ARCHIVING TECH BRIEF: ACTIVE DIRECTORY INTEGRATION
-
Upload
khangminh22 -
Category
Documents
-
view
4 -
download
0
Transcript of ARCHIVING TECH BRIEF: ACTIVE DIRECTORY INTEGRATION
PROOFPOINT.COM : 1 866 366 3668
ARCHIVING TECH BRIEF: ACTIVE DIRECTORY INTEGRATION How does the Proofpoint Archiving Appliance
integrate with Active Directory?
The Proofpoint Archiving Appliance (see Tech Brief on the
Proofpoint Archiving Appliance) uses a Windows account
(that you provide) to login and retrieve user and group
membership information. This information is used to
authenticate user names and passwords for the user
interface. It is also used to resolve the email addresses
contained in messages back to the actual Active Directory
user accounts. With this information, Proofpoint ARCHIVE
can effectively allow access by individual users to their
mail without having to maintain separate user accounts or
email address/user account relationships.
Are schema changes required in Active Directory?
No. To support permissions, Proofpoint looks for standard
Active Directory groups with predefined names, such as
“Proofpoint Archive Search Users”. Users are granted
access to various features simply by adding them (or a
group that they belong to) to one of these groups.
Does Proofpoint require separate user account
management for access to the archive?
No. Users log into the Proofpoint web-based interface with
their standard Active Directory user name and password.
Most permissions are controlled by adding a user to one of
the eleven named Active Directory groups (See Tech Brief
on User Access and Permissions). Some additional
permissions, such as granting access to search through
additional mailboxes, can be configured within the
Proofpoint user interface.
Does Proofpoint automatically archive new mailboxes
as they are created?
Yes. When the Proofpoint retrieves a message from
Exchange, it connects to Active Directory to resolve email
addresses back the to the actual Active Directory user
accounts. As a result, you never have to pre-configure
Proofpoint to archive new mailboxes or email addresses.
How does Proofpoint handle messages sent to
distribution lists?
When the Proofpoint Archiving Appliance retrieves a
message from Exchange, it records who the message was
addressed to. For messages sent to distribution lists, the
system queries Active Directory to determine the actual
recipients that received the message. Both the original
address list (referencing the distribution list) and the
“resolved” list of actual recipients are archived. For legal
discovery purposes, you can search for these messages
based upon the distribution list or any of the recipients.
How are policies and searches tied to users?
Both the policy engine and search capabilities are
designed around Active Directory users, rather than email
addresses. Searching for Active Directory users ensure
that you get all of the results for internal people – without
having to worry about which of the user’s SMTP aliases
the message as sent by or to. You can also search for
internal or external parties based upon SMTP email
address, domain or display name criteria.
How does Proofpoint deal with users that are no
longer in Active Directory?
On a nightly basis, the system gathers a list of all users
that have a mailbox and records key information within the
archive. As part of this process, the system determines
which users are no longer in Active Directory, by
comparing the current list with addresses previously
synchronized. Throughout the user interface, whenever
prompted to enter an Active Directory user, the system will
provide suggestions both from Active Directory as well as
the deleted users recorded within the archive. This allows
you to easily search for former employee’s mail, as well as
provide current employees with access to it.
What types of user groups are supported?
Proofpoint supports three types of user groups for policy
definition and searching: Roles, Departments and
Partners. Roles represent groups of internal people that
share the same job function. Departments are groups of
internal people that belong to the same division. Roles
and Departments can contain lists of Active Directory
users or references to one or more Active Directory
groups. Partners are groups of external parties such as
Auditors, Customers or Resellers. Partners can be defined
as a list of SMTP email addresses or domains.
Does Proofpoint automatically synchronize Active
Directory groups?
Yes. An automated process that runs on the Proofpoint
Archiving Appliance synchronizes any Active Directory
group that is referenced in a Role or Department. As a
result, you don’t have to maintain two different sets of user
groups.
Do I have to define user groups within Active
Directory?
No. While you can leverage Active Directory groups that
are relevant for policy definition and search purposes,
Proofpoint ARCHIVE also allows you to independently
define Roles or Departments within the Proofpoint user
interface.
PROOFPOINT.COM : 1 866 366 3668
ARCHIVING TECH BRIEF: ARCHIVING APPLIANCE Proofpoint ARCHIVE is the only on-demand email
archiving solution that combines the control and privacy of
an in-house solution with the benefits of an outsourced
solution. Using our DoubleBlind Encryption™ technology,
your data resides in encrypted format on the Proofpoint
Network. As part of the Proofpoint solution, you also
deploy the Proofpoint Archiving Appliance within your
corporate network behind your firewall.
