and a variety of other information within the business. The Enterprise Vault data is stored on a near-line NAS device (or SAN, DAS, SATA, etc.), initially to ensure rapid access to archived content, while providing storage cost benefits desired by Acme Corp. at the same time. Later during the lifecycle of archived messages (and other information), they may be moved by Enterprise Vault onto other storage devices such as tape or optical libraries for long-term retention. Messages retained in users mailboxes will be archived as they age and become subject to predefined, configurable archiving policies. This ensures that Exchange Server 2003 mailboxes never grow beyond manageable levels; that Exchange servers remain optimized as a result; that backup windows are maintained, and SLAs are achievable; and end users receive a better mailbox service overall. Additionally Acme Corp. can automatically locate, associate (with the owning user), and archive the contents of user PST files on the network. This not only removes the files from the organization but also ensures that Acme Corp. can disclose the records within by consolidating them into one central, scalable, searchable archive. 17

20 Every message being sent to, from, or within Acme Corp. s server environment will be journaled and archived into Enterprise Vault. Generally, Enterprise Vault compresses all items down to 50 percent of their original size (some compressed file formats, such as.zip,.jpg, and.gif, cannot be further compressed) and further reduces archive storage needs by single instancing objects that are the same, regardless of their source (across multiple Exchange servers and PST files, across distributed file systems, and across multiple SharePoint servers and sites). 1. Install Enterprise Vault servers into the internal server network. A number of Enterprise Vault servers commensurate with the archiving throughput needs of Acme Corp. are installed in the company s internal networks. Enterprise Vault servers host a number of services and tasks that run on the Windows Server platform, and address archiving needs for target Exchange servers, including Journal archiving, Mailbox archiving, Public Folder archiving, and SMTP capture and archiving. Enterprise Vault services and tasks run under a security account context in the Active Directory domain, so a service account is created for each Acme Corp. domain housing Exchange servers that need to be archived and managed. 2. Configure Exchange Server 2003 journaling (optional). Exchange is configured to support envelope journaling. If the current mailbox server is running Exchange Server 2003 Enterprise Edition and has sufficient memory, disk volumes, and processing power to support an additional mailbox store, then Acme Corp. may create an additional Storage Group to host a single database that will support the journaling mailbox(es). Note: Message journaling or envelope journaling may be used for this purpose and are both supported by Veritas Enterprise Vault. For every 12,500 items journaled per hour in Exchange Server, the load on the Exchange server increases approximately 10 percent (from Integrated Solutions for Regulatory Compliance with Windows Server Technologies, Microsoft Corporation, 2004). If the current Exchange servers are heavily used or are running Exchange Server 2003 Standard Edition, Acme Corp. may consider deployment of an additional server to host the journaling mailbox(es). 18

21 3. Configure SQL Server SQL Server 2000 supports configuration data and metadata for Enterprise Vault, and enables Discovery Accelerator and other search applications to quickly find and retrieve previously saved search and case information. One SQL server is necessary to support four to five Enterprise Vault servers of an equivalent size. Acme Corp. chooses to use a currently deployed SQL Server 2000 cluster to support Enterprise Vault application database needs. No end-user information is stored in SQL Server. 4. Configure Windows Storage Server 2003 (or other suitable storage for archives). Windows Storage Server 2003 is chosen to host the data being managed by Enterprise Vault at Acme Corp. Approximate data storage needs for Enterprise Vault may be determined using the following formula: ((Number of items) * (Average item size) * 0.5)/(Average single instance storage ratio) + (Number of items)/(average single instance storage ratio) * 7 + (Number of items) * 2 For example, suppose Acme Corp. has 500 items, with an average item size of 10 KB and an average single instance storage ratio of 2.2. The data storage needs would be approximated thus: ((500) * (10 KB) * 0.5)/(2.2) + ((500)/(2.2)) * 7 + (500) * 2 = KB Single instance storage on Exchange servers is very similar to the single instance storage of messages within Enterprise Vault, and current single instance storage ratios are a reasonable indicator of how messages will be shared within Enterprise Vault. Acme Corp. may also choose to utilize tape media storage infrastructure later in the life of archived material (see above), and may do so via the integration of Veritas Enterprise Vault 6.0 and Veritas NetBackup 6.0. This allows tape media in libraries under NetBackup control to provide storage to archive Vault Stores directly within Enterprise Vault. Note: Windows Storage Server 2003 may not be used to host the Enterprise Vault application services and tasks as this is contrary to Microsoft licensing terms. Only the archive and index data stored by Enterprise Vault may reside on Windows Storage Server

