How to configure an Exchange Scanner (Exchange 2003)

Article ID: 159632

Products

Data Loss Prevention Network Discover

Issue/Introduction

Relevant to Exchange 2003

Overview

  • You can use the Exchange Scanner to do the following:
    1. Scan a single Exchange mailbox
    2. Scan Exchange public folders
    3. Scan all Exchange mailboxes 
Installation
  • The Exchange Scanner must be installed on a machine that has Outlook installed and configured to talk to the Exchange server you want to scan

Resolution

The Exchange Scanner accesses client mailboxes on the Exchange Server using a connected Outlook client.

You can use the Exchange Scanner to perform the following tasks:

■ Scan a single Exchange mailbox.
■ Scan Exchange public folders.
■ Scan all Exchange mailboxes.

The Exchange Scanner supports scanning of the following targets:

■ Microsoft Exchange Server version 5.0, or higher
■ Microsoft Exchange Server 2000
■ Outlook97, Outlook98, or Outlook2000 with the optional connection to Exchange configured

The Exchange Scanner scans whichever mailboxes or public folders the Outlook profile has rights to. For example, if you log on to the client using Windows Administrator credentials and an Admin-level Outlook profile, you can scan all mailboxes or public folders that profile has access to. If you log on to Exchange using User A’s profile, you can only scan what User A has access to, typically User A's own mailbox.

When scanning other users' mailboxes using an administrative account, that account must have access to all the mailboxes as well as access to the Exchange server's Mailbox Store object.

To check the Mailbox Store permissions, perform the following steps:

■ Open the Exchange System Manager.
■ Find and right-click the Mailbox Store object.
■ Check the Security tab.

The Exchange scan includes email message text and email file attachments from the client's mailbox, as well as the content of compressed files. The Exchange Scanner, however, does not target mail that is stored in Personal Folders (.pst files) or offline folders (.ost). It does not monitor inbound or outbound messages that are sent via MAPI, SMTP, POP3, or HTML Web mail. POP3 or HTML Web mail scan types can be handled with other products of Vontu DLP.

Installing a Microsoft Exchange Scanner

Install the Microsoft Exchange Scanner on any Exchange client with Microsoft Outlook 2003 installed and a valid Outlook profile.

Outlook Web Access must be enabled.

When using IndexAllAccounts=true, you must use the profile of a user who has read permissions to all mailboxes. This does not necessarily need to be an Administrator.

The Microsoft Exchange Scanner may need to run as a user who is a member of the 'Domain Admins' group.

The Exchange Scanner may be slower than some of the other scanners because Outlook or Exchange throttles the connection. The Exchange administrator may be able to speed things up.

To install a Microsoft Exchange scanner

1. Log on to the computer where you will install the Exchange Scanner server using a Windows Administrator account that has full access rights to all files. The computer should be running Microsoft Outlook 2003 with a valid Outlook profile, and have access to the Exchange server. 

2. Download or copy (as binary) the installer ExchangeScanner_windows_9.0.exe to a temporary directory.

3. Run the Microsoft Exchange Scanner installer and follow the on screen prompts.

4. On the Welcome screen, click Next.

5. Select the Destination Directory (the folder where you would like the Vontu Exchange Scanner to be installed).

The default is C:\Program Files\ExchangeScanner

Click Next.

6. Select the Start Menu Folder (shortcut in the Start Menu).

The default is Vontu Exchange Scanner.

7. Enter the following connection information for the Network Discover Server:

■ Discover Host (IP or hostname of the Network Discover Server)

■ Discover Port

Click Next.

8. Enter the following information to configure the connection to the Exchange Server.

■ Profile Name

The MAPI profile (and associated privileges) you will use to connect to the Exchange server for scanning.

■ Start Folder

The folder to scan (only applies when IndexAllAccounts=false, which is the default). Specify the single mailbox or public folder you want to scan. Wildcards and multiple entries are not supported. Subfolders are not scanned.

Click Next.  The scanner installs.

9. Select the Startup Mode.

While testing or verifying that the scanner runs successfully, do not select either of these options, but start the scanner manually. You can select one (or none) of the following options:

■ Install as a service on a Windows system.

To run as a service, after the installation is completed, open the Service Properties (also called ‘Application Management Properties’ in Windows Server 2003) from the Services control panel, and enter the user name and password on the Log On tab. The scanner needs to run as a user who is part of the Domain Admins group.

■ Start after installation.

10. Click Next, then click Finish.

11. Open and edit the file VontuExchangeScanner.cfg.

See “Configuring a Microsoft Exchange Scanner” on page 167 of the V9 Admin Guide.

The folder structure of the Exchange server is captured in the file /scanner/Job0.log the first time the scanner logs on to the Exchange server. Use this information to specify or modify what to include in the scan; it is particularly useful for working out what to use for the StartFolder. To see the Exchange folder structure, set ShowFolderStructure=true.

12. Save your changes and close the configuration file.

13. Open the Enforce Server administration console in a Web browser and add a new Exchange target. Incremental scanning for the Exchange Scanner is based on the last completed scan.

See “Adding or Editing a Target” on page 116 of the V9 Admin Guide.

14. Save the target, then click to start the scan, and click the refresh icon to update the screen.

15. On the server where you installed the scanner, start the Vontu Exchange Scanner. 

Navigate to Start > Vontu Exchange Scanner > Vontu Exchange Scanner Console.

To run as a console, log on to the computer using a valid user account, or use the Run as command when launching the scanner.

Stop and restart the scanner whenever you make changes to the configuration file.

To stop the scanner, type Ctrl-C in the console window.

16. Check the following information for the scanner you added:

■ Items Scanned
■ Bytes Scanned (to confirm that the scanner is working)
■ Incidents (to confirm that the policy is being applied)

Confirm that the scanner is running by checking the Program Files/ExchangeScanner/outgoing directory for .idx files.

This directory is a good indication of scanner function because it is unrelated to issues from the Network Discover Server or Vontu DLP configurations. The scanner adds scan data to this location, and then sends the data to the Network Discover Server.

If no files are queuing in Program Files/ExchangeScanner/outgoing, then check the configuration.

If there is an issue with scanning, simplify and use default values (for example, no filters) until the scan is working properly. Restart the scanner after each save. View the log files in the /scanner_type Scanner/logs directory for information about the status and progress of the scan.

See “Troubleshooting Scanners” on page 157 of the V9 Admin Guide.

Table 8-19 in the V9 Admin Guide provides an explanation of the VontuExchangeScanner.cfg file.

Configuring a Microsoft Exchange Scanner

Finding the ProfileName

The Exchange Scanner uses a configured Outlook profile to scan the Exchange server. Profiles are managed from Control Panel > Mail > Show Profiles.

Finding Settings For IndexAllAccounts

To obtain the settings of DNServer, DNMail, and DNMailbox for IndexAllAccounts, download the ADSI Edit support tool from the following location and install it.

http://technet2.microsoft.com/windowsserver/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true

The ADSI Edit support tool is normally installed in the following location:

C:\Program Files\Support Tools\adsiedit.msc

To find the setting for the DNServer value, open the ADSI Edit application and locate the DNServer value, for example, the msExchHomeServer attribute value under Microsoft Exchange System Objects, SystemMailbox.

Finding the Setting For the DNMail Value

To find the setting for the DNMail value, open the ADSI Edit application and locate the DNMail value, for example, the legacyExchangeDN attribute value of the First Storage Group.

Finding the Setting For the DNMailbox Value

To find the setting for the DNMailbox value, open the ADSI Edit application and locate the DNMailbox value, for example, the legacyExchangeDN attribute value of the Administrator User. Note that the DNMailbox value is case sensitive.

Example Configuration for Scanning the Exchange Archive Public Folder

Scan the Archive public folder, configured in the file VontuExchangeScanner.cfg.

//##########################################################
//# Jobs
//##########################################################

[Jobs]
Number=1
0=Job0

[Job0]
ProfileName=Administrator
password=passwordforoutlookprofile
StartFolder=IPM_SUBTREE\Archive 

Example Configuration for Scanning an Exchange Inbox

Scan the Administrator profile's Inbox, configured in the file VontuExchangeScanner.cfg.

//##########################################################
//# Jobs
//##########################################################

[Jobs]
Number=1
0=Job0

[Job0]
ProfileName=Administrator
StartFolder=IPM_SUBTREE\Inbox

Example Configuration for Scanning Another User's Inbox

Scan the Inbox of user Test2, using the Administrator profile, as configured in the file VontuExchangeScanner.cfg.

//##########################################################
//# Jobs
//##########################################################

[Jobs]
Number=1
0=Job0

[Job0]
ProfileName=Administrator
Password=mypassword

IndexAllAccounts = true
DNServer=/o=Dar Test Lab/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=DAR-EXCHANGE
DNMail=/o=Dar Test Lab/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=DAR-EXCHANGE/cn=Microsoft Private MDB
DNMailbox=/o=Dar Test Lab/ou=First Administrative Group/cn=Recipients/cn=Administrator

Mailbox = /O=DAR TEST LAB/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=PROTECT.TEST2
StartFolder = Top of Information Store\Inbox

Example Configuration for Scanning all Exchange Mailboxes

Scan all mailboxes, configured in the file VontuExchangeScanner.cfg.

//##########################################################
//# Jobs
//##########################################################

[Jobs]
Number=1
0=Job0

[Job0]
IndexAllAccounts = true
ProfileName = Administrator
Password = mypassword
DNServer = /o=organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=COMPANY-EXCHANGE
DNMail = /o=organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=COMPANY-EXCHANGE/cn=Microsoft Private MDB
DNMailbox = /o=organization/ou=First Administrative Group/cn=Recipients/cn=Administrator

Example Configuration for Running Multiple Exchange Scanner Jobs

Scan multiple Exchange mailboxes, using multiple jobs in the same configuration file, configured in the file VontuExchangeScanner.cfg.

//##########################################################
//# Jobs
//##########################################################

[Fetch]
FetchName0=Job0
FetchName1=Job1

[Jobs]
Number=2
0=Job0
1=Job1

[Job0]
ProfileName=Nesti,Sergio
StartFolder=IPM_SUBTREE\Archive\DL-NPI

[Job1]
ProfileName=Nesti,Sergio
StartFolder=IPM_SUBTREE\Inbox\AEP

**NOTE: This information is located in the V9 Admin Guide**
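
A pre-flight check for VontuExchangeScanner.cfg, run before restarting the scanner. This is an added example, not code from the product or the V9 Admin Guide. The function name, the sample file and the rules are assumptions drawn from the statements and example configurations above: Number matches the listed jobs, every listed job has a section, IndexAllAccounts=true comes with DNServer, DNMail and DNMailbox, StartFolder has no wildcards, and any Password stored in clear text is reported so that read access to the file can be restricted.

```python
import configparser

# Constructed sample in the layout of the page's examples; all values are placeholders.
SAMPLE_CFG = r"""
//# Jobs
[Jobs]
Number=2
0=Job0
1=Job1

[Job0]
ProfileName=Administrator
Password=mypassword
IndexAllAccounts = true
DNServer=/o=organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=COMPANY-EXCHANGE
DNMailbox=/o=organization/ou=First Administrative Group/cn=Recipients/cn=Administrator

[Job1]
ProfileName=Administrator
StartFolder=IPM_SUBTREE\Inbox\*
"""

def lint_scanner_cfg(text):
    """Return (section, finding) tuples; the rules are assumptions drawn from the page."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                    comment_prefixes=("//", "#", ";"))
    cfg.read_string(text)
    findings = []
    jobs = dict(cfg["Jobs"]) if cfg.has_section("Jobs") else {}
    declared = jobs.pop("number", "0").strip()
    if declared != str(len(jobs)):
        findings.append(("Jobs", f"Number={declared} but {len(jobs)} jobs listed"))
    for name in jobs.values():
        if not cfg.has_section(name):
            findings.append((name, "listed in [Jobs] but has no section"))
            continue
        job = cfg[name]  # option names are matched case-insensitively
        if job.get("Password"):
            findings.append((name, "plaintext Password in file; restrict who can read it"))
        if job.get("IndexAllAccounts", "false").strip().lower() == "true":
            for key in ("DNServer", "DNMail", "DNMailbox"):
                if not job.get(key):
                    findings.append((name, f"IndexAllAccounts=true but {key} is empty"))
        elif any(ch in job.get("StartFolder", "") for ch in "*?"):
            findings.append((name, "StartFolder contains a wildcard (not supported)"))
    return findings

if __name__ == "__main__":
    for section, finding in lint_scanner_cfg(SAMPLE_CFG):
        print(f"[{section}] {finding}")
```

Each DN value must sit on a single line for this parser; a value wrapped onto an unindented line is not read as part of the setting.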