What is the Proofpoint Archiving Appliance and what
does it do?
The Proofpoint Archiving Appliance is a sealed fixed-
purpose server (in standard 1U rack mount form) that is
installed within your corporate network to provide the tight
integration and security typically only afforded to internal
systems. At the same time, the vast majority of search
processing and all of the storage is maintained on the
Proofpoint Network, reducing overhead and maintenance
headaches.
The Proofpoint Archiving Appliance provides integration
with Microsoft Exchange to ensure reliable, native format
message archiving. Its integration with Active Directory
facilitates unified login and access control management.
The Proofpoint web-based user interface (where
authorized users perform searches) is provided on the
Proofpoint Archiving Appliance for fast, local response
times. Finally, as the Proofpoint Archiving Appliance is the
only holder of your encryption keys used with the
Proofpoint DoubleBlind Encryption (see Tech Brief on
DoubleBlind Encryption), any processing that involves
encryption or decryption happens on the Proofpoint
Archiving Appliance.
How does the Proofpoint Archiving Appliance
integrate with Exchange?
Microsoft Exchange features a capability called journaling.
When enabled, a pointer to any message that is sent or
received though Exchange is added to the journaling
mailbox. At configurable time intervals, the Proofpoint
Archiving Appliance uses MAPI calls (and a user account
that you provide) to login to Exchange and access the
journaling mailbox, in exactly the same way that Outlook
accesses a user’s mailbox. If there are messages in the
journaling mailbox, the Proofpoint Archiving Appliance
divides them into batches, creates a subfolder for each
batch of messages and moves the message references
into the folders.
The batches are then processed by the Proofpoint
Archiving Appliance with DoubleBlind Encryption applied
and submitted to the Proofpoint Network for archival.
Periodically the Proofpoint Archiving Appliance requests
confirmation from the Proofpoint Network that the batch
has been fully processed. Upon confirmation, the batch
folder is removed from the journaling mailbox.
How does the Proofpoint Archiving Appliance
integrate with Active Directory?
The Proofpoint Archiving Appliance uses a Windows
account (that you provide) to login and retrieve user and
group membership information. This information is used to
authenticate user names and passwords for the user
interface. It is also used to resolve email addresses and
distribution lists back to the actual Active Directory user
accounts. With this information, the Proofpoint Network
can effectively allow access by individual users to their
mail without having to maintain separate user accounts or
email address/user account relationships.
How is information sent to the Proofpoint Network?
All data is processed on the Proofpoint Archiving
Appliance, and fully encrypted before it is transmitted to
the Proofpoint Network. This data is further secured in
transit over a secure HTTP connection, using 128-bit SSL
encryption. The encryption of the content and the transfer
protocol allow for data to flow over the public Internet. For
added security, you may configure router/firewall rules to
constrain which IP addresses the Proofpoint Archiving
Appliance can talk to.
How does the Proofpoint Archiving Appliance scale?
The Proofpoint Archiving Appliance is designed to
horizontally scale to meet the largest of enterprise needs.
In most environments, a single Proofpoint Archiving
Appliance easily services the archiving and search
requirements of all of the mailboxes on an Exchange
server. Adding additional appliances will increase
capacity, with multiple appliances pointing to the same
email archive for unified search and discovery across the
enterprise. An up-front assessment based on the number
of users and simultaneous access user requirements will
determine each customer’s set-up.
PROOFPOINT.COM : 1 866 366 3668
What impact does the Proofpoint Archiving Appliance
have on the corporate network traffic?
Depending on how much email is generated within your
organization, there may be a slight increase in your
outbound corporate traffic. However, the Proofpoint
Archiving Appliance applies compression and provides you
with the capability to control when email is sent to the
Proofpoint Network.
What impact does the Proofpoint Archiving Appliance
have on Exchange Server load?
According to Microsoft, enabling journaling adds about
15% to the load on the Exchange server. Retrieving the
messages from the journal is similar to having an
additional user accessing their own mailbox, albeit a highly
active user. All told, you can expect to see a 20% increase
in load on your Exchange server with Proofpoint in place
(as compared to a system without journaling enabled).
With all of the mail archived, however, you may find it
easier to enforce tighter restrictions on how much mail or
how long mail can be stored within users’ mailboxes. As
Exchange performance is highly related to the size of the
message stores, the performance gains from tighter
restriction may exceed the load created from the
journaling/archiving process.
What happens if the Proofpoint Archiving Appliance
fails?
The only data that resides on the Proofpoint Archiving
Appliance is your set of encryption keys. While we
encourage you to back up the keys internally, Proofpoint
also partners with an escrow service to maintain a copy of
them on your behalf.