22 5. Configure mailbox archiving. Enterprise Vault servers are responsible for various archiving tasks (mailbox, journal, public folder, PST file migration, etc.) that are dedicated to certain Exchange servers. Acme Corp. needs to configure an appropriate number of Enterprise Vault servers to perform scheduled mailbox archiving for all Exchange Virtual Servers being managed. As a guideline, one Enterprise Vault server may be generally required for every three to four equivalent mailbox home Exchange servers (depending on mailbox numbers per server and utilization rates). Once configured for each Exchange server, the archiving tasks are started and will then synchronize the initial list of mailbox users and their associated properties from the Exchange Organization and Active Directory. Users must then be enabled for archiving, which may include configuration of a Vault Store for user archives, deployment and configuration of any necessary client components (optional), configuration of the mailbox archiving policies for various user groups (globally, by OU, or by grouping via various unique LDAP properties), and final scheduled enablement of users mailboxes for archiving services. Users may be enabled in groups to allow appropriate phasing of archiving services into Acme Corp. s organization. Finally, archiving tasks should be scheduled to run at appropriate times, after completion of Acme Corp. s Exchange Server backup windows. Figure 4. Exchange mailbox archiving policies in Veritas Enterprise Vault 20

23 6. Configure journal archiving. Exchange servers may host one or more journal mailboxes that receive copies of all messages passing through Exchange Server Stores (refer to 2 above). An Enterprise Vault Journal Archiving Task needs to be configured for each Exchange server and will process one or more journal mailboxes. Journal archiving tasks process journal mailboxes every 60 seconds and, as such, run continuously after the initial startup. Every message and attachment is archived, compressed, single instanced, and indexed immediately. Depending on the desired throughput rates and the number of Exchange servers being journaled, Acme Corp. may optionally configure a dedicated Enterprise Vault server for journal archiving tasks. Depending on regulatory requirements Acme Corp. may be addressing by using journaling, the Vault Store partition devices may need to be WORM (Write-Once-Read-Many) compliant. Enterprise Vault supports several WORM-compliant devices, such as Network Appliance NearStore with SnapLock, EMC Centera, IBM DR550, and Pegasus WORM Optical and WORM UDO media types. 7. Configure Public Folder archiving (optional). Acme Corp. is also storing historical messages, posts, and documents in various Exchange Server Public Folder trees. For Public Folder archiving, an archiving task is configured for one or more Top Level Folder (TLF) tree(s) that Acme Corp. will archive. Public Folder archiving behaves in a similar fashion to mailbox archiving, and similar archiving policies, archiving tasks, and schedules must be configured. 21

24 Figure 5. Various archiving tasks for an Exchange server in Enterprise Vault 8. Configure SMTP archiving to receive spam messages from Symantec Mail Security 8260 appliances. Enterprise Vault can be configured at Acme Corp. to capture and archive (into appropriate spam-retention archives) s sent directly to the archive servers from Symantec Mail Security 8260 appliances deployed at Acme Corp. As described above, these need to be retained for 180 days. (Refer to the section above titled Deploying Symantec Mail Security 8200 Series Appliances for further details on how to configure Symantec Mail Security 8260 appliances to forward spam s to Enterprise Vault.) Acme Corp. can install and configure the Enterprise Vault SMTP Archiving components on the desired Enterprise Vault servers. These make use of IIS SMTP services from the Windows Server platform, and are configured with a list of variables describing the Acme Corp. domains for which spam messages are being archived, and an archive structure (flat journal, or per recipient structured) for these archived domains. Acme Corp. can deploy SMTP archiving to capture for internal domains, where incoming spam has been received and forwarded directly to the archive. Acme Corp. can also deploy SMTP archiving to capture for external domains, where Content Compliance policies may have been triggered and a copy of an outgoing has been forwarded directly to the archive for retention. 22

25 a. Install the Enterprise Vault SMTP Archiving components. SMTP Archiving components must be installed on a Windows SMTP server. This may be the Enterprise Vault server, or a server dedicated to the tasks of capturing SMTP for archiving. Enterprise Vault SMTP Archiving components are installed directly from the Enterprise Vault CD. Consult the SMTP Archiving Guide for further details. b. Configure the SMTP Archiving components. The configuration file specifies the following details: The SMTP virtual server to which SMTP Archiving is to bind The address domains that SMTP Archiving is to process (note that domains not specifically configured will be processed into a default folder) The folders, and folder structure, on the server where SMTP Archiving is to put messages as they are captured for archiving Edit the file using a plain text editor such as Notepad, and save it as a Unicode file. Example Configuration File for Acme Corp.: [Server] Name=Default SMTP Virtual Server Priority=16000 NonDeliveryFolder=d:\EvMailRoot\ServerDefault DiskFullRetryLimit=0 [Domain] Name=acmecorp.com Path=d:\EvMailRoot\AcmeCorp [Domain] Name=acme.com Path=d:\EvMailRoot\Acme AutoEnableMbxFolders=True IndexingLevel=Brief NonDeliveryFolder=d:\EvMailRoot\Acme\NonDelivery 23

