Administration Guide McAfee SaaS Email Archiving
COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee SaaS Email Archiving Administration Guide
Contents Preface 5 About this guide.................................. 5 Audience.................................. 5 Conventions................................. 5 What's in this guide.............................. 6 Find McAfee SaaS service documentation........................ 6 1 Email Archiving 7 2 Managing the Email Archive 9 Setup information and resources............................ 9 3 Setting up Email Archiving 11 About archive change approvers............................ 11 Set up the archive for the first time.......................... 12 Add your first approver email address......................... 12 Change storage settings............................... 13 4 Creating and managing mail sources 15 Set up mail source connectivity............................ 15 Configure mail source alerts............................. 17 Upgrade or replace a mail server........................... 18 5 Archiving historical messages 21 Set up your mail server to archive historical messages................... 22 Set up a historical mail source............................ 23 Archive email from multiple historical mail sources.................... 23 Archive historical messages that include different format types............... 23 6 Searching the archive 25 Improving your search results............................ 25 Avoiding stop words................................ 30 7 Using Simple Search 31 Find emails using Simple Search........................... 31 8 Using Advanced Search 33 Find emails using Advanced Search.......................... 33 Rules for multilingual search............................. 35 Rules for special characters in a header search...................... 35 9 Using Archive ID Search 37 Find emails using Archive ID Search.......................... 37 10 Viewing an archived email 39 McAfee SaaS Email Archiving Administration Guide 3
Contents View a message.................................. 39 11 Saving searches for reuse 41 Save a search................................... 41 Run a saved search................................. 41 12 Purging messages 43 Purge messages.................................. 43 Archive Compliance Officer role details......................... 44 13 Exporting messages 45.zip file guidelines................................. 45 Viewing.eml files................................. 45 Export messages.................................. 46 14 Setting retention for groups 49 Create a group and add group retention........................ 49 15 Managing Legal Hold 51 How Legal Hold works................................ 51 Enabling and disabling Global Legal Hold........................ 51 Enable Global Legal Hold............................ 52 Disable Global Legal Hold........................... 52 Adding and deleting user-specific legal holds....................... 52 Add a new user-specific legal hold........................ 53 Update a user-specific legal hold........................ 53 Delete a user-specific legal hold......................... 54 16 Generating reports 55 Run a report.................................... 55 Filter a report................................... 55 View report details................................. 56 Download a report................................. 56 17 Download the Archive Add-in 57 18 Frequently asked questions 59 19 Troubleshooting 63 Troubleshooting connectivity errors.......................... 63 Common error messages.............................. 66 Issues with Exchange Server journal mailbox...................... 67 Issues with historical mail sources........................... 68 A known limitation in Exchange Server 2003 affects historical data.............. 68 20 User interface conventions 71 Glossary............................... 73 Glossary 73 Index 77 4 McAfee SaaS Email Archiving Administration Guide
Preface This guide provides the information you need to configure, use, and maintain your McAfee SaaS service. Contents About this guide Find McAfee SaaS service documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee SaaS documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who configure and manage specific features of a service. Conventions This guide uses the following typographical conventions and icons. Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis. Bold User input or Path Code Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program. A code sample. User interface Hypertext blue Words in the user interface including options, menus, buttons, and dialog boxes. A live link to a topic or to a web site. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. McAfee SaaS Email Archiving Administration Guide 5
Preface Find McAfee SaaS service documentation What's in this guide This guide is organized to help you find the information you need. It's divided into functional parts intended to support the goals you need to accomplish when using your McAfee SaaS service. Each part is further divided into chapters that group relevant information together by feature and associated tasks, so you can go directly to the topic you need to successfully accomplish your goals. Find McAfee SaaS service documentation McAfee provides the information you need during each phase of service implementation, from setup to daily use and troubleshooting. After a service update is released, information is added to the McAfee SaaS Email and Web Security Support site. Task 1 Go to the McAfee SaaS Email and Web Security Support page at http://support.mcafeesaas.com/. 2 Under Knowledge Base, click Reference Materials. 3 Under Reference Materials, scroll down to access information that you need: Service Enhancements and Release Notes Training Materials Service Reference Guides 6 McAfee SaaS Email Archiving Administration Guide
1 1 Email Archiving Email Archiving is a cloud based service that automatically archives your email to a secure centralized location. Additionally, Email Archiving allows you to search your archived email so you can quickly locate and retrieve your messages when you need them. Figure 1-1 Email Archiving architecture McAfee SaaS Email Archiving Administration Guide 7
1 Email Archiving 8 McAfee SaaS Email Archiving Administration Guide
2 Managing the Email Archive Customer Administrators are responsible for setting up users, configuring mail servers, and managing mail sources in the Control Console. Setup information and resources Customer Administrators should consult all of the relevant documentation before performing tasks in the Control Console. Table 2-1 Setup documents checklist Document Email Archiving Service Activation Guide Account Management Administrator Guide Email Archiving Quick Setup Guide for Microsoft Exchange Server Purpose Provides an overview of the setup and activation process. Also includes customer specific access and connectivity information. Describes the tasks needed to setup users and configure the Control Console as prerequisites to setting up Email Archiving. Review the following information: Managing Domains Managing Users and Other Administrators Provides important information on configuring your email servers in preparation to setting up mail connectivity in Email Archiving. Select the appropriate guide for your server: Exchange Server 2000 Exchange Server 2003 Exchange Server 2007 Exchange Server 2010 McAfee SaaS Email Archiving Administration Guide 9
2 Managing the Email Archive Setup information and resources 10 McAfee SaaS Email Archiving Administration Guide
3 Setting 3 up Email Archiving Before you can begin using the Email Archiving service, you must complete the required setup. This process includes selecting your Data Storage Location, Archive Retention Length, and Selective Purge options. You are also required to add at least one archive change approver. Contents About archive change approvers Set up the archive for the first time Add your first approver email address Change storage settings About archive change approvers An archive change approver is anyone that the administrator authorizes to review and then approve or reject changes to the Storage settings in Email Archiving. Change Approval management Customer Administrators and higher manage the list of approval email addresses using the Change Approval section of the Storage tab. Administrators can add and remove email addresses as necessary. The maximum number of approvers is 10. Each new address must be verified as valid before it can be approved and authorized as a new approver. After the first approver is added, all subsequent changes to the email address list must be approved by an existing archive change approver. The approval process The approval process typically follows these steps. 1 An administrator makes a change to the settings for global retention, selective purge, or the list of archive change approvers. 2 An email notification is sent to each archive change approver prompting them to approve or reject the change. 3 An archive change approver responds to the email, approving or rejecting the change. Only one response is required. 4 All of the archive change approvers are informed about the first approver's decision by email. 5 If the change is approved, it is logged in the Storage Configuration report. McAfee SaaS Email Archiving Administration Guide 11
3 Setting up Email Archiving Set up the archive for the first time Set up the archive for the first time If you are new to Email Archiving, you must complete the set up process before you can begin archiving your messages. Before you begin You must be a Customer Administrator or higher to complete the setup process. Task For option definitions, click Help in the interface. 1 Select the Email Archiving tab. You are automatically redirected to the Setup Storage tab. 2 Select your preferred Data Storage Location. 3 Select your Archive Retention Length. 4 If necessary, select to enable Selective Purge. 5 Click Save. A message confirms your selection. At this point, the Data Storage Location is saved but not locked. You can continue to make changes to this value until your mail sources are active. After that, the value is set permanently. 6 Click OK. You are automatically redirected to the Mail Sources tab. From here you should: Add your users using the instructions in Account Management. Add and activate your mail sources. Add at least one archive change approver under Change Approval. Add your first approver email address You should add at least one archive change approver email address to the Change Approval section of the page. As an administrator, you can begin by adding your own email address. After adding an email address, the remaining options on the Storage tab become active and you can make additional changes. Before you begin You must be a Customer Administrator or higher to add an approver email address. Task For option definitions, click Help in the interface. 1 Select Email Archiving Setup Storage. 2 Scroll down to Change Approval, enter a valid email address in the Approver Email Address field and click Add. 12 McAfee SaaS Email Archiving Administration Guide