In the event of a Proofpoint Archiving Appliance failure,
Proofpoint will ship you a replacement unit within 36 hours.
When it arrives, you simply replace the defective unit and
enter the encryption keys. Because the data is never
removed from the batch folders within the journaling
mailbox until the Proofpoint Network confirms that the
batch has been fully archived, even messages that were
in-transit at the point of failure are safe. Any new items
added to the journaling mailbox while the Proofpoint
Archiving Appliance is out of commission simply stay
within Exchange until the new unit is operational.
How secure is the Proofpoint Archiving Appliance?
The Proofpoint Archiving Appliance runs Microsoft
Windows Server 2003 which is one of the most secure
versions of Windows available. Security experts have
designed the server hardening practices we perform on the
Appliance. Services that are unnecessary for the
Appliance to function are disabled. Proofpoint also
employs TCP/IP filtering to block access to all ports the
Appliance does not need. There is only one logon for the
Appliance and NTFS permissions secure application files
and folders.
How is the Proofpoint Archiving Appliance updated?
The appliance is configured to accept critical Windows
Updates automatically. Proofpoint can also push updates
to the appliance as necessary.
How is the Proofpoint Archiving Appliance monitored
and maintained?
Proofpoint personnel monitor the Appliance’s reporting
patterns and use that information to diagnose issues and
remedy problems.
ENTERPRISE ARCHIVE BRIEF: DISCOVERY SEGMENTATION
What is Discovery Segmentation?
In large organizations, legal discovery activities are often
the responsibility of individual business units, agencies or
division. Many have shared email infrastructure and
archive across the organization. Each legal team,
however, should only be able to access the data related to
the divisions for whose legal matters they are responsible.
Proofpoint’s Discovery Segmentation feature will allow
customers to logically segregate archived data based on a
division value. Designated users can then manage both
search and legal hold tasks against data belonging to that
division.
Why is Discovery Segmentation Important?
Discovery Segmentation can be valuable to legal team
members in order to ensure that only relevant business
unit data is searched in responding to discovery
requirements.
However, in industries such as professional services or
legal, the requirements to maintain separation between
distinct business units can be rigorous. For example,
professional services firms may be engaged in both
advisory and audit units, where the ability to maintain walls
between units is necessary to protect the privacy of
sensitive client information.
Additionally, multi-national organizations may find
Discovery Segmentation is an important feature to ensure
that distinct geographic entities are managed in
accordance with their respective regulations and data
privacy laws.
How is data assigned to the appropriate segment?
Discovery Segmentation is achieved by identifying internal
email participants during the archiving process and tagging
the email with the divisions to which they belong. The
tagging values will be preserved with the message in a
separate logical repository within the archive.
As an example, a Discovery user (who belongs to the
Proofpoint Archive Discovery Users group) will be limited
to searching archived email that belongs to any of the
divisions to which they have been granted access. Also,
that discovery user will be limited to configuring legal holds
to include data that is within their divisions.
What archiving functions can be segmented for
Discovery?
Search and legal hold creation can be confined to the data
tagged to specific divisions. The following features are
used to take advantage of the new Discovery
Segmentation functionality:
Create custom division properties
Configure a user to search one or
• Search the archive by multiple divisions
• Create legal holds associated with multiple
divisions
Who can search within a specific division?
Three search roles are defined within the archive:
• Search user: with ability to search across a
defined set of mailboxes;
• Discovery user: with ability to search across all
archived mailboxes to which it has been granted
access;
• Discovery admin: with ability to search across all
archived mailboxes
Support for Discovery Segmentation expands the access
granularity offered to Discovery users by limiting search to
only messages that belong to any of the divisions that they
have been granted access to. Search rights for general
search users and Discovery admins remains unchanged.
Delegated Administration is an optional extension to
Discovery Segmentation. It allows you to delegate mailbox
administration to local IT staff, ensuring that only local
administrators can grant other users search access to local
mailboxes. Implementing Delegated Administration involves
defining one user management security group for each
division as well as assigning at least one user to an “all
users” security group for managing those users who are not
associated with a division. When determining how to handle
Delegated Administration, keep in mind that security groups
do not operate hierarchically. As a result, a user manager
for a division needs to be part of both the Proofpoint User
Managers security group (to be able to able to give
privileges to users) and the Proofpoint <divison_name>
User Managers group for their division.
Who can create and manage legal holds within a
specific segment?
Discovery Users can create legal holds on data in any of
the divisions that they have access to.
Discovery Administrators can create legal holds against
the entire archive, or any set of divisions.
