Archiving
refers to reducing the amount of data in a user's primary mailbox by
moving it to different storage (another mailbox, in the case of
Exchange Server 2010 archiving); journaling
is the ability to record all e-mail communications in an organization
for archival purposes to meet compliance and regulatory
requirements. We'll discuss archiving in detail in the "Designing and
Implementing Archiving" section of this chapter.
Although a specific
regulation may not explicitly require journaling, journaling can be one
way to achieve compliance under certain regulations. One example is
corporate officers in the financial sector who may be held liable for
the claims made to their customers by their employees. To verify that
the claims are accurate, a system can be set up in which a portion of
employee-to-client communications is reviewed by managers on a
quarterly basis to verify compliance and approve employees' conduct.
When every manager has formally reported
approval to the corporate officer, the corporate officer can, on behalf
of the company, report compliance to the regulating body. E-mail
messages are likely one type of the employee-to-client communications
reviewed by managers; in this case, all e-mail messages sent by
client-facing employees can be collected by journaling. Other client
communications that may also be subject to regulation, and thus
monitored, include faxes and telephone conversations; the ability to
journal all classes of data in an enterprise is therefore a valuable
capability of the IT architecture.
Journaling
can be a requirement in particular regions or industries because of
governmental regulations such as the European Union Data Protection
Directive (EUDPD), Sarbanes-Oxley Act of 2002 (SOX), and the Securities
and Exchange Commission Rule 17a-4 (SEC Rule 17a-4). Because these are
regulatory or business issues, journaling
requirements for your Exchange Server 2010 environment are best
determined through consultation with your organization's compliance and
security staff.
Journaling is implemented in Exchange Server 2010 via the Journaling agent and journal rules, and the output from the Journaling agent is journal reports—one report for each message
that is journaled; this output is stored in designated journaling
mailboxes (one mailbox per journal rule). We will discuss each of these
concepts in detail in the following sections of this chapter.
Note:
Journaling mailboxes can contain sensitive data, so access to these mailboxes should be tightly controlled and monitored.
1. Journaling Agent
The Journaling agent is a
transport agent focused on compliance; it processes messages on Hub
Transport servers. The Journaling agent fires on the OnSubmittedMessage and OnRoutedMessage transport
events. The Exchange Server 2010 Journaling agent is a built-in agent;
agents of this type are not included in the output of the Get-TransportAgent cmdlet.
The Journaling agent in Exchange Server 2010 provides two types of journaling:
Standard journaling
Standard journaling is configured on a per-mailbox database basis and
allows the journaling of all messages sent to and from mailboxes
located on the targeted mailbox database. You must configure journaling
on all mailbox databases in the organization to journal all messages in
the organization.
Premium journaling
More granular journaling is accomplished by using premium journaling
with journal rules. You can configure journal rules to match your
organization's needs by journaling individual recipients or members of
distribution groups instead of journaling all mailboxes residing on a
mailbox database. An Exchange Enterprise client access license (CAL) is
required to use premium journaling.
Both types
of journaling store their configuration information in Active Directory
where it is read by the Journaling agent and applied to the appropriate
database in the case of standard journaling, or recipient in the case
of premium journaling. The journaling rules used with premium
journaling are also stored in Active Directory and accessed by the
Journaling agent from there.
Standard journaling is implemented on a mailbox database using the Set-MailboxDatabase cmdlet and specifying the journaling mailbox with the JournalRecipient
parameter; the journaling mailbox is the mailbox used to store the
journal reports generated by the Journaling agent. Standard journaling
can also be configured with the EMC on the properties of the mailbox
database, as shown in Figure 1.
Premium journaling is
implemented with journal rules on an organizational level as a
component of the Hub Transport configuration, similar to transport
rules. You can start the New Journal Rule Wizard from the Actions pane of the Hub Transport organization configuration, as shown in Figure 8-9. Exchange Server 2010 SP1 also introduced the ability to create journal rules from the ECP.
2. Journal Reports
The output generated by both standard and premium journaling is a journal report; this is the message generated by the Journaling
agent when submitting a message to the journaling mailbox. The original
message matching the journal rule is attached unaltered to the journal
report. Information from the original message such as the sender e-mail
address, message subject, message-ID, and recipient e-mail addresses is
included in the body of the journal report. This is the only journaling technique supported in Exchange Server 2007 and Exchange Server 2010, and is referred to as envelope journaling.
Exchange Server 2010 also supports journaling Information Rights Management (IRM)–protected messages. When IRM support is configured, Journal
Report Decryption can include a clear-text copy of the message as an
attachment to the journal report, along with the original IRM-protected
message. Any IRM-protected attachments are also decrypted, provided
that the attachment was protected at the same time as the message.
Thierry Demorre
Senior Director, Avanade, USA
Exchange Server 2010 Hub
Transport servers have a default value for the distribution list
chunking size (how many recipients are processed when expanding the DL
to start sending messages as soon as possible) of 1,000. So if a DL has
1,001 members, Exchange will send two messages, one with 1,000
recipients and one with 1 recipient, which will translate into two
journal reports being generated. Some companies consider this to be
non-compliant because neither of the two messages accurately captures
the envelope recipients.
In this case, the only option is to bump up the ExpansionSizeLimit
setting in the edgetransport.exe.config file on the Exchange Server
2010 Hub Transport servers to a value that will exceed the maximum DL
size in the enterprise or whichever one the legal department is
monitoring; this setting should be changed on all Hub Transport servers
in the environment to ensure consistency. This setting has no
significant performance implication because the DL has to be expanded
anyway; the only difference between expanding a 50,000-member DL with ExpansionSizeLimit set to 1,000 and with ExpansionSizeLimit
set to 50,000 is that in the former 50 messages would be sent, whereas
in the latter only 1 message would be sent but after the time required
to expand the 50,000 members.
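The following Exchange Management Shell check is added here as an example and is not from the book or the sidebar author. It lists the static distribution groups whose direct membership exceeds the expansion chunk size, and therefore how many journal reports a single message to each group would produce; the limit value is an assumed placeholder and should be read from edgetransport.exe.config on your own Hub Transport servers.

```powershell
# Added example (not from the book). Finds distribution groups whose
# membership exceeds the DL expansion chunk size, so that a message to
# the group is split and journaled as more than one journal report.
# Placeholder: the default quoted in the sidebar; use the value actually
# configured as ExpansionSizeLimit in edgetransport.exe.config.
$ExpansionSizeLimit = 1000

# Nested groups count as a single member here; transport expands them
# further, so these counts are a lower bound on the real expansion size.
$oversized = Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $members = @(Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited)
    New-Object PSObject -Property @{
        Group       = $_.Name
        MemberCount = $members.Count
        # Journal reports generated per message at the current limit
        Reports     = [math]::Ceiling($members.Count / $ExpansionSizeLimit)
    }
} | Where-Object { $_.MemberCount -gt $ExpansionSizeLimit } |
    Sort-Object MemberCount -Descending |
    Select-Object Group, MemberCount, Reports

$oversized | Format-Table -AutoSize

# The largest group gives the minimum ExpansionSizeLimit that keeps one
# journal report per message; it must be set on every Hub Transport server.
if ($oversized) {
    "Set ExpansionSizeLimit to at least $($oversized[0].MemberCount) on all Hub Transport servers"
}
```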
3. Journal Rules
The journal rules used by premium journaling are composed of three components:
Journal Rule Scope: The scope determines which messages are to be journaled:
Internal: A journal rule with an internal scope targets messages sent and received by recipients inside the organization.
External: Setting an external scope targets the journal rule on messages sent to or received from recipients outside the organization.
Global: A global scope targets all messages that pass through the Hub Transport server, whether external or internal.
Journal Recipients: The journal recipient specifies the SMTP address of the recipient to be journaled; specifying a journal recipient causes all messages sent to or from that recipient to be journaled.
Journaling Mailbox: The journaling mailbox is used to store the journal reports generated by standard or premium journaling.
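The Exchange Management Shell commands below are added here as an example and are not from the book. They configure standard journaling on a mailbox database, create a premium journal rule from the three components just listed (scope, journal recipient, journaling mailbox), and restrict and audit the journaling mailbox as the earlier Note recommends; the database name, addresses, and rule name are placeholders.

```powershell
# Added example (not from the book). Placeholders: DB01, contoso.com addresses.

# Standard journaling: per mailbox database. Every message sent to or from
# a mailbox on DB01 is journaled to the JournalRecipient mailbox.
Set-MailboxDatabase -Identity "DB01" -JournalRecipient "journal-db01@contoso.com"

# Verify which databases journal and where their journal reports go.
Get-MailboxDatabase | Format-Table Name, JournalRecipient -AutoSize

# Premium journaling (Enterprise CAL): a journal rule built from
#   Scope            -> External: only messages exchanged with outside recipients
#   Recipient        -> the journaled recipient (here a client-facing DL)
#   JournalEmailAddress -> the journaling mailbox that receives the reports
New-JournalRule -Name "Journal Sales External" `
    -Recipient "sales@contoso.com" `
    -JournalEmailAddress "journal-sales@contoso.com" `
    -Scope External `
    -Enabled $true

# Verify the rule's components as stored in Active Directory.
Get-JournalRule | Format-List Name, Scope, Recipient, JournalEmailAddress, Enabled

# Journaling mailboxes hold sensitive data: hide the mailbox from address
# lists and turn on mailbox audit logging (Exchange 2010 SP1) so delegate
# and administrator access to journal reports is recorded.
Set-Mailbox -Identity "journal-sales@contoso.com" -HiddenFromAddressListsEnabled $true
Set-Mailbox -Identity "journal-sales@contoso.com" -AuditEnabled $true `
    -AuditDelegate FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems `
    -AuditAdmin FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems,Copy,MessageBind

# Review who has been opening or deleting journal reports.
Search-MailboxAuditLog -Identity "journal-sales@contoso.com" -LogonTypes Delegate,Admin -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation
```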
Note:
You
can also opt to journal or to not journal messages containing voicemail
messages and missed call notification messages generated by Unified
Messaging. However, messages containing faxes that have been generated
by a Unified Messaging server are always journaled; this is true even
if you have specified to not journal voicemail and missed call
notifications.