Symantec Enterprise Messaging Management for Microsoft Exchange

This Symantec Yellow Book is intended to help organizations deploy a combination of Symantec products to ensure the security and availability of their messaging systems, including email in the Microsoft Exchange environment. It explains how Symantec's email and instant messaging (IM) management solutions can reduce the risk and potential downtime posed by security threats and spam, help meet messaging policy and regulatory compliance needs, and optimize the accessibility and resiliency of the messaging infrastructure. It includes a brief technical overview of Symantec's comprehensive solution for email and IM, and describes the combination of Symantec products that are considered essential for efficient and effective messaging management.

This Symantec Yellow Book is focused on addressing the needs of Windows platform-oriented organizations with 1,000-2,500 employees, but will be useful and of interest to both smaller and larger organizations.

About Symantec Yellow Books™

Symantec Yellow Books deliver skills and know-how to our partners and customers as well as to the technical community in general. They show how Symantec solutions handle real-world business and technical problems, provide product implementation and integration knowledge, and enhance the ability of IT staff and consultants to install and configure Symantec products efficiently.

www.symantec.com

Overview of email and Instant Messaging (IM) security, availability, and resilience concepts

Best practices for implementing Symantec email and IM management solutions

Technical information on how to deploy multiple products, sequence their configurations, and achieve product synergies

Performance testing powered by IBM®

Symantec Enterprise Messaging Management for Microsoft® Exchange

A comprehensive approach to effectively managing messaging in Symantec and IBM environments


$65.00 US $75.00 CANADA

Copyright © 2006 Symantec Corporation. All rights reserved. 11/06 XXXXXXXX


Hardware used for performance testing in this Symantec Yellow Book sponsored by Dell™. For more information, go online: www.ibm.com

Introducing Symantec Enterprise Messaging Management for Microsoft® Exchange

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 3.0.IBM

Legal Notice

Copyright © 2007 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and Symantec Yellow Book are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Microsoft, Windows, Active Directory, Excel, JScript, Outlook, PowerPoint, SharePoint, and Windows server are trademarks or registered trademarks of Microsoft Corporation.

Other brands and product names mentioned in this book may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

The products described in this document are distributed under licenses restricting their use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
http://www.symantec.com

Acknowledgments

Symantec thanks the following people for their contribution to the Symantec Yellow Book™:

Principal Authors

Werner Zurcher
John Glen
Etsuko Kagawa
Julie Murakami
Rich Alford
Christina Baribault
Jeannette Starr

The principal authors and Symantec would like to thank the following contributors:

Sophia Abramovitz
Faisal Z. Ahmed
Jeffrey Armorer
Mike Bilsborough
Par Botes
Bill Chitty
Mark Davis
Osama El beck
David Flanders
Scott Girvin
Matt Hamilton
DLT Solutions, Inc.
Andy Honl
Jose Iglesias
Simon Jelley
Paul C. Johnson
Walt Kasha
Kevin Knight
Blake McConnell
Jason Mero
Chris Miller
William S. Phillips
David Scott
Matthew Steele
John Stone
Logan Sutterfield
Martin Tuip
Jason Ware
Lee Weiner
Mia Whitfield
Ed Whyatt
Dennis Wild
David Ye

Symantec extends a special thanks to IBM for providing hardware and software performance testing expertise supporting the development of this Symantec Yellow Book.

Contents

Chapter 1 Introduction

About this book
About enterprise messaging management
About the Symantec solution for Enterprise Messaging Management

Chapter 2 Challenge of fortifying enterprise messaging systems

New challenge
Increasing pressure on corporate IT
Threat innovation
Increase of spam
Increase of email size and email storage requirements
Lack of central management of messaging archives
Need for high availability
Mandatory compliance
Retention of electronic messages for use as legal evidence
Higher legal discovery costs
Liability due to misuse
Higher messaging infrastructure costs
Other new messaging applications
Symantec response to the challenges

Chapter 3 The Symantec enterprise messaging management solution for Microsoft Exchange

Challenges and opportunities
Effectively managing messaging environments
Introducing the Symantec solution
Resource management
Benefits of a resilient foundation
Benefits of storage virtualization
Benefits of backup and recovery
Benefits of clustering
Threat management
Layered approach to threat management
Email volume reduction with traffic shaping
Perimeter security
Internal Exchange server filtering
Email client security
Archival and retention management
Email archiving challenges
Archiving with Enterprise Vault
Integrations with the archiving solution
Policy and compliance management
Regulatory compliance
Messaging policy compliance
Discovery and analytics management
Options to meet advanced requirements
Advanced security requirements
End-point security and protection products
Additional gateway security products
Server security products
End-point security compliance management products
Intelligent monitoring products and services
Symantec Professional Services
Symantec Consulting Services
Symantec Advisory Services
Symantec Solutions Enablement Services
Symantec Secure Application Services
Symantec EMM solution summary

Chapter 4 Enterprise Messaging Management infrastructure

Infrastructure configuration for the Symantec solution
Summary checklists for the end-to-end solution
Pre-deployment checklist
Deployment checklist
Requirements for the Symantec solution
Email security hardware and software requirements
Email archiving hardware and software requirements
Solution foundation hardware and software requirements
Solution sizing and performance guidelines
Sizing and performance criteria
Hardware configuration
User profile
Baseline server and storage configurations
Test environment
Test methodology
Test results
Results analysis
IM Manager performance considerations

Chapter 5 Stopping unwanted email

The challenge of stopping unwanted email
A defense-in-depth strategy
Network boundary tier
Gateway tier
Mail server tier
Desktop tier
Symantec’s Global Intelligence Network
Configuration overview
Best practices for protecting Exchange servers at the mail server tier
Best practices for protecting the network perimeter at the gateway server tier

Chapter 6 Using Symantec IM Manager

About Symantec IM Manager
Best practices for preparing the IM Manager environment
Installation prerequisites
IM Manager installation information
SQL server installation requirements
Best practices for configuring IM Manager
Instant message network strategies
DNS rerouting configuration
About IM Manager configuration
Archiving instant messages to Enterprise Vault
Exchange Server setup to accept IM Manager messages
Configure IM Manager directory integration
Configuring IM Manager SMTP delivery to Microsoft Exchange
Installing the IM Manager Enterprise Vault XSL Transformation file
Configuring IM Manager export
Best practices for IM Manager security
Threat protection and SPIM filtering
Instant message client version control
Best Practices for IM Manager backup and recovery
SQL Server database backup recommendations
Recovery after an IM Manager failure
IM Manager server failure
IM Manager data corruption
IM Manager database server failure
IM Manager use cases
Instant message security and threat protection use cases
Instant message logging for journaling and policy enforcement use cases

Chapter 7 Message archiving, retrieval, and storage

Microsoft Exchange as an information warehouse
Archiving, retrieval, and storage in the Exchange environment
Support for structured data
Seamless retrieval of archived email
Control of PST archives
Reduction in the size of Exchange information stores
Enterprise Vault basics
Best practices for planning Enterprise Vault deployments
Documenting the existing Exchange environment
Documenting the new Exchange Enterprise Vault environment
Considerations for planning and documenting the Enterprise Vault deployment
Best practices for sizing Enterprise Vault environments
Vault Store recommendations
Vault Store partition setting recommendations
About the Admin Service
Selecting the level of indexing
Best practices for preparing the Enterprise Vault environment
Installation software prerequisites
Enterprise Vault Service account creation
SQL login account creation
Enterprise Vault server preparation
Best practices for installing Enterprise Vault
Best practices for configuring Enterprise Vault
Enterprise Vault Configuration program tasks
Enterprise Vault Administration Console configuration tasks
Best practices for backing up and recovering Enterprise Vault
SQL Server database backup recommendations
Enterprise Vault recovery
Common Enterprise Vault challenges and solutions
Enterprise Vault usage

Chapter 8 Enhancing Microsoft® Exchange Server availability

About Microsoft Exchange Server availability
Risks to email availability
Exchange service requirements
Symantec solution to ensure Exchange availability
Modular approach
Best practices for Veritas Storage Foundation for Windows
Challenges to managing Exchange storage
Storage Foundation solutions to Exchange store challenges
Storage Foundation implementation and usage recommendations
Best practices for Veritas Storage Foundation High Availability for Windows
Challenges to clustering the Exchange environment
Storage Foundation HA for Windows solutions to Exchange clustering challenges
About Storage Foundation HA for Windows
Veritas Storage Foundation High Availability for Windows installation recommendations
Best practices for configuring storage resources for Storage Foundation HA for Windows
Clustered Microsoft Exchange deployment solution
Symantec Mail Security for Microsoft Exchange on Veritas Cluster Server systems recommendations for use
Best practices for Symantec Backup Exec
EMM environment backup challenges
Symantec Backup Exec solution to Exchange backup and recovery challenges
Backup Exec installation recommendations
Best practices for backup and recovery in Exchange environments
Best practices for Enterprise Vault backup

Chapter 9 Regulatory compliance and legal discovery for email and instant messaging management

About regulatory compliance
Email and instant messaging life cycle management
Considerations for data reduction
Spam and archiving
Considerations for threat reduction
Considerations for record retention
Applying policies across the organization
Discovery and records retention
Considerations for discovery
Completeness of process
Timeliness of response
Cost efficiency
About the role of backup

Chapter 10 Best practices for Veritas Enterprise Vault™ legaldiscovery and compliance options

About Veritas Enterprise Vault legal discovery and compliance

options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

About Enterprise Vault Discovery Accelerator ... . . . . . . . . . . . . . . . . . . . . . . . . . 230

About Enterprise Vault Compliance Accelerator

Comparison matrix

Best practices for installing and configuring Enterprise Vault Discovery Accelerator

Prepare to install Enterprise Vault Discovery Accelerator

SQL Server requirements for Enterprise Vault Discovery Accelerator

Installing Enterprise Vault Discovery Accelerator

Configuring Enterprise Vault Discovery Accelerator

Best practices for installing and configuring Enterprise Vault Compliance Accelerator

Prepare to install Enterprise Vault Compliance Accelerator

Requirements for the optional Journaling Connector

SQL Server requirements for Enterprise Vault Compliance Accelerator

Install Enterprise Vault Compliance Accelerator

Configuring Enterprise Vault Compliance Accelerator

Best practices for customizing Enterprise Vault Discovery Accelerator

Creating roles, cases, and targets

Creating searches

Best practices for customizing Enterprise Vault Compliance Accelerator

Configuring searches

Best practices for upgrading Enterprise Vault Compliance Accelerator

Upgrading Enterprise Vault Compliance Accelerator

Best practices for Enterprise Vault Compliance Accelerator backup and recovery

Chapter 11 Minimizing time and risk in Exchange migrations

Overview of Exchange migration issues

Benefits of using the Symantec solution to manage Exchange migrations

Using Enterprise Vault in the migration process

Migrating without moving mailbox content

Minimizing mailbox content to be moved

Protecting the investment in Exchange 2003

Application after migration

Recommendations for migration

PST file migration

Glossary

Index

Chapter 1 Introduction

This chapter includes the following topics:

■ About this book

■ About enterprise messaging management

■ About the Symantec solution for Enterprise Messaging Management

About this book

This Symantec Yellow Book™, Symantec Enterprise Messaging Management for

Microsoft® Exchange, examines the critical issues organizations face in keeping

messaging systems secure and available. The Symantec solution is designed to

eliminate unnecessary cost and risk by reducing large volumes of unwanted spam,

stopping viruses and worms, protecting confidential data, and by making the

communication infrastructure resilient against failure.

The information presented in this Symantec Yellow Book is intended for Microsoft

Windows-based organizations that use email and instant messaging (IM) as

primary tools for business communications, and whose messaging infrastructure

is principally built around Microsoft Exchange. This information primarily

addresses the needs of organizations with 1000 to 2500 employees, but may also

be of use to smaller organizations, as well as larger organizations with multiple

email systems. However, the information may not fully address the specific

requirements of these organizations.

The information presented in this book addresses the challenges associated with

email management as interdependent processes, to show how business-critical

problems can be resolved through a comprehensive solution. It identifies the

challenges predicted by trends in the email environment, and helps IT

professionals gauge the costs and investment of resources required to meet email

management objectives. It contains analysis, best practices, recommendations

for use, and detailed technical guidelines.

Although today’s challenges and solutions focus mostly around email, Symantec’s

vision of enterprise messaging management extends beyond email to other

messaging platforms (such as IM), collaboration tools (such as Microsoft

SharePoint®), and Voice over IP (VoIP). As its importance has grown, email has

become a critical application for business.

As more businesses adopt other communication platforms, such as instant

messaging (IM), sharing information over websites, and VoIP, the same challenges

presented by email also appear in these new environments. This results in the

need to manage, secure, and archive these new communication platforms in the

same way that email is managed.

While this book focuses on email management for Microsoft Exchange, it also

addresses IM management. Future Symantec solutions and Symantec Yellow

Books will expand messaging management to include new applications, such as

VoIP communications, as the demand to protect these new communication

environments grows.

This information is intended for IT personnel who are responsible for designing

or implementing email- and IM-oriented solutions, Symantec business partners

helping customers deploy these solutions, and Symantec personnel supporting

all these groups. After reading this book, IT professionals should understand the

challenges surrounding Exchange and IM environments, and the Symantec

technologies designed to meet them.

The following table briefly describes the contents of this book:

Chapters 1 through 3: Provide CIOs and IT Infrastructure Managers with an understanding of the components, functions, and value of Symantec’s comprehensive solution. This solution can keep email in a Microsoft Exchange environment, as well as IM, running efficiently and securely.

Chapters 4 through 10: Provide IT Infrastructure Managers and other technical personnel with an overview of how Symantec messaging-oriented products can be deployed, and help them plan such deployments. These technical professionals will also find information about operational best practices for email and instant message security, availability, and archiving solutions.

This book also covers the following topics:

■ Challenges in the email and instant message environments that organizations

face today

■ Messaging security, availability, and resilience concepts

■ How the Symantec solution for messaging management can meet the needs

of organizations

■ Technical information about the products that make up the recommended

solution for Exchange email and IM management

■ How the solution leverages synergies between products

■ Best practices for implementing the solution, developed and proven by

Symantec engineers

■ Important caveats and workarounds for implementing the solution

■ Technical information related to implementing the solution, including

multi-product installation and configuration sequences, and hardware and

software requirements

About enterprise messaging management

Since its inception, modern electronic messaging has been in a state of constant

change. Electronic messaging has changed in its applications, technologies,

mediums, and usability. We are in a period of rapid change in the electronic

messaging environment.

Currently, the most common means of electronic messaging is email. Having

become critical for corporations in the 1990s, email is now growing in its

importance as an accepted form of business record. With the increase in network

bandwidth, the use of email as transport for rich media is now common; beyond

simple text, email is now used to send rich media including HTML, graphics, audio

and video.

In the last few years, instant messaging (IM) has been rapidly adopted in many

organizational settings. Users in most organizations now use IM, even if IM

is not yet supported by their IT organizations. It is estimated that IM may even

eclipse email by 2008, as measured by the number of messages sent between users.

IM protocols have been extended to allow voice and video information transfer.

Voice over IP (VoIP) is also gaining popularity after years of slow growth.

Furthermore, organizations are adopting the use of collaborative environments,

such as Microsoft SharePoint, as yet another avenue for electronic messaging.

With the advent of IM, cell phones, Blackberries, SMS text messaging, VoIP, and

other technologies, IT can no longer view email as the totality of electronic

messaging. The challenges IT faces with email will also expand to encompass IM,

and other messaging mechanisms and their infrastructures. Therefore, Symantec

recommends that IT organizations take a comprehensive view of all the messaging

platforms in their organization, decide which messaging environments to actively

manage, and how. From this perspective, email is one of many electronic messaging

environments that must be managed.

For now, email remains the most important and resource intensive messaging

technology; one that requires active management. Exponentially increasing

volumes of email, greater reliance on email as a primary business application,

and escalating costs associated with management of the email infrastructure

drive the imperative for a comprehensive email management solution. IT

professionals are responding to the need for longer retention periods for email

data due to corporate, legal, and regulatory pressures. IT professionals must

provide high availability and accessibility of email data. Critical email systems

must also be secured, as effectively as possible, from the risks posed by diverse

threats.

When IT organizations plan migration to new email servers, add IM security, or

consolidate messaging servers, an opportunity exists to strengthen the messaging

infrastructure. As email and IM systems mature, an approach to maintaining

security and availability that encompasses the entire messaging system (hardware,

software, and network infrastructure) becomes a priority.

By contrast, a reactive or piecemeal approach to messaging management that

relies on a growing set of point products will burden IT with responsibility for

resolving interoperability and maintenance issues. In the long run, such a

piecemeal approach will likely prove ineffective and costly, and complicated by

the need to interact with multiple vendors.

Symantec believes that there are five broad areas that organizations must actively

manage in a messaging environment, regardless of format or technology.

Resource management: Keep messaging systems up, and costs down. The first requirement of any messaging environment is that the systems are reliable and available at all times. Also critically important is that organizations can control costs while keeping systems available.

Threat management: Keep bad things out. Once a messaging system is up and running reliably, steps should be taken to protect the environment from the threats that it faces in the online world.

Archival and retention management: Keep things as long as needed. Companies face two problems with messaging environments: managing the retention of documents, and retrieving specified documents when needed. More often than not, these needs are being driven by legal and legislative requirements.

Policy and compliance management: Keep important information within the company. This relates to employees inappropriately sending out trade secrets via email. It is becoming more critical for businesses to have tools that allow them to ensure that messaging tools are being used in ways that comply with company policy, and do not put the company at risk.

Discovery and analytics management: Keep intellectual property, and search and analyze data assets.

Companies are increasingly aware of the value of the intellectual property

contained in their messaging environment. Organizations need intelligent tools

that allow them to search and analyze their intellectual property and data assets.

Symantec’s approach to providing protection for the entire organization’s IT

environment is founded on protecting infrastructure, information, and

interactions. When building a messaging environment, it is important to provide

all the necessary protections. This Symantec Yellow Book presents a solution that

integrates products from a single vendor to provide the necessary protections.

Both the intrinsic advantages of an integrated solutions approach, and the specific

functional benefits of the Symantec solution are covered in this book. Symantec

product synergies and individual product strengths derive from the design

expertise and the accumulated experience of Symantec.

About the Symantec solution for Enterprise Messaging Management

The Symantec solution for Enterprise Messaging Management for Microsoft

Exchange presented in this book takes a comprehensive view of messaging

management. Although Symantec delivers market-leading products in nearly

every category needed to enable and protect a messaging environment, Symantec

does not recommend a piecemeal approach to building a messaging infrastructure.

As messaging technologies continue to evolve, making decisions one product at

a time does not render the best solution to the wide set of challenges posed by

computer-based communications.

The Symantec response is a single, comprehensive solution; one that is tested and

proven. Symantec security, availability, archiving, and other messaging

management products will continue to evolve with changing market requirements,

and can be expected to meet customer requirements. Whatever new messaging

applications rise to importance within business environments, Symantec products

will be developed to encompass changing business needs.

The acquisition by Symantec of Veritas, Brightmail, IM Logic, and other

companies, each an industry leader in its field, has created a strong presence

in the broad arena of email messaging management. The companies’ combined

expertise delivers an email messaging management solution for email security,

availability, and resilience. The Symantec solution enables IT organizations to

evolve from an approach that relies on integrating point-products to a more

comprehensive solution.

Symantec’s comprehensive approach to messaging management has the following

advantages:

Reduces the number of tools: Standardizing or relying more on Symantec reduces the number of different vendor tools that are required to manage and secure your IT and email messaging environment.

Reduces complexity: Fewer tools means less environmental complexity, as there can be fewer management interfaces to learn.

Reduces number of vendors: Fewer vendors means dealing with fewer external partners, and sales and support organizations when problems arise. If the number of solution vendors in the environment is large, it can lead to frustration.

Improves functionality and ease of solution use: Integrating products allows applications to share data and user interfaces. Common user interfaces increase ease of operation across all products. Data sharing propagates information between products, and enables more efficient and effective operation and management capabilities.

There is a fast-growing need for an integrated solution for email management.

This need is precipitated by rapid change in the messaging environment. Symantec

is uniquely positioned to deliver a strong solution composed of quality products.

Complementary areas of expertise offer protection of an organization's messaging

systems, backup and recovery, and information storage and retrieval.

The Symantec solution for Enterprise Messaging Management includes the

following products:

■ Symantec Mail Security 8160 appliance

■ Symantec Mail Security for the Email Gateway – available in software (SMS

for SMTP), appliance (SMS 8260), or hosted (Symantec Hosted Mail Security)

deployment formats

■ Symantec Mail Security for Microsoft Exchange

■ Veritas Enterprise Vault

■ Enterprise Vault Discovery Accelerator

■ Enterprise Vault Compliance Accelerator

■ Veritas Storage Foundation™ for Windows

■ Veritas Storage Foundation High Availability for Windows (Veritas Cluster

Server)

■ Symantec Backup Exec

■ Symantec IM Manager

Symantec Mail Security products reduce the amount of junk email that passes

into an organization and through the Exchange server. Backed by the Symantec

Global Intelligence Network and Security Response organization, Mail Security

for Exchange products protect the email network from threats.

Symantec Mail Security for Exchange products filter content and can direct email

to a Veritas Enterprise Vault email archive according to defined policies. Enterprise

Vault stores email away from the Exchange server. Enterprise Vault Compliance

Accelerator and Enterprise Vault Discovery Accelerator accelerate the search for

information that has been archived by Enterprise Vault, making data more

accessible. Symantec Backup Exec and Storage Foundation for Windows work in

the background to maintain continuous availability of the entire system, and to

ensure a rapid recovery, whatever the cause of failure.

An organization’s specific requirements may need additional products and options.

Some of these products are discussed briefly in the following chapters. A Symantec

sales or reseller partner can provide more detailed information about related

products and services.

A comprehensive solution to enterprise messaging management has many

advantages:

■ Reduction of risks that are related to complex or unproven integrations, and

avoidance of unforeseen issues that can easily follow the integration of

unrelated products

■ Better focus of IT resources to realize greater efficiencies

■ Interaction with a single responsible vendor, which simplifies support,

maintenance, and communications

■ Uniformity and consistency of experience across products, which facilitates

administration and user experience

■ Consolidation of IT knowledge around the single solution, which enables IT

expertise to develop rapidly

■ Professional services, such as consulting, support, and training can be

negotiated and delivered via a single channel

The Symantec solution for Enterprise Messaging Management reduces complexity

in your environment by integrating quality products. The solution leverages the

experience and best practices that Symantec and partners have developed by

deploying these products together in various environments. Future revisions of

the Symantec solution will continue to integrate new products and technologies,

as needed by our customers. Customers can confidently stay current and optimize

their systems, based on their partnership with Symantec.

Chapter 2 Challenge of fortifying enterprise messaging systems

This chapter includes the following topics:

■ New challenge

■ Increasing pressure on corporate IT

■ Symantec response to the challenges

New challenge

Over the last twenty years, the widespread adoption of personal computers, popular

use of the Internet, and the establishment of corporate intranets have revolutionized

business communication. Email has become an indispensable organizational and

interpersonal communications tool.

The continuing decline in personal computer and networking costs, and the

increasing ease with which fast and cost-effective communications can occur,

guarantees the further entrenchment of email in the business environment.

Recently, business and personal communications applications that rely on PCs

or other low cost networked end-point devices, such as instant messaging (IM)

and Voice over IP (VoIP) have seen rapid user adoption.

The Internet and email have rapidly evolved and become powerful business

enablers, but not without risks. Email opens a communication door that exposes

businesses to risk, but which organizations cannot afford to close. The Web,

another open door, also serves as a route for email traffic, especially for popular

Web-based mail services. IM and VoIP are also rapidly becoming open doorways

that present new risk.

The simplicity and universality of email has made it a vehicle for the delivery of

diverse electronic threats. Many organizations’ productivity falls dramatically

when email stops functioning.

Email is now a critical application for many organizations, despite the risks and

added burdens associated with its use. For example, one new burden is the

requirement for organizations to ensure that their email traffic complies with

corporate and government regulations relating to audit trails. Email systems

expose organizations to security risks that can impact profitability, and jeopardize

viability. The same characteristics that make email valuable also help create the

current set of challenges facing corporate IT organizations.

According to a 2005 study by the Enterprise Strategy Group, the need to retain

email is now the primary driver of electronic records management initiatives. In

addition, email has also become the most frequently requested type of business

record by courts and regulators.

Seventy-seven percent of organizations involved in an electronic data discovery

request indicate they have been asked to produce email messages as part of a legal

or regulatory proceeding. (Source: ESG Research Report “Digital Archiving,”

December 2005). In industries such as financial services, the retention of instant

message conversations is also already being required.

Instant messaging continues to be the fastest growing communications medium,

with an estimated 390 million consumer and enterprise IM users by the end of

2006. Global services such as AOL® Instant Messenger, MSN® Messenger, and

Yahoo!® Messenger each report over 1 billion messages sent per day, and IM traffic

is expected to exceed email traffic by the end of 2006.

As one of the most successful and widely deployed applications on the Internet,

IM has increasingly become the target for attackers to propagate IM-borne viruses,

worms, spam over IM (spim), malware, and phishing attacks. Though widely

adopted, IM is generally unprotected and unmonitored in consumer and enterprise

environments, leaving it vulnerable to attacks and exploits. These attacks have

grown exponentially over the past three years, increasing the need for real-time

threat response for IM and peer-to-peer (P2P) applications.

For some organizations, including most companies that outsource customer

services, VoIP is already a critical application. An example of this is organizational

IT help desks that have been centralized in one country, and service users

worldwide. For such organizations, VoIP infrastructure availability and freedom

from security threats are critical.

Increasing pressure on corporate IT

The dependency on digital communications has placed pressure on corporate IT

to maintain availability of these messaging systems. Downtime of these systems

can directly impact business revenues.

In the past, email servers were primarily message transfer agents, and were not

available to store information. With Microsoft Exchange and Lotus Notes, email

servers also function as information warehouses.

Email is now often a significant conduit for a company’s business transactions

and internal operations. Consequently, email messages often play a significant

role as evidence in legal proceedings. Email is increasingly subject to costly and

time-consuming legal discovery endeavors.

Today, companies are required to preserve email for longer periods, and to ensure

that the email cannot be tampered with during the mandated retention periods.

This mandate has increased the cost of storage required to retain email messages,

and added complexity to email data life cycle management. This is also true for

IM and VoIP conversations in specific industries, such as banking and financial

services.

The following factors have impacted email and messaging management over the

last two decades:

■ Increasing business-related, person-to-person email volume sent annually

worldwide. Volumes increased 59 percent from 2003 to 2004 (Source: IDC,

Worldwide Email Usage 2005-2009 Forecast, IDC #34504, December 2005)

■ Surge in IM use and traffic, with 85 percent of organizations already reporting

business usage of IM

■ Increasing sophistication and virulence of email- and IM-borne viruses, some

of which have brought many organizations’ business processes to a halt for

hours or even days

■ Increasing volume of email and IM spam entering corporate networks,

comprising 64 percent of incoming email (Source: Brightmail Logistics and

Operations Center monthly Spam Statistics Report)

■ Surge in phishing attacks

■ Mass-mailer bombardment

■ Advent of spyware that self-installs, records keystrokes, scans files, spies on

email, and monitors Internet activity

■ Recognition in the United States, Europe, and other markets that email is a

legal business record that must be preserved

■ Emerging regulations governing retention, auditing, and monitoring of email

and IM communications

■ Misuse of corporate information assets affecting company brand, customer

trust, and legal liability

■ Litigation increasingly requires discovery of email

■ Growth in message storage requirements, with 65 percent of organizations

considering growth in messaging storage to be a serious problem, one that is

slightly more problematic than the problem of spam itself (Osterman Research,

Messaging Security Market Trends, 2005-2008, May 2005)

■ Growth in the use of IM and VoIP over corporate intranets and the Internet,

thus placing more stress on corporate networks

Threat innovation

Almost all organizations have experienced the successful penetration of the

corporate network by email-borne threats. In the last decade, email-borne threats

have evolved from accidental infection via attachments containing a macro virus,

to complex threats that can deliver a malicious payload to vulnerable users.

Viruses and mass-mailer worms, such as Blaster and Nimda, have plagued email

ever since 1997 and the advent of Melissa, and have grown in frequency every

subsequent year. Not only are they disruptive, but their payload can compromise

systems, affect security settings, steal information, set up ’bots for future exploits,

delete data, and infect other networked systems. IM-borne threats are a new

infection vector about which IT organizations have to be concerned.

Mass-mailers, in particular, have continued to innovate, moving from exploiting

vulnerabilities in the email client to running their own SMTP servers to broadcast

email inconspicuously. Emails generated automatically by these worms contribute

to the volumes of unwanted, disruptive content found in message archives.

Phishing attacks are among the fastest growing threats that use messaging

systems. Phishing represents the insidious and threatening side of spam, as

perpetrators attempt to solicit and steal passwords, social security numbers, and

identities of unsuspecting targets.

The surge in phishing attacks in recent years has placed added burden on IT staff.

The email system can be attacked through system vulnerabilities, and computers

and servers on the network can be infected. Attackers can also target addresses

of internal users, and also partners, customers, and suppliers.

Many malicious software attacks are blended threats that employ multiple methods

of self-propagation. However, the majority enter through the email gateway: it is

estimated that 80 percent of malicious software attacks enter organizations

through the email gateway and approximately 20 percent enter in other ways,

particularly through IM.

Other pathways include Web-based email from free consumer services, and forms

of removable media, such as USB flash drives, CDs, and DVDs. Early-stage threats

often penetrate gateway defenses before they are discovered and virus definitions

become available.

IM-borne threat innovation has proceeded even more quickly than email threat

innovation. As virus writers discover the IM delivery channel, IM threats have

experienced a more aggressive growth.

In calendar year 2005, over 2,400 unique IM and peer-to-peer threats were

identified: a 1700 percent growth from the previous year. The majority of these

threats were URL-based worms, but the rise of IM-based phishing attacks and

more sophisticated malware complicates IM’s risk profile.

The following factors illustrate IM threat risk:

■ IM threats utilize social engineering to propagate nearly instantly. An IM

worm typically utilizes an infected machine’s buddy list to begin propagating.

Click rates are higher than in email, and the spread of a worm throughout a

network and across the globe can almost be instantaneous.

■ IM threats are usually blended, allowing them to propagate over multiple

communication vectors, and to avoid detection.

■ IM threats mutate rapidly. They’re typically hosted, allowing them to change

the URL signature and malware signature more rapidly than traditional

file-based viruses.

These factors highlight the importance of taking a comprehensive and in-depth

approach to email and messaging security. To provide an adequate defense, a

solution needs to deploy security measures at multiple layers within the network.

Increase of spam

The increase in the number of email messages sent and received globally is in

part due to the proliferation of spam. Gartner estimates that spam accounts for

60 to 75 percent of email volume, and is trending upward. (Source: Gartner

Research Report “Enterprise Spam-Filtering Market Going Strong Into 2004,”

April 2004).

Symantec defines spam as unsolicited commercial or bulk email with the following

characteristics:

■ Email is random, untargeted, and sent by automated methods

■ Senders have no prior relationship with the recipient

Spam is a cheap and effective way for small online retailers and businesses to

market to millions of people who use email. Once a minor nuisance that made up

a small subset of all Internet email, spam has evolved into a scourge that makes

up the majority of email sent around the world. IM spam, sometimes known as

spim, is a growing IM challenge.

Spam impacts organizations by lowering productivity of employees. If every

employee needs to spend a few minutes each day reviewing and deleting spam,

then the accumulated time for the entire organization will quickly add up to a

significant productivity loss.

Today, spam constitutes a major hazard whose net impact on the efficiency and

cost of sustaining email systems is large. Debate exists over whether spam is a

security threat, but adware and spyware threats are usually delivered via spam,

and hackers use spam as their preferred delivery mechanism.

The organization that can reduce the volume of incoming spam will also achieve

a reduction in threats. As a result, organizations are forced to purchase additional

software and hardware for their email infrastructure to maintain normal email

business communication.

Increase of email size and email storage requirements

As the number of email messages increases, so too does the size of the average

email. Email attachments may be rich in graphics and multimedia. When

attachments are proliferated on a one-to-many basis, the sum volume of a single

message increases.

According to IDC, the volume of worldwide, person-to-person business email

increased by 59 percent from 2003 to 2004. IDC forecasts that the number of

person-to-person emails sent daily will reach 36.3 billion worldwide in 2006.

(Source: IDC, Worldwide Email Usage 2005-2009 Forecast, IDC #34504, December

2005)

Moreover, Radicati research reports that the average corporate email user

processes about 10 MB of data per day. This figure is predicted to rise to 15.8 MB

per user, per day by 2008. This projection will place a strain on corporate

messaging servers, which cannot function properly if simultaneously storing

large volumes of data for long periods of time. (Source: E-Mail Archiving Market,

2004–2008 12 Copyright © March 2004 The Radicati Group, Inc.)

The costs associated with storage of email are rising in proportion to the demands

for storage capacity.


Lack of central management of messaging archives

Organizations are now required to retain an ever-greater proportion of electronic

messaging to demonstrate compliance with external regulations, adhere to internal

policies, and prepare for possible legal discovery requests.

However, email servers’ message storage systems are not designed to store the

amount of data that is stored on the typical messaging system. The risks and

disadvantages of storing historical data become increasingly apparent.

As the storage management problem grows, so does its impact on administrators.

Email and other message types continue to arrive, and the volume grows from

year to year. The impact of this growth includes rising costs for storage and

backup, and reduced availability and performance of messaging systems.

Messaging servers typically slow down when they reach near-capacity. IT staff

find themselves faced with longer backup times to archive the large amount of

email data.

To alleviate the problem, most IT organizations impose email quotas, restricting

their users to a fixed amount of email storage. Less than 10 years ago, limits of

10 to 50 MB per user were common. Now quotas are typically 25 to 200 MB. Legal

firms set mailbox size limits at up to 2 GB.

Users must constantly ensure their email storage is below the quota. Complying

with email quotas can affect user productivity, typically results in large numbers

of support calls, and is one of the biggest burdens of email management.

Often, companies enforce email quota policies by automating the deletion of all

messages of a specified age. In response, users often set up individual folders on

their client PCs to store old messages for safekeeping. In Microsoft Exchange,

these messages are stored as PST files. Most organizations do not include PST

files in regular Exchange backups.

The alternative of storing PST files on the network file servers requires the same

storage and backup resources. This results in the same availability and

performance problems that are experienced on email servers.

PST files are easily corrupted, which leaves the information stored in this format

susceptible to loss. Storing information in PST files removes it from the control

and oversight of IT staff, and makes it inaccessible to the organization.

Administrators can remedy storage issues by saving email data to tape, CD, or

alternative offline media. However, these alternatives shift the problem rather

than resolving it, and result in reduced accessibility.

In general, organizations are more aware that they can no longer effectively

manage non-centralized archives of information. Corporations now want the

benefits of email quotas (email server storage management) without the associated

problems. IT requires a solution that allows administrators to economize on the


use of primary storage and leverage more cost-effective secondary storage, without

burdening end-users and IT staff, or risking the loss of critical information.

Need for high availability

As businesses expand globally and support operations in different time zones,

maintaining continuous availability of email systems has become an essential IT

service. IT organizations must be able to react to unexpected outages, and keep

communication systems up and running in any foreseeable situation.

To achieve this level of service, IT must now invest more resources to maintain

and upgrade the components of the email system. This includes server operating

systems, network components, and storage systems. Downtime to perform the

necessary hardware maintenance, install upgrades, apply security patches, make

configuration changes, and perform disk defragmentation becomes difficult to

schedule.

To build an infrastructure that supports high levels of availability for messaging

infrastructure, administrators must identify and respond to problems that can

potentially disrupt email and IM access. These problems range from performance

degradation or outright failure to email-borne attacks. IT organizations must

create policies, establish procedures, and invest in their infrastructure to meet

their availability requirements.

Specifically, IT must protect data and systems from the following situations:

■ Database corruption and denial of service attacks

■ Performance degradation due to high email volumes

■ Server hardware failure, storage network or device failure, and site failure

Mandatory compliance

As compliance with new regulations becomes mandatory, demonstrating

compliance becomes an important objective. Email, IM, and increasingly VoIP

provide a detailed record of an organization’s transactions, communications, and

business operations. Information stored in email messages or IM and VoIP

conversations is not exempt from the standards that apply to other forms of

information. Some regulations require that electronic communications, including

email and IM messages, be saved for years, long after they are sent, and be

available for review.

The following regulations apply to electronic communications:

■ The Sarbanes-Oxley Act (SOX) requires all public companies to save every

record that informs their audit process, emails included, for seven years.


■ The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

defines privacy rules that dictate what information health-care companies

can and cannot include in emails. Organizations are required to monitor the

contents of all inbound and outbound emails, and ensure that no data that

could compromise the organization’s integrity enters or exits through email

communication.

■ The National Association of Securities Dealers (NASD) regulations 3010 and

3110 in the United States require supervision of email, IM and other

communications between regulated employees within member organizations,

and with customers.

■ The Securities and Exchange Commission (SEC) Rule 17(a)–4(f) in the United

States requires financial service institutions to retain emails that contain

customer account details, securities trading transactions, and trading

confirmations on non-erasable media for two years. Many financial service

institutions are applying this rule to IM messages as well.

■ The SEC requires investment companies to retrospectively sample emails sent

by their agents to ensure that communications do not contain false claims or

misleading statements, or customer information, such as social security and

credit card numbers and other personal details. Many investment companies

have applied the same practices to IM.

■ Companies with human resources policies relating to harassment or explicit

communications are monitoring employee communication to demonstrate

compliance with internal policies.

Although compliance affects specific industries in different ways, the need to

comply with government and corporate policies impacts all organizations. Email

serves a vital role in demonstrating compliance.

Whether driven by formal regulations, a desire to be prepared for legal discovery,

or the need to enforce corporate policies, companies are sensitive to the risk

associated with email, and with electronic communication in general.

Consequently, corporate IT departments are tasked with implementing practices

that meet increasingly rigorous standards for email, IM, and other forms of

messaging management.

Retention of electronic messages for use as legal evidence

Litigation increasingly requires the submission of electronic message data as

evidence, leading to the recognition in the United States, Europe, and other

markets, that email and other electronic communications constitute a legal

business record that must be preserved.


The emergence of electronic messaging as legal evidence is pressuring companies

to demonstrate that their data is not only secure from tampering, but also that

specific information is quickly retrievable to support the legal discovery process.

Simple record retention alone is insufficient to meet the standards for accessibility.

Companies must be able to make available, on demand, email and IM content

that meets specific criteria.

For example, the legal discovery process may require emails from or to a specific

individual that meet key word and date range criteria. Email servers are not

designed to cost-effectively provide the storage or the efficient search and retrieval

capabilities required by the legal discovery process.

Higher legal discovery costs

In the United States, as well as increasingly in other markets, email is considered

a relevant business record and must be produced in a legal discovery request.

Consequently, IT managers, as well as legal counsel and compliance officers, must

have ready access to email messages.

The traditional way to restore required messages from backup tapes is a

cost-prohibitive and time-consuming process. Manual tape restoration costs

$2,000 to $5,000 per tape, resulting in total charges in typical litigation cases

exceeding $200,000 per case. It can cost organizations millions of dollars per

month to have lawyers or legal representatives scour email records during the

discovery phase of legal process.

For companies in highly litigious industries, the risk of incurring such costs is

unsupportable. Increasingly, such companies are implementing measures

proactively to minimize the risks.

Companies with no information retention policies, and with backup tapes as the

only source of historical messaging data, may not only face escalating discovery

costs, but also penalties for failure to produce relevant email records. If

information discovery is not completed in a timely fashion, fines or other sanctions

against companies can be imposed. Companies are now implementing internal

policies proactively that prepare them to respond to the next regulation or legal

process, rather than risk large costs or penalties.

Liability due to misuse

Messaging content that violates corporate policy, such as sexually or racially

offensive statements, inappropriate language, and copyrighted or sensitive

material, can be a corporate liability. According to Osterman Research, more than

80 percent of corporations are concerned about content inspection and forensics

to maintain security and compliance.


Electronic messaging makes it easy for disgruntled employees to cause damage

by sending sensitive material via email to large distribution lists. Unauthorized

release of confidential information can negatively impact the company brand

perception and customer trust. Violations may result in damage to corporate

reputations that lead to decreased customer recruitment or retention. The

publication of trade secrets can lead to the loss of competitive advantage, as well

as fines, or jail time.

Email and IM allow company information assets, whether copyrighted,

proprietary, or confidential company, customer, or user information, to be easily

transferred, accidentally or intentionally, to unauthorized persons. For example,

if an employee sends a customer’s credit card number, social security number, or

medical history through email in clear text, an organization could be in violation

of the Gramm-Leach-Bliley rulings, California’s SB1386, or HIPAA.

Organizations are also discovering that scanning inbound messages only is not

enough. Organizations must also scan outbound messages to prevent employees

from sending corporate intellectual property, including sensitive or confidential

information.

In addition to monitoring both inbound and outbound messaging, companies

increasingly need to conduct detailed reporting, logging, alerting, and other

preventive measures to meet security goals. Consequently, organizations need a

solution to ensure that email content is monitored and handled appropriately, to

minimize the risk of compliance violations and other legal liability.

Higher messaging infrastructure costs

The volume of business email is predicted to grow 25 to 30 percent per year

through 2009, excluding spam, which currently accounts for around three-fourths

of all inbound email. IM usage is expected to grow substantially faster over the

same period. This growth reflects an important shift in the way that email and

IM are employed.

The volume of inbound emails often exceeds the capacity of organizations’ email

gateway systems, MTAs, email storage servers, and groupware servers. As email

volume continually increases, email infrastructures have to be repeatedly

expanded.

As the use of IM and other new applications grows, companies have tended to

address the issues independently of each other. This approach adds complexity

to the messaging infrastructure, which causes both capital and operational

expenses to rise.


Other new messaging applications

Other new messaging and collaborative applications are evolving and will come

into wider use in the next few years. VoIP, in particular, is seen as a

communications platform that will enable new kinds of communications between

users and groups. Groupware applications, such as Microsoft SharePoint, enable

user communications and information sharing that could be exploited by hackers

and criminals.

Microsoft also plans to expand Microsoft Office to include user communications

capabilities. IT organizations will be challenged to address all the resulting threats

and challenges on a singular basis.

Symantec response to the challenges

The entrenchment and rapid growth of email and other forms of computer-based

communications in organizations today bring proportionate challenges. With the

addition of the Veritas product lines, Symantec can give IT organizations the

complementary capabilities they need to meet an array of business challenges in

one broad-based, proven solution. Corporations have the opportunity to plan for

an infrastructure that supports future business growth when they migrate to

newer versions of messaging servers, or when they consider consolidation of

servers.

The following chapters describe the Symantec solution for Enterprise messaging

management, for Microsoft Exchange email and public IM environments. The

Symantec products work together to maintain information integrity, while

ensuring fast and uninterrupted message access. By addressing the challenges

holistically, the combined products deliver a solution that meets security,

availability, and compliance objectives without compromise.


Chapter 3

The Symantec enterprise messaging management solution for Microsoft Exchange

This chapter includes the following topics:

■ Challenges and opportunities

■ Effectively managing messaging environments

■ Introducing the Symantec solution

■ Resource management

■ Threat management

■ Archival and retention management

■ Policy and compliance management

■ Discovery and analytics management

■ Options to meet advanced requirements

■ Symantec Professional Services

■ Symantec EMM solution summary

Challenges and opportunities

As computer-based communications, such as email, instant messaging (IM),

Microsoft SharePoint, or VoIP, become more important, the requirements and tools

needed for managing these communications systems grow more complex. In this

context, "communications system" refers to the underlying email, IM, VoIP

architecture or messaging system: from the physical infrastructure (servers,

storage, and networks) to the application software (email systems, message stores,

and user PCs).

The following is a brief review of the evolution of the risks and challenges to

well-established communications systems, as examples of the challenges that

users and administrators of computer-based communications systems

will likely experience.

In the last few centuries, regional and then international postal systems became

the first worldwide communications system. The telegraph system was the first

international electronic communications system. As the reach of these systems

expanded and costs came down, they were more widely used.

The fixed line telephone system was the next major communication system to

evolve. Again, as the reach of the network expanded, and as the costs came down,

the telephone system became more widely used. During its century-long evolution

various telephone systems suffered reliability issues that kept their use limited,

because people were less willing to rely on unreliable tools or mechanisms. As

telephone system operators reduced unavailability to below a few minutes per

year, usage increased dramatically. As a consequence of this, the modern,

geographically-distributed organization actually became not only possible, but

widespread.

Recently, as the costs for telephone calls became low enough, some users exploited

the telephone system to promote their wares, eventually barraging people’s homes

and offices with telemarketing calls. Also, telephone fraud grew along the same

lines as mail fraud schemes that existed much earlier.

In less than 25 years, Internet-based email has gone from being non-existent to

eclipsing the telephone and all other mechanisms for day-to-day communications,

for many people and organizations. Just as quickly, email has become the main

conduit for computer-based productivity and economic threats, invasions of

privacy, commercial misuse, and information piracy. Let’s take a closer look at

the evolution of these email risks and threats.

It used to be that keeping email servers up and generally running was enough.

Availability and recovery requirements were equivalent to other applications like

file sharing, so doing regular backups to tape was all administrators generally

worried about. Then as email was more widely used and attachments started


regularly consuming 1+ megabytes, storage costs started getting out of hand. To

try to keep costs and backup times down, organizations using email programs

such as Exchange and Notes started limiting users’ mailbox sizes. This led users

to start storing away email and attachments in local files on desktops (e.g. PST

files). This decentralized method of email archiving continues to grow as PC disks

grow. Because email message attachments continue to grow in size and frequency,

email server and client storage utilization continues to explode. Follow-on effects

include difficulties related to lengthening backup and recovery windows, as well

as antivirus scanning, etc.

At the same time, increasingly malicious threats started being propagated through

email. Initially viruses were most often propagated by teenage hackers. In the last

few years increasingly virulent productivity and economic threats such as worms

and phishing attacks have been propagated by criminal elements. Email

administrators and home users have had to install increasingly sophisticated

antivirus software on every system. Then spam got out of hand; email

administrators and email service providers were forced to deploy spam filtering

solutions, too.

Then email became so important that unavailability or denial of email services

(whether caused by viruses, worms, or internal failures) became very expensive to

organizations. Clustering of email servers and high availability disk storage (often

with snapshots to enable some historical data recovery) became the norm for

larger organizations. Also, it became important to be able to recover from any

kind of failure, including ones that corrupted email databases (via backup/recovery

tools) within minutes of a failure, not hours or days.

Organizations have recently needed to recover important on-line documents ever

more often due to increasing compliance demands from both government

regulations and related corporate policies. Email has become a very important

source for documents used in legal processes. Email discovery for legal proceedings

has become standard and companies need to be able to respond in a timely fashion,

or face document discovery costs that can run to millions of dollars per month.

With decentralized archives such as PST files on desktops, it is hard to find

important email messages (and it may become impossible once employees leave

the organization). So organizations are now embracing centralized email archives

instead of allowing widely scattered PST files.

There are many other risks, such as client or patient privacy rules, that affect

email in various industries and application areas. Some applications use email as

the method for sharing and presenting information. Then there are other

user-collaboration mechanisms like SharePoint and Instant Messaging (IM) that

augment email to accomplish related tasks. Some of these new applications are

experiencing very rapid evolution in their use.


In fact, IM is the fastest growing communications medium over the last 10 years,

and has attained widespread use in many organizations and geographies. There

will be an estimated 390 million consumer and enterprise IM users by the end of

2006. Global services such as AOL® Instant Messenger, MSN® Messenger, and

Yahoo!® Messenger each report over 1 billion messages sent per day, and IM traffic

is expected to exceed email traffic by the end of 2006. As one of the most successful

and widely deployed applications on the Internet, IM has become a target used

by attackers to propagate IM-borne viruses, worms, spam over IM (SPIM), malware,

and phishing attacks. Though widely adopted, IM is generally unprotected and

unmonitored in consumer and enterprise environments, leaving it vulnerable to

attacks and exploits. These attacks have grown exponentially over the past three

years, increasing the need for real-time threat response for IM and peer-to-peer

(P2P) applications.

Going forward, VoIP is likely to evolve and get abused just as quickly and widely.

Vendors are working on preventing VoIP numbers from being spoofed, protecting

IP phones from spam, and guarding against call eavesdropping on IP networks.

Consumer VoIP systems often do not encrypt calls, but enterprises favor

encryption. In summary, while modern digital communications systems enable

wider, better, and cheaper communications, they each come with unique, but

similar, system and user threats.

Due to the importance of these communications systems to the user community, IT

professionals must strive to ensure high availability (usually 24x7), site or system

corruption recovery times under a few hours, and avoidance of

virus/worm/malware infestations altogether. IT professionals must simultaneously

protect email user productivity via spam reduction or avoidance. Many IT

organizations also define policies and procedures to meet email retention and

message recovery requirements.

However, chief among these risks is the unavailability of on-line communications

and messages, since this most affects users and the business. Availability can be

affected by external attacks such as security breaches (at any point in the

communications system), or internal failures such as component failures

(hardware, software or network), processing inefficiencies, or user/operator errors.

Effectively managing messaging environments

Effective messaging management mainly encompasses protecting on-line

communications systems and information from external abuse and attack. It also

simultaneously assures that communications systems and information are

cost-effectively managed and protected in the event of internal failures and user

errors.


By treating email and other communications systemically, organizations gain the

efficiencies and strengths that derive from deploying an integrated solution, as

opposed to an assortment of point products. The ideal solution is one that

encompasses all of the following concepts: protecting against security threats;

assuring messaging application and data availability; assuring message retention

and accessibility; and maintaining efficient and reliable operations, while also

minimizing storage and server costs.

Specifically, for email, IM, and other open communications systems to be secure

from propagating or presenting threats, the following must be true:

■ Messaging systems, including Email and IM systems, are protected against

intentional or inadvertent attack and disruption

■ Email and IM users are protected against threats and disruptions (such as

spam and viruses) disseminated via the Internet

■ Email messages and IM that are sent to or received from customers, suppliers,

and partners are free of malicious or inappropriate content

■ Networks are protected against exposure to virus and worm infections that

circulate through email and IM

■ Company data is protected against intentional or inadvertent transfer to

unauthorized persons

■ Company data does not violate privacy requirements for personal or protected

information (social security numbers, medical records, and so on)

■ Organizations can maintain their customers' and partners' trust by assuring

that their own systems do not become a vehicle for the distribution of malicious

or junk email to customers and partners

To ensure that messaging systems are continuously available in the face of

infrastructure failures or user errors, the following should be true:

■ Disruptions to the messaging infrastructure are minimized by protecting

against performance degradation and outright failure

■ End-user systems are not compromised or taken offline by email- or IM-borne

attacks

■ Delivery and retrieval of legitimate email messages and IM is assured, amid

the volumes of spam and other unwanted content

■ Email messages and IM conversations can be preserved for long periods,

according to external regulations or internal company policies

■ Users are provided with seamless and continuous access to information in

email, whether in email systems or in long-term archives


■ Users and legal personnel are able to easily and securely search through

historical email messages, email attachments, and IM conversations

■ Organizations are able to supervise employee communications for compliance

with internal and external policies

Choosing a set of tools to individually address all the risks and challenges can

increase the level of complexity. Some organizations have 40 or more tools

deployed to protect and manage their on-line communications.

As the number of independent components in a system grows, it becomes more

complex and failure-prone. By reducing complexity, systems become less

failure-prone and more available. Therefore, complexity is to be avoided in systems

that must be highly available, such as critical on-line communications systems.

One important aspect of complexity is system management complexity. As

hardware and software redundancy is built into a system, operator error becomes

the prevalent source of application downtime.

A comprehensive approach to tools acquisition creates less user interface variance,

with fewer external support personnel and vendors to call. All of this reduces

complexity, improves availability, and also reduces system operating costs.

The ideal approach is one that addresses the separate but interdependent aspects

of the entire system concurrently. By leveraging the points of overlap between

components of the email infrastructure, initiatives can provide mutually

reinforcing protections and capabilities. Each component leverages the capabilities

of other components and adds value to the system. The larger and more complex

the messaging environment, the more reward for taking a comprehensive

approach.

The advantages of integrated messaging solutions are becoming readily apparent

to IT professionals. In a Ziff Davis survey conducted by The Strategy Group in

March of 2006, 77 percent of technology decision-makers indicated that having

an integrated email solution was “very important” to them.

Figure 3-1 shows the results of the survey that investigated the perceived

importance of an integrated email solution.

The results of the survey correspond to customer feedback Symantec has received

from many consulting and partner engagements. While a piecemeal approach

may be sufficient for smaller organizations that need to address fewer messaging

challenges, for larger, more complex messaging environments, an integrated

approach is more advantageous to organizations.


Figure 3-1 Importance of an integrated messaging solution

When IT organizations plan migration to new email servers or consolidation of

messaging servers, a natural opportunity presents itself to make improvements

to their infrastructure.

Introducing the Symantec solution

The Symantec solution described in this book for Enterprise Messaging

Management assures the security and availability of email and IM environments.

It also reduces costs by simplifying the management of the email environment

and life cycle. The solution reduces the volume of spam email, reduces the risk

of virus infection, automatically manages the life cycle of older email through

archiving, and keeps enterprise email infrastructure resilient against failure.

Figure 3-2 illustrates the challenge IT has faced as messaging has evolved.


Figure 3-2 The Evolution of Enterprise Messaging Management

The enterprise messaging management model addresses the major challenges

related to email, IM, and other on-line messaging technologies, with a 5-step

approach that mirrors the evolution of messaging management. The next section

examines these five steps in more detail.

Resource management

Resource management, as a means to keep systems up and costs down, is of critical

importance to companies today. At the highest level, the Symantec approach to

security is to protect IT infrastructure, information, and interactions. The first

step in building any secure messaging environment is to protect the IT

infrastructure. Securing Exchange and the messaging infrastructure requires

building a resilient foundation that will protect your Exchange and messaging

environment from unnecessary downtime.

A modern, properly protected, messaging environment should be built on a

foundation that can manage messaging resources, keep Microsoft Exchange

(Exchange) up and running, and keep costs down. The software foundation for

any messaging environment should address three major areas: storage

virtualization, backup and recovery, and clustering.

Symantec has a hierarchy of products that can address these needs for your

Exchange environment, regardless of its size. The use of these products can


enhance the availability of your messaging environment, and help avoid cost

incurred due to downtime.

Benefits of a resilient foundation

The benefits of building a protective software foundation for an EMM environment

are many. One of the most important benefits is that a resilient foundation can

keep an organization’s messaging systems functioning during a disaster.

Figure 3-3 shows the hierarchy of availability requirements, and the features of

the Symantec solution that support each tier or set of requirements.

Figure 3-3 Availability hierarchy

The Symantec solutions for messaging servers described in this book include

products at the first three layers: backup and restore, online volume management

(storage virtualization), and (local) clustering. The vital first step to protecting

any messaging environment is to install a proven backup and recovery solution.

Enterprise-level backup solutions can deliver high-performance data protection

that scales to protect the largest environments.

It is important that organizations take advantage of both tape-based and disk-based

backup. Disk-based backup to inexpensive storage can utilize snapshot-based

protection, which allows for the most rapid recovery.

Depending on an organization’s application recovery objectives, it is useful to

consider accelerated system recovery solutions. Having software that automatically

responds to failures based on well-defined IT policies is preferable to recovering

from an outage with no recovery plan or software recovery tool. With simple

commands, complete server and application restores can be accomplished rapidly.

By integrating the correct storage virtualization solution, administrators are able

to perform many regular storage maintenance tasks online, such as RAID

reconfiguration, defragmentation, file system resizing, and volume resizing.


Storage virtualization also manages the transmission of data to multiple storage

devices for failure protection. Virtualization can also automatically migrate data

from failing disks to healthy disks, which will reduce the risk of unplanned

downtime.

IT organizations must also be able to maintain and upgrade the messaging and

email infrastructure components that provide service delivery. This includes

email server operating systems, network components, and storage systems. All

maintenance and upgrades must be done without causing additional email service

unavailability. A clustering solution can provide much of this functionality.

Adding clustering software to storage virtualization enables the highest levels of

availability and scalability. Clustering can allow the addition of new servers and

storage without downtime. Clustering can also identify and utilize existing unused

resources. This maximizes the contributions of all the server and storage

components of the email environment. Storage Foundation product options, such

as Veritas™ Cluster Server and Veritas™ Volume Replicator, can ensure 99.99

percent availability of the Exchange infrastructure.

The products that provide a resilient foundation for the Symantec solution for

Microsoft Exchange take a modular approach to resolving the range of potential

threats to email availability. These products form the protective foundation of

the Symantec solution, and are described in more detail in the following sections.

Benefits of storage virtualization

Veritas Storage Foundation for Windows provides storage virtualization

capabilities for Windows-based systems. Veritas Storage Foundation for Windows

products extend the native data management capabilities of Windows® 2000 and

Windows Server 2003. The resulting logical disk and volume capabilities provide

the basis for a scalable storage environment for Microsoft Exchange.

Storage Foundation can create a resilient storage environment in the following

ways:

■ Creates storage that automatically expands to meet growing data needs, such

as a storage volume for a transaction log

■ Designs storage configurations that use mirroring or mirroring/striping

combinations to protect from the loss of a single disk

■ Identifies and addresses storage hotspots that slow overall application

performance

■ Creates point-in-time images for rapid recovery from logical errors or data

corruption


To protect the Exchange infrastructure from site-wide disasters, Storage

Foundation products, along with iSCSI, wide-area Fibre Channel SANs, or WANs

with host-to-host replication, can be used to create a disaster recovery site.

Companies can control disaster recovery costs by using inexpensive storage at

the off-site recovery location, and by using a single data center as the off-site

recovery location for multiple data center locations. The secondary disaster

recovery site need not mirror the primary site, and can be simultaneously used

for other purposes.

It is difficult to protect Exchange data from all sources of logical errors. Data

corruption and user or operator errors are risks that are difficult to eliminate. A

good defense is to reverse the effect of errors quickly, with minimal data loss.

Storage Foundation offers point-in-time snapshots of Exchange databases and

transaction log files using the FlashSnap™ option.

A FlashSnap snapshot is an independently addressable volume that mirrors the

production volumes. The FlashSnap option creates point-in-time images of the

data that can be used as a source for quick recovery images of data. Veritas Storage

Foundation for Windows is the preferred software snapshot provider enabling

off-host backup.

Storage Foundation can keep your systems up and running by avoiding downtime

caused by a full disk on an email server. As storage space diminishes, the

traditional method is to rely on time-consuming methods of scaling, such as

installing new servers or adding expensive disk arrays to existing servers. Storage

Foundation can create extensible data storage environments, which can be

leveraged by sharing storage across all messaging servers within a data center.

Adding storage to such an environment does not involve downtime.

Benefits of backup and recovery

The combination of Backup Exec and Storage Foundation offers organizations a

single solution for building a resilient email foundation. Together, Backup Exec

and Storage Foundation enable near-instantaneous recovery from storage device

failures, and a short recovery time for application logic and other types of data

corruption.

Backup Exec is the recommended backup technology for the Symantec solution

for Microsoft Exchange, for organizations with less than 2500 employees or for

organizations that use Windows. Larger organizations may want to consider using

Veritas NetBackup™. Since this book is primarily intended for organizations with

less than 2500 employees, only Backup Exec deployment is addressed.

As the recognized leader for Windows systems backup and recovery, Symantec

Backup Exec provides complete data protection for Windows environments.

Intuitive interfaces enable organizations to manage all aspects of backup and


recovery, and to maintain consistent backup policies that are deployed across

Windows servers and clients.

On Microsoft Exchange servers, Backup Exec simplifies database backup and

recovery, and performs backups without taking the Exchange server offline, or

disrupting local or remote systems. An online backup and recovery approach

ensures continued availability of Exchange services and data during backups.

Central administration, automation options, and support for all popular storage

devices create the flexibility that administrators need to maximize performance.

Backup Exec provides the following advantages:

■ Advanced features: Includes many advanced features, such as single-instance store (SIS), global exclusion, storage group multiplexing, Volume Shadow Copy Services (VSS) integration, and off-host backups.

■ Scheduled backups: Flexible backup methods for scheduled, unattended backups.

■ Rapid recovery: Rapid and precise recovery of databases and mailboxes, including support for performing individual message restores.

■ End-to-end data protection: Complete and non-disruptive protection of Exchange database and mailbox components, including incremental mailbox backup. Data protection for all Windows environments, from desktop to remote office to centralized datacenter.

■ Nearly unlimited scalability: Centralized management and control, high-performance technology, and a flexible multi-tier architecture enable Backup Exec software to adapt to the needs of Windows-oriented IT environments.

■ Management and reporting: Web-based management and reporting for enterprise users, including real-time monitoring, historical reporting, and centralized administration.

■ Automated disaster recovery: Streamlined server recovery provided by the Backup Exec IDR option.

■ Security: Password protection for backup data. For more information, see http://seer.support.veritas.com/docs/236709.htm.

■ Storage Networking: Support for a range of disk, tape library, tape drive, and Storage Area Network (SAN) interconnect technologies from a number of vendors. Dynamic sharing of individual disk or tape drives over SCSI or iSCSI and Fibre Channel SANs.

■ Off-host backup: Eliminate the backup window with the Advanced Disk-based Backup Option (ADBO). ADBO allows users to break (isolate) a mirrored copy of the Exchange Server, mount the data on the backup server, and then at the end of the backup job, automatically resync the mirrored copy with the Exchange application. For more information, refer to the article at the following URL: http://eval.veritas.com/mktginfo/products/White_Papers/Data_Protection/BE_SFW_Quick_Recovery_Off-Host_Backup_Bundle.pdf

Benefits of clustering

Organizations can protect Exchange environments from a range of component

failures by implementing local and wider-area clustering for availability. Veritas

Storage Foundation High Availability (HA) for Windows integrates Veritas Cluster

Server (VCS) technology, which provides scalable failover clustering with workload

management capabilities. In a VCS cluster, multiple servers are linked with shared

storage and private, reliable Ethernet networks.

Storage Foundation HA for Windows, which includes Veritas Cluster Server,

provides the following benefits:

■ Maximize uptime of messaging data and applications

■ Reduce planned or unplanned downtime

■ Enable high-availability for local, metropolitan, or global clustering from

within a single product

■ Test disaster recovery solutions without impacting production applications

■ Optimize and plan cluster configuration and policies through portable modeling

and simulation

By using Storage Foundation with the Global Cluster and Volume Replicator

options, data can be replicated between two separated sites, and application

services can be switched between them with a single mouse click. Organizations

that require the highest levels of availability for application services when site-wide

failures occur should contact Symantec to learn about additional advanced

products.


Note: Some Exchange users use Microsoft Cluster Server (MSCS), a component of

the Windows 2000 and 2003 Advanced Server package that provides functionality

similar to Veritas Storage Foundation™ High Availability for Windows. This Yellow

Book does not address the installation and configuration of Microsoft Cluster

Server (MSCS). Generally, the deployment steps are similar, whether MSCS or

Veritas Storage Foundation HA for Windows is used. However, this solution has

not been tested in its entirety, only product-by-product, with MSCS. For more

information, contact Symantec sales, Consulting Services, or a Symantec partner.

Threat management

Once a resilient foundation is in place to keep a messaging environment up and running, the next action is to protect the systems from external and internal threats: in other words, keeping bad things out. Threats enter the messaging environment from multiple sources, such as email, IM, and open ports, and come in multiple types (for example, viruses, spam, and worms). The Symantec solution recommends a layered approach as the best way to protect the modern enterprise messaging environment.

Layered approach to threat management

Symantec's layered approach deploys different types of protection at defined

levels inside the email and messaging architecture. The layered approach starts

with reducing spam volume outside the network. Next, the solution secures the

perimeter of the messaging environment by filtering email and IM messages

outside the organizational network. Finally, email is filtered at various points

inside the messaging environment, as well.

The Symantec solution advocates removing unwanted content from the messaging

system at the earliest possible point in time. The critical interception points in

the email and IM flow, where email and IM can be most effectively controlled, are

as follows:

■ Points of entry of incoming email and IM

■ Distribution points of internal email

■ Points of departure of outgoing email and IM

The benefits of a layered approach to email management are not limited to those

measurable by end-users' productivity. By addressing the separate but

interdependent aspects of the email infrastructure, functions can be layered to

provide mutually reinforcing protections. Each layer adds to the overall strength

of the other layers and the efficacy of the entire solution. Establishing email


security is a critical aspect of the whole solution, as email is the source of the

majority of security threats.

When adopting a layered approach, the first step is to focus on those issues that

are most effectively addressed at the earliest point of entry onto the network. For

example, filtering email only at the endpoints, the desktop or user’s PC, does not

constitute a best practice. The endpoint is the most costly place to filter spam

and other malware in terms of lost network bandwidth.

Ideally, the only email delivered by the organizational intranet to the endpoints

should be valid and clean.

Figure 3-4 depicts a model of layered functions including hardware and software

that form a best practice for enterprise messaging management in a Microsoft®

Exchange environment.

Figure 3-4 Layered approach

The illustration describes the following major activities involved in protecting

the messaging environment from external threats:

■ Preventing spam from outside the network


■ Filtering perimeter threats

■ Fortifying the messaging servers

■ Securing the desktop PCs

Email volume reduction with traffic shaping

Reducing spam and other unsolicited email is important in achieving email system

security because spam is the delivery vehicle for the majority of threats. An

organization that can reduce the spam proportion of total email volume also

achieves a proportionate reduction in the overall security risk represented by

malicious threats.

Also important to security is keeping email system performance optimal, despite

the overall increase in email volume and the constant barrage of spam.

Eliminating unwanted email, as close as possible to the source, has multiple

benefits. Reducing spam reduces the load on resources, including the organization’s

Internet gateway, firewalls, gateways, internal network bandwidth, processing

power, and storage space. Email volume reduction benefits are seen throughout

the network, from the SMTP gateway scanners to the message stores, and to the

message archive layer.

The challenge in reducing email volume lies in accurately distinguishing legitimate

messages from junk email. Applications that are used to filter email and prevent

the unwanted email from entering the network or internal email systems must

be reliable and must not disrupt the flow of valid email.

A high-quality spam deflector is the first line of defense against unwanted email.

The spam deflector should be deployed outside the messaging infrastructure,

where it can deflect spam before it can impact internal gateways and servers. In

the Symantec solution, that first line of defense is the Symantec™ Mail Security

8160 appliance (8160 appliance).

The 8160 appliance employs a unique approach to spam prevention. It uses a

sender-reputation metric to reduce the bandwidth of inbound TCP/IP streams.

This metric is frequently updated and targets inbound TCP/IP streams that are

known or suspected spam generators. By limiting the TCP/IP bandwidth available

to known spammers (down to one message per minute or less), significant amounts

of spam are bottled up on the spammer's system and are never received by the

8160 user. This traffic throttling mechanism is referred to as traffic-shaping.

Since 60–70 percent of incoming email is spam, traffic-shaping can translate to

a 50-percent reduction in overall email volume, without risking the loss of valid

email. This achieves a significant reduction in the message volume that is

processed by email scanners and gateways, stored in volume-sensitive message

stores, reviewed in a spam quarantine, and finally archived.


These significant volume reductions can further translate into a reduction in the

number and size of servers required to scale to the problem, including gateway

scanning devices and mail servers. In practical terms, reducing spam from 70

percent of traffic to less than 20 percent improves the overall performance and

scalability of existing systems, and eases the burden on back-end systems and

users.
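The throttling described in this section can be modelled as a per-sender token bucket whose refill rate depends on the sender's reputation class. This is an added example, not code from the 8160 appliance or from Symantec: it admits or defers whole messages rather than shaping TCP bandwidth, and the reputation classes, every rate other than the one-message-per-minute ceiling, the burst allowance, and the sample senders (documentation-range addresses) are assumptions.

```python
"""Reputation-based traffic shaping modelled as per-sender token buckets."""

UNITS_PER_MESSAGE = 60  # integer token units, so refill arithmetic never drifts

# Messages per minute allowed for each reputation class. Only the ceiling of
# one message per minute for known spammers comes from the text; the class
# names and the other rates are assumptions made for this example.
RATE_PER_MIN = {"good": 600, "unknown": 60, "suspect": 6, "spammer": 1}


class TokenBucket:
    """Admits one message per 60 units and refills rate_per_min units per second."""

    def __init__(self, rate_per_min):
        self.rate_per_min = rate_per_min
        burst_messages = max(1, rate_per_min // 10)  # assumed burst allowance
        self.capacity = burst_messages * UNITS_PER_MESSAGE
        self.units = self.capacity
        self.last_seen = 0

    def allow(self, now):
        """Return True if a message arriving at second `now` is admitted."""
        elapsed = now - self.last_seen
        self.last_seen = now
        self.units = min(self.capacity, self.units + elapsed * self.rate_per_min)
        if self.units >= UNITS_PER_MESSAGE:
            self.units -= UNITS_PER_MESSAGE
            return True
        return False  # deferred: the message stays queued on the sender's side


class TrafficShaper:
    """Keeps one bucket per sender IP, sized by that sender's reputation."""

    def __init__(self, reputation):
        self.reputation = reputation  # sender IP -> reputation class
        self.buckets = {}

    def admit(self, sender_ip, now):
        bucket = self.buckets.get(sender_ip)
        if bucket is None:
            # Senders missing from the list get the cautious "unknown" rate.
            rep_class = self.reputation.get(sender_ip, "unknown")
            bucket = self.buckets[sender_ip] = TokenBucket(RATE_PER_MIN[rep_class])
        return bucket.allow(now)


# Constructed sample traffic: (sender IP, seconds between attempts, is spam).
SAMPLE_SENDERS = [
    ("192.0.2.10", 2, False),      # busy legitimate partner
    ("192.0.2.99", 10, False),     # legitimate sender with no reputation entry
    ("198.51.100.7", 1, True),     # known spam source, one attempt per second
    ("203.0.113.5", 6, True),      # known spam source, slower
    ("198.51.100.200", 5, True),   # suspected spam source
]
SAMPLE_REPUTATION = {
    "192.0.2.10": "good",
    "198.51.100.7": "spammer",
    "203.0.113.5": "spammer",
    "198.51.100.200": "suspect",
}


def simulate(senders, reputation, duration_s=600):
    """Replay the senders' attempts in time order and count what is admitted."""
    shaper = TrafficShaper(reputation)
    events = sorted(
        (t, ip, is_spam)
        for ip, interval, is_spam in senders
        for t in range(0, duration_s, interval)
    )
    stats = {"offered": 0, "offered_spam": 0, "admitted": 0,
             "admitted_spam": 0, "legit_deferred": 0}
    for t, ip, is_spam in events:
        stats["offered"] += 1
        stats["offered_spam"] += is_spam
        if shaper.admit(ip, t):
            stats["admitted"] += 1
            stats["admitted_spam"] += is_spam
        elif not is_spam:
            stats["legit_deferred"] += 1  # the failure mode to watch for
    return stats


def volume_reduction(stats):
    """Fraction of offered messages that never reached the gateway."""
    return 1 - stats["admitted"] / stats["offered"]


if __name__ == "__main__":
    result = simulate(SAMPLE_SENDERS, SAMPLE_REPUTATION)
    print(result)
    print(f"volume reduction: {volume_reduction(result):.1%}")
    print(f"spam share offered:  {result['offered_spam'] / result['offered']:.1%}")
    print(f"spam share admitted: {result['admitted_spam'] / result['admitted']:.1%}")
```

The `legit_deferred` counter is the figure to monitor when tuning the rates: a legitimate sender that has been misclassified is throttled exactly like a spam source.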

Perimeter security

The perimeter protection layer is one of the most critical layers in enhancing

network security.

Symantec’s perimeter solutions for email include the following capabilities:

■ Mass-mailer cleanup to remove entire messages and prevent unnecessary

virus notifications, based on the presence of a mass-mailer worm

■ Ability to block based on customizable rules

■ Ability to process spam based on antispam engine verdict; for example, deleting

spam messages, but quarantining suspected spam messages for further review

■ Symantec’s Web-based Spam Quarantine removes spam messages from the

messaging environment, but makes them available for further processing and

review

Symantec’s perimeter protection for email provides the following benefits:

■ Fewer non-business emails are archived

■ Fewer messages require review

■ Fewer unwanted messages enter the downstream mail environment

■ Harmful Internet content cannot reach email servers or end-user desktops,

nor spread infections, and disrupt the internal network

Symantec’s perimeter solution for IM includes the following capabilities:

■ Ability to secure corporate networks against external threats, such as IM

viruses, worms, and malware through usage of real-time content filtering

Symantec’s antispam technologies leverage the global Brightmail™ Logistics and

Operations Centers (BLOC) response infrastructure, and the Symantec™ Probe

Network, which identifies known spam sources on the Internet.

Symantec’s Norton AntiVirus™ Exchange (NAVEX™) technologies ensure

consistent virus protection and updating across all supported platforms, using

various detection technologies, including heuristics, which are also supported by

the global Symantec™ Security Response operations centers.


About perimeter threats

The two primary IM and email-borne perimeter threats are viruses and spam.

These are described as follows:

■ Viruses: Virus content that is most common comes from mass-mailer worms. These are programs that exploit email address lists on compromised systems, and automatically generate emails to replicate and distribute their payload to other users and systems. Mass-mailer worm emails have no intrinsic business value, so they can be deleted automatically without the risk of data loss. Often referred to as mass-mailer cleanup or worm purge, automatic elimination of such content is an important capability in antivirus solutions.

■ Spam: Spam can be removed from mail streams through the use of programs that isolate or quarantine spam. Spam quarantines are typically housed on a server that is separate from the email infrastructure, and are used to move unwanted spam from active message stores (and user mailboxes) to less expensive media. Quarantines are required, as anti-spam systems are not 100 percent accurate. Businesses cannot risk the loss of legitimate email, so users need a place to review spam-tagged messages.

The reliability of the chosen antispam system can make a significant difference

to the quantity of data that is quarantined. The standard measure of antispam

reliability correlates detection rate to false positives (valid messages incorrectly

identified as spam) to find accuracy.

Detection and accuracy rates are dependent variables. High catch rates are often

achieved at the expense of accuracy, and vice versa. The challenge facing antispam

technology is to improve detection without compromising accuracy.

The best antispam solutions ensure the accurate elimination of spam email

messages while in transit. This minimizes the burden on the spam quarantine

and the user-reviewer. When evaluating antispam options, it is important to look

for a solution that is more than a collection of manual tools.

The ideal solution is an integrated, frequently-updated response mechanism with

highly accurate spam definitions, and techniques that are based on the latest

spamming methods.

About perimeter protection solutions for email delivery formats

A key consideration in perimeter protection for email is the choice of a solution

delivery format. These formats deliver the same functionality, but vary in method.


Availability of resources and expertise varies from company to company, so the

choice of format becomes a matter of preference and convenience.

Perimeter protection can be implemented in the following delivery formats:

■ Software-based solutions that require installation of application software on

user hardware and operating system

■ Appliance-based solutions where application software comes preinstalled on

a vendor-maintained operating system and hardware

■ Hosted solutions, where the software and systems are located off-site by a

hosted provider, and Internet email streams are redirected through this

environment to be scanned

The following are important criteria for selection of a solution:

Software:

■ Deployment flexibility through support for multiple operating systems, including Windows®, Solaris™, and Linux®. This means that companies do not require specific operating system expertise in all geographic locations.

■ Highly integrated solution combining antispam, virus protection, and content filtering technologies. For emergency updates or upgrades, the fewer the number of independent components, the easier it is to ensure compatibility and availability.

■ A single responsible vendor for both the security technology and response components, to ensure vendor accountability

Appliance:

■ Hardening of the operating system for security. Non-essential operating system services are disabled, if not removed entirely, to limit exposure to system vulnerabilities.

■ A global support contract with 24-hour hardware replacement is available.

■ Automated updates for applications and the operating system are available, and usually installed without administrator attention.

Hosted solutions:

■ Proxy-based scanning, not store-and-forward mail relay, means the hosting provider should never take ownership of the message, with the exception of spam quarantining.

■ This is accomplished by acting as a proxy between sending server and receiving server, holding the connection open long enough to complete inspection of the message, and then closing out the transaction.

The Symantec solutions for perimeter protection of email span these delivery

formats (software, appliance, and hosted), as well as key operating systems


(Windows, Solaris, and Linux), thereby offering flexibility in choosing the optimal

fit for the unique needs of an organization. The Symantec Mail Security 8200

Series appliances meet the needs of organizations favoring the appliance format.

The Symantec™ Mail Security for SMTP product delivers the same functionality

via a software-only product (deployable across Linux, Windows, and Solaris). And

Symantec Hosted Mail Security is the hosted service offering provided by Symantec

for perimeter protection.

Common to all of these perimeter protection solutions are Symantec’s

industry-leading antispam technologies, which offer a greater than 97 percent

effectiveness rate (Source: InfoWorld Product Review, 2004), and an accuracy

rate of 99.9999 percent (Source: Yankee Group Report, 2004). This is achieved

through over 20 filtering technologies, and an associated spam classification

verdict system.

Also common to these solutions is the use of Symantec’s global Email Security

Unit within Symantec Security Response infrastructure. Symantec’s Security

Response group delivers malware signature updates at 10 minute intervals. In

addition, these products utilize the same Sender Reputation Lists that leverage

the Symantec Probe Network to identify known spam sources on the Internet, to

provide added certainty along with the spam classification verdict system.

The deployment of the Symantec Hosted Mail Security solution is not addressed

in this Yellow Book, as companies with more than 1000 employees often choose

to implement their own internal email security infrastructure.

About perimeter protection solutions for instant messaging

The Symantec solution for perimeter protection of IM is Symantec IM Manager

(IM Manager). IM Manager is a software-only solution that secures and logs

corporate IM traffic.

IM Manager includes certified support for consumer IM services and enterprise

IM platforms. IM Manager provides granular policy controls for text messaging,

file transfers, audio, video, VoIP, application sharing, and other real-time

communication capabilities associated with IM. IM Manager secures corporate

networks against external threats, such as IM viruses, worms, and malware. This

is accomplished through use of real-time content filtering, worm and virus

signature detection, behavior-based threat protection, and file-based antivirus

scanning.

Integrated with the Symantec™ Security Response, IM Manager offers the

industry’s first threat protection from IM-borne viruses and worms. Utilizing a

patent-pending behavior- and signature-based system, IM Manager provides

automatic protection for new and emerging IM viruses.


Internal Exchange server filtering

In addition to building solid perimeter protection, it is highly recommended to

inspect internal email traffic, as well. While perimeter protection generally

eliminates unwanted Internet email traffic before threats can enter email message

stores, internal email server filtering products will eliminate malicious or

inappropriate content introduced via Web downloads, early-phase virus

infestations, IM attachments, or other non-direct means.

During the initial outbreak stage of new types of viral threats, emails may enter

the message store before infections are detectable with updated definitions. Once

virus definitions are updated, then subsequent scans of the message store by

internal server filtering solutions will eliminate malicious content to protect new

users from exposure.

Email server filtering products must be able to inspect content in real-time, as

email is committed to the message store, and when email is accessed from the

store. Filtering products must also be able to inspect content on a scheduled or

on-demand basis, to conduct sweeps of the message store based on updated virus

definitions, or specific content rules.

Symantec Mail Security for Microsoft Exchange provides these essential internal

email server filtering capabilities for Exchange. This solution is integrated into

the Exchange email environment using vendor-supported Application

Programming Interfaces (APIs), to ensure maximum capability and minimum

conflicts with the underlying messaging architecture.

Similar to the perimeter protection solutions, Symantec Mail Security for Microsoft

Exchange leverages the same antivirus technology, updates, and response. For

organizations that have standardized from mail server to gateway by using an

Exchange infrastructure, the same antispam technologies that are used in

perimeter protection solutions are available, providing the deployment flexibility

that is required by diverse organizations.

In addition to core scanning services, Symantec Mail Security for Microsoft

Exchange offers similar content inspection capabilities, such as subject line and

message body filtering, attachment stripping, and restrictions on message size.

Symantec Mail Security for Microsoft Exchange further contributes to data

reduction by eliminating unwanted content and early-stage mass-mailer worm

messages, and is capable of real-time detection of email policy violations and

misuse.

Email client security

The final layer of protection in the messaging environment is at the end-user

client PC or mobile device. Scanning for viruses on the local end-user system is

necessary to detect those that enter through personal Web-based email, removable

media, and remote laptop users whose virus definitions are not current.

The scope of this Yellow Book does not include an in-depth discussion of email

client antivirus solutions, or malware scanning best practices. The assumption

is that these solutions and practices are already implemented in an organization’s

foundation security infrastructure, and by end-users.

However, it is important to note that Symantec’s client security products are

evolving beyond existing anti-virus and anti-spyware solutions. Symantec client

security products now include state-of-the-art end-point compliance tools.

End-point compliance tools enable the enterprise to ensure that all client PCs are

compliant with current anti-virus definitions, before a client PC is allowed access

to the network.

End-point compliance tools are a powerful solution for any enterprise concerned

about proving compliance and policy enforcement for all of their endpoints.

See “End-point security compliance management products” on page 63.

Archival and retention management

Archiving and managing stored messages is all part of keeping things as long as

needed. Email systems were not designed to store the amount of data that goes

through the average messaging system today. Email administrators experience,

each day, the problems relating to storage management for email. Email continues

to arrive, and the volume grows dramatically from year to year. Many industries

now require the archiving of all IM traffic, which only adds to the retention burden.

The impact to the messaging environment includes:

■ Higher costs due to increased storage and backup costs

■ Lower availability and performance, as messaging servers slow when

near-capacity is reached, and long backup windows are required to back up

the large amount of email data.

Email archiving challenges

To solve these problems, most IT organizations impose email quotas, restricting

their users to a limited amount of email storage (for example, 25 MB to 200 MB).

Users must constantly ensure that their email storage is below the quota, and

store their excess messages in separate files; for example, PST files on their

computers, or on file servers.

PST files kept only on desktops or laptops are often not backed up, so company

data is subject to loss or theft. In some cases, PST files are kept on the network

file servers, and continue to use expensive storage and significantly burden backup

resources.

In either case, these files are susceptible to corruption, and perpetuate the same

availability and performance problems that occur on email servers. Typically,

email quotas affect user productivity, result in large numbers of support calls,

and are one of the larger burdens of email management.

A good solution is to provide the benefit of email quotas without the problems.

Organizations can realize the benefits, but with fewer associated problems, by

minimizing the size of primary storage, and by leveraging cost-effective,

centralized secondary storage without burdening the user or losing critical data.

Centralized message archiving solutions allow organizations to provide users

with a large mailbox while minimizing storage usage on the primary messaging

servers.

A capable messaging archiving solution allows system administrators to accomplish

the following:

■ Automatically migrate email messages and attachments to a secondary, less

expensive storage location, based on business policies

■ Automatically expire or delete messages, based on business policies

■ Automatically migrate messages to a third tier of storage, based on business

policies

■ Compress the information and implement single-instance storage, to reduce

the volume of information while leveraging low cost disk or tape storage for

archived data

■ Index the messages and attachments so that users can rapidly search and

retrieve information from the vast store of archived content that accumulates

over time

■ Allow users to seamlessly access messages and attachments from the archive

■ Reduce total cost of ownership of frontline email environments

■ Achieve cost-effective compliance with legal discovery, as well as corporate

and regulatory information retention requirements

■ Perform faster platform migrations

■ Achieve server consolidation and storage optimization

Message archiving is not limited to storage management. Many companies view

archiving as a best practice; a way to preserve critical company information. If

forced into a lawsuit, companies are often required to produce email as evidence.

The old method of producing email, by restoring data from tapes, is generally

time-consuming, and often costs hundreds of thousands of dollars per month.

For companies in highly litigious industries, such methods are no longer viable.

Increasingly, companies want to prepare for the next regulation or legal action,

instead of reacting.

Email is both the source and the destination of a company’s communications

records. Companies are motivated to retain email for their own internal purposes;

for example, so they can monitor it for inappropriate usage or company policy

violations.

A good message archiving solution offers the following capabilities to facilitate

discovery and prevent misuse:

■ Automatic archiving of journaled email so that the email is guaranteed to be

captured

■ Indexing of the information as it is archived, to facilitate future discovery

■ Secure search capabilities across the organization, allowing authorized

personnel to perform company-wide information requests

■ Specialized workflow tools to assist in the search and review processes of legal

discovery

■ Sampling and workflow around regulated supervision of employee email

Archiving with Enterprise Vault

Veritas Enterprise Vault provides the centralized email and IM archiving and

retrieval functions of the Symantec EMM solution, and ensures email and IM

content accessibility and availability. Enterprise Vault automatically moves email,

IM, file system, and other content from operational storage locations to a

cost-effective online vault, without impacting end-user access to the data. Users

can access archived information directly from their email client, Web browser,

or other programs, and can access it even while not connected to a network using

the optional Offline Vault functionality.

IT departments can automatically discover, collect, migrate, and eliminate PST

files, and centralize archived email through the PST migration functions provided

with Enterprise Vault. Enterprise Vault can also archive Exchange Journals and

Public Folders, in addition to Exchange mailboxes. Archived data is automatically

compressed, duplicate copies are removed, and data is retained according to

business policies.

Data can be migrated to fully searchable tertiary storage. Permissions to search

the archive can be inherited directly from the source data, or new permissions

can be granted to administrators and information custodians. Some regulated

industries require immutable storage to safeguard email archives. Enterprise

Vault can be configured to migrate data to a write-once/read-many (WORM)

storage system, such as the IBM System Storage™ DR550.

Optionally, Enterprise Vault helps manage the compliance process by enabling

the centralized archiving of all email and IM messages received through email

and IM message journaling. Also, if full indexing is implemented with Enterprise

Vault, then information search and retrieval can be thorough and efficient. This

enables significantly accelerated compliance and (legal or other process-driven)

information discovery processing.

Message archiving using Enterprise Vault provides benefits in the following core

areas:

■ Increased email message and IM conversation availability

Enterprise Vault reduces the amount of data stored in primary messaging

servers and file servers, reducing corruption and performance problems when

these servers reach capacity thresholds. By archiving data for long-term

retention and providing search capabilities, end-user access to data is

maintained.

■ Reduced email cost

Enterprise Vault reduces costs throughout the email environment. By archiving

older or less frequently accessed data to less expensive storage, Enterprise

Vault reduces primary storage costs in the environment. More importantly,

backup costs are reduced, as archived data no longer requires frequent backups.

IT reduces support and migration costs by eliminating email quotas and PST

files, and reduces the amount of data to be moved during upgrades and server

consolidation.

■ Controlled email and IM risk

Enterprise Vault facilitates email messages and IM conversation retention,

following defined business rules to meet legal discovery and regulatory

requirements.

Integrations with the archiving solution

When selecting an archive and retrieval solution for Exchange, it is vital that the

solution is compatible with the security and data management tools a company

uses to keep Exchange running. The Symantec Enterprise messaging management

solution for Microsoft Exchange offers a comprehensive approach to the problem

of archiving and retrieving all email and messaging traffic. As the premier tool

in the Symantec solution for archiving Exchange data stores, Enterprise Vault

seamlessly integrates with Microsoft Exchange and all other Symantec security

management products in the Enterprise messaging management suite.

Enterprise Vault provides secondary or tertiary storage behind server systems,

such as Microsoft Exchange. Such secondary or tertiary storage needs to be backed

up through procedures described in this book. Backup Exec can be used to back

up and recover Enterprise Vault. Also, through a range of APIs and other interface

mechanisms, Enterprise Vault can extract information from various other

applications besides email and IM (such as SAP, database platforms, electronic

fax content and more), provide intelligent filtering of archive streams, and enable

access to archived content.

Enterprise Vault can be integrated with Symantec Mail Security appliances and

software. If a company is legally required to keep a copy of all the email it receives,

a Web Quarantine server can be built to store spam and other junk email messages

captured by Symantec Mail Security products. The Web quarantine server can

deliver this junk email to be journaled for compliance purposes to Enterprise

Vault. This junk mail retention legal requirement exists principally for financial

services organizations doing business in the United States.

The Symantec Mail Security 8260 appliance or Symantec Mail Security for SMTP

software can be used to forward all SMTP email communications to Enterprise

Vault servers for journaling. This is useful for customers not using Exchange who

wish to retain email from email servers, such as UNIX® Sendmail™ servers, that

do not have or maintain their own email journaling or data warehouses. Symantec

Mail Security for Exchange now supports the forwarding of filtered content, such

as emails that violate corporate policies, to Enterprise Vault servers for journaling,

review, and potentially for further action, as well as for inclusion in later discovery

processes.

Enterprise Vault can now also leverage Veritas Storage Foundation High

Availability for Windows clustering services (Veritas Cluster Server) to create

highly available archiving, search and retrieval services.

Policy and compliance management

Compliance is a relatively new term to IT professionals, but it has become most

important to the IT world. Policy and compliance management refers to keeping

important documents and communications for future reference. Monitoring and

gauging compliance with policies and laws requires the addition of new tools to

IT environments.

In the case of email, there are three areas where compliance is applicable:

■ Security policy compliance: Solutions that assure that PCs used with email do not have outdated anti-virus signatures and do have an approved set of system settings and tools implemented

■ Messaging policy compliance: Focus on external communications policies, and in particular on Intellectual Property protection

■ Regulatory compliance: Laws or guidelines that government entities create, and which require internal monitoring and possible reporting

Often the people most interested in whether organizations are complying with

policies are not employed by IT departments. It may be someone, for example,

from finance who is charged with monitoring regulatory compliance, or someone

in Human Resources monitoring employee communications policy compliance;

anyone charged with the responsibility of complying with policies.

This Yellow Book explores regulatory compliance requirements and tools in

chapters 9 and 10, as well as outbound email filtering tools in Chapter 5. The

Options to Meet Advanced Requirements section of this chapter provides

information about some tools available from Symantec for security policy

compliance.

Regulatory compliance

From a messaging perspective, regulatory compliance is most often an issue for

financial services organizations. In the United States and other countries, financial

institutions generally have to journal all internal and external electronic

communications. This is done to ensure that all messages that might be of future

interest are logged in the archive, and available for future search and recall.

Microsoft Exchange can be configured to journal email, and Enterprise Vault is

an ideal tool to selectively archive journaled email.

IM Manager provides organizations with the ability to further comply with

regulations and other legal requirements. IM Manager addresses compliance by

enabling the ability to insert legal disclaimers, archive IM conversations, and

integrate with Enterprise Vault for IM message retention and discovery purposes.

Once email and IM messages are journaled, Symantec’s Enterprise Vault

Compliance Accelerator allows accelerated searches of the journaled messages.

Enterprise Vault Compliance Accelerator also enables organizations to monitor

employees’ electronic messages, including email and instant messages, to ensure

compliance with corporate policies.

Messaging policy compliance

Outbound email filtering can help organizations prevent the loss of sensitive

information or intellectual property through email. Also, by defining rules for

outgoing email, and in particular for outbound email attachments, companies can

be assured that they are not propagating malware.

By searching through outbound email and IM attachments for prohibited words

or phrases that may be deemed offensive, organizations can have more control

over how their employees interact with outsiders. Symantec’s Mail Security for

Exchange provides all such outbound email filtering capabilities.

Similarly, IM Manager also protects organizations against the loss of sensitive

information or intellectual property over IM by providing policy controls. These

policy controls extend to internal IM usage, including filtering content of instant

messages, controlling the use of file transfers over IM networks, applying regular

expression pattern matching to IM, and real-time user monitoring.

Discovery and analytics management

Some organizations are deploying archiving-based capabilities that include the

ability to perform intelligent archive searches. Legal discovery is a primary

motivator for these searches.

In the past, organizations have had to rely on going through backup tapes to

discover files and messages dating from a certain period of interest. Once files

and messages from the particular period are found, they must be exhaustively

and laboriously searched for relevant information. Paying a legal firm to review

documents for evidence can run up costs nearing or exceeding one million dollars

per month.

Symantec’s Enterprise Vault Discovery Accelerator establishes appropriate

workflow processes to make complex searches of archives possible for the purposes

of legal discovery. It also facilitates the review of retrieved files to decide relevance

to a case.

Enterprise Vault Discovery Accelerator leverages the Enterprise Vault archive

platform’s full text index that can be used to find relevant emails, based on a

number of criteria. Specific items can be selected for export, and are made available

in a format that is appropriate for use as legal evidence. The savings in legal fees

can be many times the cost of the software, hardware, and storage.

With the growing focus on intellectual property, companies are beginning to

explore their employee communications for patterns and ideas that may lie hidden

in old messages. Discovery Accelerator’s ability to accelerate archive searches

provides a significant productivity boost for any organization considering such

historic file and communications searches.

Options to meet advanced requirements

Symantec offers products and services that are optional components of the

Symantec solution for Enterprise Messaging Management. These products and

services offer capabilities to organizations with advanced requirements. Some of

these products for users with advanced requirements have already been introduced.

Advanced security requirements

Although the Symantec solution for Enterprise Messaging Management described

in this book includes many email security products that reside on email servers

and gateways, Symantec also offers security products that can significantly benefit

organizations that are either highly dependent on email functioning, or are more

sensitive to security threats than the average organization with

1000-2500 employees.

Depending on factors such as size, dependence on the Internet and intranets,

reliance on online systems, and regulatory concerns, organizations should deploy

products, services, and procedures that provide the level of security that is

commensurate with their risk tolerance and exposure to loss.

Symantec’s range of security products can be organized into a hierarchy depicting

the most commonly used technologies to the most sophisticated. This hierarchy

mirrors a similar hierarchy of organizational needs. Organizations select their

IT security products and services by first meeting fundamental needs, and then

moving up the hierarchy of organizational needs at a pace that reflects their

requirements and budget constraints.

Figure 3-5 depicts a hierarchy of security requirements, from the most

fundamental to the most advanced, and the corresponding levels of investment.

Figure 3-5 Security hierarchy

End-point security and protection products

At a minimum, organizations should employ PC antivirus and personal firewall

software to provide end-point security and gateway security via firewalls

(potentially) with Virtual Private Network (VPN) capabilities for Internet-based

logins. These measures are essential to avoid penetration and disruption of an

organization’s computers and IT network.

Symantec Backup Exec Desktop and Laptop Option (DLO) or Symantec Backup

Exec System Recovery (formerly LiveState Recovery) are recommended products

for end-user computers that contain email message caches or other critical

organizational data.

These products enable users to rapidly restore corrupted email files, for example,

PSTs, and restore information deleted from local files. In addition, LiveState

Recovery enables PC users to back up their system information to disk to enable

them to rapidly restore their PC should a device failure, or malicious virus or other

malware infestation occur.

As Symantec client security products evolve to include more functions (such as

end-point security compliance functions), and also as the end-point devices and

interconnects for email and messaging evolve, future versions of this Yellow Book

will address the implementation of protection at this layer.

Additional gateway security products

The Symantec Mail Security 8160 appliance that provides traffic-shaping to avoid

receiving email from identifiable spammers is not a standard part of the Symantec

solution for organizations with 1000-2500 employees. Some organizations with

close to 2500 employees, which also receive significant amounts of email, may

want to investigate the use of the 8160 appliance to prevent delivery of up to 80

percent of spam email.

Server security products

The Symantec solution for Enterprise Messaging Management described in this

book includes Symantec Mail Security for Microsoft Exchange as the prime

component of Exchange server security. Other server security products are not

described in this book, as it is not expected that end-users will log in and use the

Exchange server, and it is expected that the Exchange server will be dedicated to

running Exchange.

A best practice is to have no other applications or services running on Exchange

back-end data servers besides Exchange (that is, no file serving, IIS, or SQL), and

also to have no end-users log on and use the Exchange server for reading email.

These measures ensure that only secure Exchange services run on the Exchange

servers.

Therefore, as long as best practices are followed, and user and service settings,

as well as other permissions, are correctly defined for the Exchange servers,

additional security for Exchange servers themselves may not be needed.

End-point security compliance management products

For organizations with an interest in improving security without foregoing remote

access of internal email, Symantec offers products and technology acquired from

Sygate Corporation, which enable end-point security compliance for various email

clients.

The Sygate Network Access Control product works with network access

infrastructure to require systems be in compliance with IT policy, before they are

allowed to connect to the LAN or VPN.

This protects the network and increases productivity and network availability.

Sygate Endpoint Protection fully automates the process of updating systems that

are out of compliance, reducing the burden on help desk staff.

The Sygate Endpoint Protection product safeguards computers, networks, and

data, as follows:

■ Ridding the network of non-compliant endpoints with universal network access

control

■ Ensuring Compliance on Contact™ with the enterprise network across all LAN,

wireless LAN, and remote access network entry points

■ Protecting endpoints with innovative desktop firewall, host-based intrusion

prevention, and peripheral device control technologies that are tightly

integrated into the Sygate Network Access Control product

The Sygate On-Demand product eliminates the exposure to risk created by

unmanaged devices and guarantees compliance on contact, as follows:

■ Delivering an On-Demand Agent to unmanaged devices that adapts its

protection to the environment

■ Ensuring that unmanaged devices are in compliance with security policies

while connected to the network

■ Preventing the unauthorized transfer of data from networks and devices

■ Protecting confidential data using a secure Virtual Desktop environment that

separates, encrypts, and erases confidential data upon session termination

These capabilities are especially useful to organizations interested in secure email

access from outside the corporate or organizational intranet.

Intelligent monitoring products and services

In addition to the products described in this book, Symantec offers a security

service that has significant appeal to customers seeking the highest possible levels

of IT security. DeepSight™ Alert Service is one of Symantec’s Managed Security

services, and serves to alert organizations to impending threats spreading on the

Internet. It also informs customers of security measures that they should take to

fortify their systems, when they receive warnings.

Symantec Professional Services

Symantec Professional Services enables organizations to implement best-practices

security and availability measures across the enterprise, through comprehensive

security and availability assessments, and comprehensive planning and design.

Professional Services develops strategies for managing and reducing risks to help

organizations protect business-critical assets.

The needs of every organization are unique, but with many common themes. The

Symantec solution can be tailored to best meet the particular needs of an

organization, once the analysis has been done to design the solution

implementation. A good design includes not only the hardware, software, and

network components, but also corporate policy definition and translation,

implementation and deployment phasing, PST migration planning, growth

planning, and operational best practices.

Symantec Training, Customer Support, and Consulting Services are prepared to

help every customer make the most of their product purchases. Symantec services

can assure that customers make the right decisions on how, when, and where to

deploy these products through training, consulting, and support services.

Symantec Consulting Services

Symantec Consulting Services provides organizations with best-practice security

and availability measures through comprehensive assessments, planning, and

design consultation. The result is enhanced protection of critical business assets.

Symantec recommends that customers who deploy Enterprise Vault engage

Symantec Consulting Services prior to product implementation, to ensure that

customer needs are met with the deployment. Enterprise Vault enables many

varying policies for and implementations of information archiving and retrieval.

Defining the correct policies and the hardware and software implementation is

a non-trivial exercise to which Symantec Consulting Services brings significant

experience.

Symantec Advisory Services

Symantec Advisory Services offers security and availability consulting services

designed for proactive security and availability risk management. The Symantec

approach addresses the enterprise risk management life cycle from strategy

development to incident readiness, with a continuous focus on minimizing risks,

stabilizing security costs, and reducing complexity.

Symantec Advisory Services consultants combine technical expertise with a

business focus to create comprehensive security and availability solutions. The

delivery process emphasizes knowledge transfer, ensuring that every aspect of a

project’s findings can be successfully implemented and managed.

Symantec Solutions Enablement Services

Symantec Solutions Enablement Services provides organizations with security

and availability product design and implementation, and knowledge transfer

services for Symantec enterprise products. Symantec security and availability

experts assess technology needs, design the best systems and architectures, and

implement the appropriate products at the client, server, and gateway tiers.

Security and availability knowledge transfer services offer detailed product and

technology information transfers and on-site training. It can also provide custom

security services to help monitor and manage the implementation.

For example, Enterprise Vault Services consultants can assist with designing,

deploying, and optimizing archive and information management systems.

Symantec Gateway Security Services consultants use best practices to effectively

implement an integrated gateway security solution based on Symantec Gateway

Security appliances.

Symantec Secure Application Services

In today’s business world, success depends on the ability to capture, analyze, and

share information. But the software applications that businesses rely on for critical

operations are increasingly exposed to security risks.

Symantec Secure Application Services helps organizations identify and mitigate

the risks that threaten applications and the integrity of a company’s valuable

information assets. Symantec consultants follow a programmatic approach,

instilling security best practices across an application’s entire life cycle.

Symantec EMM solution summary

The Symantec solution for Enterprise Messaging Management for Microsoft

Exchange is a comprehensive messaging solution that assures the security,

availability, and resilience of messaging systems and information. It also reduces

the total cost of maintenance of the messaging infrastructure.

The solution takes a comprehensive approach to email security, incorporating

antivirus, antispam, archiving, backup and recovery, and storage management

capabilities. Implementing the Symantec solution minimizes deployment issues,

as the solution is tested and proven, sold and supported by a single vendor.

The following products described in this book can be included in the Symantec

solution:

■ Symantec Mail Security 8160 traffic shaping appliance

■ Symantec Mail Security for the Email Gateway – available as software (SMS

for SMTP), appliance (SMS 8260), or hosted (Symantec Hosted Mail Security)

deployment options

■ Symantec Mail Security for Microsoft Exchange

■ Veritas Enterprise Vault

■ Veritas Enterprise Vault Discovery Accelerator option

■ Veritas Enterprise Vault Compliance Accelerator option

■ Veritas Storage Foundation for Windows

■ Veritas Storage Foundation High Availability for Windows (Veritas Cluster

Server)

■ Symantec Backup Exec

■ Symantec IM Manager

This Symantec solution lowers the overall cost of ownership by significantly

reducing the burden at all layers of the email infrastructure. This includes storage

costs and the operational costs associated with attempting to scale infrastructure

and maximize performance.

The solution offers the following capabilities:

■ Improved resilience to failures, which improves the availability of messaging

systems, capable of reducing messaging downtime to minutes per year

■ Multi-layered email security that works at the network and Exchange server

(groupware) tiers to prevent unwanted email from entering the organization

■ Antivirus and antispam technologies that protect against spam, phishing

attacks, and viruses

■ Archiving capabilities that can reduce email storage volumes (and costs) on

Exchange servers while assuring the availability of information, and also

facilitating Microsoft Exchange server migration

■ Integrated content compliance enforcement tools that assure that unauthorized

or inappropriate content does not leave the organization via email

■ Information search and retrieval tools that significantly aid compliance and

the legal discovery process for email, IM, and other business records

Chapter 4: Enterprise Messaging Management infrastructure

This chapter includes the following topics:

■ Infrastructure configuration for the Symantec solution

■ Summary checklists for the end-to-end solution

■ Requirements for the Symantec solution

■ Solution sizing and performance guidelines

Infrastructure configuration for the Symantec solution

This chapter describes the reference architecture of the Symantec™ solution for

Enterprise Messaging Management and its components. The Symantec products

that comprise this reference architecture solution reduce the risk of security

threats, increase reliability of network traffic, and protect and secure email and

instant messaging (IM) communications.

The Symantec™ Mail Security 8160 appliance (8160 appliance) can be deployed

on the network to channel email traffic at the TCP protocol level. The 8160

appliance effectively stops spam before it enters the network, while ensuring the

continuous flow of legitimate email. The deployment of the 8160 appliance is

recommended for organizations with 2,000 or more users.

The reference architecture is configured with a double firewall at the gateway.

Email and instant messages that come through the outer firewall must go through

a demilitarized zone (DMZ) containing one of two Symantec gateway security

products. Inside the DMZ, either two Symantec™ Mail Security 8260 appliances,

or two Symantec™ Mail Security for SMTP servers are deployed for spam and

threat removal, and content filtering on inbound and outbound messages.

In a typical deployment, for example, an organization would use either the two

Symantec 8260 appliances or the two Symantec Mail Security for SMTP servers.

One appliance or one server can be dedicated to inbound mail, while the second

appliance or second server handles inbound and outbound mail. In addition,

Symantec™ IM Manager is deployed at the gateway to manage threats and content

associated with IM traffic. Using IM Manager, all instant messaging sessions are

filtered and analyzed, and only authorized protocols and users can establish

instant messaging sessions.

Veritas Cluster Server is implemented to create an Exchange Server cluster.

Implementing a highly available Exchange cluster assures the uninterrupted

delivery and archiving of email.

Symantec™ Mail Security for Microsoft Exchange is implemented on the clustered

Microsoft Exchange™ servers to prevent internal security threats from spreading

inside the firewall. This supplements security at the gateway tier and hardens

Exchange from internal and external threats. These threats can be introduced

into email by activities such as Web browsing, and by removable media such as

USB drives.

Veritas Enterprise Vault™ is deployed to reduce the Exchange message store sizes

by migrating old messages from Exchange to the Enterprise Vault tier. Enterprise

Vault also archives messages for regulatory and other purposes. Symantec IM

Manager provides the capability to archive instant messaging conversations, and

can be integrated with Enterprise Vault. In this way, all conversations through

email or instant messages can be archived and managed by the same policies and

techniques.

Once the messages are archived by Enterprise Vault, they can be searched,

categorized, and inspected. The Enterprise Vault™ Discovery Accelerator option

allows legal teams to conduct online searches of existing archive data in response

to an inquiry. The Enterprise Vault Compliance Accelerator allows organizations

to enforce a corporate strategy for message content compliance.

Symantec Backup Exec™ provides a comprehensive backup solution, which backs

up all the systems that are running. The FlashSnap option is licensed on the

Exchange server and the Backup Exec server to provide off-host backup of these

data-intensive servers in the form of an updatable snapshot. This enables rapid

recovery in the event of a system failure.

Finally, it is recommended that Veritas Storage Foundation™ for Windows is

installed on all the servers of the reference architecture solution. This provides

comprehensive disk storage management and high availability for the critical

servers that are part of the reference architecture of the Symantec solution.

Table 4-1 lists the Symantec products included in each tier of the solution.

Table 4-1 Products in the Symantec solution

Product: Symantec™ Mail Security 8160 appliance (optional)
Version: N/A
Solution tier: Email security: Network boundary
Provides dedicated traffic-shaping features for organizations with 2,000 or more users. This product is not a standard component of this solution, but it may be applicable to organizations that have a high email volume.

Product: Symantec™ Mail Security 8260 appliance
Version: N/A
Solution tier: Email security: Gateway
Provides email security at the SMTP gateway, integrating the best antispam, antivirus, and content filtering technologies to help organizations reduce spam volume and eliminate threats.
Note: Either 8260 appliances or servers with Symantec Mail Security for SMTP software can be installed as equivalent solution components.

Product: Symantec™ Mail Security for SMTP software (installed on server)
Version: 5.0
Solution tier: Email security: Gateway
Provides email security at the SMTP gateway, using technology that stops more than 97 percent of spam, while producing less than one false positive for every million emails analyzed (a 99.9999 percent accuracy rate).
Note: Either 8260 appliances or servers with Symantec Mail Security for SMTP software can be installed as equivalent solution components.
As of June 2006, Symantec Mail Security for SMTP 4.1 has merged with Symantec BrightMail AntiSpam 6.0 to create Symantec Mail Security for SMTP 5.0.

Product: Symantec™ IM Manager
Version: 8.0
Solution tier: IM security: Gateway
Seamlessly manages, secures, logs, and archives corporate instant-messaging traffic; and includes certified support for public and enterprise IM networks, including granular policy enforcement and security controls for files, audio, video, VoIP, application sharing, and other real-time communication capabilities. IM Manager mitigates the potential risks associated with the use of IM in the enterprise.

Product: Symantec™ Mail Security for Microsoft Exchange
Version: 5.0
Solution tier: Email security: Mail Server
Protects Exchange mail servers from viruses, messages that overload the system, inappropriate message content, spam, and denial-of-service attacks. This product enables organizations to create multiple sets of criteria to identify threats and violations, and to specify what actions to take in response to detected threats and violations.

Product: Veritas Enterprise Vault™ with Journaling
Version: 6.0 SP2
Solution tier: Email archiving: Archive
Provides policy-based archiving of business-critical information held within Microsoft Exchange and other business environments. This product enables organizations to more easily manage storage growth and thereby reduce hardware and management costs. Email or other data is archived and indexed so that it is still easily available when needed.
The Journaling option enables Enterprise Vault to work seamlessly with Exchange journaling.

Product: Veritas Enterprise Vault™ Compliance Accelerator (optional)
Version: 6.0
Solution tier: Email archiving: Archive
Enables organizations to implement a corporate strategy for regulatory and policy compliance. Email can be monitored or collected based on criteria established by an organization, such as words and phrases used, date ranges, size, author, or recipient.

Product: Veritas Enterprise Vault™ Discovery Accelerator (optional)
Version: 5.0 SP4
Solution tier: Email archiving: Archive
Provides robust search and export tools, and enables designated administrators or reviewers to conduct online searches of archived data in response to an external legal request or an internal company inquiry.

Product: Veritas Storage Foundation™ for Windows with Veritas FlashSnap™ option
Version: 4.3 FP1
Solution tier: Resilient foundation: Server
Provides comprehensive, centralized storage volume management of all disk storage resources within and across domains. This product enables GUI-based management of local and remote storage attached to a system while the system remains online, including RAID configuration and performance optimization.
The FlashSnap option enables the creation of independently addressable point-in-time snapshots that are copies of mirrors of the volumes on a server.

Product: Veritas Storage Foundation™ High Availability for Windows®
Version: 4.3 FP1
Solution tier: Resilient foundation: Server
Provides the same functionality as Veritas Storage Foundation for Windows and supports setup and management of clustering.
Veritas Cluster Server (optional): Increases the availability of applications by monitoring application status and automatically moving applications to an alternate server in case of a fault.

Product: Symantec Backup Exec™ with SQL Agent (for Enterprise Vault and IM Manager database backup) and Exchange Agent
Version: 10d
Solution tier: Resilient foundation: Server
Provides high-performance data management by using a client/server model to provide fast, reliable backup and restore capabilities for servers and workstations throughout a network.

Figure 4-1 illustrates the network topology of the solution.

Figure 4-1 Topology of the Symantec solution

Summary checklists for the end-to-end solution

Deploying the Symantec end-to-end solution can be a complex project. The

following checklists can make the implementation tasks easier:

■ Pre-deployment checklist

■ Deployment checklist

Note: The checklists assume that Microsoft Exchange is already installed in the

environment.

Pre-deployment checklist

The pre-deployment checklist describes the prerequisites and the tasks that must

be completed during the deployment planning phase. This phase occurs before

the products in the Symantec solution are installed and configured.

To create an installation plan that best matches the needs of the organization,

complete all pre-deployment tasks in the following checklist:

Decide which products in the solution to use.

See Table 4-1 on page 71.

Decide which of the following products to use for AntiSpam and content filtering

at the gateway:

■ Symantec Mail Security 8260 appliance

■ Symantec Mail Security for SMTP on a standalone server

Decide whether to cluster the Exchange servers.

Decide which of the following Backup Exec media server deployment strategies

to use:

■ Centrally Administered Server option (CASO)

Can be used with SAN Storage Option (SSO)

■ Standalone media server option

■ SAN-configured media server

Can be used with CASO to provide centralized catalogs, which are required

for this option, and the ability to back up data over the SAN instead of the

LAN.

For more information, see the Backup Exec 10.d for Windows Servers

Administrator’s Guide.

Ensure that the necessary Backup Exec license is available for each Backup Exec

option that is implemented.

Required licenses for the solution are as follows:

■ Backup Exec Agent for Microsoft Exchange

Required for Exchange servers.

■ Backup Exec Agent for Microsoft SQL Server

Required for SQL Servers.

■ Backup Exec Remote Agent for Windows Servers

Remote agent licenses must be purchased for every protected server.

Additional licensing options are as follows:

■ Backup Exec Advanced Disk-based Backup Option (ADBO)

Required for off-host backup.

■ Backup Exec Advanced Open File Option (AOFO)

Ensures that files on local or remote servers are protected while in use by handling

open files at the volume level.

■ Depending on the hardware used to store backup data, additional licenses

(either standalone or robotic tape library configurations) are necessary for

each additional tape drive.

Gather the following information to plan the deployment of Enterprise Vault:

■ Determine email usage and archiving tasks.

Consider the retention policy, attachment policy, end-user search capability,

PST policies, and auditing requirements.

■ Gather current Exchange environment statistics to estimate the conversion

of email messages from Exchange to Enterprise Vault vaulted messages.

Determine the average email message size, average number of emails received

per day, and the average mailbox size.

For more information, search the knowledge base for Exchange on the

Microsoft Web site.

■ Decide how quickly unstructured email data must be structured and indexed.

■ Determine the number and type of Enterprise Vault servers that will be

needed, based on the estimated email usage and archiving tasks, current

Exchange environment statistics, and timetable for indexing.

Plan for the following three conversion phases:

■ Archiving

Converting specific email from the Exchange information store to Enterprise

Vault.

■ Indexing

Making unstructured email structured and making email accessible.

■ Steady state

Migrating new email on a daily basis according to the organization’s email

archiving policy.

Note: Document the Enterprise Vault deployment plan. Deploying Enterprise

Vault usually starts with a minimum three-day engagement with Symantec

Professional Services to develop a deployment plan.

Prepare the Exchange environment for Enterprise Vault deployment.

See “Best practices for preparing the Enterprise Vault environment” on page 157.

Have all required licenses for all products, and all licensable product features

and options, that are recommended for the solution.

Ensure that all pre-installation and system requirements are met.

See “Requirements for the Symantec solution” on page 78.

Prepare the IM Manager environment for IM Manager deployment.

See “Best practices for preparing the Enterprise Vault environment” on page 157.

Deployment checklist

The deployment checklist describes the tasks that must be performed to implement

the Symantec solution. All items in the pre-deployment checklist must already

be completed. The implementation tasks should be performed in the order listed.

Note: Review the product documentation to learn the information necessary to

successfully install and configure the product before deployment.

Deploy Symantec Mail Security for Microsoft Exchange, as follows:

■ Install Symantec Mail Security for Exchange on every Exchange server in

the environment.

■ Configure the Symantec Mail Security console to manage the Exchange

servers.

If Storage Foundation for Windows is part of the deployment plan, install it now

on all servers.

Note: If the Exchange servers will be clustered, install Storage Foundation High

Availability for Windows on the Exchange servers to enable clustering.

If Storage Foundation High Availability for Windows is being installed to cluster

Exchange servers, configure the virtual Exchange server.

See “Best practices for Veritas Storage Foundation High Availability for

Windows” on page 190.

Deploy Backup Exec, as follows:

■ Install and configure the Backup Exec server.

■ Install the Backup Exec remote agents on all servers that are part of the

solution.

If the Symantec Mail Security 8260 appliance for AntiSpam and content filtering

at the gateway is part of the deployment plan, do the following:

■ Install the 8260 appliance.

■ Update resident software/installed software. This is not done automatically.

A live internet connection is required to update the software on the appliance.

■ Configure the 8260 appliance.

If the Symantec Mail Security for SMTP server software for AntiSpam and

content filtering at the gateway is part of the deployment plan, do the following:

■ Install the Mail Security for SMTP software on a supported Windows server.

■ Configure the Mail Security for SMTP software.

Optionally, add the Symantec Mail Security 8160 appliance outside the firewall.

Note: The 8160 appliance is not a core component of the solution. It provides

dedicated traffic-shaping features, which are useful for organizations of 2,000

or more users.

Install and configure Enterprise Vault in the Exchange environment.

See “Best practices for installing Enterprise Vault” on page 163.

Optionally, deploy Enterprise Vault Compliance Accelerator on a standalone

server.

See “Best practices for installing and configuring Enterprise Vault Compliance

Accelerator” on page 238.

Optionally, deploy Enterprise Vault Discovery Accelerator on a standalone

server.

See “Best practices for installing and configuring Enterprise Vault Discovery

Accelerator” on page 233.

Install the Backup Exec remote agents on any remaining servers in the solution.

Install and configure the IM Manager environment.

See “Best practices for configuring IM Manager” on page 119 for more information.

Requirements for the Symantec solution

This section provides an overview of the minimum recommended hardware and

software requirements for each Symantec product that is included in the reference

architecture for the Symantec solution for Enterprise Messaging Management

for Microsoft Exchange.

The requirements information is organized by solution tier, as follows:

■ Email security

See “Email security hardware and software requirements” on page 78.

■ Email archiving

See “Email archiving hardware and software requirements” on page 81.

■ Foundation

See “Solution foundation hardware and software requirements” on page 82.

This information is not intended as a substitute for the detailed prerequisites and

requirements that are documented in the deployment, planning, installation, and

implementation guide for each product. Before deploying any product in the

solution, refer to the appropriate guide for more information.

See “Summary checklists for the end-to-end solution” on page 73.

Email security hardware and software requirements

The email security components of the Symantec solution for Enterprise messaging

management include the products in the following list. You can use either the

Symantec Mail Security 8260 appliance or Symantec Mail Security 5.0 for SMTP.

The antispam, antivirus, and email firewall capabilities of the 8260 appliance

make it the preferred option for organizations with 1000-2500 employees.

Administrators can choose the option that best meets the organization’s needs.

■ Symantec Mail Security 8260 appliance

See “Symantec Mail Security 8260 appliance requirements” on page 79.

■ Symantec Mail Security 5.0 for SMTP

See “Symantec Mail Security 5.0 for SMTP requirements” on page 79.

■ Symantec Mail Security 5.0 for Microsoft Exchange

See “Symantec Mail Security 5.0 for Microsoft Exchange requirements”

on page 80.

Symantec Mail Security 8260 appliance requirements

The Symantec Mail Security 8260 appliance has the following requirements:

Web browser: The appliance is managed through a secure Web connection using one of the following browsers:
■ Microsoft® Internet Explorer 6.0
■ Netscape® 7.2
■ Firefox® 1.0

Users: No more than 10,000 users are allowed.

LDAP: Required for LDAP-based group policies or alias expansion.

MTA: The Message Transfer Agent (MTA) that is included with the appliance relays mail to existing email servers. It does not provide final mail delivery functions or client access to mail via POP.

For more information, refer to the Symantec Mail Security 8200 Series Planning

Guide.

Symantec Mail Security 5.0 for SMTP requirements

Table 4-2 lists the minimum requirements for Symantec Mail Security 5.0 for SMTP.

Table 4-2 Symantec Mail Security 5.0 for SMTP requirements

Operating system:
■ Windows 2000 Server with SP4
■ Windows Server 2003 with SP1

Processor: Intel® Pentium® 4 or higher, or compatible

Memory: 1 GB of RAM, minimum; 2 GB or more, recommended

Disk space for installation: 512 MB, minimum; 2 GB or more, recommended

Storage space: Normal filtering operations do not generally require much disk space. The optional extended logging and statistics features, and the Web-based Quarantine feature require additional storage to be allocated.

For more information about requirements for various deployment options, refer

to the Symantec Mail Security for SMTP Deployment Planning Guide.

Symantec Mail Security 5.0 for Microsoft Exchange requirements

Symantec Mail Security for Microsoft Exchange can be added to existing Exchange

servers, or can be part of a new Exchange deployment.

For more information to support a successful deployment of this software, refer

to the Symantec Mail Security for Microsoft Exchange Implementation Guide.

Table 4-3 lists the basic Symantec Mail Security for Microsoft Exchange server

requirements.

Table 4-3 Symantec Mail Security for Microsoft Exchange server requirements

Operating system:
■ Windows 2000 Server or Advanced Server with SP4
■ Windows Server 2003, Standard Edition or Enterprise Edition, with SP1

Exchange platform:
■ Exchange 2000 Server (SP3) or Enterprise Server
■ Exchange Server 2003 or Enterprise Server

Processor: Intel® Pentium® III or higher, or compatible

Memory: 1 GB of RAM

Disk space: 190 MB for local installation and 260 MB for remote installation

Web browser: Microsoft Internet Explorer 6.0

Table 4-4 lists the requirements for the Symantec Mail Security console. This is

a Web-based management application that can be installed on the Symantec Mail

Security server, or on another workstation for remote management.

Table 4-4 Symantec Mail Security console requirements

Operating system:
■ Windows 2000 Server or Advanced Server, with SP4
■ Windows Server 2003, Standard Edition or Enterprise Edition, with SP1
■ Windows XP

Disk space: 140 MB for Mail Security Console installation

Web browser: Microsoft Internet Explorer 6.0

Other software: Microsoft Management Console (MMC) 1.2

Email archiving hardware and software requirements

Enterprise Vault 6.0 provides email archiving for the Symantec solution to email

security.

Each of the following components should be installed on a separate, standalone

server:

■ Enterprise Vault with Journaling

Journaling is a licensable option that supports Microsoft Exchange journaling.

It ensures that email messages are retained to meet regulatory or legal retention

requirements.

■ Enterprise Vault Compliance Accelerator (optional)

Compliance Accelerator is a licensable option that ensures compliance with

regulatory bodies. It provides supervisory review of email. It is an optional

component of the solution.

■ Enterprise Vault Discovery Accelerator (optional)

Discovery Accelerator is a licensable option that provides a fast, efficient,

customizable email search process for legal discovery. It is an optional

component of the solution.

■ Microsoft SQL Server 2000

Enterprise Vault requires access to Microsoft SQL Server for data storage,

which means that SQL Server must be installed and licensed on a computer

to which Enterprise Vault has access. For SQL Server requirements, see the

SQL Server documentation. For additional details of the SQL Server version

requirements for Enterprise Vault, Discovery Accelerator, and Compliance

Accelerator, refer to Chapters 6 and 9.

Table 4-5 lists the requirements for Enterprise Vault and IM Manager.

Table 4-5 Veritas Enterprise Vault requirements

Operating system:
■ Windows 2000 Server, Advanced Server, or Datacenter Server; Service Pack 4 required
■ Windows 2003 Server, Standard Edition, Enterprise Edition, or Datacenter; Service Pack 1 optional

Processor: Intel® Pentium® III or higher, Dual CPU, 900 MHz or greater

Memory: 4 GB of RAM, minimum

System disk: Mirrored system disk and separate local data disk recommended

Storage: RAID, NAS, or SAN storage device recommended

For more information, refer to Installing and Configuring Enterprise Vault 6.0.

Table 4-6 lists the requirements for IM Manager.

Table 4-6 IM Manager requirements

Operating system: Windows 2000 with SP3 or Windows 2003

Processor: 1.8 GHz Pentium III dual-processor

Memory: Required: 256 MB; recommended: 512 MB

System disk: Required: 10 GB; recommended: 30+ GB hard disk. (Disk space is for the SQL Server. For larger implementations, we recommend a RAID array with additional spindles.)

Storage: RAID, NAS, or SAN storage device recommended

For more information, refer to Symantec IM Manager Installation Guide 8.0.

Solution foundation hardware and software requirements

The components of the foundation of the Symantec solution for Enterprise

messaging management include the following products:

■ Storage Foundation for Windows 4.3 with FlashSnap option

See “Storage Foundation 4.3 for Windows requirements” on page 83.

■ Storage Foundation High Availability for Windows

See “Storage Foundation High Availability 4.3 for Windows requirements”

on page 85.

■ Backup Exec 10d

See “Backup Exec requirements” on page 86.

IT personnel can choose to deploy Storage Foundation for Windows or Storage

Foundation High Availability for Windows, depending on the clustering

requirements of the infrastructure.

Storage Foundation 4.3 for Windows requirements

Storage Foundation for Windows should be installed on all servers in the solution.

The FlashSnap option should be licensed for the Exchange and Backup Exec

servers.

Note: For any installation where multiple products are installed on the same

server, ensure that the server meets the requirements of all the products that are

to be installed on that computer.

Table 4-7 lists the hardware and software requirements for Storage Foundation

for Windows.

Table 4-7 Storage Foundation for Windows requirements

Operating system: See Table 4-8 on page 84.

Processor: 550 MHz Pentium III or higher, recommended.

Memory: 512 MB of RAM per system, minimum; 1 GB, recommended.

Disk space: See Table 4-9 on page 85.

Storage devices: Storage Foundation for Windows supports any device in the Microsoft Windows Server Catalog, unless DMP Array Support Libraries (ASLs) or clustering are being used. If DMP ASLs or clustering are being used, refer to the product documentation for more information about compatible storage devices.

Storage access: SCSI, Fibre Channel, iSCSI host bus adapters (HBAs), or iSCSI Initiator-supported NICs to access shared storage.

Firewall and Anti-spyware: Spyware monitoring and removal software must be disabled before installing Storage Foundation for Windows. The firewall must also be disabled to enable discovery of the local client.

Storage Foundation for Windows includes server and client components.

Table 4-8 shows the operating systems that are supported by Storage Foundation

for Windows servers and clients.

Table 4-8 Storage Foundation for Windows server and client operating system requirements

■ Windows 2000 Server, Advanced Server, or Datacenter Server (Service Pack 4 required)
  Server: Yes. Client: Yes.

■ Windows Server 2003 (32-bit): Standard Edition, Enterprise Edition, or Datacenter Edition (Service Pack 1 recommended, but not required)
  Server: Yes. Client: Yes.

■ Windows Server 2003 (32-bit) Web Edition (Service Pack 1 recommended, but not required)
  Server: Yes. Client: No.

■ Windows Server 2003 for 64-bit Itanium® (IA64): Enterprise Edition or Datacenter Edition (Service Pack 1 required)
  Server: Yes. Client: Yes.

■ Windows Server 2003 for Intel® Xeon® (EM64T) or AMD Opteron™: Standard x64 Edition, Enterprise x64 Edition, or Datacenter x64 Edition
  Server: Yes. Client: Yes.

■ Windows XP Professional (Service Pack 1 required; Service Pack 2 supported)
  Server: No. Client: Yes.

■ Windows 2000 Professional
  Server: No. Client: Yes.

Table 4-9 shows estimates of disk space requirements for the initial installation

of Storage Foundation for Windows. Installation on a non-system drive requires

space on both the system drive and the non-system drive.

Table 4-9 Storage Foundation for Windows disk space requirements

■ Server components (all options)
  System drive: 600 MB
  Non-system drive: System space: 475 MB; non-system space: 150 MB

■ Client components
  System drive: 475 MB
  Non-system drive: System space: 425 MB; non-system space: 75 MB

■ Server (all options) and client components
  System drive: 675 MB
  Non-system drive: System space: 500 MB; non-system space: 200 MB

■ Language pack
  System drive: 300 MB
  Non-system drive: System space: 200 MB; non-system space: 125 MB

For additional information about Storage Foundation for Windows requirements,

refer to the Storage Foundation High Availability Solutions 4.3 Installation and

Upgrade Guide.

Storage Foundation High Availability 4.3 for Windows requirements

Table 4-10 shows the operating systems that are supported by Storage Foundation

High Availability for Windows servers and clients.

Table 4-10 Storage Foundation High Availability for Windows operating system requirements

■ Windows 2000 Server, Advanced Server, or Datacenter Server (Service Pack 4 required)
  Server: Yes. Client: Yes.

■ Windows Server 2003 (32-bit): Standard Edition, Enterprise Edition, or Datacenter Edition (Service Pack 1 recommended, but not required)
  Server: Yes. Client: Yes.

■ Windows Server 2003 (32-bit) Web Edition (Service Pack 1 recommended, but not required)
  Server: File Share only. Client: No.

■ Windows Server 2003 for 64-bit Itanium (IA64): Enterprise Edition or Datacenter Edition (Service Pack 1 required)
  Server: Yes. Client: Yes.

■ Windows Server 2003 for Intel Xeon (EM64T) or AMD Opteron: Standard x64 Edition, Enterprise x64 Edition, or Datacenter x64 Edition
  Server: Yes. Client: Yes.

Table 4-11 estimates disk space requirements for the initial installation of Storage

Foundation High Availability for Windows. Installation on a non-system drive

requires space on both the system drive and the non-system drive.

Table 4-11 Storage Foundation High Availability for Windows disk space requirements

| Components | System drive | Non-system drive |
|---|---|---|
| Server components (all options) | 950 MB | System space: 575 MB; Non-system space: 375 MB |
| Client components | 565 MB | System space: 445 MB; Non-system space: 125 MB |
| Server (all options) and client components | 1050 MB | System space: 650 MB; Non-system space: 450 MB |
| Language pack | 300 MB | System space: 200 MB; Non-system space: 125 MB |

For additional information about Storage Foundation High Availability for

Windows requirements, refer to the Storage Foundation and High Availability

Solutions 4.3 Installation and Upgrade Guide.

Backup Exec requirements

Table 4-12 lists the hardware and software requirements for Backup Exec 10d

with SQL Agent (for Enterprise Vault and IM Manager database backup) and

Exchange Agent.


Table 4-12 Backup Exec requirements

| Requirement | Description |
|---|---|
| Operating system | Microsoft Windows 2000 Server™ family; Microsoft Windows 2003 Server family; Microsoft Windows XP (Service Pack 1 or later); Microsoft Windows Storage Server 2003; Microsoft Small Business Server 2003 Standard and Premium |
| Internet browser | Microsoft Internet Explorer 6.0 or later. |
| Processor | Intel® Pentium® III, Xeon, or higher, or compatible. |
| Memory | 256 MB RAM, minimum; 512 MB RAM or more, recommended. RAM requirements vary depending on operations performed, the options installed, and the specific machine configuration. |
| Virtual memory | 20 MB more than the Windows recommended size for total paging file size (the total for all disk volumes) is recommended. |
| Disk space | 350 MB, minimum, for typical installation. 550 MB, minimum, for all options. Disk space requirements vary depending on the operations performed, the options installed, and the specific system configuration. Backup Exec database and catalogs require additional space, up to 2 GB or more. |
| Storage hardware | Minimum of 1 storage media drive or single-drive robotic library with the appropriate controller card. |
| Agent licenses | Required agent licenses include the following: Backup Exec Agent for Microsoft Exchange; Backup Exec Agent for Microsoft SQL; Backup Exec Remote Agent. Remote agent licenses must be purchased for every protected server. |

For more information about Backup Exec requirements, refer to the Backup Exec

10d for Windows Servers Administrator’s Guide.

Solution sizing and performance guidelines

This section provides sizing and performance considerations that expand on the system requirements previously covered. It also focuses on the complete system architecture to be deployed.

Guidelines and best practices are provided according to the number of computers

in the deployment. For customer environments that host between 1000 and 2500

Exchange mailboxes and run Symantec Mail Security for Exchange and Enterprise

Vault, the appropriate CPU count, memory size, and number of disks are defined.

These guidelines are not intended to replace complete deployment

recommendations, but to assist with decisions relevant to deploying and sizing

the hardware for the Symantec solution. These guidelines are based on sizing and

performance tests done by Symantec in partnership with IBM®. This partnership

provides enterprise messaging management software along with server and

storage products that offer high performance, flexibility, manageability, and

scalability for Microsoft Exchange environments.

Sizing and performance criteria

In Exchange server environments, system availability, throughput, and response

time contribute significantly to the overall service level.

From the user perspective, the most important criterion is the overall response time. Users require response times that are under one second for email, and sluggish performance, such as response times that are over one second, can be frustrating.

On the Exchange server, system requirements for the workload and service-level

requirement should be determined. In addition, the performance impact of

Symantec Mail Security and Enterprise Vault on the server's storage system should

be measured. It is important to determine the scalability and storage available in

the server and storage systems that make up the solution. Running the Exchange

server systems at thresholds can cause unpredictable and unstable behavior, and

can seriously impact the availability and system service levels.

Hardware configuration

The system sizing and performance tests were performed using IBM servers and

storage.

For server systems, the IBM BladeCenter® and IBM BladeCenter® HS20 servers

were used. The BladeCenter chassis supports external storage solutions and

provides component predictive failure analysis. The HS20 server is an ultra-dense,

highly manageable, modular computing platform that is optimized for high speed


network applications. The BladeCenter chassis and BladeCenter servers provide

integrated systems management and can easily scale to meet the requirements

of demanding network applications.

The BladeCenter servers and BladeCenter chassis were configured as follows:

Microsoft Exchange and Microsoft SQL:

■ IBM BladeCenter HS20 server

■ 2 Intel Xeon 3.60 GHz processors

■ 4 GB RAM

■ 2 x 36 GB Ultra320 SCSI internal hard disk drives (RAID 1)

Enterprise Vault, Domain Controller, and Load Simulator:

■ IBM BladeCenter HS20 server

■ 2 Intel Xeon 3.60 GHz processors

■ 2 GB RAM

■ 2 x 36 GB Ultra320 SCSI internal hard disk drives (RAID 1)

BladeCenter® chassis:

■ 14 double processor blade bays

■ DVD-ROM and diskette drive accessible from each server

■ 4 switch module bays: 2 Cisco BladeCenter Gigabit Ethernet switches and 2 Brocade BladeCenter Fibre Channel switches

■ 4 power supply modules (hot-swap and redundant 2000W with load-balancing and failover)

■ 2 hot-swap cooling modules

■ 1 system management hardware module

The IBM TotalStorage® DS4500 was used as the primary storage system. The IBM

TotalStorage DS4500 delivers excellent disk performance and outstanding

reliability for data-intensive applications. The IBM TotalStorage DS4500 also

offers advanced replication services to support business continuity and disaster

recovery.

The IBM TotalStorage® DS4500 was configured as follows:

■ Dual active 2 GB RAID controllers

■ 2 GB cache (battery-backed)

■ Fibre Channel (FC) Switched and FC Arbitrated Loop (FC-AL) host interface

■ 4-8 mini hubs

■ FC-AL drive interface

■ RAID level 10

■ 94 hard disk drives using 7 DS4000 EXP700 enclosures

■ Dual redundant, hot-swappable fans and power supplies

■ All hard drives in the test configuration are 15,000 RPM


If secondary WORM storage is required, the IBM System Storage DR550 array

can be used. The architecture of the DR550, which includes hardware redundancy

and IBM autonomic computing technologies, is designed to bring enterprise-class

reliability, scalability, and performance to open-systems environments.

The IBM DR550 is well-suited for archiving e-mail, instant messages, digital

images, contracts and other documents. It also has advanced policy-based data

archival and retention capabilities to help organizations address corporate

governance practices and emerging government and industry regulatory

requirements.

The IBM DR550 lets organizations store, retrieve, manage, share, and secure

regulated and non-regulated data by delivering an integrated solution as a single

unit. The DR550 offers both synchronous and asynchronous replication and

supports up to 112 TB of non-erasable and non-rewriteable physical disk capacity.

When used with attached tape or optical devices, the DR550 can provide essentially

unlimited storage capacity.

Table 4-13 describes the features of the IBM System Storage DR550.

Table 4-13 IBM System Storage DR550 features

| DR550 feature | Description |
|---|---|
| Event-based records management | Allows for the management of data without an explicit retention period. Records are protected from deletion until a specific event occurs. |
| Deletion hold management | Allows for a designated retention date to be suspended when a record or set of records must be retained for legal, audit, or other reasons. |
| Hierarchical storage management | Enables data management on multiple tiers of storage to reduce the total cost of ownership (TCO) for long term content retention. |
| Data protection | Prevents the explicit deletion of data until the specified retention criteria are met. |
| Policy enforcement | Enforces data protection policies that maintain the data in non-erasable and non-rewriteable formats. |

User profile

In order to stress the CPU, memory, and I/O subsystems of the Exchange server,

a user profile was specified to pattern a typical, real-world workload. The profile

was based on the Microsoft® Exchange Server 2003 Load Simulator (LoadSim).


The characteristics described in the profile may not be representative of the

average email user in your organization. In most organizations, email usage is

not uniform; email usage can be light, medium, or heavy. The load generated for

the heavy-use profile is an approximation, but is heavier than most organizations

would typically experience.

The heavy-use email user has the following attributes:

■ Maintains a 100 MB mailbox

■ Receives 209 mail messages per day

■ Replies to the sender of 22 messages per day

■ Replies to all recipients of 10 messages per day

■ Forwards 10 messages per day

■ Requests .1 meetings per day

■ Makes .2 appointments per day

■ Browses the calendar 3 times per day

■ Sends a total of 53 messages per day

The email data sets that were used in the testing also patterned typical real-world

examples. The data sets that were used to pre-populate the Exchange server and

to place the system under load were based on the Microsoft Exchange Server 2003

Load Simulator heavy-use profile.

The heavy-use email data set is defined as follows:

■ Average email size is 70 KB

■ Maximum email size is 5 MB

■ 85% of messages range from 2 KB to 80 KB in size and do not have attachments

■ 10% of messages have a small (less than 2 MB) attachment

■ 5% of messages have a large (2 to 5 MB) attachment

The user and data set profiles reflect the number of internal, virus-free messages

that a heavy-use email user is expected to send and receive. Typically, companies

receive the majority of email containing spam and viruses from external sources.

This challenge is addressed in the reference architecture solution by the inclusion

of the Symantec Mail Security 8260 appliance. The 8260 appliance removes spam

and virus-infected emails from external email before it reaches the Exchange

server. Including perimeter email security leaves additional bandwidth on the

Exchange server to handle legitimate email.


Baseline server and storage configurations

Before deploying the Symantec solution for Enterprise Messaging Management,

the Exchange servers were configured for optimal performance. In addition, the

Enterprise Vault servers were configured to simulate a typical customer

environment.

Exchange server configuration

The Exchange server cluster was configured for optimal performance by running

the Exchange Server Best Practices Analyzer. The appropriate best practices for

tuning and configuring the Exchange servers were then followed.

Exchange is an I/O intensive application. Performance is dependent on the

performance of the disk and I/O subsystem. Implementors must understand the

different characteristics of Exchange I/O and how to optimize the storage system

for the Exchange server access. Different types of data should be stored on separate

volumes that are optimized for the predominant type of I/O access.

Enterprise Vault configuration

Deploying Enterprise Vault to archive and journal Exchange email requires the

following hardware components:

■ Enterprise Vault server

■ Microsoft® SQL Server

■ Storage for Enterprise Vault stores

■ Storage for Enterprise Vault indexes

Before starting the tests, the Enterprise Vault server was configured to simulate

a typical customer environment. To appropriately size Enterprise Vault systems

for deployment, careful examination of many variables is required. Implementors

must be aware of factors such as the amount of data to be archived, the average

size of the messages, the number of email attachments that need to be processed,

and when and how often messages are archived.

The number of messages per user that match the archiving policy per day

determines the amount of data that is archived per day. This is the most important

variable to consider when sizing Enterprise Vault systems.

An equally important Enterprise Vault performance consideration is conversion.

Before an item is moved into a user’s vault, the Enterprise Vault Storage Service

compresses the item and adds a text or HTML version of the item. This conversion

is the largest consumer of CPU cycles on the Enterprise Vault server. When


archiving data, the Enterprise Vault server typically uses 75% to 100% CPU

processing capability.

Enterprise Vault must copy email and attachment data from the Exchange server

in order to archive it. This data movement from the Exchange server requires

additional CPU, storage, and network resources. Although Symantec recommends

that Enterprise Vault archiving happen at night, for the purpose of the performance

and sizing test, the archiving was run under the heavy-use email load.

When journaling is enabled, the journaling activity runs on the Exchange server

continuously to journal email as it is sent and received. When journaling, the

Exchange server copies messages to a journaling mailbox, which contains a record

of all sent and received email. This additional message processing adds additional

CPU overhead to the Exchange server and uses additional storage resources.

Storage configuration

The IBM TotalStorage DS4500 was used as the primary Exchange storage device.

The DS4500 has 96 disk spindles that are available across two array controllers.

The baseline environment included Storage Foundation for Windows on the

Exchange server, and the storage layout remained constant across all test

scenarios.

A summary of the storage layout follows:

■ The volume layout for the Exchange database was RAID 10. The database

volume had 20 disks assigned per mirror. Each was assigned to a separate

controller.

■ As shown in Table 4-14, eight arrays/volumes were created for the test

environment.

■ On the Exchange Server, Storage Foundation for Windows was used to create

a RAID 0 volume across both logical unit numbers (LUNs).

■ The Storage Foundation volume layout for the Exchange log files was RAID 1.

The log file volume had two disks.

■ All drives were 15,000 RPM.

Table 4-14 describes the storage arrays and volumes that were created for the

test.

Table 4-14 Storage subsystem layout

| Array | Volume | Size |
|---|---|---|
| Array 1 (RAID 1) | ExData1 (Exchange data) | 678.9 GB |
| Array 2 (RAID 1) | ExData2 (Exchange data) | 678.9 GB |
| Array 3 (RAID 1) | ExLog1 (Exchange logs) | 16.5 GB |
| Array 4 (RAID 1) | ExLog2 (Exchange logs) | 16.5 GB |
| Array 5 (RAID 1) | Spare | 233.8 GB |
| Array 6 (RAID 1) | EV (Enterprise Vault data) | 100.2 GB |
| Array 7 (RAID 1) | SQL (Enterprise Vault metadata) | 100.2 GB |
| Array 8 (RAID 1) | EV_index (Enterprise Vault index) | 16.5 GB |
| Array 9 (RAID 1) | VCS_Log (Veritas Cluster Server logs) | 16.5 GB |

Test environment

Figure 4-2 shows the performance and sizing test environment:

Figure 4-2 Enterprise Messaging Management test environment


Test methodology

To measure the performance impact of the Enterprise Messaging Management

applications on the Exchange server, key performance metrics were measured

under varying loads for the baseline and test configurations.

The following performance metrics were measured:

■ User response time

■ Disk I/O operations per second (IOPS)

■ CPU utilization

First, the baseline Exchange environment was installed and configured. Then,

load tests for 1000, 1500, 2000, and 2500 users were run to measure the baseline

performance. Next, the enterprise messaging management suite was installed

and validated, and then, the load tests for each user set were run again.

The Microsoft Exchange 2003 Load Simulator (LoadSim) was used to simulate the

specified number of mail user agents. The mail user agent emulated the Microsoft

Outlook client, which uses MAPI (Messaging Application Programming Interface)

to access the Microsoft Exchange server. SMTP email traffic was not included in

the test.

LoadSim was configured to prorate an 8-hour test load over a period of four hours.

Results from the first and last hours of the test were discarded to remove ramp-up

and ramp-down effects on the data.

Test results

Performance tests were run for simulated environments of 1000, 1500, 2000, and

2500 users.

Table 4-15 shows the baseline and Enterprise Messaging Management test results

for each user count.

Table 4-15 Performance test results

| User count | Baseline response time (ms) | EMM response time (ms) | Baseline IOPS | EMM IOPS | Baseline CPU utilization | EMM CPU utilization |
|---|---|---|---|---|---|---|
| 1000 | 78 | 109 | 531.0 | 1131.0 | 7.60% | 25.80% |
| 1500 | 104 | 114 | 878.0 | 1242.8 | 14.32% | 28.30% |
| 2000 | 129 | 131 | 1285.6 | 1396.5 | 22.40% | 33.80% |
| 2500 | 154 | 173 | 1519.9 | 1789.7 | 26.50% | 38.90% |


Adding users to the baseline test resulted in the following increases in IOPS and

CPU utilization:

■ Average disk IOPS increase ranged from 200 to 400 for each additional 500

users.

■ Average processor utilization increase ranged from 4% to 8% for each

additional 500 users.

After installing the enterprise messaging management applications, the increase

of users resulted in the following increases in IOPS and CPU utilization:

■ Average disk IOPS increase ranged from 100 to 400 for each additional 500

users.

■ Average processor utilization increase ranged from 2% to 5% for each

additional 500 users.

Comparing the baseline and test results, the approximate performance impact of

the enterprise messaging management suite can be calculated.

Table 4-16 shows the increase in response time, disk IOPS and CPU utilization

for each user count.

Table 4-16 Increase due to EMM suite

| User count | Response time increase | Average disk IOPS increase | Average CPU increase |
|---|---|---|---|
| 1000 | 31 ms | 600 | 18% |
| 1500 | 10 ms | 356 | 14% |
| 2000 | 2 ms | 111 | 11% |
| 2500 | 20 ms | 270 | 12% |

Comparing the Enterprise Messaging Management results for each user count,

we can approximate the performance impact of each additional 500 users as

follows:

■ Average processor utilization increase of 14%

■ Average disk IOPS increase of 340

■ User response time increase of 16 ms

Results analysis

The BladeCenter chassis, HS20 BladeCenter servers, and the DS4500 TotalStorage

system provided an excellent platform for hosting the Symantec Enterprise


Messaging Management solution. The server and storage systems easily managed

the loads generated by all tests. Even in the 2500-user case, resources remained

in reserve to support additional users. The Exchange Server performed acceptably

when Enterprise Vault archiving and journaling were performed during the test.

In all tests, the amount of Exchange server data that was archived was limited by

the CPU bandwidth of the Enterprise Vault server system. The Enterprise Vault

server maintained a data archive rate of 1 GB per hour throughout the tests. While

archiving, the Enterprise Vault server CPU ran at above 90% average utilization

while the data rates remained approximately the same between tests.
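A worked estimate built from this section's own figures (209 received messages per user per day, 70 KB average message size, 1 GB per hour archive rate). It is an added example, not part of the Symantec guide; the 8-hour nightly window, the 1024-based unit conversion, and counting only received messages are assumptions.

```python
"""Enterprise Vault archive-window estimate (added example, assumptions labelled)."""
import math

# Figures taken from this section.
AVG_MESSAGE_KB = 70               # heavy-use data set: average email size
RECEIVED_PER_USER_PER_DAY = 209   # heavy-use profile: messages received per day
ARCHIVE_RATE_GB_PER_HOUR = 1.0    # rate the Enterprise Vault server sustained in the tests

# Assumptions, not from the page.
NIGHT_WINDOW_HOURS = 8.0          # length of the nightly archiving window
KB_PER_GB = 1024 * 1024           # binary units


def daily_archive_gb(users, matching_per_user_per_day, avg_kb=AVG_MESSAGE_KB):
    """Data that matches the archiving policy each day, in GB."""
    return users * matching_per_user_per_day * avg_kb / KB_PER_GB


def archive_hours(users, matching_per_user_per_day, rate=ARCHIVE_RATE_GB_PER_HOUR):
    """Hours of archiving needed per day at the given archive rate."""
    return daily_archive_gb(users, matching_per_user_per_day) / rate


def max_matching_per_user(users, window_hours=NIGHT_WINDOW_HOURS,
                          rate=ARCHIVE_RATE_GB_PER_HOUR, avg_kb=AVG_MESSAGE_KB):
    """Largest number of policy-matching messages per user per day that
    still fits inside the archiving window."""
    budget_kb = window_hours * rate * KB_PER_GB
    return math.floor(budget_kb / (users * avg_kb))


def backlog_after(days, users, matching_per_user_per_day,
                  window_hours=NIGHT_WINDOW_HOURS, rate=ARCHIVE_RATE_GB_PER_HOUR):
    """GB still waiting to be archived after `days` nightly runs."""
    per_night = window_hours * rate
    daily = daily_archive_gb(users, matching_per_user_per_day)
    backlog = 0.0
    for _ in range(days):
        backlog = max(0.0, backlog + daily - per_night)
    return backlog


def sizing_table():
    """(users, hours needed if every received message matches, per-user cap)."""
    rows = []
    for users in (1000, 1500, 2000, 2500):
        hours = round(archive_hours(users, RECEIVED_PER_USER_PER_DAY), 1)
        rows.append((users, hours, max_matching_per_user(users)))
    return rows


if __name__ == "__main__":
    print("users  hours/day (all mail matches)  max matching msgs/user/day")
    for users, hours, cap in sizing_table():
        print(f"{users:5d}  {hours:28.1f}  {cap:26d}")
    print("Backlog after 5 nights, 2500 users, all mail matching: "
          f"{backlog_after(5, 2500, RECEIVED_PER_USER_PER_DAY):.1f} GB")
```

At the tested archive rate, a policy that matches every received message cannot finish within one night for any of the tested user counts, so the per-user cap is the figure to compare against the archiving policy.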

IM Manager performance considerations

There are a number of considerations when sizing and scaling IM Manager

deployments. One important consideration is the number of users that will be

connecting to consumer instant message services. These services include AOL,

MSN, Yahoo, and Google Talk. A single IM Manager supports a minimum of 5000

concurrent users.

If more than 5000 users connect to instant message services concurrently, IT

personnel should consider deploying more than one IM Manager server, and then

deploying a network load balancer in front of the IM Manager servers. IM Manager

has been tested with hardware load balancers, as well as software load balancers.

You can contact Symantec support for more information at the following URL:

http://www.symantec.com/techsupp/immanager.htm

Another consideration is that IM Manager uses a resident SQL Server database

for storage of both configuration data and logged instant message conversations

prior to exporting to Enterprise Vault via email. The appropriate sizing of the

database must be considered. As a guideline, the average user logs about 4 MB of

conversation data per year, or about 4 GB of instant message conversation data

per year, per 1000 users in the IM Manager resident SQL Server database.

Symantec IM Manager provides database management tools that allow logged

conversation data to be exported on a schedule to

Enterprise Vault. IM Manager also allows the conversation data to be purged once

it has been exported. If logged conversation data is not regularly archived, a larger

database will be required.


Chapter 5: Stopping unwanted email

This chapter includes the following topics:

■ The challenge of stopping unwanted email

■ A defense-in-depth strategy

■ Configuration overview

The challenge of stopping unwanted email

The challenges related to managing an organization's email infrastructure have evolved rapidly, as email has become a mission-critical business application. Spam and viruses present new and constantly changing threats, which amplify the risk to email security and availability. To meet this challenge, IT personnel must protect email infrastructure with a combined solution of accurate antispam and antivirus technologies.

The proactive removal of spam, in combination with Symantec™ antivirus email

protection, markedly improves end user productivity and security. Stopping spam

that delivers phishing schemes, viruses, and restricted content before it reaches

a network saves the time and effort required to process the spam. It also reduces

the risk that a spam recipient may inadvertently execute a malicious file.

The automatic removal of spam combined with Symantec Backup Exec™ also

results in shorter backup and data recovery time. Only virus-free, valid emails

are backed up, resulting in greater backup efficiency and improved security.

A defense-in-depth strategy

To ensure the security and availability of your business email, Symantec recommends that organizations implement a multi-tiered solution. Each tier reduces the downstream risk posed by security threats and spam. This solution adds cumulative layers of protection around the desktop at strategic points throughout your network.

Figure 5-1 shows each tier and the Symantec products that are available for

securing that tier.

Figure 5-1 Multi-tiered approach to email threat protection

The task of securing your business email system and keeping it available begins

with controlling and managing the flow of email throughout your organization.

This means removing spam, viruses, and unwanted or unneeded content from

your messaging infrastructure at specific points in time.

No single product is capable of protecting an organization against all email-related

threats. And no single tier of protection can offer 100-percent coverage, especially

against new and emerging threats. By applying different Symantec defenses at

multiple tiers, your email threat defense is strengthened as varied types of threats

are removed at multiple locations, wherever they are detected. Layered defenses

complement each other by using varying methods to thwart attacks.

This multi-tiered approach reduces both security risks and email volume, while

ensuring that messages are legitimate and clean before they pass to the next tier

in your email infrastructure.


Network boundary tier

Organizations today must significantly reduce spam before it enters their

networks, to demonstrate regulatory compliance. To accomplish this, they can

deploy a spam defender at their network boundary that works to hold traffic

volume constant, even as Internet spam volume increases. This type of defense

is called traffic-shaping.

A limitation of the SMTP protocol is its inability to authenticate senders of email.

Traffic-shaping samples and analyzes SMTP packets in real-time, and makes a

spam or not-spam determination based on the reputation of each sender. A

reputation is established from the cumulative history and reputation of the mail

path itself.
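The idea in the paragraph above, reduced to a runnable sketch: a sender's cumulative history becomes a reputation score, and the score sets how many connections the sender is allowed. This is an added example, not Symantec's algorithm or appliance code; the decay factor, rate limits, verdict names, and sample addresses are assumptions constructed for illustration.

```python
"""Reputation-driven traffic shaping, core idea only (added example)."""
from dataclasses import dataclass

# Assumed parameters; the page gives no values for any of them.
DECAY = 0.5          # share of the old score kept after each new observation
NEUTRAL_SCORE = 0.5  # starting score for a sender with no history (0 = clean, 1 = abusive)
MAX_RATE = 20        # connections per minute granted to a sender with a perfect record
MIN_RATE = 1         # floor, so a throttled sender can still earn its reputation back

BAD_VERDICTS = {"spam", "virus"}

# Constructed history: (sender IP, verdict on one message), oldest first.
# All addresses come from the documentation ranges.
SAMPLE_HISTORY = [
    ("192.0.2.10", "clean"), ("192.0.2.10", "clean"), ("192.0.2.10", "clean"),
    ("198.51.100.7", "spam"), ("198.51.100.7", "spam"), ("198.51.100.7", "virus"),
    ("203.0.113.5", "spam"), ("203.0.113.5", "clean"), ("203.0.113.5", "clean"),
]


@dataclass
class Sender:
    score: float = NEUTRAL_SCORE
    messages: int = 0

    def observe(self, verdict: str) -> None:
        """Fold one more verdict into the cumulative score (exponential decay)."""
        bad = 1.0 if verdict in BAD_VERDICTS else 0.0
        self.score = DECAY * self.score + (1 - DECAY) * bad
        self.messages += 1


def build_reputations(history):
    """Replay the history and return {ip: Sender}."""
    senders = {}
    for ip, verdict in history:
        senders.setdefault(ip, Sender()).observe(verdict)
    return senders


def allowed_rate(sender: Sender) -> int:
    """Map a reputation score to a connections-per-minute limit."""
    return max(MIN_RATE, round(MAX_RATE * (1 - sender.score)))


def shape(offered, senders):
    """offered: {ip: connections attempted this minute} -> {ip: connections accepted}.
    Senders without history are treated as neutral rather than blocked."""
    accepted = {}
    for ip, attempts in offered.items():
        limit = allowed_rate(senders.get(ip, Sender()))
        accepted[ip] = min(attempts, limit)
    return accepted


if __name__ == "__main__":
    reputations = build_reputations(SAMPLE_HISTORY)
    offered = {"192.0.2.10": 12, "198.51.100.7": 500, "203.0.113.5": 30, "192.0.2.99": 4}
    accepted = shape(offered, reputations)
    for ip in offered:
        print(f"{ip:14s} offered={offered[ip]:4d} accepted={accepted[ip]:3d}")
    print("total accepted:", sum(accepted.values()), "of", sum(offered.values()))
```

The sender with a spam-only history keeps a single connection per minute however much it offers, which is how shaping holds accepted volume steady while offered volume grows.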

The Symantec™ Mail Security 8160 appliance is ideal for organizations with 2,000

or more employees that require traffic-shaping at their network boundaries.

For more information on the Symantec Mail Security 8160 appliance, see the

Symantec Mail Security 8100 Series Deployment Guide.

Gateway tier

Defending mail servers and mailboxes is no longer enough to ensure the security

and availability of business email. Spammers and other attackers continuously

develop new methods to defeat internal server defenses. Prevention of spam,

viruses, phishing, and spyware must begin at the perimeter, or gateway tier, of a

network, and then layer inward to correctly provide multiple lines of defense.

The gateway tier is the layer of routers, bridges, and switches that handle all

packet transmission on your network, including email traffic. With the Symantec

Mail Security 8260 appliance or Symantec Mail Security for SMTP 5.0 deployed,

spam, viruses, and other threats are automatically detected and stopped before

they reach your email servers. The Symantec Mail Security 8260 appliance and

Symantec Mail Security for SMTP software are Symantec customer-deployment

options that fulfill the same core need at the gateway tier.

Note: As of June 2006, Symantec Mail Security for SMTP 4.1 has merged with

Symantec BrightMail AntiSpam 6.0 to create Symantec Mail Security for SMTP

5.0.

Symantec Mail Security 8260 appliance and Symantec Mail Security for SMTP

help IT organizations face the challenge of protecting your network perimeter.

Table 5-1 describes the challenges and the Symantec solution.


Table 5-1 Gateway tier security challenges and solutions

| Challenge | Solution |
|---|---|
| Preventing spam and other unwanted email from reaching mail servers | Symantec antispam technology leverages over 20 spam-prevention techniques. The embedded Symantec antivirus technology includes real-time scanning. Virus-protection capabilities include the mass-mailer cleanup, which automatically removes the emails associated with mass-mailing worms. |
| Reducing email infrastructure costs | Email firewall technologies, which include both Directory Harvest Attack Prevention and Sender Reputation, restrict connections from spam-sending servers. |
| Controlling outbound spam and viruses | Content compliance features allow administrators to control both inbound and outbound email. In addition to controlling spam and viruses, this allows monitoring for sensitive content, and enforcement of corporate and regulatory policies. |

The continually changing email threat landscape requires a solution that

automatically complies with the latest antispam and antivirus policies and rules.

Symantec Mail Security 8260 appliance and Symantec Mail Security for SMTP

provide accurate antispam technology that is frequently and automatically

updated with the latest protections and response mechanisms.

Mail server tier

The mail server tier processes outbound email while also processing and storing

inbound and internal email. Even if you have solid perimeter protection, it is still

necessary to inspect internal email traffic and stored messages. Viruses can enter

along other vectors, such as personal Web-based email or removable media (for

example, the USB drives of users whose virus definitions are not current).

Also critical is post-attack virus cleanup of message stores (after early-stage virus

infestations) using the latest antivirus definitions. Symantec™ Mail Security for

Microsoft Exchange protects Exchange email servers by providing real-time,

scheduled, and on-demand scanning for viruses. It also scans for inappropriate

message content in internal email and in SMTP inbound/outbound traffic.

Table 5-2 describes common challenges that IT departments face, and the Mail

Security for Exchange solution.


Table 5-2 Mail server tier security challenges and solutions

| Challenge | Solution |
|---|---|
| Scanning for viruses that enter the network by bypassing the network boundary and gateway tiers | Viruses can enter the network via personal, web-based email or removable media such as USB drives. Mail Security for Exchange can scan mail downstream from your gateway servers to ensure that new threats are exposed and handled. |
| Ensuring redundancy in email inspection | Although inbound email is a common delivery mechanism for viruses, these types of threats can enter email systems via other sources. While gateway defenses provide coverage of inbound email, not all threats can be detected and removed at that tier. Addressing this need requires virus detection and cleanup at the mail server tier. |
| Preventing authorized content from being sent to unauthorized users | Companies secure internal Web sites from unauthorized individual or departmental access. However, information from a secured Web site can be downloaded to a desktop system and easily forwarded. This possibility risks exposure of data to unauthorized users both inside and outside the organization. Mail Security for Exchange incorporates rule-based content filtering to prevent unwanted content from entering, and confidential information from leaving, the network. Rules can be created that apply to a specific user or group to provide further granularity that may be required for specific compliance regulations. |
| Enforcing email usage policies | Companies enforce email policies to prevent inappropriate language in email. This includes unwanted or oversized attachments, such as MP3 music files, AVI and other video file types; and file types commonly used for delivery of viruses, such as executables. Symantec Mail Security for Exchange enforces policies at the mail server tier to prevent inappropriate email from propagating inside and outside the company. |

Symantec Mail Security for Microsoft Exchange gives administrators the ability

to inspect content while in transit, and while it is being accessed from the

information store. Administrators can also conduct sweeps of information-store

content on a scheduled or on-demand basis, using updated virus definitions or

specific content rules that are designed to identify suspicious or inappropriate

content. A constant background scan can also be employed to monitor the store,

and proactively scan new messages and older messages that have not been scanned

with the latest definitions.

Desktop tier

At the innermost tier of your network, desktop users interact with their Exchange

email inboxes. At this tier, security threats and viruses are often launched by

users who remain unaware of malicious activity. Consequently, positioning

protection at the desktop is critical to a tiered defense strategy. This tier represents

the last line of defense for Internet-borne threats, and is the layer that responds

and cleans up after infectious outbreaks.

Symantec antivirus solutions stop the successful launch of threats delivered by

various infection methods, such as USB memory sticks, DVD content, and CD content.

They also detect and defend against threats that make it to the desktop, either

through Web-based email or Web access.

Note that while desktop-protection solutions are highly customizable and

individually effective, they cannot offer organization-wide protection because

their purpose is to protect only individual desktop mailboxes. Complete enterprise

protection is only possible with a multi-tiered solution that is implemented at the

mail server, gateway, and network boundary tiers.

Symantec’s Global Intelligence Network

A flexible, archiving framework enables the discovery of content stored within

email, file system, and collaborative environments, while helping to reduce storage

costs and simplify management. Search-and-discovery capabilities are

complemented by client applications designed to meet corporate governance, risk

management, and legal protection requirements. Spam and virus detection

technologies, as well as traffic-shaping technology, can be deployed at multiple

layers in the network.

High-resiliency technologies ensure uninterrupted access to mission-critical data.

Online storage management tools with optimized I/O performance reduce planned

and unplanned downtime, while clustering and replication technologies further

reduce downtime.

For organizations that require fast recovery of Exchange server services after site

disasters, Symantec offers metropolitan-area data mirroring and wide-area data

replication, optionally coupled with remote site standby system management

(wide-area clustering).

Supporting Symantec’s products and services is the Symantec Global Intelligence

Network security research organization. This organization aggregates, analyzes,

and delivers security notifications on security threats worldwide. It gathers

malicious code data from over 150 million antivirus desktops, 20,000 Intrusion

Detection (IDS) software clients, and firewall sensors in over 180 different

countries, and more than 43,000 managed security devices. Symantec’s global

Security Response centers monitor the Probe Network, and analyze the latest

spamming tactics across the globe. The Probe Network is an extensive array of

over 2 million decoy email addresses.

Combined with Symantec’s vulnerability database of over 10,000 entries, this

infrastructure provides Symantec’s Security Response analysts with a source of

data from which to identify emerging trends in attacks and malicious code activity.

Symantec Security Response centers are located in North America, Asia, Australia,

China, and Europe. Centers are manned by researchers who represent a

cross-section of highly regarded security experts. The centers provide 24-hour

coverage, seven days a week for important security events.

The Symantec Mail Security product line leverages security content updates from

Symantec Security Response to help organizations prepare for and respond to

any security threat. Backed by Symantec’s Global Intelligence Network and

Security Response, information and recommended actions on the latest security

threats can be obtained via Symantec’s globally distributed network of

LiveUpdate™ systems. LiveUpdate extends to all geographic locations and time

zones.

Figure 5-2 illustrates the reach of Symantec's Global Intelligence Network.

Figure 5-2 Global Intelligence Network and Security Response

Configuration overview

For organizations with 1,000 to 2,000 email users, Symantec recommends

implementing email protection at the gateway, mail server, and desktop tiers. In

high-volume email environments, additional protection at the network boundary

tier should be implemented as well.

The following describes the Symantec Enterprise messaging management solutions

that are applicable at each network tier:

Mail server tier: Symantec Mail Security for Microsoft Exchange

Gateway tier: One of the following gateway protection products:
■ Symantec Mail Security 8260 appliance
■ Symantec Mail Security for SMTP software

Network boundary tier: (Optional) Symantec Mail Security 8160 appliance

Figure 5-3 shows the recommended server configurations for each network tier

in a 1,000 to several thousand employee company.

Figure 5-3 Server architecture for the Symantec solution

This figure shows Symantec Mail Security for SMTP installed at the email gateway

layer. The most effective place to deploy Symantec Mail Security for SMTP is at

the perimeter of your email network. By deploying at the gateway, you can take

advantage of all of this tool's email-firewall and connection-management features.

Using its embedded MTA, Symantec Mail Security for SMTP processes inbound

and outbound Internet mail. The SMS for SMTP filtering engine examines IP

connections, and filters mail using the latest defenses from Symantec. Every 10 minutes, spam filters, virus definitions, global sender reputation information, and other critical email security defenses are updated over a secure connection.

In this architecture, two Symantec Mail Security 8260 appliances or servers

running SMS for SMTP are recommended at the network perimeter, configured

for both inbound and outbound message traffic. The function of these products

is equivalent in this architecture. It is also recommended to install the 8260

appliances or Mail Security for SMTP servers between two firewalls in a

sub-network that separates the internal and external networks. This sub-network

is commonly known as a demilitarized zone (DMZ) or perimeter network.

The Microsoft Exchange mail servers are your company’s groupware, or

downstream servers. They reside inside the company firewall, protected by the

gateway appliances or servers.

See “Best practices for protecting the network perimeter at the gateway server

tier” on page 112.

Optionally, for companies that want to reduce traffic volume at the SMTP layer

before it enters the company network, the Symantec Mail Security 8160 appliance

is available. The 8160 appliance sits at the network boundary, inside the DMZ,

and in front of the gateway appliances or servers.

Best practices for protecting Exchange servers at the mail server tier

The Symantec solution for protecting Microsoft Exchange servers in organizations

with 1,000 to several thousand employees is Symantec Mail Security 5.0 for

Microsoft Exchange (Mail Security for Exchange). Mail Security for Exchange

provides an integrated security solution that protects against viruses, spam, and

security risks, and enforces company policies. Mail Security for Exchange allows

administrators to create and save multiple sets of criteria for identifying threats

and violations. And when a threat or violation is detected, Mail Security for

Exchange can automatically issue notifications and alerts as well as take predefined

administrative actions.

Typical configuration

In a typical configuration, Symantec Mail Security for Microsoft Exchange is

installed on each Exchange server to scan all inbound, outbound, and internal

email. Mail Security for Exchange scans all email content, including message

header, body, and attachments. Mail Security for Exchange scans all email sent

to both public folders and private mailboxes. Mail Security for Exchange provides

email message scanning and security conformity at the server level. This capability

ensures that email in Exchange is free from security risks, spam, and viruses.

Pre-installation and deployment

Before installing Symantec Mail Security for Exchange, all pre-installation and

system requirements must be met.

See “Symantec Mail Security 5.0 for Microsoft Exchange requirements” on page 80.

The Symantec Mail Security for Microsoft Exchange Implementation Guide provides

procedures and recommendations for deploying Symantec Mail Security for

Microsoft Exchange. It is recommended that system administrators become

familiar with this guide before installing the software.

Table 5-3 shows the sequence of a typical Symantec Mail Security for Exchange

deployment for a company with fewer than 3,000 employees.

Table 5-3 Typical deployment sequence for Symantec Mail Security

Deployment task: Task 1: Install Mail Security for Exchange
Description: Symantec Mail Security for Exchange can be installed directly on a single Exchange server, or from a multiserver console that is used to manage multiple servers on an individual basis or as groups of servers. A console installation can be completed on a client computer (Windows® XP or Windows 2000), but is typically installed on one of the least-utilized Exchange servers. The console is used to manage product settings remotely, and groups of servers can be created with similar functions for easier management.

Deployment task: Task 2: Install Symantec Mail Security for Microsoft Exchange Cluster Nodes
Description: Symantec Mail Security for Exchange is fully cluster-aware, when installed in a Microsoft Windows or Veritas Cluster server environment. Mail Security for Exchange should be installed on Exchange Cluster nodes while they are in a passive state, to ensure that working Exchange Virtual Servers are not affected negatively by the installation processes.
Each node in the Microsoft Exchange Server 2003 cluster must have Symantec Mail Security for Exchange binaries installed in the same location on the applications disk drive. In addition, the System Administrator installs the latest updates and definitions for Mail Security for Exchange as installation is completed.

Deployment task: Task 3: Install Symantec AntiVirus Corporate Client on Exchange Server Cluster Nodes
Description: Symantec recommends that a Symantec AntiVirus Corporate Edition client (or equivalent) be installed on your Exchange servers to provide protection at the operating-system level. This will provide comprehensive protection against both viruses within Exchange, and file-based threats on the server itself. It should be set to have virus definitions update automatically.
To successfully install and bring online a working Microsoft Exchange 2003 Virtual Server with Mail Security for Exchange and Symantec Antivirus, exclusions should be added to Symantec Antivirus for the working directories used by Symantec Mail Security for Exchange, and for certain Exchange directories. For more information, see Symantec Knowledge Base Document ID: 2004052416452048 at the following URL:
http://www.symantec.com/techsupp/

Deployment task: Task 4: Install (or renew) license files to remote servers
Description: To activate a content license, a license file must be installed on each server that is running Mail Security for Exchange. This ensures that each server can receive the latest virus definition updates.
The license file can be installed from the console for a remote server group, or for a remote single server. It can also be installed on each individual server directly.

Deployment task: Task 5: Install Spam Folder Agent for Exchange
Description: The Spam Folder Agent allows you to route spam messages to a folder designated for spam, in each recipient’s mailbox. The Spam Folder Agent should be installed on Exchange servers where mailboxes physically reside. The Agent automatically creates a Spam folder in each user’s mailbox. When spam messages are tagged for Spam Folder Agent delivery, the messages are delivered to the Spam folder. Tagging may be accomplished by Symantec Mail Security 8260 appliances.
Companies can use Spam folders to archive suspected spam that is delivered directly to end users for review. To ensure that such messages are not left in Exchange mailboxes for more than a few days, system administrators can apply a folder-level mailbox-archiving policy in Enterprise Vault, to the Spam folder for each user. This policy archives all messages after a short time (for example, 5 days). This can be separate from, and override, any other default user mailbox archiving policy.

Symantec Mail Security for Exchange configuration

Symantec offers configuration recommendations for Mail Security for Exchange.

This information is not intended to replace product documentation. The following

points address common questions about settings.

Table 5-4 shows the recommended configuration settings for Symantec Mail

Security for Exchange.

Table 5-4 Recommended settings

Setting: General Settings (applies to all autoscans)
Recommendation: Attachment Blocking: A list based on internal company policy should be set up in the content directory.

Setting: LiveUpdate/Rapid Recovery
Recommendation: Run LiveUpdate at least every 4 hours.

Setting: Match List
Recommendation: Utilize with filtering sub-policies to protect users from known threats that are undetectable through other means. Example: when a virus definition does not yet exist for a threat, a match list is referenced in the sub-policies to match specific email text or attachment types, and perform a specified action when detected.

Setting: Report Settings
Recommendation: Threshold on Storage: Store all data for 12 months.

Setting: Filtering sub-policies
Recommendation: May require customization to use match lists for detecting known threats that are undetectable through other means (i.e., when a virus definition does not yet exist for a threat).

Setting: Scans: Auto Protect
Recommendation: AutoProtect must always be turned on to scan for viruses in transit, and on access.
Background scanning can be enabled. However, this adds to the Exchange server load, and may impact performance.
Upon virus definition update, Force rescan should be enabled to ensure that messages are scanned with the latest definitions during on-access or real-time scanning.

Setting: Scans
Recommendation: Manual scan is used to immediately scan the message store to find a virus, security risk, or content violation.
Scheduled scan is used to schedule a scan of the message store during off-peak hours.

Multiserver console configuration

The Symantec Mail Security for Exchange console can be configured to manage

one or more Exchange servers.

If your company is using multiple Microsoft Exchange servers, and wants to

manage mail security from the Mail Security for Exchange console (multiserver

console), system administrators should have an implementation plan that includes

server names and total number of Exchange servers on which Mail Security for

Exchange is to be installed.

To manage Mail Security for Exchange using the multiserver console, all Mail

Security for Exchange servers must be in the same domain as the console. System

administrators should use the multiserver console whenever multiple servers

have the same settings.

Virus definition recommendations

An Exchange server should be protected with both a file system antivirus scanner

(for example, Symantec AntiVirus Corporate Edition) and antivirus protection

for the Exchange message store (Mail Security for Exchange). If both Symantec

Mail Security for Exchange and Symantec™ AntiVirus Corporate Edition are

installed on the same server, they can share a single set of definitions. This allows

system administrators to update once, instead of separately managing definitions

for both products. In this case, virus definitions should be managed by Symantec

AntiVirus Corporate Edition, and virus updates should be turned off within

Symantec Mail Security for Microsoft Exchange, to leverage the Symantec

AntiVirus Corporate Edition definitions.

If Symantec AntiVirus Corporate Edition is not installed on the Exchange server,

you must manage virus updates within Symantec Mail Security for Microsoft

Exchange. Symantec Mail Security for Exchange has two types of definitions:

■ Rapid Release definitions

Rapid Release definitions are certified, updated multiple times a day (often

hourly), and provide the fastest response for emerging threats. They are best

suited for front-end or bridgehead servers, where email from external sources

is first received and thus a higher threat level is present. These definitions are

not made available through automated processes such as LiveUpdate, and

must be retrieved either manually or through a scripting process.

■ LiveUpdate Certified definitions

Certified definitions are tested more thoroughly and updated less frequently.

They are automatically retrieved using LiveUpdate. They are more suitable

for servers with user message stores, where definition stability and automatic

updating is more important. Certified definitions are released daily, but are

not made available through LiveUpdate each day. They can also be retrieved

manually or through scripting processes.

If Certified definitions are automatically retrieved using LiveUpdate on a server

with a message store, then the On Virus Update Force Rescan option must be

enabled. This ensures that all messages are scanned with the latest virus

definitions prior to end-user access.

File Filtering Rule

Symantec Mail Security for Exchange comes with the File Filtering - File Name

Rule. This rule detects common virus-carrier file types and blocks them

automatically, even when they are contained in a zip file. The associated match

list contains examples of the most common virus carriers. Because these files are

not generally needed for regular business communication, it is relatively safe to

block them by default. Enabling this rule protects the Exchange server from new

threats, even before virus definition updates are available, by blocking based on

the file extension.

Zip file recommendations

Zip and other container files have been used to carry threats in recent outbreaks.

How a company handles zip files is dependent on its threshold for risk. Some

companies block all container files, while others take a more discriminatory,

granular approach.

Mail Security for Exchange provides the following features to handle zip files:

■ Handles password-protected zip files with an exception rule (Encrypted File

Rule) to allow different dispositions to be selected.

This allows zip files, unless they are password protected. Password-protected

zips can be quarantined or deleted.

■ Blocks certain attachment types, even when they are found in a zip file.

This allows the System Administrator to specifically block dangerous

attachment types, even if they are in a zip file. Less dangerous and more

business-critical documents, for example, Microsoft Office documents, can be

allowed in a zip file, while the more frequent carriers of threats (for example,

*.exe, *.bat, and *.scr files) can be blocked.
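The file-name rule and the zip-handling behaviour described above (block carrier types even inside a container, treat password-protected zips separately) can be sketched as follows. This is an added illustration, not Symantec's code or the product's rule engine; the function names, nesting limit and size budget are assumptions, and the sample archives are constructed in memory.

```python
import io
import zipfile
import zlib
from pathlib import PurePosixPath

# Assumed policy values; only the three extensions come from the text above.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".scr"}
MAX_DEPTH = 3                        # assumed limit on nested containers
MAX_UNPACKED_BYTES = 50 * 1024 ** 2  # assumed budget against decompression bombs


def extension(name):
    """Lower-cased final extension; trailing dots and spaces are dropped, as Windows does."""
    cleaned = name.replace("\\", "/").rstrip(". ")
    return PurePosixPath(cleaned).suffix.lower()


def evaluate_attachment(name, data, depth=0):
    """Return (disposition, reason); disposition is 'allow', 'block' or 'quarantine'."""
    ext = extension(name)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked file type: {name}"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if ext == ".zip":
            return "quarantine", f"unreadable container: {name}"
        return "allow", "no rule matched"
    if depth >= MAX_DEPTH:
        return "quarantine", f"containers nested deeper than {MAX_DEPTH}: {name}"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            # With ordinary zip encryption the member names stay readable,
            # so the file-name rule is applied before anything is unpacked.
            for m in members:
                if extension(m.filename) in BLOCKED_EXTENSIONS:
                    return "block", f"blocked file type {m.filename} inside {name}"
            # Bit 0 of the general-purpose flags marks a password-protected member.
            if any(m.flag_bits & 0x1 for m in members):
                return "quarantine", f"password-protected container: {name}"
            if sum(m.file_size for m in members) > MAX_UNPACKED_BYTES:
                return "quarantine", f"unpacked size over budget: {name}"
            for m in members:
                disposition, reason = evaluate_attachment(m.filename, zf.read(m), depth + 1)
                if disposition != "allow":
                    return disposition, f"{name} -> {reason}"
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError, zlib.error):
        return "quarantine", f"unreadable container: {name}"
    return "allow", "no rule matched"


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; constructed sample input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag on a single-member sample, so no real cipher is needed."""
    raw = bytearray(zip_bytes)
    raw[6] |= 0x01                               # flags field of the local file header
    raw[raw.rindex(b"PK\x01\x02") + 8] |= 0x01   # flags field of the central directory entry
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "report.zip": make_zip({"q3.docx": b"constructed document"}),
        "invoice.zip": make_zip({"invoice.pdf.EXE": b"constructed"}),
        "outer.zip": make_zip({"inner.zip": make_zip({"run.bat": b"constructed"})}),
        "secret.zip": mark_encrypted(make_zip({"secret.txt": b"constructed"})),
    }
    for sample_name, payload in samples.items():
        print(sample_name, evaluate_attachment(sample_name, payload))
```

The order of checks means a blocked name inside a password-protected zip is still blocked rather than merely quarantined.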

Best practices for protecting the network perimeter at the gateway server tier

For SMTP gateway perimeter protection, Symantec offers the following methods

of implementing email security solutions:

■ Software-based

■ Appliance-based

■ Hosted service

Organizations with more than a few hundred email clients typically choose either

a software-based or appliance-based solution. Smaller companies typically choose

the hosted service solution, in which the software and systems are located off-site

at a hosting provider, and internet email streams are redirected to the provider

for scanning.

Choice of solution formats

For companies with more than 1,000 nodes, Symantec offers the following

appliance-based and software-based solutions to protect the network perimeter:

■ Symantec Mail Security 8260 appliance

■ Symantec Mail Security for SMTP software (formerly Symantec BrightMail

AntiSpam software)

■ Symantec Hosted Mail Security

The availability of resources and expertise varies from company to company.

Therefore, the choice of solution format is typically based upon environmental

factors and preferences. All solution formats offer the same technology; only the

delivery format differs. Where smaller companies often choose the hosted service,

companies with more than 1,000 employees generally choose the appliance or

software formats.

Table 5-5 lists the advantages unique to the appliance and software formats.

Table 5-5 Software-based and appliance-based solutions

Format: Software
Description: Application software must be installed on customer-provided hardware and operating system
Advantages:
Gives you complete control over your entire environment, including choice of hardware and operating system.
Provides highly-integrated antispam, virus protection, and content filtering technologies. For emergency updates or upgrades, the fewer the number of components, the easier it is to ensure compatibility and uptime.
A single vendor is responsible for both the security technology and response components. This eliminates finger-pointing between vendors.

Format: Appliance
Description: Application software comes pre-installed on vendor-maintained operating system and hardware
Advantages:
No operating system or compatible hardware to acquire and maintain.
No software to install.
Application and operating system updates can be automated.
Initial security hardening and subsequent patching provided by vendor.
A global support contract with hardware replacement is available.

The preferred solution for companies with 1,000 to 2,500 employees is to deploy

the Symantec Mail Security 8260 appliance. This all-in-one deployment option

requires no ongoing administration or tuning. Timely and secure updates are

delivered automatically. This solution provides 24x7x365 protection from new

spam and virus attacks.

Symantec Mail Security deployment

Whether Symantec Mail Security is deployed on a server or by using the 8200

series appliance, Symantec Mail Security provides comprehensive, integrated

gateway messaging security. It stops spam and phishing attacks at the gateway,

prevents viruses from reaching your email servers, and controls inbound and

outbound content contained in email messages.

These technologies are integrated via an administration console that provides a

single, comprehensive method for managing and enforcing policies, and viewing

trends across multiple systems. The same set of deployment considerations applies

to both technologies.

For companies who choose the appliance option, the IT staff can configure each

Symantec Mail Security server, or 8260 appliance, to operate in a number of

different roles.

Table 5-6 describes the roles performed.

Table 5-6 Symantec Mail Security for SMTP roles

Role: Scanner
Description: Performs email filtering
One or more scanner servers or appliances can be set up

Role: Control Center
Description: Manages the server or appliance systems
Each SMS for SMTP installation has one Control Center. The Control Center can manage multiple scanners. The Control Center also hosts Quarantine, a component that stores spam messages and provides end-users access to their spam messages. Administrators can also configure Quarantine for administrator-only access. Use of Quarantine is optional.

Role: Control Center and Scanner
Description: Performs both functions
A dual-role deployment is suitable for smaller installations

For companies with more than 1,000 employees, Symantec recommends that two

SMS for SMTP servers or appliances be configured as inbound and outbound

relays (scanners) as follows:

■ One system runs a scanner to scan inbound and outbound email, and also runs

the Control Center and Quarantine server.

■ The appliance system runs only the scanner to process inbound and outbound

email.

Inbound traffic configuration

Traffic enters your network through the outer firewall. With both SMS for SMTP

systems operating as inbound relays, inbound message traffic can be routed to

them via a DNS round robin server or a load balancer.

The DNS round robin server is a less expensive option than a hardware load

balancer. Hardware load balancers are more robust and responsive than DNS

servers, and provide a higher degree of flexibility. However, the DNS server option

is often sufficient for organizations with fewer than 3,000 nodes.

Table 5-7 shows how email traffic is handled by SMS for SMTP.

Table 5-7 Symantec Mail Security for SMTP traffic routing

Traffic: Clean messages
Routing method: Clean messages are delivered to the Exchange mail servers via a Smart Host configuration

Traffic: Infected messages
Routing method: Messages that require quarantine are stored on the Control Center/Quarantine server

Traffic: Primary MX records
Routing method: Assigned to both 8260 appliances

Symantec recommends that your outer firewall be configured as a transparent

SMTP proxy. This configuration is necessary because it enables the SMS for SMTP

to receive information about source IP addresses. As the SMS for SMTP filters IP

addresses, it attunes itself to the local environment in order to filter more

effectively.

Symantec Gateway Security 5400 and 5600 series provide transparent SMTP

proxy features. For firewalls without this feature, it is recommended that system

administrators configure their routers to pass all port 25 traffic directly to the

SMS for SMTP servers, or 8260 appliances, thus bypassing the firewall for SMTP

traffic.

Both content and IP-based filtering are handled by SMS for SMTP. To configure

IP-based filtering, system administrators can enable the Email Firewall feature

in SMS for SMTP. The Email Firewall feature provides IP-based filtering to reduce

traffic at the TCP/IP layer, and reduce the volume of data that requires processing

by the application. Filtering at this layer is an effective complement to content

filters.

However, to set up a full TCP/IP filtering layer, administrators must install the

Symantec Mail Security 8160 appliance. The 8160 appliance provides full

traffic-shaping of incoming network traffic.

Outbound traffic configuration

Outbound email is routed through the SMS for SMTP systems. With both SMS for

SMTP systems operating as outbound relays, outbound message traffic can be

routed to them via a DNS round-robin server or a load-balancer. System

administrators can reconfigure end-user email clients, or configure the Exchange

servers to route all outbound traffic through the outbound SMS for SMTP systems.

Depending upon company policy requirements, system administrators can

implement custom content filters that are specific to outbound email compliance

policies. They can tag, report on, or spool email for later analysis and archiving

using Veritas Enterprise Vault™.

Chapter 6: Using Symantec IM Manager

This chapter includes the following topics:

■ About Symantec IM Manager

■ Best practices for preparing the IM Manager environment

■ Best practices for configuring IM Manager

■ Archiving instant messages to Enterprise Vault

■ Best practices for IM Manager security

■ Best Practices for IM Manager backup and recovery

■ IM Manager use cases

About Symantec IM Manager

Symantec IM Manager is the industry’s most widely deployed and trusted solution

for secure IM management. IM Manager enables organizations to control the use

of public and enterprise instant messages for real-time communication, while

ensuring compliance with legal and corporate governance policies.

With scalability, reliability, and extensibility, IM Manager manages, secures, logs,

and archives all instant message traffic with certified support for public and

enterprise instant message networks, including AOL, MSN, Yahoo!, ICQ, IBM Lotus

Instant Messaging, Microsoft Office Live Communications Server 2003/2005,

Jabber, Reuters, and others.

IM Manager empowers businesses of all sizes, across all industries to perform the

following tasks:

■ Manage and control instant messaging to drive business value and eliminate

organizational risk

■ Secure corporate networks against IM security threats like IM viruses, malware,

spam, and intellectual property loss

■ Satisfy regulatory compliance, corporate governance, and internal IT

compliance standards for logging, archiving, and auditing instant message

conversations

IM Manager removes the burden of securing and managing disparate instant

message networks and protocols, providing a single flexible solution for instant

messaging management, security, and compliance. This further enhances the

value of real-time communication and collaboration.

Best practices for preparing the IM Manager environment

Before IM Manager can be installed in a Microsoft Windows environment, the

following preparations are necessary:

■ Install third party products

See “Installation prerequisites” on page 118.

■ Gather information required to install IM Manager

See “IM Manager installation information” on page 119.

■ Determine SQL server installation requirements

See “SQL server installation requirements” on page 119.

Installation prerequisites

The following bullet items reflect the minimal third-party software products that must be installed on the host server, according to each IM Manager component that is installed. For the full list of supported third-party software, refer to the Symantec IM Manager 8.0 Installation Guide.

■ Microsoft Windows Server 2000 with SP3 or Windows 2003 latest service packs

■ Windows 2003 Components ASP.NET, IIS, MSMQ

■ Windows Internet Explorer 6.0

■ MDAC 2.8 or later

■ XML Core Services 4.0 SP2

■ Access to MS SQL or MSDE installed database

IM Manager installation information

IM Manager requires the following information during the installation process:

■ Permissions for each server on which the installation is run

The installer must be run by a user who has appropriate administrator permissions.

■ A service account for IM Manager services

In domain deployments, this account must be a member of the domain, and

be an administrator on the local machine. It is recommended that the Enterprise

Vault Service Account be used to install IM Manager.

■ A valid IM Manager License file.

The full path to the license file is required.

SQL server installation requirements

The SQL Server installation requirements consist of the following items:

■ Server location (FQDN, hostname or IP address) and database name.

The IM Manager installation program will create database schema or attach

to an existing IM Manager schema.

■ Set of administrative credentials with appropriate permissions to create

database and users

If Windows authentication is used, then the service account must have

permissions. If SQL authentication is used, then the SQL account must have

the appropriate permissions. This is usually the “sa” account, but it may be

another account that has been granted the appropriate permissions.

Best practices for configuring IM Manager

The specific configuration strategy that is chosen depends on the goals of the

organization. For IM Manager to capture instant message traffic, instant message

clients must connect to the IM Manager server. Clients that connect directly to

the Internet without passing through the IM Manager server are not managed.

For this reason, it is important that your environment limit the ability of clients

to connect to the Internet directly.

The most secure environment is one where the user’s desktop is blocked by the

corporate firewall from making any direct external connections to the public

instant message networks. Users are permitted to connect to the public instant

message networks only through IM Manager.

It is important that the administrator read through the Symantec IM Manager

DNS and Network Configuration version 8.0 documentation to become familiar

with the IM Manager administrator and configuration tasks. The document also

describes how to map IM Manager to respond to the instant message client

applications, as well as firewall configurations, DMZ deployment, and how to

configure DNS redirection in Windows 2003.

Instant message network strategies

An instant message control strategy includes the following:

■ Instant message clients must connect to IM Manager, and not directly to the

Internet.

This can be done through DNS redirection, or by modification of individual

instant message clients and workstations.

Refer to Symantec IM Manager DNS and Network Configuration version 8.0 for

more information on DNS redirection.

■ The corporate network should block any instant message connections that do

not go through IM Manager. Refer to Symantec IM Manager DNS and Network

Configuration version 8.0 for more information about the ports that are

important for Public IM and IM Manager and on the specific steps necessary

to block IM over HTTP.

DNS rerouting configuration

Each of the public instant message clients depends on a DNS query to make a

connection to the instant message network. Administrators can configure your

company’s DNS to reply with the IP address of the IM Manager server, rather than

an address on the Internet. By controlling the DNS, the instant message clients

connect to IM Manager rather than to the Internet.

IM Manager must find the Internet IP addresses of the public instant message

networks. It therefore cannot use the same DNS server as the end users, because

that server now returns the IM Manager address for those names. In addition, some

IM Manager features require successful DNS lookups of internal corporate servers,

so IM Manager should not use an ISP’s external DNS servers. The

solution is to install a separate DNS service on the IM Manager server for IM

Manager use. While DNS is the recommended and most secure approach, there

are other ways to route traffic to IM Manager. If your organization does not make

the required DNS change, it is possible to modify client host files. Typically, a

company will only need to make modifications to its DNS values.

Table 6-1 Public IM network domains

Service provider         Domain name
AOL Instant Messenger    login.oscar.aol.com
                         toc.oscar.aol.com
Yahoo! Messenger         scs.msg.yahoo.com
                         scsa.msg.yahoo.com
                         scsb.msg.yahoo.com
                         scsc.msg.yahoo.com
MSN Messenger            messenger.hotmail.com
ICQ                      login.icq.com

Refer to Symantec IM Manager DNS and Network Configuration version 8.0 for

more information on DNS and network configuration.
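One way to verify the DNS redirection described above from a client workstation, as an added example that is not part of the Yellow Book or of IM Manager. It checks every Table 6-1 domain and also generates the hosts-file fallback; the IM Manager address 10.0.0.25, the 203.0.113.x answers and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Login hosts from Table 6-1 on this page.
PUBLIC_IM_DOMAINS = {
    "AOL Instant Messenger": ["login.oscar.aol.com", "toc.oscar.aol.com"],
    "Yahoo! Messenger": ["scs.msg.yahoo.com", "scsa.msg.yahoo.com",
                         "scsb.msg.yahoo.com", "scsc.msg.yahoo.com"],
    "MSN Messenger": ["messenger.hotmail.com"],
    "ICQ": ["login.icq.com"],
}


def system_resolver(name):
    """Resolve with the DNS servers this workstation is configured to use."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    # Drop any IPv6 zone suffix ("fe80::1%eth0") before comparison.
    return {info[4][0].split("%")[0] for info in infos}


def audit_redirection(im_manager_ips, resolver=system_resolver):
    """Classify each Table 6-1 domain as a client would see it.

    redirected : every answer is an IM Manager address (desired state)
    leaking    : at least one answer is not IM Manager, so a client can
                 reach the public network directly and escape logging
    unresolved : no answer; the client cannot log in, but nothing leaks
    """
    allowed = {ipaddress.ip_address(ip) for ip in im_manager_ips}
    report = []
    for provider, names in PUBLIC_IM_DOMAINS.items():
        for name in names:
            answers = {ipaddress.ip_address(a) for a in resolver(name)}
            unexpected = answers - allowed
            if not answers:
                status = "unresolved"
            elif unexpected:
                status = "leaking"
            else:
                status = "redirected"
            report.append({
                "provider": provider,
                "domain": name,
                "status": status,
                "unexpected": sorted(str(a) for a in unexpected),
            })
    return report


def hosts_file_lines(im_manager_ip):
    """Hosts-file entries for clients whose DNS cannot be changed."""
    ip = str(ipaddress.ip_address(im_manager_ip))  # rejects malformed input
    return [f"{ip}\t{name}"
            for names in PUBLIC_IM_DOMAINS.values() for name in names]


# Constructed sample answers standing in for a real internal DNS server.
IM_MANAGER_IP = "10.0.0.25"
SAMPLE_ANSWERS = {
    "login.oscar.aol.com": {"10.0.0.25"},
    "toc.oscar.aol.com": {"10.0.0.25"},
    "scs.msg.yahoo.com": {"10.0.0.25"},
    "scsa.msg.yahoo.com": {"10.0.0.25"},
    "scsb.msg.yahoo.com": {"10.0.0.25", "203.0.113.10"},  # stale record
    "scsc.msg.yahoo.com": {"10.0.0.25"},
    "messenger.hotmail.com": {"203.0.113.20"},            # never overridden
    # login.icq.com deliberately has no record
}


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, set())


if __name__ == "__main__":
    for row in audit_redirection([IM_MANAGER_IP], sample_resolver):
        print(f"{row['status']:<11} {row['domain']:<24} "
              f"{', '.join(row['unexpected'])}")
```

Run it without the sample resolver (audit_redirection(["<IM Manager address>"])) on a workstation that uses the end-user DNS; any row reported as leaking names a domain that still reaches the public network.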

About IM Manager configuration

IM Manager provides a variety of configuration options for maximum flexibility

in managing instant message traffic. The following features should be configured

for IM Manager to support compliance and archiving. These configurations can

be made through the IM Manager administrative interface.

Refer to Symantec IM Manager Admin Interface Guide version 8.0 for more

information on how to configure IM Manager.

IM Manager can be configured to support the following features:

■ Screen Name Registration

IM Manager allows an organization to take control of public IM usage, and

attach anonymous instant message screen names to corporate identities.

Screen name registration is a configuration option in IM Manager. Specifically,

it is the ability to require screen name registration, so that a user cannot use

instant messaging unless they have gone through the process of registration.

Pairing screen name registration with logging and archiving allows

organizations to understand instant message conversations based on actual

corporate identities, instead of public instant message names.

■ Disclaimers

IM Manager provides the ability to send each participant in a conversation a

disclaimer. This can be customized to tell each user that the conversation is

being logged and archived, as well as any other acceptable information an

organization employs.

■ Logging instant messages

IM Manager can be configured to ensure that all instant messages are captured

to the local database for review and export to Enterprise Vault. For

configuration information on this, refer to the IM Manager customer

self-service portal.

Archiving instant messages to Enterprise Vault

After deploying IM Manager, administrators can archive instant messages to

Veritas Enterprise Vault. IM Manager exports IM conversations as formatted

SMTP messages, and can be configured to forward those messages to a Microsoft

Exchange Journaling mailbox. These messages are then processed, indexed,

archived, and made accessible for search and review by Enterprise Vault.

Figure 6-1 shows the integration between Veritas IM Manager, Enterprise Vault

and the Microsoft Exchange servers.

Figure 6-1 IM Manager, Veritas Enterprise Vault and Microsoft Exchange

integration

To configure the system for instant message capture and export

1 Set up Exchange Server to accept IM Manager messages.

2 Configure IM Manager Directory Integration.

3 Configure the Symantec IM Manager server to deliver SMTP Messages to

Microsoft Exchange.

4 Install the IM Manager Enterprise Vault XSL Transformation file.

5 Configure the IM Manager Export.

Note: Details of IM Manager configuration can be found online at the Symantec

IM Manager customer self-service portal.

In order to export IM messages from IM Manager to Enterprise Vault, the

Transform.xsl configuration file must be downloaded from the IM Manager

customer self-service portal and installed to the IM Manager server. The IM

Manager customer self-service portal can be found on the Internet at the following

URL:

http://www.symantec.com/techsupp/immanager.htm.

To locate the Transform.xsl configuration file, obtain a user account and password

from the IM Manager customer self-service portal and perform a search to find

the Knowledge Base article titled, HOWTO: Export IM Manager conversations to

Veritas Enterprise Vault. You can download the "Transform.xsl" file directly from

the article.

See “Installing the IM Manager Enterprise Vault XSL Transformation file”

on page 127.

Exchange Server setup to accept IM Manager messages

In order for Microsoft Exchange to receive IM Manager instant message transcripts,

administrators must enter the following configurations:

■ Microsoft Exchange accepts incoming SMTP messages on port 25

■ Microsoft Exchange accepts incoming SMTP messages from the IM Manager

server.

In some organizations, the ability to relay messages to the Exchange server is

limited to specific machines. If so, ensure that the IM Manager server has the

ability to deliver SMTP messages to the Exchange server, and that Microsoft

Exchange Journaling is set up. The Microsoft Exchange Journaling Mailbox is used

to export IM messages between IM Manager and Enterprise Vault.

Configure IM Manager directory integration

Before configuring IM Manager to send messages to the Exchange Journaling

mailbox, your system must be prepared by adding users’ email addresses to the

message data in the IM Manager database. Enterprise Vault uses the email address

as the user’s unique identifier. In addition, this allows Enterprise Vault to associate

the transcript with the user for filtering and review purposes.

Note: Prior to performing this step or capturing messages in IM Manager,

administrators must ensure that all users have registered their instant message

buddy names with IM Manager. Refer to the Symantec IM Manager Admin Interface

Guide version 8.0 for more information on user registration.

Setting up user email addresses in IM Manager involves the following procedures:

■ Configure directory access information

See “Configuring directory access information” on page 124.

■ Configure directory field import information

See “Configuring directory field import information” on page 125.

■ Configure directory synchronization schedules

See “Configuring directory synchronization schedules” on page 125.

Configuring directory access information

The LDAP parameters must be entered before starting the LDAP service.

To configure LDAP parameters

1 From the IM Manager Administrator Console, click System Configuration >

Directory Integration > Configuration.

2 Type the connection parameter information as shown:

Directory Server DNS Name: Host name or IP address of the machine where the enterprise LDAP server is installed.

User Distinguished Name: Distinguished Name of the person whose LDAP user account is used to access the LDAP directory. This is optional; if left blank, the account used by the service is used to connect to LDAP.

User Password: LDAP Directory user account password corresponding to the Distinguished Name typed in the User Distinguished Name text box. This is optional; if left blank, the account used by the service is used to connect to LDAP.

Re-Enter User Password: Repeats the user account password, for confirmation purposes.

Port Number: Port number used to access the LDAP Directory server addressed by the entry in the Directory Server DNS Name text box. The standard port for LDAP servers is 389 (the default).

3 Click Submit to save the parameter information.

To start the LDAP update service

1 Open the Windows Management Console, click Start.

2 Right-click My Computer, and then click Manage.

3 To select the LDAP Update service, double-click Services and Applications.

4 Click Services > LdapUpdateService.

5 To start the LdapUpdateService, right-click LdapUpdateService, and click

Start.

When the service is started, IM Manager verifies the connection to the IM

Manager database, automatically retrieves LDAP directory attributes schema,

and inserts each attribute as a record in the IM Manager database fields table.

Configuring directory field import information

When configuring the directory field for import information, the administrator

selects which of the LDAP attribute fields to add to the IM Manager message log

table. At a minimum, the email address for import must be selected. With Active

Directory, this is the mail attribute.

To add LDAP attribute

1 Open the IM Manager Administrator Console, then click System Configuration

> Directory Integration > Field Selection.

2 Click the Add or Remove Fields from Directory link. This opens the Manage

LDAP Fields page in a separate window.

3 On the LDAP Field Selection page, select the check boxes corresponding to

the fields you want to add to the IM Manager database.

4 Click Submit to save the changes and return to the LDAP Field Selection page.

The updated list of selected fields appears in the Corporate (LDAP) Directory

Fields group.

Configuring directory synchronization schedules

Both a cache update and the messages update need to be configured. The cache

update replicates user information from the Directory into the IM Manager

database. The messages update revises instant messages with additional user

information selected in the field selection page.

It is a common practice to schedule the cache update to run once a day, and to

schedule the messages update to run once every thirty minutes.

There are two elements to setting a schedule, as follows:

Start Time: Sets the first possible date and time for execution of the update task.

Frequency: Sets the interval between updates. Set in whole minutes.

After scheduling the recurring LDAP updates, run an immediate LDAP Cache

Update sync before exporting conversations.

To run LDAP cache

1 From the Symantec IM Manager Administrator console, click System

Configuration > Directory Integration > Synchronization.

2 Select the check box for Perform a cache update at the next opportunity.

3 Click Submit to save changes.

Once the LDAP Cache Update completes, IM Manager will enter a successful Mirror

Sync operation on the LDAP history table at System Configuration > Directory

Integration > History.

Configuring IM Manager SMTP delivery to Microsoft Exchange

IM Manager uses the IIS SMTP service built into Windows to deliver instant

message transcripts to the Exchange Journaling Mailbox. Ensure that IIS SMTP

is installed on the same server on which the IM Manager export tool is installed.

Complete the following two procedures to configure and test the IIS SMTP service

for delivery of messages to the Exchange server.

To configure the IIS SMTP service

1 To open the Internet Services Manager, click Start > Programs >

Administrative Tools > Internet Information Services Manager.

2 Expand the server node, right-click on Default SMTP Virtual Server, and

select Properties.

3 Click the Delivery tab, and then click Advanced. The Advanced Delivery

dialog box appears.

4 In the Smart host text box, type the hostname or IP address of your Exchange

server.

5 Click OK to save your changes.

To test the IIS SMTP configuration

1 Change the X-Receiver field to the name of the Exchange journaling mailbox.

2 Change the From field to [email protected], where

yourdomain.com is the email domain of your organization.

3 Change the To field to a valid email address for one of the users in the

organization.

4 Place the modified email message into the SMTP Pickup directory. Verify

delivery of this message to the Exchange journaling mailbox and into

Enterprise Vault Digital Vault.

The following is an example of the modified email message for test

verification:

X-Receiver: [email protected]

Message-Id: 1234513abcdedf

Date: Mon, 10 Feb 2003 14:58:08

From: [email protected]

To: [email protected]

Subject: This is a test SMTP message

This is a test message

Installing the IM Manager Enterprise Vault XSL Transformation file

The IM Manager export tool uses an XSL transformation process to generate the

final SMTP messages that are delivered to Enterprise Vault.

To set up the XSL transform file:

1 Go to the Symantec IM Manager self-service portal located at the following

URL:

http://www.symantec.com/techsupp/immanager.htm.

2 Search for the Symantec KB article "Transform.xsl", and then download the

XSL file.

3 Save the transform.xsl file to the IM Manager server where the export tool

is installed:

c:\Program Files\Symantec\IMManager\IMArchive

4 Open the transform.xsl file in a text editor.

5 Set the value of exportSystem to KVS.

6 Set the value of the journalingEmailboxname variable to the Exchange

journaling mailbox that the Enterprise Vault is processing.

7 Set the value of the fromEmailaddress variable to a valid email address

on your network, such as:

[email protected]

8 Save the transform XSL file.

By default, all dates and times in the body of the email message are converted

to the timezone of the server running the export. If necessary, the timezone

can be changed to UTC by changing the value of useLocalDate to false.

The following is an example of the XSL transform file:

var fromEmailaddress = "[email protected]";

var journalingEmailboxname = "[email protected]";

var useLocalDate = true;

// Set this to 'false' if you want the dates/times in the body

// of the message to be UTC.

// Change this to one of: Legato, KVS, Exchange

var exportSystem = "KVS";
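A check of the four Transform.xsl settings from steps 5 to 7 before the first export run, as an added example that is not part of the Yellow Book or of IM Manager. The function names and the example.com addresses in the samples are constructed; the variable names and the Legato, KVS and Exchange values are the ones shown in the excerpt above.

```python
import re

# Matches active "var name = value;" lines; commented-out lines do not match.
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s*=\s*(.+?)\s*;', re.MULTILINE)
ADDRESS_RE = re.compile(r'^[^@\s"]+@[^@\s"]+\.[^@\s"]+$')
EXPORT_SYSTEMS = {"Legato", "KVS", "Exchange"}  # listed in the file's comment
REQUIRED = ("fromEmailaddress", "journalingEmailboxname",
            "useLocalDate", "exportSystem")


def parse_settings(text):
    """Return {variable: value}; a later assignment overrides an earlier one."""
    settings = {}
    for name, raw in VAR_RE.findall(text):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            settings[name] = raw[1:-1]          # quoted string
        elif raw in ("true", "false"):
            settings[name] = (raw == "true")    # boolean literal
        else:
            settings[name] = raw                # anything else, kept verbatim
    return settings


def validate_for_enterprise_vault(settings):
    """Return a list of findings; an empty list means the steps were followed."""
    findings = [f"{name}: not set" for name in REQUIRED if name not in settings]

    system = settings.get("exportSystem")
    if system is not None:
        if system not in EXPORT_SYSTEMS:
            findings.append(f"exportSystem: {system!r} is not a known value")
        elif system != "KVS":
            findings.append(
                f"exportSystem: {system!r} set, Enterprise Vault needs 'KVS'")

    for name in ("fromEmailaddress", "journalingEmailboxname"):
        value = settings.get(name)
        if value is not None and not (
                isinstance(value, str) and ADDRESS_RE.match(value)):
            findings.append(f"{name}: {value!r} is not an email address")

    if "useLocalDate" in settings and not isinstance(
            settings["useLocalDate"], bool):
        findings.append("useLocalDate: must be true or false")
    return findings


# Constructed samples; the addresses are placeholders, not values from the page.
GOOD_SAMPLE = '''
var fromEmailaddress = "imexport@example.com";
var journalingEmailboxname = "journal@example.com";
var useLocalDate = false;
// Change this to one of: Legato, KVS, Exchange
var exportSystem = "KVS";
'''

BAD_SAMPLE = '''
var fromEmailaddress = "imexport@example.com";
var journalingEmailboxname = "journal";
// var useLocalDate = true;
var exportSystem = "Exchange";
'''

if __name__ == "__main__":
    for label, text in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate_for_enterprise_vault(parse_settings(text)))
```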

Configuring IM Manager export

Configuring the IM Manager export requires the creation and configuration of an

export account.

To configure IM Manager export:

1 At the IM Administrator console, click System Configuration > Export.

2 Click Add Account to configure a new export account.

3 In the Account Name field, type the textual description of the export account.

Keep the Message Suffix and XML Output Directory set to the defaults.

4 Ensure that the Output Directory points to the SMTP Pickup directory on the

IM Manager server.

5 Select the mail attribute in the Directory Fields To Export.

Keep the default file name in Transform XSL, unless you have chosen to

change the name of the XSL Transform file.

6 Click Submit to save the changes.

To schedule an IM Manager export

1 Click Export next to the export account name that was just created. This

displays the Export job Date Criteria tab. Most organizations run the export

on a nightly basis, and export all messages accumulated since the last export.

2 Select either the Date Range or Relative Days Range radio button.

3 Input the date range you want to search for in the At Most text box and the

Not Less Then text box, or input it manually through the calendar view.

4 Click the Filter tab.

5 Type the domain name for email addresses in your organization in the Active

Directory Fields > Mail textbox.

This is necessary so that only conversations that have been synchronized

with email addresses are exported.

6 Click the Schedule Settings tab.

7 Select the Repeating radio button.

8 Enter the starting date and time and the frequency.

9 Enter domain\username and password to start the scheduled job.

10 Click Export to set up the export job.

11 If you want to perform a test, select the Immediate radio button, and then

click Export. You will need to reconfigure the Repeating export settings.

Best practices for IM Manager security

Customers of IM Manager have the ability to protect their organizations against

instant message security threats. With the use of content filtering, spam blocking,

and client version control, organizations can protect themselves against instant

message security threats. Adopting the following instant message security best

practices reduces the risk of compromise due to instant message security threats.

Threat protection and SPIM filtering

With Symantec IM Manager 8.0, customers using the Real Time Threat Protection

System are continually protected against known spammers and instant message

worms. When a threat is identified, the Symantec security team produces new

content filters that are automatically deployed to IM Manager customers.

Additionally, IM Manager monitors instant message traffic for any instant message

threat outbreaks in your environment. IM Manager has an heuristics-based,

anomaly-detection filter that responds if instant message traffic starts to mimic

that of an instant message threat. If this occurs, the user is quarantined and data

is sent to Symantec Security Response for review. This provides real-time threat

protection of instant messages.

To verify that you are protected, open the IM Manager Administrator Console

and navigate to the System Dashboard. The section Threat Protection Status

indicates when your system was last updated with filtering definitions.

Instant message client version control

Organizations should standardize the set of instant message clients they use.

Standardization allows organizations to keep control of the desktop environment,

and ensures that vulnerabilities in instant message clients are less prevalent.

These vulnerabilities include buffer overflows and client side security holes. Use

of the IM Manager Client Version Control feature allows IT organizations to control

exactly which versions of clients are sanctioned on their network. Refer to the

Symantec IM Manager Administrator's Guide for information on setting up Client

Version Control.

Best Practices for IM Manager backup and recovery

Symantec IM Manager 8.0 seamlessly manages, secures, logs, and archives

corporate instant-messaging traffic with certified support for public and enterprise

IM networks. The basic IM Manager 8.0 installation includes the IM Manager

server and the IM Manager database. The database manager holds all of the critical

data needed for IM Manager to operate, including configuration and data files.

Microsoft SQL Server 2000 SP4 is the database revision recommended for this

solution.

Backing up critical application data on a regular basis is crucial to an effective

backup and recovery plan for IM Manager.

The following databases and configuration files should be backed up on a regular

basis:

SQL: The SQL Server database is the repository for all instant message conversations.

Transform.XSL file: IM Manager holds critical configuration information within the transform XSL file.

Enterprise Vault: It is important to follow all recommended backup procedures for Enterprise Vault, with specific attention paid to the Vault Store directories that will house the IM Manager archives.

SQL Server database backup recommendations

It is vital that you perform data backups, and monitor database storage usage on

a daily basis. The SQL database objects associated with IM Manager are critical

to IM Manager functionality. Symantec recommends regular backups and

consistent monitoring of the database to ensure continuous availability.

As with any software that relies on a SQL database, it is highly recommended that

an administrator is familiar with SQL Server best practices, in order to determine

the point-in-time versus point-of-failure restore levels that would be acceptable

during a recovery scenario. The frequency of database and transaction log backups

should correspond to your recovery point objectives.

A complete backup of the IM Manager environment requires backing up the

following components:

■ The IM Manager database as part of the regularly scheduled infrastructure

systems backup jobs

■ The TRANSFORM.XSL file with the scheduled database backups

■ The Directory database transaction logs at least daily

■ The system databases, especially Master and MSDB, after any change

More information about SQL Server backup best practices can be found by

searching the Microsoft SQL Web site.

Recovery after an IM Manager failure

IM Manager failure can be defined in several different ways:

■ The IM Manager server may fail and need to be recovered or replaced.

■ The IM Manager database (configuration information and actual data) may

become inaccessible or unavailable.

■ The Database server may fail and need to be recovered or replaced.

With any of these scenarios, recovery is a simple process. One key point to

remember is that the database holds the IM Manager configuration and the actual

IM data. Once the IM database is available to the IM Manager software, IM Manager

is back online.

IM Manager server failure

If the IM Manager server fails, restore the server by executing your organization's

standard procedure for restoring a failed server. Once the server is brought back

into service, re-install the IM Manager software.

During installation you will need to specify a database for IM Manager to attach

to. You will need to supply the location of your SQL Server and a temporary name

of the new database that the installation process requires to complete an IM

Manager install. Once the installation is complete and the original SQL Database

is restored and available, change the IM Manager Database settings to point to

the restored database location. This is done from the IM Manager Administrator

UI under the System Configuration, Database settings page.

Another consideration during recovery is the DNS or host file settings for the IM

Manager. During the initial installation of IM Manager, the DNS or host files are

configured to ensure IM traffic is routed through IM Manager. If this recovery

scenario resulted in any change to the system name or IP information, that

information will need to be updated.

Refer to the Symantec IM Manager DNS and Network Configuration version 8.0

documentation for detailed information.

IM Manager data corruption

When the IM SQL server database has become corrupted or unavailable, the data

must be restored from the backups. Based on a backup schedule, recent backups

will be available with data up to the time of the last backup. Recover this SQL data

as outlined in the Backup Exec Administrators Guide. Since the SQL server name

or SQL Database name does not change, no other action should be required for

IM Manager to resume operation.

IM Manager database server failure

When the SQL Server has failed or become unavailable, replace or fix the server

based on company procedures for a failed infrastructure server. If that procedure

calls for that server to be recovered to its original state, when it is back online

and SQL has been re-installed or recovered, the IM Manager database can be

recovered. This is done by executing a SQL Database restore, as described in the

Backup Exec Administrators Guide.

Once recovery is complete, ensure the SQL Server name and database instance

information is correct in the IM Manager MMC Snap-In Database settings and

the IM Manager Administration UI Database settings. In this instance, the SQL

Server name and database instance name should not have changed from its original

state.

If the procedures call for putting a new or different SQL server into production

to minimize down time, then when that SQL server is online, perform a “redirected

SQL restore” as outlined in the Backup Exec Administrators Guide to the new SQL

instance. Once the IM Manager SQL database is recovered on the new SQL server,

change the settings in the IM Manager MMC Snap-in, as outlined earlier.

Additionally, the web services for IM Manager will need to be modified to

accommodate the database change.

In the following two recovery scenarios, it is assumed that the IM Manager server

does not change from the original installation and configuration. If that is true,

then no additional consideration for DNS or host file changes are needed, as those

settings apply only to the IM Manager server.

To modify the IM Manager Web Services to accommodate a new or different SQL

server

1 Start the Installation program from the media used to install IM Manager.

2 At the Welcome page of the installation program, choose to Modify the

installation, and click Next.

3 If asked for the user credentials, provide the ones used during the initial

installation, click Next.

4 At the prompt to continue using the existing License Key from your IM

Manager installation, click Yes to continue.

5 In the IM Manager Setup Wizard, uncheck Administrator, User and Reviewer

Interfaces, and click Next.

This action also unchecks the Administrator Service selection. This action

may take a few minutes to complete. Wait for the instructions to continue.

6 When prompted, click Finish to reboot the server for changes to take effect.

7 Once the server has rebooted and is back online, restart the IM Manager

Installation program from the original installation media.

To restart the IM Manager Installation program from the original installation media

1 At the Welcome page of the installation program, choose to Modify the

installation, and click Next.

2 If asked for the user credentials, provide the ones used during the initial

installation, click Next.

3 At the prompt to continue using the existing License Key from your IM

Manager installation, click Yes to continue.

4 In the IM Manager Setup Wizard, place a checkmark in Administrator, User

and Reviewer Interfaces. Also place a checkmark in Administrator Service,

and click Next.

5 In the Modify IM Manager Wizard, specify the name of the new SQL server

and the SQL database (as well as SQL user credentials if applicable). Click

Next.

It may take a few minutes to complete this action. Wait for the Finish page

to appear before continuing.

6 Click Finish to close the wizard and complete the procedure to recover IM

Manager.

IM Manager use cases

According to a recent Radicati Group report, a majority of businesses are now

reporting regular use of instant messaging. Employees are often downloading and

using many different instant messaging clients, such as AOL, MSN or Yahoo!

without supervision or direction. It is clear that organizations are gaining benefits

from instant messaging use. Productivity gains include increased global real-time

communication and lower phone, travel and collaboration tool costs. However,

this highly-connected and networked world presents many security and

management challenges. Providing security for the modern multi-vendor,

multi-protocol, and ever changing instant messaging environment is a challenge

for the IT organization.

Symantec provides a complete security, compliance, and management solution,

so instant messaging can be offered as a supported, or at least a controlled service

to an organization. By implementing Symantec technologies, an organization can

log and archive all instant messages, scan all instant messages for malware and

viruses, control all instant messages, and provide visibility of how instant messages

are utilized in the enterprise.

In summary, by deploying IM Manager and archiving instant message

conversations to Enterprise Vault, organizations are not restricted from the

continued use of instant messages with multiple instant message providers.

Instant message security and threat protection use cases

The following use cases serve to illustrate how IM Manager can be used to provide

security and protect instant messaging environments from external threats. Use

these IM Manager capabilities as appropriate in your organization.

■ Set up internal message routing

See “Set up internal message routing for AOL, MSN, Yahoo, Google” on page 135.

■ Configure real-time threat protection

See “Configure the real-time threat protection system” on page 135.

■ Block outbound instant message file transfer

See “Block outbound instant message file transfer” on page 136.

■ Integrate IM Manager with Symantec scan engine

See “Integrate IM Manager with an existing Symantec security scan engine”

on page 136.

■ Disable use of unsanctioned instant message protocols

See “Disable use of unsanctioned protocols” on page 137.

Set up internal message routing for AOL, MSN, Yahoo, Google

All public and enterprise instant message systems, including AOL, MSN, Yahoo,

Microsoft Office Live Communications and more, enable organizations to use

different instant message networks. If an instant message conversation is occurring

between corporate employees, instant message logic can prevent that conversation

from leaving the corporate domain, and traveling over the public instant message

system.

Normally, instant message messages are routed through the Internet even when

both parties to a conversation are logged into the same organizational network.

Users may assume that their messages are secure, as long as they are directed to

people within the same enterprise (on the company intranet). These users may

unwittingly send confidential information based on that assumption. Internal

routing allows the IM Manager administrator to protect messages between internal

users by rerouting the messages within the organizational intranet.

To route instant messages within the organizational intranet

1 Open the IM Manager Administrator console, and go to the following URL:

http://localhost/IMManager/Admin/IMAdminNav.asp

2 Click Security Settings > Internal Routing.

3 Select from any of the public instant message clients that you want to enable

for internal messaging (MSN, Yahoo, Google, AOL, ICQ).

Configure the real-time threat protection system

Administrators can selectively disable enterprise-wide access to specific public

instant message clients, and secure corporate networks against instant message

vulnerabilities. The Real-Time Threat Protection System integrates anti-virus

scanning, instant message content filtering, and advanced Spam detection and

blocking. It also has direct integration with the IMlogic Threat Center for predictive

threat protection, and automatic, real-time instant message worm and virus

updates.

To verify that outbound instant message file transfers are blocked

1 Open IM Manager Administrator console and go to the following URL:

http://localhost/IMManager/Admin/IMAdminNav.asp

2 Click Threat Protection > RTTPS.

3 Click Settings.

4 Verify the RTTPS filter is enabled in block mode. The RTTPS filter is enabled

by default during installation.

Block outbound instant message file transfer

IM Manager’s Default Rules allow instant message administrators to enable users

to transfer files through their instant message client at the enterprise level, and

retain copies of transferred files, if desired. IM Manager also provides the ability

to block files from being transferred from outside the network. Blocking files

provides more protection against viruses and other malicious threats.

To block outbound file transfer

1 Open IM Manager Administrator console and go to the following URL:

http://localhost/IMManager/Admin/IMAdminNav.asp

2 Click Rules Manager > Default Rules.

3 On the Default Rules page under Type find File transfer On/Off, and under

the control column click Edit.

4 Under Options and Values, uncheck the Enable file transfer box, if checked.

5 Click Submit.

6 Open two instant message clients, and validate that no files can be sent from

either user.

When a user tries to send a file, the message “IM username has declined your file transfer” should appear in that user's instant message text box, and the file is not sent.

Integrate IM Manager with an existing Symantec security scan engine

Integrated with leading anti-virus scan engines, IM Manager seamlessly scans

and filters all instant message file transfers, and ensures inappropriate or

malicious instant message content is not transmitted. IM Manager allows an

administrator to scan a file that has been transferred via instant message, but is

not exported into the Enterprise Vault archive. IM Manager places the transferred

or scanned file at the file system level.

To integrate IM Manager with a security scan engine

1 Install the Symantec Scan Engine software on the IM Manager server.

2 From the IM Manager server, expand the following: Start Menu\Program files\Symantec IM Manager\Symantec IM Manager MMC Snap-In

3 Once the MMC Snap-In is open, right-click IM Manager and click Properties.

4 In the IM Properties dialog box, click Virus Scanning Tab.

5 On the Virus Scanning Tab properties page, add a checkmark in the box Enable

Virus scanning.

6 From the Virus scanning engine drop down box, select Symantec Virus Scanning.

7 Type the Hostname or IP address, or leave the default as Local host.

8 Leave the default as Port 1334.

Disable use of unsanctioned protocols

An organization may want to standardize on one instant message network. If

there is more of a threat associated with one particular network, then it might

make sense to set rules within the company. IM Manager provides the ability to

create rules that can be managed by the administrator. It also provides the ability

to create groups that may need to communicate to customers using a medium

other than the established instant message network.

To disable use of unsanctioned protocols

1 Open IM Manager Administrator console, and go to the following URL:

http://localhost/IMManager/Admin/IMAdminNav.asp

2 Click Rules Manager > Default Rules to load the Default Rules page.

3 Edit the Logging Level rule which can be found under the type column.

4 Under Options and Values select the radio button Drop messages entirely.

5 Click Submit to save the changes.

6 In the Default Rules page, click on the instant message network that you want

your users to stop using (for example, MSN instant message network).

7 Edit the Logging level rule for MSN Login ON/OFF.

8 On the Add/Edit rule page under Options and Values, uncheck the option to

allow user to login, and click Submit.

Users should not be able to login to the instant message network you specified.

Instant message logging for journaling and policy enforcement use cases

The following use cases serve to illustrate how IM Manager can be used to deploy

message logging, journaling and policy enforcement. Use these IM Manager

capabilities as appropriate in your organization.

■ Require instant message screen name registration

See “Require instant message screen name registration with Active Directory”

on page 138.

■ Disable or enable conversation logging

See “Disable or enable conversation logging as a default” on page 139.

■ Configure XML and XSL data exports

See “Configure XML and XSL data exports for instant message journaling” on page 140.

■ Perform an EV search for a keyword

See “Perform an Enterprise Vault keyword search” on page 141.

■ Back up IM Manager database

See “Back up IM Manager database” on page 142.

Require instant message screen name registration with Active Directory

Administrators can eliminate risks from malicious instant messages by mapping

instant message screen names to business users through integration with existing

corporate user directories. Policy controls can also be set for user profiles in the

corporate directory, to ensure user authentication before allowing access to instant

message networks. IM Manager also provides support for federated and external

users to extend secure instant message management across corporate network

boundaries. IM Manager can also be configured to associate instant message

screen names to the corporate user directory.

To require instant message screen name registration

1 Open the IM Manager Administrator console, and go to the following URL:

http://localhost/IMManager/Admin/IMAdminNav.asp

2 Click Security Settings > User Registration option to load the User

Registration page.

3 Ensure that the Require IM Screen-name Registration checkbox is checked,

and that the Auto Register IM Screen Names checkbox is unchecked.

4 If the user is not registered they will be provided with the following message:

“You cannot login to the IM Network because you have not registered your

IM screen-name. Contact Symantec's internal global IT helpdesk for

assistance.” This message can be changed to convey whatever you want it to,

in your environment.

5 Once the user has been registered within IM Manager, then the user should

not get the message when another instant message user is registered in the

environment.

Disable or enable conversation logging as a default

Some organizations might need to restrict certain internal groups from sending

instant message messages to other internal groups. For example, a brokerage firm

may choose to enable all its employees to use instant message networks internally,

but need to restrict the Business Research Group from communicating with the

Trading Group. Conversely, a pharmaceutical company may choose to disable all

its employees from instant message network access, but need to enable only the

Regulatory Affairs Group to conduct instant message communication with Clinical

Trials Groups.

To selectively enable or disable instant message communication

1 Open the IM Manager Administrator console, and go to the following URL:

http://localhost/IMManager/Admin/IMAdminNav.asp

2 Click Rules Manager > Default Rules option to load the Default Rules page.

3 On the Default Rules page, edit the Logging Level rule.

4 On the Logging Level rules page under Options and Value, click the Drop message entirely radio button.

5 Click Submit to save changes.

6 At the IM Manager Administrator console, click User Management > Groups > Add Groups.

7 At the top of the application window, select the click here hyperlink to create a new group.

8 Type a name for the new group, for example, Engineering, and click Submit to save the changes.

9 Click Manage Groups to search for the new group that you created.

10 In the search by box, type the name of the new group that you created in the group name field, and click Submit.

11 In the Search Results, the new group name should be listed.

12 In the Search results group summary, in the options column, click the Add User to this group icon.

13 In the Display name field, type an instant message user's name, for example, IMuser1 and IMUser2, and click Submit.

14 In the Search result box, highlight IMuser1 and IMUser2. Click the arrow button to move the IMUsers to the new group. Click Done.

IMuser1 and IMUser2 are now part of the Engineering group.

15 At the IM Manager Administrator console, click Rules Manager | Default Rules | Search and Add Rules.

16 From the Add a Rule drop down box, click Logging Level, and then click Add.

17 Under Options and Values, click the Log messages in the database radio button, and click Submit to save changes.

Configure XML and XSL data exports for instant message journaling

IM Manager can archive instant messages to Veritas Enterprise Vault. IM Manager

exports instant message conversations as formatted SMTP messages, and can be

configured to forward those messages to a Microsoft Exchange Journaling mailbox.

These messages are processed, indexed, archived, and made accessible for search

and review by Enterprise Vault.

IM Manager uses the IIS SMTP service built into Microsoft Windows to deliver

instant message transcripts to the Exchange Journaling Mailbox. Ensure that IIS

SMTP is installed on the server on which the IM Manager export tool is installed.

The Symantec IM Manager export tool uses an XSL transformation process to

generate the final SMTP messages that are delivered to Enterprise Vault.

Use the following instructions to set up the IIS service for delivery of messages

to the Exchange server.

To configure IIS SMTP service

1 Open the Internet Services Manager (Start > Programs > Administrative Tools > Internet Services Manager).

2 Expand the server node, and right-click on the default SMTP Virtual Server.

From the shortcut menu that appears, click Properties.

3 Click Delivery tab, and then click Advanced. The Advanced Delivery dialog

box appears.

4 Type the hostname or IP address of your Exchange server in the Smart host

text box.

5 Click OK to save the changes.

To test the IIS SMTP configuration

1 Change the X-Receiver field to the name of the Exchange journaling mailbox.

2 Change the From field to be [email protected], where

yourdomain.com is the email domain of your organization.

3 Change the To field to a valid email address for one of your users in your

organization.

4 Drop the modified email message into the SMTP Pickup directory. Verify

delivery of this message to the Exchange journaling mailbox and into

Enterprise Vault Digital Vault.
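The test in the steps above, scripted as an added example (not part of the Yellow Book or of Symantec's tooling): it builds the message with the X-Receiver, From and To fields, rejects address values that could carry extra header lines, and stages the file outside the Pickup directory before renaming it in, so the SMTP service never sees a half-written file. The example.com addresses, the subject line and the default Pickup path are assumptions; the page names none of them.

```python
"""Build and drop a test message for the IIS SMTP Pickup directory."""
import os
import re
import tempfile
import uuid
from email.message import EmailMessage
from email.policy import SMTP
from email.utils import formatdate, make_msgid

# Assumed default IIS location; the page does not name the Pickup path.
DEFAULT_PICKUP_DIR = r"C:\Inetpub\mailroot\Pickup"

# Plain mailbox only. fullmatch() is used because "$" with match() would
# accept a trailing newline, which is how extra header lines get smuggled in.
_MAILBOX = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def checked(addr):
    """Return addr unchanged, or raise ValueError if it is not a bare mailbox."""
    if not _MAILBOX.fullmatch(addr):
        raise ValueError("not a plain mailbox address: %r" % (addr,))
    return addr


def build_test_message(journal_mailbox, from_addr, to_addr):
    """Return CRLF-terminated message bytes with the three fields from the steps."""
    msg = EmailMessage()
    msg["X-Receiver"] = checked(journal_mailbox)   # step 1: journaling mailbox
    msg["From"] = checked(from_addr)               # step 2: sender in your domain
    msg["To"] = checked(to_addr)                   # step 3: a valid internal user
    msg["Subject"] = "IM Manager journaling test"  # constructed subject
    msg["Date"] = formatdate(usegmt=True)
    msg["Message-ID"] = make_msgid(domain=from_addr.split("@", 1)[1])
    msg.set_content("Constructed test transcript for the journaling path.\n")
    return msg.as_bytes(policy=SMTP)


def drop_into_pickup(data, pickup_dir=DEFAULT_PICKUP_DIR):
    """Stage the file beside pickup_dir, then rename it in (step 4)."""
    # The parent folder is on the same volume, so the rename is a single step.
    staging = os.path.dirname(os.path.abspath(pickup_dir))
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=staging)
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        final_path = os.path.join(pickup_dir, uuid.uuid4().hex + ".eml")
        os.replace(tmp_path, final_path)
    except Exception:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise
    return final_path


if __name__ == "__main__":
    # Placeholder addresses; substitute the journaling mailbox and a real user.
    payload = build_test_message(
        "imjournal@example.com", "imtest@example.com", "user1@example.com"
    )
    print(drop_into_pickup(payload))
```

Delivery still has to be confirmed by hand in the Exchange journaling mailbox and in Enterprise Vault, as step 4 describes.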

To set up the XSL file

1 Download the XSL file from Symantec's IM Manager customer self-service portal located at:

http://www.symantec.com/techsupp/immanager.htm.

Search for the Symantec KB article "Transform.xsl".

2 Save the transform.xsl file to the Symantec IM Manager server where you have the export tool installed, for example, c:\Program Files\Symantec\IMManager\IMArchive

3 Open the transform.xsl file in a text editor.

4 Set the value of exportSystem to KVS.

5 Set the value of the journalingEmailboxname variable to the Exchange

journaling mailbox that the Enterprise Vault is processing.

6 Set the value of the fromEmailaddress variable to a valid email address

on your network such as [email protected]

7 Save the transform XSL file.

By default, all dates and times in the body of the email message are converted

to the timezone of the server running the export. If necessary, the timezone

can be changed to UTC by changing the value of useLocalDate to false.
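A read-back check for steps 4 through 6 and the useLocalDate note, as an added example (not Symantec's code and not part of the Yellow Book). It assumes the four settings are top-level xsl:variable or xsl:param elements, which the page implies but does not show; the embedded stylesheet is a constructed stand-in, not the real transform.xsl.

```python
"""Read back the settings edited in transform.xsl and flag mistakes."""
import xml.etree.ElementTree as ET

XSL_NS = "{http://www.w3.org/1999/XSL/Transform}"

# Constructed stand-in for the vendor file: only the four settings named in
# the steps, assumed to be top-level xsl:variable elements.
SAMPLE_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:variable name="exportSystem">KVS</xsl:variable>
  <xsl:variable name="journalingEmailboxname" select="'imjournal@example.com'"/>
  <xsl:variable name="fromEmailaddress">imexport@example.com</xsl:variable>
  <xsl:variable name="useLocalDate">false</xsl:variable>
</xsl:stylesheet>"""


def read_settings(xsl_source):
    """Return {name: value} for top-level xsl:variable and xsl:param elements."""
    root = ET.fromstring(xsl_source)
    settings = {}
    for element in root:
        if element.tag not in (XSL_NS + "variable", XSL_NS + "param"):
            continue
        select = element.get("select")
        if select is None:
            value = (element.text or "").strip()
        else:
            value = select.strip()
            # select="'KVS'" is an XPath string literal: drop the inner quotes.
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
        settings[element.get("name")] = value
    return settings


def check_settings(settings, journal_mailbox):
    """Return a list of problems; an empty list means the steps were followed."""
    problems = []
    if settings.get("exportSystem") != "KVS":
        problems.append("exportSystem is %r, expected 'KVS'" % settings.get("exportSystem"))
    actual = settings.get("journalingEmailboxname", "")
    if actual.lower() != journal_mailbox.lower():
        problems.append("journalingEmailboxname is %r, expected %r" % (actual, journal_mailbox))
    sender = settings.get("fromEmailaddress", "")
    if sender.count("@") != 1 or any(ch.isspace() for ch in sender):
        problems.append("fromEmailaddress is not a single mailbox: %r" % sender)
    if settings.get("useLocalDate", "true") not in ("true", "false"):
        problems.append("useLocalDate must be true or false")
    return problems


def transcript_timezone(settings):
    """Timezone of dates in exported message bodies, per the page's description."""
    return "UTC" if settings.get("useLocalDate") == "false" else "server local time"


if __name__ == "__main__":
    import sys
    # Usage: script.py <path to transform.xsl> <journaling mailbox name>
    with open(sys.argv[1], "rb") as handle:
        found = read_settings(handle.read())
    for line in check_settings(found, sys.argv[2]) or ["settings match the procedure"]:
        print(line)
    print("transcript timestamps:", transcript_timezone(found))
```

Recording the reported timezone alongside the archive helps when journaled transcripts are later correlated with logs from other systems.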

Perform an Enterprise Vault keyword search

Once integration between Enterprise Vault and IM Manager is completed, searching

is possible for all IM messages that have been journaled and then stored in

Enterprise Vault. Customers can perform searches on specific keywords or search

for entire IM conversations.

To search for a keyword in Enterprise Vault

1 Open the IM Manager Administrator console, and go to the following URL:

http://localhost/IMManager/Admin/IMAdminNav.asp

2 In the username and password dialog box, type a username and password.

The Enterprise Vault browser search window appears.

3 In the Enterprise Vault browser search window, click on the category content,

and type a word, such as IM.

4 Click Search to start the search. The results show all of the IM Manager

instant messages with the word IM in the body of the messages.

Back up IM Manager database

IM Manager stores the instant message conversations and the IM Manager

configuration information within the SQL database. Using Symantec Backup Exec,

administrators can ensure that exposure to data loss is minimized by regular,

scheduled backups of that database.

For more information regarding backing up a SQL database with Backup Exec,

refer to the Backup Exec section in Chapter 8 of this Symantec Yellow Book, as

well as the Backup Exec 10d Administrator’s Guide.

To back up the IM Manager database

1 Ensure the IM Manager database is included in the selection list during the

backup job setup within Backup Exec.

2 Ensure the schedule for the backup job being created is set to run during the

normal backup timeframe.

3 If you are using Enterprise Vault to archive IM Manager data, back up the

transform.xsl file that was installed and configured during your initial IM

Manager setup.

This file is not part of the SQL database backup; it is a separate selection that

will need to be made during the backup job creation. The recommended

location is the following directory: c:\Program Files\Symantec\imarchive\ .

It is normal to have multiple selections for a single backup job.

Chapter 7: Message archiving, retrieval, and storage

This chapter includes the following topics:

■ Microsoft Exchange as an information warehouse

■ Archiving, retrieval, and storage in the Exchange environment

■ Enterprise Vault basics

■ Best practices for planning Enterprise Vault deployments

■ Best practices for sizing Enterprise Vault environments

■ Best practices for preparing the Enterprise Vault environment

■ Best practices for installing Enterprise Vault

■ Best practices for configuring Enterprise Vault

■ Best practices for backing up and recovering Enterprise Vault

■ Common Enterprise Vault challenges and solutions

■ Enterprise Vault usage

Microsoft Exchange as an information warehouse

Increasingly, organizations are using their email storage on Microsoft® Exchange

servers as information warehouses. Because Exchange dates and time stamps

every message it processes, organizations also use Exchange to document the

progress and workflow of business projects.

The knowledge that is contained in email repositories makes the value of email

increasingly important in the modern business enterprise. However, this new

reliance on email has also increased the frustration of email users as they try to

manage, file, and retrieve all of the data that is stored in email archives. It has

also magnified storage issues for IT departments.

To use Exchange as a viable information warehouse, IT organizations must be

able to manage data stores of increasing size, and quickly retrieve relevant

information on request. These tasks are challenging enough, but add to them the

fact that Exchange was never designed to function as a business information

repository. Although companies may be aware of the value of the information

that is contained in Exchange information stores, the unstructured nature of the

Exchange data keeps the information out of the reach of users and organizations.

Archiving, retrieval, and storage in the Exchange environment

In the same way that email security tools act as a first line of defense to keep

unwanted email out of the messaging system environment, email archiving works

to remove saved email messages from the environment, while maintaining the

availability of the data.

The Symantec Enterprise Messaging Management (EMM) solution for Microsoft

Exchange uses Veritas Enterprise Vault to archive Microsoft Exchange email and

instant messages. Enterprise Vault acts as an information warehouse for corporate

data. Organizations can mine the data by using the built-in index and search

technology.

The Enterprise Vault repository is designed to do the following:

■ Flexibly store archived content.

■ Reduce storage size by compression and single-instancing.

■ Index content for rapid and targeted retrieval.

■ Ensure future accessibility by rendering an HTML copy of all archived content.

■ Utilize user-authentication security controls.

■ Define and implement retention and expiration policies.

■ Provide a centralized archiving platform to search IM Manager journal instant messages.

Enterprise Vault can also facilitate migrations and consolidations by reducing

the size of existing data stores.

See “Benefits of using the Symantec solution to manage Exchange migrations”

on page 263.

Support for structured data

Enterprise Vault provides the following support for structured data:

Categorization: Enterprise Vault supports the archival of categorized information that is appended to email information. Categorization is a key driver in the management of email records. It allows organizations to perform tasks such as recalling all email messages that are marked as personal, or retaining all records for a longer period that are marked as business.

Archiving for compliance and discovery: Enterprise Vault works seamlessly with Exchange 5.5/2000/2003 journaling to satisfy the corporate legal and regulatory retention requirements. You can configure Enterprise Vault to retain a copy of all email messages that are sent and received, for the period of time mandated by regulatory or corporate requirements.

Note: Organizations that must respond to legal discovery requests or demonstrate

compliance can deploy Veritas Enterprise Vault Compliance Accelerator and

Veritas Enterprise Vault Discovery Accelerator.

See “About Enterprise Vault Discovery Accelerator” on page 230.

Seamless retrieval of archived email

The following Enterprise Vault capabilities provide seamless retrieval of archived

mail:

Online archive access: Enterprise Vault indexes email, attachments, and all common file types. With an indexed online archive, users can search available content using different keywords and search terms, including Microsoft Outlook® message categories. For example, a firm can quickly recall all email messages and attachments across an organization that relate to a particular category or search term.

Lifetime management of email: Enterprise Vault automatically manages the full email life cycle. It protects corporate intellectual property by retaining access and enabling rapid discovery of content that is based on defined policies. These policies can be applied to an organizational unit (OU) or an individual user.

Public folder archiving: Individual folders or folder hierarchies may be archived and replaced with shortcuts. Folder access controls are synchronized with Enterprise Vault access to control search scope.

Offline vault laptop access: Offline Vault provides laptop access to archived email even when it is not connected to the corporate network. Enterprise Vault requires little bandwidth, and can be configured to provide users with a local Vault on their PC hard drive. At the same time, the user’s email is also archived to the corporate archive, which protects it from loss or damage.

Control of PST archives

Enterprise Vault allows organizations to migrate some or all existing PST file data

into an archive repository. By restoring access and search capabilities to this data,

administrators can eliminate the need for PST files.

Enterprise Vault includes the following features:

■ Server-based pull migration, client-side push migration, or a combination of

both.

■ Identification of the ownership of PST files.

■ Central view of all of the PST files in existence on the entire network, along

with the current migration status of these files.

Reduction in the size of Exchange information stores

Archiving helps to keep email available by controlling the amount of data in the

primary messaging systems. The single best practice for ensuring peak

performance within the Exchange environment is to maintain the smallest possible

Exchange data stores.

Small data stores make the task of migrating to newer releases of Exchange easier.

They also improve performance and significantly reduce the backup window. In

addition, smaller data stores allow for an easier restoration of an Exchange

environment in a disaster recovery scenario.

Administrators can improve Service Level Agreements (SLAs) for backup with

archiving. The majority of data is moved from the Exchange stores, which allows

organizations to plan and carry out SLAs. In addition, users can service their own

requests for old and lost information without using Help Desk or administration

resources.

Enterprise Vault improves performance and lowers costs in the following ways:

Optimizes storage:

■ Reduces Exchange message store size by 50 percent or more

■ Supports any Windows® NTFS-conforming storage solution, including magnetic or optical disks, Storage Area Network (SAN), or Network Attached Storage (NAS)

■ Maintains single-instance storage of identical items

Reduces cost of message retrieval, recovery, and administration:

■ Saves time and money that are spent retrieving and recovering old or lost email

■ Provides immediate recovery of individual mailboxes

Reducing Exchange or file server storage requirements lets administrators

consolidate servers, as more users can be housed and supported on each server.

Enterprise Vault basics

Enterprise Vault provides a flexible archiving framework that lets you discover

content in email, instant messages, file systems, and collaborative environments,

while helping to reduce storage costs and simplify management. Enterprise Vault

manages content by automated, policy-controlled archiving to online stores. It

provides active retention and seamless retrieval of information.

The built-in search and discovery capabilities of Enterprise Vault are

complemented by specialized client applications that support corporate

governance, risk management, and legal protection.

Enterprise Vault is a powerful and complex product. Before it can be deployed, IT

departments should become familiar with its capabilities.

Enterprise Vault installs the following services and tasks:

Directory service: All configuration information for Enterprise Vault is stored in a SQL Server database with the default name of EnterpriseVaultDirectory. The directory service is used to access this database and all information that it contains.

Exchange mailbox task: Each enabled Exchange Server has one Exchange mailbox task that is assigned to it. The Exchange mailbox task scans mailboxes on an associated Exchange Server. It detects any items that are ready to be archived, based on the established policy for users. For example, a policy could be defined to prevent archiving of items that are less than 90 days old. Once an Exchange mailbox task discovers items that match the policy rules for archiving, the Exchange mailbox task passes the items to the Storage Service.

The Exchange Mailbox task uses six Microsoft Message Queues (MSMQ) per service. Each queue has different functions and priorities that can be monitored to verify progress.

Journaling task: Enterprise Vault email journaling is managed by the journaling task. The task is configured to run when a journaling mailbox has been set up for Exchange and its contents are marked for archiving by Enterprise Vault.

PST Migration tasks: Separate Enterprise Vault tasks are available to aid PST migrations. Administrators can manage PST migrations in several ways with Enterprise Vault.

See “PST file migration” on page 271.

Storage service: The storage service manages the vault and archival storage in the following ways:

■ Converts email messages to HTML or text

■ Stores compressed versions of email messages, and stores documents

■ Retrieves archived items for viewing

■ Restores archival items for copying and conversion

■ Deletes archived items upon request

The Storage service creates a compressed version of the item that is being archived on one of the volumes it maintains (for example, an NTFS file system), and then stores metadata about the archived item in the SQL database.

Indexing service: Enterprise Vault indexes all the items that it archives. Search capabilities depend on the level of indexing (brief, medium, and full) that has been established for each Vault Store. Each indexing service can store its indexes in multiple locations. Indexes are created using the AltaVista® search format. Once the index grows to a predetermined size, it automatically creates a new index for better search performance.

Shopping service: Each shopping service stores the shopping basket information that is collected when users invoke the web access application. Each time a user creates a search using the Web application, the shopping service stores information on the volume for that user in order to manage each shopping basket.

Enterprise Vault includes the following:

Vault stores: A Vault Store consists of a SQL database and an NTFS volume, or Network Appliance SnapLock™, or EMC Centera™ storage device. These components house the vault store. When an item is archived, a copy of the item is converted to an HTML or text file. The original and the copy are stored in the Vault Store as a single compressed file.

Metadata is written to the database to identify who has access to the archived item and where the item is stored in the Vault Store.

Vault store partitions: Enterprise Vault uses storage partitions to collect the files for all archives. A partition can be open to allow Enterprise Vault to write archived data to it. A partition can also be closed to prevent the partition from being used to archive.

Indexes: To search and locate archived items, Enterprise Vault creates an index of all the items that it archives. brief, medium, or full indexing.

Web access application: Enterprise Vault includes a web access application that is used to perform certain search functions using a GUI interface. The default URL for the web access application is http://<ServerName>/EnterpriseVault.

Best practices for planning Enterprise Vault deployments

Administrators can customize Enterprise Vault with policies that fit many unique

environments. In general, the investment of effort required to do this is comparable

to the effort required for the implementation of an initial Exchange environment.

Symantec Enterprise Vault training is recommended before implementation.

Alternatively, Symantec Consulting Services can help guide the customization

process.

Administrators should also document the status of the current Exchange

environment as well as the deployment plan.

Documenting the existing Exchange environment

The following information is required to document the status of the existing

Exchange environment:

■ Size of the Exchange data stores

■ Average daily volume of email

■ Average size of email

■ Average size of email attachments

■ Average size of individual email mailboxes

■ Total number of email accounts

■ Current email storage requirements

Documenting the new Exchange Enterprise Vault environment

Before an administrator deploys Enterprise Vault in an Exchange environment,

they need to document the answers to the following questions on policy issues:

Email retention policy:

■ How long will email be kept?

■ What are the business goals of the retention policy?

■ When will email be removed from Exchange and moved into Enterprise Vault stores?

■ When will email be removed from Enterprise Vault?

■ Is there a department-level (human resources, Legal) retention policy?

■ Will email be retained indefinitely?

Personal Archives (PST) policy:

■ Can users keep their own archives?

■ Will archives be centralized?

■ Where will archives be stored? (online, near-line, or off-line)

■ What storage volumes will contain the vaults?

■ Are policies set per department or per user?

Attachment policy:

■ Are policies blocked entirely?

■ Is attachment size limited?

■ Is there a limit on policy type? (such as .exe or .bat files)

Email archiving policy goals:

■ Is there a need to keep Exchange data stores small?

■ Does any email, regardless of age, need to be discovered?

■ Is there a need to provide quick access to old email?

■ Will enhanced search capabilities for users be necessary?

End user search capability:

■ Will users have the ability to search all of their archives?

Email Auditing requirements:

■ Will all Exchange email be journaled for some period of time?

■ Will legal discovery and compliance searches be required?

Enterprise Vault deployments vary widely, so the responses to these questions

will also vary by organization. However, most organizations deploy Enterprise

Vault to solve messaging challenges in one of three critical areas: 1) mailbox

management, 2) records management, or 3) message journaling for compliance.

Enterprise Vault is most frequently deployed to simplify mailbox management.

Enterprise Vault addresses the need for quicker recovery times, less email

corruption, elimination of PST files, and better performance, by downsizing

Exchange data stores.

Simplifying Exchange storage and data management improves email availability.

Deployments of this type often use quota-based policies, which specify that email

be migrated to archival storage when a user’s Exchange mailbox reaches a specified

threshold; for example, 80% or 90% of their mailbox size. An indicator for the

age of the email may or may not be set. Automatic archiving and the ability to

view archived items while disconnected from any network or storage with the

offline vault option make such archiving transparent to users.

A records management orientation for Enterprise Vault deployment will lead to

age-based archiving policies. Items in user mailboxes may be automatically

archived after 30 days of receipt. At that point, email that exceeds a certain size,

for example 1 megabyte in size, can be archived. Archiving may then be done for

all email held 90 days, regardless of size, and retained for 3 or 7 years, or as long

as necessary.

Customers with a compliance focus often deploy Enterprise Vault in order to

create a journal of all email and instant messages. The journal allows recovery of

all email messages and instant message conversations for the retention period

specified.

The archiving of journaled email and instant messages is generally immediate.

Retention periods for journaled email may be as short as 30 days or as long as 7

years in regulated industries, such as financial services. Answering the many

archiving policy questions is simpler for customers with a message-journaling

focus, as their focus is often driven by specific laws, regulations, or high-level

corporate policies. Message journaling adds a significant load to the Exchange

and Enterprise Vault servers, as all email, email attachments, and instant message

traffic have to be converted to text or HTML, and archived for future access.

Of course, Enterprise Vault customers may have other orientations or goals that

drive their archiving requirements. These sample orientations are provided to

assist customers in planning their deployments.

Considerations for planning and documenting the Enterprise Vault deployment

Symantec recommends that administrators have a written plan for the deployment of Enterprise Vault into their organization. Administrators should consider the following factors when developing an Enterprise Vault deployment plan:

Migration strategy

■ Keep in mind that migration typically takes place over days or weeks.

■ Consider that the speed of migration is dictated mostly by the size and type of attachments that need to be converted as part of the archive process. The size of the message is also important. In addition, the amount of server resources that are dedicated to the migration process also impacts the speed of the migration.

■ Consider processor load requirements when you migrate aged email. Email migration significantly increases the processor load on the Exchange server. Simple maintenance of new email in Enterprise Vault is much less resource intensive, and therefore has less of an impact on the Exchange server.

■ Plan for test runs that can help develop accurate conversion estimates for your environment.

■ Determine hardware needs using Symantec expertise and the particular experiences gained from initial deployments in your environment.

Deployment and migration sequence

■ Determine how deployment will proceed.

■ Consider whether archiving will be deployed department by department.

■ Determine who are the key users.

Indexing

■ Decide on the levels of indexing available: Brief, Medium, and Full. Full indexing requires more storage space, and is required for deployments using Enterprise Vault Compliance Accelerator and Enterprise Vault Discovery Accelerator.

■ Know the indexing policy that will be implemented and

communicate the policy to the end-user community.

■ Get trained and use consulting services before

implementation.

■ Set user expectations regarding the appearance and

retrieval of archived or Vaulted email.

Best practices for sizing Enterprise Vault environments

To avoid unexpected results or downtime, administrators should always contact

a Symantec Enterprise Vault Consulting Services Center before deploying

Enterprise Vault. The Enterprise Vault Consulting Services Center can provide

the appropriate estimates for scalability, Vault Store growth, speed of searches,

data retention requirements, and other factors.

Estimates are determined by the number and location of Exchange servers, the

size of items that are archived, the frequency of archiving, the retention policies,

the number of users, and how often searches need to run, among other variables.

Administrators can contact Symantec Consulting Services through their local Symantec sales office or by email.

Symantec Consulting Services has published some estimates on the size of Vault Stores and indexes, and the amount of information that is stored in Enterprise Vault over a period of five years.

Based on the information that is provided by Symantec Consulting Services,

administrators can produce estimates for a deployment by reviewing the following

factors:

■ Total volume of email that is archived from users’ mailboxes in one year.

■ Total disk space that is consumed by the Vault Store files, Vault Store

databases, and indexes after all of the user mailboxes have been initially

migrated and archived for one year.

Table 7-1 provides an example of how these sizing factors are estimated.

The figures are based on the following assumptions:

■ The organization has 1,528 email users.

■ All user mailboxes are archived by Enterprise Vault.

■ All messages over 90 days old are archived from all user mailboxes.

■ Each user archives 12 messages per day.

■ There are 250 working days in each year.

■ The average message size is 77 KB.

■ Each mail message is sent to five internal users.

■ Growth of email volume is 15-40 percent annually.

■ Growth of average message size is 30 percent annually.

Table 7-1 Example sizing estimate for deployment planning

| Sizing factor | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Number of users | 1,528 | 1,528 | 1,528 | 1,528 | 1,528 |
| Number of messages archived per day per user | 12 | 14 | 17 | 20 | 23 |
| Average message size in KB | 77 | 101 | 132 | 172 | 224 |
| Total number of messages that are archived | 5,928,090 | 11,276,090 | 17,770,090 | 25,410,090 | 34,196,090 |
| Size of Vault Store NTFS in GB | 78 | 159 | 273 | 431 | 650 |
| Size of Vault Store Database in GB | 1.19 | 2 | 4 | 5 | 7 |
| Size of Indexes in GB | 20 | 95 | 223 | 420 | 716 |
| Size of information that is stored in Enterprise Vault in GB | 98.89 | 255.63 | 499.55 | 856.79 | 1,372.71 |

Figure 7-1 shows the projected growth of information over five years.

Figure 7-1 Example of projected growth in information storage requirements
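The arithmetic behind the "Total number of messages that are archived" row of Table 7-1, as an added example that is not part of the Yellow Book. The initial backlog is not stated on the page; it is inferred here as the Year 1 total minus one year of new mail, and the function names are this example's own.

```python
"""Check Table 7-1's message counts against the stated sizing assumptions."""

USERS = 1528                                   # "The organization has 1,528 email users."
WORKING_DAYS = 250                             # "There are 250 working days in each year."
MSGS_PER_USER_PER_DAY = [12, 14, 17, 20, 23]   # Table 7-1, Years 1-5
AVG_MSG_KB = [77, 101, 132, 172, 224]          # Table 7-1, Years 1-5
TABLE_TOTALS = [5_928_090, 11_276_090, 17_770_090, 25_410_090, 34_196_090]


def new_messages(users, per_user_per_day, working_days):
    """Messages archived during a single year."""
    return users * per_user_per_day * working_days


def implied_backlog(users, per_day_by_year, working_days, table_totals):
    """Messages already present at the initial migration (inferred, not on the page)."""
    return table_totals[0] - new_messages(users, per_day_by_year[0], working_days)


def cumulative_totals(users, per_day_by_year, working_days, backlog):
    """Running total of archived messages at the end of each year."""
    totals, running = [], backlog
    for per_day in per_day_by_year:
        running += new_messages(users, per_day, working_days)
        totals.append(running)
    return totals


def growth_rates(values):
    """Year-over-year growth in percent, rounded to one decimal place."""
    return [round((b - a) * 100 / a, 1) for a, b in zip(values, values[1:])]


if __name__ == "__main__":
    backlog = implied_backlog(USERS, MSGS_PER_USER_PER_DAY, WORKING_DAYS, TABLE_TOTALS)
    totals = cumulative_totals(USERS, MSGS_PER_USER_PER_DAY, WORKING_DAYS, backlog)
    print("Implied initial backlog:", backlog)
    for year, (mine, theirs) in enumerate(zip(totals, TABLE_TOTALS), start=1):
        print(f"Year {year}: computed {mine:,}  table {theirs:,}")
    print("Volume growth %:", growth_rates(MSGS_PER_USER_PER_DAY))
    print("Message size growth %:", growth_rates(AVG_MSG_KB))
```

The totals row is cumulative, so storage planned from a single year's volume understates the requirement from Year 2 onward.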

Vault Store recommendations

It is recommended that administrators create a new Vault Store for each archive

source.

Organizations that use Veritas Storage Foundation dynamic disk groups can

enable capacity monitoring for any volume. Administrators can also receive email

notification when an established percent-of-filled-capacity threshold is reached.

This enables administrators to take action before a critical condition is reached

that might otherwise stop the archiving process.

Vault Store partition setting recommendations

Enterprise Vault uses storage partitions to collect the files for all archives.

Administrators should determine whether to set individual partitions as either

open or closed. The Open setting allows Enterprise Vault to write archived data,

while the Closed setting prevents items from using that partition when archiving

occurs.

Enterprise Vault saves the archived files that reside on vault store partitions as

DVS files (Digital Vault Save sets). Administrators can configure an Enterprise

Vault policy to later collect DVS files into CAB Container files. CAB files can be

backed up more quickly, since larger files are faster to back up than multiple,

smaller files.

Administrators do not need the Outlook client to view a DVS file: each DVS file can be opened directly from inside the partition. Because email messages can be read in an open DVS file, administrators must secure this directory so that end users do not have access to it.
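One way to check that requirement is to review the NTFS permissions on the partition directory. The following added example (not part of the Yellow Book) parses the output of the Windows `icacls` command and lists every account outside an expected set that holds an allow entry; the path `E:\EVStore\Ptn1`, the `EXAMPLE` domain, the allowed list, and the sample output are constructed for illustration, with `EVAdmin` standing in for the Enterprise Vault service account.

```python
"""Flag unexpected allow entries in icacls output for a vault store partition."""
import re

# Accounts expected to have access (assumption for this example).
ALLOWED = {
    r"BUILTIN\Administrators",
    r"NT AUTHORITY\SYSTEM",
    r"EXAMPLE\EVAdmin",
}

# Constructed sample of the output of: icacls E:\EVStore\Ptn1
SAMPLE_ICACLS = r"""E:\EVStore\Ptn1 BUILTIN\Administrators:(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                EXAMPLE\EVAdmin:(OI)(CI)(F)
                EXAMPLE\Contractors:(DENY)(R)
                BUILTIN\Users:(OI)(CI)(RX)
                Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
"""

# "<account>:(token)(token)..." with nothing after the last parenthesis.
ACE_LINE = re.compile(r"^(?P<who>.+?):(?P<aces>(?:\([^)]*\))+)$")
# Tokens that describe inheritance or entry type rather than granted rights.
FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}


def unexpected_access(icacls_output, path, allowed):
    """Return [(account, rights)] for allow entries held by accounts not in `allowed`."""
    allowed_ci = {name.lower() for name in allowed}
    findings = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        # The first entry is printed on the same line as the path.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        match = ACE_LINE.match(line)
        if not match:
            continue  # blank line or the "Successfully processed" summary
        tokens = re.findall(r"\(([^)]*)\)", match.group("aces"))
        if "DENY" in tokens:
            continue  # deny entries restrict access; they are not exposure
        rights = [t for t in tokens if t not in FLAGS]
        who = match.group("who")
        if who.lower() not in allowed_ci:
            findings.append((who, rights))
    return findings


if __name__ == "__main__":
    for who, rights in unexpected_access(SAMPLE_ICACLS, r"E:\EVStore\Ptn1", ALLOWED):
        print(f"Unexpected access: {who} {','.join(rights)}")
```

An empty result means only the expected accounts can reach the DVS files through this directory's own permissions; share permissions and parent folders need the same review.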

The CAB collection process occurs once a day, at a preconfigured time. There must be at least 15 DVS files before a CAB file is

generated. Each CAB file can contain a maximum of 1,000 DVS files.

About the Admin Service

The Admin Service monitors space for all local hard drives on the system on which

it is installed and running. If necessary, the Admin Service writes warning

messages to the Windows Application Log. It will also shut down Enterprise Vault

services before the storage space allocated to Enterprise Vault is exceeded. It does

this to maintain data integrity across the Exchange Server and its Vault Stores.

The Veritas Storage Foundation for Windows capacity monitoring capability can

be configured to send an email notification automatically when an established

capacity threshold is reached. For example, an administrator can define a

notification that delivers a warning message when a volume reaches 95 percent

capacity. If more space is not allocated before a partition fills, Enterprise Vault

shuts down the Admin Service to prevent any more data from being accepted into

its queue.

Selecting the level of indexing

Administrators can set one of the following three levels of indexing for archived

items:

■ Brief

Enables searching of common Outlook fields and metadata searching. Author, Subject, Recipient, Created Date, Expiry Date, File Extension, Retention Category, and Original Location attributes are all searchable.

■ Medium

Enables all the same searching that Brief Indexing offers, as well as allowing

single word searches of any item that is archived, including attachments.

■ Full

Enables all the same searching that Brief and Medium Indexing offer, and also allows full-text, phrase-level searches on any items that are archived.

Note: Full indexing is required for Enterprise Vault Compliance Accelerator and

Enterprise Vault Discovery Accelerator searching.

The three levels of indexing have the following impact on storage size:

Brief indexing: Every item that is archived increases the index file by 3 percent of the actual size of the item archived.

Medium indexing: Every item that is archived increases the index file by 8–12 percent of the actual size of the item archived.

Full indexing: Every item that is archived increases the index file by 12–20 percent of the actual size of the item archived.

It is highly recommended to store Index files (flat files) on SAN or DAS storage

devices due to heavy I/O usage. To improve performance, administrators should

store Index files on separate volumes from the Enterprise Vault Partition being

used for the Enterprise Vault Store files and databases.

Note: Once an index is created, its location cannot be easily changed.

Administrators must allocate adequate space to enable the index to grow over

time.

Best practices for preparing the Enterprise Vault environment

Before Enterprise Vault can be installed in a Microsoft Windows® Server 2003

environment, administrators must complete the following preparation tasks:

■ Installation software prerequisites

■ Enterprise Vault Service account creation

■ SQL login account creation

■ Enterprise Vault server preparation

Installation software prerequisites

Administrators must install the following software in a Windows Server 2003

environment:

■ Microsoft Windows Server 2003 with the latest service packs and patches

■ Windows 2003 ASP.NET and Active Server Pages components

If the Enterprise Vault Compliance Accelerator and Discovery Accelerator will

be installed, an Authenticated User account with Full Control privileges must

be added to the Windows TEMP folder and ASP.NET folder.

■ Microsoft Internet Explorer with the latest service packs

■ Microsoft SQL Server 2000 with Service Pack 3, 3a, or 4 (SP4 is preferred)

Case-sensitive installations are not supported.

■ Microsoft Exchange Server 2003 with Service Pack 1

■ Microsoft Outlook 2003 with Service Pack 2

See “Email archiving hardware and software requirements” on page 81.

For more information, see the Installing and Configuring Enterprise Vault 6.0

manual.

It is highly recommended that Veritas Storage Foundation for Windows software

be installed in a Windows 2003-based Exchange environment.

Finally, verify that administrators have obtained an Enterprise Vault license for

all computers that will be running the Enterprise Vault Services.

Enterprise Vault Service account creation

Administrators must create a Windows service account on the server on which

Enterprise Vault will be installed. An example of a Windows service account name

for Enterprise Vault might be EVAdmin.

The account must meet the following criteria:

■ Be a domain-based Windows security account belonging to the local

Administrators group on each computer that runs Enterprise Vault services.

■ Be a member of the Exchange Administrators group for the Exchange store

that will be archived.

■ Be given Full Control privileges to each Exchange server to be archived using

Enterprise Vault.

■ Not be a Domain Administrator account.

It is better to assign Exchange Server permissions to the user account explicitly,

as described in the Installing and Configuring Enterprise Vault 6.0 manual.

■ Be given database access rights to the Microsoft SQL Server(s) that are deployed

for Enterprise Vault.

See “SQL login account creation” on page 159.

SQL login account creation

To create an SQL login account, administrators must complete the following tasks

in SQL Enterprise Manager:

■ Expand the SQL Server container and select Security. Then right-click Logins

and, on the shortcut menu, click New Login. Select and enter the name of the

Vault Service Account. For example, domain\EVAdmin.

■ On the General tab, verify that Windows Authentication is set, Grant Access

is enabled, and that the correct domain for the account is selected.

■ On the Server Roles tab, enable the Database Creators role.

■ On the Database Access tab, in the Permit column for the Master database,

place a checkmark.

■ On the Database Access tab, under Roles, assign the user db_owner permissions.

Enterprise Vault server preparation

Before Enterprise Vault is installed, the administrator must prepare the server

for installation, as follows:

■ Perform a custom installation of Microsoft Outlook and select the Collaboration

Data Objects option.

■ Add and configure the following Windows components:

■ Message Queuing with Active Directory® Integration disabled.

■ Application Server Console enabled.

■ Active Server Pages enabled.

■ Active Server Pages scripts that are enabled to run.

■ Install Microsoft Exchange System Manager 2003 with System Management

Tools.

■ Create a Vault Site Alias on the DNS server.

For complete instructions for preparing the Enterprise Vault server, see the

Installing and Configuring Enterprise Vault 6.0 manual.

Installing and configuring Microsoft Outlook

Enterprise Vault requires an installation of Microsoft Outlook 2003 SP3 that has

the Collaboration Data Objects option enabled.

To install and configure Microsoft Outlook

1 Log on to the Enterprise Vault server by using the Enterprise Vault service

account.

2 Begin installing Microsoft Outlook 2003 SP2.

3 During installation, enable Choose Advanced customization of applications to access the Outlook component options for installation.

4 In the panel containing the Outlook custom component options, expand the Outlook tree options and select Collaboration Data Objects.

Enterprise Vault 6.0 and later releases now perform this step automatically.

Adding and configuring Windows components

Administrators must first log on to the Enterprise Vault server with the Enterprise

Vault service account.

Table 7-2 shows the components that administrators must add and configure.

Table 7-2 Windows components to add and configure

Windows component: Message Queuing with Active Directory Integration disabled

Configuration procedure: In the Windows Control Panel, in Add or Remove programs, do the following:

■ In the Add or Remove Windows Components program, click Application Server and then click Details.

■ Click Message Queuing and uncheck Active Directory Integration.

Unless Active Directory Integration is disabled, its installation will result in a sizeable performance loss.

Note: Microsoft Message Queuing is I/O intensive, so it should always be moved from the default installation drive of C:\ to another local drive.

Windows component: Application Server Console

Configuration procedure: In the Windows Control Panel, in Add or Remove programs, do the following:

■ In the Add or Remove Windows Components program, click Application Server and then click Details.

■ Click Application Server Console.

Windows component: Active Server Pages

Configuration procedure: In the Windows Control Panel, in Add or Remove programs, do the following:

■ In the Add or Remove Windows Components program, click Application Server and then click Details.

■ Click IIS and then click Details.

■ Click World Wide Web Service and then click Details.

■ Click Active Server Pages.

Windows component: Active Server Pages scripts enabled to run

Configuration procedure: On the Windows desktop, do the following:

■ Click My Computer > Manage.

■ In the Computer Management dialog box, in the directory tree, expand Services and Applications > IIS Manager > Web Service Extensions.

■ In the Web Service Extensions pane, verify that Active Server Pages is set to Allowed.

Installing Exchange System Manager 2003 with System Management tools

As part of the preparation for installing Enterprise Vault, the Microsoft Exchange

System Manager 2003 needs to be installed on the Enterprise Vault server.

To install Microsoft Exchange System Manager 2003 with System Management

tools

1 Verify that the server meets the minimum system requirements for Exchange

System Manager 2003.

For more information, go to the following URL:

www.Microsoft.com

2 Log on to the Enterprise Vault server with the Enterprise Vault service

account.

3 Begin an installation of Microsoft Exchange System Manager.

4 Select a custom installation.

5 Disable Messaging and Collaboration Services.

6 Enable System Management Tools.

Creating an Enterprise Vault Site Alias on the DNS server

Administrators can install Enterprise Vault without a Vault Site alias. However,

the best practice is to define a Vault Site alias before installing Enterprise Vault,

as the alias cannot be changed after it has been configured.

Additionally, a Fully Qualified Domain Name (FQDN), such as EnterpriseVaultServer.yourdomain.com, should not be used. Instead, use an alias

such as “EnterpriseVaultServer”. If the Enterprise Vault server name is changed

or moved to a different domain, or if clustering is later used, an administrator

can reassign the DNS alias to the new server, domain, or cluster. It is also a best

practice to assign and refer to all Enterprise Vault servers by an alias.

To create an Enterprise Vault Site Alias on the DNS server

1 Have the DNS administrator log on to the DNS server.

2 Select Start > Programs > Administrative Tools > DNS.

3 Expand the DNS server, and then expand Forward Lookup Zone.

4 Select the domain in which Enterprise Vault is to reside.

5 Right-click the domain, and then select New Alias.

6 Under Alias, type the name of the Enterprise Vault alias.

7 Under FQDN for Target Host, type the fully qualified name (FQN) of the

Enterprise Vault server.

Creating an Outlook profile on the Enterprise Vault server

After Outlook is installed, the administrator must create an Outlook profile on

the Enterprise Vault server.

To create an Outlook profile on the Enterprise Vault server

1 On the Exchange server, in Windows, expand Active Directory Users and Computers > New User.

A new user wizard launches.

2 In the wizard, verify that the Create an Exchange mailbox option is enabled.

3 Select First Organization/First Administrator Group/Your_Server.

4 Select First Storage Group/Mailbox Store (the server).

5 In Outlook, while still logged on with the Enterprise Vault service account,

open the mailbox just specified.

Opening the mailbox registers the MAPI connection, which enables

administrators to analyze Exchange stores.

Best practices for installing Enterprise Vault

When administrators use the Enterprise Vault Installation Wizard to install Enterprise Vault, they should perform the following tasks:

■ Select the option to install Enterprise Vault Services and Administration

Console only.

Avoid installing additional options at this time.

■ After installation completes, leave the Run the configuration option enabled,

and then click Finish to exit the wizard.

Best practices for configuring Enterprise Vault

The Enterprise Vault Configuration program guides administrators through the creation of a Vault directory and database, and a Vault site. The wizard also helps administrators add Vault service properties on the new server. After completing

these directory setup tasks, the Administration Console can be used to further

configure Enterprise Vault.

Enterprise Vault Configuration program tasks

Administrators can create a Vault directory and database, and a Vault site; add

Vault services; and add and configure Vault service properties.

Table 7-3 shows the basic steps involved in using the Enterprise Vault

Configuration Wizard.

Table 7-3 Directory setup tasks using the Configuration Program

Task: Creating a new Enterprise Vault directory database

Wizard options: Configure the following wizard options:

■ Do you want to create a new Vault Directory on this computer: Type Yes

■ Vault service account: Type the Enterprise Vault service account that was already created. Use the format DomainName\VaultAdminAccount.

The following permissions are automatically granted: Logon as service, Act as part of operating system, Debug program rights.

■ SQL Server location: Type the location that was previously installed to host the databases. Use the format ServerName\InstanceName if using Instance Names, or ServerName, if instance Names are not being used.

Note: An existing SQL Server computer or the server that is dedicated to Enterprise Vault can be used. Folders must be created below the root level of the volume to create the database; for example, F:\Folder. This database grows at the rate of 250 bytes per archived item.

■ Where MDF and LDF database files are hosted: Type the location on the SQL Server computer where MDF and LDF database files are hosted.

Task: Creating a new Enterprise Vault site

Wizard options: Configure the following wizard options:

■ Vault site name: Type the name of the new Enterprise Vault site.

The name of the site cannot be changed after it has been created.

■ Vault Site Alias: Type the site alias that was created on the DNS server.

Task: Adding Enterprise Vault service properties

Wizard options: Configure the following wizard options:

■ After the Enterprise Vault services are created, right-click Index Service, and then select Properties.

■ On the Index Locations tab, add the location to which Index Services should store the index.

Note: The default location for the index files is the C:\ drive. As indexes increase in size, it is recommended that another location be used. If another location is used, remember to delete the existing entry. Indexes cannot be stored on a read-only disk, and should not be moved after creation.

■ Complete the wizard. View the properties of the other Enterprise Vault services and make changes, if necessary.

■ Start all Enterprise Vault Services.

Note: The services will not start unless an administrator has installed the

appropriate license keys. The license keys should be installed as described in the

instructions that are supplied with the keys.

Enterprise Vault Administration Console configuration tasks

After an administrator completes the Enterprise Vault Configuration Program,

the Enterprise Vault Administration Console can be launched. When prompted

for the Directory Service Computer to connect to, the Enterprise Vault server

name must be entered.

In the Enterprise Vault Administration Console, an administrator must complete

the following configuration tasks in the order presented:

■ Creating a Vault Store

■ Creating the Exchange Mailbox task

■ Microsoft Exchange forms distribution

■ Folder creation

■ Installing Microsoft Exchange forms

■ Enabling archiving for mailboxes

■ Policy creation

■ Retention categories setup

■ Site properties view

■ Enterprise Vault configuration to support Exchange email journaling

■ Configuring Enterprise Vault to support Symantec IM Manager

■ Archiving public folders

■ User desktops setup

■ Generating reports

Creating a Vault Store

After the Vault directory is configured using the Enterprise Vault Configuration

Program, administrators can use the Administration Console to create and

configure a Vault store.

To create a Vault store

1 Open the Enterprise Vault Administration Console.

2 Expand the tree view until the Vault Store directory is visible.

3 Right-click the directory and select New > Vault Store.

4 Type a name for the new Vault Store.

5 Type the SQL Server location that was previously installed to host the

databases. Use the following format: ServerName\InstanceName if using

Instance Names. Use the format: ServerName if not using Instance Names.

To see all directories, authenticate to the SQL Server computer.

6 Name the partition and determine whether the new vault store should be

Open.

If it is the first vault store partition, create the partition as Open.

7 Complete the remainder of the wizard, accepting default settings or configuring the settings that are wanted.

8 When prompted, click Share archived items to enable single-instance storage.

Single-instance storage optimizes the use of storage space. For example, with

this option enabled, a large Microsoft PowerPoint® slide deck that is sent to

multiple email addresses on the same Vault store is archived only once.

At the time of install, it is also recommended that administrators set the File

Collection Software option to None. As the data collection continues to

increase, this setting can be changed in Enterprise Vault by selecting Vault

Stores > Vault Store Name > Properties.

Creating the Exchange Mailbox task

After the Vault Store is created, administrators can then create the Exchange

Mailbox task.

Note that if Compliance Accelerator and Discovery Accelerator are to be installed

and used, indexing must be set to Full.

To create the Exchange Mailbox task

1 In the Enterprise Vault Administration Console, expand the tree view until

the Archiving Targets > Exchange directory is visible.

2 Right-click Exchange and select New > Domain.

3 Type the name of the domain that contains the Exchange Server to be

archived.

It is recommended not to enable the Use specific Global Catalog server option.

4 Expand the tree view until the newly added domain is visible.

5 Right-click the Exchange Server and select New > Exchange Server.

6 Type the name of the Exchange Server on which items should be archived.

7 Leave the Exchange Mailbox Task option enabled, and verify that the

Enterprise Vault server that is listed is the correct one.

Microsoft Exchange forms distribution

To distribute the Microsoft Exchange forms that are installed from the Enterprise

Vault kit, it is recommended that the forms be placed in the Microsoft Exchange

Organization Forms Library. Administrators must provide all Enterprise Vault

users access to the Forms Library. However, before access to the forms can be

provided, administrators may need to create a folder in the Organization Forms

Library to hold the forms (for example, VaultIcons).

For complete instructions, administrators can refer to the Distributing the

Microsoft Exchange forms section in the Installing and Configuring Enterprise

Vault 6.0 manual.

Folder creation

Administrators must create a folder in the Organizations Forms Library with

access provided to all Microsoft Exchange users who are going to use Enterprise

Vault. Administrators can use Exchange Systems Manager’s Administrative

Groups management facility to create a folder that is accessible throughout an

Exchange organization.

Installing Microsoft Exchange forms

Administrators can install the forms from Microsoft Outlook using a mailbox that

has Owner permissions for the folder in the Organization Forms Library. This is

done on the computer to which the Microsoft Exchange Forms from the Enterprise

Vault kit have been installed. Users can access the new forms when they install

the Enterprise Vault User Extensions.

To install Microsoft Exchange Forms

1 Open Microsoft Outlook.

2 In the Tools menu, click Options > Advanced Options > Custom Forms >

Manage Forms.

3 Locate the Forms Library and set the filter to show Form Message (*.fdm).

4 Install the Enterprise Vault Archive Item, Delete Pending Item, Pending Item

and Restore Pending Item forms to the Enterprise Vault folder (not Personal

Forms).

For complete instructions, administrators can refer to the Installing and

Configuring Enterprise Vault 6.0 manual.

Enabling archiving for mailboxes

An Exchange Mailbox task allows mailboxes to be archived using the Vault store.

After an Exchange Mailbox task is created, individual mailboxes can be assigned

to that task. Before archiving can begin, administrators must configure the

archiving and retention policies for the mailboxes.

To enable archiving for a mailbox

1 If necessary, create a Vault store and partition.

2 If necessary, do the following to add an Exchange Organization:

■ Expand Vault Site > Archiving Targets > Exchange > Domain >

Organization Unit.

■ Right-click Organization Unit and select New > Organization Unit.

■ Proceed through the wizard.

■ Enter the name of an Organization Unit in the Domain that you want to

add, or select the Whole Exchange Organization check box.

■ Select an Exchange Mailbox Policy and PST Migration Policy.

■ Select a default Retention Category.

■ Select a default Vault Store.

■ Select a default Indexing Service.

■ If mailboxes are to be enabled automatically, select the Automatically

enable mailboxes option.

When mailboxes are enabled automatically, they are put into certain

default policy groups, and some flexibility is lost. To determine whether

it is appropriate to enable this option, administrators should review the

Enterprise Vault documentation.

3 To enable archiving for particular mailboxes, in the Administration Console,

click Enable Mailbox on the Tools menu or click the Enable Mailboxes for

Archiving icon on the toolbar. Then complete the wizard.

It is not necessary to use the Synchronize option when enabling or disabling

mailboxes, as Enterprise Vault automatically performs a full synchronization.

However, to enable a newly created mailbox for archiving, run the Synchronize

option. New mailboxes do not appear in the list of new mailboxes to add for

archiving until a synchronization has occurred.


Policy creation

Enterprise Vault includes a default Mailbox, Journal, and Public Folder policy.

Administrators can create new policies and edit existing policies. A Lock option

can be enabled to prevent users from changing their personal settings.

Note: Review the Policy Properties\Archiving Rules tab. Consider setting the policy

to Start with items larger than X. When this option is set, larger items are archived

first, which reduces the size of the mailboxes.

See the Installing and Configuring Enterprise Vault 6.0 manual for complete

instructions. Alternatively, search on quota-based archiving in the Enterprise

Vault online Help documentation.

Retention categories setup

Enterprise Vault includes predefined retention categories. Administrators can

create new retention categories and edit existing retention categories.

It is recommended that a retention category be assigned to items at the time that

they are archived. This makes it easier for Enterprise Vault to retrieve items, as

it is possible to search by category.

Note: Once an item is archived, its retention category cannot be changed. Only

the name of the retention category and the retention period can be changed. For

a workaround, an administrator must first restore the item, then change the

retention category, and finally archive it again.

See the Installing and Configuring Enterprise Vault 6.0 manual for complete

instructions.

Site properties view

Administrators can view vault site properties by clicking the Review Site Properties

toolbar icon.

Before reviewing site properties, administrators should refer to the Installing and

Configuring Enterprise Vault 6.0 manual for information about each setting.

Enterprise Vault configuration to support Exchange email journaling

Administrators can archive Enterprise Vault email journaling by configuring an

Enterprise Vault Journaling Task. Before an Enterprise Vault Journaling Task can


be configured, the Exchange Server must be configured to direct all mail to one

or more designated journal mailboxes. To do this, administrators must enable the

option: Archive all messages sent or received by mailboxes on this store. After

enabling Exchange to journal, a Journal Task can be created in Enterprise Vault.

Note: Exchange email journaling is a resource-intensive activity for Exchange

servers. For organizations with 1000-2500 email users, it is possible that additional

Exchange servers and storage will be required for journal processing.

Administrators can contact their Symantec partner or Symantec Professional

Services for more information.

All journaled mailboxes should be stored in a different Vault Store from user

mailboxes or public folders that are being archived.

After Journaling is set up, administrators can review the types of emails that are

being archived. Decisions about whether to remove read receipts or system

messages from the list can also be made.

Administrators should refer to the Installing and Configuring Enterprise Vault 6.0

manual for more information. Alternatively, they can refer to the Enterprise Vault

Settings for a Journal Mailbox topic in the Enterprise Vault online Help.

Configuring Enterprise Vault to support Symantec IM Manager

Symantec IM Manager uses the Exchange journal mailbox to export IM messages

to Enterprise Vault. The IM Manager export tool uses an XSL transformation

process to generate the final SMTP messages that are delivered to Enterprise

Vault.

Note: By default, all dates and times in the body of the email message are converted

to the timezone of the server running the export. If preferred, an administrator

can change the timezone to UTC by changing the value of useLocalDate to false.

var fromEmailaddress = "[email protected]";
var journalingEmailboxname = "[email protected]";
var useLocalDate = true;
// Set this to 'false' if you want the dates/times in the body of
// the message to be UTC.
// Change this to one of: Legato, KVS, Exchange
var exportSystem = "KVS";


To enable archiving for a mailbox

1 Download the XSL file from the Symantec KB article INFO: Transform.xsl.

2 Save the transform.xsl file to the IM Manager server where the export tool

is installed: c:\Program Files\Symantec\imarchive\.

3 Open the transform.xsl file in a text editor.

4 Set the value of exportSystem to KVS.

5 Set the value of the journalingEmailboxname variable to the Exchange

journaling mailbox that the Enterprise Vault is processing.

6 Set the value of the fromEmailaddress variable to a valid email address

on your network, for example, [email protected]

7 Save the transform XSL file.
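A check for the edited file, as an added example that is not part of the Yellow Book or of Symantec's tooling: it reads the script variables from transform.xsl, skips anything inside a // comment, and reports settings that differ from steps 4 to 6. The function names, the sample text and the example.com addresses are constructed for illustration, and the file is assumed to declare its variables in the var name = value; form shown above.

```python
import re

REQUIRED_EXPORT_SYSTEM = "KVS"  # step 4 of the procedure
ADDRESS_SETTINGS = ("journalingEmailboxname", "fromEmailaddress")  # steps 5 and 6

# Matches: var name = "text";   or   var name = true|false;
VAR_RE = re.compile(
    r'\bvar\s+(?P<name>[A-Za-z_]\w*)\s*=\s*'
    r'(?:"(?P<text>[^"\r\n]*)"|(?P<flag>true|false))\s*;'
)
ADDRESS_RE = re.compile(r'^[^@\s"<>]+@[^@\s"<>]+\.[^@\s"<>]+$')


def split_comment(line):
    """Split a line into (code, comment) at the first // outside a double-quoted string."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif not in_string and line.startswith("//", i):
            return line[:i], line[i:]
    return line, ""


def parse_settings(text):
    """Return (active, commented_only): settings in effect, and names found only in comments."""
    active, commented = {}, set()
    for line in text.splitlines():
        code, comment = split_comment(line)
        for m in VAR_RE.finditer(code):
            flag = m.group("flag")
            active[m.group("name")] = m.group("text") if flag is None else flag == "true"
        commented.update(m.group("name") for m in VAR_RE.finditer(comment))
    return active, commented - set(active)


def audit(text, want_utc=False):
    """Return (setting, problem) pairs; an empty list means the file matches the procedure."""
    active, commented_only = parse_settings(text)
    findings = []

    def missing(name):
        if name in commented_only:
            return "declared only inside a // comment, so it is never set"
        return "not declared"

    export_system = active.get("exportSystem")
    if export_system is None:
        findings.append(("exportSystem", missing("exportSystem")))
    elif export_system != REQUIRED_EXPORT_SYSTEM:
        findings.append(("exportSystem", f"is {export_system!r}, expected {REQUIRED_EXPORT_SYSTEM!r}"))

    for name in ADDRESS_SETTINGS:
        value = active.get(name)
        if value is None:
            findings.append((name, missing(name)))
        elif not isinstance(value, str) or not ADDRESS_RE.match(value):
            findings.append((name, f"{value!r} is not an email address"))

    use_local = active.get("useLocalDate")
    if not isinstance(use_local, bool):
        problem = missing("useLocalDate") if use_local is None else "must be true or false"
        findings.append(("useLocalDate", problem))
    elif use_local == want_utc:
        zone = "server local time" if use_local else "UTC"
        findings.append(("useLocalDate", f"message bodies use {zone}, which is not what was requested"))
    return findings


# Constructed sample: the variable block after a correct edit (placeholder addresses).
GOOD_SAMPLE = '''\
var fromEmailaddress = "im-export@example.com";
var journalingEmailboxname = "journal@example.com";
var useLocalDate = true;
// Set this to 'false' if you want the dates/times in the body of
// the message to be UTC.
// Change this to one of: Legato, KVS, Exchange
var exportSystem = "KVS";
'''

# Constructed sample: a lost line break leaves exportSystem inside a comment,
# and the sender address was left empty.
BROKEN_SAMPLE = '''\
var fromEmailaddress = "";
var journalingEmailboxname = "journal@example.com";
var useLocalDate = true;
// Change this to one of: Legato, KVS, Exchange var exportSystem = "KVS";
'''

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("broken", BROKEN_SAMPLE)):
        problems = audit(sample)
        print(label, "OK" if not problems else problems)
```

Pass want_utc=True when the archive is expected to carry UTC timestamps, so that a file left at the default useLocalDate = true is reported.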

Searching Enterprise Vault for Symantec IM Manager instant messages

Before searching on Symantec IM Manager instant messages, administrators need

to refer to the following section in chapter 6, which describes the steps to search

for instant messages using the Enterprise Vault browser search:

See “Instant message logging for journaling and policy enforcement use cases”

on page 138.

Administrators must also make sure that EV journaling is configured properly.

For more information on setting up archiving of journaled messages, see Installing

and Configuring Enterprise Vault 6.0.

Administrators can easily archive instant messages to Veritas Enterprise Vault.

IM Manager exports instant messages as formatted SMTP messages, and can be

configured to forward those messages to a Microsoft Exchange Journaling mailbox.

Once they are forwarded to Exchange Journaling, the messages can be processed,

indexed, archived, and made accessible for search and review by Enterprise Vault.

Enterprise Vault provides search capabilities through a web browser that allows

a user to search messages within any vault store.

To perform a web browser search on existing IM Manager instant messages

1 From a web browser, enter the following URL:

http://<ev server name>/EnterpriseVault/search.asp

2 If prompted, enter a domain\username and password in the dialog box.

3 Select the category Content, and then type IM.

4 Click the Search button to start the search.


Archiving public folders

Before Enterprise Vault can begin archiving public folders, administrators should

create an Exchange Public Folder Task for the Exchange server. When a public

folder root path is specified, all folders in that path are archived by default.

Administrators can refer to the Installing and Configuring Enterprise Vault 6.0

manual for more information. Alternatively, they can also view the Public folder

archiving, best practices topic in the Enterprise Vault online Help.

User desktops setup

Enterprise Vault provides three ways to grant users access to items in the archive

Vault. Administrators can deploy Vault User Extensions for Outlook, enable

Enterprise Vault shortcuts, or use the Enterprise Vault Web access application.

With User Extensions, an administrator can restrict or enable actions to determine

what a user is allowed to do with the installation of Enterprise Vault User

Extensions for Outlook. Users can archive emails, perform searches on multiple

archives, view, restore, delete items, and set access permissions on archive folders.

Administrators can refer to the Installing and Configuring Enterprise Vault 6.0

manual for complete instructions.

With Enterprise Vault shortcuts, users do not need User Extensions installed on

their desktops. The shortcuts give users browser access to archives, enabling them

to view, search, restore and delete items, but not to manually archive items.

See the Installing and Configuring Enterprise Vault 6.0 manual for more

information.

With the Enterprise Vault Web access application, users can search, view, restore,

and delete items in their archives by using their browsers. With this option, users

cannot manually archive items.

See the Installing and Configuring Enterprise Vault 6.0 manual for complete

instructions. Alternatively, see the Web Access application topic in the Enterprise

Vault online Help.

If users are allowed to delete from the vault, auditing must also be enabled.

Auditing logs information so that deleted items can be retrieved from backups,

if necessary. To disable the delete option, modify the desktopsettings.txt file.

Offline Vault provides users with the ability to view and retrieve items from their

Archives when they are disconnected from the Exchange Server. Offline Vault is

enabled automatically for any user that uses an Outlook .OST file. When a user

is working offline, all requests to retrieve items are re-routed to the Offline Vault.


Generating reports

Reports that are created by Exchange Mailbox and Exchange Public Folder Tasks

display the number and total size of items that are scheduled for archiving. In

addition, reports display the number of expired shortcuts that can be deleted.

Reports can be generated when enabling, disabling, or creating new mailbox

archives, to see how much space would be saved by enabling more mailboxes for

archiving. When running a task in Report mode, nothing is archived at the time

of the report run.

To generate a one-off report for individual mailboxes

1 Open the Mailbox Archiving Task properties for the Exchange Server.

2 Click the Schedule tab.

3 Under Run, click Run Now.

4 In the Run Now window, do the following:

■ Under Run Mode, click Report.

■ Under Number of mailboxes, click Select mailboxes.

5 In the Mailbox Filter window, provide the search information for the mailbox.

6 Click OK.

Reports are saved in the Enterprise Vault installation folder. The default

location is:

C:\Program Files\Enterprise Vault\Reports

Best practices for backing up and recovering Enterprise Vault

Enterprise Vault is a distributed application that installs software components

across multiple servers. To ensure a backup of Enterprise Vault, administrators

must back up the original deployment install directories and file sets, as well as

other critical components, such as MSMQ, IIS, SQL and Exchange.

For more information on this topic, see the Enterprise Vault Administrator’s Guide.

Regardless of the backup software used, an administrator must ensure that these

components are backed up properly.

See “Best practices for Symantec Backup Exec” on page 205.

The following Enterprise Vault components must be backed up:

■ Directory Service SQL database


■ Directory Service computer

Perform a full system and file backup, including registry

■ Index Service file locations

View Properties for each Service to locate install directories

■ Shopping Service files

View Properties for each Service to locate install directories

■ Vault Store SQL databases

■ Vault Store files

Use Enterprise Vault Admin Console to locate each Storage Service and the

vault store files

■ Enterprise Vault Servers

Perform a full system and file backup, including registry

It is recommended to shut down all Enterprise Vault services during backups.

Alternative methods exist that allow services and tasks to be placed in a read-only

state during backups.

For information about alternative methods for backup, see the Enterprise Vault

Administrator's Guide 6.0.

SQL Server database backup recommendations

As with any SQL database, it is important to have a daily backup plan in place,

and to monitor the amount of space allocated to the databases.

Administrators should review corporate policies and procedures and the SQL

Server best practices documentation to determine the acceptable levels of data

restoration, for example, point-in-time or point-in-failure. This documentation

review will also assist administrators to plan how frequently to run backups of

any database and all transaction logs.

The following backup schedules are recommended:

■ Back up all vault store databases daily after the main run of the Exchange

Mailbox task

■ Back up the Directory database at least weekly

■ Back up the Directory database transaction logs at least daily

■ Back up all system databases, especially Master and MSDB, after any change

For more information, search the Microsoft web site for information on best

practices for SQL Server backup.


Enterprise Vault recovery

Restoring an Enterprise Vault environment from backup requires multiple

considerations.

For a comprehensive discussion of what is required to properly restore an

Enterprise Vault environment see the Enterprise Vault Administrator's Guide 6.0.

Common Enterprise Vault challenges and solutions

Table 7-4 presents some of the challenges faced by users, and the solutions to those challenges.

Table 7-4 Solutions to common Enterprise Vault challenges

Challenge: End-users can keep large volumes of email and attachments stored in their Outlook clients. This can reduce Exchange Server performance, and add to the administrative tasks required to manage storage.
Solution: Enterprise Vault automatically moves older items from the Exchange Server to the Enterprise Vault archive. Administrators can specify the time to deploy the archive by utilizing age-based archiving policies or specific size-quota-based archiving policies. Administrators can give end-users the ability to archive manually by deploying client-side utilities, or can prevent end-users from changing any policy.

Challenge: End-users may delete important mail or data, either inadvertently or purposefully, to gain needed space on their local drives. This requires an administrator to restore the data, which can be costly and time consuming, especially if archives are stored off-site.
Solution: If end-users have their data archived by Enterprise Vault and client-side tools are deployed, users can restore directly from their Vault Store.

Challenge: End-users may keep their mailbox stored in local PST files instead of utilizing the corporate storage, which leads to greater mail storage requirements and data management overhead. IT Managers cannot manage email when it is stored in local PST files.
Solution: Existing data stored in local PST files can be migrated and archived to Enterprise Vault. End-users can retain access to their data by deploying client-side tools. Administrators can restrict the deployment of PST files to maintain a central storage of corporate data.

Challenge: Exchange Servers can require a longer backup window than what is available. In this case, a backup will fail unless the window is extended to accommodate the longer backup job.
Solution: Enterprise Vault’s mailbox archiving can reduce the Information Store size once archiving is enabled, which reduces the necessary backup window, and allows the backup job to run successfully.

Challenge: All mail must be maintained in a location where it can be accessed for legal discovery, auditing, or compliance purposes.
Solution: Enterprise Vault’s Journal archiving functionality, in conjunction with the Exchange Server Journaling option, can collect and archive all email sent or received by all users on each enabled Exchange Server. Sites can maintain a copy as long as required by law, or by internal policies.

Enterprise Vault usage

Table 7-5 lists guidelines for using Enterprise Vault.

Table 7-5 Enterprise Vault usage guidelines

Guideline: Set Enterprise Vault to restrict any new mailboxes from being archived automatically.
Description: From the Tools menu, you can select Enable Mailboxes and proceed through the wizard. When prompted to Automatically enable mailboxes, it is recommended that administrators not enable this option. Enabling the option can remove some flexibility in the administration of Enterprise Vault.

Guideline: Control which disks the Admin Service monitors.
Description: The Admin Service monitors all local disks by default, whether or not they are used by Enterprise Vault. If a disk that is not used by Enterprise Vault becomes too full, the Admin Service could shut down Enterprise Vault, even though Enterprise Vault has enough available space. In this case, the Admin Service can be stopped, if necessary, and set to restart without monitoring that disk.

To stop monitoring disks, open Services and select Pause or Stop the Enterprise Vault Admin Service.

Note: Do not stop the Admin Service unnecessarily. Enterprise Vault requires the Admin Service to be present at all times. If the Admin Service is stopped, all the other Enterprise Vault services on the same computer are also shut down.

Modify the behavior of the Admin Service by initializing the Admin Service with the following startup parameters:

■ To specify a list of disks to monitor (and to omit other disks), use the /DISKS=<list> parameter, where <list> is the list of disks that will be monitored. Do not include any spaces or tabs in the list value. The colon (:) in the disk name is optional.
For example, to monitor only disks C:, E:, and F:, type /DISKS=C:E:F:
■ To restore the default behavior (to monitor all disks), type /DISKS
■ To turn off monitoring for the next instance of the Admin Service, type /NOMONITOR
■ To turn on monitoring for the next instance of the Admin Service, type /MONITOR
■ To make a parameter apply every time the Admin Service starts, add the /SAVE parameter. For example:
/DISKS=C:E:F: /SAVE
/NOMONITOR /SAVE

Guideline: Force shortcut deletion to occur immediately instead of waiting for a scheduled deletion.
Description: Forcing shortcut deletion is useful for PST migrations in which older shortcuts need to be removed from mailboxes. For more information, review Site Properties on the Vault Store. Alternatively, see the Shortcut deletion topic in the Enterprise Vault online Help.

Guideline: Force archiving to process a specific mailbox.
Description: If a mailbox is not archiving, the archiving function can be forced to process only a specific mailbox, even if other mailboxes are enabled for archiving. To archive a specific mailbox, go to Site Properties > Schedule > Run Now, and then set Number of Mailboxes to Select Mailboxes.

Guideline: Archiving deleted items from the Deleted Items folder for a period of time.
Description: By default, messages within the Deleted Items folder will not be archived. Administrators can configure Enterprise Vault to archive the Deleted Items folder by doing the following:

■ Follow the directions in Editing Settings in the Enterprise Vault Administrator’s Guide.
■ Configure the Enterprise Vault Policy Manager scripting tool to apply a policy to the Deleted Items folder. A policy of 0 days can be created with a Janitor retention category specifying that these items are deleted from Enterprise Vault in a specified number of days.

Policy Manager allows administrators to apply settings to individual mailboxes more specifically than when the EV Administration Console is used.

For more information, see the Enterprise Vault Administrator’s Guide.

Guideline: Configure Enterprise Vault to run slower or faster as needed.
Description: By modifying the properties of the archiving task, administrators can force the update of the number of threads in the Exchange Mailbox task to reduce the impact on an Exchange server. The threads for off-peak periods can then be increased.

Guideline: Ignore some errors.
Description: The following errors can be ignored:

■ 8 byte boundary error from MSMQ Performance object
■ MSMQ has no privilege to create audit log
■ DCOM errors in system log after reboot

Guideline: Troubleshoot connectivity issues.
Description: If Exchange connectivity issues occur, locate the file fixmapi.exe on the Enterprise Vault server. Launch the executable file and then reboot the server.


Chapter 8

Enhancing Microsoft® Exchange Server availability

This chapter includes the following topics:

■ About Microsoft Exchange Server availability

■ Best practices for Veritas Storage Foundation for Windows

■ Best practices for Veritas Storage Foundation High Availability for Windows

■ Best practices for Symantec Backup Exec

About Microsoft Exchange Server availability

This chapter describes the Symantec availability solution within the network perimeter. The potential sources of disruption to email and Microsoft Exchange servers are so numerous that ensuring continuous availability of an Exchange email environment can be a daunting challenge.

Risks to email availability

As a critical component of IT service, Exchange email is subject to a number of risks.

Table 8-1 categorizes the major risks that threaten the continuous availability of Exchange email.

Table 8-1 Risks to email availability

Risk: Major disasters
Description: Severe weather or earthquakes can disrupt entire geographic regions for a prolonged period of time.

Risk: Localized disasters
Description: A power failure or fire can affect a local data center.

Risk: External data threats
Description: Spam, viruses and worms with the potential to bring down the server, either by attacking the operating system or the Exchange server, or by overloading the capacity of the Exchange server.

Risk: Hardware component failures
Description: The power supply to a storage subsystem, network router, or server can fail.

Risk: Logical data threats
Description: User errors, index corruption or application problems can result in data loss.

Risk: Exchange environment changes
Description: The Exchange application environment depends on many different components, which require constant maintenance. Maintenance includes: firmware updates, OS patches, capacity upgrades, preventative maintenance on storage hardware, and driver updates. These updates, while necessary to maintain the Exchange environment, can introduce instability and downtime.

Exchange service requirements

Microsoft Exchange is a resource-intensive application that often requires the

best server hardware and storage available to the datacenter. IT organizations are

painfully aware that Exchange data stores grow daily and can rapidly fill the most

expensive storage space on their network.

To meet ever increasing demands, IT organizations must ensure a resilient

foundation for the Exchange environment that can provide the following

functionality:

■ Storage management

Storage management systems allow IT to grow and shape Exchange storage

while keeping it available.

■ High availability clustering

Recent clustering technology allows the Exchange service to continue running

even after complete failure of an Exchange server.

■ Backup protection

Solid backup protection lets IT recover and restore data, even from a disaster.


Ensuring the availability of an Exchange service begins with providing all of this

functionality. In addition, administrators must be able to constantly monitor

these functions so that they can be alerted to potential problems. IT organizations

must continually assess whether their Exchange environment can deliver. If not,

organizations are risking Exchange downtime and sacrificing availability.

Symantec solution to ensure Exchange availability

The Symantec solution for Enterprise Messaging Management ensures high

availability for Microsoft Exchange with the following combination of products:

■ Veritas Storage Foundation™ for Windows®

This product provides the ability to monitor, manage, and grow Exchange

storage with a unified interface and without downtime. Storage Foundation

extends and enhances Windows with the industry’s leading volume

management technology. Administrators can configure, share and manage

storage for optimal performance and availability, creating a scalable foundation

for storage growth.

■ Veritas Storage Foundation™ High Availability (HA) for Windows®

This product adds Veritas™ Cluster Server to Storage Foundation, which allows

administrators to cluster critical applications and resources, and further

eliminates planned and unplanned downtime. Resource and application-specific

agents, including an agent for Exchange, monitor and manage the critical

components of the Exchange environment to ensure maximum application

availability.

■ Symantec Backup Exec™

This product provides Exchange server with complete backup protection,

ensuring that IT organizations can implement a complete disaster recovery

plan. Backup Exec together with Storage Foundation also enables off-host

backup, thus offloading the burden of backup processing from the Exchange

server.

Modular approach

The Symantec solution for Enterprise Messaging Management takes a modular

approach to ensuring email availability. Organizations can implement different

components in a phased approach, depending on their specific needs.

By implementing the Symantec availability solutions, IT organizations can ensure

the constant availability of their Exchange services, and protect their company’s

investment in the Exchange infrastructure. The products that comprise the

Symantec solution are Microsoft-certified, and are integrated into the Windows

environment. Symantec and Microsoft have collaborated to improve storage


manageability on the Windows platform. Veritas Storage Foundation builds on

the dynamic volume capabilities now native to the Windows platform.

Table 8-2 describes the necessary features for implementing high availability in

an Exchange environment.

Table 8-2 Symantec availability solution features

Symantec solution product: Storage Foundation
Product features:
■ Capacity monitoring that allows threshold alerts to be set over all Exchange storage. In the event of a triggered alert, notification can be sent to the administrator, or storage can be increased automatically, as set by policy.
■ Design storage configurations that use mirroring or mirroring/striping combinations to protect from the failure of a disk or array LUN.
■ Point-in-time image creation of storage groups for quick recovery from logical errors or data corruption.
■ In the event of a triggered alert, SNMP notification can be sent to the administrator or to management software, such as HP OpenView or IBM Tivoli, or storage can be automatically increased.

Symantec solution product: Storage Foundation HA for Windows (using Veritas Cluster Server)
Product features:
■ Hot-failover and load balancing of the Exchange server on up to 32 cluster nodes to provide high availability and performance scalability of the Exchange environment.
■ Ability to perform maintenance and testing by proactively moving application services to alternate servers in the cluster.
■ Ability to meet service level agreements (SLAs) by automatically monitoring application delivery, and failing over to alternative resources.

Symantec solution product: Backup Exec
Product features:
■ Special dedicated backup agents that integrate with the Exchange server, ensuring smooth operation of the back-up process with the Exchange service.
■ Single console interface to monitor backups regardless of how many backup servers are involved.
■ Off-host backup capability that natively integrates with Storage Foundation, providing extra backup protection and improved backup performance.


Best practices for Veritas Storage Foundation for Windows

Symantec provides best practices and recommendations for the deployment and

configuration of Storage Foundation in a Microsoft Exchange environment.

To implement Symantec availability products in an Exchange environment, IT

organizations should follow the instructions in the Symantec product

administration guides for Veritas Storage Foundation for Windows, Veritas Storage

Foundation High Availability for Windows, and Symantec Backup Exec.

The Veritas Storage Foundation and High Availability Solutions 4.3 Solutions Guide

for Microsoft Exchange is also useful for Exchange server configurations.

These guides, including this Symantec Yellow Book, provide recommendations

that will make the implementation of these products successful.

Challenges to managing Exchange storage

One of the more important considerations relating to the availability, security,

and performance of an Exchange environment is the definition and maintenance

of an efficient storage layout. The way in which storage is planned significantly

affects the Windows and Exchange environment. Optimally, administrators in

the Exchange environment should have the best tools to give them the most

flexibility and ease of use at their disposal.

Storage Foundation includes the following items:

■ Host-based storage virtualization

Through volumes and other storage abstractions, Storage Foundation provides

the ability to dynamically allocate new storage and perform data migrations

(while applications like Exchange remain on-line) across all types of disks

(whether ATA-, SCSI-, Fibre Channel-, or iSCSI-attached), including RAID

arrays. All Storage Foundation data and storage operations are transparent

to applications, such as Exchange, file systems, databases, and so forth.

■ Advanced Dynamic Disk support

Storage Foundation builds on the dynamic disk capability that Veritas built

into Windows 2000 and 2003 for Microsoft. Storage Foundation provides

mirrored stripes, concatenated mirrors, more than two mirrors, clustering

support, Windows-compliant disk multi-pathing, storage monitoring and

notifications, and other features.

■ Veritas FlashSnap™ option

This option provides a Microsoft approved (for Exchange), Volume Shadow

Copy Service (VSS)-compliant snapshot mechanism that can accelerate the

recovery of Exchange to a point in time or the point of failure through the use

of point-in-time snapshots. FlashSnap can also enhance backup performance

through alternative, host-accessible snapshots that are integrated with Backup

Exec’s Advanced Disk-based Backup Option (ADBO).

Storage Foundation solutions to Exchange store challenges

Table 8-3 describes the ways in which Storage Foundation solves the storage

challenges of the Exchange environment.

Table 8-3 Exchange storage challenges

| Challenge | Solution |
| --- | --- |
| Storage requirements are approaching Exchange server thresholds | Capacity monitoring: This feature monitors storage activity and provides alerts when storage levels reach pre-defined thresholds. Actions and Thresholds are fully user-definable. |
| Exchange server needs more storage | Dynamic Volume growth: Storage Foundation can increase the size of Exchange data stores manually or automatically without impacting the Exchange server. |
| Managing complex RAID configurations from multiple vendors | Enhanced RAID management: Storage Foundation can manage any block-level storage devices including FC, iSCSI, and DAS, all with a consistent, unified user interface. |
| Managing Exchange storage across different hardware vendors | Storage flexibility: Storage Foundation enables control of storage costs by providing maximum flexibility in storage choice. There is a single, consistent management interface to heterogeneous storage hardware such as Hitachi®, HP, and EMC®. Storage Foundation allows the use of inexpensive storage in a RAID configuration. |
| Tape restores do not provide a rapid recovery from an Exchange outage | FlashSnap snapshots: Provide point-in-time recovery from hard disk storage that is much faster than tape restores. FlashSnap snapshots are fully integrated with Windows Server 2003 Volume Shadow Copy Service (VSS). FlashSnap provides built-in VSS Provider and VSS Requester support to allow creation of Microsoft supported and approved snapshots. VSS integration ensures that the Exchange application is quiesced before taking a snapshot, ensuring high integrity snapshots for recovery. FlashSnap is also fault-tolerant as it prepares a full mirror copy and is not reliant on the original volume if it fails (as in the case of copy-on-write snapshots). |
| Backup window for Exchange is long due to processor load | Reduced backup window: Reduces the server load to Exchange by providing off-host backups. Off-Host backups can be performed from a secondary server location, thereby decreasing the processor load on the Exchange server. |

Storage Foundation implementation and usage recommendations

There are many tasks to consider when implementing Storage Foundation in an

Exchange environment. Administrators should use the following sequence of

tasks for a Storage Foundation implementation:

■ Study the Storage Foundation documentation and system requirements for

Microsoft Exchange.

■ Plan Exchange storage layout. (Layout examples are provided.)

See “Suggested Exchange storage group layout with Storage Foundation”

on page 189.

■ Deploy Storage Foundation in the Microsoft Exchange environment.

Storage Foundation documentation and prerequisites

The Veritas Storage Foundation for Windows Administrator Guide contains

information on storage technologies and how to best use them. It is also an

excellent resource for information on general storage management features,

capacity monitoring, and Auto Grow.

The Veritas Storage Foundation and High Availability Solutions 4.3 Solution for

Microsoft Exchange provides best practices regarding snapshot solutions for Quick

Recovery.

The following are Storage Foundation installation prerequisites:

■ Ensure that hardware, software, and system requirements are met.

■ Ensure that networking and firewall requirements are met.

■ Make available the license keys for the Storage Foundation options to be

implemented.

■ Perform a system reboot after installation of Storage Foundation.

These tasks are covered in the Veritas Storage Foundation for Windows Installation

and Upgrade Guide.

Plan the Exchange storage layout

Dynamic volumes and RAID play an integral part in providing reliability and

performance in the Exchange environment. There are different benefits for each

RAID type in relation to different Exchange objects.

For more information on the different RAID types, see the Veritas Storage

Foundation for Windows Administration Guide.

Administrators should also research the best practices regarding Exchange storage

layout. In addition to Microsoft documentation, the Veritas Storage Foundations

and High Availability Solutions 4.3 Solutions Guide for Microsoft Exchange is a

helpful resource for mapping out Exchange storage. The guide is available from

Symantec.

RAID volumes can be optimized in a variety of environments. For Exchange

environments with Storage Foundation, Symantec recommends the following

practices:

■ Increase read performance and failure tolerance with host-based mirroring

■ Plan disk group usage

■ View the suggested configuration of disk groups and volumes for an Exchange

server for help in planning Exchange storage layout.

See “Suggested Exchange storage group layout with Storage Foundation”

on page 189.

Increase read performance and failure tolerance with host-based mirroring

Administrators can use host-based mirroring of virtual disks to increase overall

system read performance and failure tolerance. In a mirrored configuration, read

requests are handled in a round-robin fashion. The round-robin algorithm

distributes read requests across all members, or plexes, of a mirrored volume.

Mirroring can increase read performance significantly.

Host-based mirrored volumes provide protection against hardware failures such

as I/O bus, host bus adapter, power and cooling, RAID controller, and disk.

Plan disk group usage

Table 8-4 describes two methods for use of disk groups.

Table 8-4 Disk group usage methods

| Method | Description |
| --- | --- |
| Use multiple disk groups | Storage Foundation defines labeled disk groups. Disk groups provide a way of organizing physical disks in a system into logical entities, which simplifies storage management for systems with large numbers of disks. Disk groups are useful for managing storage in clusters, as well as convenient for organizing and managing disk storage resources on an application basis. |
| Allocate disk groups in clusters | Storage Foundation is a group of disks that can be migrated from one cluster node to another as a unit. (Only entire disk groups migrate or fail over). The disks that hold a clustered application's data should belong to the cluster disk groups that are associated with that application. The disk groups should be part of the application’s resource group, so that failover can occur. In a cluster, each application that fails over independently of other applications should have its data stored on volumes in disk groups that are exclusive to that application. This allows an application’s storage to fail over with the application without having an adverse effect on other applications or their associated storage. |

Use Veritas FlashSnap option

The Storage Foundation FlashSnap option enables storage administrators to

create multiple point-in-time copies, or snapshots, of dynamic volumes. This can

be done with minimal impact on applications and users. The snapshot is a

broken-off mirror of the original volume and functions as an independent volume.

It can be retained on the same host or moved to another host. It can be merged

back with the original volume until another snapshot is implemented.

On-host snapshots can be used for quick recovery of an application, such as

Microsoft Exchange. Off-host snapshots allow users to perform resource-intensive

processes, such as application testing, decision support, data mining, and backups,

without affecting production servers and data.

Plan the Exchange storage groups

By using the following recommendations, administrators can better leverage the

functionality of Storage Foundation, including snapshots and Quick Recovery for

Exchange:

■ Database stores and transaction logs for each storage group must be stored

on disks contained within a single dynamic disk group.

■ Each database should be in a separate volume, but the volumes may share the

same dynamic disks.

■ Mailbox stores and public stores must be stored on separate volumes to enable

independent recovery.

■ Database stores and transaction logs must be in separate volumes in order to

perform a roll-forward recovery to the point of failure.

■ Database stores and transaction logs should be on separate disks so that disk

failure does not affect both the database stores and transaction logs.

■ Configure transaction logs in a redundant layout. The preferred software

layout is RAID 0+1 (mirrored stripes) volumes as this provides better read and

write performance than RAID 1 (mirrored) alone. The transaction log will

generate the most I/O and thus should use the highest performance disks

available.

■ Use the preferred layouts for the database stores, which are hardware RAID

5, software RAID 1 (mirroring) with logging (DRL) enabled, or software RAID

0+1 (mirrored striped).

FlashSnap option is not supported for software RAID 5 volumes.

■ Associate no more than six volumes with a storage group. One volume should

contain the transaction logs. Up to five other volumes may contain databases.

■ Move the components of the first storage group to new volumes off of the boot

drive. By default, the first storage group is mapped to the boot drive. A snapshot

image cannot be taken of the boot drive.

■ Use Exchange System Manager to move production databases and logs off of

the boot drive onto newly created volumes that are created with Storage

Foundation.

■ Use Exchange transaction logs to roll forward a database to achieve a

point-of-failure recovery. The circular logging option should not be enabled.

If circular logging is enabled, a database cannot be rolled forward to achieve

a point-of-failure recovery.

■ Optionally create another shadow copy set after an incremental tape backup.

Create this shadow copy set on a separate set of disks rather than refreshing

the shadow copy set taken after the full backup. This practice ensures that the

shadow copy set of a clean database is not being overwritten with an image of

a potentially corrupted database.

Note: As a quick recovery practice, Symantec recommends that administrators

create or refresh a shadow copy set immediately after a full tape backup of

Exchange. At this point, the database has been checked for corruption and the

transaction logs have been truncated. This ensures a clean database image.

Suggested Exchange storage group layout with Storage Foundation

Table 8-5 shows a sample configuration and layout to create the appropriate disk

groups and volumes in an Exchange environment.

Table 8-5 Example configuration for Exchange server EXCH1

| Exchange server | Exchange storage group | Dynamic disk group | Volume name | Drive letter | Volume content |
| --- | --- | --- | --- | --- | --- |
| EXCH1 | EXCH1_SG1 | EXCH1_SG1 | EXCH1_SG1_TLogs | T: (or Mount Point) | Volume for storing the Microsoft Exchange Server SG1 transaction log files |
| EXCH1 | EXCH1_SG1 | EXCH1_SG1 | EXCH1_SG1_DB1 | S: (or Mount Point) | Volume for storing the Microsoft Exchange Server SG1 database |
| EXCH1 | EXCH1_SG1 | EXCH1_SG1 | EXCH1_SG1_Pub | P: (or Mount Point) | Volume for storing the Microsoft Exchange Server public folders DB |
| EXCH1 | EXCH1_SG2 | EXCH1_SG2 | EXCH1_SG2_TLogs | J: (or Mount Point) | Volume for storing the Microsoft Exchange Server SG2 transaction log files |
| EXCH1 | EXCH1_SG2 | EXCH1_SG2 | EXCH1_SG2_DB1 | K: (or Mount Point) | Volume for storing a Microsoft Exchange Server SG2 database |
| EXCH1 | EXCH1_SG2 | EXCH1_SG2 | EXCH1_SG2_DB2 | L: (or Mount Point) | Volume for storing another Microsoft Exchange Server SG2 database |

In the example, the dynamic disk group EXCH1_SG1 is a concatenation of the

names of the Exchange server, EXCH1, and the Storage Foundation dynamic disk

group, SG1. SG1 corresponds to the first Exchange storage group for the EXCH1

server (Storage Group 1). The configuration assumes that two Exchange storage

groups and two databases are used in this configuration.
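
The storage group planning rules and the Table 8-5 layout can be checked mechanically before volumes are created. The Python sketch below is an added example, not Symantec code or part of Storage Foundation; the Volume record, the check_layout function, the physical disk names (Harddisk1 and so on), and the EXCH2 layout are constructed for illustration, and C: is assumed to be the boot drive.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Volume:
    name: str
    storage_group: str
    disk_group: str
    mount: str         # drive letter or mount point
    contents: tuple    # components held: "tlog", "mailbox_db", "public_db"
    disks: frozenset   # physical disks backing the volume (constructed names)


def check_layout(volumes, circular_logging, boot_drive="C:"):
    """Return sorted (storage_group, finding) pairs for each planning rule broken."""
    findings = []
    by_group = defaultdict(list)
    for v in volumes:
        by_group[v.storage_group].append(v)

    for sg, vols in by_group.items():
        # Stores and logs of one storage group belong to a single dynamic disk group.
        if len({v.disk_group for v in vols}) > 1:
            findings.append((sg, "volumes span more than one dynamic disk group"))

        # No more than six volumes: one for transaction logs, up to five for databases.
        if len(vols) > 6:
            findings.append((sg, "more than six volumes in the storage group"))
        log_vols = [v for v in vols if "tlog" in v.contents]
        if len(log_vols) != 1:
            findings.append((sg, "expected exactly one transaction log volume"))

        for v in vols:
            # Logs, mailbox stores and public stores each get their own volume,
            # and each database sits in a separate volume.
            if len(v.contents) != 1:
                findings.append((sg, f"{v.name}: must hold exactly one component"))
            # A snapshot image cannot be taken of the boot drive.
            if v.mount.upper().startswith(boot_drive.upper()):
                findings.append((sg, f"{v.name}: located on the boot drive"))

        # A single disk failure must not take out both databases and logs.
        log_disks = set().union(*(v.disks for v in log_vols))
        for v in vols:
            if v not in log_vols and v.disks & log_disks:
                findings.append((sg, f"{v.name}: shares disks with transaction logs"))

        # Circular logging prevents roll-forward to the point of failure.
        if circular_logging.get(sg, False):
            findings.append((sg, "circular logging is enabled"))
    return sorted(findings)


def vol(name, group, mount, content, *disks):
    """Build a volume whose dynamic disk group is named after its storage group."""
    return Volume(name, group, group, mount, (content,), frozenset(disks))


# Table 8-5 layout; the disk assignments are constructed, the table does not give them.
TABLE_8_5 = [
    vol("EXCH1_SG1_TLogs", "EXCH1_SG1", "T:", "tlog", "Harddisk1", "Harddisk2"),
    vol("EXCH1_SG1_DB1", "EXCH1_SG1", "S:", "mailbox_db", "Harddisk3", "Harddisk4"),
    vol("EXCH1_SG1_Pub", "EXCH1_SG1", "P:", "public_db", "Harddisk3", "Harddisk4"),
    vol("EXCH1_SG2_TLogs", "EXCH1_SG2", "J:", "tlog", "Harddisk5", "Harddisk6"),
    vol("EXCH1_SG2_DB1", "EXCH1_SG2", "K:", "mailbox_db", "Harddisk7", "Harddisk8"),
    vol("EXCH1_SG2_DB2", "EXCH1_SG2", "L:", "mailbox_db", "Harddisk7", "Harddisk8"),
]

# Constructed counter-example: first storage group left on the boot drive, mailbox
# and public stores sharing a volume, logs and stores on one disk, circular logging on.
BAD_LAYOUT = [
    Volume("First_SG_Logs", "EXCH2_SG1", "EXCH2_SG1", "C:", ("tlog",),
           frozenset({"Harddisk0"})),
    Volume("First_SG_DB", "EXCH2_SG1", "EXCH2_DATA", "E:",
           ("mailbox_db", "public_db"), frozenset({"Harddisk0"})),
]

if __name__ == "__main__":
    for label, layout, circular in (
        ("Table 8-5", TABLE_8_5, {}),
        ("EXCH2 (constructed)", BAD_LAYOUT, {"EXCH2_SG1": True}),
    ):
        problems = check_layout(layout, circular)
        print(label, "OK" if not problems else "")
        for sg, finding in problems:
            print(f"  {sg}: {finding}")
```

The Table 8-5 layout produces no findings; the constructed EXCH2 layout produces one finding for each rule it breaks.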

Deploy Storage Foundation in the Exchange environment

Storage Foundation is an integral part of the storage management infrastructure

in the Exchange environment. Symantec recommends installing Storage

Foundation on all Exchange mailbox servers in the Exchange environment before

installing any other product in the Symantec solution.

Administrators should read the Storage Foundation product documentation and

review the recommendations in this book to prepare for a deployment of Storage

Foundation.

Best practices for Veritas Storage Foundation High Availability for Windows

In the enterprise environment, high availability can describe any software or

hardware that provides fault tolerance. The term has become associated more

specifically with clustering. Clustered systems offer advantages, including fault

tolerance, high availability, scalability, simplified management, and support for

rolling upgrades.

The following sections describe concepts relating to Veritas Storage Foundation

High Availability for Windows and its clustering component, Veritas™ Cluster

Server. Also provided are best practices for the implementation of Veritas Cluster

Server 4.3 clustered solutions in an Exchange environment.

Challenges to clustering the Exchange environment

As a critical application, Exchange must be highly available to the organization.

Veritas Cluster Server, the clustering component for Storage Foundation HA for

Windows, can enable service availability with less than 52 minutes of downtime per

year. Clustering provides redundancy with a hot-failover mechanism to one of

the multiple server nodes within the cluster. This failover is mostly transparent

to users, which is a desirable configuration.

Storage Foundation HA for Windows solutions to Exchange clustering challenges

By capitalizing on the key strengths of Veritas Cluster Server, Storage Foundation

HA for Windows can do the following:

■ Automatically monitor all Exchange components and respond appropriately

in the event of a problem, failing over to other resources if necessary.

■ Allow administrators to proactively switch Exchange functions to other

resources to perform routine maintenance or upgrades on components, such

as server upgrades or OS patch applications.

Table 8-6 describes Exchange clustering challenges and how Veritas Cluster Server

meets the challenges.

Table 8-6 Exchange clustering challenges and Veritas Cluster Server solutions

| Challenge | Solution |
| --- | --- |
| Creating high availability regardless of hardware brand | With Veritas Cluster Server, up to 32 nodes can be clustered. Nodes can be configured as load balancing or failover. |
| Controlling costs of cluster hardware | Exchange servers can share passive nodes one at a time or as a group. |
| Troubleshooting Exchange problems without third-party programs interfering | Veritas Cluster Server can be removed temporarily from the Exchange environment to allow for troubleshooting, and then reinstated. |
| Clustering other applications in addition to Exchange | Veritas Cluster Server can cluster most applications. |
| Clustering different brands and types of server hardware | Veritas Cluster Server can cluster heterogeneous server hardware. Hardware does not need to be identical. |
| Clustering an existing Exchange server installation without reinstalling Exchange | Veritas Cluster Server can cluster the Exchange environment, even if Exchange is already installed. |
| Providing granular administrative rights | Veritas Cluster Server provides a detailed level of rights management of the cluster. |
| Using external storage hardware from different vendors | Veritas Cluster Server can cluster heterogeneous storage. |

About Storage Foundation HA for Windows

Veritas Storage Foundation High Availability for Windows (including both Veritas

Storage Foundation for Windows and Veritas Cluster Server) provides a framework

for application management and availability. Storage Foundation HA for Windows

lets administrators monitor systems and application services, and restart services

on a different system when hardware or software fails.

Veritas Cluster Server clusters

A Veritas Cluster Server cluster is composed of a set of systems that provide

scalability and high availability for specific applications. Veritas Cluster Server

monitors and controls the applications in a cluster, and can restart or move them

in response to a variety of hardware and software faults. A cluster consists of

multiple systems connected by a dedicated communications infrastructure. This

infrastructure enables cluster members to exchange information on the status of

cluster resources.

Each cluster has a unique cluster ID. Systems in a cluster are connected by

redundant cluster communication links. Clusters can have from 1 to 32 member

systems, or nodes. Applications can be configured to run on specific nodes within

the cluster. Nodes can be individual systems, or they can be created with domains

or partitions on enterprise-class systems.

Individual cluster nodes run their own operating system and possess their own

boot device. Each node must run the same operating system within a single Veritas

Cluster Server cluster.

Most applications in a cluster require access to shared application data for systems

hosting the application. Nodes sharing storage access are eligible to run an

application. Nodes without common storage cannot fail over an application that

stores data to disk.

Resources

Resources are hardware or software entities, such as disk groups and file systems,

network interface cards (NICs), IP addresses, and applications. Controlling a

resource means bringing it online (starting), taking it offline (stopping), and

monitoring the resource.

Service groups

A service group is a logical grouping of resources and resource dependencies. It

is a management unit that controls resource sets.

For example, a database service group may be composed of resources that manage

logical network (IP) addresses, the database management software (DBMS), the

underlying file systems, and the logical volumes. A database service group also

includes a set of physical disks managed by the volume manager (typically Veritas

Storage Foundation for Windows in a Veritas Cluster Server cluster).

A single node may host any number of service groups, each providing a discrete

service to networked clients. Each service group is monitored and managed

independently. Independent management enables a group to be failed over

automatically, or manually idled for administration or maintenance, without

affecting other service groups. If the entire server crashes, all service groups on

that node must be failed over elsewhere.

Veritas Cluster Server monitors each resource in a service group and, when a

failure is detected, restarts that service group. This could mean restarting it locally

or moving it to another node and then restarting it. The method is determined by

the type of failure. In the case of local restart, the entire service group may not

need to be restarted. Restarting a single resource within the group may be

sufficient to restore the application service.

Administrative operations are performed on resources, including starting,

stopping, restarting, and monitoring at the service group level. Service group

operations initiate administrative operations for all resources within the group.

For example, when a service group is brought online, all resources within the

group are also brought online. When a failover occurs in Veritas Cluster Server,

resources never fail over individually; the entire service group fails over. If there

is more than one group defined on a server, one group may fail over without

affecting the other groups on the server.

Agents

Agents are Veritas Cluster Server processes that manage resources of predefined

resource types according to commands received from the Veritas Cluster Server

engine, HAD. A system has one agent per resource type, which monitors all

resources of that type; for example, a single IP agent manages all IP resources.

When the agent is started, it obtains the necessary configuration information

from Veritas Cluster Server. It then periodically monitors the resources, and

updates Veritas Cluster Server with the resource status.

The agent provides the type-specific logic to control resources. The action required

to bring a resource online or take it offline differs for each resource type. Veritas

Cluster Server employs agents to handle this functional disparity between different

resource types. For example, bringing a disk group online requires importing the

disk group. Bringing a database online requires starting the database manager

process, and issuing the appropriate startup commands.

Veritas Cluster Server agents are multithreaded, which means a single Veritas

Cluster Server agent monitors multiple resources of the same resource type on

one host. For example, the IP agent monitors all IP resources.

Veritas Cluster Server monitors resources when they are online and offline to

ensure that they are not started on systems upon which they are not intended to

run. For this reason, Veritas Cluster Server starts the agent for any resource

configured to run on a system when the cluster is started. If no resources of a

particular type are configured, the agent is not started. For example, if there are

no Exchange resources in the configuration, the Exchange agent is not started on

the system.

Veritas Storage Foundation High Availability for Windows installation recommendations

While there are many tasks to consider when implementing Storage Foundation

HA for Windows in an Exchange environment, the following practices are essential

for a successful implementation:

■ Study the documentation and different cluster topologies

■ Meet hardware, network, and software requirements

■ Review installation preparation

For more information about these tasks, refer to the Veritas Cluster Server

Installation Guide and the Veritas Cluster Server Administration Guide. The Veritas

Storage Foundations and High Availability Solutions 4.3 Solutions Guide for

Microsoft Exchange also provides essential information on storage and cluster

configuration.

Storage Foundation documentation and different cluster topologies

Clustering is a critical service that must be highly reliable, but is technically

complex. Storage Foundation HA for Windows and Veritas Cluster Server provide

reliability while shielding IT organizations from the underlying complexity.

Storage Foundation HA for Windows provides tools to make it as easy as possible

to perform clustering tasks. However, software of this type requires planning

before any implementation can begin.

An understanding of the differences and advantages of the different cluster

topologies (active/active versus active/passive) is necessary to implement Veritas

Cluster Server in a particular Exchange environment. This Symantec Yellow Book

provides information on how to create an active/passive cluster environment,

and covers prerequisites for deploying the clustered Exchange solution, including

networking components and hardware configurations, such as static IP address

configuration and internal network card configuration.

Meet hardware, network, software, and configuration prerequisites

Table 8-7 lists Veritas Cluster Server hardware prerequisites in an Exchange

environment.

Table 8-7 Veritas Cluster Server hardware prerequisites

| Hardware component | Prerequisite |
| --- | --- |
| Three NICs | Recommend three NICs per cluster member. Two NICs are used exclusively for the private network. The remaining NIC is used for the public network. |
| SCSI, Fibre Channel, iSCSI host bus adapters (HBAs), or iSCSI Initiator-supporting NICs | Require one of these components to access shared storage from all systems in the cluster. All systems in the cluster must have the same HBA model and be configured at the same driver and firmware levels. |
| Shared disks | Require shared disks to support applications that migrate between nodes in the cluster. Verify that each system can access the shared storage. |
| Fibre Channel SAN (if used) | Ensure that Fiber Switch zoning is done correctly, if the cluster is using a Fibre Channel SAN, so that cluster nodes can access the correct, shared disks in the network. |

Table 8-8 lists the Veritas Cluster Server network prerequisites in an Exchange

environment.

Table 8-8 Veritas Cluster Server network prerequisites

| Network entity | Network prerequisite |
| --- | --- |
| Private NICs | Connect each private (cluster heartbeat) NIC through a separate hub or switch to avoid single points of failure. |
| Windows firewall | Disable the Windows firewall on systems running Windows Server 2003 SP1 and any other third-party firewall applications on the local nodes. |
| IP addresses | Obtain the following static IP addresses: one IP address for each physical server or node in the cluster; one IP address for each cluster; one IP address for each virtual Exchange server and any other clustered services. |
| Name resolution | Configure name resolution for each node. |
| DNS services | Verify the availability of DNS Services. Active Directory-integrated DNS or BIND 8.2 or higher are supported. |
| Reverse lookup zones | Make sure a reverse lookup zone exists in the DNS. Refer to the application documentation for instructions on creating a reverse lookup zone. |
| Lookup zones for subnets | Make sure that the DNS server has lookup zones defined correctly for all subnets within the network. Ensure that forward lookup and reverse lookup entries are created correctly. The zone type recommended is Active Directory Integrated. |
| DNS scavenging | Turn off (recommended) DNS scavenging for resource records corresponding to virtual servers configured as LanMan resources. DNS scavenging affects virtual servers configured in Cluster Server because the LanMan agent uses DDNS to map virtual names with IP addresses. Note: Administrators can add the static IP address of the virtual server node if they choose to turn on scavenging. |
| Active Directory Services | Verify that Active Directory Services are available. Make sure that an Exchange Forest preparation and Domain preparation is performed and that the Exchange schema is propagated based on the selected topology. |

The following software is required for Veritas Cluster Server in an Exchange

environment:

■ Windows 2003 Enterprise Server with Service Pack 1

Microsoft support for Microsoft Exchange Server 2003 is limited to 32-bit

versions of the Windows 2003 operating system.

■ Remote control software (for example, Symantec PC Anywhere™)

Remote control software helps manage remote servers.

■ Windows 2003 operating system installed on the same local drive on all nodes

The Veritas Cluster Server application agent for Microsoft Exchange requires

the operating system to be installed on the same local drive on all nodes. For

example, if Windows 2003 is installed on the C: drive of one node, installations

on all other nodes must be on their respective C: drives. Make sure that the

same drive letter is available on all nodes and that each node has adequate

space for the installation.

Table 8-9 lists the Veritas Cluster Server network configuration prerequisites in

an Exchange environment.

Table 8-9 Veritas Cluster Server network configuration prerequisites

| Action | Configuration prerequisite |
| --- | --- |
| Naming of public and private NICs | Establish a separate naming convention for public and private NICs to avoid confusion (Recommended). |
| Disabling settings | Disable TCP/IP and Microsoft File Sharing. Also disable the Client for Windows on the private heartbeat NICs. |
| Setting heartbeat NIC media type value | Set each Heartbeat NIC to 100MB Half Duplex. On Windows Server 2003, on the NIC Properties page, click Configure next to the adapter name. Then, on the Advanced tab, select Media Type in the property listing. In the Value drop-down list, select 100Mbps Half Duplex. |
| Setting the systems hardware driver signing level | Set the systems hardware driver signing level to Ignore. This ensures that Storage Foundation will validate the system during installation checks. |
| Configuring TCP/IP for clustering | Make sure every cluster server has its Internet Protocol (TCP/IP) properties configured to use the public NIC, with preferred and alternative DNS pointing to the same main DNS server. |

Review installation preparation

Symantec recommends that administrators prepare for installation with the

following best practices:

■ Ensure that the appropriate and identical OS level, Service Pack level, firmware,

and driver revisions are installed on all systems to be clustered. Check the

Symantec Veritas Cluster Server Hardware Compatibility List (HCL) and

Software Compatibility List (SCL) for tested and supported versions.

The Veritas Cluster Server HCL and SCL are available at the following URL:

http://support.veritas.com/menu_ddProduct_SFHFW_view_CL.htm.

■ Ensure that the necessary remote control software to manage your remote

servers is available.

■ Make a note of all the necessary IP addresses available before starting the

installation. Each system has an IP address, in addition to one for the Cluster

Service, and one for each instance of Microsoft Exchange.

■ Ensure that all network cards are configured for Auto Negotiate, and that the

speed and duplex mode are forced from both the NIC and the Switch port to

the preferred speed and duplex mode. All cards on the same network segment

must be configured identically.

■ Ensure that all systems are members of the appropriate domain and are

configured to connect to the same DNS server.

■ Ensure that the DNS server is appropriately configured for forward/reverse

lookup.

■ Ensure that DNS entries for each virtual Exchange Server to be installed are

created before installation.

■ Verify that all systems on which Exchange Server will be installed have

Microsoft IIS installed. SMTP, NNTP, and WWW services must be installed on

all systems. If Exchange is installed on Windows 2003, make sure to install

the ASP.NET service as well.

■ Ensure that the appropriate administrator(s) have proper access rights to

install Exchange.

See “Veritas Cluster Server Agent for Exchange permissions” on page 201.

See the Veritas Storage Foundations and High Availability Solutions 4.3 Solutions Guide for Microsoft Exchange for more information about cluster installation.

Best practices for configuring storage resources for Storage Foundation HA for Windows

Storage Foundation HA for Windows helps administrators configure Exchange

storage volume and disk groups. The following sections describe some of the best

practices for a clustered Exchange storage configuration.

Volume layout recommendations

Volumes for database files, transaction log files, and MTA and Exchange registry

replication for Veritas Cluster Server should be mirrored to separate hard drives

(physical disks) or arrays. For transaction logs, Symantec recommends RAID 1+0

(mirrored stripes) volumes for better performance.

The Veritas Cluster Server application agent for Microsoft Exchange requires at

least four volumes to be created per virtual Exchange server. One each is created

for the first Exchange database, registry replication information, transaction logs

(for the first storage group), and MTA data. These volumes must be accessible

from all cluster nodes.

Disk group layout recommendations

When creating Storage Foundation disk groups that will contain disks used by

clustered services, select the option to create a cluster disk group.

All volumes and cluster disk groups should be configured using Storage Foundation

from the same node.

Each Exchange storage group should have its own cluster disk group. If there are

four storage groups per Exchange virtual server (EVS), then there should be four

cluster disk groups.

Storage configuration example

Table 8-10 shows one example of a configuration and layout to create the

appropriate disk groups and volumes to maintain a high availability environment.

In the example, the cluster disk group EVS1_SG1 derives its name from the Exchange virtual server EVS1. SG1 refers to the Storage Foundation disk group that corresponds to the Exchange storage group (first storage group or storage group 1). Two Exchange storage groups and two databases are used in the example configuration.

This example includes Registry replication (RegRep) volumes in one of the

clustering disk groups.

Table 8-10 Example of disk groups and volumes for an Exchange virtual server

Volume content | Drive letter | Volume name | Cluster disk group | Exchange storage group | Exchange virtual server | Veritas Cluster Server service group

Volume that contains the list of registry keys that must be replicated among the cluster systems | R: | EVS1_RegRep | EVS1_SGI | not applicable | EXCHVS1 | EVS1

Volume for storing Microsoft Exchange Server MTA database for the Exchange Server | N: | EVS1_MTA | EVS1_SGI | not applicable | EXCHVS1 | EVS1

Volume for storing the Microsoft Exchange Server SG1 transaction log files | T: (or Mount Point) | EVS1_SG1_TLogs | EVS1_SG1 | EVS1_SG1 | EXCHVS1 | EVS1

Volume for storing the Microsoft Exchange Server SG1 database | S: (or Mount Point) | EVS1_SG1_DB1 | EVS1_SG1 | EVS1_SG1 | EXCHVS1 | EVS1

Volume for storing the Microsoft Exchange Server public folders DB | P: (or Mount Point) | EVS1_SG1_Pub | EVS1_SG1 | EVS1_SG1 | EXCHVS1 | EVS1

Volume for storing a Microsoft Exchange Server SG2 transaction log file | J: (or Mount Point) | EVS1_SG2_TLogs | EVS1_SG2 | EVS1_SG2 | EXCHVS1 | EVS1

Volume for storing a Microsoft Exchange Server SG2 database | K: (or Mount Point) | EVS1_SG2_DB1 | EVS1_SG2 | EVS1_SG2 | EXCHVS1 | EVS1

Volume for storing another Microsoft Exchange Server SG2 database | L: (or Mount Point) | EVS1_SG2_DB2 | EVS1_SG2 | EVS1_SG2 | EXCHVS1 | EVS1

Note: Additional storage groups (such as EVS1_SG2_DG) only contain data and

log volumes. The RegRep and MTA volumes are included only in the first storage

group.
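The volume and disk group recommendations above, expressed as a layout check in Python. This is an added example, not code from this Yellow Book or from Storage Foundation; the Volume class, the role labels, check_layout and the disk names are hypothetical, and the sample layout is constructed from the naming in Table 8-10. It also applies the recommendation to keep transaction logs on separate physical disks from the database.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, List

REQUIRED_ROLES = {"database", "tlogs", "regrep", "mta"}  # minimum set per virtual server
FIRST_GROUP_ONLY = {"regrep", "mta"}                     # kept in the first disk group only


@dataclass(frozen=True)
class Volume:
    name: str
    role: str               # database | tlogs | regrep | mta (hypothetical labels)
    disk_group: str         # Storage Foundation cluster disk group
    storage_group: str      # Exchange storage group, "" where not applicable
    mount: str              # drive letter or mount point
    disks: FrozenSet[str]   # physical disks or arrays behind the volume


def check_layout(volumes: List[Volume], first_disk_group: str) -> List[str]:
    """Return findings where the layout departs from the recommendations."""
    findings = []
    for role in sorted(REQUIRED_ROLES - {v.role for v in volumes}):
        findings.append(f"no {role} volume defined")

    groups_of_sg = defaultdict(set)   # storage group -> disk groups it uses
    sgs_of_group = defaultdict(set)   # disk group -> storage groups it holds
    mounts = defaultdict(list)        # mount -> volume names
    for v in volumes:
        mounts[v.mount].append(v.name)
        if v.storage_group:
            groups_of_sg[v.storage_group].add(v.disk_group)
            sgs_of_group[v.disk_group].add(v.storage_group)
        if v.role in FIRST_GROUP_ONLY and v.disk_group != first_disk_group:
            findings.append(f"{v.name}: {v.role} volume belongs in {first_disk_group}")

    # Each Exchange storage group should have its own cluster disk group.
    for sg, groups in sorted(groups_of_sg.items()):
        if len(groups) > 1:
            findings.append(f"storage group {sg} spans disk groups {sorted(groups)}")
    for dg, sgs in sorted(sgs_of_group.items()):
        if len(sgs) > 1:
            findings.append(f"disk group {dg} holds storage groups {sorted(sgs)}")
    for mount, names in sorted(mounts.items()):
        if len(names) > 1:
            findings.append(f"mount {mount} assigned to {sorted(names)}")

    # Transaction logs must not share disks with a database of the same storage group.
    for log in (v for v in volumes if v.role == "tlogs"):
        for db in (v for v in volumes
                   if v.role == "database" and v.storage_group == log.storage_group):
            shared = log.disks & db.disks
            if shared:
                findings.append(f"{log.name} and {db.name} share {sorted(shared)}")
    return findings


def vol(name, role, dg, sg, mount, *disks):
    return Volume(name, role, dg, sg, mount, frozenset(disks))


# Constructed layout modelled on Table 8-10; disk names are hypothetical.
GOOD = [
    vol("EVS1_RegRep", "regrep", "EVS1_SG1", "", "R:", "disk1", "disk2"),
    vol("EVS1_MTA", "mta", "EVS1_SG1", "", "N:", "disk1", "disk2"),
    vol("EVS1_SG1_TLogs", "tlogs", "EVS1_SG1", "SG1", "T:", "disk3", "disk4"),
    vol("EVS1_SG1_DB1", "database", "EVS1_SG1", "SG1", "S:", "disk5", "disk6"),
    vol("EVS1_SG2_TLogs", "tlogs", "EVS1_SG2", "SG2", "J:", "disk7", "disk8"),
    vol("EVS1_SG2_DB1", "database", "EVS1_SG2", "SG2", "K:", "disk9", "disk10"),
]

# Same layout with three mistakes: MTA in the second disk group, SG2 logs on
# the SG2 database disks, and a reused drive letter.
BAD = GOOD[:1] + [
    vol("EVS1_MTA", "mta", "EVS1_SG2", "", "N:", "disk1", "disk2"),
    GOOD[2], GOOD[3],
    vol("EVS1_SG2_TLogs", "tlogs", "EVS1_SG2", "SG2", "K:", "disk9", "disk10"),
    GOOD[5],
]

if __name__ == "__main__":
    for label, layout in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_layout(layout, "EVS1_SG1") or "no findings")
```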

After the storage configuration for the Exchange cluster portion of the installation

is implemented, verify the following information:

■ Disk group is imported on the first node of the cluster

■ Volume containing the information for registry replication (EVS1_SG1_Regrep in the table) is mounted

Clustered Microsoft Exchange deployment solution

During deployment of a clustered Exchange solution, make sure that the user for the preparation, installation, and post-installation phases of Exchange implementation remains the same. In addition, make sure that the cluster ID is unique if one or more clusters exist on the same subnet.

Veritas Cluster Server Agent for Exchange permissions

Verify that the following is true for the administrator that is responsible for

installing Veritas Cluster Server in an Exchange environment:

■ The administrator must be a domain user.

■ The administrator must be an Exchange Full Administrator.

■ The administrator must be a member of the Exchange Domain Servers group.

■ The administrator must be a member of the Local Administrators group for all nodes where he or she is installing Veritas Cluster Server Agent for Exchange.

■ The administrator must have write permissions for objects corresponding to

installation nodes in the Active Directory.

■ The administrator must have delete permissions on the object, if a computer

object corresponding to the Exchange virtual server exists in the Active

Directory.

■ The administrator must be an Enterprise Administrator, Schema Administrator,

Domain Administrator, and Local Machine Administrator to run ForestPrep.

In addition, the administrator must be a Domain Administrator and Local

Machine Administrator to run DomainPrep.

The HAD Helper domain user account should have the Add workstations to domain

privileges setting enabled in the Active Directory.

To verify that the HAD Helper domain user account is set up as recommended,

complete the following steps:

■ Click Start > Administrative Tools > Local Security Policy on the domain

controller to launch the security policy display.

■ Click Local Policies > User Rights Management and make sure the user account

has this privilege.

Microsoft Exchange and Veritas Cluster Server Exchange Agent installation recommendations

The Storage Foundation and High Availability Solutions 4.3 for Microsoft Exchange

Solutions guide contains checklists of installation prerequisites in the following

sections:

■ Installing Exchange on the first node

■ Installing Exchange on additional nodes

The prerequisites describe new installations of Microsoft Exchange. Make sure

that all items in the checklist are completed on all Exchange nodes before installing

the Veritas Cluster Server Exchange Agent on the nodes.

Installing Microsoft Exchange on the first node

In addition to the installation prerequisites provided in the Storage Foundation

and High Availability Solutions 4.3 for Microsoft Exchange Solutions guide, the

following installation recommendations can help administrators successfully

install Exchange on the first node:

■ Administrators who are installing Exchange 2003, but do not want to install

Exchange Server Service Pack 1 as part of the installation process, can obtain

SP1 installation steps from the Veritas Storage Foundation for Windows

documentation.

■ After a virtual name has been assigned to the Exchange server, it cannot be

changed unless Exchange is uninstalled from the Veritas Cluster Server

environment and then reinstalled.

To ensure proper failover in the cluster before moving a database to shared storage

1 Open Veritas Storage Foundation for Windows and import the cluster Disk

Group on the local node.

2 Mount the volumes for the Exchange database, MTA data, and transaction

logs.

3 Assign a drive letter to the volumes.

Microsoft Exchange installation on additional nodes

In addition to the installation prerequisites provided in the Storage Foundation

and High Availability Solutions 4.3 for Microsoft Exchange Solutions guide, the

following installation recommendations can help administrators successfully

install Exchange on additional nodes:

■ When installing Microsoft Exchange Server 2003 on additional nodes,

administrators must use the disaster recovery switch on the second node.

■ Administrators who are installing Exchange 2003 on additional nodes, but do

not want to install Exchange Server Service Pack 1 as part of the installation

process, can obtain SP1 installation steps from the Veritas Storage Foundation

for Windows documentation.

Post-deployment recommendations

After installing Microsoft Exchange, Symantec recommends the following

post-deployment practices:

■ Change the admin password for the Veritas Cluster Server console.

■ Do not use the virtual name or virtual IP address when connecting and

administering a cluster node through Storage Foundation HA for Windows.

Connecting to a computer from the Veritas Enterprise Administrator (VEA)

GUI using a virtual name or the virtual IP address causes the VEA GUI to

display the computer name of the cluster node that currently owns the virtual

name and IP resources. Therefore, use the actual computer name or the IP

address of the cluster node instead.

■ When running Veritas Cluster Server in Exchange environments, always store

the anti-virus/anti-spam definitions update log on the shared disk device. This

ensures that any node running Exchange has up-to-date virus and spam

signatures.

Symantec Mail Security for Microsoft Exchange on Veritas Cluster Server systems recommendations for use

The following list describes recommendations for use of Symantec Mail Security

for Microsoft Exchange on a system in a Veritas Cluster Server-managed cluster:

■ When installing Symantec Mail Security for Exchange, ensure that the

Symantec Mail Security for Exchange binaries are installed using the same

drive letter and directory location on each node in the cluster that will run

Exchange services. Also ensure that the virus signatures and quarantine queues

are stored in directories local to each node in the cluster, which is the default.

■ After installing Symantec Mail Security for Exchange on each cluster node,

the Symantec Mail Security for Exchange service Startup Type value should

be set to Automatic, by using the Windows Services Manager.

■ After installing Symantec Mail Security for Exchange, freeze the Exchange

Service Group in the Veritas Cluster Server and add a process agent resource

to control the Symantec Mail Security for Exchange service. If there are

multiple Exchange virtual servers, repeat for each Exchange group.

To do this, create a process resource for each Symantec Mail Security for

Exchange service in the Exchange Service Group. Generic Services should not

be used because of concurrency issues.

No additional resource should be created to control the spam statistics

gathering process (SAVFMSESpamStatsManager). The service should not be

started (which is the default) because the best practice is to perform spam

filtering at network gateways, not on Exchange servers.

■ Use the Veritas Cluster Server vcsgensvc.vbs script to control the services for

the online, offline, and monitor attributes. The absolute path to the script must

be included in the attribute value. It must also be prefixed by the word

cscript.exe. The following is an example:

cscript "c:\program files\VERITAS\Cluster Server\bin\samples\process\vcsgensvc.vbs" online SMSME

■ Use the service name (SMSME) to control the service. Place it as the argument

after the online, offline, or monitor directive. The virtual name attribute, as

listed in the LanMan resource, follows the SMSME argument for only the

monitor attribute value (cscript "c:\program files\VERITAS\Cluster Server\bin\samples\process\vcsgensvc.vbs" monitor SMSME <virtualname>).

■ In the Veritas Cluster Server Management console, connect dependencies for

the SMSME resource where the Information Store resource is a parent to the

SMSME resource and the SMSME resource is parent to the System Attendant

resource. The Information Store Resource should also continue to depend on

the System Attendant.

■ If Symantec AntiVirus™ Corporate Edition is not being used to update virus

signatures, configure a post-offline trigger to restart the Symantec Mail

Security for Exchange services. This ensures that updates to virus signatures

can be maintained on passive Exchange nodes.

■ If Symantec AntiVirus™ Corporate Edition and Symantec Mail Security for

Microsoft Exchange are both present on the clustered Exchange nodes, all

directories for Veritas Cluster Server should be excluded from virus scanning.

In addition, all Exchange directories (local and shared storage) should be

excluded. For more information on configuration in an Exchange environment,

see the Symantec AntiVirus Corporate Edition and Symantec Mail Security for

Microsoft Exchange documentation.

Note: For more information on configuring Symantec Mail Security for Exchange,

including information about registry key path information and how to keep virus

definitions up to date for non-active nodes, contact Symantec Professional Services.

Also, review the latest knowledge base article at the following URL:

http://library.veritas.com/docs/281043

Best practices for Symantec Backup Exec

The cornerstone of any availability solution is its backup and recovery plan.

Choosing a reliable backup product is important to every IT organization. Backups

may be the last line of defense against data loss.

This section describes best practices for using Symantec Backup Exec. It also

includes best practices for using Backup Exec with Veritas Enterprise Vault.

EMM environment backup challenges

IT organizations are faced with the need to ensure continuous business

communications. The loss of a single message may generate hours of unnecessary

labor for system administrators. Email or instant message loss can lower

productivity, even slowing the progress of the entire organization.

Microsoft Exchange and IM Manager server data protection challenges include

the following backups:

■ Windows operating system and system state

■ Exchange server application directory

■ Exchange databases

■ Enterprise Vault

■ IM Manager Data

A secure backup plan is a critical component in a complete availability solution

for any enterprise messaging management environment.

Symantec Backup Exec solution to Exchange backup and recovery challenges

Symantec Backup Exec and Backup Exec Agent for Microsoft Exchange Server

meet the criteria for fast, flexible, and reliable Exchange Server data protection.

Backup Exec has supported Microsoft Exchange since its introduction in 1996,

and supported Windows Server operating systems since their introduction in

1992. Backup Exec provides established experience and proven reliability in the

Exchange server market.

Backup Exec is an easy-to-use product. It integrates with Windows operating

systems and provides native agents for Microsoft Exchange backup. Native backup

agents for Microsoft® SQL Server are also available.

Table 8-11 lists the Exchange backup challenges that Backup Exec addresses.

Table 8-11 Exchange backup challenges and Backup Exec solutions

Exchange backup challenge | Backup Exec solution

Administering multiple backup jobs | Backup Exec has the ability to manage all backup jobs from a single console.

Administering multiple backup servers | Backup Exec provides centralized management of all media servers (tape or disk) with the Centralized Administration Server option.

Ensuring optimal Backup performance | Backup Exec can load balance backup jobs.

Restoring Exchange databases quickly and accurately | Backup Exec Restore can automatically dismount the Exchange database. This feature ensures that a valid database is brought on line quickly when traditional or snapshot backups are performed.

Ensuring the integrity of snapshots | Backup Exec has integrated Snapshot protection with consistency checks. This feature leverages Microsoft virtual snapshot (VSS) technology to provide on-host or off-host backup from consistent snapshot image.

Leveraging Exchange Recovery Storage Groups | Backup Exec can perform mailbox or message level restores from a full, incremental or differential traditional backup without requiring the installation of a separate Exchange 2003 server.

Providing flexible levels of backup | Backup Exec can protect Exchange data at the individual storage group, database, or mailbox level, and with full, incremental, copy, or differential backups.

Backing up all Exchange components | Backup Exec supports the protection of multiple databases on a single Exchange 2000 or Exchange 2003 server.

Performing hot Exchange backups | Backup Exec can transparently integrate an online, or hot, Exchange Server 5.5, Exchange 2000, and Exchange 2003 server backups within regularly scheduled network backup routines.

Relocating Exchange databases | Backup Exec can relocate any database to another server or storage group with the move database (MDB) relocation feature.

Reducing the size of Exchange data stores | Backup Exec can store single instances of attachments to eliminate backing up redundant copies of files that are sent to large numbers of users. This reduces the time required to perform mailbox backups and reduces the amount of media required to protect the Exchange environment.

Staging data for backup | Backup Exec has an Automated Data Staging feature that can quickly back up and recover Exchange Server databases or transaction logs by staging backups to disk or RAID system prior to a nightly full or differential to tape.

Supporting clustered Exchange servers | Backup Exec supports cluster fail-over in a Veritas Cluster Server environment, providing improved fault tolerance.

Supporting SANs | Backup Exec has a LAN-Free Exchange Server backup feature that supports storage area networks (SAN), with the SAN Shared Storage Option. This increases backup and recovery performance over a fiber channel or iSCSI network.

Ensuring reliable backups | Backup Exec uses the native Exchange Server Backup APIs and Messaging APIs for reliable Exchange protection.

Providing off-host backups | Backup Exec supports off-host backups in conjunction with the Advanced Disk-based Backup Option (ADBO) to eliminate the backup window. This support frees the Exchange server to serve its users 24x7x365 and perform backups at any point in time. For more information on ADBO, go to the following URL: http://eval.veritas.com/mktginfo/products/White_Papers/Data_Protection/BE_SFW_Quick_Recovery_Off-Host_Backup_Bundle.pdf

Backup Exec installation recommendations

While there are many tasks to consider when implementing a backup and recovery

solution in an Exchange environment, the following practices and considerations

are essential for a successful backup and recovery plan:

■ Obtain licenses for Backup Exec components

■ Become familiar with Backup Exec documentation

■ Version considerations for Backup Exec

Obtain licenses for Backup Exec components

Licenses for the required options of Backup Exec must be purchased and specified

during the Backup Exec installation. To protect the complete solution described

in this Symantec Yellow Book document, licenses are required for the following

Backup Exec components:

■ Backup Exec Agent for Microsoft Exchange

■ Backup Exec Agent for Microsoft SQL Server (for backing up the Enterprise

Vault SQL Server database).

■ Backup Exec for Windows Servers

Optionally, if an enterprise wants to use the Advanced Disk-based Backup Option

(ADBO) for off-host backups of Exchange and SQL, a separate license for that

option must also be specified during installation.

A license for one tape drive is included with each license of Backup Exec for

Windows Servers. A separate license is also required if more than one tape drive

is to be used for backup. For each additional tape drive, whether standalone, in

an autoloader, or in a robotic tape library, a Library Expansion Option (LEO) license

is required.

Information on Backup Exec licensing is contained in the Symantec Backup Exec™ for Windows Servers Quick Installation Guide.

Become familiar with Backup Exec documentation

Symantec Backup Exec provides comprehensive documentation to create and

implement a backup and recovery plan with Exchange environments. IT

organizations considering the installation of Backup Exec should become

thoroughly familiar with the following guides:

■ Symantec Backup Exec™ for Windows Servers Administrator’s Guide

■ Symantec Backup Exec™ for Windows Servers Quick Installation Guide

Version considerations for Backup Exec

The Symantec solution for Enterprise Messaging Management was tested using

the latest version of Backup Exec (10d). The features described in this section are

available in Backup Exec starting with version 10.0.

Symantec recommends using the latest version available. If an earlier version of

Backup Exec is currently in use in the Exchange environment, an upgrade to the

current version (10d) is recommended.

After the Backup Exec software and necessary licenses are purchased, refer to

the Symantec Backup Exec™ for Windows Servers Quick Installation Guide for

information on upgrade instructions.

Best practices for backup and recovery in Exchange environments

Symantec recommends a number of best practices for configuring and using

Backup Exec with Exchange 2003. For more information on backing up, restoring,

and disaster recovery of Exchange, and configuring users, media sets, and backup

devices, refer to the Symantec Backup Exec™ for Windows Servers Administrator’s

Guide.

Backup preconfiguration tasks

To use Backup Exec in Exchange environments, at least one Backup Exec Media

Server is required. The Media Server must have backup storage devices (disk or

tape devices) connected to the network.

Before using Backup Exec in an Exchange environment, make sure the following

tasks are performed:

■ Provide network and rights access to Backup Exec servers

■ Disable Write Caches on Fibre Channel, SCSI or iSCSI controllers

■ Disable circular logging

Provide network and data access to Backup Exec clients from Backup Exec servers

The Backup Exec Media Server must have access to all of the systems it will protect.

In addition, the Backup User account must have proper permissions to carry out

a backup or restore operation.

Disable Write Caches on Fibre Channel, SCSI or iSCSI controllers

Windows does not use buffers, so when Exchange (or other applications) receives

a write-complete notice from Windows, the write-to-disk action has already been

completed. If Write Cache is enabled, Windows responds as though a write-to-disk

has been completed, and will provide this information to Exchange (or other

applications) incorrectly. A system failure that occurs before the operation is

actually written to disk could cause data corruption.

Disable circular logging

Circular logging minimizes the risk of filling the hard disk with transaction log

files. However, if a solid backup strategy is in place, transaction log files are purged

during the backup, thus freeing disk space. If circular logging is enabled,

transaction log histories are overwritten, and incremental and differential backups

of storage groups and databases are disabled. Recovery is possible only up to the

point of the last full or copy backup.

Types of backups in an Exchange environment

The optimal type of Exchange backup to use varies depending on the size of the

Exchange environment, the number of transactions processed each day, and the

recovery time target desired.

Table 8-12 describes the different types of Backup Exec backups, their Exchange

recovery advantages and disadvantages, and their effects on Exchange data

structures.

Table 8-12 Backup Exec backup types

Backup type | Impact on Exchange data storage

Full | Full backups are the best way to back up the entire information store, the directory database, and the transaction logs. Many organizations run full backups on a weekly basis, as they prefer to run incremental backups throughout the week to keep backup run time to a minimum. The trade-off with this technique occurs at recovery time when recovery must begin with restoring from the full backup, and then restoring each subsequent incremental backup. After full backups, administrators can choose whether or not to purge the transaction logs.

Incremental | Incremental backups are used to provide more frequent recovery point options throughout the day and to manage log file growth. In an incremental backup, the transaction logs that were created since the last full or incremental backup are backed up. Once the logs are backed up, the log files are purged.

Differential | Differential backups back up only if the transaction log files are not purged.

Brick level | Brick-level backups back up each mailbox separately and back up the folders and messages. Performing brick-level backups allows administrators to restore a single mailbox or single folder. Some organizations use brick-level backups only for designated mailboxes. These recoveries are also very I/O intensive. They can take much longer to recover than standard file recovery operations.
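The restore-chain trade-off in Table 8-12 and the recovery limit described under "Disable circular logging", worked through as an added Python example (not code from this Yellow Book or from Backup Exec). It assumes full and incremental jobs purge logs while differential and copy jobs do not; the Backup class, the function names, the hour offsets and the WEEK schedule are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

DB_IMAGE = {"full", "copy"}                 # jobs that contain the database files
LOG_ONLY = {"incremental", "differential"}  # jobs that contain transaction logs only
PURGES = {"full", "incremental"}            # assumption: these jobs purge logs afterwards


@dataclass(frozen=True)
class Backup:
    kind: str
    taken: int      # hours since the start of the schedule (constructed unit)
    logs_from: int  # hour of the oldest log still on disk when the job ran


def build_catalog(schedule: Iterable[Tuple[int, str]],
                  circular_logging: bool = False) -> List[Backup]:
    """Replay a schedule of (hour, kind) jobs and record the log range each one holds."""
    catalog, purge_point = [], 0
    for taken, kind in sorted(schedule):
        if kind not in DB_IMAGE | LOG_ONLY:
            raise ValueError(f"unknown backup type: {kind}")
        if circular_logging and kind in LOG_ONLY:
            continue  # log history is overwritten, so these job types are disabled
        catalog.append(Backup(kind, taken, purge_point))
        if kind in PURGES:
            purge_point = taken
    return catalog


def restore_plan(catalog: List[Backup], failure_at: int) -> Tuple[List[Backup], int]:
    """Return the backups to restore, in order, and the recovery point they reach."""
    usable = [b for b in catalog if b.taken <= failure_at]
    images = [b for b in usable if b.kind in DB_IMAGE]
    if not images:
        raise LookupError("no full or copy backup exists before the failure")
    base = max(images, key=lambda b: b.taken)
    plan, covered = [base], base.taken
    while True:
        # Log backups whose range starts at or before what is already restored
        # and that move the recovery point forward.
        candidates = [b for b in usable
                      if b.kind in LOG_ONLY and b.logs_from <= covered < b.taken]
        if not candidates:
            return plan, covered
        best = max(candidates, key=lambda b: b.taken)
        plan.append(best)
        covered = best.taken


def summarize(plan: List[Backup]) -> List[str]:
    return [f"{b.kind}@{b.taken}h" for b in plan]


# Constructed schedule: one full, daily incrementals, one midday differential.
WEEK = [(0, "full"), (24, "incremental"), (48, "incremental"),
        (60, "differential"), (72, "incremental")]

if __name__ == "__main__":
    for circular in (False, True):
        plan, point = restore_plan(build_catalog(WEEK, circular), failure_at=70)
        print(f"circular_logging={circular}: restore {summarize(plan)}, "
              f"recovery point {point}h, {70 - point}h not covered by backups")
```

With circular logging enabled the plan collapses to the last full or copy backup, so the gap between the recovery point and the failure grows from hours to days on the same schedule.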

Best practices for ensuring successful backups

To ensure successful backups, Symantec recommends the following practices:

■ Perform trial restores.

■ Test the backup and recovery dependencies.

Ensure that the Exchange System Manager is working.

Ensure that the domain controllers maintain contact with the Exchange server

during a backup.

■ Back up the necessary items and make copies of those items that will aid in the

event of a disaster recovery. Document everything, including any custom

configurations to the Outlook Web Access (OWA) logon page with forms-based

authentication. Store a copy of the certificates used for HTTPS and SSL along

with the private keys. A best practice for these items is to copy them to a

separate server for Disaster Recovery.

■ Understand the pros and cons of backing up the System State

Symantec recommends backing up the System State as part of a complete

disaster recovery solution. This includes the OS, the boot files, the Registry

and the COM+ class registration database.

■ If the Exchange environment is running a domain controller, then the Active

Directory database and the SYSVOL directory should also be backed up. If

running in a cluster, administrators must have the quorum resource recovery

log and the cluster service resource registry checkpoints.

If installed, the Certificate Services database should be backed up.

■ For ease of disaster recovery, create a replica of the EFORMS Registry folder

in a public folder store or in a different routing group.

■ When using Backup Exec with clustered Exchange servers, backups should

include the System State of all nodes in the cluster.

Importance of online backups

Online backups perform operations one database file at a time. As each database

file is transferred to the backup medium, Exchange performs a cyclic redundancy

check. If there are problems with the data, the backup stops and the event is

logged. Administrators do not have the capability to do this type of check with a

regular offline backup.

It is not a good practice to delete transaction logs manually. Administrators who

are only doing offline backups will not be able to automatically purge the

transaction logs. However, it is good practice to run a daily maintenance schedule

with the Information Store Service. Once archived, this will remove deleted

messages and mailboxes and perform online defragmentation. Defragmentation

will not run if the backup process is running on any database in the storage group.

Schedule backups and IS maintenance to run at different times.

Optimizing backup and recovery performance

Symantec recommends that administrators follow these practices with Microsoft

Exchange to ensure the most efficient backup and recovery performance:

■ Locate transaction log files on separate physical disks from the database.

Separating transaction log files from the database is the single most important

configuration detail affecting the performance of Exchange servers. This

configuration detail also has recovery implications, because transaction logs

provide an additional recovery resource (enabling up-to-date email recovery).

■ Archive (or expunge) HTTP, SMTP, IMAP protocol logging directories. Exchange

will not automatically wrap these log files. If not archived, these logs can grow

large quickly.

■ Periodically check the BadMail directory of any significant SMTP servers in

the Exchange environment. The directory is located at \Program Files\Exchsrvr\Mailroot\vsi1\Badmail. Because of the manner in which SMTP

messages are logged, customers might see hundreds of these files a week, if

there are failed SMTP relay attempts. Such files can almost always be safely

deleted.

■ Check mailbox usage as part of an overall backup and recovery strategy. One

method is to use Exchange System Manager to simply export mailbox usage

information to a text file. Over time administrators can use this data to get a

quick trend analysis, and look for any unusual patterns that might impact

performance. Administrators will also get a look at mailboxes that have

exceeded their storage capacity, or are getting near that point.

Off-host backup usage recommendations

Performing a full system backup of a server is a CPU-intensive activity that can

limit the availability of Exchange email. Using Shadow Copy Sets for off-host

backup provides the ability to offload this processor-intensive activity from the

Exchange server to a secondary staging server. The staging server is then used for

a full backup process. Creating a Shadow Copy will put less strain on the Exchange

server than a full backup.

Before backing up using Shadow Copy Sets, make sure the following conditions

are met:

■ The Advanced Disk-based Backup option is selected during Backup Exec

installation.

■ The staging server is equal in capacity to the Exchange server.

■ The Backup Exec Agent for Microsoft Exchange is installed on the Exchange server.

A shared storage environment (such as a Fibre Channel or iSCSI SAN, or at least

a shared SCSI bus) is required.

Best practices for Enterprise Vault backup

When companies implement Veritas Enterprise Vault and want to use Backup

Exec for Enterprise Vault backup and recovery operations, the following additional

practices are essential for a successful backup and recovery plan:

■ Observe the best practices to back up critical Enterprise Vault components

identified in the table below.

■ Determine the backup window for Enterprise Vault.

■ Ensure that Enterprise Vault services are in the correct service state during

backup.


■ Return registry keys to read-write mode after backup event completes, if

necessary.

Enterprise Vault critical components

Enterprise Vault has several critical components that must be backed up to ensure

complete restore capability.

Table 8-13 identifies some of the best practices associated with these components.

Table 8-13 Enterprise Vault components that are critical to backup operations

Component: SQL databases

■ EVEnterpriseVaultDirectory: Stores structural information about the Enterprise Vault system architecture.

■ Vault store: Stores the individual databases for each store that Enterprise Vault users create.

Both types of databases use the naming convention EV<store name>.

Best practice: Back up all databases with the name EV<store name>. Schedule an SQL backup just before the main backup job. After the SQL backup is complete, point the main backup process to the destination directory of the SQL backup, thereby allowing backup of the backup.

Component: Indexes

By default, the indexing engine stores its index files in Program Files\Enterprise Vault\Indexing.

Best practice: Always use the Enterprise Vault Administration Console to obtain the actual location, as the Program Files\Enterprise Vault\Indexing location can be customized.

Component: Shopping baskets

When users perform a search of the Vault, they have the option to group items from their search results logically in what the application calls a “shopping basket”. The Enterprise Vault application saves these baskets as individual files that are stored by default in Program Files\Enterprise Vault\Shopping.

Best practice: Like the indexing location, the shopping basket location can also be customized. Therefore, always use the Enterprise Vault Administration Console to obtain the current location of these shopping baskets.

Note: Some organizations elect not to back up shopping baskets because they do not contain any email messages. They only contain pointers to message IDs.

Component: Vault stores

Archived email and instant messages are stored as individual files in an elaborate directory structure starting with the name of the vault store. For example, a typical directory structure might be:

\Enterprise Vault Stores\<vault store name>\<year>\<month>\<date>\<GMT hour>\<file>

Note: Enterprise Vault is being used to vault both Exchange email and Instant Message data from IM Manager. During the creation of the backup job, the administrator should ensure that both types of vault data are selected for backup.

Best practice: Always back up the entire Vault Store folder structure so that all email and instant messages can be restored properly with the vault store databases pointing to the appropriate locations. To obtain the file location of a vault store, use the Enterprise Vault Administration Console. Some organizations with multiple Vault Stores may have Vault Stores spread across different drives and media types. Stores are not always grouped under a single directory structure on one drive. Always back up each Vault Store’s full directory structure daily.

Component: License key

The license key is saved as a text file in the Program Files\Enterprise Vault\ directory.

Best practice: Only one backup copy is necessary, as the license key does not change over time. This file does not need to be backed up daily. The file naming convention of the license key is Keys_<servername>.txt.

Backing up Microsoft SQL Server

Backup Exec incorporates online, non-disruptive SQL database protection as part

of everyday backup routines, which increases the chance of data recovery and

minimizes data loss without inhibiting daily database activity. Using database,

differential, and log backups provides a good balance between backup windows,

and minimizes the amount of time that will be spent recovering a database.

To decide which backup methods to use for the best data protection, consider the

following typical environments:

Small environment: Consider running a daily full database backup every evening and daily transaction log backups.

Mid-sized environments: Consider running a weekly full database backup and daily transaction log backups along with daily differential backups except on the day when the full backup is run.

Large environments: Consider running daily differential database backups, weekly full database backups, and transaction log backups as necessary. Many shops run full backups on a weekly basis, preferring to run differential backups throughout the week to keep backup run time to a minimum. Extremely large environments may need to run file group backups in order to split the full backup over several days. Log backups are required to be able to recover a system from a file group backup.

The trade-off with running fewer full backups with more differential backups

occurs at recovery time. The last full database backup must be restored along with

the last differential database backup and all subsequent log backups. The method

with the best outcome is determined by factors such as the size of the environment,

the number of transactions processed each day, and the expectations of users

when a recovery is required. It is also considered a best practice to separate SQL

backup jobs from other backup jobs.
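The recovery-time trade-off described above, as an added example that is not part of the original Yellow Book or of Backup Exec: given a backup catalog, it selects the last full backup, the last differential taken after it, and every later log backup. The Backup record, the catalog layout, and the two sample schedules are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Backup kinds named in the text above.
FULL, DIFF, LOG = "full", "differential", "log"


@dataclass(frozen=True)
class Backup:
    kind: str           # FULL, DIFF or LOG
    finished: datetime  # completion time in the (hypothetical) catalog


def restore_chain(catalog, target):
    """Return the backups to restore, in order, to reach the most recent
    recoverable state at or before `target`.

    Rule from the text: the last full backup, then the last differential
    taken after that full, then all subsequent log backups.
    """
    usable = sorted((b for b in catalog if b.finished <= target),
                    key=lambda b: b.finished)
    fulls = [b for b in usable if b.kind == FULL]
    if not fulls:
        # Without a full backup there is nothing to apply the others to.
        raise ValueError("no full backup at or before the target time")
    base = fulls[-1]
    chain = [base]

    # Only differentials taken after the chosen full are relevant.
    diffs = [b for b in usable if b.kind == DIFF and b.finished > base.finished]
    if diffs:
        chain.append(diffs[-1])

    # Logs are replayed from the last restored full/differential onward.
    start = chain[-1].finished
    chain += [b for b in usable if b.kind == LOG and b.finished > start]
    return chain


def build_catalog(start, days, full_on, diff_on):
    """Constructed sample catalog: a 12:00 log backup every day after day 0,
    plus a 22:00 full or differential on the listed day numbers."""
    catalog = []
    for day in range(days):
        midnight = start + timedelta(days=day)
        if day > 0:
            catalog.append(Backup(LOG, midnight + timedelta(hours=12)))
        if day in full_on:
            catalog.append(Backup(FULL, midnight + timedelta(hours=22)))
        elif day in diff_on:
            catalog.append(Backup(DIFF, midnight + timedelta(hours=22)))
    return catalog


START = datetime(2024, 1, 7)  # constructed week, day 0 is a Sunday

# "Small environment": full backup every evening, daily log backups.
SMALL = build_catalog(START, 7, full_on=set(range(7)), diff_on=set())

# "Mid-sized environment": weekly full, daily differentials and logs.
MIDSIZED = build_catalog(START, 7, full_on={0}, diff_on={1, 2, 3, 4, 5, 6})

# Constructed failure time: day 4 at 15:00.
FAILURE = START + timedelta(days=4, hours=15)

if __name__ == "__main__":
    for name, catalog in (("small", SMALL), ("mid-sized", MIDSIZED)):
        chain = restore_chain(catalog, FAILURE)
        print(name, [(b.kind, b.finished.isoformat()) for b in chain])
```

The daily-full schedule needs two restore steps for the same failure, the weekly-full schedule three; replacing the differentials with logs only would lengthen the chain by one log restore per day since the full backup.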

Backup, restore and recovery strategies are presented in more detail in the

Symantec Backup Exec™ for Windows Servers Administrator’s Guide.

The following items are required for the SQL Agent:

■ Backup Exec must have access rights to read both of the following SQL registry

keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server

HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer

■ If Backup Exec does not have access to these registry keys, a restore to the

default directory may not work, and the Automate master database restore

option on the Restore Job Properties for SQL dialog box will not work.

■ To ensure that Backup Exec has access rights, verify that the logon account

used has Administrator rights to the Windows server on which the SQL instance

is installed.

■ The media server must have access to the SQL installation.

■ The credentials stored in the Backup Exec logon account used for backing up

and restoring SQL must have been granted the System Administrator role on

the SQL instance.

■ To back up SQL, use a Backup Exec logon account that stores the credentials

of a Windows user account. The Windows user account must have been granted

the System Administrator role on the SQL instance.

■ If SQL Server Authentication is being used, add a Backup Exec logon account

that stores the credentials of the SQL user account. In the backup selections


list, apply the Backup Exec logon account for the Windows user account to the

Windows server that SQL is installed on, and then apply the logon account for

the SQL user account to the SQL instance.

More information regarding backing up, restoring and disaster recovery of SQL

can be found in the Symantec Backup Exec™ for Windows Servers Administrator’s

Guide.

Determine the backup window for Enterprise Vault

Determine the backup window, which is the best time for backing up Enterprise

Vault data and the Enterprise Vault SQL data. These components have pre- and

post-backup operation procedures that must be executed. These times are used

when setting up the schedule for the backup jobs.

Change Enterprise Vault service states for backup

During a backup, a user or process must not add new data to the Enterprise Vault

archives, as integrity will be lost between the databases, indexes, and Vault Stores.

A backup (and restore) should represent a single snapshot, to which the server

can revert. Therefore, to preserve data integrity, most organizations shut down

their Archiving, Retrieval, Journaling, Public Folder, Shopping, Storage, and

Indexing services during the allocated time for backups. Then restart them when

the backup is complete.

Some organizations may want to leave the services running during a backup. Such

organizations have the option to shut down only the key components of the storage

and indexing services that affect backup integrity. The Admin, Directory, Storage,

Indexing, and Shopping services can be left running. Users will be able to access

archived messages from both Outlook and the search application.

To accomplish this, an administrator must create Registry keys to control specific

components of the storage and indexing services that affect backup integrity.

After these keys are created, the administrator must change specific keys so that

those services change to read-only mode before a backup event occurs.

Restore Registry keys to read-write mode

If administrators have created Registry keys to disable Archiving, Public Folder,

and Journaling services during backup, they must return the keys to read-write

mode after the backup event has completed successfully for Enterprise Vault to

return to normal operation.

Registry key creation and modification tasks can be done with automated scripts,

and can be scheduled to run by the Windows scheduler. Scheduling backups and

having a backup window that allows backup operation before the scheduled


read-write revert script runs will allow successful backups of the Enterprise Vault

archives.

These scripts are described in the Enterprise Vault Administrator's Guide, and are

available from Symantec technical support services.

Backup Exec allows the running of a script (or command file) before and after a

backup via pre- and post-commands. This could simplify the pre- and post-backup

process. Refer to the Symantec Backup Exec Administrator’s Guide for more

information about configuring pre- and post-commands.

Enterprise Vault backup sequence

Table 8-14 shows the sequence of tasks that summarize the process for backing

up Enterprise Vault with Backup Exec.

Table 8-14 Enterprise Vault backup sequence for Backup Exec

Step 1: Schedule the Enterprise Vault pre-backup task to run at the start of the backup window.

Step 2: Create a backup policy to back up the following during the backup window, allowing 15 minutes for the Enterprise Vault Pre-backup task to run:

■ Enterprise Vault

■ Enterprise Vault SQL database

■ IM Manager SQL database

■ IM Manager .XSL file

■ Exchange data

Step 3: Create a selection list within Backup Exec to back up the vault stores, indexes, shopping and license key information, as described in the Enterprise Vault documentation. Be sure to include all vaults for both Exchange email data and IM Manager instant message data.

Step 4: Create a selection list within Backup Exec to back up the SQL databases for Enterprise Vault, the IM Manager SQL database, and the SQL master database.

Step 5: Create a policy to back up the Enterprise Vault data, and create a template that has scheduling information that will start the backup 15 minutes after the pre-backup script has run.

Step 6: Ensure the Reset Archive Bit operation is selected in Backup Exec (default).

Step 7: Create one of the following backup policies:

■ A policy to back up the Enterprise Vault-related SQL data that is scheduled to run when other jobs are not running

■ A policy to back up the Enterprise Vault-related SQL data that backs up to a separate resource and can be done in parallel with other backup jobs

Step 8: Schedule the Enterprise Vault post-backup task to run at the end of the backup window.


Chapter 9

Regulatory compliance and legal discovery for email and instant messaging management

This chapter includes the following topics:

■ About regulatory compliance

■ Email and instant messaging life cycle management

■ Considerations for data reduction

■ Considerations for threat reduction

■ Considerations for record retention

■ Considerations for discovery

About regulatory compliance

In the past two decades, email has evolved from a simple, quick method of personal communication to a de facto record archive for business transactions and operations. In addition, business organizations have seen a steep rise in the use of instant messaging (IM) as a form of communication. IM has also become a critical business communications tool for many companies. Businesses need to consider the record of IM conversations much in the same way as they consider email.

Whether communications happen in the form of an email or an instant message,

these messages serve as detailed transaction records for businesses. These

messages are critically valuable as evidence in a court of law, and proof that

companies are following compliance regulations. They are also a record of implied

business transactions, and a source for identifying violations of internal company

policies.

Consequently, modern business organizations are storing and guarding legacy

email and instant message conversation records for years. This is done to comply

with external rules and internal corporate governance guidelines. This relatively

new regulatory practice has increased the cost of storage required to retain legacy

email and instant message records, as well as added complexity to enterprise

message management.

The need to prepare for discovery and to enforce corporate policies creates the

necessity for companies to establish messaging controls for email and IM.

Regulatory compliance is making it mandatory for organizations to implement

IT controls and processes for message management. In particular, companies

need to effectively store, protect, and search legacy email and instant message

conversation records. Whenever a message is sent by business personnel, or

received at an organization’s email or IM gateway, it must be controlled, monitored,

protected, and managed.

If an organization is unable to comply with regulatory requirements or its own

internal policies governing email and instant messaging, the use of email and

instant messaging may be banned. In practice, this type of prohibition is rarely

implemented for email communication, and is more likely to be applied to instant

messaging communication. However, most organizations have begun to embrace

instant messaging as an important business communication tool.

Note: The impact of regulatory compliance mandates varies greatly between

regulations, industries, and individual companies. The implementations of the

Symantec™ solution for enterprise message management that are recommended

in this Symantec Yellow Book may not apply to all organizations.

Moreover, IT organizations must deal with a wide array of non-email or instant

message electronic records. Discussion of regulatory compliance as it relates to

these other types of electronic records, as well as the impact of specific regulations,

is outside the scope of this chapter.

Email and instant messaging life cycle management

Management of regulatory compliance and legal discovery requirements has

brought new considerations and requirements for email and instant messaging.

From the time a message is either sent by an individual in the organization or

received at the gateway, it must be managed through each phase of its life cycle.

At some point in time, the message is deleted and permanently destroyed, in

accordance with the relevant business policy or regulation.

There are numerous regulations relating to records retention that require email

and instant messages be archived. In addition to archiving the messages, the

ability to subsequently search archived messages and to provide this information

in a timely manner to support legal discovery is also required.

The following factors should be considered when developing a message retention

and retrieval implementation:

Data reduction: Message data reduction involves the automated, proactive removal of spam and spim (spam received over IM). Today, these unsolicited and unwanted messages consume the majority of message volume on the Internet. Reducing unwanted message volume in a business enterprise will greatly reduce the presence of non-business-related information in message archives.

Threat reduction: Email and instant message threat reduction involves stopping phishing attacks, viruses, worms, and restricted content before these threats reach the organization’s network and message servers.

Record retention: Message retention is the automatic capture and secure storage of email, instant messages, and attachments sent or received by business personnel. An organization’s message retention policy must also allow for subsequent expiration and deletion of retained messages, based on the organization’s established regulatory policies. Determining what messages are retained, and for how long, is a vital consideration.

Discovery: Organizations must comply with possible legal obligations, should a court of law demand access to specified email or instant message records. Message discovery is the process of searching and classifying archived message content to meet these requirements.

Backup: Email backup is typically a required, regularly scheduled process. Backups entail copying and archiving email content and attachments to offline media, and storing email archives at secure locations, both onsite and offsite. Similarly, logs of instant message conversations may also be backed up. Determining what part backup plays in the overall compliance strategy has important implications for both regulatory compliance and legal discovery.


Considerations for data reduction

Managing spam and spim, non-business email, and instant messages is a challenge

to business organizations. Although tougher government legislation and

enforcement of anti-spam laws is ongoing, this unwanted communication still

exists as a major problem. Comprehensive email messaging management solutions

enable organizations to significantly reduce the effects of spam and spim on

business email traffic and server throughput.

Companies must take definitive steps to maintain normal email business

communications despite growing spam volumes. They must also be aware of how

spam may impact regulatory compliance.

The risks associated with unwanted messages are many. Left ignored, spam and

spim could create the following risks or concerns for your business:

■ Large amounts of non-business-related messages can negatively impact the

ability of business personnel to be responsive to requests for historical email.

Particularly with email, when a significant amount of spam is present, email

discovery becomes more difficult. Whether stored messages are located in an

inbox, a PST, or an archive, the presence of spam can result in additional time

and cost to complete discovery.

■ The content of unsolicited and unwanted messages is a serious concern. Spam

and spim are frequently used as a launching vehicle for viruses, worms, and

other malicious content. These threats use ever-changing forms of deception,

such as phishing and other social engineering schemes, to expose confidential

information. Depending on the success of the attack, and the type of

information obtained, it can put company computers and information at risk.

■ Spam and spim content is commonly malicious, inappropriate, or not conducive

to business. Mailboxes on corporate email servers, instant message

conversations, or messages in archives with inappropriate, illegal content, are

potential liabilities for companies.

■ Computers that have been compromised by malicious software can be used by

spammers to anonymously steal use of company equipment. This can

significantly increase a company's hardware and bandwidth costs. Inside an

organization, these so-called zombie computers can generate spam messages

without the knowledge or approval of business management.

Spam and archiving

Since regulations do not provide clear guidance on how to handle unsolicited

messages such as spam, deleting these messages may not be advisable. It may be

appropriate for some businesses to archive spam and spim messages as a matter


of caution. In this case, the messages would still be filtered before reaching the

recipient’s Inbox, but would be archived instead of deleted.

Through the integration of Symantec™ Mail Security 8200 appliance and Veritas

Enterprise Vault™, the Symantec Enterprise Messaging Management solution

allows spam to be automatically redirected to an archive.

Considerations for threat reduction

As email and instant message communication grows in importance as a

business-critical service, there is a corresponding evolution of related threats.

The primary delivery vehicle for malicious attacks into modern business

organizations is through email and instant messaging.

The benefits of taking steps to proactively filter and provide messages that are

free of viruses, worms, and other malicious code are apparent to most

organizations. However, the connection between these threats and regulatory

compliance is not as obvious.

Malicious code most commonly attempts various forms of deception and fraud

that are targeted at individuals and organizations. In addition, the methods used

to transmit malicious content in both email and instant messages are continually

evolving and employ more sophisticated exploits.

Maintaining a message archive that is clean of viruses, phishing attempts, and

other types of malicious code is important. This not only reduces the possibility

that malicious code could be accidentally executed by recipients, but also prevents

the inadvertent release of confidential company or individual information.

Considerations for record retention

In most unregulated industries, deciding what business messages must be archived

is often a subjective process. An organization needs to consider not only regulatory

requirements, but also the practicality of implementing the policy.

A definition of what constitutes record and non-record messages, and what needs

to be preserved, should be established, along with the regulatory compliance and

legal discovery requirements. Typically, executive management, the legal

department, and outside legal counsel jointly determine what constitutes record

and non-record messages.

Each business, through examination of the current regulations, must interpret

how these regulations apply to their enterprise and industry. It is clearly beyond

the scope of any single group or person to determine what constitutes record and

non-record messages.


The role of the IT organization in meeting compliance needs to be considered as

part of an enterprise-wide compliance- and risk-management program. The duties

of IT are still critical to the success of any regulatory compliance program. In the

United States, the courts recognize and expect that IT management plays a vital

role in message-preservation efforts. In some cases, IT professionals may be called

upon to testify in court about their message-preservation efforts and policies, and

to demonstrate due diligence in their processes.

When developing a compliance program, it is highly recommended that an

organization include legal expertise both from inside and outside the organization.

Applying policies across the organization

Once policies are established for the business, a strategy for implementation must

be developed. Symantec recommends that enterprises identify how current

regulations apply, and which policies, schedules, and procedures are required for

specific business units and specific individuals. Alternatively, IT can implement

the required policies, schedules, and procedures for everyone in a uniform manner

across the entire enterprise.

When it comes to compliance and message retention, individual business units

may have different requirements for managing internal records. By identifying

key business units that generate or receive email and instant messages that are

subject to retention requirements, specific policies can be put in place for each

business unit.

As with business units, compliance requirements for specific roles within a

business can vary. Specific titles or scopes of authority may require different

email or instant message archiving requirements.

When scrutinizing individuals, it is worthwhile to consider the importance of

implementing legal holds on an individual’s email and instant message

communication. In order to avoid reliance on an individual's follow-up actions to

achieve compliance with a legal hold, it may be necessary to automatically archive

all an individual's communications. An automatic-hold mechanism is a more

effective method than the alternative, which is to instruct individuals to retain

all messages that may potentially pertain to a matter undergoing litigation.

Organizations can also opt to take a uniform approach by archiving messages for

all email and instant message users, regardless of their role or organization. By

applying the same policies and procedures across the entire company, all

communications are captured. The benefit is that all sent and received messages

are archived regardless of sender, content, origin, and destination. However,

depending on the size of the organization, and type of regulations, this approach

may be neither feasible nor advisable.


Applying the same policies and procedures across the entire company may have

the following drawbacks:

■ Email and instant messages may be retained for longer periods than required.

■ Non-essential email and instant messages may be retained.

■ Potentially relevant messages may not be recovered in a timely, cost-effective

manner.

Discovery and records retention

Retention of relevant message data for long periods of time requires sufficient

system, storage, and networking resources. Any decision that a business makes

about what, where, and how to archive email and instant messages plays a direct

role in determining hardware requirements.

It is important to consider potential discovery requirements to which the business

may be subject. Companies must be prepared to produce records for legal discovery

upon demand, and a large message archive could make discovery more challenging.

The need to analyze potentially irrelevant messages that still match search criteria

could adversely affect the time, cost, and accuracy of the discovery effort.

Message retention schedules and procedures should be relevant to the particular

industry or business, and the applicable regulations. An intensive assessment of

these considerations should be made before deciding how to implement a message

retention system.

Considerations for discovery

Companies must be prepared to produce records for legal discovery upon demand.

The following considerations are key in the message discovery process:

Completeness: Ensuring that search results are accurate, and flagging all relevant messages

Time: Responding to discovery requests in the time allotted

Cost: Reducing logistical and cost issues when responding to discovery requests

The process of evaluating the risk trade-offs and determining a suitable balance

of each of the factors is different for each industry, business, and situation.


Completeness of process

Thoroughness in a discovery search is critical. This includes the accuracy of the

search results in flagging all message content that is potentially relevant to the

specific discovery request, subpoena, or litigation.

Organizations are required to turn over all relevant information over which they

have custody, regardless of its location. Discovery of relevant message content

can involve multiple search locations, including personal computers, laptops,

email servers, spam quarantines, backup servers, archive servers, and offline disk

or tape. Without a coordinated and automated approach to message management,

discovery can be a challenging task.

With email, the message or messages being searched for are not necessarily

contained in a user’s inbox, but could also be located in locally stored PST email

archives or in offline backups. With instant messages, there are similar

considerations. Instant messages may be logged locally on end-user machines.

These logs may also get backed up as part of regular user backups, so searching

backups needs to be considered. Even if email and instant messages are being

centrally archived, it is important to consider that these archives may not be the

only location from where a message record might be recovered.

Timeliness of response

Responding to discovery requests in a fixed amount of time is a common

requirement. While the amount of time spent identifying and producing requested

messages depends on what is requested, turnaround time can be impacted in other

ways.

Preventing non-business information from populating an archive is an important

goal. Having fewer personal and non-business-related messages cluttering the storage

space enables an organization to improve search times and the average number

of search hits. The ideal result is a much higher percentage of relevant information

with every discovery search that is performed.

The accessibility of email and instant messages stored in archives is an important

consideration. Inaccessible messages archived on offline media or stored on

individual computers in PST files are significantly more difficult to search for

than messages stored in an automated online archive.

Cost efficiency

It is important to reduce the cost of responding to discovery requests. A message

retention plan should exist to manage discovery requests in a way that is minimally

disruptive to the business, including the individuals, business units, or groups involved

in the discovery.

Being able to minimize the number of individuals that need to be actively involved

in responding to the discovery is beneficial. By having a message retention policy

and automatic enforcement mechanisms in place, the burden of taking additional

steps to recover and protect any potentially relevant messages is removed from

individuals.

Being able to minimize the number of locations, including systems and physical

locations, is critical. Itemizing, locating, and examining systems for potentially

relevant messages, or recovering data from offline media can be costly. Having a

comprehensive message retention system in place may substantially reduce the

number of locations in which a copy of a potentially relevant message may exist.

By archiving email and instant messages, the process required to search for and

recover potentially relevant messages may be simplified.

About the role of backup

The need to provide regular backup and restore services for Exchange servers is

a well-established requirement for most IT organizations. However, the

relationship between backup and regulatory compliance is not necessarily

straightforward.

Although backups provide a periodic snapshot of the message records that reside

on an organization’s servers, reliance on backup alone may be inadequate. Backups

can create the following areas of exposure:

■ Backups are periodic.

Backups only provide access to messages existing on the server at the time

the backup was created.

■ Backups contain unfiltered data.

Backups contain everything in the inbox, not just what may be required by

company policy for compliance.

■ Backups are difficult to search.

Backups often require lengthy restore operations to stage the email back to

an Exchange server before the actual search can be performed. Discovery in

backup message archives often results in inefficient and time-consuming searches.

■ Backups are typically kept offline.

Backups must be restored to an online Exchange server to be efficiently

accessed for email. This process can be iterative when multiple backups must

be reconstructed to create a timeline of related messages.

■ Backup media have physical profiles that must be tracked and managed.

■ Backups typically do not expire uniformly.

Most likely, using backup tapes as a generic cover for regulatory compliance will

be insufficient for most organizations faced with regulatory requirements.

Discovery searches by companies with no message-retention policies in place,

who are forced to rely on backups as their historical archive, will take more time,

incur more costs, and involve greater risks.

Chapter 10

Best practices for Veritas Enterprise Vault™ legal discovery and compliance options

This chapter includes the following topics:

■ About Veritas Enterprise Vault legal discovery and compliance options

■ Best practices for installing and configuring Enterprise Vault Discovery

Accelerator

■ Best practices for installing and configuring Enterprise Vault Compliance

Accelerator

■ Best practices for customizing Enterprise Vault Discovery Accelerator

■ Best practices for customizing Enterprise Vault Compliance Accelerator

■ Best practices for upgrading Enterprise Vault Compliance Accelerator

■ Best practices for Enterprise Vault Compliance Accelerator backup and recovery

About Veritas Enterprise Vault legal discovery and compliance options

Veritas Enterprise Vault provides full email and other information retrieval and

content search capabilities based on the indexes that are maintained by Enterprise

Vault. For those organizations that desire or require advanced information search

and retrieval capabilities, Symantec offers the Enterprise Vault Discovery

Accelerator and Enterprise Vault Compliance Accelerator options. These options

work in association with email journaling to provide users with complete and

accelerated information search and retrieval capabilities.

About Enterprise Vault Discovery Accelerator

Veritas Enterprise Vault™ Discovery Accelerator is a case management system

designed to facilitate and audit internal work flows for legal teams running

searches and marking records.

Veritas Enterprise Vault Discovery Accelerator’s robust search and export tool

allows an assigned administrator or reviewer to conduct online searches of their

existing archived data in response to an external legal request or an internal

company inquiry. Enterprise Vault Discovery Accelerator can search user mailbox

archives, journal mailbox archives, file system archives, Microsoft SharePoint®

archives and public folder archives. If an item of interest is found during the

search, administrators can permanently attach comments or marks to the item,

for example, ranking it by relevance to the search request, and then export the

items or reports as PST or XML files for later use in pending or threatened

litigation.

Veritas Enterprise Vault Discovery Accelerator does not alter the original contents

of the email or document, but appends additional information to the data, in order

to preserve the integrity of the items returned by the search. Once a reviewer tags

an item with comments, the comments cannot be removed, which maintains

an auditable trail. Enterprise Vault Discovery Accelerator is ideal for

ad hoc searches. Most searches that are performed for discovery purposes are

created on an as-needed basis. Enterprise Vault Discovery Accelerator can produce

information in formats that are suitable for presentation in a formal, legal context.

About Enterprise Vault Compliance Accelerator

Veritas Enterprise Vault™ Compliance Accelerator enables organizations to

implement corporate strategies for regulatory compliance.

Enterprise Vault Compliance Accelerator allows administrators to create searches

that align with an organization’s compliance strategy, such as collecting a

percentage of all generated email and monitoring for inappropriate language or

conduct. After formal retention policies are established, compliance requirements

can be accurately fulfilled using Enterprise Vault Compliance Accelerator.

Enterprise Vault Compliance Accelerator can be configured to search archives

for defined words and phrases, to search by date ranges and message size, type

of email, or the direction (inbound or outbound) of the email. Administrators can

also search for the email author, domain name, recipient, and attachments. Finally,

administrators can search using any ad hoc search criteria they choose.

Comparison matrix

Table 10-1 lists the features and functionality supported by Enterprise Vault

Compliance Accelerator and Enterprise Vault Discovery Accelerator.

Table 10-1 Matrix comparing Compliance Accelerator and Discovery Accelerator

| Functionality | Compliance Accelerator | Discovery Accelerator |
|---|---|---|
| Web-based interface | Yes | Yes |
| Store data within SQL Database | Yes | Yes |
| Search Enterprise Vault index | Yes | Yes |
| Create scheduled searches | Yes | No |
| Perform ad hoc searches | Yes | Yes |
| Employee and group synchronization from Active Directory | Yes | No |
| Search by file extension (.exe, .mp3, .htm) | Yes | No |
| Search by number of attachments | Yes | No |
| Search by size of attachment | Yes | No |
| Search by minimum number of items discovered | Yes | No |
| Search by date range | Yes | Yes |
| Search by absolute limit (set upper limit on number of items to discover) | Yes | No |
| Search by message size | Yes | No |
| Search by message type (IM, Bloomberg®) | Yes | Can be configured |
| Search by retention category | Yes | No |
| Search using existing templates | Yes | Yes |
| Search by external domain | Yes | No |
| Search by message direction (recipient or sender; incoming or outgoing) | Yes | Can be configured |
| Search and monitor emails between business units | Yes | No |
| Application searches | Yes | No |
| Key word and hot word searches | Yes | Yes |
| Assign Bates numbers for legal inquiries | No | Yes |
| Comply with legal discovery requests | Yes | Yes |
| Random sampling of user data (by percentage) | Yes | No |
| Department index tagging | Yes (requires Journaling Connector) | No |
| Reporting | Yes | No |
| Report and view assignments (marked, status, reviewer) | No | Yes |
| Assign reviewer and supervisor levels and permissions | Yes | Yes |
| Customize review marking (comments) | Yes | Yes |
| Automatically accept search results | Yes | Yes |
| Audit history and workflow of searched and discovered items | Yes | Yes |
| Export search results to PST file | Yes | Yes |
| Export data to PST file | Yes | Yes |
| Export configuration data to XML file | Yes | No |
| Export search results to MSG file | Yes | Yes |
| Export search results to HTML file | Yes | Yes |
| Import configuration data | Yes | Yes |
| Create exception employees (special grouping and searching restrictions or monitoring, such as executive or sensitive team data) | Yes | No |
| Designed for use with human resources departments (internal policy and procedure tracking and enforcement) | Yes | No |
| Designed for use with legal departments and workflow audits of legal cases (reduces cost of scrubbing and reviewing data) | No | Yes |
| Designed to assist with regulatory control | Yes | No |
| Designed to assist with monitoring and surveillance | Yes | No |
| Facilitates compliance with government (federal, state, and local) regulations | Yes | No |
| Facilitates compliance with financial regulations (NASD and SEC) | Yes | No |
| Facilitates health care compliance (HIPAA; privacy regulations and public records requests) | Yes | No |
| Designed to assist energy companies comply with government policies (scandal discovery and regulations) | Yes | Yes |
| Designed to support academic research | Yes | Yes |
| Facilitates compliance with Sarbanes-Oxley Act (internal controls and reporting) | Yes | No |
| Designed to assist Microsoft Exchange administrators with data discovery | Yes | No |

Best practices for installing and configuring Enterprise Vault Discovery Accelerator

It is recommended that the Enterprise Vault Discovery Accelerator software be

installed and configured to run on a server that is not an Enterprise Vault server.

While Enterprise Vault Discovery Accelerator can be installed and run on an

Enterprise Vault server, this may significantly degrade performance and so it is

not recommended.

Nonetheless, Enterprise Vault software must be installed on the Enterprise Vault

Discovery Accelerator server, but the Enterprise Vault software can be installed

without completing all of the configuration steps. In this type of configuration,

Symantec™ recommends setting the Enterprise Vault Admin Service Startup Type

to Disabled.

Enterprise Vault Discovery Accelerator must be configured and installed using

the Vault Service account. The computer on which Enterprise Vault Discovery

Accelerator is installed and runs must be in the same domain as the Enterprise

Vault Server, or in a trusted domain. The computer on which Enterprise Vault

Discovery Accelerator is installed and runs must have the exact same operating

system release and patches, and the exact same Enterprise Vault release, as the

computers running the Enterprise Vault services.

Prepare to install Enterprise Vault Discovery Accelerator

Make sure that the following prerequisites are met before installing Enterprise

Vault Discovery Accelerator:

■ The Vault Stores to be searched must have Indexing set to Full.

■ Enterprise Vault 6.0 is used with Enterprise Vault Discovery Accelerator 5.0

SP3 or later. Enterprise Vault supports only Enterprise Vault Discovery

Accelerator 5.0 SP3 or later.

■ Microsoft Internet Explorer 6.0 or later is installed, as well as the Internet

Explorer WebControls from the Redistributable folder in the install kit.

Symantec recommends disabling pop-up blockers. Pop-up blockers may disrupt

the dialog boxes that appear when reviewing messages with Enterprise Vault

Compliance Accelerator.

■ Microsoft .NET Framework v1.1 with Service Pack 1 is installed. The Microsoft

.NET Framework can be found in the Redistributables folder of the Enterprise

Vault Discovery Accelerator install kit. Microsoft .NET SP1 should be installed

to address known memory leaks and security issues.

■ Automatic updates of Microsoft .NET should be disabled. All updates should

be reviewed before installing.

Any Microsoft .NET patches should be installed one at a time in a test

environment before installing in a production environment.

■ Microsoft Internet Information Services (IIS) is installed to the Enterprise

Vault Discovery Accelerator system and the IIS worker process has write access

to the Enterprise Vault Discovery Accelerator installation folder.

■ Microsoft Active Server Pages (ASPs) are installed and the Web Service

Extension option is set to allow Active Server Pages scripts to run.

■ The Vault Service account in which the IIS worker process is running has Full

Control access to the Windows® Temp folder and Allow inheritable permissions

from parent to propagate to this object enabled.

■ The Authenticated Users group has Full Control access to the Windows Temp

and TMP folder and Allow inheritable permissions from parent to propagate

to this object enabled. If the ASP.NET service logs on under a different account

than Authenticated Users, the different account should be given Full Access

rights as well.

■ The Enterprise Vault Discovery Accelerator database requires 600 MB minimum

of free space on the SQL Server computer.

■ The Microsoft MIME type, JScript® (JSE), is enabled in the IIS properties.

■ The Default Web Site in IIS Manager can be browsed to and opened from

Computer Management and IIS Manager.

If the Under Construction page cannot be opened, IIS is not configured properly

and the Enterprise Vault Discovery Accelerator Web application will not

function. For IIS troubleshooting information, see the following URL:

http://www.microsoft.com/WindowsServer2003/IIS/default.mspx

■ If Enterprise Vault Discovery Accelerator is on a different server than

Enterprise Vault, the correct version of MAPISVC.INF is installed on the

Enterprise Vault Discovery Accelerator server. To verify the version, open

Help in the Enterprise Vault Administrator Console and search on

MAPISVC.INF.

■ The Enterprise Vault Discovery Accelerator server has a minimum of 2 GB of

memory. If the Enterprise Vault Discovery Accelerator computer is not a

standalone computer, it must have a minimum of 4 GB, with at least 2 GB

allocated for Enterprise Vault Discovery Accelerator use.

Note: Running Enterprise Vault Compliance Accelerator and Enterprise Vault

Discovery Accelerator on the same computer is not supported. Only Enterprise

Vault Discovery Accelerator 5.0 SP3 or later is supported with Enterprise Vault

6.0.

See the Enterprise Vault Discovery Accelerator Installing and Configuring guide

for more information.

SQL Server requirements for Enterprise Vault Discovery Accelerator

Because of the amount of resources that searching requires, the Enterprise Vault

Discovery Accelerator database should be installed on a standalone computer.

Enterprise Vault Discovery Accelerator SQL Server database requires 600 MB

minimum of disk space to be created.

For other requirements:

See “SQL Server requirements for Enterprise Vault Compliance Accelerator”

on page 241.

Installing Enterprise Vault Discovery Accelerator

Enterprise Vault must be installed before installing Enterprise Vault Discovery

Accelerator. Before installing Enterprise Vault Discovery Accelerator, ensure that

all prerequisites to install Enterprise Vault Discovery Accelerator have been met.

To install Enterprise Vault Discovery Accelerator

1 Start the Enterprise Vault Administrator Console, and then point to the

Enterprise Vault server to be used by Enterprise Vault Discovery Accelerator.

2 Launch the Enterprise Vault Discovery Accelerator installation wizard, and

when prompted for the Enterprise Vault Discovery Accelerator Service login,

provide the Domain\UserName for the Vault Service account.

3 After the installation is complete, copy the Enterprise Vault Discovery

Accelerator license key to C:\Program Files\KVS\Discovery Accelerator.

An Enterprise Vault license key is not required for Enterprise Vault Discovery

Accelerator to run.

4 Verify that the IIS Admin Service and WWW Publishing Service are started.

5 After installation completes, wait approximately 10 seconds before starting

the Enterprise Vault Discovery Accelerator Service to ensure that the services

are registered.

Note: Installations of Enterprise Vault Discovery Accelerator and Enterprise Vault

Compliance Accelerator are not supported on the same computer.

Configuring Enterprise Vault Discovery Accelerator

The Vault Service account must be used to configure Enterprise Vault Discovery

Accelerator to manage the Enterprise Vault server. Configuring Enterprise Vault

Discovery Accelerator includes the following tasks:

■ Launching the Enterprise Vault Discovery Accelerator Web application

■ Completing the configuration

To launch the Enterprise Vault Discovery Accelerator Web application

1 Launch the Web browser and browse to the Enterprise Vault Discovery Accelerator home page, http://<Discovery Accelerator server name>/EVDiscovery/.

To eliminate the need to authenticate every time a connection is made, use

the localhost connection method (http://localhost/EVDiscovery/) instead of

using the Enterprise Vault Discovery Accelerator server name.

2 When prompted for login information, provide the Vault Service account

information that was used during the installation process.

3 Click the Configure link to begin the configuration process.

To complete the configuration

1 Provide a valid SQL Server computer name and the Instance name, if

applicable (ServerName\InstanceName).

2 If desired, specify a new name for the database. The default name for the

database to be created is EVAccelerator.

Specify a unique database name if Enterprise Vault Compliance Accelerator

is also installed, if a previous version of Enterprise Vault Discovery Accelerator

is installed, or if there are multiple installations of Enterprise Vault Discovery

Accelerator on different computers.

3 Point to an existing volume on the SQL Server computer where the MDF

database files will be hosted.

A local or mapped drive can be used, but not a UNC path. Whatever volume

is used should reside on the SQL Server computer, and not on the Enterprise

Vault Discovery Accelerator computer.

4 Point to an existing volume on the SQL Server computer where the LDF

database files will be hosted.

A local or mapped drive can be used, but not a UNC path. Whatever volume

is used should reside on the SQL computer, not the Enterprise Vault Discovery

Accelerator computer.

5 Verify or provide the DNS alias or server name of the Enterprise Vault

Directory Service computer.

6 After configuration is complete, when prompted to restart the Enterprise

Vault Discovery Accelerator Service, wait approximately 10 seconds before

starting the Enterprise Vault Discovery Accelerator Service to ensure that

all services are registered.

Note: To install the database files to a hidden share, the databases must first be

installed to a non-hidden share. The Enterprise Vault Discovery Accelerator

installer does not allow a database to be created in a hidden share (for example

D:\SQL$). However, Enterprise Vault Discovery Accelerator does function correctly

when using hidden shares. Use SQL Server to move the databases to a hidden

share after they are created.

Enterprise Vault Discovery Accelerator browser interface recommendations

Symantec recommends the following practices when using the Enterprise Vault

Discovery Accelerator browser interface:

■ Use the links provided in the application to navigate from page to page instead

of using the Internet Explorer browser toolbar Back button, or the Backspace

or other shortcut keys. The bottom of each Enterprise Vault Discovery

Accelerator page displays a Close button to close the page and return to the

previous page.

■ To refresh the current Enterprise Vault Discovery Accelerator page, right-click

the page, and then select Refresh from the context menu. Clicking Refresh in

the browser toolbar opens the Enterprise Vault Discovery Accelerator home

page.

■ Run the browser in full screen mode by using the function key F11 to toggle

between views.

Best practices for installing and configuring Enterprise Vault Compliance Accelerator

Enterprise Vault Compliance Accelerator and SQL Server should not be installed

on the same computer as the Enterprise Vault system, except perhaps during

evaluation or pilot deployments. Because of the additional demands placed on

system resources, the ability to conduct quick searches and archiving is reduced

when these components are all co-located on a single computer. Installing

Enterprise Vault Compliance Accelerator on a separate computer reduces the

impact of intensive searching on the Enterprise Vault system.

Also, running Enterprise Vault Compliance Accelerator and Enterprise Vault

Discovery Accelerator on the same computer is not supported.

The Enterprise Vault software must be installed on the server where the

Compliance Accelerator software will be run to allow access to the messages in

the Enterprise Vault archives. However, it is not necessary to configure the

Enterprise Vault management services to run on the computer running Enterprise

Vault Compliance Accelerator, so you can set the Enterprise Vault Admin Service

Startup Type on this computer to Disabled.

Enterprise Vault Compliance Accelerator must be installed and configured using

the Vault Service account. The computer used for installation must be in the same

domain as the Enterprise Vault server, or in a trusted domain. The same release

of Enterprise Vault software as is used on the Enterprise Vault server(s) must also

be installed on the Enterprise Vault Compliance Accelerator computer.

Instead of using Enterprise Vault Compliance Accelerator to search the Vault

Stores containing archived email messages from users, Symantec recommends

that administrators create a new Vault Store for all the journaled email, and

configure Compliance Accelerator to depend upon the data in that Vault Store.

This new Vault Store can then be searched with Enterprise Vault Compliance

Accelerator.

Prepare to install Enterprise Vault Compliance Accelerator

Make sure that the following prerequisites are met before installing Enterprise

Vault Compliance Accelerator:

■ Microsoft Internet Explorer 6.0 or later is installed, as well as the Internet

Explorer WebControls. These can be downloaded from the website links

provided in the installation documentation.

■ Microsoft Active Server Pages (ASPs) are installed and the Web Service

Extension option is set to allow Active Server Pages scripts to run.

■ Microsoft IIS is installed on the Enterprise Vault Compliance Accelerator

computer, and the IIS Worker Process has write access to the Enterprise Vault

Compliance Accelerator installation folder.

■ Symantec recommends disabling pop-up blockers. Pop-up blockers may disrupt

the dialog boxes that appear when reviewing messages with Compliance

Accelerator.

■ The Enterprise Vault Compliance Accelerator database requires 600 MB

minimum of disk space on the SQL Server computer.

■ Microsoft .NET Framework version 1.1 with Service Pack 1 (SP1) is installed.

In addition, Microsoft .NET SP1 should be installed to address known memory

leaks and security issues. These can be downloaded from the website links

provided in the installation documentation.

■ Automatic updates of Microsoft .NET should be disabled. All updates should

be reviewed before installing.

Any Microsoft .NET patches should be installed one at a time in a test

environment before installing in a production environment.

■ A PDF reader or spreadsheet viewer is installed for printing and viewing

Enterprise Vault Compliance Accelerator reports.

The Microsoft Excel® Viewer can be downloaded from Microsoft.

■ The Microsoft MIME type, JScript (JSE), is enabled in the IIS properties.

■ The Authenticated Users group has Full Control access to the Windows Temp

and TMP folder and Allow inheritable permissions from parent to propagate

to this object enabled. If the ASP.NET service logs on under a different account

than Authenticated Users, the different account should be given Full Access

rights as well.

■ If Enterprise Vault Compliance Accelerator is on a different server than

Enterprise Vault, the correct version of MAPISVC.INF is installed on the

Enterprise Vault Compliance Accelerator server. To verify the version, open

Help in the Enterprise Vault Administrator Console and search on

MAPISVC.INF.

■ An Enterprise Vault Compliance Accelerator license key is obtained for any

computer on which the Enterprise Vault Compliance Accelerator Service is to

run. The service cannot start until the license key is installed.

■ The Enterprise Vault Compliance Accelerator server has at least 2 GB of

memory. If the Enterprise Vault Compliance Accelerator computer is not a

standalone, it must have a 4 GB minimum of memory, with at least 2 GB

allocated for Enterprise Vault Compliance Accelerator usage.
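
The server-side prerequisites that the Discovery Accelerator and Compliance Accelerator lists have in common can be checked before running either installer. The following read-only script is an added example, not Symantec's code; it assumes Windows PowerShell 2.0 or later on an English-language server, and the service display name parameter and the reading of "TMP folder" as the TMP environment variable are assumptions.

```powershell
# Added example: read-only pre-flight check for an Accelerator server.
# Assumptions (not from the guide): Windows PowerShell 2.0 or later on an
# English-language server; the display name below matches the installed
# service; "TMP folder" is read as the path in the TMP environment variable.
param(
    [string]$EvAdminServiceDisplayName = 'Enterprise Vault Admin Service',
    [int]$MinMemoryGB = 2   # use 4 if the server is not standalone
)

$results = @()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Check; Passed = $Passed; Detail = $Detail
    }
}

# Physical memory. WMI reports slightly less than the installed amount,
# so round to one decimal place before comparing.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Result 'Physical memory' ($memGB -ge $MinMemoryGB) "$memGB GB installed, $MinMemoryGB GB required"

# IIS Admin Service and WWW Publishing Service must be started.
foreach ($name in 'IISADMIN', 'W3SVC') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { [string]$svc.Status } else { 'not installed' }
    Add-Result "Service $name" ($state -eq 'Running') "Status: $state"
}

# Enterprise Vault must be installed, with the Admin Service set to Disabled
# when its management services are not configured to run on this server.
$ev = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$EvAdminServiceDisplayName'"
$mode = if ($ev) { $ev.StartMode } else { 'service not found' }
Add-Result 'EV Admin Service startup type' ($mode -eq 'Disabled') "StartMode: $mode"

# .NET Framework 1.1 with Service Pack 1 (setup registry key for v1.1.4322).
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322'
$ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
$ndpOk = ($ndp -ne $null) -and ($ndp.Install -eq 1) -and ($ndp.SP -ge 1)
$ndpDetail = if ($ndp) { "Install=$($ndp.Install), SP=$($ndp.SP)" } else { 'key not found' }
Add-Result '.NET Framework 1.1 SP1' $ndpOk $ndpDetail

# Temp folders: Authenticated Users needs Full Control, and inheritance from
# the parent must be enabled (the ACL must not be protected).
$authUsers = 'NT AUTHORITY\Authenticated Users'
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$tempPaths = @((Join-Path $env:windir 'Temp'), $env:TMP) | Sort-Object -Unique
foreach ($path in $tempPaths) {
    $acl = Get-Acl -Path $path
    $grant = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $authUsers } |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { ([int]$_.FileSystemRights -band $full) -eq $full })
    Add-Result "Full Control for Authenticated Users on $path" ($grant.Count -gt 0) "matching ACEs: $($grant.Count)"
    Add-Result "Inheritance enabled on $path" (-not $acl.AreAccessRulesProtected) "AreAccessRulesProtected=$($acl.AreAccessRulesProtected)"
}

# Print the report and signal failure to a calling script or scheduler.
$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) { exit 1 }
```

The script covers only the Accelerator server itself; the SQL Server requirements (disk space, SQL login, SQLAgent) have to be verified on the SQL Server computer.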

Requirements for the optional Journaling Connector

Installing the optional Journaling Connector allows organizations to increase

performance and search capabilities. The Journaling Connector lets administrators

randomly sample a department’s or individual’s messages.

By default, the Journaling Connector does not add report type messages (such as

delivery receipts, read receipts, out of office auto replies, auto replies from

Microsoft Outlook® rules, or quota warnings) to the review set.

Before installing the Journaling Connector, note the following requirements:

■ The Journaling Connector component must be installed on all servers running

the Enterprise Vault Journaling Task (formerly the Enterprise Vault Journaling

Service).

■ The Journaling Connector component can be installed using the Custom Install

option for Enterprise Vault Compliance Accelerator.

■ Install Microsoft .NET Framework v1.1 on any computer on which the

Journaling Connector is to run.

■ Set indexing to Full on the Enterprise Vault archives.

Note: Computers with only the Journaling Connector component do not need an

Enterprise Vault Compliance Accelerator license key installed.

SQL Server requirements for Enterprise Vault Compliance Accelerator

Symantec strongly recommends that the Enterprise Vault Compliance Accelerator

database reside on a standalone computer. This is because of the amount of

resources used during searches.

The SQL Server database that Enterprise Vault Compliance Accelerator uses

requires 600 MB of disk space (minimum) to be created.

Other requirements for the SQL database are as follows:

■ Enterprise Vault Compliance Accelerator is supported for use with SQL Server

2000 SP3a and SP4. It is expected to support the use of SQL Server 2005 in

2006.

■ The SQL Server should have at least 2 GB of memory. If the Enterprise Vault

Compliance Accelerator computer is not standalone, it must have a minimum

of 4 GB of memory, with at least 2 GB allocated for Enterprise Vault Compliance

Accelerator.

■ The Vault Service account must be a System Administrator on the SQL server.

In addition, the SQLAgent service must be running. If the Enterprise Vault

Compliance Accelerator database is created on a different computer than the

Enterprise Vault databases, the administrator must create a SQL login for the

Enterprise Vault Service account that is identical to the one used on the

Enterprise Vault database server.

■ The volume that will be used for the Enterprise Vault Compliance Accelerator

database must be created before Enterprise Vault Compliance Accelerator is

installed. When prompted to select the volume in which to create the database,

point to the SQL computer volume, not to the Enterprise Vault Compliance

Accelerator volume.

Install Enterprise Vault Compliance Accelerator

Verify that all requirements to install have been met. Enterprise Vault must be

installed before installing Enterprise Vault Compliance Accelerator.

To install Enterprise Vault Compliance Accelerator

1 To verify the correct functioning of Enterprise Vault, start the Administrator

Console and then point to the Enterprise Vault server to be used for Enterprise

Vault Compliance Accelerator.

2 Log on to the Vault Service account and run the Enterprise Vault Compliance

Accelerator\Setup.exe installer.

Follow the prompts in the installation wizard.

3 When the setup program prompts you for details of the account under which

to run the Enterprise Vault Accelerator Manager Service, enter the name of

the Vault Service account with which you manage your Enterprise Vault

server in the form domain\username. The setup program may also prompt

you for the name of the SQL Server computer that hosts the database for the

Enterprise Vault Directory.

4 When prompted to select an installation option, do one of the following:

■ To install the basic Compliance Accelerator components but not the

Journaling Connector, select the Typical option.

■ To pick the components that you want to install, select the Custom option.

For example, select this option to install both the basic Compliance

Accelerator components and the Journaling Connector on the same

computer, or to install the Journaling Connector only. (The Journaling

Service must be installed for the Journaling Connector option to appear.)

5 Click Next, and then follow the on-screen instructions.

6 When the installation completes, verify that the correct license is in the KVS

directory, and then start the Enterprise Vault Compliance Accelerator Service.

See “Upgrading Enterprise Vault Compliance Accelerator” on page 258.

Configuring Enterprise Vault Compliance Accelerator

In a Web application, the Vault Service account must be used to configure

Enterprise Vault Compliance Accelerator to set up and manage the Enterprise

Vault server. Configuring Enterprise Vault Compliance Accelerator consists of

the following tasks:

■ Before launching the Enterprise Vault Compliance Accelerator Web Application

in a browser, add server names and paths to the Trusted Sites in the browser,

or ensure that the Compliance Accelerator server is in the same domain as the

Enterprise Vault server.

■ Configure Enterprise Vault Compliance Accelerator


To add server names and paths to Trusted Sites

◆ Add the following server name and application paths to the browser’s Trusted

Sites:

■ http://LocalHost/EVBACompliance

■ http://<computer name>/EVBACompliance

To configure Enterprise Vault Compliance Accelerator

1 In a supported Web browser, type one of the following URLs:

http://LocalHost/EVBACompliance

or, if you are not logged on to the Compliance Accelerator server, type

http://<YourComplianceAcceleratorIISServerName>/EVBACompliance.

When a prompt appears for login information, provide the Vault Service

account information that was used during the installation.

2 Click the Configure link to begin the configuration process.

3 Type the following to provide configuration database information:

■ Server Name

Provide a valid SQL server name (ServerName\InstanceName).

■ Database Name

The default name for the Configuration database is

EVConfiguration. If Compliance Accelerator 6.0 has been previously

installed, a database called EVConfiguration may already exist. In this

case, you must give the new Compliance Accelerator configuration

database a different name, or select Use Existing Database, if applicable.

■ Data file folder

Point to an existing volume on the SQL Server computer to host the MDF

database files.

■ Log file folder

Point to an existing volume on the SQL Server computer to host the LDF

database files.

■ Verify or provide the DNS alias or server name of the Enterprise Vault

Directory Service computer.

4 Type the following to provide customer database and Enterprise Vault

information:

■ Name

Specifies a unique name for the customer.


■ VaultID

Identifies the journal vault that the customer uses. Leave blank to use all

Enterprise Vault Site Journal Vaults, or obtain the ID by looking at the

property page for the journal vault in the Vault Administration Console.

■ Directory DNS alias

Specifies the DNS alias or server name of the Enterprise Vault Directory

Service computer.

■ Administrator User or Group

Specifies the Windows group or user account that has administration

permissions in the customer site.

■ Enable Customer tasks

When selected, enables users to perform activities in the Compliance

Accelerator Web interface. If you clear this check box, only automatic

tasks like scheduled searches are permissible.

■ IIS

This section enables you to specify details of the IIS server that is to host

the Compliance Accelerator site.

■ Virtual Directory

Specifies the unique name of the IIS virtual directory for this customer.

(A virtual directory is a directory that is not contained in the home

directory but appears to client browsers as though it were.) The name

must not include any of the following characters:

\ : * ? " < > |

■ IIS Server

Identifies the IIS server that is to host the Compliance Accelerator site.

■ Manage Virtual Directory

When selected, enables you to administer the virtual directory using the

Compliance Accelerator Web interface.

■ Database Details

This section enables you to specify details of the SQL Server database in

which to store Compliance Accelerator customer data.

■ SQL Server

Identifies the SQL Server on which the Compliance Accelerator database

is stored.

■ Database

Specifies the name of the Compliance Accelerator database.

■ Use Existing Database


When selected, instructs Compliance Accelerator to use the specified

existing database instead of creating a new one. If you choose this option,

the remaining fields in the page are unavailable.

■ Data file folder

Specifies a location for the database file. This should be a valid, existing

path on the SQL Server computer. It can be a local or network share path.

■ Log file folder

Specifies a location for the database log files. This should be a valid,

existing path on the SQL Server computer. It can be a local or network

share path.

■ Initial Database Size

Sets the initial size in megabytes of the Compliance Accelerator database

file. In the Growth % field at the right, you can specify, as a percentage

of the file size, the amount of space that is automatically added to the file

each time more is needed.

■ Initial Log Size

Sets the initial size in megabytes of the database log files. In the Growth

% field at the right, you can specify, as a percentage of the file size, the

amount of space that is automatically added to a file each time more is

needed.

■ Windows Authentication

Specifies whether to use a Microsoft Windows user account to connect to

the Compliance Accelerator database. If you clear this check box, then

you must set the SQL login name and password to use for the database

connection.

■ Connection Time Out

Specifies the amount of time in seconds to wait for connections to the

Compliance Accelerator database to complete before terminating the

attempt and generating an error.

■ Connection Life Time

Specifies the time in seconds that a connection to the Compliance

Accelerator database is considered valid. When the time has elapsed, the

connection is disposed of.

When a connection is returned to the pool, its creation time is compared

with the current time, and the connection is destroyed if that time span

exceeds the value specified by Connection Life Time. This is useful in

clustered configurations to force load balancing between a running server

and a server just brought online. A value of 0 causes pooled connections

to have the maximum connection timeout.


■ Max Pool Size

Specifies the maximum number of database connections that can be

simultaneously opened to the Compliance Accelerator database.

■ DSN

Specifies the full connection string, or Data Source Name (DSN), to use

when connecting to the Compliance Accelerator database.

5 After the configuration process has completed, restart the Enterprise Vault

Compliance Accelerator Manager Service when prompted and wait

approximately 10 seconds to ensure that all services have registered.

Note: To install the database files to a hidden share, the databases must first be

installed in a non-hidden share. The Enterprise Vault Compliance Accelerator

installer does not allow a database to be created in a hidden share (for example

D:\SQL$). However, Enterprise Vault Compliance Accelerator does function

correctly when using hidden shares. Use SQL Server to move the databases to a

hidden share after creation.

Enterprise Vault Compliance Accelerator browser interface recommendations

When using the Enterprise Vault Compliance Accelerator browser interface, follow

these practices:

■ Use the links provided in the application to navigate from page to page instead

of using the Internet Explorer browser toolbar Back button, or the Backspace

or other shortcut keys. The bottom of each Enterprise Vault Compliance

Accelerator page contains a Close button for closing the page and returning

to the previous page.

■ To refresh the current Enterprise Vault Compliance Accelerator page,

right-click the page and then select Refresh from the context menu. You can

use the browser Refresh button or the application logo to open the Enterprise

Vault Compliance Accelerator home page.

■ Run the browser in full-screen mode. You can press the function key F11 to

toggle between the views.

■ A red exclamation mark on an Enterprise Vault Compliance Accelerator page

indicates an error or warning. To view the message, hold the cursor over the

exclamation mark.

■ If a pop-up blocker application is running, an Internet Explorer pop-up icon

may appear in the browser footer. Modify the settings, if necessary.


■ If a question mark appears over the Department name, note that the

administrator has not assigned a Department Reviewer.

If upgrading from Enterprise Vault 5.x, Department Reviewer is a new

functionality and the administrator must add the role to the Departments task

after it has been created under the Roles tasks.

■ Use the tasks under the Application Administration column to add employees,

create departments and roles, and set up schedules for searches. Note that

Application Administration tasks are applied system-wide, and are not

restricted to a specific department.

■ Use the tasks in the Department Administration column to create a department

or department group, grant users access to a specific department group, assign

employees to be monitored, and select the monitoring policy with which

monitored employees must comply.

Best practices for customizing Enterprise Vault Discovery Accelerator

After Enterprise Vault Discovery Accelerator is installed and configured,

administrators can customize the Vault Store for their particular environments

by doing the following:

■ Creating roles, cases, and targets.

■ Creating site-specific marks (comments) to search archived data.

Users see only the departments, features and tasks for which they have

permissions, as defined by the Roles options. The user’s view can be changed by

assigning either a different role to the user or by changing the permissions

included in a role.

Administrative users perform the following functions:

■ Application administrators

Application administrators create roles, set up targets to be searched, and

establish the marks to be added as comments for each case. To perform

case-specific tasks, users with application roles need to be given a case role

for each case they need to access.

■ Case administrators

Case administrators have the ability to perform case-specific tasks in the Case

Administration and Review Messages columns on the home page.

It is recommended that at least one power user should exist to perform

troubleshooting. This user should have access to all the functions in Case


Administration and Application Administration. Symantec recommends that the

Vault Service account hold both permissions.

Creating roles, cases, and targets

The following tasks should be performed by users with the appropriate

administrative privileges:

■ Assign a role

After the Discovery database is created, the program returns to the Enterprise

Vault Discovery Accelerator home page. Application administrators can access

the Application Administration options page to create roles and cases. Roles

and cases must be created before searches can be performed.

■ Create or edit Scheme Templates

The Case administrator can create or edit existing Scheme Templates. Scheme

Templates provide a set of marks, or comments, that reviewers can apply to

any item discovered in a case. The templates are available to all cases. If a new

Scheme Template is created, the reviewer marks can be customized for a

particular organization, industry, or level of reviewer. Custom Scheme

Templates allow organizations to limit certain comments to certain reviewers,

based on level of authority. For example, a higher level of review comments

would be given to a member of the internal legal counsel team than to the

paralegal team.

To add any new mark to a customized template, the Application administrator

must create the marks using the Marks task option.

■ Select a Vault Store

Enterprise Vault Discovery Accelerator automatically synchronizes with the

Enterprise Vault server and displays all available Vault Stores that are on the

Enterprise Vault server. After a Vault Store is selected, the administrator can

enable the user mailbox to be searched.

Only Case administrators can override the existing Vault Stores used for a

specific search.

■ Create a target

Before beginning a search, administrators can establish which mailbox is the

target of the search, and designate targets or specific users for cases that will

be searched. Case Managers can create specific Target Groups by using the

Address Manager. Make sure to enter all the email addresses for a given user

to search, and separate each address with a carriage return.

A new Target Group can include all users from one or more departments, or

only specific users. For example, to create a Target Group that holds the entire

sales and marketing team, an administrator would first ensure that all sales

and marketing users are created as individual targets. Next, the administrator


would create a Target Group, and then add the mailboxes for the sales and

marketing team to the new Target Group.

After the targets are established, they are displayed under the Case

Administration column, but only if the login account being used has

permissions to view cases.

For more information about how to bulk-load, or import data into Enterprise

Vault Discovery Accelerator, see the Enterprise Vault Discovery Accelerator

Installing and Configuring guide.

■ Create a case

A case is an organized search of large volumes of email in a selected Vault

Store. Multiple cases can be created by a Case administrator for a given piece

of mail with different markups and comments. Each case is maintained within

the specific case history. Once a case is created, it can be closed, but not deleted.

This allows an audit trail to be maintained. Only one case owner can be

assigned, but the case owner can be a group that has multiple users.

An existing Bates number can be assigned to the case by using the Size Export

ID field for tracking and search purposes. The output results can be stored to

a network share using \\my_computer\case. Alternatively, the results can be

stored to a local drive.

■ Use target shortcuts when creating a case

When creating a new case, if the name of the target or Target Group to be

searched is known then the administrator can type the shortcut (instead of

browsing the list), following these guidelines:

■ For targets, use the format T:<TargetName>.

■ For target groups, use the format TG:<TargetGroupName>.

■ For example, to search through all mail for a group called Executives, type

TG:Executives.

■ To enter multiple targets, separate each line with a carriage return.

■ If desired, enter only part of an address or display name, for example, User1.

A wildcard can be used to denote part of the search term, for example, Use*.

Note that three characters must precede the wildcard character.

■ If a target in the address book is referenced, the display name must be

preceded by T:. Do not include wildcard characters in an address book

reference.

■ Add user roles


After a case is created, a Case administrator can add a user from the Case

Administration column to define users and roles. After the user is added to

the case, the administrator can apply specific marks for the user to the case.

Creating searches

The following tasks relate to searches:

■ Create a search

Enterprise Vault archives copies of inbound and outbound messages and

documents so that all copies can be searched. To create a search, from the Case

Administrator column, select any case created earlier, then select Options >

Searches.

New searches can be created that contain key words or phrases, specific data

that was sent between individuals, or data sent within a date range. Completed

searches cannot be deleted or re-executed. However, once a search is saved,

it can be used as a template for subsequent searches. If a search is in progress,

it can be stopped before it is complete to change the search criteria.

Note: Do not enable Auto Accept on any search that will not be permanently

saved. When this option is disabled, the administrator will have to manually

accept or reject the search results. After the administrator chooses to accept

a search, the search is permanently stored in the Enterprise Vault Discovery

Accelerator database.

Type the keyword or phrase to be searched in the Contents field. Separate each

line by a carriage return.

When creating a search, a display name can be used for the target. For example,

in addition to the full email address name of [email protected], a shorter

version, User1, can also be queried and discovered during a search. The

following search specification rules apply:

■ Selecting Any of in the drop-down menu allows a search for messages to

or from any of the targets that are entered.

■ Selecting All of in the drop-down menu means search for messages with

all of the words or phrases in the subject line.

■ To search for messages with specific text in the subject line, enter the words

or phrases in the Subject box. Enter one word or phrase per line. The

wildcard character * can be used to denote one or more characters, but it

must be preceded by at least three characters.

■ Selecting Any of in the drop-down box means search for messages with

any of the words or phrases in the subject line.


■ Selecting All of means search for messages with all of the words or phrases

in the subject line.

■ Selecting Any of in the small drop-down box means search for items with

any of the words or phrases in the content.

■ Selecting All of means search for items with all of the words or phrases in

the content.

■ There may be additional criteria boxes if the administrator has added

custom search attributes to the system.

■ Accept or reject search

The search provides the administrator with data to review. The administrator

can then accept or reject the search. Accepting the search allows the

administrator to send it to a reviewer and permanently store it in the Enterprise

Vault Discovery Accelerator database. Rejecting the search deletes it, so that

it does not get stored in the Enterprise Vault Discovery Accelerator database.

■ Assign review marks

Once a search result returns data that is of interest, and the search is accepted,

comments called marks can be added to the searches to indicate progress. New

custom, site-specific marks can be created under the Application

Administration column. Marks can be used to inform reviewers or supervisors

that a case is unreviewed, pending review, already questioned by appropriate

legal teams, reviewed by appropriate legal teams, and so on.

■ Review and apply comments to messages

Once a search has been accepted, reviewers can access the appropriate case

from the Review Message column of Enterprise Vault Discovery Accelerator.

Once in the case, the status of the work can be seen, and items can be selected

to work on, such as current status, last marked by or Item ID. When a reviewer

adds a comment to a case or email, the comment attaches itself to the original

email, but it does not alter the email, thus preserving the integrity of the

document. All comments applied to a case are permanent.

■ Export findings

After all items for a case have been reviewed and are ready to be sent to the

appropriate parties, for example, the legal team, human resources department,

or third-party reviewer, the case administrator can create a New Run from the

Production task to format the findings in PST, MSG or HTML format. If

exporting to PST files, the file can be password-protected, and the maximum

size of the PST file specified. Exporting to a PST file can be time consuming.

However, saving the file to a directory on the local computer speeds the process.
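The entry rules given above under "Use target shortcuts when creating a case" and the Subject wildcard rule under "Create a search" can be checked before a list is pasted into the form. The following Python code is an added example, not part of the original guide or the product; the function names and sample input are constructed, and applying the no-wildcard rule to TG: entries as well as T: entries is an assumption.

```python
"""Pre-check target and Subject entries against the entry rules stated in the guide."""
import re

WILDCARD_MIN_PREFIX = 3  # at least three characters must precede '*'


def check_wildcards(term):
    """Return a list of problems with '*' usage in one term (empty list if none)."""
    problems = []
    for m in re.finditer(r"\*", term):
        # Characters of the current word that sit directly before this '*'.
        prefix = re.search(r"[^\s*]*$", term[:m.start()]).group(0)
        if len(prefix) < WILDCARD_MIN_PREFIX:
            problems.append(
                f"'*' at column {m.start() + 1} follows {len(prefix)} character(s), "
                f"need {WILDCARD_MIN_PREFIX}")
    return problems


def validate_targets(text):
    """Validate a multi-line target box; return (accepted, rejected) lists.

    accepted items are (kind, name); rejected items are (line_number, line, reason).
    Prefixes are matched exactly as the guide writes them (T: and TG:).
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines between entries are ignored
        m = re.match(r"(TG|T):(.*)$", line)
        if m:
            kind = "target group" if m.group(1) == "TG" else "target"
            name = m.group(2).strip()
            if not name:
                rejected.append((lineno, line, f"{kind} shortcut has no name"))
            elif "*" in name:
                # Stated in the guide for T: references; assumed here for TG: too.
                rejected.append((lineno, line, f"wildcard not allowed in a {kind} reference"))
            else:
                accepted.append((kind, name))
            continue
        problems = check_wildcards(line)
        if problems:
            rejected.append((lineno, line, "; ".join(problems)))
        else:
            accepted.append(("partial match", line))
    return accepted, rejected


def validate_subject_terms(text):
    """Validate a Subject box (one word or phrase per line); return {term: problems}."""
    bad = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and check_wildcards(line):
            bad[line] = check_wildcards(line)
    return bad


# Constructed sample input; entries are separated by carriage returns as the form expects.
SAMPLE_TARGET_BOX = (
    "T:Jane Example\r\nTG:Executives\r\nUse*\r\nUs*\r\n"
    "T:Jane*\r\nTG:\r\n\r\nuser1@example.com"
)
SAMPLE_SUBJECT_BOX = "quarterly forecast\r\nconf*\r\nre*"

if __name__ == "__main__":
    ok, bad = validate_targets(SAMPLE_TARGET_BOX)
    for kind, name in ok:
        print(f"OK      {kind}: {name}")
    for lineno, line, reason in bad:
        print(f"REJECT  line {lineno}: {line!r} ({reason})")
    for term, problems in validate_subject_terms(SAMPLE_SUBJECT_BOX).items():
        print(f"REJECT  subject term {term!r} ({'; '.join(problems)})")
```
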


Best practices for customizing Enterprise Vault Compliance Accelerator

After Enterprise Vault Compliance Accelerator has been installed and configured,

search configuration data can be set up. Roles and role assignments, employees

and groups, permissions and departments must be created in order to search

archived data. Users can only see the departments, features, and tasks that they

have permission to access, as defined by the Roles options. User views can be

changed by assigning a different role to the user, or changing the permissions

included in a role.

The following tasks relating to creating roles, groups, and departments should

be performed by users with the appropriate privileges:

■ Create roles

The Enterprise Vault Compliance Accelerator administrator must create and

assign roles to the users of the application. Application permissions or

department permissions can be assigned to a specific role. To perform tasks

in a specific department, employees with application roles must also be assigned

the appropriate department role in that department. To perform tasks in more

than one department, they must be assigned the role in each department that

they need to access.

For more information on adding and modifying roles, see the Enterprise Vault

Compliance Accelerator Installing and Configuring guide.

■ Create employee groups

To create employee groups, a user must be an Application administrator. To

create searchable employee groups more efficiently, the Automatically

synchronize group members option should be enabled.

Once an employee has been selected for monitoring, the employee cannot be

deleted from Enterprise Vault Compliance Accelerator. If the monitored

employee leaves the company, select Suspend all monitoring on the Employee

properties page to disable all monitoring for the employee.

The following methods can be used to synchronize group members:

■ Active Directory search (LDAP filter)

Using the Active Directory search is the most time consuming because it

can only be run against user objects. Make sure to type the LDAP path

correctly. If the synchronization process has begun, exit the Enterprise

Vault Compliance Accelerator application to stop the synchronization

search and correct any mistakes. Use the ADSI Edit tool to verify the

ADsPath of a container. Do not modify any attributes of the Active Directory

objects when viewing the ADsPath Container with the ADSI tool.


For example:

Search Filter: (&(objectCategory=person)(department=Marketing))

Search Root: LDAP://ou=users,dc=mydomain,dc=com

■ Active Directory Container (LDAP Search)

In the ADsPath field, provide the Distinguished Name of the Active

Directory container that holds the users to add to the group. All users in

the container will be added to the group. If the organization is organized

by cities and the created groups are named after cities, look for the object

with a city name, for example, Redmond.

ADsPath: LDAP://ou=users,dc=mydomain,dc=com

■ Windows Group import

This is generally the fastest way to create employee groups, provided that

the environment is configured to use groups.

Example: Group Name: MyDomain\GroupName

After an import option has been selected, click Synchronize Now.

Synchronization of the employees and groups occurs on a four-hour schedule

(see the example below), or every time the service is restarted. Both are

configurable in the ComplianceService.exe.config file. Do not reconfigure

synchronization to occur during the window used to run the synchronization.

For example, if synchronization takes more than two hours, do not reconfigure

Enterprise Vault Compliance Accelerator to sync every hour.

<add key="Synchronization interval (hours)" value="4" />

Employee Management profiles for members are created automatically if they

do not exist at the time of Employee Group creation. If an existing group

member is no longer found on a subsequent synchronization run, the employee

profile will be removed from the list of members. Also, employees can be

manually added at the Employee task option.

In the Employee profile\Email Addresses field, verify that all variations of a

user’s mailbox addresses are provided. Use carriage returns to separate each

new address.

One example is as follows: The legal department makes a request to the human

resources department, informing them that [email protected] has been

sending emails with proprietary information to a competitive company. Human

resources wants to monitor emails from User1 for a specified period by

using the Enterprise Vault Compliance Accelerator scheduled search. The

Enterprise Vault Compliance Accelerator searches are enabled to locate all

email addressees for User1 as well as any outbound emails to the

CompetitiveDomain.Com. All variations of the User1 email address should be

created as a searchable item in order to ensure discovery of violation of

company policy. For example:


[email protected]

[email protected]

[email protected]

[email protected]

■ Create departments

The administrator can search archives and monitor employees once department

groups and employee groups have been created. Department employees can

be monitored by using the Journaling Connector or by running searches that

meet specific criteria. While setting up a department, a monitoring policy can

be created for all monitored employees in a department. This is done by

enabling the policy to capture a percentage of Message Type and Review

Requirements options.

Each department must be given an owner. The owner must have a Windows

login, but does not need special Windows or Enterprise Vault Compliance

Accelerator system privileges. Symantec recommends setting the Vault Service

account as the owner of the department in case an administrator needs to

connect to the system to troubleshoot problems. The department owner has

the same permissions that the User Admin role is granted. By default, all

departments use the Vault Store selected at configuration. However, the

administrator can customize the Vault selections. If searches are returning

empty when known data exists for a user, verify that the correct department

Vault Store has been searched. If the Vault Store must be changed, enable the

Customize for this Department option, and then choose the correct Vault Store.

Change the location of the Output folder for exported items to a local computer

or a network share.

Note: If the organization has a legal requirement to monitor a certain

percentage of messages per employee, setting a limit for the Review

Requirement option of the Monitoring Policy may prevent the requirement

from being met.

■ Configure departments

After the Application administrator has created a department, the Department

administrators can configure the departments by adding specific employees

or employee groups as monitored employees. To do this, open the specific

department to be configured and click the Monitored Employees option. Add

monitored employees by name or by a configured Employee Group. Only

previously configured Employee Groups and Employees can be selected.

■ Configure searches

Searches can be scheduled and run by one or more departments. Searches can

be done at the application administration or department administration level.


If the Search option does not appear in the Department Application tasks,

verify that the owner has permission to run searches under the Roles tasks.

The sampling percentage for the configured Monitoring Policy will default to

the existing department properties. Search results that occurred in prior

searches can be captured by enabling Include Captured Messages.

■ Accept or reject search results

Leave the Automatically accept results option disabled unless all searches

should be saved automatically into Enterprise Vault Compliance Accelerator.

After a search is accepted or the search results screen is closed, Enterprise

Vault Compliance Accelerator stores the search for auditing purposes, and it

can no longer be removed. Any accepted search is stored in Enterprise Vault

Compliance Accelerator and can be used for future searches as a template.

The percentage searched of the item being searched is derived from the

Department properties page.

When auto accept is disabled, the administrator must reject a search to keep

it from being stored in the Enterprise Vault Compliance Accelerator database.

When the results of a finished search are rejected, the search is deleted.

■ Search departments

When creating department searches, the Any of value under Authors &

Recipients means that messages for any of the employees in the selected

department are searched. The All of value means that only messages that

include as recipients all the employees in the selected department are searched.

When searching by departments, increase the performance and accuracy by

using the Journal Connection option.

For more information on searching with department tags, see the Enterprise

Vault Compliance Accelerator Installing and Configuring guide.

A department in partitions can only search messages to and from other

departments if both departments reside within the same partitions.

■ Schedule searches

Use Enterprise Vault Compliance Accelerator to search Vault Stores on a set

time schedule. The SQL Agent must be enabled. Symantec recommends that

the Agent is set to automatically start.

■ Review searches

During the search process, Search Details can be expanded to see the percentage

searched, number of hits discovered for that particular searched item, and so

on. After the search is completed, the Reviewer column can be checked from

the Enterprise Vault Compliance Accelerator home page to review any

discovered data. From the review menu, administrators can modify the review

criteria, download the original message to a MSG format file, and print the

message, attachments, and comment history.

Any comments added to the search will be stored in the Enterprise Vault

Compliance Accelerator database and remain as part of the permanent vaulted

message. Enterprise Vault Compliance Accelerator comes with six default

review statuses; however, the administrator can add different marks as needed.

■ Create exception employees

There may be occasions when content from the executive team could contain

sensitive data. In this case, Enterprise Vault Compliance Accelerator can be

enabled to use exceptions when administrators are reviewing search results.

For example, using Exceptions, a Tier-1 reviewer may be limited from accessing

data generated by Executive Employee Groups or Senior Management

Departments. However, access to this sensitive data can be given to a Tier-3

reviewer who has the appropriate authority. Exception employees can be

created and managed using the Department Explorer view or Exceptions Task

links.

For more information on customizing Exceptions Task links, see the Enterprise

Vault Compliance Accelerator Installing and Configuring guide.

Configuring searches

Searches can be scheduled and run by one or more departments. Searches can be

done at the application administration or department administration level. If the

Search option does not appear in the Department Application tasks, verify that

the owner has permission to run searches under the Roles tasks. The sampling

percentage for the configured Monitoring Policy will default to the existing

department properties. Search results that occurred in prior searches can be

captured by enabling Include Captured Messages.

The following are guidelines for defining and utilizing searches:

■ Search departments

When creating department searches, the Any of value under Authors &

Recipients means that messages for any of the employees in the selected

department are searched. The All of value means that only messages that

include as recipients all the employees in the selected department are searched.

When searching by departments, increase the performance and accuracy by

using the Journal Connection option.

For more information on searching with department tags, see the Enterprise

Vault Compliance Accelerator 6.0 - Installing and Configuring guide. A

department in partitions can only search messages to and from other

departments if both departments reside within the same partitions.

■ Accept or reject search results

Leave the Automatically accept results option disabled unless all searches

should be saved automatically into Enterprise Vault Compliance Accelerator.

After a search is accepted or the search results window is closed, Enterprise

Vault Compliance Accelerator stores the search for auditing purposes, and it

can no longer be removed. Any accepted search is stored in Enterprise Vault

Compliance Accelerator and can be used as a template for future searches.

The percentage searched of the item being searched is derived from the

Department properties page.

When auto accept is disabled, the administrator must reject a search to keep

it from being stored in the Enterprise Vault Compliance Accelerator database.

When the results of a finished search are rejected, the search is deleted.

■ Schedule searches

Use Enterprise Vault Compliance Accelerator to search Vault Stores on a set

time schedule. The SQL Agent must be enabled. Symantec recommends that

the Agent is set to automatically start.

■ Review searches

During the search process, Search Details can be expanded to see the percentage

searched, number of hits for a specific search request, and other information.

After the search is completed, the Reviewer column can be checked from the

Enterprise Vault Compliance Accelerator home page to view any discovered

data. From the Review menu, administrators can modify the review criteria,

download the original message to a MSG format file, and print the message,

attachments, and comment history.

Any comments added to the search will be stored in the Enterprise Vault

Compliance Accelerator database and remain with the archived message

permanently. Enterprise Vault Compliance Accelerator comes with six review

status options; however, the administrator can add new status marks as needed.

■ Create search exceptions

There may be occasions when search results contain sensitive material from

an unintended source, for example, from executive management. In this case,

Enterprise Vault Compliance Accelerator can implement exceptions when

administrators are reviewing search results. For example, using exceptions,

a Tier-1 reviewer can be restricted from accessing data generated by executive

employee groups or senior management departments. Review access to

sensitive data can be given to a Tier-3 reviewer who has the appropriate

authority. Exception employees can be created and managed using the

Department Explorer view or Exceptions Task links.

For more information on customizing Exceptions Task links, see the Enterprise

Vault Compliance Accelerator 6.0 - Installing and Configuring guide.

Best practices for upgrading Enterprise Vault Compliance Accelerator

This section describes how to upgrade an existing installation of Enterprise Vault

Compliance Accelerator 5.0 or 5.1 to version 6.0 or change the installation to

include the Journaling Connector. If upgrading, you must upgrade both the main

Compliance Accelerator components and any instances of the Journaling

Connector.

For more information on upgrading Enterprise Vault Compliance Accelerator,

see the Enterprise Vault Compliance Accelerator 6.0 Installing and Configuring

guide.

Note: It is not possible to upgrade an Enterprise Vault Compliance Accelerator

1.5 installation to Enterprise Vault Compliance Accelerator 6.0.

The Journaling Connector can be used to improve the performance and accuracy

of searches that are run against messages to or from all members of a specific

department. If the Compliance Accelerator was installed without the Journaling

Connector, the Journaling Connector can be installed later by following the steps

below.

To add the Journaling Connector

1 Log on as the Vault Service account and verify the IIS worker process has

write access to the Enterprise Vault Compliance Accelerator installation

folder.

2 Open the Control Panel and double-click Add/Remove Programs.

3 Select Enterprise Vault Compliance Accelerator and select Change/Remove.

4 Select the Modify option and click Next.

5 In the component selection window ensure that both the Enterprise Vault

Compliance Accelerator and Journaling Connector check boxes are selected.

There must be an Enterprise Vault Journaling Service installed for the

Journaling Connector option to be displayed.

6 Click Next, and then follow the on-screen instructions.

Upgrading Enterprise Vault Compliance Accelerator

An upgrade can be performed from an existing installation of Enterprise Vault

Compliance Accelerator 5.0. If the Journaling Connector is installed, it must be

upgraded as well. Back up the existing SQL Enterprise Vault Compliance

Accelerator database and the configuration files in the installed directory before

beginning the update process.

To upgrade Enterprise Vault Compliance Accelerator

1 Log on as the Vault Service account and verify the IIS worker process has

Write access to the Enterprise Vault Compliance Accelerator installation

folder.

2 In Control Panel, double-click the Administrative Tools applet, and then

double-click Services.

3 Stop the Enterprise Vault Compliance Accelerator Service.

4 Run the Compliance Accelerator installation program (\Compliance

Accelerator\Setup.exe).

5 Follow the prompts in the installation wizard for the new version.

6 In a Web browser, open the Enterprise Vault Compliance Accelerator home

page.

7 Click Update. After the update process, the existing Enterprise Vault

Compliance Accelerator database will be updated and the Update in progress

page is displayed. The browser window can be closed while the update is in

progress.

8 Select a Department Reviewer role for the new Department Explorer feature.

If you want to use an existing reviewer role for department reviewers, select

Use existing role.

Note: The Department Reviewer role cannot be renamed or deleted after the

upgrade. For more information on upgrading Enterprise Vault Compliance

Accelerator, see the Enterprise Vault Compliance Accelerator 6.0 Installing

and Configuring Guide.

9 Start a new Enterprise Vault Compliance Accelerator browser session, and

click Update. A message reports when the update is complete.

Note: If you close the browser window while the upgrade is in progress, the

next time you start a Compliance Accelerator browser session, you must click

Update again. A message will indicate whether the update has completed or

is still in progress. If an error occurs during the update, make a note of the

problem indicated in the message and then click Retry to restart the update.

When the upgrade has finished, do not click OK yet.

10 After the update status displays, restart the Enterprise Vault Compliance

Accelerator Service, and then click OK. You should see all the tasks that the

login is permitted to access.

Best practices for Enterprise Vault Compliance Accelerator backup and recovery

If a disaster recovery of Enterprise Vault Compliance Accelerator must be

performed, Enterprise Vault Compliance Accelerator must be reinstalled and then

pointed to an existing backup of the database.

To prepare for an Enterprise Vault Compliance Accelerator recovery, the

administrator should have backups of the following Enterprise Vault Compliance

Accelerator configuration files and databases:

■ Enterprise Vault Compliance Accelerator SQL database

■ The configuration files in the KVS\Business Accelerator - Compliance folder,

except for the Compliance Accelerator license file.

The backups/copies should be stored in a different location than the installed

files.

To recover Enterprise Vault Compliance Accelerator

1 Uninstall Enterprise Vault Compliance Accelerator, removing all files.

2 Re-install the product on the server.

3 Replace the newly installed configuration files directory with the saved copy,

excepting the license file.

4 Restart the Enterprise Vault Compliance Accelerator Service and verify a

connection to the correct database.

5 Wait 10 seconds before restarting the service.

Chapter 11: Minimizing time and risk in Exchange migrations

This chapter includes the following topics:

■ Overview of Exchange migration issues

■ Benefits of using the Symantec solution to manage Exchange migrations

■ Using Enterprise Vault in the migration process

■ Recommendations for migration

Overview of Exchange migration issues

Many companies today face the challenge of replacing a legacy mail system with

Microsoft® Exchange, or upgrading an older version of Exchange. Whatever the

reason for migrating to Exchange 2003, the migration process can require

considerable time and cost in resources.

Reducing the risk associated with migrating a business-critical application is of

paramount importance. For email migration, the major areas of risk that need to

be considered and managed include the following:

■ The migration of data

■ The value of that data to the business

■ The potential downtime of the core email business system should something

go wrong

The time, effort, and cost associated with a migration project are in proportion to

the amount of email that must be migrated. Focusing on reducing the physical

volume of data to be migrated reduces the overall risk and minimizes the

coexistence time, which in itself is a major load on administration and support

resources.

When migrating from a legacy email system, the following items must be

considered:

■ Mailbox profile

■ Mailbox content

■ Personal folder content

■ Public folder content

■ Address books, both personal and corporate

While the overall migration is typically managed through the use of standard

Microsoft Exchange or third-party migration tools, nearly all of these tools have

an unwanted impact on storage. Migration scenarios usually involve running

parallel mailboxes in the legacy system and in Exchange 2003, which doubles the

email storage required for the duration of the migration.

Even after the completion of the migration, the amount of storage consumed is

likely to be significantly higher as a result of the loss of single-instance, or

rationalized, message storage, where shared messages and attachments are stored

only once per Exchange server. Single-instance storage uses the unique

MESSAGE-ID of each message, and the migration process must leave MESSAGE-IDs

intact and in context in order to maintain single-instance storage.

Migration tools operate on a MAPI basis, with no provision for single-instance storage,

which is usually provided through the Exchange Message Transfer Agent (MTA).

In effect, every migrated message becomes unique, and the new email environment

consumes more email storage space, in some cases two-to-three times more than

the originating mail system. The impact on storage space of the loss of

single-instance storage depends in part on the size of the organization. The larger

the organization, the less likely it is that groups of mail users who have common

mail threads and attachments will all reside on the same server.
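The storage effect described above can be modelled directly. The following is an added example, not part of the original guide and not Symantec or Microsoft code: it compares storage when each Message-ID is held once per server with storage after a migration that makes every mailbox copy unique. All names, mailboxes, servers and sizes are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Delivery:
    """One copy of a message as it sits in one mailbox."""
    message_id: str  # value of the message's Message-ID header
    mailbox: str
    size_kb: int


def _unique_copies(deliveries):
    """Collapse repeats so each (mailbox, Message-ID) pair counts once."""
    copies = {}
    for d in deliveries:
        copies[(d.mailbox, d.message_id.strip())] = d.size_kb
    return copies


def single_instance_kb(deliveries, mailbox_server):
    """Storage when a given Message-ID is stored once per server."""
    stored = {}
    for (mailbox, message_id), size_kb in _unique_copies(deliveries).items():
        if mailbox not in mailbox_server:
            raise ValueError(f"no server assigned for mailbox {mailbox!r}")
        stored[(mailbox_server[mailbox], message_id)] = size_kb
    return sum(stored.values())


def per_copy_kb(deliveries):
    """Storage when every mailbox copy is stored as a unique item."""
    return sum(_unique_copies(deliveries).values())


def inflation_factor(deliveries, mailbox_server):
    """How many times larger the store becomes once single-instancing is lost."""
    shared = single_instance_kb(deliveries, mailbox_server)
    return per_copy_kb(deliveries) / shared if shared else 1.0


# Constructed sample: one large attachment sent to six users, plus two
# smaller messages with fewer recipients.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = (
    [Delivery("<m1@example.test>", u, 2000) for u in USERS]
    + [Delivery("<m2@example.test>", u, 100) for u in ("alice", "bob")]
    + [Delivery("<m3@example.test>", "carol", 50)]
)

# Small organization: every mailbox on the same server.
ONE_SERVER = {u: "EX1" for u in USERS}

# Larger organization: the same users spread over three servers.
THREE_SERVERS = {
    "alice": "EX1", "bob": "EX1",
    "carol": "EX2", "dave": "EX2",
    "erin": "EX3", "frank": "EX3",
}

if __name__ == "__main__":
    for name, layout in (("one server", ONE_SERVER), ("three servers", THREE_SERVERS)):
        print(
            f"{name}: single-instance {single_instance_kb(SAMPLE, layout)} KB, "
            f"after migration {per_copy_kb(SAMPLE)} KB, "
            f"factor {inflation_factor(SAMPLE, layout):.2f}"
        )
```

In the sample, the three-server layout already stores the shared attachment three times, so it has less single-instancing to lose than the one-server layout.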

This issue is well documented by Microsoft and experts in the field of migration,

as outlined in the following article:

http://www.windowsitpro.com/Articles/ArticleID/23819/23819.html

There is no way to avoid this problem when using Microsoft tools to migrate from

a non-Exchange system to Exchange. When migrating Exchange versions, the

only method of mitigation is to perform an in-place upgrade of the existing system.

This method requires system downtime, and all mailboxes must be converted at

once—a high-risk approach when compared to a phased approach. Should anything

go wrong, the whole process must be abandoned and the entire system reinstated.

Throughout the migration process, it is important to consider the needs of

end-users. Ideally, users should have uninterrupted access to the mail system,

complete access to their personal email knowledge base, and a single point of

access with no need to run parallel systems.

The aim of any migration or upgrade is to deliver the benefits of the new

technology without introducing undue risk and ongoing costs.

To provide a solid foundation for successful deployment of new technology, the

following core principles should be addressed:

■ Controlling storage

■ Reducing administration resources

■ Maintaining end-user transparency

Benefits of using the Symantec solution to manage Exchange migrations

Whether an organization is upgrading Exchange or migrating to Exchange from

an alternate mail environment, the Symantec solution can help minimize storage

costs and migration time and reduce project risk.

In a typical Exchange migration, moving mailbox content is the area where

Symantec adds the most benefit. In addition, Symantec reduces mail storage needs

on an ongoing basis after migration to the new Exchange environment.

By deploying Enterprise Vault, an organization can minimize the amount of email

to be moved before migration. Specifically, Enterprise Vault can be used to reduce

the size of the Exchange message store by 50 percent or more by moving older

items out into a separate Enterprise Vault repository. This repository is Exchange

version–independent and has its own single-instance and compression methods

for storage.

Once in Enterprise Vault, data does not need to be converted when the organization

moves to Exchange 2003. Data remains accessible to the user, and if required, can

be restored to Exchange in the correct native format.

Note: Enterprise Vault does not perform the actual Exchange Server migration.

Rather, it reduces the amount of data that must be moved when an Exchange

migration takes place.

Using Enterprise Vault in the migration process

The following describes possible approaches to an Enterprise Vault–assisted

migration:

■ Migrate without moving mailbox content

This approach uses Enterprise Vault in both the source environment and the target environment. All content from the source environment is archived. See “Migrating without moving mailbox content”.

■ Minimize mailbox content to be moved during migration

This approach uses Enterprise Vault in both the source environment and the target environment. From the source environment, only content that meets specified criteria, such as age, is archived. Mailboxes and public folders are migrated. See “Minimizing mailbox content to be moved”.

■ Migrate all mailbox content

This approach is applicable when Exchange migration is already in progress or when content is being migrated from a non-Exchange legacy mail system. It uses Enterprise Vault in the target environment only. Migrated content is consolidated in the target environment. See “Protecting the investment in Exchange 2003”.

■ Reduce the size of email storage after migration

This approach is applicable when Exchange migration is already complete. Enterprise Vault is deployed in a standalone Exchange environment with no further migration requirements. Size of the Exchange databases is reduced and controlled. See “Application after migration”.

The choice of approach is dependent on the status of an organization’s Exchange

migration and on overall email storage needs and goals.

Migrating without moving mailbox content

When migrating Exchange, Enterprise Vault can archive all existing mailbox

content without migrating it to the new environment. The migration effort is

reduced to migrating personal address books and mailbox profiles.

This approach realizes a significant reduction in time, effort, risk, and cost during

a migration project. Cost savings are achieved as end-users maintain ongoing

access to historical mail without the need to move that mail into the new Exchange

environment.

Figure 11-1 shows the migration approach in which email is archived rather than

migrated.

Figure 11-1 Migrate without moving mailbox content

This approach is implemented as follows:

■ All mailbox content and PSTs from the source environment are archived.

Mailbox profiles and address books are migrated to the target environment.

(1)

■ Archived mailbox and PST content is accessed from the target environment

by using Enterprise Vault’s Archive Explorer™. (2)

■ Public folders in the target environment are archived on an ongoing basis. (3)

Minimizing mailbox content to be moved

Enterprise Vault is most commonly used to minimize the amount of mailbox

content that is physically migrated across the two environments. This approach

represents a significant reduction in time, effort, risk, and cost.

In this scenario Enterprise Vault is used before migration to aggressively archive

content from the mailbox into the Enterprise Vault repository. Either all content

or a percentage of content is archived from the source environment and replaced

with shortcut links in the mailboxes and public folders in the new Exchange

environment. The data migration effort is then focused on moving the residual

shortcuts and the remaining content.

A common approach is to archive content older than 30 days. Residual shortcuts

are left behind for all the archived content, or for a portion of it, for example,

content up to a year old. Such policies can reduce the source mailbox and public

folder content by up to 80 percent.

This action significantly reduces the data migration effort, while maintaining

seamless access from the target mailboxes to content archived from the source

environment.
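To size such a policy before a migration, the age rule can be applied to a mailbox inventory. The following is an added example, not part of the original guide and not Enterprise Vault code: it classifies items by the 30-day and one-year thresholds mentioned above and reports how much data remains to be migrated. The item list, the reference date and the 5 KB shortcut size are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: nominal size of one residual shortcut. Not a figure from the guide.
SHORTCUT_KB = 5


@dataclass(frozen=True)
class Item:
    received: date
    size_kb: int


@dataclass(frozen=True)
class MigrationPlan:
    source_kb: int                  # total size of the source mailbox content
    kept_kb: int                    # items too recent to archive, migrated as-is
    shortcuts: int                  # archived items that leave a shortcut behind
    archived_without_shortcut: int  # archived items with no shortcut
    migrate_kb: int                 # what still has to be moved to the target

    @property
    def reduction_pct(self):
        if self.source_kb == 0:
            return 0.0
        return 100 * (self.source_kb - self.migrate_kb) / self.source_kb


def plan_migration(items, today, archive_after_days=30,
                   shortcut_max_days=365, shortcut_kb=SHORTCUT_KB):
    """Apply an age-based archiving policy to a list of mailbox items."""
    if shortcut_max_days < archive_after_days:
        raise ValueError("shortcut_max_days must not be below archive_after_days")
    source_kb = kept_kb = shortcuts = archived_only = 0
    for item in items:
        age_days = (today - item.received).days
        source_kb += item.size_kb
        if age_days <= archive_after_days:
            # Not yet "older than" the threshold: stays in the mailbox.
            kept_kb += item.size_kb
        elif age_days <= shortcut_max_days:
            # Archived, replaced by a shortcut that is migrated instead.
            shortcuts += 1
        else:
            # Archived and reachable only through the archive itself.
            archived_only += 1
    migrate_kb = kept_kb + shortcuts * shortcut_kb
    return MigrationPlan(source_kb, kept_kb, shortcuts, archived_only, migrate_kb)


# Constructed inventory: (age in days, size in KB) relative to a constructed date.
TODAY = date(2006, 6, 30)
SAMPLE_ITEMS = [
    Item(TODAY - timedelta(days=age), size_kb)
    for age, size_kb in [
        (5, 1500), (30, 485),               # kept (30 days is not "older than 30")
        (31, 1500), (200, 3000), (365, 500),  # archived, shortcut left behind
        (366, 1515), (900, 1500),           # archived, no shortcut
    ]
]

if __name__ == "__main__":
    p = plan_migration(SAMPLE_ITEMS, TODAY)
    print(f"source {p.source_kb} KB, to migrate {p.migrate_kb} KB, "
          f"{p.shortcuts} shortcuts, reduction {p.reduction_pct:.1f}%")
```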

Figure 11-2 depicts Enterprise Vault being deployed in both the source

environment and target environment to minimize the content migration effort.

Figure 11-2 Minimize mailbox content to be moved during migration

This approach is implemented as follows:

■ Archive a percentage of content from the source environment based on age

or mailbox quota. Archive all PST files from the source environment. (1)

■ Migrate mailbox profiles, residual content, archive shortcuts, and address

books to the target environment. (2)

■ Provide access to archived mailbox, public folder and PST content via

Enterprise Vault shortcuts created in mailboxes and via Enterprise Vault’s

Archive Explorer™. (3)

■ Deploy ongoing archiving in the target environment, with access to archived

content via both Archive Explorer and shortcuts in mailboxes. (4)

Protecting the investment in Exchange 2003

When a company has already begun an Exchange migration project or is migrating

content from legacy mail systems, it may not be possible or appropriate to

introduce a new technology into the legacy environment. In this case, Enterprise

Vault can be introduced solely into the Exchange 2003 environment to ensure

best-practice mailbox management from day one.

Although this approach does not reduce the amount of time taken to perform the

migration, it does minimize the risk associated with migration and the storage

costs associated with managing the migrated content.

Enterprise Vault can be used to minimize the impact of migrated data that is

taking up more physical storage than necessary because single-instancing has

been lost. Enterprise Vault can reduce the physical requirements for storage

through archiving as well as recreating lost single-instance storage. The process

is seamless to users, who have their original items replaced with shortcuts.

Exchange 2003 adopts a storage group model that allows mailboxes and content

to be organized more efficiently within an Exchange site. To optimize the migration

process and ensure that migrated mailboxes experience the least fragmentation,

Symantec recommends maintaining a transitory storage group into which

mailboxes are migrated.

Enterprise Vault can be configured to constantly and aggressively archive from

these mailboxes according to a defined business policy. The archiving services

can be scheduled to run, ideally, every 15 minutes during the migration to archive

content rapidly into the target environment as it arrives from the Exchange

migration wizards. Shortcuts then replace the original items. After a mailbox has

been migrated, the resultant archived mailbox is transferred to the target storage

group, where it is consolidated and any fragmentation eliminated.

The migration of PST files can be undertaken independently of the mailbox

migration, which mitigates a significant risk to the project. Additionally,

the need to populate the new target mailboxes with residual shortcuts for the

migrated PST content can be avoided by using Enterprise Vault’s Web-based

Archive Explorer.

Figure 11-3 depicts a scenario in which the data migration is underway prior to

the introduction of Enterprise Vault. Consequently, Enterprise Vault is deployed

only in the target environment.

Figure 11-3 Migrate all mailbox content

This approach is implemented as follows:

■ Migrate mailbox profiles, mailbox and public folder content, and address books

from the originating Exchange system or legacy mail system to the transitory

storage group in the target Exchange environment, using the Microsoft

migration wizards or similar tools. (1)

■ Archive all PST files from the source environment to the archive deployed in

the current environment. SID history is required to map permissions.

Aggressively archive content from mailboxes and public folders in the

transitory storage group until archiving thresholds are reached. (2)

■ Move the archived mailboxes and public folders into the target storage group

for fragmentation elimination and storage consolidation. (3)

■ Provide access to archived mailbox and PST content via Enterprise Vault

shortcuts created in mailboxes and also via Enterprise Vault’s Archive Explorer.

(4)

■ Deploy ongoing archiving in the target environment, with access to archived

content via both Archive Explorer and shortcuts in mailboxes. (5)

Application after migration

Enterprise Vault can help in instances where an organization has already

completed the Exchange migration and, as a result, large private and public

databases are negatively affecting backup and recovery times.

In this case, the primary concern is to reduce the size of the Exchange databases

quickly and to cap them if necessary to control growth. The goal is to provide a

defined service level agreement (SLA) on Exchange, a predictable backup and

recovery strategy, and ongoing reductions in associated storage costs.

Mailbox quotas may be used to cap mailbox sizes, but this approach is highly

intrusive for the end-user and may result in corporate records being lost. The

introduction of an archiving policy that works together with a mailbox quota

provides the ability to control Exchange growth. This policy is non-intrusive to

the end user, preserving long-term access to important Exchange content.

Archiving policy, following this model, might constrain mailbox sizes by archiving

at 75 percent of a mailbox quota of 100 MB, thus effectively capping Exchange to

75 MB multiplied by the number of mailboxes, with an effective mailbox size

governed by the amount of storage allocated to a mailbox archive.

As with the other migration scenarios, migration of PST files can be treated as a

separate project, and can be undertaken independently of the archiving of

mailboxes to reduce the risk and cost of storage.

Figure 11-4 shows a scenario where Enterprise Vault is effectively deployed into

a standalone Exchange implementation with no mailbox migration requirements.

Figure 11-4 Reduce the size of email storage after migration

This approach is implemented as follows:

■ Mailbox content has already been migrated to the target environment. (1)

■ Archive all PST files from the source environment to the archive deployed in

the current environment. SID history is required to map permissions. (2)

Initially, content from mailboxes and public folders in the target environment

should be archived aggressively until the quota archiving thresholds are

reached. Subsequently, ongoing archiving in the target environment should

be done on a nightly schedule, with access to archived content via both Archive

Explorer and shortcuts in mailboxes.

■ Provide access to archived mailbox and PST content via Enterprise Vault

shortcuts created in mailboxes and via Archive Explorer. (3)

Recommendations for migration

Successful and painless migration to Exchange 2003 depends on many factors,

and is never entirely risk-free. Using Enterprise Vault to assist in the management

of Exchange content can be a critical success factor by reducing the risks associated

with storage and administration overhead and by providing end-user transparency.

The approach to use for Enterprise Vault–assisted Exchange migration depends

on the following factors:

■ Perception of the risk inherent in the migration project

■ Current status of the migration project

■ Availability of storage to address migrated mail content

■ Availability of backup technology to address migrated mail content

■ Time available to perform the migration

■ Resources and software tools available to perform the migration

In a normal migration scenario, where Symantec becomes involved early in the

planning of a migration project, the benefits of Enterprise Vault are easily justified

in terms of project time, storage and resource cost-savings, and a general reduction

in overall project risk. The later Symantec is engaged in a migration project, the

more Enterprise Vault’s benefits are focused on storage cost-savings.

PST file migration

Regardless of the stage of a migration project, PST file migration always benefits

significantly from the use of Enterprise Vault. Symantec understands very well

the pain that PST files cause organizations. By using a proven Exchange modeling

and ROI process, Symantec can justify the use of its technology on the basis of

the risk mitigation, cost and time savings resulting from the migration,

repatriation, and consolidation of PST file content into an archive that is

seamlessly accessible by Windows® users.

Enterprise Vault provides the following tools for migrating (importing) the

contents of PST files to archives:

■ Locate and Migrate — This locates PST files on users’ computers, copies them

to a central location, and then migrates them.

■ Client-Driven Migration — This uses the Locate and Migrate tool, but finding

PST files and sending them to a PST collection area is performed automatically

by the user’s computer, instead of by the Enterprise Vault Server Tasks. This

can be useful in the following cases:

■ You do not have permission to access PST files on the user’s computer.

■ The user’s computer is available on the network only occasionally.

For example, a user with a laptop computer who visits the office on one

day each week.

■ Scripted migration using Policy Manager — This is ideal for performing bulk

migrations of PST files, but you need to collect the PST files in a central

location.

■ PST Migrator wizard-assisted migration — If you have a small number of PST

files, this provides a quick and easy way of migrating them to Enterprise Vault.

If the PST files then continue to have more items stored in them you will need to

perform repeated migrations in order to archive new items, which is probably not

what you want to do. If you attempt to migrate thousands of PST files at the same

time the migration can take a long time to run. The time taken will be roughly

comparable to the amount of time your Enterprise Vault system would take to

archive the same amount of data from mailboxes. Symantec recommends that

you experiment by migrating a few PST files and then gradually increase the

numbers that you work with.

PST migration tips

The following are useful tips and guidelines for migrating PST files:

■ Unless you have only a few PST files to migrate, Locate and Migrate is likely

to require the least effort. If the end-user population is very mobile, then the

Client-Driven Migration variation will be most beneficial.

■ Migrate a few PST files and then, when you are familiar with the process,

increase the numbers.

■ Migration is much easier if you have PST files in only a few locations, rather

than in many.

■ Ensure that the appropriate permissions exist on the PST files before running

PST Migrator, otherwise the process will fail.

■ You can use the Windows 2000 command-line utility (CACLS) to grant the

Vault Service account Full Control access to the PST files.

■ You can run more than one instance of PST Migrator. For maximum overall

throughput, it is recommended that you run 10 instances. If the computer is

also archiving at the same time, then reduce the number of PST Migrator

instances.
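
A pre-flight check for the permissions tip above, as an added example that is not part of the Yellow Book: it reports PST files in the collection area on which the Vault Service account lacks Full Control and, with -Grant, applies the CACLS grant. The share path and account name are placeholders, not values from this document.

```powershell
# Added example. $PstRoot and $VaultAccount are hypothetical placeholders;
# substitute your own PST collection area and Vault Service account.
param(
    [string]$PstRoot      = '\\fileserver\PSTCollection',
    [string]$VaultAccount = 'EXAMPLE\VaultSvc',
    [switch]$Grant        # without -Grant the script only reports
)

function Test-FullControl {
    param([string]$Path, [string]$Account)
    # True when an Allow ACE that names the account directly carries Full Control.
    # Access obtained only through group membership is not resolved here.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # An unreadable ACL is treated as "not granted" so the file is reported.
        return $false
    }
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ieq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $full) -eq $full) {
            return $true
        }
    }
    return $false
}

$results = foreach ($pst in Get-ChildItem -LiteralPath $PstRoot -Filter *.pst -Recurse -File) {
    $ok = Test-FullControl -Path $pst.FullName -Account $VaultAccount
    if (-not $ok -and $Grant) {
        # /E edits the existing ACL instead of replacing it;
        # /G account:F grants Full Control.
        & cacls.exe $pst.FullName /E /G "${VaultAccount}:F" | Out-Null
        $ok = ($LASTEXITCODE -eq 0) -and
              (Test-FullControl -Path $pst.FullName -Account $VaultAccount)
    }
    [pscustomobject]@{ File = $pst.FullName; VaultFullControl = $ok }
}

# Files listed here would cause PST Migrator to fail on access.
$results | Where-Object { -not $_.VaultFullControl } | Format-Table -AutoSize
```

Run it once without -Grant to see which files need attention before any ACL is changed.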

Glossary

active/active In VERITAS Cluster Server, active/active is a failover configuration where each

system runs a service group. If either fails, the other one takes over and runs

both service groups. Also known as a symmetric configuration.

active/passive In VERITAS Cluster Server, active/passive is a failover configuration consisting

of one service group on a primary system, and one dedicated backup system. Also

known as an asymmetric configuration.

Administration Console In Backup Exec, the Administration Console provides a user interface to Backup

Exec operations. The user interface can be run from the media server or a remote

computer.

adware Programs that facilitate delivery of advertising content to the user through their

own window, or by utilizing another program’s interface. In some cases, these

programs may gather information from the user’s computer, including information

related to Internet browser usage or other computing habits, and relay this

information back to a remote computer.

antispam A subcategory of a security policy that controls the receipt of unsolicited email,

often referred to as spam.

antivirus A subcategory of a security policy that pertains to computer viruses.

Anti-Virus Cleaner The Anti-Virus Cleaner receives messages from the Brightmail Server. The Cleaner

parses the message, decodes most attachments, and cleans them using the

Symantec AntiVirus engines and definitions. It then adds a header and message

text advising the recipient of its actions, and returns the message via SMTP to

the incoming mail stream.

application roles In Enterprise Vault Compliance Accelerator, application roles enable users to

perform tasks in the Application Administration area on the home page, but not

in the Department Administration and Reviewer areas.

archive bit In Backup Exec, a file attribute that is set whenever a file is modified. For full and

incremental backups that use archive bits, this bit is turned off after the backup

completes, indicating to the system that the file has been backed up. If the file is

changed again before the next incremental or full backup, the bit will be turned

on and Backup Exec will back up the file.

Archive Explorer In Enterprise Vault, Archive Explorer provides users a searchable folder view of

their archives that is similar to the Microsoft Outlook folders view. The folder

names and structure match the original mail folders from which their items were

archived.

Archiving Service In Enterprise Vault, the Archiving Service archives items from the Exchange

Private Information Stores. At the times scheduled by the administrator, the

Archiving Service scans mailboxes for items that satisfy the archiving policy of

the site, mailbox, or folder in question.

audit log A running history of all actions performed in the Backup Exec system. An entry

into the log is created each time an action that is configured to display in the audit

log occurs.

backup A process where selected files on a computer drive are copied and stored on a

reliable form of media.

blended threat Blended threats combine the characteristics of viruses, worms, Trojan Horses,

and malicious code with server and Internet vulnerabilities to initiate, transmit,

and spread an attack. By using multiple methods and techniques, blended threats

can rapidly spread and cause widespread damage.

Brightmail Agent The Brightmail Agent resides on each Brightmail Scanner and communicates with

the Brightmail Control Center to support centralized configuration and

administration activities.

Brightmail Client The Brightmail Client receives messages from the MTA and communicates with

the Brightmail Server to provide message filtering. The Brightmail Client resides

on a Brightmail Scanner.

Brightmail Control Center The Brightmail Control Center is a Web-based cross-platform configuration and

administration center built in Java. Each Symantec Brightmail Anti-Spam

installation has one Brightmail Control Center, which also houses Brightmail

Quarantine and supporting software.

Brightmail Server The Brightmail Server filters messages and assigns verdicts to messages based

on the filtering results. The Brightmail Server resides on a computer hosting a

Brightmail Scanner.

capacity monitoring In Storage Foundation for Windows, capacity monitoring refers to monitoring

dynamic volume capacities, so that when any volume reaches preset size

thresholds, an alert message is sent.

CASO See central administration server.

catalog In Backup Exec, a database for keeping track of the contents of media created

during a backup or archive operation. Information can only be restored from fully

cataloged media.

central administration server A Backup Exec media server with the Central Admin Server Option (CASO)

installed. In a CASO environment, the central administration server becomes the

centralized focal point of the Backup Exec enterprise. It is the media server where

an administrator makes decisions on what data and servers are to be protected

in the environment. It is also the media server where the building blocks of job

creation take place—the creation of policies and the association of selection lists

to those policies.

clean An action that consists of deleting virus infections that cannot be repaired, and

repairing repairable virus infections.

cluster One or more computers linked together for the purpose of multiprocessing and

high availability.

concatenation Storing data either on one disk (simple) or on disk space that spans more than

one disk (spanned).

Content Compliance A set of features in Symantec Mail Security 8200 Series appliances that enable

administrators to enforce corporate email policies, reduce legal liability, and

ensure compliance with regulatory requirements. These features include

annotations, streamlined filter creation using multiple criteria and multiple

actions, flexible sender specification, dictionary filters, and attachment

management.

content filtering A subcategory of a security policy that pertains to the semantic meaning of words

in text (such as email messages). It can also include URL filtering.

Control Center A Web-based configuration and administration center for Symantec Mail Security

8200 Series appliances. Each site has one Control Center. The Control Center also

houses Quarantine and supporting software.

device In Backup Exec, device can refer to a robotic library drive, a stand-alone drive, a

backup-to-disk folder, a backup-to-disk device, or a cascaded drive pool.

differential backup In Backup Exec, the differential backup methods are used to back up files that

have changed since the last full or incremental backup. A differential backup can

be based on archive bit or time stamp information.

directory harvest attack A high-volume email campaign addressed to dictionary-generated recipient

addresses on a specific domain. Directory harvest attacks (DHAs) not only consume

resources on the targeted email server, they also provide the spammers with a

valuable list of valid email addresses (targets for future spam campaigns).

Directory Service In Enterprise Vault, the Directory Service provides distributed access to a Vault

Directory Database. All other Enterprise Vault services need access to this

particular database.

disaster recovery A solution that supports fail over to a cluster in a remote location in the event

that the local cluster becomes unavailable.

discovery A process in which email servers and archives are searched within a business

enterprise to locate and reproduce specified email content pertaining to a legal

proceeding. Discovery is normally requested by lawyers in a court of law, to verify

or disprove arguments for or against the plaintiff or defendant.

disk group Storage Foundation for Windows organizes disks into disk groups. Disk groups

provide a way of organizing disks in a system and simplifying storage management

for systems with large numbers of disks. They also allow disks to be moved between

computers to easily transfer the storage between computers.

disk striping Disk striping writes data across multiple disk drives instead of just one disk. Disk

striping involves partitioning each drive storage space into stripes that can vary

in size. These stripes are interleaved in a repeated sequential manner. The

combined storage space is composed of stripes from each drive.

DMP DMP is a form of Dynamic Multipathing that is designed for a multipath disk

storage environment that provides Windows mini-port or SCSI port driver support.

DMZ (demilitarized zone) A network added between a protected network and an external network to provide

an additional layer of security. Sometimes called a perimeter network.

DNS (Domain Name Server) proxy An intermediary between a workstation user and the Internet that allows the

enterprise to ensure security and administrative control.

DNS (Domain Name System) A hierarchical system of host naming that groups TCP/IP hosts into categories.

For example, in the Internet naming scheme, names with .com extensions identify

hosts in commercial businesses.

DNS server A repository of addressing information for specific Internet hosts. Name servers

use the Domain Name System (DNS) to map IP addresses to Internet hosts.

domain 1. A group of computers or devices that share a common directory database and

are administered as a unit. On the Internet, domains organize network addresses

into hierarchical subsets. For example, the .com domain identifies host systems

that are used for commercial business. 2. A group of computers sharing the

network portion of their host names, for example, raptor.com or microsoft.com.

Domains are registered within the Internet community. Registered domain entities

end with an extension such as .com, .edu, or .gov or a country code such as .jp

(Japan).

downstream At a later point in the flow of email. A downstream email server is an email server

that receives messages at a later point in time than other servers. In a

multiple-server system, inbound mail travels a path from upstream mail servers

to downstream mail servers. Downstream can also refer to other types of

networking paths or technologies.

DVS DVS is the file extension of the messages stored by Enterprise Vault. These

messages are also referred to as DVS files.

Dynamic Multipathing In Storage Foundation for Windows, the Dynamic Multipathing option adds fault

tolerance to disk storage by making use of multiple paths between a computer

and individual disks in an attached disk storage system. Disk transfers that would

have failed because of a path failure are automatically rerouted to an alternate

path. Dynamic Multipathing also improves performance by allowing load balancing

between the multiple paths. Two forms of Dynamic Multipathing are available,

DMP and MPIO.

dynamic volume In Storage Foundation for Windows, dynamic volumes are volumes created on

dynamic disks in place of partitions. A dynamic volume consists of a portion or

portions of one or more physical disks and is organized in one of five volume

layout types: concatenated, mirrored, striped, RAID-5, and mirrored striped (RAID

0+1). The size of a dynamic volume can be increased if the volume is formatted

with NTFS and there is unallocated space on a dynamic disk within the dynamic

disk group onto which the volume can be extended.

Email Firewall A set of features of Symantec Mail Security 8200 Series appliances that provide

perimeter defense, similar to a regular firewall, focused on email traffic. The Email

Firewall analyzes incoming SMTP connections and enables preemptive responses

and actions before messages progress further in the filtering process. The Email

Firewall provides attack preemption for spam, virus, and directory harvest attacks,

sender blocks based on IP address, domain, third party lists, or Symantec lists.

exploit A program or technique that takes advantage of a vulnerability in software and

that can be used for breaking security, or otherwise attacking a host over the

network.

external threat A threat that originates outside of an organization.

failover An operation in which the failure of one appliance, program, or security gateway

causes another to pick up its workload automatically.

false positive A piece of legitimate email that is mistaken for and classified as spam by an

antispam product.

fault tolerance The characteristic of ensuring data integrity and system functionality when

hardware failures occur.

filter A method for analyzing email messages, used to determine what action to take

on each message. A variety of types of filters can be used to process messages. A

filter can be provided by Symantec, created by a local administrator, created by

an end user, or provided by a third party.

firewall A program that protects the resources of one network from users from other

networks. Typically, an enterprise with an intranet that allows its workers access

to the wider Internet will want a firewall to prevent outsiders from accessing its

own private data resources.

firewall rules A security system that uses rules to block or allow connections and data

transmission between a computer and the Internet.

FlashSnap In Storage Foundation for Windows, the FlashSnap option is a multi-step process

that is used to create independently addressable snapshot volumes that are copies

or mirrors of the volumes on a server. These snapshot volumes can be easily

moved to another server for backup or other purposes, such as loading or updating

data warehouses or performing application testing with real production data while

business continues.

full backup In Backup Exec, the full backup methods are used to back up all selected files. A

full backup can copy all files and reset the archive bit, or it can use incrementals

and differentials based on time stamp. If the full backup option to archive the

files is used, the original files are deleted after the backup finishes successfully,

if the necessary rights to the files are granted.

gateway A network point that acts as an entrance to another network. A gateway can also

be any computer or service that passes packets from one network to another

network during their trip across the Internet.

group policies Group policies are used to specify groups of users, identified by email addresses

or domain names, and to customize message filtering for each group.

header 1. First part of an email message, containing information such as the address of

the recipient, the address of the sender, message type, routing, and time sent. 2.

In Symantec Brightmail AntiSpam, the header test command, which is a Sieve

command supported by the custom filtering features.

heuristic Filters that pro-actively target patterns common in spam and viruses.

host 1. In a network environment, a computer that provides data and services to other

computers. Services might include peripheral devices, such as printers, data

storage, email, or World Wide Web access. 2. In a remote control environment, a

computer to which remote users connect to access or exchange data.

incident The actualization of a security risk. The event or result of a threat that exploits

a system vulnerability.

incremental backup In Backup Exec, the incremental backup methods back up files that have changed

since the last full or incremental backup. An incremental backup can be based on

archive bit or time stamp information. If the incremental backup is performed

based on the archive bit, the archive bit is reset to indicate that the files have been

backed up.

Indexing Service In Enterprise Vault, the Indexing Service is responsible for creation and

management of the indexes, processing of searches, and return of search results.

Indexes allow users to search their archive and view the results.

internal threat A threat that originates within an organization.

Journaling Service In Enterprise Vault, the Journaling Service works together with Microsoft Exchange

journaling to enable all messages sent and received by Exchange to be copied into

a single journal mailbox. The Enterprise Vault Journaling Service processes the

journal mailbox, collects items to be archived, and passes them on to the Storage

Service.

load balancing 1. Refers to the process of balancing the data load between disks so that I/O

demands are spread as evenly as possible across an I/O subsystem's resources.

local device A disk or tape drive connected to a server and only available to the server to which

it is attached.

macro virus A program or code segment written in the internal macro language of an

application. Some macros replicate, while others infect documents.

mass-mailing worm A worm that propagates itself to other systems via email, often by using the

address book of an email client program.

media server The Microsoft Windows server where Backup Exec is installed and the Backup

Exec services are running.

media set In Backup Exec, a group of media on which a backup job is targeted. The media

set controls the overwrite protection period and the append period.

MIME Multipurpose Internet Mail Extension, a file-type definition standard that enables

different mail programs to understand and interpret non-textual file types (such

as .doc, .jpg, and .wav) in the same way.

mirrored striped volume RAID 0+1 volumes are mirrors of striped volumes. For example, a two-disk stripe

can be mirrored to two additional disks. This RAID type provides the advantages

of both speed (from striping) and fault tolerance (from mirroring). More mirrors

can be added to a mirrored striped volume, and this type of volume can be extended

onto additional dynamic disks within the dynamic disk group.

mirrored volume (RAID-1) A mirrored dynamic volume is a fault-tolerant volume that duplicates data on

two or more physical disks. A mirror provides redundancy by simultaneously

writing the same data onto two or more separate mirrors (or plexes) that reside

on different disks. If one of the disks fails, data continues to be written to and

read from the unaffected disk or disks. A mirrored volume is slower than a RAID-5

volume in read operations but faster in write operations.

monitored employee In Enterprise Vault Compliance Accelerator, an employee whose correspondence

is monitored.

mount point The directory under which a file system is accessible after being mounted.

MTA (Mail Transfer Agent) A generic term for programs that send and receive mail between servers.

name server A computer running a program that converts domain names into appropriate IP

addresses and vice versa.

node The physical host or system on which applications and service groups reside.

When systems are linked by VERITAS Cluster Server, they become nodes in a

cluster.

off-host backup Refers to a situation in which the processing of the backup of a server is moved

to another server. This allows the applications on the working server to be

maintained at a consistently higher performance level because the backup is

performed on another machine.

payload This is the malicious activity that the virus performs. Not all viruses have payloads,

but there are some that perform destructive actions.

plex A plex refers to an instance of the volume. Mirrored volumes have two or more

plexes. All other volumes have one plex. Plexes, columns, and subdisks are the

constituent parts of the volume.

policy 1. A set of message filtering instructions that Symantec Mail Security 8200 Series

appliances implement on a message or set of messages. 2. In Backup Exec, a method

for managing backup jobs and strategies. Policies contain templates, which provide

settings for jobs.

protected server Any computer on a network that is being backed up by Backup Exec, including

Backup Exec media servers.

providers In Storage Foundation for Windows, providers are similar to drivers. Each provider

manages a specific hardware or software storage component. For example, there

is a disk provider that manages all disks that the Windows operating system sees

as disks. The providers discover the existing physical and logical entities and store

that information in Storage Foundation for Windows’ distributed database.

Normally, providers operate in the background. The exception might be when

there is a provider error on startup.

PST file Microsoft Exchange file format. PST files are used to store messages and other

Exchange data on a user’s local drive, instead of on the Exchange server. Also

known as a Personal Folders file.

public folder archiving Enables Enterprise Vault to archive items from Microsoft Exchange public folders.

Quarantine A database that stores email messages separately from the normal message flow,

and allows access to those messages. On Symantec Mail Security 8200 Series

appliances, Quarantine is located on the Control Center appliance, and provides

users with Web access to their spam messages. Users can browse, search, and

delete their spam messages and can also redeliver misidentified messages to their

inbox. An administrator account provides access to all quarantined messages.

Quarantine can also be configured for administrator-only access.

RAID RAID (Redundant Array of Independent Disks) is a collection of specifications

that describe a system for ensuring the reliability and stability of data stored on

large disk subsystems.

RAID 0+1 volume See mirrored striped volume.

RAID-5 Logging RAID-5 logging ensures prompt recovery of a RAID-5 volume after a system crash.

With RAID-5 logging, updates need to be made only to the data and parity portions

of the volume that were in transit during the system crash. Thus, the entire volume

does not have to be resynchronized. A log can be created when a volume is created,

or it can be added later.

RAID-5 volume A RAID-5 volume is a fault-tolerant volume with data and parity striped

intermittently across three or more physical disks. Parity is a calculated value

that is used to reconstruct data after a failure. If a portion of a physical disk fails,

the data on the failed portion can be recreated from the remaining data and parity.

RAID-5 volumes can be created only on dynamic disks. RAID-5 volumes cannot

be mirrored.

region Contiguous area of storage on a disk. These regions can also be referred to as

subdisks.

resource discovery A Backup Exec operation that allows detection of new backup resources within a

Windows domain.

resource types In VERITAS Cluster Server, each resource in a cluster is identified by a unique

name and classified according to its type. VERITAS Cluster Server includes a set

of predefined resource types for storage, networking, and application services.

Retrieval Service In Enterprise Vault, a Retrieval Service is associated with a specific Microsoft

Exchange Server. The Retrieval Service retrieves items from archives and stores

them in that Microsoft Exchange Server.

review marks In Enterprise Vault Discovery Accelerator, review marks are a set of marks that

can be applied to items in all cases. These marks are set out in the scheme template.

For each new case that is created, Discovery Accelerator makes a copy of these

marks, which can then be adapted for a specific case.

review set In Enterprise Vault Compliance Accelerator, a collection of captured messages

that are relevant to a particular department.

reviewer In Enterprise Vault Compliance Accelerator, a user who is responsible for reviewing

one or more departments.

robotic library A high-capacity data storage system for storing, retrieving, reading, and writing

multiple magnetic tape cartridges. It contains storage racks for holding the

cartridges and a robotic mechanism for moving the cartridge to the drive or drives.

roles In Enterprise Vault Compliance Accelerator, roles are used to group the

permissions needed to perform specific application or department tasks. Once

roles are created, they are assigned to specific employees. Employees who do not

have permission for a particular task do not see it in their view of the Compliance

Accelerator web interface.

Scanner A component in an appliance or set of appliances or software that filters mail.

Each site can have one or many Scanners.

security life cycle A method of initiating and maintaining a security plan. It involves assessing the

risk to a business, planning ways to reduce the risk to a business, implementing

the plan, and monitoring the business to verify that the plan reduced the risk.

security response The process of research, creation, delivery, and notification of responses to viral

and malicious code threats, as well as operating system, application, and network

infrastructure vulnerabilities.

security services The security management, monitoring, and response services that let organizations

leverage the knowledge of Internet security experts to protect the value of their

networked assets and infrastructure.

shopping baskets Part of the Enterprise Vault Shopping Service. When users search using the Web

Access application they are able to save these search results in containers called

shopping baskets. The Shopping Service is responsible for managing these

shopping baskets and instructs the Retrieval Service to retrieve the contents of

any shopping baskets when necessary.

Shopping Service In Enterprise Vault, the Shopping Service works in conjunction with the Enterprise

Vault Web Access application. This service enables users to save search results

from different searches and to restore selected items.

signature 1. A state or pattern of activity that indicates a violation of policy, a vulnerable

state, or an activity that may relate to an intrusion. 2. Logic in a product that

detects a violation of policy, a vulnerable state, or an activity that may relate to

an intrusion. This can also be referred to as a signature definition, an expression,

a rule, a trigger, or signature logic. 3. Information about a signature including

attributes and descriptive text. This is more precisely referred to as signature

data.

snapshot A consistent point-in-time view of a volume that is used as the reference point

for the backup operation. After a snapshot is created, the primary data can

continue being modified without affecting the backup operation.

spam 1. Unsolicited commercial bulk email. 2. An email message identified as spam by

a Symantec security product, using its filters.

spyware Programs that have the ability to scan systems or monitor activity and relay

information to other computers. Among the information that may be actively or

passively gathered and disseminated by spyware are passwords, log-in details,

account numbers, personal information, individual files or other personal

documents. Spyware may also gather and distribute information related to the

user’s computer, applications running on the computer, Internet browser usage

or other computing habits.

Storage Service In Enterprise Vault, the Storage Service serves the following functions: vault store

and archive management, conversion and storage of various message classes and

documents, retrieval of archived items for viewing, copy and conversion of archived

items for restoration, and automatic and manual deletion of archived items.

striped volume (RAID-0) A volume that stores data in stripes on two or more physical disks. Data in a striped

volume is allocated alternately and evenly (in stripes) to the disks of the striped

volume. Striped volumes can be created only on dynamic disks. Striped volumes

by themselves are not fault tolerant; however, they can be mirrored to be made

fault tolerant. They also can be extended.

subnet mask A local bit mask (set of flags) that specifies which bits of the IP address specify a

particular IP network or a host within a subnetwork. Used to "mask" a portion of

an IP address so that TCP/IP can determine whether any given IP address is on a

local or remote network. Each computer configured with TCP/IP must have a

subnet mask defined.

suspected spam A category of messages separate from spam. Messages fall into the suspected

spam category based on their spam scores. Different actions can be specified for

spam and suspected spam.

Suspected Spammers list A list of IP addresses from which virtually all of the outgoing email is spam,

provided by Symantec based on data from the Probe Network.

Symantec Security Response Symantec Security Response is a team of dedicated intrusion experts, security

engineers, virus hunters, threat analysts, and global technical support teams that

work in tandem to provide extensive coverage for enterprise businesses and

consumers. Symantec Security Response also leverages sophisticated threat and

early warning systems to provide customers with comprehensive, global, 24x7

Internet security expertise to proactively guard against today’s blended Internet

threats and complex security risks.

Symantec Spam Folder Agent for Exchange An application designed to work on Microsoft Exchange Servers. Installed

separately, the Symantec Spam Folder Agent for Exchange creates a subfolder

and a server-side filter in each user’s mailbox. The filter gets applied to messages

that a Scanner identifies as spam, routing spam into each user’s spam folder,

relieving end users and administrators of the burden of using their mail clients

to create filters.

target In Enterprise Vault Discovery Accelerator, targets are a way of listing all the

available email addresses for one person. This enables an administrator to enter

a person’s name once when searching, to include all of that person’s different

addresses. Target groups, which are named collections of targets, can also be set

up.

template In Backup Exec, a required element of a policy that defines how and when a job

is processed. Templates specify the device, settings, and schedule options to be

used for the job. Each policy must contain at least one template.

threat A circumstance, event, or person with the potential to cause harm to a system in

the form of destruction, disclosure, modification of data, or denial of service.

threat assessment The severity rating of the virus, worm, or Trojan horse. The threat assessment

includes the damage that this threat causes, how quickly it can spread to other

computers, and how widespread the infections are known to be.

threshold The number of events that satisfy certain criteria. Administrators define threshold

rules to determine how notifications are to be delivered.

traffic shaping An antispam technique that prioritizes sources with good traffic and throttles

sources that are sending spam, thus reducing the load downstream in the network.

vault directory The vault directory holds configuration information for one or more Enterprise

Vault Sites. The vault directory consists of a vault database and a directory service.

vault partition In Enterprise Vault, the vault partition is part of the vault store. A partition

contains either UNC paths to an NTFS volume or addresses to a tertiary storage

device. These are the physical locations where archived items are stored in

Enterprise Vault.

vault site In Enterprise Vault, a vault site consists of one or more computers running one

or more Enterprise Vault Services and sharing the same configuration information.

vault site alias In Enterprise Vault, this alias is a pointer to the Directory Service computer. Each

vault site must have a vault site alias, which is used by Enterprise Vault to refer

to the vault site by name.

vault store In Enterprise Vault, a vault store consists of one or more vault partitions which

consist of UNC paths to an NTFS volume or addresses to a tertiary storage device.

The vault store is managed by the Storage Service.

vault store database In Enterprise Vault, this database holds all pointers to the actual items that are

stored in the partitions, as well as data pertaining to what accounts have access

to what items.

virus A program or code that replicates; that is, infects another program, boot sector,

partition sector, or document that supports macros, by inserting itself or attaching

itself to that medium.

virus attack A series of virus-infected emails from a specific domain.

virus definitions file A file that provides information to antivirus software to find and repair risks.

vulnerability A state in a computing system which either allows an attacker to execute

commands as another user, allows an attacker to access data that is contrary to

the specified access restrictions for that data, allows an attacker to pose as another

entity, or allows an attacker to conduct a denial of service.

worm A special type of virus. A worm does not attach itself to other programs like a

traditional virus, but creates copies of itself, which create even more copies.

A

Admin Service

overview 156

Administration Console

Enterprise Vault configuration tasks 165

Archive service

creating 166

archives

accessing in Enterprise Vault 172

creating Exchange Public Folder Task 172

developing policies for 223

enabling for mailbox 168

archiving systems

as a best practice 54

B

Backup Exec

backing up Enterprise Vault 212

best practices 205

configuring 205

licenses 205

requirements 86

scripts for backing up 216

upgrading 205

using for spam removal 99

C

clustering. See Veritas Cluster Server

Collaboration Data Objects 160

compliance

examples of 28

legal considerations 219

Compliance Accelerator. See Enterprise Vault

Compliance Accelerator

D

desktop tier

challenges of 103

Discovery Accelerator. See Enterprise Vault

Discovery Accelerator

discovery requests

establishing efficiency 226

preparing for 225

simplifying to reduce costs of 225

E

email filtering

internally 53

email legal evidence

as 29

email management

archiving 54, 144, 223

backup regulations 227

business email life cycle 220

compliance factors 219

configuring protection environment 105

costs of 31

factors of 23

migrating

legacy systems 261

minimizing mailbox content 265

recommendations 270

without moving mailbox content 264

quota policies 26

reducing volume of 48

regulatory compliance 219

risks to availability 179

unwanted mail 99

violation of policies 30

email security

internal 53

management considerations 36, 48

multi-tiered approach 105

reducing bandwidth 48

Email security and availability. See Symantec

Enterprise Messaging Management solution

email threats 21, 24

multi-tiered approach to reducing 99

spam 99, 222

viruses 223

Index

Enterprise Messaging Management. See Symantec

Enterprise Messaging Management solution

Enterprise Vault

Administration Console 165

administrator toolbar utility for recovery 175

backup and recovery 173

backup sequence 217

components of 213

configuration best practices 163

configuring Windows components 160

IM archiving 122

installation best practices 163

installed tasks and services 147

installing Exchange System Manager 2003 161

installing with Enterprise Vault Compliance

Accelerator 238

installing with Enterprise Vault Discovery

Accelerator 233

managing Exchange migrations 263

offline vault, using with archives 172

overview 147

planning for deployment 150

preparing for installation 157

reducing database size 269

requirements 81

scalability recommendations 153

scalable storage solution 57

selecting archive index levels 156

setting retention categories 169

shortcuts, using with archives 172

Site Alias

creating on DNS server 162

software prerequisites 157

SQL login account 159

structured data 145

usage tips 176

using with Backup Exec 212

Windows service account, creating for 158

Enterprise Vault Compliance Accelerator

Application Administration page 247

backup and recovery best practices 260

browser interface recommendations 246

configuration best practices 242

configuring searches 256

customization best practices 252

Department Administration page 247

installing best practices 238, 241

Journaling Connector requirements 240

overview 230

SQL Server requirements 241

upgrading best practices 258

Enterprise Vault Discovery Accelerator

browser interface recommendations 238

creating roles and cases 248

creating searches 250

customization best practices 247

installing best practices 233, 236

overview 230

post-installation best practices 236

SQL Server requirements 235

Enterprise Vault server

configuring baseline environment 92

Enterprise Vault Store

creating 165

creating Archive service on 166

enabling mailbox archiving 168

partition settings 155

recommendations 155

Exchange. See Microsoft Exchange

Exchange Mailbox reports

generating 173

Exchange server. See Microsoft Exchange server

Exchange System Manager 2003

installing with System Management tools 161

F

FlashSnap 187

G

gateway tier 101

groupware

environment protection 53

H

high availability 28

HIPAA 28

I

IBM

performance test

results 95

user profile 90

server configuration 89, 92

storage configuration 89, 92

IM. See instant messaging

IM Manager

best practices for 129

directory integration 123

overview 117

SMTP delivery to Microsoft Exchange 126

use case 134

indexing levels

Enterprise Vault 156

installation

best practices 236, 241

Enterprise Vault

installation best practices 163

preparing for 157

instant messaging

growth 36

increase in use 23

part of messaging management 13

security 129

security risk 24

J

Journaling Connector

adding or upgrading 258

requirements 240

M

Mail Security for Exchange

adding to Cluster Server 203

file filtering rules 111

multiserver console 110

recommended settings 109

updating virus definitions 110

zip files 111

mail server tier 102

Mailbox Archiving Task 168

mass-mailer worms 50

message archiving 54

messaging applications

new 32

messaging security

Symantec product hierarchy 60

Microsoft Exchange

email risks 179

forms installation and distribution 167

migration considerations 261

minimizing migration risks 267

reducing size of data stores 146

storage group recommendations 187

Symantec Enterprise messaging management

solution, relation to 181

Microsoft Exchange server

configuring baseline environment 92

creating an Outlook profile on 162

email storage 143

protection best practices 107

Microsoft Outlook

configuring for use with Enterprise Vault 160

Microsoft SQL Server. See SQL Server

O

off-host backup 212

P

performance guidelines 88

perimeter

protecting 49

protection solutions

email 50

instant messaging 52

threats 50

phishing attacks 24

policies

creating in Enterprise Vault 169

PST archive migration 146, 272

R

recovery solutions 43

retention categories

setting in Enterprise Vault 169

S

Sarbanes-Oxley Act

compliance demands of 28

security. See messaging security

end-point security 63

service groups

Veritas Cluster Server 192

Site Alias

using with Enterprise Vault 162

SMTP gateway perimeter protection 112

SOX. See Sarbanes-Oxley Act

spam. See email threats

spim

defined 21

filtering 129

SQL

backing up server 214

Backup Exec 214

creating login account for Enterprise Vault 159

database backup recommendations 174

SQL Server

requirements

Enterprise Vault Compliance

Accelerator 241

Enterprise Vault Discovery Accelerator 235

storage configuration

for Exchange server 93

Storage Foundation

best practices 183

FlashSnap option 187

Storage Foundation HA for Windows

best practices 190

configuring storage resource 198

implementation planning 194

requirements 86

storage virtualization

benefits 42

Symantec email security and availability for

Microsoft Exchange. See Symantec Enterprise

Messaging Management solution

Symantec Enterprise Messaging Management

solution

about 13

checklist

deployment 76

pre-deployment 73

components of 149

controlling flow of information 46

evolution of 39

history of 34

how it works 39, 56

IBM hardware configuration 88

need for a comprehensive solution 38

overview 13

perimeter protection 49

reducing email volume 48

requirements 78

server architecture 105

solution components 17

Symantec products 69

topology 69

Symantec Enterprise Vault Consulting Services

Center 153

Symantec Global Intelligence Network 104

Symantec Mail Security for Microsoft Exchange

server requirements 80

Symantec Professional Services 64

T

threat management

layered approach 46

traffic-shaping 101

U

user extensions

using with archives 172

V

Veritas Cluster Server

agents 193

benefits of 45

overview 191

Symantec Mail Security for Exchange, operating

with 203

Veritas Enterprise Vault. See Enterprise Vault

Veritas Storage Foundation for Windows

requirements 83

Veritas Storage Foundation High Availability for

Windows

best practices 198

requirements 85

viruses

minimizing threat of 223

perimeter threats 50

Voice over IP. See VoIP

VoIP 13

W

Windows service account

creating for Enterprise Vault 158

worms

mass-mailer threats, as 24, 50

Z

Ziff Davis survey 38