Setting up Email Archiving Change storage settings 3 3 Click Save. The page verifies your request and the system sends an email to the address you entered. 4 Run your email client and open the email from Email Archiving. 5 Click the Validate link. You are redirected to a new web page that verifies that you have added the email as an approver. 6 Return to Email Archiving. You may need to log on again to refresh the page, or click the Email Archiving tab. 7 Select Email Archiving Setup Storage to view changes. All of the options are active and your email address is updated in the Change Approval list with a status of Verified. Change storage settings After the set up process is complete, you can return to the storage settings at any time to make additional changes. Before you begin You should complete the initial set up and add at least one archive change approver before making any further changes to the storage settings. Task For option definitions, click Help in the interface. 1 Select Email Archiving Setup Storage. 2 Change settings as necessary. Select a new Data Storage Location. Data Storage Location is editable as long as you have not yet activated a mail source. Select a new Archive Retention Length. Enable or disable Selective Purge. Add or remove an archive change approver under Change Approval. Be sure to let other users know that you are adding them and that they should expect a verification email. 3 Click Save. Your change does not apply until it is saved. The value that you changed remains locked until it is either approved or rejected by an archive change approver. New archive change approvers must verify their email address before they can be approved or rejected.you will need to refresh the page or log on again to view status changes. McAfee SaaS Email Archiving Administration Guide 13
3 Setting up Email Archiving Change storage settings 14 McAfee SaaS Email Archiving Administration Guide
4 Creating 4 and managing mail sources Adding and maintaining mail sources allows Email Archiving to retrieve email from your email servers and store those messages in the archive. In Email Archiving, a mail source corresponds to a journal mailbox on an email server. The journaling feature in Microsoft Exchange records a copy, or journal, of all sent and received email messages processed by the Exchange Server. Journaling ensures that blind carbon copy (BCC) and distribution list recipients are captured and archived. The Exchange Server sends this copied email to a dedicated mailbox called the journal recipient mailbox, which also resides on the Exchange Server. The service then retrieves the email from this journal recipient mailbox and archives it. Each Exchange database can have its own journal mailbox. You may have more than one journal mailbox on a single server, and you may have multiple servers in your environment. Once activated, Email Archiving polls each mail source every 15 minutes to check for available messages. New messages are then pulled into redundant, offsite archives. Managing mail sources involves creating and maintaining mail sources for both active and historical sources. Contents Set up mail source connectivity Configure mail source alerts Upgrade or replace a mail server Set up mail source connectivity In order to enable communication between Email Archiving and your mail server, you need to add a mail source and set its connection options. Mail sources are required for both active journal mailboxes as well as historical messages. Before you begin Follow these guidelines: You must be a Customer Administrator to set up or modify a mail source. Ensure that you have configured the mailbox on your mail server correctly. Provision your users in Account Management before adding and activating your first mail source. McAfee SaaS Email Archiving Administration Guide 15
4 Creating and managing mail sources Set up mail source connectivity Task For option definitions, click Help in the interface. 1 Select Email Archiving Setup Mail Sources. 2 Click New. If this is your first mail source, you will see a warning message reminding you to create your users in Account Management before setting up mail sources. Click OK to continue or Cancel if you have not yet set up your users. Figure 4-1 New Mail Source window 3 Configure the Connection options. These options allow Email Archiving to communicate with the mail server. 4 Select whether the mail source will be used for Historical messages. Additional storage for historical messages is required to select this option. 5 Select whether to activate the new mail source. Notice that the Save button is now inactive. 6 Select whether the mail source will use a quiet period. The quiet period should be at least 30 minutes but not longer than 10 hours. 7 Test the connection to the mail server, if necessary. The Save button is now active. 16 McAfee SaaS Email Archiving Administration Guide
Creating and managing mail sources Configure mail source alerts 4 8 Save the mail source: To save an inactive mail source requires that you complete at minimum the Server Name, Port, and Mailbox Username fields. To save an active mail source, you must complete all fields, select Active, and click Test Connectivity with a successful result. a b Verify your selections. Click Save. The New Mail Source window closes. The mail source is now configured to transfer email messages from your mail server to the archive. Configure mail source alerts Setting up mail source alerts allows you to automatically receive notifications when there are problems with your mail source's connectivity, authentication, ingest, or journal queue. Before you begin You must be a Customer Administrator to set up or modify a mail source. Complete and save all required mail source settings on the Connection tab before configuring alerts. McAfee SaaS Email Archiving Administration Guide 17
4 Creating and managing mail sources Upgrade or replace a mail server Task For option definitions, click Help in the interface. 1 Open a mail source and click the Alerts tab. Figure 4-2 Mail Sources window Alerts tab 2 Complete the form and click Save. Upgrade or replace a mail server Upgrade the version of Exchange Server on your mail server or replace an existing mail server while ensuring that all mail properly archived. Before you begin You will need to be able to perform tasks on both your mail server as well as modify mail sources in the Control Console. Task 1 Remove all ability to send mail to or from your server. 2 Monitor the journal mailbox until all mail has been picked up and removed by Email Archiving. 18 McAfee SaaS Email Archiving Administration Guide
Creating and managing mail sources Upgrade or replace a mail server 4 3 Open the Control Console and deselect the Active setting in each mail source that currently points to the old server. This will prevent Email Archiving from trying to import email from your journal mailboxes during the upgrade. 4 Perform your upgrade and make sure no email can be delivered to or from your server until journaling has been enabled. 5 Allow email to flow to your server once your upgrade is complete and journaling is enabled. 6 Open the Control Console and edit your mail sources so that they use the correct address and mail format of the new server. 7 Activate, test, and save each mail source. a Select Active. b c Click Test Connectivity to verify that Email Archiving can connect to the server. Click Save. 8 Monitor your journal mailboxes to ensure that mail is being imported properly. Expect your mail source to be polled for new messages within approximately 15 minutes after it has been activated. McAfee SaaS Email Archiving Administration Guide 19
4 Creating and managing mail sources Upgrade or replace a mail server 20 McAfee SaaS Email Archiving Administration Guide
5 Archiving 5 historical messages The mail source process can also be used for historical data storage. There are, however, important differences between the two processes. Historical message storage can be used for: Email messages that were saved prior to activating Email Archiving. Email messages that were saved outside of the Exchange journaling process. Email messages that were saved in.pst files. Email messages that still reside on the Exchange Server. What makes historical data storage different? Historical messages are archived indefinitely while standard emails are stored based on the retention period. The total number of historical messages in the archive is limited to the storage space you purchased in your Service Agreement. The historical archiving process When the historical mail source is active, the system ingests all of the messages that have been moved into the historical mailbox on the mail server. As each message is moved into the archive, it is also deleted from the mailbox. This process continues until the mailbox is empty, or the historical storage is full. Email Archiving automatically deactivates the historical mail source when the historical data storage limit is reached. If this happens, it may be necessary to purchase more storage and reactivate the historical mail source. Monitoring historical archiving Email Archiving uses the Mail Source alerts feature to automatically notify you when it is finished or when you've used up your available storage space. To receive notifications on the status of your historical storage space, you should be sure to enable alerts. Additionally, you can do the following: Check the historical mailbox on the mail server to see if messages are still waiting to be archived. View the Overview tab and look to see if the mail source is currently active. View the Overview tab and check the value of the Historical Data Storage Usage field. McAfee SaaS Email Archiving Administration Guide 21
