Symantec Enterprise Messaging Management for Microsoft Exchange
This Symantec Yellow Book is intended to help organizations deploy a combination of Symantec products to
ensure the security and availability of their messaging systems, including email in the Microsoft Exchange environment.
It explains how Symantec's email and instant messaging (IM) management solutions can reduce the
risk and potential downtime posed by security threats and spam, help meet messaging policy and regulatory
compliance needs, and optimize the accessibility and resiliency of the messaging infrastructure. It includes a
brief technical overview of Symantec's comprehensive solution for email and IM, and describes the combination
of Symantec products that are considered essential for efficient and effective messaging management.
This Symantec Yellow Book is focused on addressing the needs of Windows platform-oriented organizations with 1,000-2,500 employees,
but will be useful and of interest to both smaller and larger organizations.
About Symantec Yellow Books™
Symantec Yellow Books deliver skills and know-how to our partners and customers as well as to the technical
community in general. They show how Symantec solutions handle real-world business and technical problems,
provide product implementation and integration knowledge, and enhance the ability of IT staff and consultants
to install and configure Symantec products efficiently.
www.symantec.com
Overview of email and Instant Messaging (IM) security, availability, and resilience concepts
Best practices for implementing Symantec email and IM management solutions
Technical information on how to deploy multiple products, sequence their configurations, and achieve product synergies
Performance testing powered by IBM®
Symantec Enterprise Messaging Management for Microsoft® Exchange
A comprehensive approach to effectively managing messaging in Symantec and IBM environments
$65.00 US $75.00 CANADA
Copyright © 2006 Symantec Corporation. All rights reserved. 11/06 XXXXXXXX
Hardware used for performance testing in this Symantec Yellow Book sponsored by Dell™. For more information, go online: www.ibm.com
Introducing Symantec Enterprise Messaging Management for Microsoft® Exchange
The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Documentation version 3.0.IBM
Legal Notice
Copyright © 2007 Symantec Corporation.
All rights reserved.
Symantec, the Symantec Logo, and Symantec Yellow Book are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
Microsoft, Windows, Active Directory, Excel, JScript, Outlook, PowerPoint, SharePoint, and
Windows server are trademarks or registered trademarks of Microsoft Corporation.
Other brands and product names mentioned in this book may be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
The products described in this document are distributed under licenses restricting their
use, copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
http://www.symantec.com
Acknowledgments
Symantec thanks the following people for their contribution to the Symantec Yellow Book™:
Principal Authors
Rich Alford
Werner Zurcher
Christina Baribault
John Glen
Jeannette Starr
Etsuko Kagawa
Julie Murakami
The principal authors and Symantec would like to thank the following contributors:
Kevin Knight
Sophia Abramovitz
Blake McConnell
Faisal Z. Ahmed
Jason Mero
Jeffrey Armorer
Chris Miller
Mike Bilsborough
William S. Phillips
Par Botes
David Scott
Bill Chitty
Matthew Steele
Mark Davis
John Stone
Osama El beck
Logan Sutterfield
David Flanders
Martin Tuip
Scott Girvin
Jason Ware
Matt Hamilton
Lee Weiner
DLT Solutions, Inc.
Mia Whitfield
Andy Honl
Ed Whyatt
Jose Iglesias
Dennis Wild
Simon Jelley
David Ye
Paul C. Johnson
Walt Kasha
Symantec extends a special thanks to IBM for providing hardware and software performance
testing expertise supporting the development of this Symantec Yellow Book.
Contents
Chapter 1 Introduction
About this book
About enterprise messaging management
About the Symantec solution for Enterprise Messaging Management
Chapter 2 Challenge of fortifying enterprise messaging systems
New challenge
Increasing pressure on corporate IT
Threat innovation
Increase of spam
Increase of email size and email storage requirements
Lack of central management of messaging archives
Need for high availability
Mandatory compliance
Retention of electronic messages for use as legal evidence
Higher legal discovery costs
Liability due to misuse
Higher messaging infrastructure costs
Other new messaging applications
Symantec response to the challenges
Chapter 3 The Symantec enterprise messaging management solution for Microsoft Exchange
Challenges and opportunities
Effectively managing messaging environments
Introducing the Symantec solution
Resource management
Benefits of a resilient foundation
Benefits of storage virtualization
Benefits of backup and recovery
Benefits of clustering
Threat management
Layered approach to threat management
Email volume reduction with traffic shaping
Perimeter security
Internal Exchange server filtering
Email client security
Archival and retention management
Email archiving challenges
Archiving with Enterprise Vault
Integrations with the archiving solution
Policy and compliance management
Regulatory compliance
Messaging policy compliance
Discovery and analytics management
Options to meet advanced requirements
Advanced security requirements
End-point security and protection products
Additional gateway security products
Server security products
End-point security compliance management products
Intelligent monitoring products and services
Symantec Professional Services
Symantec Consulting Services
Symantec Advisory Services
Symantec Solutions Enablement Services
Symantec Secure Application Services
Symantec EMM solution summary
Chapter 4 Enterprise Messaging Management infrastructure
Infrastructure configuration for the Symantec solution
Summary checklists for the end-to-end solution
Pre-deployment checklist
Deployment checklist
Requirements for the Symantec solution
Email security hardware and software requirements
Email archiving hardware and software requirements
Solution foundation hardware and software requirements
Solution sizing and performance guidelines
Sizing and performance criteria
Hardware configuration
User profile
Baseline server and storage configurations
Test environment
Test methodology
Test results
Results analysis
IM Manager performance considerations
Chapter 5 Stopping unwanted email
The challenge of stopping unwanted email
A defense-in-depth strategy
Network boundary tier
Gateway tier
Mail server tier
Desktop tier
Symantec’s Global Intelligence Network
Configuration overview
Best practices for protecting Exchange servers at the mail server tier
Best practices for protecting the network perimeter at the gateway server tier
Chapter 6 Using Symantec IM Manager
About Symantec IM Manager
Best practices for preparing the IM Manager environment
Installation prerequisites
IM Manager installation information
SQL server installation requirements
Best practices for configuring IM Manager
Instant message network strategies
DNS rerouting configuration
About IM Manager configuration
Archiving instant messages to Enterprise Vault
Exchange Server setup to accept IM Manager messages
Configure IM Manager directory integration
Configuring IM Manager SMTP delivery to Microsoft Exchange
Installing the IM Manager Enterprise Vault XSL Transformation file
Configuring IM Manager export
Best practices for IM Manager security
Threat protection and SPIM filtering
Instant message client version control
Best Practices for IM Manager backup and recovery
SQL Server database backup recommendations
Recovery after an IM Manager failure
IM Manager server failure
IM Manager data corruption
IM Manager database server failure
IM Manager use cases
Instant message security and threat protection use cases
Instant message logging for journaling and policy enforcement use cases
Chapter 7 Message archiving, retrieval, and storage
Microsoft Exchange as an information warehouse
Archiving, retrieval, and storage in the Exchange environment
Support for structured data
Seamless retrieval of archived email
Control of PST archives
Reduction in the size of Exchange information stores
Enterprise Vault basics
Best practices for planning Enterprise Vault deployments
Documenting the existing Exchange environment
Documenting the new Exchange Enterprise Vault environment
Considerations for planning and documenting the Enterprise Vault deployment
Best practices for sizing Enterprise Vault environments
Vault Store recommendations
Vault Store partition setting recommendations
About the Admin Service
Selecting the level of indexing
Best practices for preparing the Enterprise Vault environment
Installation software prerequisites
Enterprise Vault Service account creation
SQL login account creation
Enterprise Vault server preparation
Best practices for installing Enterprise Vault
Best practices for configuring Enterprise Vault
Enterprise Vault Configuration program tasks
Enterprise Vault Administration Console configuration tasks
Best practices for backing up and recovering Enterprise Vault
SQL Server database backup recommendations
Enterprise Vault recovery
Common Enterprise Vault challenges and solutions
Enterprise Vault usage
Chapter 8 Enhancing Microsoft® Exchange Server availability
About Microsoft Exchange Server availability
Risks to email availability
Exchange service requirements
Symantec solution to ensure Exchange availability
Modular approach
Best practices for Veritas Storage Foundation for Windows
Challenges to managing Exchange storage
Storage Foundation solutions to Exchange store challenges
Storage Foundation implementation and usage recommendations
Best practices for Veritas Storage Foundation High Availability for Windows
Challenges to clustering the Exchange environment
Storage Foundation HA for Windows solutions to Exchange clustering challenges
About Storage Foundation HA for Windows
Veritas Storage Foundation High Availability for Windows installation recommendations
Best practices for configuring storage resources for Storage Foundation HA for Windows
Clustered Microsoft Exchange deployment solution
Symantec Mail Security for Microsoft Exchange on Veritas Cluster Server systems recommendations for use
Best practices for Symantec Backup Exec
EMM environment backup challenges
Symantec Backup Exec solution to Exchange backup and recovery challenges
Backup Exec installation recommendations
Best practices for backup and recovery in Exchange environments
Best practices for Enterprise Vault backup
Chapter 9 Regulatory compliance and legal discovery for email and instant messaging management
About regulatory compliance
Email and instant messaging life cycle management
Considerations for data reduction
Spam and archiving
Considerations for threat reduction
Considerations for record retention
Applying policies across the organization
Discovery and records retention
Considerations for discovery
Completeness of process
Timeliness of response
Cost efficiency
About the role of backup
Chapter 10 Best practices for Veritas Enterprise Vault™ legaldiscovery and compliance options
About Veritas Enterprise Vault legal discovery and compliance
options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
About Enterprise Vault Discovery Accelerator ... . . . . . . . . . . . . . . . . . . . . . . . . . 230
About Enterprise Vault Compliance Accelerator ... . . . . . . . . . . . . . . . . . . . . . . 230
Comparison matrix ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Best practices for installing and configuring Enterprise Vault
Discovery Accelerator ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Prepare to install Enterprise Vault Discovery Accelerator ... . . . . . . . . . . 234
SQL Server requirements for Enterprise Vault Discovery
Accelerator ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Installing Enterprise Vault Discovery Accelerator
Configuring Enterprise Vault Discovery Accelerator
Best practices for installing and configuring Enterprise Vault Compliance Accelerator
Prepare to install Enterprise Vault Compliance Accelerator
Requirements for the optional Journaling Connector
SQL Server requirements for Enterprise Vault Compliance Accelerator
Install Enterprise Vault Compliance Accelerator
Configuring Enterprise Vault Compliance Accelerator
Best practices for customizing Enterprise Vault Discovery Accelerator
Creating roles, cases, and targets
Creating searches
Best practices for customizing Enterprise Vault Compliance Accelerator
Configuring searches
Best practices for upgrading Enterprise Vault Compliance Accelerator
Upgrading Enterprise Vault Compliance Accelerator
Best practices for Enterprise Vault Compliance Accelerator backup and recovery
Chapter 11 Minimizing time and risk in Exchange migrations
Overview of Exchange migration issues
Benefits of using the Symantec solution to manage Exchange migrations
Using Enterprise Vault in the migration process
Migrating without moving mailbox content
Minimizing mailbox content to be moved
Protecting the investment in Exchange 2003
Application after migration
Recommendations for migration
PST file migration
Glossary
Index
Chapter 1 Introduction
This chapter includes the following topics:
■ About this book
■ About enterprise messaging management
■ About the Symantec solution for Enterprise Messaging Management
About this book
This Symantec Yellow Book™, Symantec Enterprise Messaging Management for
Microsoft® Exchange, examines the critical issues organizations face in keeping
messaging systems secure and available. The Symantec solution is designed to
eliminate unnecessary cost and risk by reducing large volumes of unwanted spam,
stopping viruses and worms, protecting confidential data, and by making the
communication infrastructure resilient against failure.
The information presented in this Symantec Yellow Book is intended for Microsoft
Windows-based organizations that use email and instant messaging (IM) as
primary tools for business communications, and whose messaging infrastructure
is principally built around Microsoft Exchange. This information primarily
addresses the needs of organizations with 1000 to 2500 employees, but may also
be of use to smaller organizations, as well as larger organizations with multiple
email systems. However, the information may not fully address the specific
requirements of these organizations.
The information presented in this book addresses the challenges associated with
email management as interdependent processes, to show how business-critical
problems can be resolved through a comprehensive solution. It identifies the
challenges predicted by trends in the email environment, and helps IT
professionals gauge the costs and investment of resources required to meet email
management objectives. It contains analysis, best practices, recommendations
for use, and detailed technical guidelines.
Although today’s challenges and solutions focus mostly around email, Symantec’s
vision of enterprise messaging management extends beyond email to other
messaging platforms (such as IM), collaboration tools (such as Microsoft
SharePoint®), and Voice over IP (VoIP). Email has become a critical application
for business, as its importance has grown.
As more businesses adopt other communication platforms, such as instant
messaging (IM), sharing information over websites, and VoIP, the same challenges
presented by email also appear in these new environments. This results in the
need to manage, secure, and archive these new communication platforms in the
same way that email is managed.
While this book focuses on email management for Microsoft Exchange, it also
addresses IM management. Future Symantec solutions and Symantec Yellow
Books will expand messaging management to include new applications, such as
VoIP communications, as the demand to protect these new communication
environments grows.
This information is intended for IT personnel who are responsible for designing
or implementing email- and IM-oriented solutions, Symantec business partners
helping customers deploy these solutions, and Symantec personnel supporting
all these groups. After reading this book, IT professionals should understand the
challenges surrounding Exchange and IM environments, and the Symantec
technologies designed to meet them.
The following table briefly describes the contents of this book:
■ Chapters 1 through 3: Provide CIOs and IT Infrastructure Managers with an
understanding of the components, functions, and value of Symantec’s
comprehensive solution. This solution can keep email in a Microsoft Exchange
environment, as well as IM, running efficiently and securely.
■ Chapters 4 through 10: Provide IT Infrastructure Managers and other technical
personnel with an overview of how Symantec messaging-oriented products can be
deployed, and help plan such deployments. These technical professionals will
also find information about operational best practices for email and instant
message security, availability, and archiving solutions.
This book also covers the following topics:
■ Challenges in the email and instant message environments that organizations
face today
■ Messaging security, availability, and resilience concepts
■ How the Symantec solution for messaging management can meet the needs
of organizations
■ Technical information about the products that make up the recommended
solution for Exchange email and IM management
■ How the solution leverages synergies between products
■ Best practices for implementing the solution, developed and proven by
Symantec engineers
■ Important caveats and workarounds for implementing the solution
■ Technical information related to implementing the solution, including
multi-product installation and configuration sequences, and hardware and
software requirements
About enterprise messaging management
Since its inception, modern electronic messaging has been in a state of constant
change. Electronic messaging has changed in its applications, technologies,
mediums, and usability. We are in a period of rapid change in the electronic
messaging environment.
Currently, the most common means of electronic messaging is email. Having
become critical for corporations in the 1990s, email is now growing in its
importance as an accepted form of business record. With the increase in network
bandwidth, the use of email as transport for rich media is now common; beyond
simple text, email is now used to send rich media including HTML, graphics, audio
and video.
In the last few years, instant messaging (IM) has been rapidly adopted in many
organizational settings. Users in most organizations now use IM, even if the IM
is not yet supported by their IT organizations. It is estimated that IM may even
eclipse email by 2008, as measured by the number of messages sent between users.
IM protocols have been extended to allow voice and video information transfer.
Voice over IP (VoIP) is also gaining popularity after years of slow growth.
Furthermore, organizations are adopting the use of collaborative environments,
such as Microsoft SharePoint as yet another avenue for electronic messaging.
With the advent of IM, cell phones, Blackberries, SMS text messaging, VoIP, and
other technologies, IT can no longer view email as the totality of electronic
messaging. The challenges IT faces with email will also expand to encompass IM,
and other messaging mechanisms and their infrastructures. Therefore, Symantec
recommends that IT organizations take a comprehensive view of all the messaging
platforms in their organization, decide which messaging environments to actively
manage, and how. From this perspective, email is one of many electronic messaging
environments that must be managed.
For now, email remains the most important and resource-intensive messaging
technology, one that requires active management. Exponentially increasing
volumes of email, greater reliance on email as a primary business application,
and escalating costs associated with management of the email infrastructure
drive the imperative for a comprehensive email management solution. IT
professionals are responding to the need for longer retention periods for email
data due to corporate, legal, and regulatory pressures. IT professionals must
provide high availability and accessibility of email data. Critical email systems
must also be secured, as effectively as possible, from the risks posed by diverse
threats.
When IT organizations plan migration to new email servers, add IM security, or
consolidate messaging servers, an opportunity exists to strengthen the messaging
infrastructure. As email and IM systems mature, an approach to maintaining
security and availability that encompasses the entire messaging system (hardware,
software, and network infrastructure) becomes a priority.
By contrast, a reactive or piecemeal approach to messaging management that
relies on a growing set of point products will burden IT with responsibility for
resolving interoperability and maintenance issues. In the long run, such a
piecemeal approach will likely prove ineffective and costly, and complicated by
the need to interact with multiple vendors.
Symantec believes that there are five broad areas that organizations must actively
manage in a messaging environment, regardless of format or technology.
■ Resource management: Keep messaging systems up, and costs down. The first
requirement of any messaging environment is that the systems are reliable and
available at all times. Also critically important is that organizations can
control costs while keeping systems available.
■ Threat management: Keep bad things out. Once a messaging system is up and
running reliably, steps should be taken to protect the environment from the
threats that it faces in the online world.
■ Archival and retention management: Keep things as long as needed. Companies
face two problems with messaging environments: managing the retention of
documents, and retrieving specified documents when needed. More often than
not, these needs are being driven by legal and legislative requirements.
■ Policy and compliance management: Keep important information within the
company. This relates to employees inappropriately sending out trade secrets
via email. It is becoming more critical for businesses to have tools that
allow them to ensure that messaging tools are being used in ways that comply
with company policy, and do not put the company at risk.
■ Discovery and analytics management: Keep intellectual property, and search
and analyze data assets.
Companies are increasingly aware of the value of the intellectual property
contained in their messaging environment. Organizations need intelligent tools
that allow them to search and analyze their intellectual property and data assets.
Symantec’s approach to providing protection for the entire organization’s IT
environment is founded on protecting infrastructure, information, as well as
interactions. When building a messaging environment, it is important to provide
all the necessary protections. This Symantec Yellow Book presents a solution that
integrates products from a single vendor to provide the necessary protections.
Both the intrinsic advantages of an integrated solutions approach, and the specific
functional benefits of the Symantec solution are covered in this book. Symantec
product synergies and individual product strengths derive from the design
expertise and the accumulated experience of Symantec.
About the Symantec solution for Enterprise Messaging Management
The Symantec solution for Enterprise Messaging Management for Microsoft
Exchange presented in this book takes a comprehensive view of messaging
management. Although Symantec delivers market-leading products in nearly
every category needed to enable and protect a messaging environment, Symantec
does not recommend a piecemeal approach to building a messaging infrastructure.
As messaging technologies continue to evolve, making decisions one product at
a time does not render the best solution to the wide set of challenges posed by
computer-based communications.
The Symantec response is a single, comprehensive solution, one that is tested and
proven. Symantec security, availability, archiving, and other messaging
management products will continue to evolve with changing market requirements,
and can be expected to meet customer requirements. Whatever new messaging
applications rise to importance within business environments, Symantec products
will be developed to encompass changing business needs.
Symantec's acquisition of Veritas, Brightmail, IM Logic, and other companies,
each an industry leader in its field, has created a strong presence
in the broad arena of email messaging management. The companies’ combined
expertise delivers an email messaging management solution for email security,
availability, and resilience. The Symantec solution enables IT organizations to
evolve from an approach that relies on integrating point-products to a more
comprehensive solution.
Symantec’s comprehensive approach to messaging management has the following
advantages:
■ Reduces the number of tools: Standardizing or relying more on Symantec
reduces the number of different vendor tools that are required to manage and
secure your IT and email messaging environment.
■ Reduces complexity: Fewer tools means less environmental complexity, as
there can be fewer management interfaces to learn.
■ Reduces number of vendors: Fewer vendors means dealing with fewer external
partners, and sales and support organizations when problems arise. If the
number of solution vendors in the environment is large, it can lead to
frustration.
■ Improves functionality and ease of solution use: Integrating products allows
applications to share data and user interfaces. Common user interfaces
increase ease of operation across all products. Data sharing propagates
information between products, and enables more efficient and effective
operation and management capabilities.
There is a fast-growing need for an integrated solution for email management.
This need is precipitated by rapid change in the messaging environment. Symantec
is uniquely positioned to deliver a strong solution composed of quality products.
Complementary areas of expertise offer protection of an organization's messaging
systems, backup and recovery, and information storage and retrieval.
The Symantec solution for Enterprise Messaging Management includes the
following products:
■ Symantec Mail Security 8160 appliance
■ Symantec Mail Security for the Email Gateway – available in software (SMS
for SMTP), appliance (SMS 8260), or hosted (Symantec Hosted Mail Security)
deployment formats
■ Symantec Mail Security for Microsoft Exchange
■ Veritas Enterprise Vault
■ Enterprise Vault Discovery Accelerator
■ Enterprise Vault Compliance Accelerator
■ Veritas Storage Foundation™ for Windows
■ Veritas Storage Foundation High Availability for Windows (Veritas Cluster
Server)
■ Symantec Backup Exec
■ Symantec IM Manager
Symantec Mail Security products reduce the amount of junk email that passes
into an organization and through the Exchange server. Backed by the Symantec
Global Intelligence Network and Security Response organization, Mail Security
for Exchange products protect the email network from threats.
Symantec Mail Security for Exchange products filter content and can direct email
to a Veritas Enterprise Vault email archive according to defined policies. Enterprise
Vault stores email away from the Exchange server. Enterprise Vault Compliance
Accelerator and Enterprise Vault Discovery Accelerator accelerate the search for
information that has been archived by Enterprise Vault, making data more
accessible. Symantec Backup Exec and Storage Foundation for Windows work in
the background to maintain continuous availability of the entire system, and to
ensure a rapid recovery, whatever the cause of failure.
An organization’s specific requirements may need additional products and options.
Some of these products are discussed briefly in the following chapters. A Symantec
sales or reseller partner can provide more detailed information about related
products and services.
A comprehensive solution to enterprise messaging management has many
advantages:
■ Reduction of risks that are related to complex or unproven integrations, and
avoidance of unforeseen issues that can easily follow the integration of
unrelated products
■ Better focus of IT resources to realize greater efficiencies
■ Interaction with a single responsible vendor, which simplifies support,
maintenance, and communications
■ Uniformity and consistency of experience across products, which facilitates
administration and user experience
■ Consolidation of IT knowledge around the single solution, which enables IT
expertise to develop rapidly
■ Professional services, such as consulting, support, and training can be
negotiated and delivered via a single channel
The Symantec solution for Enterprise Messaging Management reduces complexity
in your environment by integrating quality products. The solution leverages the
experience and best practices that Symantec and partners have developed by
deploying these products together in various environments. Future revisions of
the Symantec solution will continue to integrate new products and technologies,
as needed by our customers. Customers can confidently stay current and optimize
their systems, based on their partnership with Symantec.
Chapter 2 Challenge of fortifying enterprise messaging systems
This chapter includes the following topics:
■ New challenge
■ Increasing pressure on corporate IT
■ Symantec response to the challenges
New challenge
Over the last twenty years, the widespread adoption of personal computers, popular
use of the Internet, and the establishment of corporate intranets has revolutionized
business communication. Email has become an indispensable organizational and
interpersonal communications tool.
The continuing decline in personal computer and networking costs, and the
increasing ease with which fast and cost-effective communications can occur,
guarantees the further entrenchment of email in the business environment.
Recently, business and personal communications applications that rely on PCs
or other low cost networked end-point devices, such as instant messaging (IM)
and Voice over IP (VoIP) have seen rapid user adoption.
The Internet and email have rapidly evolved and become powerful business
enablers, but not without risks. Email opens a communication door that exposes
businesses to risk, but which organizations cannot afford to close. The Web,
another open door, also serves as a route for email traffic, especially for popular
Web-based mail services. IM and VoIP are also rapidly becoming open doorways
that present new risk.
The simplicity and universality of email has made it a vehicle for the delivery of
diverse electronic threats. Many organizations’ productivity falls dramatically
when email stops functioning.
Email is now a critical application for many organizations, despite the risks and
added burdens associated with its use. For example, one new burden is the
requirement for organizations to ensure that their email traffic complies with
corporate and government regulations relating to audit trails. Email systems
expose organizations to security risks that can impact profitability, and jeopardize
viability. The same characteristics that make email valuable also help create the
current set of challenges facing corporate IT organizations.
According to a 2005 study by the Enterprise Strategy Group, the need to retain
email is now the primary driver of electronic records management initiatives. In
addition, email has also become the most frequently requested type of business
record by courts and regulators.
Seventy-seven percent of organizations involved in an electronic data discovery
request indicate they have been asked to produce email messages as part of a legal
or regulatory proceeding. (Source: ESG Research Report “Digital Archiving,”
December 2005). In industries such as financial services, the retention of instant
message conversations is also already being required.
Instant messaging continues to be the fastest growing communications medium,
with an estimated 390 million consumer and enterprise IM users by the end of
2006. Global services such as AOL® Instant Messenger, MSN® Messenger, and
Yahoo!® Messenger each report over 1 billion messages sent per day, and IM traffic
is expected to exceed email traffic by the end of 2006.
As one of the most successful and widely deployed applications on the Internet,
IM has increasingly become the target for attackers to propagate IM-borne viruses,
worms, spam over IM (spim), malware, and phishing attacks. Though widely
adopted, IM is generally unprotected and unmonitored in consumer and enterprise
environments, leaving it vulnerable to attacks and exploits. These attacks have
grown exponentially over the past three years, increasing the need for real-time
threat response for IM and peer-to-peer (P2P) applications.
For some organizations, including most companies that outsource customer
services, VoIP is already a critical application. An example of this is organizational
IT help desks that have been centralized in one country, and service users
worldwide. For such organizations, VoIP infrastructure availability and freedom
from security threats are critical.
Increasing pressure on corporate IT
The dependency on digital communications has placed pressure on corporate IT
to maintain availability of these messaging systems. Downtime of these systems
can directly impact business revenues.
In the past, email servers were primarily message transfer agents, and were not
available to store information. With Microsoft Exchange and Lotus Notes, email
servers also function as information warehouses.
Email is now often a significant conduit for a company’s business transactions
and internal operations. Consequently, email messages often play a significant
role as evidence in legal proceedings. Email is increasingly subject to costly and
time-consuming legal discovery endeavors.
Today, companies are required to preserve email for longer periods, and to ensure
that the email cannot be tampered with during the mandated retention periods.
This mandate has increased the cost of storage required to retain email messages,
and added complexity to email data life cycle management. This is also true for
IM and VoIP conversations in specific industries, such as banking and financial
services.
The following factors have impacted email and messaging management over the
last two decades:
■ Increasing business-related, person-to-person email volume sent annually
worldwide. Volumes increased 59 percent from 2003 to 2004 (Source: IDC,
Worldwide Email Usage 2005-2009 Forecast, IDC #34504, December 2005)
■ Surge in IM use and traffic, with 85 percent of organizations already reporting
business usage of IM
■ Increasing sophistication and virulence of email- and IM-borne viruses, some
of which have brought many organizations’ business processes to a halt for
hours or even days
■ Increasing volume of email and IM spam entering corporate networks,
comprising 64 percent of incoming email (Source: Brightmail Logistics and
Operations Center monthly Spam Statistics Report)
■ Surge in phishing attacks
■ Mass-mailer bombardment
■ Advent of spyware that self-installs, records keystrokes, scans files, spies on
email, and monitors Internet activity
■ Recognition in the United States, Europe, and other markets that email is a
legal business record that must be preserved
■ Emerging regulations governing retention, auditing, and monitoring of email
and IM communications
■ Misuse of corporate information assets affecting company brand, customer
trust, and legal liability
■ Litigation increasingly requires discovery of email
■ Growth in message storage requirements, with 65 percent of organizations
considering growth in messaging storage to be a serious problem, one that is
slightly more problematic than the problem of spam itself (Osterman Research,
Messaging Security Market Trends, 2005-2008, May 2005)
■ Growth in the use of IM and VoIP over corporate intranets and the Internet,
thus placing more stress on corporate networks
Threat innovation
Almost all organizations have experienced the successful penetration of the
corporate network by email-borne threats. In the last decade, email-borne threats
have evolved from accidental infection via attachments containing a macro virus,
to complex threats that can deliver a malicious payload to vulnerable users.
Viruses and mass-mailer worms, such as Blaster and Nimda, have plagued email
ever since 1997 and the advent of Melissa, and have grown in frequency every
subsequent year. Not only are they disruptive, but their payload can compromise
systems, affect security settings, steal information, set up ’bots for future exploits,
delete data, and infect other networked systems. IM-borne threats are a new
infection vector about which IT organizations have to be concerned.
Mass-mailers, in particular, have continued to innovate, moving from exploiting
vulnerabilities in the email client to running their own SMTP servers to broadcast
email inconspicuously. Emails generated automatically by these worms contribute
to the volumes of unwanted, disruptive content found in message archives.
Phishing attacks are among the fastest growing threats that use messaging
systems. Phishing represents the insidious and threatening side of spam, as
perpetrators attempt to solicit and steal passwords, social security numbers, and
identities of unsuspecting targets.
The surge in phishing attacks in recent years has placed added burden on IT staff.
The email system can be attacked through system vulnerabilities, and computers
and servers on the network can be infected. Attackers can also target addresses
of internal users, and also partners, customers, and suppliers.
Many malicious software attacks are blended threats that employ multiple methods
of self-propagation. However, the majority enter through the email gateway: it is
estimated that 80 percent of malicious software attacks enter organizations
through the email gateway and approximately 20 percent enter in other ways,
particularly through IM.
Other pathways include Web-based email from free consumer services, and forms
of removable media, such as USB flash drives, CDs, and DVDs. Early-stage threats
often penetrate gateway defenses before they are discovered and virus definitions
become available.
IM-borne threat innovation has proceeded even more quickly than email threat
innovation. As virus writers discover the IM delivery channel, IM threats have
experienced more aggressive growth.
In calendar year 2005, over 2,400 unique IM and peer-to-peer threats were
identified: a 1700 percent growth from the previous year. The majority of these
threats were URL-based worms, but the rise of IM-based phishing attacks and
more sophisticated malware complicates IM’s risk profile.
The following factors illustrate IM threat risk:
■ IM threats utilize social engineering to propagate nearly instantly. An IM
worm typically utilizes an infected machine’s buddy list to begin propagating.
Click rates are higher than in email, and the spread of a worm throughout a
network and across the globe can almost be instantaneous.
■ IM threats are usually blended, allowing them to propagate over multiple
communication vectors, and to avoid detection.
■ IM threats mutate rapidly. They’re typically hosted, allowing them to change
the URL signature and malware signature more rapidly than traditional
file-based viruses.
These factors highlight the importance of taking a comprehensive and in-depth
approach to email and messaging security. To provide an adequate defense, a
solution needs to deploy security measures at multiple layers within the network.
Increase of spam
The increase in the number of email messages sent and received globally is in
part due to the proliferation of spam. Gartner estimates that spam accounts for
60 to 75 percent of email volume, and is trending upward. (Source: Gartner
Research Report “Enterprise Spam-Filtering Market Going Strong Into 2004,”
April 2004).
Symantec defines spam as unsolicited commercial or bulk email with the following
characteristics:
■ Email is random, untargeted, and sent by automated methods
■ Senders have no prior relationship with the recipient
Spam is a cheap and effective way for small online retailers and businesses to
market to millions of people who use email. Once a minor nuisance that made up
a small subset of all Internet email, spam has evolved into a scourge that makes
up the majority of email sent around the world. IM spam, sometimes known as
spim, is a growing IM challenge.
Spam impacts organizations by lowering productivity of employees. If every
employee needs to spend a few minutes each day reviewing and deleting spam,
then the accumulated time for the entire organization will quickly add up to a
significant productivity loss.
Today, spam constitutes a major hazard whose net impact on the efficiency and
cost of sustaining email systems is large. Debate exists over whether spam is a
security threat, but adware and spyware threats are usually delivered via spam,
and hackers use spam as their preferred delivery mechanism.
The organization that can reduce the volume of incoming spam will also achieve
a reduction in threats. As a result, organizations are forced to purchase additional
software and hardware for their email infrastructure to maintain normal email
business communication.
Increase of email size and email storage requirements
As the number of email messages increases, so too does the size of the average
email. Email attachments may be rich in graphics and multimedia. When
attachments are proliferated on a one-to-many basis, the sum volume of a single
message increases.
According to IDC, the volume of worldwide, person-to-person business email
increased by 59 percent from 2003 to 2004. IDC forecasts that the number of
person-to-person emails sent daily will reach 36.3 billion worldwide in 2006.
(Source: IDC, Worldwide Email Usage 2005-2009 Forecast, IDC #34504, December
2005)
Moreover, Radicati research reports that the average corporate email user
processes about 10 MB of data per day. This figure is predicted to rise to 15.8 MB
per user, per day by 2008. This projection will place a strain on corporate
messaging servers, which cannot function properly if simultaneously storing
large volumes of data for long periods of time. (Source: E-Mail Archiving Market,
2004–2008, Copyright © March 2004 The Radicati Group, Inc.)
The costs associated with storage of email are rising in proportion to the demands
for storage capacity.
Lack of central management of messaging archives
Organizations are now required to retain an ever-greater proportion of electronic
messaging to demonstrate compliance with external regulations, adhere to internal
policies, and prepare for possible legal discovery requests.
However, email servers’ message storage systems are not designed to store the
amount of data that is stored on the typical messaging system. The risks and
disadvantages of storing historical data become increasingly apparent.
As the storage management problem grows, so does its impact on administrators.
Email and other message types continue to arrive, and the volume grows from
year to year. The impact of this growth includes rising costs for storage and
backup, and reduced availability and performance of messaging systems.
Messaging servers typically slow down when they reach near-capacity. IT staff
find themselves faced with longer backup times to archive the large amount of
email data.
To alleviate the problem, most IT organizations impose email quotas, restricting
their users to a fixed amount of email storage. Less than 10 years ago, limits of
10 to 50 MB per user were common. Now quotas are typically 25 to 200 MB. Legal
firms set mailbox size limits at up to 2 GB.
Users must constantly ensure their email storage is below the quota. Complying
with email quotas can affect user productivity, typically results in large numbers
of support calls, and is one of the biggest burdens of email management.
Often, companies enforce email quota policies by automating the deletion of all
messages of a specified age. In response, users often set up individual folders on
their client PCs to store old messages for safekeeping. In Microsoft Exchange,
these messages are stored as PST files. Most organizations do not include PST
files in regular Exchange backups.
The alternative of storing PST files on the network file servers requires the same
storage and backup resources. This results in the same availability and
performance problems that are experienced on email servers.
PST files are easily corrupted, which leaves the information stored in this format
susceptible to loss. Storing information in PST files removes it from the control
and oversight of IT staff, and makes it inaccessible to the organization.
Administrators can remedy storage issues by saving email data to tape, CD, or
alternative offline media. However, these alternatives shift the problem rather
than resolving it, and result in reduced accessibility.
In general, organizations are more aware that they can no longer effectively
manage non-centralized archives of information. Corporations now want the
benefits of email quotas (email server storage management) without the associated
problems. IT requires a solution that allows administrators to economize on the
use of primary storage and leverage more cost-effective secondary storage, without
burdening end-users and IT staff, or risking the loss of critical information.
Need for high availability
As businesses expand globally and support operations in different time zones,
maintaining continuous availability of email systems has become an essential IT
service. IT organizations must be able to react to unexpected outages, and keep
communication systems up and running in any foreseeable situation.
To achieve this level of service, IT must now invest more resources to maintain
and upgrade the components of the email system. This includes server operating
systems, network components, and storage systems. Downtime to perform the
necessary hardware maintenance, install upgrades, apply security patches, make
configuration changes, and perform disk defragmentation becomes difficult to
schedule.
To build an infrastructure that supports high levels of availability for messaging
infrastructure, administrators must identify and respond to problems that can
potentially disrupt email and IM access. These problems include performance
degradation or outright failure due to email-borne attacks. IT organizations must
create policies, establish procedures, and invest in their infrastructure to meet
their availability requirements.
Specifically, IT must protect data and systems from the following situations:
■ Database corruption and denial of service attacks
■ Performance degradation due to high email volumes
■ Server hardware failure, storage network or device failure, and site failure
Mandatory compliance
As compliance with new regulations becomes mandatory, demonstrating
compliance becomes an important objective. Email, IM, and increasingly VoIP
provide a detailed record of an organization’s transactions, communications, and
business operations. Information stored in email messages or IM and VoIP
conversations is not exempt from the standards that apply to other forms of
information. Some regulations require that electronic communication, including
email and IM messages, be saved for years after it is sent and remain
available for review.
The following regulations apply to electronic communications:
■ The Sarbanes-Oxley Act (SOX) requires all public companies to save every
record that informs their audit process, emails included, for seven years.
■ The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
defines privacy rules that dictate what information health-care companies
can and cannot include in emails. Organizations are required to monitor the
contents of all inbound and outbound emails, and ensure that no data that
could compromise the organization’s integrity enters or exits through email
communication.
■ The National Association of Securities Dealers (NASD) regulations 3010 and
3110 in the United States require supervision of email, IM and other
communications between regulated employees within member organizations,
and with customers.
■ The Securities and Exchange Commission (SEC) Rule 17(a)–4(f) in the United
States requires financial service institutions to retain emails that contain
customer account details, securities trading transactions, and trading
confirmations on non-erasable media for two years. Many financial service
institutions are applying this rule to IM messages as well.
■ The SEC requires investment companies to retrospectively sample emails sent
by their agents to ensure that communications do not contain false claims or
misleading statements, or customer information, such as social security and
credit card numbers and other personal details. Many investment companies
have applied the same practices to IM.
■ Companies with human resources policies relating to harassment or explicit
communications are monitoring employee communication to demonstrate
compliance with internal policies.
Although compliance affects specific industries in different ways, the need to
comply with government and corporate policies impacts all organizations. Email
serves a vital role in demonstrating compliance.
Whether driven by formal regulations, a desire to be prepared for legal discovery,
or the need to enforce corporate policies, companies are sensitive to the risk
associated with email, and with electronic communication in general.
Consequently, corporate IT departments are tasked with implementing practices
that meet increasingly rigorous standards for email, IM, and other forms of
messaging management.
Retention of electronic messages for use as legal evidence
Litigation increasingly requires the submission of electronic message data as
evidence, leading to the recognition in the United States, Europe, and other
markets, that email and other electronic communications constitute a legal
business record that must be preserved.
The emergence of electronic messaging as legal evidence is pressuring companies
to demonstrate that their data is not only secure from tampering, but also that
specific information is quickly retrievable to support the legal discovery process.
Simple record retention alone is insufficient to meet the standards for accessibility.
Companies must be able to make available, on demand, email and IM content
that meets specific criteria.
For example, the legal discovery process may require emails from or to a specific
individual that meet key word and date range criteria. Email servers are not
designed to cost-effectively provide the storage or the efficient search and retrieval
capabilities required by the legal discovery process.
Higher legal discovery costs
In the United States, as well as increasingly in other markets, email is considered
a relevant business record and must be produced in a legal discovery request.
Consequently, IT managers, as well as legal counsel and compliance officers must
have ready access to email messages.
The traditional way to restore required messages from backup tapes is a
cost-prohibitive and time-consuming process. Manual tape restoration costs
$2,000 to $5,000 per tape, resulting in total charges in typical litigation cases
exceeding $200,000 per case. It can cost organizations millions of dollars per
month to have lawyers or legal representatives scour email records during the
discovery phase of legal process.
For companies in highly litigious industries, the risk of incurring such costs is
unsupportable. Increasingly, such companies are implementing measures
proactively to minimize the risks.
Companies with no information retention policies, and with backup tapes as the
only source of historical messaging data, may not only face escalating discovery
costs, but also penalties for failure to produce relevant email records. If
information discovery is not completed in a timely fashion, fines or other sanctions
against companies can be imposed. Companies are now implementing internal
policies proactively that prepare them to respond to the next regulation or legal
process, rather than risk large costs or penalties.
Liability due to misuse
Messaging content that violates corporate policy, such as sexually or racially
offensive statements, inappropriate language, and copyrighted or sensitive
material, can be a corporate liability. According to Osterman Research, more than
80 percent of corporations are concerned about content inspection and forensics
to maintain security and compliance.
Electronic messaging makes it easy for disgruntled employees to cause damage
by sending sensitive material via email to large distribution lists. Unauthorized
release of confidential information can negatively impact the company brand
perception and customer trust. Violations may result in damage to corporate
reputations that lead to decreased customer recruitment or retention. The
publication of trade secrets can lead to the loss of competitive advantage, as well
as fines, or jail time.
Email and IM allow company information assets, whether copyrighted,
proprietary, or confidential company, customer, or user information, to be easily
transferred, accidentally or intentionally, to unauthorized persons. For example,
if an employee sends a customer’s credit card number, social security number, or
medical history through email in clear text, an organization could be in violation
of the Gramm-Leach-Bliley rulings, California’s SB1386, or HIPAA.
Organizations are also discovering that scanning inbound messages only is not
enough. Organizations must also scan outbound messages to prevent employees
from sending corporate intellectual property, including sensitive or confidential
information.
In addition to monitoring both inbound and outbound messaging, companies
increasingly need to conduct detailed reporting, logging, alerting, and other
preventive measures to meet security goals. Consequently, organizations need a
solution to ensure that email content is monitored and handled appropriately, to
minimize the risk of compliance violations and other legal liability.
Higher messaging infrastructure costs
The volume of business email is predicted to grow 25 to 30 percent per year
through 2009, excluding spam, which currently accounts for around three-fourths
of all inbound email. IM usage is expected to grow substantially faster over the
same period. This growth reflects an important shift in the way that email and
IM are employed.
The volume of inbound emails often exceeds the capacity of organizations’ email
gateway systems, MTAs, email storage servers, and groupware servers. As email
volume continually increases, email infrastructures have to be repeatedly
expanded.
As the use of IM and other new applications grows, companies have tended to
address the issues independently of each other. This approach adds complexity
to the messaging infrastructure, which causes both capital and operational
expenses to rise.
Other new messaging applications
Other new messaging and collaborative applications are evolving and will come
into wider use in the next few years. VoIP, in particular, is seen as a
communications platform that will enable new kinds of communications between
users and groups. Groupware applications, such as Microsoft SharePoint, enable
user communications and information sharing that could be exploited by hackers
and criminals.
Microsoft also plans to expand Microsoft Office to include user communications
capabilities. IT organizations will be challenged to address all the resulting threats
and challenges on a singular basis.
Symantec response to the challenges
The entrenchment and rapid growth of email and other forms of computer-based
communications in organizations today bring proportionate challenges. With the
addition of the Veritas product lines, Symantec can give IT organizations the
complementary capabilities they need to meet an array of business challenges in
one broad-based, proven solution. Corporations have the opportunity to plan for
an infrastructure that supports future business growth when they migrate to
newer versions of messaging servers, or when they consider consolidation of
servers.
The following chapters describe the Symantec solution for Enterprise messaging
management, for Microsoft Exchange email and public IM environments. The
Symantec products work together to maintain information integrity, while
ensuring fast and uninterrupted message access. By addressing the challenges
holistically, the combined products deliver a solution that meets security,
availability, and compliance objectives without compromise.
Chapter 3
The Symantec enterprise messaging management solution for Microsoft Exchange
This chapter includes the following topics:
■ Challenges and opportunities
■ Effectively managing messaging environments
■ Introducing the Symantec solution
■ Resource management
■ Threat management
■ Archival and retention management
■ Policy and compliance management
■ Discovery and analytics management
■ Options to meet advanced requirements
■ Symantec Professional Services
■ Symantec EMM solution summary
Challenges and opportunities
As computer-based communications, such as email, instant messaging (IM),
Microsoft SharePoint, or VoIP, become more important, the requirements and tools
needed for managing these communications systems grow more complex. In this
context, "communications system" refers to the underlying email, IM, VoIP
architecture or messaging system: from the physical infrastructure (servers,
storage, and networks) to the application software (email systems, message stores,
and user PCs).
The following is a brief review of how risks and challenges evolved in
well-established communications systems. It illustrates the challenges that users
and administrators of computer-based communications systems will likely
experience.
In the last few centuries, regional and then international postal systems became
the first worldwide communications system. The telegraph system was the first
international electronic communications system. As the reach of these systems
expanded and costs came down, they were more widely used.
The fixed line telephone system was the next major communication system to
evolve. Again, as the reach of the network expanded, and as the costs came down,
the telephone system became more widely used. During its century-long evolution
various telephone systems suffered reliability issues that kept their use limited,
because people were less willing to rely on unreliable tools or mechanisms. As
telephone system operators reduced unavailability to below a few minutes per
year, usage increased dramatically. As a consequence of this, the modern,
geographically-distributed organization actually became not only possible, but
widespread.
Recently, as the costs for telephone calls became low enough, some users exploited
the telephone system to promote their wares, eventually barraging people’s homes
and offices with telemarketing calls. Also, telephone fraud grew along the same
lines as mail fraud schemes that existed much earlier.
In less than 25 years, Internet-based email has gone from being non-existent to
eclipsing the telephone and all other mechanisms for day-to-day communications,
for many people and organizations. Just as quickly, email has become the main
conduit for computer-based productivity and economic threats, invasions of
privacy, commercial misuse, and information piracy. Let’s take a closer look at
the evolution of these email risks and threats.
It used to be that keeping email servers up and generally running was enough.
Availability and recovery requirements were equivalent to other applications like
file sharing, so doing regular backups to tape was all administrators generally
worried about. Then as email was more widely used and attachments started
regularly consuming 1+ megabytes, storage costs started getting out of hand. To
try to keep costs and backup times down, organizations using email programs
such as Exchange and Notes started limiting users' mailbox sizes. This led users
to start squirreling away email and attachments in local files on desktops (e.g. PST
files). This decentralized method of email archiving continues to grow as PC disks
grow. Because email message attachments continue to grow in size and frequency,
email server and client storage utilization continues to explode. Follow-on effects
include difficulties related to lengthening backup and recovery windows, as
well as antivirus scanning.
At the same time, increasingly malicious threats started being propagated through
email. Initially viruses were most often propagated by teenage hackers. In the last
few years increasingly virulent productivity and economic threats such as worms
and phishing attacks have been propagated by criminal elements. Email
administrators and home users have had to install increasingly sophisticated
antivirus software on every system. Then spam got out of hand; email
administrators and email service providers were forced to deploy spam filtering
solutions, too.
Then email became so important that unavailability or denial of email services
(whether caused by viruses, worms, or internal failures) became very expensive to
organizations. Clustering of email servers and high availability disk storage (often
with snapshots to enable some historical data recovery) became the norm for
larger organizations. Also, it became important to be able to recover from any
kind of failure, including ones that corrupted email databases (via backup/recovery
tools) within minutes of a failure, not hours or days.
Organizations have recently needed to recover important on-line documents ever
more often due to increasing compliance demands from both government
regulations and related corporate policies. Email has become a very important
source for documents used in legal processes. Email discovery for legal proceedings
has become standard and companies need to be able to respond in a timely fashion,
or face document discovery costs that can run to millions of dollars per month.
With decentralized archives such as PST files on desktops, it is hard to find
important email messages (and it may become impossible once employees leave
the organization). So organizations are now embracing centralized email archives
instead of allowing widely scattered PST files.
There are many other risks, such as client or patient privacy rules, that affect
email in various industries and application areas. Some applications use email as
the method for sharing and presenting information. Then there are other
user-collaboration mechanisms like SharePoint and Instant Messaging (IM) that
augment email to accomplish related tasks. Some of these new applications are
experiencing very rapid evolution in their use.
In fact, IM is the fastest growing communications medium over the last 10 years,
and has attained widespread use in many organizations and geographies. There
will be an estimated 390 million consumer and enterprise IM users by the end of
2006. Global services such as AOL® Instant Messenger, MSN® Messenger, and
Yahoo!® Messenger each report over 1 billion messages sent per day, and IM traffic
is expected to exceed email traffic by the end of 2006. As one of the most successful
and widely deployed applications on the Internet, IM has become a target used
by attackers to propagate IM-borne viruses, worms, spam over IM (SPIM), malware,
and phishing attacks. Though widely adopted, IM is generally unprotected and
unmonitored in consumer and enterprise environments, leaving it vulnerable to
attacks and exploits. These attacks have grown exponentially over the past three
years, increasing the need for real-time threat response for IM and peer-to-peer
(P2P) applications.
Going forward, VoIP is likely to evolve and get abused just as quickly and widely.
Vendors are working on preventing VoIP numbers from being spoofed, protecting
IP phones from spam, and guarding against call eavesdropping on IP networks.
Consumer VoIP systems often do not encrypt calls, but enterprises favor
encryption. In summary, while modern digital communications systems enable
wider, better, and cheaper communications, they each come with unique, but
similar, system and user threats.
Due to the importance of these communications systems to the user community, IT
professionals must strive to ensure high availability (usually 24x7), site or system
corruption recovery times under a few hours, and avoidance of
virus/worm/malware infestations altogether. IT professionals must simultaneously
protect email user productivity via spam reduction or avoidance. Many IT
organizations also define policies and procedures to meet email retention and
message recovery requirements.
However, chief among these risks is the unavailability of on-line communications
and messages, since this most affects users and the business. Availability can be
affected by external attacks such as security breaches (at any point in the
communications system), or internal failures such as component failures
(hardware, software or network), processing inefficiencies, or user/operator errors.
Effectively managing messaging environments
Effective messaging management mainly encompasses protecting on-line
communications systems and information from external abuse and attack. It also
simultaneously assures that communications systems and information are
cost-effectively managed and protected in the event of internal failures and user
errors.
By treating email and other communications systemically, organizations gain the
efficiencies and strengths that derive from deploying an integrated solution, as
opposed to an assortment of point products. The ideal solution is one that
encompasses all of the following concepts: protecting against security threats;
assuring messaging application and data availability; assuring message retention
and accessibility; and maintaining efficient and reliable operations, while also
minimizing storage and server costs.
Specifically, for email, IM, and other open communications systems to be secure
from propagating or presenting threats, the following must be true:
■ Messaging systems, including email and IM systems, are protected against
intentional or inadvertent attack and disruption
■ Email and IM users are protected against threats and disruptions (such as
spam and viruses) disseminated via the Internet
■ Email messages and IM that are sent to or received from customers, suppliers,
and partners are free of malicious or inappropriate content
■ Networks are protected against exposure to virus and worm infections that
circulate through email and IM
■ Company data is protected against intentional or inadvertent transfer to
unauthorized persons
■ Company data does not violate privacy requirements for personal or protected
information (social security numbers, medical records, and so on)
■ Organizations can maintain their customers' and partners' trust by assuring
that their own systems do not become a vehicle for the distribution of malicious
or junk email to customers and partners
To ensure that messaging systems are continuously available in the face of
infrastructure failures or user errors, the following should be true:
■ Disruptions to the messaging infrastructure are minimized by protecting
against performance degradation and outright failure
■ End-user systems are not compromised or taken offline by email- or IM-borne
attacks
■ Delivery and retrieval of legitimate email messages and IM is assured, amid
the volumes of spam and other unwanted content
■ Email messages and IM conversations can be preserved for long periods,
according to external regulations or internal company policies
■ Users are provided with seamless and continuous access to information in
email, whether in email systems or in long-term archives
■ Users and legal personnel are able to easily and securely search through
historical email messages, email attachments, and IM conversations
■ Organizations are able to supervise employee communications for compliance
with internal and external policies
Choosing a set of tools to individually address all the risks and challenges can
increase the level of complexity. Some organizations have 40 or more tools
deployed to protect and manage their on-line communications.
As the number of independent components in a system grows, it becomes more
complex and failure-prone. By reducing complexity, systems become less
failure-prone and more available. Therefore, complexity is to be avoided in systems
that must be highly available, such as critical on-line communications systems.
One important aspect of complexity is system management complexity. As
hardware and software redundancy is built into a system, operator error becomes
the prevalent source of application downtime.
A comprehensive approach to tools acquisition creates less user interface variance,
with fewer external support personnel and vendors to call. All of this reduces
complexity, improves availability, and also reduces system operating costs.
The ideal approach is one that addresses the separate but interdependent aspects
of the entire system concurrently. By leveraging the points of overlap between
components of the email infrastructure, initiatives can provide mutually
reinforcing protections and capabilities. Each component leverages the capabilities
of other components and adds value to the system. The larger and more complex
the messaging environment, the more reward for taking a comprehensive
approach.
The advantages of integrated messaging solutions are becoming readily apparent
to IT professionals. In a Ziff Davis survey conducted by The Strategy Group in
March of 2006, 77 percent of technology decision-makers indicated that having
an integrated email solution was “very important” to them.
Figure 3-1 shows the results of the survey that investigated the perceived
importance of an integrated email solution.
The results of the survey correspond to customer feedback Symantec has received
from many consulting and partner engagements. While a piecemeal approach
may be sufficient for smaller organizations that need to address fewer messaging
challenges, for larger, more complex messaging environments, an integrated
approach is more advantageous to organizations.
Figure 3-1 Importance of an integrated messaging solution
When IT organizations plan migration to new email servers or consolidation of
messaging servers, a natural opportunity presents itself to make improvements
to their infrastructure.
Introducing the Symantec solution
The Symantec solution described in this book for Enterprise Messaging
Management assures the security and availability of email and IM environments.
It also reduces costs by simplifying the management of the email environment
and life cycle. The solution reduces the volume of spam email, reduces the risk
of virus infection, automatically manages the life cycle of older email through
archiving, and keeps enterprise email infrastructure resilient against failure.
Figure 3-2 illustrates the challenge IT has faced as messaging has evolved.
Figure 3-2 The Evolution of Enterprise Messaging Management
The enterprise messaging management model addresses the major challenges
related to email, IM, and other on-line messaging technologies, with a 5-step
approach that mirrors the evolution of messaging management. The next section
examines these five steps in more detail.
Resource management
Resource management, as a means to keep systems up and costs down, is of critical
importance to companies today. At the highest level, the Symantec approach to
security is to protect IT infrastructure, information, and interactions. The first
step in building any secure messaging environment is to protect the IT
infrastructure. Securing Exchange and the messaging infrastructure requires
building a resilient foundation that will protect your Exchange and messaging
environment from unnecessary downtime.
A modern, properly protected, messaging environment should be built on a
foundation that can manage messaging resources, keep Microsoft Exchange
(Exchange) up and running, and keep costs down. The software foundation for
any messaging environment should address three major areas: storage
virtualization, backup and recovery, and clustering.
Symantec has a hierarchy of products that can address these needs for your
Exchange environment, regardless of its size. The use of these products can
enhance the availability of your messaging environment, and help avoid cost
incurred due to downtime.
Benefits of a resilient foundation
The benefits of building a protective software foundation for an EMM environment
are many. One of the most important benefits is that a resilient foundation can
keep an organization’s messaging systems functioning during a disaster.
Figure 3-3 shows the hierarchy of availability requirements, and the features of
the Symantec solution that support each tier or set of requirements.
Figure 3-3 Availability hierarchy
The Symantec solutions for messaging servers described in this book include
products at the first three layers: backup and restore, online volume management
(storage virtualization), and (local) clustering. The vital first step to protecting
any messaging environment is to install a proven backup and recovery solution.
Enterprise-level backup solutions can deliver high-performance data protection
that scales to protect the largest environments.
It is important that organizations take advantage of both tape-based and disk-based
backup. Disk-based backup to inexpensive storage can utilize snapshot-based
protection, which allows for the most rapid recovery.
Depending on an organization’s application recovery objectives, it is useful to
consider accelerated system recovery solutions. Having software that automatically
responds to failures based on well-defined IT policies is preferable to recovering
from an outage with no recovery plan or software recovery tool. With simple
commands, complete server and application restores can be accomplished rapidly.
By integrating the correct storage virtualization solution, administrators are able
to perform many regular storage maintenance tasks online, such as RAID
reconfiguration, defragmentation, file system resizing, and volume resizing.
Storage virtualization also manages the transmission of data to multiple storage
devices for failure protection. Virtualization can also automatically migrate data
from failing disks to healthy disks, which will reduce the risk of unplanned
downtime.
IT organizations must also be able to maintain and upgrade the messaging and
email infrastructure components that provide service delivery. This includes
email server operating systems, network components, and storage systems. All
maintenance and upgrades must be done without causing additional email service
unavailability. A clustering solution can provide much of this functionality.
Adding clustering software to storage virtualization enables the highest levels of
availability and scalability. Clustering can allow the addition of new servers and
storage without downtime. Clustering can also identify and utilize existing unused
resources. This maximizes the contributions of all the server and storage
components of the email environment. Storage Foundation product options, such
as Veritas™ Cluster Server and Veritas™ Volume Replicator, can ensure 99.99
percent availability of the Exchange infrastructure.
The products that provide a resilient foundation for the Symantec solution for
Microsoft Exchange take a modular approach to resolving the range of potential
threats to email availability. These products, which form the protective foundation
of the Symantec solution, are described in more detail in the following sections.
Benefits of storage virtualization
Veritas Storage Foundation for Windows provides storage virtualization
capabilities for Windows-based systems. Veritas Storage Foundation for Windows
products extend the native data management capabilities of Windows® 2000 and
Windows Server 2003. The resulting logical disk and volume capabilities provide
the basis for a scalable storage environment for Microsoft Exchange.
Storage Foundation can create a resilient storage environment in the following
ways:
■ Creates storage that automatically expands to meet growing data needs, such
as a storage volume for a transaction log
■ Designs storage configurations that use mirroring or mirroring/striping
combinations to protect from the loss of a single disk
■ Identifies and addresses storage hotspots that slow overall application
performance
■ Creates point-in-time images for rapid recovery from logical errors or data
corruption
To protect the Exchange infrastructure from site-wide disasters, Storage
Foundation products, along with iSCSI, wide-area Fibre Channel SANs, or WANs
with host-to-host replication, can be used to create a disaster recovery site.
Companies can control disaster recovery costs by using inexpensive storage at
the off-site recovery location, and by using a single data center as the off-site
recovery location for multiple data center locations. The secondary disaster
recovery site need not mirror the primary site, and can be simultaneously used
for other purposes.
It is difficult to protect Exchange data from all sources of logical errors. Data
corruption and user or operator errors are risks that are difficult to eliminate. A
good defense is to reverse the effect of errors quickly, with minimal data loss.
Storage Foundation offers point-in-time snapshots of Exchange databases and
transaction log files using the FlashSnap™ option.
A FlashSnap snapshot is an independently addressable volume that mirrors the
production volumes. The FlashSnap option creates point-in-time images of the
data that can be used as a source for quick recovery images of data. Veritas Storage
Foundation for Windows is the preferred software snapshot provider enabling
off-host backup.
Storage Foundation can keep your systems up and running by avoiding downtime
caused by a full disk on an email server. As storage space diminishes, the
traditional method is to rely on time-consuming methods of scaling, such as
installing new servers or adding expensive disk arrays to existing servers. Storage
Foundation can create extensible data storage environments, which can be
leveraged by sharing storage across all messaging servers within a data center.
Adding storage to such an environment does not involve downtime.
Benefits of backup and recovery
The combination of Backup Exec and Storage Foundation offers organizations a
single solution for building a resilient email foundation. Together, Backup Exec
and Storage Foundation enable near-instantaneous recovery from storage device
failures, and a short recovery time for application logic and other types of data
corruption.
Backup Exec is the recommended backup technology for the Symantec solution
for Microsoft Exchange, for organizations with fewer than 2500 employees or for
organizations that use Windows. Larger organizations may want to consider using
Veritas NetBackup™. Since this book is primarily intended for organizations with
fewer than 2500 employees, only Backup Exec deployment is addressed.
As the recognized leader for Windows systems backup and recovery, Symantec
Backup Exec provides complete data protection for Windows environments.
Intuitive interfaces enable organizations to manage all aspects of backup and
recovery, and to maintain consistent backup policies that are deployed across
Windows servers and clients.
On Microsoft Exchange servers, Backup Exec simplifies database backup and
recovery, and performs backups without taking the Exchange server offline, or
disrupting local or remote systems. An online backup and recovery approach
ensures continued availability of Exchange services and data during backups.
Central administration, automation options, and support for all popular storage
devices create the flexibility that administrators need to maximize performance.
Backup Exec provides the following advantages:
■ Advanced features: Includes many advanced features, such as single-instance
store (SIS), global exclusion, storage group multiplexing, Volume Shadow Copy
Services (VSS) integration, and off-host backups.
■ Scheduled backups: Flexible backup methods for scheduled, unattended backups.
■ Rapid recovery: Rapid and precise recovery of databases and mailboxes,
including support for performing individual message restores.
■ End-to-end data protection: Complete and non-disruptive protection of Exchange
database and mailbox components, including incremental mailbox backup. Data
protection for all Windows environments, from desktop to remote office to
centralized datacenter.
■ Nearly unlimited scalability: Centralized management and control,
high-performance technology, and a flexible multi-tier architecture enable
Backup Exec software to adapt to the needs of Windows-oriented IT environments.
■ Management and reporting: Web-based management and reporting for enterprise
users, including real-time monitoring, historical reporting, and centralized
administration.
■ Automated disaster recovery: Streamlined server recovery provided by the
Backup Exec IDR option.
■ Security: Password protection for backup data. For more information, see
http://seer.support.veritas.com/docs/236709.htm.
■ Storage Networking: Support for a range of disk, tape library, tape drive, and
Storage Area Network (SAN) interconnect technologies from a number of vendors.
Dynamic sharing of individual disk or tape drives over SCSI or iSCSI and Fibre
Channel SANs.
■ Off-host backup: Eliminate the backup window with the Advanced Disk-based
Backup Option (ADBO). ADBO allows users to break off (isolate) a mirrored copy
of the Exchange Server, mount the data on the backup server, and then at the end
of the backup job, automatically resync the mirrored copy with the Exchange
application. For more information, refer to the article at the following URL:
http://eval.veritas.com/mktginfo/products/White_Papers/Data_Protection/BE_SFW_Quick_Recovery_Off-Host_Backup_Bundle.pdf
Benefits of clustering
Organizations can protect Exchange environments from a range of component
failures by implementing local and wider-area clustering for availability. Veritas
Storage Foundation High Availability (HA) for Windows integrates Veritas Cluster
Server (VCS) technology, which provides scalable failover clustering with workload
management capabilities. In a VCS cluster, multiple servers are linked with shared
storage and private, reliable Ethernet networks.
Storage Foundation HA for Windows, which includes Veritas Cluster Server,
provides the following benefits:
■ Maximize uptime of messaging data and applications
■ Reduce planned or unplanned downtime
■ Enable high-availability for local, metropolitan, or global clustering from
within a single product
■ Test disaster recovery solutions without impacting production applications
■ Optimize and plan cluster configuration and policies through portable modeling
and simulation
By using Storage Foundation with the Global Cluster and Volume Replicator
options, data can be replicated between two separated sites, and application
services can be switched between them with a single mouse click. Organizations
that require the highest levels of availability for application services when site-wide
failures occur should contact Symantec to learn about additional advanced
products.
Note: Some Exchange users use Microsoft Cluster Server (MSCS), a component of
the Windows 2000 and 2003 Advanced Server package that provides functionality
similar to Veritas Storage Foundation™ High Availability for Windows. This Yellow
Book does not address the installation and configuration of Microsoft Cluster
Server (MSCS). Generally, the deployment steps are similar, whether MSCS or
Veritas Storage Foundation HA for Windows is used. However, this solution has
not been tested in its entirety, only product-by-product, with MSCS. For more
information, contact Symantec sales, Consulting Services, or a Symantec partner.
Threat management
Once a resilient foundation is in place to keep a messaging environment up and
running, the next action is to protect the systems from external and internal
threats: in other words, keeping bad things out. Threats enter the messaging
environment from multiple sources, such as email, IM, and open ports, and come in
multiple types (for example, viruses, spam, and worms). The Symantec solution
recommends a layered approach as the best way to protect the
modern enterprise messaging environment.
Layered approach to threat management
Symantec's layered approach deploys different types of protection at defined
levels inside the email and messaging architecture. The layered approach starts
with reducing spam volume outside the network. Next, the solution secures the
perimeter of the messaging environment by filtering email and IM messages
outside the organizational network. Finally, email is filtered at various points
inside the messaging environment, as well.
The Symantec solution advocates removing unwanted content from the messaging
system at the earliest possible point in time. The critical interception points in
the email and IM flow, where email and IM can be most effectively controlled, are
as follows:
■ Points of entry of incoming email and IM
■ Distribution points of internal email
■ Points of departure of outgoing email and IM
The benefits of a layered approach to email management are not limited to those
measurable by end-users' productivity. By addressing the separate but
interdependent aspects of the email infrastructure, functions can be layered to
provide mutually reinforcing protections. Each layer adds to the overall strength
of the other layers and the efficacy of the entire solution. Establishing email
security is a critical aspect of the whole solution, as email is the source of the
majority of security threats.
When adopting a layered approach, the first step is to focus on those issues that
are most effectively addressed at the earliest point of entry onto the network. For
example, filtering email only at the endpoints, the desktop or user’s PC, does not
constitute a best practice. Filtering spam and other malware at the endpoint is
the most costly place to manage threats in terms of lost network bandwidth.
Ideally, the only email delivered by the organizational intranet to the endpoints
should be valid and clean.
Figure 3-4 depicts a model of layered functions including hardware and software
that form a best practice for enterprise messaging management in a Microsoft®
Exchange environment.
Figure 3-4 Layered approach
The illustration describes the major activities involved in protecting the messaging
environment from the following external threats:
■ Preventing spam from outside the network
■ Filtering perimeter threats
■ Fortifying the messaging servers
■ Securing the desktop PCs
Email volume reduction with traffic shaping
Reducing spam and other unsolicited email is important in achieving email system
security because spam is the delivery vehicle for the majority of threats. An
organization that can reduce the spam proportion of total email volume also
achieves a proportionate reduction in the overall security risk represented by
malicious threats.
Also important to security is keeping email system performance optimal, despite
the overall increase in email volume and the constant barrage of spam.
Eliminating unwanted email, as close as possible to the source, has multiple
benefits. Reducing spam reduces the load on resources, including the organization’s
Internet gateway, firewalls, gateways, internal network bandwidth, processing
power, and storage space. Email volume reduction benefits are seen throughout
the network, from the SMTP gateway scanners to the message stores, and to the
message archive layer.
The challenge in reducing email volume lies in accurately distinguishing legitimate
messages from junk email. Applications that are used to filter email and prevent
the unwanted email from entering the network or internal email systems must
be reliable and must not disrupt the flow of valid email.
A high-quality spam deflector is the first line of defense against unwanted email.
The spam deflector should be deployed outside the messaging infrastructure,
where it can deflect spam before it can impact internal gateways and servers. In
the Symantec solution, that first line of defense is the Symantec™ Mail Security
8160 appliance (8160 appliance).
The 8160 appliance employs a unique approach to spam prevention. It uses a
sender-reputation metric to reduce the bandwidth of inbound TCP/IP streams.
This metric is frequently updated and targets inbound TCP/IP streams that are
known or suspected spam generators. By limiting the TCP/IP bandwidth available
to known spammers (down to one message per minute or less), significant amounts
of spam are bottled up on the spammer's system and are never received by the
8160 user. This traffic throttling mechanism is referred to as traffic-shaping.
Since 60–70 percent of incoming email is spam, traffic-shaping can translate to
a 50-percent reduction in overall email volume, without risking the loss of valid
email. This achieves a significant reduction in the message volume that is
processed by email scanners and gateways, stored in volume-sensitive message
stores, reviewed in a spam quarantine, and finally archived.
These significant volume reductions can further translate into a reduction in the
number and size of servers required to scale to the problem, including gateway
scanning devices and mail servers. In practical terms, reducing spam from 70
percent of traffic to less than 20 percent improves the overall performance and
scalability of existing systems, and eases the burden on back-end systems and
users.
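The traffic-shaping mechanism described above can be modelled as a per-sender token bucket keyed on a reputation tier. The following Python sketch is an added illustration, not the 8160 appliance's algorithm or code from this book; it throttles per message rather than at the TCP layer, and the tier names, every limit other than the one-message-per-minute floor for known spammers, and the traffic sample are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed reputation tiers (hypothetical): (messages per minute, burst size).
# None means the sender is never throttled. Only the one-message-per-minute
# limit for known spammers is taken from the text; the rest is illustrative.
TIERS = {
    "good": None,
    "unknown": (30, 5),
    "suspect": (5, 1),
    "spammer": (1, 1),
}


@dataclass
class TokenBucket:
    """Integer token bucket. Credit is kept in 1/60ths of a message so that
    whole-second timestamps never accumulate floating-point error."""
    rate_per_min: int
    burst: int
    credit: int = -1  # -1 marks a bucket that has not seen traffic yet
    last: int = 0

    def allow(self, now: int) -> bool:
        if self.credit < 0:  # first sighting: start with a full burst
            self.credit, self.last = self.burst * 60, now
        # One elapsed second earns rate_per_min/60 messages of credit.
        earned = (now - self.last) * self.rate_per_min
        self.credit = min(self.burst * 60, self.credit + earned)
        self.last = now
        if self.credit >= 60:
            self.credit -= 60
            return True
        return False  # message stays queued on the sender's system


class TrafficShaper:
    def __init__(self, reputation):
        self.reputation = reputation  # ip -> tier name
        self.buckets = {}

    def accept(self, ip: str, now: int) -> bool:
        limits = TIERS[self.reputation.get(ip, "unknown")]
        if limits is None:
            return True
        if ip not in self.buckets:
            self.buckets[ip] = TokenBucket(*limits)
        return self.buckets[ip].allow(now)


def simulate(events, reputation):
    """events: iterable of (second, sender_ip). Returns per-sender counters."""
    shaper = TrafficShaper(reputation)
    stats = {}
    for now, ip in sorted(events):
        entry = stats.setdefault(ip, {"attempted": 0, "accepted": 0})
        entry["attempted"] += 1
        if shaper.accept(ip, now):
            entry["accepted"] += 1
    return stats


def volume_reduction(stats) -> float:
    attempted = sum(s["attempted"] for s in stats.values())
    accepted = sum(s["accepted"] for s in stats.values())
    return 1 - accepted / attempted


# Constructed sample: documentation-range addresses, ten minutes of traffic.
# 198.51.100.7 is deliberately absent from the list, so it is tiered "unknown".
REPUTATION = {
    "192.0.2.10": "good",
    "203.0.113.5": "spammer",
    "203.0.113.9": "suspect",
}


def constructed_traffic(window: int = 600):
    send_every = {  # sender -> seconds between delivery attempts
        "192.0.2.10": 10,
        "198.51.100.7": 30,
        "203.0.113.5": 10,
        "203.0.113.9": 6,
    }
    return [(t, ip) for ip, step in send_every.items()
            for t in range(0, window, step)]


if __name__ == "__main__":
    result = simulate(constructed_traffic(), REPUTATION)
    for ip, s in sorted(result.items()):
        print(f"{ip:15} attempted={s['attempted']:3} accepted={s['accepted']:3}")
    print(f"overall volume reduction: {volume_reduction(result):.1%}")
```

In this constructed sample the two legitimate senders lose nothing, while the listed spammer is held to one message per minute regardless of how often it retries.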
Perimeter security
The perimeter protection layer is one of the most critical layers in enhancing
network security.
Symantec’s perimeter solutions for email include the following capabilities:
■ Mass-mailer cleanup to remove entire messages and prevent unnecessary
virus notifications, based on the presence of a mass-mailer worm
■ Ability to block based on customizable rules
■ Ability to process spam based on antispam engine verdict; for example, deleting
spam messages, but quarantining suspected spam messages for further review
■ Symantec’s Web-based Spam Quarantine removes spam messages from the
messaging environment, but makes them available for further processing and
review
Symantec’s perimeter protection for email provides the following benefits:
■ Fewer non-business emails are archived
■ Fewer messages require review
■ Fewer unwanted messages enter the downstream mail environment
■ Harmful Internet content cannot reach email servers or end-user desktops,
spread infections, or disrupt the internal network
Symantec’s perimeter solution for IM includes the following capabilities:
■ Ability to secure corporate networks against external threats, such as IM
viruses, worms, and malware through usage of real-time content filtering
Symantec’s antispam technologies leverage the global Brightmail™ Logistics and
Operations Centers (BLOC) response infrastructure, and the Symantec™ Probe
Network, which identifies known spam sources on the Internet.
Symantec’s Norton AntiVirus™ Exchange (NAVEX™) technologies ensure
consistent virus protection and updating across all supported platforms, using
various detection technologies, including heuristics, which are also supported by
the global Symantec™ Security Response operations centers.
About perimeter threats
The two primary IM and email-borne perimeter threats are viruses and spam.
These are described as follows:
■ Viruses: The most common virus content comes from mass-mailer worms. These are
programs that exploit email address lists on compromised systems, and
automatically generate emails to replicate and distribute their payload to other
users and systems. Mass-mailer worm emails have no intrinsic business value, so
they can be deleted automatically without the risk of data loss. Often referred
to as mass-mailer cleanup or worm purge, automatic elimination of such content
is an important capability in antivirus solutions.
■ Spam: Spam can be removed from mail streams through the use of programs that
isolate or quarantine spam. Spam quarantines are typically housed on a server
that is separate from the email infrastructure, and are used to move unwanted
spam from active message stores (and user mailboxes) to less expensive media.
Quarantines are required, as anti-spam systems are not 100 percent accurate.
Businesses cannot risk the loss of legitimate email, so users need a place to
review spam-tagged messages.
The reliability of the chosen antispam system can make a significant difference
to the quantity of data that is quarantined. The standard measure of antispam
reliability correlates detection rate to false positives (valid messages incorrectly
identified as spam) to find accuracy.
Detection and accuracy rates are dependent variables. High catch rates are often
achieved at the expense of accuracy, and vice versa. The challenge facing antispam
technology is to improve detection without compromising accuracy.
The best antispam solutions ensure the accurate elimination of spam email
messages while in transit. This minimizes the burden on the spam quarantine
and the user-reviewer. When evaluating antispam options, it is important to look
for a solution that is more than a collection of manual tools.
The ideal solution is an integrated, frequently-updated response mechanism with
highly accurate spam definitions, and techniques that are based on the latest
spamming methods.
About perimeter protection solutions for email delivery formats
A key consideration in perimeter protection for email is the choice of a solution
delivery format. These formats deliver the same functionality, but vary in method.
Availability of resources and expertise varies from company to company, so the
choice of format becomes a matter of preference and convenience.
Perimeter protection can be implemented in the following delivery formats:
■ Software-based solutions that require installation of application software on
user hardware and operating system
■ Appliance-based solutions where application software comes preinstalled on
a vendor-maintained operating system and hardware
■ Hosted solutions, where the software and systems are located off-site by a
hosted provider, and Internet email streams are redirected through this
environment to be scanned
The following are important criteria for selection of a solution:
Software:
■ Deployment flexibility through support for multiple operating systems,
including Windows®, Solaris™, and Linux®. This allows companies to avoid
requiring specific operating system expertise in all geographic locations.
■ Highly integrated solution combining antispam, virus protection, and content
filtering technologies. For emergency updates or upgrades, the fewer the number
of independent components, the easier it is to ensure compatibility and
availability.
■ A single responsible vendor for both the security technology and response
components, to ensure vendor accountability
Appliance:
■ Hardening of the operating system for security. Non-essential operating system
services are disabled, if not removed entirely, to limit exposure to system
vulnerabilities.
■ A global support contract with 24-hour hardware replacement is available.
■ Automated updates for applications and the operating system are available, and
usually installed without administrator attention.
Hosted solutions:
■ Proxy-based scanning, not store-and-forward mail relay, means the hosting
provider should never take ownership of the message, with the exception of spam
quarantining.
■ Accomplished by acting as a proxy between sending server and receiving server,
holding the connection open long enough to complete inspection of the message,
and then closing out the transaction.
The Symantec solutions for perimeter protection of email span these delivery
formats (software, appliance, and hosted), as well as key operating systems
(Windows, Solaris, and Linux), thereby offering flexibility in choosing the optimal
fit for the unique needs of an organization. The Symantec Mail Security 8200
Series appliances meet the needs of organizations favoring the appliance format.
The Symantec™ Mail Security for SMTP product delivers the same functionality
via a software-only product (deployable across Linux, Windows, and Solaris). And
Symantec Hosted Mail Security is the hosted service offering provided by Symantec
for perimeter protection.
Common to all of these perimeter protection solutions is Symantec’s
industry-leading antispam technologies, which offer a greater than 97 percent
effectiveness rate (Source: InfoWorld Product Review, 2004), and an accuracy
rate of 99.9999 percent (Source: Yankee Group Report, 2004). This is achieved
through over 20 filtering technologies, and an associated spam classification
verdict system.
Also common to these solutions is the use of Symantec’s global Email Security
Unit within the Symantec Security Response infrastructure. Symantec’s Security
Response group delivers malware signature updates at 10-minute intervals. In
addition, these products utilize the same Sender Reputation Lists that leverage
the Symantec Probe Network to identify known spam sources on the Internet, to
provide added certainty along with the spam classification verdict system.
The deployment of the Symantec Hosted Mail Security solution is not addressed
in this Yellow Book, as companies with more than 1000 employees often choose
to implement their own internal email security infrastructure.
About perimeter protection solutions for instant messaging
The Symantec solution for perimeter protection of IM is Symantec IM Manager
(IM Manager). IM Manager is a software-only solution that secures and logs
corporate IM traffic.
IM Manager includes certified support for consumer IM services and enterprise
IM platforms. IM Manager provides granular policy controls for text messaging,
file transfers, audio, video, VoIP, application sharing, and other real-time
communication capabilities associated with IM. IM Manager secures corporate
networks against external threats, such as IM viruses, worms, and malware. This
is accomplished through use of real-time content filtering, worm and virus
signature detection, behavior-based threat protection, and file-based antivirus
scanning.
Integrated with the Symantec™ Security Response, IM Manager offers the
industry’s first threat protection from IM-borne viruses and worms. Utilizing a
patent-pending behavior- and signature-based system, IM Manager provides
automatic protection for new and emerging IM viruses.
Internal Exchange server filtering
In addition to building solid perimeter protection, it is highly recommended to
inspect internal email traffic, as well. While perimeter protection generally
eliminates unwanted Internet email traffic before threats can enter email message
stores, internal email server filtering products will eliminate malicious or
inappropriate content introduced via Web downloads, early-phase virus
infestations, IM attachments, or other non-direct means.
During the initial outbreak stage of new types of viral threats, emails may enter
the message store before infections are detectable with updated definitions. Once
virus definitions are updated, then subsequent scans of the message store by
internal server filtering solutions will eliminate malicious content to protect new
users from exposure.
Email server filtering products must be able to inspect content in real-time, as
email is committed to the message store, and when email is accessed from the
store. Filtering products must also be able to inspect content on a scheduled or
on-demand basis, to conduct sweeps of the message store based on updated virus
definitions, or specific content rules.
Symantec Mail Security for Microsoft Exchange provides these essential internal
email server filtering capabilities for Exchange. This solution is integrated into
the Exchange email environment using vendor-supported Application
Programming Interfaces (APIs), to ensure maximum capability and minimum
conflicts with the underlying messaging architecture.
Similar to the perimeter protection solutions, Symantec Mail Security for Microsoft
Exchange leverages the same antivirus technology, updates, and response. For
organizations that have standardized from mail server to gateway by using an
Exchange infrastructure, the same antispam technologies that are used in
perimeter protection solutions are available, providing the deployment flexibility
that is required by diverse organizations.
In addition to core scanning services, Symantec Mail Security for Microsoft
Exchange offers similar content inspection capabilities, such as subject line and
message body filtering, attachment stripping, and restrictions on message size.
Symantec Mail Security for Microsoft Exchange further contributes to data
reduction by eliminating unwanted content and early-stage mass-mailer worm
messages, and is capable of real-time detection of email policy violations and
misuse.
Email client security
The final layer of protection in the messaging environment is at the end-user
client PC or mobile device. Scanning for viruses on the local end-user system is
necessary to detect those that enter through personal Web-based email, removable
media, and remote laptop users whose virus definitions are not current.
The scope of this Yellow Book does not include an in-depth discussion of email
client antivirus solutions, or malware scanning best practices. The assumption
is that these solutions and practices are already implemented in an organization’s
foundation security infrastructure, and by end-users.
However, it is important to note that Symantec’s client security products are
evolving beyond existing anti-virus and anti-spyware solutions. Symantec client
security products now include state-of-the-art end-point compliance tools.
End-point compliance tools enable the enterprise to ensure that all client PCs are
compliant with current anti-virus definitions, before a client PC is allowed access
to the network.
End-point compliance tools are a powerful solution for any enterprise concerned
about proving compliance and policy enforcement for all of their endpoints.
See “End-point security compliance management products” on page 63.
Archival and retention management
Archiving and managing stored messages is all part of keeping things as long as
needed. Email systems were not designed to store the amount of data that goes
through the average messaging system today. Email administrators experience,
each day, the problems relating to storage management for email. Email continues
to arrive, and the volume grows dramatically from year to year. Many industries
now require the archiving of all IM traffic, which only adds to the retention burden.
The impact to the messaging environment includes:
■ Higher costs due to increased storage and backup costs
■ Lower availability and performance, as messaging servers slow when
near-capacity is reached, and long backup windows are required to back up
the large amount of email data.
Email archiving challenges
To solve these problems, most IT organizations impose email quotas, restricting
their users to a limited amount of email storage (for example, 25 MB to 200 MB).
Users must constantly ensure that their email storage is below the quota, and
store their excess messages in separate files; for example, PST files on their
computers, or on file servers.
PST files kept only on desktops or laptops are often not backed up, so company
data is subject to loss or theft. In some cases, PST files are kept on the network
file servers, and continue to use expensive storage and significantly burden backup
resources.
In either case, these files are susceptible to corruption, and perpetuate the same
availability and performance problems that occur on email servers. Typically,
email quotas affect user productivity, result in large numbers of support calls,
and are one of the larger burdens of email management.
A good solution is to provide the benefit of email quotas without the problems.
Organizations can realize the benefits, with fewer associated problems, by
minimizing the size of primary storage and by leveraging cost-effective,
centralized secondary storage without burdening the user or losing critical data.
Centralized message archiving solutions allow organizations to provide users
with a large mailbox while minimizing storage usage on the primary messaging
servers.
A capable messaging archiving solution allows system administrators to accomplish
the following:
■ Automatically migrate email messages and attachments to a secondary, less
expensive storage location, based on business policies
■ Automatically expire or delete messages, based on business policies
■ Automatically migrate messages to a third tier of storage, based on business
policies
■ Compress the information and implement single-instance storage, to reduce
the volume of information while leveraging low cost disk or tape storage for
archived data
■ Index the messages and attachments so that users can rapidly search and
retrieve information from the vast store of archived content that accumulates
over time
■ Allow users to seamlessly access messages and attachments from the archive
■ Reduce total cost of ownership of frontline email environments
■ Achieve cost-effective compliance with legal discovery, as well as corporate
and regulatory information retention requirements
■ Perform faster platform migrations
■ Achieve server consolidation and storage optimization
Message archiving is not limited to storage management. Many companies view
archiving as a best practice; a way to preserve critical company information. If
forced into a lawsuit, companies are often required to produce email as evidence.
The old method of producing email, by restoring data from tapes, is generally
time-consuming, and often costs hundreds of thousands of dollars per month.
For companies in highly litigious industries, such methods are no longer viable.
Increasingly, companies want to prepare for the next regulation or legal action,
instead of reacting.
Email is both the source and the destination of a company’s communications
records. Companies are motivated to retain email for their own internal purposes;
for example, so they can monitor it for inappropriate usage or company policy
violations.
A good message archiving solution offers the following capabilities to facilitate
discovery and prevent misuse:
■ Automatic archiving of journaled email so that the email is guaranteed to be
captured
■ Indexing of the information as it is archived, to facilitate future discovery
■ Secure search capabilities across the organization, allowing authorized
personnel to perform company-wide information requests
■ Specialized workflow tools to assist in the search and review processes of legal
discovery
■ Sampling and workflow around regulated supervision of employee email
Archiving with Enterprise Vault
Veritas Enterprise Vault provides the centralized email and IM archiving and
retrieval functions of the Symantec EMM solution, and ensures email and IM
content accessibility and availability. Enterprise Vault automatically moves email,
IM, file system, and other content from operational storage locations to a
cost-effective online vault, without impacting end-user access to the data. Users
can access archived information directly from their email client, Web browser,
or other programs, and can access it even while not connected to a network using
the optional Offline Vault functionality.
IT departments can automatically discover, collect, migrate, and eliminate PST
files, and centralize archived email through the PST migration functions provided
with Enterprise Vault. Enterprise Vault can also archive Exchange Journals and
Public Folders, in addition to Exchange mailboxes. Archived data is automatically
compressed, duplicate copies are removed, and data is retained according to
business policies.
Data can be migrated to fully searchable tertiary storage. Permissions to search
the archive can be inherited directly from the source data, or new permissions
can be granted to administrators and information custodians. Some regulated
industries require immutable storage to safeguard email archives. Enterprise
Vault can be configured to migrate data to a write-once/read-many (WORM)
storage system, such as the IBM System Storage™ DR550.
Optionally, Enterprise Vault helps manage the compliance process by enabling
the centralized archiving of all email and IM messages received through email
and IM message journaling. Also, if full indexing is implemented with Enterprise
Vault, then information search and retrieval can be thorough and efficient. This
enables significantly accelerated compliance and (legal or other process-driven)
information discovery processing.
Message archiving using Enterprise Vault provides benefits in the following core
areas:
■ Increased email message and IM conversation availability
Enterprise Vault reduces the amount of data stored in primary messaging
servers and file servers, reducing corruption and performance problems when
these servers reach capacity thresholds. By archiving data for long-term
retention and providing search capabilities, end-user access to data is
maintained.
■ Reduced email cost
Enterprise Vault reduces costs throughout the email environment. By archiving
older or less frequently accessed data to less expensive storage, Enterprise
Vault reduces primary storage costs in the environment. More importantly,
backup costs are reduced, as archived data no longer requires frequent backups.
IT reduces support and migration costs by eliminating email quotas and PST
files, and reduces the amount of data to be moved during upgrades and server
consolidation.
■ Controlled email and IM risk
Enterprise Vault facilitates email messages and IM conversation retention,
following defined business rules to meet legal discovery and regulatory
requirements.
Integrations with the archiving solution
When selecting an archive and retrieval solution for Exchange, it is vital that the
solution is compatible with the security and data management tools a company
uses to keep Exchange running. The Symantec Enterprise messaging management
solution for Microsoft Exchange offers a comprehensive approach to the problem
of archiving and retrieving all email and messaging traffic. As the premier tool
in the Symantec solution for archiving Exchange data stores, Enterprise Vault
seamlessly integrates with Microsoft Exchange and all other Symantec security
management products in the Enterprise messaging management suite.
Enterprise Vault provides secondary or tertiary storage behind server systems,
such as Microsoft Exchange. Such secondary or tertiary storage needs to be backed
up through procedures described in this book. Backup Exec can be used to back
up and recover Enterprise Vault. Also, through a range of APIs and other interface
mechanisms, Enterprise Vault can extract information from various other
applications besides email and IM (such as SAP, database platforms, electronic
fax content and more), provide intelligent filtering of archive streams, and enable
access to archived content.
Enterprise Vault can be integrated with Symantec Mail Security appliances and
software. If a company is legally required to keep a copy of all the email it receives,
a Web Quarantine server can be built to store spam and other junk email messages
captured by Symantec Mail Security products. The Web quarantine server can
deliver this junk email to be journaled for compliance purposes to Enterprise
Vault. This junk mail retention legal requirement exists principally for financial
services organizations doing business in the United States.
The Symantec Mail Security 8260 appliance or Symantec Mail Security for SMTP
software can be used to forward all SMTP email communications to Enterprise
Vault servers for journaling. This is useful for customers not using Exchange who
wish to retain email from email servers, such as UNIX® Sendmail™ servers, that
do not have or maintain their own email journaling or data warehouses. Symantec
Mail Security for Exchange now supports the forwarding of filtered content, such
as emails that violate corporate policies, to Enterprise Vault servers for journaling,
review, and potentially for further action, as well as for inclusion in later discovery
processes.
Enterprise Vault can now also leverage Veritas Storage Foundation High
Availability for Windows clustering services (Veritas Cluster Server) to create
highly available archiving, search and retrieval services.
Policy and compliance management
Compliance is a relatively new term to IT professionals, but it has become most
important to the IT world. Policy and compliance management refers to keeping
important documents and communications for future reference. Monitoring and
gauging compliance with policies and laws requires the addition of new tools to
IT environments.
In the case of email, there are three areas where compliance is applicable:
■ Security policy compliance: Solutions that assure that PCs used with email do
not have outdated anti-virus signatures and do have an approved set of system
settings and tools implemented
■ Messaging policy compliance: Focus on external communications policies, and
in particular on Intellectual Property protection
■ Regulatory Compliance: Laws or guidelines that government entities create,
and which require internal monitoring and possible reporting
Often the people most interested in whether organizations are complying with
policies are not employed by IT departments. It may be someone, for example,
from finance who is charged with monitoring regulatory compliance, or someone
in Human Resources monitoring employee communications policy compliance;
anyone charged with the responsibility of complying with policies.
This Yellow Book explores regulatory compliance requirements and tools in
chapters 9 and 10, as well as outbound email filtering tools in Chapter 5. The
Options to Meet Advanced Requirements section of this chapter provides
information about some tools available from Symantec for security policy
compliance.
Regulatory compliance
From a messaging perspective, regulatory compliance is most often an issue for
financial services organizations. In the United States and other countries, financial
institutions generally have to journal all internal and external electronic
communications. This is done to ensure that all messages that might be of future
interest are logged in the archive, and available for future search and recall.
Microsoft Exchange can be configured to journal email, and Enterprise Vault is
an ideal tool to selectively archive journaled email.
IM Manager provides organizations with the ability to further comply with
regulations and other legal requirements. IM Manager addresses compliance by
enabling the ability to insert legal disclaimers, archive IM conversations, and
integrate with Enterprise Vault for IM message retention and discovery purposes.
Once email and IM messages are journaled, Symantec’s Enterprise Vault
Compliance Accelerator allows accelerated searches of the journaled messages.
Enterprise Vault Compliance Accelerator also enables organizations to monitor
employees’ electronic messages, including email and instant messages, to ensure
compliance with corporate policies.
Messaging policy compliance
Outbound email filtering can help organizations prevent the loss of sensitive
information or intellectual property through email. Also, by defining rules for
outgoing email, and in particular for outbound email attachments, companies can
be assured that they are not propagating malware.
By searching through outbound email and IM attachments for prohibited words
or phrases that may be deemed offensive, organizations can have more control
over how their employees interact with outsiders. Symantec’s Mail Security for
Exchange provides all such outbound email filtering capabilities.
Similarly, IM Manager also protects organizations against the loss of sensitive
information or intellectual property over IM by providing policy controls. These
policy controls extend to internal IM usage, including filtering content of instant
messages, controlling the use of file transfers over IM networks, applying regular
expression pattern matching to IM, and real-time user monitoring.
Discovery and analytics management
Some organizations are deploying archiving-based capabilities that include the
ability to perform intelligent archive searches. Legal discovery is a primary
motivator for these searches.
In the past, organizations have had to rely on going through backup tapes to
discover files and messages dating from a certain period of interest. Once files
and messages from the particular period are found, they must be exhaustively
and laboriously searched for relevant information. Paying a legal firm to review
documents for evidence can run up costs nearing or exceeding one million dollars
per month.
Symantec’s Enterprise Vault Discovery Accelerator establishes appropriate
workflow processes to make complex searches of archives possible for the purposes
of legal discovery. It also facilitates the review of retrieved files to decide relevance
to a case.
Enterprise Vault Discovery Accelerator leverages the Enterprise Vault archive
platform’s full text index that can be used to find relevant emails, based on a
number of criteria. Specific items can be selected for export, and are made available
in a format that is appropriate for use as legal evidence. The savings in legal fees
can be many times the cost of the software, hardware, and storage.
With the growing focus on intellectual property, companies are beginning to
explore their employee communications for patterns and ideas that may lie hidden
in old messages. Discovery Accelerator’s ability to accelerate archive searches
provides a significant productivity boost for any organization considering such
historic file and communications searches.
Options to meet advanced requirements
Symantec offers products and services that are optional components of the
Symantec solution for Enterprise Messaging Management. These products and
services offer capabilities to organizations with advanced requirements. Some of
these products for users with advanced requirements have already been introduced.
Advanced security requirements
Although the Symantec solution for Enterprise Messaging Management described
in this book includes many email security products that reside on email servers
and gateways, Symantec also offers security products that can significantly benefit
organizations that are either highly dependent on email functioning, or are more
sensitive to security threats than the average organization with
1000-2500 employees.
Depending on factors such as size, dependence on the Internet and intranets,
reliance on online systems, and regulatory concerns, organizations should deploy
products, services, and procedures that provide the level of security that is
commensurate with their risk tolerance and exposure to loss.
Symantec’s range of security products can be organized into a hierarchy depicting
the most commonly used technologies to the most sophisticated. This hierarchy
mirrors a similar hierarchy of organizational needs. Organizations select their
IT security products and services by first meeting fundamental needs, and then
moving up the hierarchy of organizational needs at a pace that reflects their
requirements and budget constraints.
Figure 3-5 depicts a hierarchy of security requirements, from the most
fundamental to the most advanced, and the corresponding levels of investment.
Figure 3-5 Security hierarchy
End-point security and protection products
At a minimum, organizations should employ PC antivirus and personal firewall
software to provide end-point security and gateway security via firewalls
(potentially) with Virtual Private Network (VPN) capabilities for Internet-based
logins. These measures are essential to avoid penetration and disruption of an
organization’s computers and IT network.
Symantec Backup Exec Desktop and Laptop Option (DLO) or Symantec Backup
Exec System Recovery (formerly LiveState Recovery) are recommended products
for end-user computers that contain email message caches or other critical
organizational data.
These products enable users to rapidly restore corrupted email files, for example,
PSTs, and restore information deleted from local files. In addition, LiveState
Recovery enables PC users to back up their system information to disk to enable
them to rapidly restore their PC should a device failure, or malicious virus or other
malware infestation occur.
As Symantec client security products evolve to include more functions (such as
end-point security compliance functions), and also as the end-point devices and
interconnects for email and messaging evolve, future versions of this Yellow Book
will address the implementation of protection at this layer.
Additional gateway security products
The Symantec Mail Security 8160 appliance that provides traffic-shaping to avoid
receiving email from identifiable spammers is not a standard part of the Symantec
solution for organizations with 1000-2500 employees. Some organizations with
close to 2500 employees, which also receive significant amounts of email, may
want to investigate the use of the 8160 appliance to prevent delivery of up to 80
percent of spam email.
Server security products
The Symantec solution for Enterprise Messaging Management described in this
book includes Symantec Mail Security for Microsoft Exchange as the prime
component of Exchange server security. Other server security products are not
described in this book, as it is not expected that end-users will log in and use the
Exchange server, and it is expected that the Exchange server will be dedicated to
running Exchange.
A best practice is to have no other applications or services running on Exchange
back-end data servers besides Exchange (that is, no file serving, IIS, or SQL), and
also to have no end-users log on and use the Exchange server for reading email.
These measures ensure that only secure Exchange services run on the Exchange
servers.
Therefore, as long as best practices are followed, and user and service settings,
as well as other permissions, are correctly defined for the Exchange servers,
additional security for Exchange servers themselves may not be needed.
End-point security compliance management products
For organizations with an interest in improving security without forgoing remote
access of internal email, Symantec offers products and technology acquired from
Sygate Corporation, which enable end-point security compliance for various email
clients.
The Sygate Network Access Control product works with network access
infrastructure to require systems be in compliance with IT policy, before they are
allowed to connect to the LAN or VPN.
This protects the network and increases productivity and network availability.
Sygate Endpoint Protection fully automates the process of updating systems that
are out of compliance, reducing the burden on help desk staff.
The Sygate Endpoint Protection product safeguards computers, networks, and
data, as follows:
■ Ridding the network of non-compliant endpoints with universal network access
control
■ Ensuring Compliance on Contact™ with the enterprise network across all LAN,
wireless LAN, and remote access network entry points
■ Protecting endpoints with innovative desktop firewall, host-based intrusion
prevention, and peripheral device control technologies that are tightly
integrated into the Sygate Network Access Control product
The Sygate On-Demand product eliminates the exposure to risk created by
unmanaged devices and guarantees compliance on contact, as follows:
■ Delivering an On-Demand Agent to unmanaged devices that adapts its
protection to the environment
■ Ensuring that unmanaged devices are in compliance with security policies
while connected to the network
■ Preventing the unauthorized transfer of data from networks and devices
■ Protecting confidential data using a secure Virtual Desktop environment that
separates, encrypts, and erases confidential data upon session termination
These capabilities are especially useful to organizations interested in secure email
access from outside the corporate or organizational intranet.
Intelligent monitoring products and services
In addition to the products described in this book, Symantec offers a security
service that has significant appeal to customers seeking the highest possible levels
of IT security. DeepSight™ Alert Service is one of Symantec’s Managed Security
services, and serves to alert organizations to impending threats spreading on the
Internet. It also informs customers of security measures that they should take to
fortify their systems, when they receive warnings.
Symantec Professional Services
Symantec Professional Services enables organizations to implement best-practices
security and availability measures across the enterprise, through comprehensive
security and availability assessments, and comprehensive planning and design.
Professional Services develops strategies for managing and reducing risks to help
organizations protect business-critical assets.
The needs of every organization are unique, but with many common themes. The
Symantec solution can be tailored to best meet the particular needs of an
organization, once the analysis has been done to design the solution
implementation. A good design includes not only the hardware, software, and
network components, but also corporate policy definition and translation,
implementation and deployment phasing, PST migration planning, growth
planning, and operational best practices.
Symantec Training, Customer Support, and Consulting Services are prepared to
help every customer make the most of their product purchases. Symantec services
can assure that customers make the right decisions on how, when, and where to
deploy these products through training, consulting, and support services.
Symantec Consulting Services
Symantec Consulting Services provides organizations with best-practice security
and availability measures through comprehensive assessments, planning, and
design consultation. The result is enhanced protection of critical business assets.
Symantec recommends that customers who deploy Enterprise Vault engage
Symantec Consulting Services prior to product implementation, to ensure that
customer needs are met with the deployment. Enterprise Vault enables many
varying policies for and implementations of information archiving and retrieval.
Defining the correct policies and the hardware and software implementation is
a non-trivial exercise to which Symantec Consulting Services brings significant
experience.
Symantec Advisory Services
Symantec Advisory Services offers security and availability consulting services
designed for proactive security and availability risk management. The Symantec
approach addresses the enterprise risk management life cycle from strategy
development to incident readiness, with a continuous focus on minimizing risks,
stabilizing security costs, and reducing complexity.
Symantec Advisory Services consultants combine technical expertise with a
business focus to create comprehensive security and availability solutions. The
delivery process emphasizes knowledge transfer, ensuring that every aspect of a
project’s findings can be successfully implemented and managed.
Symantec Solutions Enablement Services
Symantec Solutions Enablement Services provides organizations with security
and availability product design and implementation, and knowledge transfer
services for Symantec enterprise products. Symantec security and availability
experts assess technology needs, design the best systems and architectures, and
implement the appropriate products at the client, server, and gateway tiers.
Security and availability knowledge transfer services offer detailed product and
technology information transfers and on-site training. They can also provide custom
security services to help monitor and manage the implementation.
For example, Enterprise Vault Services consultants can assist with designing,
deploying, and optimizing archive and information management systems.
Symantec Gateway Security Services consultants use best practices to effectively
implement an integrated gateway security solution based on Symantec Gateway
Security appliances.
Symantec Secure Application Services
In today’s business world, success depends on the ability to capture, analyze, and
share information. But the software applications that businesses rely on for critical
operations are increasingly exposed to security risks.
Symantec Secure Application Services helps organizations identify and mitigate
the risks that threaten applications and the integrity of a company’s valuable
information assets. Symantec consultants follow a programmatic approach,
instilling security best practices across an application’s entire life cycle.
Symantec EMM solution summary
The Symantec solution for Enterprise Messaging Management for Microsoft
Exchange is a comprehensive messaging solution that assures the security,
availability, and resilience of messaging systems and information. It also reduces
the total cost of maintenance of the messaging infrastructure.
The solution takes a comprehensive approach to email security, incorporating
antivirus, antispam, archiving, backup and recovery, and storage management
capabilities. Implementing the Symantec solution minimizes deployment issues,
as the solution is tested and proven, sold and supported by a single vendor.
The following products described in this book can be included in the Symantec
solution:
■ Symantec Mail Security 8160 traffic shaping appliance
■ Symantec Mail Security for the Email Gateway – available as software (SMS
for SMTP), appliance (SMS 8260), or hosted (Symantec Hosted Mail Security)
deployment options
■ Symantec Mail Security for Microsoft Exchange
■ Veritas Enterprise Vault
■ Veritas Enterprise Vault Discovery Accelerator option
■ Veritas Enterprise Vault Compliance Accelerator option
■ Veritas Storage Foundation for Windows
■ Veritas Storage Foundation High Availability for Windows (Veritas Cluster
Server)
■ Symantec Backup Exec
■ Symantec IM Manager
This Symantec solution lowers the overall cost of ownership by significantly
reducing the burden at all layers of the email infrastructure. This includes storage
costs and the operational costs associated with attempting to scale infrastructure
and maximize performance.
The solution offers the following capabilities:
■ Improved resilience to failures, which improves the availability of messaging
systems, capable of reducing messaging downtime to minutes per year
■ Multi-layered email security that works at the network and Exchange server
(groupware) tiers to prevent unwanted email from entering the organization
■ Antivirus and antispam technologies that protect against spam, phishing
attacks, and viruses
■ Archiving capabilities that can reduce email storage volumes (and costs) on
Exchange servers while assuring the availability of information, and also
facilitating Microsoft Exchange server migration
■ Integrated content compliance enforcement tools that assure that unauthorized
or inappropriate content does not leave the organization via email
■ Information search and retrieval tools that significantly aid compliance and
the legal discovery process for email, IM, and other business records
Chapter 4: Enterprise Messaging Management infrastructure
This chapter includes the following topics:
■ Infrastructure configuration for the Symantec solution
■ Summary checklists for the end-to-end solution
■ Requirements for the Symantec solution
■ Solution sizing and performance guidelines
Infrastructure configuration for the Symantec solution
This chapter describes the reference architecture of the Symantec™ solution for
Enterprise Messaging Management and its components. The Symantec products
that comprise this reference architecture solution reduce the risk of security
threats, increase reliability of network traffic, and protect and secure email and
instant messaging (IM) communications.
The Symantec™ Mail Security 8160 appliance (8160 appliance) can be deployed
on the network to channel email traffic at the TCP protocol level. The 8160
appliance effectively stops spam before it enters the network, while ensuring the
continuous flow of legitimate email. The deployment of the 8160 appliance is
recommended for organizations with 2,000 or more users.
The reference architecture is configured with a double firewall at the gateway.
Email and instant messages that come through the outer firewall must go through
a demilitarized zone (DMZ) containing one of two Symantec gateway security
products. Inside the DMZ, either two Symantec™ Mail Security 8260 appliances,
or two Symantec™ Mail Security for SMTP servers are deployed for spam and
threat removal, and content filtering on inbound and outbound messages.
In a typical deployment, for example, an organization would use either the two
Symantec 8260 appliances or the two Symantec Mail Security for SMTP servers.
One appliance or one server can be dedicated to inbound mail, while the second
appliance or second server handles inbound and outbound mail. In addition,
Symantec™ IM Manager is deployed at the gateway to manage threats and content
associated with IM traffic. Using IM Manager, all instant messaging sessions are
filtered and analyzed, and only authorized protocols and users can establish
instant messaging sessions.
Veritas Cluster Server is implemented to create an Exchange Server cluster.
Implementing a highly available Exchange cluster assures the uninterrupted
delivery and archiving of email.
Symantec™ Mail Security for Microsoft Exchange is implemented on the clustered
Microsoft Exchange™ servers to prevent internal security threats from spreading
inside the firewall. This supplements security at the gateway tier and hardens
Exchange from internal and external threats. These threats can be introduced
into email by activities such as Web browsing, and by removable media such as
USB drives.
Veritas Enterprise Vault™ is deployed to reduce the Exchange message store sizes
by migrating old messages from Exchange to the Enterprise Vault tier. Enterprise
Vault also archives messages for regulatory and other purposes. Symantec IM
Manager provides the capability to archive instant messaging conversations, and
can be integrated with Enterprise Vault. In this way, all conversations through
email or instant messages can be archived and managed by the same policies and
techniques.
Once the messages are archived by Enterprise Vault, they can be searched,
categorized, and inspected. The Enterprise Vault™ Discovery Accelerator option
allows legal teams to conduct online searches of existing archive data in response
to an inquiry. The Enterprise Vault Compliance Accelerator allows organizations
to enforce a corporate strategy for message content compliance.
Symantec Backup Exec™ provides a comprehensive backup solution, which backs
up all the systems that are running. The FlashSnap option is licensed on the
Exchange server and the Backup Exec server to provide off-host backup of these
data-intensive servers in the form of an updatable snapshot. This enables rapid
recovery in the event of a system failure.
Finally, it is recommended that Veritas Storage Foundation™ for Windows is
installed on all the servers of the reference architecture solution. This provides
comprehensive disk storage management and high availability for the critical
servers that are part of the reference architecture of the Symantec solution.
Table 4-1 lists the Symantec products included in each tier of the solution.
Table 4-1 Products in the Symantec solution

Product: Symantec™ Mail Security 8160 appliance (optional)
Version: N/A
Solution tier: Email security: Network boundary
Description: Provides dedicated traffic-shaping features for organizations
with 2,000 or more users. This product is not a standard component of this
solution, but it may be applicable to organizations that have a high email
volume.

Product: Symantec™ Mail Security 8260 appliance
Version: N/A
Solution tier: Email security: Gateway
Description: Provides email security at the SMTP gateway, integrating the best
antispam, antivirus, and content filtering technologies to help organizations
reduce spam volume and eliminate threats.
Note: Either 8260 appliances or servers with Symantec Mail Security for SMTP
software can be installed as equivalent solution components.

Product: Symantec™ Mail Security for SMTP software (installed on server)
Version: 5.0
Solution tier: Email security: Gateway
Description: Provides email security at the SMTP gateway, using technology
that stops more than 97 percent of spam, while producing less than one false
positive for every million emails analyzed (a 99.9999 percent accuracy rate).
Note: Either 8260 appliances or servers with Symantec Mail Security for SMTP
software can be installed as equivalent solution components.
As of June 2006, Symantec Mail Security for SMTP 4.1 has merged with
Symantec BrightMail AntiSpam 6.0 to create Symantec Mail Security for SMTP
5.0.

Product: Symantec™ IM Manager
Version: 8.0
Solution tier: IM security: Gateway
Description: Seamlessly manages, secures, logs, and archives corporate
instant-messaging traffic; and includes certified support for public and
enterprise IM networks, including granular policy enforcement and security
controls for files, audio, video, VoIP, application sharing, and other
real-time communication capabilities. IM Manager mitigates the potential risks
associated with the use of IM in the enterprise.

Product: Symantec™ Mail Security for Microsoft Exchange
Version: 5.0
Solution tier: Email security: Mail Server
Description: Protects Exchange mail servers from viruses, messages that
overload the system, inappropriate message content, spam, and
denial-of-service attacks. This product enables organizations to create
multiple sets of criteria to identify threats and violations, and to specify
what actions to take in response to detected threats and violations.

Product: Veritas Enterprise Vault™ with Journaling
Version: 6.0 SP2
Solution tier: Email archiving: Archive
Description: Provides policy-based archiving of business-critical information
held within Microsoft Exchange and other business environments. This product
enables organizations to more easily manage storage growth and thereby reduce
hardware and management costs. Email or other data is archived and indexed
so that it is still easily available when needed.
The Journaling option enables Enterprise Vault to work seamlessly with
Exchange journaling.

Product: Veritas Enterprise Vault™ Compliance Accelerator (optional)
Version: 6.0
Solution tier: Email archiving: Archive
Description: Enables organizations to implement a corporate strategy for
regulatory and policy compliance. Email can be monitored or collected based on
criteria established by an organization, such as words and phrases used, date
ranges, size, author, or recipient.

Product: Veritas Enterprise Vault™ Discovery Accelerator (optional)
Version: 5.0 SP4
Solution tier: Email archiving: Archive
Description: Provides robust search and export tools, and enables designated
administrators or reviewers to conduct online searches of archived data in
response to an external legal request or an internal company inquiry.

Product: Veritas Storage Foundation™ for Windows with Veritas FlashSnap™
option
Version: 4.3 FP1
Solution tier: Resilient foundation: Server
Description: Provides comprehensive, centralized storage volume management of
all disk storage resources within and across domains. This product enables
GUI-based management of local and remote storage attached to a system while
the system remains online, including RAID configuration and performance
optimization.
The FlashSnap option enables the creation of independently addressable
point-in-time snapshots that are copies of mirrors of the volumes on a server.

Product: Veritas Storage Foundation™ High Availability for Windows®
Version: 4.3 FP1
Solution tier: Resilient foundation: Server
Description: Provides the same functionality as Veritas Storage Foundation for
Windows and supports setup and management of clustering.
Veritas Cluster Server (optional): Increases the availability of applications
by monitoring application status and automatically moving applications to an
alternate server in case of a fault.

Product: Symantec Backup Exec™ with SQL Agent (for Enterprise Vault and IM
Manager database backup) and Exchange Agent
Version: 10d
Solution tier: Resilient foundation: Server
Description: Provides high-performance data management by using a
client/server model to provide fast, reliable backup and restore capabilities
for servers and workstations throughout a network.
Figure 4-1 illustrates the network topology of the solution.
Figure 4-1 Topology of the Symantec solution
Summary checklists for the end-to-end solution
Deploying the Symantec end-to-end solution can be a complex project. The
following checklists can make the implementation tasks easier:
■ Pre-deployment checklist
■ Deployment checklist
Note: The checklists assume that Microsoft Exchange is already installed in the
environment.
Pre-deployment checklist
The pre-deployment checklist describes the prerequisites and the tasks that must
be completed during the deployment planning phase. This phase occurs before
the products in the Symantec solution are installed and configured.
To create an installation plan that best matches the needs of the organization,
complete all pre-deployment tasks in the following checklist:
Decide which products in the solution to use.
See Table 4-1 on page 71.
Decide which of the following products to use for AntiSpam and content filtering
at the gateway:
■ Symantec Mail Security 8260 appliance
■ Symantec Mail Security for SMTP on a standalone server
Decide whether to cluster the Exchange servers.
Decide which of the following Backup Exec media server deployment strategies
to use:
■ Centrally Administered Server option (CASO)
Can be used with SAN Storage Option (SSO)
■ Standalone media server option
■ SAN-configured media server
Can be used with CASO to provide centralized catalogs, which are required
for this option, and the ability to back up data over the SAN instead of the
LAN.
For more information, see the Backup Exec 10.d for Windows Servers
Administrator’s Guide.
Ensure that the necessary Backup Exec license is available for each Backup Exec
option that is implemented.
Required licenses for the solution are as follows:
■ Backup Exec Agent for Microsoft Exchange
Required for Exchange servers.
■ Backup Exec Agent for Microsoft SQL Server
Required for SQL Servers.
■ Backup Exec Remote Agent for Windows Servers
Remote agent licenses must be purchased for every protected server.
Additional licensing options are as follows:
■ Backup Exec Advanced Disk-based Backup Option (ADBO)
Required for off-host backup.
■ Backup Exec Advanced Open File Option (AOFO)
Ensures that files on local or remote servers are protected while in use by
handling open files at the volume level.
■ Depending on the hardware used to store backup data, additional licenses
(either standalone or robotic tape library configurations) are necessary for
each additional tape drive.
Gather the following information to plan the deployment of Enterprise Vault:
■ Determine email usage and archiving tasks.
Consider the retention policy, attachment policy, end-user search capability,
PST policies, and auditing requirements.
■ Gather current Exchange environment statistics to estimate the conversion
of email messages from Exchange to Enterprise Vault vaulted messages.
Determine the average email message size, the average number of emails
received per day, and the average mailbox size.
For more information, search the knowledge base for Exchange on the
Microsoft Web site.
■ Decide how quickly unstructured email data must be structured and indexed.
■ Determine the number and type of Enterprise Vault servers that will be
needed, based on the estimated email usage and archiving tasks, current
Exchange environment statistics, and timetable for indexing.
Plan for the following three conversion phases:
■ Archiving
Converting specific email from the Exchange information store to Enterprise
Vault.
■ Indexing
Making unstructured email structured and making email accessible.
■ Steady state
Migrating new email on a daily basis according to the organization’s email
archiving policy.
Note: Document the Enterprise Vault deployment plan. Deploying Enterprise
Vault usually starts with a minimum three-day engagement with Symantec
Professional Services to develop a deployment plan.
Prepare the Exchange environment for Enterprise Vault deployment.
See “Best practices for preparing the Enterprise Vault environment” on page 157.
Have all required licenses for all products, and all licensable product features
and options, that are recommended for the solution.
Ensure that all pre-installation and system requirements are met.
See “Requirements for the Symantec solution” on page 78.
Prepare the IM Manager environment for IM Manager deployment.
See “Best practices for preparing the Enterprise Vault environment” on page 157.
Deployment checklist
The deployment checklist describes the tasks that must be performed to implement
the Symantec solution. All items in the pre-deployment checklist must already
be completed. The implementation tasks should be performed in the order listed.
Note: Review the product documentation to learn the information necessary to
successfully install and configure the product before deployment.
Deploy Symantec Mail Security for Microsoft Exchange, as follows:
■ Install Symantec Mail Security for Exchange on every Exchange server in
the environment.
■ Configure the Symantec Mail Security console to manage the Exchange
servers.
If Storage Foundation for Windows is part of the deployment plan, install it now
on all servers.
Note: If the Exchange servers will be clustered, install Storage Foundation High
Availability for Windows on the Exchange servers to enable clustering.
If Storage Foundation High Availability for Windows is being installed to cluster
Exchange servers, configure the virtual Exchange server.
See “Best practices for Veritas Storage Foundation High Availability for
Windows” on page 190.
Deploy Backup Exec, as follows:
■ Install and configure the Backup Exec server.
■ Install the Backup Exec remote agents on all servers that are part of the
solution.
If the Symantec Mail Security 8260 appliance for AntiSpam and content filtering
at the gateway is part of the deployment plan, do the following:
■ Install the 8260 appliance.
■ Update resident software/installed software. This is not done automatically.
A live internet connection is required to update the software on the appliance.
■ Configure the 8260 appliance.
If the Symantec Mail Security for SMTP server software for AntiSpam and
content filtering at the gateway is part of the deployment plan, do the following:
■ Install the Mail Security for SMTP software on a supported Windows server.
■ Configure the Mail Security for SMTP software.
Optionally, add the Symantec Mail Security 8160 appliance outside the firewall.
Note: The 8160 appliance is not a core component of the solution. It provides
dedicated traffic-shaping features, which are useful for organizations of 2,000
or more users.
Install and configure Enterprise Vault in the Exchange environment.
See “Best practices for installing Enterprise Vault” on page 163.
Optionally, deploy Enterprise Vault Compliance Accelerator on a standalone
server.
See “Best practices for installing and configuring Enterprise Vault Compliance
Accelerator” on page 238.
Optionally, deploy Enterprise Vault Discovery Accelerator on a standalone
server.
See “Best practices for installing and configuring Enterprise Vault Discovery
Accelerator” on page 233.
Install the Backup Exec remote agents on any remaining servers in the solution.
Install and configure the IM Manager environment.
See “Best practices for configuring IM Manager” on page 119 for more information.
Requirements for the Symantec solution
This section provides an overview of the minimum recommended hardware and
software requirements for each Symantec product that is included in the reference
architecture for the Symantec solution for Enterprise Messaging Management
for Microsoft Exchange.
The requirements information is organized by solution tier, as follows:
■ Email security
See “Email security hardware and software requirements” on page 78.
■ Email archiving
See “Email archiving hardware and software requirements” on page 81.
■ Foundation
See “Solution foundation hardware and software requirements” on page 82.
This information is not intended as a substitute for the detailed prerequisites and
requirements that are documented in the deployment, planning, installation, and
implementation guide for each product. Before deploying any product in the
solution, refer to the appropriate guide for more information.
See “Summary checklists for the end-to-end solution” on page 73.
Email security hardware and software requirements
The email security components of the Symantec solution for Enterprise messaging
management include the products in the following list. You can use either the
Symantec Mail Security 8260 appliance or Symantec Mail Security 5.0 for SMTP.
The antispam, antivirus, and email firewall capabilities of the 8260 appliance
make it the preferred option for organizations with 1000-2500 employees.
Administrators can choose the option that best meets the organization’s needs.
■ Symantec Mail Security 8260 appliance
See “Symantec Mail Security 8260 appliance requirements” on page 79.
■ Symantec Mail Security 5.0 for SMTP
See “Symantec Mail Security 5.0 for SMTP requirements” on page 79.
■ Symantec Mail Security 5.0 for Microsoft Exchange
See “Symantec Mail Security 5.0 for Microsoft Exchange requirements”
on page 80.
Symantec Mail Security 8260 appliance requirements
The Symantec Mail Security 8260 appliance has the following requirements:
Web browser: The appliance is managed through a secure Web connection using
one of the following browsers:
■ Microsoft® Internet Explorer 6.0
■ Netscape® 7.2
■ Firefox® 1.0
Users: No more than 10,000 users are allowed.
LDAP: Required for LDAP-based group policies or alias expansion.
MTA: The Message Transfer Agent (MTA) that is included with the appliance
relays mail to existing email servers. It does not provide final mail
delivery functions or client access to mail via POP.
For more information, refer to the Symantec Mail Security 8200 Series Planning
Guide.
Symantec Mail Security 5.0 for SMTP requirements
Table 4-2 lists the minimum requirements for Symantec Mail Security 5.0 for
SMTP.
Table 4-2 Symantec Mail Security 5.0 for SMTP requirements
Operating system: Windows 2000 Server with SP4, or Windows Server 2003 with
SP1
Processor: Intel® Pentium® 4 or higher, or compatible
Memory: 1 GB of RAM, minimum; 2 GB or more, recommended
Disk space for installation: 512 MB, minimum; 2 GB or more, recommended
Storage space: Normal filtering operations do not generally require much disk
space. The optional extended logging and statistics features, and the
Web-based Quarantine feature require additional storage to be allocated.
For more information about requirements for various deployment options, refer
to the Symantec Mail Security for SMTP Deployment Planning Guide.
Symantec Mail Security 5.0 for Microsoft Exchange requirements
Symantec Mail Security for Microsoft Exchange can be added to existing Exchange
servers, or can be part of a new Exchange deployment.
For more information to support a successful deployment of this software, refer
to the Symantec Mail Security for Microsoft Exchange Implementation Guide.
Table 4-3 lists the basic Symantec Mail Security for Microsoft Exchange server
requirements.
Table 4-3 Symantec Mail Security for Microsoft Exchange server requirements
Operating system:
■ Windows 2000 Server or Advanced Server with SP4
■ Windows Server 2003, Standard Edition or Enterprise Edition, with SP1
Exchange platform:
■ Exchange 2000 Server (SP3) or Enterprise Server
■ Exchange Server 2003 or Enterprise Server
Processor: Intel® Pentium® III or higher, or compatible
Memory: 1 GB of RAM
Disk space: 190 MB for local installation and 260 MB for remote installation
Web browser: Microsoft Internet Explorer 6.0
Table 4-4 lists the requirements for the Symantec Mail Security console. This is
a Web-based management application that can be installed on the Symantec Mail
Security server, or on another workstation for remote management.
Table 4-4 Symantec Mail Security console requirements
Operating system:
■ Windows 2000 Server or Advanced Server, with SP4
■ Windows Server 2003, Standard Edition or Enterprise Edition, with SP1
■ Windows XP
Disk space: 140 MB for Mail Security Console installation
Web browser: Microsoft Internet Explorer 6.0
Other software: Microsoft Management Console (MMC) 1.2
Email archiving hardware and software requirements
Enterprise Vault 6.0 provides email archiving for the Symantec solution to email
security.
Each of the following components should be installed on a separate, standalone
server:
■ Enterprise Vault with Journaling
Journaling is a licensable option that supports Microsoft Exchange journaling.
It ensures that email messages are retained to meet regulatory or legal
retention requirements.
■ Enterprise Vault Compliance Accelerator (optional)
Compliance Accelerator is a licensable option that ensures compliance with
regulatory bodies. It provides supervisory review of email. It is an optional
component of the solution.
■ Enterprise Vault Discovery Accelerator (optional)
Discovery Accelerator is a licensable option that provides a fast, efficient,
customizable email search process for legal discovery. It is an optional
component of the solution.
■ Microsoft SQL Server 2000
Enterprise Vault requires access to Microsoft SQL Server for data storage,
which means that SQL Server must be installed and licensed on a computer
to which Enterprise Vault has access. For SQL Server requirements, see the
SQL Server documentation. For additional details of the SQL Server version
requirements for Enterprise Vault, Discovery Accelerator, and Compliance
Accelerator, refer to Chapters 6 and 9.
Table 4-5 lists the requirements for Veritas Enterprise Vault.
Table 4-5 Veritas Enterprise Vault requirements
Operating system:
■ Windows 2000 Server, Advanced Server, or Datacenter Server; Service Pack 4
required
■ Windows 2003 Server, Standard Edition, Enterprise Edition, or Datacenter;
Service Pack 1 optional
Processor: Intel® Pentium® III or higher, Dual CPU, 900 MHz or greater
Memory: 4 GB of RAM, minimum
System disk: Mirrored system disk and separate local data disk recommended
Storage: RAID, NAS, or SAN storage device recommended
For more information, refer to Installing and Configuring Enterprise Vault 6.0.
Table 4-6 lists the requirements for IM Manager.
Table 4-6 IM Manager requirements
Operating system: Windows 2000 with SP3 or Windows 2003
Processor: 1.8 GHz Pentium III dual-processor
Memory: Required: 256 MB; recommended: 512 MB
System disk: Required: 10 GB; recommended: 30+ GB hard disk. (Disk space is
for the SQL Server. For larger implementations, a RAID array with additional
spindles is recommended.)
Storage: RAID, NAS, or SAN storage device recommended
For more information, refer to Symantec IM Manager Installation Guide 8.0.
Solution foundation hardware and software requirements
The components of the foundation of the Symantec solution for Enterprise
messaging management include the following products:
■ Storage Foundation for Windows 4.3 with FlashSnap option
See “Storage Foundation 4.3 for Windows requirements” on page 83.
■ Storage Foundation High Availability for Windows
See “Storage Foundation High Availability 4.3 for Windows requirements”
on page 85.
■ Backup Exec 10d
See “Backup Exec requirements” on page 86.
IT personnel can choose to deploy Storage Foundation for Windows or Storage
Foundation High Availability for Windows, depending on the clustering
requirements of the infrastructure.
Storage Foundation 4.3 for Windows requirements
Storage Foundation for Windows should be installed on all servers in the solution.
The FlashSnap option should be licensed for the Exchange and Backup Exec
servers.
Note: For any installation where multiple products are installed on the same
server, ensure that the server meets the requirements of all the products that are
to be installed on that computer.
Table 4-7 lists the hardware and software requirements for Storage Foundation
for Windows.
Table 4-7 Storage Foundation for Windows requirements
Operating system: See Table 4-8 on page 84.
Processor: 550 MHz Pentium III or higher, recommended.
Memory: 512 MB of RAM per system, minimum; 1 GB, recommended.
Disk space: See Table 4-9 on page 85.
Storage devices: Storage Foundation for Windows supports any device in the
Microsoft Windows Server Catalog, unless DMP Array Support Libraries (ASLs)
or clustering are being used. If DMP ASLs or clustering are being used, refer
to the product documentation for more information about compatible storage
devices.
Storage access: SCSI, Fibre Channel, iSCSI host bus adapters (HBAs), or iSCSI
Initiator-supported NICs to access shared storage.
Firewall and Anti-spyware: Spyware monitoring and removal software must be
disabled before installing Storage Foundation for Windows. The firewall must
also be disabled to enable discovery of the local client.
Storage Foundation for Windows includes server and client components.
Table 4-8 shows the operating systems that are supported by Storage Foundation
for Windows servers and clients.
Table 4-8 Storage Foundation for Windows server and client operating system
requirements
■ Windows 2000 Server, Advanced Server, or Datacenter Server
Service Pack 4 required
Server: Yes. Client: Yes.
■ Windows Server 2003 (32-bit): Standard Edition, Enterprise Edition, or
Datacenter Edition
Service Pack 1 recommended, but not required
Server: Yes. Client: Yes.
■ Windows Server 2003 (32-bit) Web Edition
Service Pack 1 recommended, but not required
Server: Yes. Client: No.
■ Windows Server 2003 for 64-bit Itanium® (IA64): Enterprise Edition or
Datacenter Edition
Service Pack 1 required
Server: Yes. Client: Yes.
■ Windows Server 2003 for Intel® Xeon® (EM64T) or AMD Opteron™: Standard x64
Edition, Enterprise x64 Edition, or Datacenter x64 Edition
Server: Yes. Client: Yes.
■ Windows XP Professional
Service Pack 1 required; Service Pack 2 supported
Server: No. Client: Yes.
■ Windows 2000 Professional
Server: No. Client: Yes.
Table 4-9 shows estimates of disk space requirements for the initial installation
of Storage Foundation for Windows. Installation on a non-system drive requires
space on both the system drive and the non-system drive.
Table 4-9 Storage Foundation for Windows disk space requirements
■ Server components (all options)
System drive: 600 MB
Non-system drive: System space: 475 MB; Non-system space: 150 MB
■ Client components
System drive: 475 MB
Non-system drive: System space: 425 MB; Non-system space: 75 MB
■ Server (all options) and client components
System drive: 675 MB
Non-system drive: System space: 500 MB; Non-system space: 200 MB
■ Language pack
System drive: 300 MB
Non-system drive: System space: 200 MB; Non-system space: 125 MB
For additional information about Storage Foundation for Windows requirements,
refer to the Storage Foundation High Availability Solutions 4.3 Installation and
Upgrade Guide.
Storage Foundation High Availability 4.3 for Windows requirements
Table 4-10 shows the operating systems that are supported by Storage Foundation
High Availability for Windows servers and clients.
Table 4-10 Storage Foundation High Availability for Windows operating system
requirements
■ Windows 2000 Server, Advanced Server, or Datacenter Server
Service Pack 4 required
Server: Yes. Client: Yes.
■ Windows Server 2003 (32-bit): Standard Edition, Enterprise Edition, or
Datacenter Edition
Service Pack 1 recommended, but not required
Server: Yes. Client: Yes.
■ Windows Server 2003 (32-bit) Web Edition
Service Pack 1 recommended, but not required
Server: File Share only. Client: No.
■ Windows Server 2003 for 64-bit Itanium (IA64): Enterprise Edition or
Datacenter Edition
Service Pack 1 required
Server: Yes. Client: Yes.
■ Windows Server 2003 for Intel Xeon (EM64T) or AMD Opteron: Standard x64
Edition, Enterprise x64 Edition, or Datacenter x64 Edition
Server: Yes. Client: Yes.
Table 4-11 estimates disk space requirements for the initial installation of Storage
Foundation High Availability for Windows. Installation on a non-system drive
requires space on both the system drive and the non-system drive.
Table 4-11 Storage Foundation High Availability for Windows disk space
requirements
■ Server components (all options)
System drive: 950 MB
Non-system drive: System space: 575 MB; Non-system space: 375 MB
■ Client components
System drive: 565 MB
Non-system drive: System space: 445 MB; Non-system space: 125 MB
■ Server (all options) and client components
System drive: 1050 MB
Non-system drive: System space: 650 MB; Non-system space: 450 MB
■ Language pack
System drive: 300 MB
Non-system drive: System space: 200 MB; Non-system space: 125 MB
For additional information about Storage Foundation High Availability for
Windows requirements, refer to the Storage Foundation and High Availability
Solutions 4.3 Installation and Upgrade Guide.
Backup Exec requirements
Table 4-12 lists the hardware and software requirements for Backup Exec 10d
with SQL Agent (for Enterprise Vault and IM Manager database backup) and
Exchange Agent.
Table 4-12 Backup Exec requirements
Operating system:
■ Microsoft Windows 2000 Server™ family
■ Microsoft Windows 2003 Server family
■ Microsoft Windows XP (Service Pack 1 or later)
■ Microsoft Windows Storage Server 2003
■ Microsoft Small Business Server 2003 Standard and Premium
Internet browser: Microsoft Internet Explorer 6.0 or later.
Processor: Intel® Pentium® III, Xeon, or higher, or compatible.
Memory: 256 MB RAM, minimum; 512 MB RAM or more, recommended. RAM
requirements vary depending on operations performed, the options installed,
and the specific machine configuration.
Virtual memory: 20 MB more than the Windows recommended size for total paging
file size (the total for all disk volumes) is recommended.
Disk space: 350 MB, minimum, for typical installation. 550 MB, minimum, for
all options. Disk space requirements vary depending on the operations
performed, the options installed, and the specific system configuration.
Backup Exec database and catalogs require additional space, up to 2 GB or
more.
Storage hardware: Minimum of 1 storage media drive or single-drive robotic
library with the appropriate controller card.
Agent licenses: Required agent licenses include the following:
■ Backup Exec Agent for Microsoft Exchange
■ Backup Exec Agent for Microsoft SQL
■ Backup Exec Remote Agent
Remote agent licenses must be purchased for every protected server.
For more information about Backup Exec requirements, refer to the Backup Exec
10d for Windows Servers Administrator’s Guide.
Solution sizing and performance guidelines
This section provides sizing and performance considerations that expand on the
system requirements previously covered. It also focuses on the complete system
architecture to be deployed.
Guidelines and best practices are provided according to the number of computers
in the deployment. For customer environments that host between 1000 and 2500
Exchange mailboxes and run Symantec Mail Security for Exchange and Enterprise
Vault, the appropriate CPU count, memory size, and number of disks are defined.
These guidelines are not intended to replace complete deployment
recommendations, but to assist with decisions relevant to deploying and sizing
the hardware for the Symantec solution. These guidelines are based on sizing and
performance tests done by Symantec in partnership with IBM®. This partnership
provides enterprise messaging management software along with server and
storage products that offer high performance, flexibility, manageability, and
scalability for Microsoft Exchange environments.
Sizing and performance criteria
In Exchange server environments, system availability, throughput, and response
time contribute significantly to the overall service level.
From the user perspective, the most important criterion is the overall response
time. Users require response times that are under one second for email, and
sluggish performance, such as response times that are over one second, can be
frustrating.
On the Exchange server, system requirements for the workload and service-level
requirement should be determined. In addition, the performance impact of
Symantec Mail Security and Enterprise Vault on the server's storage system should
be measured. It is important to determine the scalability and storage available in
the server and storage systems that make up the solution. Running the Exchange
server systems at thresholds can cause unpredictable and unstable behavior, and
can seriously impact the availability and system service levels.
Hardware configuration
The system sizing and performance tests were performed using IBM servers and
storage.
For server systems, the IBM BladeCenter® and IBM BladeCenter® HS20 servers
were used. The BladeCenter chassis supports external storage solutions and
provides component predictive failure analysis. The HS20 server is an ultra-dense,
highly manageable, modular computing platform that is optimized for high speed
network applications. The BladeCenter chassis and BladeCenter servers provide
integrated systems management and can easily scale to meet the requirements
of demanding network applications.
The BladeCenter servers and BladeCenter chassis were configured as follows:
Microsoft Exchange and Microsoft SQL:
■ IBM BladeCenter HS20 server
■ 2 Intel Xeon 3.60 GHz processors
■ 4 GB RAM
■ 2 x 36 GB Ultra320 SCSI internal hard disk drives (Raid 1)

Enterprise Vault, Domain Controller, and Load Simulator:
■ IBM BladeCenter HS20 server
■ 2 Intel Xeon 3.60 GHz processors
■ 2 GB RAM
■ 2 x 36 GB Ultra320 SCSI internal hard disk drives (Raid 1)

BladeCenter® chassis:
■ 14 double processor blade bays
■ DVD-ROM and diskette drive accessible from each server
■ 4 switch module bays
   2 Cisco BladeCenter Gigabit Ethernet switches
   2 Brocade BladeCenter Fibre Channel switches
■ 4 power supply modules (hot-swap and redundant 2000W
with load-balancing and failover)
■ 2 hot-swap cooling modules
■ 1 system management hardware module
The IBM TotalStorage® DS4500 was used as the primary storage system. The IBM
TotalStorage DS4500 delivers excellent disk performance and outstanding
reliability for data-intensive applications. The IBM TotalStorage DS4500 also
offers advanced replication services to support business continuity and disaster
recovery.
The IBM TotalStorage DS4500 was configured as follows:
IBM TotalStorage® DS4500:
■ Dual active 2 GB RAID controllers
■ 2 GB cache (battery-backed)
■ Fibre Channel (FC) Switched and FC Arbitrated Loop
(FC-AL) host interface
■ 4-8 mini hubs
■ FC-AL drive interface
■ RAID level 10
■ 94 hard disk drives using 7 DS4000 EXP700 enclosures
■ Dual redundant, hot-swappable fans and power supplies
■ All hard drives in the test configuration are 15,000 RPM
If secondary WORM storage is required, the IBM System Storage DR550 array
can be used. The architecture of the DR550, which includes hardware redundancy
and IBM autonomic computing technologies, is designed to bring enterprise-class
reliability, scalability, and performance to open-systems environments.
The IBM DR550 is well-suited for archiving e-mail, instant messages, digital
images, contracts and other documents. It also has advanced policy-based data
archival and retention capabilities to help organizations address corporate
governance practices and emerging government and industry regulatory
requirements.
The IBM DR550 lets organizations store, retrieve, manage, share, and secure
regulated and non-regulated data by delivering an integrated solution as a single
unit. The DR550 offers both synchronous and asynchronous replication and
supports up to 112 TB of non-erasable and non-rewriteable physical disk capacity.
When used with attached tape or optical devices, the DR550 can provide essentially
unlimited storage capacity.
Table 4-13 describes the features of the IBM System Storage DR550.
Table 4-13 IBM System Storage DR550 features

DR550 feature: Event-based records management
Description: Allows for the management of data without an explicit
retention period. Records are protected from deletion until
a specific event occurs.

DR550 feature: Deletion hold management
Description: Allows for a designated retention date to be suspended when
a record or set of records must be retained for legal, audit,
or other reasons.

DR550 feature: Hierarchical storage management
Description: Enables data management on multiple tiers of storage to
reduce the total cost of ownership (TCO) for long term
content retention.

DR550 feature: Data protection
Description: Prevents the explicit deletion of data until the specified
retention criteria is met.

DR550 feature: Policy enforcement
Description: Enforces data protection policies that maintain the data in
non-erasable and non-rewriteable formats.

User profile
In order to stress the CPU, memory, and I/O subsystems of the Exchange server,
a user profile was specified to pattern a typical, real-world workload. The profile
was based on the Microsoft® Exchange Server 2003 Load Simulator (LoadSim).
The characteristics described in the profile may not be representative of the
average email user in your organization. In most organizations, email usage is
not uniform; email usage can be light, medium, or heavy. The load generated for
the heavy-use profile is an approximation, but is heavier than most organizations
would typically experience.
The heavy-use email user has the following attributes:
■ Maintains a 100 MB mailbox
■ Receives 209 mail messages per day
■ Replies to the sender of 22 messages per day
■ Replies to all recipients of 10 messages per day
■ Forwards 10 messages per day
■ Requests .1 meetings per day
■ Makes .2 appointments per day
■ Browses the calendar 3 times per day
■ Sends a total of 53 messages per day
The email data sets that were used in the testing also patterned typical real-world
examples. The data sets that were used to pre-populate the Exchange server and
to place the system under load were based on the Microsoft Exchange Server 2003
Load Simulator heavy-use profile.
The heavy-use email data set is defined as follows:
■ Average email size is 70 KB
■ Maximum email size is 5 MB
■ 85% of messages range from 2 KB to 80 KB in size and do not have attachments
■ 10% of messages have a small (less than 2 MB) attachment
■ 5% of messages have a large (2 to 5 MB) attachment
The user and data set profiles reflect the number of internal, virus-free messages
that a heavy-use email user is expected to send and receive. Typically, companies
receive the majority of email containing spam and viruses from external sources.
This challenge is addressed in the reference architecture solution by the inclusion
of the Symantec Mail Security 8260 appliance. The 8260 appliance removes spam
and virus-infected emails from external email before it reaches the Exchange
server. Including perimeter email security leaves additional bandwidth on the
Exchange server to handle legitimate email.
Baseline server and storage configurations
Before deploying the Symantec solution for Enterprise Messaging Management,
the Exchange servers were configured for optimal performance. In addition, the
Enterprise Vault servers were configured to simulate a typical customer
environment.
Exchange server configuration
The Exchange server cluster was configured for optimal performance by running
the Exchange Server Best Practices Analyzer. The appropriate best practices for
tuning and configuring the Exchange servers were then followed.
Exchange is an I/O intensive application. Performance is dependent on the
performance of the disk and I/O subsystem. Implementors must understand the
different characteristics of Exchange I/O and how to optimize the storage system
for the Exchange server access. Different types of data should be stored on separate
volumes that are optimized for the predominant type of I/O access.
Enterprise Vault configuration
Deploying Enterprise Vault to archive and journal Exchange email requires the
following hardware components:
■ Enterprise Vault server
■ Microsoft® SQL Server
■ Storage for Enterprise Vault stores
■ Storage for Enterprise Vault indexes
Before starting the tests, the Enterprise Vault server was configured to simulate
a typical customer environment. To appropriately size Enterprise Vault systems
for deployment, careful examination of many variables is required. Implementors
must be aware of factors such as the amount of data to be archived, the average
size of the messages, the number of email attachments that need to be processed,
and when and how often messages are archived.
The number of messages per user that match the archiving policy per day
determines the amount of data that is archived per day. This is the most important
variable to consider when sizing Enterprise Vault systems.
An equally important Enterprise Vault performance consideration is conversion.
Before an item is moved into a user’s vault, the Enterprise Vault Storage Service
compresses the item and adds a text or HTML version of the item. This conversion
is the largest consumer of CPU cycles on the Enterprise Vault server. When
archiving data, the Enterprise Vault server typically uses 75% to 100% CPU
processing capability.
Enterprise Vault must copy email and attachment data from the Exchange server
in order to archive it. This data movement from the Exchange server requires
additional CPU, storage, and network resources. Although Symantec recommends
that Enterprise Vault archiving happen at night, for the purposes of the performance
and sizing test, the archiving was run under the heavy-use email load.
When journaling is enabled, the journaling activity runs on the Exchange server
continuously to journal email as it is sent and received. When journaling, the
Exchange server copies messages to a journaling mailbox, which contains a record
of all sent and received email. This additional message processing adds additional
CPU overhead to the Exchange server and uses additional storage resources.
Storage configuration
The IBM TotalStorage DS4500 was used as the primary Exchange storage device.
The DS4500 has 96 disk spindles that are available across two array controllers.
The baseline environment included Storage Foundation for Windows on the
Exchange server, and the storage layout remained constant across all test
scenarios.
A summary of the storage layout follows:
■ The volume layout for the Exchange database was RAID 10. The database
volume had 20 disks assigned per mirror. Each was assigned to a separate
controller.
■ As shown in Table 4-14, eight arrays/volumes were created for the test
environment.
■ On the Exchange Server, Storage Foundation for Windows was used to create
a RAID 0 volume across both logical unit numbers (LUNs).
■ The Storage Foundation volume layout for the Exchange log files was RAID 1.
The log file volume had two disks.
■ All drives were 15000 RPM.
Table 4-14 describes the storage arrays and volumes that were created for the
test.
Table 4-14 Storage subsystem layout
Array | Volume | Size
Array 1 (Raid 1) | ExData1 (Exchange data) | 678.9 GB
Array 2 (Raid 1) | ExData2 (Exchange data) | 678.9 GB
Array 3 (Raid 1) | ExLog1 (Exchange logs) | 16.5 GB
Array 4 (Raid 1) | ExLog2 (Exchange logs) | 16.5 GB
Array 5 (Raid 1) | Spare | 233.8 GB
Array 6 (Raid 1) | EV (Enterprise Vault data) | 100.2 GB
Array 7 (Raid 1) | SQL (Enterprise Vault metadata) | 100.2 GB
Array 8 (Raid 1) | EV_index (Enterprise Vault index) | 16.5 GB
Array 9 (Raid 1) | VCS_Log (Veritas Cluster Server logs) | 16.5 GB
Test environment
Figure 4-2 shows the performance and sizing test environment:
Figure 4-2 Enterprise Messaging Management test environment
Test methodology
To measure the performance impact of the Enterprise Messaging Management
applications on the Exchange server, key performance metrics were measured
under varying loads for the baseline and test configurations.
The following performance metrics were measured:
■ User response time
■ Disk I/O operations per second (IOPS)
■ CPU utilization
First, the baseline Exchange environment was installed and configured. Then,
load tests for 1000, 1500, 2000, and 2500 users were run to measure the baseline
performance. Next, the enterprise messaging management suite was installed
and validated, and then, the load tests for each user set were run again.
The Microsoft Exchange 2003 Load Simulator (LoadSim) was used to simulate the
specified number of mail user agents. The mail user agent emulated the Microsoft
Outlook client, which uses MAPI (Messaging Application Programming Interface)
to access the Microsoft Exchange server. SMTP email traffic was not included in
the test.
LoadSim was configured to prorate an 8-hour test load over a period of four hours.
Results from the first and last hours of the test were discarded to remove ramp-up
and ramp-down effects on the data.
Test results
Performance tests were run for simulated environments of 1000, 1500, 2000, and
2500 users.
Table 4-15 shows the baseline and Enterprise Messaging Management test results
for each user count.
Table 4-15 Performance test results
User count | Baseline response time (ms) | EMM response time (ms) | Baseline IOPS | EMM IOPS | Baseline CPU utilization | EMM CPU utilization
1000 | 78 | 109 | 531.0 | 1131.0 | 7.60% | 25.80%
1500 | 104 | 114 | 878.0 | 1242.8 | 14.32% | 28.30%
2000 | 129 | 131 | 1285.6 | 1396.5 | 22.40% | 33.80%
2500 | 154 | 173 | 1519.9 | 1789.7 | 26.50% | 38.90%
Adding users to the baseline test resulted in the following increases in IOPS and
CPU utilization:
■ Average disk IOPS increase ranged from 200 to 400 for each additional 500
users.
■ Average processor utilization increase ranged from 4% to 8% for each
additional 500 users.
After installing the enterprise messaging management applications, the increase
of users resulted in the following increases in IOPS and CPU utilization:
■ Average disk IOPS increase ranged from 100 to 400 for each additional 500
users.
■ Average processor utilization increase ranged from 2% to 5% for each
additional 500 users.
Comparing the baseline and test results, the approximate performance impact of
the enterprise messaging management suite can be calculated.
Table 4-16 shows the increase in response time, disk IOPS and CPU utilization
for each user count.
Table 4-16 Increase due to EMM suite
User count | Response time increase | Average disk IOPS increase | Average CPU increase
1000 | 31 ms | 600 | 18%
1500 | 10 ms | 356 | 14%
2000 | 2 ms | 111 | 11%
2500 | 20 ms | 270 | 12%
Comparing the Enterprise Messaging Management results for each user count,
we can approximate the performance impact of each additional 500 users as
follows:
■ Average processor utilization increase of 14%
■ Average disk IOPS increase of 340
■ User response time increase of 16 ms
Results analysis
The BladeCenter chassis, HS20 BladeCenter servers, and the DS4500 TotalStorage
system provided an excellent platform for hosting the Symantec Enterprise
Messaging Management solution. The server and storage systems easily managed
the loads generated by all tests. Even in the 2500-user case, resources remained
in reserve to support additional users. The Exchange Server performed acceptably
when Enterprise Vault archiving and journaling were performed during the test.
In all tests, the amount of Exchange server data that was archived was limited by
the CPU bandwidth of the Enterprise Vault server system. The Enterprise Vault
server maintained a data archive rate of 1 GB per hour throughout the tests. While
archiving, the Enterprise Vault server CPU ran at above 90% average utilization
while the data rates remained approximately the same between tests.
IM Manager performance considerations
There are a number of considerations when sizing and scaling IM Manager
deployments. One important consideration is the number of users that will be
connecting to consumer instant message services. These services include AOL,
MSN, Yahoo, and Google Talk. A single IM Manager supports a minimum of 5000
concurrent users.
If more than 5000 users connect to instant message services concurrently, IT
personnel should consider deploying more than one IM Manager server, and then
deploying a network load balancer in front of the IM Manager servers. IM Manager
has been tested with hardware load balancers, as well as software load balancers.
You can contact Symantec support for more information at the following URL:
http://www.symantec.com/techsupp/immanager.htm
Another consideration is that IM Manager uses a resident SQL Server database
for storage of both configuration data and logged instant message conversations
prior to exporting to Enterprise Vault via email. The appropriate sizing of the
database must be considered. As a guideline, the average user logs about 4 MB of
conversation data per year, or about 4 GB of instant message conversation data
per year, per 1000 users in the IM Manager resident SQL Server database.
Symantec IM Manager provides database management tools that allow the
scheduled, logged conversation data to be exported to
Enterprise Vault. IM Manager also allows the conversation data to be purged once
it has been exported. If logged conversation data is not regularly archived, a larger
database will be required.
Chapter 5: Stopping unwanted email
This chapter includes the following topics:
■ The challenge of stopping unwanted email
■ A defense-in-depth strategy
■ Configuration overview
The challenge of stopping unwanted email
The challenges related to managing an organization's email infrastructure have
evolved rapidly, as email has become a mission-critical business application. Spam
and viruses present new and constantly changing threats, which amplify the risk
to email security and availability. To meet this challenge, IT personnel must
protect email infrastructure with a combined solution of accurate antispam and
antivirus technologies.
The proactive removal of spam, in combination with Symantec™ antivirus email
protection, markedly improves end user productivity and security. Stopping spam
that delivers phishing schemes, viruses, and restricted content before it reaches
a network saves the time and effort required to process the spam. It also reduces
the risk that a spam recipient may inadvertently execute a malicious file.
The automatic removal of spam combined with Symantec Backup Exec™ also
results in shorter backup and data recovery time. Only virus-free, valid emails
are backed-up, resulting in greater backup efficiency and improved security.
A defense-in-depth strategy
To ensure the security and availability of your business email, Symantec
recommends that organizations implement a multi-tiered solution. Each tier
reduces the downstream risk posed by security threats and spam. This solution
adds cumulative layers of protection around the desktop at strategic points
throughout your network.
Figure 5-1 shows each tier and the Symantec products that are available for
securing that tier.
Figure 5-1 Multi-tiered approach to email threat protection
The task of securing your business email system and keeping it available begins
with controlling and managing the flow of email throughout your organization.
This means removing spam, viruses, and unwanted or unneeded content from
your messaging infrastructure at specific points in time.
No single product is capable of protecting an organization against all email-related
threats. And no single tier of protection can offer 100-percent coverage, especially
against new and emerging threats. By applying different Symantec defenses at
multiple tiers, your email threat defense is strengthened as varied types of threats
are removed at multiple locations, wherever they are detected. Layered defenses
complement each other by using varying methods to thwart attacks.
This multi-tiered approach reduces both security risks and email volume, while
ensuring that messages are legitimate and clean before they pass to the next tier
in your email infrastructure.
Network boundary tier
Organizations today must significantly reduce spam before it enters their
networks, to demonstrate regulatory compliance. To accomplish this, they can
deploy a spam defender at their network boundary that works to hold traffic
volume constant, even as Internet spam volume increases. This type of defense
is called traffic-shaping.
A limitation of the SMTP protocol is its inability to authenticate senders of email.
Traffic-shaping samples and analyzes SMTP packets in real-time, and makes a
spam or not-spam determination based on the reputation of each sender. A
reputation is established from the cumulative history and reputation of the mail
path itself.
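The reputation idea described above, reduced to a small sketch. This is an added example, not Symantec's algorithm or code: the scoring formula, rate limits, decay factor, and sample verdicts are all assumptions chosen for illustration, and the addresses come from the documentation ranges.

```python
"""Reputation-based traffic shaping, reduced to its core idea (illustration only)."""
from dataclasses import dataclass

# Assumed tuning values for this illustration; not vendor settings.
MAX_RATE = 60    # messages per minute granted to a sender with a clean history
MIN_RATE = 1     # floor: a poor sender is slowed to a trickle, not disconnected
PRIOR_GOOD = 2   # pseudo-counts: a sender with no history starts at a neutral 0.5
PRIOR_BAD = 2
DECAY = 0.9      # applied once per interval so old behaviour gradually counts less


@dataclass
class SenderHistory:
    good: float = 0.0   # decayed count of messages judged legitimate
    bad: float = 0.0    # decayed count of messages judged spam

    def reputation(self) -> float:
        """Smoothed fraction of legitimate mail in the sender's history, in (0, 1)."""
        total = self.good + self.bad + PRIOR_GOOD + PRIOR_BAD
        return (self.good + PRIOR_GOOD) / total


class TrafficShaper:
    """Tracks cumulative per-IP history and turns it into a rate limit."""

    def __init__(self):
        self.senders = {}

    def record(self, ip: str, is_spam: bool) -> None:
        """Add one spam / not-spam verdict to the sender's history."""
        history = self.senders.setdefault(ip, SenderHistory())
        if is_spam:
            history.bad += 1
        else:
            history.good += 1

    def end_interval(self) -> None:
        """Age every history so a sender that changes behaviour can recover."""
        for history in self.senders.values():
            history.good *= DECAY
            history.bad *= DECAY

    def allowed_rate(self, ip: str) -> int:
        """Messages per minute this sender may deliver right now."""
        reputation = self.senders.get(ip, SenderHistory()).reputation()
        # Squaring penalises low reputations more steeply than a linear map.
        return max(MIN_RATE, round(MAX_RATE * reputation ** 2))


def demo() -> dict:
    """Constructed traffic: one clean sender, one spam source, one unknown."""
    shaper = TrafficShaper()
    for _ in range(50):
        shaper.record("192.0.2.10", is_spam=False)
    for i in range(50):
        shaper.record("198.51.100.7", is_spam=(i >= 2))   # 2 clean, 48 spam
    ips = ("192.0.2.10", "198.51.100.7", "203.0.113.5")
    return {ip: shaper.allowed_rate(ip) for ip in ips}


if __name__ == "__main__":
    for ip, rate in demo().items():
        print(f"{ip}: {rate} msg/min")
```

Because the limit follows the sender's history rather than total volume, a rise in spam from poorly rated sources is absorbed by their own throttles while clean senders keep their full rate.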
The Symantec™ Mail Security 8160 appliance is ideal for organizations with 2,000
or more employees that require traffic-shaping at their network boundaries.
For more information on the Symantec Mail Security 8160 appliance, see the
Symantec Mail Security 8100 Series Deployment Guide.
Gateway tier
Defending mail servers and mailboxes is no longer enough to ensure the security
and availability of business email. Spammers and other attackers continuously
develop new methods to defeat internal server defenses. Prevention of spam,
viruses, phishing, and spyware must begin at the perimeter, or gateway tier, of a
network, and then layer inward to correctly provide multiple lines of defense.
The gateway tier is the layer of routers, bridges, and switches that handle all
packet transmission on your network, including email traffic. With the Symantec
Mail Security 8260 appliance or Symantec Mail Security for SMTP 5.0 deployed,
spam, viruses, and other threats are automatically detected and stopped before
they reach your email servers. The Symantec Mail Security 8260 appliance and
Symantec Mail Security for SMTP software are Symantec customer-deployment
options that fulfill the same core need at the gateway tier.
Note: As of June 2006, Symantec Mail Security for SMTP 4.1 has merged with
Symantec BrightMail AntiSpam 6.0 to create Symantec Mail Security for SMTP
5.0.
Symantec Mail Security 8260 appliance and Symantec Mail Security for SMTP
help IT organizations face the challenge of protecting your network perimeter.
Table 5-1 describes the challenges and the Symantec solution.
Table 5-1 Gateway tier security challenges and solutions

Challenge: Preventing spam and other unwanted email from reaching
mail servers
Solution: Symantec antispam technology leverages over 20
spam-prevention techniques. The embedded Symantec
antivirus technology includes real-time scanning.
Virus-protection capabilities include the mass-mailer
cleanup, which automatically removes the emails
associated with mass-mailing worms.

Challenge: Reducing email infrastructure costs
Solution: Email firewall technologies, which include both Directory
Harvest Attack Prevention and Sender Reputation, restrict
connections from spam-sending servers.

Challenge: Controlling outbound spam and viruses
Solution: Content compliance features allow administrators to
control both inbound and outbound email. In addition to
controlling spam and viruses, this allows monitoring for
sensitive content, and enforcement of corporate and
regulatory policies.

The continually changing email threat landscape requires a solution that
automatically complies with the latest antispam and antivirus policies and rules.
Symantec Mail Security 8260 appliance and Symantec Mail Security for SMTP
provide accurate antispam technology that is frequently and automatically
updated with the latest protections and response mechanisms.
Mail server tier
The mail server tier processes outbound email while also processing and storing
inbound and internal email. Even if you have solid perimeter protection, it is still
necessary to inspect internal email traffic and stored messages. Viruses can enter
along other vectors, such as personal Web-based email or removable media (for
example, the USB drives of users whose virus definitions are not current).
Also critical is post-attack virus cleanup of message stores (after early-stage virus
infestations) using the latest antivirus definitions. Symantec™ Mail Security for
Microsoft Exchange protects Exchange email servers by providing real-time,
scheduled, and on-demand scanning for viruses. It also scans inappropriate
message content in internal email, and SMTP inbound/outbound traffic.
Table 5-2 describes common challenges that IT departments face, and the Mail
Security for Exchange solution.
Table 5-2 Mail server tier security challenges and solutions

Challenge: Scanning for viruses that enter the network by bypassing the
network boundary and gateway tiers
Solution: Viruses can enter the network via personal, web-based email or removable media
such as USB drives. Mail Security for Exchange can scan mail downstream from
your gateway servers to ensure that new threats are exposed and handled.

Challenge: Ensuring redundancy in email inspection
Solution: Although inbound email is a common delivery mechanism for viruses, these types
of threats can enter email systems via other sources. While gateway defenses
provide coverage of inbound email, not all threats can be detected and removed at
that tier. Addressing this need requires virus detection and cleanup at the mail
server tier.

Challenge: Preventing authorized content from being sent to
unauthorized users
Solution: Companies secure internal Web sites from unauthorized individual or departmental
access. However, information from a secured Web site can be downloaded to a
desktop system and easily forwarded.
This possibility risks exposure of data to unauthorized users both inside and outside
the organization. Mail Security for Exchange incorporates rule-based content
filtering to prevent unwanted content from entering—and confidential information
from leaving—the network. Rules can be created that apply to a specific user or
group to provide further granularity that may be required for specific compliance
regulations.

Challenge: Enforcing email usage policies
Solution: Companies enforce email policies to prevent inappropriate language in email. This
includes unwanted or oversized attachments, such as MP3 music files, AVI and
other video file types; and file types commonly used for delivery of viruses, such
as executables. Symantec Mail Security for Exchange enforces policies at the mail
server tier to prevent inappropriate email from propagating inside and outside the
company.

Symantec Mail Security for Microsoft Exchange gives administrators the ability
to inspect content while in transit, and while it is being accessed from the
information store. Administrators can also conduct sweeps of information-store
content on a scheduled or on-demand basis, using updated virus definitions or
specific content rules that are designed to identify suspicious or inappropriate
content. A constant background scan can also be employed to monitor the store,
and proactively scan new messages and older messages that have not been scanned
with the latest definitions.
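The attachment and per-group rules described in Table 5-2 can be pictured with a short sketch. This is an added example and not Mail Security for Exchange code or configuration: the rule set, group names, addresses, size limits, and sample messages are hypothetical and constructed for illustration.

```python
"""Rule-based attachment policy check at the mail server tier (illustration only)."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MB = 1024 * 1024

# Hypothetical policy: a default rule set plus one per-group override.
DEFAULT_RULES = {"blocked_ext": {".exe", ".scr", ".mp3", ".avi"}, "max_bytes": 2 * MB}
GROUP_RULES = {"marketing": {"blocked_ext": {".exe", ".scr"}, "max_bytes": 5 * MB}}
GROUP_MEMBERS = {"marketing": {"dana@example.com"}}


def rules_for(sender: str) -> dict:
    """Return the group rule set for a sender, or the default rules."""
    for group, members in GROUP_MEMBERS.items():
        if sender in members:
            return GROUP_RULES[group]
    return DEFAULT_RULES


def check_message(raw: bytes) -> list:
    """Return (filename, reason) pairs for every attachment that breaks policy."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    rules = rules_for(sender)
    violations = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # splitext takes the final extension, so "invoice.pdf.exe" is ".exe".
        ext = os.path.splitext(name)[1].lower()
        if ext in rules["blocked_ext"]:
            violations.append((name, "blocked-extension"))
        if len(data) > rules["max_bytes"]:
            violations.append((name, "oversized"))
        # Windows executables start with the bytes "MZ"; checking content
        # catches an executable that was renamed to an allowed extension.
        if data[:2] == b"MZ":
            violations.append((name, "executable-content"))
    return violations


def build_sample(sender: str, attachments: list) -> bytes:
    """Build a constructed test message with the given (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed message body.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("alice@example.com",
                          [("notes.txt", b"MZ\x90\x00 constructed bytes")])
    print(check_message(sample))
```

The same 3 MB video passes for the hypothetical marketing group and fails twice under the default rules, which is the per-user or per-group granularity the table describes.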
Desktop tier
At the innermost tier of your network, desktop users interact with their Exchange
email inboxes. At this tier, security threats and viruses are often launched by
users who remain unaware of malicious activity. Consequently, positioning
protection at the desktop is critical to a tiered defense strategy. This tier represents
the last line of defense for Internet-borne threats, and is the layer that responds
and cleans up after infectious outbreaks.
Symantec antivirus solutions stop the successful launch of threats delivered by
various infection methods, such as USB memory sticks, DVD content, and CD content.
They also detect and defend against threats that make it to the desktop, either
through Web-based email or Web access.
Note that while desktop-protection solutions are highly customizable and
individually effective, they cannot offer organization-wide protection because
their purpose is to protect only individual desktop mailboxes. Complete enterprise
protection is only possible with a multi-tiered solution that is implemented at the
mail server, gateway, and network boundary tiers.
Symantec’s Global Intelligence Network
A flexible, archiving framework enables the discovery of content stored within
email, file system, and collaborative environments, while helping to reduce storage
costs and simplify management. Search-and-discovery capabilities are
complemented by client applications designed to meet corporate governance, risk
management, and legal protection requirements. Spam and virus detection
technologies, as well as traffic-shaping technology, can be deployed at multiple
layers in the network.
High-resiliency technologies ensure uninterrupted access to mission-critical data.
Online storage management tools with optimized I/O performance reduce planned
and unplanned downtime, while clustering and replication technologies further
reduce downtime.
For organizations that require fast recovery of Exchange server services after site
disasters, Symantec offers metropolitan-area data mirroring and wide-area data
replication, optionally coupled with remote site standby system management
(wide-area clustering).
Supporting Symantec’s products and services is the Symantec Global Intelligence
Network security research organization. This organization aggregates, analyzes,
and delivers security notifications on security threats worldwide. It gathers
malicious code data from over 150 million antivirus desktops, 20,000 Intrusion
Detection (IDS) software clients, and firewall sensors in over 180 different
countries, and more than 43,000 managed security devices. Symantec’s global
Security Response centers monitor the Probe Network, and analyze the latest
spamming tactics across the globe. The Probe Network is an extensive array of
over 2 million decoy email addresses.
Combined with Symantec’s vulnerability database of over 10,000 entries, this
infrastructure provides Symantec’s Security Response analysts with a source of
data from which to identify emerging trends in attacks and malicious code activity.
Symantec Security Response centers are located in North America, Asia, Australia,
China, and Europe. Centers are manned by researchers who represent a
cross-section of highly regarded security experts. The centers provide 24-hour
coverage, seven days a week for important security events.
The Symantec Mail Security product line leverages security content updates from
Symantec Security Response to help organizations prepare for and respond to
any security threat. Backed by Symantec’s Global Intelligence Network and
Security Response, information and recommended actions on the latest security
threats can be obtained via Symantec’s globally distributed network of
LiveUpdate™ systems. LiveUpdate extends to all geographic locations and time
zones.
Figure 5-2 illustrates the reach of Symantec's Global Intelligence Network.
Figure 5-2 Global Intelligence Network and Security Response
Configuration overview
For organizations with 1,000 to 2,000 email users, Symantec recommends
implementing email protection at the gateway, mail server, and desktop tiers. In
high-volume email environments, additional protection at the network boundary
tier should be implemented as well.
The following describes the Symantec Enterprise messaging management solutions
that are applicable at each network tier:
Mail server tier: Symantec Mail Security for Microsoft Exchange
Gateway tier: One of the following gateway protection products:
■ Symantec Mail Security 8260 appliance
■ Symantec Mail Security for SMTP software
Network boundary tier: (Optional) Symantec Mail Security 8160 appliance
Figure 5-3 shows the recommended server configurations for each network tier
in a 1,000 to several thousand employee company.
Figure 5-3 Server architecture for the Symantec solution
This figure shows Symantec Mail Security for SMTP installed at the email gateway
layer. The most effective place to deploy Symantec Mail Security for SMTP is at
the perimeter of your email network. By deploying at the gateway, you can take
advantage of all of this tool's email-firewall and connection-management features.
Using its embedded MTA, Symantec Mail Security for SMTP processes inbound
and outbound Internet mail. The SMS for SMTP filtering engine examines IP
connections, and filters mail using the latest defenses from Symantec. Every 10
minutes, updated spam filters, virus definitions, global sender reputation
information, and other critical email security defenses are updated over a secure
connection.
In this architecture, two Symantec Mail Security 8260 appliances or servers
running SMS for SMTP are recommended at the network perimeter, configured
for both inbound and outbound message traffic. The function of these products
is equivalent in this architecture. It is also recommended to install the 8260
appliances or Mail Security for SMTP servers between two firewalls in a
sub-network that separates the internal and external networks. This sub-network
is commonly known as a demilitarized zone (DMZ) or perimeter network.
The Microsoft Exchange mail servers are your company’s groupware, or
downstream servers. They reside inside the company firewall, protected by the
gateway appliances or servers.
See “Best practices for protecting the network perimeter at the gateway server
tier” on page 112.
Optionally, for companies that want to reduce traffic volume at the SMTP layer
before it enters the company network, the Symantec Mail Security 8160 appliance
is available. The 8160 appliance sits at the network boundary, inside the DMZ,
and in front of the gateway appliances or servers.
Best practices for protecting Exchange servers at the mail server tier
The Symantec solution for protecting Microsoft Exchange servers in organizations
with 1,000 to several thousand employees is Symantec Mail Security 5.0 for
Microsoft Exchange (Mail Security for Exchange). Mail Security for Exchange
provides an integrated security solution that protects against viruses, spam, and
security risks, and enforces company policies. Mail Security for Exchange allows
administrators to create and save multiple sets of criteria for identifying threats
and violations. And when a threat or violation is detected, Mail Security for
Exchange can automatically issue notifications and alerts as well as take predefined
administrative actions.
Typical configuration
In a typical configuration, Symantec Mail Security for Microsoft Exchange is
installed on each Exchange server to scan all inbound, outbound, and internal
email. Mail Security for Exchange scans all email content, including message
header, body, and attachments. Mail Security for Exchange scans all email sent
to both public folders and private mailboxes. Mail Security for Exchange provides
email message scanning and security conformity at the server level. This capability
ensures that email in Exchange is free from security risks, spam, and viruses.
Pre-installation and deployment
Before installing Symantec Mail Security for Exchange, all pre-installation and
system requirements must be met.
See “Symantec Mail Security 5.0 for Microsoft Exchange requirements” on page 80.
The Symantec Mail Security for Microsoft Exchange Implementation Guide provides
procedures and recommendations for deploying Symantec Mail Security for
Microsoft Exchange. It is recommended that system administrators become
familiar with this guide before installing the software.
Table 5-3 shows the sequence of a typical Symantec Mail Security for Exchange
deployment for a company with fewer than 3,000 employees.
Table 5-3 Typical deployment sequence for Symantec Mail Security
Deployment task: Task 1: Install Mail Security for Exchange
Description:
Symantec Mail Security for Exchange can be installed directly on a single Exchange
server, or from a multiserver console that is used to manage multiple servers on
an individual basis or as groups of servers. A console installation can be completed
on a client computer (Windows® XP or Windows 2000), but is typically installed on
one of the least-utilized Exchange servers. The console is used to manage product
settings remotely, and groups of servers can be created with similar functions for
easier management.
Deployment task: Task 2: Install Symantec Mail Security for Microsoft Exchange Cluster Nodes
Description:
Symantec Mail Security for Exchange is fully cluster-aware, when installed in a
Microsoft Windows or Veritas Cluster server environment. Mail Security for
Exchange should be installed on Exchange Cluster nodes while they are in a passive
state, to ensure that working Exchange Virtual Servers are not affected negatively
by the installation processes.
Each node in the Microsoft Exchange Server 2003 cluster must have Symantec Mail
Security for Exchange binaries installed in the same location on the applications
disk drive. In addition, the System Administrator installs the latest updates and
definitions for Mail Security for Exchange as installation is completed.
Deployment task: Task 3: Install Symantec AntiVirus Corporate Client on Exchange Server Cluster Nodes
Description:
Symantec recommends that a Symantec AntiVirus Corporate Edition client (or
equivalent) be installed on your Exchange servers to provide protection at the
operating-system level. This will provide comprehensive protection against both
viruses within Exchange, and file-based threats on the server itself. It should be
set to have virus definitions update automatically.
To successfully install and bring online a working Microsoft Exchange 2003 Virtual
Server with Mail Security for Exchange and Symantec Antivirus, exclusions should
be added to Symantec Antivirus for the working directories used by Symantec Mail
Security for Exchange, and for certain Exchange directories. For more information,
see Symantec Knowledge Base Document ID: 2004052416452048 at the following
URL:
http://www.symantec.com/techsupp/
Deployment task: Task 4: Install (or renew) license files to remote servers
Description:
To activate a content license, a license file must be installed on each server that is
running Mail Security for Exchange. This ensures that each server can receive the
latest virus definition updates.
The license file can be installed from the console for a remote server group, or for
a remote single server. It can also be installed on each individual server directly.
Deployment task: Task 5: Install Spam Folder Agent for Exchange
Description:
The Spam Folder Agent allows you to route spam messages to a folder designated
for spam, in each recipient’s mailbox. The Spam Folder Agent should be installed
on Exchange servers where mailboxes physically reside. The Agent automatically
creates a Spam folder in each user’s mailbox. When spam messages are tagged for
Spam Folder Agent delivery, the messages are delivered to the Spam folder. Tagging
may be accomplished by Symantec Mail Security 8260 appliances.
Companies can use Spam folders to archive suspected spam that is delivered directly
to end users for review. To ensure that such messages are not left in Exchange
mailboxes for more than a few days, system administrators can apply a folder-level
mailbox-archiving policy in Enterprise Vault, to the Spam folder for each user. This
policy archives all messages after a short time (for example, 5 days). This can be
separate from, and override, any other default user mailbox archiving policy.
Symantec Mail Security for Exchange configuration
Symantec offers configuration recommendations for Mail Security for Exchange.
This information is not intended to replace product documentation. The following
points address common questions about settings.
Table 5-4 shows the recommended configuration settings for Symantec Mail
Security for Exchange.
Table 5-4 Recommended settings
Setting: General Settings (applies to all autoscans)
Recommendation:
Attachment Blocking: A list based on internal company policy should be set up in
the content directory.
Setting: LiveUpdate/Rapid Recovery
Recommendation:
Run LiveUpdate at least every 4 hours.
Setting: Match List
Recommendation:
Utilize with filtering sub-policies to protect users from known threats that are
undetectable through other means. Example: when a virus definition does not yet
exist for a threat, a match list is referenced in the sub-policies to match specific
email text or attachment types, and perform a specified action when detected.
Setting: Report Settings
Recommendation:
Threshold on Storage: Store all data for 12 months.
Setting: Filtering sub-policies
Recommendation:
May require customization to use match lists for detecting known threats that are
undetectable through other means (i.e., when a virus definition does not yet exist
for a threat).
Setting: Scans: Auto Protect
Recommendation:
AutoProtect must always be turned on to scan for viruses in transit, and on access.
Background scanning can be enabled. However, this adds to the Exchange server
load, and may impact performance.
Upon virus definition update, Force rescan should be enabled to ensure that
messages are scanned with the latest definitions during on-access or real-time
scanning.
Setting: Scans
Recommendation:
Manual scan is used to immediately scan the message store to find a virus, security
risk, or content violation.
Scheduled scan is used to schedule a scan of the message store during off-peak
hours.
Multiserver console configuration
The Symantec Mail Security for Exchange console can be configured to manage
one or more Exchange servers.
If your company is using multiple Microsoft Exchange servers, and wants to
manage mail security from the Mail Security for Exchange console (multiserver
console), system administrators should have an implementation plan that includes
server names and total number of Exchange servers on which Mail Security for
Exchange is to be installed.
To manage Mail Security for Exchange using the multiserver console, all Mail
Security for Exchange servers must be in the same domain as the console. System
administrators should use the multiserver console whenever multiple servers
have the same settings.
Virus definition recommendations
An Exchange server should be protected with both a file system antivirus scanner
(for example, Symantec AntiVirus Corporate Edition) and antivirus protection
for the Exchange message store (Mail Security for Exchange). If both Symantec
Mail Security for Exchange and Symantec™ AntiVirus Corporate Edition are
installed on the same server, they can share a single set of definitions. This allows
system administrators to update once, instead of separately managing definitions
for both products. In this case, virus definitions should be managed by Symantec
AntiVirus Corporate Edition, and virus updates should be turned off within
Symantec Mail Security for Microsoft Exchange, to leverage the Symantec
AntiVirus Corporate Edition definitions.
If Symantec AntiVirus Corporate Edition is not installed on the Exchange server,
you must manage virus updates within Symantec Mail Security for Microsoft
Exchange. Symantec Mail Security for Exchange has two types of definitions:
■ Rapid Release definitions
Rapid Release definitions are certified, updated multiple times a day (often
hourly), and provide the fastest response for emerging threats. They are best
suited for front-end or bridgehead servers, where email from external sources
is first received and thus a higher threat level is present. These definitions are
not made available through automated processes such as LiveUpdate, and
must be retrieved either manually or through a scripting process.
■ LiveUpdate Certified definitions
Certified definitions are tested more thoroughly and updated less frequently.
They are automatically retrieved using LiveUpdate. They are more suitable
for servers with user message stores, where definition stability and automatic
updating is more important. Certified definitions are released daily, but are
not made available through LiveUpdate each day. They can also be retrieved
manually or through scripting processes.
If Certified definitions are automatically retrieved using LiveUpdate on a server
with a message store, then the On Virus Update Force Rescan option must be
enabled. This ensures that all messages are scanned with the latest virus
definitions prior to end-user access.
File Filtering Rule
Symantec Mail Security for Exchange comes with the File Filtering - File Name
Rule. This rule detects common, virus carrier file types and blocks them
automatically, even when they are contained in a zip file. The associated match
list contains examples of the most common virus carriers. Because these files are
not generally needed for regular business communication, it is relatively safe to
block them by default. Enabling this rule protects the Exchange server from new
threats, even before virus definition updates are available, by blocking based on
the file extension.
Zip file recommendations
Zip and other container files have been used to carry threats in recent outbreaks.
How a company handles zip files is dependent on its threshold for risk. Some
companies block all container files, while others take a more discriminatory,
granular approach.
Mail Security for Exchange provides the following features to handle zip files:
■ Handles password-protected zip files with an exception rule (Encrypted File
Rule) to allow different dispositions to be selected.
This allows zip files, unless they are password protected. Password-protected
zips can be quarantined or deleted.
■ Blocks certain attachment types, even when they are found in a zip file.
This allows the System Administrator to specifically block dangerous
attachment types, even if they are in a zip file. Less dangerous and more
business-critical documents, for example, Microsoft Office documents, can be
allowed in a zip file, while the more frequent carriers of threats (for example,
*.exe, *.bat, and *.scr files) can be blocked.
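The two zip-handling rules above can be sketched as a small attachment evaluator. This is an added example, not Symantec's code or its rule engine: the disposition names, the nesting and size limits, and the choice to let the file-type rule win over the encrypted-file rule are assumptions, and the sample archives are constructed in memory.

```python
import io
import os
import zipfile
import zlib

# Carrier types the page names; a production match list follows company policy.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".scr"}
MAX_DEPTH = 3                         # assumed limit on nested containers
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed per-member size cap


def extension(name):
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    return os.path.splitext(name.strip().rstrip(". ").lower())[1]


def evaluate_attachment(filename, data, depth=0):
    """Return (disposition, reason); dispositions are deliver, block, quarantine."""
    if extension(filename) in BLOCKED_EXTENSIONS:
        return ("block", f"blocked file type: {filename}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("deliver", "no rule matched")
    if depth >= MAX_DEPTH:
        return ("quarantine", f"container nesting exceeds {MAX_DEPTH}: {filename}")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = [m for m in archive.infolist() if not m.is_dir()]
            # Member names sit in the central directory, so the file-type rule
            # still applies when the member data is password protected.
            for member in members:
                if extension(member.filename) in BLOCKED_EXTENSIONS:
                    return ("block",
                            f"blocked file type in {filename}: {member.filename}")
            # Encrypted-file rule: general-purpose flag bit 0 marks encryption.
            if any(member.flag_bits & 0x1 for member in members):
                return ("quarantine", f"password-protected container: {filename}")
            for member in members:
                if member.file_size > MAX_MEMBER_BYTES:
                    return ("quarantine", f"oversized member in {filename}")
                verdict, reason = evaluate_attachment(
                    member.filename, archive.read(member), depth + 1)
                if verdict != "deliver":
                    return (verdict, reason)
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError,
            EOFError, zlib.error):
        # Unreadable containers fail closed.
        return ("quarantine", f"malformed container: {filename}")
    return ("deliver", "no rule matched")


def build_sample_zip(members, mark_encrypted=False):
    """Constructed test input: a zip built from {name: bytes}.

    mark_encrypted only sets flag bit 0 in the local and central headers;
    the payload is not really encrypted. Use it with plain (non-zip) members.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                raw[pos + flag_offset] |= 0x01
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    inner = build_sample_zip({"run.scr": b"constructed"})
    samples = {
        "report.zip": build_sample_zip({"q3.docx": b"constructed"}),
        "invoice.zip": build_sample_zip({"docs/setup.EXE": b"constructed"}),
        "notes.zip": build_sample_zip({"notes.txt": b"constructed"}, True),
        "outer.zip": build_sample_zip({"inner.zip": inner}),
    }
    for name, blob in samples.items():
        print(name, evaluate_attachment(name, blob))
```

Checking member names before the encryption flag means a password-protected archive that lists a blocked type is blocked outright rather than quarantined for review.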
Best practices for protecting the network perimeter at the gateway server tier
For SMTP gateway perimeter protection, Symantec offers the following methods
of implementing email security solutions:
■ Software-based
■ Appliance-based
■ Hosted service
Organizations with more than a few hundred email clients typically choose either
a software-based or appliance-based solution. Smaller companies typically choose
the hosted service solution, in which the software and systems are located off-site
at a hosting provider, and internet email streams are redirected to the provider
for scanning.
Choice of solution formats
For companies with more than 1,000 nodes, Symantec offers the following
appliance-based and software-based solutions to protect the network perimeter:
■ Symantec Mail Security 8260 appliance
■ Symantec Mail Security for SMTP software (formerly Symantec BrightMail
AntiSpam software)
■ Symantec Hosted Mail Security
The availability of resources and expertise varies from company to company.
Therefore, the choice of solution format is typically based upon environmental
factors and preferences. All solution formats offer the same technology; only the
delivery format differs. Where smaller companies often choose the hosted service,
companies with more than 1,000 employees generally choose the appliance or
software formats.
Table 5-5 lists the advantages unique to the appliance and software formats.
Table 5-5 Software-based and appliance-based solutions
Format: Software
Description: Application software must be installed on customer-provided
hardware and operating system
Advantages:
Gives you complete control over your entire environment,
including choice of hardware and operating system.
Provides highly-integrated antispam, virus protection, and
content filtering technologies. For emergency updates or
upgrades, the fewer the number of components, the easier it
is to ensure compatibility and uptime.
A single vendor is responsible for both the security technology
and response components. This eliminates finger-pointing
between vendors.
Format: Appliance
Description: Application software comes pre-installed on vendor-maintained
operating system and hardware
Advantages:
No operating system or compatible hardware to acquire and
maintain.
No software to install.
Application and operating system updates can be automated.
Initial security hardening and subsequent patching provided
by vendor.
A global support contract with hardware replacement is
available.
The preferred solution for companies with 1,000 to 2,500 employees is to deploy
the Symantec Mail Security 8260 appliance. This all-in-one deployment option
requires no ongoing administration or tuning. Timely and secure updates are
delivered automatically. This solution provides 24x7x365 protection from new
spam and virus attacks.
Symantec Mail Security deployment
Whether Symantec Mail Security is deployed on a server or by using the 8200
series appliance, Symantec Mail Security provides comprehensive, integrated
gateway messaging security. It stops spam and phishing attacks at the gateway,
prevents viruses from reaching your email servers, and controls inbound and
outbound content contained in email messages.
These technologies are integrated via an administration console that provides a
single, comprehensive method for managing and enforcing policies, and viewing
trends across multiple systems. The same set of deployment considerations applies
to both technologies.
For companies who choose the appliance option, the IT staff can configure each
Symantec Mail Security server, or 8260 appliance, to operate in a number of
different roles.
Table 5-6 describes the roles performed.
Table 5-6 Symantec Mail Security for SMTP roles
Role: Scanner
Description:
Performs email filtering
One or more scanner servers or appliances can be set up
Role: Control Center
Description:
Manages the server or appliance systems
Each SMS for SMTP installation has one Control Center.
The Control Center can manage multiple scanners. The
Control Center also hosts Quarantine, a component that
stores spam messages and provides end-users access to
their spam messages. Administrators can also configure
Quarantine for administrator-only access. Use of
Quarantine is optional.
Role: Control Center and Scanner
Description:
Performs both functions
A dual-role deployment is suitable for smaller installations
For companies with more than 1,000 employees, Symantec recommends that two
SMS for SMTP servers or appliances be configured as inbound and outbound
relays (scanners) as follows:
■ One system runs a scanner to scan inbound and outbound email, and also runs
the Control Center and Quarantine server.
■ The appliance system runs only the scanner to process inbound and outbound
email.
Inbound traffic configuration
Traffic enters your network through the outer firewall. With both SMS for SMTP
systems operating as inbound relays, inbound message traffic can be routed to
them via a DNS round robin server or a load balancer.
The DNS round robin server is a less expensive option than a hardware load
balancer. Hardware load balancers are more robust and responsive than DNS
servers, and provide a higher degree of flexibility. However, the DNS server option
is often sufficient for organizations with fewer than 3,000 nodes.
Table 5-7 shows how email traffic is handled by SMS for SMTP.
Table 5-7 Symantec Mail Security for SMTP traffic routing
Traffic: Clean messages
Routing method: Clean messages are delivered to the Exchange mail servers
via a Smart Host configuration
Traffic: Infected messages
Routing method: Messages that require quarantine are stored on the
Control Center/Quarantine server
Traffic: Primary MX records
Routing method: Assigned to both 8260 appliances
Symantec recommends that your outer firewall be configured as a transparent
SMTP proxy. This configuration is necessary because it enables the SMS for SMTP
to receive information about source IP addresses. As the SMS for SMTP filters IP
addresses, it attunes itself to the local environment in order to filter more
effectively.
Symantec Gateway Security 5400 and 5600 series provide transparent SMTP
proxy features. For firewalls without this feature, it is recommended that system
administrators configure their routers to pass all port 25 traffic directly to the
SMS for SMTP servers, or 8260 appliances, thus bypassing the firewall for SMTP
traffic.
Both content and IP-based filtering are handled by SMS for SMTP. To configure
IP-based filtering, system administrators can enable the Email Firewall feature
in SMS for SMTP. The Email Firewall feature provides IP-based filtering to reduce
traffic at the TCP/IP layer, and reduce the volume of data that requires processing
by the application. Filtering at this layer is an effective complement to content
filters.
However, to set up a full TCP/IP filtering layer, administrators must install the
Symantec Mail Security 8160 appliance. The 8160 appliance provides full
traffic-shaping of incoming network traffic.
Outbound traffic configuration
Outbound email is routed through the SMS for SMTP systems. With both SMS for
SMTP systems operating as outbound relays, outbound message traffic can be
routed to them via a DNS round-robin server or a load-balancer. System
administrators can reconfigure end-user email clients, or configure the Exchange
servers to route all outbound traffic through the outbound SMS for SMTP systems.
Depending upon company policy requirements, system administrators can
implement custom content filters that are specific to outbound email compliance
policies. They can tag, report on, or spool email for later analysis and archiving
using Veritas Enterprise Vault™.
Chapter 6
Using Symantec IM Manager
This chapter includes the following topics:
■ About Symantec IM Manager
■ Best practices for preparing the IM Manager environment
■ Best practices for configuring IM Manager
■ Archiving instant messages to Enterprise Vault
■ Best practices for IM Manager security
■ Best Practices for IM Manager backup and recovery
■ IM Manager use cases
About Symantec IM Manager
Symantec IM Manager is the industry’s most widely deployed and trusted solution
for secure IM management. IM Manager enables organizations to control the use
of public and enterprise instant messages for real-time communication, while
ensuring compliance with legal and corporate governance policies.
With scalability, reliability, and extensibility, IM Manager manages, secures, logs,
and archives all instant message traffic with certified support for public and
enterprise instant message networks, including AOL, MSN, Yahoo!, ICQ, IBM Lotus
Instant Messaging, Microsoft Office Live Communications Server 2003/2005,
Jabber, Reuters, and others.
IM Manager empowers businesses of all sizes, across all industries to perform the
following tasks:
■ Manage and control instant messaging to drive business value and eliminate
organizational risk
■ Secure corporate networks against IM security threats like IM viruses, malware,
spam, and intellectual property loss
■ Satisfy regulatory compliance, corporate governance, and internal IT
compliance standards for logging, archiving, and auditing instant message
conversations
IM Manager removes the burden of securing and managing disparate instant
message networks and protocols, providing a single flexible solution for instant
messaging management, security, and compliance. This further enhances the
value of real-time communication and collaboration.
Best practices for preparing the IM Manager environment
Before IM Manager can be installed in a Microsoft Windows environment, the
following preparations are necessary:
■ Install third party products
See “Installation prerequisites” on page 118.
■ Gather information required to install IM Manager
See “IM Manager installation information” on page 119.
■ Determine SQL server installation requirements
See “SQL server installation requirements” on page 119.
Installation prerequisites
The following bullet items reflect minimal third-party software products that
must be installed on the host server according to each IM Manager component
that is installed. To see the full list of supported third-party software, refer to the
Symantec IM Manager 8.0 Installation Guide for more information.
■ Microsoft Windows Server 2000 with SP3 or Windows 2003 latest service packs
■ Windows 2003 Components ASP.NET, IIS, MSMQ
■ Windows Internet Explorer 6.0
■ MDAC 2.8 or later
■ XML Core Services 4.0 SP2
■ Access to MS SQL or MSDE installed database
IM Manager installation information
IM Manager requires the following information during the installation process:
■ Permissions for each server on which the installation is run
The installer must be run by a user who has appropriate administrator
permissions.
■ A service account for IM Manager services
In domain deployments, this account must be a member of the domain, and
be an administrator on the local machine. It is recommended that the Enterprise
Vault Service Account be used to install IM Manager.
■ A valid IM Manager License file.
The full path to the license file is required.
SQL server installation requirements
The SQL Server installation requirements consist of the following items:
■ Server location (FQDN, hostname or IP address) and database name.
The IM Manager installation program will create database schema or attach
to an existing IM Manager schema.
■ Set of administrative credentials with appropriate permissions to create
database and users
If Windows authentication is used, then the service account must have
permissions. If SQL authentication is used, then the SQL account must have
the appropriate permissions. This is usually the “sa” account, but it may be
another account that has been granted the appropriate permissions.
Best practices for configuring IM Manager
The specific configuration strategy that is chosen depends on the goals of the
organization. For IM Manager to capture instant message traffic, instant message
clients must connect to the IM Manager server. Clients that connect directly to
the Internet without passing through the IM Manager server are not managed.
For this reason, it is important that your environment limit the ability of clients
to connect to the Internet directly.
The most secure environment is one where the user’s desktop is blocked by the
corporate firewall from making any direct external connections to the public
instant message networks. Users are permitted to connect to the public instant
message networks only through IM Manager.
It is important that the administrator read through the Symantec IM Manager
DNS and Network Configuration version 8.0 documentation to become familiar
with the IM Manager administrator and configuration tasks. The document also
describes how to map IM Manager to respond to the instant message client
applications, as well as firewall configurations, DMZ deployment, and how to
configure DNS redirection in Windows 2003.
Instant message network strategies
An instant message control strategy includes the following:
■ Instant message clients must connect to IM Manager, and not directly to the
Internet.
This can be done through DNS redirection, or by modification of individual
instant message clients and workstations.
Refer to Symantec IM Manager DNS and Network Configuration version 8.0 for
more information on DNS redirection.
■ The corporate network should block any instant message connections that do
not go through IM Manager. Refer to Symantec IM Manager DNS and Network
Configuration version 8.0 for more information about the ports that are
important for Public IM and IM Manager and on the specific steps necessary
to block IM over HTTP.
DNS rerouting configuration
Each of the public instant message clients depends on a DNS query to make a
connection to the instant message network. Administrators can configure your
company’s DNS to reply with the IP address of the IM Manager server, rather than
an address on the Internet. By controlling the DNS, the instant message clients
connect to IM Manager rather than to the Internet.
IM Manager must find the Internet IP addresses of the public instant message
networks. In addition, IM Manager cannot use the same DNS server as the end
users. Some IM Manager features require successful DNS lookups of internal
corporate servers. IM Manager should not use an ISP’s external DNS servers. The
solution is to install a separate DNS service on the IM Manager server for IM
Manager use. While DNS is the recommended and most secure approach, there
are other ways to route traffic to IM Manager. If your organization does not make
the required DNS change, it is possible to modify client host files. Typically, a
company will only need to make modifications to its DNS values.
Table 6-1 Public IM network domains
Service provider: AOL Instant Messenger
Domain name: login.oscar.aol.com, toc.oscar.aol.com
Service provider: Yahoo! Messenger
Domain name: scs.msg.yahoo.com, scsa.msg.yahoo.com, scsb.msg.yahoo.com,
scsc.msg.yahoo.com
Service provider: MSN Messenger
Domain name: messenger.hotmail.com
Service provider: ICQ
Domain name: login.icq.com
Refer to Symantec IM Manager DNS and Network Configuration version 8.0 for
more information on DNS and network configuration.
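The DNS rerouting requirement has two halves that can be checked separately: end-user DNS must answer every Table 6-1 name with the IM Manager address, and the resolver used by IM Manager itself must not. The following audit is an added example, not part of the Symantec documentation; the IM Manager address 10.20.0.15, the status names, and the answer tables are constructed assumptions.

```python
import ipaddress
import socket

# Public IM login hosts from Table 6-1.
IM_DOMAINS = {
    "AOL Instant Messenger": ["login.oscar.aol.com", "toc.oscar.aol.com"],
    "Yahoo! Messenger": ["scs.msg.yahoo.com", "scsa.msg.yahoo.com",
                         "scsb.msg.yahoo.com", "scsc.msg.yahoo.com"],
    "MSN Messenger": ["messenger.hotmail.com"],
    "ICQ": ["login.icq.com"],
}
ROLES = ("client", "im_manager")
FAILING = ("bypass", "loop", "unresolved")


def system_resolver(name):
    """Resolve through this host's own DNS settings (and hosts file)."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def table_resolver(table):
    """Resolver backed by a dict of name -> [addresses], for offline checks."""
    return lambda name: table.get(name, [])


def audit_view(role, im_manager_ip, resolve=system_resolver):
    """Classify every Table 6-1 name as seen from one host.

    role "client": every answer must be the IM Manager address, otherwise
    the client can reach the public network directly ("bypass").
    role "im_manager": an answer equal to the IM Manager address means the
    server is using the end-user DNS and would connect to itself ("loop").
    """
    if role not in ROLES:
        raise ValueError(f"role must be one of {ROLES}")
    target = ipaddress.ip_address(im_manager_ip)
    findings = []
    for provider, names in IM_DOMAINS.items():
        for name in names:
            answers = {ipaddress.ip_address(a) for a in resolve(name)}
            if not answers:
                status = "unresolved"
            elif role == "client":
                status = "redirected" if answers == {target} else "bypass"
            else:
                status = "loop" if target in answers else "internet"
            findings.append((provider, name, status))
    return findings


def failures(findings):
    """Keep only the findings that need an administrator's attention."""
    return [f for f in findings if f[2] in FAILING]


# Constructed answer tables: one leaked Yahoo! name and a missing ICQ record
# on the end-user DNS, and one redirected name on the IM Manager resolver.
ALL_NAMES = [n for names in IM_DOMAINS.values() for n in names]
CLIENT_DNS = {n: ["10.20.0.15"] for n in ALL_NAMES}
CLIENT_DNS["scsc.msg.yahoo.com"] = ["198.51.100.44"]
del CLIENT_DNS["login.icq.com"]
MANAGER_DNS = {n: ["198.51.100.7"] for n in ALL_NAMES}
MANAGER_DNS["toc.oscar.aol.com"] = ["10.20.0.15"]

if __name__ == "__main__":
    for role, table in (("client", CLIENT_DNS), ("im_manager", MANAGER_DNS)):
        for finding in failures(audit_view(role, "10.20.0.15",
                                           table_resolver(table))):
            print(role, *finding)
```

Run with the default `system_resolver` on a workstation (role `client`) and on the IM Manager server (role `im_manager`) to audit the live configuration.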
About IM Manager configuration
IM Manager provides a variety of configuration options for maximum flexibility
in managing instant message traffic. The following features should be configured
for IM Manager to support compliance and archiving. These configurations can
be made through the IM Manager administrative interface.
Refer to Symantec IM Manager Admin Interface Guide version 8.0 for more
information on how to configure IM Manager.
IM Manager can be configured to support the following features:
■ Screen Name Registration
IM Manager allows an organization to take control of public IM usage, and
attach anonymous instant message screen names to corporate identities.
Screen name registration is a configuration option in IM Manager. Specifically,
it is the ability to require screen name registration, so that a user cannot use
instant messaging unless they have gone through the process of registration.
Pairing screen name registration with logging and archiving allows
organizations to understand instant message conversations based on actual
corporate identities, instead of public instant message names.
■ Disclaimers
IM Manager provides the ability to send each participant in a conversation a
disclaimer. This can be customized to tell each user that the conversation is
being logged and archived, as well as any other acceptable information an
organization employs.
■ Logging instant messages
IM Manager can be configured to ensure that all instant messages are captured
to the local database for review and export to Enterprise Vault. For
configuration information on this, refer to the IM Manager customer
self-service portal.
Archiving instant messages to Enterprise Vault
After deploying IM Manager, administrators can archive instant messages to
Veritas Enterprise Vault. IM Manager exports IM conversations as formatted
SMTP messages, and can be configured to forward those messages to a Microsoft
Exchange Journaling mailbox. These messages are then processed, indexed,
archived, and made accessible for search and review by Enterprise Vault.
Figure 6-1 shows the integration between Veritas IM Manager, Enterprise Vault
and the Microsoft Exchange servers.
Figure 6-1 IM Manager, Veritas Enterprise Vault and Microsoft Exchange
integration
To configure the system for instant message capture and export
1 Set up Exchange Server to accept IM Manager messages.
2 Configure IM Manager Directory Integration.
3 Configure the Symantec IM Manager server to deliver SMTP Messages to
Microsoft Exchange.
4 Install the IM Manager Enterprise Vault XSL Transformation file.
5 Configure the IM Manager Export.
Note: Details of IM Manager configuration can be found online at the Symantec
IM Manager customer self-service portal.
In order to export IM messages from IM Manager to Enterprise Vault, the
Transform.xsl configuration file must be downloaded from the IM Manager
customer self-service portal and installed to the IM Manager server. The IM
Manager customer self-service portal can be found on the Internet at the following
URL:
http://www.symantec.com/techsupp/immanager.htm.
To locate the Transform.xsl configuration file, obtain a user account and password
from the IM Manager customer self-service portal and perform a search to find
the Knowledge Base article titled, HOWTO: Export IM Manager conversations to
Veritas Enterprise Vault. You can download the "Transform.xsl" file directly from
the article.
See “Installing the IM Manager Enterprise Vault XSL Transformation file”
on page 127.
Exchange Server setup to accept IM Manager messages
In order for Microsoft Exchange to receive IM Manager instant message transcripts,
administrators must enter the following configurations:
■ Microsoft Exchange accepts incoming SMTP messages on port 25
■ Microsoft Exchange accepts incoming SMTP messages from the IM Manager
server.
In some organizations, the ability to relay messages to the Exchange server is
limited to specific machines. If so, ensure that the IM Manager server has the
ability to deliver SMTP messages to the Exchange server, and that Microsoft
Exchange Journaling is set up. The Microsoft Exchange Journaling Mailbox is used
to export IM messages between IM Manager and Enterprise Vault.
Configure IM Manager directory integration
Before configuring IM Manager to send messages to the Exchange Journaling
mailbox, your system must be prepared by adding users’ email addresses to the
message data in the IM Manager database. Enterprise Vault uses the email address
as the user’s unique identifier. In addition, this allows Enterprise Vault to associate
the transcript with the user for filtering and review purposes.
Note: Prior to performing this step or capturing messages in IM Manager,
administrators must ensure that all users have registered their instant message
buddy names with IM Manager. Refer to the Symantec IM Manager Admin Interface
Guide version 8.0 for more information on user registration.
Setting up user email addresses in IM Manager involves the following procedures:
■ Configure directory access information
See “Configuring directory access information” on page 124.
■ Configure directory field import information
See “Configuring directory field import information” on page 125.
■ Configure directory synchronization schedules
See “Configuring directory synchronization schedules” on page 125.
Configuring directory access information
The LDAP parameters must be entered before starting the LDAP service.
To configure LDAP parameters
1 From the IM Manager Administrator Console, click System Configuration >
Directory Integration > Configuration.
2 Type the connection parameter information as shown:
Directory Server DNS Name   Host name or IP address of machine where the
                            enterprise LDAP server is installed.
User Distinguished Name     Distinguished Name of the person whose LDAP user
                            account to use to access the LDAP directory. This is
                            optional and if left blank the account used by the
                            service is used to connect to LDAP.
User Password               LDAP Directory user account password corresponding
                            to the Distinguished Name typed in the User
                            Distinguished Name text box. This is optional and if
                            left blank the account used by the service is used to
                            connect to LDAP.
Re-Enter User Password      Use to repeat the user account password, for
                            confirmation purposes.
Port Number                 Port number used to access the LDAP Directory server
                            addressed by the entry in the Directory Server DNS
                            Name text box. The standard port for LDAP servers is
                            389 (the default).
3 Click Submit to save the parameter information.
To start the LDAP update service
1 Open the Windows Management Console, click Start.
2 Right-click My Computer, and then click Manage.
3 To select the LDAP Update service, double-click Services and Applications.
4 Click Services > LdapUpdateService.
5 To start the LdapUpdateService, right-click LdapUpdateService, and click
Start.
When the service is started, IM Manager verifies the connection to the IM
Manager database, automatically retrieves LDAP directory attributes schema,
and inserts each attribute as a record in the IM Manager database fields table.
Configuring directory field import information
When configuring the directory field for import information, the administrator
selects which of the LDAP attribute fields to add to the IM Manager message log
table. At a minimum, the email address for import must be selected. With Active
Directory, this is the mail attribute.
To add an LDAP attribute
1 Open the IM Manager Administrator Console, then click System Configuration
> Directory Integration > Field Selection.
2 Click the Add or Remove Fields from Directory link. This opens the Manage
LDAP Fields page in a separate window.
3 On the LDAP Field Selection page, select the check boxes corresponding to
the fields you want to add to the IM Manager database.
4 Click Submit to save the changes and return to the LDAP Field Selection page.
The updated list of selected fields appears in the Corporate (LDAP) Directory
Fields group.
Configuring directory synchronization schedules
Both a cache update and the messages update need to be configured. The cache
update replicates user information from the Directory into the IM Manager
database. The messages update revises instant messages with additional user
information selected in the field selection page.
It is a common practice to schedule the cache update to run once a day, and to
schedule the messages update to run once every thirty minutes.
There are two elements to setting a schedule, as follows:
Start Time   Sets the first possible date and time for execution of the update task.
Frequency    Sets the interval between updates. Set in whole minutes.
After scheduling the recurring LDAP updates, run an immediate LDAP Cache
Update sync before exporting conversations.
To run an LDAP cache update
1 From the Symantec IM Manager Administrator console, click System
Configuration > Directory Integration > Synchronization.
2 Select the check box for Perform a cache update at the next opportunity.
3 Click Submit to save changes.
Once the LDAP Cache Update completes, IM Manager will enter a successful Mirror
Sync operation on the LDAP history table at System Configuration > Directory
Integration > History.
Configuring IM Manager SMTP delivery to Microsoft Exchange
IM Manager uses the IIS SMTP service built into Windows to deliver instant
message transcripts to the Exchange Journaling Mailbox. Ensure that IIS SMTP
is installed on the same server on which the IM Manager export tool is installed.
Complete the following two procedures to configure and test the IIS SMTP service
for delivery of messages to the Exchange server.
To configure the IIS SMTP service
1 To open the Internet Services Manager, click Start > Programs >
Administrative Tools > Internet Information Services Manager.
2 Expand the server node, right-click on Default SMTP Virtual Server, and
select Properties.
3 Click the Delivery tab, and then click Advanced. The Advanced Delivery
dialog box appears.
4 In the Smart host text box, type the hostname or IP address of your Exchange
server.
5 Click OK to save your changes.
To test the IIS SMTP configuration
1 Change the X-Receiver field to the name of the Exchange journaling mailbox.
2 Change the From field to [email protected], where
yourdomain.com is the email domain of your organization.
3 Change the To field to a valid email address for one of the users in the
organization.
4 Place the modified email message into the SMTP Pickup directory. Verify
delivery of this message to the Exchange journaling mailbox and into
Enterprise Vault Digital Vault.
The following is an example of the modified email message for test
verification:
X-Receiver: [email protected]
Message-Id: 1234513abcdedf
Date: Mon, 10 Feb 2003 14:58:08
From: [email protected]
Subject: This is a test SMTP message
This is a test message
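The four test steps above can be scripted. This is an added example, not Symantec's tooling: it builds the test message with the X-Receiver, From and To fields, rejects addresses that would inject extra headers, and moves the finished file into the pickup folder in one rename. The mailbox names are placeholders, and the pickup path is the IIS default and may differ on your server.

```python
"""Build and drop the IIS SMTP pickup test message (added example)."""
import os
import re
import tempfile
import uuid
from datetime import datetime, timezone
from email.utils import format_datetime

# Assumption: the IIS SMTP default pickup folder; adjust to your installation.
DEFAULT_PICKUP_DIR = r"C:\Inetpub\mailroot\Pickup"

# A plain address only: no whitespace (so no CR/LF), no angle brackets.
_ADDRESS_RE = re.compile(r"[^@\s<>]+@[^@\s<>]+")


def build_test_message(journal_mailbox, from_addr, to_addr,
                       when=None, message_id=None):
    """Return the test message as bytes, following steps 1 to 3 above."""
    for label, value in (("X-Receiver", journal_mailbox),
                         ("From", from_addr), ("To", to_addr)):
        if not _ADDRESS_RE.fullmatch(value):
            raise ValueError(f"{label} is not a plain address: {value!r}")
    when = when or datetime.now(timezone.utc)
    domain = from_addr.split("@", 1)[1]
    message_id = message_id or f"<{uuid.uuid4().hex}@{domain}>"
    headers = [
        f"X-Receiver: {journal_mailbox}",   # step 1: the journaling mailbox
        f"Message-Id: {message_id}",
        f"Date: {format_datetime(when)}",
        f"From: {from_addr}",               # step 2: sender in your domain
        f"To: {to_addr}",                   # step 3: a valid user address
        "Subject: This is a test SMTP message",
    ]
    body = ["", "This is a test message", ""]
    return "\r\n".join(headers + body).encode("ascii")


def drop_in_pickup(message, pickup_dir=DEFAULT_PICKUP_DIR):
    """Step 4: stage the file beside the pickup folder, then rename it in,
    so the SMTP service never reads a half-written message."""
    staging = os.path.dirname(os.path.abspath(pickup_dir))
    fd, tmp_path = tempfile.mkstemp(suffix=".eml", dir=staging)
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(message)
        final_path = os.path.join(pickup_dir, os.path.basename(tmp_path))
        os.replace(tmp_path, final_path)
    except OSError:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise
    return final_path


def run_constructed_demo():
    """Drop a message into a throwaway folder standing in for the pickup dir."""
    pickup = tempfile.mkdtemp(prefix="pickup-demo-")
    message = build_test_message(
        "journal@example.com",      # placeholder journaling mailbox
        "imtest@example.com",       # placeholder sender
        "user@example.com",         # placeholder recipient
    )
    return drop_in_pickup(message, pickup), message


if __name__ == "__main__":
    path, _ = run_constructed_demo()
    print("test message written to", path)
```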
Installing the IM Manager Enterprise Vault XSL Transformation file
The IM Manager export tool uses an XSL transformation process to generate the
final SMTP messages that are delivered to Enterprise Vault.
To set up the XSL transform file:
1 Go to the Symantec IM Manager self-service portal located at the following
URL:
http://www.symantec.com/techsupp/immanager.htm.
2 Search for the Symantec KB article "Transform.xsl", and then download the
XSL file.
3 Save the transform.xsl file to the IM Manager server where the export tool
is installed:
c:\Program Files\Symantec\IMManager\IMArchive
4 Open the transform.xsl file in a text editor.
5 Set the value of exportSystem to KVS.
6 Set the value of the journalingEmailboxname variable to the Exchange
journaling mailbox that the Enterprise Vault is processing.
7 Set the value of the fromEmailaddress variable to a valid email address
on your network, such as:
8 Save the transform XSL file.
By default, all dates and times in the body of the email message are converted
to the timezone of the server running the export. If necessary, the timezone
can be changed to UTC by changing the value of useLocalDate to false.
The following is an example of the XSL transform file:
var fromEmailaddress = "[email protected]";
var journalingEmailboxname = "[email protected]";
var useLocalDate = true;
// Set this to 'false' if you want the dates/times in the body
// of the message to be UTC.
// Change this to one of: Legato, KVS, Exchange
var exportSystem = "KVS";
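A quick lint of the edited settings catches mistakes before the first scheduled export silently fails to reach the journaling mailbox. This is an added example, not code shipped with IM Manager; the sample file contents and addresses are constructed, and it assumes the settings block is script code of the form shown above.

```python
"""Lint the edited settings block of transform.xsl (added example)."""
import re

# Values named in the file's own comment; step 5 selects KVS.
ALLOWED_EXPORT_SYSTEMS = ("Legato", "KVS", "Exchange")

# Matches: var name = "text";   or   var name = true|false;
_VAR_RE = re.compile(
    r'^\s*var\s+(\w+)\s*=\s*(?:"([^"]*)"|(true|false))\s*;', re.MULTILINE)
_EMAIL_RE = re.compile(r'[^@\s"<>]+@[^@\s"<>]+\.[^@\s"<>]+')

# Constructed samples with placeholder addresses.
SAMPLE_GOOD = '''
var fromEmailaddress = "imexport@example.com";
var journalingEmailboxname = "journal@example.com";
var useLocalDate = true;
// Change this to one of: Legato, KVS, Exchange
var exportSystem = "KVS";
'''
SAMPLE_BAD = '''
var fromEmailaddress = "imexport@example.com";
var journalingEmailboxname = "journal";
var useLocalDate = "false";
var exportSystem = "kvs";
'''


def read_settings(text):
    """Return {name: value}; quoted values stay str, bare literals become bool."""
    settings = {}
    for name, quoted, literal in _VAR_RE.findall(text):
        settings[name] = (literal == "true") if literal else quoted
    return settings


def check_settings(settings, expected_journal=None):
    """Return a list of (setting, problem) pairs; empty means no findings."""
    problems = []
    system = settings.get("exportSystem")
    if system not in ALLOWED_EXPORT_SYSTEMS:
        problems.append(("exportSystem",
                         f"{system!r} is not one of {ALLOWED_EXPORT_SYSTEMS}"))
    elif system != "KVS":
        problems.append(("exportSystem",
                         f"{system!r} is valid, but step 5 sets KVS"))
    for name in ("journalingEmailboxname", "fromEmailaddress"):
        value = settings.get(name)
        if not isinstance(value, str) or not _EMAIL_RE.fullmatch(value):
            problems.append((name, f"{value!r} is not an email address"))
    journal = settings.get("journalingEmailboxname")
    if (expected_journal and isinstance(journal, str)
            and _EMAIL_RE.fullmatch(journal)
            and journal.lower() != expected_journal.lower()):
        problems.append(("journalingEmailboxname",
                         "is not the mailbox Enterprise Vault is processing"))
    # A quoted "false" is a non-empty string, which script code treats as
    # true, so the dates would stay in local time.
    if not isinstance(settings.get("useLocalDate"), bool):
        problems.append(("useLocalDate",
                         "must be the bare literal true or false"))
    return problems


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_settings(read_settings(text), "journal@example.com"))
```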
Configuring IM Manager export
Configuring the IM Manager export requires the creation and configuration of an
export account.
To configure IM Manager export:
1 At the IM Administrator console, click System Configuration > Export.
2 Click Add Account to configure a new export account.
3 In the Account Name field, type the textual description of the export account.
Keep the Message Suffix and XML Output Directory set to the defaults.
4 Ensure that the Output Directory points to the SMTP Pickup directory on the
IM Manager server.
5 Select the mail attribute in the Directory Fields To Export.
Keep the default file name in Transform XSL, unless you have chosen to
change the name of the XSL Transform file.
6 Click Submit to save the changes.
To schedule an IM Manager export
1 Click Export next to the export account name that was just created. This
displays the Export job Date Criteria tab. Most organizations run the export
on a nightly basis, and export all messages accumulated since the last export.
2 Select either the Date Range or Relative Days Range radio button.
3 Input the date range you want to search for in the At Most text box and the
Not Less Then text box, or input it manually through the calendar view.
4 Click the Filter tab.
5 Type the domain name for email addresses in your organization in the Active
Directory Fields > Mail textbox.
This is necessary so that only conversations that have been synchronized
with email addresses are exported.
6 Click the Schedule Settings tab.
7 Select the Repeating radio button.
8 Enter the starting date and time and the frequency.
9 Enter domain\username and password to start the scheduled job.
10 Click Export to set up the export job.
11 If you want to perform a test, select the Immediate radio button, and then
click Export. You will need to reconfigure the Repeating export settings.
Best practices for IM Manager security
Customers of IM Manager have the ability to protect their organizations against
instant message security threats. With the use of content filtering, spam blocking,
and client version control, organizations can protect themselves against instant
message security threats. Adopting the following instant message security best
practices reduces the risk of compromise due to instant message security threats.
Threat protection and SPIM filtering
With Symantec IM Manager 8.0, customers using the Real Time Threat Protection
System are continually protected against known spammers and instant message
worms. When a threat is identified, the Symantec security team produces new
content filters that are automatically deployed to IM Manager customers.
Additionally, IM Manager monitors instant message traffic for any instant message
threat outbreaks in your environment. IM Manager has a heuristics-based,
anomaly-detection filter that responds if instant message traffic starts to mimic
that of an instant message threat. If this occurs, the user is quarantined and data
is sent to Symantec Security Response for review. This provides real-time threat
protection of instant messages.
To verify that you are protected, open the IM Manager Administrator Console
and navigate to the System Dashboard. The section Threat Protection Status
indicates when your system was last updated with filtering definitions.
Instant message client version control
Organizations should standardize the set of instant message clients they use.
Standardization allows organizations to keep control of the desktop environment,
and ensures that vulnerabilities in instant message clients are less prevalent.
These vulnerabilities include buffer overflows and client side security holes. Use
of the IM Manager Client Version Control feature allows IT organizations to control
exactly which client versions are sanctioned on their network. Refer to the
Symantec IM Manager Administrator's Guide for information on setting up Client
Version Control.
Best Practices for IM Manager backup and recovery
Symantec IM Manager 8.0 seamlessly manages, secures, logs, and archives
corporate instant-messaging traffic with certified support for public and enterprise
IM networks. The basic IM Manager 8.0 installation includes the IM Manager
server and the IM Manager database. The database manager holds all of the critical
data needed for IM Manager to operate, including configuration and data files.
Microsoft SQL Server 2000 SP4 is the database revision recommended for this
solution.
Backing up critical application data on a regular basis is crucial to an effective
backup and recovery plan for IM Manager.
The following databases and configuration files should be backed up on a regular
basis:
SQL                  The SQL Server database is the repository for all instant message
                     conversations.
Transform.XSL file   IM Manager holds critical configuration information within the
                     transform XSL file.
Enterprise Vault     It is important to follow all recommended backup procedures for
                     Enterprise Vault, with specific attention paid to the Vault Store
                     directories that will house the IM Manager archives.
SQL Server database backup recommendations
It is vital that you perform data backups, and monitor database storage usage on
a daily basis. The SQL database objects associated with IM Manager are critical
to IM Manager functionality. Symantec recommends regular backups and
consistent monitoring of the database to ensure continuous availability.
As with any software that relies on a SQL database, it is highly recommended that
an administrator is familiar with SQL Server best practices, in order to determine
the point-in-time versus point-of-failure restore levels that would be acceptable
during a recovery scenario. The frequency of database and transaction log backups
should correspond to your recovery point objectives.
A complete backup of the IM Manager environment requires backing up the
following components:
■ The IM Manager database as part of the regularly scheduled infrastructure
systems backup jobs
■ The TRANSFORM.XSL file with the scheduled database backups
■ The Directory database transaction logs at least daily
■ The system databases, especially Master and MSDB, after any change
More information about SQL Server backup best practices can be found by
searching the Microsoft SQL Web site.
Recovery after an IM Manager failure
IM Manager failure can be defined in several different ways:
■ The IM Manager server may fail and need to be recovered or replaced.
■ The IM Manager database (configuration information and actual data) may
become inaccessible or unavailable.
■ The Database server may fail and need to be recovered or replaced.
With any of these scenarios, recovery is a simple process. One key point to
remember is that the database holds the IM Manager configuration and the actual
IM data. Once the IM database is available to the IM Manager software, IM Manager
is back online.
IM Manager server failure
If the IM Manager server fails, restore the server by executing your organization's
standard procedure for restoring a failed server. Once the server is brought back
into service, re-install the IM Manager software.
During installation you will need to specify a database for IM Manager to attach
to. You will need to supply the location of your SQL Server and a temporary name
of the new database that the installation process requires to complete an IM
Manager install. Once the installation is complete and the original SQL Database
is restored and available, change the IM Manager Database settings to point to
the restored database location. This is done from the IM Manager Administrator
UI under the System Configuration, Database settings page.
Another consideration during recovery is the DNS or host file settings for the IM
Manager. During the initial installation of IM Manager, the DNS or host files are
configured to ensure IM traffic is routed through IM Manager. If this recovery
scenario resulted in any change to the system name or IP information, that
information will need to be updated.
Refer to the Symantec IM Manager DNS and Network Configuration version 8.0
documentation for detailed information.
IM Manager data corruption
When the IM SQL server database has become corrupted or unavailable, the data
must be restored from the backups. Based on a backup schedule, recent backups
will be available with data up to the time of the last backup. Recover this SQL data
as outlined in the Backup Exec Administrators Guide. Since the SQL server name
or SQL Database name does not change, no other action should be required for
IM Manager to resume operation.
IM Manager database server failure
When the SQL Server has failed or become unavailable, replace or fix the server
based on company procedures for a failed infrastructure server. If that procedure
calls for that server to be recovered to its original state, when it is back online
and SQL has been re-installed or recovered, the IM Manager database can be
recovered. This is done by executing a SQL Database restore, as described in the
Backup Exec Administrators Guide.
Once recovery is complete, ensure the SQL Server name and database instance
information is correct in the IM Manager MMC Snap-In Database settings and
the IM Manager Administration UI Database settings. In this instance, the SQL
Server name and database instance name should not have changed from its original
state.
If the procedures call for putting a new or different SQL server into production
to minimize down time, then when that SQL server is online, perform a “redirected
SQL restore” as outlined in the Backup Exec Administrators Guide to the new SQL
instance. Once the IM Manager SQL database is recovered on the new SQL server,
change the settings in the IM Manager MMC Snap-in, as outlined earlier.
Additionally, the web services for IM Manager will need to be modified to
accommodate the database change.
In the following two recovery scenarios, it is assumed that the IM Manager server
does not change from the original installation and configuration. If that is true,
then no additional consideration for DNS or host file changes are needed, as those
settings apply only to the IM Manager server.
To modify the IM Manager Web Services to accommodate a new or different SQL
server
1 Start the Installation program from the media used to install IM Manager.
2 At the Welcome page of the installation program, choose to Modify the
installation, and click Next.
3 If asked for the user credentials, provide the ones used during the initial
installation, click Next.
4 At the prompt to continue using the existing License Key from your IM
Manager installation, click Yes to continue.
5 In the IM Manager Setup Wizard, uncheck Administrator, User and Reviewer
Interfaces, and click Next.
This action also unchecks the Administrator Service selection. This action
may take a few minutes to complete. Wait for the instructions to continue.
6 When prompted, click Finish to reboot the server for changes to take effect.
7 Once the server has rebooted and is back online, restart the IM Manager
Installation program from the original installation media.
To restart the IM Manager Installation program from the original installation media
1 At the Welcome page of the installation program, choose to Modify the
installation, and click Next.
2 If asked for the user credentials, provide the ones used during the initial
installation, click Next.
3 At the prompt to continue using the existing License Key from your IM
Manager installation, click Yes to continue.
4 In the IM Manager Setup Wizard, place a checkmark in Administrator, User
and Reviewer Interfaces. Also place a checkmark in Administrator Service,
and click Next.
5 In the Modify IM Manager Wizard, specify the name of the new SQL server
and the SQL database (as well as SQL user credentials if applicable). Click
Next.
It may take a few minutes to complete this action. Wait for the Finish page
to appear before continuing.
6 Click Finish to close the wizard and complete the procedure to recover IM
Manager.
IM Manager use cases
According to a recent Radicati Group report, a majority of businesses are now
reporting regular use of instant messaging. Employees are often downloading and
using many different instant messaging clients, such as AOL, MSN or Yahoo!
without supervision or direction. It is clear that organizations are gaining benefits
from instant messaging use. Productivity gains include increased global real-time
communication and lower phone, travel and collaboration tool costs. However,
this highly-connected and networked world presents many security and
management challenges. Providing security for the modern multi-vendor,
multi-protocol, and ever changing instant messaging environment is a challenge
for the IT organization.
Symantec provides a complete security, compliance, and management solution,
so instant messaging can be offered as a supported, or at least a controlled service
to an organization. By implementing Symantec technologies, an organization can
log and archive all instant messages, scan all instant messages for malware and
viruses, control all instant messages, and provide visibility of how instant messages
are utilized in the enterprise.
In summary, by deploying IM Manager and archiving instant message
conversations to Enterprise Vault, organizations are not restricted from the
continued use of instant messages with multiple instant message providers.
Instant message security and threat protection use cases
The following use cases serve to illustrate how IM Manager can be used to provide
security and protect instant messaging environments from external threats. Use
these IM Manager capabilities as appropriate in your organization.
■ Set up internal message routing
See “Set up internal message routing for AOL, MSN, Yahoo, Google” on page 135.
■ Configure real-time threat protection
See “Configure the real-time threat protection system” on page 135.
■ Block outbound instant message file transfer
See “Block outbound instant message file transfer” on page 136.
■ Integrate IM Manager with Symantec scan engine
See “Integrate IM Manager with an existing Symantec security scan engine”
on page 136.
■ Disable use of unsanctioned instant message protocols
See “Disable use of unsanctioned protocols” on page 137.
Set up internal message routing for AOL, MSN, Yahoo, Google
All public and enterprise instant message systems, including AOL, MSN, Yahoo,
Microsoft Office Live Communications and more, enable organizations to use
different instant message networks. If an instant message conversation is occurring
between corporate employees, instant message logic can prevent that conversation
from leaving the corporate domain, and traveling over the public instant message
system.
Normally, instant messages are routed through the Internet even when
both parties to a conversation are logged into the same organizational network.
Users may assume that their messages are secure, as long as they are directed to
people within the same enterprise (on the company intranet). These users may
unwittingly send confidential information based on that assumption. Internal
routing allows the IM Manager administrator to protect messages between internal
users by rerouting the messages within the organizational intranet.
To route instant messages within the organizational intranet
1 Open the IM Manager Administrator console, and go to the following URL:
http://localhost/IMManager/Admin/IMAdminNav.asp
2 Click Security Settings > Internal Routing.
3 Select from any of the public instant message clients that you want to enable
for internal messaging (MSN, Yahoo, Google, AOL, ICQ).
Configure the real-time threat protection system
Administrators can selectively disable enterprise-wide access to specific public
instant message clients, and secure corporate networks against instant message
vulnerabilities. The Real-Time Threat Protection System integrates anti-virus
scanning, instant message content filtering, and advanced Spam detection and
blocking. It also has direct integration with the IMlogic Threat Center for predictive
threat protection, and automatic, real-time instant message worm and virus
updates.
To verify that outbound instant message file transfers are blocked
1 Open IM Manager Administrator console and go to the following URL:
http://localhost/IMManager/Admin/IMAdminNav.asp
2 Click Threat Protection > RTTPS.
3 Click Settings.
4 Verify the RTTPS filter is enabled in block mode. The RTTPS filter is enabled
by default during installation.
Block outbound instant message file transfer
IM Manager’s Default Rules allow instant message administrators to enable users
to transfer files through their instant message client at the enterprise level, and
retain copies of transferred files, if desired. IM Manager also provides the ability
to block files from being transferred from outside the network. Blocking files
provides more protection against viruses and other malicious threats.
To block outbound file transfer
1 Open IM Manager Administrator console and go to the following URL:
http://localhost/IMManager/Admin/IMAdminNav.asp
2 Click Rules Manager > Default Rules.
3 On the Default Rules page under Type find File transfer On/Off, and under
the control column click Edit.
4 Under Options and Values, uncheck the Enable file transfer box, if checked.
5 Click Submit.
6 Open two instant message clients, and validate that no files can be sent from
either user.
When the user tries to send a file, the “IM username has declined your file
transfer” message should appear in the user's instant message text box, and the
file is not sent.
Integrate IM Manager with an existing Symantec security scan engine
Integrated with leading anti-virus scan engines, IM Manager seamlessly scans
and filters all instant message file transfers, and ensures inappropriate or
malicious instant message content is not transmitted. IM Manager allows an
administrator to scan a file that has been transferred via instant message, but is
not exported into the Enterprise Vault archive. IM Manager places the transferred
or scanned file at the file system level.
To integrate IM Manager with a security scan engine
1 Install the Symantec Scan Engine software on the IM Manager server.
2 From the IM Manager server, expand the following: Start Menu\Program
files\Symantec IM Manager\Symantec IM Manager MMC Snap-In
3 Once the MMC Snap-In is open, right-click IM Manager and click Properties.
4 In the IM Properties dialog box, click Virus Scanning Tab.
5 On the Virus Scanning Tab properties page, add a checkmark in the box Enable
Virus scanning.
6 From the Virus scanning engine drop down box, select Symantec Virus
Scanning.
7 Type the Hostname or IP address, or leave the default as Local host.
8 Leave the default as Port 1334.
Disable use of unsanctioned protocols
An organization may want to standardize on one instant message network. If
there is more of a threat associated with one particular network, then it might
make sense to set rules within the company. IM Manager provides the ability to
create rules that can be managed by the administrator. It also provides the ability
to create groups that may need to communicate to customers using a medium
other than the established instant message network.
To disable use of unsanctioned protocols
1 Open IM Manager Administrator console, and go to the following URL:
http://localhost/IMManager/Admin/IMAdminNav.asp
2 Click Rules Manager > Default Rules to load the Default Rules page.
3 Edit the Logging Level rule, which can be found under the type column.
4 Under Options and Values, select the radio button Drop messages entirely.
5 Click Submit to save the changes.
6 In the Default Rules page, click on the instant message network that you want
your users to stop using (for example, MSN instant message network).
7 Edit the Logging level rule for MSN Login ON/OFF.
8 On the Add/Edit rule page under Options and Values, uncheck the option to
allow user to login, and click Submit.
Users should not be able to login to the instant message network you specified.
Instant message logging for journaling and policy enforcement use cases
The following use cases serve to illustrate how IM Manager can be used to deploy
message logging, journaling and policy enforcement. Use these IM Manager
capabilities as appropriate in your organization.
■ Require instant message screen name registration
See “Require instant message screen name registration with Active Directory”.
■ Disable or enable conversation logging
See “Disable or enable conversation logging as a default”.
■ Configure XML and XSL data exports
See “Configure XML and XSL data exports for instant message journaling”.
■ Perform an EV search for a keyword
See “Perform an Enterprise Vault keyword search”.
■ Backup IM Manager database
See “Back up IM Manager database”.
Require instant message screen name registration with Active Directory
Administrators can eliminate risks from malicious instant messages by mapping
instant message screen names to business users through integration with existing
corporate user directories. Policy controls can also be set for user profiles in the
corporate directory, to ensure user authentication before allowing access to instant
message networks. IM Manager also provides support for federated and external
users to extend secure instant message management across corporate network
boundaries. IM Manager can also be configured to associate instant message
screen names to the corporate user directory.
To require instant message screen name registration
1 Open the IM Manager Administrator console, and go to the following URL:
http://localhost/IMManager/Admin/IMAdminNav.asp
2 Click Security Settings > User Registration to load the User
Registration page.
3 Ensure that the Require IM Screen-name Registration checkbox is checked,
and that the Auto Register IM Screen Names checkbox is unchecked.
4 If the user is not registered they will be provided with the following message:
“You cannot login to the IM Network because you have not registered your
IM screen-name. Contact Symantec's internal global IT helpdesk for
assistance.” This message can be changed to convey whatever you want it to,
in your environment.
5 Once the user has been registered within IM Manager, then the user should
not get the message when another instant message user is registered in the
environment.
Disable or enable conversation logging as a default
Some organizations might need to restrict certain internal groups from sending
instant messages to other internal groups. For example, a brokerage firm
may choose to enable all its employees to use instant message networks internally,
but need to restrict the Business Research Group from communicating with the
Trading Group. Conversely, a pharmaceutical company may choose to disable all
its employees from instant message network access, but need to enable only the
Regulatory Affairs Group to conduct instant message communication with Clinical
Trials Groups.
To selectively enable or disable instant message communication
1 Open the IM Manager Administrator console, and go to the following URL:
http://localhost/IMManager/Admin/IMAdminNav.asp
2 Click Rules Manager > Default Rules to load the Default Rules page.
3 On the Default Rules page, edit the Logging Level rule.
4 On the Logging Level rules page under Options and Value, click the Drop message
entirely radio button.
5 Click Submit to save changes.
6 At the IM Manager Administrator console, click User Management > Groups
> Add Groups.
7 At the top of the application window, select the click here hyperlink to create
a new group.
8 Type a name for the new group, for example, Engineering, and click Submit
to save the changes.
9 Click Manage Groups to search for the new group that you created.
10 In the search by box, type the name of the new group that you created, in the
group name field, and click Submit.
11 In the Search Results, the new group name should be listed.
12 In the Search results group summary, in the options column, click the Add User
to this group icon.
13 In the Display name field, type an instant message user's name, for example,
IMuser1 and IMUser2, and click Submit.
14 In the Search result box, highlight IMuser1 and IMUser2. Click the arrow button
to move the IMUsers to the new group. Click Done.
IMuser1 and IMuser2 are now part of the Engineering group.
15 At the IM Manager Administrator console, click Rules Manager | Default
Rules | Search and Add Rules.
16 From the Add a Rule drop down box, click Logging Level, and then click Add.
17 Under Options and Values, click the Log messages in the database radio button,
and click Submit to save changes.
Configure XML and XSL data exports for instant message journaling
IM Manager can archive instant messages to Veritas Enterprise Vault. IM Manager
exports instant message conversations as formatted SMTP messages, and can be
configured to forward those messages to a Microsoft Exchange Journaling mailbox.
These messages are processed, indexed, archived, and made accessible for search
and review by Enterprise Vault.
IM Manager uses the IIS SMTP service built into Microsoft Windows to deliver
instant message transcripts to the Exchange Journaling Mailbox. Ensure that IIS
SMTP is installed on the server on which the IM Manager export tool is installed.
The Symantec IM Manager export tool uses an XSL transformation process to
generate the final SMTP messages that are delivered to Enterprise Vault.
Use the following instructions to set up the IIS service for delivery of messages
to the Exchange server.
To configure IIS SMTP service
1 Open the Internet Services Manager: Start > Programs > Administrative Tools
> Internet Services Manager.
2 Expand the server node, and right-click on the default SMTP Virtual Server.
From the shortcut menu that appears, click Properties.
3 Click the Delivery tab, and then click Advanced. The Advanced Delivery dialog
box appears.
4 Type the hostname or IP address of your Exchange server in the Smart host
text box.
5 Click OK to save the changes.
To test the IIS SMTP configuration
1 Change the X-Receiver field to the name of the Exchange journaling mailbox.
2 Change the From field to be [email protected], where
yourdomain.com is the email domain of your organization.
3 Change the To field to a valid email address for one of your users in your
organization.
4 Drop the modified email message into the SMTP Pickup directory. Verify
delivery of this message to the Exchange journaling mailbox and into
Enterprise Vault Digital Vault.
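The test message this procedure edits and drops can be generated rather than hand-edited. The following is an added example, not code from the Yellow Book or from Symantec: it builds a pickup-format message with the X-Receiver, From and To fields the steps name, rejects values that could inject extra headers or recipients, and moves the finished file into the pickup directory in one rename. The addresses are constructed; the X-Sender envelope line and the default pickup location `C:\Inetpub\mailroot\Pickup` come from the IIS SMTP pickup convention rather than from this page, and the function names are this example's own.

```python
"""Build an IIS SMTP pickup-format test message and place it atomically."""
import os
import re
import sys
import tempfile
from email.message import EmailMessage
from email.policy import SMTP
from email.utils import formatdate, make_msgid

# Deliberately strict: one mailbox, no whitespace, CR/LF, commas or angle
# brackets, so a pasted value cannot smuggle in extra headers or recipients.
_ADDR = re.compile(r"[^@\s<>,;]+@[^@\s<>,;]+\.[^@\s<>,;]+")


def _check(label, addr):
    if not _ADDR.fullmatch(addr):
        raise ValueError(f"{label} is not a single plain address: {addr!r}")
    return addr


def build_pickup_message(journal_mailbox, from_addr, to_addr):
    """Return the bytes of a pickup file.

    X-Receiver carries the envelope recipient (the Exchange journaling
    mailbox); From and To are the headers shown on the archived item.
    X-Sender is the matching envelope-sender line (assumption: not named
    on the page, part of the usual pickup format).
    """
    msg = EmailMessage()
    msg["X-Sender"] = _check("from_addr", from_addr)
    msg["X-Receiver"] = _check("journal_mailbox", journal_mailbox)
    msg["From"] = from_addr
    msg["To"] = _check("to_addr", to_addr)
    msg["Subject"] = "IM Manager journaling path test"
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=from_addr.split("@", 1)[1])
    msg.set_content("Test message for the IIS SMTP smart-host path.\n")
    return msg.as_bytes(policy=SMTP)  # CRLF line endings


def drop_into_pickup(pickup_dir, data, staging_dir=None):
    """Write to a staging file, then rename it into the pickup directory.

    The SMTP service takes files as soon as they appear, so the file must be
    complete before it becomes visible there. The staging directory must be
    on the same volume so that os.replace is a single rename.
    """
    staging_dir = staging_dir or os.path.dirname(os.path.abspath(pickup_dir))
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        name = os.path.basename(tmp_path)[:-4] + ".eml"
        final = os.path.join(pickup_dir, name)
        os.replace(tmp_path, final)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final


if __name__ == "__main__":
    # Constructed sample addresses; replace with the journaling mailbox and
    # a valid sender and user in your own mail domain.
    sample = build_pickup_message(
        "journal@example.com", "imarchive@example.com", "user1@example.com"
    )
    if len(sys.argv) > 1:
        print("dropped", drop_into_pickup(sys.argv[1], sample))
    else:
        print(sample.decode("ascii"))
```

Run it with the pickup directory as the only argument to drop the message; with no argument it prints the message for inspection.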
To set up the XSL file
1 Download the XSL file from Symantec's IM Manager customer self-service
portal located at:
http://www.symantec.com/techsupp/immanager.htm.
Search for the Symantec KB article "Transform.xsl".
2 Save the transform.xsl file to the Symantec IM Manager server where you
have the export tool installed. For example,
c:\Program Files\Symantec\IMManager\IMArchive
3 Open the transform.xsl file in a text editor.
4 Set the value of exportSystem to KVS.
5 Set the value of the journalingEmailboxname variable to the Exchange
journaling mailbox that the Enterprise Vault is processing.
6 Set the value of the fromEmailaddress variable to a valid email address
on your network, such as [email protected]
7 Save the transform.xsl file.
By default, all dates and times in the body of the email message are converted
to the timezone of the server running the export. If necessary, the timezone
can be changed to UTC by changing the value of useLocalDate to false.
Perform an Enterprise Vault keyword search
Once integration between Enterprise Vault and IM Manager is completed, searching
is possible for all IM messages that have been journaled and then stored in
Enterprise Vault. Customers can perform searches on specific keywords or search
for entire IM conversations.
To search for a keyword in Enterprise Vault
1 Open the IM Manager Administrator console, and go to the following URL:
http://localhost/IMManager/Admin/IMAdminNav.asp
2 In the username and password dialog box, type a username and password.
The Enterprise Vault browser search window appears.
3 In the Enterprise Vault browser search window, click on the category content,
and type a word, such as IM.
4 Click Search to start the search. The results show all of the IM Manager
instant messages with the word IM in the body of the messages.
Back up IM Manager database
IM Manager stores the instant message conversations and the IM Manager
configuration information within the SQL database. Using Symantec Backup Exec,
administrators can ensure that exposure to data loss is minimized by regular,
scheduled backups of that database.
For more information regarding backing up a SQL database with Backup Exec,
refer to the Backup Exec section in Chapter 8 of this Symantec Yellow Book, as
well as the Backup Exec 10d Administrator’s Guide.
To back up the IM Manager database
1 Ensure the IM Manager database is included in the selection list during the
backup job setup within Backup Exec.
2 Ensure the schedule for the backup job being created is set to run during the
normal backup timeframe.
3 If you are using Enterprise Vault to archive IM Manager data, back up the
transform.xsl file that was installed and configured during your initial IM
Manager setup.
This file is not part of the SQL database backup; it is a separate selection that
will need to be made during the backup job creation. The recommended
location is the following directory: c:\Program Files\Symantec\imarchive\.
It is normal to have multiple selections for a single backup job.
Chapter 7
Message archiving, retrieval, and storage
This chapter includes the following topics:
■ Microsoft Exchange as an information warehouse
■ Archiving, retrieval, and storage in the Exchange environment
■ Enterprise Vault basics
■ Best practices for planning Enterprise Vault deployments
■ Best practices for sizing Enterprise Vault environments
■ Best practices for preparing the Enterprise Vault environment
■ Best practices for installing Enterprise Vault
■ Best practices for configuring Enterprise Vault
■ Best practices for backing up and recovering Enterprise Vault
■ Common Enterprise Vault challenges and solutions
■ Enterprise Vault usage
Microsoft Exchange as an information warehouse
Increasingly, organizations are using their email storage on Microsoft® Exchange
servers as information warehouses. Because Exchange dates and time stamps
every message it processes, organizations also use Exchange to document the
progress and workflow of business projects.
The knowledge that is contained in email repositories makes the value of email
increasingly important in the modern business enterprise. However, this new
reliance on email has also increased the frustration of email users as they try to
manage, file, and retrieve all of the data that is stored in email archives. It has
also magnified storage issues for IT departments.
To use Exchange as a viable information warehouse, IT organizations must be
able to manage data stores of increasing size, and quickly retrieve relevant
information on request. These tasks are challenging enough, but add to them the
fact that Exchange was never designed to function as a business information
repository. Although companies may be aware of the value of the information
that is contained in Exchange information stores, the unstructured nature of the
Exchange data keeps the information out of the reach of users and organizations.
Archiving, retrieval, and storage in the Exchange environment
In the same way that email security tools act as a first line of defense to keep
unwanted email out of the messaging system environment, email archiving works
to remove saved email messages from the environment, while maintaining the
availability of the data.
The Symantec Enterprise Messaging Management (EMM) solution for Microsoft
Exchange uses Veritas Enterprise Vault to archive Microsoft Exchange email and
instant messages. Enterprise Vault acts as an information warehouse for corporate
data. Organizations can mine the data by using the built-in index and search
technology.
The Enterprise Vault repository is designed to do the following:
■ Flexibly store archived content.
■ Reduce storage size by compression and single-instancing.
■ Index content for rapid and targeted retrieval.
■ Ensure future accessibility by rendering an HTML copy of all archived content.
■ Utilize user-authentication security controls.
■ Define and implement retention and expiration policies.
■ Provide a centralized archiving platform to search IM Manager journal instant
messages.
Enterprise Vault can also facilitate migrations and consolidations by reducing
the size of existing data stores.
See “Benefits of using the Symantec solution to manage Exchange migrations”
on page 263.
Support for structured data
Enterprise Vault provides the following support for structured data:

Categorization
Enterprise Vault supports the archival of categorized
information that is appended to email information.
Categorization is a key driver in the management of email
records. It allows organizations to perform tasks such as
recalling all email messages that are marked as personal,
or retaining all records for a longer period that are marked
as business.

Archiving for compliance and discovery
Enterprise Vault works seamlessly with Exchange
5.5/2000/2003 journaling to satisfy the corporate legal and
regulatory retention requirements. You can configure
Enterprise Vault to retain a copy of all email messages that
are sent and received, for the period of time mandated by
regulatory or corporate requirements.

Note: Organizations that must respond to legal discovery requests or demonstrate
compliance can deploy Veritas Enterprise Vault Compliance Accelerator and
Veritas Enterprise Vault Discovery Accelerator.
See “About Enterprise Vault Discovery Accelerator” on page 230.
Seamless retrieval of archived email
The following Enterprise Vault capabilities provide seamless retrieval of archived
mail:

Online archive access
Enterprise Vault indexes email, attachments, and all
common file types. With an indexed online archive, users
can search available content using different keywords and
search terms, including Microsoft Outlook® message
categories. For example, a firm can quickly recall all email
messages and attachments across an organization that relate
to a particular category or search term.

Lifetime management of
Enterprise Vault automatically manages the full email life
cycle. It protects corporate intellectual property by retaining
access and enabling rapid discovery of content that is based
on defined policies. These policies can be applied to an
organizational unit (OU) or an individual user.

Public folder archiving
Individual folders or folder hierarchies may be archived and
replaced with shortcuts. Folder access controls are
synchronized with Enterprise Vault access to control search
scope.

Offline vault laptop access
Offline Vault provides laptop access to archived email even
when it is not connected to the corporate network.
Enterprise Vault requires little bandwidth, and can be
configured to provide users with a local Vault on their PC
hard drive. At the same time, the user’s email is also
archived to the corporate archive, which protects it from loss or
damage.

Control of PST archives
Enterprise Vault allows organizations to migrate some or all existing PST file data
into an archive repository. By restoring access and search capabilities to this data,
administrators can eliminate the need for PST files.
Enterprise Vault includes the following features:
■ Server-based pull migration, client-side push migration, or a combination of
both.
■ Identification of the ownership of PST files.
■ Central view of all of the PST files in existence on the entire network, along
with the current migration status of these files.
Reduction in the size of Exchange information stores
Archiving helps to keep email available by controlling the amount of data in the
primary messaging systems. The single best practice for ensuring peak
performance within the Exchange environment is to maintain the smallest possible
Exchange data stores.
Small data stores make the task of migrating to newer releases of Exchange easier.
They also improve performance and significantly reduce the backup window. In
addition, smaller data stores allow for an easier restoration of an Exchange
environment in a disaster recovery scenario.
Administrators can improve Service Level Agreements (SLAs) for backup with
archiving. The majority of data is moved from the Exchange stores, which allows
organizations to plan and carry out SLAs. In addition, users can service their own
requests for old and lost information without using Help Desk or administration
resources.
Enterprise Vault improves performance and lowers costs in the following ways:

Optimizes storage
■ Reduces Exchange message store size by 50 percent or more
■ Supports any Windows® NTFS-conforming storage solution,
including magnetic or optical disks, Storage Area Network
(SAN), or Network Attached Storage (NAS)
■ Maintains single-instance storage of identical items

Reduces cost of message retrieval, recovery, and administration
■ Saves time and money that are spent retrieving and
recovering old or lost email
■ Provides immediate recovery of individual mailboxes

Reducing Exchange or file server storage requirements lets administrators
consolidate servers, as more users can be housed and supported on each server.
Enterprise Vault basics
Enterprise Vault provides a flexible archiving framework that lets you discover
content in email, instant messages, file systems, and collaborative environments,
while helping to reduce storage costs and simplify management. Enterprise Vault
manages content by automated, policy-controlled archiving to online stores. It
provides active retention and seamless retrieval of information.
The built-in search and discovery capabilities of Enterprise Vault are
complemented by specialized client applications that support corporate
governance, risk management, and legal protection.
Enterprise Vault is a powerful and complex product. Before it can be deployed, IT
departments should become familiar with its capabilities.
Enterprise Vault installs the following services and tasks:

Directory service
All configuration information for Enterprise Vault is stored
in a SQL Server database with the default name of
EnterpriseVaultDirectory. The directory service is used to
access this database and all information that it contains.

Exchange mailbox task
Each enabled Exchange Server has one Exchange mailbox
task that is assigned to it. The Exchange mailbox task scans
mailboxes on an associated Exchange Server. It detects any
items that are ready to be archived, based on the established
policy for users. For example, a policy could be defined to
prevent archiving of items that are less than 90 days old.
Once an Exchange mailbox task discovers items that match
the policy rules for archiving, the Exchange mailbox task
passes the items to the Storage Service.
The Exchange Mailbox task uses six Microsoft Message
Queues (MSMQ) per service. Each queue has different
functions and priorities that can be monitored to verify
progress.

Journaling task
Enterprise Vault email journaling is managed by the
journaling task. The task is configured to run when a
journaling mailbox whose contents are marked for archiving
by Enterprise Vault has been set up for Exchange.

PST Migration tasks
Separate Enterprise Vault tasks are available to aid PST
migrations. Administrators can manage PST migrations
in several ways with Enterprise Vault.
See “PST file migration” on page 271.

Storage service
The storage service manages the vault and archival storage
in the following ways:
■ Converts email messages to HTML or text
■ Stores compressed versions of email messages, and
stores documents
■ Retrieves archived items for viewing
■ Restores archival items for copying and conversion
■ Deletes archived items upon request
The Storage service creates a compressed version of the
item that is being archived on one of the volumes it
maintains (for example, an NTFS file system), and then
stores metadata about the archived item in the SQL
database.

Indexing service
Enterprise Vault indexes all the items that it archives.
Search capabilities depend on the level of indexing (brief,
medium, and full) that has been established for each Vault
Store. Each indexing service can store its indexes in multiple
locations. Indexes are created using the AltaVista® search
format. Once the index grows to a predetermined size, it
automatically creates a new index for better search
performance.

Shopping service
Each shopping service stores the shopping basket
information that is collected when users invoke the web
access application. Each time a user creates a search using
the Web application, the shopping service stores information
on the volume for that user in order to manage each
shopping basket.

Enterprise Vault includes the following:

Vault stores
A Vault Store consists of a SQL database and an NTFS
volume, or Network Appliance SnapLock™, or EMC Centera™
storage device. These components house the vault store.
When an item is archived, a copy of the item is converted
to an HTML or text file. The original and the copy are stored
in the Vault Store as a single compressed file.
Metadata is written to the database to identify who has
access to the archived item and where the item is stored in
the Vault Store.

Vault store partitions
Enterprise Vault uses storage partitions to collect the files
for all archives. A partition can be open to allow Enterprise
Vault to write archived data to it. A partition can also be
closed to prevent the partition from being used to archive.

Indexes
To search and locate archived items, Enterprise Vault
creates an index of all the items that it archives. brief,
medium, or full indexing.

Web access application
Enterprise Vault includes a web access application that is
used to perform certain search functions using a GUI
interface. The default URL for the web access application
is http://<ServerName>/EnterpriseVault.

Best practices for planning Enterprise Vault deployments
Administrators can customize Enterprise Vault with policies that fit many unique
environments. In general, the investment of effort required to do this is comparable
to the effort required for the implementation of an initial Exchange environment.
Symantec Enterprise Vault training is recommended before implementation.
Alternatively, Symantec Consulting Services can help guide the customization
process.
Administrators should also document the status of the current Exchange
environment as well as the deployment plan.
Documenting the existing Exchange environment
The following information is required to document the status of the existing
Exchange environment:
■ Size of the Exchange data stores
■ Average daily volume of email
■ Average size of email
■ Average size of email attachments
■ Average size of individual email mailboxes
■ Total number of email accounts
■ Current email storage requirements
Documenting the new Exchange Enterprise Vault environment
Before an administrator deploys Enterprise Vault in an Exchange environment,
they need to document the answers to the following questions on policy issues:

Email retention policy
■ How long will email be kept?
■ What are the business goals of the retention policy?
■ When will email be removed from Exchange and moved
into Enterprise Vault stores?
■ When will email be removed from Enterprise Vault?
■ Is there a department-level (human resources, Legal)
retention policy?
■ Will email be retained indefinitely?

Personal Archives (PST) policy
■ Can users keep their own archives?
■ Will archives be centralized?
■ Where will archives be stored? (online, near-line, or
off-line)
■ What storage volumes will contain the vaults?
■ Are policies set per department or per user?

Attachment policy
■ Are policies blocked entirely?
■ Is attachment size limited?
■ Is there a limit on policy type? (such as .exe or .bat files)

Email archiving policy goals
■ Is there a need to keep Exchange data stores small?
■ Does any email, regardless of age, need to be discovered?
■ Is there a need to provide quick access to old email?
■ Will enhanced search capabilities for users be necessary?

End user search capability
■ Will users have the ability to search all of their archives?

Email Auditing requirements
■ Will all Exchange email be journaled for some period of
time?
■ Will legal discovery and compliance searches be
required?

Enterprise Vault deployments vary widely, so the responses to these questions
will also vary by organization. However, most organizations deploy Enterprise
Vault to solve messaging challenges in one of three critical areas: 1) mailbox
management, 2) records management, or 3) message journaling for compliance.
Enterprise Vault is most frequently deployed to simplify mailbox management.
Enterprise Vault addresses the need for quicker recovery times, less email
corruption, elimination of PST files, and better performance, by downsizing
Exchange data stores.
Simplifying Exchange storage and data management improves email availability.
Deployments of this type often use quota-based policies, which specify that email
be migrated to archival storage when a user’s Exchange mailbox reaches a specified
threshold; for example, 80% or 90% of their mailbox size. An indicator for the
age of the email may or may not be set. Automatic archiving and the ability to
view archived items while disconnected from any network or storage with the
offline vault option make such archiving transparent to users.
A records management orientation for Enterprise Vault deployment will lead to
age-based archiving policies. Items in user mailboxes may be automatically
archived after 30 days of receipt. At that point, email that exceeds a certain size,
for example 1 megabyte in size, can be archived. Archiving may then be done for
all email held 90 days, regardless of size, and retained for 3 or 7 years, or as long
as necessary.
Customers with a compliance focus often deploy Enterprise Vault in order to
create a journal of all email and instant messages. The journal allows recovery of
all email messages and instant message conversations for the retention period
specified.
The archiving of journaled email and instant messages is generally immediate.
Retention periods for journaled email may be as short as 30 days or as long as 7
years in regulated industries, such as financial services. Answering the many
archiving policy questions is simpler for customers with a message-journaling
focus, as their focus is often driven by specific laws, regulations, or high-level
corporate policies. Message journaling adds a significant load to the Exchange
and Enterprise Vault servers, as all email, email attachments, and instant message
traffic have to be converted to text or HTML, and archived for future access.
Of course, Enterprise Vault customers may have other orientations or goals that
drive their archiving requirements. These sample orientations are provided to
assist customers in planning their deployments.
Considerations for planning and documenting the Enterprise Vault deployment
Symantec recommends that administrators have a written plan for the deployment
of Enterprise Vault into their organization. Administrators should consider the
following factors when developing an Enterprise Vault deployment plan:

Migration strategy
■ Keep in mind that migration typically takes place over
days or weeks.
■ Consider that the speed of migration is dictated mostly
by the size and type of attachments that need to be
converted as part of the archive process. The size of the
message is also important. In addition, the amount of
server resources that are dedicated to the migration
process also impacts the speed of the migration.
■ Consider processor load requirements when you migrate
aged email. Email migration significantly increases the
processor load on the Exchange server. Simple
maintenance of new email in Enterprise Vault is much
less resource intensive, and therefore has less of an impact
on the Exchange server.
■ Plan for test runs that can help develop accurate
conversion estimates for your environment.
■ Determine hardware needs using Symantec expertise
and the particular experiences gained from initial
deployments in your environment.

Deployment and migration sequence
■ Determine how deployment will proceed.
■ Consider whether archiving will be deployed department
by department.
■ Determine who are the key users.

Indexing
■ Decide on the levels of indexing available: Brief, Medium,
and Full. Full indexing requires more storage space, and
is required for deployments using Enterprise Vault
Compliance Accelerator and Enterprise Vault Discovery
Accelerator.

■ Know the indexing policy that will be implemented and
communicate the policy to the end-user community.
■ Get trained and use consulting services before
implementation.
■ Set user expectations regarding the appearance and
retrieval of archived or Vaulted email.

Best practices for sizing Enterprise Vault environments
To avoid unexpected results or downtime, administrators should always contact
a Symantec Enterprise Vault Consulting Services Center before deploying
Enterprise Vault. The Enterprise Vault Consulting Services Center can provide
the appropriate estimates for scalability, Vault Store growth, speed of searches,
data retention requirements, and other factors.
Estimates are determined by the number and location of Exchange servers, the
size of items that are archived, the frequency of archiving, the retention policies,
the number of users, and how often searches need to run, among other variables.
Administrators can contact Symantec Consulting Services through their local
Symantec sales office, or at the following email addresses:
Symantec Consulting Services has published some estimates on the size of Vault
Stores and indexes, and the amount of information that is stored in Enterprise Vault
over a period of five years.
Based on the information that is provided by Symantec Consulting Services,
administrators can produce estimates for a deployment by reviewing the following
factors:
■ Total volume of email that is archived from users’ mailboxes in one year.
■ Total disk space that is consumed by the Vault Store files, Vault Store
databases, and indexes after all of the user mailboxes have been initially
migrated and archived for one year.
Table 7-1 provides an example of how these sizing factors are estimated.
The figures are based on the following assumptions:
■ The organization has 1,528 email users.
■ All user mailboxes are archived by Enterprise Vault.
■ All messages over 90 days old are archived from all user mailboxes.
■ Each user archives 12 messages per day.
■ There are 250 working days in each year.
■ The average message size is 77 KB.
■ Each mail message is sent to five internal users.
■ Growth of email volume is 15-40 percent annually.
■ Growth of average message size is 30 percent annually.
Table 7-1 Example sizing estimate for deployment planning
Sizing factor | Year 1 | Year 2 | Year 3 | Year 4 | Year 5
Number of users | 1,528 | 1,528 | 1,528 | 1,528 | 1,528
Number of messages archived per day per user | 12 | 14 | 17 | 20 | 23
Average message size in KB | 77 | 101 | 132 | 172 | 224
Total number of messages that are archived | 5,928,090 | 11,276,090 | 17,770,090 | 25,410,090 | 34,196,090
Size of Vault Store NTFS in GB | 78 | 159 | 273 | 431 | 650
Size of Vault Store Database in GB | 1.19 | 2 | 4 | 5 | 7
Size of Indexes in GB | 20 | 95 | 223 | 420 | 716
Size of information that is stored in Enterprise Vault in GB | 98.89 | 255.63 | 499.55 | 856.79 | 1,372.71
Figure 7-1 shows the projected growth of information over five years.
Figure 7-1 Example of projected growth in information storage requirements
Vault Store recommendations
It is recommended that administrators create a new Vault Store for each archive
source.
Organizations that use Veritas Storage Foundation dynamic disk groups can
enable capacity monitoring for any volume. Administrators can also receive email
notification when an established percent-of-filled-capacity threshold is reached.
This enables administrators to take action before a critical condition is reached
that might otherwise stop the archiving process.
Vault Store partition setting recommendations
Enterprise Vault uses storage partitions to collect the files for all archives.
Administrators should determine whether to set individual partitions as either
open or closed. The Open setting allows Enterprise Vault to write archived data,
while the Closed setting prevents items from using that partition when archiving
occurs.
Enterprise Vault saves the archived files that reside on vault store partitions as
DVS files (Digital Vault Save sets). Administrators can configure an Enterprise
Vault policy to later collect DVS files into CAB Container files. CAB files can be
backed up more quickly, since larger files are faster to back up than multiple,
smaller files.
A DVS file does not have to be viewed from inside the Outlook client. Each DVS
file can be opened directly from inside the partition. Because the email
messages in an opened DVS file can be read, administrators must maintain a
form of security on this directory to ensure that end users do not have access
to it.
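One way to check the directory security described above, as an added example that is not part of the Yellow Book or of any Symantec tool: the PowerShell function below reports ACL entries on a partition folder and its subfolders that grant read access to any identity outside an approved list. The function name, the partition path and the approved identities are assumptions, and PowerShell is assumed to be available on the server.

```powershell
# Added example: report ACL entries that let identities outside an approved
# list read a Vault Store partition folder, where the DVS files are stored.
# The function name, the sample path and the approved list are assumptions.

function Get-UnexpectedPartitionReader {
    param(
        [Parameter(Mandatory = $true)][string]   $Path,
        [Parameter(Mandatory = $true)][string[]] $ApprovedIdentity
    )

    # Bits that expose file content. ReadData and ListDirectory share bit 0x1.
    # Generic bits can appear unmapped in inherit-only entries, so test them too.
    $readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $genericRead = [int]::MinValue     # GENERIC_READ, 0x80000000 as a signed Int32
    $genericAll  = 0x10000000          # GENERIC_ALL
    $readMask    = $readData -bor $genericRead -bor $genericAll

    # Check the partition root and every subfolder, because a subfolder with
    # inheritance switched off can carry entries the root does not show.
    $folders  = @(Get-Item -LiteralPath $Path)
    $folders += @(Get-ChildItem -LiteralPath $Path -Recurse |
                  Where-Object { $_.PSIsContainer })
    $rootName = $folders[0].FullName

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow entries that include a read-type right are of interest.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $readMask) -eq 0) { continue }

            # Inherited entries are reported once, at the root, to keep output short.
            if ($ace.IsInherited -and $folder.FullName -ne $rootName) { continue }

            # String comparison with -contains is case-insensitive.
            $identity = $ace.IdentityReference.Value
            if ($ApprovedIdentity -contains $identity) { continue }

            New-Object PSObject -Property @{
                Folder    = $folder.FullName
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Sample call. The path and the account names are hypothetical placeholders.
$partition = 'E:\EVStore\Partition1'
$approved  = 'BUILTIN\Administrators',
             'NT AUTHORITY\SYSTEM',
             'EXAMPLE\EVAdmin'          # the Vault service account in this sketch

if (Test-Path -LiteralPath $partition) {
    Get-UnexpectedPartitionReader -Path $partition -ApprovedIdentity $approved |
        Format-Table Folder, Identity, Rights, Inherited -AutoSize
}
```

An empty result means every read-capable entry belongs to an approved identity; any row returned names a folder and an account to review.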
The CAB collection process occurs once a day, at a predefined time that is
previously configured. There must be at least 15 DVS files before a CAB file is
generated. Each CAB file can contain a maximum of 1,000 DVS files.
About the Admin Service
The Admin Service monitors space for all local hard drives on the system on which
it is installed and running. If necessary, the Admin Service writes warning
messages to the Windows Application Log. It will also shut down Enterprise Vault
services before the storage space allocated to Enterprise Vault is exceeded. It does
this to maintain data integrity across the Exchange Server and its Vault Stores.
The Veritas Storage Foundation for Windows capacity monitoring capability can
be configured to send an email notification automatically when an established
capacity threshold is reached. For example, an administrator can define a
notification that delivers a warning message when a volume reaches 95 percent
capacity. If more space is not allocated before a partition fills, Enterprise Vault
shuts down the Admin Service to prevent any more data from being accepted into
its queue.
Selecting the level of indexing
Administrators can set one of the following three levels of indexing for archived
items:
■ Brief
Enables searching of common Outlook fields and metadata searching. Author,
Subject, Recipient, Created Date, Expiry Date, File Extension, Retention
Category, and Original Location attributes are all searchable.
■ Medium
Enables all the same searching that Brief Indexing offers, as well as allowing
single word searches of any item that is archived, including attachments.
■ Full
Enables all the same searching that Brief and Medium Indexing offers, as well
as allowing the ability to perform full-text, phrase-level searches on any items
that are archived.
Note: Full indexing is required for Enterprise Vault Compliance Accelerator and
Enterprise Vault Discovery Accelerator searching.
The three levels of indexing have the following impact on storage size:
■ Brief indexing: Every item that is archived increases the index file by 3
percent of the actual size of the item archived.
■ Medium indexing: Every item that is archived increases the index file by 8–12
percent of the actual size of the item archived.
■ Full indexing: Every item that is archived increases the index file by 12–20
percent of the actual size of the item archived.
It is highly recommended to store Index files (flat files) on SAN or DAS storage
devices due to heavy I/O usage. To improve performance, administrators should
store Index files on separate volumes from the Enterprise Vault Partition being
used for the Enterprise Vault Store files and databases.
Note: Once an index is created, its location cannot be easily changed.
Administrators must allocate adequate space to enable the index to grow over
time.
Best practices for preparing the Enterprise Vault environment
Before Enterprise Vault can be installed in a Microsoft Windows® Server 2003
environment, administrators must complete the following preparation tasks:
■ Installation software prerequisites
■ Enterprise Vault Service account creation
■ SQL login account creation
■ Enterprise Vault server preparation
Installation software prerequisites
Administrators must install the following software in a Windows Server 2003
environment:
■ Microsoft Windows Server 2003 with the latest service packs and patches
■ Windows 2003 ASP.NET and Active Server Pages components
If the Enterprise Vault Compliance Accelerator and Discovery Accelerator will
be installed, an Authenticated User account with Full Control privileges must
be added to the Windows TEMP folder and ASP.NET folder.
■ Microsoft Internet Explorer with the latest service packs
■ Microsoft SQL Server 2000 with Service Pack 3, 3a, or 4 (SP4 is preferred)
Case-sensitive installations are not supported.
■ Microsoft Exchange Server 2003 with Service Pack 1
■ Microsoft Outlook 2003 with Service Pack 2
See “Email archiving hardware and software requirements” on page 81.
For more information, see the Installing and Configuring Enterprise Vault 6.0
manual.
It is highly recommended that Veritas Storage Foundation for Windows software
be installed in a Windows 2003-based Exchange environment.
Finally, verify that administrators have obtained an Enterprise Vault license for
all computers that will be running the Enterprise Vault Services.
Enterprise Vault Service account creation
Administrators must create a Windows service account on the server on which
Enterprise Vault will be installed. An example of a Windows service account name
for Enterprise Vault might be EVAdmin.
The account must meet the following criteria:
■ Be a domain-based Windows security account belonging to the local
Administrators group on each computer that runs Enterprise Vault services.
■ Be a member of the Exchange Administrators group for the Exchange store
that will be archived.
■ Be given Full Control privileges to each Exchange server to be archived using
Enterprise Vault.
■ Should not be a Domain Administrator account
It is better to assign Exchange Server permissions to the user account explicitly,
as described in the Installing and Configuring Enterprise Vault 6.0 manual.
■ Be given database access rights to the Microsoft SQL Server(s) that are deployed
for Enterprise Vault.
See “SQL login account creation” on page 159.
SQL login account creation
To create an SQL login account, administrators must complete the following tasks
in SQL Enterprise Manager:
■ Expand the SQL Server container and select Security. Then right-click Logins
and, on the shortcut menu, click New Login. Select and enter the name of the
Vault Service Account. For example, domain\EVAdmin.
■ On the General tab, verify that Windows Authentication is set, Grant Access
is enabled, and that the correct domain for the account is selected.
■ On the Server Roles tab, enable the Database Creators role.
■ On the Database Access tab, in the Permit column for the Master database,
place a checkmark.
■ On the Database Access tab, under Roles, assign the user db_owner permissions.
Enterprise Vault server preparation
Before Enterprise Vault is installed, the administrator must prepare the server
for installation, as follows:
■ Perform a custom installation of Microsoft Outlook and select the Collaboration
Data Objects option.
■ Add and configure the following Windows components:
■ Message Queuing with Active Directory® Integration disabled.
■ Application Server Console enabled.
■ Active Server Pages enabled.
■ Active Server Pages scripts that are enabled to run.
■ Install Microsoft Exchange System Manager 2003 with System Management
Tools.
■ Create a Vault Site Alias on the DNS server.
For complete instructions for preparing the Enterprise Vault server, see the
Installing and Configuring Enterprise Vault 6.0 manual.
Installing and configuring Microsoft Outlook
Enterprise Vault requires an installation of Microsoft Outlook 2003 SP3 that has
the Collaboration Data Objects option enabled.
To install and configure Microsoft Outlook
1 Log on to the Enterprise Vault server by using the Enterprise Vault service
account.
2 Begin installing Microsoft Outlook 2003 SP2.
3 During installation, enable Choose Advanced customization of applications
to access the Outlook component options for installation.
4 In the panel containing the Outlook custom component options, expand the
Outlook tree options and select Collaboration Data Objects.
Enterprise Vault 6.0 and later releases now perform this step automatically.
Adding and configuring Windows components
Administrators must first log on to the Enterprise Vault server with the Enterprise
Vault service account.
Table 7-2 shows the components that administrators must add and configure.
Table 7-2 Windows components to add and configure

Windows component: Message Queuing with Active Directory Integration disabled
Configuration procedure: In the Windows Control Panel, in Add or Remove programs, do the following:
■ In the Add or Remove Windows Components program, click Application Server
and then click Details.
■ Click Message Queuing and uncheck Active Directory Integration.
Unless Active Directory Integration is disabled, its installation will result in a
sizeable performance loss.
Note: Microsoft Message Queuing is I/O intensive, so it should always be moved from
the default installation drive of C:\ to another local drive.

Windows component: Application Server Console
Configuration procedure: In the Windows Control Panel, in Add or Remove programs, do the following:
■ In the Add or Remove Windows Components program, click Application Server
and then click Details.
■ Click Application Server Console.

Windows component: Active Server Pages
Configuration procedure: In the Windows Control Panel, in Add or Remove programs, do the following:
■ In the Add or Remove Windows Components program, click Application Server
and then click Details.
■ Click IIS and then click Details.
■ Click World Wide Web Service and then click Details.
■ Click Active Server Pages.

Windows component: Active Server Pages scripts enabled to run
Configuration procedure: On the Windows desktop, do the following:
■ Click My Computer > Manage.
■ In the Computer Management dialog box, in the directory tree, expand Services
and Applications > IIS Manager > Web Service Extensions.
■ In the Web Service Extensions pane, verify that Active Server Pages is set to
Allowed.
Installing Exchange System Manager 2003 with System Management tools
As part of the preparation for installing Enterprise Vault, the Microsoft Exchange
System Manager 2003 needs to be installed on the Enterprise Vault server.
To install Microsoft Exchange System Manager 2003 with System Management
tools
1 Verify that the server meets the minimum system requirements for Exchange
System Manager 2003.
For more information, go to the following URL:
www.Microsoft.com
2 Log on to the Enterprise Vault server with the Enterprise Vault service
account.
3 Begin an installation of Microsoft Exchange System Manager.
4 Select a custom installation.
5 Disable Messaging and Collaboration Services.
6 Enable System Management Tools.
Creating an Enterprise Vault Site Alias on the DNS server
Administrators can install Enterprise Vault without a Vault Site alias. However,
the best practice is to define a Vault Site alias before installing Enterprise Vault,
as the alias cannot be changed after it has been configured.
Additionally, a Fully Qualified Domain Name (FQDN), such as
EnterpriseVaultServer.yourdomain.com, should not be used. Instead, use an alias
such as “EnterpriseVaultServer”. If the Enterprise Vault server name is changed
or moved to a different domain, or if clustering is later used, an administrator
can reassign the DNS alias to the new server, domain, or cluster. It is also a best
practice to assign and refer to all Enterprise Vault servers by an alias.
To create an Enterprise Vault Site Alias on the DNS server
1 Have the DNS administrator log on to the DNS server.
2 Select Start > Programs > Administrative Tools > DNS.
3 Expand the DNS server, and then expand Forward Lookup Zone.
4 Select the domain in which Enterprise Vault is to reside.
5 Right-click the domain, and then select New Alias.
6 Under Alias, type the name of the Enterprise Vault alias.
7 Under FQDN for Target Host, type the fully qualified name (FQN) of the
Enterprise Vault server.
Creating an Outlook profile on the Enterprise Vault server
After Outlook is installed, the administrator must create an Outlook profile on
the Enterprise Vault server.
To create an Outlook profile on the Enterprise Vault server
1 On the Exchange server, in Windows, expand Active Directory Users and
Computers > New User.
A new user wizard launches.
2 In the wizard, verify that the Create an Exchange mailbox option is enabled.
3 Select First Organization/First Administrator Group/Your_Server.
4 Select First Storage Group/Mailbox Store (the server).
5 In Outlook, while still logged on with the Enterprise Vault service account,
open the mailbox just specified.
Opening the mailbox registers the MAPI connection, which enables
administrators to analyze Exchange stores.
Best practices for installing Enterprise Vault
When administrators use the Enterprise Vault Installation Wizard to install
Enterprise Vault, they should perform the following tasks:
■ Select the option to install Enterprise Vault Services and Administration
Console only.
Avoid installing additional options at this time.
■ After installation completes, leave the Run the configuration option enabled,
and then click Finish to exit the wizard.
Best practices for configuring Enterprise Vault
The Enterprise Vault Configuration program guides administrators through the
creation of a Vault directory and database, and a Vault site. The wizard also helps
administrators add Vault service properties on the new server. After completing
these directory setup tasks, the Administration Console can be used to further
configure Enterprise Vault.
Enterprise Vault Configuration program tasks
Administrators can create a Vault directory and database, and a Vault site; add
Vault services; and add and configure Vault service properties.
Table 7-3 shows the basic steps involved in using the Enterprise Vault
Configuration Wizard.
Table 7-3 Directory setup tasks using the Configuration Program

Task: Creating a new Enterprise Vault directory database
Wizard options: Configure the following wizard options:
■ Do you want to create a new Vault Directory on this computer: Type Yes
■ Vault service account: Type the Enterprise Vault service account that was already
created. Use the format DomainName\VaultAdminAccount.
The following permissions are automatically granted: Logon as service, Act as
part of operating system, Debug program rights.
■ SQL Server location: Type the location that was previously installed to host the
databases. Use the format ServerName\InstanceName if using Instance Names,
or ServerName, if Instance Names are not being used.
Note: An existing SQL Server computer or the server that is dedicated to Enterprise
Vault can be used. Folders must be created below the root level of the volume to
create the database; for example, F:\Folder. This database grows at the rate of 250
bytes per archived item.
■ Where MDF and LDF database files are hosted: Type the location on the SQL Server
computer where MDF and LDF database files are hosted.

Task: Creating a new Enterprise Vault site
Wizard options: Configure the following wizard options:
■ Vault site name: Type the name of the new Enterprise Vault site.
The name of the site cannot be changed after it has been created.
■ Vault Site Alias: Type the site alias that was created on the DNS server.

Task: Adding Enterprise Vault service properties
Wizard options: Configure the following wizard options:
■ After the Enterprise Vault services are created, right-click Index Service, and
then select Properties.
■ On the Index Locations tab, add the location to which Index Services should store
the index.
Note: The default location for the index files is the C:\ drive. As indexes increase
in size, it is recommended that another location be used. If another location is
used, remember to delete the existing entry. Indexes cannot be stored on a
read-only disk, and should not be moved after creation.
■ Complete the wizard. View the properties of the other Enterprise Vault services
and make changes, if necessary.
■ Start all Enterprise Vault Services.
Note: The services will not start unless an administrator has installed the
appropriate license keys. The license keys should be installed as described in the
instructions that are supplied with the keys.
Enterprise Vault Administration Console configuration tasks
After an administrator completes the Enterprise Vault Configuration Program,
the Enterprise Vault Administration Console can be launched. When prompted
for the Directory Service Computer to connect to, the Enterprise Vault server
name must be entered.
In the Enterprise Vault Administration Console, an administrator must complete
the following configuration tasks in the order presented:
■ Creating a Vault Store
■ Creating the Exchange Mailbox task
■ Microsoft Exchange forms distribution
■ Folder creation
■ Installing Microsoft Exchange forms
■ Enabling archiving for mailboxes
■ Policy creation
■ Retention categories setup
■ Site properties view
■ Enterprise Vault configuration to support Exchange email journaling
■ Configuring Enterprise Vault to support Symantec IM Manager
■ Archiving public folders
■ User desktops setup
■ Generating reports
Creating a Vault Store
After the Vault directory is configured using the Enterprise Vault Configuration
Program, administrators can use the Administration Console to create and
configure a Vault store.
To create a Vault store
1 Open the Enterprise Vault Administration Console.
2 Expand the tree view until the Vault Store directory is visible.
3 Right-click the directory and select New > Vault Store.
4 Type a name for the new Vault Store.
5 Type the SQL Server location that was previously installed to host the
databases. Use the following format: ServerName\InstanceName if using
Instance Names. Use the format: ServerName if not using Instance Names.
To see all directories, authenticate to the SQL Server computer.
6 Name the partition and determine whether the new vault store should be
Open.
If it is the first vault store partition, create the partition as Open.
7 Complete the remainder of the wizard, accepting the default settings or
configuring the settings you want.
8 When prompted, click Share archived items to enable single-instance storage.
Single-instance storage optimizes the use of storage space. For example, with
this option enabled, a large Microsoft PowerPoint® slide deck that is sent to
multiple email addresses on the same Vault store is archived only once.
At the time of install, it is also recommended that administrators set the File
Collection Software option to None. As the data collection continues to
increase, this setting can be changed in Enterprise Vault by selecting Vault
Stores > Vault Store Name > Properties.
Creating the Exchange Mailbox task
After the Vault Store is created, administrators can then create the Exchange
Mailbox task.
Note that if Compliance Accelerator and Discovery Accelerator are to be installed
and used, indexing must be set to Full.
To create the Exchange Mailbox task
1 In the Enterprise Vault Administration Console, expand the tree view until
the Archiving Targets > Exchange directory is visible.
2 Right-click Exchange and select New > Domain.
3 Type the name of the domain that contains the Exchange Server to be
archived.
It is recommended not to enable the Use specific Global Catalog server option.
4 Expand the tree view until the newly added domain is visible.
5 Right-click the Exchange Server and select New > Exchange Server.
6 Type the name of the Exchange Server on which items should be archived.
7 Leave the Exchange Mailbox Task option enabled, and verify that the
Enterprise Vault server that is listed is the correct one.
Microsoft Exchange forms distribution
To distribute the Microsoft Exchange forms that are installed from the Enterprise
Vault kit, it is recommended that the forms be placed in the Microsoft Exchange
Organization Forms Library. Administrators must provide all Enterprise Vault
users access to the Forms Library. However, before access to the forms can be
provided, administrators may need to create a folder in the Organization Forms
Library to hold the forms (for example, VaultIcons).
For complete instructions, administrators can refer to the Distributing the
Microsoft Exchange forms section in the Installing and Configuring Enterprise
Vault 6.0 manual.
Folder creation
Administrators must create a folder in the Organization Forms Library with
access provided to all Microsoft Exchange users who are going to use Enterprise
Vault. Administrators can use Exchange System Manager’s Administrative
Groups management facility to create a folder that is accessible throughout an
Exchange organization.
Installing Microsoft Exchange forms
Administrators can install the forms from Microsoft Outlook using a mailbox that
has Owner permissions for the folder in the Organization Forms Library. This is
done on the computer to which the Microsoft Exchange Forms from the Enterprise
Vault kit have been installed. Users can access the new forms when they install
the Enterprise Vault User Extensions.
To install Microsoft Exchange Forms
1 Open Microsoft Outlook.
2 In the Tools menu, click Options > Advanced Options > Custom Forms >
Manage Forms.
3 Locate the Forms Library and set the filter to show Form Message (*.fdm).
4 Install the Enterprise Vault Archive Item, Delete Pending Item, Pending Item
and Restore Pending Item forms to the Enterprise Vault folder (not Personal
Forms).
For complete instructions, administrators can refer to the Installing and
Configuring Enterprise Vault 6.0 manual.
Enabling archiving for mailboxes
An Exchange Mailbox task allows mailboxes to be archived using the Vault store.
After an Exchange Mailbox task is created, individual mailboxes can be assigned
to that task. Before archiving can begin, administrators must configure the
archiving and retention policies for the mailboxes.
To enable archiving for a mailbox
1 If necessary, create a Vault store and partition.
2 If necessary, do the following to add an Exchange Organization:
■ Expand Vault Site > Archiving Targets > Exchange > Domain >
Organization Unit.
■ Right-click Organization Unit and select New > Organization Unit.
■ Proceed through the wizard.
■ Enter the name of an Organization Unit in the Domain that you want to
add, or select the Whole Exchange Organization check box.
■ Select an Exchange Mailbox Policy and PST Migration Policy.
■ Select a default Retention Category.
■ Select a default Vault Store.
■ Select a default Indexing Service.
■ If mailboxes are to be enabled automatically, select the Automatically
enable mailboxes option.
When mailboxes are enabled automatically, they are put into certain
default policy groups, and some flexibility is lost. To determine whether
it is appropriate to enable this option, administrators should review the
Enterprise Vault documentation.
3 To enable archiving for particular mailboxes, in the Administration Console,
click Enable Mailbox on the Tools menu or click the Enable Mailboxes for
Archiving icon on the toolbar. Then complete the wizard.
It is not necessary to use the Synchronize option when enabling or disabling
mailboxes, as Enterprise Vault automatically performs a full synchronization.
However, to enable a newly created mailbox for archiving, run the Synchronize
option. New mailboxes do not appear in the list of new mailboxes to add for
archiving until a synchronization has occurred.
Policy creation
Enterprise Vault includes a default Mailbox, Journal, and Public Folder policy.
Administrators can create new policies and edit existing policies. A Lock option
can be enabled to prevent users from changing their personal settings.
Note: Review the Policy Properties\Archiving Rules tab. Consider setting the policy
to Start with items larger than X. When this option is set, larger items are archived
first, which reduces the size of the mailboxes.
See the Installing and Configuring Enterprise Vault 6.0 manual for complete
instructions. Alternatively, search on quota-based archiving in the Enterprise
Vault online Help documentation.
Retention categories setup
Enterprise Vault includes predefined retention categories. Administrators can
create new retention categories and edit existing retention categories.
It is recommended that a retention category be assigned to items at the time that
they are archived. This makes it easier for Enterprise Vault to retrieve items, as
it is possible to search by category.
Note: Once an item is archived, its retention category cannot be changed. Only
the name of the retention category and the retention period can be changed. For
a workaround, an administrator must first restore the item, then change the
retention category, and finally archive it again.
See the Installing and Configuring Enterprise Vault 6.0 manual for complete
instructions.
Site properties view
Administrators can view vault site properties by clicking the Review Site Properties
toolbar icon.
Before reviewing site properties, administrators should refer to the Installing and
Configuring Enterprise Vault 6.0 manual for information about each setting.
Enterprise Vault configuration to support Exchange email journaling
Administrators can archive Enterprise Vault email journaling by configuring an
Enterprise Vault Journaling Task. Before an Enterprise Vault Journaling Task can
be configured, the Exchange Server must be configured to direct all mail to one
or more designated journal mailboxes. To do this, administrators must enable the
option: Archive all messages sent or received by mailboxes on this store. After
enabling Exchange to journal, a Journal Task can be created in Enterprise Vault.
Note: Exchange email journaling is a resource-intensive activity for Exchange
servers. For organizations with 1000-2500 email users, it is possible that additional
Exchange servers and storage will be required for journal processing.
Administrators can contact their Symantec partner or Symantec Professional
Services for more information.
All journaled mailboxes should be stored in a different Vault Store from user
mailboxes or public folders that are being archived.
After Journaling is set up, administrators can review the types of emails that are
being archived. Decisions about whether to remove read receipts or system
messages from the list can also be made.
Administrators should refer to the Installing and Configuring Enterprise Vault 6.0
manual for more information. Alternatively, they can refer to the Enterprise Vault
Settings for a Journal Mailbox topic in the Enterprise Vault online Help.
Configuring Enterprise Vault to support Symantec IM Manager
Symantec IM Manager uses the Exchange journal mailbox to export IM messages
to Enterprise Vault. The IM Manager export tool uses an XSL transformation
process to generate the final SMTP messages that are delivered to Enterprise
Vault.
Note: By default, all dates and times in the body of the email message are converted
to the timezone of the server running the export. If preferred, an administrator
can change the timezone to UTC by changing the value of useLocalDate to false.
var fromEmailaddress = "[email protected]";
var journalingEmailboxname = "[email protected]";
var useLocalDate = true;
// Set this to 'false' if you want the dates/times in the body of
// the message to be UTC.
// Change this to one of: Legato, KVS, Exchange
var exportSystem = "KVS";
To enable archiving for a mailbox
1 Download the XSL file from the Symantec KB article INFO: Transform.xsl.
2 Save the transform.xsl file to the IM Manager server where the export tool
is installed: c:\Program Files\Symantec\imarchive\.
3 Open the transform.xsl file in a text editor.
4 Set the value of exportSystem to KVS.
5 Set the value of the journalingEmailboxname variable to the Exchange
journaling mailbox that the Enterprise Vault is processing.
6 Set the value of the fromEmailaddress variable to a valid email address
on your network, for example, [email protected]
7 Save the transform XSL file.
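The following check is an added example, not Symantec code: it reads the variable block of an edited transform.xsl and reports any setting that does not match steps 4 to 6 above, including an assignment that has ended up inside a // comment and is therefore never executed. The one-statement-per-line layout, the function names and the example.com addresses are assumptions made for illustration.

```python
import re

# Variables that steps 4-6 of the procedure above tell the administrator to set.
REQUIRED = ("exportSystem", "journalingEmailboxname", "fromEmailaddress")

# Assumption: each setting is a one-line `var name = "text";` or `var name = true;`.
_ASSIGN = re.compile(r'^\s*var\s+(\w+)\s*=\s*(?:"([^"]*)"|(true|false))\s*;')
_EMAIL = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')

# Constructed sample inputs (not taken from a real transform.xsl).
GOOD = '''var fromEmailaddress = "imexport@example.com";
var journalingEmailboxname = "evjournal@example.com";
var useLocalDate = true;
// Change this to one of: Legato, KVS, Exchange
var exportSystem = "KVS";
'''
FUSED = '''var fromEmailaddress = "";
var journalingEmailboxname = "evjournal@example.com";
var useLocalDate = true;
// Change this to one of: Legato, KVS, Exchange var exportSystem = "KVS";
'''


def read_settings(text):
    """Return {name: value} for assignments that are live code, not comment text."""
    settings = {}
    for line in text.splitlines():
        match = _ASSIGN.match(line)  # a line that starts with // never matches
        if match:
            name, quoted, boolean = match.groups()
            settings[name] = quoted if quoted is not None else (boolean == "true")
    return settings


def commented_out(text, name):
    """True when some line carries `var <name> =` after a // comment marker."""
    pattern = re.compile(r'//.*\bvar\s+' + re.escape(name) + r'\s*=')
    return any(pattern.search(line) for line in text.splitlines())


def check_transform(text, target="KVS"):
    """List every deviation from the procedure; an empty list means ready to save."""
    settings = read_settings(text)
    findings = []
    for name in REQUIRED:
        if name not in settings:
            reason = "is commented out" if commented_out(text, name) else "is not set"
            findings.append(f"{name} {reason}")
    system = settings.get("exportSystem")
    if system is not None and system != target:
        findings.append(f"exportSystem is {system!r}, expected {target!r}")
    for name in ("journalingEmailboxname", "fromEmailaddress"):
        value = settings.get(name)
        if value is not None and not _EMAIL.match(str(value)):
            findings.append(f"{name} is not a usable address: {value!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("FUSED", FUSED)):
        print(label, check_transform(sample) or "ok")
```

The value of useLocalDate is returned by read_settings, so the same pass can confirm whether message-body timestamps will be local time or UTC.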
Searching Enterprise Vault for Symantec IM Manager instant messages
Before searching on Symantec IM Manager instant messages, administrators need
to refer to the following section in chapter 6, which describes the steps to search
for instant messages using the Enterprise Vault browser search:
See “Instant message logging for journaling and policy enforcement use cases”
on page 138.
Administrators must also make sure that EV journaling is configured properly.
For more information on setting up archiving of journaled messages, see Installing
and Configuring Enterprise Vault 6.0.
Administrators can easily archive instant messages to Veritas Enterprise Vault.
IM Manager exports instant messages as formatted SMTP messages, and can be
configured to forward those messages to a Microsoft Exchange Journaling mailbox.
Once they are forwarded to Exchange Journaling, the messages can be processed,
indexed, archived, and made accessible for search and review by Enterprise Vault.
Enterprise Vault provides search capabilities through a web browser that allows
a user to search messages within any vault store.
To perform a web browser search on existing IM Manager instant messages
1 From a web browser, enter the following URL:
http://<ev server name>/EnterpriseVault/search.asp
2 If prompted, enter a domain\username and password in the dialog box.
3 Select the category Content, and then type IM
4 Click the Search button to start the search.
Archiving public folders
Before Enterprise Vault can begin archiving public folders, administrators should
create an Exchange Public Folder Task for the Exchange server. When a public
folder root path is specified, all folders in that path are archived by default.
Administrators can refer to the Installing and Configuring Enterprise Vault 6.0
manual for more information. Alternatively, they can also view the Public folder
archiving, best practices topic in the Enterprise Vault online Help.
User desktops setup
Enterprise Vault provides three ways to grant users access to items in the archive
Vault. Administrators can deploy Vault User Extensions for Outlook, enable
Enterprise Vault shortcuts, or use the Enterprise Vault Web access application.
With User Extensions, an administrator can restrict or enable actions to determine
what a user is allowed to do with the installation of Enterprise Vault User
Extensions for Outlook. Users can archive emails, perform searches on multiple
archives, view, restore, delete items, and set access permissions on archive folders.
Administrators can refer to the Installing and Configuring Enterprise Vault 6.0
manual for complete instructions.
With Enterprise Vault shortcuts, users do not need User Extensions installed on
their desktops. The shortcuts give users browser access to archives, enabling them
to view, search, restore and delete items, but not to manually archive items.
See the Installing and Configuring Enterprise Vault 6.0 manual for more
information.
With the Enterprise Vault Web access application, users can search, view, restore,
and delete items in their archives by using their browsers. With this option, users
cannot manually archive items.
See the Installing and Configuring Enterprise Vault 6.0 manual for complete
instructions. Alternatively, see the Web Access application topic in the Enterprise
Vault online Help.
If users are allowed to delete from the vault, auditing must also be enabled.
Auditing logs information so that deleted items can be retrieved from backups,
if necessary. To disable the delete option, modify the desktopsettings.txt file.
Offline Vault provides users with the ability to view and retrieve items from their
Archives when they are disconnected from the Exchange Server. Offline Vault is
enabled automatically for any user that uses an Outlook .OST file. When a user
is working offline, all requests to retrieve items are re-routed to the Offline Vault.
Generating reports
Reports that are created by Exchange Mailbox and Exchange Public Folder Tasks
display the number and total size of items that are scheduled for archiving. In
addition, reports display the number of expired shortcuts that can be deleted.
Reports can be generated when enabling, disabling, or creating new mailbox
archives, to see how much space would be saved by enabling more mailboxes for
archiving. When running a task in Report mode, nothing is archived at the time
of the report run.
To generate a one-off report for individual mailboxes
1 Open the Mailbox Archiving Task properties for the Exchange Server.
2 Click the Schedule tab.
3 Under Run, click Run Now.
4 In the Run Now window, do the following:
■ Under Run Mode, click Report.
■ Under Number of mailboxes, click Select mailboxes.
5 In the Mailbox Filter window, provide the search information for the mailbox.
6 Click OK.
Reports are saved in the Enterprise Vault installation folder. The default
location is:
C:\Program Files\Enterprise Vault\Reports
Best practices for backing up and recovering Enterprise Vault
Enterprise Vault is a distributed application that installs software components
across multiple servers. To ensure a backup of Enterprise Vault, administrators
must back up the original deployment install directories and file sets, as well as
other critical components, such as MSMQ, IIS, SQL and Exchange.
For more information on this topic, see the Enterprise Vault Administrator’s Guide.
Regardless of the backup software used, an administrator must ensure that these
components are backed up properly.
See “Best practices for Symantec Backup Exec” on page 205.
The following Enterprise Vault components must be backed up:
■ Directory Service SQL database
■ Directory Service computer
Perform a full system and file backup, including registry
■ Index Service file locations
View Properties for each Service to locate install directories
■ Shopping Service files
View Properties for each Service to locate install directories
■ Vault Store SQL databases
■ Vault Store files
Use Enterprise Vault Admin Console to locate each Storage Service and the
vault store files
■ Enterprise Vault Servers
Perform a full system and file backup, including registry
It is recommended to shut down all Enterprise Vault services during backups.
Alternative methods exist that allow services and tasks to be placed in a read-only
state during backups.
For information about alternative methods for backup, see the Enterprise Vault
Administrator's Guide 6.0.
SQL Server database backup recommendations
As with any SQL database, it is important to have a daily backup plan in place,
and to monitor the amount of space allocated to the databases.
Administrators should review corporate policies and procedures and the SQL
Server best practices documentation to determine the acceptable levels of data
restoration, for example, point-in-time or point-in-failure. This documentation
review will also assist administrators to plan how frequently to run backups of
any database and all transaction logs.
The following backup schedules are recommended:
■ Back up all vault store databases daily after the main run of the Exchange
Mailbox task
■ Back up the Directory database at least weekly
■ Back up the Directory database transaction logs at least daily
■ Back up all system databases, especially Master and MSDB, after any change
For more information, search the Microsoft web site for information on best
practices for SQL Server backup.
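As an added illustration (not part of the Symantec guide), the check below compares backup history rows with the schedule recommended above and lists every database that falls outside it. The row shape mirrors the database_name, type and backup_finish_date columns of msdb.dbo.backupset; the database names, timestamps and function names are constructed assumptions, and the "after any change" rule for system databases is not covered because backup history alone cannot show when a change was made.

```python
from datetime import datetime, timedelta

FULL, LOG = "D", "L"  # backup type codes as stored in msdb.dbo.backupset.type

# Constructed sample data: (database_name, type, backup_finish_date).
NOW = datetime(2006, 3, 10, 8, 0)
ARCHIVE_RUN_END = datetime(2006, 3, 10, 2, 0)  # end of the main Exchange Mailbox task run
HISTORY = [
    ("DirectoryDB", FULL, datetime(2006, 3, 5, 3, 0)),
    ("DirectoryDB", LOG, datetime(2006, 3, 9, 23, 0)),
    ("VaultStoreA", FULL, datetime(2006, 3, 10, 3, 30)),
    ("VaultStoreB", FULL, datetime(2006, 3, 9, 22, 0)),
]


def latest(history, database, kind):
    """Most recent finish time of a backup of `kind` for `database`, or None."""
    times = [done for name, btype, done in history if name == database and btype == kind]
    return max(times) if times else None


def check_schedule(history, now, directory_db, vault_store_dbs, archive_run_end):
    """Return one finding per recommendation that the history does not satisfy."""
    findings = []

    # Directory database: full backup at least weekly.
    full = latest(history, directory_db, FULL)
    if full is None or now - full > timedelta(days=7):
        findings.append(f"{directory_db}: no full backup in the last 7 days")

    # Directory database transaction logs: at least daily.
    log = latest(history, directory_db, LOG)
    if log is None or now - log > timedelta(days=1):
        findings.append(f"{directory_db}: no transaction log backup in the last 24 hours")

    # Vault store databases: daily, and after the main archiving run.
    for database in vault_store_dbs:
        full = latest(history, database, FULL)
        if full is None or now - full > timedelta(days=1):
            findings.append(f"{database}: no full backup in the last 24 hours")
        elif full < archive_run_end:
            findings.append(
                f"{database}: last full backup finished before the archiving run ended"
            )
    return findings


if __name__ == "__main__":
    stores = ["VaultStoreA", "VaultStoreB", "VaultStoreC"]
    for line in check_schedule(HISTORY, NOW, "DirectoryDB", stores, ARCHIVE_RUN_END):
        print(line)
```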
Enterprise Vault recovery
Restoring an Enterprise Vault environment from backup requires multiple
considerations.
For a comprehensive discussion of what is required to properly restore an
Enterprise Vault environment see the Enterprise Vault Administrator's Guide 6.0.
Common Enterprise Vault challenges and solutions
Table 7-4 presents some of the challenges faced by users, and the solutions to
those challenges.
Table 7-4 Solutions to common Enterprise Vault challenges
Challenge: End-users can keep large volumes of email and attachments stored in
their Outlook clients. This can reduce Exchange Server performance, and add to
the administrative tasks to manage storage.
Solution: Enterprise Vault automatically moves older items from the Exchange
Server to the Enterprise Vault archive. Administrators can specify the time to
deploy the archive by utilizing age-based archiving policies or specific
size-quota-based archiving policies. Administrators can give end-users the
ability to archive manually by deploying client-side utilities, or can prevent
end-users from changing any policy.
Challenge: End-users may delete important mail or data, either inadvertently or
purposefully, to gain needed space on their local drives. This requires an
administrator to restore the data, which can be costly and time consuming,
especially if archives are stored off-site.
Solution: If end-users have their data archived by Enterprise Vault and
client-side tools are deployed, users can restore directly from their Vault
Store.
Challenge: End-users may keep their mailbox stored in local PST files instead
of utilizing the corporate storage, which leads to greater mail storage
requirements and data management overhead. IT Managers cannot manage email
when it is stored in local PST files.
Solution: Existing data stored in local PST files can be migrated and archived
to Enterprise Vault. End-users can retain access to their data by deploying
client-side tools. Administrators can restrict the deployment of PST files to
maintain a central storage of corporate data.
Challenge: Exchange Servers can require a longer backup window than what is
available. In this case, a backup will fail unless the window is extended to
accommodate the longer backup job.
Solution: Enterprise Vault’s mailbox archiving can reduce the Information Store
size once archiving is enabled, which reduces the necessary backup window, and
allows the backup job to run successfully.
Challenge: All mail must be maintained in a location where it can be accessed
for legal discovery, auditing, or compliance purposes.
Solution: Enterprise Vault’s Journal archiving functionality, in conjunction
with the Exchange Server Journaling option, can collect and archive all email
sent or received by all users on each enabled Exchange Server. Sites can
maintain a copy as long as required by law, or by internal policies.
Enterprise Vault usage
Table 7-5 lists guidelines for using Enterprise Vault.
Table 7-5 Enterprise Vault usage guidelines
Guideline: Set Enterprise Vault to restrict any new mailboxes from being
archived automatically.
Description: From the Tools menu, you can select Enable Mailboxes and proceed
through the wizard. When prompted to Automatically enable mailboxes, it is
recommended that administrators not enable this option. Enabling the option can
remove some flexibility in the administration of Enterprise Vault.
Guideline: Control which disks the Admin Service monitors.
Description: The Admin Service monitors all local disks by default, whether or
not they are used by Enterprise Vault. If a disk that is not used by Enterprise
Vault becomes too full, the Admin Service could shut down Enterprise Vault,
even though Enterprise Vault has enough available space. In this case, the
Admin Service can be stopped, if necessary, and set to restart without
monitoring that disk.
To stop monitoring disks, open Services and select Pause or Stop the Enterprise
Vault Admin Service.
Note: Do not stop the Admin Service unnecessarily. Enterprise Vault requires
the Admin Service to be present at all times. If the Admin Service is stopped,
all the other Enterprise Vault services on the same computer are also shut down.
Modify the behavior of the Admin Service by initializing the Admin Service with
the following startup parameters:
■ To specify a list of disks to monitor (and to omit other disks), use the
/DISKS=<list> parameter, where <list> is the list of disks that will be
monitored. Do not include any spaces or tabs in the list value. The colon (:)
in the disk name is optional.
For example, to monitor only disks C:, E:, and F:, type /DISKS=C:E:F:
■ To restore the default behavior (to monitor all disks), type /DISKS
■ To turn off monitoring for the next instance of the Admin Service, type
/NOMONITOR
■ To turn on monitoring for the next instance of the Admin Service, type
/MONITOR
■ To make a parameter apply every time the Admin Service starts, add the
/SAVE parameter. For example:
/DISKS=C:E:F: /SAVE
/NOMONITOR /SAVE
Guideline: Force shortcut deletion to occur immediately instead of waiting for
a scheduled deletion.
Description: Forcing shortcut deletion is useful for PST migrations in which
older shortcuts need to be removed from mailboxes. For more information, review
Site Properties on the Vault Store.
Alternatively, see the Shortcut deletion topic in the Enterprise Vault online
Help.
Guideline: Force archiving to process a specific mailbox.
Description: If a mailbox is not archiving, the archiving function can be
forced to process only a specific mailbox, even if other mailboxes are enabled
for archiving. To archive a specific mailbox, go to Site Properties > Schedule >
Run Now, and then set Number of Mailboxes to Select Mailboxes.
Guideline: Archiving deleted items from the Deleted Items folder for a period
of time.
Description: By default, messages within the Deleted Items folder will not be
archived. Administrators can configure Enterprise Vault to archive the Deleted
Items folder by doing the following:
■ Follow the directions in Editing Settings in the Enterprise Vault
Administrator’s Guide.
■ Configure the Enterprise Vault Policy Manager scripting tool to apply a policy
to the Deleted Items folder. A policy of 0 days can be created with a Janitor
retention category specifying that these items are deleted from Enterprise
Vault in a specified number of days.
Policy Manager allows administrators to apply settings to individual mailboxes
more specifically than when the EV Administration Console is used.
For more information, see the Enterprise Vault Administrator’s Guide.
Guideline: Configure Enterprise Vault to run slower or faster as needed.
Description: By modifying the properties of the archiving task, administrators
can force the update of the number of threads in the Exchange Mailbox task to
reduce the impact on an Exchange server. The threads for off-peak periods can
then be increased.
Guideline: Ignore some errors.
Description: The following errors can be ignored:
■ 8 byte boundary error from MSMQ Performance object
■ MSMQ has no privilege to create audit log
■ DCOM errors in system log after reboot
Guideline: Troubleshoot connectivity issues.
Description: If Exchange connectivity issues occur, locate the file fixmapi.exe
on the Enterprise Vault server. Launch the executable file and then reboot the
server.
Chapter 8
Enhancing Microsoft® Exchange Server availability
This chapter includes the following topics:
■ About Microsoft Exchange Server availability
■ Best practices for Veritas Storage Foundation for Windows
■ Best practices for Veritas Storage Foundation High Availability for Windows
■ Best practices for Symantec Backup Exec
About Microsoft Exchange Server availability
This chapter describes the Symantec availability solution within the network
perimeter. The potential sources of disruption to email and Microsoft Exchange
servers are so numerous that ensuring continuous availability of an Exchange email
environment can be a daunting challenge.
Risks to email availability
As a critical component of IT service, Exchange email is subject to a number of
risks.
Table 8-1 categorizes the major risks that threaten the continuous availability of
Exchange email.
Table 8-1 Risks to email availability
Risk: Major disasters
Description: Severe weather or earthquakes can disrupt entire geographic
regions for a prolonged period of time.
Risk: Localized disasters
Description: A power failure or fire can affect a local data center.
Risk: External data threats
Description: Spam, viruses and worms with the potential to bring down the
server, either by attacking the operating system or the Exchange server, or by
overloading the capacity of the Exchange server.
Risk: Hardware component failures
Description: The power supply can fail to a storage subsystem, network router,
or server.
Risk: Logical data threats
Description: User errors, index corruption or application problems can result
in data loss.
Risk: Exchange environment changes
Description: The Exchange application environment depends on many different
components, which require constant maintenance. Maintenance includes: firmware
updates, OS patches, capacity upgrades, preventative maintenance on storage
hardware, and driver updates. These updates, while necessary to maintain the
Exchange environment, can introduce instability and downtime.
Exchange service requirements
Microsoft Exchange is a resource-intensive application that often requires the
best server hardware and storage available to the datacenter. IT organizations are
painfully aware that Exchange data stores grow daily and can rapidly fill the most
expensive storage space on their network.
To meet ever increasing demands, IT organizations must ensure a resilient
foundation for the Exchange environment that can provide the following
functionality:
■ Storage management
Storage management systems allow IT to grow and shape Exchange storage
while keeping it available.
■ High availability clustering
Recent clustering technology allows the Exchange service to continue running
even after complete failure of an Exchange server.
■ Backup protection
Solid backup protection lets IT recover and restore data, even from a disaster.
Ensuring the availability of an Exchange service begins with providing all of this
functionality. In addition, administrators must be able to constantly monitor
these functions so that they can be alerted to potential problems. IT organizations
must continually assess whether their Exchange environment can deliver. If not,
organizations are risking Exchange downtime and sacrificing availability.
Symantec solution to ensure Exchange availability
The Symantec solution for Enterprise Messaging Management ensures high
availability for Microsoft Exchange with the following combination of products:
■ Veritas Storage Foundation™ for Windows®
This product provides the ability to monitor, manage, and grow Exchange
storage with a unified interface and without downtime. Storage Foundation
extends and enhances Windows with the industry’s leading volume
management technology. Administrators can configure, share and manage
storage for optimal performance and availability, creating a scalable foundation
for storage growth.
■ Veritas Storage Foundation™ High Availability (HA) for Windows®
This product adds Veritas™ Cluster Server to Storage Foundation, which allows
administrators to cluster critical applications and resources, and further
eliminates planned and unplanned downtime. Resource and application-specific
agents, including an agent for Exchange, monitor and manage the critical
components of the Exchange environment to ensure maximum application
availability.
■ Symantec Backup Exec™
This product provides Exchange server with complete backup protection,
ensuring that IT organizations can implement a complete disaster recovery
plan. Backup Exec together with Storage Foundation also enables off-host
backup, thus offloading the burden of backup processing from the Exchange
server.
Modular approach
The Symantec solution for Enterprise Messaging Management takes a modular
approach to ensuring email availability. Organizations can implement different
components in a phased approach, depending on their specific needs.
By implementing the Symantec availability solutions, IT organizations can ensure
the constant availability of their Exchange services, and protect their company’s
investment in the Exchange infrastructure. The products that comprise the
Symantec solution are Microsoft-certified, and are integrated into the Windows
environment. Symantec and Microsoft have collaborated to improve storage
manageability on the Windows platform. Veritas Storage Foundation builds on
the dynamic volume capabilities now native to the Windows platform.
Table 8-2 describes the necessary features for implementing high availability in
an Exchange environment.
Table 8-2 Symantec availability solution features
Symantec solution product: Storage Foundation
Product features:
■ Capacity monitoring that allows threshold alerts to be set over all Exchange
storage. In the event of a triggered alert, notification can be sent to the
administrator, or storage can be increased automatically, as set by policy.
■ Design storage configurations that use mirroring or mirroring/striping
combinations to protect from the failure of a disk or array LUN.
■ Point-in-time image creation of storage groups for quick recovery from logical
errors or data corruption.
■ In the event of a triggered alert, SNMP notification can be sent to the
administrator or to management software, such as HP OpenView or IBM Tivoli, or
storage can be automatically increased.
Symantec solution product: Storage Foundation HA for Windows (using Veritas
Cluster Server)
Product features:
■ Hot-failover and load balancing of the Exchange server on up to 32 cluster
nodes to provide high availability and performance scalability of the Exchange
environment.
■ Ability to perform maintenance and testing by proactively moving application
services to alternate servers in the cluster.
■ Ability to meet service level agreements (SLAs) by automatically monitoring
application delivery, and failing over to alternative resources.
Symantec solution product: Backup Exec
Product features:
■ Special dedicated backup agents that integrate with the Exchange server,
ensuring smooth operation of the backup process with the Exchange service.
■ Single console interface to monitor backups regardless of how many backup
servers are involved.
■ Off-host backup capability that natively integrates with Storage Foundation,
providing extra backup protection and improved backup performance.
Best practices for Veritas Storage Foundation for Windows
Symantec provides best practices and recommendations for the deployment and
configuration of Storage Foundation in a Microsoft Exchange environment.
To implement Symantec availability products in an Exchange environment, IT
organizations should follow the instructions in the Symantec product
administration guides for Veritas Storage Foundation for Windows, Veritas Storage
Foundation High Availability for Windows, and Symantec Backup Exec.
The Veritas Storage Foundation and High Availability Solutions 4.3 Solutions Guide
for Microsoft Exchange is also useful for Exchange server configurations.
These guides, including this Symantec Yellow Book, provide recommendations
that will make the implementation of these products successful.
Challenges to managing Exchange storage
One of the more important considerations relating to the availability, security,
and performance of an Exchange environment is the definition and maintenance
of an efficient storage layout. The way in which storage is planned significantly
affects the Windows and Exchange environment. Optimally, administrators in
the Exchange environment should have the best tools to give them the most
flexibility and ease of use at their disposal.
Storage Foundation includes the following items:
■ Host-based storage virtualization
Through volumes and other storage abstractions, Storage Foundation provides
the ability to dynamically allocate new storage and perform data migrations
(while applications like Exchange remain on-line) across all types of disks
(whether ATA-, SCSI-, Fibre Channel-, or iSCSI-attached), including RAID
arrays. All Storage Foundation data and storage operations are transparent
to applications, such as Exchange, file systems, databases, and so forth.
■ Advanced Dynamic Disk support
Storage Foundation builds on the dynamic disk capability that Veritas built
into Windows 2000 and 2003 for Microsoft. Storage Foundation provides
mirrored stripes, concatenated mirrors, more than two mirrors, clustering
support, Windows-compliant disk multi-pathing, storage monitoring and
notifications, and other features.
■ Veritas FlashSnap™ option
This option provides a Microsoft approved (for Exchange), Volume Shadow
Copy Service (VSS)-compliant snapshot mechanism that can accelerate the
recovery of Exchange to a point in time or the point of failure through the use
of point-in-time snapshots. FlashSnap can also enhance backup performance
through alternative, host-accessible snapshots that are integrated with Backup
Exec’s Advanced Disk-based Backup Option (ADBO).
Storage Foundation solutions to Exchange store challenges
Table 8-3 describes the ways in which Storage Foundation solves the storage
challenges of the Exchange environment.
Table 8-3 Exchange storage challenges
Challenge: Storage requirements are approaching Exchange server thresholds
Solution: Capacity monitoring: This feature monitors storage activity and
provides alerts when storage levels reach pre-defined thresholds. Actions and
Thresholds are fully user-definable.
Challenge: Exchange server needs more storage
Solution: Dynamic Volume growth: Storage Foundation can increase the size of
Exchange data stores manually or automatically without impacting the Exchange
server.
Challenge: Managing complex RAID configurations from multiple vendors
Solution: Enhanced RAID management: Storage Foundation can manage any
block-level storage devices including FC, iSCSI, and DAS, all with a
consistent, unified user interface.
Challenge: Managing Exchange storage across different hardware vendors
Solution: Storage flexibility: Storage Foundation enables control of storage
costs by providing maximum flexibility in storage choice. There is a single,
consistent management interface to heterogeneous storage hardware such as
Hitachi®, HP, and EMC®. Storage Foundation allows the use of inexpensive
storage in a RAID configuration.
Challenge: Tape restores do not provide a rapid recovery from an Exchange outage
Solution: FlashSnap snapshots: Provide point-in-time recovery from hard disk
storage that is much faster than tape restores. FlashSnap snapshots are fully
integrated with Windows Server 2003 Volume Shadow Copy Service (VSS). FlashSnap
provides built-in VSS Provider and VSS Requester support to allow creation of
Microsoft supported and approved snapshots.
VSS integration ensures that the Exchange application is quiesced before taking
a snapshot, ensuring high integrity snapshots for recovery. FlashSnap is also
fault-tolerant as it prepares a full mirror copy and is not reliant on the
original volume if it fails (as in the case of copy-on-write snapshots).
Challenge: Backup window for Exchange is long due to processor load
Solution: Reduced backup window: Reduces the server load to Exchange by
providing off-host backups. Off-Host backups can be performed from a secondary
server location, thereby decreasing the processor load on the Exchange server.
Storage Foundation implementation and usage recommendations
There are many tasks to consider when implementing Storage Foundation in an
Exchange environment. Administrators should use the following sequence of
tasks for a Storage Foundation implementation:
■ Study the Storage Foundation documentation and system requirements for
Microsoft Exchange.
■ Plan Exchange storage layout. (Layout examples are provided.)
See “Suggested Exchange storage group layout with Storage Foundation”
on page 189.
■ Deploy Storage Foundation in the Microsoft Exchange environment.
Storage Foundation documentation and prerequisites
The Veritas Storage Foundation for Windows Administrator Guide contains
information on storage technologies and how to best use them. It is also an
excellent resource for information on general storage management features,
capacity monitoring, and Auto Grow.
The Veritas Storage Foundation and High Availability Solutions 4.3 Solution for
Microsoft Exchange provides best practices regarding snapshot solutions for Quick
Recovery.
The following are Storage Foundation installation prerequisites:
■ Ensure that hardware, software, and system requirements are met.
■ Ensure that networking and firewall requirements are met.
■ Make available the license keys for the Storage Foundation options to be
implemented.
■ Perform a system reboot after installation of Storage Foundation.
These tasks are covered in the Veritas Storage Foundation for Windows Installation
and Upgrade Guide.
Plan the Exchange storage layout
Dynamic volumes and RAID play an integral part in providing reliability and
performance in the Exchange environment. There are different benefits for each
RAID type in relation to different Exchange objects.
For more information on the different RAID types, see the Veritas Storage
Foundation for Windows Administration Guide.
Administrators should also research the best practices regarding Exchange storage
layout. In addition to Microsoft documentation, the Veritas Storage Foundation
and High Availability Solutions 4.3 Solutions Guide for Microsoft Exchange is a
helpful resource for mapping out Exchange storage. The guide is available from
Symantec.
RAID volumes can be optimized in a variety of environments. For Exchange
environments with Storage Foundation, Symantec recommends the following
practices:
■ Increase read performance and failure tolerance with host-based mirroring
■ Plan disk group usage
■ View the suggested configuration of disk groups and volumes for an Exchange
server for help in planning Exchange storage layout.
See “Suggested Exchange storage group layout with Storage Foundation”
on page 189.
Increase read performance and failure tolerance with host-based mirroring
Administrators can use host-based mirroring of virtual disks to increase overall
system read performance and failure tolerance. In a mirrored configuration, read
requests are handled in a round-robin fashion. The round-robin algorithm
distributes read requests across all members, or plexes, of a mirrored volume.
Mirroring can increase read performance significantly.
Host-based mirrored volumes provide protection against hardware failures such
as I/O bus, host bus adapter, power and cooling, RAID controller, and disk.
Plan disk group usage
Table 8-4 describes two methods for use of disk groups.
Table 8-4 Disk group usage methods
Method: Use multiple disk groups
Description: Storage Foundation defines labeled disk groups. Disk groups
provide a way of organizing physical disks in a system into logical entities,
which simplifies storage management for systems with large numbers of disks.
Disk groups are useful for managing storage in clusters, as well as convenient
for organizing and managing disk storage resources on an application basis.
Method: Allocate disk groups in clusters
Description: Storage Foundation is a group of disks that can be migrated from
one cluster node to another as a unit. (Only entire disk groups migrate or fail
over). The disks that hold a clustered application's data should belong to the
cluster disk groups that are associated with that application. The disk groups
should be part of the application’s resource group, so that failover can occur.
In a cluster, each application that fails over independently of other
applications should have its data stored on volumes in disk groups that are
exclusive to that application. This allows an application’s storage to fail
over with the application without having an adverse effect on other
applications or their associated storage.
Use Veritas FlashSnap option
The Storage Foundation FlashSnap option enables storage administrators to
create multiple point-in-time copies, or snapshots, of dynamic volumes. This can
be done with minimal impact on applications and users. The snapshot is a
broken-off mirror of the original volume and functions as an independent volume.
It can be retained on the same host or moved to another host. It can be merged
back with the original volume until another snapshot is implemented.
On-host snapshots can be used for quick recovery of an application, such as
Microsoft Exchange. Off-host snapshots allow users to perform resource-intensive
processes, such as application testing, decision support, data mining, and backups,
without affecting production servers and data.
Plan the Exchange storage groups
By using the following recommendations, administrators can better leverage the
functionality of Storage Foundation, including snapshots and Quick Recovery for
Exchange:
■ Database stores and transaction logs for each storage group must be stored
on disks contained within a single dynamic disk group.
■ Each database should be in a separate volume, but the volumes may share the
same dynamic disks.
■ Mailbox stores and public stores must be stored on separate volumes to enable
independent recovery.
■ Database stores and transaction logs must be in separate volumes in order to
perform a roll-forward recovery to the point of failure.
■ Database stores and transaction logs should be on separate disks so that disk
failure does not affect both the database stores and transaction logs.
■ Configure transaction logs in a redundant layout. The preferred software
layout is RAID 0+1 (mirrored stripes) volumes as this provides better read and
write performance than RAID 1 (mirrored) alone. The transaction log will
generate the most I/O and thus should use the highest performance disks
available.
■ Use the preferred layouts for the database stores, which are hardware RAID
5, software RAID 1 (mirroring) with logging (DRL) enabled, or software RAID
0+1 (mirrored stripes).
FlashSnap option is not supported for software RAID 5 volumes.
■ Associate no more than six volumes with a storage group. One volume should
contain the transaction logs. Up to five other volumes may contain databases.
■ Move the components of the first storage group to new volumes off of the boot
drive. By default, the first storage group is mapped to the boot drive. A snapshot
image cannot be taken of the boot drive.
■ Use Exchange System Manager to move production databases and logs off of
the boot drive onto newly created volumes that are created with Storage
Foundation.
■ Use Exchange transaction logs to roll forward a database to achieve a
point-of-failure recovery. The circular logging option should not be enabled.
If circular logging is enabled, a database cannot be rolled forward to achieve
a point-of-failure recovery.
■ Optionally create another shadow copy set after an incremental tape backup.
Create this shadow copy set on a separate set of disks rather than refreshing
the shadow copy set taken after the full backup. This practice ensures that the
shadow copy set of a clean database is not being overwritten with an image of
a potentially corrupted database.
Note: As a quick recovery practice, Symantec recommends that administrators
create or refresh a shadow copy set immediately after a full tape backup of
Exchange. At this point, the database has been checked for corruption and the
transaction logs have been truncated. This ensures a clean database image.
Suggested Exchange storage group layout with Storage Foundation
Table 8-5 shows a sample configuration and layout to create the appropriate disk
groups and volumes in an Exchange environment.
Table 8-5 Example configuration for Exchange server EXCH1

| Exchange server | Exchange storage group | Dynamic disk group | Volume name | Drive letter | Volume content |
| --- | --- | --- | --- | --- | --- |
| EXCH1 | EXCH1_SG1 | EXCH1_SG1 | EXCH1_SG1_TLogs | T: (or Mount Point) | Volume for storing the Microsoft Exchange Server SG1 transaction log files |
| EXCH1 | EXCH1_SG1 | EXCH1_SG1 | EXCH1_SG1_DB1 | S: (or Mount Point) | Volume for storing the Microsoft Exchange Server SG1 database |
| EXCH1 | EXCH1_SG1 | EXCH1_SG1 | EXCH1_SG1_Pub | P: (or Mount Point) | Volume for storing the Microsoft Exchange Server public folders DB |
| EXCH1 | EXCH1_SG2 | EXCH1_SG2 | EXCH1_SG2_TLogs | J: (or Mount Point) | Volume for storing the Microsoft Exchange Server SG2 transaction log files |
| EXCH1 | EXCH1_SG2 | EXCH1_SG2 | EXCH1_SG2_DB1 | K: (or Mount Point) | Volume for storing a Microsoft Exchange Server SG2 database |
| EXCH1 | EXCH1_SG2 | EXCH1_SG2 | EXCH1_SG2_DB2 | L: (or Mount Point) | Volume for storing another Microsoft Exchange Server SG2 database |
In the example, the dynamic disk group EXCH1_SG1 is a concatenation of the
names of the Exchange server, EXCH1, and the Storage Foundation dynamic disk
group, SG1. SG1 corresponds to the first Exchange storage group for the EXCH1
server (Storage Group 1). The configuration assumes that two Exchange storage
groups and two databases are used in this configuration.
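The storage group planning rules and the Table 8-5 layout can be checked mechanically before any volumes are created. The following is an added example, not code from the Symantec guide: the volume, storage group and disk group names come from Table 8-5, while the physical disk names, the boot drive letter, the rule names and the `Volume` class are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

BOOT_DRIVE = "C:"        # assumption: drive letter of the Windows boot volume
MAX_VOLUMES_PER_SG = 6   # one transaction-log volume plus up to five database volumes


@dataclass(frozen=True)
class Volume:
    name: str
    storage_group: str
    disk_group: str
    drive: str
    contents: tuple            # what the volume holds: "log", "mailbox", "public"
    disks: frozenset           # physical disks backing the volume (constructed)
    layout: str = "RAID 0+1"   # e.g. "RAID 1", "RAID 0+1", "software RAID 5"
    flashsnap: bool = True     # snapshots are planned for this volume


def lint_layout(volumes):
    """Return sorted (rule, subject) findings; an empty list means compliant."""
    findings = set()
    by_sg = defaultdict(list)
    for v in volumes:
        by_sg[v.storage_group].append(v)
        databases = [k for k in v.contents if k != "log"]
        if v.drive.upper().startswith(BOOT_DRIVE):
            findings.add(("on-boot-drive", v.name))            # cannot be snapshotted
        if "log" in v.contents and databases:
            findings.add(("logs-share-volume-with-database", v.name))
        if "mailbox" in v.contents and "public" in v.contents:
            findings.add(("mailbox-and-public-share-volume", v.name))
        if len(databases) > 1:
            findings.add(("multiple-databases-in-volume", v.name))
        if v.flashsnap and v.layout == "software RAID 5":
            findings.add(("flashsnap-on-software-raid5", v.name))
    for sg, vols in by_sg.items():
        if len({v.disk_group for v in vols}) > 1:
            findings.add(("storage-group-spans-disk-groups", sg))
        if len(vols) > MAX_VOLUMES_PER_SG:
            findings.add(("too-many-volumes", sg))
        logs = [v for v in vols if "log" in v.contents]
        data = [v for v in vols if any(k != "log" for k in v.contents)]
        for lv in logs:
            for dv in data:
                # A single disk failure must not take out both logs and databases.
                if lv is not dv and lv.disks & dv.disks:
                    findings.add(("logs-and-database-share-disk",
                                  f"{lv.name}+{dv.name}"))
    return sorted(findings)


def vol(name, sg, dg, drive, contents, disks, **kw):
    return Volume(name, sg, dg, drive, tuple(contents), frozenset(disks), **kw)


# Table 8-5 layout; the Harddisk names are constructed for the example.
TABLE_8_5 = [
    vol("EXCH1_SG1_TLogs", "EXCH1_SG1", "EXCH1_SG1", "T:", ["log"], ["Harddisk1", "Harddisk2"]),
    vol("EXCH1_SG1_DB1", "EXCH1_SG1", "EXCH1_SG1", "S:", ["mailbox"], ["Harddisk3", "Harddisk4"]),
    vol("EXCH1_SG1_Pub", "EXCH1_SG1", "EXCH1_SG1", "P:", ["public"], ["Harddisk3", "Harddisk4"]),
    vol("EXCH1_SG2_TLogs", "EXCH1_SG2", "EXCH1_SG2", "J:", ["log"], ["Harddisk5", "Harddisk6"]),
    vol("EXCH1_SG2_DB1", "EXCH1_SG2", "EXCH1_SG2", "K:", ["mailbox"], ["Harddisk7", "Harddisk8"]),
    vol("EXCH1_SG2_DB2", "EXCH1_SG2", "EXCH1_SG2", "L:", ["mailbox"], ["Harddisk7", "Harddisk8"]),
]

# Constructed counter-example: first storage group left on the boot drive,
# second storage group split across disk groups with logs and data on one disk.
BAD_LAYOUT = [
    vol("EXCH1_SG1_All", "EXCH1_SG1", "EXCH1_SG1", "C:",
        ["log", "mailbox", "public"], ["Harddisk0"], layout="RAID 1"),
    vol("EXCH1_SG2_TLogs", "EXCH1_SG2", "EXCH1_SG2", "J:", ["log"], ["Harddisk5"]),
    vol("EXCH1_SG2_DB1", "EXCH1_SG2", "EXCH1_SG1", "K:", ["mailbox"], ["Harddisk5"],
        layout="software RAID 5"),
]

if __name__ == "__main__":
    for label, layout in (("Table 8-5", TABLE_8_5), ("constructed bad layout", BAD_LAYOUT)):
        print(label)
        for rule, subject in lint_layout(layout) or [("ok", "no findings")]:
            print(f"  {rule}: {subject}")
```
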
Deploy Storage Foundation in the Exchange environment
Storage Foundation is an integral part of the storage management infrastructure
in the Exchange environment. Symantec recommends installing Storage
Foundation on all Exchange mailbox servers in the Exchange environment before
installing any other product in the Symantec solution.
Administrators should read the Storage Foundation product documentation and
review the recommendations in this book to prepare for a deployment of Storage
Foundation.
Best practices for Veritas Storage Foundation High Availability for Windows
In the enterprise environment, high availability can describe any software or
hardware that provides fault tolerance. The term has become associated more
specifically with clustering. Clustered systems offer advantages, including fault
tolerance, high availability, scalability, simplified management, and support for
rolling upgrades.
The following sections describe concepts relating to Veritas Storage Foundation
High Availability for Windows and its clustering component, Veritas™ Cluster
Server. Also provided are best practices for the implementation of Veritas Cluster
Server 4.3 clustered solutions in an Exchange environment.
Challenges to clustering the Exchange environment
As a critical application, Exchange must be highly available to the organization.
Veritas Cluster Server, the clustering component for Storage Foundation HA for
Windows, can keep downtime to less than 52 minutes per year. Clustering provides
redundancy with a hot-failover mechanism to one of the multiple server nodes
within the cluster. This failover is mostly transparent to users, which is a
desirable configuration.
Storage Foundation HA for Windows solutions to Exchange clustering challenges
By capitalizing on the key strengths of Veritas Cluster Server, Storage Foundation
HA for Windows can do the following:
■ Automatically monitor all Exchange components and respond appropriately
in the event of a problem, failing over to other resources if necessary.
■ Allow administrators to proactively switch Exchange functions to other
resources to perform routine maintenance or upgrades on components, such
as server upgrades or OS patch applications.
Table 8-6 describes Exchange clustering challenges and how Veritas Cluster Server
meets the challenges.
Table 8-6 Exchange clustering challenges and Veritas Cluster Server solutions

| Challenge | Solution |
| --- | --- |
| Creating high availability regardless of hardware brand | With Veritas Cluster Server, up to 32 nodes can be clustered. Nodes can be configured as load balancing or failover. |
| Controlling costs of cluster hardware | Exchange servers can share passive nodes one at a time or as a group. |
| Troubleshooting Exchange problems without third-party programs interfering | Veritas Cluster Server can be removed temporarily from the Exchange environment to allow for troubleshooting, and then reinstated. |
| Clustering other applications in addition to Exchange | Veritas Cluster Server can cluster most applications. |
| Clustering different brands and types of server hardware | Veritas Cluster Server can cluster heterogeneous server hardware. Hardware does not need to be identical. |
| Clustering an existing Exchange server installation without reinstalling Exchange | Veritas Cluster Server can cluster the Exchange environment, even if Exchange is already installed. |
| Providing granular administrative rights | Veritas Cluster Server provides a detailed level of rights management of the cluster. |
| Using external storage hardware from different vendors | Veritas Cluster Server can cluster heterogeneous storage. |
About Storage Foundation HA for Windows
Veritas Storage Foundation High Availability for Windows (including both Veritas
Storage Foundation for Windows and Veritas Cluster Server) provides a framework
for application management and availability. Storage Foundation HA for Windows
lets administrators monitor systems and application services, and restart services
on a different system when hardware or software fails.
Veritas Cluster Server clusters
A Veritas Cluster Server cluster is composed of a set of systems that provide
scalability and high availability for specific applications. Veritas Cluster Server
monitors and controls the applications in a cluster, and can restart or move them
in response to a variety of hardware and software faults. A cluster consists of
multiple systems connected by a dedicated communications infrastructure. This
infrastructure enables cluster members to exchange information on the status of
cluster resources.
Each cluster has a unique cluster ID. Systems in a cluster are connected by
redundant cluster communication links. Clusters can have from 1 to 32 member
systems, or nodes. Applications can be configured to run on specific nodes within
the cluster. Nodes can be individual systems, or they can be created with domains
or partitions on enterprise-class systems.
Individual cluster nodes run their own operating system and possess their own
boot device. Each node must run the same operating system within a single Veritas
Cluster Server cluster.
Most applications in a cluster require access to shared application data for systems
hosting the application. Nodes sharing storage access are eligible to run an
application. Nodes without common storage cannot fail over an application that
stores data to disk.
Resources
Resources are hardware or software entities, such as disk groups and file systems,
network interface cards (NICs), IP addresses, and applications. Controlling a
resource means bringing it online (starting), taking it offline (stopping), and
monitoring the resource.
Service groups
A service group is a logical grouping of resources and resource dependencies. It
is a management unit that controls resource sets.
For example, a database service group may be composed of resources that manage
logical network (IP) addresses, the database management software (DBMS), the
underlying file systems, and the logical volumes. A database service group also
includes a set of physical disks managed by the volume manager (typically Veritas
Storage Foundation for Windows in a Veritas Cluster Server cluster).
A single node may host any number of service groups, each providing a discrete
service to networked clients. Each service group is monitored and managed
independently. Independent management enables a group to be failed over
automatically, or manually idled for administration or maintenance, without
affecting other service groups. If the entire server crashes, all service groups on
that node must be failed over elsewhere.
Veritas Cluster Server monitors each resource in a service group and, when a
failure is detected, restarts that service group. This could mean restarting it locally
or moving it to another node and then restarting it. The method is determined by
the type of failure. In the case of local restart, the entire service group may not
need to be restarted. Restarting a single resource within the group may be
sufficient to restore the application service.
Administrative operations are performed on resources, including starting,
stopping, restarting, and monitoring at the service group level. Service group
operations initiate administrative operations for all resources within the group.
For example, when a service group is brought online, all resources within the
group are also brought online. When a failover occurs in Veritas Cluster Server,
resources never fail over individually; the entire service group fails over. If there
is more than one group defined on a server, one group may fail over without
affecting the other groups on the server.
Agents
Agents are Veritas Cluster Server processes that manage resources of predefined
resource types according to commands received from the Veritas Cluster Server
engine, HAD. A system has one agent per resource type, which monitors all
resources of that type; for example, a single IP agent manages all IP resources.
When the agent is started, it obtains the necessary configuration information
from Veritas Cluster Server. It then periodically monitors the resources, and
updates Veritas Cluster Server with the resource status.
The agent provides the type-specific logic to control resources. The action required
to bring a resource online or take it offline differs for each resource type. Veritas
Cluster Server employs agents to handle this functional disparity between different
resource types. For example, bringing a disk group online requires importing the
disk group. Bringing a database online requires starting the database manager
process, and issuing the appropriate startup commands.
Veritas Cluster Server agents are multithreaded, which means a single Veritas
Cluster Server agent monitors multiple resources of the same resource type on
one host. For example, the IP agent monitors all IP resources.
Veritas Cluster Server monitors resources when they are online and offline to
ensure that they are not started on systems upon which they are not intended to
run. For this reason, Veritas Cluster Server starts the agent for any resource
configured to run on a system when the cluster is started. If no resources of a
particular type are configured, the agent is not started. For example, if there are
no Exchange resources in the configuration, the Exchange agent is not started on
the system.
Veritas Storage Foundation High Availability for Windows installation recommendations
While there are many tasks to consider when implementing Storage Foundation
HA for Windows in an Exchange environment, the following practices are essential
for a successful implementation:
■ Study the documentation and different cluster topologies
■ Meet hardware, network, and software requirements
■ Review installation preparation
For more information about these tasks, refer to the Veritas Cluster Server
Installation Guide and the Veritas Cluster Server Administration Guide. The Veritas
Storage Foundations and High Availability Solutions 4.3 Solutions Guide for
Microsoft Exchange also provides essential information on storage and cluster
configuration.
Storage Foundation documentation and different cluster topologies
Clustering is a critical service that must be highly reliable, but is technically
complex. Storage Foundation HA for Windows and Veritas Cluster Server provide
reliability while shielding IT organizations from the underlying complexity.
Storage Foundation HA for Windows provides tools to make it as easy as possible
to perform clustering tasks. However, software of this type requires planning
before any implementation can begin.
An understanding of the differences and advantages of the different cluster
topologies (active/active versus active/passive) is necessary to implement Veritas
Cluster Server in a particular Exchange environment. This Symantec Yellow Book
provides information on how to create an active/passive cluster environment,
and covers prerequisites for deploying the clustered Exchange solution, including
networking components and hardware configurations, such as static IP address
configuration and internal network card configuration.
Meet hardware, network, software, and configuration prerequisites
Table 8-7 lists Veritas Cluster Server hardware prerequisites in an Exchange
environment.
Table 8-7 Veritas Cluster Server hardware prerequisites

| Hardware component | Prerequisite |
| --- | --- |
| Three NICs | Recommend three NICs per cluster member. Two NICs are used exclusively for the private network. The remaining NIC is used for the public network. |
| SCSI, Fibre Channel, iSCSI host bus adapters (HBAs), or iSCSI Initiator-supporting NICs | Require one of these components to access shared storage from all systems in the cluster. All systems in the cluster must have the same HBA model and be configured at the same driver and firmware levels. |
| Shared disks | Require shared disks to support applications that migrate between nodes in the cluster. Verify that each system can access the shared storage. |
| Fibre Channel SAN (if used) | Ensure that Fiber Switch zoning is done correctly, if the cluster is using a Fibre Channel SAN, so that cluster nodes can access the correct, shared disks in the network. |
Table 8-8 lists the Veritas Cluster Server network prerequisites in an Exchange
environment.
Table 8-8 Veritas Cluster Server network prerequisites

| Network entity | Network prerequisite |
| --- | --- |
| Private NICs | Connect each private (cluster heartbeat) NIC through a separate hub or switch to avoid single points of failure. |
| Windows firewall | Disable the Windows firewall on systems running Windows Server 2003 SP1 and any other third-party firewall applications on the local nodes. |
| IP addresses | Obtain the following static IP addresses: one IP address for each physical server or node in the cluster; one IP address for each cluster; one IP address for each virtual Exchange server and any other clustered services. |
| Name resolution | Configure name resolution for each node. |
| DNS services | Verify the availability of DNS Services. Active Directory-integrated DNS or BIND 8.2 or higher are supported. |
| Reverse lookup zones | Make sure a reverse lookup zone exists in the DNS. Refer to the application documentation for instructions on creating a reverse lookup zone. |
| Lookup zones for subnets | Make sure that the DNS server has lookup zones defined correctly for all subnets within the network. Ensure that forward lookup and reverse lookup entries are created correctly. The zone type recommended is Active Directory Integrated. |
| DNS scavenging | Turn off (recommended) DNS scavenging for resource records corresponding to virtual servers configured as LanMan resources. DNS scavenging affects virtual servers configured in Cluster Server because the LanMan agent uses DDNS to map virtual names with IP addresses. Note: Administrators can add the static IP address of the virtual server node if they choose to turn on scavenging. |
| Active Directory Services | Verify that Active Directory Services are available. Make sure that an Exchange Forest preparation and Domain preparation is performed and that the Exchange schema is propagated based on the selected topology. |
The following software is required for Veritas Cluster Server in an Exchange
environment:
■ Windows 2003 Enterprise Server with Service Pack 1
Microsoft support for Microsoft Exchange Server 2003 is limited to 32-bit
versions of the Windows 2003 operating system
■ Remote control software (for example, Symantec PC Anywhere™)
Remote control software helps manage remote servers
■ Windows 2003 operating system installed on the same local drive on all nodes
The Veritas Cluster Server application agent for Microsoft Exchange requires
the operating system to be installed on the same local drive on all nodes. For
example, if Windows 2003 is installed on the C: drive of one node, installations
on all other nodes must be on their respective C: drives. Make sure that the
same drive letter is available on all nodes and that each node has adequate
space for the installation.
Table 8-9 lists the Veritas Cluster Server network configuration prerequisites in
an Exchange environment.
Table 8-9 Veritas Cluster Server network configuration prerequisites

| Action | Configuration prerequisite |
| --- | --- |
| Naming of public and private NICs | Establish a separate naming convention for public and private NICs to avoid confusion (Recommended). |
| Disabling settings | Disable TCP/IP and Microsoft File Sharing. Also disable the Client for Windows on the private heartbeat NICs. |
| Setting heartbeat NIC media type value | Set each Heartbeat NIC to 100MB Half Duplex. On Windows Server 2003, on the NIC Properties page, click Configure next to the adapter name. Then, on the Advanced tab, select Media Type in the property listing. In the Value drop-down list, select 100Mbps Half Duplex. |
| Setting the system's hardware driver signing level | Set the system's hardware driver signing level to Ignore. This ensures that Storage Foundation will validate the system during installation checks. |
| Configuring TCP/IP for clustering | Make sure every cluster server has its Internet Protocol (TCP/IP) properties configured to use the public NIC, with preferred and alternative DNS pointing to the same main DNS server. |
Review installation preparation
Symantec recommends that administrators prepare for installation with the
following best practices:
■ Ensure that the appropriate and identical OS level, Service Pack level, firmware,
and driver revisions are installed on all systems to be clustered. Check the
Symantec Veritas Cluster Server Hardware Compatibility List (HCL) and
Software Compatibility List (SCL) for tested and supported versions.
The Veritas Cluster Server HCL and SCL are available at the following URL:
http://support.veritas.com/menu_ddProduct_SFHFW_view_CL.htm.
■ Ensure that the necessary remote control software to manage your remote
servers is available.
■ Make a note of all the necessary IP addresses available before starting the
installation. Each system has an IP address, in addition to one for the Cluster
Service, and one for each instance of Microsoft Exchange.
■ Ensure that all network cards are configured for Auto Negotiate, and that the
speed and duplex mode are forced from both the NIC and the Switch port to
the preferred speed and duplex mode. All cards on the same network segment
must be configured identically.
■ Ensure that all systems are members of the appropriate domain and are
configured to connect to the same DNS server.
■ Ensure that the DNS server is appropriately configured for forward/reverse
lookup.
■ Ensure that DNS entries for each virtual Exchange Server to be installed are
created before installation.
■ Verify that all systems on which Exchange Server will be installed have
Microsoft IIS installed. SMTP, NNTP, and WWW services must be installed on
all systems. If Exchange is installed on Windows 2003, make sure to install
the ASP.NET service as well.
■ Ensure that the appropriate administrator(s) have proper access rights to
install Exchange.
See “Veritas Cluster Server Agent for Exchange permissions” on page 201.
See the Veritas Storage Foundations and High Availability Solutions 4.3 Solutions
Guide for Microsoft Exchange for more information about cluster installation.
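The DNS items in Table 8-8 and in the installation preparation list (static addresses for every node, the cluster and each virtual Exchange server, matching forward and reverse entries, and the scavenging caveat for virtual server records) can be verified against an export of the zones before installation starts. The following is an added example, not code from the Symantec guide: the host names, the 192.0.2.0/24 addresses, the zone dictionaries and the rule names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PlannedHost:
    fqdn: str
    ip: str
    role: str        # "node", "cluster" or "virtual-server"


@dataclass(frozen=True)
class ARecord:
    ip: str
    static: bool     # False: registered through DDNS, so scavenging can age it out


def check_dns_plan(plan, forward, reverse, scavenging_enabled):
    """Compare the static-IP plan with zone data; return (rule, fqdn) findings.

    forward maps lower-case FQDN -> ARecord; reverse maps IP -> PTR target.
    """
    findings = []
    owner = {}
    for host in plan:
        name = host.fqdn.lower()
        if host.ip in owner:
            findings.append(("duplicate-ip", name))
        owner.setdefault(host.ip, name)

        a = forward.get(name)
        if a is None:
            findings.append(("missing-forward-record", name))
        elif a.ip != host.ip:
            findings.append(("forward-record-mismatch", name))

        ptr = reverse.get(host.ip)
        if ptr is None:
            findings.append(("missing-reverse-record", name))
        elif ptr.lower().rstrip(".") != name:
            findings.append(("reverse-record-mismatch", name))

        # Virtual server names are mapped through DDNS; with scavenging on,
        # only a static record is safe from being removed.
        if (host.role == "virtual-server" and scavenging_enabled
                and a is not None and not a.static):
            findings.append(("virtual-server-record-can-be-scavenged", name))
    return findings


# Constructed plan: two nodes, one cluster address, one virtual Exchange server.
PLAN = [
    PlannedHost("exnode1.example.test", "192.0.2.11", "node"),
    PlannedHost("exnode2.example.test", "192.0.2.12", "node"),
    PlannedHost("excluster.example.test", "192.0.2.20", "cluster"),
    PlannedHost("exchvs1.example.test", "192.0.2.21", "virtual-server"),
]

# Constructed zone export with three deliberate problems.
FORWARD = {
    "exnode1.example.test": ARecord("192.0.2.11", True),
    "exnode2.example.test": ARecord("192.0.2.12", True),
    "excluster.example.test": ARecord("192.0.2.20", True),
    "exchvs1.example.test": ARecord("192.0.2.21", False),   # dynamic record
}
REVERSE = {
    "192.0.2.11": "exnode1.example.test.",
    "192.0.2.12": "exnode1.example.test.",                  # points at the wrong host
    "192.0.2.21": "exchvs1.example.test.",                  # 192.0.2.20 has no PTR
}

if __name__ == "__main__":
    for rule, fqdn in check_dns_plan(PLAN, FORWARD, REVERSE, scavenging_enabled=True):
        print(f"{rule}: {fqdn}")
```
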
Best practices for configuring storage resources for Storage Foundation HA for Windows
Storage Foundation HA for Windows helps administrators configure Exchange
storage volume and disk groups. The following sections describe some of the best
practices for a clustered Exchange storage configuration.
Volume layout recommendations
Volumes for database files, transaction log files, and MTA and Exchange registry
replication for Veritas Cluster Server should be mirrored to separate hard drives
(physical disks) or arrays. For transaction logs, Symantec recommends RAID 1+0
(mirrored stripes) volumes for better performance.
The Veritas Cluster Server application agent for Microsoft Exchange requires at
least four volumes to be created per virtual Exchange server. One each is created
for the first Exchange database, registry replication information, transaction logs
(for the first storage group), and MTA data. These volumes must be accessible
from all cluster nodes.
Disk group layout recommendations
When creating Storage Foundation disk groups that will contain disks used by
clustered services, select the option to create a cluster disk group.
All volumes and cluster disk groups should be configured using Storage Foundation
from the same node.
Each Exchange storage group should have its own cluster disk group. If there are
four storage groups per Exchange virtual server (EVS), then there should be four
cluster disk groups.
Storage configuration example
Table 8-10 shows one example of a configuration and layout to create the
appropriate disk groups and volumes to maintain a high availability environment.
In the example, the cluster disk group EVS1_SG1 derives its name from the
Exchange virtual server EVS1. SG1 refers to the Storage Foundation disk group
that corresponds to the Exchange storage group (first storage group or storage
group 1). Two Exchange storage groups and two databases are used in the example
configuration.
This example includes Registry replication (RegRep) volumes in one of the
clustering disk groups.
Table 8-10 Example of disk groups and volumes for an Exchange virtual server

| Veritas Cluster Server service group | Exchange virtual server | Exchange storage group | Cluster disk group | Volume name | Drive letter | Volume content |
| --- | --- | --- | --- | --- | --- | --- |
| EVS1 | EXCHVS1 | not applicable | EVS1_SGI | EVS1_RegRep | R: | Volume that contains the list of registry keys that must be replicated among the cluster systems |
| EVS1 | EXCHVS1 | not applicable | EVS1_SGI | EVS1_MTA | N: | Volume for storing Microsoft Exchange Server MTA database for the Exchange Server |
| EVS1 | EXCHVS1 | EVS1_SG1 | EVS1_SG1 | EVS1_SG1_TLogs | T: (or Mount Point) | Volume for storing the Microsoft Exchange Server SG1 transaction log files |
| EVS1 | EXCHVS1 | EVS1_SG1 | EVS1_SG1 | EVS1_SG1_DB1 | S: (or Mount Point) | Volume for storing the Microsoft Exchange Server SG1 database |
| EVS1 | EXCHVS1 | EVS1_SG1 | EVS1_SG1 | EVS1_SG1_Pub | P: (or Mount Point) | Volume for storing the Microsoft Exchange Server public folders DB |
| EVS1 | EXCHVS1 | EVS1_SG2 | EVS1_SG2 | EVS1_SG2_TLogs | J: (or Mount Point) | Volume for storing a Microsoft Exchange Server SG2 transaction log file |
| EVS1 | EXCHVS1 | EVS1_SG2 | EVS1_SG2 | EVS1_SG2_DB1 | K: (or Mount Point) | Volume for storing a Microsoft Exchange Server SG2 database |
| EVS1 | EXCHVS1 | EVS1_SG2 | EVS1_SG2 | EVS1_SG2_DB2 | L: (or Mount Point) | Volume for storing another Microsoft Exchange Server SG2 database |
Note: Additional storage groups (such as EVS1_SG2_DG) only contain data and
log volumes. The RegRep and MTA volumes are included only in the first storage
group.
After the storage configuration for the Exchange cluster portion of the installation
is implemented, verify the following information:
■ Disk group is imported on the first node of the cluster
■ Volume containing the information for registry replication (EVS1_SG1_Regrep
in the table) is mounted
Clustered Microsoft Exchange deployment solution
During deployment of a clustered Exchange solution, make sure that the user for
the preparation, installation, and post-installation phases of Exchange
implementation remains the same. In addition, make sure that the cluster ID is
unique if one or more clusters exist on the same subnet.
Veritas Cluster Server Agent for Exchange permissions
Verify that the following is true for the administrator that is responsible for
installing Veritas Cluster Server in an Exchange environment:
■ The administrator must be a domain user.
■ The administrator must be an Exchange Full Administrator.
■ The administrator must be a member of the Exchange Domain Servers group.
■ The administrator must be a member of the Local Administrators group for
all nodes where he or she is installing Veritas Cluster Server Agent for
Exchange.
■ The administrator must have write permissions for objects corresponding to
installation nodes in the Active Directory.
■ The administrator must have delete permissions on the object, if a computer
object corresponding to the Exchange virtual server exists in the Active
Directory.
■ The administrator must be an Enterprise Administrator, Schema Administrator,
Domain Administrator, and Local Machine Administrator to run ForestPrep.
In addition, the administrator must be a Domain Administrator and Local
Machine Administrator to run DomainPrep.
The HAD Helper domain user account should have the Add workstations to domain
privileges setting enabled in the Active Directory.
To verify that the HAD Helper domain user account is set up as recommended,
complete the following steps:
■ Click Start > Administrative Tools > Local Security Policy on the domain
controller to launch the security policy display.
■ Click Local Policies > User Rights Management and make sure the user account
has this privilege.
Microsoft Exchange and Veritas Cluster Server Exchange Agent installation recommendations
The Storage Foundation and High Availability Solutions 4.3 for Microsoft Exchange
Solutions guide contains checklists of installation prerequisites in the following
sections:
■ Installing Exchange on the first node
■ Installing Exchange on additional nodes
The prerequisites describe new installations of Microsoft Exchange. Make sure
that all items in the checklist are completed on all Exchange nodes before installing
the Veritas Cluster Server Exchange Agent on the nodes.
Installing Microsoft Exchange on the first node
In addition to the installation prerequisites provided in the Storage Foundation
and High Availability Solutions 4.3 for Microsoft Exchange Solutions guide, the
following installation recommendations can help administrators successfully
install Exchange on the first node:
■ Administrators who are installing Exchange 2003, but do not want to install
Exchange Server Service Pack 1 as part of the installation process, can obtain
SP1 installation steps from the Veritas Storage Foundation for Windows
documentation.
■ After a virtual name has been assigned to the Exchange server, it cannot be
changed unless Exchange is uninstalled from the Veritas Cluster Server
environment and then reinstalled.
To ensure proper failover in the cluster before moving a database to shared storage
1 Open Veritas Storage Foundation for Windows and import the cluster Disk
Group on the local node.
2 Mount the volumes for the Exchange database, MTA data, and transaction
logs.
3 Assign a drive letter to the volumes.
Microsoft Exchange installation on additional nodes
In addition to the installation prerequisites provided in the Storage Foundation
and High Availability Solutions 4.3 for Microsoft Exchange Solutions guide, the
following installation recommendations can help administrators successfully
install Exchange on additional nodes:
■ When installing Microsoft Exchange Server 2003 on additional nodes,
administrators must use the disaster recovery switch on the second node.
■ Administrators who are installing Exchange 2003 on additional nodes, but do
not want to install Exchange Server Service Pack 1 as part of the installation
process, can obtain SP1 installation steps from the Veritas Storage Foundation
for Windows documentation.
Post-deployment recommendations
After installing Microsoft Exchange, Symantec recommends the following
post-deployment practices:
■ Change the admin password for the Veritas Cluster Server console.
■ Do not use the virtual name or virtual IP address when connecting and
administering a cluster node through Storage Foundation HA for Windows.
Connecting to a computer from the Veritas Enterprise Administrator (VEA)
GUI using a virtual name or the virtual IP address causes the VEA GUI to
display the computer name of the cluster node that currently owns the virtual
name and IP resources. Therefore, use the actual computer name or the IP
address of the cluster node instead.
■ When running Veritas Cluster Server in Exchange environments, always store
the anti-virus/anti-spam definitions update log on the shared disk device. This
ensures that any node running Exchange has up-to-date virus and spam
signatures.
Symantec Mail Security for Microsoft Exchange on Veritas Cluster Server systems recommendations for use
The following list describes recommendations for use of Symantec Mail Security
for Microsoft Exchange on a system in a Veritas Cluster Server-managed cluster:
■ When installing Symantec Mail Security for Exchange, ensure that the
Symantec Mail Security for Exchange binaries are installed using the same
drive letter and directory location on each node in the cluster that will run
Exchange services. Also ensure that the virus signatures and quarantine queues
are stored in directories local to each node in the cluster, which is the default.
■ After installing Symantec Mail Security for Exchange on each cluster node,
the Symantec Mail Security for Exchange service Startup Type value should
be set to Automatic, by using the Windows Services Manager.
■ After installing Symantec Mail Security for Exchange, freeze the Exchange
Service Group in the Veritas Cluster Server and add a process agent resource
to control the Symantec Mail Security for Exchange service. If there are
multiple Exchange virtual servers, repeat for each Exchange group.
To do this, create a process resource for each Symantec Mail Security for
Exchange service in the Exchange Service Group. Generic Services should not
be used because of concurrency issues.
No additional resource should be created to control the spam statistics
gathering process (SAVFMSESpamStatsManager). The service should not be
started (which is the default) because the best practice is to perform spam
filtering at network gateways, not on Exchange servers.
■ Use the Veritas Cluster Server vcsgensvc.vbs script to control the services for
the online, offline, and monitor attributes. The absolute path to the script must
be included in the attribute value. It must also be prefixed by the word
cscript.exe. The following is an example:
cscript "c:\program files\VERITAS\Cluster Server\bin\samples\process\vcsgensvc.vbs" online SMSME
■ Use the service name (SMSME) to control the service. Place it as the argument
after the online, offline, or monitor directive. The virtual name attribute, as
listed in the LanMan resource, follows the SMSME argument for only the
monitor attribute value:
cscript "c:\program files\VERITAS\Cluster Server\bin\samples\process\vcsgensvc.vbs" monitor SMSME <virtualname>
■ In the Veritas Cluster Server Management console, connect dependencies for
the SMSME resource where the Information Store resource is a parent to the
SMSME resource and the SMSME resource is parent to the System Attendant
resource. The Information Store Resource should also continue to depend on
the System Attendant.
■ If Symantec AntiVirus™ Corporate Edition is not being used to update virus
signatures, configure a post-offline trigger to restart the Symantec Mail
Security for Exchange services. This ensures that updates to virus signatures
can be maintained on passive Exchange nodes.
■ If Symantec AntiVirus™ Corporate Edition and Symantec Mail Security for
Microsoft Exchange are both present on the clustered Exchange nodes, all
directories for Veritas Cluster Server should be excluded from virus scanning.
In addition, all Exchange directories (local and shared storage) should be
excluded. For more information on configuration in an Exchange environment,
see the Symantec AntiVirus Corporate Edition and Symantec Mail Security for
Microsoft Exchange documentation.
Note: For more information on configuring Symantec Mail Security for Exchange,
including information about registry key path information and how to keep virus
definitions up to date for non-active nodes, contact Symantec Professional Services.
Also, review the latest knowledge base article at the following URL:
http://library.veritas.com/docs/281043
Best practices for Symantec Backup Exec
The cornerstone of any availability solution is its backup and recovery plan.
Choosing a reliable backup product is important to every IT organization. Backups
may be the last line of defense against data loss.
This section describes best practices for using Symantec Backup Exec. It also
includes best practices for using Backup Exec with Veritas Enterprise Vault.
EMM environment backup challenges
IT organizations are faced with the need to ensure continuous business
communications. The loss of a single message may generate hours of unnecessary
labor for system administrators. Email or instant message loss can lower
productivity, even slowing the progress of the entire organization.
Microsoft Exchange and IM Manager server data protection challenges include
the following backups:
■ Windows operating system and system state
■ Exchange server application directory
■ Exchange databases
■ Enterprise Vault
■ IM Manager Data
A secure backup plan is a critical component in a complete availability solution
for any enterprise messaging management environment.
Symantec Backup Exec solution to Exchange backup and recovery challenges
Symantec Backup Exec and Backup Exec Agent for Microsoft Exchange Server
meet the criteria for fast, flexible, and reliable Exchange Server data protection.
Backup Exec has supported Microsoft Exchange since its introduction in 1996,
and supported Windows Server operating systems since their introduction in
1992. Backup Exec provides established experience and proven reliability in the
Exchange server market.
Backup Exec is an easy-to-use product. It integrates with Windows operating
systems and provides native agents for Microsoft Exchange backup. Native backup
agents for Microsoft® SQL Server are also available.
Table 8-11 lists the Exchange backup challenges that Backup Exec addresses.
Table 8-11 Exchange backup challenges and Backup Exec solutions

| Exchange backup challenge | Backup Exec solution |
|---|---|
| Administering multiple backup jobs | Backup Exec has the ability to manage all backup jobs from a single console. |
| Administering multiple backup servers | Backup Exec provides centralized management of all media servers (tape or disk) with the Centralized Administration Server option. |
| Ensuring optimal backup performance | Backup Exec can load balance backup jobs. |
| Restoring Exchange databases quickly and accurately | Backup Exec Restore can automatically dismount the Exchange database. This feature ensures that a valid database is brought on line quickly when traditional or snapshot backups are performed. |
| Ensuring the integrity of snapshots | Backup Exec has integrated Snapshot protection with consistency checks. This feature leverages Microsoft virtual snapshot (VSS) technology to provide on-host or off-host backup from a consistent snapshot image. |
| Leveraging Exchange Recovery Storage Groups | Backup Exec can perform mailbox or message level restores from a full, incremental or differential traditional backup without requiring the installation of a separate Exchange 2003 server. |
| Providing flexible levels of backup | Backup Exec can protect Exchange data at the individual storage group, database, or mailbox level, and with full, incremental, copy, or differential backups. |
| Backing up all Exchange components | Backup Exec supports the protection of multiple databases on a single Exchange 2000 or Exchange 2003 server. |
| Performing hot Exchange backups | Backup Exec can transparently integrate an online, or hot, Exchange Server 5.5, Exchange 2000, and Exchange 2003 server backups within regularly scheduled network backup routines. |
| Relocating Exchange databases | Backup Exec can relocate any database to another server or storage group with the move database (MDB) relocation feature. |
| Reducing the size of Exchange data stores | Backup Exec can store single instances of attachments to eliminate backing up redundant copies of files that are sent to large numbers of users. This reduces the time required to perform mailbox backups and reduces the amount of media required to protect the Exchange environment. |
| Staging data for backup | Backup Exec has an Automated Data Staging feature that can quickly back up and recover Exchange Server databases or transaction logs by staging backups to a disk or RAID system prior to a nightly full or differential to tape. |
| Supporting clustered Exchange servers | Backup Exec supports cluster fail-over in a Veritas Cluster Server environment, providing improved fault tolerance. |
| Supporting SANs | Backup Exec has a LAN-Free Exchange Server backup feature that supports storage area networks (SAN), with the SAN Shared Storage Option. This increases backup and recovery performance over a fiber channel or iSCSI network. |
| Ensuring reliable backups | Backup Exec uses the native Exchange Server Backup APIs and Messaging APIs for reliable Exchange protection. |
| Providing off-host backups | Backup Exec supports off-host backups in conjunction with the Advanced Disk-based Backup Option (ADBO) to eliminate the backup window. This support frees the Exchange server to serve its users 24x7x365 and perform backups at any point in time. For more information on ADBO, go to the following URL: http://eval.veritas.com/mktginfo/products/White_Papers/Data_Protection/BE_SFW_Quick_Recovery_Off-Host_Backup_Bundle.pdf |
Backup Exec installation recommendations
While there are many tasks to consider when implementing a backup and recovery
solution in an Exchange environment, the following practices and considerations
are essential for a successful backup and recovery plan:
■ Obtain licenses for Backup Exec components
■ Become familiar with Backup Exec documentation
■ Version considerations for Backup Exec
Obtain licenses for Backup Exec components
Licenses for the required options of Backup Exec must be purchased and specified
during the Backup Exec installation. To protect the complete solution described
in this Symantec Yellow Book document, licenses are required for the following
Backup Exec components:
■ Backup Exec Agent for Microsoft Exchange
■ Backup Exec Agent for Microsoft SQL Server (for backing up the Enterprise
Vault SQL Server database).
■ Backup Exec for Windows Servers
Optionally, if an enterprise wants to use the Advanced Disk-based Backup Option
(ADBO) for off-host backups of Exchange and SQL, a separate license for that
option must also be specified during installation.
A license for one tape drive is included with each license of Backup Exec for
Windows Servers. A separate license is also required if more than one tape drive
is to be used for backup. For each additional tape drive, whether standalone, in
an autoloader, or in a robotic tape library, a Library Expansion Option (LEO) license
is required.
Information on Backup Exec licensing is contained in the Symantec Backup Exec™
for Windows Servers Quick Installation Guide.
Become familiar with Backup Exec documentation
Symantec Backup Exec provides comprehensive documentation to create and
implement a backup and recovery plan with Exchange environments. IT
organizations considering the installation of Backup Exec should become
thoroughly familiar with the following guides:
■ Symantec Backup Exec™ for Windows Servers Administrator’s Guide
■ Symantec Backup Exec™ for Windows Servers Quick Installation Guide
Version considerations for Backup Exec
The Symantec solution for Enterprise Messaging Management was tested using
the latest version of Backup Exec (10d). The features described in this section are
available in Backup Exec starting with version 10.0.
Symantec recommends using the latest version available. If an earlier version of
Backup Exec is currently in use in the Exchange environment, an upgrade to the
current version (10d) is recommended.
After the Backup Exec software and necessary licenses are purchased, refer to
the Symantec Backup Exec™ for Windows Servers Quick Installation Guide for
information on upgrade instructions.
Best practices for backup and recovery in Exchange environments
Symantec recommends a number of best practices for configuring and using
Backup Exec with Exchange 2003. For more information on backing up, restoring,
and disaster recovery of Exchange, and configuring users, media sets, and backup
devices, refer to the Symantec Backup Exec™ for Windows Servers Administrator’s
Guide.
Backup preconfiguration tasks
To use Backup Exec in Exchange environments, at least one Backup Exec Media
Server is required. The Media Server must have backup storage devices (disk or
tape devices) connected to the network.
Before using Backup Exec in an Exchange environment, make sure the following
tasks are performed:
■ Provide network and rights access to Backup Exec servers
■ Disable Write Caches on Fibre Channel, SCSI or iSCSI controllers
■ Disable circular logging
Provide network and data access to Backup Exec clients from Backup Exec servers
The Backup Exec Media Server must have access to all of the systems it will protect.
In addition, the Backup User account must have proper permissions to carry out
a backup or restore operation.
Disable Write Caches on Fibre Channel, SCSI or iSCSI controllers
Windows does not use buffers, so when Exchange (or other applications) receives
a write-complete notice from Windows, the write-to-disk action has already been
completed. If Write Cache is enabled, Windows responds as though a write-to-disk
has been completed, and will provide this information to Exchange (or other
applications) incorrectly. A system failure that occurs before the operation is
actually written to disk could cause data corruption.
Disable circular logging
Circular logging minimizes the risk for filling the hard disk with transaction log
files. However, if a solid backup strategy is in place, transaction log files are purged
during the backup, thus freeing disk space. If circular logging is enabled,
transaction log histories are overwritten, and incremental and differential backups
of storage groups and databases are disabled. Recovery is possible only up to the
point of the last full or copy backup.
Types of backups in an Exchange environment
The optimal type of Exchange backup to use varies depending on the size of the
Exchange environment, the number of transactions processed each day, and the
recovery time target desired.
Table 8-12 describes the different types of Backup Exec backups, their Exchange
recovery advantages and disadvantages, and their effects on Exchange data
structures.
Table 8-12 Backup Exec backup types

| Backup type | Impact on Exchange data storage |
|---|---|
| Full | Full backups are the best way to back up the entire information store, the directory database, and the transaction logs. Many organizations run full backups on a weekly basis, as they prefer to run incremental backups throughout the week to keep backup run time to a minimum. The trade-off with this technique occurs at recovery time when recovery must begin with restoring from the full backup, and then restoring each subsequent incremental backup. After full backups, administrators can choose whether or not to purge the transaction logs. |
| Incremental | Incremental backups are used to provide more frequent recovery point options throughout the day and to manage log file growth. In an incremental backup, the transaction logs that were created since the last full or incremental backup are backed up. Once the logs are backed up, the log files are purged. |
| Differential | Differential backups back up only if the transaction log files are not purged. |
| Brick level | Brick-level backups back up each mailbox separately and back up the folders and messages. Performing brick-level backups allows administrators to restore a single mailbox or single folder. Some organizations use brick-level backups only for designated mailboxes. These recoveries are also very I/O intensive. They can take much longer to recover than standard file recovery operations. |
Best practices for ensuring successful backups
To ensure successful backups, Symantec recommends the following practices:
■ Perform trial restores.
■ Test the backup and recovery dependencies.
Ensure that the Exchange System Manager is working.
Ensure that the domain controllers maintain contact with the Exchange server
during a backup.
■ Back up the necessary items and make copies of those items that will aid in the
event of a disaster recovery. Document everything, including any custom
configurations to the Outlook Web Access (OWA) logon page with forms-based
authentication. Store a copy of the certificates used for HTTPS and SSL along
with the private keys. A best practice for these items is to copy them to a
separate server for Disaster Recovery.
■ Understand the pros and cons of backing up the System State.
Symantec recommends backing up the System State as part of a complete
disaster recovery solution. This includes the OS, the boot files, the Registry
and the COM+ class registration database.
■ If the Exchange environment is running a domain controller, then the Active
Directory database and the SYSVOL directory should also be backed up. If
running in a cluster, administrators must have the quorum resource recovery
log and the cluster service resource registry checkpoints.
If installed, the Certificate Services database should be backed up.
■ For ease of disaster recovery, create a replica of the EFORMS Registry folder
in a public folder store or in a different routing group.
■ When using Backup Exec with clustered Exchange servers, backups should
include the System State of all nodes in the cluster.
Importance of online backups
Online backups perform operations one database file at a time. As each database
file is transferred to the backup medium, Exchange performs a cyclic redundancy
check. If there are problems with the data, the backup stops and the event is
logged. Administrators do not have the capability to do this type of check with a
regular offline backup.
It is not a good practice to delete transaction logs manually. Administrators who
are only doing offline backups will not be able to automatically purge the
transaction logs. However, it is good practice to run a daily maintenance schedule
with the Information Store Service. Once archived, this will remove deleted
messages and mailboxes and perform online defragmentation. Defragmentation
will not run if the backup process is running on any database in the storage group.
Schedule backups and IS maintenance to run at different times.
Optimizing backup and recovery performance
Symantec recommends that administrators follow these practices with Microsoft
Exchange to ensure the most efficient backup and recovery performance:
■ Locate transaction log files on separate physical disks from the database.
Separating transaction log files from the database is the single most important
configuration detail affecting the performance of Exchange servers. This
configuration detail also has recovery implications, because transaction logs
provide an additional recovery resource (enabling up-to-date email recovery).
■ Archive (or expunge) HTTP, SMTP, IMAP protocol logging directories. Exchange
will not automatically wrap these log files. If not archived, these logs can grow
large quickly.
■ Periodically check the BadMail directory of any significant SMTP servers in
the Exchange environment. The directory is located at
\Program Files\Exchsrvr\Mailroot\vsi1\Badmail. Because of the manner in which
SMTP messages are logged, customers might see hundreds of these files a week, if
there are failed SMTP relay attempts. Such files can almost always be safely
deleted.
■ Check mailbox usage as part of an overall backup and recovery strategy. One
method is to use Exchange System Manager to simply export mailbox usage
information to a text file. Over time administrators can use this data to get a
quick trend analysis, and look for any unusual patterns that might impact
performance. Administrators will also get a look at mailboxes that have
exceeded their storage capacity, or are getting near that point.
Off-host backup usage recommendations
Performing a full system backup of a server is a CPU-intensive activity that can
limit the availability of Exchange email. Using Shadow Copy Sets for off-host
backup provides the ability to offload this processor-intensive activity from the
Exchange server to a secondary staging server. The staging server is then used for
a full backup process. Creating a Shadow Copy will put less strain on the Exchange
server than a full backup.
Before backing up using Shadow Copy Sets, make sure the following conditions
are met:
■ The Advanced Disk-based Backup option is selected during Backup Exec
installation.
■ The staging server is equal in capacity to the Exchange server.
■ The Backup Exec Agent for Microsoft Exchange is installed on the Exchange server.
A shared storage environment (such as a Fibre Channel or iSCSI SAN, or at least
a shared SCSI bus) is required.
Best practices for Enterprise Vault backup
When companies implement Veritas Enterprise Vault and want to use Backup
Exec for Enterprise Vault backup and recovery operations, the following additional
practices are essential for a successful backup and recovery plan:
■ Observe the best practices to back up critical Enterprise Vault components
identified in the table below.
■ Determine the backup window for Enterprise Vault.
■ Ensure that Enterprise Vault services are in the correct service state during
backup.
■ Return registry keys to read-write mode after backup event completes, if
necessary.
Enterprise Vault critical components
Enterprise Vault has several critical components that must be backed up to ensure
complete restore capability.
Table 8-13 identifies some of the best practices associated with these components.
Table 8-13 Enterprise Vault components that are critical to backup operations

| Component | Best practice |
|---|---|
| SQL databases: EVEnterpriseVaultDirectory (stores structural information about the Enterprise Vault system architecture) and Vault store (stores the individual databases for each store that Enterprise Vault users create). Both types of databases use the naming convention EV<store name>. | Back up all databases with the name EV<store name>. Schedule an SQL backup just before the main backup job. After the SQL backup is complete, point the main backup process to the destination directory of the SQL backup, thereby allowing backup of the backup. |
| Indexes: By default, the indexing engine stores its index files in Program Files\Enterprise Vault\Indexing. | Always use the Enterprise Vault Administration Console to obtain the actual location, as the Program Files\Enterprise Vault\Indexing location can be customized. |
| Shopping baskets: When users perform a search of the Vault, they have the option to group items from their search results logically in what the application calls a “shopping basket”. The Enterprise Vault application saves these baskets as individual files that are stored by default in Program Files\Enterprise Vault\Shopping. | Like the indexing location, the shopping basket location can also be customized. Therefore, always use the Enterprise Vault Administration Console to obtain the current location of these shopping baskets. Note: Some organizations elect not to back up shopping baskets because they do not contain any email messages. They only contain pointers to message IDs. |
| Vault stores: Archived email and instant messages are stored as individual files in an elaborate directory structure starting with the name of the vault store. For example, a typical directory structure might be: \Enterprise Vault Stores\<vault store name>\<year>\<month>\<date>\<GMT hour>\<file> Note: Enterprise Vault is being used to vault both Exchange email and Instant Message data from IM Manager. During the creation of the backup job, the administrator should ensure that both types of vault data are selected for backup. | Always back up the entire Vault Store folder structure so that all email and instant messages can be restored properly with the vault store databases pointing to the appropriate locations. To obtain the file location of a vault store, use the Enterprise Vault Administration Console. Some organizations with multiple Vault Stores may have Vault Stores spread across different drives and media types. Stores are not always grouped under a single directory structure on one drive. Always back up each Vault Store’s full directory structure daily. |
| License key: The license key is saved as a text file in the Program Files\Enterprise Vault\ directory. | Only one backup copy is necessary, as the license key does not change over time. This file does not need to be backed up daily. The file naming convention of the license key is Keys_<servername>.txt. |
Backing up Microsoft SQL Server
Backup Exec incorporates online, non–disruptive SQL database protection as part
of everyday backup routines, which increases the chance of data recovery and
minimizes data loss without inhibiting daily database activity. Using database,
differential, and log backups provides a good balance between backup windows,
and minimizes the amount of time that will be spent recovering a database.
To decide which backup methods to use for the best data protection, consider the
following typical environments:
■ Small environment: Consider running a daily full database backup every evening
and daily transaction log backups.
■ Mid-sized environments: Consider running a weekly full database backup and daily
transaction log backups along with daily differential backups except on the day
when the full backup is run.
■ Large environments: Consider running daily differential database backups, weekly
full database backups, and transaction log backups as necessary. Many shops run
full backups on a weekly basis, preferring to run differential backups throughout
the week to keep backup run time to a minimum. Extremely large environments may
need to run file group backups in order to split the full backup over several days.
Log backups are required to be able to recover a system from a file group backup.
The trade-off with running fewer full backups with more differential backups
occurs at recovery time. The last full database backup must be restored along with
the last differential database backup and all subsequent log backups. The method
with the best outcome is determined by factors such as the size of the environment,
the number of transactions processed each day, and the expectations of users
when a recovery is required. It is also considered a best practice to separate SQL
backup jobs from other backup jobs.
Backup, restore and recovery strategies are presented in more detail in the
Symantec Backup Exec™ for Windows Servers Administrator’s Guide.
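The restore-order rules stated in Table 8-12, in the circular logging discussion, and in the SQL trade-off paragraph above can be checked against a planned schedule before a failure occurs. The following Python example is added here and is not Backup Exec code or part of the original Yellow Book; the Backup record, the kind labels, the function names, and the sample catalogues are constructed for illustration, and it assumes that a differential holds every change since the last full backup.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Labels for backup kinds. LOG covers both an Exchange incremental backup and a
# SQL transaction log backup. These names belong to this example only.
FULL, COPY, DIFF, LOG = "full", "copy", "differential", "log"


@dataclass(frozen=True)
class Backup:
    kind: str            # FULL, COPY, DIFF or LOG
    finished: datetime   # completion time of a successful job


def restore_chain(catalog: List[Backup], target: datetime,
                  circular_logging: bool = False) -> List[Backup]:
    """Return, in restore order, the backup sets needed to recover to `target`.

    Assumption: a differential holds every change since the last full backup,
    so only the newest differential after that full is needed.
    """
    usable = sorted((b for b in catalog if b.finished <= target),
                    key=lambda b: b.finished)

    if circular_logging:
        # Log history is overwritten, so nothing can be rolled forward:
        # recovery stops at the last full or copy backup.
        return [b for b in usable if b.kind in (FULL, COPY)][-1:]

    fulls = [b for b in usable if b.kind == FULL]
    if not fulls:
        return []                        # nothing to start a restore from
    base = fulls[-1]
    later = [b for b in usable if b.finished > base.finished]

    chain = [base]
    diffs = [b for b in later if b.kind == DIFF]
    if diffs:
        chain.append(diffs[-1])          # newest differential replaces older ones
    cutoff = chain[-1].finished
    # Every log/incremental backup after the last full or differential is needed.
    chain.extend(b for b in later if b.kind == LOG and b.finished > cutoff)
    return chain


def data_loss_window(catalog: List[Backup], failure: datetime,
                     circular_logging: bool = False) -> Optional[timedelta]:
    """Time between the newest restorable point and the failure (None if no chain)."""
    chain = restore_chain(catalog, failure, circular_logging)
    return failure - chain[-1].finished if chain else None


def jan(day: int, hour: int) -> datetime:
    """Helper for the constructed sample data (January 2006)."""
    return datetime(2006, 1, day, hour)


# Constructed catalogue: weekly full, daily differentials, log backups in between.
WEEKLY_FULL_DAILY_DIFF = [
    Backup(FULL, jan(1, 22)), Backup(LOG, jan(2, 12)), Backup(DIFF, jan(2, 22)),
    Backup(LOG, jan(3, 12)), Backup(DIFF, jan(3, 22)), Backup(COPY, jan(3, 23)),
    Backup(LOG, jan(4, 6)), Backup(LOG, jan(4, 12)),
]
# Constructed catalogue: weekly full followed only by incremental backups.
FULL_PLUS_INCREMENTALS = [
    Backup(FULL, jan(1, 22)), Backup(LOG, jan(2, 22)), Backup(LOG, jan(3, 22)),
]
FAILURE = jan(4, 15)

if __name__ == "__main__":
    for name, cat in (("full+diff+log", WEEKLY_FULL_DAILY_DIFF),
                      ("full+incremental", FULL_PLUS_INCREMENTALS)):
        for circular in (False, True):
            chain = restore_chain(cat, FAILURE, circular)
            print(name, "circular logging" if circular else "normal logging",
                  [f"{b.kind}@{b.finished:%d %H:%M}" for b in chain],
                  "loss window:", data_loss_window(cat, FAILURE, circular))
```

Running it against a real job history only requires building the catalogue from the completion times of successful jobs; failed or unverified jobs should be left out, because any missing link shortens the chain that can actually be restored.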
The following items are required for the SQL Agent:
■ Backup Exec must have access rights to read both of the following SQL registry
keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server
HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer
■ If Backup Exec does not have access to these registry keys, a restore to the
default directory may not work, and the Automate master database restore
option on the Restore Job Properties for SQL dialog box will not work.
■ To ensure that Backup Exec has access rights, verify that the logon account
used has Administrator rights to the Windows server on which the SQL instance
is installed.
■ The media server must have access to the SQL installation.
■ The credentials stored in the Backup Exec logon account used for backing up
and restoring SQL must have been granted the System Administrator role on
the SQL instance.
■ To back up SQL, use a Backup Exec logon account that stores the credentials
of a Windows user account. The Windows user account must have been granted
the System Administrator role on the SQL instance.
■ If SQL Server Authentication is being used, add a Backup Exec logon account
that stores the credentials of the SQL user account. In the backup selections
list, apply the Backup Exec logon account for the Windows user account to the
Windows server that SQL is installed on, and then apply the logon account for
the SQL user account to the SQL instance.
More information regarding backing up, restoring and disaster recovery of SQL
can be found in the Symantec Backup Exec™ for Windows Servers Administrator’s
Guide.
Determine the backup window for Enterprise Vault
Determine the backup window, which is the best time for backing up Enterprise
Vault data and the Enterprise Vault SQL data. These components have pre- and
post-backup operation procedures that must be executed. These times are used
when setting up the schedule for the backup jobs.
Change Enterprise Vault service states for backup
During a backup, a user or process must not add new data to the Enterprise Vault
archives, as integrity will be lost between the databases, indexes, and Vault Stores.
A backup (and restore) should represent a single snapshot, to which the server
can revert. Therefore, to preserve data integrity, most organizations shut down
their Archiving, Retrieval, Journaling, Public Folder, Shopping, Storage, and
Indexing services during the allocated time for backups, and then restart them
when the backup is complete.
Some organizations may want to leave the services running during a backup. Such
organizations have the option to shut down only the key components of the storage
and indexing services that affect backup integrity. The Admin, Directory, Storage,
Indexing, and Shopping services can be left running. Users will be able to access
archived messages from both Outlook and the search application.
To accomplish this, an administrator must create Registry keys to control specific
components of the storage and indexing services that affect backup integrity.
After these keys are created, the administrator must change specific keys so that
those services change to read-only mode before a backup event occurs.
Restore Registry keys to read-write mode
If administrators have created Registry keys to disable Archiving, Public Folder,
and Journaling services during backup, they must return the keys to read-write
mode after the backup event has completed successfully for Enterprise Vault to
return to normal operation.
Registry key creation and modification tasks can be done with automated scripts,
and can be scheduled to run by the Windows scheduler. Scheduling backups within
a backup window that allows the backup operation to run before the scheduled
read-write revert script runs will allow successful backups of the Enterprise Vault
archives.
These scripts are described in the Enterprise Vault Administrator's Guide, and are
available from Symantec technical support services.
Backup Exec allows the running of a script (or command file) before and after a
backup via pre- and post-commands. This could simplify the pre- and post-backup
process. Refer to the Symantec Backup Exec Administrator’s Guide for more
information about configuring pre- and post-commands.
Enterprise Vault backup sequence
Table 8-14 shows the sequence of tasks that summarize the process for backing
up Enterprise Vault with Backup Exec.
Table 8-14 Enterprise Vault backup sequence for Backup Exec
Sequence: Task
Step 1: Schedule the Enterprise Vault pre-backup task to run at the start of the
backup window.
Step 2: Create a backup policy to back up the following during the backup
window, allowing 15 minutes for the Enterprise Vault Pre-backup task
to run:
■ Enterprise Vault
■ Enterprise Vault SQL database
■ IM Manager SQL database
■ IM Manager .XSL file
■ Exchange data
Step 3: Create a selection list within Backup Exec to back up the vault stores,
indexes, shopping and license key information, as described in the
Enterprise Vault documentation. Be sure to include all vaults for both
Exchange email data and IM Manager instant message data.
Step 4: Create a selection list within Backup Exec to back up the SQL databases
for Enterprise Vault, the IM Manager SQL database, and the SQL master
database.
Step 5: Create a policy to back up the Enterprise Vault data, and create a
template that has scheduling information that will start the backup 15
minutes after the pre-backup script has run.
Step 6: Ensure the Reset Archive Bit operation is selected in Backup Exec
(default).
Step 7: Create one of the following backup policies:
■ A policy to back up the Enterprise Vault-related SQL data that is
scheduled to run when other jobs are not running
■ A policy to back up the Enterprise Vault-related SQL data that backs
up to a separate resource and can be done in parallel with other
backup jobs
Step 8: Schedule the Enterprise Vault post-backup task to run at the end of the
backup window.
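One way to check a planned schedule against the sequence in Table 8-14 before it goes live. This Python sketch is an added example, not part of Backup Exec or Enterprise Vault; the job names, resource names and times are constructed, and the rule for SQL jobs reflects Step 7.

```python
"""Added example: validate a backup schedule against the Table 8-14 sequence."""
from dataclasses import dataclass
from datetime import datetime, timedelta

PRE_BACKUP_ALLOWANCE = timedelta(minutes=15)  # allowance stated in Table 8-14


@dataclass(frozen=True)
class Job:
    name: str
    start: datetime
    expected: timedelta   # expected run time, e.g. taken from earlier job history
    resource: str         # backup target; the names used here are hypothetical
    is_sql: bool = False

    @property
    def end(self):
        return self.start + self.expected


def check_window(pre_backup, post_backup, jobs):
    """Return a sorted list of (job name, finding code) for schedule problems."""
    findings = set()
    earliest_start = pre_backup + PRE_BACKUP_ALLOWANCE
    for job in jobs:
        # Steps 2 and 5: the pre-backup task gets 15 minutes before any backup.
        if job.start < earliest_start:
            findings.add((job.name, "STARTS_BEFORE_PRE_BACKUP_DONE"))
        # Step 8: the post-backup task returns the services to read-write mode,
        # so a job still running at that time no longer sees a single snapshot.
        if job.end > post_backup:
            findings.add((job.name, "RUNS_PAST_POST_BACKUP"))
    # Step 7: SQL jobs run alone, or in parallel only on a separate resource.
    for sql in (j for j in jobs if j.is_sql):
        for other in jobs:
            overlaps = sql.start < other.end and other.start < sql.end
            if other is not sql and overlaps and other.resource == sql.resource:
                findings.add((sql.name, "SQL_JOB_SHARES_RESOURCE"))
    return sorted(findings)


# Constructed window: pre-backup task at 22:00, post-backup task at 04:00.
PRE = datetime(2024, 1, 10, 22, 0)
POST = datetime(2024, 1, 11, 4, 0)

PLANNED = [
    Job("Exchange data", datetime(2024, 1, 10, 22, 5),
        timedelta(hours=2), "disk-1"),
    Job("EV vault stores and indexes", datetime(2024, 1, 10, 22, 15),
        timedelta(hours=3), "tape-1"),
    Job("EV SQL databases", datetime(2024, 1, 10, 23, 0),
        timedelta(hours=1), "tape-1", is_sql=True),
    Job("IM Manager SQL database", datetime(2024, 1, 11, 2, 30),
        timedelta(hours=2), "disk-2", is_sql=True),
]

# Same jobs after moving start times and giving the SQL job its own resource.
CORRECTED = [
    Job("Exchange data", datetime(2024, 1, 10, 22, 15),
        timedelta(hours=2), "disk-1"),
    Job("EV vault stores and indexes", datetime(2024, 1, 10, 22, 15),
        timedelta(hours=3), "tape-1"),
    Job("EV SQL databases", datetime(2024, 1, 10, 23, 0),
        timedelta(hours=1), "tape-2", is_sql=True),
    Job("IM Manager SQL database", datetime(2024, 1, 11, 1, 30),
        timedelta(hours=2), "disk-2", is_sql=True),
]

if __name__ == "__main__":
    for name, code in check_window(PRE, POST, PLANNED):
        print(f"{code}: {name}")
    print("corrected schedule findings:", check_window(PRE, POST, CORRECTED))
```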
Chapter 9
Regulatory compliance and legal discovery for email and instant messaging management
This chapter includes the following topics:
■ About regulatory compliance
■ Email and instant messaging life cycle management
■ Considerations for data reduction
■ Considerations for threat reduction
■ Considerations for record retention
■ Considerations for discovery
About regulatory compliance
In the past two decades, email has evolved from a simple, quick method of personal
communication to a de facto record archive for business transactions and
operations. In addition, business organizations have seen a steep rise in the use
of instant messaging (IM) as a form of communication. IM has also become a
critical business communications tool for many companies. Businesses need to
consider the record of IM conversations much in the same way as they consider
email.
Whether communications happen in the form of an email or an instant message,
these messages serve as detailed transaction records for businesses. These
messages are critically valuable as evidence in a court of law, and proof that
companies are following compliance regulations. They are also a record of implied
business transactions, and a source for identifying violations of internal company
policies.
Consequently, modern business organizations are storing and guarding legacy
email and instant message conversation records for years. This is done to comply
with external rules and internal corporate governance guidelines. This relatively
new regulatory practice has increased the cost of storage required to retain legacy
email and instant message records, as well as added complexity to enterprise
message management.
The need to prepare for discovery and to enforce corporate policies creates the
necessity for companies to establish messaging controls for email and IM.
Regulatory compliance is making it mandatory for organizations to implement
IT controls and processes for message management. In particular, companies
need to effectively store, protect, and search legacy email and instant message
conversation records. Whenever a message is sent by business personnel, or
received at an organization’s email or IM gateway, it must be controlled, monitored,
protected, and managed.
If an organization is unable to comply with regulatory requirements or its own
internal policies governing email and instant messaging, the use of email and
instant messaging may be banned. In practice, this type of prohibition is rarely
implemented for email communication, and is more likely to be applied to instant
messaging communication. However, most organizations have begun to embrace
instant messaging as an important business communication tool.
Note: The impact of regulatory compliance mandates varies greatly between
regulations, industries, and individual companies. The implementations of the
Symantec™ solution for enterprise message management that are recommended
in this Symantec Yellow Book may not apply to all organizations.
Moreover, IT organizations must deal with a wide array of non-email or instant
message electronic records. Discussion of regulatory compliance as it relates to
these other types of electronic records, as well as the impact of specific regulations,
is outside the scope of this chapter.
Email and instant messaging life cycle management
Management of regulatory compliance and legal discovery requirements has
brought new considerations and requirements for email and instant messaging.
From the time a message is either sent by an individual in the organization or
received at the gateway, it must be managed through each phase of its life cycle.
At some point in time, the message is deleted and permanently destroyed, in
accordance with the relevant business policy or regulation.
There are numerous regulations relating to records retention that require email
and instant messages be archived. In addition to archiving the messages, the
ability to subsequently search archived messages and to provide this information
in a timely manner to support legal discovery is also required.
The following factors should be considered when developing a message retention
and retrieval implementation:
Data reduction: Message data reduction involves the automated, proactive
removal of spam and spim (spam received over IM). Today, these
unsolicited and unwanted messages consume the majority of
message volume on the Internet. Reducing unwanted message
volume in a business enterprise will greatly reduce the presence
of non-business-related information in message archives.
Threat reduction: Email and instant message threat reduction involves stopping
phishing attacks, viruses, worms, and restricted content before
these threats reach the organization’s network and message
servers.
Record Retention: Message retention is the automatic capture and secure storage
of email, instant messages, and attachments sent or received
by business personnel. An organization’s message retention
policy must also allow for subsequent expiration and deletion
of retained messages, based on the organization’s established
regulatory policies. Determining what messages are retained,
and for how long, is a vital consideration.
Discovery: Organizations must comply with possible legal obligations,
should a court of law demand access to specified email or instant
message records. Message discovery is the process of searching
and classifying archived message content to meet these
requirements.
Backup: Email backup is typically a required, regularly scheduled process.
Backups entail copying and archiving email content and
attachments to offline media, and storing email archives at
secure locations, both onsite and offsite. Similarly, logs of
instant message conversations may also be backed up.
Determining what part backup plays in the overall compliance
strategy has important implications for both regulatory
compliance and legal discovery.
Considerations for data reduction
Managing spam and spim, non-business email, and instant messages is a challenge
to business organizations. Although tougher government legislation and
enforcement of anti-spam laws is ongoing, this unwanted communication still
exists as a major problem. Comprehensive email messaging management solutions
enable organizations to significantly reduce the effects of spam and spim on
business email traffic and server throughput.
Companies must take definitive steps to maintain normal email business
communications despite growing spam volumes. They must also be aware of how
spam may impact regulatory compliance.
The risks associated with unwanted messages are many. Left ignored, spam and
spim could create the following risks or concerns for your business:
■ Large amounts of non-business-related messages can negatively impact the
ability of business personnel to be responsive to requests for historical email.
Particularly with email, when a significant amount of spam is present, email
discovery becomes more difficult. Whether stored messages are located in an
inbox, a PST, or an archive, the presence of spam can result in additional time
and cost to complete discovery.
■ The content of unsolicited and unwanted messages is a serious concern. Spam
and spim are frequently used as a launching vehicle for viruses, worms, and
other malicious content. These threats use ever-changing forms of deception,
such as phishing and other social engineering schemes, to expose confidential
information. Depending on the success of the attack, and the type of
information obtained, it can put company computers and information at risk.
■ Spam and spim content is commonly malicious, inappropriate, or not conducive
to business. Mailboxes on corporate email servers, instant message
conversations, or messages in archives with inappropriate, illegal content, are
potential liabilities for companies.
■ Computers that have been compromised by malicious software can be used by
spammers to anonymously steal use of company equipment. This can
significantly increase a company's hardware and bandwidth costs. Inside an
organization, these so-called zombie computers can generate spam messages
without the knowledge or approval of business management.
Spam and archiving
Since regulations do not provide clear guidance on how to handle unsolicited
messages such as spam, deleting these messages may not be advisable. It may be
appropriate for some businesses to archive spam and spim messages as a matter
of caution. In this case, the messages would still be filtered before reaching the
recipient’s Inbox, but would be archived instead of deleted.
Through the integration of Symantec™ Mail Security 8200 appliance and Veritas
Enterprise Vault™, the Symantec Enterprise Messaging Management solution
allows spam to be automatically redirected to an archive.
Considerations for threat reduction
As email and instant message communication grows in importance as a
business-critical service, there is a corresponding evolution of related threats.
The primary delivery vehicle for malicious attacks into modern business
organizations is email and instant messaging.
The benefits of taking steps to proactively filter and provide messages that are
free of viruses, worms, and other malicious code are apparent to most
organizations. However, the connection between these threats and regulatory
compliance is not as obvious.
Malicious code most commonly attempts various forms of deception and fraud
that are targeted at individuals and organizations. In addition, the methods used
to transmit malicious content in both email and instant messages are continually
evolving and employ more sophisticated exploits.
Maintaining a message archive that is clean of viruses, phishing attempts, and
other types of malicious code is important. This not only reduces the possibility
that malicious code could be accidentally executed by recipients, but also prevents
the inadvertent release of confidential company or individual information.
Considerations for record retention
In most unregulated industries, deciding what business messages must be archived
is often a subjective process. An organization needs to consider not only regulatory
requirements, but also the practicality of implementing the policy.
A definition of what constitutes record and non-record messages, and what needs
to be preserved, should be established, along with the regulatory compliance and
legal discovery requirements. Typically, executive management, the legal
department, and outside legal counsel jointly determine what constitutes record
and non-record messages.
Each business, through examination of the current regulations, must interpret
how these regulations apply to their enterprise and industry. It is clearly beyond
the scope of any single group or person to determine what constitutes record and
non-record messages.
The role of the IT organization in meeting compliance needs to be considered as
part of an enterprise-wide compliance- and risk-management program. The duties
of IT are still critical to the success of any regulatory compliance program. In the
United States, the courts recognize and expect that IT management plays a vital
role in message-preservation efforts. In some cases, IT professionals may be called
upon to testify in court about their message-preservation efforts and policies, and
to demonstrate due diligence in their processes.
When developing a compliance program, it is highly recommended that an
organization include legal expertise both from inside and outside the organization.
Applying policies across the organization
Once policies are established for the business, a strategy for implementation must
be developed. Symantec recommends that enterprises identify how current
regulations apply, and which policies, schedules, and procedures are required for
specific business units and specific individuals. Alternatively, IT can implement
the required policies, schedules, and procedures for everyone in a uniform manner
across the entire enterprise.
When it comes to compliance and message retention, individual business units
may have different requirements for managing internal records. By identifying
key business units that generate or receive email and instant messages that are
subject to retention requirements, specific policies can be put in place for each
business unit.
As with business units, compliance requirements for specific roles within a
business can vary. Specific titles or scopes of authority may require different
email or instant message archiving requirements.
When scrutinizing individuals, it is worthwhile to consider the importance of
implementing legal holds on an individual’s email and instant message
communication. In order to avoid reliance on an individual's follow-up actions to
achieve compliance with a legal hold, it may be necessary to automatically archive
all of an individual's communications. An automatic-hold mechanism is a more
effective method than the alternative, which is to instruct individuals to retain
all messages that may potentially pertain to a matter undergoing litigation.
Organizations can also opt to take a uniform approach by archiving messages for
all email and instant message users, regardless of their role or organization. By
applying the same policies and procedures across the entire company, all
communications are captured. The benefit is that all sent and received messages
are archived regardless of sender, content, origin, and destination. However,
depending on the size of the organization, and type of regulations, this approach
may be neither feasible nor advisable.
Applying the same policies and procedures across the entire company may have
the following drawbacks:
■ Email and instant messages may be retained for longer periods than required.
■ Non-essential email and instant messages may be retained.
■ Potentially relevant messages may not be recovered in a timely, cost-effective
manner.
Discovery and records retention
Retention of relevant message data for long periods of time requires sufficient
system, storage, and networking resources. Any decision that a business makes
about what, where, and how to archive email and instant messages plays a direct
role in determining hardware requirements.
It is important to consider potential discovery requirements to which the business
may be subject. Companies must be prepared to produce records for legal discovery
upon demand, and a large message archive could make discovery more challenging.
The need to analyze potentially irrelevant messages that still match search criteria
could increase the time and cost of the discovery effort and affect its accuracy.
Message retention schedules and procedures should be relevant to the particular
industry or business, and the applicable regulations. An intensive assessment of
these considerations should be made before deciding how to implement a message
retention system.
Considerations for discovery
Companies must be prepared to produce records for legal discovery upon demand.
The following considerations are key in the message discovery process:
Completeness: Ensuring that search results are accurate, and flagging all relevant
messages
Time: Responding to discovery requests in the time allotted
Cost: Reducing logistical and cost issues when responding to discovery
requests
The process of evaluating the risk trade-offs and determining a suitable balance
of each of the factors is different for each industry, business, and situation.
Completeness of process
Thoroughness in a discovery search is critical. This includes the accuracy of the
search results in flagging all message content that is potentially relevant to the
specific discovery request, subpoena, or litigation.
Organizations are required to turn over all relevant information over which they
have custody, regardless of its location. Discovery of relevant message content
can involve multiple search locations, including personal computers, laptops,
email servers, spam quarantines, backup servers, archive servers, and offline disk
or tape. Without a coordinated and automated approach to message management,
discovery can be a challenging task.
With email, the message or messages being searched for are not necessarily
contained in a user’s inbox, but could also be located in locally stored PST email
archives or in offline backups. With instant messages, there are similar
considerations. Instant messages may be logged locally on end-user machines.
These logs may also get backed up as part of regular user backups, so searching
backups needs to be considered. Even if email and instant messages are being
centrally archived, it is important to consider that these archives may not be the
only location from where a message record might be recovered.
Timeliness of response
Responding to discovery requests in a fixed amount of time is a common
requirement. While the amount of time spent identifying and producing requested
messages depends on what is requested, turnaround time can be impacted in other
ways.
Preventing non-business information from populating an archive is an important
goal. Having fewer personal and non-business-related messages cluttering the storage
space enables an organization to improve search times and the average number
of search hits. The ideal result is a much higher percentage of relevant information
with every discovery search that is performed.
The accessibility of email and instant messages stored in archives is an important
consideration. Inaccessible messages archived on offline media or stored on
individual computers in PST files are significantly more difficult to search for
than messages stored in an automated online archive.
Cost efficiency
It is important to reduce the cost of responding to discovery requests. A message
retention plan should exist to manage discovery requests in a minimally disruptive
way to the business, including the individuals, business units, or groups involved
in the discovery.
Being able to minimize the number of individuals that need to be actively involved
in responding to the discovery is beneficial. By having a message retention policy
and automatic enforcement mechanisms in place, the burden of taking additional
steps to recover and protect any potentially relevant messages is removed from
individuals.
Being able to minimize the number of locations, including systems and physical
locations, is critical. Itemizing, locating, and examining systems for potentially
relevant messages, or recovering data from offline media can be costly. Having a
comprehensive message retention system in place may substantially reduce the
number of locations in which a copy of a potentially relevant message may exist.
By archiving email and instant messages, the process required to search for and
recover potentially relevant messages may be simplified.
About the role of backup
The need to provide regular backup and restore services for Exchange servers is
a well-established requirement for most IT organizations. However, the
relationship between backup and regulatory compliance is not necessarily
straightforward.
Although backups provide a periodic snapshot of the message records that reside
on an organization’s servers, reliance on backup alone may be inadequate. Backups
can create the following areas of exposure:
■ Backups are periodic.
Backups only provide access to messages existing on the server at the time
the backup was created.
■ Backups contain unfiltered data.
Backups contain everything in the inbox, not just what may be required by
company policy for compliance.
■ Backups are difficult to search.
Backups often require lengthy restore operations to stage the email back to
an Exchange server before the actual search can be performed. Inefficient and
time-consuming searches often result from discovery in
backup message archives.
■ Backups are typically kept offline.
Backups must be restored to an online Exchange server to be efficiently
accessed for email. This process can be iterative, when multiple backups must
be reconstructed to create a time line of related messages.
■ Backup media have physical profiles that must be tracked and managed.
■ Backups typically do not expire uniformly.
Most likely, using backup tapes as a generic cover for regulatory compliance will
be insufficient for most organizations faced with regulatory requirements.
Discovery searches by companies with no message-retention policies in place,
who are forced to rely on backups as their historical archive, will take more time,
incur more costs, and involve greater risks.
Chapter 10
Best practices for Veritas Enterprise Vault™ legal discovery and compliance options
This chapter includes the following topics:
■ About Veritas Enterprise Vault legal discovery and compliance options
■ Best practices for installing and configuring Enterprise Vault Discovery
Accelerator
■ Best practices for installing and configuring Enterprise Vault Compliance
Accelerator
■ Best practices for customizing Enterprise Vault Discovery Accelerator
■ Best practices for customizing Enterprise Vault Compliance Accelerator
■ Best practices for upgrading Enterprise Vault Compliance Accelerator
■ Best practices for Enterprise Vault Compliance Accelerator backup and recovery
About Veritas Enterprise Vault legal discovery and compliance options
Veritas Enterprise Vault provides full email and other information retrieval and
content search capabilities based on the indexes that are maintained by Enterprise
Vault. For those organizations that desire or require advanced information search
and retrieval capabilities, Symantec offers the Enterprise Vault Discovery
Accelerator and Enterprise Vault Compliance Accelerator options. These options
work in association with email journaling to provide users with complete and
accelerated information search and retrieval capabilities.
About Enterprise Vault Discovery Accelerator
Veritas Enterprise Vault™ Discovery Accelerator is a case management system
designed to facilitate and audit internal work flows for legal teams running
searches and marking records.
Veritas Enterprise Vault Discovery Accelerator’s robust search and export tool
allows an assigned administrator or reviewer to conduct online searches of their
existing archived data in response to an external legal request or an internal
company inquiry. Enterprise Vault Discovery Accelerator can search user mailbox
archives, journal mailbox archives, file system archives, Microsoft SharePoint®
archives and public folder archives. If an item of interest is found during the
search, administrators can permanently attach comments or marks to the item,
for example, ranking it by relevance to the search request, and then export the
items or reports as PST or XML files for later use in pending or threatened
litigation.
Veritas Enterprise Vault Discovery Accelerator does not alter the original contents
of the email or document, but appends additional information to the data, in order
to preserve the integrity of the items returned by the search. Once an item is
tagged with comments by a reviewer, the comments cannot be removed, which
maintains an auditable trail. Enterprise Vault Discovery Accelerator is ideal for
ad hoc searches. Most searches that are performed for discovery purposes are
created on an as-needed basis. Enterprise Vault Discovery Accelerator can produce
information in formats that are suitable for presentation in a formal, legal context.
About Enterprise Vault Compliance Accelerator
Veritas Enterprise Vault™ Compliance Accelerator enables organizations to
implement corporate strategies for regulatory compliance.
Enterprise Vault Compliance Accelerator allows administrators to create searches
that align with an organization’s compliance strategy, such as collecting a
percentage of all generated email and monitoring for inappropriate language or
conduct. After formal retention policies are established, compliance requirements
can be accurately fulfilled using Enterprise Vault Compliance Accelerator.
Enterprise Vault Compliance Accelerator can be configured to search archives
for defined words and phrases, to search by date ranges and message size, type
of email, or the direction (inbound or outbound) of the email. Administrators can
also search for the email author, domain name, recipient, and attachments. Finally,
administrators can search using any ad hoc search criteria they choose.
Comparison matrix
Table 10-1 lists the features and functionality supported by Enterprise Vault
Compliance Accelerator and Enterprise Vault Discovery Accelerator.
Table 10-1 Matrix comparing Compliance Accelerator and Discovery Accelerator
Discovery Accelerator | Compliance Accelerator | Functionality
Yes | Yes | Web-based interface
Yes | Yes | Store data within SQL Database
Yes | Yes | Search Enterprise Vault index
No | Yes | Create scheduled searches
Yes | Yes | Perform ad hoc searches
No | Yes | Employee and group synchronization from Active Directory
No | Yes | Search by file extension (.exe, .mp3, .htm)
No | Yes | Search by number of attachments
No | Yes | Search by size of attachment
No | Yes | Search by minimum number of items discovered
Yes | Yes | Search by date range
No | Yes | Search by absolute limit (set upper limit on number of items to discover)
No | Yes | Search by message size
Can be configured | Yes | Search by message type (IM, Bloomberg®)
No | Yes | Search by retention category
Yes | Yes | Search using existing templates
No | Yes | Search by external domain
Can be configured | Yes | Search by message direction (recipient or sender; incoming or outgoing)
No | Yes | Search and monitor emails between business units
No | Yes | Application searches
Yes | Yes | Key word and hot word searches
Yes | No | Assign Bates numbers for legal inquiries
Yes | Yes | Comply with legal discovery requests
No | Yes | Random sampling of user data (by percentage)
No | Yes (requires Journaling Connector) | Department index tagging
No | Yes | Reporting
Yes | No | Report and view assignments (marked, status, reviewer)
Yes | Yes | Assign reviewer and supervisor levels and permissions
Yes | Yes | Customize review marking (comments)
Yes | Yes | Automatically accept search results
Yes | Yes | Audit history and workflow of searched and discovered items
Yes | Yes | Export search results to PST file
Yes | Yes | Export data to PST file
No | Yes | Export configuration data to XML file
Yes | Yes | Export search results to MSG file
Yes | Yes | Export search results to HTML file
Yes | Yes | Import configuration data
No | Yes | Create exception employees (special grouping and searching restrictions or monitoring, such as executive or sensitive team data)
NoYesDesigned for use with human resources departments (internal policy and
procedure tracking and enforcement)
YesNoDesigned for use with legal departments and workflow audits of legal cases
(reduces cost of scrubbing and reviewing data)
Best practices for Veritas Enterprise Vault™ legal discovery and compliance optionsAbout Veritas Enterprise Vault legal discovery and compliance options
232
Table 10-1 Matrix comparingComplianceAccelerator andDiscovery Accelerator
(continued)
Discovery
Accelerator
Compliance
Accelerator
Functionality
NoYesDesigned to assist with regulatory control
NoYesDesigned to assist with monitoring and surveillance
NoYesFacilitates compliance with government (federal, state, and local)
regulations
NoYesFacilitates compliance with financial regulations (NASD and SEC)
NoYesFacilitates health care compliance (HIPAA; privacy regulations and public
records requests)
YesYesDesigned to assist energy companies comply with government
policies(scandal discovery and regulations)
YesYesDesigned to support academic research
NoYesFacilitates compliance with Sarbanes-Oxley Act (internal controls and
reporting
NoYesDesigned to assist Microsoft Exchange administrators with data discovery
Best practices for installing and configuring Enterprise Vault Discovery Accelerator
It is recommended that the Enterprise Vault Discovery Accelerator software be
installed and configured to run on a server that is not an Enterprise Vault server.
While Enterprise Vault Discovery Accelerator can be installed and run on an
Enterprise Vault server, this may significantly degrade performance and so it is
not recommended.
Nonetheless, Enterprise Vault software must be installed on the Enterprise Vault
Discovery Accelerator server, but the Enterprise Vault software can be installed
without completing all of the configuration steps. In this type of configuration,
Symantec™ recommends setting the Enterprise Vault Admin Service Startup Type
to Disabled.
Enterprise Vault Discovery Accelerator must be configured and installed using
the Vault Service account. The computer on which Enterprise Vault Discovery
Accelerator is installed and runs must be in the same domain as the Enterprise
Vault Server, or in a trusted domain. The computer on which Enterprise Vault
Discovery Accelerator is installed and runs must have the exact same operating
system release and patches, and the exact same Enterprise Vault release, as the
computers running the Enterprise Vault services.
Prepare to install Enterprise Vault Discovery Accelerator
Make sure that the following prerequisites are met before installing Enterprise
Vault Discovery Accelerator:
■ The Vault Stores to be searched must have Indexing set to Full.
■ Enterprise Vault 6.0 is used with Enterprise Vault Discovery Accelerator 5.0
SP3 or later. Enterprise Vault supports only Enterprise Vault Discovery
Accelerator 5.0 SP3 or later.
■ Microsoft Internet Explorer 6.0 or later is installed, as well as the Internet
Explorer WebControls from the Redistributable folder in the install kit.
Symantec recommends disabling pop-up blockers. Pop-up blockers may disrupt
the dialog boxes that appear when reviewing messages with Enterprise Vault
Compliance Accelerator.
■ Microsoft .NET Framework v1.1 with Service Pack 1 is installed. The Microsoft
.NET Framework can be found in the Redistributables folder of the Enterprise
Vault Discovery Accelerator install kit. Microsoft .NET SP1 should be installed
to address known memory leaks and security issues.
■ Automatic updates of Microsoft .NET should be disabled. All updates should
be reviewed before installing.
Any Microsoft .NET patches should be installed one at a time in a test
environment before installing in a production environment.
■ Microsoft Internet Information Services (IIS) is installed to the Enterprise
Vault Discovery Accelerator system and the IIS worker process has write access
to the Enterprise Vault Discovery Accelerator installation folder.
■ Microsoft Active Server Pages (ASPs) are installed and the Web Service
Extension option is set to allow Active Server Pages scripts to run.
■ The Vault Service account in which the IIS worker process is running has Full
Control access to the Windows® Temp folder and Allow inheritable permissions
from parent to propagate to this object enabled.
■ The Authenticated Users group has Full Control access to the Windows Temp
and TMP folder and Allow inheritable permissions from parent to propagate
to this object enabled. If the ASP.NET service logs on under a different account
than Authenticated Users, the different account should be given Full Access
rights as well.
■ The Enterprise Vault Discovery Accelerator database requires 600 MB minimum
of free space on the SQL Server computer.
■ The Microsoft MIME type, JScript® (JSE), is enabled in the IIS properties.
■ The Default Web Site in IIS Manager can be browsed to and opened from
Computer Management and IIS Manager.
If the Under Construction page cannot be opened, IIS is not configured properly
and the Enterprise Vault Discovery Accelerator Web application will not
function. For IIS troubleshooting information, see the following URL:
http://www.microsoft.com/WindowsServer2003/IIS/default.mspx
■ If Enterprise Vault Discovery Accelerator is on a different server than
Enterprise Vault, the correct version of MAPISVC.INF is installed on the
Enterprise Vault Discovery Accelerator server. To verify the version, open
Help in the Enterprise Vault Administrator Console and search on
MAPISVC.INF.
■ The Enterprise Vault Discovery Accelerator server has a minimum of 2 GB of
memory. If the Enterprise Vault Discovery Accelerator computer is not a
standalone computer, it must have a minimum of 4 GB, with at least 2 GB
allocated for Enterprise Vault Discovery Accelerator use.
Note: Running Enterprise Vault Compliance Accelerator and Enterprise Vault
Discovery Accelerator on the same computer is not supported. Only Enterprise
Vault Discovery Accelerator 5.0 SP3 or later is supported with Enterprise Vault
6.0.
See the Enterprise Vault Discovery Accelerator Installing and Configuring guide
for more information.
SQL Server requirements for Enterprise Vault Discovery Accelerator
Because of the amount of resources that searching requires, the Enterprise Vault
Discovery Accelerator database should be installed on a standalone computer.
Enterprise Vault Discovery Accelerator SQL Server database requires 600 MB
minimum of disk space to be created.
For other requirements:
See “SQL Server requirements for Enterprise Vault Compliance Accelerator”
on page 241.
Installing Enterprise Vault Discovery Accelerator
Enterprise Vault must be installed before installing Enterprise Vault Discovery
Accelerator. Before installing Enterprise Vault Discovery Accelerator, ensure that
all prerequisites to install Enterprise Vault Discovery Accelerator have been met.
To install Enterprise Vault Discovery Accelerator
1 Start the Enterprise Vault Administrator Console, and then point to the
Enterprise Vault server to be used by Enterprise Vault Discovery Accelerator.
2 Launch the Enterprise Vault Discovery Accelerator installation wizard, and
when prompted for the Enterprise Vault Discovery Accelerator Service login,
provide the Domain\UserName for the Vault Service account.
3 After the installation is complete, copy the Enterprise Vault Discovery
Accelerator license key to C:\Program Files\KVS\Discovery Accelerator.
An Enterprise Vault license key is not required for Enterprise Vault Discovery
Accelerator to run.
4 Verify that the IIS Admin Service and WWW Publishing Service are started.
5 After installation completes, wait approximately 10 seconds before starting
the Enterprise Vault Discovery Accelerator Service to ensure that the services
are registered.
Note: Installations of Enterprise Vault Discovery Accelerator and Enterprise Vault
Compliance Accelerator are not supported on the same computer.
Configuring Enterprise Vault Discovery Accelerator
The Vault Service account must be used to configure Enterprise Vault Discovery
Accelerator to manage the Enterprise Vault server. Configuring Enterprise Vault
Discovery Accelerator includes the following tasks:
■ Launching the Enterprise Vault Discovery Accelerator Web application
■ Completing the configuration
To launch the Enterprise Vault Discovery Accelerator Web application
1 Launch the Web browser and browse to the Enterprise Vault Discovery
Accelerator home page, http://<Discovery Accelerator server name>/
EVDiscovery/.
To eliminate the need to authenticate every time a connection is made, use
the localhost connection method (http://localhost/EVDiscovery/) instead of
using the Enterprise Vault Discovery Accelerator server name.
2 When prompted for login information, provide the Vault Service account
information that was used during the installation process.
3 Click the Configure link to begin the configuration process.
To complete the configuration
1 Provide a valid SQL Server computer name and the Instance name, if
applicable (ServerName\InstanceName).
2 If desired, specify a new name for the database. The default name for the
database to be created is EVAccelerator.
Specify a unique database name if Enterprise Vault Compliance Accelerator
is also installed, if a previous version of Enterprise Vault Discovery Accelerator
is installed, or if there are multiple installations of Enterprise Vault Discovery
Accelerator on different computers.
3 Point to an existing volume on the SQL Server computer where the MDF
database files will be hosted.
A local or mapped drive can be used, but not a UNC path. Whatever volume
is used should reside on the SQL Server computer, and not on the Enterprise
Vault Discovery Accelerator computer.
4 Point to an existing volume on the SQL Server computer where the LDF
database files will be hosted.
A local or mapped drive can be used, but not a UNC path. Whatever volume
is used should reside on the SQL computer, not the Enterprise Vault Discovery
Accelerator computer.
5 Verify or provide the DNS alias or server name of the Enterprise Vault
Directory Service computer.
6 After configuration is complete, when prompted to restart the Enterprise
Vault Discovery Accelerator Service, wait approximately 10 seconds before
starting the Enterprise Vault Discovery Accelerator Service to ensure that
all services are registered.
Note: To install the database files to a hidden share, the databases must first be
installed to a non-hidden share. The Enterprise Vault Discovery Accelerator
installer does not allow a database to be created in a hidden share (for example
D:\SQL$). However, Enterprise Vault Discovery Accelerator does function correctly
when using hidden shares. Use SQL Server to move the databases to a hidden
share after they are created.
Enterprise Vault Discovery Accelerator browser interface recommendations
Symantec recommends the following practices when using the Enterprise Vault
Discovery Accelerator browser interface:
■ Use the links provided in the application to navigate from page to page instead
of using the Internet Explorer browser toolbar Back button, or the Backspace
or other shortcut keys. The bottom of each Enterprise Vault Discovery
Accelerator page displays a Close button to close the page and return to the
previous page.
■ To refresh the current Enterprise Vault Discovery Accelerator page, right-click
the page, and then select Refresh from the context menu. Clicking Refresh in
the browser toolbar opens the Enterprise Vault Discovery Accelerator home
page.
■ Run the browser in full screen mode by using the function key F11 to toggle
between views.
Best practices for installing and configuring Enterprise Vault Compliance Accelerator
Enterprise Vault Compliance Accelerator and SQL Server should not be installed
on the same computer as the Enterprise Vault system, except perhaps during
evaluation or pilot deployments. Because of the additional demands placed on
system resources, the ability to conduct quick searches and archiving is reduced
when these components are all co-located on a single computer. Installing
Enterprise Vault Compliance Accelerator on a separate computer reduces the
impact of intensive searching on the Enterprise Vault system.
Also, running Enterprise Vault Compliance Accelerator and Enterprise Vault
Discovery Accelerator on the same computer is not supported.
The Enterprise Vault software must be installed on the server where the
Compliance Accelerator software will be run to allow access to the messages in
the Enterprise Vault archives. However, it is not necessary to configure the
Enterprise Vault management services to run on the computer running Enterprise
Vault Compliance Accelerator, so you can set the Enterprise Vault Admin Service
Startup Type on this computer to Disabled.
Enterprise Vault Compliance Accelerator must be installed and configured using
the Vault Service account. The computer used for installation must be in the same
domain as the Enterprise Vault server, or in a trusted domain. The same release
of Enterprise Vault software as is used on the Enterprise Vault server(s) must also
be installed on the Enterprise Vault Compliance Accelerator computer.
Instead of using Enterprise Vault Compliance Accelerator to search the Vault
Stores containing archived email messages from users, Symantec recommends
that administrators create a new Vault Store for all the journaled email, and
configure Compliance Accelerator to depend upon the data in that Vault Store.
This new Vault Store can then be searched with Enterprise Vault Compliance
Accelerator.
Prepare to install Enterprise Vault Compliance Accelerator
Make sure that the following prerequisites are met before installing Enterprise
Vault Compliance Accelerator:
■ Microsoft Internet Explorer 6.0 or later is installed, as well as the Internet
Explorer WebControls. These can be downloaded from the website links
provided in the installation documentation.
■ Microsoft Active Server Pages (ASPs) are installed and the Web Service
Extension option is set to allow Active Server Pages scripts to run.
■ Microsoft IIS is installed on the Enterprise Vault Compliance Accelerator
computer, and the IIS Worker Process has write access to the Enterprise Vault
Compliance Accelerator installation folder.
■ Symantec recommends disabling pop-up blockers. Pop-up blockers may disrupt
the dialog boxes that appear when reviewing messages with Compliance
Accelerator.
■ The Enterprise Vault Compliance Accelerator database requires 600 MB
minimum of disk space on the SQL Server computer.
■ Microsoft .NET Framework version 1.1 with Service Pack 1 (SP1) is installed.
In addition, Microsoft .NET SP1 should be installed to address known memory
leaks and security issues. These can be downloaded from the website links
provided in the installation documentation.
■ Automatic updates of Microsoft .NET should be disabled. All updates should
be reviewed before installing.
Any Microsoft .NET patches should be installed one at a time in a test
environment before installing in a production environment.
■ A PDF reader or spreadsheet viewer is installed for printing and viewing
Enterprise Vault Compliance Accelerator reports.
The Microsoft Excel® Viewer can be downloaded from Microsoft.
■ The Microsoft MIME type, JScript (JSE), is enabled in the IIS properties.
■ The Authenticated Users group has Full Control access to the Windows Temp
and TMP folder and Allow inheritable permissions from parent to propagate
to this object enabled. If the ASP.NET service logs on under a different account
than Authenticated Users, the different account should be given Full Access
rights as well.
■ If Enterprise Vault Compliance Accelerator is on a different server than
Enterprise Vault, the correct version of MAPISVC.INF is installed on the
Enterprise Vault Compliance Accelerator server. To verify the version, open
Help in the Enterprise Vault Administrator Console and search on
MAPISVC.INF.
■ An Enterprise Vault Compliance Accelerator license key is obtained for any
computer on which the Enterprise Vault Compliance Accelerator Service is to
run. The service cannot start until the license key is installed.
■ The Enterprise Vault Compliance Accelerator server has at least 2 GB of
memory. If the Enterprise Vault Compliance Accelerator computer is not a
standalone, it must have a 4 GB minimum of memory, with at least 2 GB
allocated for Enterprise Vault Compliance Accelerator usage.
Requirements for the optional Journaling Connector
Installing the optional Journaling Connector allows organizations to increase
performance and search capabilities. The Journaling Connector lets administrators
randomly sample a department’s or individual’s messages.
By default, the Journaling Connector does not add report type messages (such as
delivery receipts, read receipts, out of office auto replies, auto replies from
Microsoft Outlook® rules, or quota warnings) to the review set.
Before installing the Journaling Connector, note the following requirements:
■ The Journaling Connector component must be installed on all servers running
the Enterprise Vault Journaling Task (formerly the Enterprise Vault Journaling
Service).
■ The Journaling Connector component can be installed using the Custom Install
option for Enterprise Vault Compliance Accelerator.
■ Install Microsoft .NET Framework v1.1 on any computer on which the
Journaling Connector is to run.
■ Set indexing to Full on the Enterprise Vault archives.
Note: Computers with only the Journaling Connector component do not need an
Enterprise Vault Compliance Accelerator license key installed.
SQL Server requirements for Enterprise Vault Compliance Accelerator
Symantec strongly recommends that the Enterprise Vault Compliance Accelerator
database reside on a standalone computer. This is because of the amount of
resources used during searches.
The SQL Server database that Enterprise Vault Compliance Accelerator uses
requires 600 MB of disk space (minimum) to be created.
Other requirements for the SQL database are as follows:
■ Enterprise Vault Compliance Accelerator is supported for use with SQL Server
2000 SP3a and SP4. It is expected to support the use of SQL Server 2005 in
2006.
■ The SQL Server should have at least 2 GB of memory. If the Enterprise Vault
Compliance Accelerator computer is not standalone, it must have a minimum
of 4 GB of memory, with at least 2 GB allocated for Enterprise Vault Compliance
Accelerator.
■ The Vault Service account must be a System Administrator on the SQL server.
In addition, the SQLAgent service must be running. If the Enterprise Vault
Compliance Accelerator database is created on a different computer than the
Enterprise Vault databases, the administrator must create a SQL login for the
Enterprise Vault Service account that is identical to the one used on the
Enterprise Vault database server.
■ The volume that will be used for the Enterprise Vault Compliance Accelerator
database must be created before Enterprise Vault Compliance Accelerator is
installed. When prompted to select the volume in which to create the database,
point to the SQL computer volume, not to the Enterprise Vault Compliance
Accelerator volume.
Install Enterprise Vault Compliance Accelerator
Verify that all requirements to install have been met. Enterprise Vault must be
installed before installing Enterprise Vault Compliance Accelerator.
To install Enterprise Vault Compliance Accelerator
1 To verify the correct functioning of Enterprise Vault, start the Administrator
Console and then point to the Enterprise Vault server to be used for Enterprise
Vault Compliance Accelerator.
2 Log on to the Vault Service account and run the Enterprise Vault Compliance
Accelerator\Setup.exe installer.
Follow the prompts in the installation wizard.
3 When the setup program prompts you for details of the account under which
to run the Enterprise Vault Accelerator Manager Service, enter the name of
the Vault Service account with which you manage your Enterprise Vault
server in the form domain\username. The setup program may also prompt
you for the name of the SQL Server computer that hosts the database for the
Enterprise Vault Directory.
4 When prompted to select an installation option, do one of the following:
■ To install the basic Compliance Accelerator components but not the
Journaling Connector, select the Typical option.
■ To pick the components that you want to install, select the Custom option.
For example, select this option to install both the basic Compliance
Accelerator components and the Journaling Connector on the same
computer, or to install the Journaling Connector only. (The Journaling
Service must be installed for the Journaling Connector option to appear.)
5 Click Next, and then follow the on-screen instructions.
6 When the installation completes, verify that the correct license is in the KVS
directory, and then start the Enterprise Vault Compliance Accelerator Service.
See “Upgrading Enterprise Vault Compliance Accelerator” on page 258.
Configuring Enterprise Vault Compliance Accelerator
In a Web application, the Vault Service account must be used to configure
Enterprise Vault Compliance Accelerator to set up and manage the Enterprise
Vault server. Configuring Enterprise Vault Compliance Accelerator consists of
the following tasks:
■ Before launching the Enterprise Vault Compliance Accelerator Web Application
in a browser, add server names and paths to the Trusted Sites in the browser,
or ensure that the Compliance Accelerator server is in the same domain as the
Enterprise Vault server.
■ Configure Enterprise Vault Compliance Accelerator
To add server names and paths to Trusted Sites
◆ Add the following server name and application paths to the browser’s Trusted
Sites:
■ http://LocalHost/EVBACompliance
■ http://<computer name>/EVBACompliance
To configure Enterprise Vault Compliance Accelerator
1 In a supported Web browser, type one of the following URLs:
http://LocalHost/EVBACompliance
or, if you are not logged on to the Compliance Accelerator server, type
http://<YourComplianceAcceleratorIISServerName>/EVBACompliance.
When a prompt appears for login information, provide the Vault Service
account information that was used during the installation.
2 Click the Configure link to begin the configuration process.
3 Type the following to provide configuration database information:
■ Server Name
Provide a valid SQL server name (ServerName\InstanceName).
■ Database Name
The default name for the Configuration database is created as
EVConfiguration. If Compliance Accelerator 6.0 has been previously
installed, a database called EVConfiguration may already exist. In this
case, you must give the new Compliance Accelerator configuration
database a different name, or select Use Existing Database, if applicable.
■ Data file folder
Point to an existing volume on the SQL Server computer to host the MDF
database files.
■ Log file folder
Point to an existing volume on the SQL Server computer to host the LDF
database files.
■ Verify or provide the DNS alias or server name of the Enterprise Vault
Directory Service computer.
4 Type the following to provide customer database and Enterprise Vault
information:
■ Name
Specifies a unique name for the customer.
■ VaultID
Identifies the journal vault that the customer uses. Leave blank to use all
Enterprise Vault Site Journal Vaults or obtain the ID by looking at the
property page for the journal vault in the Vault Administration Console.
■ Directory DNS alias
Specifies the DNS alias or server name of the Enterprise Vault Directory
Service computer.
■ Administrator User or Group
Specifies the Windows group or user account that has administration
permissions in the customer site.
■ Enable Customer tasks
When selected, enables users to perform activities in the Compliance
Accelerator Web interface. If you clear this check box, only automatic
tasks like scheduled searches are permissible.
■ IIS
This section enables you to specify details of the IIS server that is to host
the Compliance Accelerator site.
■ Virtual Directory
Specifies the unique name of the IIS virtual directory for this customer.
(A virtual directory is a directory that is not contained in the home
directory but appears to client browsers as though it were.) The name
must not include any of the following characters:
\ : * ? " < > |
■ IIS Server
Identifies the IIS server that is to host the Compliance Accelerator site.
■ Manage Virtual Directory
When selected, enables you to administer the virtual directory using the
Compliance Accelerator Web interface.
■ Database Details
This section enables you to specify details of the SQL Server database in
which to store Compliance Accelerator customer data.
■ SQL Server
Identifies the SQL Server on which the Compliance Accelerator database
is stored.
■ Database
Specifies the name of the Compliance Accelerator database.
■ Use Existing Database
When selected, instructs Compliance Accelerator to use the specified
existing database instead of creating a new one. If you choose this option,
the remaining fields in the page are unavailable.
■ Data file folder
Specifies a location for the database file. This should be a valid, existing
path on the SQL Server computer. It can be a local or network share path.
■ Log file folder
Specifies a location for the database log files. This should be a valid,
existing path on the SQL Server computer. It can be a local or network
share path.
■ Initial Database Size
Sets the initial size in megabytes of the Compliance Accelerator database
file. In the Growth % field at the right, you can specify, as a percentage
of the file size, the amount of space that is automatically added to the file
each time more is needed.
■ Initial Log Size
Sets the initial size in megabytes of the database log files. In the Growth
% field at the right, you can specify, as a percentage of the file size, the
amount of space that is automatically added to a file each time more is
needed.
■ Windows Authentication
Specifies whether to use a Microsoft Windows user account to connect to
the Compliance Accelerator database. If you clear this check box, then
you must set the SQL login name and password to use for the database
connection.
■ Connection Time Out
Specifies the amount of time in seconds to wait for connections to the
Compliance Accelerator database to complete before terminating the
attempt and generating an error.
■ Connection Life Time
Specifies the time in seconds that a connection to the Compliance
Accelerator database is considered valid. When the time has elapsed, the
connection is disposed of.
When a connection is returned to the pool, its creation time is compared
with the current time, and the connection is destroyed if that time span
exceeds the value specified by Connection Life Time. This is useful in
clustered configurations to force load balancing between a running server
and a server just brought online. A value of 0 causes pooled connections
to have the maximum connection timeout.
■ Max Pool Size
Specifies the maximum number of database connections that can be
simultaneously opened to the Compliance Accelerator database.
■ DSN
Specifies the full connection string, or Data Source Name (DSN), to use
when connecting to the Compliance Accelerator database.
5 After the configuration process has completed, restart the Enterprise Vault
Compliance Accelerator Manager Service when prompted and wait
approximately 10 seconds to ensure that all services have registered.
Note: To install the database files to a hidden share, the databases must first be
installed in a non-hidden share. The Enterprise Vault Compliance Accelerator
installer does not allow a database to be created in a hidden share (for example
D:\SQL$). However, Enterprise Vault Compliance Accelerator does function
correctly when using hidden shares. Use SQL Server to move the databases to a
hidden share after creation.
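The connection settings described in the list above (Windows Authentication, Connection Time Out, Connection Life Time, Max Pool Size, DSN) can be checked before they are entered. The following Python is an added example, not part of the Yellow Book or the product: it assumes the DSN value uses ADO.NET SqlClient keyword syntax, and the host, database and account names are constructed.

```python
# Added example: audit a SQL Server connection string before it goes into the DSN field.
# Assumption: ADO.NET SqlClient keyword syntax. Host, database and account names
# in the samples are constructed.

TRUE_VALUES = {"true", "yes", "sspi"}
NUMERIC_KEYS = ("connect timeout", "connection lifetime", "max pool size")

# SqlClient keyword synonyms, folded to one canonical name.
SYNONYMS = {
    "server": "data source",
    "database": "initial catalog",
    "trusted_connection": "integrated security",
    "uid": "user id",
    "pwd": "password",
    "connection timeout": "connect timeout",
    "timeout": "connect timeout",
    "load balance timeout": "connection lifetime",
}


def parse_connection_string(text):
    """Return {canonical keyword: value}; values may be single- or double-quoted."""
    settings, i, n = {}, 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq == -1:
            if text[i:].strip(" ;"):
                raise ValueError("text without '=': %r" % text[i:])
            break
        key = text[i:eq].strip(" ;").lower()
        if not key:
            raise ValueError("missing keyword before '=' at offset %d" % eq)
        j = eq + 1
        while j < n and text[j] == " ":
            j += 1
        if j < n and text[j] in "'\"":
            # Quoted value: may contain ';' and runs to the matching quote.
            close = text.find(text[j], j + 1)
            if close == -1:
                raise ValueError("unterminated quote in value of %r" % key)
            value, i = text[j + 1:close], close + 1
        else:
            end = text.find(";", j)
            end = n if end == -1 else end
            value, i = text[j:end].strip(), end + 1
        settings[SYNONYMS.get(key, key)] = value
    return settings


def audit(text, clustered=False):
    """Return a list of finding codes for one connection string (empty list = clean)."""
    s = parse_connection_string(text)
    findings = []
    integrated = s.get("integrated security", "false").lower() in TRUE_VALUES
    if not integrated:
        # Equivalent to clearing the Windows Authentication check box:
        # a SQL login name and password must then be supplied and stored.
        findings.append("sql-login")
    if "password" in s:
        # A password in the string is readable by anyone who can read the setting,
        # and SqlClient ignores it anyway when integrated security is on.
        findings.append("password-in-string")
    for key in NUMERIC_KEYS:
        if key in s and not s[key].isdigit():
            findings.append("not-a-number:" + key)
    lifetime = s.get("connection lifetime", "0")
    if clustered and lifetime.isdigit() and int(lifetime) == 0:
        # 0 means pooled connections are never retired by age, so a node that
        # just came online does not pick up its share of connections.
        findings.append("lifetime-zero")
    return findings


WEAK_DSN = ("Server=sqlhost01;Database=CAConfig;User ID=ca_app;"
            "Password=Example-Only-1;Max Pool Size=200")
HARDENED_DSN = ("Data Source=sqlhost01;Initial Catalog=CAConfig;"
                "Integrated Security=SSPI;Connect Timeout=30;"
                "Connection Lifetime=300;Max Pool Size=100")

if __name__ == "__main__":
    for name, dsn in (("weak", WEAK_DSN), ("hardened", HARDENED_DSN)):
        print(name, audit(dsn, clustered=True))
```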
Enterprise Vault Compliance Accelerator browser interface recommendations
When using the Enterprise Vault Compliance Accelerator browser interface, follow
these practices:
■ Use the links provided in the application to navigate from page to page instead
of using the Internet Explorer browser toolbar Back button, or the Backspace
or other shortcut keys. The bottom of each Enterprise Vault Compliance
Accelerator page contains a Close button for closing the page and returning
to the previous page.
■ To refresh the current Enterprise Vault Compliance Accelerator page,
right-click the page and then select Refresh from the context menu. You can
use the browser Refresh button or the application logo to open the Enterprise
Vault Compliance Accelerator home page.
■ Run the browser in full-screen mode. You can press the function key F11 to
toggle between the views.
■ A red exclamation mark on an Enterprise Vault Compliance Accelerator page
indicates an error or warning. To view the message, hold the cursor over the
exclamation mark.
■ If a pop-up blocker application is running, an Internet Explorer pop-up icon
may appear in the browser footer. Modify the settings, if necessary.
■ If a question mark appears over the Department name, note that the
administrator has not assigned a Department Reviewer.
If upgrading from Enterprise Vault 5.x, note that Department Reviewer is new
functionality; the administrator must add the role to the Departments task
after it has been created under the Roles tasks.
■ Use the tasks under the Application Administration column to add employees,
create departments and roles, and set up schedules for searches. Note that
Application Administration tasks are applied system-wide, and are not
restricted to a specific department.
■ Use the tasks in the Department Administration column to create a department
or department group, grant users access to a specific department group, assign
employees to be monitored, and select the monitoring policy with which
monitored employees must comply.
Best practices for customizing Enterprise Vault Discovery Accelerator
After Enterprise Vault Discovery Accelerator is installed and configured,
administrators can customize the Vault Store for their particular environments
by doing the following:
■ Creating roles, cases, and targets.
■ Creating site-specific marks (comments) to search archived data.
Users see only the departments, features and tasks for which they have
permissions, as defined by the Roles options. The user’s view can be changed by
assigning either a different role to the user or by changing the permissions
included in a role.
Administrative users perform the following functions:
■ Application administrators
Application administrators create roles, set up targets to be searched, and
establish the marks to be added as comments for each case. To perform
case-specific tasks, users with application roles need to be given a case role
for each case they need to access.
■ Case administrators
Case administrators have the ability to perform case-specific tasks in the Case
Administration and Review Messages columns on the home page.
It is recommended that at least one power user should exist to perform
troubleshooting. This user should have access to all the functions in Case
Administration and Application Administration. Symantec recommends that the
Vault Service account hold both permissions.
Creating roles, cases, and targets
The following tasks should be performed by users with the appropriate
administrative privileges:
■ Assign a role
After the Discovery database is created, the program returns to the Enterprise
Vault Discovery Accelerator home page. Application administrators can access
the Application Administration options page to create roles and cases. Roles
and cases must be created before searches can be performed.
■ Create or edit Scheme Templates
The Case administrator can create or edit existing Scheme Templates. Scheme
Templates provide a set of marks, or comments, that reviewers can apply to
any item discovered in a case. The templates are available to all cases. If a new
Scheme Template is created, the reviewer marks can be customized for a
particular organization, industry, or level of reviewer. Custom Scheme
Templates allow organizations to limit certain comments to certain reviewers,
based on level of authority. For example, a higher level of review comments
would be given to a member of the internal legal counsel team than to the
paralegal team.
To add any new mark to a customized template, the Application administrator
must create the marks using the Marks task option.
■ Select a Vault Store
Enterprise Vault Discovery Accelerator automatically synchronizes with the
Enterprise Vault server and displays all available Vault Stores that are on the
Enterprise Vault server. After a Vault Store is selected, the administrator can
enable the user mailbox to be searched.
Only Case administrators can override the existing Vault Stores used for a
specific search.
■ Create a target
Before beginning a search, administrators can establish which mailbox is the
target of the search, and designate targets or specific users for cases that will
be searched. Case Managers can create specific Target Groups by using the
Address Manager. Make sure to enter all the email addresses for a given user
to search, and separate each address with a carriage return.
A new Target Group can include all users from one or more departments, or
only specific users. For example, to create a Target Group that holds the entire
sales and marketing team, an administrator would first ensure that all sales
and marketing users are created as individual targets. Next, the administrator
would create a Target Group, and then add the mailboxes for the sales and
marketing team to the new Target Group.
After the targets are established, they are displayed under the Case
Administration column, but only if the login account being used has
permissions to view cases.
For more information about how to bulk-load or import data into Enterprise
Vault Discovery Accelerator, see the Enterprise Vault Discovery Accelerator
Installing and Configuring guide.
■ Create a case
A case is an organized search of large volumes of email in a selected Vault
Store. Multiple cases can be created by a Case administrator for a given piece
of mail with different markups and comments. Each case is maintained within
the specific case history. Once a case is created, it can be closed, but not deleted.
This allows an audit trail to be maintained. Only one case owner can be
assigned, but the case owner can be a group that has multiple users.
An existing Bates number can be assigned to the case by using the Size Export
ID field for tracking and search purposes. The output results can be stored to
a network share using \\my_computer\case. Alternatively, the results can be
stored to a local drive.
■ Use target shortcuts when creating a case
When creating a new case, if the name of the target or Target Group to be
searched is known, the administrator can type the shortcut (instead of
browsing the list), following these guidelines:
■ For targets, use the format T:<TargetName>.
■ For target groups, use the format TG:<TargetGroupName>.
■ For example, to search through all mail for a group called Executives, type
TG:Executives.
■ To enter multiple targets, separate each line with a carriage return.
■ If desired, enter only part of an address or display name, for example, User1.
A wildcard can be used to denote part of the search term, for example, Use*.
Note that three characters must precede the wildcard character.
■ If a target in the address book is referenced, the display name must be
preceded by T:. Do not include wildcard characters in an address book
reference.
■ Add user roles
After a case is created, a Case administrator can add a user from the Case
Administration column to define users and roles. After the user is added to
the case, the administrator can apply specific marks for the user to the case.
Creating searches
The following tasks relate to searches:
■ Create a search
Enterprise Vault archives copies of inbound and outbound messages and
documents so that all copies can be searched. To create a search, from the Case
Administrator column, select any case created earlier, then select Options >
Searches.
New searches can be created that contain key words or phrases, specific data
that was sent between individuals, or data sent within a date range. Completed
searches cannot be deleted or re-executed. However, once a search is saved,
it can be used as a template for subsequent searches. If a search is in progress,
it can be stopped before it is complete to change the search criteria.
Note: Do not enable Auto Accept on any search that will not be permanently
saved. When this option is disabled, the administrator will have to manually
accept or reject the search results. After the administrator chooses to accept
a search, the search is permanently stored in the Enterprise Vault Discovery
Accelerator database.
Type the keyword or phrase to be searched in the Contents field. Separate each
line by a carriage return.
When creating a search, a display name can be used for the target. For example,
in addition to the full email address name of [email protected], a shorter
version, User1, can also be queried and discovered during a search. The
following search specification rules apply:
■ Selecting Any of in the drop-down menu allows a search for messages to
or from any of the targets that are entered.
■ Selecting All of in the drop-down menu means search for messages with
all of the words or phrases in the subject line.
■ To search for messages with specific text in the subject line, enter the words
or phrases in the Subject box. Enter one word or phrase per line. The
wildcard character * can be used to denote one or more characters, but it
must be preceded by at least three characters.
■ Selecting Any of in the drop-down box means search for messages with
any of the words or phrases in the subject line.
■ Selecting All of means search for messages with all of the words or phrases
in the subject line.
■ Selecting Any of in the small drop-down box means search for items with
any of the words or phrases in the content.
■ Selecting All of means search for items with all of the words or phrases in
the content.
■ There may be additional criteria boxes if the administrator has added
custom search attributes to the system.
■ Accept or reject search
The search provides the administrator with data to review. The administrator
can then accept or reject the search. Accepting the search allows the
administrator to send it to a reviewer and permanently store it in the Enterprise
Vault Discovery Accelerator database. Rejecting the search deletes it, so that
it does not get stored in the Enterprise Vault Discovery Accelerator database.
■ Assign review marks
Once a search result returns data that is of interest, and the search is accepted,
comments called marks can be added to the searches to indicate progress. New
custom, site-specific marks can be created under the Application
Administration column. Marks can be used to inform reviewers or supervisors
that a case is unreviewed, pending review, already questioned by appropriate
legal teams, reviewed by appropriate legal teams, and so on.
■ Review and apply comments to messages
Once a search has been accepted, reviewers can access the appropriate case
from the Review Message column of Enterprise Vault Discovery Accelerator.
Once in the case, the status of the work can be seen, and items can be selected
to work on, such as current status, last marked by or Item ID. When a reviewer
adds a comment to a case or email, the comment attaches itself to the original
email, but it does not alter the email, thus preserving the integrity of the
document. All comments applied to a case are permanent.
■ Export findings
After all items for a case have been reviewed and are ready to be sent to the
appropriate parties, for example, the legal team, human resources department,
or third-party reviewer, the case administrator can create a New Run from the
Production task to format the findings in PST, MSG or HTML format. If
exporting to PST files, the file can be password-protected, and the maximum
size of the PST file specified. Exporting to a PST file can be time-consuming.
However, saving the file to a directory on the local computer speeds the process.
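The shortcut and wildcard rules above (T: and TG: references when creating a case, and the three-character rule for wildcards in search terms) can be checked before a list is pasted into the form. The following Python is an added example, not part of the Yellow Book or the product: the function names and sample entries are hypothetical, and it assumes the three characters must sit in the same word as the wildcard.

```python
# Added example: validate target shortcuts and search terms, one entry per line.
# The rules are the ones listed on this page; the sample input is constructed.
import re

MIN_PREFIX = 3  # characters that must precede the wildcard character


def bad_wildcards(text):
    """Offsets of '*' not preceded by MIN_PREFIX non-space, non-wildcard characters."""
    bad = []
    for pos, ch in enumerate(text):
        if ch != "*":
            continue
        prefix = text[max(0, pos - MIN_PREFIX):pos]
        # Assumption: the preceding characters must belong to the same word.
        if len(prefix) < MIN_PREFIX or re.search(r"[\s*]", prefix):
            bad.append(pos)
    return bad


def parse_entry(line):
    """Classify one line and collect rule violations."""
    line = line.strip()
    if line.startswith("TG:"):
        kind, value = "target-group", line[3:].strip()
    elif line.startswith("T:"):
        kind, value = "target", line[2:].strip()
    else:
        kind, value = "term", line
    errors = []
    if not value:
        errors.append("empty name")
    if kind == "target" and "*" in value:
        # Address book references must not contain wildcard characters.
        errors.append("wildcard in address book reference")
    elif kind == "term" and bad_wildcards(value):
        errors.append("wildcard needs %d preceding characters" % MIN_PREFIX)
    # The page states no wildcard rule for TG: names, so none is applied here.
    return {"kind": kind, "value": value, "errors": errors}


def validate_field(text):
    """Validate a multi-line field; entries are separated by line breaks."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


# Constructed sample: what an administrator might paste into the targets box.
SAMPLE = "TG:Executives\r\nT:User One\r\nT:Use*\r\nUse*\r\nUs*\r\nproj* budget\r\n"

if __name__ == "__main__":
    for entry in validate_field(SAMPLE):
        status = "; ".join(entry["errors"]) or "ok"
        print("%-12s %-14s %s" % (entry["kind"], entry["value"], status))
```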
Best practices for customizing Enterprise Vault Compliance Accelerator
After Enterprise Vault Compliance Accelerator has been installed and configured,
search configuration data can be set up. Roles and role assignments, employees
and groups, permissions and departments must be created in order to search
archived data. Users can only see the departments, features, and tasks that they
have permission to access, as defined by the Roles options. User views can be
changed by assigning a different role to the user, or changing the permissions
included in a role.
The following tasks relating to creating roles, groups, and departments should
be performed by users with the appropriate privileges:
■ Create roles
The Enterprise Vault Compliance Accelerator administrator must create and
assign roles to the users of the application. Application permissions or
department permissions can be assigned to a specific role. To perform tasks
in a specific department, employees with application roles must also be assigned
the appropriate department role in that department. To perform tasks in more
than one department, they must be assigned the role in each department that
they need to access.
For more information on adding and modifying roles, see the Enterprise Vault
Compliance Accelerator Installing and Configuring guide.
■ Create employee groups
To create employee groups, a user must be an Application administrator. To
create searchable employee groups more efficiently, the Automatically
synchronize group members option should be enabled.
Once an employee has been selected for monitoring, the employee cannot be
deleted from Enterprise Vault Compliance Accelerator. If the monitored
employee leaves the company, select Suspend all monitoring on the Employee
properties page to disable all monitoring for the employee.
The following methods can be used to synchronize group members:
■ Active Directory search (LDAP filter)
The Active Directory search is the most time-consuming method because it
can only be run against user objects. Make sure to type the LDAP path
correctly. If the synchronization process has begun, exit the Enterprise
Vault Compliance Accelerator application to stop the synchronization
search and correct any mistakes. Use the ADSI Edit tool to verify the
ADsPath of a container. Do not modify any attributes of the Active Directory
objects when viewing the ADsPath of the container with the ADSI Edit tool.
For example:
Search Filter: (&(objectCategory=person)(department=Marketing))
Search Root: LDAP://ou=users,dc=mydomain,dc=com
■ Active Directory Container (LDAP Search)
In the ADsPath field, provide the Distinguished Name of the Active
Directory container that holds the users to add to the group. All users in
the container will be added to the group. If the organization is organized
by cities and the created groups are named after cities, look for the object
with a city name, for example, Redmond.
ADsPath: LDAP://ou=users,dc=mydomain,dc=com
■ Windows Group import
This is generally the fastest way to create employee groups, provided that
the environment is configured to use groups.
Example: Group Name: MyDomain\GroupName
After an import option has been selected, click Synchronize Now.
Synchronization of the employees and groups occurs on a four-hour schedule
(see example, below), or every time the service is restarted. Both are
configurable in the ComplianceService.exe.config file. Do not set the
synchronization interval shorter than the time a synchronization run takes.
For example, if synchronization takes more than two hours, do not reconfigure
Enterprise Vault Compliance Accelerator to sync every hour.
<add key="Synchronization interval (hours)" value="4" />
Employee Management profiles for members are created automatically if they
do not exist at the time of Employee Group creation. If an existing group
member is no longer found on a subsequent synchronization run, the employee
profile will be removed from the list of members. Also, employees can be
manually added at the Employee task option.
In the Employee profile\Email Addresses field, verify that all variations of a
user’s mailbox addresses are provided. Use carriage returns to separate each
new address.
One example is as follows: The legal department makes a request to the human
resources department, informing them that [email protected] has been
sending emails with proprietary information to a competitive company. Human
resources wants to monitor email from User1 for a specified period by
using the Enterprise Vault Compliance Accelerator scheduled search. The
Enterprise Vault Compliance Accelerator searches are enabled to locate all
email addressees for User1 as well as any outbound emails to
CompetitiveDomain.Com. All variations of the User1 email address should be
created as a searchable item in order to ensure discovery of violations of
company policy. For example:
■ Create departments
The administrator can search archives and monitor employees once department
groups and employee groups have been created. Department employees can
be monitored by using the Journaling Connector or by running searches that
meet specific criteria. While setting up a department, a monitoring policy can
be created for all monitored employees in a department. This is done by
enabling the policy to capture a percentage of Message Type and Review
Requirements options.
Each department must be given an owner. The owner must have a Windows
login, but does not need special Windows or Enterprise Vault Compliance
Accelerator system privileges. Symantec recommends setting the Vault Service
account as the owner of the department in case an administrator needs to
connect to the system to troubleshoot problems. The department owner has
the same permissions that the User Admin role is granted. By default, all
departments use the Vault Store selected at configuration. However, the
administrator can customize the Vault selections. If searches are returning
empty when known data exists for a user, verify that the correct department
Vault Store has been searched. If the Vault Store must be changed, enable the
Customize for this Department option, and then choose the correct Vault Store.
Change the location of the Output folder for exported items to a local computer
or a network share.
Note: If the organization has a legal requirement to monitor a certain
percentage of messages per employee, setting a limit for the Review
Requirement option of the Monitoring Policy may prevent the requirement
from being met.
■ Configure departments
After the Application administrator has created a department, the Department
administrators can configure the departments by adding specific employees
or employee groups as monitored employees. To do this, open the specific
department to be configured and click the Monitored Employees option. Add
monitored employees by name or by a configured Employee Group. Only
previously configured Employee Groups and Employees can be selected.
■ Configure searches
Searches can be scheduled and run by one or more departments. Searches can
be done at the application administration or department administration level.
If the Search option does not appear in the Department Application tasks,
verify that the owner has permission to run searches under the Roles tasks.
The sampling percentage for the configured Monitoring Policy will default to
the existing department properties. Search results that occurred in prior
searches can be captured by enabling Include Captured Messages.
■ Accept or reject search results
Leave the Automatically accept results option disabled unless all searches
should be saved automatically into Enterprise Vault Compliance Accelerator.
After a search is accepted or the search results screen is closed, Enterprise
Vault Compliance Accelerator stores the search for auditing purposes, and it
can no longer be removed. Any accepted search is stored in Enterprise Vault
Compliance Accelerator and can be used for future searches as a template.
The percentage searched of the item being searched is derived from the
Department properties page.
When auto accept is disabled, the administrator must reject a search to keep
it from being stored in the Enterprise Vault Compliance Accelerator database.
When the results of a finished search are rejected, the search is deleted.
■ Search departments
When creating department searches, the Any of value under Authors &
Recipients means that messages for any of the employees in the selected
department are searched. The All of value means that only messages that
include as recipients all the employees in the selected department are searched.
When searching by departments, increase the performance and accuracy by
using the Journal Connection option.
For more information on searching with department tags, see the Enterprise
Vault Compliance Accelerator Installing and Configuring guide.
A department in partitions can only search messages to and from other
departments if both departments reside within the same partitions.
■ Schedule searches
Use Enterprise Vault Compliance Accelerator to search Vault Stores on a set
time schedule. The SQL Agent must be enabled. Symantec recommends that
the Agent is set to automatically start.
■ Review searches
During the search process, Search Details can be expanded to see the percentage
searched, number of hits discovered for that particular searched item, and so
on. After the search is completed, the Reviewer column can be checked from
the Enterprise Vault Compliance Accelerator home page to review any
discovered data. From the review menu, administrators can modify the review
criteria, download the original message to a MSG format file, and print the
message, attachments, and comment history.
Any comments added to the search will be stored in the Enterprise Vault
Compliance Accelerator database and remain as part of the permanent vaulted
message. Enterprise Vault Compliance Accelerator comes with six default
review statuses; however, the administrator can add different marks as needed.
■ Create exception employees
There may be occasions when content from the executive team could contain
sensitive data. In this case, Enterprise Vault Compliance Accelerator can be
enabled to use exceptions when administrators are reviewing search results.
For example, using Exceptions, a Tier-1 reviewer may be limited from accessing
data generated by Executive Employee Groups or Senior Management
Departments. However, access to this sensitive data can be given to a Tier-3
reviewer who has the appropriate authority. Exception employees can be
created and managed using the Department Explorer view or Exceptions Task
links.
For more information on customizing Exceptions Task links, see the Enterprise
Vault Compliance Accelerator Installing and Configuring guide.
Configuring searches
Searches can be scheduled and run by one or more departments. Searches can be
done at the application administration or department administration level. If the
Search option does not appear in the Department Application tasks, verify that
the owner has permission to run searches under the Roles tasks. The sampling
percentage for the configured Monitoring Policy will default to the existing
department properties. Search results that occurred in prior searches can be
captured by enabling Include Captured Messages.
The following are guidelines for defining and utilizing searches:
■ Search departments
When creating department searches, the Any of value under Authors &
Recipients means that messages for any of the employees in the selected
department are searched. The All of value means that only messages that
include as recipients all the employees in the selected department are searched.
When searching by departments, increase the performance and accuracy by
using the Journal Connection option.
For more information on searching with department tags, see the Enterprise
Vault Compliance Accelerator 6.0 - Installing and Configuring guide. A
department in partitions can only search messages to and from other
departments if both departments reside within the same partitions.
■ Accept or reject search results
Leave the Automatically accept results option disabled unless all searches
should be saved automatically into Enterprise Vault Compliance Accelerator.
After a search is accepted or the search results window is closed, Enterprise
Vault Compliance Accelerator stores the search for auditing purposes, and it
can no longer be removed. Any accepted search is stored in Enterprise Vault
Compliance Accelerator and can be used as a template for future searches.
The percentage searched of the item being searched is derived from the
Department properties page.
When auto accept is disabled, the administrator must reject a search to keep
it from being stored in the Enterprise Vault Compliance Accelerator database.
When the results of a finished search are rejected, the search is deleted.
■ Schedule searches
Use Enterprise Vault Compliance Accelerator to search Vault Stores on a set
time schedule. The SQL Agent must be enabled. Symantec recommends that
the Agent is set to automatically start.
■ Review searches
During the search process, Search Details can be expanded to see the percentage
searched, number of hits for a specific search request, and other information.
After the search is completed, the Reviewer column can be checked from the
Enterprise Vault Compliance Accelerator home page to view any discovered
data. From the Review menu, administrators can modify the review criteria,
download the original message to a MSG format file, and print the message,
attachments, and comment history.
Any comments added to the search will be stored in the Enterprise Vault
Compliance Accelerator database and remain with the archived message
permanently. Enterprise Vault Compliance Accelerator comes with six review
status options; however, the administrator can add new status marks as needed.
■ Create search exceptions
There may be occasions when search results contain sensitive material from
an unintended source, for example, from executive management. In this case,
Enterprise Vault Compliance Accelerator can implement exceptions when
administrators are reviewing search results. For example, using exceptions,
a Tier-1 reviewer can be restricted from accessing data generated by executive
employee groups or senior management departments. Review access to
sensitive data can be given to a Tier-3 reviewer who has the appropriate
authority. Exception employees can be created and managed using the
Department Explorer view or Exceptions Task links.
For more information on customizing Exceptions Task links, see the Enterprise
Vault Compliance Accelerator 6.0 - Installing and Configuring guide.
Best practices for upgrading Enterprise Vault Compliance Accelerator
This section describes how to upgrade an existing installation of Enterprise Vault
Compliance Accelerator 5.0 or 5.1 to version 6.0 or change the installation to
include the Journaling Connector. If upgrading, you must upgrade both the main
Compliance Accelerator components and any instances of the Journaling
Connector.
For more information on upgrading Enterprise Vault Compliance Accelerator,
see the Enterprise Vault Compliance Accelerator 6.0 Installing and Configuring
guide.
Note: It is not possible to upgrade an Enterprise Vault Compliance Accelerator
1.5 installation to Enterprise Vault Compliance Accelerator 6.0.
The Journaling Connector can be used to improve the performance and accuracy
of searches that are run against messages to or from all members of a specific
department. If the Compliance Accelerator was installed without the Journaling
Connector, the Journaling Connector can be installed later by following the steps
below.
To add the Journaling Connector
1 Log on as the Vault Service account and verify the IIS worker process has
write access to the Enterprise Vault Compliance Accelerator installation
folder.
2 Open the Control Panel and double-click Add/Remove Programs.
3 Select Enterprise Vault Compliance Accelerator and select Change/Remove.
4 Select the Modify option and click Next.
5 In the component selection window ensure that both the Enterprise Vault
Compliance Accelerator and Journaling Connector check boxes are selected.
There must be an Enterprise Vault Journaling Service installed for the
Journaling Connector option to be displayed.
6 Click Next, and then follow the on-screen instructions.
Upgrading Enterprise Vault Compliance Accelerator
An upgrade can be performed from an existing installation of Enterprise Vault
Compliance Accelerator 5.0. If the Journaling Connector is installed, it must be
upgraded as well. Back up the existing SQL Enterprise Vault Compliance
Accelerator database and the configuration files in the installed directory before
beginning the update process.
To upgrade Enterprise Vault Compliance Accelerator
1 Log on as the Vault Service account and verify the IIS worker process has
Write access to the Enterprise Vault Compliance Accelerator installation
folder.
2 In Control Panel, double-click the Administrative Tools applet, and then
double-click Services.
3 Stop the Enterprise Vault Compliance Accelerator Service.
4 Run the Compliance Accelerator installation program (\Compliance
Accelerator\Setup.exe).
5 Follow the prompts in the installation wizard for the new version.
6 In a Web browser, open the Enterprise Vault Compliance Accelerator home
page.
7 Click Update. After the update process, the existing Enterprise Vault
Compliance Accelerator database will be updated and the Update in progress
page is displayed. The browser window can be closed while the update is in
progress.
8 Select a Department Reviewer role for the new Department Explorer feature.
If you want to use an existing reviewer role for department reviewers, select
Use existing role.
Note: The Department Reviewer role cannot be renamed or deleted after the
upgrade. For more information on upgrading Enterprise Vault Compliance
Accelerator, see the Enterprise Vault Compliance Accelerator 6.0 Installing
and Configuring Guide.
9 Start a new Enterprise Vault Compliance Accelerator browser session, and
click Update. A message reports when the update is complete.
Note: If you close the browser window while the upgrade is in progress, the
next time you start a Compliance Accelerator browser session, you must click
Update again. A message will indicate whether the update has completed or
is still in progress. If an error occurs during the update, make a note of the
problem indicated in the message and then click Retry to restart the update.
When the upgrade has finished, do not click OK yet.
10 After the update status displays, restart the Enterprise Vault Compliance
Accelerator Service, and then click OK. You should see all the tasks that the
login is permitted to access.
Best practices for Enterprise Vault Compliance Accelerator backup and recovery
If a disaster recovery of Enterprise Vault Compliance Accelerator must be
performed, Enterprise Vault Compliance Accelerator must be reinstalled and then
pointed to an existing backup of the database.
To prepare for an Enterprise Vault Compliance Accelerator recovery, the
administrator should have backups of the following Enterprise Vault Compliance
Accelerator configuration files and databases:
■ Enterprise Vault Compliance Accelerator SQL database
■ The configuration files in the KVS\Business Accelerator - Compliance folder,
except for the Compliance Accelerator license file.
The backups/copies should be stored in a different location than the installed
files.
To recover Enterprise Vault Compliance Accelerator
1 Uninstall Enterprise Vault Compliance Accelerator, removing all files.
2 Re-install the product on the server.
3 Replace the newly installed configuration files directory with the saved copy,
excepting the license file.
4 Restart the Enterprise Vault Compliance Accelerator Service and verify a
connection to the correct database.
5 Wait 10 seconds before restarting the service.
Chapter 11: Minimizing time and risk in Exchange migrations
This chapter includes the following topics:
■ Overview of Exchange migration issues
■ Benefits of using the Symantec solution to manage Exchange migrations
■ Using Enterprise Vault in the migration process
■ Recommendations for migration
Overview of Exchange migration issues
Many companies today face the challenge of replacing a legacy mail system with
Microsoft® Exchange, or upgrading an older version of Exchange. Whatever the
reason for migrating to Exchange 2003, the migration process can require
considerable time and cost in resources.
Reducing the risk associated with migrating a business-critical application is of
paramount importance. For email migration, the major areas of risk that need to
be considered and managed include the following:
■ The migration of data
■ The value of that data to the business
■ The potential downtime of the core email business system should something
go wrong
The time, effort, and cost associated with a migration project are in proportion to
the amount of email that must be migrated. Focusing on reducing the physical
volume of data to be migrated reduces the overall risk and minimizes the
coexistence time, which in itself is a major load on administration and support
resources.
When migrating from a legacy email system, the following items must be
considered:
■ Mailbox profile
■ Mailbox content
■ Personal folder content
■ Public folder content
■ Address books, both personal and corporate
While the overall migration is typically managed through the use of standard
Microsoft Exchange or third-party migration tools, nearly all of these tools have
an unwanted impact on storage. Migration scenarios usually involve running
parallel mailboxes in the legacy system and in Exchange 2003, which doubles the
email storage required for the duration of the migration.
Even after the completion of the migration, the amount of storage consumed is
likely to be significantly higher as a result of the loss of single-instance, or
rationalized, message storage, where shared messages and attachments are stored
only once per Exchange server. Single-instance storage uses the unique
MESSAGE-ID of each message, and the migration process must leave MESSAGE-IDs
intact and in context in order to maintain single-instance storage.
Migration tools operate on a MAPI basis, with no provision for single-instance
storage, which is usually provided through the Exchange Message Transfer Agent (MTA).
In effect, every migrated message becomes unique, and the new email environment
consumes more email storage space, in some cases two to three times more than
the originating mail system. The impact on storage space of the loss of
single-instance storage depends in part on the size of the organization. The larger
the organization, the less likely it is that groups of mail users who have common
mail threads and attachments will all reside on the same server.
This issue is well documented by Microsoft and experts in the field of migration,
as outlined in the following article:
http://www.windowsitpro.com/Articles/ArticleID/23819/23819.html
There is no way to avoid this problem when using Microsoft tools to migrate from
a non-Exchange system to Exchange. When migrating Exchange versions, the
only method of mitigation is to perform an in-place upgrade of the existing system.
This method requires system downtime, and all mailboxes must be converted at
once—a high-risk approach when compared to a phased approach. Should anything
go wrong, the whole process must be abandoned and the entire system reinstated.
Throughout the migration process, it is important to consider the needs of
end-users. Ideally, users should have uninterrupted access to the mail system,
complete access to their personal email knowledge base, and a single point of
access with no need to run parallel systems.
The aim of any migration or upgrade is to deliver the benefits of the new
technology without introducing undue risk and ongoing costs.
To provide a solid foundation for successful deployment of new technology, the
following core principles should be addressed:
■ Controlling storage
■ Reducing administration resources
■ Maintaining end-user transparency
Benefits of using the Symantec solution to manage Exchange migrations
Whether an organization is upgrading Exchange or migrating to Exchange from
an alternate mail environment, the Symantec solution can help minimize storage
costs and migration time and reduce project risk.
In a typical Exchange migration, moving mailbox content is the area where
Symantec adds the most benefit. In addition, Symantec reduces mail storage needs
on an ongoing basis after migration to the new Exchange environment.
By deploying Enterprise Vault, an organization can minimize the amount of email
to be moved before migration. Specifically, Enterprise Vault can be used to reduce
the size of the Exchange message store by 50 percent or more by moving older
items out into a separate Enterprise Vault repository. This repository is Exchange
version–independent and has its own single-instance and compression methods
for storage.
Once in Enterprise Vault, data does not need to be converted when the organization
moves to Exchange 2003. Data remains accessible to the user, and if required, can
be restored to Exchange in the correct native format.
Note: Enterprise Vault does not perform the actual Exchange Server migration.
Rather, it reduces the amount of data that must be moved when an Exchange
migration takes place.
Using Enterprise Vault in the migration process
The following describes possible approaches to an Enterprise Vault–assisted
migration:
■ Migrate without moving mailbox content: This approach uses Enterprise Vault
in both the source environment and the target environment. All content from
the source environment is archived.
See “Migrating without moving mailbox content” on page 264.
■ Minimize mailbox content to be moved during migration: This approach uses
Enterprise Vault in both the source environment and the target environment.
From the source environment, only content that meets specified criteria, such
as age, is archived. Mailboxes and public folders are migrated.
See “Minimizing mailbox content to be moved” on page 265.
■ Migrate all mailbox content: This approach is applicable when Exchange
migration is already in progress or when content is being migrated from a
non-Exchange legacy mail system. It uses Enterprise Vault in the target
environment only. Migrated content is consolidated in the target environment.
See “Protecting the investment in Exchange 2003” on page 267.
■ Reduce the size of email storage after migration: This approach is applicable
when Exchange migration is already complete. Enterprise Vault is deployed in
a standalone Exchange environment with no further migration requirements.
Size of the Exchange databases is reduced and controlled.
See “Application after migration” on page 269.
The choice of approach is dependent on the status of an organization’s Exchange
migration and on overall email storage needs and goals.
Migrating without moving mailbox content
When migrating Exchange, Enterprise Vault can archive all existing mailbox
content without migrating it to the new environment. The migration effort is
reduced to migrating personal address books and mailbox profiles.
This approach realizes a significant reduction in time, effort, risk, and cost during
a migration project. Cost savings are achieved as end-users maintain ongoing
access to historical mail without the need to move that mail into the new Exchange
environment.
Figure 11-1 shows the migration approach in which email is archived rather than
migrated.
Figure 11-1 Migrate without moving mailbox content
This approach is implemented as follows:
■ All mailbox content and PSTs from the source environment are archived.
Mailbox profiles and address books are migrated to the target environment.
(1)
■ Archived mailbox and PST content is accessed from the target environment
by using Enterprise Vault’s Archive Explorer™. (2)
■ Public folders in the target environment are archived on an ongoing basis. (3)
Minimizing mailbox content to be moved
Enterprise Vault is most commonly used to minimize the amount of mailbox
content that is physically migrated across the two environments. This approach
represents a significant reduction in time, effort, risk, and cost.
In this scenario Enterprise Vault is used before migration to aggressively archive
content from the mailbox into the Enterprise Vault repository. Either all content
or a percentage of content is archived from the source environment and replaced
with shortcut links in the mailboxes and public folders in the new Exchange
environment. The data migration effort is then focused on moving the residual
shortcuts and the remaining content.
A common approach is to archive content older than 30 days. Residual shortcuts
are left behind for all the archived content, or for a portion of it, for example,
content up to a year old. Such policies can reduce the source mailbox and public
folder content by up to 80 percent.
This action significantly reduces the data migration effort, while maintaining
seamless access from the target mailboxes to content archived from the source
environment.
Figure 11-2 depicts Enterprise Vault being deployed in both the source
environment and target environment to minimize the content migration effort.
Figure 11-2 Minimize mailbox content to be moved during migration
This approach is implemented as follows:
■ Archive a percentage of content from the source environment based on age
or mailbox quota. Archive all PST files from the source environment. (1)
■ Migrate mailbox profiles, residual content, archive shortcuts, and address
books to the target environment. (2)
■ Provide access to archived mailbox, public folder and PST content via
Enterprise Vault shortcuts created in mailboxes and via Enterprise Vault’s
Archive Explorer™. (3)
■ Deploy ongoing archiving in the target environment, with access to archived
content via both Archive Explorer and shortcuts in mailboxes. (4)
Protecting the investment in Exchange 2003
When a company has already begun an Exchange migration project or is migrating
content from legacy mail systems, it may not be possible or appropriate to
introduce a new technology into the legacy environment. In this case, Enterprise
Vault can be introduced solely into the Exchange 2003 environment to ensure
best-practice mailbox management from day one.
Although this approach does not reduce the amount of time taken to perform the
migration, it does minimize the risk associated with migration and the storage
costs associated with managing the migrated content.
Enterprise Vault can be used to minimize the impact of migrated data that is
taking up more physical storage than necessary because single-instancing has
been lost. Enterprise Vault can reduce the physical requirements for storage
through archiving as well as recreating lost single-instance storage. The process
is seamless to users, who have their original items replaced with shortcuts.
Exchange 2003 adopts a storage group model that allows mailboxes and content
to be organized more efficiently within an Exchange site. To optimize the migration
process and ensure that migrated mailboxes experience the least fragmentation,
Symantec recommends maintaining a transitory storage group into which
mailboxes are migrated.
Enterprise Vault can be configured to constantly and aggressively archive from
these mailboxes according to a defined business policy. The archiving services
can be scheduled to run, ideally, every 15 minutes during the migration to archive
content rapidly into the target environment as it arrives from the Exchange
migration wizards. Shortcuts then replace the original items. After a mailbox has
been migrated, the resultant archived mailbox is transferred to the target storage
group, where it is consolidated and any fragmentation eliminated.
The migration of PST files can be undertaken independently of the mailbox
migration, thereby mitigating a significant risk to the project. Additionally,
the need to populate the new target mailboxes with residual shortcuts for the
migrated PST content can be avoided by using Enterprise Vault’s Web-based
Archive Explorer.
Figure 11-3 depicts a scenario in which the data migration is underway prior to
the introduction of Enterprise Vault. Consequently, Enterprise Vault is deployed
only in the target environment.
Figure 11-3 Migrate all mailbox content
This approach is implemented as follows:
■ Migrate mailbox profiles, mailbox and public folder content, and address books
from the originating Exchange system or legacy mail system to the transitory
storage group in the target Exchange environment, using the Microsoft
migration wizards or similar tools. (1)
■ Archive all PST files from the source environment to the archive deployed in
the current environment. SID history is required to map permissions.
Aggressively archive content from mailboxes and public folders in the
transitory storage group until archiving thresholds are reached. (2)
■ Move the archived mailboxes and public folders into the target storage group
for fragmentation elimination and storage consolidation. (3)
■ Provide access to archived mailbox and PST content via Enterprise Vault
shortcuts created in mailboxes and also via Enterprise Vault’s Archive Explorer.
(4)
■ Deploy ongoing archiving in the target environment, with access to archived
content via both Archive Explorer and shortcuts in mailboxes. (5)
Application after migration
Enterprise Vault can help in instances where an organization has already
completed the Exchange migration and, as a result, large private and public
databases are negatively affecting backup and recovery times.
In this case, the primary concern is to reduce the size of the Exchange databases
quickly and to cap them if necessary to control growth. The goal is to provide a
defined service level agreement (SLA) on Exchange, a predictable backup and
recovery strategy, and ongoing reductions in associated storage costs.
Mailbox quotas may be used to cap mailbox sizes, but this approach is highly
intrusive for the end-user and may result in corporate records being lost. The
introduction of an archiving policy that works together with a mailbox quota
provides the ability to control Exchange growth. This policy is non-intrusive to
the end user, preserving long-term access to important Exchange content.
Archiving policy, following this model, might constrain mailbox sizes by archiving
at 75 percent of a mailbox quota of 100 MB, thus effectively capping Exchange to
75 MB multiplied by the number of mailboxes, with an effective mailbox size
governed by the amount of storage allocated to a mailbox archive.
As with the other migration scenarios, migration of PST files can be treated as a
separate project, and can be undertaken independently of the archiving of
mailboxes to reduce the risk and cost of storage.
Figure 11-4 shows a scenario where Enterprise Vault is effectively deployed into
a standalone Exchange implementation with no mailbox migration requirements.
Figure 11-4 Reduce the size of email storage after migration
This approach is implemented as follows:
■ Mailbox content has already been migrated to the target environment. (1)
■ Archive all PST files from the source environment to the archive deployed in
the current environment. SID history is required to map permissions. (2)
Initially, content from mailboxes and public folders in the target environment
should be archived aggressively until the quota archiving thresholds are
reached. Subsequently, ongoing archiving in the target environment should
be done on a nightly schedule, with access to archived content via both Archive
Explorer and shortcuts in mailboxes.
■ Provide access to archived mailbox and PST content via Enterprise Vault
shortcuts created in mailboxes and via Archive Explorer. (3)
Recommendations for migration
Successful and painless migration to Exchange 2003 depends on many factors,
and is never entirely risk-free. Using Enterprise Vault to assist in the management
of Exchange content can be a critical success factor by reducing the risks associated
with storage and administration overhead and by providing end-user transparency.
The approach to use for Enterprise Vault–assisted Exchange migration depends
on the following factors:
■ Perception of the risk inherent in the migration project
■ Current status of the migration project
■ Availability of storage to address migrated mail content
■ Availability of backup technology to address migrated mail content
■ Time available to perform the migration
■ Resources and software tools available to perform the migration
In a normal migration scenario, where Symantec becomes involved early in the
planning of a migration project, the benefits of Enterprise Vault are easily justified
in terms of project time, storage and resource cost-savings, and a general reduction
in overall project risk. The later Symantec is engaged in a migration project, the
more Enterprise Vault’s benefits are focused on storage cost-savings.
PST file migration
Regardless of the stage of a migration project, PST file migration always benefits
significantly from the use of Enterprise Vault. Symantec understands very well
the pain that PST files cause organizations. By using a proven Exchange modeling
and ROI process, Symantec can justify the use of its technology on the basis of
the risk mitigation, cost and time savings resulting from the migration,
repatriation, and consolidation of PST file content into an archive that is
seamlessly accessible by Windows® users.
Enterprise Vault provides the following tools for migrating (importing) the
contents of PST files to archives:
■ Locate and Migrate — This locates PST files on users’ computers, copies them
to a central location, and then migrates them.
■ Client-Driven Migration — This uses the Locate and Migrate tool, but finding
PST files and sending them to a PST collection area is performed automatically
by the user’s computer, instead of by the Enterprise Vault Server Tasks. This
can be useful in the following cases:
■ You do not have permission to access PST files on the user’s computer.
■ The user’s computer is available on the network only occasionally.
For example, a user with a laptop computer who visits the office on one
day each week.
■ Scripted migration using Policy Manager — This is ideal for performing bulk
migrations of PST files, but you need to collect the PST files in a central
location.
■ PST Migrator wizard-assisted migration — If you have a small number of PST
files, this provides a quick and easy way of migrating them to Enterprise Vault.
If more items continue to be stored in the PST files after migration, you will need to
perform repeated migrations in order to archive the new items, which is probably not
what you want to do. If you attempt to migrate thousands of PST files at the same
time, the migration can take a long time to run. The time taken will be roughly
comparable to the amount of time your Enterprise Vault system would take to
archive the same amount of data from mailboxes. Symantec recommends that
you experiment by migrating a few PST files and then gradually increase the
numbers that you work with.
PST migration tips
The following are useful tips and guidelines for migrating PST files:
■ Unless you have only a few PST files to migrate, Locate and Migrate is likely
to require the least effort. If the end-user population is very mobile, then the
Client-Driven Migration variation will be most beneficial.
■ Migrate a few PST files and then, when you are familiar with the process,
increase the numbers.
■ Migration is much easier if you have PST files in only a few locations, rather
than in many.
■ Ensure that the appropriate permissions exist on the PST files before running
PST Migrator, otherwise the process will fail.
■ You can use the Windows 2000 command-line utility (CACLS) to grant the
Vault Service account Full Control access to the PST files.
■ You can run more than one instance of PST Migrator. For maximum overall
throughput, it is recommended that you run 10 instances. If the computer is
also archiving at the same time, then reduce the number of PST Migrator
instances.
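The CACLS tip above, as an added example that is not part of the Yellow Book: a batch file that grants the Vault Service account Full Control on each collected PST file and records the previous ACLs first. The collection folder D:\PSTCollection, the account name EXAMPLE\VaultSvc, and the log path are assumptions.

```batch
@echo off
rem Added example, not from the Yellow Book or from Symantec.
rem PSTROOT, VSA and LOG are assumed values; replace them with your own.
setlocal
set "PSTROOT=D:\PSTCollection"
set "VSA=EXAMPLE\VaultSvc"
set "LOG=%TEMP%\pst_acl_before.txt"
set /a GRANTED=0
set /a FAILED=0

if not exist "%PSTROOT%\" (
    echo Collection folder "%PSTROOT%" not found.
    exit /b 2
)

rem Start a fresh audit log of the ACLs as they were before any change.
type nul > "%LOG%"

for /r "%PSTROOT%" %%F in (*.pst) do (
    rem Record the current ACL so the change can be reviewed or reversed later.
    cacls "%%F" >> "%LOG%" 2>&1

    rem /E edits the existing ACL. Without /E, CACLS replaces the whole ACL,
    rem which would strip the mailbox owner's own access to the file.
    rem The grant is per file (no /T), so nothing else in the tree is widened.
    cacls "%%F" /E /G "%VSA%":F >nul 2>&1

    rem Re-read the ACL instead of trusting the exit code of the grant.
    cacls "%%F" | find /i "%VSA%:F" >nul
    if errorlevel 1 (
        set /a FAILED+=1
        echo NOT GRANTED: %%F
    ) else (
        set /a GRANTED+=1
    )
)

echo Granted: %GRANTED%   Not granted: %FAILED%   Previous ACLs: %LOG%
if %FAILED% gtr 0 exit /b 1
exit /b 0
```

Once the PST files have been migrated, the same loop with /E /R in place of /E /G removes the grant again.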
Glossary
active/active In VERITAS Cluster Server, active/active is a failover configuration where each
system runs a service group. If either fails, the other one takes over and runs
both service groups. Also known as a symmetric configuration.
active/passive In VERITAS Cluster Server, active/passive is a failover configuration consisting
of one service group on a primary system, and one dedicated backup system. Also
known as an asymmetric configuration.
Administration Console In Backup Exec, the Administration Console provides a user interface to Backup
Exec operations. The user interface can be run from the media server or a remote
computer.
adware Programs that facilitate delivery of advertising content to the user through their
own window, or by utilizing another program’s interface. In some cases, these
programs may gather information from the user’s computer, including information
related to Internet browser usage or other computing habits, and relay this
information back to a remote computer.
antispam A subcategory of a security policy that controls the receipt of unsolicited email,
often referred to as spam.
antivirus A subcategory of a security policy that pertains to computer viruses.
Anti-Virus Cleaner The Anti-Virus Cleaner receives messages from the Brightmail Server. The Cleaner
parses the message, decodes most attachments, and cleans them using the
Symantec AntiVirus engines and definitions. It then adds a header and message
text advising the recipient of its actions, and returns the message via SMTP to
the incoming mail stream.
application roles In Enterprise Vault Compliance Accelerator, application roles enable users to
perform tasks in the Application Administration area on the home page, but not
in the Department Administration and Reviewer areas.
archive bit In Backup Exec, a file attribute that is set whenever a file is modified. For full and
incremental backups that use archive bits, this bit is turned off after the backup
completes, indicating to the system that the file has been backed up. If the file is
changed again before the next incremental or full backup, the bit will be turned
on and Backup Exec will back up the file.
Archive Explorer In Enterprise Vault, Archive Explorer provides users a searchable folder view of
their archives that is similar to the Microsoft Outlook folders view. The folder
names and structure match the original mail folders from which their items were
archived.
Archiving Service In Enterprise Vault, the Archiving Service archives items from the Exchange
Private Information Stores. At the times scheduled by the administrator, the
Archiving Service scans mailboxes for items that satisfy the archiving policy of
the site, mailbox, or folder in question.
audit log A running history of all actions performed in the Backup Exec system. An entry
into the log is created each time an action that is configured to display in the audit
log occurs.
backup A process where selected files on a computer drive are copied and stored on a
reliable form of media.
blended threat Blended threats combine the characteristics of viruses, worms, Trojan Horses,
and malicious code with server and Internet vulnerabilities to initiate, transmit,
and spread an attack. By using multiple methods and techniques, blended threats
can rapidly spread and cause widespread damage.
Brightmail Agent The Brightmail Agent resides on each Brightmail Scanner and communicates with
the Brightmail Control Center to support centralized configuration and
administration activities.
Brightmail Client The Brightmail Client receives messages from the MTA and communicates with
the Brightmail Server to provide message filtering. The Brightmail Client resides
on a Brightmail Scanner.
Brightmail Control Center The Brightmail Control Center is a Web-based cross-platform configuration and
administration center built in Java. Each Symantec Brightmail Anti-Spam
installation has one Brightmail Control Center, which also houses Brightmail
Quarantine and supporting software.
Brightmail Server The Brightmail Server filters messages and assigns verdicts to messages based
on the filtering results. The Brightmail Server resides on a computer hosting a
Brightmail Scanner.
capacity monitoring In Storage Foundation for Windows, capacity monitoring refers to monitoring
dynamic volume capacities, so that when any volume reaches preset size
thresholds, an alert message is sent.
CASO See central administration server.
catalog In Backup Exec, a database for keeping track of the contents of media created
during a backup or archive operation. Information can only be restored from fully
cataloged media.
central administration server A Backup Exec media server with the Central Admin Server Option (CASO)
installed. In a CASO environment, the central administration server becomes the
centralized focal point of the Backup Exec enterprise. It is the media server where
an administrator makes decisions on what data and servers are to be protected
in the environment. It is also the media server where the building blocks of job
creation take place—the creation of policies and the association of selection lists
to those policies.
clean An action that consists of deleting virus infections that cannot be repaired, and
repairing repairable virus infections.
cluster One or more computers linked together for the purpose of multiprocessing and
high availability.
concatenation Storing data either on one disk (simple) or on disk space that spans more than
one disk (spanned).
Content Compliance A set of features in Symantec Mail Security 8200 Series appliances that enable
administrators to enforce corporate email policies, reduce legal liability, and
ensure compliance with regulatory requirements. These features include
annotations, streamlined filter creation using multiple criteria and multiple
actions, flexible sender specification, dictionary filters, and attachment
management.
content filtering A subcategory of a security policy that pertains to the semantic meaning of words
in text (such as email messages). It can also include URL filtering.
Control Center A Web-based configuration and administration center for Symantec Mail Security
8200 Series appliances. Each site has one Control Center. The Control Center also
houses Quarantine and supporting software.
device In Backup Exec, device can refer to a robotic library drive, a stand-alone drive, a
backup-to-disk folder, a backup-to-disk device, or a cascaded drive pool.
differential backup In Backup Exec, the differential backup methods are used to back up files that
have changed since the last full or incremental backup. A differential backup can
be based on archive bit or time stamp information.
directory harvest attack A high-volume email campaign addressed to dictionary-generated recipient
addresses on a specific domain. Directory harvest attacks (DHAs) not only consume
resources on the targeted email server, they also provide the spammers with a
valuable list of valid email addresses (targets for future spam campaigns).
Directory Service In Enterprise Vault, the Directory Service provides distributed access to a Vault
Directory Database. All other Enterprise Vault services need access to this
particular database.
disaster recovery A solution that supports fail over to a cluster in a remote location in the event
that the local cluster becomes unavailable.
discovery A process in which email servers and archives are searched within a business
enterprise to locate and reproduce specified email content pertaining to a legal
proceeding. Discovery is normally requested by lawyers in a court of law, to verify
or disprove arguments for or against the plaintiff or defendant.
disk group Storage Foundation for Windows organizes disks into disk groups. Disk groups
provide a way of organizing disks in a system and simplifying storage management
for systems with large numbers of disks. They also allow disks to be moved between
computers to easily transfer the storage between computers.
disk striping Disk striping writes data across multiple disk drives instead of just one disk. Disk
striping involves partitioning each drive storage space into stripes that can vary
in size. These stripes are interleaved in a repeated sequential manner. The
combined storage space is composed of stripes from each drive.
DMP DMP is a form of Dynamic Multipathing that is designed for a multipath disk
storage environment that provides Windows mini-port or SCSI port driver support.
DMZ (demilitarized zone) A network added between a protected network and an external network to provide
an additional layer of security. Sometimes called a perimeter network.
DNS (Domain Name Server) proxy An intermediary between a workstation user and the Internet that allows the
enterprise to ensure security and administrative control.
DNS (Domain Name System) A hierarchical system of host naming that groups TCP/IP hosts into categories.
For example, in the Internet naming scheme, names with .com extensions identify
hosts in commercial businesses.
DNS server A repository of addressing information for specific Internet hosts. Name servers
use the Domain Name System (DNS) to map IP addresses to Internet hosts.
domain 1. A group of computers or devices that share a common directory database and
are administered as a unit. On the Internet, domains organize network addresses
into hierarchical subsets. For example, the .com domain identifies host systems
that are used for commercial business. 2. A group of computers sharing the
network portion of their host names, for example, raptor.com or microsoft.com.
Domains are registered within the Internet community. Registered domain entities
end with an extension such as .com, .edu, or .gov or a country code such as .jp
(Japan).
downstream At a later point in the flow of email. A downstream email server is an email server
that receives messages at a later point in time than other servers. In a
multiple-server system, inbound mail travels a path from upstream mail servers
to downstream mail servers. Downstream can also refer to other types of
networking paths or technologies.
DVS DVS is the file extension of the messages stored by Enterprise Vault. These
messages are also referred to as DVS files.
Dynamic Multipathing In Storage Foundation for Windows, the Dynamic Multipathing option adds fault
tolerance to disk storage by making use of multiple paths between a computer
and individual disks in an attached disk storage system. Disk transfers that would
have failed because of a path failure are automatically rerouted to an alternate
path. Dynamic Multipathing also improves performance by allowing load balancing
between the multiple paths. Two forms of Dynamic Multipathing are available,
DMP and MPIO.
dynamic volume In Storage Foundation for Windows, dynamic volumes are volumes created on
dynamic disks in place of partitions. A dynamic volume consists of a portion or
portions of one or more physical disks and is organized in one of five volume
layout types: concatenated, mirrored, striped, RAID-5, and mirrored striped (RAID
0+1). The size of a dynamic volume can be increased if the volume is formatted
with NTFS and there is unallocated space on a dynamic disk within the dynamic
disk group onto which the volume can be extended.
Email Firewall A set of features of Symantec Mail Security 8200 Series appliances that provide
perimeter defense, similar to a regular firewall, focused on email traffic. The Email
Firewall analyzes incoming SMTP connections and enables preemptive responses
and actions before messages progress further in the filtering process. The Email
Firewall provides attack preemption for spam, virus, and directory harvest attacks, and
sender blocks based on IP address, domain, third party lists, or Symantec lists.
exploit A program or technique that takes advantage of a vulnerability in software and
that can be used for breaking security, or otherwise attacking a host over the
network.
external threat A threat that originates outside of an organization.
failover An operation in which the failure of one appliance, program, or security gateway
causes another to pick up its workload automatically.
false positive A piece of legitimate email that is mistaken for and classified as spam by an
antispam product.
fault tolerance The characteristic of ensuring data integrity and system functionality when
hardware failures occur.
filter A method for analyzing email messages, used to determine what action to take
on each message. A variety of types of filters can be used to process messages. A
filter can be provided by Symantec, created by a local administrator, created by
an end user, or provided by a third party.
firewall A program that protects the resources of one network from users from other
networks. Typically, an enterprise with an intranet that allows its workers access
to the wider Internet will want a firewall to prevent outsiders from accessing its
own private data resources.
firewall rules A security system that uses rules to block or allow connections and data
transmission between a computer and the Internet.
FlashSnap In Storage Foundation for Windows, the FlashSnap option is a multi-step process
that is used to create independently addressable snapshot volumes that are copies
or mirrors of the volumes on a server. These snapshot volumes can be easily
moved to another server for backup or other purposes, such as loading or updating
data warehouses or performing application testing with real production data while
business continues.
full backup In Backup Exec, the full backup methods are used to back up all selected files. A
full backup can copy all files and reset the archive bit, or it can use incrementals
and differentials based on time stamp. If the full backup option to archive the
files is used, the original files are deleted after the backup finishes successfully,
if the necessary rights to the files are granted.
gateway A network point that acts as an entrance to another network. A gateway can also
be any computer or service that passes packets from one network to another
network during their trip across the Internet.
group policies Group policies are used to specify groups of users, identified by email addresses
or domain names, and to customize message filtering for each group.
header 1. First part of an email message, containing information such as the address of
the recipient, the address of the sender, message type, routing, and time sent. 2.
In Symantec Brightmail AntiSpam, the header test command, which is a Sieve
command supported by the custom filtering features.
heuristic Filters that proactively target patterns common in spam and viruses.
host 1. In a network environment, a computer that provides data and services to other
computers. Services might include peripheral devices, such as printers, data
storage, email, or World Wide Web access. 2. In a remote control environment, a
computer to which remote users connect to access or exchange data.
incident The actualization of a security risk. The event or result of a threat that exploits
a system vulnerability.
incremental backup In Backup Exec, the incremental backup methods back up files that have changed
since the last full or incremental backup. An incremental backup can be based on
archive bit or time stamp information. If the incremental backup is performed
based on the archive bit, the archive bit is reset to indicate that the files have been
backed up.
Indexing Service In Enterprise Vault, the Indexing Service is responsible for creation and
management of the indexes, processing of searches, and return of search results.
Indexes allow users to search their archive and view the results.
internal threat A threat that originates within an organization.
Journaling Service In Enterprise Vault, the Journaling Service works together with Microsoft Exchange
journaling to enable all messages sent and received by Exchange to be copied into
a single journal mailbox. The Enterprise Vault Journaling Service processes the
journal mailbox, collects items to be archived, and passes them on to the Storage
Service.
load balancing 1. Refers to the process of balancing the data load between disks so that I/O
demands are spread as evenly as possible across an I/O subsystem's resources.
local device A disk or tape drive connected to a server and only available to the server to which
it is attached.
macro virus A program or code segment written in the internal macro language of an
application. Some macros replicate, while others infect documents.
mass-mailing worm A worm that propagates itself to other systems via email, often by using the
address book of an email client program.
media server The Microsoft Windows server where Backup Exec is installed and the Backup
Exec services are running.
media set In Backup Exec, a group of media on which a backup job is targeted. The media
set controls the overwrite protection period and the append period.
MIME Multipurpose Internet Mail Extension, a file-type definition standard that enables
different mail programs to understand and interpret non-textual file types (such
as .doc, .jpg, and .wav) in the same way.
mirrored striped volume RAID 0+1 volumes are mirrors of striped volumes. For example, a two-disk stripe
can be mirrored to two additional disks. This RAID type provides the advantages
of both speed (from striping) and fault tolerance (from mirroring). More mirrors
can be added to a mirrored striped volume, and this type of volume can be extended
onto additional dynamic disks within the dynamic disk group.
mirrored volume (RAID-1) A mirrored dynamic volume is a fault-tolerant volume that duplicates data on
two or more physical disks. A mirror provides redundancy by simultaneously
writing the same data onto two or more separate mirrors (or plexes) that reside
on different disks. If one of the disks fails, data continues to be written to and
read from the unaffected disk or disks. A mirrored volume is slower than a RAID-5
volume in read operations but faster in write operations.
monitored employee In Enterprise Vault Compliance Accelerator, an employee whose correspondence
is monitored.
mount point The directory under which a file system is accessible after being mounted.
MTA (Mail Transfer Agent) A generic term for programs that send and receive mail between servers.
name server A computer running a program that converts domain names into appropriate IP
addresses and vice versa.
node The physical host or system on which applications and service groups reside.
When systems are linked by VERITAS Cluster Server, they become nodes in a
cluster.
off-host backup Refers to a situation in which the processing of the backup of a server is moved
to another server. This allows the applications on the working server to be
maintained at a consistently higher performance level because the backup is
performed on another machine.
payload This is the malicious activity that the virus performs. Not all viruses have payloads,
but there are some that perform destructive actions.
plex A plex refers to an instance of the volume. Mirrored volumes have two or more
plexes. All other volumes have one plex. Plexes, columns, and subdisks are the
constituent parts of the volume.
policy 1. A set of message filtering instructions that Symantec Mail Security 8200 Series
appliances implement on a message or set of messages. 2. In Backup Exec, a method
for managing backup jobs and strategies. Policies contain templates, which provide
settings for jobs.
protected server Any computer on a network that is being backed up by Backup Exec, including
Backup Exec media servers.
providers In Storage Foundation for Windows, providers are similar to drivers. Each provider
manages a specific hardware or software storage component. For example, there
is a disk provider that manages all disks that the Windows operating system sees
as disks. The providers discover the existing physical and logical entities and store
that information in Storage Foundation for Windows’ distributed database.
Normally, providers operate in the background. The exception might be when
there is a provider error on startup.
PST file Microsoft Exchange file format. PST files are used to store messages and other
Exchange data on a user’s local drive, instead of on the Exchange server. Also
known as a Personal Folders file.
public folder archiving Enables Enterprise Vault to archive items from Microsoft Exchange public folders.
Quarantine A database that stores email messages separately from the normal message flow,
and allows access to those messages. On Symantec Mail Security 8200 Series
appliances, Quarantine is located on the Control Center appliance, and provides
users with Web access to their spam messages. Users can browse, search, and
delete their spam messages and can also redeliver misidentified messages to their
inbox. An administrator account provides access to all quarantined messages.
Quarantine can also be configured for administrator-only access.
RAID RAID (Redundant Array of Independent Disks) is a collection of specifications
that describe a system for ensuring the reliability and stability of data stored on
large disk subsystems.
RAID 0+1 volume See mirrored striped volume.
RAID-5 Logging RAID-5 logging ensures prompt recovery of a RAID-5 volume after a system crash.
With RAID-5 logging, updates need to be made only to the data and parity portions
of the volume that were in transit during the system crash. Thus, the entire volume
does not have to be resynchronized. A log can be created when a volume is created,
or it can be added later.
RAID-5 volume A RAID-5 volume is a fault-tolerant volume with data and parity striped
intermittently across three or more physical disks. Parity is a calculated value
that is used to reconstruct data after a failure. If a portion of a physical disk fails,
the data on the failed portion can be recreated from the remaining data and parity.
RAID-5 volumes can be created only on dynamic disks. RAID-5 volumes cannot
be mirrored.
region Contiguous area of storage on a disk. These regions can also be referred to as
subdisks.
resource discovery A Backup Exec operation that allows detection of new backup resources within a
Windows domain.
resource types In VERITAS Cluster Server, each resource in a cluster is identified by a unique
name and classified according to its type. VERITAS Cluster Server includes a set
of predefined resource types for storage, networking, and application services.
Retrieval Service In Enterprise Vault, a Retrieval Service is associated with a specific Microsoft
Exchange Server. The Retrieval Service retrieves items from archives and stores
them in that Microsoft Exchange Server.
review marks In Enterprise Vault Discovery Accelerator, review marks are a set of marks that
can be applied to items in all cases. These marks are set out in the scheme template.
For each new case that is created, Discovery Accelerator makes a copy of these
marks, which can then be adapted for a specific case.
review set In Enterprise Vault Compliance Accelerator, a collection of captured messages
that are relevant to a particular department.
reviewer In Enterprise Vault Compliance Accelerator, a user who is responsible for reviewing
one or more departments.
robotic library A high-capacity data storage system for storing, retrieving, reading, and writing
multiple magnetic tape cartridges. It contains storage racks for holding the
cartridges and a robotic mechanism for moving the cartridge to the drive or drives.
roles In Enterprise Vault Compliance Accelerator, roles are used to group the
permissions needed to perform specific application or department tasks. Once
roles are created, they are assigned to specific employees. Employees who do not
have permission for a particular task do not see it in their view of the Compliance
Accelerator web interface.
Scanner A component in an appliance or set of appliances or software that filters mail.
Each site can have one or many Scanners.
security life cycle A method of initiating and maintaining a security plan. It involves assessing the
risk to a business, planning ways to reduce the risk to a business, implementing
the plan, and monitoring the business to verify that the plan reduced the risk.
security response The process of research, creation, delivery, and notification of responses to viral
and malicious code threats, as well as operating system, application, and network
infrastructure vulnerabilities.
security services The security management, monitoring, and response services that let organizations
leverage the knowledge of Internet security experts to protect the value of their
networked assets and infrastructure.
shopping baskets Part of the Enterprise Vault Shopping Service. When users search using the Web
Access application they are able to save these search results in containers called
shopping baskets. The Shopping Service is responsible for managing these
shopping baskets and instructs the Retrieval Service to retrieve the contents of
any shopping baskets when necessary.
Shopping Service In Enterprise Vault, the Shopping Service works in conjunction with the Enterprise
Vault Web Access application. This service enables users to save search results
from different searches and to restore selected items.
signature 1. A state or pattern of activity that indicates a violation of policy, a vulnerable
state, or an activity that may relate to an intrusion. 2. Logic in a product that
detects a violation of policy, a vulnerable state, or an activity that may relate to
an intrusion. This can also be referred to as a signature definition, an expression,
a rule, a trigger, or signature logic. 3. Information about a signature including
attributes and descriptive text. This is more precisely referred to as signature
data.
snapshot A consistent point-in-time view of a volume that is used as the reference point
for the backup operation. After a snapshot is created, the primary data can
continue being modified without affecting the backup operation.
spam 1. Unsolicited commercial bulk email. 2. An email message identified as spam by
a Symantec security product, using its filters.
spyware Programs that have the ability to scan systems or monitor activity and relay
information to other computers. Among the information that may be actively or
passively gathered and disseminated by spyware are passwords, log-in details,
account numbers, personal information, individual files or other personal
documents. Spyware may also gather and distribute information related to the
user’s computer, applications running on the computer, Internet browser usage
or other computing habits.
Storage Service In Enterprise Vault, the Storage Service serves the following functions: vault store
and archive management, conversion and storage of various message classes and
documents, retrieval of archived items for viewing, copy and conversion of archived
items for restoration, and automatic and manual deletion of archived items.
striped volume (RAID-0) A volume that stores data in stripes on two or more physical disks. Data in a striped
volume is allocated alternately and evenly (in stripes) to the disks of the striped
volume. Striped volumes can be created only on dynamic disks. Striped volumes
by themselves are not fault tolerant; however, they can be mirrored to be made
fault tolerant. They also can be extended.
subnet mask A local bit mask (set of flags) that specifies which bits of the IP address specify a
particular IP network or a host within a subnetwork. Used to "mask" a portion of
an IP address so that TCP/IP can determine whether any given IP address is on a
local or remote network. Each computer configured with TCP/IP must have a
subnet mask defined.
suspected spam A category of messages separate from spam. Messages fall into the suspected
spam category based on their spam scores. Different actions can be specified for
spam and suspected spam.
Suspected Spammers list A list of IP addresses from which virtually all of the outgoing email is spam,
provided by Symantec based on data from the Probe Network.
Symantec Security Response Symantec Security Response is a team of dedicated intrusion experts, security
engineers, virus hunters, threat analysts, and global technical support teams that
work in tandem to provide extensive coverage for enterprise businesses and
consumers. Symantec Security Response also leverages sophisticated threat and
early warning systems to provide customers with comprehensive, global, 24x7
Internet security expertise to proactively guard against today’s blended Internet
threats and complex security risks.
Symantec Spam Folder Agent for Exchange An application designed to work on Microsoft Exchange Servers. Installed
separately, the Symantec Spam Folder Agent for Exchange creates a subfolder
and a server-side filter in each user’s mailbox. The filter gets applied to messages
that a Scanner identifies as spam, routing spam into each user’s spam folder,
relieving end users and administrators of the burden of using their mail clients
to create filters.
target In Enterprise Vault Discovery Accelerator, targets are a way of listing all the
available email addresses for one person. This enables an administrator to enter
a person’s name once when searching, to include all of that person’s different
addresses. Target groups, which are named collections of targets, can also be set
up.
template In Backup Exec, a required element of a policy that defines how and when a job
is processed. Templates specify the device, settings, and schedule options to be
used for the job. Each policy must contain at least one template.
threat A circumstance, event, or person with the potential to cause harm to a system in
the form of destruction, disclosure, modification of data, or denial of service.
threat assessment The severity rating of the virus, worm, or Trojan horse. The threat assessment
includes the damage that this threat causes, how quickly it can spread to other
computers, and how widespread the infections are known to be.
threshold The number of events that satisfy certain criteria. Administrators define threshold
rules to determine how notifications are to be delivered.
traffic shaping An antispam technique that prioritizes sources with good traffic and throttles
sources that are sending spam, thus reducing the load downstream in the network.
vault directory The vault directory holds configuration information for one or more Enterprise
Vault Sites. The vault directory consists of a vault database and a directory service.
vault partition In Enterprise Vault, the vault partition is part of the vault store. A partition
contains either UNC paths to an NTFS volume or addresses to a tertiary storage
device. These are the physical locations where archived items are stored in
Enterprise Vault.
vault site In Enterprise Vault, a vault site consists of one or more computers running one
or more Enterprise Vault Services and sharing the same configuration information.
vault site alias In Enterprise Vault, this alias is a pointer to the Directory Service computer. Each
vault site must have a vault site alias, which is used by Enterprise Vault to refer
to the vault site by name.
vault store In Enterprise Vault, a vault store consists of one or more vault partitions, which
consist of UNC paths to an NTFS volume or addresses to a tertiary storage device.
The vault store is managed by the Storage Service.
vault store database In Enterprise Vault, this database holds all pointers to the actual items that are
stored in the partitions, as well as data pertaining to what accounts have access
to what items.
virus A program or code that replicates; that is, infects another program, boot sector,
partition sector, or document that supports macros, by inserting itself or attaching
itself to that medium.
virus attack A series of virus-infected emails from a specific domain.
virus definitions file A file that provides information to antivirus software to find and repair risks.
vulnerability A state in a computing system which either allows an attacker to execute
commands as another user, allows an attacker to access data that is contrary to
the specified access restrictions for that data, allows an attacker to pose as another
entity, or allows an attacker to conduct a denial of service.
worm A special type of virus. A worm does not attach itself to other programs like a
traditional virus, but creates copies of itself, which create even more copies.
A
Admin Service
overview 156
Administration Console
Enterprise Vault configuration tasks 165
Archive service
creating 166
archives
accessing in Enterprise Vault 172
creating Exchange Public Folder Task 172
developing policies for 223
enabling for mailbox 168
archiving systems
as a best practice 54
B
Backup Exec
backing up Enterprise Vault 212
best practices 205
configuring 205
licenses 205
requirements 86
scripts for backing up 216
upgrading 205
using for spam removal 99
C
clustering. See Veritas Cluster Server
Collaboration Data Objects 160
compliance
examples of 28
legal considerations 219
Compliance Accelerator. See Enterprise Vault
Compliance Accelerator
D
desktop tier
challenges of 103
Discovery Accelerator. See Enterprise Vault
Discovery Accelerator
discovery requests
establishing efficiency 226
preparing for 225
simplifying to reduce costs of 225
E
email filtering
internally 53
email legal evidence
as 29
email management
archiving 54, 144, 223
backup regulations 227
business email life cycle 220
compliance factors 219
configuring protection environment 105
costs of 31
factors of 23
migrating
legacy systems 261
minimizing mailbox content 265
recommendations 270
without moving mailbox content 264
quota policies 26
reducing volume of 48
regulatory compliance 219
risks to availability 179
unwanted mail 99
violation of policies 30
email security
internal 53
management considerations 36, 48
multi-tiered approach 105
reducing bandwidth 48
Email security and availability. See Symantec
Enterprise Messaging Management solution
email threats 21, 24
multi-tiered approach to reducing 99
spam 99, 222
viruses 223
Index
Enterprise Messaging Management. See Symantec
Enterprise Messaging Management solution
Enterprise Vault
Administration Console 165
administrator toolbar utility for recovery 175
backup and recovery 173
backup sequence 217
components of 213
configuration best practices 163
configuring Windows components 160
IM archiving 122
installation best practices 163
installed tasks and services 147
installing Exchange System Manager 2003 161
installing with Enterprise Vault Compliance
Accelerator 238
installing with Enterprise Vault Discovery
Accelerator 233
managing Exchange migrations 263
offline vault, using with archives 172
overview 147
planning for deployment 150
preparing for installation 157
reducing database size 269
requirements 81
scalability recommendations 153
scalable storage solution 57
selecting archive index levels 156
setting retention categories 169
shortcuts, using with archives 172
Site Alias
creating on DNS server 162
software prerequisites 157
SQL login account 159
structured data 145
usage tips 176
using with Backup Exec 212
Windows service account, creating for 158
Enterprise Vault Compliance Accelerator
Application Administration page 247
backup and recovery best practices 260
browser interface recommendations 246
configuration best practices 242
configuring searches 256
customization best practices 252
Department Administration page 247
installing best practices 238, 241
Journaling Connector requirements 240
overview 230
SQL Server requirements 241
upgrading best practices 258
Enterprise Vault Discovery Accelerator
browser interface recommendations 238
creating roles and cases 248
creating searches 250
customization best practices 247
installing best practices 233, 236
overview 230
post-installation best practices 236
SQL Server requirements 235
Enterprise Vault server
configuring baseline environment 92
Enterprise Vault Store
creating 165
creating Archive service on 166
enabling mailbox archiving 168
partition settings 155
recommendations 155
Exchange. See Microsoft Exchange
Exchange Mailbox reports
generating 173
Exchange server. See Microsoft Exchange server
Exchange System Manager 2003
installing with System Management tools 161
F
FlashSnap 187
G
gateway tier 101
groupware
environment protection 53
H
high availability 28
HIPAA 28
I
IBM
performance test
results 95
user profile 90
server configuration 89, 92
storage configuration 89, 92
IM. See instant messaging
IM Manager
best practices for 129
directory integration 123
overview 117
SMTP delivery to Microsoft Exchange 126
use case 134
indexing levels
Enterprise Vault 156
installation
best practices 236, 241
Enterprise Vault
installation best practices 163
preparing for 157
instant messaging
growth 36
increase in use 23
part of messaging management 13
security 129
security risk 24
J
Journaling Connector
adding or upgrading 258
requirements 240
M
Mail Security for Exchange
adding to Cluster Server 203
file filtering rules 111
multiserver console 110
recommended settings 109
updating virus definitions 110
zip files 111
mail server tier 102
Mailbox Archiving Task 168
mass-mailer worms 50
message archiving 54
messaging applications
new 32
messaging security
Symantec product hierarchy 60
Microsoft Exchange
email risks 179
forms installation and distribution 167
migration considerations 261
minimizing migration risks 267
reducing size of data stores 146
storage group recommendations 187
Symantec Enterprise messaging management
solution, relation to 181
Microsoft Exchange server
configuring baseline environment 92
creating an Outlook profile on 162
email storage 143
protection best practices 107
Microsoft Outlook
configuring for use with Enterprise Vault 160
Microsoft SQL Server. See SQL Server
O
off-host backup 212
P
performance guidelines 88
perimeter
protecting 49
protection solutions
email 50
instant messaging 52
threats 50
phishing attacks 24
policies
creating in Enterprise Vault 169
PST archive migration 146, 272
R
recovery solutions 43
retention categories
setting in Enterprise Vault 169
S
Sarbanes-Oxley Act
compliance demands of 28
security. See messaging security
end-point security 63
service groups
Veritas Cluster Server 192
Site Alias
using with Enterprise Vault 162
SMTP gateway perimeter protection 112
SOX. See Sarbanes-Oxley Act
spam. See email threats
spim
defined 21
filtering 129
SQL
backing up server 214
Backup Exec 214
creating login account for Enterprise Vault 159
database backup recommendations 174
SQL Server
requirements
Enterprise Vault Compliance
Accelerator 241
Enterprise Vault Discovery Accelerator 235
storage configuration
for Exchange server 93
Storage Foundation
best practices 183
FlashSnap option 187
Storage Foundation HA for Windows
best practices 190
configuring storage resource 198
implementation planning 194
requirements 86
storage virtualization
benefits 42
Symantec email security and availability for
Microsoft Exchange. See Symantec Enterprise
Messaging Management solution
Symantec Enterprise Messaging Management
solution
about 13
checklist
deployment 76
pre-deployment 73
components of 149
controlling flow of information 46
evolution of 39
history of 34
how it works 39, 56
IBM hardware configuration 88
need for a comprehensive solution 38
overview 13
perimeter protection 49
reducing email volume 48
requirements 78
server architecture 105
solution components 17
Symantec products 69
topology 69
Symantec Enterprise Vault Consulting Services
Center 153
Symantec Global Intelligence Network 104
Symantec Mail Security for Microsoft Exchange
server requirements 80
Symantec Professional Services 64
T
threat management
layered approach 46
traffic-shaping 101
U
user extensions
using with archives 172
V
Veritas Cluster Server
agents 193
benefits of 45
overview 191
Symantec Mail Security for Exchange, operating
with 203
Veritas Enterprise Vault. See Enterprise Vault
Veritas Storage Foundation for Windows
requirements 83
Veritas Storage Foundation High Availability for
Windows
best practices 198
requirements 85
viruses
minimizing threat of 223
perimeter threats 50
Voice over IP. See VoIP
VoIP 13
W
Windows service account
creating for Enterprise Vault 158
worms
mass-mailer threats, as 24, 50
Z
Ziff Davis survey 38