Once a legal hold has been created, permissions to search
within that legal hold can be assigned to any individual that
has search rights (members of search users, discovery
users or discovery administrators). No divisional
restrictions are imposed when searching within a legal hold
to support the scenario where a paralegal is assigned
responsibility for producing a complete data set for a given
matter.
Will saved searches retain divisional properties?
Yes, saved searches will retain the divisional properties
that were originally applied.
multiple divisions
PROOFPOINT.COM : 1 866 366 3668
ARCHIVING TECH BRIEF: DOUBLEBLIND ENCRYPTION™ Proofpoint developed our unique DoubleBlind Encryption
system to ensure absolute security and privacy of your
critical business information.
What is DoubleBlind Encryption?
DoubleBlind Encryption is a patented technology that
allows you to retain exclusive access to your data while
outsourcing the archiving of your email. With this
technology, Proofpoint guarantees security and privacy
while still providing full search and discovery capabilities.
How does DoubleBlind Encryption work?
With DoubleBlind Encryption, Proofpoint maintains the
data, but does not have the encryption keys. Your
Proofpoint Archiving Appliance has the encryption keys,
but does not maintain the data (see Tech Brief on the
Proofpoint Archiving Appliance). The Proofpoint Archiving
Appliance, which maintains your encryption keys, acts to
encrypt information before it is sent to the Proofpoint
Network. The data remains in encrypted form on the
network since Proofpoint does not have the decryption
keys.
What makes DoubleBlind Encryption unique is the ability to
maintain the data in encrypted form, while still providing
fully searchable access to it. The separation of the data
and the keys means that information is only accessible
when the two components come together. Proofpoint can
not see your data as we don’t have the keys. Someone
that has access to the keys can not see the data unless
they have access to the Proofpoint Network. Messages
are only decrypted when an authorized user conducts
search and discovery using the web-based user interface
on the Proofpoint Archiving Appliance.
How are the encryption keys generated?
The encryption keys are generated by your Proofpoint
Archiving Appliance during the set-up process at time of
installation within your corporate network.
What type of encryption is used?
While the exact process of DoubleBlind Encryption is
proprietary, the core encryption system uses a
combination of both 1024-bit asymmetric RSA and 192-bit
symmetric TripleDES encryption.
Are the search indexes encrypted?
Yes. All data is encrypted on the Proofpoint Archiving
Appliance before it is transmitted. In this way, you can be
assured that no one other than you – not even Proofpoint
employees – can see the confidential information
contained in your messages.
What happens if someone steals the Proofpoint
Archiving Appliance?
The Proofpoint Network is configured to only accept
requests from specific IP addresses. As part of the setup
process, you provide Proofpoint with the IP address that is
used when requests from your network present
themselves. Typically this is the IP address of your
firewall. If someone was to attempt to connect to the
Proofpoint Network using your Proofpoint Archiving
Appliance outside of your network, the Proofpoint Network
would reject the request.
What if someone breaks into the Proofpoint Network?
While the Proofpoint Network is designed with the highest
level of security, in the unlikely event of a breach, no data
would be compromised as it is all maintained in encrypted
form, with the encryption keys only stored at your location.
Furthermore, redundant storage across multiple data
centers and integral continuous data validation ensures
that any block of data that has been tampered with will be
automatically identified and restored to its true state.
PROOFPOINT.COM : 1 866 366 3668
ARCHIVING TECH BRIEF: EMAIL ARCHIVING PROCESS Proofpoint’s on-demand email archiving solution offers
complete data privacy in an easy-to-implement, easy-to-
use application. Proofpoint ARCHIVE provides automated
capture of all your internal and external electronic
communications, allowing for real-time access to archived
data for compliance, legal discovery and end-user
productivity.
How does the Proofpoint email archiving process
work?
Microsoft Exchange features a capability called journaling.
When enabled, a copy of any message that is sent or
received though Exchange is added to the journaling
mailbox. At configurable time intervals, the Proofpoint
Archiving Appliance uses MAPI calls (and a user account
that you provide) to login to Exchange and access the
journaling mailbox, in exactly the same way that Outlook
accesses a user’s mailbox. If there are messages in the
journaling mailbox, the Proofpoint Archiving Appliance
divides them into batches, creates a subfolder for each
batch of messages and moves the message references
into the folders.
The batches are then processed by the Proofpoint
Archiving Appliance, DoubleBlind Encryption is applied,
and messages are submitted to the Proofpoint Network for
archival. Periodically the Proofpoint Archiving Appliance
requests confirmation from the Proofpoint Network that the
batch has been fully processed. Upon confirmation, the
batch folder is removed from the journaling mailbox.
Can mail be lost if the Proofpoint Archiving Appliance
or my network connection goes down?