5 Archiving historical messages Set up your mail server to archive historical messages Creating multiple historical mail sources Email Archiving limits you to one historical mail source at any given time. Additionally, once a mail source has been set up for historical messages, it cannot be changed or deselected. As a result, you must first delete the existing historical mail source in order to create a new one. In situations where you need to archive mail from multiple sources, you should import messages from each mail server one at a time. This is accomplished by adding a new historical mail source, importing all of the messages, deleting the mail source, and then doing the same for each server in series. Contents Set up your mail server to archive historical messages Set up a historical mail source Archive email from multiple historical mail sources Archive historical messages that include different format types Set up your mail server to archive historical messages Create a designated historical mailbox on your mail server as a prerequisite for archiving historical messages. Before you begin Follow these guidelines: All historical messages must have the same format. If you have a mix of envelope journaled and non journaled messages, you may encounter archiving problems or unexpected search results within Email Archiving. The historical mailbox on the server should not be a journal mailbox. The historical mailbox should not belong to an active user since all of their messages will be deleted after they are archived Do not forward or send messages to the historical mailbox. Forwarding or sending messages changes the sender/recipient information, as well as other metadata about the messages. To retain a copy of historical messages in addition to the archived version, you must also copy those messages to a location outside of the historical message mailbox. Task 1 Create a mailbox for historical email on your mail server. 2 Copy any messages that you want to archive into the historical mailbox. These messages can come from either user mailboxes or user.pst files. After you have copied all of your messages, you are ready to log into Email Archiving and create a new historical mail source. 22 McAfee SaaS Email Archiving Administration Guide
Archiving historical messages Set up a historical mail source 5 Set up a historical mail source Configure a mail source to archive your historical messages. Before you begin Ensure that you have configured the mailbox on your mail server correctly for archiving historical messages. Follow these guidelines when creating an historical mail source: Only one historical mail source can be configured at a time. Historical messages that have previously been journaled with envelope journaling should use the Message Format type corresponding to the version of Exchange that journaled the messages. Otherwise select Generic. Always select Historical. Task For option definitions, click Help in the interface. 1 Select Email Archiving Setup Mail Sources and click New. The New Mail Source window appears. 2 Complete the form and click Save. Archive email from multiple historical mail sources Follow this strategy for archiving historical messages from more than one mail server. Before you begin Review the information for managing mail servers and setting up mail sources. Although you can only have one historical mail source at a time, it is still possible to archive mail from multiple historical mailboxes on your servers. Task 1 Create a historical mail source for the first historical mailbox and archive messages from that mailbox. 2 Delete the historical mail source from Email Archiving. 3 Create a new historical mail source for the next historical mailbox and archive messages from that mailbox. 4 Delete the historical mail source and repeat as necessary. Archive historical messages that include different format types Follow this strategy for archiving historical messages with different message formats. Before you begin Review the information for managing mail servers and setting up mail sources. McAfee SaaS Email Archiving Administration Guide 23
5 Archiving historical messages Archive historical messages that include different format types When archiving historical messages, all of the messages should be of the same type. If messages of different types are mixed together, they need to be separated before they are archived. Additionally, because you can only have one historical mail source at a time, you will need to follow the strategy for working with multiple historical mail sources. Task 1 Create a separate historical mailbox on your mail servers for each message format type. 2 Organize your messages into each of the corresponding historical mailboxes on your mail servers. 3 Create a mail source in Email Archiving that points to the first of the historical mailboxes. 4 Set the Message Format type to the appropriate format. 5 Activate the mail source and archive all of the messages in the associated mailbox. 6 Delete the mail source. 7 Repeat for each of the remaining message formats. 24 McAfee SaaS Email Archiving Administration Guide
6 Searching 6 the archive Creating a search allows you to find, view, and export email messages that are currently being stored in the archive. To create a search, type what you know about the message (or messages) into the criteria fields and click Search. Contents Improving your search results Avoiding stop words Improving your search results You can enhance your search results by following a few best practices and guidelines. Use the right combination of search terms and filtering features to quickly and effectively find the emails you need. Basic search rules Complete at least one search field to begin a new search. The more fields you complete, the more specific your search, and therefore the more limited the number of results. Search fields are not case sensitive. A search for Sales Reports is the same as sales reports. Select your search terms carefully. Use words or phrases that are unique to the messages you want to find. Avoid using common words or phrases like a, an, and the. Additional rules for complex searches Most special characters (including + &!><) are interpreted as plain text when used within a word or phrase. Other special characters (including #) are ignored. Search supports trailing * and? wild cards searches. A * search looks for one or more characters. A? looks for a single character. Email addresses can be searched using the entire address, just the domain, or any part of the address. Select Phrase, Any Word, or All Word to determine how you want search to interpret the text you enter. Guidelines for special characters Special characters cannot be searched by themselves. Some special characters are allowed and can be interpreted as plain text when included as part of an alphanumeric string. Special characters at the beginning or end of a string are often ignored. McAfee SaaS Email Archiving Administration Guide 25
6 Searching the archive Improving your search results Table 6-1 Special characters interpreted as plain text Special Character Name + Plus Sign Dash & Ampersand Bar! Exclamation ) Right Parenthesis ( Left Parenthesis { Left Curly Brace } Right Curly Brace [ Left Bracket ] Right Bracket ^ Caret " Quotation Marks ~ Tilde : Colon Wild card searches Archive search supports two types wildcards, asterisk (*) and question mark(?), when placed within a string or at the end of a string. A wildcard character cannot be placed at the beginning of a text string. It is best to avoid placing a wildcard too early in a search term, or with too few characters. For example, a search using horse* will return better and faster results than h* or h*s. Wildcards cannot be used in a phrase search. Combining wildcards with special characters can lead to inconsistent search results. For example.doc* and doc* will return different results. Asterisk (*) wild card examples The asterisk (*) searches for one or more characters. Table 6-2 Asterisk (*) wild card examples Search Term greg* gre* gr*n *gre Returns.. greg, gregg, gregory, gregorian greg, gregg, gregory, gregorian grey, green, greenhouse grin, green, grain, groan Is not permitted Question mark (?) wild card examples The question mark (?) searches for a single character. 26 McAfee SaaS Email Archiving Administration Guide
Searching the archive Improving your search results 6 Table 6-3 Question mark (?) wild card examples Search Term greg? gre? gr?n gr??n?gre Returns... greg, gregg greg, grey grin green, grain, groan Is not permitted Email addresses Email addresses can be searched using the entire address, just the domain, or any part of the address. Search email addresses in the From and Recipient fields. You search for a full email address or part of an address. You can search parts of an address that: Are separated by special characters. Switch between upper and lowercase. Switch between alphabetic and numeric characters. Email addresses should not include spaces. Full names with spaces are treated as two separate search terms. McAfee SaaS Email Archiving Administration Guide 27
6 Searching the archive Improving your search results Email address search examples Table 6-4 Email address search examples Search Term greg greg smith Returns... Greg Brown <greg@company.co m> Gregory Smith <greg.smith@other.c om> Greg Smith <gsmith@test.com> Greg Jones <greg99@test.com> Greg Brown <greg@company.co m> Gregory Smith <greg@other.com> Greg Smith <gsmith@test.com> Greg Jones <greg99@test.com> GregJones <gj99@special.com> Joe Smith <greg111@special.co m> GregJones <gj99@special.com> Joe Smith <greg111@special.co m> Joe Jones <joe.jones@greg.co m> Joe Jones <joe.jones@greg.co m> Joe Smith <jsmith99@test.com > John Smith <jsmith@company.co m> FredS <fred_smith@other.c om> Joe Brown <j.brown@smith.co m> company.com @company.com Greg Brown <greg@company.com> John Smith <jsmith@company.com> Joe Jones <joe@test.company.com> Greg Brown <greg@company.com> John Smith <jsmith@company.com> 28 McAfee SaaS Email Archiving Administration Guide
Searching the archive Improving your search results 6 Table 6-4 Email address search examples (continued) Search Term greg@company.com Returns... Greg Brown <greg@company.com> gr* GregJones <gj99@special.com> Gram Carter <gc@test.com> Joe Smith <greg111@special.co m> Bob Grey <grey333@company. com> Joe Jones <joe.jones@greg.co m> Monk Williams <mwilliams@gregori an.com> Searching with phrase, any word, or all words Archive search allows you to searching for specific words or phrases in an email. To help with this you can apply rules to some text fields to filter your results. When entering multiple search terms into a text field you can have them treated as an exact phrase, individual terms, or a group of terms. Avoid using common words like a, an, or the in your searches. Common words are typically ignored by search. Instead, use words and phrases that are specific to the emails you want to view or download. Phrase search Finds emails that contain the exact phrase in the exact word order. Any word search Finds emails that contain one or more words regardless of order. All words search Finds emails that contain all words in any order. You cannot use wild cards in a phrase search. Examples of phrase, any word, and all words Searching on the terms phoenix memo returns different result sets based on how you apply the rules. McAfee SaaS Email Archiving Administration Guide 29
6 Searching the archive Avoiding stop words Table 6-5 Phrase, any word, or all words search for phoenix memo Rule Returns text... But not... Phrase tuesday phoenix memo phoenix memo feedback phoenix transpo rtation memo denver memo memo for phoenix transpo rtation memo denver transpo rtation Any word tuesday phoenix memo denver memo denver transportation phoenix memo feedback memo for phoenix phoenix transport ation memo transport ation memo All words tuesday phoenix memo phoenix memo feedback phoenix transportation memo memo for phoenix denver memo denver transportation transportation memo Avoiding stop words Stop words include common words that are ignored by the system when you submit a search because they are unlikely to return unique results. When entering a search, you should use words and phrases that are specific to the email messages you want to find and avoid generic or overused words and phrases. Email Archiving supports several languages and maintains a list of stop words for each. 30 McAfee SaaS Email Archiving Administration Guide