26 c. Create the required domain root folders. This is where the SMTP Archiving components queue the messages for archiving into a Vault Store. d. Configure archiving of the messages captured by SMTP Archiving components. Configuration of archiving schedules, target archives and Vault Stores, and other policy-based factors is achieved from the Enterprise Vault Administration Console. Acme Corp. can configure separate target archives, and even separate physical storage, for spam messages that need to be retained in this way as described above. Consult the Enterprise Vault SMTP Archiving Guide for further details. Deploying additional components Veritas Enterprise Vault Discovery Accelerator Discovery Accelerator enables companies to conduct searches of archived mail and documents in response to a legal discovery. Discovery Accelerator enables the company legal team to review items found by the searches to determine their relevance to the case. Items marked as being relevant to the case can be exported to be used as evidential records, as required. Consult the Enterprise Vault Discovery Accelerator Installation and Administration guides for specific details. Veritas Enterprise Vault Compliance Accelerator Compliance Accelerator enables organizations to monitor employees electronic messages (including and instant messages) to ensure compliance to policy, or good business practice. This is typically used at brokerage houses to monitor messages to meet regulation supervision requirements. It provides two main ways of monitoring Random samples of each employee s messages can be captured and sent for review each day; or all messages can be searched against a predefined lexicon for words or phrases that may indicate non-compliance. Consult the Enterprise Vault Compliance Accelerator Installation and Administration guides for specific details. 24

27 Symantec Mail Security 8160 Appliance Symantec Mail Security 8260 Appliance Symantec Mail Security for Microsoft Exchange Internet Gateway spam and content filtering Reduce spam and viruses Outbound content filtering and quarantine Monitor policy Delete or quarantine Mail server antivirus and antispam Application Storage SAN: Fibre Channel Archive; selective spam journaling Archive; real-time journaling archive Veritas Enterprise Vault for Exchange Archive Storage CAS, NAS; SATA Tape, Optical, etc. Figure 6. Final chosen security and archiving deployment topology for Acme Corp., showing new Symantec Mail Security appliances and software, and Veritas Enterprise Vault Scenario 2: Beta Corporation (Beta Corp.) Beta Corporation (Beta Corp.) runs a clustered Microsoft Exchange Server 2003 messaging and groupware system. Beta Corp. wants to avoid message journaling and associated journal archiving in Exchange, but wants to archive a copy of all messages where the words Confidential, Client Privileged, or Internal Only appear, directly to a separate administrative archive for three years for later discovery purposes. Beta Corp also wishes to archive spam s directly to Enterprise Vault for 60 days, instead of a quarantine location, as it provides a lower-cost store to maintain spam in case of false positives, as well as a full text index content search for the spam in temporary hold. Beta Corp. also wants to ensure appropriate levels of antivirus and antispam defenses including a significant reduction in network traffic associated with spam before it reaches the organization. Additionally, Beta Corp. wants to archive the messages retained in users mailboxes after 90 days to ensure optimization of storage associated with, and operational running of, Microsoft Exchange systems. 25

28 Firewall Bridgehead Server Mail server antivirus Internet Microsoft Exchange 2003 Some quarantined Application Storage SAN: Fibre Channel Figure 7. Existing and groupware topology at Beta Corp. Solution: To achieve the stated goals in this scenario, Beta Corp. can implement the following solution where Symantec Mail Security and Veritas Enterprise Vault work together: Desired goal Archive a copy of all external records showing target phrases Reduce network traffic due to spam before the network perimeter Further reduce spam and virus-infected after acceptance, archive spam messages, and enforce policy Ensure appropriate levels of antivirus for Exchange servers and clients Search, review, and produce messages as evidential records Solution chosen for deployment Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving Symantec Mail Security 8160 appliance with SMTP Traffic Shaping Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus Corporate Edition Veritas Enterprise Vault Discovery Accelerator Accordingly, the following products are chosen for deployment at Beta Corp. Vendor Product Version/Type Symantec Mail Security 8100 Series 8160/Appliance Symantec Mail Security 8200 Series 8260/Appliance Symantec Mail Security for Microsoft Exchange 5.0/Cluster Aware Symantec Enterprise Vault for Exchange 6.0/Server + Standby Optional products below are also chosen for deployment at Beta Corp. Vendor Product Version/Type Symantec Enterprise Vault Discovery Accelerator 5.0/Server 26