Unlike other hosted solutions that rely on Exchange to
push messages via SMTP, the Proofpoint Archiving
Appliance pulls messages from the journaling mailbox. As
such, in the event of an issue with the Archiving Appliance,
messages simply queue in the journal mailbox until a
replacement appliance is put into place. Messages that
were submitted to Proofpoint for archiving that have not
been confirmed remain in a folder within Exchange.
Similarly, when your Internet connectivity goes down,
messages being submitted during that time can also be
reprocessed, ensuring the integrity of your archive.
Because the data is never removed from the batch folders
within the journaling mailbox until the Proofpoint Network
confirms that the batch has been fully archived, even
messages that were in-transit at the point of failure are
safe.
Why is Proofpoint’s “pull” model better than other
providers that trap SMTP traffic?
Some outsourced vendors trap messages in the middle of
the Internet mail flow. In this setup, your company’s
internet domain (for email purposes, known as an MX
record in a DNS server) is reconfigured to point to the
archive provider, and not to your company directly. As
such, all incoming mail goes to the archiving company first,
who then forwards it to your company’s real mail server.
For outbound mail, you configure your mail servers to send
mail to the archive provider, who then forwards it to the
actual recipient. This approach doesn’t allow you to
archive messages sent between internal parties. In
addition, because messages are captured in SMTP form,
they loose much of the richness of the original message.
For example, depending upon the configuration of
Exchange, you may not see all of the recipients, as internal
BCC information may be lost. Similarly messages sent to
distribution lists may not contain the full list of actual
recipients.
Why is Proofpoint’s “pull” model better than other
providers that require remote journaling?
Some outsourced vendors will ask you to configure
Microsoft Exchange journaling such that copies of
messages are sent to a public internet email address at
the service provider. This approach is dangerous because
Exchange has no way to deal with messages that can’t be
sent due to Internet communication problems or DNS
issues. As a result, messages can get lost. Even more
troublesome is that neither you nor the service provider will
know what has been lost. This approach also suffers from
the same problems with converting messages to SMTP
described above.
How does the Proofpoint email archiving process
impact my Exchange Server load?
According to Microsoft, enabling journaling adds about
15% to the load on the Exchange server. Retrieving the
messages from the journal is similar to having an
additional user accessing their own mailbox, albeit a highly
active user. All told, you can expect to see a 20% increase
in load on your Exchange server with Proofpoint in place
(as compared to a system without journaling enabled).
With all of the mail archived, however, you may find it
easier to enforce tighter restrictions on how much mail or
how long mail can be stored within users’ mailboxes. As
Exchange performance is highly related to the size of the
message stores, the performance gains from tighter
restrictions may exceed the load created from the
journaling/archiving process.
PROOFPOINT.COM : 1 866 366 3668
Does the Proofpoint email archiving process impact
my bandwidth requirements?
Depending on how much email is generated within your
organization, there may be a slight increase in your
outbound corporate traffic. However, the Proofpoint
Archiving Appliance compresses content and provides you
with the capability to control when email is sent to the
Proofpoint Network to minimize any impact.
Can Proofpoint archive messages for some, but not all
users?
Yes. In Exchange, journaling is configured on a per-
storage group basis. As such, you can enable journaling
for one storage group and not another. The Proofpoint
Archiving Appliance inspects the mailbox that you define to
retrieve messages for archiving. To archive messages for
a subset of users, you can configure Exchange to journal
to a different mailbox than the one monitored by the
Proofpoint Archiving Appliance. Exchange server rules
can be configured to selectively move messages from one
mailbox to the other for archiving.
In Exchange 2007, the process has been made even
easier, with rules that allow you to specify which mailboxes
are journaled.
How does Proofpoint support multiple Exchange
servers?
Yes. While each appliance can process mail from multiple
journaling mailboxes (each of which can reside on a
separate Exchange server), larger organizations may need
multiple appliances to support the volume of messages.
As each of these appliances will be configured with the
same customer ID and encryption key, they can feed data
into the same archive for unified search and discovery
capabilities.
Does Proofpoint store distribution lists or the actual
recipients?
When the Proofpoint Archiving Appliance retrieves a
message from Exchange, it records who the message was
addressed to. In the case of messages sent to distribution
lists, the Proofpoint Archiving Appliance communicates
with Active Directory to determine the actual recipients that
received the message. Both the original address list
(referencing the distribution list) and the “resolved” list of
actual recipients is archived. For legal discovery
purposes, you can search for these messages based upon
the distribution list or any of the resolved recipients.
PROOFPOINT.COM : 1 866 366 3668
ARCHIVING TECH BRIEF: INSTANT MESSAGE ARCHIVING
How does Proofpoint archive Instant Messages (IM)?