7 Using 7 Simple Search The simple search options allow users to quickly search for email messages in the archive. You can search based on one or more criteria, including the sender of the email, the recipient of the email, when the message was sent, and words or phrases that were included in the email message. Find emails using Simple Search Use the search form to find emails based on an email address, a date range, or text. Follow these guidelines: Complete one field to find messages that match a single value. Complete multiple fields to find messages that match all of the values. Combine additional fields with a Message Text search to filter the results in a Phrase, Any word, or All words search. You cannot use wildcards when selecting Phrase. Task For option definitions, click Help in the interface. 1 Select Email Archiving Archived Messages. Search is displayed by default. 2 Complete one or more of the following fields: From Recipient Date Range Message Text 3 Click Search. Emails that match your search criteria are displayed in the Results panel. Search examples The following examples compare the results of two similar searches, one using Phrase and the other using Any word in a Message Text search. McAfee SaaS Email Archiving Administration Guide 31
7 Using Simple Search Find emails using Simple Search Table 7-1 Search examples Criteria Returns... Not... Recipient: joe@domain.com Date Range: 7/1/2009 to 11/1/2009 Message Text with Phrase: phoenix memo Mail sent to Joe between July and October, 2009 that contain the phrase phoenix memo. Mail sent to Joe in June, 2009 that contain the phrase phoenix memo. Mail sent to Joe in August 2009 that contain the phrase memo for phoenix. Mail sent to Steve between July and October, 2009 that contain the phrase phoenix memo. Recipient: joe@domain.com Date Range: 7/1/2009 to 11/1/2009 Message Text with Any word: phoenix memo Recipient: joe@domain.com Date Range: 7/1/2009 to 11/1/2009 Message Text with All words: phoenix memo Mail sent to Joe between July and October, 2009 that contain the words phoenix or memo, including: phoenix memo trip to phoenix denver memo Mail sent to Joe between July and October, 2009 that contain the words phoenix and memo, in the subject line, including: phoenix memo memo to phoenix office memo regarding phoenix software Mail sent to Joe in June, 2009 that contain the words phoenix or memo, including: phoenix memo, trip to phoenix,denver memo. Mail sent to Steve between July and October, 2009 that contain the words phoenix or memo, including: phoenix memo,trip to phoenix,denver memo. Mail sent to Joe in June, 2009 that contain both the words phoenix andmemo in the subject line, including: phoenix memo and memo to phoenix office. Mail sent to Joe between July and October, 2009 that contain just one of the words phoenix or memo in the subject line, including: phoenix convention, trip to phoenix, denver memo. Mail sent to Steve between July and October, 2009 that contain both words in the subject line, including phoenix memo, memo to phoenix office, and memo regarding phoenix software. Mail sent to Joe between July and October, 2009 that contain the word phoenix in the subject line and memo in the message body. 32 McAfee SaaS Email Archiving Administration Guide
8 Using 8 Advanced Search The advanced search options allow Customer Administrators to define search criteria for a wider range of archived message elements than the simple search allows. As a result, you can be more precise in your searches. Using these options you can search messages by the following Message header Subject line Message body Attachment body In addition, you can search message metadata for information including: Names of attachments Message sizes Contents Find emails using Advanced Search Rules for multilingual search Rules for special characters in a header search Find emails using Advanced Search Use the advanced search options to create more complex searches and refine your search terms. Follow these guidelines: Apply Phrase, Any word, and All words to specify the matching rules for each of the content fields: Header, Subject, Body, Attachment Content. Apply All or Any to set the rules for all four fields in a content search. Combining All with a Phrase search is the most restrictive. Combining Any with Any word is the least restrictive. Wildcards cannot be used in a Phrase search. Task For option definitions, click Help in the interface. 1 Select Email Archiving Archived Messages. 2 Select Advanced Search in the Criteria panel. McAfee SaaS Email Archiving Administration Guide 33
8 Using Advanced Search Find emails using Advanced Search 3 Complete any of the following fields to search by email address or date: From Recipient Date Range 4 Complete any of the message fields including Header, Subject, Body, or Attachment content to search for message content. a Select All or Any to restrict the search terms relative to each other. b c Enter your search words in each field, as necessary. Select Phrase, Any word, or All words to refine each of your search criteria. 5 Enter an Attachment Name to find messages with a specific file attachment. 6 Select the Message Size (KB) option and type the size value or size range in KB. 7 Click Search. Emails that match your search criteria are displayed in the Results panel. Advanced Search examples The following examples compare the results of four similar searches, using All and Any, and Phrase and Any word in a content search. These examples demonstrate how different combinations create more or less restrictive searches. Table 8-1 Search examples Criteria Match: All Subject with Phrase: phoenix memo Body with Phrase: sales totals Match: All Subject with Any word: phoenix memo Body with Phrase: sales totals Returns Mail that includes... phoenix memo in the subject line. and sales totals in the the body text. Any combination of phoenix and memo in the subject line: phoenix memo phoenix transportation denver memo and sales totals in the the body text. 34 McAfee SaaS Email Archiving Administration Guide
Using Advanced Search Rules for multilingual search 8 Table 8-1 Search examples (continued) Criteria Match: Any Subject with Phrase: phoenix memo Body with Phrase: sales totals Match: Any Subject with Any word: phoenix memo Body with Phrase: sales totals Returns Mail that includes... phoenix memo in the subject line. or sales totals in the the body text. Any combination of phoenix and memo in the subject line: phoenix memo phoenix transportation denver memo or sales totals in the the body text. Rules for multilingual search Advanced search allows you to search the subject, body, attachment content, and attachment names using words and phrases from multiple languages. This capability does not apply to header search. Rules for special characters in a header search The email message header includes a large amount of searchable information. However, certain restrictions apply when using special characters in your search terms. Use these guidelines when searching in the Header or Message Text fields: You cannot search for a special character by itself. You can search for text that includes special characters when they are part of an alphanumeric string. When you include the period (.) and "at" sign (@) in a search term they are interpreted as white space. Most special characters are ignored if they are typed at the beginning or the end of a string. Header search does not support multilingual search. Table 8-2 Special characters Special Character Name Start of String End of String ( Left Parenthesis Ignored { Left Curly Brace Ignored [ Left Bracket Ignored < Right Angle Bracket Ignored " Quotation Marks Ignored Ignored # Pound, hash, number sign Ignored Ignored ) Right Parenthesis Ignored McAfee SaaS Email Archiving Administration Guide 35
8 Using Advanced Search Rules for special characters in a header search Table 8-2 Special characters (continued) Special Character Name Start of String End of String } Right Curly Brace Ignored ] Right Bracket Ignored : Colon Ignored > Left Angle Bracket Ignored, Comma Ignored ; Semi colon Ignored. Period Ignored 36 McAfee SaaS Email Archiving Administration Guide
9 9 Using Archive ID Search You can search for a specific message using its unique Archive ID. This kind of search is useful when you have a lot of messages with similar characteristics and the other search options are returning too many results. Email Archiving assigns each email it archives a unique Archive ID. This is the easiest way to find and retrieve a specific message. Find emails using Archive ID Search Use the Archive ID search option to find a specific email using its unique ID. Task For option definitions, click Help in the interface. 1 Select Email Archiving Archived Messages. 2 Select Archive ID Search in the Criteria panel. 3 Enter an ID. 4 Click Search. The email that matches your search is displayed in the Results panel. McAfee SaaS Email Archiving Administration Guide 37
9 Using Archive ID Search Find emails using Archive ID Search 38 McAfee SaaS Email Archiving Administration Guide
10 Viewing an archived email You can open and view any email that is stored in the archive directly from the search results panel. Both the message preview and message window allow you to view the content of the message, message headers, any attachments associated with the message, and archive specific information including ID and expiration date. View a message Open and view email messages to read content, retrieve attachments, and review header information and metadata. Before you begin You must first run a search and then sort your results to find the email you want to view. Open the message from the Results panel by doing one of the following: Double click the message to view the message in the Message window. Select an option from the Preview menu to open the message in the Message pane. If you selected Preview, the message displays in the Message pane. Otherwise, the message appears in a separate window. McAfee SaaS Email Archiving Administration Guide 39
10 Viewing an archived email View a message 40 McAfee SaaS Email Archiving Administration Guide
