ARCHIVING TECH BRIEF: ACTIVE DIRECTORY INTEGRATION



PROOFPOINT.COM : 1 866 366 3668

How does the Proofpoint Archiving Appliance integrate with Active Directory?

The Proofpoint Archiving Appliance (see Tech Brief on the Proofpoint Archiving Appliance) uses a Windows account (that you provide) to log in and retrieve user and group membership information. This information is used to authenticate user names and passwords for the user interface. It is also used to resolve the email addresses contained in messages back to the actual Active Directory user accounts. With this information, Proofpoint ARCHIVE can effectively allow access by individual users to their mail without having to maintain separate user accounts or email address/user account relationships.

Are schema changes required in Active Directory?

No. To support permissions, Proofpoint looks for standard Active Directory groups with predefined names, such as “Proofpoint Archive Search Users”. Users are granted access to various features simply by adding them (or a group that they belong to) to one of these groups.

Does Proofpoint require separate user account management for access to the archive?

No. Users log into the Proofpoint web-based interface with their standard Active Directory user name and password. Most permissions are controlled by adding a user to one of the eleven named Active Directory groups (see Tech Brief on User Access and Permissions). Some additional permissions, such as granting access to search through additional mailboxes, can be configured within the Proofpoint user interface.

Does Proofpoint automatically archive new mailboxes as they are created?

Yes. When the Proofpoint Archiving Appliance retrieves a message from Exchange, it connects to Active Directory to resolve email addresses back to the actual Active Directory user accounts. As a result, you never have to pre-configure Proofpoint to archive new mailboxes or email addresses.

How does Proofpoint handle messages sent to distribution lists?

When the Proofpoint Archiving Appliance retrieves a message from Exchange, it records who the message was addressed to. For messages sent to distribution lists, the system queries Active Directory to determine the actual recipients that received the message. Both the original address list (referencing the distribution list) and the “resolved” list of actual recipients are archived. For legal discovery purposes, you can search for these messages based upon the distribution list or any of the recipients.

How are policies and searches tied to users?

Both the policy engine and search capabilities are designed around Active Directory users, rather than email addresses. Searching for Active Directory users ensures that you get all of the results for internal people, without having to worry about which of the user’s SMTP aliases the message was sent by or to. You can also search for internal or external parties based upon SMTP email address, domain or display name criteria.

How does Proofpoint deal with users that are no longer in Active Directory?

On a nightly basis, the system gathers a list of all users that have a mailbox and records key information within the archive. As part of this process, the system determines which users are no longer in Active Directory by comparing the current list with the addresses previously synchronized. Throughout the user interface, whenever you are prompted to enter an Active Directory user, the system provides suggestions both from Active Directory and from the deleted users recorded within the archive. This allows you to easily search for former employees’ mail, as well as provide current employees with access to it.

What types of user groups are supported?

Proofpoint supports three types of user groups for policy definition and searching: Roles, Departments and Partners. Roles represent groups of internal people that share the same job function. Departments are groups of internal people that belong to the same division. Roles and Departments can contain lists of Active Directory users or references to one or more Active Directory groups. Partners are groups of external parties such as Auditors, Customers or Resellers. Partners can be defined as a list of SMTP email addresses or domains.

Does Proofpoint automatically synchronize Active Directory groups?

Yes. An automated process that runs on the Proofpoint Archiving Appliance synchronizes any Active Directory group that is referenced in a Role or Department. As a result, you don’t have to maintain two different sets of user groups.

Do I have to define user groups within Active Directory?

No. While you can leverage Active Directory groups that are relevant for policy definition and search purposes, Proofpoint ARCHIVE also allows you to independently define Roles or Departments within the Proofpoint user interface.


ARCHIVING TECH BRIEF: ARCHIVING APPLIANCE

Proofpoint ARCHIVE is the only on-demand email archiving solution that combines the control and privacy of an in-house solution with the benefits of an outsourced solution. Using our DoubleBlind Encryption™ technology, your data resides in encrypted format on the Proofpoint Network. As part of the Proofpoint solution, you also deploy the Proofpoint Archiving Appliance within your corporate network behind your firewall.

What is the Proofpoint Archiving Appliance and what does it do?

The Proofpoint Archiving Appliance is a sealed fixed-purpose server (in standard 1U rack mount form) that is installed within your corporate network to provide the tight integration and security typically only afforded to internal systems. At the same time, the vast majority of search processing and all of the storage is maintained on the Proofpoint Network, reducing overhead and maintenance headaches.

The Proofpoint Archiving Appliance provides integration with Microsoft Exchange to ensure reliable, native format message archiving. Its integration with Active Directory facilitates unified login and access control management. The Proofpoint web-based user interface (where authorized users perform searches) is provided on the Proofpoint Archiving Appliance for fast, local response times. Finally, as the Proofpoint Archiving Appliance is the only holder of your encryption keys used with the Proofpoint DoubleBlind Encryption (see Tech Brief on DoubleBlind Encryption), any processing that involves encryption or decryption happens on the Proofpoint Archiving Appliance.

How does the Proofpoint Archiving Appliance integrate with Exchange?

Microsoft Exchange features a capability called journaling. When enabled, a pointer to any message that is sent or received through Exchange is added to the journaling mailbox. At configurable time intervals, the Proofpoint Archiving Appliance uses MAPI calls (and a user account that you provide) to log in to Exchange and access the journaling mailbox, in exactly the same way that Outlook accesses a user’s mailbox. If there are messages in the journaling mailbox, the Proofpoint Archiving Appliance divides them into batches, creates a subfolder for each batch of messages and moves the message references into the folders.

The batches are then processed by the Proofpoint Archiving Appliance with DoubleBlind Encryption applied and submitted to the Proofpoint Network for archival. Periodically the Proofpoint Archiving Appliance requests confirmation from the Proofpoint Network that the batch has been fully processed. Upon confirmation, the batch folder is removed from the journaling mailbox.

How does the Proofpoint Archiving Appliance integrate with Active Directory?

The Proofpoint Archiving Appliance uses a Windows account (that you provide) to log in and retrieve user and group membership information. This information is used to authenticate user names and passwords for the user interface. It is also used to resolve email addresses and distribution lists back to the actual Active Directory user accounts. With this information, the Proofpoint Network can effectively allow access by individual users to their mail without having to maintain separate user accounts or email address/user account relationships.

How is information sent to the Proofpoint Network?

All data is processed on the Proofpoint Archiving Appliance, and fully encrypted before it is transmitted to the Proofpoint Network. This data is further secured in transit over a secure HTTP connection, using 128-bit SSL encryption. The encryption of the content and the transfer protocol allow for data to flow over the public Internet. For added security, you may configure router/firewall rules to constrain which IP addresses the Proofpoint Archiving Appliance can talk to.

How does the Proofpoint Archiving Appliance scale?

The Proofpoint Archiving Appliance is designed to horizontally scale to meet the largest of enterprise needs. In most environments, a single Proofpoint Archiving Appliance easily services the archiving and search requirements of all of the mailboxes on an Exchange server. Adding additional appliances will increase capacity, with multiple appliances pointing to the same email archive for unified search and discovery across the enterprise. An up-front assessment based on the number of users and simultaneous access user requirements will determine each customer’s set-up.


What impact does the Proofpoint Archiving Appliance have on the corporate network traffic?

Depending on how much email is generated within your organization, there may be a slight increase in your outbound corporate traffic. However, the Proofpoint Archiving Appliance applies compression and provides you with the capability to control when email is sent to the Proofpoint Network.

What impact does the Proofpoint Archiving Appliance have on Exchange Server load?

According to Microsoft, enabling journaling adds about 15% to the load on the Exchange server. Retrieving the messages from the journal is similar to having an additional user accessing their own mailbox, albeit a highly active user. All told, you can expect to see a 20% increase in load on your Exchange server with Proofpoint in place (as compared to a system without journaling enabled).

With all of the mail archived, however, you may find it easier to enforce tighter restrictions on how much mail or how long mail can be stored within users’ mailboxes. As Exchange performance is highly related to the size of the message stores, the performance gains from tighter restrictions may exceed the load created from the journaling/archiving process.

What happens if the Proofpoint Archiving Appliance fails?

The only data that resides on the Proofpoint Archiving Appliance is your set of encryption keys. While we encourage you to back up the keys internally, Proofpoint also partners with an escrow service to maintain a copy of them on your behalf.

In the event of a Proofpoint Archiving Appliance failure, Proofpoint will ship you a replacement unit within 36 hours. When it arrives, you simply replace the defective unit and enter the encryption keys. Because the data is never removed from the batch folders within the journaling mailbox until the Proofpoint Network confirms that the batch has been fully archived, even messages that were in transit at the point of failure are safe. Any new items added to the journaling mailbox while the Proofpoint Archiving Appliance is out of commission simply stay within Exchange until the new unit is operational.

How secure is the Proofpoint Archiving Appliance?

The Proofpoint Archiving Appliance runs Microsoft Windows Server 2003, which is one of the most secure versions of Windows available. Security experts have designed the server hardening practices we perform on the Appliance. Services that are unnecessary for the Appliance to function are disabled. Proofpoint also employs TCP/IP filtering to block access to all ports the Appliance does not need. There is only one logon for the Appliance, and NTFS permissions secure application files and folders.

How is the Proofpoint Archiving Appliance updated?

The appliance is configured to accept critical Windows Updates automatically. Proofpoint can also push updates to the appliance as necessary.

How is the Proofpoint Archiving Appliance monitored and maintained?

Proofpoint personnel monitor the Appliance’s reporting patterns and use that information to diagnose issues and remedy problems.

ENTERPRISE ARCHIVE BRIEF: DISCOVERY SEGMENTATION

What is Discovery Segmentation?

In large organizations, legal discovery activities are often the responsibility of individual business units, agencies or divisions. Many share email infrastructure and an archive across the organization. Each legal team, however, should only be able to access the data related to the divisions for whose legal matters they are responsible. Proofpoint’s Discovery Segmentation feature allows customers to logically segregate archived data based on a division value. Designated users can then manage both search and legal hold tasks against data belonging to that division.

Why is Discovery Segmentation Important?

Discovery Segmentation can be valuable to legal team members in order to ensure that only relevant business unit data is searched in responding to discovery requirements.

However, in industries such as professional services or legal, the requirements to maintain separation between distinct business units can be rigorous. For example, professional services firms may be engaged in both advisory and audit units, where the ability to maintain walls between units is necessary to protect the privacy of sensitive client information.

Additionally, multi-national organizations may find Discovery Segmentation is an important feature to ensure that distinct geographic entities are managed in accordance with their respective regulations and data privacy laws.

How is data assigned to the appropriate segment?

Discovery Segmentation is achieved by identifying internal email participants during the archiving process and tagging the email with the divisions to which they belong. The tagging values will be preserved with the message in a separate logical repository within the archive.

As an example, a Discovery user (who belongs to the Proofpoint Archive Discovery Users group) will be limited to searching archived email that belongs to any of the divisions to which they have been granted access. Also, that discovery user will be limited to configuring legal holds to include data that is within their divisions.

What archiving functions can be segmented for Discovery?

Search and legal hold creation can be confined to the data tagged to specific divisions. The following features are used to take advantage of the new Discovery Segmentation functionality:

• Create custom division properties
• Configure a user to search one or multiple divisions
• Search the archive by multiple divisions
• Create legal holds associated with multiple divisions

Who can search within a specific division?

Three search roles are defined within the archive:

• Search user: with ability to search across a defined set of mailboxes;
• Discovery user: with ability to search across all archived mailboxes to which it has been granted access;
• Discovery admin: with ability to search across all archived mailboxes.

Support for Discovery Segmentation expands the access granularity offered to Discovery users by limiting search to only messages that belong to any of the divisions that they have been granted access to. Search rights for general search users and Discovery admins remain unchanged.

Delegated Administration is an optional extension to Discovery Segmentation. It allows you to delegate mailbox administration to local IT staff, ensuring that only local administrators can grant other users search access to local mailboxes. Implementing Delegated Administration involves defining one user management security group for each division, as well as assigning at least one user to an “all users” security group for managing those users who are not associated with a division. When determining how to handle Delegated Administration, keep in mind that security groups do not operate hierarchically. As a result, a user manager for a division needs to be part of both the Proofpoint User Managers security group (to be able to give privileges to users) and the Proofpoint <division_name> User Managers group for their division.

Who can create and manage legal holds within a specific segment?

Discovery Users can create legal holds on data in any of the divisions that they have access to.

Discovery Administrators can create legal holds against the entire archive, or any set of divisions.

Once a legal hold has been created, permissions to search within that legal hold can be assigned to any individual that has search rights (members of search users, discovery users or discovery administrators). No divisional restrictions are imposed when searching within a legal hold, to support the scenario where a paralegal is assigned responsibility for producing a complete data set for a given matter.

Will saved searches retain divisional properties?

Yes, saved searches will retain the divisional properties that were originally applied.



ARCHIVING TECH BRIEF: DOUBLEBLIND ENCRYPTION™

Proofpoint developed our unique DoubleBlind Encryption system to ensure absolute security and privacy of your critical business information.

What is DoubleBlind Encryption?

DoubleBlind Encryption is a patented technology that allows you to retain exclusive access to your data while outsourcing the archiving of your email. With this technology, Proofpoint guarantees security and privacy while still providing full search and discovery capabilities.

How does DoubleBlind Encryption work?

With DoubleBlind Encryption, Proofpoint maintains the data, but does not have the encryption keys. Your Proofpoint Archiving Appliance has the encryption keys, but does not maintain the data (see Tech Brief on the Proofpoint Archiving Appliance). The Proofpoint Archiving Appliance, which maintains your encryption keys, acts to encrypt information before it is sent to the Proofpoint Network. The data remains in encrypted form on the network since Proofpoint does not have the decryption keys.

What makes DoubleBlind Encryption unique is the ability to maintain the data in encrypted form, while still providing fully searchable access to it. The separation of the data and the keys means that information is only accessible when the two components come together. Proofpoint cannot see your data as we don’t have the keys. Someone that has access to the keys cannot see the data unless they have access to the Proofpoint Network. Messages are only decrypted when an authorized user conducts search and discovery using the web-based user interface on the Proofpoint Archiving Appliance.

How are the encryption keys generated?

The encryption keys are generated by your Proofpoint Archiving Appliance during the set-up process at time of installation within your corporate network.

What type of encryption is used?

While the exact process of DoubleBlind Encryption is proprietary, the core encryption system uses a combination of both 1024-bit asymmetric RSA and 192-bit symmetric TripleDES encryption.
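An added Go illustration of the key/data split the answers above describe, using the two stated primitives (a 1024-bit RSA key pair generated on the appliance side wrapping a fresh 192-bit TripleDES key per batch); this is not Proofpoint's proprietary process, and the batch contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedBatch is everything the hosted network (hypothetical here) stores:
// ciphertext plus a batch key wrapped to the appliance's RSA public key.
// Without the RSA private key, which never leaves the appliance, none of it
// can be read.
type EncryptedBatch struct {
	WrappedKey []byte // per-batch 3DES key, RSA-OAEP encrypted
	IV         []byte // CBC initialisation vector
	Ciphertext []byte // 3DES-CBC, PKCS#7-padded batch content
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptBatch is the appliance-side step: a random 192-bit TripleDES key
// encrypts the batch, and only the RSA public key is needed to wrap that key.
func EncryptBatch(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBatch, error) {
	key := make([]byte, 24) // three 64-bit DES keys = 192 bits
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...), block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte("batch-key"))
	if err != nil {
		return nil, err
	}
	return &EncryptedBatch{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptBatch only succeeds where the RSA private key lives: unwrap the batch
// key, then decrypt the content. Anyone holding just the stored batch fails.
func DecryptBatch(priv *rsa.PrivateKey, eb *EncryptedBatch) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, eb.WrappedKey, []byte("batch-key"))
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(eb.Ciphertext) == 0 || len(eb.Ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	out := make([]byte, len(eb.Ciphertext))
	cipher.NewCBCDecrypter(block, eb.IV).CryptBlocks(out, eb.Ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

func main() {
	appliance, _ := rsa.GenerateKey(rand.Reader, 1024) // generated at set-up, kept on the appliance
	batch, _ := EncryptBatch(&appliance.PublicKey, []byte("From: alice@example.test\r\nSubject: constructed sample\r\n"))
	fmt.Printf("network holds %d ciphertext bytes and a wrapped key, no plaintext\n", len(batch.Ciphertext))
	otherKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	_, err := DecryptBatch(otherKey, batch)
	fmt.Println("decryption without the appliance key fails:", err != nil)
}
```

Both primitives are considered legacy today (3DES is deprecated and 1024-bit RSA is below current minimum key sizes), so a design of this shape would now pair AES with a larger RSA key or an elliptic-curve key agreement.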

Are the search indexes encrypted?

Yes. All data is encrypted on the Proofpoint Archiving Appliance before it is transmitted. In this way, you can be assured that no one other than you – not even Proofpoint employees – can see the confidential information contained in your messages.

What happens if someone steals the Proofpoint Archiving Appliance?

The Proofpoint Network is configured to only accept requests from specific IP addresses. As part of the setup process, you provide Proofpoint with the IP address that is used when requests from your network present themselves. Typically this is the IP address of your firewall. If someone were to attempt to connect to the Proofpoint Network using your Proofpoint Archiving Appliance outside of your network, the Proofpoint Network would reject the request.

What if someone breaks into the Proofpoint Network?

While the Proofpoint Network is designed with the highest level of security, in the unlikely event of a breach, no data would be compromised as it is all maintained in encrypted form, with the encryption keys only stored at your location. Furthermore, redundant storage across multiple data centers and integral continuous data validation ensure that any block of data that has been tampered with will be automatically identified and restored to its true state.


ARCHIVING TECH BRIEF: EMAIL ARCHIVING PROCESS

Proofpoint’s on-demand email archiving solution offers complete data privacy in an easy-to-implement, easy-to-use application. Proofpoint ARCHIVE provides automated capture of all your internal and external electronic communications, allowing for real-time access to archived data for compliance, legal discovery and end-user productivity.

How does the Proofpoint email archiving process work?

Microsoft Exchange features a capability called journaling. When enabled, a copy of any message that is sent or received through Exchange is added to the journaling mailbox. At configurable time intervals, the Proofpoint Archiving Appliance uses MAPI calls (and a user account that you provide) to log in to Exchange and access the journaling mailbox, in exactly the same way that Outlook accesses a user’s mailbox. If there are messages in the journaling mailbox, the Proofpoint Archiving Appliance divides them into batches, creates a subfolder for each batch of messages and moves the message references into the folders.

The batches are then processed by the Proofpoint Archiving Appliance, DoubleBlind Encryption is applied, and messages are submitted to the Proofpoint Network for archival. Periodically the Proofpoint Archiving Appliance requests confirmation from the Proofpoint Network that the batch has been fully processed. Upon confirmation, the batch folder is removed from the journaling mailbox.

Can mail be lost if the Proofpoint Archiving Appliance or my network connection goes down?

Unlike other hosted solutions that rely on Exchange to push messages via SMTP, the Proofpoint Archiving Appliance pulls messages from the journaling mailbox. As such, in the event of an issue with the Archiving Appliance, messages simply queue in the journal mailbox until a replacement appliance is put into place. Messages that were submitted to Proofpoint for archiving that have not been confirmed remain in a folder within Exchange. Similarly, when your Internet connectivity goes down, messages being submitted during that time can also be reprocessed, ensuring the integrity of your archive. Because the data is never removed from the batch folders within the journaling mailbox until the Proofpoint Network confirms that the batch has been fully archived, even messages that were in transit at the point of failure are safe.
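The pull-and-confirm cycle described in this answer and in the appliance brief above, as an added Go simulation that is not Proofpoint's code: batch folders are deleted only after the network confirms them, so a lost submission, an outage or a replaced appliance results in a re-send rather than a gap, and the archive stays free of duplicates because it is keyed by message ID. The journal contents, message IDs and batch size are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Message is one journal item; ID stands in for the Exchange message identifier.
type Message struct{ ID, Subject string }

// Journal models the journaling mailbox: loose items in the root plus the
// batch subfolders the appliance creates. All of it lives inside Exchange.
type Journal struct {
	Root    []Message
	Batches map[string][]Message
	nextID  int
}

// Network models the hosted archive; batches wait in Pending until Process runs.
type Network struct {
	Pending   map[string][]Message
	Archived  map[string]Message
	Confirmed map[string]bool
	Online    bool // false simulates an Internet outage
}

func NewNetwork() *Network {
	return &Network{Pending: map[string][]Message{}, Archived: map[string]Message{},
		Confirmed: map[string]bool{}, Online: true}
}

func (n *Network) Submit(batchID string, msgs []Message) error {
	if !n.Online {
		return errors.New("network unreachable")
	}
	n.Pending[batchID] = msgs
	return nil
}

// Process is the network-side archival step. Storage is keyed by message ID,
// so a batch re-sent by a replacement appliance is stored once, not twice.
func (n *Network) Process() {
	for id, msgs := range n.Pending {
		for _, m := range msgs {
			n.Archived[m.ID] = m
		}
		n.Confirmed[id] = true
		delete(n.Pending, id)
	}
}

func (n *Network) IsProcessed(batchID string) bool { return n.Online && n.Confirmed[batchID] }

// Appliance holds only in-memory bookkeeping; a replacement unit starts empty.
type Appliance struct{ submitted map[string]bool }

func NewAppliance() *Appliance { return &Appliance{submitted: map[string]bool{}} }

// PullCycle is one appliance pass: fold root items into subfolders of at most
// size messages, submit unsent folders, delete only confirmed ones. Returns folders removed.
func (a *Appliance) PullCycle(j *Journal, net *Network, size int) int {
	if j.Batches == nil {
		j.Batches = map[string][]Message{}
	}
	for len(j.Root) > 0 {
		n := size
		if n > len(j.Root) {
			n = len(j.Root)
		}
		j.nextID++
		id := fmt.Sprintf("batch-%04d", j.nextID)
		j.Batches[id] = append([]Message(nil), j.Root[:n]...)
		j.Root = j.Root[n:]
	}
	ids := make([]string, 0, len(j.Batches))
	for id := range j.Batches {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	removed := 0
	for _, id := range ids {
		if !a.submitted[id] && net.Submit(id, j.Batches[id]) == nil {
			a.submitted[id] = true
		}
		if net.IsProcessed(id) { // a folder is deleted only after confirmation
			delete(j.Batches, id)
			removed++
		}
	}
	return removed
}

func main() {
	j := &Journal{Root: []Message{{"m1", "a"}, {"m2", "b"}, {"m3", "c"}}} // constructed journal
	net, unit := NewNetwork(), NewAppliance()
	fmt.Println("folders removed before confirmation:", unit.PullCycle(j, net, 2))
	net.Process()
	replacement := NewAppliance() // the first unit failed after submitting
	fmt.Println("replacement removed:", replacement.PullCycle(j, net, 2), "archived:", len(net.Archived))
}
```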

Why is Proofpoint’s “pull” model better than other providers that trap SMTP traffic?

Some outsourced vendors trap messages in the middle of the Internet mail flow. In this setup, your company’s Internet domain (for email purposes, known as an MX record in a DNS server) is reconfigured to point to the archive provider, and not to your company directly. As such, all incoming mail goes to the archiving company first, who then forwards it to your company’s real mail server. For outbound mail, you configure your mail servers to send mail to the archive provider, who then forwards it to the actual recipient. This approach doesn’t allow you to archive messages sent between internal parties. In addition, because messages are captured in SMTP form, they lose much of the richness of the original message. For example, depending upon the configuration of Exchange, you may not see all of the recipients, as internal BCC information may be lost. Similarly, messages sent to distribution lists may not contain the full list of actual recipients.

Why is Proofpoint’s “pull” model better than other providers that require remote journaling?

Some outsourced vendors will ask you to configure Microsoft Exchange journaling such that copies of messages are sent to a public Internet email address at the service provider. This approach is dangerous because Exchange has no way to deal with messages that can’t be sent due to Internet communication problems or DNS issues. As a result, messages can get lost. Even more troublesome is that neither you nor the service provider will know what has been lost. This approach also suffers from the same problems with converting messages to SMTP described above.

How does the Proofpoint email archiving process impact my Exchange Server load?

According to Microsoft, enabling journaling adds about 15% to the load on the Exchange server. Retrieving the messages from the journal is similar to having an additional user accessing their own mailbox, albeit a highly active user. All told, you can expect to see a 20% increase in load on your Exchange server with Proofpoint in place (as compared to a system without journaling enabled).

With all of the mail archived, however, you may find it easier to enforce tighter restrictions on how much mail or how long mail can be stored within users’ mailboxes. As Exchange performance is highly related to the size of the message stores, the performance gains from tighter restrictions may exceed the load created from the journaling/archiving process.


Does the Proofpoint email archiving process impact my bandwidth requirements?

Depending on how much email is generated within your organization, there may be a slight increase in your outbound corporate traffic. However, the Proofpoint Archiving Appliance compresses content and provides you with the capability to control when email is sent to the Proofpoint Network to minimize any impact.

Can Proofpoint archive messages for some, but not all users?

Yes. In Exchange, journaling is configured on a per-storage group basis. As such, you can enable journaling for one storage group and not another. The Proofpoint Archiving Appliance inspects the mailbox that you define to retrieve messages for archiving. To archive messages for a subset of users, you can configure Exchange to journal to a different mailbox than the one monitored by the Proofpoint Archiving Appliance. Exchange server rules can be configured to selectively move messages from one mailbox to the other for archiving.

In Exchange 2007, the process has been made even easier, with rules that allow you to specify which mailboxes are journaled.

How does Proofpoint support multiple Exchange

servers?

Yes. While each appliance can process mail from multiple

journaling mailboxes (each of which can reside on a

separate Exchange server), larger organizations may need

multiple appliances to support the volume of messages.

As each of these appliances will be configured with the

same customer ID and encryption key, they can feed data

into the same archive for unified search and discovery

capabilities.

Does Proofpoint store distribution lists or the actual

recipients?

When the Proofpoint Archiving Appliance retrieves a

message from Exchange, it records who the message was

addressed to. In the case of messages sent to distribution

lists, the Proofpoint Archiving Appliance communicates

with Active Directory to determine the actual recipients that

received the message. Both the original address list

(referencing the distribution list) and the “resolved” list of

actual recipients is archived. For legal discovery

purposes, you can search for these messages based upon

the distribution list or any of the resolved recipients.


ARCHIVING TECH BRIEF: INSTANT MESSAGE ARCHIVING

How does Proofpoint archive Instant Messages (IM)?

Proofpoint supports the capture and archiving of instant messages directly from Microsoft Office Communications Server (OCS) or through the use of third-party instant message proxy software that you install in-house.

How does Proofpoint work with OCS?

OCS offers the ability to log instant message conversations to a SQL Server database. Proofpoint OCS Archiving (an optional module) retrieves conversation information from this database, resolves SIP (IM) addresses back to Active Directory users and creates an email message which it posts to the journaling mailbox. This message is subsequently archived and full-text indexed in the same way as any other email message.

How does Proofpoint work with IM Proxy Solutions?

Instant message proxy server software captures instant message conversations and converts them into SMTP messages that are then sent to your Exchange server to be subsequently archived and full-text indexed in the same way as any other email message.

What IM Proxy software does Proofpoint support?

Proofpoint supports instant message logging software from Symantec (IMLogic), Akonix and FaceTime Communications.

Does Proofpoint provide its own IM proxy software?

No. Proofpoint does not develop instant message proxy software.

How is instant messaging tied to Active Directory?

Proofpoint OCS Archiving uses the Active Directory entries created during OCS installation to resolve SIP addresses back to Active Directory users.

Instant message proxy software products provide various mechanisms to tie instant message nicknames/aliases back to Active Directory users. Generally these systems will block instant messaging traffic from nicknames that have not been registered by the user.

As a result of this mapping, when the messages are logged for archiving, all of the parties to the conversation will be resolved to the Active Directory users, and listed on the “TO” line within the logging email.

Can I search for archived instant messages?

Yes. Messages generated by Proofpoint OCS Archiving or instant messaging proxy solutions have a fixed subject line prefix and other easily identifiable tags. You can configure an InfoTag to make it easy to search for these instant messages. All other search capability, including full-text indexing of the communication and searching for parties involved in the conversation, is fully supported.

Can specific policies be configured for IM conversations?

Yes. The same approach that allows messages to be searched applies to the configuration of policies. If you want a policy that is specific to instant messages, configure a rule that checks whether the instant message InfoTag has been set.
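The IM path described above (a logged OCS conversation becomes a journaling email with all parties on the TO line and a fixed subject prefix, which a search or policy rule then tags) as an added, self-contained example; this is not Proofpoint's code, and the conversation record, SIP-to-user mapping, subject prefix and InfoTag name are constructed assumptions.

```python
"""Added example (not Proofpoint's code): an OCS-logged IM conversation
turned into an email for the journaling mailbox, plus the tagging rule that
lets search and policy pick such messages out by their fixed subject prefix.
The conversation, SIP directory, prefix and tag name are all constructed.
"""
from email.message import EmailMessage
from typing import Dict, List, Optional

SUBJECT_PREFIX = "[IM Conversation]"   # assumed fixed subject-line prefix
IM_INFOTAG = "InstantMessage"          # assumed InfoTag name

# Constructed stand-in for the Active Directory entries created by OCS setup.
SIP_DIRECTORY: Dict[str, str] = {
    "sip:alice@example.com": "alice@example.com",
    "sip:bob@example.com": "bob@example.com",
}

# Constructed stand-in for one conversation read from the OCS archive database.
CONVERSATION = {
    "id": "conv-0001",
    "messages": [
        ("2009-03-02T14:05:10Z", "sip:alice@example.com", "Can you send the Q1 report?"),
        ("2009-03-02T14:05:42Z", "sip:bob@example.com", "Sure, sending now."),
    ],
}


def resolve_sip(sip: str) -> Optional[str]:
    """Map a SIP address to the AD user's mailbox; None when unresolved."""
    return SIP_DIRECTORY.get(sip.lower())


def conversation_to_email(conv: dict) -> EmailMessage:
    """Build the journaling email: every party on the To: line, the fixed
    subject prefix, and the transcript as the body."""
    parties: List[str] = []
    transcript: List[str] = []
    for stamp, sender, text in conv["messages"]:
        user = resolve_sip(sender) or sender   # keep the raw SIP if unresolved
        if user not in parties:
            parties.append(user)
        transcript.append(f"{stamp} {user}: {text}")
    msg = EmailMessage()
    msg["Subject"] = f"{SUBJECT_PREFIX} {conv['id']}"
    msg["From"] = parties[0]                   # first speaker (assumption)
    msg["To"] = ", ".join(parties)
    msg["X-Conversation-Id"] = conv["id"]      # assumed header name
    msg.set_content("\n".join(transcript))
    return msg


def infotags(msg: EmailMessage) -> List[str]:
    """Search/policy rule from the text: tag messages whose subject carries
    the IM prefix so they can be searched for or handled by an IM policy."""
    subject = str(msg.get("Subject", ""))
    return [IM_INFOTAG] if subject.startswith(SUBJECT_PREFIX) else []


if __name__ == "__main__":
    journal_msg = conversation_to_email(CONVERSATION)
    print(journal_msg)
    print("tags:", infotags(journal_msg))
```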


ARCHIVING TECH BRIEF: MANAGED INFRASTRUCTURE

All customer data is hosted on the state-of-the-art Proofpoint Network, a highly secure, reliable and scalable infrastructure based on a distributed network and grid storage architecture.

Is my data separate from other customer’s data?

Proofpoint hosts data in isolated units called stores. Each store contains data for a single customer that is encrypted with unique customer keys. Stores are signed with unique customer identifiers. These stores are accessed through redundant directory services that are able to locate your data across the entire storage infrastructure.

All data maintained within the Proofpoint Network remains in encrypted form, and can only be decrypted using unique keys maintained by the Proofpoint Archiving Appliance. The isolation of customer data in individual stores, combined with customer-specific encryption, ensures that your data is never compromised.

How do you ensure that my data is secure?

The Proofpoint Network is designed to provide complete protection for your messages through multiple levels of physical and network security.

Our servers are located in geographically diverse data centers engineered for maximum security through such measures as:

- around-the-clock onsite security guards;
- 24 x 7 video surveillance that blankets the entire facility, monitoring and archiving all visitor movement;
- multiple layers of security access into individually-locked colocation areas via electronically-controlled pass cards with escorted access and/or biometric identification, logging all access and ensuring only authorized personnel can enter the data center.

The network infrastructure is further protected by multiple layers of industry-standard security technology to guard against unauthorized access and sudden attacks.

Access to the Proofpoint Network is restricted to authorized Proofpoint operations personnel who must supply proper identification codes and passwords to enter the data center and/or login to the archive servers. In addition, with Proofpoint’s DoubleBlind Encryption™, all archived data is stored in encrypted form, so no Proofpoint personnel can see the confidential information contained in your messages.

How much redundancy is there in the infrastructure?

The Proofpoint Network is designed to ensure you have access to your data on demand. The data centers we employ are engineered for high availability and reliability, including:

- N+1 redundancy for all environmental controls including redundant HVAC systems and dry coolers, as well as highly sensitive leak detection systems;
- advanced fire detection and suppression systems;
- dual, high-voltage feeds from the public hydro system, with each feed capable of powering the entire data centre at full load on its own;
- redundant UPS systems, diesel generators and power distribution units to ensure uninterrupted power, backed by 100% power availability guarantee;
- redundant connectivity to major Internet backbones to ensure network availability 100% of the time.

The Proofpoint network architecture has been designed to reduce single points of failure by employing redundant and/or clustered hardware configurations within each data centre. In addition, the solution was designed to allow horizontal scalability of the entire server infrastructure. Multiple copies of your encrypted data are also maintained on spinning disks at multiple data centers.

How is the Proofpoint Network monitored?

Proofpoint leverages the data center’s Network Operations Center (NOC) for 7x24 monitoring of the physical and network infrastructure, including network connectivity, HVAC, fire control, power and security. All systems, including firewalls and servers, are monitored 24 hours a day, seven days a week with onsite sparing to ensure rapid replacement and minimize downtime in the event of a hardware failure.

For application monitoring, we use proprietary tools that tie into our open-source monitoring infrastructure via SNMP and port-based monitoring. This service checks the application on a regular basis to verify and alert our technical support team of failure. These tools also provide us with information that can be used for trend analysis and capacity planning.

The Proofpoint Archiving Appliance includes services that submit requests to the Proofpoint back-end to determine whether the archive and the customer’s data are accessible. The history of these requests is logged on the back-end and monitored by Proofpoint on your behalf.


What is your disaster recovery plan?

Each customer’s archived data is encrypted by the Proofpoint Archiving Appliance and sent to a primary data center. A copy of the encrypted data is also sent to the secondary data center.

In the event that the primary data center that your Proofpoint Archiving Appliance points to is completely shut down, we can re-point the Proofpoint Archiving Appliance to the secondary data center. Once re-pointed, the secondary data center will process search requests throughout your archived data. Any new email received by the corporate Exchange server will continue to be added to the journaling mailbox for processing by the Proofpoint Archiving Appliance upon the resumption of normal operations.

What are your change management, upgrade and patch management policies?

Proofpoint follows a well-defined change management process for all changes to our internal and production environments.

All proposed changes to the application or the underlying infrastructure, including roll-back procedures, are first tested in our separate Quality Assurance environment. The results are then reviewed by members of the Development, Quality Assurance, Product Management and Operations groups prior to deployment in the production environment.

Changes made to the production environment are implemented during maintenance windows and are fully tested prior to release to our customers. In addition, all changes are documented and tracked to ensure accountability and repeatability.

All operations processes are fully documented and audited in accordance with our SAS70 Type II certification.

Does the Proofpoint system scale?

The Proofpoint Network has been designed to scale in parallel with your growing storage requirements. Our storage infrastructure is capable of scaling to multi-petabytes of storage. The Proofpoint application has also been designed to leverage its large-scale distributed environment to search through petabytes of data in near real-time.


ARCHIVING TECH BRIEF: OUTLOOK AND OWA INTEGRATION

Can I search the Proofpoint Archive within Microsoft Outlook and Outlook Web Access?

Yes. Proofpoint can automatically create a special folder within Outlook and Outlook Web Access (OWA) that allows users to search through the archive of their own mail. When a user clicks on the folder, the Proofpoint search screen appears in their main Outlook/OWA window, allowing them to perform searches of all their archived mail. This search functionality is similar to Outlook’s “find” feature, except that all content, including attachments, is fully searched and the response time is nearly real-time, regardless of the size of the user’s mailbox.

Can I do other activities such as legal discovery or supervision within Outlook?

Proofpoint’s integration within Outlook and OWA is designed to allow end-users to search their own mailbox and easily access a full history of their email communications.

Certain features, such as legal discovery searches, accumulation of messages into folders for exporting and the ability to review messages from the Proofpoint Supervision queue, are not supported. These functions must be performed within the full Proofpoint ARCHIVE web user interface.

Can I copy messages from the archive to another folder within Outlook?

While you cannot directly copy messages from the archive to another folder within Outlook, you can select one or more messages and retrieve them. This process will send a copy of the message from the archive to your inbox. You can then move the retrieved messages to the appropriate folder, as desired.

Can I access the archive when I am out of the office?

To support external access, Proofpoint provides an Archive Proxy that can be installed on your Outlook Web Access servers. This proxy allows end users to access the archive without the need to expose the appliance directly on the Internet. The Archive Proxy also facilitates integrated search and seamless stubbed attachment retrieval within Outlook Web Access.

Do I have to install software or an Outlook add-in? How is the integration deployed?

No. Proofpoint’s unique approach to Outlook integration takes advantage of Outlook features that allow folders to display specially created web pages within the Outlook window. As a result, no software needs to be deployed.

To create the Proofpoint Archive folder within Outlook and OWA on behalf of users, Proofpoint provides a utility that an Exchange administrator can run. This utility can also be scheduled to automatically create/update the folder reference when new mailboxes are created or permission to search the archive is added.

What versions of Outlook are supported?

Proofpoint’s Outlook integration is supported in Outlook 2003 and 2007.

Is there an additional fee for this functionality?

Any user that can access their archived email from the Proofpoint web-based user interface can take advantage of the Outlook integration at no extra charge.


ARCHIVING TECH BRIEF: ARCHIVING PROXY

What is the archiving proxy?

Proofpoint recommends that the Archiving Appliance not be exposed to the Internet. While the appliance is hardened, as the primary keeper of the encryption key used to secure your archive data, putting it within your DMZ creates unnecessary risk. To support external users that need to access the archive, Proofpoint provides an Archive Proxy, which is an extension for IIS (an ISAPI filter) that is installed on your OWA front-end servers. The archive proxy accepts specific requests from the Internet and relays them to an appliance. By installing the archive proxy on your OWA server, you can leverage its existing public DNS and digital certificate.

How do users access the archive via the proxy?

The archive proxy exposes a new “virtual directory” on IIS that end-users can use to access the archive directly using a web-browser. For example, if users normally access OWA at: https://mail.acme.com/exchange, they would access the archive at: https://mail.acme.com/archive.

More commonly, however, users access the Proofpoint ARCHIVE search user interface by clicking on the “Archive by Proofpoint” folder within Outlook or OWA. When this folder is set up, it can be configured to point to the proxy, rather than an appliance directly, so that it works for users when they are out of the office.

What versions of Exchange are supported?

Proofpoint provides a 32-bit version of the archiving proxy for Exchange 2003 and a 64-bit proxy for Exchange 2007.

Can I load balance user interface appliances?

The archive proxy can be configured to point to multiple archiving appliances. In this case, each request is routed to an appliance at random, allowing for effective load-balancing across appliances.

Are all requests load balanced?

Most of the Proofpoint ARCHIVE user interface is stateless and can be easily run in a fully load-balanced way. To improve the performance of supervision review, which involves review of a succession of messages in a queue, the archiving appliance pre-fetches messages into a cache. For this reason, supervision requires a user to be locked to a specific appliance for a given session. The archive proxy takes care of this automatically. When the cache is populated on a given appliance, a session cookie is set in the user’s browser to indicate which appliance subsequent requests must be served by. The archive proxy honors this setting for this type of user session.

Does the archiving proxy provide fault tolerance?

Yes, when multiple appliances are configured for use by the proxy, it detects failed attempts to connect to an appliance and will resubmit the request to another appliance. The appliance that didn’t respond is also “blacklisted” for a time period, so that subsequent requests are handled by a working appliance.
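The three routing behaviours just described (random distribution across appliances, a session cookie that pins supervision sessions to one appliance, and retry plus temporary blacklisting of an appliance that does not respond) as an added stand-alone simulation; this is not the Archive Proxy's code, and the appliance names, cookie name and blacklist period are assumptions.

```python
"""Added example (not Proofpoint's code): the Archive Proxy routing rules
from the tech brief, modelled as a small router so the interplay of random
load balancing, sticky supervision sessions and blacklisting can be run.
Cookie name, blacklist period and appliance names are assumptions.
"""
import random
import time
from typing import Callable, Dict, List

AFFINITY_COOKIE = "pp_appliance"   # assumed name of the session cookie
BLACKLIST_SECONDS = 60.0           # assumed blacklist period for a dead appliance


class ApplianceUnavailable(Exception):
    """No configured appliance answered the request."""


class ArchiveProxyRouter:
    def __init__(self, appliances: List[str], rng=random, clock=time.monotonic):
        self.appliances = list(appliances)
        self.blacklist: Dict[str, float] = {}   # appliance -> time it may be retried
        self.rng = rng                           # injectable for deterministic tests
        self.clock = clock

    def healthy(self) -> List[str]:
        """Appliances whose blacklist period (if any) has expired."""
        now = self.clock()
        return [a for a in self.appliances if self.blacklist.get(a, 0.0) <= now]

    def pick(self, cookies: Dict[str, str]) -> str:
        """Honour the affinity cookie when its appliance is healthy (supervision
        sessions must stay on the appliance holding their cache); otherwise
        pick a healthy appliance at random, as for stateless UI requests."""
        healthy = self.healthy()
        if not healthy:
            raise ApplianceUnavailable("all appliances are blacklisted")
        pinned = cookies.get(AFFINITY_COOKIE)
        if pinned in healthy:
            return pinned
        return self.rng.choice(healthy)

    def relay(self, cookies: Dict[str, str], send: Callable[[str], bool]) -> str:
        """Relay one request. `send(appliance)` returns True on success, False
        when the appliance did not respond; a failed appliance is blacklisted
        and the request is resubmitted to another. Returns the serving appliance."""
        while True:
            target = self.pick(cookies)          # raises when nothing is left
            if send(target):
                return target
            self.blacklist[target] = self.clock() + BLACKLIST_SECONDS


def demo() -> dict:
    """Deterministic walk-through: 'app1' is down, 'app2' is up."""
    clock = [0.0]

    class FirstChoice:                           # stand-in for random: always first
        @staticmethod
        def choice(seq):
            return seq[0]

    router = ArchiveProxyRouter(["app1", "app2"], rng=FirstChoice(), clock=lambda: clock[0])
    up = {"app2"}
    served_by = router.relay({}, lambda a: a in up)        # app1 fails, app2 serves
    healthy_now = router.healthy()                          # app1 is blacklisted
    sticky = router.relay({AFFINITY_COOKIE: "app2"}, lambda a: a in up)
    clock[0] += BLACKLIST_SECONDS + 1                       # blacklist expires
    return {"served_by": served_by, "healthy_now": healthy_now,
            "sticky": sticky, "healthy_later": router.healthy()}
```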

My OWA servers reside behind a load balancer, will this work with the archive proxy?

For most tasks, yes. If your OWA environment has multiple front-end servers behind a load-balancer, you must install the proxy on each of them. This scenario may not work properly for supervisory review. Contact Proofpoint Professional Services for more information.

What role does the archive proxy play in Proofpoint ARCHIVE OWA integration?

In addition to relaying user interface requests to the archiving appliance, the archiving proxy also supports integration with Outlook Web Access. As each request is submitted to OWA, the archive proxy inspects the URL looking for requests for messages that have been stubbed or display of the “Archive by Proofpoint” folder. When it sees these requests, it intercepts them and, in conjunction with the archiving appliance, updates the responses appropriately. This integration, including the inspection of requests, can be disabled, if desired.

Is there a way to force users to connect to the archive through a secure connection (https)?

If Internet Information Server (IIS) on the OWA server is configured to reject HTTP requests, the archive proxy will not receive unsecured requests. As a result, users must enter “https:” at the beginning of the URL to connect to the archive, just as they do for OWA access. While unsecured access to OWA or the archive is never recommended, to overcome confusion caused when users get error pages, some organizations leave HTTP access open on IIS, then install a redirect page to force users to a secure location. To achieve similar functionality, the archive proxy can be configured to perform a similar redirect for archive access.

Is there a way to monitor the status of the archiving proxy?

Yes. The proxy exposes a status page that shows the number of requests processed and provides links to test access to each appliance.