Proofpoint supports the capture and archiving of instant
messages directly from Microsoft Office Communications
Server (OCS) or through the use of third-party instant
message proxy software that you install in-house.
How does Proofpoint work with OCS?
OCS offers the ability to log instant message
conversations to a SQL Server database. Proofpoint OCS
Archiving (an optional module) retrieves conversation
information from this database, resolves SIP (IM)
addresses back to Active Directory users and creates an
email message which it posts to the journaling mailbox.
This message is subsequently archived and full-text
indexed in the same way as any other email message.
How does Proofpoint work with IM Proxy Solutions?
Instant message proxy server software captures instant
message conversations and converts them into SMTP
messages that are then sent to your Exchange server to
be subsequently archived and full-text indexed in the same
way as any other email message.
What IM Proxy software does Proofpoint support?
Proofpoint supports instant message logging software from
Symantec (IMLogic), Akonix and FaceTime
Communications.
Does Proofpoint provide its own IM proxy software?
No. Proofpoint does not develop instant message proxy
software.
How is instant messaging tied to Active Directory?
Proofpoint OCS Archiving uses the Active Directory entries
created during OCS installation to resolve SIP addresses
back to Active Directory users.
Instant message proxy software products provide various
mechanisms to tie instant message nicknames/aliases
back to Active Directory users. Generally these systems
will block instant messaging traffic from nicknames that
have not been registered by the user.
As a result of this mapping, when the messages are
logged for archiving, all of the parties to the conversation
will be resolved to the Active Directory users, and listed on
the “TO” line within the logging email.
Can I search for archived instant messages?
Yes. Messages generated by Proofpoint OCS Archiving or
instant messaging proxy solutions have fixed subject line
prefix and other easily identifiable tags. You can configure
an InfoTag to make it easy to search for these instant
messages. All other search capability, including full text
indexing of the communication and searching for parties
involved in the conversation is fully supported.
Can specific policies be configured for IM
conversations?
Yes. The same approach that allows messages to be
searched applies to the configuration of policies. If you
want a policy that is specific to instant messages, ensure
that you configure a rule that looks for the instant message
InfoTag has been set.
PROOFPOINT.COM : 1 866 366 3668
ARCHIVING TECH BRIEF: MANAGED INFRASTRUCTURE All customer data is hosted on the state-of-the-art
Proofpoint Network, a highly secure, reliable and scalable
infrastructure based on a distributed network and grid
storage architecture.
Is my data separate from other customer’s data?
Proofpoint hosts data in isolated units called stores. Each
store contains data for a single customer that is encrypted
with unique customer keys. Stores are signed with unique
customer identifiers. These stores are accessed through
redundant directory services that are able to locate your
data across the entire storage infrastructure.
All data maintained within the Proofpoint Network remains
in encrypted form, and can only be decrypted using unique
keys maintained by the Proofpoint Archiving Appliance.
The isolation of customer data in individual stores,
combined with customer-specific encryption, ensures that
your data is never compromised.
How do you ensure that my data is secure?
The Proofpoint Network is designed to provide complete
protection for your messages through multiple levels of
physical and network security.
Our servers are located in geographically diverse data
centers engineered for maximum security through such
measures as:
around-the-clock onsite security guards;
24 x 7 video surveillance that blankets the entire
facility, monitoring and archiving all visitor movement;
multiple layers of security access into individually-
locked colocation areas via electronically-controlled
pass cards with escorted access and/or biometric
identification, logging all access and ensuring only
authorized personnel can enter the data center.
The network infrastructure is further protected by multiple
layers of industry-standard security technology to guard
against unauthorized access and sudden attacks.
Access to the Proofpoint Network is restricted to
authorized Proofpoint operations personnel who must
supply proper identification codes and passwords to enter
the data center and/or login to the archive servers. In
addition, with Proofpoint’s DoubleBlind Encryption™, all
archived data is stored in encrypted form, so no Proofpoint
personnel can see the confidential information contained in
your messages.
How much redundancy is there in the infrastructure?
The Proofpoint Network is designed to ensure you have
access to your data on demand. The data centers we
employ are engineered for high availability and reliability,
including:
N+1 redundancy for all environmental controls
including redundant HVAC systems and dry coolers,
as well as highly sensitive leak detection systems;
advanced fire detection and suppression systems;
dual, high-voltage feeds from the public hydro
system, with each feed capable of powering the entire
data centre at full load on its own;
redundant UPS systems, diesel generators and
power distribution units to ensure uninterrupted
power, backed by 100% power availability guarantee;
redundant connectivity to major Internet backbones to
ensure network availability 100% of the time.