11 Saving searches for reuse Archive searches that you run on a regular basis can be saved for later reuse. Your search criteria is saved under the name you give it and can be used to generate new results whenever there are updates to the archive. Contents Save a search Run a saved search Save a search Use the save option to store search criteria. Before you begin You should know how to run searches in the Criteria panel. Task For option definitions, click Help in the interface. 1 Run a search in the Archived MessagesCriteria panel. 2 Click Save. The Save Search window appears. 3 Enter a name in the Search Name field. The filename must be 1 60 characters in length. 4 Click Save. A message confirms that your search was saved. You can access your saved searches in the Saved Searches tab. Run a saved search Use saved searches to reuse your previously stored search criteria. Before you begin You will need to have previously saved searches in the Archived Messages tab. McAfee SaaS Email Archiving Administration Guide 41
11 Saving searches for reuse Run a saved search Task For option definitions, click Help in the interface. 1 Select Email Archiving Archived Messages Saved Searches. The Saved Searches tab displays the list of previously saved searches. 2 In the list, do one of the following: Double click the name of the search you want to run. Select the checkbox of the search and then click Edit. The search criteria display in a new tab with the name of the search. 3 Review the saved search criteria and make any changes if necessary. 4 Click Search. Messages returned by the search are displayed in the Results panel. From here, you can run additional saved searches, save any changes you made, or save the search with a new name. 42 McAfee SaaS Email Archiving Administration Guide
12 Purging messages An Archive Compliance Officer can delete one or more messages from the archive, including Historical messages. This ability ensures that your company is compliant with local privacy laws. Contents Purge messages Archive Compliance Officer role details Purge messages As an Archive Compliance Officer, you can delete messages from the archive using the Purge options in the Archived Messages search results panel. Before you begin You must be assigned the Archive Compliance Officer role by your Customer Administrator. You must disable Legal Hold. The Purge menu is inactive when Legal Hold is enabled. Limit your searches to fewer than 10,000 messages. Task For option definitions, click Help in the interface. 1 Select Email Archiving Archived Messages. Search is displayed by default. 2 Run a search in the Criteria panel. McAfee SaaS Email Archiving Administration Guide 43
12 Purging messages Archive Compliance Officer role details 3 Do one of the following to select messages for deletion: To... Purge All Do this... Select Purge Purge All to delete all of the messages in your search results. Purge Selected Select the checkbox for each message and click Purge Purge Selected to delete your selected search results. A dialog box appears in your browser: The selected message(s) will be permanently, and irreversibly purged from your archive and your action will be logged. The purge process can take up to 15 minutes to complete and cannot be interrupted once initiated. By proceeding, you assume all responsibility, legal and otherwise, for your actions. Are you sure you want to proceed? 4 Click OK. Your messages are now queued for deletion and the Purge menu is temporarily inactive. The purge process takes 15 minutes to complete. After that time, the messages you selected for purge will no longer appear in the search results and the Purge menu becomes active. A message appears notifying you that the purge process has completed. Archive Compliance Officer role details The Archive Compliance Officer role is a specific role assigned to a user for the express purpose of purging messages from the archive. Users with this role are responsible for ensuring that their company is in compliance with local privacy laws. Follow these guidelines: Must be assigned to a user by a Customer Administrator Is the only user role that can access and use the selective purge feature Cannot manage mail sources Can access all other Customer Administrator features within Email Archiving When using the Archive Add In, Archive Compliance Officers are restricted to just their own email account. The same is true for Customer Administrators and all other user roles. 44 McAfee SaaS Email Archiving Administration Guide
13 Exporting messages You can download one or more of the messages that you find in a search and view them in an email client. When you export messages, they are compressed in a.zip file. Messages can be exported from either the Results panel or the Message view. Contents.zip file guidelines Viewing.eml files Export messages.zip file guidelines The rules that govern the.zip file you download when you export messages determine the total file size, the emails included, how the email files are named, and the format of the emails. The total size of the file you download cannot be larger than 1 GB. If your result set is larger, you should refine your search criteria and limit your results. At download, the system re runs your original search. As a result, the set of messages in the.zip file may differ from your initial results due to changes in the archive. Messages are stored as.eml files. Each file name matches the message's unique Archive ID. The format of each email varies by your user role: The User role receives the original message. The Customer Administrator role receives the envelope journal as well as the original message which is included as an attachment. A.zip file utility is required for extracting the email files. Viewing.eml files The email files you download from Email Archiving use the.eml file format and require a compatible email client. McAfee recommends Microsoft Outlook Express or a recent version of Microsoft Outlook. McAfee SaaS Email Archiving Administration Guide 45
13 Exporting messages Export messages Table 13-1 Email clients for viewing.eml files Operating System Suggested Email Clients include... Mac OS Microsoft Outlook 2011 Apple Mail Mozilla Thunderbird Windows Microsoft Outlook 2010 Microsoft Outlook 2007 with KB 956693 For more information, go to http://support.microsoft.com/kb/956693 Microsoft Outlook Express Microsoft Windows Live Mail Mozilla Thunderbird Linux Mozilla Thunderbird Export messages You can download email messages from the archive and view them in your email client. This option is available from both the results panel (for multiple messages) and the message view (for individual messages). Before you begin You will need the following: A.zip utility to extract the email messages once they are downloaded An email client that is capable of viewing.eml files 46 McAfee SaaS Email Archiving Administration Guide
Exporting messages Export messages 13 Task For option definitions, click Help in the interface. 1 Run a search in the Criteria panel. 2 Do one of the following to select messages for download. Option Export All from the Results panel Definition Click Export Export All to download all of your search results. Export Selected from the Results panel Click the checkbox for each messages and click Export Export Selected to download select search results. Export from the Message view Double click the message, or select the message and click Preview. Then, click Export to download the individual message. A dialog box appears in your browser. 3 Follow your browser's instructions to Open or Save the file. The file is saved on your local system. 4 Locate the file and open it using your.zip utility. The.zip file and contents display. 5 Extract the messages from the.zip file and save them to a folder. The individual messages are now stored on your local system. From here you can now open and view messages in your email client. McAfee SaaS Email Archiving Administration Guide 47
13 Exporting messages Export messages 48 McAfee SaaS Email Archiving Administration Guide
14 Setting retention for groups Retention rules can be created for and applied to specific groups of users in Email Archiving. This provides you with a more granular means of meeting your compliance requirements than the default rules you set for global retention. Things to keep in mind: Groups are managed on the Account Management tab. You should create new groups in Account Management that are specifically for group retention rather than reusing existing groups. When a user is a member of more than one group, the longer retention length applies to that user. Changes to group retention go through the same approval process that you use to set up storage in Email Archiving. You must be a partner, customer, group, or support administrator to make changes. Create a group and add group retention Use the Groups feature in Account Management to create group retention rules for users in Email Archiving. Task For option definitions, click Help in the interface. 1 Select Account Management Groups. 2 Click New to open the New Group window. 3 Type a Group Name, click Save. 4 Select the group name and click Edit to open the Edit Group window. 5 Select Members and add users to the group. 6 Click Apply. 7 Select Email Archiving and select the retention length. 8 Click Apply. The new retention length applies to all members of the group. McAfee SaaS Email Archiving Administration Guide 49
14 Setting retention for groups Create a group and add group retention 50 McAfee SaaS Email Archiving Administration Guide
15 Managing Legal Hold Enabling legal hold for messages in the archive prevents your messages from being deleted from the system once they have reached their expiration date. Contents How Legal Hold works Enabling and disabling Global Legal Hold Adding and deleting user-specific legal holds How Legal Hold works Placing a legal hold on your archive allows you to retain all of your email messages for as long as the hold is enabled. In Email Archiving, email messages are typically stored in the archive until they reach their expiration date at which point they are permanently deleted. The amount of time a message is stored before it expires is set by the archive retention length in Account Management and this time period applies to all customer messages. By selecting the Enable Global Legal Hold option or applying legal hold to specific users, you can override this process and retain your messages, including expired messages, indefinitely. This can be particularly useful to companies or large organizations that need to ensure that they are in full compliance with regulations covering the retention of their email communications for legal purposes. Conversely, when you remove the legal hold the normal purge process is restored based on all of the previous expiration dates. This means that all of your expired messages, including those that expired while on legal hold, will be automatically deleted during the next purge process. For more information on setting the archive retention length, see the Account Management Help. Enabling and disabling Global Legal Hold You can apply a legal hold to all users by enabling global legal hold. Contents Enable Global Legal Hold Disable Global Legal Hold McAfee SaaS Email Archiving Administration Guide 51
