Module 9: Configuring Messaging Policy and Compliance Course 10135B Presentation: 90 minutes Lab: 90 minutes After completing this module, students will be able to: Explain the messaging compliance requirements and options. Configure transport rules. Configure journaling rules. Configure messaging records management. Configure Personal Archives. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 10135B_09.ppt. Important: We recommend that you use PowerPoint 2002 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. Note about the demonstrations : To prepare for the demonstrations, start the 10135B-VAN-DC1 virtual machine and log on to the server before starting the other virtual machines. To save time during the demonstrations, log on to the Exchange servers and open the Exchange Server management tools before starting the demonstrations. Additionally, connect to the Microsoft Outlook® Web App site on the Exchange servers, and then log on as Administrator. It can take more than a minute to open the management tools and Microsoft Outlook Web App for the first time.
As you introduce this module and lesson, stress that a primary design goal with Exchange Server 2010 is to provide more tools for message policy compliance. Most organizations are now under some type of regulatory compliance legislation, and most organizations realize that email is a primary means of business communication. Messaging policy and compliance features in Exchange Server 2010 provide organizations with the tools to enforce compliance requirements for email.
Discussion time : 15 minutes As students answer the second and third questions, consider putting their answers on the white board. You can use this list for the next topic to show how Exchange Server 2010 can provide solutions to these regulatory requirements. Question : What type of business does your organization conduct? What are some legislated compliance requirements for your organization? Answer : Answers will vary depending on the business that the organization conducts. Some examples of how legislation restricts how U.S. organizations manage information include: Sarbanes-Oxley Act of 2002 (SOX) Gramm-Leach-Bliley Act (Financial Modernization Act) Health Insurance Portability and Accountability Act of 1996 (HIPAA) Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act) Here are other countries’ examples of this type of restriction: The Personal Information Protection and Electronic Documents Act (Canada) Federal Privacy Act (Australia) European Union Data Protection Directive (EUDPD) Japan’s Personal Information Protection Act Question : What additional compliance requirements does your organization have? Answer : Organizations might have additional requirements for managing email. For example, an organization might want to add legal disclaimers to outgoing communications or require that certain messages require an intellectual property disclosure disclaimer. Organizations also might have message-retention requirements that mandate that certain messages be retained and others deleted after a specified time. Question : How are you currently meeting these compliance requirements? Answer : Answers will vary. Quite a few organizations implement some type of archiving solution. If organizations deployed Exchange Server 2007, they might have taken advantage of its messaging compliance features. 
Many organizations have written policies regarding messaging compliance, but have not been able to enforce the rules except through conducting audits.
This topic provides an overview of the Exchange Server 2010 options for enforcing messaging policy and compliance requirements. Briefly describe the features here. You will provide more detail on each feature later in this module. As you describe the Exchange Server 2010 features, point out which of the requirements could be fully or partially met by each of the enforcement options.
Stress that Exchange Server applies transport rules to messages while they are in transit, after the sender submits them and before recipients receive them. Exchange Server applies the rules on transport servers, which means that the user has no control over whether Exchange Server actually applies the rule, and that Exchange Server can apply the rules at any point during a message’s transmission. Mention that the transport rule configuration is one of the reasons why the transport server roles have been separated from the Mailbox server role, and why all messages must flow through a transport server, even messages between two mailboxes on the same Mailbox server. By forcing all messages to pass through a transport server, Exchange Server 2010 enables easy application of rules that apply to all messages. Highlight that you can configure transport rules on Edge Transport and Hub Transport servers, but that there are some differences in the types of rules and the configuration options between the two Exchange Server 2010 server roles: Hub Transport rules are stored in Active Directory and apply across the organization, whereas Edge Transport rules are stored locally on each Edge Transport server and must be configured on each one.
As you describe the components that make up a transport rule, provide examples of some of the configuration options for each component. Some examples are: Conditions: Search for the message sender or recipient, keywords in the message’s subject or body, regular expression patterns such as customer numbers and social insurance numbers, and other specific items. Actions: Block the message, send the message to an alternative address, add a disclaimer to the message, and other actions. Exceptions: This list is similar to the conditions list, and enables you to narrow down the conditions under which Exchange Server applies the actions. Predicates: The condition or exception can examine the To: or Subject fields, or an attachment size.
As you present the demonstration, spend time discussing some of the conditions, actions, and exceptions. Even though you are configuring only one transport rule, you should provide students with an overview of the options they have when configuring transport rules. This demonstration shows how to type HTML code in the disclaimer. Using HTML in the disclaimer can be useful because it makes it easier to provide complex formatting and to link to other objects as part of the disclaimer. You can use simple text in the disclaimer if you prefer. Demonstration Steps On VAN-EX1, open the Exchange Management Console. Under Organization Configuration, click Hub Transport. In the Actions pane, click New Transport Rule. On the Introduction page, in the Name field, type Company Disclaimer HTML. Verify that Enable Rule is selected, and then click Next. On the Conditions page, under Step 1, select send to users that are inside or outside the organization, or partners, and then click Next. On the Actions page, under Step 1, select append disclaimer text and fallback to action if unable to apply. Under Step 2, click the disclaimer text link. In the Specify disclaimer text box, type the following text, ensuring that you press Enter at the end of each line: <html> <body> <br>&nbsp;</br> <br>&nbsp;</br> <b><font color=red>This e-mail and attachments are intended for the individual or group addressed.</font></b> </body> </html> Click OK, and then click Next. Click Next, and then click New to create the new HTML disclaimer rule. On the Completion page, click Finish.
In the Actions pane, click New Transport Rule. On the Introduction page, in the Name field, type Social Insurance Number Block Rule. Verify that Enable Rule is selected, and then click Next. On the Conditions page, under Step 1, select when the Subject field or the message body matches text patterns. Under Step 2, click text patterns, type \d\d\d-\d\d-\d\d\d\d (three digits, two digits, and four digits separated by hyphens; note the backslash before every \d), click Add, click OK, and then click Next. On the Actions page, under Step 1, select send rejection message to sender with enhanced status code. Under Step 2, click the rejection message link. In the Bounce message field, type This message has been rejected because of content restrictions. Under Step 2, click the enhanced status code link, and type 5.7.1. Click OK, and then click Next. Click Next, and then click New to create the block rule. On the Completion page, click Finish. To test the transport rules, switch to VAN-CL1, and then open Microsoft Outlook 2010. Click New E-mail, and then create a message with the following properties: To: Administrator Subject: Disclaimer Test Content: Testing the HTML disclaimer Send the message. On VAN-EX1, open Windows® Internet Explorer®, and connect to https://VAN-EX1.adatum.com/owa. Log on to Microsoft Outlook Web App as Adatum\Administrator with the password Pa$$w0rd. Click OK. Verify that the message from Luca Dellamore includes the HTML disclaimer. On VAN-CL1, create a new message with the following properties: To: Administrator Subject: Transport Rule Test Content: Testing the Social insurance number block rule. 111-11-1111
Send the message. Verify that the sender receives an NDR with the rejection message text that you configured. Question: What transport policies will you need to implement in your organization? Answer: Answers will vary. Transport rules provide many different options to restrict message flow and modify messages as they pass through the Hub Transport servers.
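The two rules built in the console above, created from the Exchange Management Shell instead. This is an added example and is not part of the course material; it assumes the Exchange Server 2010 SP1 parameter names of New-TransportRule, the A. Datum lab names, and that the disclaimer is scoped to recipients outside the organization (the wizard offers inside, outside, and partner scopes, and the lab review later refers to external recipients). The pattern check at the top is the step worth doing before any pattern goes into a rule: the regex in the demonstration text as printed was missing a backslash, and a pattern that never matches fails silently.

```powershell
# Added example (not course code): the demonstration's two transport rules, scripted from the
# Exchange Management Shell on a Hub Transport server. Assumes Exchange 2010 SP1 cmdlet parameters
# and the A. Datum lab names used in the module.

# 1. Check the pattern against constructed sample text before putting it into a rule. The explicit
#    \d\d\d-\d\d-\d\d\d\d form is used rather than {n} quantifiers so the same string works both in
#    PowerShell's .NET regex engine and in the transport rule pattern syntax.
$pattern = '\d\d\d-\d\d-\d\d\d\d'
$samples = @('111-11-1111', 'Order 123-45-6789 shipped', 'phone 555-1212', 'no numbers here')
foreach ($s in $samples) {
    '{0,-28} matches: {1}' -f $s, ($s -match $pattern)
}
# Expected: the first two samples report True, the last two report False.

# 2. HTML disclaimer appended to messages leaving the organization (assumed scope). The Wrap
#    fallback delivers the original message as an attachment of a new message if the disclaimer
#    cannot be inserted (for example, signed or encrypted mail), so mail is not lost.
$disclaimer = @'
<html><body><br>&nbsp;<br>&nbsp;
<b><font color="red">This e-mail and attachments are intended for the individual or group addressed.</font></b>
</body></html>
'@
New-TransportRule -Name 'Company Disclaimer HTML' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Enabled $true

# 3. Reject messages whose subject or body contains an NNN-NN-NNNN identifier, returning an NDR
#    with enhanced status code 5.7.1 (delivery not authorized) to the sender.
New-TransportRule -Name 'Social Insurance Number Block Rule' `
    -SubjectOrBodyMatchesPatterns $pattern `
    -RejectMessageReasonText 'This message has been rejected because of content restrictions' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Enabled $true

# 4. Review what exists and the order in which rules run (lower Priority runs first). Rule order
#    matters: a rule that rejects a message stops later rules from seeing it.
Get-TransportRule | Sort-Object Priority | Format-Table Name, State, Priority -AutoSize
```

Run the pattern check on its own first; if a sample that should match reports False, fix the pattern before creating the rule, because New-TransportRule accepts any syntactically valid pattern without telling you whether it matches anything.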
Use the definition on the slide to describe AD RMS. Then talk about intellectual property and how important it is in the business world. You can use the following example from Module 1: Tailspin Toys has developed a first-to-market product that gives them an edge over their competitors. To keep the product’s details within the confines of the company’s network, it makes sense to utilize rights management to minimize the numbers of users with permission to access the documentation, and to keep those users from printing or sending this critical documentation. The increased threat of computer-related crimes also is a reason to be more protective of information. Additionally, new legislative standards are resulting in many companies needing to protect sensitive data even more.
Describe the following points: AD RMS Cluster: There are two types of clusters, AD RMS Certification Server Cluster (root cluster) and licensing-only cluster. Root cluster: Always the first server installed in an AD RMS installation. It handles all of the licensing and certification requests for the AD DS domain in which it was installed. This can be a single server or a group of servers. Licensing-only cluster: Used for distributed environments such as departments, where different policies may be required. Does not perform certification. AD DS: The AD RMS server must be a member of an Active Directory® domain. AD DS is also used for hosting the service connection point (SCP), which is used to provide intranet clients the ability to automatically discover the URL for the AD RMS cluster. Database Services: AD RMS requires a database to store configuration information, user and server keys, and logging information. Microsoft SQL Server® typically is used, however smaller environments can use the internal database that Windows Server 2008 provides. AD RMS–Aware Applications: Users must use applications that have RMS features. Highlight that rights policy templates can be used to create custom protection rules. For example, you might decide to create an AD RMS template that enables users to access content only for a limited time.
This topic provides an overview of how AD RMS works. This is a generic description of how AD RMS works, and does not include an Exchange server. Mention that AD RMS does not require an Exchange infrastructure. Because Microsoft Office 2007 and later versions are AD RMS-aware applications, users can protect content with Office 2007, and anyone who obtains the file, for example from a file share, must then authenticate to the AD RMS cluster and be issued a use license before the application will open it. Author receives a client licensor certificate the first time they rights-protect information. Author defines a set of usage rights and rules for their file, and the application creates a “publishing license” and encrypts the file. Author distributes the file. Recipient clicks the file to open it, and the application calls the AD RMS server, which validates the user and issues a “use license.” Application renders the file and enforces its rights. Stress that the protection travels with the file: because the content is encrypted, copying the file elsewhere does not remove the restrictions. The rights themselves, however, are enforced by the AD RMS-aware application, so they protect against accidental or casual misuse rather than against a determined user who is already permitted to view the content. AD RMS is a Windows Server® 2008 server role and requires a Windows Server 2008 server deployment. Windows Vista® or later include the RMS client, but you also can install the RMS client on Windows XP.
Consider redrawing the diagram from the previous topic and inserting Exchange Server 2010 into the diagram. Exchange Server 2010 integrates with the components displayed in the previous diagram as follows: User-protected email messages can be sent through the Exchange server. A Hub Transport server can operate like the AD RMS client. For example, when a message triggers a Transport Protection Rule, the Hub Transport server can apply the protection to the message. The Exchange server can operate on behalf of the AD RMS client. For example, when an Outlook client is offline, the AD RMS Prelicensing Agent on the Exchange server can preauthorize access to messages. When features like Journal Report Decryption or IRM for Outlook Web App are enabled, the Hub Transport server or Client Access server must communicate with the AD RMS server.
Before starting this demonstration, describe the demonstration environment to the students. The AD RMS server is already deployed in the organization and is configured with the required templates. Enabling the client for AD RMS can take several minutes for both the message sender and message recipient. To save time during this demonstration, you can configure Luca’s account for AD RMS before starting the demonstration. You can also start the demonstration and continue explaining other content while waiting for the client to be configured. Demonstration Steps On VAN-CL1, open Outlook 2010. Create a new message with the following properties: To: Administrator. Subject: Testing AD RMS integration Content: This is a protected email. In the Options tab, click the Permission icon. In the Windows Security dialog box, log on as Luca using the password Pa$$w0rd. Wait while Luca’s credentials are prepared. When the message appears, verify that the message now contains the Do Not Forward header. Click Send, close Outlook, and then log off. Log on to VAN-CL1 as Adatum\Administrator using the password Pa$$w0rd. Open Outlook 2010, and then open the message from Luca Dellamore. In the Windows Security dialog box, log on as Administrator using a password of Pa$$w0rd. Click OK. When the message opens, verify that you do not have permission to forward the message. Close the message. On VAN-DC1, open Windows Explorer, browse to C:\inetpub\wwwroot\_wmcs\certification, right-click servercertification.asmx, and then click Properties. In the ServerCertification.asmx Properties dialog box, click the Security tab, and then click Edit. In the Permissions for ServerCertification.asmx dialog box, click Add. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK. In the Enter the object names to select field, type Exchange Servers, and then click OK. Click Add.
In the Enter the object names to select field, type IIS_IUSRS , and then click OK twice .
On VAN-DC1, open a command prompt, type IISReset, and then press Enter. Wait for the service to restart, and then close the command prompt. On VAN-EX1, in the Exchange Management Shell, type get-irmconfiguration, and then press Enter. This cmdlet displays the default AD RMS integration configuration for the Exchange Server organization. At the PS prompt, type set-irmconfiguration -InternalLicensingEnabled:$true, and then press Enter. This cmdlet enables the IRM features for internal messages, such as transport protection rules and prelicensing, so that the Hub Transport servers can rights-protect messages on behalf of users. At the PS prompt, type test-irmconfiguration -sender Luca@adatum.com, and then press Enter. This cmdlet tests the AD RMS configuration. Note that all tests except for acquiring a use license pass. On VAN-EX1, in the Exchange Management Console, under Organization Configuration, click Hub Transport. In the Actions pane, click New Transport Rule. On the Introduction page, in the Name field, type AD RMS Test Rule. Verify that Enable Rule is selected, and then click Next. On the Conditions page, under Step 1, select from people. Under Step 2, click the people link. In the Specify senders dialog box, click Add, click Administrator, and then click OK twice. On the Conditions page, under Step 1, select sent to people. Under Step 2, click the people link. In the Specify recipients dialog box, click Add, click Luca Dellamore, and then click OK twice. Click Next. On the Actions page, under Step 1, select rights protect message with RMS template. Under Step 2, click the RMS Template link. In the Select RMS template dialog box, click Do Not Forward, and then click OK. Click Next twice, and then click New. Click Finish. On VAN-CL1, ensure that you are logged on as Administrator. Create a new message with a subject of Transport Rule ADRMS test, and send it to Luca. Log off VAN-CL1, and then log on as Luca.
Open Outlook and verify that Luca received the message entitled “Transport Rule ADRMS test” and that the Do Not Forward template is protecting the message. You will need to authenticate again to open the message.
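The server-side part of the demonstration (the ACL change on VAN-DC1 and the IRM configuration and transport protection rule on VAN-EX1) as a script. This is an added example, not course code; it assumes the lab names (domain ADATUM, AD RMS on VAN-DC1, the Do Not Forward template) and the Exchange Server 2010 SP1 parameters of New-TransportRule. The first section runs on the AD RMS server, the rest in the Exchange Management Shell.

```powershell
# Added example (not course code). Assumes the A. Datum lab environment and Exchange 2010 SP1.

# --- On VAN-DC1 (AD RMS server), in an elevated PowerShell or command prompt ---
# Grant the Exchange servers and the IIS worker accounts read-and-execute access to the
# certification pipeline (the Security tab edits from the demonstration), print the resulting
# ACL so the change can be reviewed, then recycle IIS so it takes effect.
$asmx = 'C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'
icacls $asmx /grant 'ADATUM\Exchange Servers:(RX)' /grant 'IIS_IUSRS:(RX)'
icacls $asmx
iisreset

# --- On VAN-EX1 (Exchange Management Shell) ---
# Show the current IRM settings, then enable internal licensing so that Hub Transport servers can
# rights-protect messages (transport protection rules) and prelicense them for clients.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, LicensingLocation, ServiceLocation
Set-IRMConfiguration -InternalLicensingEnabled $true

# Run the built-in diagnostics for a specific sender and keep the output; the demonstration
# expects every check except acquiring a use license to pass at this point.
$irmTest = Test-IRMConfiguration -Sender 'Luca@adatum.com'
$irmTest | Format-List Results, OverallResult

# Confirm the template name is known to Exchange before referencing it in a rule.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# Protect every message from Administrator to Luca with the Do Not Forward template, whether or
# not the sender chose to protect it.
New-TransportRule -Name 'AD RMS Test Rule' `
    -From 'Administrator@adatum.com' `
    -SentTo 'Luca@adatum.com' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Enabled $true

# Verify the rule references the template as intended.
Get-TransportRule -Identity 'AD RMS Test Rule' |
    Format-List Name, State, From, SentTo, ApplyRightsProtectionTemplate
```

Re-run Test-IRMConfiguration after any change to the AD RMS ACLs or to the IRM configuration; it exercises the same certification and licensing URLs the Hub Transport server uses, so a failure here will show up as unprotected or undeliverable mail later.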
Question: Does your organization have AD RMS deployed? Are you planning to deploy AD RMS? Answer: Answers will vary. Not many organizations have deployed AD RMS. The organizations that have deployed it tend to have stringent requirements for managing access to content. Question: How will Exchange Server 2010 make it easier to deploy AD RMS? Answer: The Exchange Server 2010 features overcome two important limitations of previous AD RMS deployments. First, by using transport rules, you can apply AD RMS protection even if users have chosen not to do so. In previous versions, the user had to apply the protection. Secondly, the AD RMS Prelicensing Agent on the Hub Transport server attaches a use license to protected messages as they are delivered, so Outlook and mobile clients can open them without contacting the AD RMS server, which makes the integration easier to use for offline and mobile clients.
After describing the two options for configuring moderated transport, ask students for scenarios where they would use each option. Scenarios may include: Requiring moderation for messages sent to very large distribution groups. Requiring moderation for messages sent to confidential distribution groups or recipients. Students may respond that both options provide essentially the same functionality and simply offer different ways to accomplish the same task. Point out the difference: group moderation is configured on the recipient and applies only to messages sent to that group, whereas a moderation transport rule can use any condition and exception, so it can moderate messages based on the sender, the content, or the recipient.
Demonstration Steps On VAN-EX1, open the Exchange Management Console . Under Recipient Configuration , click Distribution Group . In the middle pane, right-click Marketing , and then click Properties . On the Mail Flow Settings tab, double-click Message Moderation . In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box. Under Specify group moderators , click Add . In the Select Recipient – Entire Forest dialog box, click Luca Dellamore , and then click OK . Under Specify senders who don’t require message approval , click Add . In the Select Recipient dialog box, click Marketing , and then click OK three times. Under Organization Configuration , click Hub Transport . In the Actions pane, click New Transport Rule . On the Introduction page, in the Name field, type ITAdmins Group Moderation . Verify that Enable Rule is selected, and then click Next . Under Conditions in Step 1 , select sent to a member of distribution list. Under Step 2 , click the distribution list link. In the Specify recipient distribution group dialog box, click Add . In the Select Mail Enabled Group window, select ITAdmins , click OK , and then click OK again. Click Next . Under Actions in Step 1 , select forward the message to addresses for moderation . Under Step 2 , click the addresses link. In the Specify recipients window, click Add . In the Select Recipient User or Contact window, click Luca Dellamore , click OK , and then click OK again. Click Next . On the Exceptions page, under Step 1 , select except when the message is from a member of distribution list . Under Step 2 , click the distribution list link.
In the Specify sender distribution list window, click Add. In the Select Mail Enabled Group window, select ITAdmins, click OK, and then click OK. Click Next, and then click New. On the Completion page, click Finish. Open Internet Explorer, and then connect to https://VAN-EX1.Adatum.com/owa. Log on to Outlook Web App as Adatum\Andreas with the password Pa$$w0rd. In the Inbox, click New. In the To field, type ITAdmins. Type a subject and a short message, and then click Send. In the Inbox, click New. In the To field, type Marketing. Type a subject and a short message, and then click Send. Close Internet Explorer. On VAN-CL1, verify that you are logged in as Luca, open Outlook, and then verify that there are two messages waiting for Luca’s approval. Double-click the first email message, and then on the Vote menu, click Approve. Close the message. Double-click the second email message, and then on the Vote menu, click Approve. Close the message. Question: Will you deploy moderated transport in your organization? If so, where would you use it? Answer: Answers will vary. Because this is a new feature in Exchange Server 2010, many students may not have considered this option. Ask them to describe scenarios where they need to restrict who can send to a recipient, and then ask them to consider if moderated transport would be the best option for enabling the restrictions.
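Both moderation configurations from the demonstration, created from the Exchange Management Shell. This is an added example, not course code; it assumes the A. Datum lab names and the Exchange Server 2010 SP1 parameters of Set-DistributionGroup and New-TransportRule. The two checks at the end answer the question a reviewer will ask later: which groups and rules are enforcing moderation, and who the approvers are.

```powershell
# Added example (not course code). Assumes the A. Datum lab names and Exchange 2010 SP1.

# Option 1: moderation configured on the recipient. Every message to Marketing waits for Luca's
# approval, except messages from Marketing members themselves. Senders are always told when a
# message is rejected or expires; SendModerationNotifications controls that.
Set-DistributionGroup -Identity 'Marketing' `
    -ModerationEnabled $true `
    -ModeratedBy 'Luca Dellamore' `
    -BypassModerationFromSendersOrMembers 'Marketing' `
    -SendModerationNotifications Always

# Option 2: the same policy expressed as a transport rule for ITAdmins. Condition, action and
# exception correspond to the three wizard pages in the demonstration.
New-TransportRule -Name 'ITAdmins Group Moderation' `
    -SentToMemberOf 'ITAdmins@adatum.com' `
    -ModerateMessageByUser 'Luca@adatum.com' `
    -ExceptIfFromMemberOf 'ITAdmins@adatum.com' `
    -Enabled $true

# Check 1: every mail-enabled group with moderation switched on, with its approvers and bypass list.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.ModerationEnabled } |
    Format-Table Name, ModeratedBy, BypassModerationFromSendersOrMembers -AutoSize

# Check 2: every transport rule whose action is moderation, with its condition and exception.
Get-TransportRule |
    Where-Object { $_.ModerateMessageByUser } |
    Format-Table Name, State, SentToMemberOf, ModerateMessageByUser, ExceptIfFromMemberOf -AutoSize

# Pending approval requests are held in the arbitration mailbox until the moderator votes, so
# that mailbox must stay mounted and within quota for moderation to keep working.
Get-Mailbox -Arbitration | Format-Table Name, Database -AutoSize
```

A message that the moderator neither approves nor rejects expires after the arbitration mailbox's configured timeout and is returned to the sender, so moderators need to be told that silence is not the same as approval.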
After describing message journaling, ask students if they will require this functionality. Many organizations require retention of certain messages for specific time periods. Message journaling is one way to provide this functionality, although journaling captures copies of messages in a journal mailbox rather than retaining them in the user's mailbox, so the journal mailbox itself then needs its own retention and protection. As you discuss the options for journaling messages, mention that the available options depend on the type of client access license (CAL) that the company deploys. With standard CALs, you can enable only standard journaling, which journals all messages sent to or from every mailbox on a mailbox database. With enterprise CALs, you can also enable premium journaling, which uses journal rules to journal per recipient and by scope (internal, external, or all messages). Mention that the next lesson provides more information on messaging records management.
Demonstration Steps On VAN-EX1, in the Exchange Management Console, under Organization Configuration, click Hub Transport. In the Actions pane, click New Journal Rule to start the New Journal Rule wizard. On the New Journal Rule page, in the Rule name field, type Executives Message Journaling. Beside Send Journal reports to e-mail address, click Browse. In the Select Recipient dialog box, click Luca Dellamore, and then click OK. Note In this demonstration, you are choosing another user’s mailbox as the destination for the journaled messages. In a production environment, choose a mailbox that you can dedicate as a journal mailbox. Under Scope, click Internal – internal messages only. Select the Journal messages for recipient check box, and then click Browse. In the Select Recipient dialog box, click Executives, and then click OK. On the New Journaling Rule page, click New, and then click Finish. On VAN-EX1, open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Andreas with the password Pa$$w0rd. Create a new message, and then send it to Scott MacDonald. Scott is a member of the Executives group. Close Internet Explorer. Open a new instance of Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Scott with the password Pa$$w0rd. Confirm that the message from Andreas arrived. Reply to the message, and then close Internet Explorer. On VAN-CL1, verify that you are logged in as Luca, open Outlook, and then confirm that the journal mailbox contains journal reports for both the message sent to Scott and the reply, because the rule journals messages sent to and from the Executives group. Question: What are the advantages and disadvantages of using the Exchange Server 2010 message journaling feature? Answer: Answers will vary depending on what tool the organization has deployed.
Exchange Server 2010 journaling has one clear advantage: it enables you to specify any archival location for messages, and you can filter journaling based on recipients rather than at a database level. However, Exchange Server 2010 does not provide any automated tools for managing the journal mailbox, so you will need to implement a manual management process.
Highlight the importance of developing policies for managing the message journal mailbox. There are several key requirements that must be met: How do you manage the mailbox size? The mailbox may grow rapidly if you are applying several journaling rules, and a journal mailbox that reaches a prohibit-receive quota starts rejecting journal reports. How do you manage security for the journaling mailbox? The mailbox may contain highly confidential information, so you should restrict who has access to the mailbox and review that access regularly. Ensure legal compliance. Because you are probably setting up the journal mailbox to meet a legal or corporate requirement, make sure that your implementation has approval from your legal representatives.
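The journal rule from the demonstration together with the journal-mailbox management points listed above, done in the Exchange Management Shell. This is an added example, not course code; it assumes Exchange Server 2010 SP1, an enterprise CAL (journal rules are premium journaling), and a dedicated journal mailbox named Journal with a second mailbox JournalNdr for undeliverable reports, both of which are assumed names (the demonstration reuses Luca's mailbox to save time).

```powershell
# Added example (not course code). Assumes Exchange 2010 SP1, the A. Datum lab domain, and
# dedicated mailboxes 'Journal' and 'JournalNdr' (assumed names) already created.

# Per-recipient journal rule: internal messages sent to or from the Executives group, copied to
# the dedicated journal mailbox as journal reports.
New-JournalRule -Name 'Executives Message Journaling' `
    -JournalEmailAddress 'Journal@adatum.com' `
    -Scope Internal `
    -Recipient 'Executives@adatum.com' `
    -Enabled $true

# Size: warn early, but never set a prohibit-receive quota on a journal mailbox, because a full
# journal mailbox would start rejecting journal reports. Instead, direct undeliverable journal
# reports to a second mailbox so they are not lost while the primary one is repaired.
Set-Mailbox -Identity 'Journal' `
    -IssueWarningQuota 20GB `
    -ProhibitSendQuota Unlimited `
    -ProhibitSendReceiveQuota Unlimited
Set-TransportConfig -JournalingReportNdrTo 'JournalNdr@adatum.com'

# Security: keep the journal mailbox out of the address lists, and list every explicit (not
# inherited) Full Access grant on it so the list can be reviewed against the approved access policy.
Set-Mailbox -Identity 'Journal' -HiddenFromAddressListsEnabled $true
Get-MailboxPermission -Identity 'Journal' |
    Where-Object { ($_.AccessRights -contains 'FullAccess') -and (-not $_.IsInherited) } |
    Format-Table User, AccessRights, Deny -AutoSize

# Compliance check: list the journal rules and confirm each target address is a real mailbox in
# the organization rather than a typo that would send copies nowhere.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled -AutoSize
Get-JournalRule | ForEach-Object {
    $target = Get-Recipient -Identity $_.JournalEmailAddress -ErrorAction SilentlyContinue
    '{0,-35} -> {1} ({2})' -f $_.Name, $_.JournalEmailAddress,
        $(if ($target) { $target.RecipientType } else { 'NOT FOUND' })
}
```

Run the last two checks on a schedule: a rule whose target mailbox has been deleted or moved out of the organization keeps reporting Enabled while the copies go undelivered, which is exactly the failure an auditor will find first.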
Start this topic’s presentation by asking students whether they have a requirement to search multiple mailboxes. Student response will vary. Most organizations probably never require multi-mailbox searches, but organizations with high security requirements might use this feature frequently. Highlight the need to get legal approval for doing multi-mailbox searches. In some organizations, performing unauthorized mailbox searches would be immediate grounds for dismissal and possible legal action. Describe how the Multi-Mailbox Search feature works, then emphasize that only users who have appropriate permissions can perform these searches. By default, even organization administrators cannot search all mailboxes. If a user needs to be able to search all organizational mailboxes, the easiest way to provide the required permissions is to add the user to the Discovery Management role group, and to grant the user access to the discovery mailbox that will hold the search results.
Define legal hold. We recommend that you describe this feature first by providing an appropriate usage scenario. After that, describe the changes to the dumpster (the Recoverable Items folder) in Exchange Server 2010, which is what allows a mailbox on litigation hold to retain items that the user has purged. Question: In which scenarios is it appropriate to use legal hold? Answer: Answers may vary. One example is, if you receive a court order that someone’s correspondence must be tracked or retained, you will enable legal hold on that user’s mailbox.
In Exchange Server 2007, Exchange administrators could search mailboxes by using the Export-Mailbox cmdlet. Ask students if they have ever used this tool. If they have, ask them to compare the tool to performing cross-mailbox searches using the Exchange Control Panel. Demonstration Steps On VAN-DC1, open Active Directory Users and Computers, and then in the Microsoft Exchange Security Groups organizational unit (OU), double-click the Discovery Management group. In the Discovery Management Properties dialog box, on the Members tab, click Add, type Andreas, and then click OK twice. On VAN-EX1, if required, open Exchange Management Console. Under Recipient Management, click Mailboxes. Double-click George Schaller. On the Mailbox Settings tab, double-click Messaging Records Management. Select the Enable Litigation Hold check box, and then click OK three times. Right-click Discovery Search Mailbox, and then click Manage Full Access Permission. Click Add. Select Andreas Herbinger, and then click OK. Click Manage, and then click Finish. Open the Services console from the Administrative Tools folder. Right-click Microsoft Exchange Active Directory Topology, and click Restart. Click Yes to restart the other services. Wait for the services to restart. Restarting the Exchange Server services forces the immediate application of the litigation hold, which otherwise takes effect only after the Active Directory change has been picked up. On VAN-CL1, verify that you are logged in as Adatum\Luca, and open Outlook. In the Inbox, click New E-mail. In the To field, type George;Parna, and then press CTRL+K to resolve the names. In the Subject field, type New Inventory. In the message box, type We’ve received the new ProjectX items in inventory, and then click Send. Open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on to the Outlook Web App as Adatum\George, with the password Pa$$w0rd. Click the message with a subject of New Inventory, and then click Delete.
Click the Deleted Items folder and then click Empty Deleted Items . Right-click the Deleted Items folder, and then click Recover Deleted Items . Click the message and then click the Purge Deleted Items button. Click OK to permanently delete the message, and close all Internet Explorer Windows.
Open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/ecp. Log on to the Exchange Control Panel as Adatum\Andreas, with the password Pa$$w0rd. In the Select what to manage drop-down list, ensure that Manage My Organization is listed. In the left pane, click Mail Control. Under Multi-Mailbox Search, click New. In the Keywords box, type ProjectX. Expand Mailboxes to Search. Under Select the mailboxes to search, click Add. In the Select Mailbox window, click George Schaller, Luca Dellamore, and Parna Khot, click Add, and then click OK. Expand Search Name, Type, and Storage Location. In the Search name field, type ProjectX Discovery. Click Copy the search results to the destination mailbox. Clear the Enable deduplication check box. Next to Select a mailbox in which to store the search results, click Browse. In the Select Mailbox to Store Search Results window, click Discovery Search Mailbox, and then click OK. Click Save. Wait until the search status changes to Succeeded. Click Open in the right pane. Click OK. In the Navigation pane, expand the ProjectX Discovery folder. Note that separate search folders have been created for each mailbox. Expand George’s mailbox, expand Primary Mailbox, expand Deleted Items, and verify that the purged message is listed: the litigation hold kept the copy that George purged from Recoverable Items, and the search found it. Close Outlook Web App and Outlook.
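The litigation hold and Multi-Mailbox Search steps of the demonstration from the Exchange Management Shell, with the status checks an investigator would want to record. This is an added example, not course code; it assumes the A. Datum lab names and the Exchange Server 2010 SP1 versions of Add-RoleGroupMember, Set-Mailbox and New-MailboxSearch, and the hold comment text is an assumed placeholder. The Exchange Control Panel page used in the demonstration calls these same cmdlets.

```powershell
# Added example (not course code). Assumes the A. Datum lab names and Exchange 2010 SP1.

# Delegate discovery rights through the RBAC role group rather than by editing the AD group by
# hand; the role group is what grants the Mailbox Search role, and membership is auditable.
Add-RoleGroupMember -Identity 'Discovery Management' -Member 'Andreas'
Get-RoleGroupMember -Identity 'Discovery Management'

# Put George's mailbox on litigation hold: items the user purges are retained in Recoverable
# Items instead of being removed from the database. The comment is shown to the user in Outlook.
Set-Mailbox -Identity 'George Schaller' `
    -LitigationHoldEnabled $true `
    -RetentionComment 'Mailbox on hold for the ProjectX inquiry (assumed wording)'
Get-Mailbox -Identity 'George Schaller' |
    Format-List LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner

# Give the investigator Full Access to the discovery mailbox that will receive the results.
Add-MailboxPermission -Identity 'Discovery Search Mailbox' -User 'Andreas' -AccessRights FullAccess

# Create the search. Duplicates are deliberately kept (as in the demonstration) so that each
# mailbox's own copy, including a purged one, appears under that mailbox's folder in the results.
New-MailboxSearch -Name 'ProjectX Discovery' `
    -SearchQuery 'ProjectX' `
    -SourceMailboxes 'George Schaller', 'Luca Dellamore', 'Parna Khot' `
    -TargetMailbox 'Discovery Search Mailbox' `
    -ExcludeDuplicateMessages $false `
    -LogLevel Full

# Start the search if creating it did not already start it, then wait for it to finish.
if ((Get-MailboxSearch -Identity 'ProjectX Discovery').Status -eq 'NotStarted') {
    Start-MailboxSearch -Identity 'ProjectX Discovery'
}
do {
    Start-Sleep -Seconds 10
    $search = Get-MailboxSearch -Identity 'ProjectX Discovery'
} while (@('NotStarted', 'InProgress') -contains $search.Status)

# Record the outcome: status, number and size of items copied, and the link to the results folder.
$search | Format-List Name, Status, SearchQuery, SourceMailboxes, ResultNumber, ResultSize, ResultsLink
```

Keep the output of the last command with the case file: a search whose Status is PartiallySucceeded means at least one source mailbox was skipped, and the LogLevel Full log placed in the discovery mailbox says which one and why.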
In this lab, students will: Configure transport rules. Configure journal rules and Multi-Mailbox Search. Exercise 1: Configuring Transport Rules Inputs: The students will be provided with a set of instructions regarding the transport rules that they must configure to meet a set of business and legal requirements. This lab will require a domain controller, one Exchange server, and a client computer with Outlook installed. Students also need to configure the domain controller as an AD RMS server. Outputs: Students will implement and verify transport rules by using the following options: AD RMS integration Message filtering Moderated transport Exercise 2: Configuring Journal Rules and Multi-Mailbox Search Inputs: The students will be provided with a set of instructions regarding the journal rules that they need to configure to meet a set of business and legal requirements. This lab will require a domain controller, one Exchange server, and a client computer with Outlook installed. Outputs: Students will implement journaling rules and verify that the journaling rules work.
Use the questions on the slide to guide the discussion after students complete the lab exercises.
Question: In this lab, you implemented a transport rule that added a disclaimer to all messages sent to users outside the organization. What other option do you have for implementing this type of disclaimer?
Answer: You could configure the transport rule on an Edge Transport server, and configure it to apply the disclaimer to all messages sent from the organization.
Question: How can you verify that the Executives journal rule that you enabled in this lab is working properly?
Answer: One option for verifying that the rule is working is to send a message to a group member, and verify that the message appears in the journal mailbox. Another option would be to use an account with Discovery Management permissions to search an Executive mailbox for all messages sent and received during a specific time. You then could validate that a copy of each message is in the journal mailbox.
Discussion time: 15 minutes
Question: Do you have any archiving or journaling requirements in your organization?
Answer: Answers will vary. Many organizations have requirements for archiving certain messages. For example, an organization may require that messages with business-transaction information be archived for several years.
Question: How are you currently meeting these requirements?
Answer: Most organizations that implement an archiving solution do so using third-party applications. Previous Exchange Server versions only enabled journaling at the mailbox store level, where all messages sent and received from that store were archived.
If students implement a third-party archiving tool, ask them to describe how the archiving tool works and what types of functionality the tool provides. If none of the students currently use an archiving product, you should be prepared to describe how most archiving products work. There are three primary architectures for archiving products:
• Some products archive messages immediately as they are sent to or from an Exchange server.
• Some archive messages by using an agent to scan mailbox contents, and then archive messages based on predefined criteria.
• Some archive solutions integrate with Exchange Server 2007 or Exchange Server 2010 journaling. With this model, the archive product monitors the journal mailbox and archives messages from the journal mailbox.
Almost all archive solutions have two other features:
• They enable using cheaper storage for archived messages.
• They retain a stub of the archived message in the user mailbox so that the user can access archived messages.
Stress that the Exchange Server 2010 implementation of Personal Archives uses a different architecture than most other archiving solutions. The Exchange Server 2010 solution takes advantage of the improvements to disk input/output (I/O) to enable very large mailboxes that are easily accessible to users. Mention that one of the goals of Personal Archives is to move PST files into an Exchange Server database, where Exchange backs up the data and indexes it for easy searching. Mention that Personal Archive mailboxes will be visible only in Outlook 2007 with the appropriate updates, in Outlook 2010, or when users access their mailboxes through Outlook Web App.
Demonstration Steps
1. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click Mailbox.
2. Right-click Luca Dellamore, click Enable Archive, and then click OK.
3. Right-click Luca Dellamore, and then click Properties. On the Mailbox Settings tab, click Archive Quota, and then click Properties. Notice that you can configure a mailbox quota for the archive mailbox. Click Cancel.
4. In the Exchange Management Shell, type get-mailbox Luca | FL archive*, and then press Enter. Review the archive mailbox settings.
5. On VAN-CL1, verify that you are logged on as Luca, open Outlook, and then verify that you can see the archive mailbox. If the archive mailbox is not visible, close Outlook, wait a minute, and then open Outlook again.
Question: Will you implement Personal Archives in Exchange Server 2010?
Answer: Answers will vary. In some organizations, PST files store a great deal of critical information, and these organizations may have an urgent requirement to manage those PST files more effectively. Organizations with limited storage space for the Exchange servers are not likely to implement Personal Archives because of the significant increase in database size that this requires.
Question: What are the benefits and disadvantages of the Personal Archives feature?
Answer: Benefits include:
• You can enable it per mailbox
• Provides users with easy access and searching of archived content
• Requires very little user training because the UI is familiar to the users
Disadvantages include:
• Significantly increases the storage requirements for the organization
• Does not provide the option of moving the archive mailbox to cheaper, slower storage
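The Personal Archives demonstration from the Exchange Management Shell, as an added example that is not part of the course materials. It assumes the 10135B lab (VAN-EX1, user Luca Dellamore) and Exchange Server 2010 SP1; the database name ArchiveDB and the quota values are hypothetical.

```powershell
# Added example (not course material): enable and inspect a Personal Archive
# from the Exchange Management Shell.

# Enable the archive for Luca. With SP1 the archive can be placed in a separate
# mailbox database (for example, one on less expensive storage) than the
# primary mailbox. "ArchiveDB" is a hypothetical database name.
Enable-Mailbox -Identity "Luca Dellamore" -Archive -ArchiveDatabase "ArchiveDB"

# Set the archive quota and warning threshold that the console exposes under
# Mailbox Settings > Archive Quota (example values).
Set-Mailbox -Identity "Luca Dellamore" `
    -ArchiveQuota 50GB `
    -ArchiveWarningQuota 45GB

# Review the archive settings, as in the demonstration (get-mailbox Luca | FL archive*).
Get-Mailbox -Identity "Luca Dellamore" | Format-List Archive*

# List every mailbox that has an archive, with its database and quotas, so the
# storage increase that Personal Archives causes can be tracked per database.
Get-Mailbox -ResultSize Unlimited -Archive |
    Sort-Object ArchiveDatabase |
    Format-Table DisplayName, ArchiveDatabase, ArchiveQuota, ArchiveWarningQuota
```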
Ask students who have deployed an alternate messaging-archiving solution whether they would consider switching to Personal Archives. Discuss benefits and disadvantages of each option, and then provide some considerations for deploying Personal Archives in Exchange Server 2010. Highlight the significance of the Exchange Server 2010 Service Pack 1 (SP1) changes to the Personal Archives. Having the option to separate the primary and archive mailboxes makes it possible to create mailbox databases that contain only archive mailboxes. These databases can be stored on less expensive storage, or you can configure fewer copies of the databases within the DAG, or you might choose a different backup configuration for the database.
As you start this lesson, highlight the email retention or deletion policies that students mentioned during the previous lesson’s discussion.
Introduce Exchange Server 2010 options for messaging records management. Explain that managed folders are still supported, but we recommend using retention tags and retention policies instead. Do not spend too much time discussing retention tags and retention policies, because both options will be described later.
Question: How do you handle messaging records management right now?
Answer: Answers may vary, but some students may report that they use journaling or some kind of .pst file management.
Define retention tags and retention policies as methods to manage content in user mailboxes in an automated way. Be sure to describe that retention tags must be assigned to policies, and the policy must be applied to a mailbox. The main goal for retention policies is to reduce the time that users spend managing their email, by automatically applying default policies to default email folders and by enabling users to assign their own policies to nondefault folders.
Demonstration Steps
1. On VAN-EX1, in the Exchange Management Console, expand Organization Configuration, and then click Mailbox.
2. In the Actions pane, click New Retention Policy Tag.
3. In the Tag name field, type Deleted Items removal. In the Tag Type drop-down list, select Deleted Items. In the Age limit for retention (days) field, type 30. In Action to take when the age limit is reached, select Permanently Delete. In the Comments field, type: Deleted Items are purged after 30 days. Click New, and then click Finish.
4. In the Actions pane, click New Retention Policy. In the Name field, type ITAdmins policy, and then click Add. Select the Deleted Items removal tag, and then click OK. Add several additional retention policy tags, including the Default 2 year move to archive tag. Click Next.
5. On the Select Mailboxes page, click Add. In Select Mailbox – Entire Forest, click the Scope menu, and then click Modify Recipient Picker Scope. Click View all recipients in specified organizational unit, and then click Browse. Click ITAdmins, and then click OK twice. After the scope is changed, select all users in the list, and then click OK.
6. Click Next, click New, and then click Finish.
7. On VAN-EX1, in the Exchange Management Shell, type Start-ManagedFolderAssistant -Identity [email_address], and then press Enter.
8. On VAN-CL1, verify that you are logged on as Luca, open Outlook, and then verify that you can see the Archive and Retention policy tags when you right-click a message. If the tags are not visible, close Outlook, wait a minute, and then open Outlook again.
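The retention policy demonstration from the Exchange Management Shell, as an added example that is not part of the course materials. It assumes the 10135B lab (VAN-EX1, the ITAdmins organizational unit under adatum.com) and Exchange Server 2010 SP1, where the Default 2 year move to archive tag exists; the Keep 7 years personal tag goes beyond the demonstration to show the user-assignable tags the lesson describes.

```powershell
# Added example (not course material): retention tags and a retention policy
# created and applied from the Exchange Management Shell.

# Retention policy tag with the same settings as the demonstration:
# Deleted Items are permanently removed 30 days after they land there.
New-RetentionPolicyTag -Name "Deleted Items removal" `
    -Type DeletedItems `
    -AgeLimitForRetention 30 `
    -RetentionAction PermanentlyDelete `
    -Comment "Deleted Items are purged after 30 days"

# A personal tag that users can apply to their own nondefault folders.
# Not one of the demonstration's tags; added to show the personal tag type.
New-RetentionPolicyTag -Name "Keep 7 years" `
    -Type Personal `
    -AgeLimitForRetention 2555 `
    -RetentionAction DeleteAndAllowRecovery `
    -Comment "Retain for seven years, then move to recoverable items"

# Group the tags into a policy, including the SP1 default archive tag.
New-RetentionPolicy -Name "ITAdmins policy" `
    -RetentionPolicyTagLinks "Deleted Items removal", `
                             "Default 2 year move to archive", `
                             "Keep 7 years"

# Apply the policy to every mailbox in the ITAdmins OU (OU path assumed).
$itAdmins = Get-Mailbox -OrganizationalUnit "adatum.com/ITAdmins" -ResultSize Unlimited
$itAdmins | Set-Mailbox -RetentionPolicy "ITAdmins policy"

# Run the Managed Folder Assistant now rather than waiting for its schedule,
# so the tags show up in Outlook immediately.
$itAdmins | Start-ManagedFolderAssistant

# Verify which policy each mailbox received before the business signs off on
# any tag that deletes mail.
$itAdmins | Format-Table DisplayName, RetentionPolicy
```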
Question: Do you think you will implement retention policies?
Answer: Answers will vary. Many organizations do not have specific email retention requirements, so they are unlikely to implement retention policies. Other organizations may choose to use retention policies as a way to help users manage the contents of their mailboxes.
Question: Which messaging records management option are you more likely to implement: managed custom or default folders, or retention policies?
Answer: Answers will vary. Organizations that are using messaging records management to manage project-related messages may be more likely to use managed custom folders. Organizations are more likely to use retention policies if the goal is automating the process of tagging email.
Managed folders were first introduced in Exchange Server 2007. Mention that Exchange Server 2010 still supports the same managed folder features as Exchange Server 2007 supported. The functionality provided by managed folders has largely been replaced by retention policies in Exchange Server 2010. With Service Pack 1, you can manage retention policies in the Exchange Management Console, while managed folders can only be managed in the Exchange Management Shell. Because of the change in focus in the product, you may want to move quickly through the Managed Folder content in this lesson. Describe the components that make up managed folders. Ensure that you use the terminology consistently, because some of the terminology has changed since Exchange Server 2007. For example, in Exchange 2007, the term “managed folders” was used almost synonymously with messaging records management. In Exchange Server 2010, managed folders are only one part of messaging records management. One of the limitations of managing the content using custom folders is that this requires cooperation from email users, because they must store messages in the correct Inbox folder. Ask students to compare the experience of using custom folders with using retention tags.
This topic provides an overview of implementing messaging records management. Mention that the following demonstration provides more detail on these steps.
Start this topic by asking students when they would use custom folders for messaging records management versus retention policies. Retention policies are easier to use, because you can apply them automatically to all folders, and they do not require any user interaction. You still might consider using custom folders for specific project-based folders. Emphasize the importance of obtaining business and legal signoff for any policies that delete messages from user mailboxes.
In this lab, students will:
• Configure Personal Archives.
• Configure retention policies.
Exercise 1: Configuring Personal Archives
Inputs: The students will be provided with a set of instructions for configuring Personal Archives for specific users.
Outputs: Students will configure the Personal Archives, and will verify the Personal Archive mailbox integration with the user's regular mailbox.
Exercise 2: Configuring Retention Policies
Inputs: The students will be provided with a set of instructions regarding the messaging records management configuration that they need to implement to meet business and legal requirements. This lab will require a domain controller, one Exchange server, and a client computer with Outlook installed.
Use the questions on the slide to guide the discussion after students have completed the lab exercises.
Question: Which of the following two approaches is better for ensuring that you retain a copy of specific email messages: journaling rules or retention policies?
Answer: Use journaling rules to ensure that you retain a copy of specific email messages. Users can bypass retention policies easily by deleting the messages.
Question: How can you ensure that users move their PST files to their archive mailbox?
Answer: It is difficult to ensure that users are moving their PST files into the archive mailboxes, but you can use Group Policy to prevent users from using PST files with Outlook. If you tell users that you are applying this policy, they are more likely to move the PST file into the archive mailbox.
Review Questions
Question: You need to ensure that a copy of all messages sent to a particular distribution group is saved. You only want copies of messages sent to the distribution group, not copies of all messages sent to individual group members. What should you configure?
Answer: Configure a transport rule that sends a copy of all messages to a mailbox. If you set up a journaling rule, all messages sent to members of the distribution group also will be saved.
Question: You need to ensure that a user can search all Exchange Server organization mailboxes for specific content. What should you do? What user training will you need to provide?
Answer: Add the user to the Discovery Manager security group in AD DS or Active Directory. This will give the user the required permissions. Then you need to show the user how to use the ECP to perform mailbox searches.
Common Issues and Troubleshooting Tips
Point the students to possible troubleshooting tips for the issues that this section presents.
Real-World Issues and Scenarios
Question: A. Datum Corporation has deployed an AD RMS server, and users are using it to protect email. However, users report that when they protect email messages, users outside the organization cannot read the messages. What should A. Datum messaging administrators do?
Answer: To read AD RMS-protected emails, users must have an account in the Active Directory forest. In most cases, users outside the organization will not have an account in the organization's forest. This means that users are unable to send AD RMS-protected email to external users. If this is a requirement and the other organization also runs AD RMS, you can integrate the AD RMS environments.
Question: Woodgrove Bank has implemented message journaling for all messages sent to and from the legal and compliance teams. These messages need to be available to auditors for seven years. The mailboxes used for journaling are growing rapidly. What should the messaging administrators at Woodgrove Bank do?
Answer: If the organization does not have the capacity to retain the messages in the journaling mailboxes, they will need to investigate options to store the messages elsewhere. One of the easiest ways to manage this is to ensure that the journal mailboxes are backed up regularly, and then to delete messages from the mailboxes after they have been backed up. The organization could also consider using a Microsoft SharePoint® site as the message journal location.
Best Practices
Help the students understand the best practices presented in this section. Ask students to consider these best practices in the context of their own business situations.
Module 9: Configuring Messaging Policy and Compliance
Module Overview
• Introducing Messaging Policy and Compliance
• Configuring Transport Rules
• Configuring Journaling and Multi-Mailbox Search
• Configuring Personal Archives
• Configuring Messaging Records Management
Lesson 1: Introducing Messaging Policy and Compliance
• What Is Messaging Policy and Compliance?
• Discussion: Compliance Requirements
• Options for Enforcing Messaging Policy and Compliance
What Is Messaging Policy and Compliance?
Messaging policy and compliance features in Exchange Server 2010 provide organizations with the tools to enforce compliance requirements for email
Exchange Server 2010 has features that help you manage information distribution and comply with regulatory and legal requirements, such as:
• Restricting message flow
• Managing messages in user mailboxes
• Retaining copies of all or specific messages
• Searching for messages
Discussion: Compliance Requirements
• What type of business does your organization conduct?
• What are some legislated compliance requirements for your organization?
• What additional compliance requirements does your organization have?
• How are you currently meeting these compliance requirements?
Options for Enforcing Messaging Policy and Compliance
• Transport rules
• Rights management integration
• Message journaling
• Mailbox searching
• Personal Archives
• Message retention and deletion
Lesson 2: Configuring Transport Rules
• What Are Transport Rules?
• Transport Rule Components
• Demonstration: How to Configure Transport Rules
• What Is AD RMS?
• AD RMS Components
• How AD RMS Works
• How AD RMS Integration Works
• Demonstration: How to Configure AD RMS Integration
• Options for Configuring Moderated Transport
• Demonstration: How to Configure Moderated Transport
What Are Transport Rules?
Transport rules restrict message flow or modify message contents for messages in transit
Transport rules on a Hub Transport server are:
• Stored in the Active Directory site
• Applied by all Hub Transport servers
• Used to apply compliance requirements
Transport rules on an Edge Transport server are:
• Stored in AD LDS
• Unique to each Edge Transport server
• Used to manage inbound or outbound messages
Transport Rule Components
• Conditions: Specify which email message components are used to identify the email messages
• Actions: Specify the processes to be applied to messages
• Exceptions: Specify which email messages to exclude from having an action applied
• Predicates: Used by conditions and exceptions to define what part of an email message will be examined
Demonstration: How to Configure Transport Rules
In this demonstration, you will see how to configure transport rules that apply:
• A disclaimer to messages sent to external recipients
• A restriction based on a regular expression
What Is AD RMS?
AD RMS is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use
You can use AD RMS to:
• Restrict access to an organization's intellectual property
• Limit the actions users can perform on content
• Limit the risk of content being exposed outside the organization
AD RMS Components
AD RMS components include:
• AD RMS Certification Server Cluster
• Active Directory Domain Services
• SQL Server
• RMS-aware clients and applications
• Certificates and licenses
• Rights policy templates
How AD RMS Works
[Figure: RMS Server, Information Author, and Recipient, with the protection and licensing flow shown as numbered steps 1 to 5]
How AD RMS Integration Works
By integrating AD RMS with Exchange Server 2010, you can:
• Enable users to protect content
• Use AD RMS prelicensing
• Configure Outlook Protection rules to apply AD RMS templates automatically
• Configure Transport Protection rules to apply AD RMS templates
• Enable Journal Report Decryption
• Enable Transport Decryption
• Enable IRM in Outlook Web App
• Use new IRM-related features in Exchange Server 2010 SP1
Demonstration: How to Configure AD RMS Integration
In this demonstration, you will see how to:
• Protect email messages by using AD RMS
• Configure a transport rule that applies AD RMS protection
Options for Configuring Moderated Transport
Moderated transport enables the moderator to approve messages before delivery
In Exchange Server 2010, you can configure:
• Recipients that require moderation
• Transport rules that require moderation
Demonstration: How to Configure Moderated Transport
In this demonstration, you will see how to:
• Configure a distribution group for moderation
• Configure a transport rule that enables moderation
Lesson 3: Configuring Journaling and Multi-Mailbox Search
• Message Journaling Options
• Demonstration: How to Configure Message Journaling
• Considerations for Managing the Message Journal Mailbox
• What Is Multi-Mailbox Search?
• What Is Legal Hold?
• Demonstration: How to Configure Multi-Mailbox Search
Message Journaling Options
Message journaling enables you to send copies of messages to any mailbox or valid SMTP address
You can configure message journaling by configuring:
• Per-recipient journal rules
• Journal mailboxes per mailbox database
A journal report is a new message that includes the original message as an attachment
Demonstration: How to Configure Message Journaling
In this demonstration, you will see how to configure a journal rule
Considerations for Managing the Message Journal Mailbox
• Consider using a SharePoint document library configured with an SMTP address as the messaging journal mailbox
• Determine what will occur if a journaling mailbox exceeds the configured mailbox quota
• Use a retention policy to routinely remove messages that have been backed up
• Create policies that govern access to the journaling mailboxes in your organization
• Ensure compliance by obtaining plan approval from legal representatives
What Is Multi-Mailbox Search?
Multi-Mailbox Search:
• Enables cross-mailbox searches
• Uses the Exchange Control Panel
• Requires that users have discovery permissions
Enhancements in Exchange Server 2010 SP1:
• Results preview
• Annotations
• Data de-duplication
What Is Legal Hold?
Legal hold enables administrators to:
• Place a hold on users' mailboxes and keep mailbox items in an unaltered state
• Preserve mailbox items that users attempt to delete or modify after the hold is placed
• Preserve mailbox items automatically deleted based on messaging records management retention policies
• Keep the legal hold transparent from the user by not having to suspend messaging records management
• Enable discovery searches of items placed on hold
The base structure of legal hold is Dumpster 2.0
Demonstration: How to Configure Multi-Mailbox Search
In this demonstration, you will see how to:
• Add a user to the Discovery Management role group
• Perform a Multi-Mailbox Search by using Exchange Control Panel
Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search
• Exercise 1: Configuring Transport Rules
• Exercise 2: Configuring Journal Rules and Multi-Mailbox Search
Logon information
Estimated time: 50 minutes
Lab Scenario
You are a messaging administrator in A. Datum Corporation. Your organization has deployed Exchange Server 2010.
The legal and audit departments at A. Datum provided you with several requirements for implementing messaging policy and compliance. These requirements include applying rights protection to some messages sent inside and outside the organization, restricting message flow based on information in message subjects, and restricting which messages are sent to critical distribution lists. You also must ensure that you establish a separate and secure mailbox in which to retain all messages that the legal department sends and receives. Additionally, an auditor must be able to retrieve all messages sent and received by users with legal hold enabled.
Lab Review
• In this lab, you implemented a transport rule that added a disclaimer to all messages sent to users outside the organization. What other option do you have for implementing this type of disclaimer?
• How can you verify that the Executives journal rule that you enabled in this lab is working properly?
Lesson 4: Configuring Personal Archives
• Discussion: Options for Implementing Mailbox Archiving
• How Personal Archives Work in Exchange Server 2010
• Demonstration: How to Configure Personal Archives
• Considerations for Implementing Personal Archives
Discussion: Options for Implementing Mailbox Archiving
• Do you have any archiving or journaling requirements in your organization?
• How are you currently meeting these requirements?
How Personal Archives Work in Exchange Server 2010
The Exchange Server 2010 Personal Archives feature creates a secondary, or archive, mailbox for the user
The Personal Archive mailbox:
• Can be in the same mailbox database as the primary mailbox, in another mailbox database or server, or on Exchange Online
• Appears as a folder in Outlook 2007, Outlook 2010, or Outlook Web App
• Is indexed and searchable
• Is not cached in Outlook
• Can be managed using archive and retention policies
Personal Archives can help organizations meet legal and corporate requirements by ensuring that all messages are stored in an Exchange Server mailbox
Demonstration: How to Configure Personal Archives
In this demonstration, you will see how to:
• Configure a Personal Archives mailbox
• Access the Personal Archives mailbox
• Manage messages with a Personal Archives mailbox
Considerations for Implementing Personal Archives
Implementing Personal Archives can significantly increase the storage requirements on the Exchange servers
• Consider implementing Personal Archives for critical mailboxes
• Consider reducing the storage costs for mailbox databases that contain only archive mailboxes
• Use archive mailbox quotas to manage the archive mailbox size
• Consider removing the option of using PST files in Outlook
Lesson 5: Configuring Messaging Records Management
• Messaging Records Management Options
• What Are Retention Tags and Retention Policies?
• Demonstration: How to Configure Retention Tags and Policies
• What Are Managed Folders?
• Process for Deploying Managed Folders
• Considerations for Implementing Messaging Records Management
Messaging Records Management Options
Messaging records management helps organizations manage message retention for messages in user mailboxes
Exchange Server 2010 supports the following messaging records management options:
• Retention policies
  • New technology in Exchange Server 2010
  • Used with retention policy tags
• Managed folders
  • Technology introduced with Exchange Server 2007
  • Used with managed content settings
What Are Retention Tags and Retention Policies?
Retention tags define managed content settings:
• Retention policy tags
• Default policy tag
• Personal tags
Retention policies group one or more retention tags, and apply the tags to mailboxes
• Apply a retention policy to mailboxes by using the Exchange Management Shell or the Exchange Control Panel
Demonstration: How to Configure Retention Tags and Policies
In this demonstration, you will see how to:
• Configure retention policy tags
• Configure custom content settings for the retention policy tags
• Configure a retention policy that groups the retention policy tags
• Apply the retention policy to a user account
What Are Managed Folders?
Managed folders manage the contents of folders in user mailboxes
Managed folders can include default folders and custom managed folders
Managed content settings can be used to:
• Configure retention periods
• Configure the retention expiration action
• Configure journal settings
Managed folder mailbox policies group managed folders and apply the settings to user mailboxes
Users must move messages into the custom managed folders before content settings will be applied
Process for Deploying Managed Folders
To deploy Managed Folders:
• Specify the folders where you will apply managed content settings
• Specify the managed content settings for the selected folders
• Create a managed folder mailbox policy
• Apply the managed folder mailbox policy to users' mailboxes
• Configure the managed folder assistant to apply the changes to users' mailboxes
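The five deployment steps above carried out in the Exchange Management Shell (with SP1 the only place managed folders can be configured), as an added example that is not part of the course materials. The folder, content settings, policy and mailbox names are hypothetical values chosen for the example; Luca Dellamore is the lab user.

```powershell
# Added example (not course material): deploying a custom managed folder.

# Step 1: the custom managed folder that users will see in their mailbox and
# must move project messages into before any content settings apply.
New-ManagedFolder -Name "Project Records" -FolderName "Project Records" `
    -Comment "Move project-related messages here; they are retained for three years."

# Step 2: managed content settings for that folder. All message classes are
# retained for 1095 days from delivery, then moved to Deleted Items rather
# than purged, so an accidental expiry can still be recovered.
New-ManagedContentSettings -Name "Project Records 3 year retention" `
    -FolderName "Project Records" `
    -MessageClass * `
    -RetentionEnabled $true `
    -AgeLimitForRetention 1095 `
    -TriggerForRetention WhenDelivered `
    -RetentionAction MoveToDeletedItems

# Step 3: group the managed folder into a mailbox policy.
New-ManagedFolderMailboxPolicy -Name "Project Team policy" `
    -ManagedFolderLinks "Project Records"

# Step 4: apply the policy to the project team mailboxes (one example user here).
# -ManagedFolderMailboxPolicyAllowed suppresses the licensing confirmation prompt.
Set-Mailbox -Identity "Luca Dellamore" `
    -ManagedFolderMailboxPolicy "Project Team policy" `
    -ManagedFolderMailboxPolicyAllowed

# Step 5: run the Managed Folder Assistant so the folder is provisioned now
# instead of at the next scheduled run.
Start-ManagedFolderAssistant -Identity "Luca Dellamore"

# Verify which mailboxes carry a managed folder policy.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ManagedFolderMailboxPolicy } |
    Format-Table DisplayName, ManagedFolderMailboxPolicy
```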
Considerations for Implementing Messaging Records Management
• Ensure business and legal acceptance before configuring policies that delete messages
• Plan retention policies or managed folder mailbox policies based on business groups with unique requirements
• Use managed custom folders for project-based folders
• Use retention policies to automate messaging records management
• Consider the default retention policy configuration
• Consider using retention policies to manage mailbox sizes
• Consider migrating managed folder settings to retention policies
Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010.
The legal and audit departments at A. Datum provided you with several requirements for implementing messaging policy and compliance. First, you must enable Personal Archives for all of the users in the Marketing department. Additional requirements include configuring rules that will ensure that some messages are retained for an extended period, while other messages are deleted when they expire.
Lab Review
• Which of the following two approaches is better for ensuring that you retain a copy of specific email messages: journaling rules or retention policies?
• How can you ensure that users move their PST files into their archive mailbox?
Module Review and Takeaways
• Review Questions
• Common Issues and Troubleshooting Tips
• Real-World Issues and Scenarios
• Best Practices