The Proofpoint network architecture has been designed to
reduce single points of failure by employing redundant
and/or clustered hardware configurations within each data
centre. In addition, the solution was designed to allow
horizontal scalability of the entire server infrastructure.
Multiple copies of your encrypted data are also maintained
on spinning disks at multiple data centers.
How is the Proofpoint Network monitored?
Proofpoint leverages the data center’s Network Operations
Center (NOC) for 7x24 monitoring of the physical and
network infrastructure, including network connectivity,
HVAC, fire control, power and security. All systems,
including firewalls and servers are monitored 24 hours a
day, seven days a week with onsite sparing to ensure
rapid replacement and minimize downtime in the event of a
hardware failure.
For application monitoring, we use proprietary tools that tie
into our open-source monitoring infrastructure via SNMP
and port-based monitoring. This service checks the
application on a regular basis to verify and alert our
technical support team of failure. These tools also provide
us with information that can be used for trend analysis and
capacity planning.
The Proofpoint Archiving Appliance includes services that
submit requests to the Proofpoint back-end to determine
whether the archive and the customer’s data are
accessible. The history of these requests is logged on the
back-end and monitored by Proofpoint on your behalf.
PROOFPOINT.COM : 1 866 366 3668
What is your disaster recovery plan?
Each customer’s archived data is encrypted by the
Proofpoint Archiving Appliance and sent to a primary data
center. A copy of the encrypted data is also sent to the
secondary data.
In the event that the primary data center that your
Proofpoint Archiving Appliance points to is completely shut
down, we can re-point the Proofpoint Archiving Appliance
to the secondary data center. Once re-pointed, the
secondary data center will process search requests
throughout your archived data. Any new email received by
the corporate Exchange server will continue to be added to
the journaling mailbox for processing by the Proofpoint
Archiving Appliance upon the resumption of normal
operations.
What are your change management, upgrade and
patch management policies?
Proofpoint follows a well-defined change management
process for all changes to our internal and production
environments.
All proposed changes to the application or the underlying
infrastructure, including roll-back procedures, are first
tested in our separate Quality Assurance environment.
The results are then reviewed by members of the
Development, Quality Assurance, Product Management
and Operations groups prior to deployment in the
production environment.
Changes made to the production environment are
implemented during maintenance windows and are fully
tested prior to release to our customers. In addition, all
changes are documented and tracked to ensure
accountability and repeatability.
All operations processes are fully documented and audited
in accordance with our SAS70 Type II certification.
Does the Proofpoint system scale?
The Proofpoint Network has been designed to scale in
parallel with your growing storage requirements. Our
storage infrastructure is capable of scaling to multi-
petabytes of storage. The Proofpoint application has also
been designed to leverage its large-scale distributed
environment to search through petabytes of data in near
real-time.
PROOFPOINT.COM : 1 866 366 3668
ARCHIVING TECH BRIEF: OUTLOOK AND OWA INTEGRATION Can I search the Proofpoint Archive within Microsoft
Outlook and Outlook Web Access?
Yes. Proofpoint can automatically create a special folder
within Outlook and Outlook Web Access (OWA) that allows
users to search through the archive of their own mail.
When a user clicks on the folder, the Proofpoint search
screen appears in their main Outlook/OWA window,
allowing them to perform searches of all their archived
mail. This search functionality is similar to Outook’s “find”
feature, except that all content, including attachments is
fully searched and the response time is nearly real-time –
regardless of the size of the user’s mailbox.
Can I do other activities such as legal discovery or
supervision within Outlook?
Proofpoint’s integration within Outlook and OWA is
designed to allow end-users to search their own mailbox
and easily access a full history of their email
communications.
Certain features, such as legal discovery searches,
accumulation of messages into folders for exporting and
the ability to review messages from the Proofpoint
Supervision queue are not supported. These functions
must be performed within the full Proofpoint ARCHIVE web
user interface.
Can I copy messages from the archive to another
folder within Outlook?
While you cannot directly copy messages from the archive
to another folder within Outlook, you can select one or
more messages and retrieve them. This process will send
a copy of the message from the archive to your inbox. You
can then move the retrieved messages to the appropriate
folder, as desired.
Can I access the archive when I am out of the office?
To support external access, Proofpoint provides an
Archive Proxy that can be installed on your Outlook Web
Access servers. This proxy allows end users to access the
archive without the need to expose the appliance directly
on the Internet. The Archive Proxy also facilitates
integrated search and seamless stubbed attachment
retrieval within Outlook Web Access.
Do I have to install software or an Outlook add-in?
How is the integration deployed?