15 Managing Legal Hold Adding and deleting user-specific legal holds Enable Global Legal Hold Apply a legal hold to all users in the archive. If the purge process is currently running, enabling global legal hold will only save those messages that have not yet expired. Task For option definitions, click Help in the interface. 1 Select Email Archiving Setup Legal Hold. 2 Under Global Legal Hold, select Enable Global Legal Hold. The Legal Hold alert message appears. 3 Click Yes to confirm the change. Global legal hold is now active. Expired messages will not be deleted from the archive. Disable Global Legal Hold Remove Global Legal Hold to resume the normal expiration and deletion of messages. Messages that are deleted cannot be restored. Task For option definitions, click Help in the interface. 1 Click Email Archiving Setup Legal Hold. 2 Under Global Legal Hold, deselect Enable Global Legal Hold. The Legal Hold alert message appears. 3 Click Yes to confirm the change. Global legal hold is now inactive. Expired messages will remain in the archive until the next delete cycle. Adding and deleting user-specific legal holds In addition to the global legal hold that applies to all users, you can also create user specific legal holds that apply to just the users you select. You should avoid creating user specific legal holds that apply to new users with a large number of existing email messages. It can take several days for the system to identify all of the user's email messages and in the meantime some messages may remain subject to normal expiration and deletion. If you are applying a user specific legal hold to one or more new users, you should consider: Enabling Global Legal Hold to prevent message expiration for all users. Using Directory Integration to synchronize your user accounts. Contents Add a new user-specific legal hold Update a user-specific legal hold Delete a user-specific legal hold 52 McAfee SaaS Email Archiving Administration Guide
Managing Legal Hold Adding and deleting user-specific legal holds 15 Add a new user-specific legal hold Create a new user specific legal hold to manage user emails affected by a particular incident. Select the specific users you want included. Before you begin You must create all of your users and their aliases in Account Management before applying a user specific legal hold. Consider using Directory Integration to keep your user information up to date. Make sure that your users have been in the system for at least 30 days or consider enabling Global Legal Hold instead. You can create up to 16 user specific legal holds. Each user specific legal hold is limited to 128 users. Task For option definitions, click Help in the interface. 1 Select Email Archiving Setup Legal Hold to view the legal hold options. 2 Under User specific Legal Holds, click New to open the Legal Hold window. 3 Enter a unique name for the legal hold action to help identify it. 4 Enter a description that provides additional details. 5 Use the filter to search for specific users or groups. When you have a very long list of email addresses you can filter the list using part of a name or a domain name. a b Enter your search string. Click Apply to view the results in the Available Users list. 6 Select one or more email addresses from the Available Users list. 7 Click Add. You can apply new filters to find additional users and continue until you've populated the Selected Users list with all of the users you need for the legal hold action. 8 Click Save. The new legal hold action is added to the list and applied to the users you selected. Update a user-specific legal hold Update an existing user specific legal hold to make changes to the name and description, or add and remove users from the list. Before you begin You must create all of your users and their aliases in Account Management before applying a user specific legal hold. Consider using Directory Integration to keep your user information up to date. McAfee SaaS Email Archiving Administration Guide 53
15 Managing Legal Hold Adding and deleting user-specific legal holds Make sure that your users have been in the system for at least 30 days or consider enabling Global Legal Hold instead. You can create up to 16 user specific legal holds. Each user specific legal hold is limited to 128 users. Task For option definitions, click Help in the interface. 1 Select Email Archiving Setup Legal Hold to view the legal hold options. 2 Under User specific Legal Holds, select the legal hold you want to update from the table. 3 Click Edit to open the Legal Hold window. 4 Make changes as necessary. Update the name and description. Add or remove users. 5 Click Save. The legal hold action is updated and applied to the users you selected. Delete a user-specific legal hold Remove a user specific legal hold that is no longer required for legal purposes. Task For option definitions, click Help in the interface. 1 Select Email Archiving Setup Legal Hold to view the legal hold options. 2 Under User specific Legal Holds, select the legal hold you want to delete from the table. 3 Click Delete. 4 Click Yes to confirm the deletion. The legal hold is deleted and no longer applies to the selected users. 54 McAfee SaaS Email Archiving Administration Guide
16 Generating reports Reports in Email Archiving provide detailed information on specific Customer Administrator activities. The contents of a report include information for the current month as well as the 30 days prior. You can use reports to: Identify searches that might be useful but were not saved by the administrators who ran those searches. Identify potential problem areas in your mail service from the types of searches performed. Identify any abuse of the message search capabilities. Contents Run a report Filter a report View report details Download a report Run a report Running a report provides you with detailed information on a specific Customer Administrator activity. Task For option definitions, click Help in the interface. 1 Select Email Archiving Reports. The Available Reports tab displays the list of reports. 2 Select a report by doing one of the following. Select the title of the report and click Run. Double click the title of the report. The report displays in a new tab with the name of the report in the tab title. Filter a report Use the filter options to limit a report to include just the information you need. Before you begin Run a report from the Available Reports tab. McAfee SaaS Email Archiving Administration Guide 55
16 Generating reports View report details Task For option definitions, click Help in the interface. 1 Complete at least one of the filter options: Email Address IP Address Date Range 2 Click Filter. The Results panel updates with the refined report content. View report details Use report details to view additional information for each entry, including the specific details of searches. Before you begin Run a report from the Available Reports tab. Select an entry in the report and click Preview. Double click an entry in the report. The details appear in a new window. Download a report You can save the results of a report to your hard drive as a.csv file. Before you begin Run a report from the Available Reports tab. Task For option definitions, click Help in the interface. 1 Click Download in the Results panel. A dialog box appears in your browser. 2 Follow your browser's instructions to open or save the file. The.csv file can now be opened in Microsoft Excel. 56 McAfee SaaS Email Archiving Administration Guide
17 Download the Archive Add-in The Archive Add in is a Microsoft Outlook plug in that you download and install on your computer. Once installed, It allows you to search your personal email archive directly from Outlook. Visit the McAfee site to find download information and installation instructions for the Archive Add in. Go to the SaaS Email Archiving Add in for Microsoft Outlook page at http:// www.mcafee.com/us/downloads/saas/archive addin.aspx. McAfee SaaS Email Archiving Administration Guide 57
17 Download the Archive Add-in 58 McAfee SaaS Email Archiving Administration Guide
18 Frequently asked questions Here are answers to frequently asked questions. Control Console Access How do I access the Email Archiving Control Console Web site? Your welcome email contains all the information needed for you to access the Control Console. I am new to the company and don't have my predecessor's user name and password to the Control Console. How can I gain access to the system? You must have the primary or technical contact listed on your company's Service Order Form create a new account or grant you access to an existing account. These individuals can also contact customer support for assistance. Why does my browser connection time out? Your browser connection might time out for a variety of reasons: Your network connection dropped because of inactivity. Your computer timed out because of inactivity. Your browser timed out because of inactivity. When your browser connection times out, you simply need to sign back in. Setup and System What is the largest email that can be archived? Currently the maximum size is 50 MB. Any message that exceeds this size may not be archived. How often does Email Archiving move messages from my server into the archive? The short answer is that your server is pulled several times an hour as often as every few minutes. However, the main constraint to import frequency isn't how often Email Archiving is able to poll your server, but how often your server is available to be polled. During a pull attempt, Email Archiving imports every message that exists in the journal mailbox at the moment the pull attempt began. While this is occurring, more messages arrive in the journal mailbox, but they will not be imported until the next attempt. The time it takes to download available messages depends on your organization's mail volume, server load, server performance, and your available upstream bandwidth. For example, if there are only a few messages to import each time Email Archiving polls your server, you would see very frequent pull attempts, perhaps more than one attempt per minute. On the other hand, if you have very high message volume, Email Archiving constantly connects to your system, downloads email until all messages have been imported, closes down the McAfee SaaS Email Archiving Administration Guide 59
