WHITE PAPER: ENTERPRISE SOLUTIONS
Email Security and Availability
Implementing Email Security and Archiving Solutions from Symantec
By Nick Wade, Senior Product Manager, Enterprise Vault
Contents
Executive summary
Introduction
Symantec integrated solutions
  Email security
  Email archiving
  Available solutions
How to integrate email security and archiving
Scenario 1: Acme Corporation (Acme Corp.)
  Deploying Symantec Mail Security 8100 Series
  Deploying Symantec Mail Security 8200 Series
  Deploying Symantec Mail Security for Microsoft Exchange
  Deploying Veritas Enterprise Vault
  Deploying additional components
Scenario 2: Beta Corporation (Beta Corp.)
  Deploying Symantec Mail Security 8100 Series
  Deploying Symantec Mail Security 8200 Series
  Deploying Symantec Mail Security for Microsoft Exchange
  Deploying Veritas Enterprise Vault
  Deploying additional components
Tested Solutions
Summary
Executive summary

Email usage has transformed how we conduct business and directly affects how rapidly and efficiently we may exchange information. Consequently, email has become a critical application service in the organization. As a result, email security and integrity are paramount concerns, as are email service availability and optimization technologies, including email archiving. Additionally, businesses face increasing regulatory requirements that mandate appropriate levels of record retention and management, including business records comprising varied forms of electronic messaging.

This white paper details, at a high level, how to achieve an advantageous combination of best-of-breed email security and archiving technologies from Symantec Corporation. These technologies can assist with satisfying the varying needs of email security, email archiving, and records retention associated with email and electronic messages. The hypothetical Acme Corporation and Beta Corporation that are discussed illustrate the example challenges and solutions associated with email security as pertains to:

- Inbound email hygiene at the network perimeter and inside the organization
- Email content compliance with regard to outbound email and intra-organizational email
- Email archiving for storage management and optimization of Exchange Server services, as well as journaling and compliance-related capture of email messages passing through the organization to meet regulatory and/or privacy requirements

This white paper describes how two businesses (Acme and Beta Corporations) can deploy Symantec Mail Security appliances and software both within and without the organization to achieve email security and content compliance goals.
It further describes how to integrate the Symantec technology with Veritas Enterprise Vault to ensure that necessary email messages are captured and retained in a cost-effective and usable manner, optionally including any necessary antivirus- and antispam-related messages that may need to be captured and retained in an appropriate low-cost and secured archive for compliance or privacy reasons.
Introduction

Electronic mail (email) has transformed how we conduct business in the modern day: how we exchange thoughts, ideas, proposals, and information, as well as the speed and efficiency with which we can conduct business. Email has become as important, if not more important, in our personal and business lives as the telephone itself. Over the past 10 years, we have gone from leveraging email as an alternative communications vehicle to depending on it as our most mission-critical application. According to the Enterprise Strategy Group, more than 60 percent of mid- and enterprise-tier businesses together believe that email is the number one mission-critical business application for their organization (Enterprise Strategy Group, March 2004, Case Study: Exchange Storage, Information and Protection).

The fact that email also serves as a detailed transaction record for a company makes it valuable as evidence in a court of law, proof that companies are following regulations, and a source for identifying violations of internal company policies. As a result, more companies are deciding to preserve email for longer periods of time, in a verifiable and non-repudiated archive format.

However, the very things that make email valuable to an organization also expose it to a great deal of risk and liability. Its ubiquity and simplicity have consequently made it the preferred method for transferring:

- Any data between users, including non-business content such as multimedia files and executables, or even company confidential information outside corporate walls
- Threats and disruptions to thousands of users, such as viruses and spam, at high anonymity, high volume, and very low cost

Consequently, we spend countless hours, budget, and resources defending and worrying about how to keep email running smoothly.
To this end, IT professionals look at security issues such as reducing spam or blocking viruses and at availability issues such as making sure the email application, systems, and data are there when needed, even in the event of a disaster or long after the emails were sent. However, as the checklist of what it takes to keep an email system grows, IT is now looking for a more holistic solution to balancing the cost and risk associated with email. Coupled with this view is the emerging need to retain high-threat content such as virus-loaded or spam emails in regulated industries as part of the corporate record, with a strong desire to retain such emails in a quarantined yet searchable fashion.
Simultaneously, businesses and IT professionals are being driven to consider how to reduce management costs associated with the email infrastructure. The increase in volume of emails coming into the corporate network introduces an exponential growth in associated hard costs by regularly exceeding available capacity of traditional email gateway systems, mail transfer agents, email storage servers, groupware servers, and network bandwidths. Symantec offers integrated, best-of-breed, and market-leading email security and archiving solutions.

Symantec integrated solutions

Symantec is now able to offer a comprehensive solution that enables email security and availability. These unique technologies and services control and manage the flow of email information from start to finish, helping protect an organization against risks, ensuring uptime of systems and users, satisfying compliance and document retention requirements, while at the same time minimizing the total cost of ownership for email. See Figure 1 for how Symantec's technology and service offerings map to the layered approach described in Symantec's Email Security and Availability white paper (http://enterprisesecurity.symantec.com/pdf/EmailSecurity06292005_wp_EN.pdf).

[Figure 1. Overview: Symantec's email security and availability approach. Layers shown: Email security (perimeter scan, groupware scan); Email archiving (archiving, indexing, search, retrieval); Resilient foundation (backup, recovery, storage, clustering).]
Email security

Historically, antivirus and antispam technologies have been defined largely as security services. In fact, integrated mail scanning is commonly referred to as email security, although this is not entirely accurate. For example, a security threat like a mass-mailer worm has the potential to take end-user systems, even network segments, offline indefinitely. Clearly, this also impacts the availability of email, especially for those users and their business.

Email archiving

In the same way that email security tools act as the first lines of defense in keeping unwanted email out of the messaging system environment, email archiving works on the back end to move saved email messages out of the environment, while at the same time maintaining the availability of the data should it need to be accessed by end users, legal personnel, or HR. Although often used for regulatory purposes, archiving can be an important tool simply to maintain the availability of email infrastructure by controlling the amount of data in the primary messaging systems and, as a result, additionally affecting management costs positively.

Available solutions

Solutions available from Symantec for email security include Symantec Mail Security for Microsoft Exchange, Symantec Mail Security for Domino, Symantec Mail Security 8100 Series and 8200 Series appliance systems, Symantec AntiVirus Corporate Edition, and Symantec Brightmail AntiSpam. Solutions available for email archiving include its flagship market-leading product, Enterprise Vault.

Veritas Enterprise Vault (now from Symantec) is a software-based archiving framework enabling the discovery of content in Microsoft Exchange, SharePoint Portal Server, Lotus Notes, SMTP, IM, and file server environments, while reducing storage and management. Enterprise Vault manages content via policy-controlled archiving to online stores for active retention and seamless retrieval of information.
The combination and interaction of these proven, market-leading technologies into a holistic solution for achieving the desired overall goals of email security, email availability, optimization of ongoing management costs, and satisfaction of regulatory requirements can be very powerful. This white paper details some practical, integrated, and tested email security and archiving solutions using the above-mentioned products that our customers can deploy today to derive these benefits.
How to integrate email security and archiving

To understand how to potentially leverage the synergy from deploying a combined and proven email security and archiving solution from Symantec, consider the following example scenarios:

Scenario 1: Acme Corporation (Acme Corp.) uses Microsoft Exchange 2003, and wishes to:

- Journal all legitimate email messages for regulatory purposes
- Ensure appropriate levels of antivirus and antispam defenses
- Optionally archive selected spam email messages to more cost-effective storage
- Monitor email policy compliance and block emails that are out of policy

Scenario 2: Beta Corporation (Beta Corp.) also uses Microsoft Exchange 2003, and wishes to:

- Avoid journaling of all email messages due to the load (Beta Corp. is non-regulated)
- Archive email messages for users after 90 days for email server optimization
- Archive spam to a cost-effective temporary location for 60 days, and provide a full text search
- Archive a copy of inbound or outbound email messages where target words and phrases are found
- Ensure appropriate levels of antivirus and antispam defenses

[Figure 2. Overview: components of implementing email security and archiving solutions from Symantec. Diagram showing the Internet, Symantec Mail Security 8160, the firewall, Symantec Mail Security 8260, Microsoft Exchange 2003, Symantec Mail Security for Microsoft Exchange, the mailbox and journal stores, and Veritas Enterprise Vault for Exchange with user archives and journal archives.]
Scenario 1: Acme Corporation (Acme Corp.)

Acme Corporation (Acme Corp.) runs a clustered Microsoft Exchange Server 2003 messaging and groupware system. Acme Corp. wants to journal and archive all legitimate email for three years, but also wants to ensure appropriate levels of antivirus and antispam defenses, including a significant reduction in network traffic associated with spam before it reaches the organization. They also want to be able to optionally archive certain selected spam email messages because their regulatory requirements state that they need to maintain such emails for 180 days in case they were used to obfuscate any illegal communications. Additionally, Acme Corp. needs the ability to monitor compliance with email policy and stop serious breaches of policy before email even leaves the organization's boundary.

[Figure 3. Existing email and groupware topology at Acme Corp. Diagram showing the Internet, firewall, bridgehead server, mail server antivirus (some email quarantined), Microsoft Exchange 2003, and application storage on a Fibre Channel SAN.]
Solution: To achieve the stated goals in this scenario, Acme Corp. can implement the following solution where Symantec Mail Security and Veritas Enterprise Vault work together:

Desired goal | Solution chosen for deployment
Journal and archive all legitimate email records | Microsoft Exchange Server 2003 Journaling, with Veritas Enterprise Vault for Exchange Journal Archiving
Reduce network traffic due to spam email before the network perimeter | Symantec Mail Security 8160 appliance with SMTP Traffic Shaping
Further reduce spam and virus-infected email after acceptance, archive spam email messages, and enforce email policy | Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving
Ensure appropriate levels of email antivirus for Exchange servers and clients | Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus Corporate Edition
Regularly review a sample of email traffic sent and received by users | Veritas Enterprise Vault Compliance Accelerator
Search, review, and produce email messages as evidential records | Veritas Enterprise Vault Discovery Accelerator

Accordingly, the following products are chosen for deployment at Acme Corp.:

Vendor | Product | Version/Type
Symantec | Mail Security 8100 Series | 8160/Appliance
Symantec | Mail Security 8200 Series | 8260/Appliance
Symantec | Mail Security for Microsoft Exchange | 5.0/Cluster Aware
Symantec | Enterprise Vault for Exchange | 6.0/Server + Standby

Optional products below are also chosen for deployment at Acme Corp.:

Vendor | Product | Version/Type
Symantec | Enterprise Vault Compliance Accelerator | 6.0/Server
Symantec | Enterprise Vault Discovery Accelerator | 5.0/Server
Deploying the Symantec Mail Security 8100 Series

Deployment of Symantec Mail Security 8160 appliances allows Acme Corp. to employ a best-of-breed appliance that leverages market-leading unique antispam traffic-shaping technology. Acme Corp. is able to reduce email infrastructure costs by restricting connections from spam-sending servers and significantly reducing the received amounts of spam before they are even accepted into the corporate email system at the network boundary. Their objective is to significantly reduce the transfer capacity available to spammers, while continuing to maintain it for legitimate sources of email.

Symantec Mail Security 8160 appliances may be configured in one of two modes: Virtual Bridge or Router. A Virtual Bridge is well-suited when one IP subnet exists where the appliance is deployed, and a Router is well-suited when the appliance is routing between two different subnets. Acme Corp. has one external DMZ subnet and will install the 8160 appliances in Virtual Bridge mode as a result.

1. Install and initialize 8160 appliances.
Before beginning installation, Acme Corp. needs the following for Virtual Bridge mode:

- Valid license file from Symantec
- Host name, including domain (FQDN)
- IP address and netmask for the appliance (in Virtual Bridge mode, only one IP per appliance is needed)
- If implementing a high-availability cluster at the same location:
  - IP address and netmask for the second appliance
  - VRID for both appliances
- Domain Name Servers (DNS)
- NTP Servers (optional)
- List of protected servers
2. Configure network settings, and user/management access.
Acme Corp. can then specify the IP address, host name, new administrator password, and other user and management access levels within the Control Center for the 8160 appliance installation.

3. Specify and configure any base settings.
The 8160 appliances are then configured with any base settings as needed by Acme Corp.:

- Network routes
- Protected servers (internal hosts and their gateways)
- Exempt IPs (internal hosts for which no SMTP traffic shaping is done)
- Connection shaping (SMTP traffic shaping)
- Necessary SNMP data collection

For further details on any aspect, refer to the Symantec Mail Security 8100 Series Implementation Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.

Deploying the Symantec Mail Security 8200 Series

Deployment of Symantec Mail Security 8260 email security appliances allows Acme Corp. to further employ best-of-breed appliance technology that leverages over 20 spam prevention techniques, including Symantec Brightmail AntiSpam, Directory Harvest Attack Prevention, and Sender Reputation techniques. These techniques reduce email infrastructure costs by significantly reducing the received amounts of accepted spam, after initial spam reduction is effected by 8160 appliances. Additionally, content compliance features allow administrators to gain control over inbound and outbound email content so they can enforce internal or regulatory email content policies, before an issue even arises.

To derive the full potential benefits of such a solution, an appliance deployment is required both outside the network perimeter (8160 appliances: reducing spam and associated network traffic before entry to the network) and inside the organization (8260 appliances: further antispam, antivirus, content compliance, and email policy enforcement).
Symantec Mail Security 8260 appliances may be configured in a number of roles, and all of these may be needed in a larger implementation:

- Scanner: Performs email filtering. You can set up one or many Scanner appliances.
- Control Center: Manages your system. Each Symantec Mail Security 8200 Series installation has exactly one Control Center appliance. The Control Center can manage multiple Scanner appliances.
- Control Center and Scanner: Performs both functions. Suitable for smaller installations.

The Control Center appliance also hosts Quarantine, a component that stores spam messages and provides end users access to their spam messages. You can also configure Quarantine for administrator-only access. Use of Quarantine is optional.

1. Install the first Symantec Mail Security 8260 appliance in the organization.
This is known as the Control Center and is where Acme Corp. also configures their initial set of policies. The Control Center further serves as the administrative console to add any additional appliances into the site. The first Symantec Mail Security 8260 appliance will be installed inside the corporate network behind Acme Corp.'s firewalls.
2. Install additional Symantec Mail Security 8260 appliances.
Any additional internal Scanner appliances may be installed and configured with Acme Corp.'s content compliance policies, directly from the Control Center. External appliances may also be installed outside the company's firewalls in the DMZ, and configured with appropriate email security policies. Symantec Mail Security 8260 appliances are hardened, self-contained units designed for operation in an unsecured network in front of the company's firewalls and Exchange servers.

3. Configure all internal Scanner appliances with Acme Corp.'s content compliance policies.
Symantec Mail Security 8260 appliances provide a wide variety of actions for filtering email and allow Acme Corp. to either set identical options for all users or specify different actions for different groups of users. Groups of users can be specified based on email addresses, domain names, or LDAP groups. For each group, Acme Corp. can specify an action or group of actions to perform, given a particular verdict on an email message that is being checked by the appliance. Some examples are shown in the table below:

Desired goal: Allow messages that meet policy to pass
Symantec Mail Security 8260 action: Deliver Normally
Details: Messages that do not meet any filter criteria defined in the system will be allowed to pass as normal. This may be the majority of email messages being sent from the organization.

Desired goal: Archive a copy of policy medium-risk messages
Symantec Mail Security 8260 action: Archive, or BCC
Details: Messages that contain certain phrases or words, attachment types, or are addressed to certain destinations may meet internal policy conditions allowing them to pass normally, but also may be archived to Veritas Enterprise Vault additionally for records management purposes.

Desired goal: Block and archive a copy of policy high-risk messages
Symantec Mail Security 8260 action: Archive + Delete
Details: Messages that are outside policy may be deleted and stopped from leaving the organization. Additionally, they may be archived to Veritas Enterprise Vault and placed into a review queue to ensure that they are examined by the organization to determine the policy breach that has occurred.
4. Configure all Scanner appliances with Acme Corp.'s email security policies.
Again, for each group of users, Acme Corp. can specify actions and groups of actions to perform given a particular verdict. Given Acme Corp.'s goals of providing appropriate email security for the business at the perimeter of the network, while still retaining the ability to archive selected spam messages to Veritas Enterprise Vault, some examples are given below:

Desired goal: Allow messages that meet policy to pass
Symantec Mail Security 8260 action: Deliver Normally
Details: Messages that do not meet any filter criteria defined in the system will be allowed to pass as normal.

Desired goal: Clean virus-infected emails and pass normally
Symantec Mail Security 8260 action: Clean
Details: Where possible, messages that are infected with a virus will be cleaned and delivered normally. Where the message contains a virus that cannot be cleaned, it will be deleted and prevented from entering the organization.

Desired goal: Prevent email Directory Harvest attacks, and other virus/spam attacks
Symantec Mail Security 8260 action: Email Firewall
Details: Emails may be flagged because an attempt is under way to mass-mail the organization and correlate NDRs with messages sent, or because a certain number of infected or spam messages are received from the same IP address. Symantec Mail Security 8260 appliances block these events effectively from the business.

Desired goal: Reduce network traffic associated with SMTP connections for spam delivery
Symantec Mail Security 8260 action: Throttle Attack
Details: Network connections from sources that are sending certain levels of spam may be throttled and restricted so as to reduce the amount of bandwidth and data that is associated with these connections. For example, connections from a known spammer may be restricted to 9.6 kb/s to mimic the effect of a poor modem connection.

Desired goal: Archive spam email messages
Symantec Mail Security 8260 action: Archive (+ optional Delete or Quarantine)
Details: Email messages flagged as spam by email filters available from Symantec, or as suspected spam by configurable spam scoring levels, may be treated in a number of optional ways:
  1. Forwarded to Quarantine (optionally notifying the user)
  2. Forwarded to the user's Spam Folder in Exchange (optionally annotated as "Spam" or "Suspected Spam"), later deleted or archived
  3. Archived to an administrative SMTP address in Enterprise Vault (optionally a percentage of these may be reviewed) for compliance or privacy purposes
  4. Blocked and deleted at the appliance before entering the organization (can be useful for known spam email messages)
5. Configure 8260 appliances to forward spam to Enterprise Vault for archiving.
Acme Corp. needs to retain email messages that are not delivered to end users for a period of 180 days, as described above. There are two options that allow Acme Corp. to easily achieve this:

a. Configure spam forwarding ("Archive" action in Symantec Mail Security 8260) to Enterprise Vault via SMTP archiving.
Acme Corp. can simply archive email messages that are flagged by Symantec Mail Security as spam, by administratively forwarding them directly to an SMTP capture address in Enterprise Vault. These will then be archived for each recipient at Acme Corp. into an administrative set of spam retention archives as necessary, and can be immediately searched, reviewed, and exported as necessary (please refer to the section "Deploying Enterprise Vault" below for further details).

b. Configure spam forwarding ("Archive" action in Symantec Mail Security 8260) to a Microsoft Exchange journal mailbox, with Enterprise Vault for Exchange Journal Archiving.
Acme Corp. can also archive spam email messages by administratively forwarding them to a designated journal mailbox in Microsoft Exchange, dedicated to the task. These will then be archived into a flat journal archive for retention as necessary, and can immediately be searched, reviewed, and exported as necessary. This option may be beneficial if Acme Corp. also wishes to regularly review a random-percentage sample of spam email messages on a daily or weekly basis, by combining Enterprise Vault for Exchange Journal Archiving with Enterprise Vault Compliance Accelerator (please refer to the section "Deploying Enterprise Vault" below for further details).

6. Configure email routing from 8160 appliances to deliver email messages to 8260 appliances.
This step effects the in-stream deployment of the 8260 appliances for incoming email messages.
Note: Symantec Mail Security 8260 appliances are not the final delivery point for messages being received by Acme Corp., and 8260 appliances will forward legitimate email messages for final distribution to the Microsoft Exchange Server 2003 Organization.

7. Reconfigure the Exchange Organization to send outgoing email to internal Symantec Mail Security 8260 appliances.
This step completes the deployment of Symantec Mail Security 8200 Series appliances for Acme Corp. by submitting all outgoing email messages to the content compliance and email policy checks as chosen and configured by Acme Corp. (see step 3 above).

For further details on any aspect, refer to the Symantec Mail Security 8200 Series Implementation Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.
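The Email Firewall and Throttle Attack entries in step 4 describe source-level decisions: flag a sending IP that probes for recipients or sends a certain number of spam or infected messages, and throttle sources sending certain levels of spam. The Python below is an added example, not Symantec code, that replays a constructed log through per-IP sliding windows to reach those decisions. The log format, window, thresholds, and action labels are assumptions; only the 9.6 kb/s rate comes from the table.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Every threshold here is an assumption for illustration, not a product default.
WINDOW = timedelta(minutes=10)  # look-back window kept per source IP
DHA_MIN_RCPTS = 4               # recipient attempts needed before judging
DHA_UNKNOWN_RATIO = 0.8         # share of unknown recipients => harvest attempt
ATTACK_BAD_MSGS = 4             # spam/virus messages in window => block source
THROTTLE_MIN_MSGS = 3           # messages needed before judging spam share
THROTTLE_SPAM_RATIO = 0.5       # spam share => shape the connection
THROTTLE_BPS = 9600             # the 9.6 kb/s figure quoted in the table
RANK = {"deliver": 0, "throttle": 1, "block": 2}

# Constructed sample log in a hypothetical format: time, source IP, whether the
# recipient exists in the directory, filter verdict ("-" = no message accepted).
SAMPLE_LOG = """\
2005-09-01T10:00:00 198.51.100.20 rcpt=known verdict=clean
2005-09-01T10:03:00 198.51.100.20 rcpt=known verdict=clean
2005-09-01T10:00:05 203.0.113.7 rcpt=unknown verdict=-
2005-09-01T10:00:06 203.0.113.7 rcpt=unknown verdict=-
2005-09-01T10:00:07 203.0.113.7 rcpt=unknown verdict=-
2005-09-01T10:00:08 203.0.113.7 rcpt=unknown verdict=-
2005-09-01T10:01:00 192.0.2.44 rcpt=known verdict=spam
2005-09-01T10:02:00 192.0.2.44 rcpt=known verdict=clean
2005-09-01T10:03:00 192.0.2.44 rcpt=known verdict=spam
2005-09-01T10:05:00 203.0.113.50 rcpt=known verdict=virus
2005-09-01T10:05:10 203.0.113.50 rcpt=known verdict=virus
2005-09-01T10:05:20 203.0.113.50 rcpt=known verdict=virus
2005-09-01T10:05:30 203.0.113.50 rcpt=known verdict=virus
2005-09-01T10:00:00 198.51.100.77 rcpt=known verdict=spam
2005-09-01T10:00:10 198.51.100.77 rcpt=known verdict=spam
2005-09-01T11:00:00 198.51.100.77 rcpt=known verdict=spam
2005-09-01T11:00:10 198.51.100.77 rcpt=known verdict=spam
truncated line
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    rcpt_known: bool
    verdict: str


def parse_log(text):
    """Parse the constructed format above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            ts, ip, rcpt, verdict = line.split()
            events.append(Event(datetime.fromisoformat(ts), ip,
                                rcpt == "rcpt=known", verdict.split("=", 1)[1]))
        except (ValueError, IndexError):
            continue
    return sorted(events, key=lambda e: e.ts)


def classify(window):
    """Map one source's events inside the window to a source-level action."""
    unknown = sum(1 for e in window if not e.rcpt_known)
    msgs = [e for e in window if e.verdict != "-"]
    bad = sum(1 for e in msgs if e.verdict in ("spam", "virus"))
    spam = sum(1 for e in msgs if e.verdict == "spam")
    if len(window) >= DHA_MIN_RCPTS and unknown / len(window) >= DHA_UNKNOWN_RATIO:
        return "block:directory-harvest"
    if bad >= ATTACK_BAD_MSGS:
        return "block:spam-virus-attack"
    if len(msgs) >= THROTTLE_MIN_MSGS and spam / len(msgs) >= THROTTLE_SPAM_RATIO:
        return f"throttle:{THROTTLE_BPS}bps"
    return "deliver"


def evaluate(text):
    """Replay the log in time order; return the strongest action per source IP."""
    windows, result = defaultdict(deque), {}
    for ev in parse_log(text):
        win = windows[ev.ip]
        win.append(ev)
        while ev.ts - win[0].ts > WINDOW:  # age out events older than WINDOW
            win.popleft()
        action = classify(win)
        current = result.setdefault(ev.ip, "deliver")
        if RANK[action.split(":")[0]] > RANK[current.split(":")[0]]:
            result[ev.ip] = action
    return result


if __name__ == "__main__":
    for ip, action in sorted(evaluate(SAMPLE_LOG).items()):
        print(f"{ip:15} {action}")
```

The source 198.51.100.77 stays at "deliver" at the source level because its two bursts are an hour apart and age out of the window; each of its messages still carries its own spam verdict and per-message action.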
Deploying Symantec Mail Security for Microsoft Exchange

Despite having solid perimeter protection in place, it is still necessary for Acme Corp. to inspect internal mail traffic. There are many reasons why this is valuable:

- Scanning for viruses that enter through other vectors, such as personal Web-based email, removable media, remote laptop users whose virus definitions are not current, and more.
- Preventing unwanted or oversized content from being sent through the internal mail system's Exchange servers. Messages with confidential or inappropriate content can be removed from the store before anyone can view the message.
- Post-attack, performing virus cleanup of message stores using the latest antivirus definitions. Groupware protection allows viruses and content violations within the message store to be removed without end-user intervention.

As a result, mail server protection solutions, such as those for Microsoft Exchange and Lotus Domino, should be able to inspect content in real time during submission and also on later client access, along with regularly scheduled sweeps of content stored within the system. Symantec Mail Security for Microsoft Exchange gives Acme Corp. these required benefits and more.

1. Install Symantec Mail Security for Microsoft Exchange: remotely manage multiple installations of Symantec Mail Security for Microsoft Exchange
Symantec Mail Security for Microsoft Exchange can be installed as a console to remotely manage multiple servers on an individual basis or as a group. A console installation of Symantec Mail Security for Microsoft Exchange is typically installed on a client machine (Windows XP or Windows 2000) and used to manage product settings remotely. Groups can be created of servers with similar functions for easier management.

2. Install Symantec Mail Security for Exchange on Exchange 2003 cluster nodes
Symantec Mail Security for Microsoft Exchange is fully cluster aware when installed in a Windows cluster environment and also supports Veritas clustering. Symantec Mail Security should be installed onto Exchange Cluster nodes while they are in a passive state to ensure that working Exchange Virtual Servers are not affected negatively by the installation processes.

Note: It is important that each node in the Microsoft Exchange Server 2003 cluster have Symantec Mail Security for Microsoft Exchange binaries installed in the same location on the applications disk drive. It is also important that the latest updates and definitions for Symantec Mail Security for Microsoft Exchange are installed by the administrator as installation is completed.
3. Install Symantec AntiVirus Corporate Client on Exchange cluster nodes
It is also recommended that Symantec AntiVirus with LiveUpdate is installed on each Exchange cluster node. LiveUpdate will ensure that antivirus definitions and Symantec Mail Security for Microsoft Exchange updates are downloaded and installed automatically as soon as they are available. In order to successfully install and bring online a working Microsoft Exchange 2003 Virtual Server with Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus, exclusions should be added to Symantec AntiVirus for the working directories used by Symantec Mail Security for Microsoft Exchange, and for certain Exchange directories. This is covered in a Symantec Knowledge Base Document (ID: 2004052416452048). (Search for this ID at the following URL: www.symantec.com/techsupp/.)

4. Install (or renew) license files to remote servers
Acme Corp. must install a license file on each server that is running Symantec Mail Security for Microsoft Exchange in order to activate a content license. This ensures that each server can receive the latest virus definitions updates. Acme Corp. can install a license file from the console for a remote server group or for a remote single server, or they can install it on each individual server directly.

5. Install Spam Folder Agent for Exchange
This agent lets Acme Corp. additionally route spam messages to a spam folder in each recipient's mailbox. This option is available for Microsoft Exchange Server 2000/2003 installations. The Spam Folder Agent should be installed on Exchange servers where mailboxes physically reside. The agent creates a spam folder in each user's mailbox automatically. When spam messages are tagged for Spam Folder Agent delivery, the messages are delivered to the spam folder. Tagging may be accomplished by the Symantec Mail Security 8260 appliances at Acme Corp.

Acme Corp. may use spam folders as a means of archiving suspected spam that is delivered directly to end users for review. To ensure that such messages are not left in Exchange mailboxes for more than a few days, apply a folder-level mailbox archiving policy in Enterprise Vault to the spam folder for each user that archives all messages after a short time (e.g., five days). This can be separate from, and override, any other default mailbox archiving policy for the users (refer to the section "Deploying Enterprise Vault" below for further details).
6. Enable event forwarding to Symantec Enterprise Security Architecture (optional)

Symantec Mail Security for Microsoft Exchange supports event forwarding to Symantec Enterprise Security Architecture (SESA). SESA is an event management system that employs data collection services for events that Symantec security products generate. When a product is SESA enabled, you can use the SESA Console to view the events that it forwards to SESA. The SESA Console provides a central location from which to view and manage the reporting of event data across multiple SESA-enabled security products. For more information on SESA, see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administrator's Guide.

Acme Corp. also needs to configure antivirus, further antispam, and other policy aspects of Symantec Mail Security for Microsoft Exchange appropriately. For further details on any aspect, refer to the Symantec Mail Security for Exchange Implementation Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.

Deploying Veritas Enterprise Vault

Enterprise Vault 6.0 is installed on Windows Server 2003 to host the archive for Exchange servers at Acme Corp., as well as the archive for any spam email messages captured directly from the Symantec Mail Security 8260 appliances, and a variety of other information within the business. The Enterprise Vault data is stored on a near-line NAS device (or SAN, DAS, SATA, etc.), initially to ensure rapid access to archived content, while providing storage cost benefits desired by Acme Corp. at the same time. Later during the lifecycle of archived email messages (and other information), they may be moved by Enterprise Vault onto other storage devices such as tape or optical libraries for long-term retention.

Messages retained in users' mailboxes will be archived as they age and become subject to predefined, configurable archiving policies. This ensures that Exchange Server 2003 mailboxes never grow beyond manageable levels; that Exchange servers remain optimized as a result; that backup windows are maintained, and SLAs are achievable; and end users receive a better mailbox service overall.

Additionally, Acme Corp. can automatically locate, associate (with the owning user), and archive the contents of user PST files on the network. This not only removes the files from the organization but also ensures that Acme Corp. can disclose the email records within by consolidating them into one central, scalable, searchable archive.
Every message being sent to, from, or within Acme Corp.'s email server environment will be journaled and archived into Enterprise Vault. Generally, Enterprise Vault compresses all items down to 50 percent of their original size (some compressed file formats, such as .zip, .jpg, and .gif, cannot be further compressed) and further reduces archive storage needs by single instancing objects that are the same, regardless of their source (across multiple Exchange servers and PST files, across distributed file systems, and across multiple SharePoint servers and sites).

1. Install Enterprise Vault servers into the internal server network.

A number of Enterprise Vault servers commensurate with the archiving throughput needs of Acme Corp. are installed in the company's internal networks. Enterprise Vault servers host a number of services and tasks that run on the Windows Server platform, and address archiving needs for target Exchange servers, including Journal archiving, Mailbox archiving, Public Folder archiving, and SMTP email capture and archiving. Enterprise Vault services and tasks run under a security account context in the Active Directory domain, so a service account is created for each Acme Corp. domain housing Exchange servers that need to be archived and managed.

2. Configure Exchange Server 2003 journaling (optional).

Exchange is configured to support envelope journaling. If the current mailbox server is running Exchange Server 2003 Enterprise Edition and has sufficient memory, disk volumes, and processing power to support an additional mailbox store, then Acme Corp. may create an additional Storage Group to host a single database that will support the journaling mailbox(es).

Note: Message journaling or envelope journaling may be used for this purpose and are both supported by Veritas Enterprise Vault.

For every 12,500 items journaled per hour in Exchange Server, the load on the Exchange server increases approximately 10 percent (from Integrated Solutions for Regulatory Compliance with Windows Server Technologies, www.microsoft.com/exchange/evaluation/regcomp.mspx, Microsoft Corporation, 2004). If the current Exchange servers are heavily used or are running Exchange Server 2003 Standard Edition, Acme Corp. may consider deployment of an additional server to host the journaling mailbox(es).
3. Configure SQL Server 2000.

SQL Server 2000 supports configuration data and metadata for Enterprise Vault, and enables Discovery Accelerator and other search applications to quickly find and retrieve previously saved search and case information. One SQL server is necessary to support four to five Enterprise Vault servers of an equivalent size. Acme Corp. chooses to use a currently deployed SQL Server 2000 cluster to support Enterprise Vault application database needs. No end-user information is stored in SQL Server.

4. Configure Windows Storage Server 2003 (or other suitable storage for archives).

Windows Storage Server 2003 is chosen to host the data being managed by Enterprise Vault at Acme Corp. Approximate data storage needs for Enterprise Vault may be determined using the following formula:

    ((Number of items) * (Average item size) * 0.5)/(Average single instance storage ratio)
    + (Number of items)/(Average single instance storage ratio) * 7
    + (Number of items) * 2

For example, suppose Acme Corp. has 500 items, with an average item size of 10 KB and an average single instance storage ratio of 2.2. The data storage needs would be approximated thus:

    ((500) * (10 KB) * 0.5)/(2.2) + ((500)/(2.2)) * 7 + (500) * 2 = 3727.28 KB

Single instance storage on Exchange servers is very similar to the single instance storage of messages within Enterprise Vault, and current single instance storage ratios are a reasonable indicator of how messages will be shared within Enterprise Vault.

Acme Corp. may also choose to utilize tape media storage infrastructure later in the life of archived material (see above), and may do so via the integration of Veritas Enterprise Vault 6.0 and Veritas NetBackup 6.0. This allows tape media in libraries under NetBackup control to provide storage to archive Vault Stores directly within Enterprise Vault.

Note: Windows Storage Server 2003 may not be used to host the Enterprise Vault application services and tasks as this is contrary to Microsoft licensing terms. Only the archive and index data stored by Enterprise Vault may reside on Windows Storage Server 2003.
5. Configure mailbox archiving.

Enterprise Vault servers are responsible for various archiving tasks (mailbox, journal, public folder, PST file migration, etc.) that are dedicated to certain Exchange servers. Acme Corp. needs to configure an appropriate number of Enterprise Vault servers to perform scheduled mailbox archiving for all Exchange Virtual Servers being managed. As a guideline, one Enterprise Vault server may be generally required for every three to four equivalent mailbox home Exchange servers (depending on mailbox numbers per server and email utilization rates). Once configured for each Exchange server, the archiving tasks are started and will then synchronize the initial list of mailbox users and their associated properties from the Exchange Organization and Active Directory.

Users must then be enabled for archiving, which may include configuration of a Vault Store for user email archives, deployment and configuration of any necessary client components (optional), configuration of the mailbox archiving policies for various user groups (globally, by OU, or by grouping via various unique LDAP properties), and final scheduled enablement of users' mailboxes for archiving services. Users may be enabled in groups to allow appropriate phasing of archiving services into Acme Corp.'s organization. Finally, archiving tasks should be scheduled to run at appropriate times, after completion of Acme Corp.'s Exchange Server backup windows.

Figure 4. Exchange mailbox archiving policies in Veritas Enterprise Vault
6. Configure journal archiving.

Exchange servers may host one or more journal mailboxes that receive copies of all messages passing through Exchange Server Stores (refer to 2 above). An Enterprise Vault Journal Archiving Task needs to be configured for each Exchange server and will process one or more journal mailboxes. Journal archiving tasks process journal mailboxes every 60 seconds and, as such, run continuously after the initial startup. Every message and attachment is archived, compressed, single instanced, and indexed immediately. Depending on the desired throughput rates and the number of Exchange servers being journaled, Acme Corp. may optionally configure a dedicated Enterprise Vault server for journal archiving tasks.

Depending on the regulatory requirements Acme Corp. may be addressing by using journaling, the Vault Store partition devices may need to be WORM (Write-Once-Read-Many) compliant. Enterprise Vault supports several WORM-compliant devices, such as Network Appliance NearStore with SnapLock, EMC Centera, IBM DR550, and Pegasus WORM Optical and WORM UDO media types.

7. Configure Public Folder archiving (optional).

Acme Corp. is also storing historical email messages, posts, and documents in various Exchange Server Public Folder trees. For Public Folder archiving, an archiving task is configured for one or more Top Level Folder (TLF) tree(s) that Acme Corp. will archive. Public Folder archiving behaves in a similar fashion to mailbox archiving, and similar archiving policies, archiving tasks, and schedules must be configured.
Figure 5. Various archiving tasks for an Exchange server in Enterprise Vault

8. Configure SMTP email archiving to receive spam email messages from Symantec Mail Security 8260 appliances.

Enterprise Vault can be configured at Acme Corp. to capture and archive (into appropriate spam-retention archives) emails sent directly to the archive servers from Symantec Mail Security 8260 appliances deployed at Acme Corp. As described above, these need to be retained for 180 days. (Refer to the section above titled "Deploying Symantec Mail Security 8200 Series Appliances" for further details on how to configure Symantec Mail Security 8260 appliances to forward spam emails to Enterprise Vault.)

Acme Corp. can install and configure the Enterprise Vault SMTP Archiving components on the desired Enterprise Vault servers. These make use of IIS SMTP services from the Windows Server platform, and are configured with a list of variables describing the Acme Corp. email domains for which spam email messages are being archived, and an archive structure (flat journal, or per recipient structured) for these archived email domains.

Acme Corp. can deploy SMTP email archiving to capture email for internal email domains, where incoming spam has been received and forwarded directly to the archive. Acme Corp. can also deploy SMTP email archiving to capture email for external email domains, where Content Compliance policies may have been triggered and a copy of an outgoing email has been forwarded directly to the archive for retention.
a. Install the Enterprise Vault SMTP Archiving components.

SMTP Archiving components must be installed on a Windows SMTP server. This may be the Enterprise Vault server, or a server dedicated to the tasks of capturing SMTP email for archiving. Enterprise Vault SMTP Archiving components are installed directly from the Enterprise Vault CD. Consult the SMTP Archiving Guide for further details.

b. Configure the SMTP Archiving components.

The configuration file specifies the following details:

- The SMTP virtual server to which SMTP Archiving is to bind
- The address domains that SMTP Archiving is to process (note that domains not specifically configured will be processed into a default folder)
- The folders, and folder structure, on the server where SMTP Archiving is to put email messages as they are captured for archiving

Edit the file using a plain text editor such as Notepad, and save it as a Unicode file.

Example Configuration File for Acme Corp.:

    [Server]
    Name=Default SMTP Virtual Server
    Priority=16000
    NonDeliveryFolder=d:\EvMailRoot\ServerDefault
    DiskFullRetryLimit=0

    [Domain]
    Name=acmecorp.com
    Path=d:\EvMailRoot\AcmeCorp

    [Domain]
    Name=acme.com
    Path=d:\EvMailRoot\Acme
    AutoEnableMbxFolders=True
    IndexingLevel=Brief
    NonDeliveryFolder=d:\EvMailRoot\Acme\NonDelivery

c. Create the required domain root folders.

This is where the SMTP Archiving components queue the email messages for archiving into a Vault Store.

d. Configure archiving of the email messages captured by SMTP Archiving components.

Configuration of archiving schedules, target archives and Vault Stores, and other policy-based factors is achieved from the Enterprise Vault Administration Console. Acme Corp. can configure separate target archives, and even separate physical storage, for spam email messages that need to be retained in this way as described above. Consult the Enterprise Vault SMTP Archiving Guide for further details.

Deploying additional components

Veritas Enterprise Vault Discovery Accelerator

Discovery Accelerator enables companies to conduct searches of archived mail and documents in response to a legal discovery. Discovery Accelerator enables the company legal team to review items found by the searches to determine their relevance to the case. Items marked as being relevant to the case can be exported to be used as evidential records, as required. Consult the Enterprise Vault Discovery Accelerator Installation and Administration guides for specific details.

Veritas Enterprise Vault Compliance Accelerator

Compliance Accelerator enables organizations to monitor employees' electronic messages (including email and instant messages) to ensure compliance to policy, or good business practice. This is typically used at brokerage houses to monitor messages to meet regulation supervision requirements. It provides two main ways of monitoring email: random samples of each employee's messages can be captured and sent for review each day; or all messages can be searched against a predefined lexicon for words or phrases that may indicate non-compliance. Consult the Enterprise Vault Compliance Accelerator Installation and Administration guides for specific details.
Figure 6. Final chosen email security and archiving deployment topology for Acme Corp., showing new Symantec Mail Security appliances and software, and Veritas Enterprise Vault. (Diagram labels: Symantec Mail Security 8160 Appliance; Symantec Mail Security 8260 Appliance; Symantec Mail Security for Microsoft Exchange; Veritas Enterprise Vault for Exchange; selective spam journaling; real-time journaling; application storage on Fibre Channel SAN; archive storage on CAS, NAS, SATA, tape, optical, etc.)

Scenario 2: Beta Corporation (Beta Corp.)

Beta Corporation (Beta Corp.) runs a clustered Microsoft Exchange Server 2003 messaging and groupware system. Beta Corp. wants to avoid message journaling and associated journal archiving in Exchange, but wants to archive a copy of all email messages where the words "Confidential," "Client Privileged," or "Internal Only" appear, directly to a separate administrative archive for three years for later discovery purposes. Beta Corp. also wishes to archive spam emails directly to Enterprise Vault for 60 days, instead of a quarantine location, as it provides a lower-cost store to maintain spam in case of false positives, as well as a full text index content search for the spam in temporary hold.

Beta Corp. also wants to ensure appropriate levels of antivirus and antispam defenses including a significant reduction in network traffic associated with spam before it reaches the organization. Additionally, Beta Corp. wants to archive the messages retained in users' mailboxes after 90 days to ensure optimization of storage associated with, and operational running of, Microsoft Exchange systems.
Figure 7. Existing email and groupware topology at Beta Corp. (Diagram labels: Internet; Firewall; Bridgehead Server; Mail server antivirus; Microsoft Exchange 2003; some email quarantined; application storage on Fibre Channel SAN.)

Solution:

To achieve the stated goals in this scenario, Beta Corp. can implement the following solution where Symantec Mail Security and Veritas Enterprise Vault work together:

Desired goal | Solution chosen for deployment
Archive a copy of all external email records showing target phrases | Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving
Reduce network traffic due to spam email before the network perimeter | Symantec Mail Security 8160 appliance with SMTP Traffic Shaping
Further reduce spam and virus-infected email after acceptance, archive spam email messages, and enforce email policy | Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving
Ensure appropriate levels of email antivirus for Exchange servers and clients | Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus Corporate Edition
Search, review, and produce email messages as evidential records | Veritas Enterprise Vault Discovery Accelerator

Accordingly, the following products are chosen for deployment at Beta Corp.

Vendor | Product | Version/Type
Symantec | Mail Security 8100 Series | 8160/Appliance
Symantec | Mail Security 8200 Series | 8260/Appliance
Symantec | Mail Security for Microsoft Exchange | 5.0/Cluster Aware
Symantec | Enterprise Vault for Exchange | 6.0/Server + Standby

Optional products below are also chosen for deployment at Beta Corp.

Vendor | Product | Version/Type
Symantec | Enterprise Vault Discovery Accelerator | 5.0/Server
Deploying the Symantec Mail Security 8100 Series

Deployment of Symantec Mail Security 8160 appliances allows Beta Corp. to employ a best-of-breed appliance that leverages market-leading unique antispam traffic shaping technology. This technology reduces email infrastructure costs by restricting connections from spam-sending servers and significantly reducing the received amounts of spam before they are even accepted into the corporate email system at the network boundary. The objective is to significantly reduce the transfer capacity available to spammers, while continuing to maintain it for legitimate sources of email.

Refer to the section titled "Deploying the Symantec Mail Security 8100 Series" on page 10 for general details on this part of the solution. Symantec Mail Security 8160 appliances are configured similarly for Beta Corp.

Key differences from Scenario 1, Acme Corp.: None.

For further details on any aspect, refer to the Symantec Mail Security 8100 Series Implementation Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.

Deploying the Symantec Mail Security 8200 Series

Deployment of Symantec Mail Security 8260 antivirus and antispam appliances allows Beta Corp. to further employ best-of-breed appliance technology that leverages over 20 spam prevention techniques, including Symantec Brightmail AntiSpam, Directory Harvest Attack Prevention, and Sender Reputation techniques, all of which reduce email infrastructure costs by significantly reducing the received amounts of accepted spam, after initial spam reduction is effected by 8160 appliances. Additionally, Content Compliance features allow administrators to gain control over inbound and outbound email content so they can enforce internal or regulatory email content policies, before an issue even arises. Beta Corp. will leverage these features to archive copies of email messages where certain target phrases arise, directly to Enterprise Vault for SMTP Archiving.

Refer to the section titled "Deploying the Symantec Mail Security 8200 Series" on page 7 for general details on this part of the solution. Symantec Mail Security 8260 appliances are configured similarly for Beta Corp.
Key differences from Scenario 1, Acme Corp.:

1. Configure all Scanner appliances with Beta Corp.'s email security policies.

Given Beta Corp.'s goals of providing appropriate email security for the business at the perimeter of the network, while still retaining the ability to archive email messages with target words and phrases "Confidential," "Client Privileged," or "Internal Only" to Veritas Enterprise Vault, some examples are given below:

Desired Goal: Archive copies of email messages exhibiting target phrases
Symantec Mail Security 8260 Action: Archive (+ optional Delete or Quarantine)
Details: Email messages may be checked against policy compliance by Symantec Mail Security 8200 Series appliances, including by dictionary, content filters, attachment blocking, and property analysis, and then treated in a number of optional ways:
    1. Archived to an administrative SMTP address in Enterprise Vault (optionally a percentage of these may be reviewed) for Compliance, Policy, or Privacy purposes
    2. Forwarded to Quarantine (optionally notifying the administrator)
    3. Blocked and deleted at the appliance before entering or leaving the organization
    4. Blocked and archived to an administrative SMTP address in Enterprise Vault

2. Configure 8260 appliances to forward copies of selected email messages to Enterprise Vault for archiving.

Beta Corp. needs to retain email messages that include the target words and phrases "Confidential," "Client Privileged," or "Internal Only," indicating a need to check that the messages are not out of policy boundaries. Enterprise Vault for SMTP Archiving allows Beta Corp. to easily achieve this:

a. Configure target email forwarding ("Archive" action in Symantec Mail Security 8260) to Enterprise Vault via SMTP archiving

Beta Corp. can simply archive email messages that are found by Symantec Mail Security to contain target words and phrases, by administratively forwarding them directly to an SMTP capture address in Enterprise Vault. These will then be archived for each recipient at Beta Corp. into an administrative set of retention archives as necessary, and can be immediately searched, reviewed, and exported as necessary (refer to the section "Deploying Enterprise Vault" below for further details).
Deploying Symantec Mail Security for Microsoft Exchange

Refer to the section titled "Deploying Symantec Mail Security for Exchange" on page 16 for general details on this part of the solution. Symantec Mail Security for Microsoft Exchange is configured similarly for Beta Corp.

Key differences from Scenario 1, Acme Corp.: None.

Beta Corp. also needs to configure antivirus, further antispam, and other policy aspects of Symantec Mail Security for Microsoft Exchange appropriately. For further details on any aspect, refer to the Symantec Mail Security for Microsoft Exchange Implementation Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.

Deploying Veritas Enterprise Vault

Enterprise Vault 6.0 is installed on Windows Server 2003 to host the archive for Exchange servers at Beta Corp., as well as the archive for any email messages containing target words and phrases captured directly from the Symantec Mail Security 8260 series appliances, and a variety of other information within the business. The Enterprise Vault data is stored on a near-line NAS device (or SAN, DAS, SATA, etc.) initially to ensure rapid access to archived content, while providing storage cost benefits desired by Beta Corp. at the same time. Later during the lifecycle of archived email messages (and other information), they may be moved by Enterprise Vault onto other storage devices such as tape or optical libraries for long-term retention.

Refer to the section titled "Deploying Veritas Enterprise Vault" on page 19 for general details on this part of the solution. Veritas Enterprise Vault is configured similarly for Beta Corp.

Key differences from Scenario 1, Acme Corp.:

1. Configure mailbox archiving.

Enterprise Vault servers are responsible for various archiving tasks (mailbox, journal, public folder, PST file migration, etc.) that are dedicated to certain Exchange servers. Beta Corp. needs to configure an appropriate number of Enterprise Vault servers to perform scheduled mailbox archiving for all Exchange Virtual Servers being managed. As a guideline, one Enterprise Vault server may be generally required for every three to four equivalent mailbox home Exchange servers (depending on mailbox numbers per server and email utilization rates). Once configured for each Exchange server, the archiving tasks are started and will then synchronize the initial list of mailbox users and their associated properties from the Exchange Organization and Active Directory.
Users must then be enabled for archiving, which may include configuration of a Vault Store for user email archives, deployment and configuration of any necessary client components (optional), configuration of the mailbox archiving policies for various user groups (globally, by OU, or by grouping via various unique LDAP properties), and final scheduled enablement of users' mailboxes for archiving services. Users may be enabled in groups to allow appropriate phasing of archiving services into Beta Corp.'s organization. Finally, archiving tasks should be scheduled to run at appropriate times, after completion of Beta Corp.'s Exchange Server backup windows.

Figure 8. Exchange mailbox archiving policies in Veritas Enterprise Vault

Beta Corp. wants to archive the messages retained in users' mailboxes after 90 days to ensure optimization of storage associated with, and operational running of, Microsoft Exchange systems. To do so, Beta Corp. can configure one global mailbox archiving policy for all user mailboxes.
Figure 9. Age-based mailbox archiving policy for 90-day archiving for Beta Corp. Includes archiving of items larger than 1 MB at 30 days.

2. Configure journal archiving.

Exchange servers may host one or more journal mailboxes that receive copies of all messages passing through Exchange Server Stores. An Enterprise Vault journal archiving task needs to be configured for each Exchange server and will process one or more journal mailboxes. Journal archiving tasks process journal mailboxes every 60 seconds and, as such, run continuously after the initial startup. Every message and attachment is archived, compressed, single instanced, and indexed immediately.

Beta Corp. chooses not to employ Microsoft Exchange Server Journaling, and doesn't require journal archiving.
3. Configure SMTP email archiving to receive email messages with target phrases from Symantec Mail Security 8260 appliances.

Enterprise Vault is configured at Beta Corp. to capture and archive (into appropriate administrative retention archives) emails sent directly to the archive servers from Symantec Mail Security 8260 appliances deployed at Beta Corp. As described above, these need to be retained when the words or phrases "Confidential," "Client Privileged," or "Internal Only" appear in an email being sent externally or received from external sources. (Refer to the section above titled "Deploying the Symantec Mail Security 8200 Series" for further details on how to configure Symantec Mail Security 8260 appliances to forward spam emails to Enterprise Vault.)

Beta Corp. can install and configure the Enterprise Vault SMTP Archiving components on the desired Enterprise Vault servers. These make use of IIS SMTP services from the Windows Server platform, and are configured with a list of variables describing the Beta Corp. email domains for which such target email messages are being archived, and an archive structure (flat journal, or per recipient structured) for these archived email domains.

a. Install the Enterprise Vault SMTP Archiving components.

SMTP Archiving components must be installed on a Windows SMTP server. This may be the Enterprise Vault server, or a server dedicated to the tasks of capturing SMTP email for archiving. Enterprise Vault SMTP Archiving components are installed directly from the Enterprise Vault CD. Consult the SMTP Archiving Guide for further details.

b. Configure the SMTP Archiving components.

The configuration file specifies the following details:

- The SMTP virtual server to which SMTP Archiving is to bind
- The address domains that SMTP Archiving is to process (note that domains not specifically configured will be processed into a default folder)
- The folders, and folder structure, on the server where SMTP Archiving is to put email messages as they are captured for archiving

Edit the file using a plain text editor such as Notepad, and save it as a Unicode file.
Example Configuration File for Beta Corp.:

    [Server]
    Name=Default SMTP Virtual Server
    Priority=16000
    NonDeliveryFolder=d:\EvMailRoot\ServerDefault
    DiskFullRetryLimit=0

    [Domain]
    Name=beta.com
    Path=d:\EvMailRoot\Beta
    AutoEnableMbxFolders=True
    IndexingLevel=Brief
    NonDeliveryFolder=d:\EvMailRoot\Beta\NonDelivery

c. Create the required domain root folders.

This is where the SMTP Archiving components queue the email messages for archiving into a Vault Store.

d. Configure archiving of the email messages captured by SMTP Archiving components.

Configuration of archiving schedules, target archives and Vault Stores, and other policy-based factors is achieved from the Enterprise Vault Administration Console. Beta Corp. can configure separate target archives, and even separate physical storage for email messages that need to be retained in this way, as described above. Consult the SMTP Archiving Guide for further details.
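The two example configuration files shown for Acme Corp. and Beta Corp. can be checked before the SMTP Archiving components are started. The linter below is an added example, not part of the white paper or of Enterprise Vault: section and key names come from the samples, while the parsing rules, the reading of "Unicode" as UTF-16 LE with a byte-order mark (what Notepad writes), the overlap check, and all function names are assumptions.

```python
import codecs
import ntpath

# The white paper's Acme Corp. example, reproduced as printed.
ACME_CONFIG = r"""[Server]
Name=Default SMTP Virtual Server
Priority=16000
NonDeliveryFolder=d:\EvMailRoot\ServerDefault
DiskFullRetryLimit=0
[Domain]
Name=acmecorp.com
Path=d:\EvMailRoot\AcmeCorp
[Domain]
Name=acme.com
Path=d:\EvMailRoot\Acme
AutoEnableMbxFolders=True
IndexingLevel=Brief
NonDeliveryFolder=d:\EvMailRoot\Acme\NonDelivery"""

# Constructed sample with deliberate mistakes (not from the white paper).
BAD_CONFIG = r"""[Server]
Name=Default SMTP Virtual Server
[Domain]
Name=beta.com
Path=d:\EvMailRoot\Beta
[Domain]
Name=spam.beta.com
Path=D:\evmailroot\beta\Spam
[Domain]
Name=example.org"""


def as_notepad_unicode(text):
    """Encode text as Notepad's "Unicode" option does (assumed: UTF-16 LE with BOM)."""
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def decode(raw):
    """Return (text, saved_as_unicode) for the raw bytes of a configuration file."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le"), True
    return raw.decode("utf-8", errors="replace"), False


def parse_sections(text):
    """Return ordered (section, {key: value}) pairs; keys assumed case-insensitive."""
    sections = []  # a list, because [Domain] repeats
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections


def overlaps(a, b):
    """True if two Windows paths are the same folder or one contains the other."""
    a, b = (ntpath.normcase(ntpath.normpath(p)) for p in (a, b))
    # Compare with a trailing separator so ...\Acme does not match ...\AcmeCorp.
    return a == b or a.startswith(b + "\\") or b.startswith(a + "\\")


def lint(raw, expected_domains=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    text, saved_as_unicode = decode(raw)
    if not saved_as_unicode:
        findings.append("encoding: file was not saved as Unicode (no UTF-16 LE BOM)")
    sections = parse_sections(text)
    if not any(s == "server" and "name" in kv for s, kv in sections):
        findings.append("server: no [Server] section with Name=")

    paths = {}  # domain name -> capture folder (None when Path= is missing)
    for kv in (kv for s, kv in sections if s == "domain"):
        name = kv.get("name", "").lower()
        if not name:
            findings.append("domain: [Domain] section without Name=")
        elif name in paths:
            findings.append(f"domain {name}: configured more than once")
        else:
            paths[name] = kv.get("path")
            if not paths[name]:
                findings.append(f"domain {name}: no Path=")

    # Assumption: overlapping folders mix queues meant for separate target archives.
    located = [(n, p) for n, p in paths.items() if p]
    for i, (n1, p1) in enumerate(located):
        for n2, p2 in located[i + 1:]:
            if overlaps(p1, p2):
                findings.append(f"path: {n1} and {n2} share a capture folder tree")

    # Per the white paper, unconfigured domains are processed into a default folder.
    for domain in expected_domains:
        if domain.lower() not in paths:
            findings.append(f"domain {domain.lower()}: not configured, goes to the default folder")
    return findings
```

Calling `lint(as_notepad_unicode(ACME_CONFIG), ["acmecorp.com", "acme.com"])` returns no findings, while `lint(BAD_CONFIG.encode("utf-8"), ["beta.com", "beta.net"])` reports the encoding, the missing Path, the nested folders, and the domain that would fall into the default folder.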
Deploying additional components

Veritas Enterprise Vault Discovery Accelerator

Discovery Accelerator enables companies to conduct searches of archived mail and documents in response to a legal discovery. Discovery Accelerator enables the company legal team to review items found by the searches to determine their relevance to a particular case. Items marked as being relevant to the case can be exported to be used as evidential records, as required. Consult the Discovery Accelerator Installation and Administration guides for specific details.

Figure 10. Final chosen email security and archiving deployment topology for Acme Corp., showing new Symantec Mail Security appliances and software, and Veritas Enterprise Vault. (Diagram labels: Symantec Mail Security 8160 Appliance; Symantec Mail Security 8260 Appliance; Symantec Mail Security for Microsoft Exchange; Veritas Enterprise Vault for Exchange; selective emails with target words; mbx policy 90 days; application storage on Fibre Channel SAN; archive storage on CAS, NAS, SATA, tape, optical, etc.)
Tested solutions

The combined, integrated solutions outlined in this white paper have been tested by Symantec Corporation, in the Veritas Software Integration and Functional Test laboratories (SWIFT); May 2005.

Summary

This white paper has described how two businesses (Acme Corporation and Beta Corporation) can deploy Symantec Mail Security appliances and software both within and without the organization to achieve various email security and content compliance goals. It further describes how they can integrate Symantec technology with Veritas Enterprise Vault to ensure that necessary email messages are captured and retained in a cost-effective and usable manner, optionally including any necessary antivirus- and antispam-related messages that may need to be captured and retained in an appropriate low-cost and secured archive for privacy or compliance reasons.

The hypothetical Acme Corporation and Beta Corporation discussed in this white paper illustrate two example challenges and solutions associated with email security as pertains to:

- Inbound email hygiene at the network perimeter and inside the organization
- Email content compliance with regard to outbound email and intra-organizational email
- Email archiving for storage management and optimization of Exchange Server services, as well as journaling and compliance-related capture of email messages passing through the organization to meet regulatory requirements
About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit www.symantec.com. For additional information in the U.S. call toll-free 1 (800) 745-6054 or visit http://ses.symantec.com/secureapps.

Symantec Corporation World Headquarters, 20330 Stevens Creek Boulevard, Cupertino, CA 95014 USA. +1 (408) 517 8000, 1 (800) 721 3934. www.symantec.com

Copyright 2006 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Symantec AntiVirus, SESA, VERITAS, Brightmail, Enterprise Vault, NetBackup and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 2/06 10533942