Administrator’s Guide - Check Point Software

LIQUID MACHINES EMAIL CONTROL SERVER™

Administrator’s Guide

LIQUID MACHINES EMAIL CONTROL SERVER ENTERPRISE EDITION 7.0.0

Liquid Machines Email Control Server Enterprise Edition Administrator’s Guide

Copyright © 2004 & 2005 by Liquid Machines, Inc. All rights reserved. Confidential and proprietary information of Liquid Machines, Inc.

The material in this guide may not in whole or in part be copied, photocopied, reproduced, translated, or converted to any electronic or machine-readable form without the prior written consent of Liquid Machines. The information in this guide is for informational use only, is subject to change without notice, and should not be construed as a commitment by Liquid Machines. Liquid Machines assumes no responsibility or liability for any errors or inaccuracies that may appear in this guide.

This guide and the software described in this guide are furnished under a license accompanying the software and may be used only in accordance with the terms of such license. By using this guide, you agree to the terms and conditions of that license.

This product may use MySQL database software which is subject to and transferable under the License Agreement for Commercial Use for MySQL Software between MySQL AB and Liquid Machines, Inc. MySQL is a registered trademark of MySQL AB. Copyright © MySQL AB.

This product may include software developed by the JBoss Group (<http://www.jboss.org>). JBoss and JBoss Group are a registered trademark and servicemark of Marc Fleury under operation by The JBoss Group, LLC.

This product may include software developed by the Apache Software Foundation (<http://www.apache.org>). Apache and Apache Software Foundation are registered trademarks of the Apache Software Foundation. Copyright © The Apache Software Foundation.

This product may include software developed by IAIK of Graz University of Technology. Copyright © Graz University of Technology.

This product may use the "OpenSSL toolkit" provided by "The OpenSSL Project" and licensed under a dual license (the OpenSSL license and the original SSLeay license). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (<http://www.openssl.org/>). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). OpenSSL and The OpenSSL Project are registered trademarks of The OpenSSL Project.

This product may include "Redistributable" software licensed under the Sun Microsystems’ Java Runtime Environment (J2RE), Standard Edition, Version 1.4.1_X Supplemental License Terms to the Binary Code License Agreement. This product includes code licensed from RSA Security, Inc. Some portions licensed from IBM are available at <http://oss.software.ibm.com/icu4j/>. Sun, Sun Microsystems, and Java are trademarks or registered trademarks of Sun Microsystems, Inc.

This product may include XMLIO software developed by Achim Gädke and Peter Pipenbacher at the Center of Applied Informatics of the University of Cologne (www.zaik.uni-koeln.de). Source code and patches are available at http://www.liquidmachines.com/about/oss.php.

This product may use MMC software library which is subject to the Common Public License Version 1.0 and is available for download at http://sourceforge.net/projects/mmclibrary.

This product may include Zlib software developed by Jean-loup Gailly and Mark Adler. Copyright © 1995-2003.

This product may include software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/). Copyright © 1998-2000 Carnegie Mellon University.

This product may include software developed by Boost Software (http://www.boost.org). Copyright © Boost Software.

Liquid Machines, Policy Droplet, Freedom of Security, Enabling Secure Business, Omniva, and Omniva Policy Systems are trademarks of Liquid Machines, Inc.

Microsoft, Microsoft Excel, Microsoft Word, Microsoft PowerPoint, Microsoft Project, Visio, Windows Explorer, Windows XP, Windows 2000, Office 2003, and Windows Rights Management Services (RMS) are registered trademarks of Microsoft Corporation.

Adobe and Adobe Acrobat are registered trademarks of Adobe Systems Incorporated.

Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks or the names of their products. Liquid Machines, Inc. disclaims any proprietary interest in trademarks and trade names other than its own.

Table of Contents

1. Before You Install ... 1
  1.1. Read the “Understanding Email Control Server” manual ... 1
  1.2. Read the prerequisites for each component installation ... 1
  1.3. Check Your Skill Set ... 1
  1.4. Get the Team Together ... 2
  1.5. Get a Head Start on Prerequisites ... 3
  1.6. Get Your Users Ready ... 3

2. Getting Started ... 4
  2.1. Starting the Administrative Console ... 4
  2.2. Using the Console Remotely ... 4
  2.3. Starting the Policy Server Configuration Wizard ... 6

3. Email Control Server Components ... 7
  3.1. Email Control Server ... 7
  3.2. External Email Control Server ... 7
  3.3. Email Control Client ... 7
  3.4. Universal Viewer ... 7
  3.5. Report Service ... 7
  3.6. Message Cleanup Tool ... 8
  3.7. Gateway for BlackBerry ... 12
  3.8. Client for BlackBerry Handhelds ... 13
  3.9. Gateway for Exchange/SMTP ... 13
  3.10. Email Archive Gateway ... 20

4. Special Features ... 21
  4.1. Message Contents Features ... 21
  4.2. To Access the Features… ... 21
  4.3. Hide Universal Viewer Image Feature ... 27
  4.4. Pass Through Authentication Feature ... 28
  4.5. Secure Communications Feature ... 29
  4.6. Outlook Delegate Access ... 30
  4.7. Exchange Org Bridge ... 31

5. Microsoft Rights Management Integration ... 37
  5.1. To Enable Rights Management Integration… ... 37

6. Managing Policies ... 39
  6.1. Before You Start… ... 39
  6.2. What You Can Do ... 41
  6.3. If You Are Upgrading… ... 42
  6.4. Elements of a Policy ... 42
  6.5. Precedence, Interaction, Collision ... 46
  6.6. Checking Your Logic ... 50
  6.7. Editing Policies ... 52
  6.8. Policy Rules ... 70
  6.9. Using Patterns in Rules ... 86
  6.10. More About SMTP Headers ... 98
  6.11. Configuring the “Apply Controls” Menu on BlackBerry Handhelds ... 101

7. Managing External Recipients ... 105
  7.1. To Begin… ... 105
  7.2. View a User’s Properties ... 106
  7.3. Reset a User’s Password ... 108
  7.4. Disable a User’s Account ... 108
  7.5. Don’t Delete Accounts! ... 109
  7.6. Registration Collisions ... 110

  7.7. Partner Email Control Client ... 112
  7.8. Customizing the Registration Page ... 114

8. Monitoring Activity ... 115
  8.1. To Begin… ... 115
  8.2. Who Is Installed? ... 115
  8.3. How Many Have Policies? ... 116
  8.4. When Are Keys Deleted? ... 116
  8.5. When Were Changes Made to Policies? ... 117
  8.6. Basic Read Message Activity ... 118
  8.7. The Report Service ... 121

9. Advanced Administration ... 125
  9.1. Backups ... 125
  9.2. High Availability ... 125
  9.3. Automated Client Roll-out ... 130
  9.4. Compromised Keys ... 130
  9.5. Corrupt Keys ... 130
  9.6. Logging ... 131

10. The Discovery Process ... 134
  10.1. Procedure Overview ... 134
  10.2. To Suspend Expiration… ... 136
  10.3. To Resume Expiration… ... 137
  10.4. To Extract and Decrypt Messages… ... 137
  10.5. Targeted Suspension ... 148
  10.6. Automating the Process ... 149

11. Appendices ... 154
  11.1. Microsoft Rights Management Analogs to Policy Manage Features ... 154
  11.2. Regular Expression Syntax ... 156
  11.3. PolicyPstToClearPst ... 165
  11.4. UpdateKeyServRegistry ... 169
  11.5. The hotkey combinations in Client for Blackberry ... 170

Extended Table of Contents

1. Before You Install ... 1
  1.1. Read the “Understanding Email Control Server” manual ... 1
  1.2. Read the prerequisites for each component installation ... 1
  1.3. Check Your Skill Set ... 1
  1.4. Get the Team Together ... 2
  1.5. Get a Head Start on Prerequisites ... 3
    1.5.1. Acquiring the SSL Certificate ... 3
    1.5.2. Coordinating DNS Changes ... 3
    1.5.3. Configuring Firewalls ... 3
  1.6. Get Your Users Ready ... 3

2. Getting Started ... 4
  2.1. Starting the Administrative Console ... 4
  2.2. Using the Console Remotely ... 4
    2.2.1. Connecting to a Different Server ... 4
    2.2.2. Connecting Using the Canonical Hostname ... 5
    2.2.3. Connecting from a Trusted Domain or Over VPN ... 5
    2.2.4. Multiple Users ... 5
  2.3. Starting the Policy Server Configuration Wizard ... 6

3. Email Control Server Components ... 7
  3.1. Email Control Server ... 7
  3.2. External Email Control Server ... 7
  3.3. Email Control Client ... 7
  3.4. Universal Viewer ... 7
  3.5. Report Service ... 7
  3.6. Message Cleanup Tool ... 8
    3.6.1. Requirements ... 8
    3.6.2. Installation ... 8
    3.6.3. Configuration ... 8
      3.6.3.i. Message Options ... 9
      3.6.3.ii. Attachment Options ... 10
      3.6.3.iii. Servers ... 11
    3.6.4. How Often Does It Run? ... 11
    3.6.5. So Where Do I Install It? ... 11
  3.7. Gateway for BlackBerry ... 12
    3.7.1. Administrative Console ... 12
    3.7.2. Logging ... 12
  3.8. Client for BlackBerry Handhelds ... 13
  3.9. Gateway for Exchange/SMTP ... 13
    3.9.1. Configuration ... 14
      3.9.1.i. Modes of Operation ... 14
      3.9.1.ii. Updating Policies ... 15
      3.9.1.iii. Parameters ... 16
    3.9.2. About SMTP Routing ... 17
    3.9.3. Logging ... 19
  3.10. Email Archive Gateway ... 20
    3.10.1. Intelligent Archiving via Message Headers ... 20
    3.10.2. Logging ... 20

4. Special Features ... 21
  4.1. Message Contents Features ... 21
  4.2. To Access the Features… ... 21
    4.2.1. Message Body Retrieved from Exchange ... 22
      4.2.1.i. Requirements ... 22

      4.2.1.ii. What Does It Do? ... 22
      4.2.1.iii. What’s the Value? ... 22
      4.2.1.iv. The Tech Scoop ... 22
    4.2.2. Attachments Retrieved from Exchange ... 23
      4.2.2.i. Requirements ... 23
      4.2.2.ii. What Does It Do? ... 23
      4.2.2.iii. What’s the Value? ... 23
      4.2.2.iv. The Tech Scoop ... 23
    4.2.3. Messages Retained in Central Location ... 23
      4.2.3.i. Requirements ... 23
      4.2.3.ii. What Does It Do? ... 23
      4.2.3.iii. What’s the Value? ... 24
      4.2.3.iv. The Tech Scoop ... 24
    4.2.4. Policy Mailboxes and the Mailbox User ... 24
      4.2.4.i. The Mailbox User ... 24
      4.2.4.ii. The Policy Mailboxes ... 24
      4.2.4.iii. Configuring Email Control Server ... 25
      4.2.4.iv. Why So Many Mailboxes? ... 26
      4.2.4.v. What About Space Requirements? ... 26
  4.3. Hide Universal Viewer Image Feature ... 27
    4.3.1. To Access the Feature… ... 27
  4.4. Pass Through Authentication Feature ... 28
    4.4.1. To enable the feature… ... 28
    4.4.2. What’s the Value? ... 29
  4.5. Secure Communications Feature ... 29
  4.6. Outlook Delegate Access ... 30
  4.7. Exchange Org Bridge ... 31
    4.7.1. What Does It Do? ... 31
    4.7.2. Requirements ... 32
    4.7.3. Preparation ... 33
    4.7.4. Configuration ... 33
    4.7.5. More About SMTP and NT Domains ... 36

5. Microsoft Rights Management Integration ... 37
  5.1. To Enable Rights Management Integration… ... 37

6. Managing Policies ... 39
  6.1. Before You Start… ... 39
    6.1.1. Inform Users ... 39
    6.1.2. Start Slowly ... 39
    6.1.3. Keep It Simple ... 40
    6.1.4. Build Consensus ... 40
    6.1.5. Read This Whole Chapter ... 40
  6.2. What You Can Do ... 41
    6.2.1. About Calendar Messages ... 41
  6.3. If You Are Upgrading… ... 42
  6.4. Elements of a Policy ... 42
    6.4.1. Who It Affects ... 42
      6.4.1.i. The Global Policy ... 42
      6.4.1.ii. Other Policies ... 42
    6.4.2. Categories ... 43
      6.4.2.i. Retention ... 43
      6.4.2.ii. Confidentiality ... 43
    6.4.3. Defaults ... 43
    6.4.4. Email Control Client’s Interface ... 44
    6.4.5. Clear Text Archiving ... 44
    6.4.6. Policy Rules ... 44

6.4.6.i. Conditions ... 44
6.4.6.ii. Actions ... 45
6.4.6.iii. Not All Components Support All Actions and Conditions ... 45
6.5. Precedence, Interaction, Collision ... 46
6.5.1. Policy Rules ... 46
6.5.1.i. Adding Up Actions from Several Rules ... 48
6.5.2. Policy Gateways ... 49
6.5.3. Gateway for Exchange ... 49
6.5.4. Gateway for SMTP ... 49
6.5.5. Email Archive Gateway ... 49
6.5.6. Policy Locking ... 49
6.6. Checking Your Logic ... 50
6.7. Editing Policies ... 52
6.7.1. To Begin… ... 52
6.7.2. To Create a New Policy… ... 53
6.7.3. To Rename a Policy… ... 54
6.7.4. To Delete a Policy… ... 54
6.7.5. To Add a Retention Category… ... 55
6.7.6. To Edit a Retention Category… ... 56
6.7.7. To Add a Security Category… ... 57
6.7.7.ii. Configuring a Group-Confidential Category ... 59
6.7.8. To Edit a Confidentiality Category… ... 61
6.7.9. To Set a Default Category… ... 62
6.7.10. To Copy a Category to Another Policy ... 63
6.7.11. To Create Policy Templates for Email Control Client… ... 63
6.7.12. To Edit, Delete or Set the Default Policy Template… ... 65
6.7.13. To Control Email Control Client’s Interface… ... 65
6.7.13.ii. Use Individual Settings. ... 65
6.7.13.iii. Automatically Delete Expired Policy Messages ... 66
6.7.14. To Choose Who the Policy Applies to… ... 67
6.7.15. To Set the Archiving Policy… ... 69
6.8. Policy Rules ... 70
6.8.1. To create Policy Rules… ... 71
6.8.2. To add a Policy Rule… ... 72
6.8.3. To Edit, Rename or Delete a Policy Rule… ... 76
6.8.4. Conditions in Rules ... 77
6.8.4.i. To choose words or phrases… ... 77
6.8.4.ii. To choose SMTP header values… ... 78
6.8.4.iii. To choose Active Directory groups… ... 79
6.8.4.iv. To choose message types… ... 80
6.8.4.v. To choose patterns… ... 81
6.8.5. Actions in Rules ... 82
6.8.5.i. Allow forwarding: Confidentiality Option ... 82
6.8.5.ii. Set retention to: Retention Option ... 83
6.8.5.iii. Apply Setting to Attachments ... 83
6.8.5.iv. Block recipient copying ... 83
6.8.5.v. Block recipient printing ... 83
6.8.5.vi. Do not deliver the message to anyone ... 83
6.8.5.vii. Do not deliver the message to group members ... 83
6.8.5.viii. Alert user with: Warning Message ... 84
6.8.5.ix. Report when this rule is applied ... 84
6.8.5.x. Add X-Header SMTP header ... 84
6.8.5.xi. BCC a copy of this message to: Mailbox ... 85
6.8.5.xii. BCC to without encrypting: Mailbox. ... 85
6.8.5.xiii. Stop processing more rules. ... 85
6.9. Using Patterns in Rules ... 86


6.9.1. To Create Patterns… ... 87
6.9.2. To Edit Patterns… ... 93
6.9.3. To Delete, Rename or Copy Patterns… ... 96
6.9.4. More About Regular Expressions ... 97
6.10. More About SMTP Headers ... 98
6.11. Configuring the “Apply Controls” Menu on BlackBerry Handhelds ... 101
6.11.1. What You Do ... 101
6.11.2. Message Format ... 101
6.11.3. Configuration Syntax ... 101
6.11.3.i. Example 1 ... 103
6.11.3.ii. Example 2 ... 104
7. Managing External Recipients ... 105
7.1. To Begin… ... 105
7.2. View a User’s Properties ... 106
7.3. Reset a User’s Password ... 108
7.4. Disable a User’s Account ... 108
7.5. Don’t Delete Accounts! ... 109
7.5.1. Recreating a Deleted Account ... 109
7.6. Registration Collisions ... 110
7.6.1. To search for the colliding account… ... 111
7.6.2. To repair the collision… ... 111
7.7. Partner Email Control Client ... 112
7.7.1. Installing Partner Client ... 112
7.7.2. Security Implications ... 113
7.8. Customizing the Registration Page ... 114
8. Monitoring Activity ... 115
8.1. To Begin… ... 115
8.2. Who Is Installed? ... 115
8.3. How Many Have Policies? ... 116
8.4. When Are Keys Deleted? ... 116
8.5. When Were Changes Made to Policies? ... 117
8.6. Basic Read Message Activity ... 118
8.6.1. How Do I Clear Out Report Activity? ... 119
8.6.2. Can I Do My Own Analysis? ... 120
8.6.3. What About External Recipients? ... 120
8.7. The Report Service ... 121
8.7.1. To set up Microsoft SQL for the Report Service… ... 121
8.7.2. To enable the Report Service on a particular Email Control Server… ... 122
8.7.2.ii. More about connection strings… ... 123
8.7.3. Database Schema ... 124
8.7.3.i. Table: PolicyReport ... 124
8.7.3.ii. Table: SendReport ... 124
9. Advanced Administration ... 125
9.1. Backups ... 125
9.2. High Availability ... 125
9.2.1. Fault Tolerant Hardware ... 125
9.2.2. Mirroring ... 125
9.2.3. Load Balancing and Failover ... 126
9.2.3.i. Replicating Data ... 127
9.2.3.ii. Supporting Universal Viewer ... 127
9.2.4. Geographic Redundancy ... 127
9.2.4.i. DNS Views ... 128
9.2.4.ii. Trusted Email Control Servers ... 128
9.2.5. Offline for Clients ... 129
9.3. Automated Client Roll-out ... 130


9.4. Compromised Keys ... 130
9.5. Corrupt Keys ... 130
9.6. Logging ... 131
9.6.1. Email Control Server ... 131
9.6.2. Email Control Client ... 131
9.6.3. Gateway for BlackBerry ... 132
9.6.4. Gateway for Exchange/SMTP ... 132
9.6.5. Email Archive Gateway ... 132
9.6.6. Client for Blackberry ... 133
10. The Discovery Process ... 134
10.1. Procedure Overview ... 134
10.1.1. Suspend Expiration ... 134
10.1.1.i. What the User Sees ... 134
10.1.1.ii. What Happens Afterward ... 134
10.1.2. Enable Retention ... 134
10.1.3. Extract and Decrypt Messages ... 135
10.1.3.i. Extract and Store ... 135
10.1.3.ii. Decrypt and Save ... 135
10.2. To Suspend Expiration… ... 136
10.3. To Resume Expiration… ... 137
10.4. To Extract and Decrypt Messages… ... 137
10.4.1. Set Up a Dedicated Machine ... 137
10.4.2. Install Software ... 138
10.4.3. Create the Service Account ... 138
10.4.3.ii. For Exchange 2000… ... 138
10.4.3.iii. For Exchange 5.5… ... 138
10.4.4. Extract Messages ... 139
10.4.5. Decrypt Messages ... 148
10.5. Targeted Suspension ... 148
10.5.1. Configuring Email Control Server ... 148
10.5.2. Example ... 149
10.6. Automating the Process ... 149
10.6.1. Example ... 150
10.6.2. DailyDiscovery.vbs ... 153
11. Appendices ... 154
11.1. Microsoft Rights Management Analogs to Policy Manage Features ... 154
11.1.1. Analog to external Email Control Server ... 155
11.1.2. Analog to Email Archive Gateway ... 155
11.2. Regular Expression Syntax ... 156
11.2.1. Literals ... 156
11.2.2. Wildcard ... 156
11.2.3. Repeats ... 157
11.2.4. Non-greedy repeats ... 157
11.2.5. Parenthesis ... 158
11.2.6. Non-Marking Parenthesis ... 158
11.2.7. Forward Lookahead Asserts ... 158
11.2.8. Alternatives ... 158
11.2.9. Sets ... 159
11.2.10. Line anchors ... 160
11.2.11. Back references ... 161
11.2.12. Characters by code ... 161
11.2.13. Word operators ... 161
11.2.14. Buffer operators ... 162
11.2.15. Escape operator ... 162
11.2.16. Single character escape sequences ... 162


11.2.17. Miscellaneous escape sequences: ... 163
11.2.18. What gets matched? ... 164
11.3. PolicyPstToClearPst ... 165
11.3.1. Usage ... 165
11.3.2. Parameters ... 165
11.3.3. Return Values ... 166
11.3.4. Logging ... 166
11.3.5. Error Codes ... 167
11.3.5.i. General Error ... 167
11.3.5.ii. Cryptographic Errors ... 167
11.3.5.iii. Offline Errors ... 167
11.3.5.iv. Network Errors ... 167
11.3.5.v. Email Control Server Errors ... 168
11.3.5.vi. Message format Errors (DIMF) ... 168
11.3.5.vii. Key Cache Errors ... 168
11.4. UpdateKeyServRegistry ... 169
11.4.1. Usage ... 169
11.4.2. Parameters ... 169
11.4.3. Return Values ... 169
11.4.4. Logging ... 169
11.5. The hotkey combinations in Client for Blackberry ... 170


1. Before You Install

1.1. Read the “Understanding Email Control Server” manual.

It is an important overview of components, features, concepts and requirements. It prepares you for issues you will encounter, without getting lost in the technical details of implementation.

1.2. Read the prerequisites for each component installation.

Some components require additional server software or upgrades. Some require you to install SSL certificates, change DNS records, or make other infrastructure changes.

1.3. Check Your Skill Set

Email Control Server is tightly integrated with Microsoft Windows and Exchange network infrastructure. That means it’s dependent on appropriately configured servers, workstations, email and web browser applications, network services, and so on. That also means that administering it requires being skilled with many aspects of Microsoft Windows technology. Specifically, you, as a system administrator or as a support team, should be able to…

• Install applications on Windows workstations.
• Configure Outlook options.
• Manipulate Outlook Personal Folders files (PST’s).
• Configure Internet Explorer options.
• Create servers in NT or Active Directory domains.
• Install applications and upgrades on servers.
• Edit text-based configuration files.
• Edit the Microsoft Windows Registry on client and server machines.
• Start, stop, and configure services on NT or Windows 2000 servers.
• Schedule tasks to run automatically on servers.
• Create user accounts and groups. Also organizational units, if you use Active Directory.
• Give user accounts special permissions to manipulate other accounts, groups, or organizational units.
• If you have them, understand and manage NT domain trusts, or Active Directory forests.


• Understand your Exchange organization.
• If you have Exchange 5.5, enable address book replication between sites.
• Give user accounts special permissions to access multiple Exchange mailboxes.
• If you have them, understand Exchange sites or routing groups.
• Acquire and install SSL certificates on Internet Information Services (IIS) servers.
• Import and export an SSL certificate from one Windows computer to another.
• Configure Domain Name System (DNS) records.
• Configure your network routers and firewalls to allow HTTP and HTTPS access to the Email Server from the Internet.
• Configure your network routers and firewalls to allow Email Control Servers to communicate with each other over appropriate protocols.
• Interact with third parties who might manage your DNS records or network routers and firewalls.
• If you will install Gateway for BlackBerry, understand and manage BlackBerry Server.
• If you will install Gateway for Exchange/SMTP, understand and manage the Windows SMTP Service that comes with IIS, and/or understand and manage Exchange servers and organizations.
• If you will use it, understand and manage load balancing software or hardware.
• If you will use the Reporting Service, understand and manage Microsoft SQL Server 2000.
• If you will integrate with Microsoft Rights Management, understand and manage that service.

1.4. Get the Team Together

You may need to coordinate the efforts or input of several individuals in order to install Email Control Server. It depends on the size and organization of your company.

To install servers, you may need to coordinate System Administrators, Domain Administrators, and Network Administrators for your internal and external or DMZ network. You may also need to coordinate service providers or consultants, if you use them to manage parts of your infrastructure.

To install client software, you may need to coordinate System Administrators, Domain Administrators, and Help Desk personnel. You may also need to coordinate Human Resources personnel, Corporate Trainers and your Change Management Officer. You’ll need them for training users, creating support documents, and handling concerns about impacts on workflow and productivity.

To design good policies, you may need to coordinate Legal Counsel, Executive Management, Security Officers, your Change Management Officer and Human Resources personnel.


1.5. Get a Head Start on Prerequisites

Liquid Machines customers have found that a few prerequisites take extra time or deserve special attention. Start the planning and effort early for…

1.5.1. Acquiring the SSL Certificate

You may need to submit a purchasing request. You may need to provide the certificate vendor with company documents such as articles of incorporation. The certificate authority may try to contact your manager or supervisor.

1.5.2. Coordinating DNS Changes

You may need for one DNS name, say securemail.acme.com, to point to a different machine for your internal users than for computers on the Internet. This may require you to create multiple DNS views of your DNS domain. It may require creating new domains. You may need to work with your ISP to enact the changes.

Email Control Server requires DNS infrastructure in your internal network. WINS is not sufficient.

1.5.3. Configuring Firewalls

You may need to enable access from the Internet to the servers. You may need to enable communication between different servers. You may need to work with your ISP to enact the changes.

1.6. Get Your Users Ready

Have the right people let your users know what’s going on. A note from Executive Management about the need and the purpose might come first. Then IT or Human Resources staff can send a functional overview.

Give users a chance to express concerns and ask questions. Help them understand the paradigm shift, and the impacts on workflow.

Distribute user guides. Give users a chance to review them.


2. Getting Started

2.1. Starting the Administrative Console

1. Make sure you have installed Email Control Administrator on the server or workstation you will use.

2. Make sure your domain account is a member of the local Administrators group on the Email Control Server machine.

3. From the Start menu on the desktop, from Program Files, from Liquid Machines choose Liquid Machines Email Control Administration.

4. At the prompt, enter the common name of the policy service, for example securemail.acme.com.

5. The administrative console is displayed.

2.2. Using the Console Remotely

You can use Email Control Administrator from a remote workstation. You needn’t run it directly on the Email Control Server. There are some circumstances where you may have to specially configure it in order for it to work properly.

2.2.1. Connecting to a Different Server

Right-click on Liquid Machines Email Control Administrator and choose Connect to… In the dialog box, type in the name of the server you want to manage and click OK.


2.2.2. Connecting Using the Canonical Hostname

If you will use the canonical hostname of the Email Control Server to connect, rather than the “common name of the policy service,” then the connection will fail, because the hostname you use will not match the one assigned to the Email Control Server’s SSL certificate. You might do this if you had several Email Control Servers deployed in a high-availability configuration, and needed to change server-specific parameters.

You can get around this by configuring Email Control Administrator to use the HTTP protocol, instead of HTTPS, to contact the server. To do so, on your workstation, in the registry key \\HKEY_CURRENT_USER\SOFTWARE\Omniva\AdminTool, create a DWORD value labeled UnsecuredScheme, and set the value to 1.

Note that this does present a security risk. Information the Email Control Administrator sends to the Email Control Server will travel over the network in the clear. So for example the login name and password of the Mailbox User, something you need to create for advanced features discussed later, would travel in the clear.

2.2.3. Connecting from a Trusted Domain or Over VPN

If you are connecting from a trusted domain or over VPN, the Email Control Administrator may need help locating the appropriate domain controllers to contact for user information. If you experience this, you can set one or both of the following registry values to correct the problem.

- \\HKEY_CURRENT_USER\SOFTWARE\Omniva\AdminTool\OverrideDomain is a string value you should set to the NetBIOS name of the domain where the Email Control Server resides.

- \\HKEY_CURRENT_USER\SOFTWARE\Omniva\AdminTool\SidLookupMachine is a string value you should set to the NetBIOS or fully qualified DNS name of a domain controller. The domain controller should be in the domain where the Email Control Server resides, and your workstation should have network access to it.
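As an added example (not part of this guide or of the Liquid Machines software), the following PowerShell script audits the AdminTool registry values described in sections 2.2.2 and 2.2.3 on an administrator’s workstation, flags the HTTP override as cleartext transport, and sets the two domain-override values. The domain name ACME and the domain controller dc01.acme.corp are placeholders; the key path and value names are the ones the guide documents.

```powershell
# Added example, not from the Liquid Machines guide: audit and adjust the
# Email Control Administrator registry values from sections 2.2.2 and 2.2.3.
# Run on the administrator's workstation under the account that uses the console
# (the key lives under HKEY_CURRENT_USER). Domain and DC names are placeholders.

$AdminToolKey = 'HKCU:\SOFTWARE\Omniva\AdminTool'   # key path from the guide

function Get-AdminToolSettings {
    # Report the three documented values and flag the cleartext (HTTP) setting.
    if (-not (Test-Path -LiteralPath $AdminToolKey)) {
        Write-Warning "$AdminToolKey does not exist; the console is using its defaults (HTTPS)."
        return
    }
    $props = Get-ItemProperty -LiteralPath $AdminToolKey
    $result = [ordered]@{
        UnsecuredScheme  = $props.UnsecuredScheme      # DWORD: 1 = HTTP, absent/0 = HTTPS
        OverrideDomain   = $props.OverrideDomain       # string: NetBIOS domain of the server
        SidLookupMachine = $props.SidLookupMachine     # string: DC used for SID lookups
    }
    if ($result.UnsecuredScheme -eq 1) {
        Write-Warning 'UnsecuredScheme=1: console traffic, including the Mailbox User password, travels over HTTP in the clear.'
    }
    [pscustomobject]$result
}

function Set-AdminToolDomainOverride {
    # Point the console at the right domain and domain controller (section 2.2.3).
    param(
        [Parameter(Mandatory)][string]$NetBiosDomain,     # e.g. 'ACME' (placeholder)
        [Parameter(Mandatory)][string]$DomainController   # e.g. 'dc01.acme.corp' (placeholder)
    )
    if (-not (Test-Path -LiteralPath $AdminToolKey)) {
        New-Item -Path $AdminToolKey -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $AdminToolKey -Name 'OverrideDomain'   -Value $NetBiosDomain    -Type String
    Set-ItemProperty -LiteralPath $AdminToolKey -Name 'SidLookupMachine' -Value $DomainController -Type String
}

function Restore-AdminToolHttps {
    # Remove the HTTP override once the HTTPS hostname problem from 2.2.2 is resolved.
    if (Test-Path -LiteralPath $AdminToolKey) {
        Remove-ItemProperty -LiteralPath $AdminToolKey -Name 'UnsecuredScheme' -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder domain and domain controller):
Set-AdminToolDomainOverride -NetBiosDomain 'ACME' -DomainController 'dc01.acme.corp'
Get-AdminToolSettings | Format-List
```

Run the audit after any change to the console configuration; the cleartext warning is the signal to call Restore-AdminToolHttps as soon as the hostname mismatch from section 2.2.2 no longer applies.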

2.2.4. Multiple Users

Note that it is possible that more than one Administrator could be making changes to Policies, or to the Email Control Server configuration, at the same time. The Email Control Administrator offers no file locking, source control or other protections against this, so make sure you advise and coordinate personnel accordingly.


2.3. Starting the Policy Server Configuration Wizard

1. From the Start menu, choose Programs, then Liquid Machines, then Liquid Machines Policy Server Configuration.

2. You should recognize the wizard from the Email Control Server installation process.

3. Navigate through each screen, changing settings if you need to. Your current settings are already displayed.

4. Finish the wizard when you are done. Changes take effect immediately.


3. Email Control Server Components

Components are stand-alone applications. They need to be installed separately.

3.1. Email Control Server

As you can guess, Email Control Server handles all the Policy design and enforcement for your internal users. Most of this guide applies directly to its operation. You can find installation instructions for it in the Install Guides.

3.2. External Email Control Server

And, as you can guess, external Email Control Server handles enforcement and client-less operations for recipients outside your organization. Much of this guide applies directly to its operation. You can find installation instructions for it in the Install Guides.

3.3. Email Control Client

Email Control Client is a plug-in you install into your Outlook mail reader. It provides native viewing and offline capabilities for your end users.

Also, depending on how you choose to deploy Email Control Server and configure Policies, Email Control Client becomes the executor of enforcement. It’s the one that encrypts messages, prevents forwarding, and so on. Instructions to install are in the Installation Guides, and there is a cheat card for end users.

3.4. Universal Viewer

Universal Viewer is a service, provided by the Email Control Server or external Email Control Server, that allows recipients without Email Control Client to read protected emails. All they need is an HTML-compliant, graphical web browser. There is a cheat card for recipients on Universal Viewer in the Documentation folder of the software distribution.

3.5. Report Service

The Report Service is a function provided by the Email Control Server that allows you to track user behavior. You can read about how to configure it in Chapter 5, section 5.3.


3.6. Message Cleanup Tool

The Message Cleanup Tool interacts with your Exchange servers. It works through the Exchange information stores, and physically deletes all protected emails that have expired.

3.6.1. Requirements

Windows 2000, XP or 2003 operating system

-- and --

Outlook 97, Outlook 98, Outlook 2000, Outlook XP SP1

-- or --

Exchange 5.5, 2000 or 2003

You can install at most one Message Cleanup Tool on an Exchange server, or on another computer that will access a given Exchange server.

3.6.2. Installation

The installer is located on the distribution media, in the Tools folder, in the Message Cleanup Tool folder. The installer requires no special options, parameters, or input. When it finishes, it will run the configuration utility discussed below.

3.6.3. Configuration

You can access the configuration utility from the Start menu, from Settings, in the Control Panel. It’s the Omniva Message Cleanup Utility applet. There are three main configuration tabs where you can make changes. When you are done, click OK to save the changes.


3.6.3.i. Message Options

When it finds an expired message, you can choose whether the tool…

- Takes no action,
- Deletes the message completely,
- “Converts” the message, or
- Converts the message, and moves it to the user’s Deleted Items folder.

On the Message Options tab, select the radio button that corresponds to one of these options.

You can also have the tool wait a certain number of days to perform the action. Set the field at the bottom to the number of days that should pass after the message expires, before performing the action.

When the tool “converts” the message, it deletes the encrypted body and attachments, and replaces them with the simple text string “This message has expired.” That way, it takes up a lot less space.


3.6.3.ii. Attachment Options

Users might not apply security settings to attachments. On the Attachment Options tab, check the box to let expired messages with unexpired attachments stick around.


3.6.3.iii. Servers

On the Servers tab…

- Put in the name of the Exchange server you want to clean up.
- Put in the name of an internal Email Control Server.

3.6.4. How Often Does It Run?

That’s up to you. You need to schedule the tool to run with Windows Task Scheduler. Set it up according to your needs. The full path to the command line utility is C:\Program Files\Omniva\Message Cleanup\MessageCleanup.exe.
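The scheduling step, as an added example that is not part of the guide: a PowerShell script that registers MessageCleanup.exe as a daily task with schtasks.exe and then prints the stored definition for review. The task name, the 02:00 run time and the service account ACME\svc-msgcleanup are placeholders; the executable path is the one given above. The --% stop-parsing token needs PowerShell 3.0 or later; on an older host the two schtasks lines can be pasted into cmd.exe unchanged.

```powershell
# Added example, not from the Liquid Machines guide: register MessageCleanup.exe as a
# daily Windows scheduled task with schtasks.exe (present on Windows XP/2003 and later).
# Task name, run time and service account are placeholders; the executable path is the
# one the guide gives.

$ExePath = 'C:\Program Files\Omniva\Message Cleanup\MessageCleanup.exe'
if (-not (Test-Path -LiteralPath $ExePath)) {
    throw "Message Cleanup Tool not found at $ExePath; install it on this machine first."
}

# --% passes the rest of the line to schtasks.exe verbatim, which keeps the nested quotes
# around the path (it contains spaces) intact. /RP * makes schtasks prompt for the
# account's password instead of taking it on the command line, where it would be
# visible in shell history and process listings.
schtasks.exe --% /Create /F /TN "Omniva Message Cleanup" /SC DAILY /ST 02:00 /RU ACME\svc-msgcleanup /RP * /TR "\"C:\Program Files\Omniva\Message Cleanup\MessageCleanup.exe\""
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# Review the stored definition (run-as account, schedule, command) before leaving it in place.
schtasks.exe --% /Query /TN "Omniva Message Cleanup" /V /FO LIST
```

Use a dedicated account for the task rather than a shared administrator account: the task runs unattended against the Exchange information store, so the account should hold only the rights the Message Cleanup Tool needs, and the /Query output is where you confirm which account that actually is.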

3.6.5. So Where Do I Install It?

For every Exchange server you want to process, you need to either install this on that server, or on another computer that will access that server. You can install at most one instance of the Cleanup Tool on any given machine, and that instance can process at most one Exchange server.


3.7. Gateway for BlackBerry

Gateway for BlackBerry allows users on your corporate BlackBerry servers to send and receive protected emails.

3.7.1. Administrative Console

Log in to the BlackBerry server using the BESAdmin account. From the Start menu, in Programs, in Policy Gateway for BlackBerry, choose Policy Gateway for BlackBerry Service.

You can view the status of the Gateway. It should be assimilated into at least one virtual BlackBerry server, and active.

You can view statistics about the Gateway, such as how many messages have passed through it, and how many were protected emails.

In the pull-down menu at the bottom labeled Level, you can change the logging level. Click Apply to enact the changes.

3.7.2. Logging

We recommend you set logging to None unless you are troubleshooting.

Errors and warnings, which you can use to troubleshoot problems, are logged to the machine’s application event log.

Events and traces, which Liquid Machines Engineers can use to debug problems, are logged to files in %HOMEPATH%\Local Settings\Temp\OmnivaLogs, where %HOMEPATH% is the location of the BESAdmin account’s user profile. The filename extension is .log. Logging at this level causes the Liquid Machines service, the BlackBerry server, and the Liquid Machines administrative application all to log verbosely.


3.8. Client for BlackBerry Handhelds

This component does two things:

- Erases expired messages from the unit’s non-volatile memory (NVRAM).
- Provides a user-friendly interface for choosing Policy Categories to apply to messages. (You can also do this with auto-complete text. Search the Liquid Machines Support KnowledgeBase for more information on this.)

There is a cheat card for end users in the documentation.

3.9. Gateway for Exchange/SMTP

Gateway for Exchange/SMTP allows email passing through an Exchange server or Windows SMTP relay to be converted into protected emails based on certain criteria.

Gateway for SMTP can also decrypt protected emails, and attach the Policies governing them in a hidden format, so that they can later be re-encrypted for delivery. For example, you can set Gateway for SMTP to decrypt a 1-year expiring message, pass it through a content scanner for further processing, and then re-encrypt it with the 1-year expiration date, before delivering it to its final destination.

Gateway for Exchange can be placed in decryption mode, but this doesn’t make a lot of sense, and is not recommended.


3.9.1. Configuration

On the Gateway machine, in the Start menu, in the Omniva submenu, you will find the Omniva Policy Gateway for SMTP configuration tool. This tool allows you to change the parameters you entered when you first installed the Gateway. It also allows you to change the Gateway’s operating mode for each instance of the Windows SMTP Service on the machine.

Click Done when you have finished all configuration changes. You must restart the IIS Admin service for the changes to take effect.

3.9.1.i. Modes of Operation

If you right-click on the name of the SMTP Service instance and choose Properties, you can set the operating mode.


3.9.1.i.i. Active Mode

In this mode, Gateway for Exchange/SMTP processes messages as they pass through it. If the Gateway finds a hidden Policy attached, from a previous handling by another Gateway, it will use that Policy to control the message. Otherwise, it will process according to whatever Policies you have defined for it in Email Control Administrator.

3.9.1.i.ii. Decrypt Mode

In this mode, the Gateway will decrypt a protected email into a clear text format. It will attach an HTML file to the message that contains the original Policy, so that the Gateway may re-encrypt it later.

This mode makes sense on an SMTP relay, in a situation where you might want to decrypt messages leaving your organization. You can pass them through a content filter, and then re-encrypt them on the other side.

This mode may make less sense on an Exchange mailbox server. There is only one instance of the Gateway in this case, and mail may flow just from one mailbox to another, not out of the server. So no content filter can be inserted.

3.9.1.i.iii. Disabled Mode

In this mode, the Gateway does nothing, allowing the Exchange server or Windows SMTP Service to function normally without trying to encrypt, decrypt or otherwise handle messages.

3.9.1.ii. Updating Policies

Normally Gateway refreshes its Policies from the Email Control Server every 90 minutes. You can force it to update immediately by clicking the Update Gateway Policies Now button on the Configuration tool.


3.9.1.iii. Parameters

If you click the Edit… button, you can change the parameters you entered at install time, namely, the Gateway’s service accounts, the retention mailbox and Exchange server if any, and the administrative contact.

See the Install Guide for Gateway for Exchange/SMTP for more details on how these parameters are to be set.


3.9.2. About SMTP Routing

In order to successfully configure the Gateway on an SMTP relay, so that it can decrypt protected emails, pass them through a content filter, and then re-encrypt them, you must understand how to configure SMTP routing. For each link in the chain of email gateways, you must be able to configure the SMTP relay service for that gateway, so that it passes the email to the appropriate next link in the chain.

For example, suppose you already have a content filter in place, scanning for proprietary information in outbound email. The flow of your SMTP routing looks like this:

Exchange -> Content Filter -> Internet

Here, you’ve configured the SMTP Internet Connector on Exchange to use the Content Filter as its “smarthost.”


If you want to add the Liquid Machines Gateway for SMTP into this architecture, so that it decrypts email, hands it to the content filter, and then re-encrypts it, the email flow will then look like this:

Exchange -> Liquid Machines Decryptor -> Content Filter -> Liquid Machines Encryptor -> Internet

Here, you’ve configured the SMTP Internet Connector on Exchange to use the Liquid Machines Decryptor as its smarthost. And the Liquid Machines Decryptor uses the Content Filter as its smarthost. And the Content Filter uses the Encryptor as its smarthost.

You don’t necessarily need to put each link in this chain on a separate Windows server. When you configure an SMTP relay or connector for inbound traffic, you can ask it to listen on a non-standard TCP port. And when you configure one to use a smarthost for outbound traffic, you can ask it to send to a non-standard TCP port on that smarthost. It may be possible for you to install the Content Filter and two instances of a Windows SMTP Service relay all on the same machine, and configure them to pass email to each other on these non-standard ports. A single installation of Policy Gateway for SMTP will allow you to manage the operating modes for all the Windows relay instances, so you only have to install it once on a particular server.

SMTP Routing can be complex and difficult, especially if your network is complex or your organization is large. If you are unfamiliar with the terms or ideas above, or unsure about the nature of SMTP routing in your message transport architecture (MTA), be sure to get consultation and approval from your email system administrators before you make any routing changes.

Consult Liquid Machines Technical Support if you need more information, training or advice.
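Before changing routing, a practitioner would want to confirm that each link can actually reach its configured smarthost, and that no two links have been pointed at the same listener. The following is an added PowerShell example, not part of the guide or the product, that walks an ordered description of the chain above and tests a TCP connection to each next hop. relay01.acme.corp, filter01.acme.corp and the ports 2525 and 2526 are placeholders for co-located relay instances listening on non-standard ports.

```powershell
# Added example, not from the Liquid Machines guide: check that every link in an SMTP
# relay chain can reach its configured smarthost on the expected TCP port before a
# routing change goes live. Host names and ports are placeholders for the
# Exchange -> Decryptor -> Content Filter -> Encryptor -> Internet chain of section 3.9.2.

# Each hop: the link's name and the smarthost (host:port) it should hand mail to next.
# The two relay instances on relay01 use distinct non-standard listener ports.
$Chain = @(
    @{ Name = 'Exchange (Internet Connector)'; SmartHost = 'relay01.acme.corp';  Port = 2525 },
    @{ Name = 'Liquid Machines Decryptor';     SmartHost = 'filter01.acme.corp'; Port = 25   },
    @{ Name = 'Content Filter';                SmartHost = 'relay01.acme.corp';  Port = 2526 },
    @{ Name = 'Liquid Machines Encryptor';     SmartHost = $null;                Port = $null }  # delivers to the Internet via MX
)

function Test-TcpPort {
    # True if a TCP connection to $TargetHost:$Port completes within the timeout.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false        # DNS failure or connection refused
    } finally {
        $client.Close()
    }
}

function Test-SmartHostChain {
    param([array]$Hops)
    # Two links pointing at the same host:port would merge hops, so flag that first.
    $nextHops = $Hops | Where-Object { $_.SmartHost } | ForEach-Object { "$($_.SmartHost):$($_.Port)" }
    $dupes = $nextHops | Group-Object | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) {
        Write-Warning "Smarthost $($d.Name) is the next hop for more than one link; check the port assignments."
    }

    foreach ($hop in $Hops) {
        if (-not $hop.SmartHost) {
            [pscustomobject]@{ Link = $hop.Name; NextHop = '(MX lookup)'; Reachable = 'n/a' }
            continue
        }
        $ok = Test-TcpPort -TargetHost $hop.SmartHost -Port $hop.Port
        [pscustomobject]@{ Link = $hop.Name; NextHop = "$($hop.SmartHost):$($hop.Port)"; Reachable = $ok }
    }
}

Test-SmartHostChain -Hops $Chain | Format-Table -AutoSize
```

A link reported as Reachable = False, or a duplicate next-hop warning, points at the connector or listener configuration to revisit with the email administrators before the change. A TCP connect only shows that the port is open, not that the relay will accept and route the mail, so follow it with a test message sent end to end.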


3.9.3. Logging

Gateway for Exchange/SMTP logs trace level events to the c:\WINNT\Temp\OmnivaLogs folder in files whose names begin with sg_. There is one file for each restarted session of the Gateway.

Gateway for Exchange/SMTP logs an event to the machine application event log when the Gateway is restarted, and when it encounters an error severe enough that it delays message delivery for 60 seconds before retrying.


3.10. Email Archive Gateway

Email Archive Gateway allows you to decide whether the copy sent to the archive, of any protected email, is stored encrypted or as clear text. The setting is embedded in each protected email as it is generated. You can control which Email Control Client users, or whether Gateway for Exchange/SMTP or Gateway for BlackBerry, receive the setting by editing the Policy that applies to them. The setting is located on the Archiving tab in the Policy dialog box.

Email Archive Gateway works with the KVS Journaling Service. If you install Email Archive Gateway on a KVS Server, and the Server runs an instance of the Journaling Service, then the Gateway will handle all email that arrives in the mailbox to which the Journaling Service is attached. So, you could attach the Journaling Service to the mailbox you set up for the Liquid Machines Exchange retention feature. Or you could enable Microsoft’s journaling on Exchange, and attach KVS to the Exchange mailbox configured for it. Either way, Email Archive Gateway will appropriately handle all email that flows through the mailbox.

Email Archive Gateway does not work with KVS Archiving Service. You should familiarize yourself with the different KVS services, so you can create an archiving strategy that best uses Email Control.

3.10.1. Intelligent Archiving via Message Headers

Email Archive Gateway can change the archive retention policy of a message entering the archive, based on the presence of certain message headers. That is to say, the Gateway can control how the archive handles the message, based on the presence of the message header.

To accomplish this requires two steps:

1. Within your KVS archival installation, create the different archive retention categories you need. Refer to your KVS documentation for instructions.

2. Within your Liquid Machines Email Control policies, configure Policy Rules to automatically add an SMTP header to messages, a header that corresponds to the archive retention category. Specifically…

- The name of the header is x-omniva-retention-category.
- The value of the header should be the name of the retention category exactly as you configured it in KVS.
- You can also add the header x-omniva-do-not-archive, setting its value to true, and then the message will not be archived at all.

You can read more about Policy Rules in Chapter 6. Also, check the Liquid Machines Support web site for more information on intelligent archiving.
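To see how the two headers interact, here is an added PowerShell example (not code from the guide or from Email Archive Gateway): it parses the header block of a raw message and applies the rules above, treating x-omniva-do-not-archive=true as an instruction to skip the archive and matching x-omniva-retention-category case-sensitively against a constructed list of KVS category names. Standard-1Year, Legal-Hold-7Year and Transient-30Day are placeholders, as is the sample message.

```powershell
# Added example, not from the Liquid Machines guide: parse the headers of a journaled
# message and decide how the section 3.10.1 rules would classify it. The KVS category
# names and the sample message are constructed placeholders.

# Retention categories assumed to exist in KVS (names must match exactly, as the guide notes).
$KvsCategories = @('Standard-1Year', 'Legal-Hold-7Year', 'Transient-30Day')

function Get-MessageHeaders {
    # Parse the RFC 822 header block of a raw message, unfolding continuation lines.
    param([string]$RawMessage)
    $headers = @{}
    $last = $null
    foreach ($line in ($RawMessage -split "`r?`n")) {
        if ($line -eq '') { break }                        # blank line ends the header block
        if ($line -match '^[ \t]+(.*)$' -and $last) {      # folded continuation line
            $headers[$last] += ' ' + $Matches[1].Trim()
        } elseif ($line -match '^([^:\s]+):\s*(.*)$') {
            $last = $Matches[1].ToLowerInvariant()         # header names are case-insensitive
            $headers[$last] = $Matches[2].Trim()
        }
    }
    $headers
}

function Get-ArchiveDecision {
    # x-omniva-do-not-archive=true wins; otherwise a recognised x-omniva-retention-category
    # selects the KVS category; anything else falls back to the default category.
    param([hashtable]$Headers, [string[]]$KnownCategories, [string]$DefaultCategory = 'Standard-1Year')
    if ($Headers['x-omniva-do-not-archive'] -eq 'true') {
        return [pscustomobject]@{ Action = 'Skip'; Category = $null; Note = 'do-not-archive header set' }
    }
    $cat = $Headers['x-omniva-retention-category']
    if (-not $cat) {
        return [pscustomobject]@{ Action = 'Archive'; Category = $DefaultCategory; Note = 'no retention header' }
    }
    if ($KnownCategories -ccontains $cat) {                # case-sensitive: must match KVS exactly
        return [pscustomobject]@{ Action = 'Archive'; Category = $cat; Note = 'header matched KVS category' }
    }
    # A category the archive does not know means the Policy Rule and KVS have drifted apart.
    [pscustomobject]@{ Action = 'Archive'; Category = $DefaultCategory; Note = "unknown category '$cat'; review Policy Rules" }
}

# Constructed sample message (not a real capture).
$Sample = @"
From: alice@acme.example
To: bob@partner.example
Subject: Q3 contract
x-omniva-retention-category: Legal-Hold-7Year
Date: Mon, 1 Aug 2005 09:00:00 -0400

This message has expired.
"@

$h = Get-MessageHeaders -RawMessage $Sample
Get-ArchiveDecision -Headers $h -KnownCategories $KvsCategories
```

The case to watch for is the last branch: a category name the archive does not recognise means the Policy Rule and the KVS configuration no longer agree, and the message silently falls back to the default retention instead of the one the policy intended.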

3.10.2. Logging

To enable logging in Email Archive Gateway, in the Windows registry, in the key \\HKEY_LOCAL_MACHINE\SOFTWARE\Omniva\KVS, create a string value labeled LogLevel and set its value to Debug. Files are logged to c:\ArchiveFilter.log.


4. Special Features

Note that some features can be accessed from the Email Control Server Administration console. Some others require you to run the Policy Server Configuration Wizard.

4.1. Message Contents Features

Message contents features affect the experience only for Universal Viewer. Part of the technology involves your internal Email Control Server communicating with your Exchange servers, and your external Email Control Server initiating communication with your internal Email Control Server. Ask your Exchange Administrators and your Security Officer for their perspective and input on this.

4.2. To Access the Features…

Start the administrative console. Expand the Liquid Machines Email Control Administrator folder. Then right-click on the Configuration folder, and choose Properties from the pop-up menu. Features are displayed on the Messages tab of the Configuration Properties dialog box.


4.2.1. Message Body Retrieved from Exchange

If you check the box labeled Do not send HTML attachment, you enable this feature.

4.2.1.i. Requirements

- The Email Control Server must be able to contact all Exchange servers in your organization.
- The external Email Control Server must be able to initiate HTTP or HTTPS communication with the Email Control Server.
- You must configure policy mailboxes and the mailbox user, as documented below.

If you have Exchange 5.5 servers…

- You must install Outlook 2000 or above on the Email Control Server.
- You must choose a custom installation, and include the Collaboration Data Objects component.
- The Mailbox User (see below) must be able to log on as a service to the Email Control Server.
- On the Email Control Server, Outlook must be configured as the default mail application for the Mailbox User, and the Mailbox User must have successfully started it and logged in at least once.

4.2.1.ii. What Does It Do?

For some mail readers and web browsers, Universal Viewer cannot render the message natively in a window. Instead, it prompts the user to open the attached file called message_contents.html.

With this feature turned on, message_contents.html is not sent as part of the protected email. Instead, users are prompted to click a hyperlink in the body of the email. When the Email Control Server receives this request, it fetches the original message right out of the Exchange server. Then it decrypts and renders this original message, and sends it back to the user.

4.2.1.iii. What’s the Value?

Some companies block HTML attachments from entering their mail system. So the message_contents.html attachment gets removed, and the users with these certain mail readers can’t read the message. Sometimes the companies block the entire message, so it never even gets to the recipient. You can get around that with this feature.

4.2.1.iv. The Tech Scoop

Messages can’t be rendered “natively” in certain mail readers because it requires advanced HTML code the mail reader doesn’t understand.

Email Control Server stores a copy of the encrypted message in a special mailbox on the Exchange server. Then it puts information about where to find the message in the “envelope” along with the message. Later, Universal Viewer can use the information in the envelope to find and retrieve the message from Exchange.


4.2.2. Attachments Retrieved from Exchange

If you check the box labeled Get message attachments from Exchange server, you enable this feature.

4.2.2.i. Requirements

The requirements are the same as for the first feature.

4.2.2.ii. What Does It Do?

If there are attachments to the protected email, Universal Viewer will provide hyperlinks for each one, at the top of the message body. When a user clicks on a hyperlink, Email Control Server retrieves the attachment right out of the Exchange server. Then it decrypts it and sends it back to the user.

4.2.2.iii. What’s the Value?

Users don’t have to install Attachment Reader for Windows in order to view encrypted attachments.

4.2.2.iv. The Tech Scoop

Email Control Server stores a copy of the encrypted attachment in a special mailbox on the Exchange server. Then it puts information about where to find the attachment in the “envelope” along with the message. Later, Universal Viewer can use the information in the envelope to find and retrieve the attachment.

4.2.3. Messages Retained in Central Location

When you configure Policy Mailboxes, if you specified a retention mailbox for a particular Exchange server, then you enabled this feature for all users on that server. See “Policy Mailboxes and the Mailbox User” below for more instructions.

This feature can offer you a basic archiving system. If you need a professional solution, Liquid Machines offers a Gateway for the KVS Enterprise Vault archiving system that can help you maximize its value as well as protect your messages.

4.2.3.i. Requirements

You only need to set up one policy mailbox and the mailbox user. You can set up more than one mailbox if you have more than one Exchange server.

4.2.3.ii. What Does It Do?

A copy of every protected email is sent to the mailbox.


4.2.3.iii. What’s the Value?

Your company policies may require that documents be shredded after a certain time, but that they must be kept until that time. With this feature, even if all users delete their copies, you still have this one. Until it expires, that is. And you can search all the records right in one place.

4.2.3.iv. The Tech Scoop

Client and Gateway applications send a copy of every protected email to the email address of the mailbox.

If you have a lot of Exchange servers, placing the mailbox on any one server might overwhelm its storage capacity. You should consider deploying a separate Exchange server as your “archive server,” and place the mailbox there. Or you can have a different retention mailbox for each server. Read more about it in the “What About Space Requirements?” section below.

4.2.4. Policy Mailboxes and the Mailbox User

4.2.4.i. The Mailbox User

In the Windows NT trust realm or Active Directory forest where the Email Control Server resides, create a normal user account. You do not need to create a mailbox for the account. This user will be given permission to access all the Policy Mailboxes.

4.2.4.ii. The Policy Mailboxes

If you will use either of the “retrieved from Exchange” features, you must create a mailbox on each Exchange server in your organization. You must also change the permissions on each mailbox so that the Mailbox User can access them. (If not everyone in your company will use Email Control Client or Client for BlackBerry, you don’t need as many mailboxes. You only need one for each Exchange server where client users’ mailboxes reside.)

If you will use only the “Retained in Central Location” feature, you can create only one mailbox, or a few as suits your needs. Read the sections below on “Why So Many Mailboxes?” and “What About Space Requirements?” in order to help inform your decision.

Make sure you don’t put quotas on these special mailboxes, or if you do, put ones that reflect their increased capacity needs.


4.2.4.iii. Configuring Email Control Server

1. On the Messages tab, click the Change… button.

2. In the Exchange Account dialog box that pops up, type in the authentication information for the mailbox user, then click OK.

3. On the Messages tab, click the Add… button.

4. In the Exchange Mailboxes dialog that pops up, type in the…

   - Fully qualified hostname of an Exchange server,
   - The SMTP email address of the policy mailbox you created on that server, and
   - The SMTP email address of the policy mailbox you created for retention.

5. Click OK to close the dialog. Repeat this process for every relevant Exchange server. Be sure to close the Messages window when you are done.

You can use the Edit button on the Messages tab to change the mailboxes for a particular Exchange server, or you can use the Delete button to remove an Exchange server.

Note that if your DNS records contain multiple aliases for an Exchange server, and Outlook clients have been configured with these aliases, you must add an entry like the one above for each alias. You can and should use the same policy mailbox and retention box for each alias.


4.2.4.iv. Why So Many Mailboxes?

First of all, why any mailbox at all? Suppose that everyone in the company deletes their copy of the message. Even the sender deletes it from his Sent Items folder. But then some external recipient tries to read the message. How is Universal Viewer supposed to retrieve it? If Email Control Server stores a copy in a special box, then it can protect against this happening.

Now, why one for each Exchange server? First of all, remember that Email Control Server includes information, about how to retrieve a message body or an attachment from Exchange, in the protected email “envelope.” It’s actually the Email Control Client or Gateway that does this. It turns out that these components can only know the retrieval information for the Exchange server to which they are connected via a MAPI session. They can’t learn any message IDs for other servers in the organization. So you need to have a Policy Mailbox on that same server, which means lots of mailboxes if you have lots of servers.

4.2.4.v. What About Space Requirements?

The answer is “It depends.”

Exchange uses a technology called single-instance storage to save space. For each information store, it only keeps one copy of the actual message data on disk. Then it puts “pointers” to that copy in every appropriate mailbox. So the copy in the Policy Mailbox is really just a pointer. What this means is that, no matter how many “copies” of the message you have on a given server, only enough space to house one copy of the message is actually taken up.

Whether you actually end up using more space depends on how long you will need to retain messages, how long your users usually keep them around anyway, and whether it’s a Client or Gateway that’s creating the messages. If you are going to make all messages expire in 90 days, and your Email Control Client users have the habit of keeping items in their Sent Items folder for 6 months to a year, then your space requirement will not increase. If you are going to make all messages expire after 9 months, but you generally encourage your users to archive or delete messages after 30 days, your storage requirements will increase. Also, if you have a single Gateway encrypting messages, then storage will all occur on the one Exchange server to which the Gateway is connected.

If you are using only the “Retained in Central Location” feature, you can take a different approach to storage requirements. You can create one or more new Exchange servers as sort of “archive servers.” You provision them with plenty of disk space, and you place only the retention mailboxes on those servers.

Make sure you don’t put quotas on special mailboxes.


4.3. Hide Universal Viewer Image Feature

As you know, Universal Viewer offers a transparent experience for most email readers, even without the Email Control Client for Outlook installed. Messages render right in a recipient’s reading window, and

require the recipient to take no action in order for that to happen. But for a minority of older or esoteric

email readers, the recipient must click once on a link, or open an attachment, in order to read the message.

The “Hide Universal Viewer Image” feature allows you to turn off this transparency, and force all Universal Viewer recipients to click a link or open an attachment in order to view the messages. Liquid Machines customers have experienced the following issues in the field, for which this might be an appropriate solution:

- Recipients have security settings turned on in their email readers that disable the transparent rendering, and do so in a way that disrupts or hides the one-click alternative.

- Recipients prefer a clearer warning, or prefer to take deliberate action, before reading protected messages.

- Replying to a protected message when using Outlook with Word as the editor creates a long delay while the compose window launches.

- Users with Email Control Client installed, on Outlook 2003 with Windows XP SP2, find themselves periodically prompted for their login credentials, for no apparent reason.

4.3.1. To Access the Feature…

1. Start the administrative console. Expand the Liquid Machines Email Control Administrator

folder. Then right-click on the Configuration folder, and choose Properties from the pop-up

menu. Navigate to the Advanced tab of the Configuration Properties dialog box.

2. Check the box labeled Hide Universal View Image in policy messages.

3. Click OK when you are done.

Clients and Gateways must be restarted in order to pick up this change. The feature only affects messages composed after Clients and Gateways have picked up the new setting.


4.4. Pass Through Authentication Feature

This feature allows the external Email Control Server to handle requests normally meant for the internal Email Control Server. The requests “pass through” to the internal server, which honors them and passes

the data back.

This feature requires the external server to be able to initiate HTTP or HTTPS connections to the internal server. Because this opens a path from the externally reachable server into the internal network, have your Network Administrator restrict the firewall and router rules to traffic from the external server to the internal server alone, and prefer HTTPS (see the Secure Communications feature in section 4.5) so that the relayed credentials and keys are not carried in clear text. Consult your Security Officer before enabling this feature.

4.4.1. To enable the feature…

1. Start the Policy Server Configuration Wizard on the external server. Navigate to the second screen.

2. Check the box labeled “Pass through authentication.”

3. Enter the IP address of the internal server (any one, if you have several).

4. Then finish the wizard.


4.4.2. What’s the Value?

It lets traffic meant for the internal Email Control Server originate from outside your company network.

For example, a company employee is using Outlook Web Access (OWA) to read a message from an airport kiosk. He needs to authenticate using his company Windows domain credentials. So the external server

catches the request and passes it in to the internal server. Or a company employee has installed Email

Control Client on his home computer. His network setup resolves the name of the external server as if he

were a computer on the Internet. The external server catches the requests from the client – for keys, for

policy settings – and passes them in.

4.5. Secure Communications Feature

This feature encrypts network traffic between the internal and external Email Control Servers using the Secure Sockets Layer (SSL) protocol. If the external server relays requests to the internal one (the Pass Through Authentication feature, section 4.4), those requests travel over this link, so enabling it is the way to keep them out of clear text.

Start the Policy Server Configuration Wizard on the internal Email Control Server. Navigate to the last screen. Enable the feature with the checkbox in the section labeled Protocol Encryption Options. When you are done, be sure to finish the wizard.

Then do the same on the external server: the feature is only fully enabled when both servers have the setting turned on.


4.6. Outlook Delegate Access

This feature allows assistants, who have Outlook delegate access to a supervisor’s mailbox, to have the same access to confidential messages as the supervisor. For example, suppose Fred Jensen, VP of Sales,

delegates access to his mailbox, through the standard Outlook mechanism, to his assistant Helga. If you

enable this feature, then Helga will be able to read recipient-confidential messages, and “VP’s Only”

group-confidential messages, sent to Fred.

This feature requires that both the supervisor and the assistant have Email Control Client installed.

Removing delegation in Outlook is not by itself enough to revoke the delegate's access to protected email:

- After you remove delegation, the delegator must also change his Windows network password in order to completely remove the delegate's ability to read protected emails.

- The delegate's client will have cached keys, so the delegate may still be able to read old protected emails in the delegator's folders. Remove the delegate's key cache to close this gap.

1. Start the administrative console. Expand the Liquid Machines Email Control Administrator folder. Then right-click on the Configuration folder, and choose Properties from the pop-up menu.

2. In the Configuration Properties dialog box, select the Advanced tab.

3. Check the Extend confidentiality to delegates checkbox.

4. Click OK to close the Properties dialog box.


4.7. Exchange Org Bridge

In its basic configuration, Email Control Server generally considers the Exchange Organization as its measure of what the “company” is. That is, it sees mailbox-enabled users in the Organization as internal

recipients, and others, even contacts and other mail-enabled (but not mailbox-enabled) objects, as external

recipients.

But this may not work for you. As a result of acquisitions, ethical walls or other history, you may have more than one Exchange Organization serving your company. You don't want Email Control Server to treat the users in one Organization as “foreign” to another Organization: you don't want them to receive external recipient registration messages, or to be blocked from reading a group-confidential message. If that's the case, you want to configure the Exchange Org Bridge feature.

4.7.1. What Does It Do?

Email Control Server relies on being able to associate a user’s Windows login credentials with their email address. And it does that by looking at the values in particular fields within your Exchange 5.5

Organization (5.5 Org) or Active Directory (AD) database. If you have more than one Organization, there

is no single database where all users (with the right fields put in) are listed. For example, a user with a

mailbox in 5.5 Org “SPERRY” is probably listed as a contact in AD “BURROUGHS.” Which means that an Email Control Server integrated with “BURROUGHS” won’t know what that user’s Windows login

credentials are.

The Exchange Org Bridge feature allows Email Control Server to connect all the databases together. You

provide Email Control Server with the ability to access the directory – communicate with an “LDAP” server – for each Organization. Then you configure it with a table of your Exchange Organizations,

Windows NT or Active Directory domains, and the SMTP domains and aliases you house, in a way that

ties them all together.


4.7.2. Requirements

- If a certain Email Control Server will handle a certain user when they read messages, that Email Control Server must reside in a Windows NT or Active Directory domain that trusts the domain where the user's Windows account resides. So if Email Control Server is in the SPERRY domain, and BURROUGHS\jsmith connects to it, SPERRY needs to trust BURROUGHS.

- For a given internal recipient, any email alias assigned to them that some other internal sender will use must be listed in their Exchange directory as an alias for their mailbox. For example, suppose Bob's real email address in Exchange is [email protected], and his buddy John's real email address is [email protected]. But Bob can also receive email sent to [email protected], and this is the SMTP address John often uses when sending email to Bob. [email protected] needs to be listed as a valid SMTP address in the properties of Bob's Exchange mailbox.

- The Windows account with which a user connects to Email Control Server must be the primary account on their mailbox. Just being one of the accounts on the mailbox's permissions list is not sufficient.

- In an Exchange 2000 or 2003 Organization, it's OK if the account credentials exist in the msExchMasterAccountSid attribute of the mailbox, or in the sIDHistory attribute of the primary Windows account associated with the mailbox. If you are unfamiliar with what these terms mean, you can contact Liquid Machines Technical Support, or read about Active Directory Migration Strategies on the Microsoft Active Directory web site.


4.7.3. Preparation

1. In each Exchange Organization you will support, create a user account and mailbox especially for use with this feature. Give this service account no privileges beyond what the next step requires; it should not be a member of any administrative group.

2. Make sure this user can make LDAP queries in the AD or 5.5 Org where it resides. The user should be able to query and read all user object properties. (You shouldn't have to do anything for this if your Active Directory or Exchange 5.5 installation is “out of the box.” You have to do extra domain configuration work to restrict access to these queries.)

3. Make sure the Email Control Server can access at least one directory server via the LDAP protocol. This is typically TCP port 389. In a 5.5 Org, this “LDAP” server is an Exchange server. For Exchange 2000 or 2003 it will be an Active Directory Global Catalog server. Note that a Global Catalog server answers forest-wide queries on TCP port 3268, while port 389 on the same host returns only its own domain partition; if your firewall allows only 389 and users from other domains in the forest fail to resolve, check which port the queries are actually using. (Again, if you are “out of the box,” and there are no firewalls in the way, this shouldn't be an issue.)

4. Make sure you have a list of all the Windows NetBIOS domain names and SMTP domains that each

Organization supports.

4.7.4. Configuration

1. In Email Control Administrator, right-click on Configuration and choose Properties. Navigate to the Exchange Organizations tab.


2. Right-click on Exchange Organizations and choose New…

Type in the fully qualified host name of an LDAP server for this Organization. Also type in the

domain-qualified login name and password for the service account you created for this Organization, for use with this feature. Click OK when you are done.

3. Expand the node labeled with the host name you used in step 2.

4. Right-click on NT Domains underneath the LDAP server name, and choose New…

Type in the NetBIOS domain name of one of the Windows user account domains that this

Organization serves. Click OK to save it. Repeat this action for all Windows account domains this

Organization serves.


5. Right-click on SMTP Domains underneath the LDAP server name, and choose New…

Type in the SMTP domain name of one of the SMTP domains this Organization serves. Click OK

to save it. Repeat this action for all SMTP domains served by this Organization.

6. Repeat steps 2 through 5 for each Exchange Organization in your company.

7. If you expand the NT Domains or SMTP Domains nodes under any Organization’s LDAP server,

you can see the list of names you input.

If you want to delete a name, right-click and choose Delete.

8. Click OK to save the Configuration properties.


4.7.5. More About SMTP and NT Domains

To be clearer about which NT Domains and SMTP Domains need to be listed:

- When users access an Exchange mailbox, they use some Windows login credentials, and those credentials reside in a Windows domain. For any given Organization, you have to list every Windows domain containing accounts that might be used to access its mailboxes.

- An Exchange mailbox has one or more SMTP email addresses associated with it. For example, a mailbox might have [email protected], [email protected], [email protected] and [email protected] all associated with it. For any given Organization, you have to list every SMTP domain that any mailbox alias falls into. So in this example you have to list at least acme.com, eng.acme.com and acmeinc.com.

If you need help with planning and deployment in a company with multiple Exchange Organizations,

please contact Liquid Machines Professional Services for assistance.
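As an added example that is not part of this guide and not Liquid Machines code, the following Python models the lookups the Org Bridge table has to support for the Requirements in 4.7.2 and the domain lists in 4.7.5: which Organization to query for a given SMTP address or NETBIOS\user, whether an alias a sender uses is actually listed on a mailbox, which mailbox a connecting account's SID resolves to (primary account, msExchMasterAccountSid or sIDHistory), and which SMTP domains must be listed given a set of aliases. It makes no directory calls; the MailboxEntry values are constructed stand-ins for what LDAP queries for proxyAddresses, objectSid, msExchMasterAccountSid and sIDHistory would return. The LDAP hosts (gc.sperry.example, ex55.burroughs.example), domains, accounts and SIDs are invented; the Organization names echo the SPERRY/BURROUGHS example above.

```python
"""Exchange Org Bridge lookups modelled in Python (added example, not product code).

Section 4.7 ties each Organization's LDAP host to the NT domains and SMTP domains
it serves, so that a sender's SMTP address and a reader's Windows credentials
resolve to one mailbox across Organizations. Nothing here talks to a directory:
the entries are constructed stand-ins for what a Global Catalog or Exchange 5.5
directory returns, using attribute names from the guide (proxyAddresses,
msExchMasterAccountSid, sIDHistory). Hosts, domains, users and SIDs are invented.
"""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class MailboxEntry:
    ldap_host: str              # Organization whose directory holds the mailbox
    nt_account: str             # primary Windows account, NETBIOS\user
    object_sid: str             # objectSid of that primary account
    proxy_addresses: list[str]  # every SMTP alias on the mailbox
    master_account_sid: str | None = None                 # msExchMasterAccountSid
    sid_history: list[str] = field(default_factory=list)  # primary account's sIDHistory

def required_smtp_domains(aliases: list[str]) -> list[str]:
    """4.7.5: every SMTP domain that any mailbox alias falls into must be listed."""
    return sorted({a.rsplit("@", 1)[-1].lower() for a in aliases})

class OrgBridge:
    """The per-Organization table typed into the Exchange Organizations tab."""

    def __init__(self) -> None:
        self.nt_domains: dict[str, set[str]] = {}    # ldap_host -> NetBIOS domain names
        self.smtp_domains: dict[str, set[str]] = {}  # ldap_host -> SMTP domains
        self.directory: list[MailboxEntry] = []      # what LDAP queries would return

    def add_org(self, ldap_host: str, nt_domains: list[str], smtp_domains: list[str]) -> None:
        self.nt_domains[ldap_host] = {d.upper() for d in nt_domains}
        self.smtp_domains[ldap_host] = {d.lower() for d in smtp_domains}

    def org_for_address(self, address: str) -> str | None:
        """Organization to query for an SMTP address; None means an external recipient."""
        domain = address.rsplit("@", 1)[-1].lower()
        return next((h for h, d in self.smtp_domains.items() if domain in d), None)

    def org_for_account(self, nt_account: str) -> str | None:
        """Organization whose directory holds the mailbox for NETBIOS\\user."""
        netbios = nt_account.split("\\", 1)[0].upper()
        return next((h for h, d in self.nt_domains.items() if netbios in d), None)

    def mailbox_for_address(self, address: str) -> MailboxEntry | None:
        """4.7.2: an alias resolves only if it is on the mailbox's proxyAddresses."""
        host = self.org_for_address(address)
        return next((e for e in self.directory if e.ldap_host == host and
                     address.lower() in (p.lower() for p in e.proxy_addresses)), None)

    def mailbox_for_sid(self, sid: str) -> MailboxEntry | None:
        """4.7.2: the connecting account must be the mailbox's primary account, or be
        named in msExchMasterAccountSid or in the primary account's sIDHistory."""
        return next((e for e in self.directory
                     if sid in (e.object_sid, e.master_account_sid, *e.sid_history)), None)

    def unlisted_aliases(self, used: list[str]) -> list[str]:
        """Internal addresses that senders use but that no mailbox lists as an alias."""
        return [a for a in used if self.org_for_address(a) and not self.mailbox_for_address(a)]

def build_demo() -> OrgBridge:
    """Two Organizations, named after the guide's SPERRY / BURROUGHS example."""
    bridge = OrgBridge()
    bridge.add_org("gc.sperry.example", ["SPERRY"], ["acme.com", "eng.acme.com"])
    bridge.add_org("ex55.burroughs.example", ["BURROUGHS", "BURROUGHS-NT"], ["acmeinc.com"])
    bridge.directory += [
        MailboxEntry("gc.sperry.example", "SPERRY\\bob", "S-1-5-21-1-2-3-1104",
                     ["bob@acme.com", "bob@eng.acme.com"],
                     sid_history=["S-1-5-21-9-9-9-500"]),  # account migrated from an old domain
        MailboxEntry("ex55.burroughs.example", "BURROUGHS\\jsmith", "S-1-5-21-4-5-6-2001",
                     ["jsmith@acmeinc.com"], master_account_sid="S-1-5-21-1-2-3-7777"),
    ]
    return bridge
```

Run required_smtp_domains over the complete alias list exported from each Organization before filling in its SMTP Domains node. Any address unlisted_aliases returns is one that senders use but the bridge cannot resolve, which is exactly the failure case the second requirement in 4.7.2 describes; the fix is to add that address to the mailbox's proxy addresses, not to the bridge table.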


5. Microsoft Rights Management Integration

You can now integrate Liquid Machines Email Control with your Microsoft Rights Management Services

(RMS) installation. A single configuration setting switches you over to using Microsoft RMS encryption, servers and authentication technologies to protect messages. Your Policies and Rules continue to function

exactly as you would expect. Liquid Machines Email Control Server brings you centralized and automated

management of policies, while RMS brings you additional control features and Microsoft core platform

technology.

Here are some things to be aware of when you choose to integrate with Microsoft RM:

- You now have much greater control over Office documents. You can enforce print-blocking, confidentiality, retention and other security features even when viewing an Office attachment.

- You no longer install the Liquid Machines Email Control Client, but rather Microsoft Office 2003 and the Microsoft RM Client, or the RM Client and the RM add-in for Internet Explorer. This becomes your protected mail reader or Universal Viewing technology.

- All Policies will be applied by a Policy Gateway product, according to Policy Rules you configure.

- Rights Management core technology does not provide for forensic deletion. Although expired messages will be inaccessible in the normal world, a computer forensics expert might be able to recover them from the server storage media.

- If you wish to interact with recipients outside your organization, you will need to publish your Rights Management servers according to one of several Microsoft-recommended practices. You will not need to deploy an external Email Control Server.

The following features and components are not supported with Rights Management Integration:

- Message Contents Features

- BlackBerries or the Gateway for BlackBerry

- Outlook delegation

- Email Archive Gateway

- Message Clean-up Tool

- Logging “access denied” events to the Report Service

- Discovery Tools

Some components have no relevant functionality when installed within an RM-integrated context, for

example Email Control Client or Pass-through authentication.

Some of these features have analogs within the basic Rights Management infrastructure. For example,

Pass-through authentication in Email Control Server maps to publishing Rights Management Services to

the Internet. In the Appendices, you can find a more complete list of these analogs. Consult your

Microsoft documentation, or contact Liquid Machines Professional Services if you need help with

configuring Microsoft RM, or mapping Email Control Server functionality to the RM platform.

5.1. To Enable Rights Management Integration…

Before you do this, if you have Gateway for SMTP/Exchange installed on any machines, you should also

install the Microsoft Rights Management Client on those machines.


1. In Liquid Machines Email Control Administrator, right-click on the Configuration node and

choose Properties.

2. On the Messages tab, click the Key Management System… button.

3. Select the radio button labeled Microsoft Rights Management Services.

4. In the field at the bottom, type in the SMTP address of an Active Directory mail-enabled security

group or distribution list that does or will contain all company employees’ user accounts as

members.

5. Click OK to exit both dialog boxes.

Liquid Machines is a Microsoft Independent Solutions Provider. Please call us if you need advice or

expertise in building a Microsoft Rights Management environment.


6. Managing Policies

6.1. Before You Start…

Once you start to expire and secure messages, there will be an impact on both your employees and your customers. People may be used to saving messages, so that they can reference them at a later date. But of

course now they will expire. They may be used to printing messages to put away in their files, but of

course now they might be print-blocked. Customers may have older browsers or email readers that require

a couple steps to read the message. They may need to download or install Attachment Reader. Or they

may just be surprised to see a new message format.

You can ease the impact and minimize the disruption if you follow these guidelines as you roll out your email policy.

6.1.1. Inform Users

Let your users and your customers know what’s coming and why. Distribute user guides. Provide

additional training if necessary. And allow them time to react, to offer their concerns and questions, and have them addressed. The more they are prepared, the fewer questions there will be about usability and

impact.

6.1.2. Start Slowly

Create policies that enable only some of the security features. Distribute them to a pilot group, so that you can work through any issues within a smaller scope. Make sure to allow users to opt out by enabling one

policy category that avoids expiration or confidentiality.

As you stabilize deployment, expand the policies to a larger group, until you cover the whole organization.

Then enable additional features with the pilot group, test, and roll out again.

Make sure that highly restrictive features come at the last stages of deployment. For example, requiring

copy- and print-blocking, or preventing users from opting out, should come later.


6.1.3. Keep It Simple

Try to create as few different policies as possible. Focus on your most fundamental needs and where you

can add the most value, and then construct a few blanket policies accordingly.

A simple policy architecture will be…

- Easier to implement. You will have fewer categories to create and fewer user groups against which you must apply and deny access.

- Easier to understand and troubleshoot. You will have fewer interactions between defaults and override settings. You'll have to know less about an individual user in order to understand what policies apply to them.

- Easier for your users. They will be able to rely on default settings, and will need to choose from fewer exception cases.

For example, you could create a blanket, corporate-wide policy that makes all email confidential to the

company, and expiring after 90 days. You can add some extra categories for Executive Management, like

“30 days” and “7 days” and “For Your Eyes Only.” You could have anything that comes out of the Human Resources department, that has a Social Security number in it, be recipient-confidential and expire after one

year. And finally, you could restrict copy-blocking and print-blocking on any email that goes out to your

retail sales offices. The parameters in this case are few and simple, but they cover a wide variety of

workflow and security issues.

6.1.4. Build Consensus

Make sure that your team agrees on what policies should be created and enforced. If you know what everyone’s requirements are, you can author a simple, stable set of policies right from the start. You won’t

need to change policies a lot, which means your users won’t experience new snags because a policy

changed. You’ll be able to anticipate conflicts that might occur in production. And you’ll be on the same

page when it comes to training users and handling their concerns.

Make sure Executive Management and Counsel have primary input about where to add the most value. They may have legal or regulatory concerns that take precedence. Get in touch with Human Resources about privacy issues and retention requirements. Work with middle managers regarding productivity and workflow. Involve your Change Management Office if you have one, and make sure IT and Helpdesk staff know what's coming.

6.1.5. Read This Whole Chapter

The variety of policies you can apply, combined with the constraints of Email Control Server’s application logic, can make things pretty complex. Read this whole chapter. You want to gain a thorough

understanding of the rules governing and the elements within policies.


6.2. What You Can Do

- You can have one or more policy categories that expire messages after an amount of time you define.

- You can have one or more policy categories that make messages confidential to the company, to the individual recipients of the message, or to specific groups of employees you define.

- You can make a certain expiration or confidentiality category be applied by default.

- You can allow users options other than the defaults, or allow them only the defaults.

- You can disallow any non-expiring or non-confidential email.

- You can have users choose a single menu item that applies a variety of Policy Settings.

- You can have policy categories apply automatically, based on message content. For example, you can mark any email with “TOP SECRET” in the subject line, or “private formula” in the body, confidential to the company.

- You can require attachments to be encrypted, or prevent them from being encrypted.

- You can require that messages be copy- and print-blocked, or prevent them from being so.

- You can lock, disable or hide parts of the user interface in Email Control Client. This way, users cannot change settings, or could be completely unaware of the product and its operation.

- You can automatically apply policies to email entering or leaving your organization, based on Policy Rules you create.

- You can prevent a message from being delivered at all, or prevent delivery only to certain recipients.

- You can send clear text or encrypted copies of a message to another mailbox, for archival or for audit and review.

- You can add text to the headers of a message.

- You can warn the sender if he takes certain actions, or is prohibited from taking them.

- You can log violations to a database.

- If you have installed Email Archive Gateway, you can decide whether protected emails are archived in an encrypted format, or as clear text.

- You can have expired messages automatically deleted from certain Personal Folder Files (PSTs) on workstation hard drives.

- You can control how long message data is kept within an archive system.

6.2.1. About Calendar Messages

Email Control Client and Gateway for BlackBerry do not process Calendar messages. If you send a

meeting request, no encryption will occur and no Policy Rules will trigger, regardless of anything else.

Gateway for Exchange/SMTP will process Calendar messages. So for example, a Rule that triggers on

messages sent from the “Brokers” groups that blocks all messages, will also block all meeting invitations

sent from “Brokers” members.

However, the Gateway will never encrypt Calendar messages, via Liquid Machines or Microsoft Rights

Management technology. So for example, the Gateway cannot set a meeting request to expire.


6.3. If You Are Upgrading…

As you probably know, when Policies and Rules overlap, there are rules about the precedence and interaction. The logic has changed some from Liquid Machines Email Control Server 5.1. You should

read the next two sections until you thoroughly understand the changes, and then verify, before you

upgrade, that your existing Policies will not be adversely affected. You may need to include offline time

spent re-authoring Policies as part of your upgrade strategy.

6.4. Elements of a Policy

Policies have several different parts or elements.

6.4.1. Who It Affects

6.4.1.i. The Global Policy

The global policy, named “Global” in the display, affects everyone in the company. Its settings apply to

everyone.

The global policy settings also apply to messages that pass through Gateway for Exchange/SMTP or come

from BlackBerry handheld users via Gateway for BlackBerry.

6.4.1.ii. Other Policies

When you create other policies besides the global one, you choose which users and groups they affect.

If you want messages that pass through the Gateway for Exchange/SMTP to be affected by policy settings,

you must apply the policy to the service account that runs the Gateway.

If you want messages that come from BlackBerry handheld users to be affected by policy settings, you

must apply the policy to the BESAdmin service account that runs the user’s BlackBerry Server.


6.4.2. Categories

6.4.2.i. Retention

Retention categories are those that cause messages to expire. You can choose expiration times ranging from 1 hour to 10 years. 1 year corresponds to 365 days and 1 month corresponds to 30 days. You can also

create categories that apply no retention.

If you do not create a category that applies no retention, all messages created will expire. The user will not

be able to choose to send a non-expiring message.

6.4.2.ii. Confidentiality

Confidentiality categories are those that prevent messages from being read by certain people. There are

three types.

- Original recipients in To, Cc, Bcc only (recipient-confidential): Messages in this category can be read only by the people who were originally sent the message.

- Users in company directory only (company-confidential): Messages in this category can be read by anyone who has a user account in a Windows domain that is trusted by the domain in which the Email Control Server resides.

- Users who are members of a group or distribution list (group-confidential): Messages in this category can be read only by people in the group or distribution list.

  - In an Active Directory environment, this can be a mail-enabled security group or distribution list.

  - In a Windows NT and Exchange 5.5 environment this can only be a distribution list.

  - People on the distribution list who are contacts (not mailbox users) must already be registered with the external Email Control Server.

If you send a new message (not a reply to or forward of an existing protected email) marked company- or group-confidential to some people outside the company or group, those specific people will be able to read the message. However, no one else outside the group or company will, even if they forward it on.

If you do not create a category that applies no confidentiality, all messages created will be confidential.

The user will not be able to choose to send a non-confidential message.

6.4.3. Defaults

Every policy must have one default retention and one default confidentiality category. These are the

settings applied if the user takes no action.

Defaults do not apply when Policy Rules are in effect. See below.

Policy Gateways have no concept of defaults. You must instead create a “rule of last resort” in the Policy

Rules, which are discussed below.


6.4.4. Email Control Client’s Interface

You can control what options are available in Email Control Client’s interface.

- You can enforce or prevent copy-blocking.

- You can enforce or prevent print-blocking.

- You can enforce or prevent automatic application of policies via Policy Rules.

- You can enforce or prevent attachment encryption.

- You can hide certain elements of the client interface, so that the user is unaware it is operating on the message.

- You can have users choose a single menu item, or “template,” that sets a variety of Policy items.

- You can have expired protected emails automatically deleted from certain PST files on workstation hard drives.

6.4.5. Clear Text Archiving

If you have Email Archive Gateway installed, you can specify that all messages generated by certain users

or groups of users are archived in clear text.

6.4.6. Policy Rules

You can create a list of Global Policy Rules. You can then configure Clients and Gateways to obey these

rules when applying various Policy Settings.

Each Policy Rule has one or more conditions that trigger it, and one or more actions that it takes. The

priority of a Rule is controlled by you; you can decide which one will trigger first.

6.4.6.i. Conditions

Conditions that can trigger a rule are…

- Membership of the sender or recipient in a mail-enabled security group or distribution list in Active Directory. Nested groups are supported.

- Occurrence of a text string or pattern in the header or body of the message.

- Presence of a certain particular message format, specifically…

  - clear text,

  - encrypted using Liquid Machines Email Control Server algorithms,

  - encrypted using Microsoft Rights Management algorithms,

  - a non-delivery report (NDR), or

  - an Outlook calendar message.

You can have multiple conditions apply to a rule. Conditions are joined using a logical AND.


6.4.6.ii. Actions

Once a rule is triggered by its conditions, it takes action on a message. Specifically, it can…

- Apply any Policy Category settings.

- Apply copy-blocking, print-blocking or attachment encryption.

- Block delivery of the message completely.

- Block delivery only to certain recipients.

- Copy the message, either encrypted or in clear text, to another mailbox.

- Add an item to the message headers.

- Log a violation to the audit log.

- Send or display an alert for the message sender.

- Stop processing more rules.

You can have multiple actions taken on a message. And you can have multiple rules apply these actions.

How actions “add up” is discussed in the next section.

Note that not all message types can accept all actions. For example, you cannot encrypt a Calendar

message.

6.4.6.iii. Not All Components Support All Actions and Conditions

Specifically, Email Control Client and Gateway for BlackBerry do not support all of them.

The conditions these two do not support are:

- From or to a member of an Active Directory group,
- Presence of a particular message format, and
- Occurrence of a certain value in an SMTP header other than the recipient lines or subject line.

The actions these two do not support are:

- Set an SMTP X-header, and
- Block delivery only to certain recipients.

They do support blocking delivery to anyone.


6.5. Precedence, Interaction, Collision

Policy categories are cumulative. That is, if you apply two different policies to a user, they will have access to all categories and client interface settings in both policies.

As you can imagine, this means there could be conflict between policies. Which one will specify the default? Which Policy Rules will trigger first? The paragraphs below explain the system.

The Global Policy always loses when it comes to categories and rules:

- The default retention or confidentiality category in the Global policy will be overridden by those in custom policies.
- If a category in a custom policy has the same name as one in the Global policy, the settings in the custom policy’s category will take precedence.
- Policy Rules in the Global policy are always processed after rules in custom policies.

You can’t know which custom policy will win when it comes to categories and rules. When multiple custom policies apply:

- You can’t know which default categories will win out.
- If two categories have the same name, you can’t know which category’s settings will win out.
- You can’t know which Policy Rules will be processed first.

When it comes to client interface settings, the rule is: any exception wins. That is, if any applicable policy specifies something other than the default, then the opposite of the default will take effect. The defaults are:

- Messages can be copied.
- Messages can be printed.
- Policy Rules do not apply.
- Settings are not applied to attachments by default.
- Users are notified if a Policy Rule applies a policy to a message.
- Users can select expiration options.
- Users can select confidentiality options.
- Users can access the Security Options dialog box.
- If a message is marked confidential, settings will be applied to attachments.

Also, with archive settings, any exception wins. So if you check this box in any policy that applies to a user, the checked box is what will be applied.

You can allow or deny access to sets of policy categories and rules. So, when creating a hierarchy of policies, you should allow access to a larger group, and then deny access to a smaller group, for a specific policy set. You can then allow access to another policy for that smaller group, and deny access to an even smaller subgroup. That way you can create an efficient administration of policy without causing conflicts.

6.5.1. Policy Rules

With Email Control Client, if Policy Rules are turned on and no rule applies, the user’s default options will be applied.


With Policy Gateways, policy defaults do not apply. Instead the Policy Rules must include a “rule of last resort.”

To make Gateway for BlackBerry apply Policy Rules, in the policies that you create for it, ensure that in the “Client” section, the “Automatically select policy settings” option is set.

Policy Rules do not automatically override policy settings chosen by the user. You must prevent user choice and/or enforce Policy Rules by manipulating the Policy Client interface.

Policy Rules do not fill in settings the user has not chosen for an original message. For example, a message sent with no confidentiality but an expiration time will not gain an expiration time through a Policy Rule.

What about protected emails which are not original: replies or forwards generated without an Email Control Server component that contain a protected email somewhere within them? These are “derived” messages, where a setting can be added when no setting exists.

Example: You send a recipient-confidential message to your friend at Hotmail. They reply back to you and include your original message. The reply goes through Gateway for SMTP. The Gateway turns the text of their reply into a protected email, and combines that with your original. It applies the recipient-confidential setting to this new message. Now, it tests the new message against its Policy Rules, and discovers that email from Hotmail is supposed to be marked company-confidential, and expire in 90 days. The Gateway adds the 90-day expiration, but does not override the recipient-confidential setting.

There is a nuance here, which is how Email Control Client and Gateway for BlackBerry view replies and forwards they create themselves. Are they original, or “derived?” That is to say, if John uses Email Control Client to send Betsy a protected email, and Betsy replies using Email Control Client, will Betsy’s Client consider her reply original or derived? The answer is “derived,” which means that her Client can add settings.

This nuance makes it seem like Email Control Client and Gateway for BlackBerry can always add settings, but Gateway for Exchange/SMTP can only add them sometimes.


6.5.1.i. Adding Up Actions from Several Rules

Since you can apply several actions to a given message within a given Rule, and since multiple Rules can apply actions to a single message, you have to consider how these actions “add up.” For example, it makes sense that if one rule blocks delivery to Finance and another to Accounting, then neither group will receive the message. But what do you do if you want an expiration of 30 days, and of one year? The chart below describes what happens for each type of action.

Action                                              Result when several rules apply
--------------------------------------------------  ------------------------------------------------------------
Confidentiality settings                            The first rule that applies such a setting wins. That setting sticks.
Expiration                                          The rule with the shortest expiration time wins.
Block delivery to anyone                            Any occurrence of this blocks delivery to everyone, regardless of what other rules might specify.
Copy-blocking                                       Any rule that sets this wins. An additional rule has no impact.
Print-blocking                                      Any rule that sets this wins. An additional rule has no impact.
Copy to a mailbox in clear text                     All mailboxes specified by the set of rules will get copies.
Copy to a mailbox decrypted                         All mailboxes specified by the set of rules will get copies.
Set X-header, a different header than other rules   The header is added to the list to be inserted.
Set X-header, the same header as some other rule    The first rule that sets the header wins.
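The chart is the part of the policy language most worth checking mechanically, because "first wins", "shortest wins", "any wins" and "all accumulate" each apply to a different action type. The following is an added example, not Liquid Machines code, that folds the actions of every triggered rule into one outcome following the chart row by row; the rules are given in processing order, and the rule contents, mailbox addresses and X-header names are constructed.

```python
"""Added example (not Liquid Machines code): folding the actions of every
triggered Policy Rule into one outcome, following the chart in section
6.5.1.i. Rule contents, mailbox addresses and header names are constructed."""


def combine_actions(rule_actions):
    """rule_actions: one dict per triggered rule, in the order the rules were
    processed. Recognised keys, all optional:
      confidentiality (str), expiration_days (int), block_delivery (bool),
      block_recipients (set of addresses), copy_block (bool), print_block (bool),
      copy_clear (set of mailboxes), copy_decrypted (set of mailboxes),
      x_headers (dict of header name -> value)."""
    result = {
        "confidentiality": None,
        "expiration_days": None,
        "block_delivery": False,
        "block_recipients": set(),
        "copy_block": False,
        "print_block": False,
        "copy_clear": set(),
        "copy_decrypted": set(),
        "x_headers": {},
    }
    for actions in rule_actions:
        # Confidentiality: the first rule to set it wins and the setting sticks.
        if result["confidentiality"] is None and actions.get("confidentiality"):
            result["confidentiality"] = actions["confidentiality"]

        # Expiration: the shortest time wins.
        days = actions.get("expiration_days")
        if days is not None and (result["expiration_days"] is None
                                 or days < result["expiration_days"]):
            result["expiration_days"] = days

        # Block delivery to anyone: any occurrence blocks everyone.
        if actions.get("block_delivery"):
            result["block_delivery"] = True

        # Block delivery to certain recipients: every named recipient is blocked
        # (the Finance plus Accounting case from the text).
        result["block_recipients"] |= set(actions.get("block_recipients", ()))

        # Copy-blocking and print-blocking: any rule that sets them wins.
        result["copy_block"] = result["copy_block"] or bool(actions.get("copy_block"))
        result["print_block"] = result["print_block"] or bool(actions.get("print_block"))

        # Copies: every mailbox named by any rule receives one.
        result["copy_clear"] |= set(actions.get("copy_clear", ()))
        result["copy_decrypted"] |= set(actions.get("copy_decrypted", ()))

        # X-headers: a new header name is added to the list; for a name that an
        # earlier rule already set, the earlier rule's value stands.
        for name, value in actions.get("x_headers", {}).items():
            result["x_headers"].setdefault(name, value)
    return result


# Constructed rules in processing order: a 1-year rule, then a 30-day rule,
# then a rule that only blocks Accounting.
SAMPLE_RULES = [
    {"confidentiality": "recipient-confidential", "expiration_days": 365,
     "x_headers": {"X-Example-Rule": "keep-1-year"},
     "copy_clear": {"records@example.com"}},
    {"confidentiality": "company-confidential", "expiration_days": 30,
     "print_block": True,
     "x_headers": {"X-Example-Rule": "expire-30-days", "X-Example-Expires": "30"},
     "copy_clear": {"legal@example.com"},
     "block_recipients": {"finance@example.com"}},
    {"block_recipients": {"accounting@example.com"}},
]

if __name__ == "__main__":
    for key, value in combine_actions(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

Run on the sample rules, the outcome is recipient-confidential (first rule), 30 days (shortest), print-blocked, both Finance and Accounting blocked, both mailboxes copied, and the `X-Example-Rule` header keeping the first rule's value while the second rule's new `X-Example-Expires` header is still added.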


6.5.2. Policy Gateways

Policy Gateways use only the Global policy and any custom policies applied to their respective service accounts. They use them exclusively. Gateways do not enforce policies that apply to users or groups of users. Gateways can, however, apply a “policy rule of last resort,” apply policies based on the presence of certain email addresses in the message headers, or apply policies based on the membership of senders or recipients in an Active Directory group.

After you create or change policies for a Gateway, you must wait 90 minutes, restart the Gateway, or click the Update Gateway Policies Now button on the configuration tool, in order for the changes to take effect.

To make sure Gateway for BlackBerry applies Policy Rules, in the policies that you create for it, make sure that in the “Client” section, the “Automatically select policy settings” option is set.

6.5.3. Gateway for Exchange

In order to support message blocking features in Policy Rules, for example for ethical walls applications, you must install Gateway for Exchange on all Exchange servers in your Organization. Installing on only some servers may result in messages not being properly blocked.

Gateway for Exchange does not consistently support the “full blocking” feature in environments where certain Exchange servers have been designated as “expansion” servers. Liquid Machines does not recommend you use expansion servers if you are deploying Gateway for Exchange for an ethical walls application.

6.5.4. Gateway for SMTP

When Gateway for SMTP is not installed on an Exchange server, it has a certain limitation when expanding groups. Specifically, it cannot expand a group named in the recipient list, to see if some user is a member. This means that, if you create Policy Rules for it that use membership of the sender or recipient in an Active Directory group, the Rules may not cover as many emails as you expected.

For example, someone outside your company sends a message to, say, [email protected]. And Bob is a member of this group. Bob is also a member of the [email protected] group, and you have set up a Rule on Gateway for SMTP that is supposed to block all inbound mail destined for members of [email protected]. The Gateway cannot expand [email protected] to find out if Bob is in it, and so cannot enforce the Rule.

The Gateway can expand groups in a Rule, to see if some recipient is named there. So in the example, if Bob were named directly as one of the recipients, the Gateway would enforce the Rule.

6.5.5. Email Archive Gateway

Email Archive Gateway will decrypt a message with the clear text option set, even if that message is embedded in a regular, non-protected reply email.

6.5.6. Policy Locking

You may have noticed from the descriptions above that, if a protected email contains a certain setting, any Email Control Server component will respect that setting while reprocessing the message. For example, if you reply to a protected email with Email Control Client, Email Control Client locks your reply to the settings on the original message.

There are a couple exceptions to this:

- Archiving: The archive setting is not preserved when a protected email is processed. So if Bob sends a message to Alice that is to be archived in the clear, and Alice’s Policy settings forbid clear text archiving, Alice’s reply to Bob will be archived encrypted.
- Encrypting Attachments: The attachment encrypting setting is not preserved. So if Bob sends Alice a message with encrypted attachments, and Alice replies and adds a new attachment, the new attachment will not be encrypted unless Alice’s Policy mandates it.
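Sections 6.5.1 and 6.5.6 together describe three different treatments of a setting when a message is reprocessed: locked (respected if present, addable by a rule only on a derived message), untouched (an original message keeps what the user chose, and rules fill in nothing), and not preserved (archiving and attachment encryption follow the replier's own policy). The following is an added example, not Liquid Machines code, that models those three treatments and replays the Hotmail scenario and the Bob/Alice exceptions; category names and the scenario values are constructed.

```python
"""Added example (not Liquid Machines code): how the settings on an embedded
protected email are treated when a derived message (a reply or forward that
contains it) is re-processed, per sections 6.5.1 and 6.5.6. Category names
and the scenario are constructed after the Hotmail and Bob/Alice examples."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Settings:
    confidentiality: Optional[str] = None   # e.g. "recipient-confidential"
    expiration_days: Optional[int] = None
    archive_clear_text: bool = False        # archive setting
    encrypt_attachments: bool = False       # attachment-encryption setting


def apply_rules_to_original(user_choices: Settings, rule_wants: Settings) -> Settings:
    """Original message: Policy Rules neither override what the user chose nor
    fill in settings the user left unset (section 6.5.1), so the rule's wishes
    play no part and the user's choices come back unchanged."""
    return Settings(**vars(user_choices))


def reprocess_derived(original: Settings, rule_wants: Settings,
                      replier_policy: Settings) -> Settings:
    """Derived message: settings present on the embedded protected email are
    locked and respected; a rule may add a setting only where none exists.
    Archive and attachment-encryption are the two exceptions: they are not
    preserved and follow the replying user's own policy (section 6.5.6)."""
    return Settings(
        confidentiality=original.confidentiality or rule_wants.confidentiality,
        expiration_days=(original.expiration_days
                         if original.expiration_days is not None
                         else rule_wants.expiration_days),
        archive_clear_text=replier_policy.archive_clear_text,
        encrypt_attachments=replier_policy.encrypt_attachments,
    )


# Scenario from the text: a recipient-confidential message goes to Hotmail; the
# reply comes back through Gateway for SMTP, whose rule says mail from Hotmail is
# company-confidential and expires in 90 days. The original was also set to be
# archived in the clear with encrypted attachments (Bob's settings), while the
# replier's policy (Alice's) mandates neither.
ORIGINAL = Settings(confidentiality="recipient-confidential",
                    archive_clear_text=True, encrypt_attachments=True)
HOTMAIL_RULE = Settings(confidentiality="company-confidential", expiration_days=90)
ALICE_POLICY = Settings(archive_clear_text=False, encrypt_attachments=False)

if __name__ == "__main__":
    print(reprocess_derived(ORIGINAL, HOTMAIL_RULE, ALICE_POLICY))
```

The derived result keeps recipient-confidential, gains the 90-day expiration, and loses both the clear-text archive and attachment-encryption settings, which is exactly the outcome the two worked examples in the text describe.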

6.6. Checking Your Logic

In a way, the different elements you can add to a policy, and the rules about precedence and so on, create a kind of programming language. It’s easy to understand, because there are few variables and few rules. It’s easy to “write code” because you check boxes and choose menu items from a graphical interface. But as you put more and more elements together, the rules about how they interact can have some unintended consequences. You can end up having to “debug your program” by tracing back through the policy elements and the rules step by step.

As you are developing your policies, before you apply them, check your logic. Create a graph or flow chart of your policies, and apply it to representative users to verify the outcome. The flowchart below shows a simple example. The yellow outcomes may not be what was intended. The red outcome is bad.


6.7. Editing Policies

6.7.1. To Begin…

1. Start the administrative console on the Email Control Server.

2. Select the Policies node. Existing policies show in the right frame of the window.


6.7.2. To Create a New Policy…

1. Right-click on the Policies node.

2. From the pop-up menu, choose the New submenu, and then the Policy item.

3. A dialog box appears asking you to name the policy.

4. Then the new policy shows in the right frame of the window.


6.7.3. To Rename a Policy…

1. Right-click on the policy and choose Rename from the pop-up menu.

2. The name becomes highlighted in a text box.

3. Type in the new policy name.

4. Select the policy again to save the change.

6.7.4. To Delete a Policy…

Right-click on the policy and choose Delete from the pop-up menu.


6.7.5. To Add a Retention Category…

1. Right-click on the policy and choose Properties.

2. Select the Retention tab.

3. Click the Add button.

4. Type in a name for the policy, for example “For the Record – 90 Days”. It can be very helpful to include the expiration time as part of the name.

5. Choose a unit of time, for example, “months”, from the pull-down menu on the right.


6. Type in the number of units in the field on the left.

7. Click OK to save the category.

8. Click OK to save the policy settings.

6.7.6. To Edit a Retention Category…

You can select the category and then click the Properties button.


6.7.7. To Add a Security Category…

1. Right-click on the policy and choose Properties from the pop-up menu.

2. Select the Confidentiality tab.

3. Click the Add button.

4. Type in a name for the policy.


5. Choose a type of confidentiality by clicking a radio button.

6. Click OK to save the category.

7. Click OK to save the policy settings.


6.7.7.ii. Configuring a Group-Confidential Category

If you selected the group-confidential option, you need to configure the group.

Click the Group… button.


6.7.7.ii.i. If you use Exchange 2000 or higher…

1. Select the top radio button and click the Browse button. You get the standard user/group selector for your platform.

2. Select the distribution list you want. Click OK.

3. Click OK in all dialog boxes to save the changes.


6.7.7.ii.ii. If you use Exchange 5.5…

1. Select the bottom radio button.

2. Type the fully qualified domain of an Exchange 5.5 server.

3. Type in the SMTP address of the distribution list you want.

4. Click OK in all dialog boxes to save the changes.

6.7.8. To Edit a Confidentiality Category…

You can select the category and then click the Edit button.


6.7.9. To Set a Default Category…

The retention and confidentiality categories each have a default.

1. Right-click on the policy and choose Properties from the pop-up menu.

2. Select either the Retention or Confidentiality tab, depending on where you want to change the default.

3. The current default is listed in bold type.

4. To change to another category, click that category, then click the Set Default Button.

5. Click OK to save the changes.


6.7.10. To Copy a Category to Another Policy

While you are creating or editing any expiration or confidentiality category, you can copy in the settings from any other category in any other policy you have created.

1. In the Properties dialog for the category, click the Copy… button.

2. Select the category you want to copy settings from, and click OK.

6.7.11. To Create Policy Templates for Email Control Client…

Policy Templates allow the Email Control Client user to select a single menu item that sets a variety of Policy controls. Rather than being presented with an Allow forwarding and Expiration pull-down menu in their compose window, they are afforded a single Apply policies menu.


1. Right-click on the Policy and choose Properties.

2. Select the Templates tab.

3. Click the Add… button.

4. Type a Name for the template. This is the label that users will see in the pull-down menu.

5. Choose Retention and Confidentiality categories that you have created on the Retention and Confidentiality tabs. The categories you choose will be applied when the user activates the template.

6. Check the appropriate box if you also want the template to Block Copying, Block Printing, or Apply Settings to Attachments.

7. Click OK when you are done.

You must also enable templates, as discussed in the Client Interface section below, in order for your changes to affect the users.


6.7.12. To Edit, Delete or Set the Default Policy Template…

1. Right-click on the Policy and choose Properties.

2. Select the Templates tab.

3. Click the Edit…, Set Default or Delete button as appropriate.

6.7.13. To Control Email Control Client’s Interface…

1. Right-click on the policy and choose Properties.

2. Select the Client tab.

3. Enable or disable options as appropriate, by checking or unchecking boxes.

6.7.13.i. Use Templates

If you select Use Templates, then only the Apply Controls pull-down menu appears on the Email Control Client. The Security Options dialog is not available; instead the options available in it are defined by the templates. Also, automatic processing of Policy Rules is not available.

6.7.13.ii. Use Individual Settings.

If you select Use individual settings, the Email Control Client shows an Expiration and Allow forwarding pull-down, as well as the Security Options dialog. Automatic processing of Policy Rules becomes an option. And you can control the Client’s default settings by checking boxes in the two sections discussed here:


6.7.13.ii.i. “Options” Section

Show ‘Expiration’ drop-down menu on toolbar: If you disable this, users will not see the Expiration menu, and will not be able to choose from retention categories you give them. The default category will be applied, unless automatic policy selection changes it.

Show ‘Allow Forwarding’ drop-down menu on toolbar: If you disable this, users will not see the Allow Forwarding menu, and will not be able to choose from confidentiality categories you give them. The default category will be applied, unless automatic policy selection changes it.

Show ‘Security Options’ button on toolbar: If you disable this, users will not be able to access the Security Options dialog box, and will not be able to make choices about copy- or print-blocking, attachment encryption, or whether automatic policy selection is turned on. Defaults will apply unless automatic policy selection changes them.

Selecting confidentiality option automatically encrypts attachments: With this enabled, if a confidentiality category is in force, then attachments will be encrypted, even if the default is not to encrypt attachments.

6.7.13.ii.ii. Defaults Section

These defaults can be overridden by the user, only if the Security Options dialog box is visible to them.

Automatically select policy settings: This means that, by default, any policy rules associated with the policy will decide policy settings for messages.

Tell me when policies are applied to messages I send: If automatic policy selection is in force, the user will receive notification when the policy rules do apply policy settings to a message.

Messages cannot be printed: Enabling this means messages are print-blocked by default, as long as some retention and/or confidentiality setting is also applied.

Messages cannot be copied: Enabling this means messages are copy-blocked by default, as long as some retention and/or confidentiality setting is also applied.

Apply settings to attachments: Enabling this means that by default, attachments will carry the same policy settings as the message to which they are attached.

6.7.13.iii. Automatically Delete Expired Policy Messages

If you check this box, then, when Outlook is running, Email Control Client will automatically process certain kinds of Outlook Personal Folder Files (PSTs) on the local workstation. It will permanently delete from the folders any protected emails whose expiration has passed. Protected emails for this purpose include clear text replies that contain an embedded protected email, and protected emails that were generated by foreign Email Control Servers. The specific kinds of PSTs are…

- Any PST mounted directly in the user’s Outlook profile.
- Any PST specified in the user’s Outlook auto-archive settings.

If you want to delete expired protected emails from Exchange folders, use the server-side Message Clean-up Tool mentioned in section 3.6.


6.7.14. To Choose Who the Policy Applies to…

1. Right-click on the policy and choose Properties from the pop-up menu.

2. Select the Users tab.

3. Click the Add… button in the first section.

4. Scroll through the list, double-clicking whatever group or users you want. When you are finished, click OK.


5. If you want to exclude certain subgroups or users from being affected by this policy, click the Add… button in the second section, and follow the same procedure as in step 4.

6. In either section, if you want to remove certain users or groups from the list, select them and click the Remove button.

You can also clear the list in each section by clicking the Remove All button.


6.7.15. To Set the Archiving Policy…

On the Storage tab, check the box to allow clear text archiving, or leave it unchecked so that archive copies remain encrypted.

You must have Email Archive Gateway installed for this setting to have any effect.


6.8. Policy Rules

If you will use one or more of the Policy Gateways, or you will configure Email Control Client to automatically select Policy settings, you create Policy Rules. Each rule has one or more conditions – “Is from Bob,” or “Covers TOP SECRET materials” – and one or more actions – “Make company-confidential,” or “Expire in 30 days.” If all the conditions are true for any given message, the actions are applied.

You can have several Policy Rules. Rules are applied in the order you specify. You can configure any rule to “stop rule processing” or to let processing of other rules in the list continue. If no condition in any rule is true, no action is applied to the message.


6.8.1. To create Policy Rules…

1. Right-click on the policy category and choose Properties.

2. From the Properties dialog box, select the Rules tab.

3. Click the Manage… button.


6.8.2. To add a Policy Rule…

1. Click the New… button.

Notice that you can create different kinds of rules. Truthfully, all rules are based on a blank template. The other rule types on this page are rules with some of the blanks already filled in. Select Create a new rule from a blank rule, and click Next.


2. From the next screen, check the box next to one or more conditions you want to apply.

Conditions are based on the occurrence of certain words, phrases, or patterns (regular expressions, which you can read about below) in the message body or in specific message SMTP header fields; on whether the message came from or will be delivered to a member of an Active Directory security or distribution group; or on what kind of message it is, such as encrypted or not encrypted.

3. For each blue-colored hyperlink in the Rule description, click on it to choose words, phrases, patterns, SMTP header values, Active Directory groups, or message types.


4. Click Next. On this screen, check the box next to one or more actions you want the rule to take. Actions include setting confidentiality and expiration policies, archiving the message, blocking the message, setting SMTP headers, alerting users or administrators, and halting rule processing.

5. For each blue-colored hyperlink in the Rule description, click on it to enter more information about the action you want to take, for example what group to block.


6. Click Next. On this last screen, enter a descriptive name for the Rule.

Notice that in some cases, you may author a rule that not all Email Control Server components can process. If you do so, you’ll receive a warning at this screen.

Also, the name of the Rule may be visible to your end users in some cases, such as for alerts or blocked messages. Make sure you name Rules with this exposure in mind.

7. Click Finish to save the rule.


6.8.3. To Edit, Rename or Delete a Policy Rule…

1. From the Policy Selection Rules screen, select the rule you want to take action against.

2. Click the Edit, Rename or Delete button as appropriate.

If you choose to edit a policy, you can navigate through the screens in the same way you would to add a policy.

If you choose to rename a policy, type the new name in the dialog box that comes up, and click OK.


6.8.4. Conditions in Rules

Remember that Email Control Client and Gateway for BlackBerry do not support all conditions.

The conditions these two do not support are:

- From or to a member of an Active Directory group,
- Presence of a particular message format, and
- Occurrence of a certain value in an SMTP header other than the recipient lines or subject line.

6.8.4.i. To choose words or phrases…

1. Type the word or phrase in the Add new: field and click the Add button.

The search is not sensitive to capitalization. The condition will be true if any one of the words or phrases is found.

2. Click OK when you are done.


6.8.4.ii. To choose SMTP header values…

Only Gateway for SMTP and for Exchange can search for SMTP headers. Email Control Client and Gateway for BlackBerry will ignore this condition.

1. Type the name of the SMTP header in the Header name: field. Type a value for the header in the Add new: field and click Add.

The condition will be true if the header’s value matches any value in the list.

2. Click OK when you are done.

You can read more about SMTP headers below.


6.8.4.iii. To choose Active Directory groups…

Only Gateway for SMTP and for Exchange can process Active Directory groups. Email Control Client and Gateway for BlackBerry will ignore this condition.

1. Double-click the group from the selection window.

Note that, when Email Control Server decides what groups a user belongs to, the “primary group” is ignored. By default, “Domain Users” is any user’s primary group, so you shouldn’t use this one to make Policy Rules. You might want to check with your Active Directory administrator to see if this default has been changed.

Nested groups are supported.

Page 90: Administrator’s Guide - Check Point Software...includes software written by Tim Hudson (

Liquid Machines Email Control Server

Enterprise Edition 80 Administrator’s Guide

6.8.4.iv. To choose message types…

1. Select one or more options from the dialog box.

Email message: Plain email, not encrypted or anything.

Policy Mail message: encrypted using Liquid Machines Email Control Server algorithms.

Rights Protected message: encrypted using Microsoft Rights Management algorithms.

Non-delivery report: A message sent by a Policy Gateway, or possibly some other

Exchange or other email server, telling the sender that the email they sent was not delivered.

It has a standardized format that you can read about in Internet RFC’s.

Calendar message: A calendar message from Outlook. These are sent when people

schedule meetings with others, accept or decline meeting invitations, and so on.

If you select multiple boxes, the message type conditions are joined with a logical OR. So a whole Policy

Rule condition would look like…

Subject=”Hello!” AND ( Message-type=”Email message” OR Message-

type=”Calendar Message” ) AND Recipient=”Joe”

Note that not all message types can be affected by all Policy Actions. Refer to section 6.8.5 below for more

information.

6.8.4.v. To choose patterns…

1. From the dialog box, choose a pattern from the list and click OK.

You can read more about patterns in the sections below.

6.8.5. Actions in Rules

Remember that Email Control Client and Gateway for BlackBerry cannot perform the “Add SMTP header” action.

You should know that, when choosing actions in Rules, not all actions can affect all message types. For example, you cannot encrypt a Calendar message. The rules of thumb with this are:

- You cannot encrypt Calendar messages.
- You cannot change the Policy on any original protected email. So if Email Control Client sends a message through Gateway for Exchange, the Gateway will not change the Policy or add settings to it.
- You can add settings to a derived protected email.
- You cannot decrypt an existing protected email in order to place a clear text copy of it in the archive.

Also, remember from the beginning of the section on Precedence, Collision and Interaction that Email Control Client and Gateway for BlackBerry may have a different idea about what constitutes an original message, and what is a “derived” one.

6.8.5.i. Allow forwarding: Confidentiality Option

Select an option from the list of confidentiality categories associated with this Policy. Then click OK. The message will be marked confidential in this way.

6.8.5.ii. Set retention to: Retention Option

Select an option from the list of retention categories associated with this Policy. Then click OK. The message will be set to expire in this way.

6.8.5.iii. Apply Setting to Attachments

No further parameters are needed for this action. All actions applied to the message will also be applied to attachments.

6.8.5.iv. Block recipient copying

No further parameters are needed for this action. The setting is applied to the message.

6.8.5.v. Block recipient printing

No further parameters are needed for this action. The setting is applied to the message.

6.8.5.vi. Do not deliver the message to anyone

No further parameters are needed for this action. No one will receive the message, and the sender will receive a non-delivery report.

6.8.5.vii. Do not deliver the message to group members

No further parameters are needed for this action.

This action makes sense when one of the Rule conditions is that recipients are members of a certain Active Directory group. Anyone on the recipient list who is a member of that group will not receive the message, and any recipient not a member of that group will receive it. The sender will receive a non-delivery report explaining who did and did not get the message.

6.8.5.viii. Alert user with: Warning Message

Type your warning message in the box, and click OK. Email Control Client users will receive an error dialog. Gateway components will deliver an email notice to the sender.

6.8.5.ix. Report when this rule is applied

An entry will be logged to the Report Service, discussed in section 6.7.

6.8.5.x. Add X-Header SMTP header

Type in the name for the header, and the value it will take, and click OK.

For example, you could put in X-Subject-Flag and Test Email, or Acme-Hazard-Level and Low Risk.

Use only letters, numbers, spaces and dashes when creating SMTP header names or values.

You can read more about SMTP headers below.

Also, you can use this action to control how Email Archive Gateway sets retention policies in the archive. Read more about the Gateway in the chapter on Components.

6.8.5.xi. BCC a copy of this message to: Mailbox

Type in the SMTP address of the mailbox and click OK. The mailbox could be anywhere, in or outside your organization.

6.8.5.xii. BCC to without encrypting: Mailbox

Type in the SMTP address of the mailbox and click OK. The mailbox could be anywhere, in or outside your organization.

How this works is that, if the Rule performing this action was also going to encrypt the message, it will make sure the copy that goes to the archive is not encrypted. This action will not decrypt an existing protected email, such as one generated from Email Control Client.

6.8.5.xiii. Stop processing more rules

No further parameters are necessary. This action stops rule processing and initiates message delivery. If this action is not present, then the message gets passed on to the next rule for more processing, even if this rule took some action on it already.
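As an added illustration (not Liquid Machines code), the following Python models how the conditions and actions described in sections 6.8.4 and 6.8.5 combine: conditions within a rule are ANDed, values within one condition are ORed, word matching ignores capitalization, group membership follows nested groups but ignores the primary group, and rules run in order until one carries the stop action. The rule names, message fields and the group table are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed nested Active Directory group table: group -> direct members
# (user names or other group names). "Domain Users" is the default primary group.
GROUPS: Dict[str, Set[str]] = {
    "Finance": {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob"},
    "Domain Users": {"alice", "bob", "carol"},
}
PRIMARY_GROUP = "Domain Users"


def member_of(user: str, group: str,
              groups: Dict[str, Set[str]] = GROUPS,
              primary: str = PRIMARY_GROUP) -> bool:
    """Nested membership check. The primary group is ignored, as the guide
    says Email Control Server does when deciding group membership, so a
    condition on "Domain Users" never fires."""
    if group == primary:
        return False
    seen: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        members = groups.get(g, set())
        if user in members:
            return True
        # descend into member groups (nested groups are supported)
        stack.extend(m for m in members if m in groups)
    return False


@dataclass
class Rule:
    name: str
    words: List[str] = field(default_factory=list)          # any word matches, case-insensitive
    message_types: List[str] = field(default_factory=list)  # joined with OR
    recipient_group: Optional[str] = None                   # any recipient in the group
    actions: List[str] = field(default_factory=list)        # "stop" ends processing


def rule_matches(rule: Rule, msg: dict) -> bool:
    """Every configured condition must hold (AND); within one condition
    any listed value is enough (OR). Unset conditions are not evaluated."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    if rule.words and not any(w.lower() in text for w in rule.words):
        return False
    if rule.message_types and msg["type"] not in rule.message_types:
        return False
    if rule.recipient_group and not any(
            member_of(r, rule.recipient_group) for r in msg["recipients"]):
        return False
    return True


def apply_rules(rules: List[Rule], msg: dict) -> List[str]:
    """Rules run in order. A matching rule's actions are recorded, and the
    message is passed on to the next rule unless the rule says "stop"."""
    applied: List[str] = []
    for rule in rules:
        if not rule_matches(rule, msg):
            continue
        for action in rule.actions:
            if action == "stop":
                return applied
            applied.append(f"{rule.name}:{action}")
    return applied


# Constructed sample policy: three rules, evaluated top to bottom.
RULES = [
    Rule("calendar", message_types=["Calendar message"],
         actions=["report", "stop"]),            # calendar mail cannot be encrypted
    Rule("finance", words=["quarterly numbers"], recipient_group="Finance",
         actions=["allow-forwarding:Company Only", "stop"]),
    Rule("archive", actions=["bcc:archive@example.invalid"]),  # catches everything else
]


def sample_message(subject: str, mtype: str, recipients: List[str]) -> dict:
    """Constructed message record with only the fields the rules look at."""
    return {"subject": subject, "body": "", "type": mtype, "recipients": recipients}


if __name__ == "__main__":
    print(apply_rules(RULES, sample_message("Re: Quarterly NUMBERS", "Email message", ["bob"])))
    print(apply_rules(RULES, sample_message("Lunch", "Calendar message", ["carol"])))
    print(apply_rules(RULES, sample_message("Hello", "Email message", ["carol"])))
```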

6.9. Using Patterns in Rules

As you saw in the previous section, you can have Policy Rules trigger on the existence, not just of words or phrases, but of more general patterns. For example, you could trigger a rule if a message contained any Social Security Number, or any credit card number.

6.9.1. To Create Patterns…

1. Create a new policy rule from a blank rule. In the Policy Rules Wizard, when you reach the screen where you can select conditions, check the box labeled with specific pattern in the Subject. Then click on the specific pattern hyperlink.

2. In the Select Pattern dialog box, click the New button.

3. In the Create New Pattern dialog box, type in a name for the pattern, and a description.

4. Now you can click the Add Fragment… button to add, one element at a time, a regular expression which would match a Social Security Number. (You can read more about regular expressions below.)

5. A Social Security Number starts with 3 decimal digits. So on the left, you choose the One of these: radio button, and then the Numbers [0-9] checkbox. On the right you choose the Exactly radio button, and set times equal to 3.

6. Click the Add button. You return to the Create New Pattern screen, and you see the regular expression syntax that the wizard added to the pattern.

7. Now let’s add a dash (-). Click Add Fragment…, then choose the Exact phrase: radio button, and type in the dash (-).

8. Then click Add. The dash gets added to the pattern.

9. Go ahead and add more fragments, for certain numbers of decimal digits or dashes, until you have what you think matches a Social Security Number.

10. When you are done, you can test to see if your pattern really works. Click the Test… button.

11. Type in a Social Security number. When you have typed in a valid number, the text of the number turns green, and the message at the bottom of the dialog box says Pattern found in sample!

12. Click Done to stop testing. Then click OK to save the pattern.

13. And now you can actually click Cancel to exit all dialog boxes. The pattern is already saved. You needn’t save the Policy Rule or the Policy. You can go back at any time and use the pattern in any Policy Rule.

6.9.2. To Edit Patterns…

You will notice that several patterns have already been created and saved for you. You can edit these patterns, or any other ones you create. In particular, you will want to edit the Internal Email Address and the External Email Address patterns, to reflect the SMTP domain of your company.

1. From the Select Pattern screen, select the pattern and click the Edit button.

2. From the Edit Pattern screen, you can change the name and description. You can also click directly in the Pattern ( as a regular expression ): field. Position the cursor, then type, delete, or paste text. For example, highlight yournamehere and type in replacement text that corresponds to your company’s SMTP domain name.

You can also use the Add Fragment… button to launch the Pattern Wizard, which can help you create the regular expression.

3. Click OK when you are done.

If you edit the Internal Email Address pattern, you only need to put your root domain name in. It will match any subdomain. For example, typing in LiquidMachines will match eng.LiquidMachines.com, tech.LiquidMachines.com, etc.

Make sure that, if your root domain has dots (.) in it, you put a backslash (\) in front of them. For example, mystore\.isp.

You can follow a similar procedure for the External Email Address pattern. However, in this pattern, do not type in any top level domain, like “.com” or “.net”. The end part of the pattern handles this for you.
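The following added Python example (not the product's Pattern Wizard or its shipped patterns) builds the Social Security Number expression fragment by fragment as in 6.9.1, shows why a pattern without boundaries also fires inside a longer digit run, and builds an Internal Email Address pattern from a root domain with its dots escaped as 6.9.2 requires. The local-part and top-level-domain classes in `internal_address_pattern` are assumptions, since the guide does not print the shipped pattern.

```python
import re
from typing import Optional


def fragment(kind: str, value: str = "", exactly: Optional[int] = None) -> str:
    """One 'Add Fragment...' step. kind is "digits" (One of these: Numbers
    [0-9]) or "exact" (Exact phrase:). exactly is the Exactly ... times count."""
    if kind == "digits":
        atom = "[0-9]"
    elif kind == "exact":
        atom = re.escape(value)   # a literal dash or dot, never a metacharacter
    else:
        raise ValueError(f"unknown fragment kind {kind!r}")
    return atom if exactly is None else f"{atom}{{{exactly}}}"


def ssn_pattern() -> str:
    """Steps 5 to 9 above: 3 digits, dash, 2 digits, dash, 4 digits."""
    return "".join([
        fragment("digits", exactly=3), fragment("exact", "-"),
        fragment("digits", exactly=2), fragment("exact", "-"),
        fragment("digits", exactly=4),
    ])


def whole_token(pattern: str) -> str:
    """The wizard's fragments carry no boundaries, so "123-45-67890" also
    contains a match. Wrapping the pattern in \\b limits hits to a whole token."""
    return rf"\b{pattern}\b"


def internal_address_pattern(root_domain: str) -> str:
    """Assumed shape for the Internal Email Address pattern: any number of
    subdomains, then the administrator's root domain, then a top-level domain.
    The guide asks you to type the backslash before each dot yourself; this
    helper inserts it for you."""
    escaped = root_domain.replace(".", r"\.")
    return r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)*" + escaped + r"\.[A-Za-z]{2,}"


def pattern_found(pattern: str, sample: str) -> bool:
    """The Test... dialog's "Pattern found in sample!" check."""
    return re.search(pattern, sample) is not None


if __name__ == "__main__":
    print(ssn_pattern())
    print(pattern_found(ssn_pattern(), "SSN 123-45-6789 enclosed"))
    print(internal_address_pattern("LiquidMachines"))
```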

6.9.3. To Delete, Rename or Copy Patterns…

1. From the Select Pattern dialog box, select the pattern and click Delete, Rename or Copy as appropriate.

2. If you click Rename, type the new name in the dialog box that comes up, and click OK.

3. If you click Copy, a new pattern appears in the Select Patterns dialog box, with the words “Copy of” added to the name of the original pattern. You can edit the copy to suit your needs.

6.9.4. More About Regular Expressions

Regular expressions are a kind of programming language for matching patterns. You can match something as simple as a credit card number, or as complex as a list of chemical formulas. You can use these patterns to trigger Policy Rules.

If you know how to use regular expressions already, you can type them directly into the Pattern: field in the Create Pattern or Edit Pattern dialog box. For the syntax of regular expressions used by Liquid Machines products, click the hyperlink at the bottom of the Create Pattern or Edit Pattern dialog box. You will see a web page that explains the syntax. The syntax is also explained in an appendix in this manual.

If you are not familiar with regular expressions, there are various training materials available. A web search for the words “regular expression tutorial” will yield several online resources. O’Reilly & Associates, Inc. publish several titles covering the subject, including Mastering Regular Expressions and Regular Expression Pocket Reference. All these materials will help you gain better understanding and skill with regular expressions.

Remember that, although training materials can help you understand and manipulate regular expressions, they may not teach you the exact syntax of the implementation Email Control Server uses. For that you must refer to the link at the bottom of the Create Pattern or Edit Pattern dialog box, or to the appendix in this manual.

6.10. More About SMTP Headers

All email messages contain a text body. That’s the part the sender composes, and the recipient reads. All email messages also contain headers: information the sender and recipient do not see, but that controls the behavior of the message, or gives details about how it was created and how it traveled. You can use that information to trigger Policy Rules.

Below is an email message displayed in Outlook. You can see the body, which contains a hyperlink. You can also see information from some of the SMTP headers displayed at the top, in a user-friendly format. For example, you can see that the sender is John Berkeley and the message was sent on March 24, 2003.

In Outlook, if you right-click in the list of messages, on a message you received from outside your company, and choose Options from the pop-up menu, you can see the SMTP headers. For example, in this message, you can see that the “Sensitivity” header has been set to “Company-Confidential.” There is a header showing the expiration date of the message, one showing it passed through Gateway for Exchange/SMTP, and one showing which machine it originated from.

If you scroll through the headers, you can find out when the message was sent, whether it contains HTML or attachments, and maybe even what mail reader was used to compose the message.

6.11. Configuring the “Apply Controls” Menu on BlackBerry Handhelds

Client for BlackBerry provides a friendly interface for creating protected emails. You can read the user guide for Policy Client for BlackBerry, to see it in action.

You have to take special measures to configure the policy category menu on the handheld. Settings from the Email Control Server administrative console do not go out to handhelds automatically.

The policy menu you configure for handhelds must contain a subset of policy categories, specifically the ones contained in the policies that apply to the BESAdmin account on the user’s BlackBerry server. Gateway for BlackBerry will not apply a user-selected policy that does not match one of these categories.

If you want to take control over choosing policies away from users, make sure the policy that applies to the BESAdmin has only a default and no other categories, and/or applies Policy Rules.

6.11.1. What You Do

You send an email message to the BlackBerry user. They will see it in their Inbox in Outlook. They won’t see it on their handheld. It will be processed and used to configure the options.

6.11.2. Message Format

The message must be sent in “plain text” format. It must not be a protected email, or HTML or Rich Text.

6.11.3. Configuration Syntax

The subject of the message must be exactly <Handheld_Policy_Settings>

The first three lines of the message body must be exactly:

<!-- This is an administrative email for your Blackberry. Do not reply to this message. -->
<?xml version="1.0"?>
<Omniva_Admin>

Now, for each expiration category, you want to put in a group of lines that look almost like this:

<Policy_Category>
<Type>Expiration</Type>
<Name>policy name</Name>
<Expires_In>nn</Expires_In>
<Time_Units>Units</Time_Units>
</Policy_Category>

For the text in bold, you need to substitute in real values. They need to conform to the policies you set up on Email Control Server. They should be the same ones that apply to the BESAdmin.

- For policy name, put in the name of the policy category exactly as you configured it on Email Control Server, including any capitalization.
- For Units, put in Hours, Days, Weeks, Months, or Years. Notice that all these words are capitalized and in the plural.
- For nn, put in the number of units you want, as a numeral.

Then, for each confidentiality category, you want to put in a group of lines that look almost like this:

<Policy_Category>
<Type>Confidential</Type>
<Name>policy name</Name>
</Policy_Category>

For the text in bold, you need to substitute in real values. They need to conform to the policies you set up on Email Control Server. They should be the same ones that apply to the BESAdmin. For policy name, put in the name of the policy category exactly as you configured it on Email Control Server, including any capitalization.

The last line of the message should look exactly like

</Omniva_Admin>

You can send a new configuration message to the handheld anytime. You cannot set a default category.

If you want to make changes to policy categories that are already on the handheld, you have to delete the old ones before you create the new ones. So before the category definition, put in a group of lines that looks like this:

<Policy_Category_Delete>
<Name>policy name</Name>
</Policy_Category_Delete>

For the text in bold, you need to substitute in real values. They need to conform to the policies you set up on Email Control Server. They should be the same ones that apply to the BESAdmin. For policy name, put in the name of the policy category exactly as you configured it on Email Control Server, including any capitalization.

6.11.3.i. Example 1

You want to configure the policy category menu for Bob Johnson’s handheld. Your global policy includes the following categories:

Category Name    Settings
Memos            30 Days
Documents        90 Days
Records          1 Year
Company Only     Users in company directory only
Eyes Only        Recipients in TO, CC, BCC only

Bob is also a member of senior management. You have a policy called “For Execs” that also has the following category:

Conversations    7 Days

(“For Execs” is also applied to the BESAdmin, or there is another policy applied to the BESAdmin that has the same category.)

Also, Bob already has a category in his menu called Exec Test. You had put it there as a test.

Here’s what the whole configuration message looks like:

<!-- This is an administrative email for your Blackberry. Do not reply to this message. -->
<?xml version="1.0"?>
<Omniva_Admin>
<Policy_Category_Delete>
<Name>Exec Test</Name>
</Policy_Category_Delete>
<Policy_Category>
<Type>Expiration</Type>
<Name>Memos</Name>
<Expires_In>30</Expires_In>
<Time_Units>Days</Time_Units>
</Policy_Category>
<Policy_Category>
<Type>Expiration</Type>
<Name>Documents</Name>
<Expires_In>90</Expires_In>
<Time_Units>Days</Time_Units>
</Policy_Category>
<Policy_Category>
<Type>Expiration</Type>
<Name>Records</Name>
<Expires_In>1</Expires_In>
<Time_Units>Years</Time_Units>
</Policy_Category>
<Policy_Category>
<Type>Expiration</Type>
<Name>Conversations</Name>
<Expires_In>7</Expires_In>
<Time_Units>Days</Time_Units>
</Policy_Category>
<Policy_Category>
<Type>Confidential</Type>
<Name>Company Only</Name>
</Policy_Category>
<Policy_Category>
<Type>Confidential</Type>
<Name>Eyes Only</Name>
</Policy_Category>
</Omniva_Admin>

6.11.3.ii. Example 2

You have already configured Bob’s policy category menu. You are doing this again because you changed the setting of the Documents category from 90 Days to 60 Days, and because Bob is no longer a senior manager.

<!-- This is an administrative email for your Blackberry. Do not reply to this message. -->
<?xml version="1.0"?>
<Omniva_Admin>
<Policy_Category_Delete>
<Name>Conversations</Name>
</Policy_Category_Delete>
<Policy_Category_Delete>
<Name>Documents</Name>
</Policy_Category_Delete>
<Policy_Category>
<Type>Expiration</Type>
<Name>Documents</Name>
<Expires_In>60</Expires_In>
<Time_Units>Days</Time_Units>
</Policy_Category>
</Omniva_Admin>
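Hand-typing these messages is error-prone, and a wrong Time_Units spelling or a mismatched category name silently fails to take effect on the handheld. The following added Python (not Liquid Machines code) generates the message body described in 6.11.3 from a category table, enforcing the exact spellings the guide requires and emitting deletions before definitions; it reproduces Example 2 above. The Category class, the name check and the sample values are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

SUBJECT = "<Handheld_Policy_Settings>"          # the message subject, exactly
TIME_UNITS = ("Hours", "Days", "Weeks", "Months", "Years")  # capitalized, plural
HEADER_LINES = [
    "<!-- This is an administrative email for your Blackberry. Do not reply to this message. -->",
    '<?xml version="1.0"?>',
    "<Omniva_Admin>",
]


@dataclass
class Category:
    name: str                        # exactly as configured on Email Control Server
    kind: str                        # "Expiration" or "Confidential"
    expires_in: Optional[int] = None # nn, expiration categories only
    time_units: Optional[str] = None # Units, expiration categories only


def check_name(name: str) -> str:
    """Added safety check: markup characters in a name would break the XML."""
    if not name or any(ch in name for ch in "<>&"):
        raise ValueError(f"invalid category name {name!r}")
    return name


def delete_lines(name: str) -> List[str]:
    """The Policy_Category_Delete group that must precede a redefinition."""
    return ["<Policy_Category_Delete>",
            f"<Name>{check_name(name)}</Name>",
            "</Policy_Category_Delete>"]


def category_lines(c: Category) -> List[str]:
    """One Policy_Category group, validated against the rules in 6.11.3."""
    name = check_name(c.name)
    if c.kind == "Expiration":
        if c.time_units not in TIME_UNITS:
            raise ValueError(f"{c.name}: Time_Units must be one of {TIME_UNITS}")
        if not isinstance(c.expires_in, int) or c.expires_in <= 0:
            raise ValueError(f"{c.name}: Expires_In must be a positive numeral")
        return ["<Policy_Category>", "<Type>Expiration</Type>", f"<Name>{name}</Name>",
                f"<Expires_In>{c.expires_in}</Expires_In>",
                f"<Time_Units>{c.time_units}</Time_Units>", "</Policy_Category>"]
    if c.kind == "Confidential":
        return ["<Policy_Category>", "<Type>Confidential</Type>",
                f"<Name>{name}</Name>", "</Policy_Category>"]
    raise ValueError(f"{c.name}: unknown category type {c.kind!r}")


def build_message(deletes: List[str], categories: List[Category]) -> str:
    """Plain-text body: fixed header, deletions first (an existing category
    must be deleted before it is recreated), then definitions, then the
    closing </Omniva_Admin> line."""
    lines = list(HEADER_LINES)
    for name in deletes:
        lines += delete_lines(name)
    for cat in categories:
        lines += category_lines(cat)
    lines.append("</Omniva_Admin>")
    return "\n".join(lines)


# Example 2 above, rebuilt from its category changes.
EXAMPLE_2 = build_message(
    deletes=["Conversations", "Documents"],
    categories=[Category("Documents", "Expiration", 60, "Days")],
)

if __name__ == "__main__":
    print("Subject:", SUBJECT)
    print(EXAMPLE_2)
```

The body must still be sent as plain text, not HTML or Rich Text, for the handheld to process it.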

7. Managing External Recipients

As you are aware, external Email Control Server is a member server in an Active Directory Domain. (Depending on how it was installed, it may actually be a domain controller, and the only computer in the domain.) When you installed external Email Control Server, you created an organizational unit called “Liquid Machines External Recipients,” or something similar. As external recipients receive their first confidential messages and become registered with the service, corresponding user accounts are created inside this organizational unit.

You manage external recipients just as you would regular user accounts. If you are familiar with Active Directory, then you are already familiar with the interface. If you manage Windows NT and Exchange 5.5, you will find the interface easy to transition to. Only some user properties will be relevant for Email Control Server’s application.

7.1. To Begin…

1. Log in to a domain controller as an administrator.

2. From the Start menu on the desktop, in the Programs menu, in the Administrative Tools submenu, choose Active Directory Users and Computers.

3. In the management console, expand the domain’s folder, and select the organizational unit’s folder. The user accounts are displayed by email address in the right part of the window.

7.2. View a User’s Properties

1. Right-click on the user, and choose Properties from the pop-up menu.

2. Select the General tab.

The user’s email address is used for the first name and the display name. No other naming information is present. Also the address is added to the E-mail field.

In some circumstances, the same recipient may receive confidential email at several different email addresses. If this is true, and the recipient accesses those different accounts from the same computer, then the E-mail field will contain the email addresses of all the different accounts. These are known as “external recipient aliases.”

3. Select the Account tab.

The login part of the user’s email address is used as the logon name. The domain part is used as the logon domain. The real account name is randomly generated using the email address as a seed.

No other account properties are relevant for external Email Control Server.

External Email Control Server does not support some advanced password management features, such as expiring passwords. It does support password complexity.

7.3. Reset a User’s Password

You might reset a password if an external recipient informs you they have forgotten theirs.

1. Right-click on the user and choose Reset Password from the pop-up menu.

2. In the Reset Password dialog box, type in the new password twice, and click OK.

The console will confirm when the new password has taken effect.

7.4. Disable a User’s Account

You might disable an account if a recipient’s status with the company changes. Maybe they are no longer a customer, or maybe they were fired from a partner firm.

When an account is disabled, the user can no longer read confidential email sent to them in the past or in the future. They can still read messages marked as expiring but not confidential.

1. Right-click on the user’s account and choose Disable Account from the pop-up menu.

Re-enabling the account re-enables access to all confidential messages past and future.

Don’t delete the account! That won’t work, and you can read why below.

7.5. Don’t Delete Accounts!

If you delete an account, and the recipient still has the first confidential message they received, they can use it to re-register and recreate their account. If you want to lock someone out, disable the account.

Also, if you delete the account, someone else who might have that first message in their possession could use it to falsely register with the service. Don’t delete accounts, disable them.

7.5.1. Recreating a Deleted Account

If you delete an account, you can recreate it by restoring it from backup. Or you can send them a confidential message with a registration request, so that they can re-register. Once the user registers again, they will have access to all their old confidential messages.

To send a registration request, you must first delete Email Control Client’s cache of registered recipients.

1. Shut down Outlook.

2. Make sure Windows Explorer will display hidden and system files.

3. In your user profile folder, in the subfolder Application Data/Omniva, delete the file RegInfo.dat.

4. Start Outlook and send a confidential message to the recipient.

7.6. Registration Collisions

In rare circumstances, registration collisions can occur, such that one user account ends up acquiring the email address of another.

When a collision occurs, the following two symptoms occur:

- The correct recipient never receives a registration letter. Instead they are prompted for a password, as if they already know it.
- The recipient’s email address does not exist in the list of users.

7.6.1. To search for the colliding account…

1. In the management console, from the View menu, choose Advanced.

2. From the Action menu, choose Find...

3. In the Find Users dialog box, select the Advanced tab.

4. From the pull-down menu labeled Field, choose the User submenu, and then the Email Address item.

5. From the pull-down menu labeled Condition: choose Ends with.

6. In the input field labeled Value: type in the email address of the correct recipient.

7.6.2. To repair the collision…

1. Open a web browser and access https://securemail.acme.com/KeyServ/AdminService.asmx, where securemail.acme.com gets replaced with the common name of your policy service.

2. Find the link labeled UnregisterAlias and click through.

3. On the next page, for the parameter value, type in the name of the email alias that should not be associated with the account, and click the Invoke button.

Page 122: Administrator’s Guide - Check Point Software...includes software written by Tim Hudson (

Liquid Machines Email Control Server

Enterprise Edition 112 Administrator’s Guide

7.7. Partner Email Control Client

If some of your external recipients are also trusted business partners, you may want them to use Partner Email Control Client. They can compose secure messages when they communicate with you, or read

messages offline. Partner Email Control Client does have some limitations:

Only recipient-confidential messages can be sent. Composing company- and group-confidential email

is not supported.

Three retention policies for composition are hard-coded into the Client, for 30 days’, 90 days’, and 1

year’s expiration time. They cannot be changed.

Automatic policy application is not supported.

The default is not to send a protected email. Users must take action in order for that to happen.

Users can send new protected emails to anyone, not just your company employees.

If a partner forwards or replies to a protected email, Partner Client does enforce the original settings. So if you send the partner a group-confidential message that expires in 100 hours, the partner’s reply will be

group-confidential and will expire after 100 hours.

You install and configure Partner Client the same way you would Email Control Client, except that you use

the Partner Client installer. The partner must be registered with the external Email Control Server before

they can install.

Note: If you want more control over the policies applied to email entering your organization, and you are

not concerned about end-to-end encryption, use Gateway for Exchange/SMTP to secure correspondence

from partners and customers.

7.7.1. Installing Partner Client

First, you need to configure your external Email Control Server to support Partner Client. Run through the configuration wizard on the external Email Control Server, and enable the “Allow External Senders” and “Pass-thru Authentication” features. You can read more about the pass-thru feature in the Features chapter earlier in this manual.

Make sure the user has received and successfully read a confidential protected email from the machine where they will install Partner Client.

Distribute the Partner Client installer (opcexternal.exe in the Clients/for Outlook folder) and the Email Control Client install guide to the recipient. Be sure to tell them the common name of your policy service. Or package the installer so that it does this automatically, as per the details in the “Automating Roll-out” topic in the Advanced Administration chapter.


7.7.2. Security Implications

When Partner Client support is enabled, a hostile party who is also a registered external recipient can mount a “directory harvest” attack against your external Email Control Server. That is, the attacker can repeatedly ask the server whether an email address is a valid one inside your corporation, or whether it belongs to an external recipient registered with your external Email Control Server. Eventually, the attacker could “harvest” a number of valid email addresses. Spammers are the most common users of such an attack, so watch the external server’s IIS logs for a single registered recipient probing many addresses.

Since an attacker may be able to “harvest” a valid email address for an external recipient, he could then know that this recipient is doing business with your company. This could be a risk to the recipient’s privacy, or your company’s.


7.8. Customizing the Registration Page

You can add your company’s logo or a custom message to the top of the registration page. Normally, at registration time, the recipient sees the standard registration form; the top part of that page is what you can customize.

1. On the external Email Control Server, create the text file customRegistration.txt in the C:\Documents and Settings\All Users\Application Data\Omniva folder.

2. Add your customizations to this file. They will be displayed within the single cell of a one-row, one-column table, so author your HTML accordingly.

This page is accessed over an HTTPS connection. So if you add links to images that go over plain HTTP, your external recipients may receive a dialog from their web browser about allowing both secure and insecure items; reference images over HTTPS instead. Because the file’s contents are inserted into the registration page as HTML, anyone who can write to customRegistration.txt can alter what registering recipients see, so restrict write access to the file to administrators.


8. Monitoring Activity

Your internal Email Control Server offers several monitoring reports you can use to gauge the effectiveness of deployment and usage, and to track changes.

8.1. To Begin…

1. Start the administrative console.

2. Expand Liquid Machines Email Control Administrator.

8.2. Who Is Installed?

In the Windows domain where the Email Control Server resides, you created a group called “Omniva Senders.” Email Control Server automatically adds the account of anyone who has Email Control Client installed to this group.

You can view this group’s membership using the Active Directory Users and Computers management console, or the Windows NT User Manager. You cannot view the report from the administrative console.

You can also use the showmbrs command line utility from the Windows 2000 Resource Kit to create a text file listing the members of the group.

Note that Email Control Server adds a member to this group the first time Email Control Client runs after an installation. If for some reason you have not created this group but have already installed clients, you will need to reinstall those clients in order to get them in the list.


8.3. How Many Have Policies?

1. Right-click on the Information folder and choose the Installation tab.

This report counts how many users have Email Control Client installed.

This report does not subtract from its counters when someone uninstalls Email Control Client, so these figures reflect the maximum achieved, not necessarily the current reality. What it actually counts is the number of members in the Omniva Senders group.

8.4. When Are Keys Deleted?

Now choose the Activity tab.


The report shows the last time one or more encryption keys were deleted.

8.5. When Were Changes Made to Policies?

1. Now select the History tab.

2. From the History report, from the pull-down menu select the policy you want to audit.

The report shows, in chronological order, when changes were made to a policy. You can even select policies that have been deleted. Note that currently no history of the actual changes is available for policies, only of when they were made.


8.6. Basic Read Message Activity

In order to enable basic read-message tracking, you must create the Windows registry string value EnableIISLog under HKEY_LOCAL_MACHINE\SOFTWARE\Omniva\Policy Server and set it to true.

The web server must be configured to log in W3C extended format, and have no custom logging fields defined or enabled. This is the default installation mode for IIS 5.0.

In the Email Control Administrator, select the Message Statistics View folder.

For each time a protected email is read, the report shows:

- Who sent the message.
- What time it was sent.
- Who read the message. It also indicates if the user was outside the corporate network when they read the message. Note that reads by external recipients are not reported on the internal Email Control Server.
- What time it was read.
- What happened:
  - The read was successful (status NoError).
  - The message had already expired (status Expired).
  - The user was unauthorized (status AccessDenied).


At the bottom of the report page, there are links to additional pages.

Tip: You can also access this report with your web browser at https://hostname/KeyServ/Anonymous/MessageStats.aspx, where hostname is the canonical hostname of the server. The report exposes sender addresses and read activity and is served from the Anonymous virtual directory, so check who can reach that URL rather than assuming only administrators can see it.

8.6.1. How Do I Clear Out Report Activity?

Policy Mail Activity reports are generated by processing all web server logs that currently exist in the standard location. To clean out the report, move or delete all but the last few days of logs. Be sure to back up the logs to stable, permanently stored media if you will ever need access to the full report.

Internet Information Services (IIS) logs are located in %SystemRoot%\system32\LogFiles\W3SVC1. The filenames take the form exYYMMDD.log. The string W3SVC1 may be slightly different if there are multiple web sites being served by this machine.


8.6.2. Can I Do My Own Analysis?

Yes. You can process the IIS logs to do your own analysis. You need to be familiar with the W3C extended log file format for web servers, and with CGI query strings within HTTP GET requests. Here’s what to look for:

- Any line containing the string InlineImage or InlineLink represents one reading of a message.
- The time of the HTTP request is the time of the reading.
- The CGI query string contains the following relevant parameters:
  - id: the unique identifier of the message that was sent.
  - from: the email address of the user who created the original protected email, prefaced by the string “rfc822:”.
  - at: the time the message was originally sent.
  - recipient: who read the message. This field is blank if the recipient was external.
  - status: one of NoError, Expired, or AccessDenied.
  - auth: set to “External”. Present only if the request was originally against the external server.

To be clear, when an external recipient reads a message, recipient is empty and auth is set. If auth is set and recipient is not empty, this represents an internal recipient reading from outside the network, such as a Sales Associate reading from an airport kiosk.

A message reading is counted every time a web browser or mail reader renders the message. This means that one user could generate several readings in a short amount of time. For example, a user without Email Control Client who reads a copy- or print-blocked message will generate two readings, since the first time they “read” the message, they will be presented with a graphic asking them to “Click here to read the message.” They click again and generate a second reading.
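The rules above turned into a parser, as an added example that is not part of this guide. It reads W3C extended log lines (honouring the #Fields: directive), keeps only InlineImage and InlineLink requests, pulls id, from, at, recipient, status and auth out of the query string, and classifies each reading as an external recipient, an internal user inside the network, or an internal user reading from outside. The log lines are constructed for illustration, including the repeated click-to-read request described above; the URI stems, the column order, and whether recipient carries the rfc822: prefix (stripped if present) are assumptions.

```python
"""Extract read-message activity from IIS W3C extended logs.

Added example, not part of the Liquid Machines guide. Implements the rules
in the text: a request line containing InlineImage or InlineLink is one
reading, its timestamp is the read time, and the query string carries id,
from, at, recipient, status and auth. SAMPLE_LOG is constructed for
illustration; the URI stems and the column order are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List
from urllib.parse import parse_qs

RFC822 = "rfc822:"

# Constructed sample. Lines 1-2: one internal user opening a click-to-read
# message (two readings). Line 3: an external recipient. Line 4: an internal
# user reading from outside the network, message already expired. Line 5: an
# unauthorised internal read. Line 6: unrelated request, ignored.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-06-05 14:02:11
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-06-05 14:02:11 10.1.2.3 GET /KeyServ/Anonymous/InlineImage.aspx id=msg-0001&from=rfc822%3Aalice%40acme.com&at=2005-06-05T13%3A55%3A00&recipient=bob%40acme.com&status=NoError 200
2005-06-05 14:02:12 10.1.2.3 GET /KeyServ/Anonymous/InlineImage.aspx id=msg-0001&from=rfc822%3Aalice%40acme.com&at=2005-06-05T13%3A55%3A00&recipient=bob%40acme.com&status=NoError 200
2005-06-05 14:10:40 198.51.100.7 GET /KeyServ/Anonymous/InlineLink.aspx id=msg-0002&from=rfc822%3Aalice%40acme.com&at=2005-06-04T09%3A00%3A00&recipient=&status=NoError&auth=External 200
2005-06-05 14:11:05 198.51.100.9 GET /KeyServ/Anonymous/InlineLink.aspx id=msg-0003&from=rfc822%3Acarol%40acme.com&at=2005-06-01T09%3A00%3A00&recipient=dave%40acme.com&status=Expired&auth=External 200
2005-06-05 14:12:00 10.1.2.9 GET /KeyServ/Anonymous/InlineImage.aspx id=msg-0004&from=rfc822%3Aalice%40acme.com&at=2005-06-05T10%3A00%3A00&recipient=eve%40acme.com&status=AccessDenied 200
2005-06-05 14:12:30 10.1.2.9 GET /KeyServ/Default.aspx - 200
"""


def strip_rfc822(addr: str) -> str:
    return addr[len(RFC822):] if addr.startswith(RFC822) else addr


@dataclass
class Reading:
    read_at: str            # date and time of the HTTP request
    message_id: str         # id parameter
    sender: str             # from parameter, rfc822: prefix removed
    sent_at: str            # at parameter
    recipient: str          # empty when an external recipient read it
    status: str             # NoError, Expired or AccessDenied
    external_request: bool  # auth=External was present

    @property
    def reader_kind(self) -> str:
        if self.external_request and not self.recipient:
            return "external recipient"
        if self.external_request:
            return "internal user outside the network"
        return "internal user"


def parse_readings(log_text: str) -> Iterator[Reading]:
    fields: List[str] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the directive names the columns
            continue
        if not line or line.startswith("#") or not fields:
            continue
        if "InlineImage" not in line and "InlineLink" not in line:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "")
        qs = parse_qs("" if query == "-" else query, keep_blank_values=True)

        def one(key: str) -> str:
            return qs.get(key, [""])[0]      # parse_qs already percent-decodes

        yield Reading(
            read_at=f"{row['date']} {row['time']}",
            message_id=one("id"),
            sender=strip_rfc822(one("from")),
            sent_at=one("at"),
            recipient=strip_rfc822(one("recipient")),
            status=one("status"),
            external_request=one("auth") == "External",
        )


def summarize(readings: List[Reading]) -> Dict[str, object]:
    """Counts by status and reader kind, plus distinct (message, recipient)
    pairs so the click-to-read double counting collapses to one."""
    return {
        "readings": len(readings),
        "distinct": len({(r.message_id, r.recipient) for r in readings}),
        "by_status": dict(Counter(r.status for r in readings)),
        "by_kind": dict(Counter(r.reader_kind for r in readings)),
    }


def denied(readings: List[Reading]) -> List[Reading]:
    """The rows worth following up: reads the server refused."""
    return [r for r in readings if r.status == "AccessDenied"]


if __name__ == "__main__":
    rs = list(parse_readings(SAMPLE_LOG))
    print(summarize(rs))
    for r in denied(rs):
        print(f"{r.read_at} {r.recipient or '<external>'} denied on {r.message_id} from {r.sender}")
```

Point parse_readings at the contents of each exYYMMDD.log in turn; the distinct count is the figure to report when you want readers rather than renders, and the denied list is the one to review for misaddressed confidential mail.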

8.6.3. What About External Recipients?

As with the internal Email Control Server, policy mail read-message activity on the external Email Control Server is written to the IIS logs. There is no report available in the administrative console, but you can still access the report via https://hostname/KeyServ/Anonymous/MessageStats.aspx.

Note that the email addresses of the external recipients are not included as part of the report.


8.7. The Report Service

Email Control Server’s Report Service allows you to log audit violations to an SQL database. Certain events within the Email Control Server system trigger submission of data to the virtual Report Service. Specifically:

- Any time someone is denied access to a protected email or encrypted attachment, the Email Control Server that denied access will log the event to the Report Service.
- If a message triggers a Policy Rule, and the Rule includes a “report” action, the Client or Gateway processing the Rule will log the event to the Report Service.

The Report Service in turn stores the event data in a common format in a Microsoft SQL Server 2000 database.

Each Email Control Server has a virtual Report Service installed with it by default. When you enable the Report Service, all Clients and Gateways which connect to that same Email Control Server start logging events, as does the Email Control Server itself.

You can configure multiple Report Services to store data in the same SQL database.

8.7.1. To set up Microsoft SQL for the Report Service…

You must deploy Microsoft SQL Server 2000. You should be familiar with managing SQL Server, specifically with creating a database, running an SQL batch file, adding permissions to a database, and backing up the database. Refer to your Microsoft SQL Server documentation.

Create an SQL database. You can name it however you choose, but we suggest you start the name with “LMEC.”

The Email Control Server machine must be able to access this database over the network, and the machine account of the server must be able to log in remotely to the database with administrative rights, or “full control,” while the schema is created. Make sure you set the permissions on the database accordingly. Once the schema script has run, the Report Service only needs to write audit rows, so consider reducing the machine account to the least privilege that still lets it write to the PolicyReport and SendReport tables described below, and verify that events are still recorded afterwards.

Run the SQL commands in the Omniva.SQL file, located in the c:\Inetpub\wwwroot\ReportServ folder, against the database you created, in order to configure and schematize it.


8.7.2. To enable the Report Service on a particular Email Control Server…

1. In the Email Control Administrator, right-click on the Configuration node and choose Properties. Then move to the Advanced tab.

2. Click the Reporting… button. Check the box to enable reporting, and input the connection string in the field below.

3. Click OK to close all dialog boxes.


8.7.2.ii. More about connection strings…

An SQL connection string consists of a list of name/value pairs separated by semicolons, like this:

First=john;Last=smith;Title=Mr

You can read about all the different name/value pairs in your Microsoft SQL Server documentation. Parameters control what server and database are accessed, what login credentials are used, and all sorts of ways to control the security, performance, and multiplexing of the connection. The most salient ones to remember are:

- Data Source= Put in the host name or IP address of the SQL Server.
- Initial Catalog= Put in the name of the database you created.
- Integrated Security= Put in SSPI. This is the most secure method: the server’s machine account authenticates with Windows, so no SQL login or password is stored in the connection string. If you can’t support this method, read your SQL Server documentation for other options.

Putting those together, you arrive at something like

Data Source=sql1.dc.acme.com;Initial Catalog=OPMauditdb;Integrated Security=SSPI


8.7.3. Database Schema

8.7.3.i. Table: PolicyReport

A record is added to this table every time an audit event occurs.

Field: uniqueID: This is a unique record number generated by the database server.

Field: timeOfInsert: This is the date and time the record was actually committed to the database.

Field: timeOfMessage: This is the date and time the message was created.

Field: timeOfViolation: This is the date and time the rule was triggered, or access was denied to reading the message.

Field: sender: This is who created the original message.

Field: subject: This is the subject line from the original message.

8.7.3.ii. Table: SendReport

A record is added to this table (and correlated to one in the PolicyReport table) only when the audit event is that a Rule was triggered.

Field: uniqueID: This is a unique record number generated by the database server.

Field: fkPolicyReport: This is the unique record ID of the corresponding entry in the PolicyReport table.

Field: ruleName: This is the name of the Rule that was triggered, as it was configured in the Policy.

Field: ruleDescription: This is the description of the Rule that was triggered, as it was configured in the Policy.
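To make the two tables concrete, an added example that is not part of this guide: the PolicyReport and SendReport schema built in SQLite as a stand-in for the SQL Server 2000 database the product writes to, with one insert path for each kind of audit event and the join that lists rule violations separately from access denials. Column types, the sample rows and the helper names are assumptions; the guide gives only the column names and their meanings.

```python
"""Local stand-in for the Report Service database.

Added example, not part of the Liquid Machines guide. It builds the two
documented tables in SQLite (the product uses Microsoft SQL Server 2000),
records the two kinds of audit event the Report Service receives, and joins
the tables to list rule violations. Column types, sample rows and helper
names are assumptions; the guide gives only column names and meanings.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE PolicyReport (
    uniqueID        INTEGER PRIMARY KEY AUTOINCREMENT,   -- generated by the DB
    timeOfInsert    TEXT NOT NULL DEFAULT (datetime('now')),
    timeOfMessage   TEXT NOT NULL,                       -- when the message was created
    timeOfViolation TEXT NOT NULL,                       -- rule fired or access denied
    sender          TEXT NOT NULL,
    subject         TEXT
);
CREATE TABLE SendReport (
    uniqueID        INTEGER PRIMARY KEY AUTOINCREMENT,
    fkPolicyReport  INTEGER NOT NULL REFERENCES PolicyReport(uniqueID),
    ruleName        TEXT NOT NULL,
    ruleDescription TEXT
);
"""


def open_report_db(path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(path)
    db.execute("PRAGMA foreign_keys = ON")  # SendReport rows must point at a real event
    db.executescript(SCHEMA)
    return db


def _insert_policy_report(db, time_of_message, time_of_violation, sender, subject) -> int:
    cur = db.execute(
        "INSERT INTO PolicyReport (timeOfMessage, timeOfViolation, sender, subject) "
        "VALUES (?, ?, ?, ?)",
        (time_of_message, time_of_violation, sender, subject))
    return cur.lastrowid


def record_access_denied(db, time_of_message, time_of_violation, sender, subject) -> int:
    """Server-side event: a read was refused. Only PolicyReport gets a row."""
    return _insert_policy_report(db, time_of_message, time_of_violation, sender, subject)


def record_rule_triggered(db, time_of_message, time_of_violation, sender, subject,
                          rule_name, rule_description) -> int:
    """Client/Gateway event: a Policy Rule with a report action fired.
    PolicyReport gets the event, SendReport the correlated rule detail."""
    pid = _insert_policy_report(db, time_of_message, time_of_violation, sender, subject)
    db.execute(
        "INSERT INTO SendReport (fkPolicyReport, ruleName, ruleDescription) VALUES (?, ?, ?)",
        (pid, rule_name, rule_description))
    return pid


def rule_violations(db, since: str) -> List[Tuple[str, str, str, str]]:
    """Rules that fired since a point in time: (timeOfViolation, sender, subject, ruleName)."""
    return db.execute("""
        SELECT p.timeOfViolation, p.sender, p.subject, s.ruleName
        FROM PolicyReport p JOIN SendReport s ON s.fkPolicyReport = p.uniqueID
        WHERE p.timeOfViolation >= ?
        ORDER BY p.timeOfViolation""", (since,)).fetchall()


def denied_reads(db) -> List[Tuple[str, str, str]]:
    """Events with no SendReport partner are access denials, not rule hits."""
    return db.execute("""
        SELECT p.timeOfViolation, p.sender, p.subject
        FROM PolicyReport p LEFT JOIN SendReport s ON s.fkPolicyReport = p.uniqueID
        WHERE s.uniqueID IS NULL
        ORDER BY p.timeOfViolation""").fetchall()


def demo():
    """Populate an in-memory copy with one event of each kind (constructed data)."""
    db = open_report_db()
    record_access_denied(db, "2005-06-01 09:00:00", "2005-06-05 14:12:00",
                         "alice@acme.com", "Q2 forecast")
    record_rule_triggered(db, "2005-06-05 10:00:00", "2005-06-05 10:00:05",
                          "bob@acme.com", "Customer list",
                          "Block SSN", "Message body matched the SSN pattern")
    return rule_violations(db, "2005-06-01 00:00:00"), denied_reads(db)


if __name__ == "__main__":
    violations, denials = demo()
    print("rule violations:", violations)
    print("denied reads:", denials)
```

The same two SELECT statements run unchanged against the real database, which is the point: the presence or absence of a SendReport row is what tells a rule hit from an access denial, since PolicyReport itself does not record the event kind.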


9. Advanced Administration

9.1. Backups

You should back up each Email Control Server or external Email Control Server. Critical data include server configuration, security policies you have created, audit information, and encryption keys.

Liquid Machines’ recommendation for backing up the encryption keys housed on the Email Control Server is to create one or more “warm spares” and store them in a network-safe location. That is, you set up an Email Control Server, replicating the encryption key data as discussed under “Replicating Data” below, and leave it on.

If your backup systems or policies do not allow you to create “warm spares,” Liquid Machines recommends that you back up the encryption keys to their own, separate media, and that you physically destroy the media once you have created the next, new backup. If the media is not destroyed, someone might be able to recover old encryption keys, and therefore read protected emails that should have expired.

The keys are housed in the “All Users” profile directory on the servers. The specific location is:

- For cleanly installed Windows 2000 and 2003, c:\Documents and Settings\All Users\Application Data\Omniva\keys.
- For upgrades from Windows NT, c:\Documents and Settings\All Users.WINNT\Application Data\Omniva\keys.

Make sure you exclude this folder from your general backup plan, or handle it specially as described above; a routine backup that sweeps up the keys folder keeps expired messages readable for as long as that backup exists.

You should also back up the Active Directory database in the domain where the external Email Control Server resides. This domain contains all information about external recipients who are registered to receive confidential messages.

9.2. High Availability

Email is mission critical to your business. That means every component of the messaging system needs to meet demands for uptime and performance. This includes Email Control Server. If Email Control Server is down, recipients can’t read protected emails.

You can find whitepapers on complex HA configurations on Liquid Machines’ web site.

9.2.1. Fault Tolerant Hardware

Liquid Machines recommends you deploy Email Control Server and external Email Control Server on fault tolerant hardware. Specifically, we recommend the encryption keys be housed on a RAID 1 or RAID 5 disk configuration. Since encryption keys are mission critical data, RAID offers protection against loss.

9.2.2. Mirroring

All Email Control Servers and external Email Control Servers in a given installation mirror the same set of encryption keys. If one server fails catastrophically, you can copy the keys from another server as part of rebuilding the failed machine. Mirroring is accomplished by uniformly seeding the servers during product installation. It does not require the servers to communicate with each other in any way.

Seeding is a very simple process. After you install the first Email Control Server, you simply copy the folder where the keys reside to the exact same location on the next server. Then you install the product software on the next server. The installation recognizes that you have already copied in the keys. See the Replicating Data section below.

9.2.3. Load Balancing and Failover

You can balance the client load across several Email Control Servers or external Email Control Servers. You can use industry-standard technologies such as Microsoft Windows Load Balancing Service, or Cisco Content Services Switches. You can also provide a failover mechanism this way.

If you need help planning or configuring a load-balanced or failover scenario, please contact Liquid Machines Technical Support.


9.2.3.i. Replicating Data

The SSL certificate on an existing server must be exported to and installed on the new server.

Encryption keys are replicated amongst load balanced servers automatically, because of uniform seeding at installation time. Seeding is accomplished by copying the folder c:\Documents and Settings\All Users\Application Data\Omniva\keys from an existing Email Control Server to the exact same location on a new Windows server, and then installing Email Control Server on the new server.

Configuration parameters must be entered separately for each server. For example, if you enable the Retention Mailbox feature, you must do so through the administrative console of each individual server.

Policies you created can be replicated via Microsoft Distributed File System (DFS), or some other file replication technology. You should be well versed in the file replication technology in order to accomplish this.

The directory you must replicate for policies is c:\Documents and Settings\All Users\Application Data\Omniva\policies (or “All Users.WINNT” on machines upgraded from Windows NT).

An overview of the procedure for Microsoft DFS would be to:

- Create a DFS root on the main Email Control Server.
- Create DFS replicas of this root on the other Email Control Servers.
- On the main Email Control Server, in the DFS root you created, create a DFS link and associate it with the folder where the policies are.
- Create DFS replicas of this link on the other Email Control Servers, and enable them for automatic replication.

9.2.3.ii. Supporting Universal Viewer

When someone views a message with Universal Viewer, several different HTTP and HTTPS requests are made to the Email Control Server all at once. All the requests must go to the same server, or rendering the message will fail.

When all HTTP requests go to the same web server during the cycle of a particular application, it’s called a session, and the application is called session-based. So your load balancing solution must support Universal Viewer as a session-based application.

In Windows Load Balancing Service, you can do this by setting the affinity on the port rule for the service to “single.”

On a Cisco Content Services Switch, you do this by making the service “sticky by IP.”

9.2.4. Geographic Redundancy

You can deploy internal Email Control Servers in different geographic locations, and ensure that users access the Email Control Server geographically closest to them. There are a couple of different ways to accomplish this.


If you need help planning or installing a geographically redundant setup, please contact Liquid Machines Policy Systems Technical Support. Also, check the Liquid Machines Support web site for additional materials and documentation.

9.2.4.i. DNS Views

With this method, you deploy internal Email Control Servers in each geographic site. You create the servers and replicate the data between them according to the instructions in the Load Balancing and Failover section above.

Then you manipulate the DNS view of the client workstations at each site, so that it points the common name of the policy service at their local Email Control Server. The easiest way to do this might be to create a separate domain exclusively for the policy service, for example pmail.acme.com. Then you configure a DNS server at each site to host the domain, adding a host (A) record, for example pm.pmail.acme.com, that resolves to the local Email Control Server. Because every site answers for the same common name, every server must hold the same SSL certificate for that name, as described under Replicating Data above.

9.2.4.ii. Trusted Email Control Servers

With this method you deploy internal Email Control Servers in each geographic site. You must also deploy an external Email Control Server or cluster for each site-local internal Email Control Server or cluster. The internal Email Control Servers cannot “share” one external Email Control Server.

You replicate key and policy data between them as you would with the first method. You do not replicate configuration information or the SSL certificate. It’s almost like completely separate Email Control Server installations, except you replicate key and policy data.

Instead you choose a different common name for the policy service for each site, for example securemail.asia.acme.com and securemail.europe.acme.com. You acquire SSL certificates for each of these common names, and install them on the appropriate servers. You configure DNS to point the appropriate common name at the appropriate server, both for Email Control Server and external Email Control Server. When you install each server, you configure them according to their corresponding names for the policy service and matching external Email Control Server.

Finally, when you install Policy Client, you configure it to point to the common name of the policy service appropriate for its geographic locality.


9.2.4.ii.i. What Happens…

When Policy Client generates a protected email, it gets a key from, and the message references, the local Email Control Server.

When Policy Client reads a protected email, it always asks its local Email Control Server for the key, even if the message came from one of the other servers.

For users without Policy Client, the Universal Viewing service will carry them back to the original server. So for example, a user in Asia without Policy Client who receives a message from Europe will connect to Europe’s server. Because of this, Liquid Machines recommends you deploy trusted servers only in major, or hub, sites in each geographic region, and not in satellite offices for that region. Otherwise, users without Policy Client might have to connect to servers that are network-wise very far away.

9.2.5. Offline for Clients

Email Control Client and Gateway for BlackBerry provide Outlook and BlackBerry users with offline capabilities for reading and composing messages.


9.3. Automated Client Roll-out

Email Control Client and Client for BlackBerry installers come in executable (EXE) and Microsoft Installer (MSI) formats that are compatible with automated roll-out technologies, such as Windows login scripts, Active Directory Group Policies (GPOs), Microsoft SMS and Intel LANDesk.

Client for BlackBerry needs no configuration parameters, and can be run without alteration. Both installers accept all Microsoft Installer flags, such as /qn, which runs a “silent” install.

Email Control Client requires the common name of the policy service as its only parameter. You can pass the executable the flag OPS_POLICYSERVER=securemail.acme.com, where securemail.acme.com gets replaced with the name of your service. Alternatively, you can edit the MSI file (or create a transform) with standard MSI editing tools, such as Microsoft’s Orca: in the Property table, add a row named OPS_POLICYSERVER and make its value the common name of the policy service.

9.4. Compromised Keys

If an attacker somehow gets access to one of your Email Control Servers or external Email Control Servers, they might be able to copy the encryption keys and the information used to generate them. This would compromise not only all existing protected emails, but all future ones generated as well.

If you detect an attacker, and after you have locked them out and cleaned up your systems, you should change the “key sequence identifier” on your primary Email Control Server, and then copy the encryption keys from this server to all other servers. This will not protect existing messages, but will protect any future messages sent.

You can change the identifier in the administrative console, on the Configuration tab. However, changing it there by itself has no effect; contact Liquid Machines Technical Support for the tools and procedures necessary to complete this process.

9.5. Corrupt Keys

In the rare instance that the encryption keys on a server become corrupt, you will be notified via the administrative email address that you configured at installation time. The email has as its subject “Email Control Server 'securemail.acme.com' is experiencing errors.” The body of the message contains the text “Email Control Server 'securemail.acme.com' is experiencing errors related to key management. See the Application event log for details.”

If key corruption does occur, you should stop the Liquid Machines Server by shutting down IIS. Then re-copy the keys from an Email Control Server believed to have a valid key set, in the exact same way you did to install your external Email Control Server or redundant Email Control Servers. Then restart the server by restarting IIS.

The internal Email Control Server is most likely to have the correct key set, unless it has crashed and the external Email Control Server has not.


9.6. Logging

9.6.1. Email Control Server

Email Control Server, and external Email Control Server, log all output to the machine’s Application event log.

To change the verbosity of logging, use Notepad to edit the file c:\Inetpub\wwwroot\KeyServ\Web.config. Find the section that looks like

    <switches>
      <!-- Sets the general log level.
           Valid values are: 0=Off, 1=Error, 2=Warning, 3=Info, 4=Verbose -->
      <add name="Global" value="3" />
    </switches>

In the string value="3", change the 3 to 1, 2, 3, or 4 as appropriate (0 turns logging off entirely, which leaves you without an audit trail of server errors). Then restart IIS.

The IIS logs also contain valuable information about the operation of Email Control Server. IIS logs are located in %SystemRoot%\system32\LogFiles\W3SVC1 by default. There is generally one file for each 24-hour period. The string W3SVC1 may be different if there are multiple virtual web servers running on this machine.

9.6.2. Email Control Client

Email Control Client sends all log output to the Local Settings\Temp\OmnivaLogs subfolder of the user’s profile folder.

There are log files for each Outlook session. Three types of logs exist: one for the add-in, one for Attachment Reader, and one if you are using Word as your email editor. The filenames begin with oc_, ar_, and wa_, respectively.

You can set the maximum size of log files by setting the registry value HKEY_LOCAL_MACHINE\Software\Omniva\Policy Client\LogLimit. This must be a string value containing a file size in MB. If the value is 0, greater than 4000, or not a valid number, the logger does not split files.

In the folder c:\Program Files\Liquid Machines\Email Control Client there are three files, logDefault.reg, logOn.reg, and logOff.reg. These are Registry Editor scripts, which set logging to normal, verbose, or off, respectively.


9.6.3. Gateway for BlackBerry

The amount of logging can be controlled through the Gateway’s administrative console. Please see the Components chapter for more information.

Errors and warnings are logged to the machine’s application event log.

Events and traces are logged to files in %HOMEPATH%\Local Settings\Temp\OmnivaLogs, where %HOMEPATH% is the user profile directory of the BESAdmin account. The filename extension is .log.

Logging at this level causes the service, the BlackBerry server, and the administrative application all to log verbosely.

You can set the maximum size of log files by setting the registry value HKEY_LOCAL_MACHINE\Software\Omniva\Policy Gateway for Blackberry\LogLimit. This must be a string value containing a file size in MB. If the value is 0, greater than 4000, or not a valid number, the logger does not split files. Also, a new log file is created with every Gateway restart.

9.6.4. Gateway for Exchange/SMTP

Gateway for Exchange/SMTP logs events to files in %SystemRoot%\Temp\Liquid Machines\Logs. The filenames begin with sg_.

You can set the maximum size of log files by setting the registry value HKEY_LOCAL_MACHINE\Software\Omniva\Policy Gateway for SMTP\LogLimit. This must be a string value containing a file size in MB. If the value is 0, greater than 4000, or not a valid number, the logger does not split files. Also, a new log file is created with every Gateway restart.

You can set the logging level by setting the registry value HKEY_LOCAL_MACHINE\Software\Omniva\Policy Gateway for SMTP\LogLevel to one of Verbose, Info, Warning, or Error. The default is Info.

Gateway for Exchange/SMTP also logs events to the server’s application event log under the following circumstances:

The Gateway is started or stopped.

The Gateway encounters an error that causes it to retry sending the message after 60 seconds.

The Gateway encounters an unknown error.

9.6.5. Email Archive Gateway

To enable logging in Email Archive Gateway, in the Windows registry, in the key \\HKEY_LOCAL_MACHINE\SOFTWARE\Omniva\KVS create a string value labeled LogLevel and set its value to Debug.

Files are logged to c:\ArchiveFilter.log.

Email Archive Gateway shares some code with Gateway for Exchange/SMTP, so you can enable additional logging via the Gateway mechanism.


9.6.6. Client for Blackberry

To manage logging in Client for Blackberry:

1. Click the Omniva application icon to open the "Control Categories" screen.

2. Click the wheel and choose "About".

3. Use the following hotkey combinations:

Type the letter 'l' and then the letter 'g' to launch the log output screen.

Type the letter 'l' and then the letter 'e' to turn on logging.

Type the letter 'l' and then the letter 'd' to turn off logging.

Type the letter 'l' and then the letter 'c' to clear all log entries.


10. The Discovery Process

Some day your company may be involved in a lawsuit. Once the suit is filed, your company is not allowed to destroy any evidence (like email and paper documents) until it’s over. During the proceedings, the other party will be given a chance to “discover” any evidence that might help their case. Depending on what a judge says, they may be allowed to search, possibly electronically, through some or all of your company’s existing email messages.

That’s the discovery process. And it has a few implications regarding Email Control Server, namely that…

Messages must not expire during the lawsuit, or they may be considered destroyed, and you could be penalized.

The other party must receive readable versions of any email messages that they can and do request.

The company must continue to protect its intellectual assets from unauthorized access, and itself from future liability.

10.1. Procedure Overview

10.1.1. Suspend Expiration

The first thing to do, immediately upon being served with the lawsuit, is suspend expiration. You should never suspend expiration, or re-enable it, without a directive from Executive Management as advised by Legal Counsel. If you do either without their mandate, you could expose the company to legal liability.

Once you do this, Email Control Server will not destroy any encryption keys until you enable expiration again. That way, you can extract and make readable any email that is requested as part of discovery.

10.1.1.i. What the User Sees

The user experience will continue to be that messages are kept confidential, or expire, or cannot be printed or copied. Email Control Server will not grant access for end-users to messages that should have expired, even though it keeps the key available. That way, company assets are still protected.

10.1.1.ii. What Happens Afterward

When you do re-enable expiration, Email Control Server will immediately delete all keys that should have expired. That way any documents not subpoenaed will cease to be a possible liability.

It can take Email Control Server up to 24 hours to physically delete the keys. However, it will not hand out any keys it intends to delete during that time. You cannot “abort” the process and expect that whatever keys were not yet deleted will become available.

10.1.2. Enable Retention

If you have not already enabled the message retention features when a lawsuit is served, then you might want to do so. This will protect against users who unwittingly destroy email by deleting it from their mailboxes. Or, if you have a professional archival solution deployed, such as KVS Enterprise Vault, then this system can protect you also.


10.1.3. Extract and Decrypt Messages

Once expiration is suspended, and as discovery requests come in, you will need to extract email messages, decrypt them, and send them to counsel. You may be asked to send all email messages on all servers and backup tapes. Or you may be asked to send email messages sent only by certain people during certain periods of time.

It may be to your advantage to extract messages only upon request. Or, if the process will last a long time and messages created during the process will be requested, it may be smarter to extract and save new messages on a daily basis.

10.1.3.i. Extract and Store

The first task is to extract and store the relevant email.

The Microsoft Exchange utility Exmerge is used if you are retaining the messages in an Exchange mailbox. Exmerge is highly configurable, and can be used to target and retrieve precisely what emails are needed. Extraction criteria can include time, mailbox user, subject line content, and other parameters.

If you have a professional archiving system, refer to its instructions for extracting messages. For purposes here, they must be saved to a Microsoft Personal Folder File (PST).

10.1.3.ii. Decrypt and Save

The second task is to decrypt the messages and save them in a readable format. The Liquid Machines tools are used to decrypt the messages, and then they are saved in Microsoft Personal Folder (PST) files.


10.2. To Suspend Expiration…

NOTE: Suspension of key destruction in the Liquid Machines Email Control Administrator will result in the suspension for all messages managed by the Email Control Server. Suspension of key destruction is an “all or nothing” proposition.

1. Start the administrative console.

2. Expand the Liquid Machines Email Control Administrator node, right-click the Configuration node and select Properties. Select the Advanced tab.

3. In the dialog box, choose the radio button labeled Suspended. Click YES in the ensuing confirmation dialog.


10.3. To Resume Expiration…

WARNING: If expiration has been suspended, resuming expiration will result in the immediate expiration of all messages that should have expired while the suspension was enabled. These messages will become unrecoverable immediately.

1. Start the administrative console.

2. Expand the Liquid Machines Email Control Administrator node, right-click the Configuration node and select Properties. Select the Advanced tab.

3. In the dialog box, click the radio button labeled Normal to restart expiration.

10.4. To Extract and Decrypt Messages…

10.4.1. Set Up a Dedicated Machine

The discovery process can take up a lot of hardware resources. Decrypting so many messages at once can use a lot of processor time. And, depending on how much information is needed by the court, the process can take a lot of disk space.

You should expect to consume twice as much disk space as it would take to store all the messages you need in an Outlook Personal Folder (PST) file.

The Discovery Tools cannot be run on the same machine as where Email Control Server resides.


10.4.2. Install Software

On the machine dedicated to the discovery process you will need to install…

Windows 2000 Server, Service Pack 3 or later.

Microsoft Outlook 2000 or later.

Liquid Machines Email Control Client.

Either… ExMerge, which you can find for Exchange 2000 in the Support folder on your Exchange 2000 distribution disk. For Exchange 5.5, ExMerge can be found in the second edition of the BackOffice Resource Kit.

Or… the tools necessary to extract messages from your professional archiving system and store them in PST files.

The Liquid Machines Email Control Administrator. Run the setup program in the Email Control Administrator folder on your product CD, and install the Administrator, just as you would in other circumstances.

10.4.3. Create the Service Account

1. In the domain where the dedicated machine resides, create a user account with login DiscoveryUser. Make sure the login name and display name are spelled exactly that way, capital letters, no space and all.

2. In the same domain, create a domain local group called Discovery Users. Add the service account to this group.

3. Add the service account to the Administrators group local to the dedicated machine (not the domain group).

4. Make the service account an Exchange administrator…

10.4.3.ii. For Exchange 2000…

1. Create a mailbox for the service account.

2. Add the service account to the Exchange Domain Servers security group.

10.4.3.iii. For Exchange 5.5…

1. Create a mailbox for the service account.

2. In the properties of the Organization, Site and Configuration objects in Exchange System Manager, add the service account to the permissions list as a Service Account Admin.


10.4.4. Extract Messages

You can use the Microsoft Exchange support utility ExMerge to extract messages from an information store. ExMerge provides a graphical interface that allows you to select messages for extraction based on a number of different criteria. It then saves the extracted messages to PST files. You can also save the settings so that you can run ExMerge in batch mode, and automate the discovery process.

Or, you can use the tools that come with your archiving solution to extract messages and store them in PST files.

Before you extract messages, consider how much disk space, processor power, and hours you have each day. You may want to extract and process messages in separate lots. For example, you might extract all messages sent in a given week, or all messages from a certain group of users.

Note that the following procedure uses the ExMerge tool for Exchange 2000 as the example.


1. Start the ExMerge utility. You see the welcome screen for the Mailbox Merger Wizard. Click Next.

2. On the next screen, select the second option, the two-step procedure.


3. On the next screen, select the first option, step 1. (We’ll never do step 2.)

4. On the next screen, type in the name of your Exchange server.

5. Click Options… to select the extraction criteria.


6. On the Data tab, check only the first box.

7. On the Import Procedure tab, select the second option, to merge data.


8. On the Folders tab, select the “Ignore these folders” radio button, and check the “Apply actions to subfolders” checkbox.

9. Click the Modify… button to choose folders.

10. In the Select Folders dialog box, double-click \Calendar, \Contacts, \Journal, \Notes, and \Tasks. None of these folders could contain protected emails.


11. Click OK to save the folder selections.

12. On the Dates tab, you can select all messages, or you can choose a range of dates. Here we have selected any messages delivered on a particular day.


13. On the Message Details tab, you can search for messages based on the subject line, or on the names of any attached files. Here we are searching for messages whose subject contains the string “pin number”.

14. Click OK to save the changes. Then click Next to go to the next screen. This may take a few moments while the address book is retrieved.

15. Select the mailboxes you want to extract. Then click Next.


16. On the next screen, you can select a locale, if you are in a country other than the U.S.

17. On the next screen, you can select what folder the PST files will go into.


18. On the next screen, you can save the settings you have chosen, and you can choose where the settings files will be located.

19. On the last screen, the Wizard shows progress of the extraction. You can click Finish when it’s done.

You can use Outlook to view the messages, by opening the PST files in the target folder.

You don’t have to use ExMerge to extract messages. Although ExMerge offers powerful features, any tool that creates PST files will do. Use the tools from your professional archiving solution. Or you could even use Outlook to open a user’s mailbox and export the contents.


10.4.5. Decrypt Messages

Once you have extracted the messages, you need to decrypt them. The Liquid Machines utility will decrypt all the messages you extracted to the PST file, in place.

1. Log in to the discovery machine as the DiscoveryUser service account.

2. Make sure that you have set up the Outlook profile for the service account so that you can access its mailbox.

3. Open a command prompt.

4. Move to the directory where you installed the Discovery Tools.

cd c:\Program Files\Omniva\Discovery Tools

5. Run the PolicyPstToClearPst.exe program with appropriate parameters. The syntax is:

PolicyPstToClearPst -logdir WhereToPutTheLogs -pstdir WhereThePstFilesAre -domain dc.domain.top

You need to replace some strings in the command with parameters appropriate for your installation:

WhereToPutTheLogs gets replaced with the full path to a folder where you’d like to keep the log.

WhereThePstFilesAre gets replaced with the full path to the folder where the extracted PST files are.

dc.domain.top gets replaced with the fully qualified name of one of your domain controllers.

The program runs silently. When it’s done, you can check the log for success or errors. If it succeeds, then the extracted PST files will now contain all plain-text messages. All protected emails that were stored there will be converted.

10.5. Targeted Suspension

In some legal circumstances, it may be that you don’t have to provide all email messages for discovery. A subpoena may specifically state that you need only provide messages from or to a certain person, or containing a certain word in the subject. If this is the case, it may be appropriate for you to suspend expiration for only those messages. That way, you meet your legal obligations while at the same time mitigating risk in other areas.

The Liquid Machines discovery tools make this possible via a round-about procedure. Basically, you suspend expiration, then extract and archive the relevant messages. You wait a week, extract and archive all relevant messages created during that week, then configure Email Control Server to go ahead and expire any messages that should have expired during that week.

10.5.1. Configuring Email Control Server

Normally, when expiration is suspended, the Email Control Server will expire no messages. In this case, we will modify the behavior so that it expires no messages whose expiration should occur after a certain date and time.


For example, if you suspend expiration on January 1, Email Control Server will stop expiring messages. On June 1, if you configure the server with a March 1 targeted suspension date, it will immediately expire all messages that should have expired during January or February, but not any that should have expired in March, April, or May.

1. Open a command prompt.

2. Move to the directory where you installed the Discovery Tools.

cd c:\Path\To New Folder\Discovery Tools

3. Run the UpdateKeyServRegistry.exe program with appropriate parameters. The syntax is:

UpdateKeyServRegistry -ComputerName machine.domain.com -SuspendedAfterDate yyyymmddhhmmss

You need to replace some strings in the command with parameters appropriate for your installation:

machine.domain.com gets replaced with the fully qualified domain name of the Email Control Server.

yyyymmddhhmmss gets replaced with the date and time. For example, 20030101000000 for January 1, 2003.

10.5.2. Example

Your company is involved in a patent suit regarding some chemical formulas. A company researcher named Harvey Smythe always uses a custom Outlook template to draft patent forms for review by his supervisor, and it automatically puts the name of the chemical formula in the subject line. You briefed your corporate counsel about this, and they expect that within a couple of months, the court will subpoena all email Harvey sent or received with “carbon dioxide” in the subject line. They tell you to recover as much as you can now, and to be sure you collect whatever else comes up in the next few months. No one else in your company is part of the suit, and so your legal department requests that you still mitigate risk where you can. You get the order on July 1, 2003. Here’s what you do:

1. Suspend expiration on the Email Control Server.

2. Enable retention on the Email Control Server, or rely on your archiving solution.

3. Extract and decrypt all email in Harvey’s mailbox with “carbon dioxide” in the subject line.

4. Wait a week. Then extract and decrypt all email in the retention mailbox sent or received by Harvey between July 1 and July 8 with “carbon dioxide” in the subject line.

5. Configure the Email Control Server with a targeted expiration date of July 8.

Repeat the last two steps, changing the dates accordingly, until corporate counsel tells you otherwise. Be sure to archive the messages to stable media.

You don’t have to repeat the last two steps each week. You can repeat them once a month, or every day, depending on your needs.

10.6. Automating the Process

Depending on the nature of your Exchange infrastructure, the hardware resources available to you, and whether you make use of targeted suspension, you may find yourself frequently extracting messages, archiving files, reconfiguring the server, and so on. The labor involved may be significant enough to warrant automation of the process. You have all the necessary tools at your disposal:

PolicyPstToClearPst.exe can be configured from the command line, returns exit codes, and can log all output to a file.

UpdateKeyServRegistry.exe can be configured from the command line, returns exit codes, and can log all output to a file.

And in fact, ExMerge can be configured with plain-text configuration files, can run silently from the command line, and can log all output to a file. (Maybe your archiving system is scriptable, too.)

You could combine these utilities together with a batch file or Visual Basic script, and then run the batch file or script at regular intervals using Windows Task Scheduler.

10.6.1. Example

Liquid Machines does not warranty the operation of, nor is responsible for any damage caused by, this pseudo-code or any code based on its likeness.

Suppose you have 3 different Exchange servers in your organization. You have been subpoenaed to submit for discovery all messages sent or received by Patty Johnson, and all messages with the word “Merger” in the subject line. Your legal counsel generally picks up whatever electronic documents are available at the end of each week. The procedures and pseudo-code below outline how to automate the process.


To begin…

Suspend expiration.

Enable retention on the Email Control Server.

Create a folder, on the machine dedicated to discovery, that will hold all configuration and data, for example c:\Discovery.

In that folder create 6 subfolders, one for each combination of Exchange server and search criteria, for example, exch1-patty, exch1-merger, exch2-patty, and so on.

Use ExMerge to create and save settings files for each of these combinations. Be sure you target all output, and save each set of files, to the appropriate subdirectory. (You don’t have to finish the ExMerge process. You can cancel out after you save the settings.)

Now write a script or batch file that combines the utilities, these settings and folders, some error checking and some incremental date changes. Whatever scripting tools you use, they must be able to:

Loop through several items in a list.

Search for text strings or patterns in a file.

Find and replace text strings or patterns in a file.

Run another program and check its exit status.

Get the current date, add or subtract from it, and format it in a certain way.

Below is pseudo-code demonstrating what the script might look like:

    $date = function( getTheDate )
    $newstartdate = $date - ( 1 hour )
    $newenddate = $newstartdate + ( 7 days )
    For each $server in ( exch1 exch2 exch3 )
        For each $criterion in ( patty merger )
            Run exmerge, settings = c:\Discovery\$server-$criterion\exmerge.ini
            If ( exmerge exit status = good )
                Move c:\Discovery\$server-$criterion\outputfile.pst \
                    to c:\Discovery\$server-$criterion\outputfile-$date.pst
            Else
                Print "exmerge failed on $server-$criterion"
                Quit
            End if
            Run PolicyPstToClearPst.exe, settings = " \
                -logdir c:\Discovery\$server-$criterion\ \
                -pstdir c:\Discovery\$server-$criterion\ \
                -domain acme.com"
            If ( PolicyPstToClearPst.exe exit status = bad )
                Print "PolicyPstToClearPst failed on $server-$criterion"
                Quit
            End if
            Find "SelectMessageStartDate" in c:\Discovery\$server-$criterion\exmerge.ini, \
                Replace with "SelectMessageStartDate = $newstartdate"
            Find "SelectMessageEndDate" in c:\Discovery\$server-$criterion\exmerge.ini, \
                Replace with "SelectMessageEndDate = $newenddate"
        End for
    End for
    Run UpdateKeyServRegistry.exe, settings = " \
        -ComputerName securemail.acme.com \
        -SuspendedAfterDate format( $newstartdate, "yyyymmddhhmmss" )"
    If ( UpdateKeyServRegistry.exe exit status = bad )
        Print "UpdateKeyServRegistry failed"
    End if
    Quit

You should run the script from the DiscoveryUser account.

You should run a script like this by hand the first time to make sure it works correctly. You might want to comment out the part that runs UpdateKeyServRegistry.exe, until you verify the script’s operation. Then you can schedule the script in Windows Task Scheduler to run once a week.
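The weekly loop above, written out as a runnable Python script. This is an added example for this guide's procedure, not Liquid Machines' code and not the DailyDiscovery.vbs the product ships. It assumes the c:\Discovery\<server>-<criterion>\exmerge.ini layout from 10.6.1, an ExMerge.ini date format of yyyy/mm/dd hh:mm (the page does not state it; check a settings file ExMerge saved), hypothetical ExMerge flags -f and -b, and a hypothetical domain controller dc.acme.example; the command runner is injectable so the control flow can be exercised without Exchange or the Discovery Tools present. It also covers the yyyymmddhhmmss formatting for UpdateKeyServRegistry from 10.5.1.

```python
"""Weekly discovery cycle: extract, decrypt, roll the ExMerge dates, then advance
the targeted suspension date. Added example; not the product's own script."""
import re
import subprocess
from datetime import datetime, timedelta
from pathlib import Path

SERVERS = ("exch1", "exch2", "exch3")
CRITERIA = ("patty", "merger")
ROOT = Path(r"c:\Discovery")
TOOLS = Path(r"c:\Program Files\Omniva\Discovery Tools")
KEY_SERVER = "securemail.acme.com"   # Email Control Server FQDN, as in the page's example
DOMAIN_CONTROLLER = "dc.acme.example"  # hypothetical domain controller FQDN (-domain argument)
INI_DATE_FMT = "%Y/%m/%d %H:%M"      # assumed ExMerge.ini date format; verify against a saved file


def format_suspend_date(dt):
    """Render a datetime as the yyyymmddhhmmss string UpdateKeyServRegistry expects."""
    return dt.strftime("%Y%m%d%H%M%S")


def next_window(now):
    """Next extraction window: start one hour before now (overlap, so nothing slips
    between runs), end seven days after the start."""
    start = now - timedelta(hours=1)
    return start, start + timedelta(days=7)


def update_exmerge_dates(ini_text, start, end):
    """Rewrite the SelectMessageStartDate/SelectMessageEndDate lines of an ExMerge.ini.
    Refuses to continue if a key is missing or duplicated: a silently unchanged
    window would re-extract old mail and miss new mail."""
    for key, value in (("SelectMessageStartDate", start), ("SelectMessageEndDate", end)):
        pattern = re.compile(rf"^{key}\s*=.*$", re.IGNORECASE | re.MULTILINE)
        ini_text, n = pattern.subn(lambda m: f"{key}={value.strftime(INI_DATE_FMT)}", ini_text)
        if n != 1:
            raise ValueError(f"{key} must appear exactly once in the settings file, found {n}")
    return ini_text


def run_command(argv):
    """Default runner: execute the external tool and return its exit code."""
    return subprocess.run(argv, check=False).returncode


def run_cycle(now, run=run_command, root=ROOT, tools=TOOLS, key_server=KEY_SERVER):
    """One pass over every server/criterion pair. Returns True only if every
    extraction and decryption succeeded; the suspension date is advanced only
    then, so a failed run leaves that week's keys available and nothing becomes
    unrecoverable before counsel has a readable copy."""
    start, end = next_window(now)
    stamp = now.strftime("%Y%m%d%H%M")
    for server in SERVERS:
        for criterion in CRITERIA:
            job = root / f"{server}-{criterion}"
            ini = job / "exmerge.ini"
            # Flags are assumed; the page only says ExMerge runs silently with a settings file.
            if run(["exmerge", "-f", str(ini), "-b"]) != 0:
                print(f"exmerge failed on {server}-{criterion}")
                return False
            pst = job / "outputfile.pst"
            if not pst.exists():
                print(f"exmerge produced no PST for {server}-{criterion}")
                return False
            pst.rename(job / f"outputfile-{stamp}.pst")
            if run([str(tools / "PolicyPstToClearPst.exe"), "-logdir", str(job),
                    "-pstdir", str(job), "-domain", DOMAIN_CONTROLLER]) != 0:
                print(f"PolicyPstToClearPst failed on {server}-{criterion}")
                return False
            ini.write_text(update_exmerge_dates(ini.read_text(), start, end))
    if run([str(tools / "UpdateKeyServRegistry.exe"), "-ComputerName", key_server,
            "-SuspendedAfterDate", format_suspend_date(start)]) != 0:
        print("UpdateKeyServRegistry failed")
        return False
    return True


if __name__ == "__main__":
    raise SystemExit(0 if run_cycle(datetime.now()) else 1)
```

Run it from the DiscoveryUser account; scheduling it in Windows Task Scheduler is the same as for the batch or VBScript version.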


10.6.2. DailyDiscovery.vbs

Liquid Machines does not warranty the operation of, nor is responsible for any damage caused by, DailyDiscovery.vbs.

In the c:\Program Files\Omniva\Discovery Tools folder on the internal Email Control Server, you’ll find DailyDiscovery.vbs, which is a functioning example of an automation script written in VBScript. The script performs the following actions:

Validates the environment and establishes configuration parameters.

Deletes any temporary PST files from the folders where extracted data and decrypted data go.

Updates the SelectMessageEndDate parameter contained in the ExMerge.ini file to the current date and time.

Calls the ExMerge program to create the set of PST files specified in the ExMerge.ini file.

Validates that the ExMerge program ran successfully by scanning the ExMerge.log file.

Copies the extracted data in the PST files to the decrypted data directory.

Validates that there are PST files that require decryption.

Calls the PolicyPstToClearPst program to process the PST files in the decrypted data directory.

Validates that the PolicyPstToClearPst.exe program ran successfully by scanning the PolicyPst.log file.

Moves decrypted PST files to an archive folder whose name is based on the date and time.

Validates that all processing to this point has been successful.

Updates the SelectMessageStartDate parameter contained in the ExMerge.ini file to the current date.

Calls the UpdateKeyServRegistry program to set the target suspension date to the current date.

You can review the code for hints on how to create your own.


11. Appendices

11.1. Microsoft Rights Management Analogs to Policy Manage Features

The following table briefly outlines RM analogs to native Email Control Server functionality.

Email Control Server Native Component or Feature | Analog Achieved Using Windows Rights Management (possibly with Email Control Server)

Email Control Server | Email Control Server + Windows Rights Management Services (RMS) Cluster

external Email Control Server | RMS with support for Microsoft Passport Service (more discussion below)

Email Control Client | Outlook 2003 + Windows Rights Management (RM) Client

Attachment Reader | Office 2003 + RM Client (or same as Universal Viewer)

Universal Viewer | Microsoft Internet Explorer (IE) + RM Client + RM Add-in for IE

Report Service | Report Service + RMS Cluster Audit Logs

Message Clean-up Tool | none

Gateway for BlackBerry | none

Client for BlackBerry | none

Gateway for Exchange/SMTP | Gateway for Exchange/SMTP

Email Archive Gateway | Email Control Server Intelligent Archiving (more discussion below)

Message Contents Features | none, or for just retention then Intelligent Archiving

Secure Communications Feature | IPSec

Pass-Thru Auth | Expose part of RMS Cluster to Internet

Outlook Delegation | none

Liquid Machines Policy Systems is a Rights Management Independent Solutions Vendor. Please call us if you need advice or expertise in building a Microsoft Rights Management environment, or with maximizing the potential of an Email Control Server and RMS combined solution.


11.1.1. Analog to external Email Control Server

The most direct analog in Windows RM to Email Control Server external Email Control Server functionality is enabling your RMS cluster to trust the Microsoft Passport Service. The conceptual steps are:

Add a server to your RMS Cluster and expose this server to the Internet.

On this server, in IIS Manager, change the authentication mechanism on the RMS application to the “Passport” type.

In the RMS configuration, add an “external licensing URL,” and make the Internet-exposed server available via this URL.

External recipients will need to register with the Microsoft Passport Service in order to read the protected message sent to them.

There are other ways to publish content to the Internet with Windows RM, including making external recipients part of an Organizational Unit within your Windows domain, deploying a separate Windows domain and RMS installation in your DMZ and “trusting” it with your internal installation, and even “trusting” other companies’ RMS installations.

11.1.2. Analog to Email Archive Gateway

Email Control Server’s Policy Rules include actions that can set message headers, and copy messages to special mailboxes, either in an encrypted or clear text format. These features can be combined to create an “Intelligent Archive System” which is platform independent.

For example, suppose you want to use Rights Management to encrypt all email flowing through your organization. At the same time, you want to archive messages in clear text for compliance reasons. And you want to archive messages for different time periods based on their content. You can set up Policy Rules that both encrypt messages so that they expire, and send clear text copies to a different mailbox depending on the expiration time. You could then back up the mailboxes each to different media, and retain the media only as long as the associated expiration time.


11.2. Regular Expression Syntax

Copyright (c) 1998-2001 Dr John Maddock

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Dr John Maddock makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

This section covers the regular expression syntax used by this library. This is a programmer's guide; the actual syntax presented to your program's users will depend upon the flags used during expression compilation.

11.2.1. Literals

All characters are literals except: ".", "|", "*", "?", "+", "(", ")", "{", "}", "[", "]", "^", "$" and "\". These characters are literals when preceded by a "\". A literal is a character that matches itself, or matches the result of traits_type::translate(), where traits_type is the traits template parameter to class reg_expression.

11.2.2. Wildcard

The dot character "." matches any single character except: when match_not_dot_null is passed to the matching algorithms, the dot does not match a null character; when match_not_dot_newline is passed to the matching algorithms, the dot does not match a newline character.


11.2.3. Repeats

A repeat is an expression that is repeated an arbitrary number of times. An expression followed by "*" can be repeated any number of times, including zero. An expression followed by "+" can be repeated any number of times, but at least once; if the expression is compiled with the flag regbase::bk_plus_qm then "+" is an ordinary character and "\+" represents a repeat of once or more. An expression followed by "?" may be repeated zero or one times only; if the expression is compiled with the flag regbase::bk_plus_qm then "?" is an ordinary character and "\?" represents the repeat zero or once operator. When it is necessary to specify the minimum and maximum number of repeats explicitly, the bounds operator "{}" may be used: thus "a{2}" is the letter "a" repeated exactly twice, "a{2,4}" represents the letter "a" repeated between 2 and 4 times, and "a{2,}" represents the letter "a" repeated at least twice with no upper limit. Note that there must be no white-space inside the {}, and there is no upper limit on the values of the lower and upper bounds. When the expression is compiled with the flag regbase::bk_braces then "{" and "}" are ordinary characters and "\{" and "\}" are used to delimit bounds instead. All repeat expressions refer to the shortest possible previous sub-expression: a single character, a character set, or a sub-expression grouped with "()", for example.

Examples:

"ba*" will match all of "b", "ba", "baaa" etc.
"ba+" will match "ba" or "baaaa" for example, but not "b".
"ba?" will match "b" or "ba".
"ba{2,4}" will match "baa", "baaa" and "baaaa".

11.2.4. Non-greedy repeats

Whenever the "extended" regular expression syntax is in use (the default), non-greedy repeats are possible by appending a '?' after the repeat; a non-greedy repeat is one which will match the shortest possible string.

For example, to match HTML tag pairs one could use something like:

"<\s*tagname[^>]*>(.*?)<\s*/tagname\s*>"

In this case $1 will contain the text between the tag pairs, and will be the shortest possible matching string.


11.2.5. Parentheses

Parentheses serve two purposes: to group items together into a sub-expression, and to mark what generated the match. For example, the expression "(ab)*" would match all of the string "ababab". The matching algorithms regex_match and regex_search each take an instance of match_results that reports what caused the match; on exit from these functions the match_results contains information both on what the whole expression matched and on what each sub-expression matched. In the example above match_results[1] would contain a pair of iterators denoting the final "ab" of the matching string. It is permissible for sub-expressions to match null strings. If a sub-expression takes no part in a match, for example if it is part of an alternative that is not taken, then both of the iterators that are returned for that sub-expression point to the end of the input string, and the matched parameter for that sub-expression is false. Sub-expressions are indexed from left to right starting from 1; sub-expression 0 is the whole expression.

11.2.6. Non-Marking Parentheses

Sometimes you need to group sub-expressions with parentheses but don't want the parentheses to produce another marked sub-expression; in this case a non-marking parenthesis (?:expression) can be used. For example, the following expression creates no sub-expressions:

"(?:abc)*"

11.2.7. Forward Lookahead Asserts

There are two forms of these: one for positive forward lookahead asserts, and one for negative lookahead asserts:

"(?=abc)" matches zero characters only if they are followed by the expression "abc".
"(?!abc)" matches zero characters only if they are not followed by the expression "abc".

11.2.8. Alternatives

Alternatives occur when the expression can match either one sub-expression or another. Each alternative is separated by a "|", or by a "\|" if the flag regbase::bk_vbar is set, or by a newline character if the flag regbase::newline_alt is set. Each alternative is the largest possible previous sub-expression; this is the opposite behavior from repetition operators.

Examples:

"a(b|c)" could match "ab" or "ac".
"abc|def" could match "abc" or "def".


11.2.9. Sets

A set is a set of characters that can match any single character that is a member of the set. Sets are delimited by "[" and "]" and can contain literals, character ranges, character classes, collating elements and equivalence classes. Set declarations that start with "^" contain the complement of the elements that follow.

Examples:

Character literals:

"[abc]" will match any of "a", "b", or "c".
"[^abc]" will match any character other than "a", "b", or "c".

Character ranges:

"[a-z]" will match any character in the range "a" to "z".
"[^A-Z]" will match any character other than those in the range "A" to "Z".

Note that character ranges are highly locale dependent: they match any character that collates between the endpoints of the range, and ranges will only behave according to ASCII rules when the default "C" locale is in effect. For example, if the library is compiled with the Win32 localization model, then [a-z] will match the ASCII characters a-z, and also 'A', 'B' etc., but not 'Z', which collates just after 'z'. This locale-specific behavior can be disabled by specifying regbase::nocollate when compiling; this is the default behavior when using regbase::normal, and forces ranges to collate according to ASCII character code. Likewise, if you use the POSIX C API functions then setting REG_NOCOLLATE turns off locale-dependent collation.

Character classes are denoted using the syntax "[:classname:]" within a set declaration; for example "[[:space:]]" is the set of all whitespace characters. Character classes are only available if the flag regbase::char_classes is set. The available character classes are:

alnum    Any alphanumeric character.
alpha    Any alphabetical character a-z and A-Z. Other characters may also be included depending upon the locale.
blank    Any blank character, either a space or a tab.
cntrl    Any control character.
digit    Any digit 0-9.
graph    Any graphical character.
lower    Any lower case character a-z. Other characters may also be included depending upon the locale.
print    Any printable character.
punct    Any punctuation character.
space    Any whitespace character.
upper    Any upper case character A-Z. Other characters may also be included depending upon the locale.
xdigit   Any hexadecimal digit character, 0-9, a-f and A-F.
word     Any word character: all alphanumeric characters plus the underscore.
unicode  Any character whose code is greater than 255; this applies to the wide character traits classes only.

There are some shortcuts that can be used in place of the character classes, provided the flag regbase::escape_in_lists is set. Then you can use:

\w in place of [:word:]
\s in place of [:space:]
\d in place of [:digit:]
\l in place of [:lower:]
\u in place of [:upper:]

Collating elements take the general form [.tagname.] inside a set declaration, where tagname is either a single character or the name of a collating element; for example [[.a.]] is equivalent to [a], and [[.comma.]] is equivalent to [,]. The library supports all the standard POSIX collating element names, and in addition the following digraphs: "ae", "ch", "ll", "ss", "nj", "dz", "lj", each in lower, upper and title case variations. Multi-character collating elements can result in the set matching more than one character; for example [[.ae.]] would match two characters, but note that [^[.ae.]] would only match one character.

Equivalence classes take the general form [=tagname=] inside a set declaration, where tagname is either a single character or the name of a collating element, and match any character that is a member of the same primary equivalence class as the collating element [.tagname.]. An equivalence class is a set of characters that collate the same; a primary equivalence class is a set of characters whose primary sort keys are all the same (for example, strings are typically collated by character, then by accent, and then by case; the primary sort key then relates to the character, the secondary to the accentuation, and the tertiary to the case). If there is no equivalence class corresponding to tagname, then [=tagname=] is exactly the same as [.tagname.]. Unfortunately there is no locale-independent method of obtaining the primary sort key for a character, except under Win32. For other operating systems the library will "guess" the primary sort key from the full sort key (obtained from strxfrm), so equivalence classes are probably best considered broken under any operating system other than Win32.

To include a literal "-" in a set declaration, make it the first character after the opening "[" or "[^", the endpoint of a range, or a collating element, or, if the flag regbase::escape_in_lists is set, precede it with an escape character as in "[\-]". To include a literal "[" or "]" or "^" in a set, make it the endpoint of a range or a collating element, or precede it with an escape character if the flag regbase::escape_in_lists is set.

11.2.10. Line anchors

An anchor is something that matches the null string at the start or end of a line: "^" matches the null string at the start of a line, "$" matches the null string at the end of a line.


11.2.11. Back references

A back reference is a reference to a previous sub-expression that has already been matched; the reference is to what the sub-expression matched, not to the expression itself. A back reference consists of the escape character "\" followed by a digit "1" to "9": "\1" refers to the first sub-expression, "\2" to the second, etc. For example, the expression "(.*)\1" matches any string that is repeated about its mid-point, for example "abcabc" or "xyzxyz". A back reference to a sub-expression that did not participate in any match matches the null string; note that this is different from some other regular expression matchers. Back references are only available if the expression is compiled with the flag regbase::bk_refs set.

11.2.12. Characters by code

This is an extension to the algorithm that is not available in other libraries; it consists of the escape character followed by the digit "0" followed by the octal character code. For example "\023" represents the character whose octal code is 23. Where ambiguity could occur, use parentheses to break the expression up: "\0103" represents the character whose code is 103, while "(\010)3" represents the character 10 followed by "3". To match characters by their hexadecimal code, use \x followed by a string of hexadecimal digits, optionally enclosed inside {}, for example \xf0 or \x{aff}; notice that the latter example is a Unicode character.

11.2.13. Word operators

The following operators are provided for compatibility with the GNU regular expression library.

"\w" matches any single character that is a member of the "word" character class; this is identical to the expression "[[:word:]]".
"\W" matches any single character that is not a member of the "word" character class; this is identical to the expression "[^[:word:]]".
"\<" matches the null string at the start of a word.
"\>" matches the null string at the end of a word.
"\b" matches the null string at either the start or the end of a word.
"\B" matches a null string within a word.

The start of the sequence passed to the matching algorithms is considered to be a potential start of a word unless the flag match_not_bow is set. The end of the sequence passed to the matching algorithms is considered to be a potential end of a word unless the flag match_not_eow is set.


11.2.14. Buffer operators

The following operators are provided for compatibility with the GNU regular expression library and Perl regular expressions:

"\`" matches the start of a buffer.
"\A" matches the start of the buffer.
"\'" matches the end of a buffer.
"\z" matches the end of a buffer.
"\Z" matches the end of a buffer, or possibly one or more new line characters followed by the end of the buffer.

A buffer is considered to consist of the whole sequence passed to the matching algorithms, unless the flags match_not_bob or match_not_eob are set.

11.2.15. Escape operator

The escape character "\" has several meanings.

Inside a set declaration the escape character is a normal character unless the flag regbase::escape_in_lists is set, in which case whatever follows the escape is a literal character regardless of its normal meaning.

The escape operator may introduce an operator, for example a back reference or a word operator.

The escape operator may make the following character normal; for example "\*" represents a literal "*" rather than the repeat operator.

11.2.16. Single character escape sequences

The following escape sequences are aliases for single characters:

Escape sequence   Character code   Meaning
\a                0x07             Bell character.
\f                0x0C             Form feed.
\n                0x0A             Newline character.
\r                0x0D             Carriage return.
\t                0x09             Tab character.
\v                0x0B             Vertical tab.
\e                0x1B             ASCII Escape character.
\0dd              0dd              An octal character code, where dd is one or more octal digits.
\xXX              0xXX             A hexadecimal character code, where XX is one or more hexadecimal digits.
\x{XX}            0xXX             A hexadecimal character code, where XX is one or more hexadecimal digits, optionally a Unicode character.
\cZ               z-@              An ASCII escape sequence control-Z, where Z is any ASCII character greater than or equal to the character code for '@'.

11.2.17. Miscellaneous escape sequences

The following are provided mostly for Perl compatibility, but note that there are some differences in the meanings of \l \L \u and \U:

\w   Equivalent to [[:word:]].
\W   Equivalent to [^[:word:]].
\s   Equivalent to [[:space:]].
\S   Equivalent to [^[:space:]].
\d   Equivalent to [[:digit:]].
\D   Equivalent to [^[:digit:]].
\l   Equivalent to [[:lower:]].
\L   Equivalent to [^[:lower:]].
\u   Equivalent to [[:upper:]].
\U   Equivalent to [^[:upper:]].
\C   Any single character, equivalent to '.'.
\X   Match any Unicode combining character sequence, for example "a\x0301" (a letter a with an acute).
\Q   The begin quote operator; everything that follows is treated as a literal character until a \E end quote operator is found.
\E   The end quote operator; terminates a sequence begun with \Q.


11.2.18. What gets matched?

The regular expression library will match the first possible matching string; if more than one string starting at a given location can match, then it matches the longest possible string, unless the flag match_any is set, in which case the first match encountered is returned. Use of the match_any option can reduce the time taken to find the match, but is only useful if the user is less concerned about what matched; for example, it would not be suitable for search and replace operations. In cases where there are multiple possible matches all starting at the same location, and all of the same length, the match chosen is the one with the longest first sub-expression; if that is the same for two or more matches, then the second sub-expression will be examined, and so on.
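The non-greedy tag pattern of 11.2.4, the "(.*)\1" back reference of 11.2.11 and the leftmost-longest rule of 11.2.18 are easiest to see side by side. The following is an added example, not part of this guide or of the regular expression library it documents. It uses Python's re module, which accepts these particular constructs with the same spelling but which, like Perl, returns the first alternative that matches rather than the longest; the last function therefore emulates the longest-match rule by hand. The HTML fragment and the function names are constructed for the example.

```python
import re

# Constructed sample input (not from the guide): two tag pairs on one line.
SAMPLE_HTML = '<p class="x">first</p><p>second</p>'


def tag_bodies(tagname, html, greedy=False):
    """Return the text between each <tagname ...>...</tagname> pair.

    With greedy=False this is the pattern from 11.2.4: the '?' after '.*'
    makes the repeat stop at the first closing tag.  With greedy=True the
    same pattern without the '?' runs on to the LAST closing tag and
    swallows the tags in between, which is the mistake the section avoids.
    """
    body = r"(.*)" if greedy else r"(.*?)"
    tag = re.escape(tagname)
    pattern = r"<\s*%s[^>]*>%s<\s*/%s\s*>" % (tag, body, tag)
    return re.findall(pattern, html)


def is_doubled(s):
    """11.2.11: '(.*)\\1' matches a string repeated about its mid-point."""
    return re.fullmatch(r"(.*)\1", s) is not None


def perl_style_match(pattern, text):
    """Perl/Python rule: the first alternative that matches wins, even if a
    later alternative would match a longer string."""
    m = re.match(pattern, text)
    return m.group(0) if m else None


def leftmost_longest(alternatives, text):
    """Emulate the 11.2.18 rule for a top-level alternation: try every
    alternative at the same start position and keep the longest match."""
    best = None
    for alt in alternatives:
        m = re.match(alt, text)
        if m and (best is None or len(m.group(0)) > len(best)):
            best = m.group(0)
    return best


if __name__ == "__main__":
    print(tag_bodies("p", SAMPLE_HTML))               # ['first', 'second']
    print(tag_bodies("p", SAMPLE_HTML, greedy=True))  # ['first</p><p>second']
    print(is_doubled("abcabc"), is_doubled("abcab"))  # True False
    print(perl_style_match("abc|abcd", "abcd"))       # abc
    print(leftmost_longest(["abc", "abcd"], "abcd"))  # abcd
```

Two practical points follow from the example. The tag pattern as written in 11.2.4 matches any tag whose name merely begins with tagname (for "p" it also matches "<pre>"), because "[^>]*" accepts the rest of the name; a policy rule that must match an exact tag needs a word boundary ("\b", section 11.2.13) after the name. And because this is a backtracking matcher, a rule that nests repeats (for example "(a+)+") and is applied to message bodies that senders control can take a very long time to fail; keep rule patterns simple and test them against long, non-matching input before deploying them.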


11.3. PolicyPstToClearPst

11.3.1. Usage

PolicyPstToClearPst -logdir LogDirectory -pstdir PstDirectory -domain DomainName [-username UserName -password Password] [-ErrorFilter |nnn|[...|mmm|]] [-verbose]

11.3.2. Parameters

-LogDir LogDirectory
Directory where the log file is located.

-PstDir PstDirectory
Directory where the PST files are located.

-Domain DomainName
Domain name used for authentication.

-Username UserName
Username used for authentication.

-Password Password
Password used for authentication. A password given on the command line is visible to other users of the same machine in the process list and may be kept in command history or in the definition of a scheduled task that runs the tool, so run the tool from an interactive session and do not leave the command recorded.

[-ErrorFilter |nnn|[...|mmm|]]
Pipe-delimited list of error codes to ignore (the numeric codes are listed in 11.3.5).

[-verbose]
Verbose log file flag.


11.3.3. Return Values

EXIT_SUCCESS (0)
Processing was successful.

EXIT_FAILURE (1)
Processing was NOT successful.

11.3.4. Logging

Date field: 'MM/DD/YYYY'
Contains the date that the log entry was written.

Time field: 'HH.MM.SS'
Contains the time that the log entry was written.

Context field 1: '[PST directory name OR PST file name]'
For the 'Info:Processed' log file entry, contains the directory that the PST files were processed from. For all other log file entries, contains the name of the PST file being processed.

Context field 2: '[MAPI folder name]'
Contains the name of the MAPI folder being processed.

Context field 3: '[MAPI message details]'
Contains information about the MAPI message being processed: [SenderName - MessageSubject - MessageDeliveryTime]

Context field 4: '[MAPI attachment file name]'
Contains the name of the MAPI attachment file being processed.

Log entry type field
'Info:' - Specifies that the log entry is an informational message.
'Warning:' - Specifies that the log entry is a warning message.
'Error:' - Specifies that the log entry is an error message.
'Debug:' - Specifies that the log entry is a verbose (debugging) message.

Log entry text field
Contains the text of the log entry.

GETDIJOBERROR
Contains a numeric code identifying the error that occurred (see 11.3.5).


11.3.5. Error Codes

11.3.5.i. General Errors

0 DIEI_UNKNOWN - Unknown error.
1 DIEI_OPERATION_CANCELLED - A pending operation was cancelled.
2 DIEI_OPERATION_TIMEOUT - A pending operation timed out.
3 DIEI_EOF - End-of-file was reached prematurely.
4 DIEI_NO_SUCH_POLICY_PROPERTY - A setting was requested for an unknown policy property.
5 DIEI_NO_SUCH_USER_PROPERTY - A setting was requested for an unknown user property.
6 DIEI_NOT_LOGGED_IN - Not logged in.
7 DIEI_ALREADY_LOGGED_IN - Already logged in.
8 DIEI_ACCESS_DENIED - User does not have access rights to the requested service/function.
9 DIEI_INVALID_ARG - One or more arguments were invalid.
10 DIEI_UKNOWN_EVENT_TYPE - The event type was unknown.
11 DIEI_NOT_IMPLEMENTED - Operation not implemented.

11.3.5.ii. Cryptographic Errors

100 DIEI_UNKNOWN_ALGORITHM - The requested cryptographic algorithm is not supported.
101 DIEI_CIPHER_ERROR - A cipher error occurred.
102 DIEI_PADDER_ERROR - A padder error occurred.

11.3.5.iii. Offline Errors

201 DIEI_NO_KEY_IN_CACHE - A required key does not exist in the key cache.
202 DIEI_NO_RECOVERY_KEY_IN_CACHE - A required recovery key does not exist in the key cache.
203 DIEI_NO_USER_KEY_IN_CACHE - The user key does not exist in the key cache.
204 DIEI_NO_USER_KEY_DESCRIPTOR_IN_CACHE - The user key descriptor does not exist in the key cache.
205 DIEI_NO_RNGSTATE_IN_CACHE - The RNG state data does not exist in the key cache.
206 DIEI_NO_CACHED_SERVER_TIME_OFFSET - The server time offset has not been cached.

11.3.5.iv. Network Errors

300 DIEI_NETWORK - General network error.
301 DIEI_ACCESS_TO_KEYSERVER_DENIED - Access to the keyserver was denied.
302 DIEI_PROXY_AUTH - Proxy authorization required.
303 DIEI_PROXY_AUTH_WEB - Proxy authorization from web page required.
304 DIEI_KEYSERVER_NOT_AVAILABLE - Keyserver not available.
305 DIEI_CERTIFICATE - Certificate error.


11.3.5.v. Email Control Server Errors

400 DIEI_NO_KEY - A required key does not exist.
401 DIEI_UNEXPECTED_KEYSERVER_RESPONSE - Keyserver returned an unexpected response.
402 DIEI_UNEXPECTED_KEYSERVER_DATA - Keyserver returned unexpected data.
403 DIEI_KEYSERVER_IS_FOREIGN - Keyserver is foreign.

11.3.5.vi. Message Format Errors (DIMF)

500 DIEI_EXTRACT_ERROR - An error occurred while extracting a protected email.
501 DIEI_NOT_DIMF - Message contents are not recognizable as a protected email.
502 DIEI_DIMF_VERSION - Message is a protected email, but cannot be extracted (requires upgrade).
503 DIEI_MESSAGE_CORRUPTED - Message is a protected email, but has been corrupted.

11.3.5.vii. Key Cache Errors

600 DIEI_WRITE_HEADER_ERROR - Error writing KeyCache file header.
601 DIEI_WRITE_INDEX_ERROR - Error writing KeyCache index.
602 DIEI_READ_HEADER_ERROR - Couldn't read KeyCache header.
603 DIEI_BAD_HEADER - Improper KeyCache header.
604 DIEI_SEEK_INDEX_ERROR - Couldn't seek to KeyCache index.
605 DIEI_READ_INDEX_ERROR - Couldn't read KeyCache index.
606 DIEI_READ_URLTABLE_ERROR - Couldn't read KeyCache URL table.
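The log fields of 11.3.4 and the error table of 11.3.5 are what an operator works from when a PST conversion run fails, and the -ErrorFilter list of 11.3.2 is built from those same numeric codes. The following is an added example, not a Liquid Machines tool: a Python parser that reads constructed log lines, maps each GETDIJOBERROR code to its DIEI name from the table, and summarises the errors that an -ErrorFilter list would not suppress. The guide names the log fields but not their exact layout, so the example assumes one: date, time, the bracketed context fields in order, the type keyword, the text, and an optional trailing "GETDIJOBERROR=nnn". The sample lines are constructed; check the assumed layout against a real log before relying on the regular expression.

```python
import re
from collections import Counter

# Error codes and names as listed in section 11.3.5 of the guide.
DIEI_CODES = {
    0: "DIEI_UNKNOWN", 1: "DIEI_OPERATION_CANCELLED", 2: "DIEI_OPERATION_TIMEOUT",
    3: "DIEI_EOF", 4: "DIEI_NO_SUCH_POLICY_PROPERTY", 5: "DIEI_NO_SUCH_USER_PROPERTY",
    6: "DIEI_NOT_LOGGED_IN", 7: "DIEI_ALREADY_LOGGED_IN", 8: "DIEI_ACCESS_DENIED",
    9: "DIEI_INVALID_ARG", 10: "DIEI_UKNOWN_EVENT_TYPE", 11: "DIEI_NOT_IMPLEMENTED",
    100: "DIEI_UNKNOWN_ALGORITHM", 101: "DIEI_CIPHER_ERROR", 102: "DIEI_PADDER_ERROR",
    201: "DIEI_NO_KEY_IN_CACHE", 202: "DIEI_NO_RECOVERY_KEY_IN_CACHE",
    203: "DIEI_NO_USER_KEY_IN_CACHE", 204: "DIEI_NO_USER_KEY_DESCRIPTOR_IN_CACHE",
    205: "DIEI_NO_RNGSTATE_IN_CACHE", 206: "DIEI_NO_CACHED_SERVER_TIME_OFFSET",
    300: "DIEI_NETWORK", 301: "DIEI_ACCESS_TO_KEYSERVER_DENIED", 302: "DIEI_PROXY_AUTH",
    303: "DIEI_PROXY_AUTH_WEB", 304: "DIEI_KEYSERVER_NOT_AVAILABLE", 305: "DIEI_CERTIFICATE",
    400: "DIEI_NO_KEY", 401: "DIEI_UNEXPECTED_KEYSERVER_RESPONSE",
    402: "DIEI_UNEXPECTED_KEYSERVER_DATA", 403: "DIEI_KEYSERVER_IS_FOREIGN",
    500: "DIEI_EXTRACT_ERROR", 501: "DIEI_NOT_DIMF", 502: "DIEI_DIMF_VERSION",
    503: "DIEI_MESSAGE_CORRUPTED",
    600: "DIEI_WRITE_HEADER_ERROR", 601: "DIEI_WRITE_INDEX_ERROR",
    602: "DIEI_READ_HEADER_ERROR", 603: "DIEI_BAD_HEADER", 604: "DIEI_SEEK_INDEX_ERROR",
    605: "DIEI_READ_INDEX_ERROR", 606: "DIEI_READ_URLTABLE_ERROR",
}

# ASSUMED line layout (the guide names the fields but not their exact layout):
# MM/DD/YYYY HH.MM.SS [ctx1] [ctx2] [ctx3] [ctx4] Type: text GETDIJOBERROR=nnn
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}\.\d{2}\.\d{2}) "
    r"(?P<ctx>(?:\[[^\]]*\] )*)"
    r"(?P<type>Info|Warning|Error|Debug):? ?(?P<text>.*?)"
    r"(?: GETDIJOBERROR=(?P<code>\d+))?$"
)

# Constructed sample log (not output from the product).
SAMPLE_LOG = r"""
01/15/2005 14.03.22 [C:\PST] Info:Processed
01/15/2005 14.03.25 [alice.pst] [Inbox] [Bob - Q3 numbers - 01/10/2005 09:12:00] Error: Extracting protected email failed GETDIJOBERROR=503
01/15/2005 14.03.26 [alice.pst] [Inbox] [Carol - lunch - 01/11/2005 12:00:00] Warning: Not a protected email GETDIJOBERROR=501
01/15/2005 14.03.27 [alice.pst] [Sent Items] [Alice - plan - 01/12/2005 08:00:00] [plan.doc] Error: Key request refused GETDIJOBERROR=301
01/15/2005 14.03.30 [alice.pst] Debug: folder scan complete
"""


def parse_line(line):
    """Split one log line into its fields; return None for a line that does
    not follow the assumed layout so that garbage is never mis-counted."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code = int(m["code"]) if m["code"] is not None else None
    return {
        "date": m["date"],
        "time": m["time"],
        "context": re.findall(r"\[([^\]]*)\]", m["ctx"]),
        "type": m["type"],
        "text": m["text"],
        "code": code,
        # A code missing from the table is reported, not silently dropped.
        "error": None if code is None else DIEI_CODES.get(code, "UNLISTED_%d" % code),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def parse_error_filter(arg):
    """Turn an -ErrorFilter value of the form '|nnn|...|mmm|' into a set of codes."""
    return {int(p) for p in arg.split("|") if p.strip()}


def error_summary(entries, ignore=frozenset()):
    """Count entries that carry an error code, by DIEI name, skipping the
    codes the operator listed in -ErrorFilter."""
    counts = Counter(e["error"] for e in entries
                     if e["code"] is not None and e["code"] not in ignore)
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(error_summary(entries))
    print(error_summary(entries, ignore=parse_error_filter("|501|")))
```

Run over a real log directory, the summary tells you whether a failed run is a key-service problem (codes 3xx and 4xx, which need the account and network fixed before a retry) or a per-message problem (codes 5xx, which an -ErrorFilter entry can legitimately skip so that the rest of the PST is still converted).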


11.4. UpdateKeyServRegistry

In the Windows registry on the Email Control Server, sets or updates the string value (REG_SZ) SuspendedAfter in the key HKEY_LOCAL_MACHINE\Software\Policies\Liquid Machines\Expiration. The value is stored as UTC time with the format yyyy-mm-dd.

11.4.1. Usage

UpdateKeyServRegistry -ComputerName KeyServiceComputerName -SuspendedAfterDate yyyymmddhhmmss

11.4.2. Parameters

-ComputerName ComputerName
Name of the computer where Email Control Server is installed.

-SuspendedAfterDate YYYYMMDDHHMMSS
Suspended-after date in yyyymmddhhmmss format. The tool converts the value from local time to UTC before storing it (see the Logging messages below).

11.4.3. Return Values

EXIT_SUCCESS (0)
Registry was successfully updated.

EXIT_FAILURE (1)
Registry was NOT successfully updated.

11.4.4. Logging

Warning: Received duplicate -ComputerName parameters, using 'COMPUTERNAME'.
Warning: Received duplicate -SuspendedAfterDate parameters, using 'YYYYMMDDHHMMSS'.
Warning: Received unknown 'UNKNOWN' parameter.
Error: Must specify -ComputerName and -SuspendedAfterDate parameters.
Error: Could not convert -SuspendedAfterDate 'YYYYMMDDHHMMSS' to valid local time.
Error: Could not convert -SuspendedAfterDate 'YYYYMMDDHHMMSS' to valid UTC time.
Error: Could not update registry using -ComputerName 'COMPUTERNAME', WinEr


11.5. The hotkey combinations in Client for Blackberry

To manage scrubbing and logging in Client for Blackberry, use the special hotkey combinations.

1. Click the Omniva application icon to get the "Control Categories" screen.
2. Click the wheel and choose "About".
3.1. For the hotkey combinations for managing logging, see section 9.6.6, "Logging Client for Blackberry".
3.2. The hotkey combinations for managing scrubbing:

For Blackberry smartphones with a QWERTY keyboard layout (57xx, 58xx, 65xx, 67xx, 72xx, 75xx, 77xx, 87xx, 88xx series):

Type the letter 's' (or 'a') and then the letter 'f' (or 'g') to launch the scrub frequency screen.
Type the letter 'x' (or 'z') and then the letter '!' (or 'q') to force scrubbing.
Type the letter 'x' (or 'z') and then the letter '*' (or 'c') to clear the scrubber map.

For Blackberry smartphones with a reduced QW-ER-TY-OP keyboard layout (71xx and 81xx series):

Type the letter 'a' and then the letter 'g' to launch the scrub frequency screen.
Type the letter 'z' and then the letter 'q' to force scrubbing.
Type the letter 'z' and then the letter 'c' to clear the scrubber map.