18 Frequently asked questions connection, and then seconds or minutes later starts the process over again. In this case, you would see many fewer polls but nearly identical performance (that is, messages arriving into the archive in a timely manner). Can the import interval be adjusted separately for each mail source? The interval cannot be adjusted, but a Quiet Period can be defined to prevent imports during a specified window. Can only certain users be set up for Email Archiving? Email Archiving imports all mail present in any journal mailbox defined as a mail source within Email Archiving. Therefore, you may be able to limit what users are journaled by putting them in separate Microsoft Exchange databases: one with journaling enabled and one without journaling. Microsoft Exchange Server 2007 premium journaling contains more detailed journaling filters. Please consult your Exchange Administrator or Microsoft for more information on taking advantage of this functionality. How do I import old emails into the email archive? Export all your historical data to.pst format and note the total size of the.pst files. Sign a historical data hosting agreement with your sales representative. You will receive further instructions on how to proceed after your order is processed. What happens to Email Archiving if my mail server goes into disaster recovery? Email Archiving will not be able to pull messages until the mail server comes out of disaster recovery mode. What happens if Email Archiving loses the connection to my email server while messages are being imported? If the connection breaks, the message that was interrupted will remain on your server until the next import attempt. The partially imported message is discarded and is not committed to the archive. Searching How do I view archived messages? Sign on to the Control Console. If you have more than one service, make sure you are viewing the Email Archiving portion of the Control Console. Select Archived Messages, then select New. Enter at least one search criteria and either select Run or press the Enter key. How can I retrieve an image that was attached to a message? After you have retrieved and opened the message, click on the attachment to download it. When I single click an archived message in the search results window, why don't I see the email message? he preview pane is minimized. Click the double headed arrow in the lower right side of the window to open the preview window or simply double click on the message to open it in a new window. How do I view Bcc recipients? You must be a Customer Administrator to view envelope metadata, which includes Bcc information. Bcc recipients can be viewed by exporting a message and viewing the journal report body, which contains an exhaustive list of all recipients. What is the maximum number of messages that are returned and displayed when performing a search? As many that match the search criteria. How much data can be exported at a time? 1 GB. An employee has left the company and I want to remove their account and/or old emails from the archive system. How is this done? 60 McAfee SaaS Email Archiving Administration Guide
Frequently asked questions 18 Arbitrarily deleting messages prior to the maturity of the retention period is forbidden. This intentional limitation makes the archive tamper proof. What type of Exchange journaling is required for Email Archiving to function properly? Email Archiving uses Envelope Journaling. This method allows archiving of P1 message headers (envelope headers) which includes information about the recipients, CC, BCC recipients and recipients from distribution groups. Data Retention What happens after the retention period expires? When a message ages past its retention period, it is permanently deleted from the archive. What's the difference between Journaled and Historical data? Journaled data refers to messages that are automatically generated by the customer's mail server to a journal pickup mailbox for archiving (per the start date of the Agreement). Historical data includes messages created prior to the start date of the Agreement as well as messages that were not journaled as of the start date of the Agreement. Does a Customer Administrator have access to a user's archived email if the user has been deleted from the company's Active Directory and the mail servers? Yes. Customer Administrators can search on, open, and export a deleted user's messages. McAfee SaaS Email Archiving Administration Guide 61
18 Frequently asked questions 62 McAfee SaaS Email Archiving Administration Guide
19 Troubleshooting Common problems and recommended solutions. Contents Troubleshooting connectivity errors Common error messages Issues with Exchange Server journal mailbox Issues with historical mail sources A known limitation in Exchange Server 2003 affects historical data Troubleshooting connectivity errors Descriptions of and solutions for connectivity errors. Email Archiving could not open a socket to retrieve mail on the target mail source. This may be because the specified host cannot be located. McAfee SaaS Email Archiving Administration Guide 63
19 Troubleshooting Troubleshooting connectivity errors Cause An error was encountered when attempting to connect to the mail server. The error might occur because of one of the following reasons: The server name specified in the mail source configuration may be incorrect. The mail server might not have an open port for the IMAP or POP3 communication. The IMAP or POP3 port on the mail server might be different than that entered on the Mail Sources window. A firewall might be blocking the Email Archiving from connecting to the mail server's IMAP or POP3 port. POP3 or IMAP services might not be running on the mail server. Solution 1 If a server name has been entered, check that the name has been entered correctly and has been administered on the customer's DNS server. 2 If an IP address has been entered in the Server Name field, check that the address is correct for the mail server. 3 If the server name or IP address has been entered correctly, check that the IMAP or POP3 port is enabled and open in the customer mail server. 4 If one or more firewalls are in place, ensure that the IMAP or POP3 port is open for Email Archiving (refer to your Activation Guide for the IP address range of Email Archiving servers). 5 Check to see if the protocol and port combination specified on the Mail Sources window matches what is running on the target server. The default port number for both POP3 and IMAP is different when SSL is selected for the connection. The default port number for both POP3 and IMAP is different when SSL is selected for the connection. 6 Check to make sure the proper protocol, IMAP or POP3, is running on the mail server. 7 Contact Customer Support if the server name or IP address has been correctly identified and the IMAP or POP3 ports are correctly administered on the firewall, mail server, and Mail Sources window. Email Archiving could not complete the authentication when connecting to the mail source server. The most likely causes of this are an incorrect mailbox user name or password. Cause The user authentication step failed, probably because of an incorrect mailbox user name or password. Solution Check the mail server to verify the mailbox user name and password are correct. Email Archiving detected a protocol error. Cause Email Archiving detected a protocol error, such as an unexpected use of POP3 or IMAP. Solution Confirm that the mail server supports the protocol identified on the Mail Sources window for the specific port on the Mail Sources window. If the protocol is properly supported by the mail server for the designated port, contact Customer Support. 64 McAfee SaaS Email Archiving Administration Guide
Troubleshooting Troubleshooting connectivity errors 19 The mail server reported an error condition or failed to respond in a timely manner. Cause The mail server reported an error condition or failed to respond in a timely manner (which is typically around 60 seconds). Solution Check an error log, for example the event log, on the mail server to see if an error occurred. Email Archiving received a "lock busy" response from the mail server when attempting to authenticate. Cause Email Archiving received a "lock busy" response from the mail server when attempting to authenticate. There might be a problem with your mail server. Solution 1 Try connecting again in a few minutes. 2 If you get an error again, confirm that your server is operating correctly. You might need to contact your vendor s technical support. Email Archiving encountered an error during an initial DNS lookup and could not connect. Cause Email Archiving encountered an error during an initial DNS lookup and could not connect. Solution 1 Check that the server host name is valid. 2 If the server host name is valid, contact Customer Support. The mail server is busy. Cause The mail server returned a busy indication. Solution 1 Try again in a few minutes. 2 If you get an error again, confirm that your mail server is operating correctly. You might need to contact your vendor's technical support. Start Time/Stop Time: Invalid Time (A red box appears in the window which states the Incorrect time and "Invalid Start Time") Cause One or more of the times in the Quiet period do not form a proper time range or the times are not in proper military time. Solution Make sure the Start time is earlier than the Stop time. value is not a valid IP address or domain name, element: server_host, value=[] Cause The IP address or the Server Name is incorrect. Solution 1 Check that the address is correct for the mail server. 2 Contact Customer Support if the server name or IP address has been correctly identified. Internal error code 5. Contact Customer Support. Internal error code 6. Contact Customer Support. McAfee SaaS Email Archiving Administration Guide 65
19 Troubleshooting Common error messages Internal error code 8. Contact Customer Support. Internal error code 10. Contact Customer Support. Internal error code 12. Contact Customer Support. Common error messages Understand and troubleshoot common error messages. This field is required. (All the required fields encased with a red border indicating that these are required fields) Cause One or more required fields are lacking an entry. Solution Check that you have entries in the fields outlined in red. Unable to search mail. Connection to Email Archiving server failed. If the problem persists, please contact your archiving administrator. Cause The Email Archiving could not retrieve data from the Email Archiving server for one of the following reasons: The connection was down. A Email Archiving server process encountered an error. The request for data was corrupted. Solution 1 Try the request again in a few minutes. 2 Contact Customer Support Unable to search mail. Message size upper range value must be numeric. Cause During a message size search, the "Between" option was chosen but only the lower value in the range was given. Solution Enter both the lower and upper values to define the search range. Invalid request (must have an id, scope and message_id) Cause When opening a message, the sign in session timed out. Solution 1 Sign in again and retrieve the message again. 2 Contact Customer Support Connection to Email Archiving server failed. If the problem persists, please contact your archiving administrator. Cause The connection to the Email Archiving server failed to retrieve the message data for viewing. Solution 1 Try the request again in a few minutes. 2 Contact Customer Support Your session has expired, please sign in again. 66 McAfee SaaS Email Archiving Administration Guide