No. Proofpoint’s unique approach to Outlook integration
takes advantage of Outlook features that allow folders to
display specially created web pages within the Outlook
window. As a result, no software needs to be deployed.
To create the Proofpoint Archive folder within Outlook and
OWA on behalf of users, Proofpoint provides a utility that
an Exchange administrator can run. This utility can also
be scheduled to automatically create/update the folder
reference when new mailboxes are created or permission
to search the archive is added.
What versions of Outlook are supported?
Proofpoint’s Outlook integration is supported in Outlook
2003 and 2007.
Is there an additional fee for this functionality?
Any user that can access their archived email from the
Proofpoint web-based user interface can take advantage
of the Outlook integration at no extra charge.
PROOFPOINT.COM : 1 866 366 3668
ARCHIVING TECH BRIEF: ARCHIVING PROXY What is the archiving proxy?
Proofpoint recommends that the Archiving Appliance not
be exposed to the Internet. While the appliance is
hardened, as the primary keeper of the encryption key
used to secure your archive data, putting it within your
DMZ creates unnecessary risk. To support external users
that need to access the archive, Proofpoint provides an
Archive Proxy, which is an extension for IIS (an ISAPI
filter) that is installed on your OWA front-end servers. The
archive proxy accepts specific requests from the Internet
and relays them to an appliance. By installing the archive
proxy on your OWA server, you can leverage its existing
public DNS and digital certificate.
How do users access the archive via the proxy?
The archive proxy exposes a new “virtual directory” on IIS
that end-users can use to access the archive directly using
a web-browser. For example, if users normally access
OWA at: https://mail.acme.com/exchange, they would
access the archive at: https://mail.acme.com/archive.
More commonly, however, users access the Proofpoint
ARCHIVE search user interface by clicking on the “Archive
by Proofpoint” folder within Outlook or OWA. When this
folder is setup, it can be configured to point to the proxy,
rather than an appliance directly, so that it works for users
when they are out of the office.
What versions of Exchange are supported?
Proofpoint provides a 32-bit version of the archiving proxy
for Exchange 2003 and a 64-bit proxy for Exchange 2007.
Can I load balance user interface appliances?
The archive proxy can be configured to point to multiple
archiving appliances. In this case, each request is routed
to an appliance at random, allowing for effective load-
balancing across appliances.
Are all requests load balanced?
Most of the Proofpoint ARCHIVE user interface is stateless
and can be easily run in a fully load-balanced way. To
improve the performance of supervision review which
involves review of a succession of messages in a queue,
the archiving appliance pre-fetches messages into a
cache. For this reason, supervision requires a user to be
locked to a specific appliance for a given session. The
archive proxy takes care of this automatically. When the
cache is populated on a given appliance, a session cookie
is set in the user’s browser to indicate which appliance
subsequent requests must be served by. The archive
proxy honors this setting for this type of user session.
Does the archiving proxy provide fault tolerance?
Yes, when multiple appliances are configured for use by
the proxy, it detects failed attempts to connect to an
appliance and will resubmit the request to another
appliance. The appliance that didn’t respond is also
“blacklisted” for a time period, so that subsequent requests
are handled by a working appliance.
My OWA servers reside behind a load balancer, will
this work with the archive proxy?
For most tasks, yes. If your OWA environment has
multiple front-end servers behind a load-balancer, you
must install the proxy on each of them. This scenario may
not work properly for supervisory review. Contact
Proofpoint Professional Services for more information.
What role does the archive proxy play in Proofpoint
ARCHIVE OWA integration?
In addition to relaying user interface requests to the
archiving appliance, the archiving proxy also supports
integration with Outlook Web Access. As each request is
submitted to OWA, the archive proxy inspects the URL
looking for requests for messages that have been stubbed
or display of the “Archive by Proofpoint” folder. When it
sees these requests, it intercepts them and, in conjunction
with the archiving appliance updates the responses
appropriately. This integration, including the inspection of
requests, can be disabled, if desired.
Is there a way to force users to connect to the archive
through a secure connection (https)?
If Internet Information Server (IIS) on the OWA server is
configured to reject HTTP requests, the archive proxy will
not receive unsecure requests. As a result, users must
enter “https:” at the beginning of the URL to connect to the
archive, just as they do for OWA access. While unsecured
access to OWA or the archive is never recommended, to
overcome confusion caused when users get error pages,
some organizations leave HTTP access open on IIS, then
install a redirect page to force users to a secure location.
To achieve similar functionality, the archive proxy can be
configured to perform a similar redirect for archive access.
Is there a way to monitor the status of the archiving
proxy?
Yes. The proxy exposes a status page that shows the
number of requests processed and provides links to test
access to each appliance.