Troubleshooting Issues with Exchange Server journal mailbox 19 Cause Your browser's connection has timed out for one of a variety of potential reasons: Your network connection dropped because of inactivity. Your computer timed out because of inactivity. Your browser timed out because of inactivity. Solution Sign into the Control Console again. Unable to export mail. Connection to Email Archiving server failed. If the problem persists, please contact your archiving administrator. Cause The Email Archiving could not retrieve data from the Email Archiving server for one of the following reasons: The connection was down. A Email Archiving server process encountered an error. The request for data was corrupted. Solution 1 Try the request again in a few minutes. 2 Contact Customer Support. Unable to export mail. Attempting to export [] Mb. Max export size is 1 GB. Cause The total size of all the messages included when you tried to export messages exceeded 1 GB. Solution 1 Change your search so that fewer messages are listed before you export messages. 2 Use the Export Selected option instead of Export All so you can export fewer messages at a time. Issues with Exchange Server journal mailbox Troubleshoot journal mailboxes. The journal mailbox is never empty. There are several reasons why your journal mailbox may never completely empty: 1 Messages arriving in the journal mailbox during an archive session will not be processed until a future archive session. 2 Messages larger than 50 MB are left in the journal mailbox indefinitely because the maximum message size is 50 MB. 3 Messages that are improperly formatted cannot be archived, and are subsequently left in the journal mailbox. Improperly formatted messages can occur for various reasons, including: Journaling is not configured properly. Messages are sent directly to the journal mailbox (bypassing the journal function). Messages are copied directly to the journal mailbox. McAfee SaaS Email Archiving Administration Guide 67
19 Troubleshooting Issues with historical mail sources 4 The number of journaled messages is greater than the maximum number of messages that can be imported during a single archive session. 5 Large messages may be imported at night because the necessary network and server resources are typically more available at night. Issues with historical mail sources Troubleshoot Historical mail sources. When historical data storage is exceeded. When you exceed your Historical Data Storage Limit, the historical mail source becomes inactive. This results in the following events: The historical mail source is no longer displayed on the Overview window. The Mail Sources window shows the historical mail source as inactive. The Mail Source configuration window for the historical mail source shows the Active checkbox as deselected. A known limitation in Exchange Server 2003 affects historical data A limitation exists in Exchange Server 2003 and earlier versions that might cause some messages to remain effectively invisible to users in Email Archiving. This issue specifically affects customers who are using SaaS Email Archiving Historical Data Hosting with historical data that originated from Exchange Server 2003 or earlier. In these instances historical data is imported without the SMTP address information which is needed for associating email messages to user accounts. What can cause missing SMTP address data? Some historical messages do not contain SMTP address data for email recipients which can resulting in possible side effects, including: Affected messages do not associate to users because X.400 addresses, instead of SMTP addresses, are present in the message header. SMTP addresses are required by Email Archiving for user association to occur. Customer Administrator or Compliance Officer role archive searches by SMTP address will not work because SMTP addresses are not present in the original message and therefore cannot be indexed. This issue does not prevent messages from being archived so affected messages can be located by other search criteria. There are two scenarios where messages might be missing SMTP address data: An internal recipient sends a message to one or more other internal recipients and the data is later exported using.pst export (using Outlook or EXMERGE). This is because exporting to.pst format does not force Exchange to perform an X.400 to SMTP address translation. An internal recipient sends a message to one or more other internal recipients and the data is imported into Email Archiving using IMAP or POP, but the internal participant's Active Directory account is no longer present. As a result, the X.400 to SMTP address mapping cannot take place. 68 McAfee SaaS Email Archiving Administration Guide
Troubleshooting A known limitation in Exchange Server 2003 affects historical data 19 These early versions of Exchange rely primarily on X.400 addressing and SMTP addressing is only used for messages that traverse the SMTP, POP, or IMAP services. Therefore, internal messages exported to.pst format do not translate to SMTP addressing and messages for users that no longer exist in the Active Directory cannot be mapped to their SMTP addresses. Workaround for historical data imports If you are importing historical data into Email Archiving from Exchange Server 2003 or earlier, be sure that: The email is exported to Email Archiving using POP or IMAP. Make sure that there is a valid Active Directory account account containing a matching X.400 address (to what is in the historical email), and at least one valid SMTP address for each user if you want user association or SMTP address searching. McAfee SaaS Email Archiving Administration Guide 69
19 Troubleshooting A known limitation in Exchange Server 2003 affects historical data 70 McAfee SaaS Email Archiving Administration Guide
20 User interface conventions The user interface for Email Archiving uses a common set of conventions for displaying information. Calendars For completing a date field from a calendar. Table 20-1 Calendar options Option Left Arrow Month and Year Selection Definition Navigates to the previous month. Click to select a month and year: Select a month. Select from the year range, or click the arrows to see the previous or next ten years. Click OK to complete your selection. Click Cancel to return to the main calendar display. Once you have selected your month and year you still need to click on a day to populate the date field. Right Arrow Day Selection Today Navigates to the next month. Click on a day of the month to select the day for the month and year you selected previously. Once selected, the calendar closes and the date field updates. Reverts your selection to the current date. This button is easily confused with an OK button. Table conventions For information displayed in tabular format. McAfee SaaS Email Archiving Administration Guide 71
20 User interface conventions Table 20-2 Table conventions Option Checkboxes Column Headings Paging Definition Select checkboxes to select one or more individual rows. Select the checkbox in the heading row to select or deselect all rows. Click on column headings to sort information. Select Sort Ascending to order from A to Z. Select Sort Descending to order from Z to A. Select Columns and click the checkbox for a column name to show or hide the column. Drag and drop the column heading to rearrange the display. Use the paging options to browse multiple pages of information. First Page button Displays the first page of data. Previous Page button Displays the previous page of data. Page x of y field Selects a particular page of data where x is the requested page and y is the total number of pages. Next Page button Displays the next page of data. Last Page button Displays the last page of data. Displaying a b of c Displays in the lower right of the table the number of individual results, where a is the starting numbered result on this page, b is the last numbered result on this page, and c is the total number of results on all pages. 72 McAfee SaaS Email Archiving Administration Guide
Glossary McAfee SaaS Email Archiving Administration Guide 73
Glossary 74 McAfee SaaS Email Archiving Administration Guide
Glossary Active Mail Source A mail source that is actively ingesting messages from a mail server. Archive See Archived Messages Archive Compliance Officer A specific role assigned to a user for the express purpose of purging messages from the archive. Archive Retention Length The length of time that messages should be retained in the archive. Archived Messages The searchable online repository where your messages are stored. Authentication Occurs when the mail source logs into your mail server using the Mailbox Username and Password. Connection Security The encryption option used for retrieving emails from your mail server. Connectivity The ability of the mail source to communicate with your mail server. Historical Data Storage Archive space allocated specifically for historical messages. Historical Limit The maximum amount of historical data you can store in the archive. Historical Messages Historical messages include email messages that were saved outside of the normal ingest process, but now need to be stored in Email Archiving. Ingest The process of copying email from your mail server into the archive. Journal Mailbox The journal enabled mailbox on your mail server. Journal Queue Emails on your server that are waiting to be added to the archive. Legal Hold A hold placed on the archive to retain messages past their expiration date for compliance and e discovery purposes. Mailbox Username The login for the mail server used by a mail source configuration. Mail Source The journal mailbox as it is defined in Email Archiving. The mail source allows the system to communicate with your mail server for message ingest. McAfee SaaS Email Archiving Administration Guide 75
Glossary Message Format The format of the email based on the mail server where it was originally stored. Usually a version of Exchange. Messages Email messages imported into Email Archiving. Msgs See Messages Nickname A unique name assigned to a mail source for easy identification. Poll A periodic check of the mail server by Email Archiving to identify email that is ready for ingest. Port The TCP port number of the journal mailbox on the email server. Protocol The protocol that the mail server supports. Typically IMAP. Purge The process for deleting select messages from the archive. Queue See Journal Queue Quiet Period Scheduled time during the day when Email Archiving should not ingest email messages from the mail server. Retention See Archive Retention Length Server Name The IP address or hostname of your mail server. Status A colored icon that describes the ability of your mail source to connect and ingest messages. 76 McAfee SaaS Email Archiving Administration Guide
Index A About this guide 5 Audience 5 C Conventions 5 F Find documentation 6 W What's in this guide 6 McAfee SaaS Email Archiving Administration Guide 77
SEWS-ARC-AG-7.0-00