Page 1: Liquid Machines™ Gateway for Exchange and SMTP ... · 8 Liquid Machines Gateway for Exchange and SMTP Administrator’s Guide Liquid Machines Gateway for Exchange and SMTP Solutions

Liquid Machines™ Gateway for Exchange and SMTP

Administrator’s Guide, Version 6.7.0


Liquid Machines Copyright

Copyright © 2003-2008 by Liquid Machines, Inc. All rights reserved. Confidential and proprietary information of Liquid Machines, Inc.

The material in this document may not in whole or in part be copied, photocopied, reproduced, translated, or converted to any electronic or machine-readable form without the prior written consent of Liquid Machines. The information in this document is for informational use only, is subject to change without notice, and should not be construed as a commitment by Liquid Machines. Liquid Machines assumes no responsibility or liability for any errors or inaccuracies that may appear in this document.

This document and the software described in this document are furnished under a license accompanying the software and may be used only in accordance with the terms of such license. By using this document, you agree to the terms and conditions of that license.

This product may include software developed by the Apache Software Foundation (<http://www.apache.org>). Copyright © The Apache Software Foundation.

This product may include software developed by IAIK of Graz University of Technology. Copyright © Graz University of Technology.

This product may use the OpenSSL toolkit provided by “The OpenSSL Project” and licensed under a dual-license (the OpenSSL license and the original SSLeay license). This product includes software developed by the OpenSSL Project for use in the OpenSSL toolkit (<http://www.openssl.org/>). This product may include cryptographic software written by Eric Young (<[email protected]>). This product may include software written by Tim Hudson (<[email protected]>). Copyright © The OpenSSL Project.

This product may include “Redistributable” software licensed under the Sun Microsystems' Java Runtime Environment (J2RE), Standard Edition, Version 1.4.1_X Supplemental License Terms to the Binary Code License Agreement. Some portions licensed from IBM are available at <http://oss.software.ibm.com/icu4j>. Copyright notice © Sun, Sun Microsystems, and Java are trademarks or registered trademarks of Sun Microsystems, Inc.

This product may include XMLIO software developed by Achim Gädke and Peter Pipenbacher at the Center of Applied Informatics of the University of Cologne (www.zaik.uni-koeln.de). Source code and patches are available at <http://www.liquidmachines.com/about/oss.php>.

This product may use MMC software library, which is subject to the Common Public License Version 1.0 and is available for download at <http://sourceforge.net/projects/mmclibrary>.

This product may include Zlib software developed by Jean-loup Gailly and Mark Adler. Copyright © 1995-2004.

This product may include software developed by Boost Software (http://www.boost.org). Copyright © Boost Software.

This product may include software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/). Copyright © 1998-2000 Carnegie Mellon University.

This product may include BusyBoxDotNet Web control library for ASP.NET. Copyright © 2006 Simone Busoli.

The Liquid Machines Viewer uses Stellent® Outside In® Viewer Technology. Copyright © 1991-2007 Stellent Chicago, Inc. All rights reserved.

Liquid Machines, Policy Droplet, Freedom of Security, Enabling Secure Business, Omniva, and Omniva Policy Systems are trademarks of Liquid Machines, Inc.

Microsoft, Excel, Word, Outlook, PowerPoint, Project, Visio, Windows Explorer, Windows XP, Windows 2000, Windows 2003, Office 2003, Exchange, SQL Server, SharePoint, Windows Rights Management Services (RMS), and Windows Information Rights Management (IRM) are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

BlackBerry and BlackBerry Enterprise Server are trademarks of Research In Motion Limited.

Adobe and Adobe Acrobat are registered trademarks of Adobe Systems Incorporated.

Pro/ENGINEER is a registered trademark of Parametric Technology Corporation or a subsidiary.

SolidWorks is a registered trademark of SolidWorks Corporation.

Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks or the names of their products. Liquid Machines, Inc., disclaims any proprietary interest in trademarks and trade names other than its own.

2


Contents

Chapter 1. Introducing the Gateway for Exchange and SMTP ... 7
  Overview of this Guide ... 7
  What is the Liquid Machines Gateway for Exchange and SMTP? ... 7
  Liquid Machines Gateway for Exchange and SMTP Solutions ... 8
    Rights Management: Controlling Access to and Use of Data ... 8
    Ethical Walls: Controlling Communication Paths ... 8
    Compliance: Flagging Messages and Directing Copies to Archives and Auditors ... 8
    Monitoring Content: Taking Action Based on Message Data ... 9
    Archiving and Compliance ... 9
    Content Scanning ... 9
  Gateway for Exchange and SMTP Architecture ... 9
    Protection Systems ... 9
    Microsoft Windows Rights Management Services (RMS) ... 10
    Liquid Machines Document Control ... 12
    More About Processing Protected Content ... 13
    Gateway for Exchange and SMTP: Processing Messages ... 15
    Gateway Rules Authoring Tool: Defining Rules ... 17

Chapter 2. Installation ... 19
  Installing the Liquid Machines Gateway for Exchange and SMTP ... 19
    System Requirements ... 19
    If You Are Upgrading ... 19
    Preinstallation Requirements ... 20
    Installing the Gateway ... 22
    Configuring the Gateway ... 26
    Uninstalling the Gateway ... 26
  Installing the Rules Authoring Tool ... 27
    System Requirements ... 27
    If You Are Upgrading ... 28
    Installing the Rules Authoring Tool ... 28
    Uninstalling the Rules Authoring Tool ... 29

Chapter 3. Gateway for Exchange and SMTP Operations ... 31
  Operational Modes ... 31
    Configuring the Mode ... 31
    Specifying Rules for Rules-based Mode ... 32
  The Adapter and the Service ... 34
    The Adapter ... 34
    The Service ... 34
  Service Account Credentials ... 35
  Multiple Gateways and Reprocessing Messages ... 36
    Writing Rules to Tune Reprocessing Behaviors ... 37
    Avoiding Configurations that Tax Reprocessing Behaviors ... 37
  Processing Attachments ... 38
    Sealed in the Message Envelope ... 38
    Protected Attachments ... 38


  Logging and Statistics ... 39
    Logging Applied Rules ... 39
    Logging Recipient Activity ... 40
    Logging Events, Warnings, and Errors ... 40
    Statistics ... 40
  Performance Tuning Exchange and SMTP ... 41

Chapter 4. Gateway for Exchange and SMTP Health and Performance ... 43
  Application Event Logs ... 43
    Errors ... 43
    Warnings ... 48
    Informational Messages ... 50
  Diagnostic Logging ... 51
  Performance Statistics ... 52
    Counters ... 54
    Levels ... 55
    Watches ... 56
    Using Statistics ... 56

Chapter 5. Defining Rulesets and Rules ... 59
  Starting the Gateway Rules Authoring Tool ... 59
  Defining Rulesets ... 59
    Creating a Ruleset ... 59
    Opening an Existing Ruleset ... 61
    Renaming a Ruleset ... 62
    Deleting a Ruleset ... 63
    Working with a Ruleset ... 63
  Defining Rules ... 65
    Creating a Rule ... 65
    Setting Rule Priority ... 69
    Editing, Renaming, or Deleting a Rule ... 70
    Activating or Inactivating a Rule ... 70
  When Multiple Rules Apply: How Actions Add Up ... 71
    Protect the Message with Specific Options ... 71
    Do Not Deliver Message to Anyone ... 72
    Do Not Deliver Message to Group Members ... 72
    Send Alert Message to Sender ... 72
    Report When this Rule is Applied ... 72
    Add Specific Custom SMTP Header ... 72
    BCC a Copy of this Message to a Mailbox ... 72
    BCC an Unencrypted Copy to a Mailbox ... 72

Chapter 6. Specifying Rule Conditions and Actions ... 73
  Specifying Conditions ... 73
    Specifying Words or Phrases ... 74
    Creating Patterns ... 74
    Specifying Active Directory Groups ... 79
    Specifying SMTP Header Values ... 80
    Specifying Message Types ... 81


  Specifying Actions ... 82
    Protect the Message with Specific Options ... 82
    Do Not Deliver Message to Anyone ... 86
    Do Not Deliver Message to Group Members ... 87
    Send Alert Message to Sender ... 87
    Report When this Rule is Applied ... 87
    Add Specific Custom SMTP Header ... 87
    BCC a Copy of this Message to a Mailbox ... 88
    BCC an Unencrypted Copy to a Mailbox ... 88
    Stop Processing More Rules ... 89

Appendix A. Gateway Configuration File Syntax ... 91
  Overview ... 91
    Specifying Units of Time ... 92
  Sections ... 93
  Settings ... 94
    logging Settings ... 94
    gateway-service Settings ... 94
    services Settings ... 94
    protection-config Settings ... 94
    reporting Settings ... 96
    monitoring Settings ... 96
    ruleset-caching Settings ... 96
    rule-action-info Settings ... 97
    adapters Settings ... 98
  Variables ... 99

Appendix B. SMTP Headers ... 101
Appendix C. Differences from Perl Regular Expressions ... 103
Appendix D. Setting Relay Access Permissions on Exchange and IIS SMTP ... 105
Appendix E. Adding RMS Servers to the Local Intranet Sites ... 109
Index ... 111


Chapter 1. Introducing the Gateway for Exchange and SMTP

This chapter introduces you to the Liquid Machines Gateway for Exchange and SMTP. It includes the following sections.
• “What is the Liquid Machines Gateway for Exchange and SMTP?,” on page 7
• “Liquid Machines Gateway for Exchange and SMTP Solutions,” on page 8
• “Gateway for Exchange and SMTP Architecture,” on page 9

Overview of this Guide

The remaining chapters and appendixes of this guide are:
• “Chapter 2. Installation,” on page 19
• “Chapter 3. Gateway for Exchange and SMTP Operations,” on page 31
• “Chapter 4. Gateway for Exchange and SMTP Health and Performance,” on page 43
• “Chapter 5. Defining Rulesets and Rules,” on page 59
• “Chapter 6. Specifying Rule Conditions and Actions,” on page 73
• “Appendix A. Gateway Configuration File Syntax,” on page 91
• “Appendix B. SMTP Headers,” on page 101
• “Appendix C. Differences from Perl Regular Expressions,” on page 103
• “Appendix D. Setting Relay Access Permissions on Exchange and IIS SMTP,” on page 105
• “Appendix E. Adding RMS Servers to the Local Intranet Sites,” on page 109

What is the Liquid Machines Gateway for Exchange and SMTP?

Liquid Machines provides a powerful suite of products that enables users to work normally, while providing strong data protection and enterprise-class administration features. Liquid Machines provides a variety of gateway products that extend Liquid Machines Document Control and/or Microsoft RMS protection to additional products and components within the IT infrastructure. The Liquid Machines Gateway for Exchange and SMTP is installed on Microsoft Exchange or Microsoft Windows Internet Information Services (IIS) SMTP servers to analyze, process, direct, and protect email.

You can use the Gateway Rules Authoring Tool to define how messages are handled by creating rules that clearly articulate company policy. Integration with Microsoft Windows Rights Management Services (RMS) ensures high security and industry-standard architecture.

The Liquid Machines Gateway for Exchange and SMTP enables you to control all the email messages flowing through your mail system. You can control where messages go and who has access to copies of them, no matter where they are stored. You can monitor how email is being used and what information is being communicated to whom. You can store messages for the record or for later analysis.

The Gateway can be configured to process messages and attachments that have been protected and encrypted using either or both of the following systems:
• Microsoft Windows Rights Management Services (RMS)
• Liquid Machines Document Control

Liquid Machines Gateway for Exchange and SMTP Solutions

With the Liquid Machines Gateway for Exchange and SMTP, you can control your company’s information by managing email messages in several ways.
• You can control access and use by adding rights management protections.
• You can control which groups communicate with others.
• You can archive messages and send copies to auditors.

These actions follow rules that you set up, which can be based on the content, format, origin, and destination of each message.

Rights Management: Controlling Access to and Use of Data

The access control of Liquid Machines products comes from rights management, an important concept in information control. It means that access controls, along with rules about how data can be used, travel with copies of that data. Taking a copy out of a server and placing it onto a workstation or sending it out of a company's infrastructure and into the Internet does not remove the controls from the data. You can think of rights-managed mail as traveling in a locked container. Authorized recipients can look inside and see the data, but they cannot take it out. They can only copy the whole container.

Control is accomplished through encryption. Messages and documents are protected by encrypting them, and access to them is controlled by permitting or denying access to the key that was used to encrypt them.

Security Services define the way in which content is protected and determine who gets the rights to open each message. Rights Management (RM) client applications, such as Outlook 2003 or the Liquid Machines Gateway for Exchange and SMTP, allow recipients to view and manipulate the data and to send copies elsewhere if the controls allow.

Note: The RMS support in Office 2003 is known as Information Rights Management, or IRM.

The Liquid Machines Gateway for Exchange and SMTP can apply certain types of rights, or controls, to email as it passes through an Exchange or IIS SMTP server. For details, see “Specifying Actions,” on page 82.

Ethical Walls: Controlling Communication Paths

Ethical walls prevent parties in certain groups from communicating with each other. Whereas Rights Management might protect content created by one group from being seen by another, ethical walls prevent that group from ever sending messages to the other. For example, you can set up an ethical wall that prevents brokers from sending email to analysts, or you can warn brokers when they send messages to analysts that it is not a good practice.

The Liquid Machines Gateway for Exchange and SMTP enables you to block delivery to all recipients of a message, or just to certain recipients. You can also alert senders after they send an email that is deemed inappropriate for the circumstances.

Compliance: Flagging Messages and Directing Copies to Archives and Auditors

Compliance may require that you save messages to an email archive and retain them for a certain time. You may also need to send messages to a group of auditors or to a content scanning system for further analysis. You may be able to do this selectively, depending on what regulations bind your business. For example, you may need to archive all correspondence between accountants and analysts, but not correspondence between engineers and managers.

The Liquid Machines Gateway for Exchange and SMTP enables you to silently send a copy of messages, with protections added or removed, to a special mailbox. This mailbox may feed an archiving system or be monitored by an auditor. The Gateway also allows you to add custom flags, or headers, to messages; later the archive system or auditor can store or sort messages differently, based on their headers.

Monitoring Content: Taking Action Based on Message Data

The previous sections discussed the actions that the Liquid Machines Gateway for Exchange and SMTP can take with messages: add protections, block delivery, warn senders about actions taken, mark them for later processing, and send copies to auditors or archiving systems. Another important aspect is when to take these actions. Perhaps messages should be copied to the auditor only if they contain the words “merger” or “acquisition.” It might be that email should only have protections added if it contains Social Security numbers. The Gateway can scan protected messages to check their content.

With the Gateway, you can design a set of rules by which these actions are taken. Each message is scanned for content, format, origin, and destination, and the rules can be triggered by the presence of certain data in any of these areas. Content can be scanned for words, phrases, or patterns (such as Social Security numbers or credit card numbers) in the body, subject, message headers, or recipient lines. Senders and recipients can be tested for membership in an Active Directory group.
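The rule model just described (conditions on content, headers, sender and recipients; actions such as blocking delivery to a group, adding a header, reporting, or copying to a mailbox) can be illustrated with a small standalone evaluator. The following Python is an added example for this guide, not code from the Gateway or the Rules Authoring Tool: the group table, the patterns, the action labels and the sample message are all constructed for the illustration, and the product's own rule syntax and built-in patterns are not reproduced here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Callable

# Constructed stand-in for an Active Directory group lookup (hypothetical data).
GROUPS = {
    "brokers": {"alice@example.com"},
    "analysts": {"bob@example.com"},
}

# Illustrative patterns for the two examples named in the text; not the product's patterns.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
KEYWORDS_RE = re.compile(r"\b(merger|acquisition)\b", re.IGNORECASE)


def sender(msg: Message) -> str:
    """Lower-cased address from the From header, or '' if absent."""
    addrs = getaddresses(msg.get_all("from", []))
    return addrs[0][1].lower() if addrs else ""


def recipients(msg: Message) -> set[str]:
    """Lower-cased addresses from the To, Cc and Bcc recipient lines."""
    hdrs = msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("bcc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}


def body_text(msg: Message) -> str:
    """Concatenated text/plain parts; attachments are out of scope for this example."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def in_group(address: str, group: str) -> bool:
    return address in GROUPS.get(group, set())


def any_in_group(addresses: set[str], group: str) -> bool:
    return any(in_group(a, group) for a in addresses)


@dataclass
class Rule:
    name: str
    condition: Callable[[Message], bool]
    actions: list[str]
    stop: bool = False  # models the "Stop Processing More Rules" action


def evaluate(msg: Message, rules: list[Rule]) -> tuple[list[str], list[str]]:
    """Walk the rules in priority order; return (rules that fired, accumulated actions)."""
    fired, actions = [], []
    for rule in rules:
        if rule.condition(msg):
            fired.append(rule.name)
            actions.extend(rule.actions)
            if rule.stop:
                break
    return fired, actions


# Rules in priority order. Action strings are labels for this model, not product syntax.
RULES = [
    Rule("ethical-wall-brokers-to-analysts",
         lambda m: in_group(sender(m), "brokers") and any_in_group(recipients(m), "analysts"),
         ["DO_NOT_DELIVER_TO_GROUP:analysts", "ALERT_SENDER"]),
    Rule("ssn-in-content",
         lambda m: SSN_RE.search(m.get("subject", "") + "\n" + body_text(m)) is not None,
         ["PROTECT", "ADD_HEADER:X-Example-Classification: restricted", "REPORT"]),
    Rule("card-number-in-content",
         lambda m: CARD_RE.search(body_text(m)) is not None,
         ["PROTECT", "REPORT"]),
    Rule("merger-keywords",
         lambda m: KEYWORDS_RE.search(m.get("subject", "") + "\n" + body_text(m)) is not None,
         ["BCC_COPY:audit-mailbox@example.com"]),
]


def classify(raw_message: str) -> tuple[list[str], list[str]]:
    """Parse an RFC 822 message and evaluate RULES against it."""
    return evaluate(message_from_string(raw_message), RULES)


# Constructed sample message: a broker writing to an analyst, with an SSN and a keyword.
SAMPLE = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Re: merger timing
Content-Type: text/plain; charset=utf-8

Applicant SSN 123-45-6789, please keep this confidential.
"""

if __name__ == "__main__":
    fired, actions = classify(SAMPLE)
    print("rules fired:", fired)
    print("actions:", actions)
```

Actions accumulate across every rule that matches, in priority order, until a rule marked `stop` ends processing; the sample message trips the ethical wall, the Social Security number pattern and the keyword rule at once, so the resulting action list combines a delivery block, an alert, protection, a custom header, a report, and a BCC to the audit mailbox.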

Archiving and Compliance

In some cases, you may want to pass protected content, whether protected by users or by the Gateway, into an archiving system. The Gateway can operate in a mode that permanently unprotects a message so that it is discoverable in an archive.

Content Scanning

In other cases, you may want to pass protected content, whether protected by users or by the Gateway, into a third-party content scanner. The Gateway can operate in a mode that unprotects a message and, after it has passed through such a system, even reprotect it with the same controls.

Gateway for Exchange and SMTP Architecture

The Liquid Machines Gateway for Exchange and SMTP integrates with the following environments:
• Microsoft Exchange 2003 or the Microsoft IIS SMTP Service on Microsoft Windows 2000 or 2003
• Windows Active Directory 2003
• Microsoft Windows Rights Management Services (RMS), Service Pack 1 or 2

Protection Systems

When enabled, the Gateway for Exchange and SMTP protects or unprotects content using either or both of the following systems:
• Microsoft RMS
  • Protection and unprotection are based on RMS Super User capability, granted by a Windows RMS server (SP1 or SP2).

• Liquid Machines Document Control
  • Protection and unprotection are based on Liquid Machines policy permissions, granted on a Liquid Machines Document Control server, Version 6.1 or later.

Liquid Machines Document Control and RMS functionality can interact and cooperate to process documents, with Liquid Machines Document Control policies, using RMS security.

The Gateway does not decrypt or scan content protected using other kinds of rights management or encryption systems. In general, the Gateway can process any format produced by Office 2003 or the Liquid Machines Document Control client.

The following types of content are not processed:
• Emails or documents protected by Office 2007.
• Emails or documents encrypted by a scheme other than RMS or Liquid Machines Document Control.
• Attached email messages. These could include .EML files, .MSG files if not attached using Outlook, or any unknown format. For an exception, see the recurse-nested-mime-messages configuration setting in “protection-config Settings,” on page 94.

• .RPMSG files. This kind of file is normally a hidden attachment to an RMS-protected email message. If a user manually detaches this hidden attachment from a protected email message and then reattaches it separately to any message, it will not be decrypted.

• Contents of archive files; for example, .ZIP, .ARJ, .GZ, .RAR, and .TAR files are not examined.

• Any other document file that is not clearly identifiable as one of the file types listed above.
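Because the categories above pass through the Gateway without being decrypted or scanned, an administrator may want to measure how much mail carries such content. The following Python is an added example, not part of this guide or the product: it walks the MIME parts of a message and reports every attachment that falls into one of the uninspected categories listed above. The set of "known" extensions is an assumption for the example only (the product identifies formats by content, not by file name), and the sample message is constructed.

```python
from __future__ import annotations

import os
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Categories taken from the list above. KNOWN_EXTS is an assumption for this example.
ARCHIVE_EXTS = {".zip", ".arj", ".gz", ".rar", ".tar"}
NESTED_MAIL_EXTS = {".eml", ".msg"}
KNOWN_EXTS = {".doc", ".xls", ".ppt", ".txt"}


def _scan(part: Message, findings: list[tuple[str, str]]) -> None:
    ctype = part.get_content_type()
    name = part.get_filename() or ""
    ext = os.path.splitext(name)[1].lower()
    if ctype == "message/rfc822" or ext in NESTED_MAIL_EXTS:
        # Not descended into: the guide says attached messages are not decrypted or scanned
        # (an Outlook-attached .MSG and recurse-nested-mime-messages are the stated exceptions).
        findings.append((name or ctype, "attached email message: not inspected"))
        return
    if part.is_multipart():
        for sub in part.get_payload():
            _scan(sub, findings)
        return
    if ext == ".rpmsg":
        findings.append((name, "detached RMS payload: not decrypted"))
    elif ext in ARCHIVE_EXTS:
        findings.append((name, "archive: contents not examined"))
    elif ctype.startswith("text/") or ext in KNOWN_EXTS:
        return  # content the Gateway can process
    else:
        findings.append((name or ctype, "unidentified file type: not processed"))


def unscanned_attachments(raw_message: str) -> list[tuple[str, str]]:
    """Return (attachment name, reason) for every part the Gateway would leave uninspected."""
    findings: list[tuple[str, str]] = []
    _scan(message_from_string(raw_message), findings)
    return findings


def build_sample() -> str:
    """Constructed multipart message with one attachment of each category."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "attachment coverage test"
    msg.attach(MIMEText("See attached.", "plain"))
    msg.attach(MIMEApplication(b"\xd0\xcf\x11\xe0", "msword", Name="plan.doc"))
    msg.attach(MIMEApplication(b"PK\x03\x04", "zip", Name="report.zip"))
    inner = message_from_string("From: carol@example.com\nSubject: fwd\n\nforwarded text\n")
    msg.attach(MIMEMessage(inner))
    msg.attach(MIMEApplication(b"\x00", "x-microsoft-rpmsg-message", Name="message.rpmsg"))
    msg.attach(MIMEApplication(b"\x7fELF", "octet-stream", Name="firmware.bin"))
    return msg.as_string()


if __name__ == "__main__":
    for name, reason in unscanned_attachments(build_sample()):
        print(f"{name}: {reason}")
```

Run over a mail sample, the report shows which attachments would reach recipients without content inspection; the plain-text body and the Office 2003 document are skipped as scannable, while the archive, the nested message, the detached .RPMSG payload and the unidentified binary are each listed with the reason the list above gives.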

Files protected or reprotected by the Gateway will be readable with Office IRM (2003 or later) for RMS-only protection, or with Liquid Machines Document Control.

Microsoft Windows Rights Management Services (RMS)

The Microsoft RMS system provides infrastructure that enables messages and documents to be protected and controlled. Information Rights Management (IRM) enables users of Microsoft Office Professional Edition 2003, Microsoft Office Word 2003, Microsoft Office Excel 2003, and Microsoft Office PowerPoint 2003, to restrict access to their documents.

You should be familiar with RMS and have a working, production deployment, before installing the Gateway for use with RMS. For more information, refer to Microsoft documentation and your Microsoft-certified RMS provider.

RMS Server: Issuing Access Licenses and Authenticating Users

The RMS server issues the licenses (in Microsoft terminology) that carry the encryption keys used to protect messages. Rights-managed applications, like Microsoft Office 2003 and the Gateway for Exchange and SMTP, need access to RMS servers to get licenses to access protected content.

When an Office user requests access so that they can read a message or a document, the RMS server also handles authenticating that user. That is, the RMS server gathers the user's credentials, verifies them against Active Directory or another trusted RMS installation, and then checks to see if they are part of the access control list on the message.

The Gateway for Exchange and SMTP is authenticated using its own credentials. Because the Gateway's service account is an RMS Super User, it can obtain licenses for any message or attachment protected by the installation, regardless of the rights the sender granted to the recipients.


RMS Client: Enabling Applications to Communicate with the RMS Server

Rights-managed applications, like Office 2003 and the Gateway for Exchange and SMTP, decrypt protected messages and documents so that the appropriate recipients can read them. Desktop applications like Office 2003 may also preserve or carry forward protections when a recipient alters, replies, copies, or forwards a message or saves or alters an attachment.

To do all this, the applications must request access to licenses from the RMS server on behalf of the user, submitting the user's credentials in the process. They may also need to generate new keys to encrypt materials and must share these with the RMS server. This interaction with the RMS server happens through the RMS client. The RMS client is a piece of middleware, standing between the server and an RMS-enabled application. It provides an API that applications use to access the Microsoft RMS system. The RMS client must be installed on the same computer as the rights-managed applications, the workstations with Office 2003, or the server with the Gateway.

The Gateway for Exchange and SMTP uses ad-hoc rights based on rules related to:

• Confidentiality: Recipients Only, Group-based, or Protected Access
• Expiration
• Controlling User Actions: Copy, Print, and Reply/Forward
• Protecting Attachments: Using the same rights as the message, and with the ability to specify whether they should be editable or not

The Gateway can apply Rights Management controls to a message and its attachments as it passes into the email system. A system administrator specifies which rights will be granted based on Gateway rules that can be triggered by examining the contents of a message. Some of the controls that can be applied to a message are:

• Expiration: After a certain date, RMS servers will deny access to a message no matter who requests it.
• Recipient Only Access: RMS will give access only to the specified recipients of the message.
• Group Access Only: RMS will give access to anyone in the specified list of users and groups. The groups are defined in your Windows Active Directory, and you specify them by their email address. You can provide access to different groups that represent departments, divisions, or your whole company.
• Protected Access: Anyone who can obtain credentials within the RMS system can read the message. This typically means anyone with an Active Directory account in your company. If your RMS installation was configured to trust other RMS installations, such as Microsoft Passport, this setting will also include users on those systems.
• Copy Blocking: RMS clients will prevent recipients from copying the message.
• Print Blocking: RMS clients will prevent recipients from printing the message.
• Forwarding Prevention: RMS clients will prevent recipients from sending the message on to anyone else.

Copy, print, and forwarding controls are enforced by the RMS-enabled client application rather than by the encryption itself; they restrict what a compliant client allows, and are not a guarantee against a recipient who can read the content.

RMS Installations and Trusts

When you install the first RMS Server into an Active Directory domain, and you register the connection point with Active Directory, it is called an RMS installation and it is associated, attached, installed into, or bound to the Active Directory forest in which the domain exists. You can install additional servers into this installation, for load-balancing or redundancy.

While it is possible to install RMS Servers into this same Active Directory in a way that is not associated with this installation, you cannot register the service connection point of these new servers with this Active Directory, and they are not the ones that rights-managed applications would typically use if they are members of this Active Directory. If, for some reason, you are deploying this kind of infrastructure, contact Liquid Machines Product Support before installing the Gateway for Exchange and SMTP.

An RMS installation can be configured to trust other RMS installations. For example, you can configure yours to trust one in a different Active Directory in a different company. The general result is that content protected under one installation can be viewed by users in another installation, assuming the correct permissions have been set. An RMS installation can also be configured to trust the Microsoft Passport Service, which is available to individual consumers on the Internet. But if RMS Installation A trusts RMS Installation B, and Installation B trusts Installation C, it is not true that A trusts C. In other words, just because you trust some company does not mean you have to trust the other companies that they trust.

The Gateway processes content using the RMS installation bound to the Active Directory in which the Gateway computer and user account reside. When the Gateway scans the body of a protected message, or when the Gateway is running in one of its Unprotect modes, it may be able to decrypt the message only if it was protected under a trusted RMS installation, and the Gateway User account has sufficient privileges in that installation to read the message. An RMS Super User in one RMS installation does not necessarily have elevated rights in another installation. If the Gateway cannot decrypt the message, it will pass it through unprocessed.

For more information, consult your Microsoft RMS documentation.

Liquid Machines Document Control

Liquid Machines Document Control provides encryption and rights management of documents. In addition, it extends RMS protection beyond Office 2003 and 2007 Professional to Office XP and Office 2000, as well as to leading desktop and enterprise applications, such as Adobe Acrobat, Adobe Reader, and Microsoft Visio.

Liquid Machines Document Control Server: Providing Policies, Keys, and Security

Liquid Machines Document Control provides enhanced enforcement options based on policies downloaded from a Liquid Machines Document Control server. The physical security (encryption) can be provided either by RMS or by a Liquid Machines Key Service (LMKS), which is part of the Liquid Machines Document Control server. The combination of a Liquid Machines Document Control server, various physical security services, and various clients is referred to as Universal Enforcement Services (UES).

To be able to obtain policy information and cryptographic keys, the Gateway for Exchange and SMTP must communicate with one or more Liquid Machines Document Control servers, Version 6.1 or later.

The Gateway caches policies and keys locally, which maximizes performance and allows offline operation. It contacts the servers on startup and polls them for policy changes periodically, based on a frequency specified by the Liquid Machines Document Control server. The cache can also be updated dynamically if the Gateway encounters a document protected by a new policy that is not yet in the cache. The cache is stored in an encrypted form that is only accessible to the Gateway.

When policies and keys are available in the cache, the Gateway can protect and unprotect documents that use LMKS Security without communicating with any server. Liquid Machines Document Control documents that use RMS Security still require communications in order to obtain a document-specific license.


Liquid Machines Document Control Enforcement Agents: Protecting Documents

A Liquid Machines Document Control enforcement agent, such as the Liquid Machines Document Control client or the Gateway for Exchange and SMTP, can interact with both Liquid Machines Document Control servers and RMS servers. The Liquid Machines Document Control server provides policy information to Liquid Machines Document Control enforcement agents.

The Liquid Machines Document Control client provides enforcement by integrating with applications on a user's workstation. Liquid Machines Document Control can protect documents using Ad-Hoc permissions, an RMS template, or a Liquid Machines Document Control policy.

Ad-Hoc permissions and templates always make use of an RMS license and are always compatible with Microsoft Office IRM when used in IRM-supported applications (Word, Excel, and PowerPoint). Unprotection of such documents by the Gateway is based on RMS Super User capability.

The Gateway for Exchange and SMTP interacts directly with Liquid Machines Document Control servers to provide its unprotection services, so there is no prerequisite for installing any Liquid Machines Document Control software before installing the Gateway. However, before you enable this functionality in the Gateway, you must have a Liquid Machines Document Control server installed. Before this feature can be used, you must have other Liquid Machines Document Control products installed for users to generate content.

Liquid Machines Document Control policy permissions can be enforced using security from either RMS or LMKS. The Gateway's service account must be granted access to the policy in order to protect or unprotect a document. To operate correctly in all modes, the Gateway service account must be granted the permissions to Write content and to Remove a policy. A message recipient must also be granted access to the policy in order to access a protected document.

More About Processing Protected Content

RMS Processing with Liquid Machines Document Control Disabled

If RMS is enabled, but Liquid Machines Document Control (UES) is disabled, the Gateway for Exchange and SMTP can process all content from Microsoft Office IRM, as well as some documents produced by the Liquid Machines Document Control client: those that can be processed without any need for a Liquid Machines policy. This includes documents from any application protected using Ad-Hoc permissions or an RMS Template. It also includes documents from some applications that use a Liquid Machines policy using RMS security in IRM-Compatible mode. The Gateway makes a best effort for such cases and processes the document only if it knows that the document can be processed without any auditing requirements. Because of details of the file formats used by the Liquid Machines Document Control client, the Gateway (in RMS-only mode) can unprotect such documents only from Word, Excel, PowerPoint, and sometimes Visio (based on the version of the Liquid Machines Document Control client used).

Any Liquid Machines Document Control document that cannot be unprotected because of the limitations above is identified as a foreign document and passed through. To ensure unprotection of all Liquid Machines Document Control documents with proper auditing, we recommend that Liquid Machines Document Control functionality be enabled, and that the appropriate permissions be granted on the Liquid Machines Document Control server.

Foreign Protection Checking with RMS

If the Gateway fails to unprotect a document or message that it expects to be able to unprotect, it determines whether to treat the content as foreign or local content:


• A foreign document or message contains content that the Gateway will never be able to unprotect because it cannot resolve or communicate with the foreign RMS server.

• A local document or message contains content that the Gateway should be able to unprotect, but may not be able to at a given moment because of a presumably temporary error condition, such as a network failure.

When UES is disabled, or the Gateway encounters a document or message that was not protected by a Liquid Machines policy, it determines whether the content is foreign or local based on the primary RMS server and the configured domain suffixes:

• The primary RMS server (the one used to configure the RMS client as part of the prerequisites) is always treated as local. This server does not need to be listed in the Gateway's configuration, and it cannot be removed.
• By default, the Gateway computer's DNS domain is treated as local. This domain is explicitly listed in the default configuration using a special variable, but it can be removed.
• The DNS domain of any RMS installation, including the primary RMS server, must be explicitly added to the Gateway's configuration if its domain suffix does not exactly match the Gateway's DNS domain suffix.

For example, if your RMS installation is rms.acme.com, and the Gateway is installed on abc.acme.com, the default configuration automatically includes both rms.acme.com and *.acme.com. The default list of domain suffixes in the Gateway's configuration must be modified if the Gateway needs to support multiple domains.

If a blank DNS domain is listed in the configuration, or no domains are listed, all RMS-protected messages and documents are treated as local.

When the Gateway fails to unprotect a message or document determined to be local, it logs an error in the Event log. If the message or document is determined to be foreign, an informational message is logged, but the situation is not treated as an error. In either case, the message or document remains protected.

Processing of Liquid Machines Document Control Documents

The Gateway can be configured to unprotect and reprotect documents protected by Liquid Machines Document Control. A list of policy servers can be included by host name or URL.

If a configured server cannot be contacted when it is initially configured, the Event log shows an error, and Liquid Machines policy operations fail. Otherwise, the server is polled for policy updates on startup and periodically, based on the poll interval configured on the server.

The Gateway can also be configured to automatically discover additional servers when it encounters documents protected by those servers’ policies. In such cases, processing will succeed only if the Gateway Service user can properly authenticate to the appropriate server and obtain appropriate permissions. If a discovered server is contacted successfully, it will be kept active and polled for updates for a period specified in configuration, or until the Gateway Service is restarted. After that, it will become inactive and will need to be discovered again.

When Liquid Machines Document Control (UES) is enabled, the Gateway can unprotect and reprotect documents protected by the configured Liquid Machines Document Control servers in exactly the same way as a Liquid Machines Document Control client. The Gateway User must have appropriate policy permissions, and the Liquid Machines policy permissions always take precedence over RMS Super User rights for documents protected by a Liquid Machines policy. For documents with non-Liquid Machines policies (RMS Ad Hoc or template), the RMS Super User rights are used as usual.


When Liquid Machines Document Control is enabled, and a document with a Liquid Machines policy is protected or unprotected (or such an operation is denied because of insufficient permissions), an audit message is generated, if required by the policy.

Liquid Machines Document Control Operation with RMS Disabled

If UES is enabled and RMS is disabled, the Gateway for Exchange and SMTP unprotects only Liquid Machines documents protected using LMKS security. Any RMS-protected messages or documents are identified as foreign and passed through.

Foreign Protection Checking with Liquid Machines Document Control

If a document is in a format with a policy type that the Gateway for Exchange and SMTP expects to be able to unprotect, but the unprotect fails, the Gateway determines whether to treat the document as foreign content or local content. For RMS documents with no Liquid Machines policy, even if Liquid Machines Document Control is enabled, foreign protection checking is the same as with RMS only enabled (see page 13).

For documents with a Liquid Machines policy, the check is performed slightly differently. The document's protection information is compared against the list of manually configured Liquid Machines Document Control servers (not auto-discovered services), based on both the Service ID (a unique identifier) and the Service Locator (URL) stored in the document. Any match indicates content that should be unprotectable. The identity of the RMS security service used for a document protected by a Liquid Machines policy is not used for this check. This may be important to the results if the RMS server and the Liquid Machines Document Control server are in different subdomains.
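The two checks just described, as an added example that is not part of the Liquid Machines guide or product: a PowerShell model of the domain-suffix rule from “Foreign Protection Checking with RMS” and of the Service ID / Service Locator rule for documents carrying a Liquid Machines policy. It lets an administrator dry-run a planned suffix list and server list against sample values before relying on the Event log to find out. The hostnames, Service IDs and URLs are constructed sample values; the function names are mine; and matching suffixes on a label boundary and accepting a leading “*.” are assumptions about how “exactly match” is applied, which the guide does not spell out.

```powershell
# Added example, not part of the Liquid Machines guide or product. Models the
# foreign/local decision the Gateway makes when an unprotect fails, so that a
# planned domain-suffix list and server list can be dry-run against sample
# values. Label-boundary suffix matching and acceptance of a leading "*." are
# assumptions; the guide only says the suffix must "exactly match".

function Test-RmsLocal {
    # Check for an item protected by RMS with no Liquid Machines policy.
    param(
        [Parameter(Mandatory=$true)][string]$RmsHost,        # host of the RMS server that protected the item
        [Parameter(Mandatory=$true)][string]$PrimaryRmsHost, # server the RMS client was configured with
        [string[]]$DomainSuffixes = @()                      # configured suffix entries, e.g. '*.acme.com'
    )
    # The primary server is always local; it is not listed and cannot be removed.
    if ($RmsHost -ieq $PrimaryRmsHost) { return $true }
    # A blank entry, or no entries at all, makes every RMS-protected item local.
    if (-not $DomainSuffixes -or ($DomainSuffixes -contains '')) { return $true }
    $h = $RmsHost.ToLower()
    foreach ($suffix in $DomainSuffixes) {
        $s = $suffix.ToLower() -replace '^\*?\.', ''   # '*.acme.com' or '.acme.com' -> 'acme.com'
        # Match on a label boundary: rms.acme.com matches, rms.notacme.com does not.
        if ($h -eq $s -or $h.EndsWith('.' + $s)) { return $true }
    }
    return $false
}

function Test-LmPolicyLocal {
    # Check for an item carrying a Liquid Machines policy. Only the manually
    # configured servers count (not auto-discovered ones), and the RMS security
    # service behind the policy is deliberately not consulted.
    param(
        [Parameter(Mandatory=$true)][string]$DocServiceId,      # Service ID stored in the document
        [Parameter(Mandatory=$true)][string]$DocServiceLocator, # Service Locator (URL) stored in the document
        [object[]]$ConfiguredServers = @()                      # objects with ServiceId and Locator
    )
    foreach ($srv in $ConfiguredServers) {
        # Either field matching is enough to call the content local.
        if ($srv.ServiceId -ieq $DocServiceId) { return $true }
        if (([string]$srv.Locator).TrimEnd('/') -ieq $DocServiceLocator.TrimEnd('/')) { return $true }
    }
    return $false
}

# --- Constructed sample configuration, mirroring the guide's acme.com example ---
$primary  = 'rms.acme.com'
$suffixes = @('*.acme.com')        # the default entry when the Gateway sits on abc.acme.com
$rmsCases = @(
    @{ Host = 'rms.acme.com';    Expect = $true  },  # primary server: always local
    @{ Host = 'rms2.acme.com';   Expect = $true  },  # second server, same suffix
    @{ Host = 'rms.notacme.com'; Expect = $false },  # substring, not a suffix
    @{ Host = 'rms.partner.com'; Expect = $false }   # trusted partner: foreign, logged as Information
)
foreach ($c in $rmsCases) {
    $got = Test-RmsLocal -RmsHost $c.Host -PrimaryRmsHost $primary -DomainSuffixes $suffixes
    if ($got -ne $c.Expect) { throw "Test-RmsLocal '$($c.Host)' returned $got" }
    '{0,-18} local={1}' -f $c.Host, $got
}
# Supporting a second domain means adding its suffix to the configured list.
if (-not (Test-RmsLocal 'rms.partner.com' $primary @('*.acme.com', 'partner.com'))) { throw 'multi-domain' }

$servers = @(
    (New-Object PSObject -Property @{ ServiceId = 'svc-0001'; Locator = 'https://lmdc.acme.com/' }),
    (New-Object PSObject -Property @{ ServiceId = 'svc-0002'; Locator = 'https://lmdc.corp.acme.com/' })
)
# A known Service ID reached through a different locator is still local.
if (-not (Test-LmPolicyLocal 'svc-0001' 'https://lmdc-alias.acme.com/' $servers)) { throw 'id match' }
# Neither field matches: foreign, even though the RMS side (rms.acme.com) would be local.
if (Test-LmPolicyLocal 'svc-9999' 'https://lmdc.partner.com/' $servers) { throw 'foreign' }
```

The last case is the one worth noticing when the RMS server and the Liquid Machines Document Control server live in different subdomains: a document can be “local” by the RMS suffix rule and still be reported as foreign by the policy rule, because only the Service ID and Service Locator are compared. In either outcome the item stays protected; what changes is whether the failure is logged as an error or as information.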

Gateway for Exchange and SMTP: Processing Messages

A Gateway resides on your email servers. It catches messages, scans them for content and other characteristics, and then processes them as they pass through Exchange or IIS SMTP. You define the conditions and actions in a ruleset and then configure the Gateway for Exchange and SMTP with that ruleset. For certain use cases, you can also put the Gateway in special modes. For more information, see “Chapter 3. Gateway for Exchange and SMTP Operations,” on page 31.

Installation Architecture

In general, you will want to install the Gateway on all your Exchange servers, so that you can catch messages in all circumstances you deem appropriate. Liquid Machines primarily recommends this approach. For caveats and best practices for this configuration, see “Multiple Gateways and Reprocessing Messages,” on page 36.

If your Exchange infrastructure and the way you have populated your mailbox servers directly reflects company divisions and policies, you may decide to install the Gateway only on certain Exchange servers. For example, if you only want to control brokers' email, and all brokers are in the same routing group, you may install the Gateway on only those Exchange servers. Note, though, that one of the great benefits of the Liquid Machines Gateway for Exchange and SMTP is that it can act as a virtual email firewall in cases where company boundaries or perimeters are not clearly defined by your Exchange infrastructures.

Mailbox to Mailbox

If you want to protect email going from one mailbox to another, you will need to install the Gateway for Exchange and SMTP on all mailbox servers where senders you want to control have their mailboxes.


Routing Group to Routing Group

If you want to control the activities of one or more routing groups, and only when they communicate with users outside the routing group, you may choose to install the Gateway for Exchange and SMTP on only the Exchange bridgehead servers for that routing group.

Outbound Messages

If you want to control only messages leaving your company that are destined for locations outside your Exchange organization, you may decide to install the Gateway for Exchange and SMTP only on the Exchange servers that are organizational, or Internet, bridgeheads.

The Gateway also works on any Windows server with IIS and the SMTP Service installed. So you might choose to install the Gateway on a Windows SMTP relay and then configure your Exchange organization to send all outbound mail through that relay.

Bracketing Other SMTP Applications

At the perimeters of your email organization, or in specially designated areas inside it, you may have other SMTP software applications that are crucial to your business process. For example, it may be that you have installed a content scanner at your perimeter that checks email attachments for certain kinds of content. You may have a special group of users in a separate Exchange environment, and all email going in and out of that environment passes through an archiving system. In each case, the other software application is housed on an SMTP relay outside your main Exchange routing infrastructure.

In these cases, it may be that the software application cannot handle email protected with Rights Management technology. Ideally, you would like to unprotect a message as it enters this software application and reprotect the message as it leaves. The Gateway for Exchange and SMTP can be installed on Windows IIS SMTP relays on either side of this application and configured to run in special Unprotect and Reprotect modes.

Decrypting Messages for Archives

Your company may have deployed a compliance email archive product. This is software that stores copies of all email messages created in your company, or all from a certain set of users, in a format that can be easily searched and extracted in order to comply with government regulations. Typically, companies choose to have these messages decrypted before they enter the archive.

If email messages flow into your compliance archive via an SMTP route, you may be able to use the Gateway for Exchange and SMTP to decrypt them before they enter the archive. For example, if you use a hosted compliance archive product, and messages are sent to the hosted product by forwarding them to a certain SMTP email address, you may be able to interpose the Gateway between your Exchange system and the hosted product and have it decrypt protected messages as they head toward the archive.

To see if your deployment architecture can accommodate this scenario, contact Liquid Machines Product Support.

The Gateway for Exchange and SMTP can support Exchange journaling, including envelope journaling and BCC journaling. However, whether the solution operates properly depends on the deployment architecture and the intended outcomes. Consult with Liquid Machines Product Support for information on how to deploy this kind of solution in your environment.


Gateway Rules Authoring Tool: Defining Rules

An important feature of the Gateway for Exchange and SMTP is that you can control what the Gateway will do to messages and when. To do so, you define rules, using the Gateway Rules Authoring Tool. You can install the Gateway Rules Authoring Tool on any supported workstation. “Chapter 2. Installation,” on page 19, contains specific requirements for installing the Gateway on a Windows server or workstation.

The output of the Gateway Rules Authoring Tool is a file that contains the rules that the Gateway will use. You can place this file on the same server as the Gateway and configure the service to look for it locally. Alternatively, you can place the file on a Web or file server to which the Gateway has access and configure the Gateway to look for it there. For more information, see “Chapter 5. Defining Rulesets and Rules,” on page 59.

The Gateway Rules Authoring Tool gives you a graphical interface for defining rules. For each rule, you define the conditions under which it triggers, for example that the message body contains the phrase top secret, and the actions it takes, for example, that it blocks delivery. You can arrange rules in a certain order of priority, label them, and activate or deactivate them. For more information, see “Chapter 6. Specifying Rule Conditions and Actions,” on page 73.


Chapter 2. Installation

This chapter describes how to install the Liquid Machines Gateway for Exchange and SMTP. It contains the following sections:

• “Installing the Liquid Machines Gateway for Exchange and SMTP,” on page 19
  • “System Requirements,” on page 19
  • “If You Are Upgrading,” on page 19
  • “Preinstallation Requirements,” on page 20
  • “Installing the Gateway,” on page 22
  • “Configuring the Gateway,” on page 26
  • “Uninstalling the Gateway,” on page 26
• “Installing the Rules Authoring Tool,” on page 27
  • “System Requirements,” on page 27
  • “If You Are Upgrading,” on page 28
  • “Installing the Rules Authoring Tool,” on page 28
  • “Uninstalling the Rules Authoring Tool,” on page 29

Installing the Liquid Machines Gateway for Exchange and SMTP

System Requirements

Hardware (Minimum Requirements)

• Pentium IV, 2GHz or greater
• 1.5 GB RAM
• 60 MB disk space

Software

• Microsoft Windows 2000 Server SP4 or Windows 2003 Server SP1 or SP2, with Internet Information Services (IIS) and the SMTP Service installed
• If Microsoft Windows Rights Management Services (RMS) is to be enabled, the server must be installed in an Active Directory 2003 domain in which Microsoft Rights Management Services server 1.0 SP1 or SP2 has been installed, provisioned for the Microsoft production environment
• If RMS is to be enabled, Microsoft Rights Management Client 1.0 SP1 or SP2
• Optionally, Exchange 2003 SP1 or SP2

If You Are Upgrading

If you are upgrading from a previous version, the previous version must be uninstalled before Version 6.7.0 can be installed. See “Uninstalling the Gateway,” on page 26.

Uninstalling removes the Configuration file from the product directory. If you will upgrade, save a copy of your Configuration file before uninstalling.


After upgrading, you will need to manually enter any changes you have made into the new Configuration file. The Configuration file format has changed, so you cannot reuse a previous Configuration file. However, most of the settings are the same, so you can use the older file as a reference when editing the new one. The Configuration file should be reusable for future patch releases.

Preinstallation Requirements

Complete these steps before installing the Liquid Machines Gateway for Exchange and SMTP 6.7.0 from the software CD.

1. A domain user with a mailbox must exist for the Gateway. This will be the account under which the Gateway Service will run.

2. If RMS is to be enabled:

• The machine on which the Gateway will be installed must be in a domain where an RMS SP1 or SP2 server also resides. The RMS server must be provisioned for Production.
• The Microsoft DRM client for RMS (SP1 or SP2) must be installed on the computer on which the Gateway will be installed.
• The RMS Client and the Gateway for Exchange/SMTP must be configured to discover the location of the RMS Server. If the RMS Service Connection Point (SCP) was published to the Active Directory forest where the Gateway machine resides, this happens automatically, and no other action is required. Check with your RMS Server administrator to see if it was published. If it was not, you must set the following Windows registry entries:
  • In the key HKEY_LOCAL_MACHINE\Software\Liquid Machines\Client\MSDRM, create a string value called CorpCertificationServer and set it to the Certification URL of your RMS server. Remove any trailing filename and slash (/) from the URL, such as /Certification.asmx.
  • In that same key, create a string value called CorpLicensingServer and set it to the Licensing URL of the RMS server. Again, remove any trailing filename and slash.
• The Gateway User must be an RMS Super User:
  • A mail-enabled group must be created and specified as a Super User group on the RMS server.
  • The Gateway User must be a member of that group.
  Because a Super User can decrypt any content the installation has protected, keep the membership of this group to the Gateway service account and protect that account's credentials accordingly.
• The Gateway User must be given the permissions to run as an RMS service. This should be accomplished by adding it to a dedicated group for RMS Service users. That group must also be given appropriate permissions on each RMS server. Note that RMS Setup sometimes creates a group called RMS Service Group for RMS itself; create a group with a different name.
  • On the RMS server, find the file ServerCertification.asmx, which generally resides in C:\Inetpub\wwwroot\_wmcs\Certification. This is distinct from the file by the same name which resides in the RMS installation directory.
  • Edit the permissions on this file to grant Read and Execute permissions to the created group that contains the Gateway User. Also do this for the group RMS Service Group, if it exists.
  • Restart IIS on the RMS server: from the command line, run iisreset.


3. If UES is to be enabled:

• A Liquid Machines Document Control server of Version 6.4 or later must be available.
• The Gateway User must be able to authenticate to the Liquid Machines Document Control server. It must also be a member of all relevant policies, granted Read, Write, and Remove permissions.

4. SMTP relaying must be enabled for each virtual server on which you want to enable the Gateway.

• If Exchange is installed:

a. On the Start Menu, click Programs, then Microsoft Exchange, then System Manager.

b. Open Servers, then <local server name>, then Protocols, then SMTP. Each SMTP virtual server appears as a child node.

• If Exchange is not installed:

a. On the Start Menu, click Administrative Tools, then IIS Manager.

b. Open <local server name>. Each SMTP virtual server appears as a child node.

• For each of the SMTP virtual servers included:

a. Right-click the virtual server and click Properties.

b. Click the Access tab.

c. Click Relay.

d. Ensure that the Only the list below radio button is selected.

e. Click Add.

f. Click Single Computer, enter the IP address 127.0.0.1, and then click OK.

g. If this SMTP virtual server is listening on an IP address other than All (which is the default) or 127.0.0.1, add that IP address as well, by repeating steps e and f. Add only these local addresses; any other address or range added here is allowed to relay mail through this server.
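As an added example (not part of the Liquid Machines guide or product), this PowerShell fragment audits the SMTP virtual servers on the machine through the IIS metabase ADSI provider and derives the relay entries step 4 requires from each server's bindings, so that the list entered in the dialog can be checked against what is actually bound.

```powershell
# Added example, not from the Liquid Machines guide: audit the SMTP virtual
# servers on this machine and print the relay entries each one needs.
# Requires local administrator rights (IIS metabase ADSI provider).
$smtpSvc = [ADSI]'IIS://localhost/SMTPSVC'
foreach ($vs in $smtpSvc.Children) {
    if ($vs.SchemaClassName -ne 'IIsSmtpServer') { continue }

    $instance = $vs.Name                    # metabase instance number, e.g. 1
    $comment  = [string]$vs.ServerComment   # display name in System Manager / IIS Manager
    $relay    = @('127.0.0.1')              # always required by the Gateway

    # ServerBindings entries are "ip:port:hostname"; an empty ip means "All".
    foreach ($binding in $vs.ServerBindings) {
        $ip = ([string]$binding).Split(':')[0]
        if ($ip -ne '' -and $relay -notcontains $ip) { $relay += $ip }
    }

    $bindingText = ($vs.ServerBindings | ForEach-Object { [string]$_ }) -join ', '
    "SMTP instance $instance ($comment): bindings [$bindingText]"
    "  relay list (Only the list below) must contain: $($relay -join ', ')"
}
```

Compare the printed addresses with the Relay dialog for each instance. The relay list should contain these local addresses and nothing else; a broader list makes the virtual server relay mail for those hosts, and choosing the other radio button makes it an open relay.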

5. In order to process messages that use foreign language characters, install Operating System support for all code-pages, as follows:

a. On the Windows taskbar, click Start, point to the Control Panel, and then click Regional and Language Options.

b. Click the Languages tab.

c. Under Supplemental language support, select both options:

• Install files for complex script and right-to-left languages

• Install files for East Asian languages

d. Click Apply. You may be prompted to insert the Windows CD to copy necessary files.

e. Click the Advanced tab.

f. Under Code page conversion tables, select all check boxes.


g. Click Apply. You may be prompted to insert the Windows CD to copy necessary files.

h. You may be prompted to restart, in which case you should do so before installing.

6. Log on to the Gateway computer as the Gateway User, to initialize the user profile.

7. If RMS is to be enabled, while logged on as the Gateway User, set up IE security settings to ensure access to the RMS server.

a. In Internet Explorer, on the Tools menu, click Internet Options.

b. Click the Security tab.

c. Click Local intranet, then Sites, then Advanced.

d. Add the RMS server's name (as http://qualified-hostname).
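As an added example (not part of the Liquid Machines guide or product), the following PowerShell script writes the same per-user Local intranet zone entry that the Internet Options dialog in step 7 creates, and verifies it. It must run while logged on as the Gateway User, because the setting lives under that user's HKEY_CURRENT_USER; the host name rms.acme.com is an assumption.

```powershell
# Added example, not from the Liquid Machines guide. Run while logged on as
# the Gateway User; it writes the same per-user ZoneMap entry the dialog does.
$rmsHost = 'rms.acme.com'   # assumption: your RMS server's fully qualified host name

$labels = $rmsHost.Split('.')
if ($labels.Length -lt 2) { throw "Use a fully qualified host name, not '$rmsHost'" }
$hostLabel = $labels[0]
$domain    = [string]::Join('.', $labels[1..($labels.Length - 1)])

# Internet Explorer stores site-to-zone assignments as
# ...\ZoneMap\Domains\<domain>\<host> with a DWORD named after the scheme;
# value 1 is the Local intranet zone.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$key = Join-Path (Join-Path $zoneMap $domain) $hostLabel
if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'http' -PropertyType DWord -Value 1 -Force | Out-Null

# Verify: the scheme value must be 1 for http://$rmsHost to be treated as intranet.
$zone = (Get-ItemProperty -Path $key).http
if ($zone -ne 1) { throw "Zone assignment failed for $rmsHost" }
"http://$rmsHost assigned to Local intranet (zone $zone) for user $env:USERNAME"
```

The point of the zone assignment is that Internet Explorer's default security settings send the logged-on user's Windows credentials automatically only to Local intranet sites, which is what lets the Gateway User authenticate to the RMS server without a prompt. Check the entry with the same verification after any roaming-profile or Group Policy change, since a policy-managed site list can override it.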

Installing the Gateway

The installation package for the Gateway provides all necessary components. However, there are also important configuration steps that must be performed after installation. All of these steps can be performed by any local or domain administrator.

1. Run setup.exe.

2. On the Welcome page, read the text and click Next to continue.


3. Read the License Agreement, click I accept the terms in the license agreement, and click Next to continue.

4. On the Customer Information page, enter a name and company information appropriate to your situation and make sure you leave Anyone who uses this computer selected. Click Next to continue.


5. On the Setup Type page, select either Complete or Custom and click Next to continue.

If you select Custom, you can select an installation directory for the Gateway.

To select a different location, click Change. Click Next to continue.


6. On the Gateway Service Credentials page, enter the domain-qualified login name and password of the Gateway User and click Next to continue.

7. On the Ready to Install the Program page, click Install. Progress bars appear while the Gateway software is installed.


8. The InstallShield Wizard Completed page indicates that the installation process was successful. Click Finish.

Configuring the Gateway

After installing the Gateway, you must configure it:

• Edit the Configuration file to enable RMS and/or UES protection as appropriate, and to configure other features. See “Appendix A. Gateway Configuration File Syntax,” on page 91.

• For each rules-based server, create a .ruleset file using the Rules Authoring Tool. See “Specifying Rules for Rules-based Mode,” on page 32.

• Use the Configuration Tool to select the mode of the Gateway on each virtual server. See “Configuring the Mode,” on page 31.

Uninstalling the Gateway

The product can be uninstalled using Add/Remove Programs, but some cleanup steps must be done manually to ensure that the machine is clean and the next installation will be successful. Uninstallation can be performed by any local or domain administrator.

To uninstall the Gateway:

1. Close all open applications. It is particularly important to close the Configuration Tool and the Services Control Panel.

2. On the Windows taskbar, click Start, point to Control Panel, and then click Add or Remove Programs.

3. Scroll to the Liquid Machines Gateway for Exchange and SMTP and click Remove.


4. The Adapter’s data directory includes a subdirectory called SCache that contains cached policies and keys, protected so that only the Gateway User can access them. If the default location is used, the uninstall program removes it automatically; if the Adapter's data directory has been moved to a different location, you must remove it manually. Leaving it behind is a minor security risk (only the Gateway User can access the data), and it can cause failures when a newer version of the Adapter that cannot read the old data is installed. To clean it up manually, delete the SCache subdirectory of the configured data directory (default location: C:\Documents and Settings\All Users\Application Data\Liquid Machines\Gateway).

5. The Adapter's data directory is not deleted by an uninstall, because it might contain useful diagnostic logs that should not be lost if the uninstall is for a problem that must be investigated. If no problems occurred, the diagnostic logs are small and thus safe to leave behind. If you want the next install to be fully clean, when you are sure none of its contents are needed, manually delete the data directory (default location: C:\Documents and Settings\All Users\Application Data\Liquid Machines\Gateway). Otherwise it is left behind to preserve logs.

Installing the Rules Authoring Tool

The Rules Authoring Tool can be installed and run separately on the same computer or a different computer to generate the .ruleset files needed by the Gateway.

Version 6.7 of the Gateway uses rulesets created by the Version 6.6 Rules Authoring Tool; there is no Version 6.7 Rules Authoring Tool.

System Requirements

Hardware (Minimum Requirements)

• Pentium IV, 2GHz or higher

• 1.5GB RAM

• 20 MB disk space

Software (Minimum Requirements)

One of the following:

• Microsoft Windows 2000 SP4 (Server or Professional)

• Windows XP Professional Service Pack 1 or 2

• Windows 2003 Server SP1 or 2

and

• .NET 1.1 Runtime Framework

Note that .NET 2.x and 3.x Framework are not supported. The Rules Authoring Tool may not operate correctly if these versions are installed.

Caution: Unpredictable product behavior will result if the client and server computers are not configured to at least the minimum requirements stated above.

Note that you can install the Rules Authoring Tool on a separate workstation, create ruleset files, and then transfer them to the Gateway computer. You need not install the Rules Authoring Tool on the Gateway computer, though it is compatible if you do.


If You Are Upgrading

Version 6.6 of the Rules Authoring Tool will not open and cannot process rulesets created with Version 6.5.x. The Gateway, however, will still correctly process these older rulesets.

Installing the Rules Authoring Tool

Follow these instructions to install the Version 6.6 Liquid Machines Rules Authoring Tool from the software CD.

A Windows installer is available on the Gateway 6.7 software CD. Copy the installer files to your local hard drive before continuing.

1. To start the Rules Authoring Tool Installation Wizard, double-click the Setup.exe file located in the Gateway for Exchange and SMTP\Rules Authoring Tool folder. The Preparing to Install window appears. Follow the Installation Wizard through the process.

2. On the Welcome page, read the welcome information and click Next to continue.

3. On the Select Installation Folder page, you can choose the directory in which the program will be installed. You can also choose to make the program accessible to everyone on this system or only to the user account under which you installed it. Then click Next to continue.

4. On the Confirm Installation page, click Next to continue. Progress bars appear while the Rules Authoring Tool software is installed.

5. The Installation Complete page indicates that the installation process was successful. Click Close.

For information on starting and using this tool, see “Chapter 5. Defining Rulesets and Rules,” on page 59.


Uninstalling the Rules Authoring Tool

To uninstall the Rules Authoring Tool:

1. Close all open applications.

2. On the Windows taskbar, click Start, point to Control Panel, and then click Add or Remove Programs.

3. Scroll to the Liquid Machines Rules Authoring Tool and click Remove.


Chapter 3. Gateway for Exchange and SMTP Operations

This chapter describes Liquid Machines Gateway for Exchange and SMTP operations. It contains the following sections:

• “Operational Modes,” on page 31

• “The Adapter and the Service,” on page 34

• “Service Account Credentials,” on page 35

• “Multiple Gateways and Reprocessing Messages,” on page 36

• “Processing Attachments,” on page 38

• “Logging and Statistics,” on page 39

• “Performance Tuning Exchange and SMTP,” on page 41

Operational Modes

The Gateway for Exchange and SMTP allows you to configure each IIS or Exchange virtual SMTP server to operate in one of the following modes:

• Disabled: The Gateway does not process messages. It does not scan them or take action on them.

• Rules-based: This is the primary operational mode of the Gateway. In this mode, the Gateway catches messages, scans them for content and other characteristics, and then takes action on them based on what it finds, all according to rules you define.

• Unprotect Permanently: The Gateway only decrypts messages. It removes any protections applied, using security services the Gateway can access. The history of how the message was protected is removed; no record exists of the previous controls.

• Unprotect for Reprotect: The Gateway only decrypts messages. It removes any protections applied, using security services the Gateway can access. It leaves a record of what protections had been there, so that a Gateway in Reprotect Only mode can re-encrypt them the same way later. The record is not directly visible to any recipient.

• Reprotect Only: The Gateway only re-encrypts messages decrypted by a Gateway in Unprotect for Reprotect mode. It adds back the same protections the Unprotect for Reprotect mode left in the record.

Each virtual server for the Simple Mail Transport Protocol (SMTP) service on a machine can have a different operational mode. An Exchange server typically has only one virtual server, and you would generally set it to Rules-based. A stand-alone Windows SMTP service can have several virtual servers. You might install two instances, as well as a third-party content scanner, all onto the same machine. The first instance would be configured to decrypt and pass messages on to the content scanner. The second would receive them from the content scanner and then re-encrypt them.

Configuring the Mode

When you configure the mode of an IIS virtual SMTP server, the Gateway Configuration Tool restarts the SMTP service on the Gateway computer. IIS is not restarted, and critical Exchange services are not affected, so you can make this change safely at any time.


Note: If the restart fails, it may indicate that you have selected invalid configuration options. Check the Windows Application Event log for errors.

To configure the mode, follow these steps on the computer where the Gateway is installed.

1. Log on as a user with local administrative privileges.

2. On the Windows taskbar, click Start, point to (All) Programs, point to Liquid Machines, point to Gateway for Exchange and SMTP, and then click Virtual Server Configuration.

3. Under the label for the SMTP instance, select a mode and then click the Apply button. At this point, the Gateway Virtual Server Configuration Tool restarts the SMTP service.

4. To close the dialog box, click the OK button.

Note: If the Gateway is experiencing problems such that messages are stuck in processing, or the Gateway is repeatedly crashing, you can stop new messages from being processed by setting it to Disabled. Then, to clear out pending messages, manually restart IIS by entering iisreset on the command line.

Specifying Rules for Rules-based Mode

You define rules in a ruleset file using the Gateway Rules Authoring Tool. After you create a ruleset file, you can specify that a Rules-based Gateway use it. For more information, see “Defining Rulesets and Rules,” on page 59.

1. You can place the ruleset file on the local hard drive of the Exchange or SMTP server, or you can place it on a Web server. If on a Web server, the Exchange or SMTP server must be able to access the Web URL for the file, and to access it anonymously, without authentication. HTTPS is not supported.

2. Set the SMTP instance to Rules-based mode, as described above.


3. Selecting Rules-based mode activates the Rules URL field.

• If you placed the ruleset file on a Web server, type the Web server URL. Example: http://fileserv.acme.com/rules/ACME.ruleset

• If you placed the file on the computer’s hard drive, type the file URL. Example: file:///c:/Rules/ACME.ruleset

4. To save your changes, click Apply. The Gateway Virtual Server Configuration Tool makes sure that the URL is valid and the ruleset can be fetched from it. If not, an error message appears.

5. When you are done, click OK.


If the ruleset file has changed, and you want the Gateway to take up the changes immediately, launch the Gateway Virtual Server Configuration Tool, navigate to the Virtual Servers tab, and click OK. Otherwise, the Gateway will pick up the changes at the interval specified in the Gateway Configuration file.
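As an added example (not part of the Liquid Machines guide or product), this PowerShell function fetches a ruleset under the same constraints the Gateway applies to the Rules URL (a local file, or an http URL fetched anonymously with no Windows credentials; https rejected) and returns its SHA-256 digest, so that the ruleset actually served to the Gateway can be compared with the one the Rules Authoring Tool produced. The two URLs at the end are the guide's own examples and are assumed to exist.

```powershell
# Added example, not from the Liquid Machines guide. Fetches a ruleset the way
# the Gateway does (file:// or anonymous http://, never https://) and returns
# the SHA-256 hex digest of the bytes that were actually served.
function Get-RulesetDigest([string]$url) {
    $uri = New-Object -TypeName System.Uri -ArgumentList $url
    switch ($uri.Scheme) {
        'file' {
            if (-not (Test-Path -LiteralPath $uri.LocalPath)) {
                throw "Ruleset not found: $($uri.LocalPath)"
            }
            $bytes = [System.IO.File]::ReadAllBytes($uri.LocalPath)
        }
        'http' {
            $wc = New-Object -TypeName System.Net.WebClient
            $wc.UseDefaultCredentials = $false   # the Gateway sends no credentials
            $wc.Credentials = $null
            $bytes = $wc.DownloadData($uri)      # throws on 401/403/404, like the tool's check
        }
        'https' { throw "HTTPS is not supported for the Rules URL: $url" }
        default { throw "Unsupported scheme '$($uri.Scheme)' in $url" }
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hex = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    "{0} bytes, sha256={1}" -f $bytes.Length, $hex
}

# The guide's example URLs (assumed to exist in your environment).
Get-RulesetDigest 'file:///c:/Rules/ACME.ruleset'
Get-RulesetDigest 'http://fileserv.acme.com/rules/ACME.ruleset'
```

Record the digest of the file the Rules Authoring Tool wrote and compare it with what the URL serves before clicking Apply. Because the fetch is plaintext HTTP with no authentication, anyone who can write to that Web directory or sit on the path between the two servers can substitute a ruleset that disables protection, so a local file path or a Web server with tightly restricted write access is the safer choice, and the digest check is how you notice a change you did not make.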

The Adapter and the Service

When you install a Gateway for Exchange and SMTP, the Windows server machine recognizes two distinct components, the Adapter and the Service.

The Adapter

The Adapter is an event sink registered with the Windows IIS SMTP service, either on Exchange or on an SMTP relay. The Adapter notices that a message is passing through the system. It gathers up the message, along with information about its properties, where it is being routed to or from, and so on, and passes it to the Service. The Service processes it and passes it back to the Adapter, and the Adapter then resubmits it to the routing infrastructure.

The Adapter is essentially invisible to an administrator and cannot be disabled or configured.

The Service

The Service is a process or program, one that you can see listed in the Windows Services console. It processes messages. It scans them for content and other information, and then takes action on them appropriately, according to the rules you define.

The Service is visible in Windows Services and can be stopped, started, or disabled. Other aspects of its behavior, such as what mode an SMTP virtual server is in, are configured by the Gateway Virtual Server Configuration Tool.

Stopping and Starting the Service

You can stop the Service, but you cannot stop the Adapter. When you configure a Virtual Server to be in Disabled Mode, the Adapter never communicates with the Service. In all other modes, it will always attempt to communicate with the Service. The following list shows what happens when the Adapter tries to pass a message up to the Service, but the Service is stopped, either normally or from a crash.

In Windows, if the Service start-up type is set to:

• Automatic Start (default), the Adapter holds all messages in a queue until the Service has been successfully restarted. If the Service has crashed and it is needed to process a message, the Adapter restarts the Service. If the Service was shut down correctly, such as by a system administrator, or has not started after a machine reboot because its start-up type is Manual, the Adapter reverts to Manual Start behavior and holds all messages in a queue until the Service is started.

• Disabled, the Adapter allows messages to pass through without being processed. Messages that rules would otherwise have protected leave the server unprotected while this setting is in effect.

• Manual Start, the Adapter holds all messages in a queue until the Service becomes available. Use this setting if you want to temporarily hold all messages.


Message Flow and Service Status

If you have several virtual servers on a single computer running in different Gateway modes, and you want to change an individual instance so that it does not process messages, but does allow them to flow through the system, use the Gateway Virtual Server Configuration Tool to set its mode to Disabled.

If you want all virtual servers on a given machine to stop processing email, but want the email to continue to flow through, you can set all instances to Disabled. We also recommend that you set the Service start-up type to Disabled and then stop the Service, as a fully permanent measure.

If you need to make changes to your infrastructure that might affect message processing, and so want all messages to be held in a queue while you make changes, and then processed later, make sure the Service start-up type is set to Automatic or Manual, and then stop the Service. If you will need to reboot the machine during the maintenance procedure, set the Service type to Manual, so that it does not start processing messages automatically when the system starts up. When you are done with maintenance, set the start-up type to Automatic, and start the Service. All pending messages will then be processed.
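As an added example (not part of the Liquid Machines guide or product), the following PowerShell functions script the maintenance sequence above: hold messages in the Adapter queue, then release them, with a separate function for the pass-through case. The service name LiquidMachinesGateway is an assumption; take the real one from the Name column in services.msc.

```powershell
# Added example, not from the Liquid Machines guide. The service name is an
# assumption: use the Name shown for the Gateway Service in services.msc.
$gatewayService = 'LiquidMachinesGateway'

function Get-GatewayState {
    # Start mode comes from WMI; Get-Service alone does not report it.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$gatewayService'"
    if ($svc -eq $null) { throw "Service '$gatewayService' not found" }
    "{0}: state={1} startmode={2}" -f $svc.Name, $svc.State, $svc.StartMode
}

# Hold messages in the Adapter queue while you work. Manual, not Disabled:
# Manual keeps the queue even across a reboot, whereas Disabled would make
# the Adapter pass mail through unprocessed.
function Suspend-GatewayProcessing {
    Set-Service -Name $gatewayService -StartupType Manual
    Stop-Service -Name $gatewayService
    (Get-Service -Name $gatewayService).WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
    Get-GatewayState
}

# Release the queue: back to Automatic so the Adapter can restart the Service
# after a crash, then start it; pending messages are then processed.
function Resume-GatewayProcessing {
    Set-Service -Name $gatewayService -StartupType Automatic
    Start-Service -Name $gatewayService
    (Get-Service -Name $gatewayService).WaitForStatus('Running', (New-TimeSpan -Seconds 60))
    Get-GatewayState
}

# Permanent pass-through: mail flows with no Gateway processing at all.
# Pair this with setting every virtual server to Disabled in the
# Gateway Virtual Server Configuration Tool, as the guide recommends.
function Disable-GatewayProcessing {
    Set-Service -Name $gatewayService -StartupType Disabled
    Stop-Service -Name $gatewayService
    Get-GatewayState
}

Suspend-GatewayProcessing
# ... perform maintenance, rebooting if required ...
Resume-GatewayProcessing
```

The distinction to keep in mind is that Manual and Automatic fail closed (mail waits) while Disabled fails open (mail passes unprotected), so Disable-GatewayProcessing is the one to use only when you have decided that unprotected flow is acceptable.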

For more information on controlling service status and message flow, see the pend-message-on-error information on page 98.

Service Account Credentials

When you installed the Gateway for Exchange and SMTP, you provided credentials for a service account under which the Gateway runs. This account has special privileges within your domain, such as the ability to alter certain files and folders on the Gateway server machines, or to act as an RMS Super User.

You can change the credentials under which the Gateway runs by using the Gateway Virtual Server Configuration Tool. When you cycle the passwords on your other domain service accounts, you may need to change the password for this service account.

We recommend that you allow the actual account to remain the same, but there is no harm in changing it, if need be. Make sure that if you do change the account, you give the new one the same privileges as the old one, as documented in “Installing the Liquid Machines Gateway for Exchange and SMTP,” on page 19, before you apply the new account to the Gateway. “Preinstallation Requirements,” on page 20, describes the privileges required for the service account. You will also have to manually grant full access to the data directory (or directories) specified in the Configuration file.

To change the service account credentials, follow these steps on the computer where the Gateway is installed.

1. On the Start menu, point to Programs (or All Programs), point to Liquid Machines, point to Gateway for Exchange and SMTP, and then click Virtual Server Configuration.

2. In the Gateway Virtual Server Configuration Tool, click the Service Credentials tab.


3. Type in the new service account name in domain-qualified format. Example: DOMAIN\lmexchange

4. Type in the new service account's password.

5. To save your changes, click the Apply button.

Multiple Gateways and Reprocessing Messages

You may deploy several Gateways within your email infrastructure. In fact, for the typical organization, this is the recommended configuration. This creates the probability that messages will pass through, and therefore be processed by, more than one Gateway for Exchange and SMTP. You should consider the effect this has both on the outcome of the rules and rulesets you create and on the performance of your infrastructure.

A similar situation can also occur when desktop users use RMS-enabled client applications to protect email or documents that are then attached to email. The following sections describe how a Gateway processes a message that is already protected.

Rules-based Gateway scans content inside protected messages

When a Gateway for Exchange and SMTP encounters a message that has been protected, if a rule requires it to scan the body for words, phrases, or patterns, the Gateway puts a decrypted copy of the content into memory and scans that.

Rules-based Gateway may override protections

When a Gateway for Exchange and SMTP encounters a message that triggers one or more rules that specify protections to be applied, the Gateway removes all protections that were already on the message and replaces them with the new set specified by the rules. So, if a rule specifies that content should be protected, then any historical protections on the message are completely overridden. To avoid this situation, create a Do not override rule. (See page 37.)


Rules-based Gateway does not reprotect messages

If a Rules-based Gateway for Exchange and SMTP encounters a message that was Unprotected for Reprotection by another Gateway in that mode, the Rules-based Gateway ignores the historical information about protections that the other Gateway put in the message. If the Rules-based Gateway ends up protecting the content, the historical information is permanently lost.

This is also true of other RMS-enabled client applications. They do not reuse this historical information.

Gateway in Unprotect mode does not strip historical protection information

A Gateway for Exchange and SMTP in either Unprotect mode will not remove historical protection information put into a message by an earlier Unprotect for Reprotect Gateway.

Writing Rules to Tune Reprocessing Behaviors

You can configure Gateways for Exchange and SMTP with rules that help modulate some of this behavior, so that performance is increased or Policy goals are better met. The outcome of this task depends on your policies, your infrastructure, and how Gateways are installed within it.

You can read more about creating rules in “Defining Rulesets and Rules,” on page 59.

Already Processed Ruleset

You can make the first priority rule in any Gateway for Exchange and SMTP be to look for a unique header-value pair, for example, X-Acme-Email-Controlled and True. If this pair is found, the rule action is to Stop processing more rules. You then make the second priority rule be to add the header X-Acme-Email-Controlled with value True to all messages. Then, once a Gateway has processed a message, all other Gateways ignore it. Because messages are only processed once, the total CPU load over all your Exchange servers may be reduced.

Do Not Override Rule

You can make the first priority rule in any Gateway for Exchange and SMTP be to look for Rights Management-protected messages. If one is found, the rule action is to Stop processing more rules. This has the effect of preventing protections on a message from being overridden.

You may want the Gateway to process protected messages in other ways, for example, BCCing them to an auditor, but still not override protections. In that case, you can place all your rules with blocking, routing, or reporting actions first, then place the rule that ignores protected messages, then place any rules that apply protections.

Another way to accomplish this is to make every rule that should not process protected messages include a message type trigger that specifies only the email message type, and not the protected message type.

Avoiding Configurations that Tax Reprocessing Behaviors

Knowing how components might interact under any circumstances is important for any administrator, for both designing and troubleshooting an installation. Ideally, though, a good configuration avoids some circumstances that might cause unintended behavior.


When you design the installation of your Gateways for Exchange and SMTP (their locations in the infrastructure and their operating modes), try to create reasonable message flow scenarios. For example, if a message flows through an unprotecting Gateway, there is little reason for the next Gateway it encounters to also be in Unprotect mode. If a message flows through an Unprotect for Reprotect Gateway, the next Gateway it flows through should be a Reprotect Gateway.

Also, try to minimize the number of Rules-based Gateways for Exchange and SMTP a message passes through and use the rules discussed above to minimize reprocessing of messages.

Processing Attachments

Sealed in the Message Envelope

When a Gateway for Exchange and SMTP protects a message, all attachments associated with it become subject to a certain level of access control. That is, in order to get access to the attachment, the recipients must first open the message. If recipients are not allowed to open the message, they cannot access the attachments.

The attachments are effectively sealed in the message envelope. This happens to all attachments automatically and is not affected by the option Protect attachments, which can be specified in the rule.

If recipients can access the message, they can then save the attachment onto their computers. At this point, the attachment is no longer subject to access controls, and the recipients can send it to someone else, perhaps unauthorized, for viewing. The protection on the attachment is not complete.

Protected Attachments

When you use the option Protect attachments with the action Protect the message with specific options in a rule, a second level of access control is added. The attachment itself is actually protected; the data in it is encrypted using Microsoft RMS technology, and an access control list is added to it directly. This happens in addition to the sealing in the envelope.

Now, if a recipient saves the attachment to a computer, the protections travel along with it, wherever the attachment goes, to a floppy disk, to a USB memory stick, into another email, and so on. Even if someone else receives the attachment, they will not be able to open it unless they are authorized.

Only file attachments are supported. Attached messages, and any attachments they may have, will remain unchanged, although they will still be sealed in the message envelope.

Only Certain File Types Supported

The Gateway can protect any file; however, the various clients have limits on the file types they allow users to access. With Office and Liquid Machines Document Control clients, Microsoft Word, PowerPoint, and Excel file attachments are protected this way by default. You can edit the Configuration file to exclude any of these or to include Adobe Acrobat (PDF) files and Visio files. The Liquid Machines Viewer supports many additional file types. Of course, in order to read these attachments, the recipient needs an appropriate RMS-enabled client, such as Office 2003, or Visio or Adobe Acrobat enabled with Liquid Machines Document Control. Liquid Machines Document Control also supports Office 2000 and Office XP for documents.

You can configure the Gateway for Exchange and SMTP with a shorter list. For example, you can make it so that the Gateway will only protect PDF files. Adobe PDF and Visio files are disabled by default. For more information, see “protection-config Settings,” on page 94. If you need to protect alternative file formats for these applications, such as CSV or RTF files, or if you have an automated application of this technology and need help making it work, contact Liquid Machines Product Support.

If the Attachment is Already Protected

Suppose a sender uses RMS-enabled Microsoft Word 2003 to protect a Word document. Then she attaches it to a message and sends that message through a Gateway for Exchange and SMTP. The Gateway finds the words top secret in the subject and decides to protect the message. What does it do to the attachment?

The attachment is sealed in the envelope. However, the Gateway leaves intact the attachment protections the sender chose. It does not override the protections with the ones specified by the rule.

Why is this so? Suppose Sally, the CEO, protects a revenue spreadsheet so that only Jim, the CFO, can see it. Then Jim emails that spreadsheet to Tom, the insurance broker. The message passes through the Gateway, and a rule is triggered, requiring that all messages to brokers be protected. If the Gateway took away Sally's protections and replaced them with the ones the rule specified, then Tom would be able to see the spreadsheet, which is not Sally's intent.

To determine whether to override attachment protections or ignore them, the Gateway compares the protections (the Policy and the access control list) on the email message with the protections on each attachment. If the protections on any individual attachment:

• Are different from those on the message in any way, the Gateway leaves that attachment alone and does not alter its protections.

• Are exactly the same as those on the message, indicating that the attachment was protected with the message, then if the Gateway changes the protections on the message, it also changes them on that attachment.

Of course, if there are no protections on the attachment and the Gateway adds or changes protections on the email message, then it also puts those protections on the attachment.

This is also true of Liquid Machines Document Control policies. Because an attachment with a Liquid Machines Document Control policy will never have the same rights as an RMS-protected message, Liquid Machines Document Control-protected attachments never have their protections overridden.
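A model of the comparison just described, added here as an illustration and not the Gateway's own code: a protection is represented as a scheme (RMS or Liquid Machines Document Control), a Policy and an access control list, and the hypothetical resolve_attachment_protection function returns what each attachment carries after the Gateway has processed the message. The Sally/Jim/Tom scenario above is constructed as sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Scheme(Enum):
    RMS = "Microsoft RMS"
    LMDC = "Liquid Machines Document Control"


@dataclass(frozen=True)
class Protection:
    """The things the Gateway compares: the protection scheme, the Policy and the ACL."""
    scheme: Scheme
    policy: str
    acl: FrozenSet[str]  # who is allowed to open the content


def resolve_attachment_protection(
    message_before: Optional[Protection],
    message_after: Optional[Protection],
    attachment: Optional[Protection],
) -> Optional[Protection]:
    """Protection an attachment carries after the Gateway has processed its message.

    message_before: protections on the message as received (None = unprotected)
    message_after:  protections the rule leaves on the message (None = unprotected)
    attachment:     protections already on the attachment (None = unprotected)
    """
    if message_before == message_after:
        # The Gateway did not add or change protections on the message,
        # so it has no reason to touch the attachment.
        return attachment
    if attachment is None:
        # Unprotected attachment: it receives whatever the message now carries.
        return message_after
    if attachment == message_before:
        # Identical to the message's protections: the attachment was protected
        # together with the message, so it follows the message's new protections.
        return message_after
    # Different in any way (another ACL, another Policy, or an LMDC policy, which
    # can never equal an RMS-protected message): leave the sender's choice intact.
    return attachment


def process_message(
    message_before: Optional[Protection],
    message_after: Optional[Protection],
    attachments: List[Optional[Protection]],
) -> List[Optional[Protection]]:
    """Apply the comparison to every attachment of one message."""
    return [resolve_attachment_protection(message_before, message_after, a)
            for a in attachments]


# Constructed scenario (hypothetical names): Sally protects the spreadsheet so that
# only Jim can open it; Jim mails it to Tom, the broker; a rule protects all mail
# to brokers. Sally's protections differ from the message's, so they survive.
SALLY_SHEET = Protection(Scheme.RMS, "Confidential", frozenset({"jim@example.com"}))
BROKER_RULE = Protection(Scheme.RMS, "Brokers", frozenset({"tom@broker.example"}))
LMDC_DOC = Protection(Scheme.LMDC, "Finance", frozenset({"jim@example.com"}))

if __name__ == "__main__":
    for before, after in zip([SALLY_SHEET, None, LMDC_DOC],
                             process_message(None, BROKER_RULE, [SALLY_SHEET, None, LMDC_DOC])):
        print(f"{before} -> {after}")
```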

Logging and Statistics

Logging Applied Rules

When you define rules in Gateway Administration, you can select the action Report when this rule is applied. If you select this action, an entry is written to a special log file on the Exchange or SMTP server whenever that rule is triggered. The entry includes the name of the rule that was applied and the subject line from the message that triggered it, in the following format.

YYYY-MM-DD@HH:MM:SS.SSS: <rule-applied><rule-name>Name of this rule</rule-name><msg-subject>Subject: message subject</msg-subject><comment>Description for this rule</comment></rule-applied>


The log files are located by default in c:\Documents and Settings\All Users\Application Data\Liquid Machines\Gateway\logs. The file names begin with the word audit. For information on changing the log file name, if and when the logs are cycled, and so on, see “Appendix A. Gateway Configuration File Syntax,” on page 91.

Important! If you choose to cycle the log files, be sure you save older ones before they are overwritten, so you do not lose important tracking data.

You can use a script or other technology to import log files into Excel, an SQL database, or something similar, so that you can then run analyses and reports on the activity. The following fields are available to you in each audit record:

• The date and time the event occurred.

• The name of the rule applied.

• The subject line of each message to which it was applied.

• The administrative description of the rule, from the Gateway Rules Authoring Tool.
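As an added example (not part of the guide or the product), a Python script that parses audit records in the format shown above into the four fields listed, counts how often each rule fired, and flattens the records to CSV for import into Excel or a database. The sample lines are constructed to match the documented format; lines that do not match it are skipped.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample records in the documented audit format (not real Gateway output).
SAMPLE_AUDIT_LOG = """\
2008-03-14@09:15:27.123: <rule-applied><rule-name>Protect Top Secret</rule-name><msg-subject>Subject: top secret Q1 forecast</msg-subject><comment>Protect messages marked top secret</comment></rule-applied>
2008-03-14@09:16:02.004: <rule-applied><rule-name>Brokers</rule-name><msg-subject>Subject: Renewal quote</msg-subject><comment>All mail to brokers is protected</comment></rule-applied>
2008-03-14@09:16:40.551: <rule-applied><rule-name>Protect Top Secret</rule-name><msg-subject>Subject: RE: top secret Q1 forecast</msg-subject><comment>Protect messages marked top secret</comment></rule-applied>
2008-03-14@09:17:00.000: this line is not a rule-applied record and is skipped
"""

# One record per line: a timestamp, then the <rule-applied> element with its three children.
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}@\d{2}:\d{2}:\d{2}\.\d{3}): "
    r"<rule-applied>"
    r"<rule-name>(?P<rule>.*?)</rule-name>"
    r"<msg-subject>(?P<subject>.*?)</msg-subject>"
    r"<comment>(?P<comment>.*?)</comment>"
    r"</rule-applied>\s*$"
)


@dataclass
class AuditRecord:
    timestamp: datetime
    rule_name: str
    subject: str
    comment: str


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Parse one audit line; return None for lines that are not rule-applied records."""
    match = AUDIT_RE.match(line)
    if match is None:
        return None
    timestamp = datetime.strptime(match.group("ts"), "%Y-%m-%d@%H:%M:%S.%f")
    subject = match.group("subject")
    # The logged subject carries a literal "Subject: " prefix; strip it for reporting.
    if subject.startswith("Subject: "):
        subject = subject[len("Subject: "):]
    return AuditRecord(timestamp, match.group("rule"), subject, match.group("comment"))


def parse_audit_log(text: str) -> List[AuditRecord]:
    """Parse a whole audit file, skipping lines that do not match the record format."""
    records: List[AuditRecord] = []
    for line in text.splitlines():
        record = parse_audit_line(line)
        if record is not None:
            records.append(record)
    return records


def count_by_rule(records: List[AuditRecord]) -> Dict[str, int]:
    """How often each rule fired: a quick measure of which rules actually carry traffic."""
    return dict(Counter(r.rule_name for r in records))


def to_csv(records: List[AuditRecord]) -> str:
    """Flatten records to CSV (header row first) for import into Excel or a database."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "rule_name", "subject", "comment"])
    for r in records:
        writer.writerow([r.timestamp.isoformat(sep=" ", timespec="milliseconds"),
                         r.rule_name, r.subject, r.comment])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(count_by_rule(recs))
    print(to_csv(recs))
```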

Logging Recipient Activity

Microsoft RMS tracks activity that has to do with protected messages. When a recipient tries to access the message, RMS logs information about the time, who tried to access it, whether access was denied, and other information about the transaction. Data is logged to Microsoft SQL Server. For more information on how to access and make use of this data, see your RMS documentation.

Logging Events, Warnings, and Errors

The Gateway for Exchange and SMTP logs important informational events, warnings, and critical errors to the application event log on the Gateway computer. The Gateway can also be enabled to log diagnostic data to a file, suitable for analysis by Liquid Machines engineers. You can read more about these logging capabilities in “Chapter 4. Gateway for Exchange and SMTP Health and Performance,” on page 43.

Statistics

The Gateway for Exchange and SMTP keeps certain counters and other measures of its performance. You can use these counters to gauge the effectiveness and impact of your ruleset. For instance, they can tell you how many messages have been processed in total and how many were protected.

The counters are available from a Web page. If you are logged onto the machine where the Gateway is installed, you can access it at http://localhost:7889/status. If you want to be able to access this URL from another machine, you can change the address and port on which the Gateway listens. For more information, see “monitoring Settings,” on page 96.

The counters are reset to zero every time the Gateway Service is restarted. You can read more about these counters in “Performance Statistics,” on page 52.


Performance Tuning Exchange and SMTP

The performance of the SMTP Service, whether under Exchange or on a stand-alone Windows server using IIS, can be tuned according to several parameters. You may be familiar with these, for example, the ability to limit the size of messages that will be accepted by the SMTP Service. Installing the Gateway for Exchange and SMTP may have an effect on how you choose to set these parameters.

Note that the Gateway makes use of the SMTP service when resubmitting any message it needs to protect or otherwise alter. Therefore, these settings, when the Gateway is installed, affect not only the performance of outbound SMTP email, but also email that might pass from one user to another on the same Exchange server. For example, setting the Limit message size to parameter on the SMTP server, with the Gateway installed will affect both the size of messages permitted to leave the Exchange server and the size of protected messages permitted to be sent at all, even if they go to users on the same server.

All parameters are set from the properties of each SMTP virtual server. Find the virtual server within Exchange System Manager, under each server node under the Protocols > SMTP node, or within the SMTP Virtual Servers node in the IIS administration console. Right-click the virtual server and then click Properties.

• On the General tab:

  • Limit number of connections to: This value should be at least 6 more than the <working-thread-count> value in the Gateway Configuration file. Given the default value of 10 in the Configuration file, we recommend a minimum of 16 for this value. You can read more about the configuration file in “Appendix A. Gateway Configuration File Syntax,” on page 91.

  • Connection-timeout in minutes: Lower values may decrease performance. Values less than 2 minutes may severely affect performance. We recommend no less than the default of 10 minutes.

• On the Messages tab:

  • Limit message size to: Since protected messages are compressed, it is possible that the Gateway may process a message such that it becomes larger after processing, for example if a rule action specifies BCC an unencrypted copy to a mailbox. We suggest that, if you have set this limit already, you set it 50% larger than its current value. Because protection also adds some fixed-size overhead to any message, we caution against setting smaller limits, for example less than 1 megabyte.

  • Limit session size to: Larger values may improve performance. Since protected messages are compressed, it is possible that the Gateway may process a message such that it becomes larger after processing, for example if a rule action specifies BCC an unencrypted copy to a mailbox. We suggest that if you have set this limit already, you should set it to 3 times its current value. You should never set this limit lower than the message size limit. Because protection also adds some fixed-size overhead to any message, we caution against setting smaller limits, for example less than 1 megabyte.

  • Limit the number of messages per connection to: Larger values may improve performance. We recommend a default minimum value of 30.
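Added example, not from the guide or the product: a small Python checker that applies the recommendations above to a set of SMTP virtual server limits, both flagging settings that fall below them and deriving adjusted values (connections at least working-thread-count + 6, message limit 50% larger, session limit 3 times larger and never below the message limit, at least 30 messages per connection). The field names are hypothetical and sizes are assumed to be in bytes.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

MB = 1024 * 1024  # assumption: size limits are handled here in bytes


@dataclass
class SmtpVirtualServerLimits:
    """Settings from the SMTP virtual server Properties dialog (None = not limited)."""
    max_connections: Optional[int]              # General tab: Limit number of connections to
    connection_timeout_minutes: int             # General tab: Connection-timeout in minutes
    max_message_bytes: Optional[int]            # Messages tab: Limit message size to
    max_session_bytes: Optional[int]            # Messages tab: Limit session size to
    max_messages_per_connection: Optional[int]  # Messages tab: Limit the number of messages per connection to


def check_smtp_limits(limits: SmtpVirtualServerLimits,
                      working_thread_count: int = 10) -> List[str]:
    """Return the recommendations the current settings violate (empty list = all fine)."""
    findings: List[str] = []
    min_connections = working_thread_count + 6
    if limits.max_connections is not None and limits.max_connections < min_connections:
        findings.append(f"connections limit {limits.max_connections} is below "
                        f"working-thread-count + 6 = {min_connections}")
    if limits.connection_timeout_minutes < 2:
        findings.append(f"connection timeout {limits.connection_timeout_minutes} min is under "
                        "2 minutes and will severely affect performance")
    elif limits.connection_timeout_minutes < 10:
        findings.append(f"connection timeout {limits.connection_timeout_minutes} min is below "
                        "the recommended default of 10")
    if limits.max_message_bytes is not None and limits.max_message_bytes < MB:
        findings.append("message size limit is under 1 MB; protection adds fixed-size overhead")
    if limits.max_session_bytes is not None:
        if limits.max_session_bytes < MB:
            findings.append("session size limit is under 1 MB; protection adds fixed-size overhead")
        if limits.max_message_bytes is not None and limits.max_session_bytes < limits.max_message_bytes:
            findings.append("session size limit must never be lower than the message size limit")
    if (limits.max_messages_per_connection is not None
            and limits.max_messages_per_connection < 30):
        findings.append(f"messages per connection {limits.max_messages_per_connection} is below "
                        "the recommended minimum of 30")
    return findings


def suggest_limits_for_gateway(limits: SmtpVirtualServerLimits,
                               working_thread_count: int = 10) -> SmtpVirtualServerLimits:
    """Derive adjusted limits for a server whose limits were set before the Gateway was installed."""
    new = replace(limits)  # copy; unlimited (None) settings are left unlimited
    if new.max_connections is not None:
        new.max_connections = max(new.max_connections, working_thread_count + 6)
    new.connection_timeout_minutes = max(new.connection_timeout_minutes, 10)
    if new.max_message_bytes is not None:
        new.max_message_bytes = max(new.max_message_bytes * 3 // 2, MB)  # 50% larger, >= 1 MB
    if new.max_session_bytes is not None:
        new.max_session_bytes = max(new.max_session_bytes * 3, MB)       # 3 times, >= 1 MB
        if new.max_message_bytes is not None:                            # never below message limit
            new.max_session_bytes = max(new.max_session_bytes, new.max_message_bytes)
    if new.max_messages_per_connection is not None:
        new.max_messages_per_connection = max(new.max_messages_per_connection, 30)
    return new


if __name__ == "__main__":
    # Constructed pre-installation settings: 10 connections, 10 min, 2 MB / 4 MB, 20 per connection.
    before = SmtpVirtualServerLimits(10, 10, 2 * MB, 4 * MB, 20)
    for finding in check_smtp_limits(before):
        print("finding:", finding)
    print(suggest_limits_for_gateway(before))
```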


Chapter 4. Gateway for Exchange and SMTP Health and Performance

The Gateway for Exchange and SMTP logs information that you can use to assess its health and performance. This chapter describes the information:

• “Application Event Logs,” on page 43

  • “Errors,” on page 43

  • “Warnings,” on page 48

  • “Informational Messages,” on page 50

• “Diagnostic Logging,” on page 51

• “Performance Statistics,” on page 52

  • “Counters,” on page 54

  • “Levels,” on page 55

  • “Watches,” on page 56

  • “Using Statistics,” on page 56

Application Event Logs

The Gateway for Exchange and SMTP logs important information about its operations to the Windows Application Event Log on the Gateway machine. The following list includes errors, warnings, and informational messages you may receive. It tells what causes them and how to resolve the issues. If you are unable to resolve problems using the procedures here, or if the problems recur frequently, contact Liquid Machines Product Support.

Many events include diagnostic information, like stack traces of the code, which you may be asked to provide to Liquid Machines Product Support so that they can more closely analyze the problem.

Errors

• A fatal error has occurred. An error occurred that caused a process to terminate. The reason for the error is specified in the event description. This error may be logged either by the Adapter or by the Service, depending on where it occurred. The error may also terminate IIS.

Restart the Gateway Service, restart IIS, and contact Liquid Machines Product Support.

• A serious error has occurred. An error has occurred, but the Gateway has recovered from it. The reason for the error is specified in the event description. This error may be logged either by the Adapter or by the Service, depending on where it occurred.

Contact Liquid Machines Product Support.


• Liquid Machines Email Control IIS SMTP Event Sink failed to restart Gateway Service. The Adapter failed to restart the Gateway service after it crashed.

Check the Application Event Log for any errors returned by the Service. Check to see if the Service is started in the Service Control Panel. If it is, consider restarting it. If it is not, try to resolve any errors that might prevent it from starting; for example, you may need to type the correct password into the Service’s start-up credentials or give the service account the right to log in as a service on this machine.

• Liquid Machines Email Control IIS SMTP Event Sink failed to resubmit a modified message. The Adapter failed to resubmit a message to IIS after modifications. Additional text in the error message explains whether the submission will be tried again later or the original message will pass through to some recipients as is.

• Liquid Machines Email Control IIS SMTP Event Sink failed to submit a new message. The Adapter failed to submit a new message, such as an alert or BCC generated by a rule. Additional text in the error message explains whether the submission will be tried again later or the new message will be lost.

• Liquid Machines Email Control IIS SMTP Event Sink could not handle message format. The Adapter has passed a message through because of an unhandled format or encoding. The error message includes one of the following reasons:

  • MIME Message is malformed.

  • TNEF Message is malformed.

  • Message uses unsupported character set '<charset-name>'.

• Liquid Machines Email Control IIS SMTP Event Sink detected duplicate Event Sink bindings. The Adapter detected that two virtual server instances have settings that were intended for only one. The error message lists the instance numbers of the SMTP virtual servers with invalid event sink bindings. This probably happened because bindings were copied by Exchange when creating a new virtual server.

Run the Gateway Configuration Tool to clean up these bindings. Until then the new virtual server will use the copied settings from a previous virtual server.

• Liquid Machines Email Control Gateway initialization failed. lmecgateway.exe failed to start; the Liquid Machines Email Control Gateway initialization failed.

Check the message for the reason for the failure. It could be because of an invalid Configuration file or access permissions to configured data directories.

• Liquid Machines Email Control Gateway rejected request. A Gateway request failed. The message includes the request URL.

Contact Liquid Machines Product Support.


• Liquid Machines Email Control Gateway detected an invalid ruleset cache. The contents of a ruleset cache are invalid. The message includes the cache directory and error details.

This error will only occur if someone or something outside the Service changed the XML file used to manage cached rulesets.

You may not need to do anything. If the Gateway is still running, it was able to clear the cache itself and will fetch rulesets and store them when requested. If the Service fails to start:

1. Delete the cache directory and make sure the Gateway User has permissions to re-create the directory.

2. Restart the Gateway for Exchange and SMTP.

3. If the problem doesn’t go away, contact Liquid Machines Product Support.

• Liquid Machines Email Control Gateway unable to read ruleset cache. Reading the ruleset cache information failed. The message includes the cache directory and error details.

This error will only occur if the Service cannot read from (or create when started for the first time) its cache directory. Usually this is because of a permissions error. If this occurs, the Service will fail to start.

1. Delete the cache directory and make sure the Gateway User has permissions to re-create the directory.

2. Restart the Gateway for Exchange and SMTP.

3. If the problem doesn’t go away, contact Liquid Machines Product Support.

• Liquid Machines Email Control Gateway failed to read cached ruleset. Reading the cache file for a ruleset failed. The message includes the cached file and ruleset URI.

This will only be seen at Service startup. It will only occur if there is an error trying to read a particular previously cached ruleset; this error will not be seen if the cache directory or the database file cannot be read. This should only occur if someone or something has changed permissions on the particular file or currently has it locked.

You do not need to do anything to keep the system running. The Service will ignore the ruleset and refetch it later, if needed. If nothing is done, the error will be logged each time the Service is started. To eliminate this, read the error details and perform the appropriate remedy.

• Liquid Machines Email Control Gateway failed to store ruleset in cache. The store of a ruleset in the cache failed. The message includes the ruleset URI and error details.

This can occur any time a ruleset needs to be cached (either on the initial fetch or when detecting a modification). It will occur:

• If the old file (if any) cannot be deleted (permissions, in use, etc.)

• If the database cannot be updated (permissions)

• If the new file cannot be created (for permission or disk space/quota reasons)

Read the error details. They will give enough information to determine if:

• Disk/quota space has been exhausted.

• There are insufficient permissions.


• Filter failed to process message. The Filter failed to process a message. The error message includes one of the following reasons:

  • Message with <msg subject> using ruleset <rules URI> had error: <error category> <exception description>.

  • Message with <msg subject> needs unavailable <rules URI>.

Processing may fail for a variety of reasons. Read the descriptive text of the error for additional clues and check the Event log for concomitant errors, such as a failure to initialize RMS connections or to complete an Active Directory lookup.

• Failed to initialize protection environment. Generic protection features failed to initialize. Preceding events will describe the status of each enabled security service.

• Failed to initialize Microsoft RMS. The Gateway is unable to initialize its profile for interacting with RMS. For some reason, it cannot get an updated RAC (user identity) from the RMS Server. Examine the text of the message for the RMS error code:

  • E_DRM_AUTHENTICATION_FAILED. Possible reasons:

    Service account password has been changed.
    Service account is locked out or disabled.
    Internet Explorer settings weren’t set right or have been changed inappropriately.

    Check to see if other users are having problems authenticating to RMS. You may need to alert RMS administrators.

  • E_DRM_SERVER_NOT_FOUND. Possible reasons:

    The RMS server is down.
    DNS or network troubles are preventing the Adapter from finding or connecting to the RMS server.

    Check to see if other users are having problems connecting to the RMS server.

  • E_DRM_ACCESS-DENIED. Possible reason:

    Someone has Outlook running on the EV machine.

When this event occurs, any attempt the Gateway makes to protect or unprotect RMS messages or attachments will fail (and log a separate error event). To fully resolve this issue, you must remedy the situation and restart the Gateway Service.

Verify that your RMS infrastructure is working correctly. From an RMS and Office 2003 workstation, log on as the service account under which the Gateway runs and see if you can create and send a protected email. Verify that someone else can read it.

You may need to reinitialize the service account’s profile. To do this, stop the Gateway and delete the service account’s profile folder from the machine. This is typically located in c:\Documents and Settings\serviceaccountloginname. Then log on to the Gateway machine as the service account user, repeat any prerequisite steps required during install, and start the Gateway.


• Failed to initialize Liquid Machines Policies and Keys (Universal Enforcement Services). Liquid Machines Document Control was enabled and failed to initialize. Examine the text of the message for the Liquid Machines error code:

  • SCS_NETWORK_ERROR tends to indicate a basic network connectivity problem.

  • SCS_NETWORK_PROTOCOL_ERROR tends to indicate a basic network connectivity problem.

  • SCS_SERVICE_UNAVAILABLE tends to indicate a basic network connectivity problem.

  • SCS_AUTHENTICATION_FAILURE indicates a problem with the service account authenticating to the Liquid Machines Document Control server at a basic level.

  • SCS_APP_PROCOL_ERROR could possibly indicate a problem with a transparent content router. You should probably call Liquid Machines Support.

  • SCS_INVALID_DATA_FORMAT could possibly indicate a problem with a transparent content router. You should probably call Liquid Machines Support.

  • SCS_NOT_AUTHORIZED could possibly indicate a problem with a transparent content router. You should probably call Liquid Machines Support.

When this event occurs, any attempt the Gateway makes to protect or unprotect Liquid Machines Document Control attachments will fail (and log a separate error event). To fully resolve this issue, you must remedy the situation and restart the Gateway Service.

To troubleshoot your connection to the configured policy servers, go to https://thehostname/LiquidMachines-DocumentControl/login.aspx and try to log in as the Adapter service account. If you cannot get to the page, the server is down, or there is a basic network connectivity problem. You should either be able to log in or get a message saying you do not have privileges as an administrator. If not, there may be a problem with the authentication infrastructure and the Liquid Machines server.

• Failed to update data for a Liquid Machines Policy Server. A poll to a Liquid Machines Document Control server has failed. The message includes the server name or URL, the server ID, and a description of the failure.

• Failed to protect a message. The Gateway was unable to encrypt a message. Protection can fail for a variety of reasons.

You may want to follow the procedures for Failed to initialize Microsoft RMS, above.

• Failed to unprotect a message. The Gateway was unable to decrypt a message. Protection can fail for a variety of reasons. For example, the message may have been generated by a foreign RMS installation.

Examine the text of the message for an error code:

  • E_DRM_RIGHT_NOT_GRANTED means that there is something wrong with the RMS Super User function. Specifically, the RMS server doesn’t recognize that the service account is in the Super User group.

Have someone check to see if your service account is in the group. If it is, there is a problem on the RMS server that might be remedied by clearing some caches.


• PSR_* (for example, PSR_NO_PERMISSIONS, PSR_UKNOWN_POLICY) is a Liquid Machines error code. Make sure the service account is in the right role in the right policy, in other words, that it has Read and Remove protections rights for this document. One way to test this is to log in as the service account to a workstation that has the Liquid Machines Document Control client installed and see if you can unprotect the document.

• Failed to reprotect a message. The Gateway was unable to reprotect a message. Protection can fail for a variety of reasons.

You may want to follow the procedures for Failed to initialize Microsoft RMS, above.

• Failed to protect a document. A document protection failed.

You may want to follow the procedures for Failed to initialize Microsoft RMS or Liquid Machines, above.

• Failed to unprotect a document. A document unprotection failed.

You may want to follow the procedures for Failed to initialize Microsoft RMS or Liquid Machines, above.

• Failed to reprotect a document. A document reprotection failed.

You may want to follow the procedures for Failed to initialize Microsoft RMS or Liquid Machines, above.

Warnings

• Liquid Machines Email Control IIS SMTP Event Sink state changed to PEND because Gateway Service changed from EAS_AVAILABLE to <new state>. The Adapter entered a state in which it will delay all messages, because of an unavailable Gateway service.

• Liquid Machines Email Control IIS SMTP Event Sink state changed to PASSTHROUGH because Gateway Service changed from EAS_AVAILABLE to <new state>. The Adapter entered a state in which it will pass all messages through unprocessed, because of an unavailable Gateway service.

• Liquid Machines Email Control IIS SMTP Event Sink pended a message. The Adapter has pended a message (held it for later retry).

• Liquid Machines Email Control IIS SMTP Event Sink passed a message through unprocessed. The Adapter has passed a message through because of errors.

• Liquid Machines Email Control IIS SMTP Event Sink detected a message with a non-SMTP sender address. The Adapter processed a message whose sender has no SMTP email address. Non-SMTP addresses cannot be processed. The message will be treated as if the sender address is empty (no sender). The message includes the non-SMTP address string.

• Liquid Machines Email Control IIS SMTP Event Sink detected a message with a non-SMTP recipient address. The Adapter processed a message with a recipient with no SMTP email address. Non-SMTP addresses cannot be processed. This recipient will be ignored, and the message will pass through unprocessed for this recipient only. Frequently this means an NDR will later be generated for this recipient. The message includes the non-SMTP address string.


• Liquid Machines Email Control Gateway unable to find ruleset on refresh. Stale ruleset will be used until next poll period. ruleset uri: <ruleset URI>; error details: <exception details>. A ruleset was absent when fetched because of cache expiration. The message includes the ruleset URI and error details.

This will occur when a rule has expired and the attempt to refetch fails with a Not Found error (that is, a 404 if using HTTP to fetch or a File Not Found if using a file URL). The current, stale ruleset will continue to be used until the ruleset either is made available again at its URL or is removed from the system.

• Liquid Machines Email Control Gateway found an invalid ruleset on refresh. Stale ruleset will be used until next poll period. A ruleset failed to import when fetched, because of cache expiration. The message includes the ruleset URI and error details.

This will occur when a rule has expired and, when refetched, was found to be invalid. A rule is considered invalid if it is malformed, contains illegal data, or omits required data. The current, stale ruleset will continue to be used until the ruleset either is fixed at its URL or is removed from the system.

• Liquid Machines Email Control Gateway failed to fetch ruleset on refresh. Stale ruleset will be used until next poll period. A ruleset fetch failed on cache expiration. The message includes the ruleset URI and error details.

This will occur when a rule has expired and couldn’t be refetched for a reason other than that there is no such ruleset. This may occur if the ruleset URI is an HTTP URL and the web server rejects the request for whatever reason. The current, stale ruleset will continue to be used until the ruleset either is made available again at its URL or is removed from the system.

• Failed to obtain a user's group memberships from directory. An AD request failed to get groups for a user. The Gateway, when processing a rule that includes the condition Is member of Active Directory Group, was unable to look up the user.

Verify that the group designated in the rule is still valid. Check the machine’s Event logs for other symptoms of Active Directory infrastructure failure, such as timeout errors when contacting domain controllers. Verify that the service account has adequate permissions to query the directory; some strict AD Group Policies can take away these privileges.

• Failed to obtain a group's members from directory. An AD request failed to get users for a group. The Gateway, when processing a rule that includes the condition Is member of Active Directory Group, was unable to look up the group.

Verify that the group designated in the rule is still valid. Check the machine’s Event logs for other symptoms of Active Directory infrastructure failure, such as timeout errors when contacting domain controllers. Verify that the service account has adequate permissions to query the directory; some strict AD Group Policies can take away these privileges.


Informational Messages

• Liquid Machines Email Control IIS SMTP Event Sink has been initialized. IIS has loaded the Event Sink (lmwinsmtp.dll). The message includes the product version and build ID.

• Liquid Machines Email Control IIS SMTP Event Sink has been shut down. IIS has unloaded the Event Sink (lmwinsmtp.dll).

• Liquid Machines Email Control IIS SMTP Event Sink event processing started. The first message is processed, at which point the Adapter creates threads and otherwise sets up processing.

• Liquid Machines Email Control IIS SMTP Event Sink state changed to PROCESS because Gateway Service changed from <previous state> to EAS_AVAILABLE. The Adapter began processing messages normally again after it had been in a PEND or PASSTHROUGH state.

• Liquid Machines Email Control IIS SMTP Event Sink restarted Gateway Service. The Adapter successfully restarted the Gateway Service after a crash.

• Liquid Machines Email Control Gateway has been initialized. The Gateway Service (lmgateway.exe) started up successfully. The message includes the product version and build ID.

• Liquid Machines Email Control Gateway has been shut down. The Gateway Service (lmgateway.exe) shut down successfully.

• Liquid Machines Email Control Gateway loaded cached ruleset. A cached ruleset was successfully loaded.

• Liquid Machines Email Control Gateway stored ruleset in cache. A cached ruleset was stored.

• Liquid Machines Email Control Gateway loaded new ruleset. A new ruleset was fetched.

• Liquid Machines Email Control Gateway reloaded existing ruleset. A ruleset was reloaded.

• Liquid Machines Email Control Gateway detected ruleset redirect. A ruleset was redirected.

The ruleset file being retrieved is located on a Web server. The file has been moved to another Web server, and the Gateway has been redirected by the old Web server to the new one. You should update the ruleset URL to the new one, using the Gateway Virtual Server Configuration Tool.

• Liquid Machines Email Control Gateway successfully updated stale ruleset. A ruleset was updated automatically.

• Protection environment initialized. All configured protection features have been initialized. Generic features were successful. Preceding events will describe the status of each protection type.

• Microsoft RMS session initialized. RMS is enabled and initialized successfully.

• Liquid Machines Policies and Keys (Universal Enforcement Services) initialized. Liquid Machines Document Control is enabled and initialized successfully.

• Successfully updated data for a Liquid Machines Policy Server. A poll to a Liquid Machines Document Control server has completed successfully.

• Failed to protect a message from external server. A message protection failed on content that came from a server that is not determined to be local. Because the content is protected by an external server, this is not considered an error case. However, if it happens unexpectedly, you should examine the message and server information to determine whether the configuration needs to be changed.

• Failed to unprotect a message from external server. A message unprotection failed on content that came from a server that is not determined to be local. Because the content is protected by an external server, this is not considered an error case. However, if it happens unexpectedly, you should examine the message and server information to determine whether the configuration needs to be changed.

• Failed to reprotect a message from external server. A message reprotection failed on content that came from a server that is not determined to be local. Because the content is protected by an external server, this is not considered an error case. However, if it happens unexpectedly, you should examine the message and server information to determine whether the configuration needs to be changed.

• Failed to protect a document from external server. A document protection failed on content that came from a server that is not determined to be local. Because the content is protected by an external server, this is not considered an error case. However, if it happens unexpectedly, you should examine the message and server information to determine whether the configuration needs to be changed.

• Failed to unprotect a document from external server. A document unprotection failed on content that came from a server that is not determined to be local. Because the content is protected by an external server, this is not considered an error case. However, if it happens unexpectedly, you should examine the message and server information to determine whether the configuration needs to be changed.

• Failed to reprotect a document from external server. A document reprotection failed on content that came from a server that is not determined to be local. Because the content is protected by an external server, this is not considered an error case. However, if it happens unexpectedly, you should examine the message and server information to determine whether the configuration needs to be changed.

Diagnostic Logging

The Gateway for Exchange and SMTP is also capable of generating diagnostic log file data suitable for analysis by Liquid Machines software engineers. Liquid Machines Product Support may require you to enable this logging as a part of a troubleshooting procedure. You can read more about how this is done, where the log files are located and so on, in “Logging and Statistics,” on page 39.

Performance Statistics

The Gateway keeps a number of performance counters that you can use to see how well it is running and gauge the effectiveness or impact of your rulesets. Note that it is the Service, not the Adapter, that keeps these statistics. When the Service is started, the statistics are cleared, that is, set back to zero.

The counters are available from a Web page. If you are logged onto the machine where the Gateway is installed, you can access it at http://localhost:7889/status. If you want to be able to access this URL from another machine, you can change the address and port on which the Gateway listens. For more information, see “Monitoring Settings,” on page 96.

Depending on your browser, you may be able to collapse and expand sections of the display. For example, in Internet Explorer:

• To collapse a section of the display, click its red minus sign (-). When you close a section, the minus turns to a plus (+).

• To expand a section of the display, click its red plus sign (+).

The display is written in Extensible Markup Language (XML), so scripts or tools can process the output. The string at the top indicates this:

<?xml version="1.0" encoding="UTF-8" ?>

The next line shows the time and date the statistics were retrieved, called a moment:

<statistics moment="2006-09-19T00:13:53.747Z">

It shows the year, month, and day, and then the hour, minute, second, millisecond, and time zone. Z indicates that the time is Coordinated Universal Time, not local time.

The remaining lines are grouped into sections: counters, levels, and watches. Each section contains one or more items, and each item contains one or more values.

<section>
<item one>
<value one>0</value one>
<value two>1</value two>
</item one>
</section>

Counters

The first section contains counters. Counters keep track of how many times a particular event has happened since the Gateway was restarted. When the Gateway starts, the counter is set to zero (0), and each time a particular event happens, that event's counter increases by one.

Each counter has a name and a single, unlabeled value:

<counter-name>
<value>#</value>
</counter-name>

The counters are:

• client-connections-accepted: How many times the Gateway Configuration Tool, or the Adapters for the virtual IIS SMTP instances, have initiated a network connection to the Service. This should be less than the number of requests, below, since the connections persist across requests.

• client-requests: How many times the Adapter or Gateway Configuration Tool have requested the Service to do something, such as process a message or store a new ruleset.

• client-requests-failed: How many requests the Adapter or Gateway Configuration Tool have made that have failed, because the Gateway refused them.

• filter-messages-processed: How many messages the Service has processed. Processed means that the message was scanned to see if it might trigger any rules.

• filter-messages-failed: How many messages the Service failed to process, for example, because it could not contact RMS services or Active Directory.

• filter-messages-blocked: If you have rules that take the action Do not deliver to anyone, this shows how many times those rules have blocked messages.

• filter-messages-recipients-modified: If you have rules that take the action Do not deliver to group members, this shows how many times those rules have changed the recipient lists of messages.

• filter-messages-modified: How many messages the Filter has modified.

• filter-new-messages-generated: If you have rules that take the action Alert the sender or BCC a mailbox, this shows how many times those rules have sent an alert or a BCC.

• filter-rules-evaluated: How many rules the Gateway has tested messages against.

• filter-rules-fired: How many rules have had conditions that evaluated to True, which caused the rule to perform its actions.

• directory-lookups: How many times the Gateway queried Active Directory to resolve a group into its individual members.

• messages-protected: How many messages were protected by all rules-based virtual servers, by rules that were triggered that had protection actions.

• messages-unprotected: How many messages were unprotected by all virtual servers in either of the two Unprotect modes.

• messages-reprotected: How many messages were reprotected by all virtual servers in Reprotect mode.

• documents-protected: How many documents were protected by all rules-based virtual servers, by rules that were triggered that had protection actions.

• documents-unprotected: How many documents were unprotected by all virtual servers in either of the two Unprotect modes.

• documents-reprotected: How many documents were reprotected by all virtual servers in Reprotect mode.

Levels

The second section contains levels. Levels measure how high or low some value has gotten, or what it is set to right now. For example, whereas a counter may say how many client connections have occurred, a level says how many are open right now. When the Gateway is restarted, all levels are reset to zero.

Each level has a name; a minimum and maximum value, which show the lowest and highest the counter has ever been; and a current value, which shows what the level was at the moment the results were retrieved.

<level-name>
<current>#</current>
<maximum>#</maximum>
<minimum>#</minimum>
</level-name>

The levels are:

• open-client-connections: The number of open connections maintained from Adapters on all virtual servers and the Gateway Configuration Tool, to the Gateway Service.

• requests-in-progress: The number of requests from Adapters that the Service is simultaneously processing.

• filter-messages-in-progress: Actual messages being processed simultaneously by the Service.

Watches

The last section contains watches. Watches measure the amount of time it takes to complete an action. For example, whereas a counter tells how many messages have been processed, a watch tells the longest time the Service ever took to process a message. That is, of all the messages the Gateway has processed, it has never taken more than a particular number of milliseconds to finish any one.

Each watch has a name, an average time, a maximum time, a minimum time, and a count of the events used to calculate the average. So, for example, it may have taken on average 30 milliseconds, never more than 100 milliseconds, and never less than 3 milliseconds to process a message, over the last 1000 messages processed.

<watch-name>
<average-time-extent># ms</average-time-extent>
<count>#</count>
<maximum-time-extent># ms</maximum-time-extent>
<minimum-time-extent># ms</minimum-time-extent>
</watch-name>

The watches are:

• request-processing-time: The amount of time it takes for the Service to return an answer to an Adapter or Gateway Virtual Server Configuration Tool that has made a request.

• message-filtering-time: The amount of time it takes for the Service to process a message.

• message-protecting-time: The amount of time it takes for the Service to protect a message.

• message-unprotecting-time: The amount of time it takes for the Service to unprotect a message.

• message-reprotecting-time: The amount of time it takes for the Service to reprotect a message.

• document-protecting-time: The amount of time it takes for the Service to protect a document.

• document-unprotecting-time: The amount of time it takes for the Service to unprotect a document.

• document-reprotecting-time: The amount of time it takes for the Service to reprotect a document.

Using Statistics

You can use statistics to monitor and understand the operation of your Gateway. Consult with Liquid Machines Product Support on how best to do this for your configuration and environment. Below are some example approaches.

Monitoring Health and Performance

A large number of client-requests-failed or a high average request-processing-time (1000 milliseconds or more) may indicate a resource exhaustion problem on the Gateway machine or within your RMS or Active Directory infrastructure. Check your machine and operating system for other symptoms in the event logs, such as out of memory errors, or timeout errors contacting RMS or Active Directory. You may want to restart the Gateway Service, and, if that does not work, then IIS, in order to alleviate the exhaustion, until the problem can be better understood.

A large number of filter-messages-failed or high average message-filtering-time may indicate a high volume of corrupt messages entering your system. They may also indicate performance problems with your Active Directory or RMS infrastructure. Check your operating system event logs for timeout errors contacting Active Directory or RMS. Check Exchange event logs for errors accessing corrupt items in the message store. Determine if you are receiving a high number of messages in unsupported character sets, and whether this is normal business for you or perhaps represents a spam attack.

Note: The list of supported character sets is available on our Web site, http://www.liquidmachines.com/, in our Customer Care Center, in Liquid Machines Email Control Knowledge Base Article Q0109.

A steadily increasing number of requests-in-progress or filter-messages-in-progress may indicate a resource exhaustion problem is impending, or that mail transport queues are backing up. Check your Exchange server for steadily increasing message queue sizes or RAM memory consumption. You may want to restart the Gateway Service, and, if that does not work, then IIS, in order to alleviate the exhaustion, until the problem can be better understood.

Monitoring Efficiency and Efficacy

Suppose you have three rules in your ruleset. One has the condition Membership in Active Directory group. The logic of your ruleset seems to allow that the rules can be processed in any order; none of them needs to come first or to test its conditions before the others. You see that filter-rules-evaluated is two or three times filter-messages-processed and that directory-lookups is equal to the number of messages processed. Is your Active Directory rule the first one in the list? It may be that you can move it farther down in the list and reduce significantly both the number of rules evaluated and the number of directory lookups made. The rule, being first in the list, must always be processed, but it isn't catching many messages, whereas the other rules are.

Suppose the number of rules evaluated is many times that of messages processed, but the number of filter-rules-fired is very low. You might want to add the action Report when this rule is applied to all rules and then analyze the audit logs to see which ones are firing. It may be that you do not need some of the rules, that they have little or no effect in your environment. It may also be that your rules have too many and too narrow conditions and are not catching the content you want them to.

Suppose you have a rule that blocks messages, and the triggering condition is membership in an Active Directory group. You know that this group contains several other groups, which in turn have more groups nested in them. You estimated that 10% of messages flowing through your system would be blocked by this rule, but you see that filter-messages-blocked is almost 40% of filter-messages-processed. It may be that the large group in the condition contains more groups and users than you really want to cover, and you need to better analyze what it contains. It may also be that you have discovered something new about your environment: Much more unauthorized communication was going on than you realized.

Suppose you have a rule that encrypts all messages, and the triggering condition is a set of words and phrases that supposedly indicate highly sensitive materials. You estimated that 30% of all messages would be protected. You see that filter-messages-protected is only 5% of filter-messages-processed. It may be that you need to add more words and phrases to your search. It may also be that you learned something new about your users: They are being very conscientious about protecting your company's intellectual assets.
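The status page layout described above and the warning signs listed under “Using Statistics” can be turned into a small monitoring script. The following Python example is added here and is not part of the product: it parses a constructed /status document (the counter, level and watch names are the ones this chapter lists; the values are invented), applies the 1000 ms request-processing-time figure from the guide, and uses its own assumed thresholds (10% failed requests or messages, 5% of messages firing a rule) where the guide only says “a large number” or “very low”. The function and finding names are this example's own.

```python
"""Parse the Gateway /status XML and apply this chapter's health and
efficiency heuristics.  Added example, not the product's own code."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the /status page described in this chapter.
SAMPLE_STATUS = """<?xml version="1.0" encoding="UTF-8" ?>
<statistics moment="2006-09-19T00:13:53.747Z">
 <counters>
  <client-connections-accepted><value>4</value></client-connections-accepted>
  <client-requests><value>1200</value></client-requests>
  <client-requests-failed><value>300</value></client-requests-failed>
  <filter-messages-processed><value>1000</value></filter-messages-processed>
  <filter-messages-failed><value>5</value></filter-messages-failed>
  <filter-rules-evaluated><value>2900</value></filter-rules-evaluated>
  <filter-rules-fired><value>12</value></filter-rules-fired>
  <directory-lookups><value>1000</value></directory-lookups>
 </counters>
 <levels>
  <requests-in-progress><current>7</current><maximum>9</maximum><minimum>0</minimum></requests-in-progress>
 </levels>
 <watches>
  <request-processing-time><average-time-extent>1450 ms</average-time-extent><count>1200</count>
   <maximum-time-extent>4000 ms</maximum-time-extent><minimum-time-extent>3 ms</minimum-time-extent></request-processing-time>
 </watches>
</statistics>
"""


def _ms(text):
    """'1450 ms' -> 1450 (watch values carry a 'ms' suffix)."""
    return int(text.split()[0])


def parse_status(xml_text):
    """Return {'moment', 'counters', 'levels', 'watches'} from a status document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    stats = {"moment": root.get("moment"), "counters": {}, "levels": {}, "watches": {}}
    for item in root.findall("counters/*"):          # one unlabeled value per counter
        stats["counters"][item.tag] = int(item.findtext("value"))
    for item in root.findall("levels/*"):            # current / maximum / minimum
        stats["levels"][item.tag] = {k: int(item.findtext(k)) for k in ("current", "maximum", "minimum")}
    for item in root.findall("watches/*"):           # average / maximum / minimum time and count
        stats["watches"][item.tag] = {
            "average": _ms(item.findtext("average-time-extent")),
            "maximum": _ms(item.findtext("maximum-time-extent")),
            "minimum": _ms(item.findtext("minimum-time-extent")),
            "count": int(item.findtext("count")),
        }
    return stats


def health_findings(stats, avg_ms_limit=1000, failed_ratio_limit=0.10):
    """Codes for the symptoms in 'Monitoring Health and Performance'.
    1000 ms is the guide's figure; the 10% failure ratio is this example's assumption."""
    c, w = stats["counters"], stats["watches"]
    found = []
    requests, failed = c.get("client-requests", 0), c.get("client-requests-failed", 0)
    if requests and failed / requests >= failed_ratio_limit:
        found.append("many-failed-requests")
    if w.get("request-processing-time", {}).get("average", 0) >= avg_ms_limit:
        found.append("slow-request-processing")
    processed, mfailed = c.get("filter-messages-processed", 0), c.get("filter-messages-failed", 0)
    if processed and mfailed / processed >= failed_ratio_limit:
        found.append("many-failed-messages")
    return found


def efficiency_findings(stats, fired_ratio_limit=0.05):
    """Codes for the ruleset symptoms in 'Monitoring Efficiency and Efficacy'.
    The 5% 'very low' firing ratio is this example's assumption."""
    c = stats["counters"]
    processed = c.get("filter-messages-processed", 0)
    if not processed:
        return []
    evaluated, lookups, fired = (c.get(k, 0) for k in
                                 ("filter-rules-evaluated", "directory-lookups", "filter-rules-fired"))
    found = []
    # Several evaluations plus one directory lookup per message: the AD rule is probably first.
    if evaluated >= 2 * processed and lookups >= processed:
        found.append("directory-rule-evaluated-for-every-message")
    # Many evaluations but almost nothing fires: rules may be unneeded or too narrow.
    if evaluated >= 2 * processed and fired / processed < fired_ratio_limit:
        found.append("rules-rarely-fire")
    return found


def rising_levels(snapshots):
    """Names of levels whose 'current' value rose at every poll (the guide's
    'steadily increasing' symptom).  snapshots: parse_status() results in time order."""
    if len(snapshots) < 2:
        return set()
    rising = set()
    for name in snapshots[0]["levels"]:
        values = [s["levels"].get(name, {}).get("current") for s in snapshots]
        if all(v is not None for v in values) and all(b > a for a, b in zip(values, values[1:])):
            rising.add(name)
    return rising


if __name__ == "__main__":
    s = parse_status(SAMPLE_STATUS)
    print(s["moment"], health_findings(s), efficiency_findings(s))
```

Polling http://localhost:7889/status on a schedule and feeding each parsed result to rising_levels is the only way to see the “steadily increasing” symptom, since a single snapshot shows only the current, minimum and maximum of each level.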

Chapter 5
Defining Rulesets and Rules

In the Liquid Machines Gateway Rules Authoring Tool, you can define rules about how email messages will be protected or otherwise handled. You save a set of rules into a file, in a special format, and then make this file available to the Gateway for Exchange and SMTP. This chapter describes how to create rulesets and rules. It contains the following sections:

• “Starting the Gateway Rules Authoring Tool,” on page 59

• “Defining Rulesets,” on page 59

• “Creating a Ruleset,” on page 59

• “Opening an Existing Ruleset,” on page 61

• “Renaming a Ruleset,” on page 62

• “Deleting a Ruleset,” on page 63

• “Working with a Ruleset,” on page 63

• “Defining Rules,” on page 65

• “Creating a Rule,” on page 65

• “Setting Rule Priority,” on page 69

• “Editing, Renaming, or Deleting a Rule,” on page 70

• “Activating or Inactivating a Rule,” on page 70

• “When Multiple Rules Apply: How Actions Add Up,” on page 71

Starting the Gateway Rules Authoring Tool

To start the Gateway Rules Authoring Tool, on the machine where you installed it, on the Start menu, point to (All) Programs, point to Liquid Machines, point to Gateway for Exchange and SMTP, and then click Rules Authoring Tool.

Defining Rulesets

Creating a Ruleset

To create a new ruleset, follow these steps in the Gateway Rules Authoring Tool.

1. Right-click Rules Authoring and then click New.

2. A dialog box appears, asking you to name the new ruleset.

Type a name and then click the OK button.

3. A dialog box appears, prompting you to save the file.

To save the file, click the Save button, as you would with other Windows applications. The new ruleset is saved with the extension .ruleset and appears in the display.

Opening an Existing Ruleset

Note: Version 6.6 of the Gateway Rules Authoring Tool will not open and cannot process rulesets created by version 6.5.x of the tool. However, the Gateway will process these older rulesets correctly.

To open a ruleset, follow these steps in the Gateway Rules Authoring Tool.

1. Right-click Rules Authoring and then click Open.

2. A dialog box appears, asking you to find and open the file.

To open a file, select the file and click the Open button, as you would with other Windows applications. The ruleset appears in the display.

Renaming a Ruleset

To rename a ruleset, follow these steps in the Gateway Rules Authoring Tool.

Note: Changing the name of a ruleset does not change the name of the file under which it is saved.

1. Right-click the ruleset and then click Rename.

2. The name is highlighted. To change the name, type a new name, as you would for a file in Windows Explorer.

Deleting a Ruleset

To delete a ruleset, follow these steps in the Gateway Rules Authoring Tool.

Note: If you want to keep the file, make a copy of it somewhere before you delete the ruleset.

1. Right-click the ruleset and then click Delete.

2. A message asks you to confirm the deletion. Click the Yes button. The ruleset is removed from the display, and the file associated with it is deleted.

Working with a Ruleset

1. Right-click the ruleset and then click Properties. The Properties window shows a description of the rules, if any are defined.

2. Click the Edit button. The Selection Rules window appears. In this window, you can add rules (see “Creating a Rule,” on page 65), change existing rules (see “Editing, Renaming, or Deleting a Rule,” on page 70) or set the priority of rules (see “Setting Rule Priority,” on page 69).

3. When you are done working with rules, click the OK button to close the Selection Rules window.

4. In the Properties window, click the Apply button to save your changes to the ruleset file.

Defining Rules

Creating a Rule

To create a new rule, follow these steps from the Selection Rules window.

1. Click the New button. The Rules Wizard appears. It takes you through a series of four steps to create a rule:

• Step 1 of 4: Select a type of rule.

• Step 2 of 4: Specify conditions for the rule.

• Step 3 of 4: Specify actions for the rule.

• Step 4 of 4: Specify a name for the rule.

2. In Step 1 of 4, notice that you can create different types of rules. You can base your rule on one of the pre-defined templates or you can start with a blank rule. Either way, you then select parameters.

Select Create a new rule from a blank rule and then click the Next button.

3. In Step 2 of 4, in the Conditions box, select the check box next to each condition you want to look for in a message. For more information, see “Specifying Conditions,” on page 73. Conditions are based on the following parameters:

• The occurrence of specific words, phrases, or patterns in the message body or in specific message SMTP header fields. These words, phrases, or patterns are regular expressions. For more information, see “Specifying Words or Phrases,” on page 74, “Creating Patterns,” on page 74, and “Specifying SMTP Header Values,” on page 80.

• Whether the message came from or will be delivered to a member of an Active Directory security or distribution group. For more information, see “Specifying Active Directory Groups,” on page 79.

• The message type, such as protected or not protected. For more information, see “Specifying Message Types,” on page 81.

As you select a check box, the condition appears in the Rule description box.

4. For each check box you selected, click the hyperlink in the Rule description box and enter the appropriate parameter: a word or phrase, an SMTP header value, an Active Directory group, a message type, or a pattern. Then click the Next button.

5. In Step 3 of 4, in the Actions box, select the check box next to each action you want the rule to take against the message. For more information, see “Specifying Actions,” on page 82. Actions include:

• Protect the message with specific options related to confidentiality, expiration, restricted permission, and attachments

• Do not deliver the message to anyone or to group members

• Send an alert message to the sender

• Report when the rule is applied

• Add a specific custom SMTP header

• Send a blind copy or unencrypted copy to a mailbox

• Stop processing more rules (Selected by default. See “Setting Rule Priority,” on page 69.)

As you select a check box, the action appears in the Rule description box.

6. For each check box you selected, click the hyperlink in the Rule description box and enter information about the action you want to take, for example, the specific options for protecting the message.

7. Click the Next button.

8. In Step 4 of 4, enter a descriptive name for the rule.

9. To save the rule, click the Finish button. The rule appears in the Selection Rules window.

Setting Rule Priority

If you clear the check box for the Stop processing more rules action (which is selected by default in each rule), the Gateway continues with the next rule in the Selection Rules window, evaluating its conditions and actions as well. So it is important to order the rules according to priority.

• To move a rule up in priority, select the rule and then click the Move Up button.

• To move a rule down in priority, select the rule and then click the Move Down button.

Editing, Renaming, or Deleting a Rule

1. To open the Selection Rules window, in the Gateway Rules Authoring Tool, right-click the ruleset and click Properties, and then click the Edit button.

2. In the Selection Rules window, select the rule you want to work with.

3. Do one of the following:

• To edit a rule, click the Edit button and navigate through the steps in the same way you add a rule.

• To rename a rule, click the Rename button and type the new name in the dialog box that comes up. Then click the OK button.

• To delete a rule, click the Delete button.

Activating or Inactivating a Rule

The Gateway for Exchange and SMTP ignores inactive rules, so you don’t have to delete a rule if you might want to use it again. Instead, you can make it inactive, and then make it active again when you need it.

1. To open the Selection Rules window, in the Gateway Rules Authoring Tool, right-click the ruleset and click Properties, and then click the Edit button.

2. Do one of the following.

• To make a rule inactive, clear the check box next to it.

• To make an inactive rule active again, select the check box next to it.

When Multiple Rules Apply: How Actions Add Up

When you clear the check box for the action Stop processing more rules, it is possible that more than one rule will apply to a message, and therefore a series of like or same actions will be taken.

When two actions of the same type apply, it may not be obvious how they add up, for example, if one rule applies a 90-day expiration and another applies a 30-day expiration. The following sections describe how these actions add up.

Protect the Message with Specific Options

Confidentiality Options

To Original Recipients takes precedence over To Users Within Groups, which in turn takes precedence over To Anyone. The action that takes precedence is the only one that applies. In the event that To Users Within Group takes precedence, and more than one rule applies it, the first rule wins. That is, the first rule that was triggered, that applied a group, gets its group applied, and the other rules are nullified, for this operation only.

Example: If one rule defines bankers and another defines accountants, only bankers will be allowed to read the message.

Expiration Options

The earliest expiration time applies.

Example: If one rule defines 90 days and the other 30 days, 30 days is applied to the message. If one rule defines 1 month and another applies 30 days, the system calculates what occurs sooner, the day 30 days from now, or the day with the same number as today but one month hence.

Attachment Options

Protect Attachments

If any rule sets this option, it applies.

Make Attachments Read Only

If any rule sets this option, it applies.

Restricted Permission Options

Block Forward

If any rule sets this option, it applies.

Block Reply

If any rule sets this option, it applies.

Block Reply-All

If any rule sets this option, it applies.

Block Copy

If any rule sets this option, it applies.

Block Printing

If any rule sets this option, it applies.

Do Not Deliver Message to Anyone

If any rule sets this option, it applies, and delivery is blocked to everyone. The message does not go to any of the original recipients. However, if any rules specify a BCC action, those copies are delivered.

Do Not Deliver Message to Group Members

All the lists of matched recipients are added up, and delivery of the message is blocked for anyone in the total list. That is, if a would-be recipient exists in any of the groups in any of the triggered rules, that recipient does not receive the message. However, BCCs specified by rules are still delivered.

Example: One rule blocks delivery to the Finance group, and another to the Brokers group. Both rules trigger. No one in the Finance or Brokers group gets the message.

Send Alert Message to Sender

Multiple alerts are sent, every one specified by each of the triggered rules.

Report When this Rule is Applied

Multiple events are logged, every one specified by each of the triggered rules.

Add Specific Custom SMTP Header

If the header name existed before the Gateway received the message, it is overwritten by whatever is specified in the rule(s).

If multiple rules within the Gateway define the same header name, the header is written multiple times to the message. That is, there is more than one header of the same name, each with a value specified by each different rule.

Example: Two rules specify the X-Acme-Retention header, one with value 10 Days and the other with 30 Days. The SMTP headers show X-Acme-Retention twice, once with value 10 Days and once with value 30 Days.

If multiple rules define different headers, then each different header and value is written.

BCC a Copy of this Message to a MailboxAll addresses specified by all rules get a blind copy.

BCC an Unencrypted Copy to a MailboxAll addresses specified by all rules get an unencrypted blind copy.
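The merging behaviour described above, worked through in code. This is an added illustration, not Liquid Machines code: the Rule, Message and group directory are constructed stand-ins, and the Finance/Brokers and X-Acme-Retention values are the guide's own examples.

```python
"""How the Gateway combines the actions of several triggered rules.

Added illustration only, not Liquid Machines code. Rule, Message and the
group directory are constructed stand-ins; the merge semantics follow the
guide: OR for on/off options, union for blocked groups and BCC addresses,
rule-set headers replacing pre-existing ones and repeating once per rule.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Rule:
    name: str
    condition: Callable[["Message"], bool]
    block_everyone: bool = False                  # Do Not Deliver Message to Anyone
    blocked_groups: Set[str] = field(default_factory=set)         # ... to Group Members
    bcc: Set[str] = field(default_factory=set)                    # BCC a Copy ... to a Mailbox
    headers: List[Tuple[str, str]] = field(default_factory=list)  # Add Specific Custom SMTP Header
    block_forward: bool = False                   # one of the Restricted Permission options
    alert_text: str = ""                          # Send Alert Message to Sender
    stop_processing: bool = True                  # Stop Processing More Rules (on by default)

@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    headers: Dict[str, str]                       # headers present before the Gateway saw it

@dataclass
class Outcome:
    recipients: List[str]
    bcc: List[str]
    headers: List[Tuple[str, str]]                # a name may now appear more than once
    block_forward: bool
    alerts: List[str]
    applied: List[str]                            # names of the rules that triggered

def triggered_rules(rules: List[Rule], message: Message) -> List[Rule]:
    """Walk rules in priority order. 'Stop processing more rules' ends the
    walk, but only when the rule carrying it actually triggered."""
    hit = []
    for rule in rules:
        if not rule.condition(message):
            continue
        hit.append(rule)
        if rule.stop_processing:
            break
    return hit

def merge(message: Message, rules: List[Rule], groups: Dict[str, Set[str]]) -> Outcome:
    """groups maps a group name to its members, already flattened through
    nested groups (a constructed stand-in for the Active Directory lookup)."""
    hit = triggered_rules(rules, message)
    # Blocked recipients: the union of every matched group in every triggered rule.
    blocked: Set[str] = set()
    for rule in hit:
        for group in rule.blocked_groups:
            blocked |= groups.get(group, set())
    if any(rule.block_everyone for rule in hit):
        recipients: List[str] = []
    else:
        recipients = [addr for addr in message.recipients if addr not in blocked]
    # Headers: a name set by any rule replaces the pre-existing header of that
    # name; several rules setting the same name each add their own copy.
    overridden = {name.lower() for rule in hit for name, _ in rule.headers}
    headers = [(n, v) for n, v in message.headers.items() if n.lower() not in overridden]
    for rule in hit:
        headers.extend(rule.headers)
    # BCC copies still go out even when delivery to the original recipients is blocked.
    bcc = sorted(set().union(*(rule.bcc for rule in hit)))
    alerts = [rule.alert_text for rule in hit if rule.alert_text]
    return Outcome(recipients, bcc, headers, any(rule.block_forward for rule in hit),
                   alerts, [rule.name for rule in hit])

def example() -> Outcome:
    """The guide's Finance/Brokers and X-Acme-Retention scenarios on constructed data."""
    groups = {"Finance": {"fin@acme.example"}, "Brokers": {"broker@acme.example"}}
    def about_merger(m: Message) -> bool:
        return "merger" in m.subject.lower()
    rules = [
        Rule("Finance hold", about_merger, blocked_groups={"Finance"},
             headers=[("X-Acme-Retention", "10 Days")], stop_processing=False),
        Rule("Brokers hold", about_merger, blocked_groups={"Brokers"},
             headers=[("X-Acme-Retention", "30 Days")], bcc={"compliance@acme.example"},
             block_forward=True, alert_text="Held for compliance review",
             stop_processing=False),
        Rule("Archive everything", lambda m: True, bcc={"archive@acme.example"}),
        Rule("Never reached", lambda m: True, block_everyone=True),  # stopped by the rule above
    ]
    msg = Message("ceo@acme.example",
                  ["fin@acme.example", "broker@acme.example", "eng@acme.example"],
                  "Merger timeline", {"X-Acme-Retention": "Forever"})
    return merge(msg, rules, groups)

if __name__ == "__main__":
    print(example())
```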

Chapter 6. Specifying Rule Conditions and Actions

In Step 2 of 4 of the Rules Wizard, you select the conditions you want to include in the rule you are creating. When you select a check box for a condition in the Conditions box, the condition appears in the Rule description box, where you click its hyperlink and enter any required parameters.

In Step 3 of 4 of the Rules Wizard, you select the actions you want to include in the rule you are creating. When you select a check box for an action in the Actions box, that action appears in the Rule description box, where you click its hyperlink and enter any required parameters.

This chapter describes how to enter the parameters. It contains the following sections:

• “Specifying Conditions,” on page 73
  • “Specifying Words or Phrases,” on page 74
  • “Creating Patterns,” on page 74
  • “Specifying Active Directory Groups,” on page 79
  • “Specifying SMTP Header Values,” on page 80
  • “Specifying Message Types,” on page 81
• “Specifying Actions,” on page 82
  • “Protect the Message with Specific Options,” on page 82
  • “Do Not Deliver Message to Anyone,” on page 86
  • “Do Not Deliver Message to Group Members,” on page 87
  • “Send Alert Message to Sender,” on page 87
  • “Report When this Rule is Applied,” on page 87
  • “Add Specific Custom SMTP Header,” on page 87
  • “BCC a Copy of this Message to a Mailbox,” on page 88
  • “BCC an Unencrypted Copy to a Mailbox,” on page 88
  • “Stop Processing More Rules,” on page 89

Specifying Conditions

You can check for messages that match any or all of the following conditions:

• With specific words or phrases in the subject or message body: See page 74.
• With a specific pattern in the subject; the message body; the To, CC, or BCC address; or the From address: See page 74.
• To or from a member of a specific group: See page 79.
• With custom header values in the SMTP header: See page 80.
• Of a particular message type: See page 81.

Specifying Words or Phrases

When you create a rule, you can specify that it check for messages with specific words or phrases in the subject or message body. When you select the check box next to one of these conditions and then click its hyperlink in the Rule description box, the Search Text dialog box appears.

1. Type the word or phrase in the Search Text dialog box and then click the Add button.

The search matches only the exact full word or phrase. For instance, a search for “Secret” does not also match the word “Secrets.” The search is not sensitive to capitalization, but it is sensitive to punctuation, symbols, and other special characters. The condition will be true if any one of the words or phrases is found.

The search condenses any string of spaces, tabs, line ends, and/or other whitespace down into a single space, in both the phrase to search for and the content being searched. If you want to catch a specific number of spaces or other whitespace characters, use a pattern instead.

2. When you are done, click the OK button.

Creating Patterns

When you create a rule, you can specify that it check for messages with a specific pattern in the subject; the message body; the To, CC, or BCC address; or the From address. When you select the check box next to one of these conditions and then click its hyperlink in the Rule description box, the Create New Pattern dialog box appears.

In the Create New Pattern dialog box, you can add a regular expression, one element at a time. The following example shows how to add an expression to match a Social Security Number, although Social Security Number is one of a few patterns that are built in, and you can just select it. For more information, see “Regular Expressions,” on page 78.

1. Click the Add Pattern button. The Pattern Fragment Wizard appears.

2. A Social Security Number starts with 3 decimal digits, so on the left, click the One of these radio button, and then select the Numbers [0-9] check box. On the right, click the Exactly radio button, and set times equal to 3.

3. Click the Add button. In the Create New Pattern dialog box, you see the regular expression syntax that the wizard added to the pattern.

4. To add the dash (-), click the Add Pattern button.

5. In the Pattern Fragment Wizard, click the Exact phrase radio button and type the dash (-).

6. To add the dash to the pattern, click the Add button.

7. Add more fragments, for certain numbers of decimal digits or dashes, until you have what you think matches a Social Security Number.

8. When you are done, to see if your pattern works, click the Test Pattern button.

9. Type in a Social Security number. When you have typed in a valid number, the test text turns green, and the message at the bottom of the dialog box says Pattern found in sample!

10. To stop testing, click the Done button.

11. To save the pattern, click the OK button.

Regular Expressions

Regular expressions are a kind of programming language for matching patterns. You can match something as simple as a credit card number or as complex as a list of chemical formulas. You can use these patterns to trigger rules.

If you know how to use regular expressions, you can type them into the Pattern field in the Create Pattern dialog box or the Edit Pattern dialog box. The syntax of regular expressions used by Liquid Machines products is very much like that used by the programming language Perl, and, in general, you can look at a Perl reference to learn this syntax. Notable exceptions to it are in “Appendix C. Differences from Perl Regular Expressions,” on page 103.

If you are not familiar with regular expressions, various training materials are available. A Web search for the words regular expression tutorial will yield several online resources. O'Reilly & Associates, Inc., publish several titles covering the subject, including Mastering Regular Expressions and Regular Expression Pocket Reference. All these materials will help you gain a better understanding of and facility with regular expressions.

Although training materials can help you understand and manipulate regular expressions, they may not teach you the exact syntax of the implementation the Gateway for Exchange and SMTP uses. For that you must refer to Perl and to Appendix C, on page 103.

Specifying Active Directory Groups

When you create a rule, you can specify that it check for messages to or from a member of a specific group. When you select the check box next to one of these conditions and then click its hyperlink in the Rule description box, the Group Add/Remove dialog box appears.

Any existing groups appear in the box. You can add or remove groups, using the appropriate buttons. Groups are identified by their email addresses, so only mail-enabled groups are supported.

Nested groups are supported. For example, if Henry is a member of the group Architects, and the group Architects is a member of the group Techs, then a rule that triggers on membership in Techs will be triggered by Henry. The condition is true if membership in any listed group is true.

Adding a Group

To add a group, follow these steps.

1. Click the Add button. The Select Group window appears.

2. Double-click the group. It is added to the list.

3. When you have finished making changes, click the OK button.

Removing a Group

To remove a group, follow these steps.

1. Select the group.

2. Click the Remove button.

3. When you have finished making changes, click the OK button.

Specifying SMTP Header Values

When you create a rule, you can specify that it check for messages with custom header values in the SMTP header. When you select the check box next to this condition and then click its hyperlink in the Rule description box, the Search SMTP Headers dialog box appears.

1. Type the name of the SMTP header in the Header name field. This should be only the name of the header, not including the trailing colon (that is, specify “To” not “To:”).

2. Type a value for the header in the Add new field and then click the Add button.

The condition is true if the header's value exactly matches any value in the list. The test is not case sensitive.

3. When you are done, click the OK button. For more information, see “Appendix B. SMTP Headers,” on page 101.

Specifying Message Types

When you create a rule, you can specify that it check for messages of a particular message type. When you select the check box next to this condition and then click its hyperlink in the Rule description box, the Message Type dialog box appears.

• Select one or more options from the dialog box.

• Email message: Plain email, not protected.

• Delivery report: A message sent by an email server, telling the sender the delivery status of the email they sent, for example, a non-delivery report (NDR). It has a standardized format that you can read about in Internet RFCs.

• Rights Protected message: A message that is encrypted using Microsoft Rights Management Services technology.

• Other message: A message that is not one of the other types. An Outlook calendar invitation is one example.

If you select multiple boxes, the condition is true if the message is one of the selected types.

Specifying Actions

You can apply any or all of the following actions in a rule:

• Protect the message with specific options, based on:
  • Confidentiality: See page 84. Mail can be read when forwarded:
    • To Anyone
    • To Original Recipients
    • To Users Within Groups
  • Expiration: See page 86.
  • Restricted Permission: See page 86.
    • Block Forward
    • Block Reply
    • Block Reply-All
    • Block Copy
    • Block Printing
  • Attachments: See page 86.
    • Protect Attachments
    • Make Attachments Read-Only
• Do not deliver message to anyone: See page 86.
• Do not deliver message to group members: See page 87.
• Send alert message to sender: See page 87.
• Report when this rule is applied: See page 87.
• Add specific custom SMTP header: See page 87.
• BCC a copy to a mailbox: See page 88.
• BCC an unencrypted copy to a mailbox: See page 88.
• Stop processing more rules: See page 89.

Protect the Message with Specific Options

The action Protect the message with specific options encrypts the message using Microsoft RMS technology. The Gateway can apply certain types of controls to an email as it passes through the server. These are:

• Expiration: After a certain date, RMS servers deny access to a message no matter who requests it.

• Group Access Only: RMS gives access to anyone in the specified groups. The groups are defined in your Windows Active Directory. You can define this right for several different groups that represent departments, divisions, or your whole company. Any recipients specifically named in the email are also allowed access, as is the sender.

• Recipient Access Only: RMS gives access only to the recipients named in the original email, and, of course, to the sender.

• Protected Access: Anyone who can obtain credentials within the RMS system can read the message. Typically, this means anyone with an Active Directory account in your company. If your RMS installation was configured to trust other RMS installations, such as Microsoft Passport, this setting includes users on those systems, too.

• Clipboard Blocking: RMS-enabled clients (as well as non-RMS-enabled clients) prevent recipients from copying data in the message to the Clipboard or to other applications.

• Print Blocking: RMS-enabled clients (as well as non-RMS-enabled clients) prevent recipients from printing data in the message.

• Forwarding Prevention: RMS-enabled clients disable the Forward button in the email client interface. Note that this does not prevent the user from choosing to reply to a message and then adding a recipient, or from adding this message as an attachment to a new message. The new recipient will not be able to read the message, but it will be delivered to his or her mailbox.

• Reply Prevention: RMS-enabled clients disable the Reply button in the email client interface. Note that this does not prevent the user from choosing to forward a message and then adding the originator as a recipient, or from adding this message as an attachment to a new message. The new recipient will not be able to read the message, but it will be delivered to his or her mailbox.

• Reply-All Prevention: RMS-enabled clients disable the Reply-All button in the email interface. Note that this does not prevent the user from choosing to reply to a message and then adding recipients, or from adding this message as an attachment to a new message. The new recipient will not be able to read the message, but it will be delivered to his or her mailbox.

These controls can be combined into a package, or a policy, that includes an access control list (ACL). So, for example, a message can expire, allow only group access, and block printing. This policy is then used to generate an RMS Publishing License to protect the content.

If you apply any control other than one of the Access type controls but do not specifically apply an Access type control, then Protected Access is implied. For example, if you apply only print blocking, the message cannot be printed, and only people who can obtain credentials within your RMS system are able to read it.

Note: As a standard feature of RMS, an RMS Super User may be able to override protections on a message, including its expiration.

Selecting Protection Options

When you apply the action Protect the message with specific options and click its hyperlink in the Rule description box, the Select Protect Options dialog box appears.

1. Select all the appropriate protection options, as described below.

2. Click the OK button.

• Confidentiality: Click the appropriate radio button.

  • To Anyone (Any Authenticated RMS User): Allows anyone who can obtain credentials within the RMS system to read the message.

  • To Original Recipients: RMS gives access only to the recipients named in the original email, and, of course, to the sender.

  • To Users Within Groups: RMS gives access to anyone in the specified groups in the Active Directory, as well as anyone specifically named as a recipient of the message, and, of course, the sender.

To specify groups, follow these steps:

1. Click the Browse button. Any existing groups appear in the Group Add/Remove dialog box.

2. Add or remove groups.

• To add a group, follow these steps.

A. Click the Add button. The Select Group window appears.

B. Double-click the group. It is added to the list.

• To remove a group, select the group and click the Remove button.

3. When you have finished making changes, click the OK button.

• Expiration: Select a quantity and a unit of time, such as 30 and Days.

• Restricted Permission: No further parameters are needed for these options.

  • Block Forward: Recipients of the message are prevented from forwarding it to anyone else because the Forward button is disabled.

  • Block Reply: Recipients of the message are prevented from replying to it because the Reply button is disabled.

  • Block Reply-All: Recipients of the message are prevented from replying and including all original recipients because the Reply-All button is disabled. They can, however, reply to the sender or to a subset of the original recipients, if Reply is not also blocked.

  • Block Copy: Recipients of the message are prevented from copying data in the message.

  • Block Printing: Recipients of the message are prevented from printing data in the message.

• Attachments

  • Protect Attachments: All rights and controls applied to the message are also applied to attachments.

  Note: Because blocking of forwarding, replying, and replying to all does not make sense for attachments, these options are irrelevant for attachments.

  • Make Attachments Read Only: In addition to the protections applied above, the ability to edit or export (save as…) the attachment is blocked.

Do Not Deliver Message to Anyone

No further parameters are needed for this action. A non-delivery report is not sent. To get the effect of an NDR, combine this with the action Send alert message to sender (see below).

Do Not Deliver Message to Group Members

No further parameters are needed for this action. This action is only reasonable when one of the rule conditions is that recipients are members of a certain Active Directory group. Anyone on the recipient list who is a member of that group does not receive the message. Any recipient not a member of that group receives it. No NDR is sent. To get the effect of an NDR, combine this with the action Send alert message to sender. (See below.)

Send Alert Message to Sender

When you apply the action Send alert message to sender and click its hyperlink in the Rule description box, the Edit Warning Message dialog box appears. Type a warning message in the box and click the OK button. The Gateway delivers an email notice to the sender.

Report When this Rule is Applied

When you apply the action Report when this rule is applied, an entry is logged to a special log file on the Exchange or SMTP server machine. The entry contains a timestamp, the name of the rule that was applied, and the subject of the message to which it applies.

Add Specific Custom SMTP Header

When you apply the action Add specific custom SMTP header and click its hyperlink in the Rule description box, the Add SMTP X-Header dialog box appears. Type in the name for the SMTP header (not including the trailing colon) and the value it takes and click the OK button.

Examples:

• Name: X-Subject-Flag
  Value: Test Email

• Name: Acme-Hazard-Level
  Value: Low Risk

For more information, see “Appendix B. SMTP Headers,” on page 101.

BCC a Copy of this Message to a Mailbox

When you apply the action BCC a copy of this message to a mailbox and click its hyperlink in the Rule description box, the Mailbox Address dialog box appears. Type the SMTP address of the mailbox and click the OK button.

The mailbox can be anywhere inside or outside your organization.

BCC an Unencrypted Copy to a Mailbox

When you apply the action BCC an unencrypted copy to a mailbox and click its hyperlink in the Rule description box, the Mailbox Address dialog box appears. Type the SMTP address of the mailbox and click the OK button.

The mailbox can be anywhere inside or outside your organization.

If the rule or rules performing actions on this message were also going to encrypt the message, they make sure the copy that goes to the mailbox is not encrypted. This action also decrypts an existing protected email, such as one generated from Outlook 2003, for the BCC copy only.

Stop Processing More Rules

When you apply the action Stop processing more rules, no further parameters are necessary. The Gateway finishes processing this rule, stops processing any more rules after this one, and queues the message for delivery. By default, this action is selected in all rules.

If you want the Gateway to continue processing more rules, clear the check box for this action when you are editing the rule. See “Setting Rule Priority,” on page 69.

Note also that the stop only occurs if the rule is actually triggered. If it is not, rule processing continues.

Appendix A. Gateway Configuration File Syntax

This appendix describes the Gateway Configuration file. It contains the following sections:

• “Overview,” on page 91
• “Specifying Units of Time,” on page 92
• “Sections,” on page 93
• “Settings,” on page 94
  • “logging Settings,” on page 94
  • “gateway-service Settings,” on page 94
  • “services Settings,” on page 94
  • “protection-config Settings,” on page 94
  • “reporting Settings,” on page 96
  • “monitoring Settings,” on page 96
  • “ruleset-caching Settings,” on page 96
  • “rule-action-info Settings,” on page 97
  • “adapters Settings,” on page 98
• “Variables,” on page 99

Overview

The operational behavior of the Gateway for Exchange and SMTP is controlled with the Gateway Configuration file. Note that, if you are upgrading to version 6.7, it will not read or process Configuration files for previous versions. Before you install version 6.7, back up your old Configuration file. After you install the Gateway, manually copy any changes you have made to the new Configuration file.

The file is located in the folder where the Gateway is installed. It can typically be found at C:\Program Files\Liquid Machines\Gateway for Exchange and SMTP\lmgateway-config.xml.

The file is written in the XML language. You can use Notepad or another text editor to make changes to it. XML uses elements, delimited by angle brackets (<>). An element usually begins with a start-tag (<enabled> in the first example below) and ends with an end-tag that begins with a slash (</enabled>).

In the Configuration file, the tags surround settings (like false). Elements can include other elements, as in the second example; we call the outer elements sections. Sections can be nested, in which case we call the inner sections subsections.

You can use variables in the file: type in a certain string, and, when the Gateway runs, it changes the string to a value particular to that computer.

You can add comments to the file that the Gateway will ignore when processing the file, so you can include information about your company policies or your IT infrastructure. Enter a comment between <!-- and -->, like this: <!-- comment -->.

Example:

<enabled>false</enabled>

This setting controls whether functionality is enabled. The enabled setting is opened, the value false is put in, and then the setting is closed.

Example:

<logging>

<max-logfile-size>10 MB</max-logfile-size>

</logging>

This shows the setting max-logfile-size, with a value of 10 MB, or 10 megabytes. It also shows the tag embedded within the logging setting, or section.

Example:

<bind-addr>${system:host:ip-addr}</bind-addr>

This shows the setting bind-addr. A variable is used for the value. When the Gateway starts, it changes the variable to the IPv4 address of the first Ethernet interface of this computer.

Extra whitespace can be included between elements and will be ignored. However, do not include extra whitespace between the start and end tags that define a value (for example, a path).

To cause the Gateway to pick up changes you have made to the Configuration file, restart the Gateway Service. If the Service fails to start, check the Application Event Log for an error indicating a problem with the Configuration file, such as an invalid value or improper syntax. Note that, when the Service and the Configuration file are correctly configured, restarting the Service neither disrupts message flow nor affects the operation of other critical services, such as Exchange.

Some settings, namely those in the <gateway-service>, <reporting>, and <adapters> subsections, affect the Adapter, and thus require that IIS be restarted as well. You should always restart the Gateway Service first, because it can validate all parameters and report any problems before you have to restart IIS.

Specifying Units of Time

Some settings require you to specify a time value as the number of milliseconds, seconds, minutes, hours or days. When configuring these settings, the following values are valid:

• infinite
• a number followed by one of the following time units:
  • ms, mss
  • sec, secs
  • min, mins
  • hr, hrs
  • day, days

For example, the following setting would configure the Gateway to examine any pending batches of log entries for reporting in the Event Log every minute.

<batching-period>1 min</batching-period>

Sections

These are the main sections in the Gateway Configuration file:

• logging: Parameters that control how and where the Gateway logs diagnostic information. (See page 94.)

• gateway-service: Parameters that control the behavior of the Gateway Service and the ability of the Adapter to communicate with it. (See page 94.)

• services: Parameters that control how the Gateway finds external network services. (See page 94.)

• protection-config: Parameters that control how the Gateway protects and unprotects content. (See page 94.)

• reporting: Parameters that control the behaviors of application event logging. (See page 96.)

• monitoring: Parameters that control the behavior of the Performance Statistics XML page. (See page 96.)

• ruleset-caching: Parameters that control how a Gateway manages its ruleset file. (See page 96.)

• rule-action-info: Parameters that control the behavior of rule actions. (See page 97.)

• adapters: Parameters that control behaviors of the Adapters that integrate Gateway functionality into third-party applications. (See page 98.)

Settings

Settings are grouped by section. For most settings, default values are in parentheses.

Some settings in the Configuration file are marked Do not change this without consulting Liquid Machines Support. These settings are not documented here.

logging Settings

logging settings control the diagnostic logging configuration. By default, very little information is included in diagnostic logs. Liquid Machines Support may ask you to enable more logging using the settings in this section.

• root-dir: The root directory for log files when diagnostic logging has been turned on. It must be a valid directory or a directory the Gateway can create; it cannot be a file. The path must be absolute. The default value is: ${system:dirs:common-app-data}\Liquid Machines\Gateway\logs

• max-backup-logfile-count (2): The maximum number of old log files to keep around before deleting the oldest. The minimum value is 0; the maximum value is 100 (inclusive). If -1 is specified, old log files are not deleted.

• max-logfile-size (10 MB): The maximum size any log file is allowed to reach before being rolled over to backup files. The minimum value is 100 KB; the maximum value is 1 TB (inclusive).

• max-logfile-lifetime (1 day): The maximum amount of time any log file is allowed to be used before being rolled over to backup files. The current remaining time is calculated from the previous midnight. The minimum value is 1 hr; the maximum value is infinite (inclusive). See “Specifying Units of Time,” on page 92.
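The time-unit syntax from “Specifying Units of Time,” the ${...} variables from the Overview, and the documented logging ranges above, combined into one added example that is not Liquid Machines code: the XML document, its root element name, the variable values and the binary size units are assumptions.

```python
"""Reading Gateway Configuration file values the way the guide describes.

Added illustration, not Liquid Machines code. The XML document, its root
element name and the variable values are constructed; the element names,
time units, ${...} variable syntax and ranges come from the guide. Size
units are assumed to be binary (1 KB = 1024 bytes).
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict

# "Specifying Units of Time": a number plus one of these units, or "infinite".
UNIT_MS = {"ms": 1, "mss": 1, "sec": 1000, "secs": 1000, "min": 60_000, "mins": 60_000,
           "hr": 3_600_000, "hrs": 3_600_000, "day": 86_400_000, "days": 86_400_000}
SIZE_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
VARIABLE = re.compile(r"\$\{([^}]+)\}")

def parse_duration(text: str) -> float:
    """'1 min' -> 60000 (milliseconds); 'infinite' -> inf; anything else is an error."""
    value = text.strip()
    if value.lower() == "infinite":
        return float("inf")
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]+)", value)
    if not m or m.group(2).lower() not in UNIT_MS:
        raise ValueError("invalid time value: %r" % text)
    return int(m.group(1)) * UNIT_MS[m.group(2).lower()]

def parse_size(text: str) -> int:
    """'10 MB' -> 10485760 bytes (binary units assumed)."""
    m = re.fullmatch(r"(\d+)\s*([KMGT]B)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("invalid size value: %r" % text)
    return int(m.group(1)) * SIZE_BYTES[m.group(2).upper()]

def expand_variables(value: str, variables: Dict[str, str]) -> str:
    """Replace ${name} with what the host supplies at start-up; an unknown
    name is reported rather than silently left inside a path."""
    def replace(m):
        if m.group(1) not in variables:
            raise ValueError("unknown configuration variable: %s" % m.group(1))
        return variables[m.group(1)]
    return VARIABLE.sub(replace, value)

def setting(section: ET.Element, tag: str, default: str) -> str:
    """Fetch a setting's text. Whitespace inside a value element is rejected,
    because only whitespace *between* elements is ignored."""
    node = section.find(tag)
    if node is None or node.text is None:
        return default
    if node.text != node.text.strip():
        raise ValueError("whitespace inside <%s> value" % tag)
    return node.text

def load_logging_settings(xml_text: str, variables: Dict[str, str]) -> Dict[str, object]:
    """Parse the logging section and check each value against its documented range."""
    logging = ET.fromstring(xml_text).find("logging")
    if logging is None:
        raise ValueError("no <logging> section")
    default_dir = r"${system:dirs:common-app-data}\Liquid Machines\Gateway\logs"
    root_dir = expand_variables(setting(logging, "root-dir", default_dir), variables)
    if not re.match(r"^[A-Za-z]:\\", root_dir):
        raise ValueError("root-dir must be an absolute path: %r" % root_dir)
    count = int(setting(logging, "max-backup-logfile-count", "2"))
    if count != -1 and not 0 <= count <= 100:
        raise ValueError("max-backup-logfile-count must be -1 or 0..100")
    size = parse_size(setting(logging, "max-logfile-size", "10 MB"))
    if not 100 * SIZE_BYTES["KB"] <= size <= SIZE_BYTES["TB"]:
        raise ValueError("max-logfile-size must be between 100 KB and 1 TB")
    lifetime = parse_duration(setting(logging, "max-logfile-lifetime", "1 day"))
    if lifetime < UNIT_MS["hr"]:
        raise ValueError("max-logfile-lifetime must be at least 1 hr")
    return {"root-dir": root_dir, "max-backup-logfile-count": count,
            "max-logfile-size": size, "max-logfile-lifetime": lifetime}

# Constructed sample file; the root element name is an assumption.
SAMPLE_CONFIG = r"""<?xml version="1.0"?>
<lmgateway-config>
  <!-- constructed sample, not a shipped configuration -->
  <logging>
    <root-dir>${system:dirs:common-app-data}\Liquid Machines\Gateway\logs</root-dir>
    <max-backup-logfile-count>5</max-backup-logfile-count>
    <max-logfile-size>10 MB</max-logfile-size>
    <max-logfile-lifetime>1 day</max-logfile-lifetime>
  </logging>
</lmgateway-config>
"""

# Constructed stand-ins for the values the Gateway substitutes on this host.
SAMPLE_VARIABLES = {"system:dirs:common-app-data": r"C:\ProgramData",
                    "system:host:primary-domain-name": "corp.example"}

if __name__ == "__main__":
    print(load_logging_settings(SAMPLE_CONFIG, SAMPLE_VARIABLES))
```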

gateway-service Settings

gateway-service settings control how other components communicate with the Gateway Service. None of the settings in this section should be changed without consulting with Liquid Machines Support.

services Settings

services settings control how the Gateway connects to the infrastructure services it needs.

• Ldap-server-name (${system:host:primary-domain-name}): The name of the LDAP server to use to resolve groups into lists of users.

protection-config Settings

protection-config settings control how the Gateway for Exchange and SMTP protects and unprotects messages and attachments.

• unprotectable-server-suffixes: This subsection contains a list of domain suffixes to match against the name of the server that protected a piece of content that is to be unprotected. If one of these suffixes matches, a failure to unprotect is treated as an error. If no suffix matches, a failure to unprotect is not treated as an error, but the content remains protected. Matching is case-insensitive. An empty suffix, or no setting at all, matches anything; that is, all domains are treated as local. For more information on how this setting affects the Gateway, see “Foreign Protection Checking with RMS,” on page 13 and “Foreign Protection Checking with Liquid Machines Document Control,” on page 15.


• unprotectable-server-suffix: Explicitly adds a domain suffix that the Gateway should treat as local. The default list item, ${system:host:primary-domain-name}, includes the DNS domain of the Gateway machine.

• attachment-mime-types: The types of attachments to be protected, if attachments are to be protected. The Gateway can only add protection to certain types of documents: Microsoft Word, Excel, PowerPoint, and Visio files, and Adobe Acrobat PDF documents. You can use these settings to remove support for file types or to help the Gateway recognize files that are of these types but have the wrong file extensions.

• attachment-mime-type: A type of attachment to be supported. Types can be specified either as a MIME type (for example, application/pdf) or as a file extension (for example, *.pdf). The default is to protect Microsoft Word, Excel, and PowerPoint files. Configuration for Adobe and Visio files is included, but turned off by commenting it out, like this:

<!-- <attachment-mime-type>application/pdf</attachment-mime-type> -->

To turn it on, remove the <!-- and -->.

• unprotect-attachments (true): When a protected message passes through a Gateway in Unprotect or Unprotect for Re-protect mode, or when a rule action BCCs an unencrypted copy, this controls whether the Gateway also unprotects any protected attachments to the message and to the cleartext BCCs.

• recurse-nested-mime-messages (false): Set to true, and also set unprotect-attachments to true, if you want to process nested (attached) MIME-encoded messages, in Unprotect, Unprotect for Reprotect, and Reprotect modes, as well as when generating cleartext BCCs. The messages processed are only those that are encoded in MIME format (non-TNEF, non-MAPI) using message/rfc822 or message/rfc2822. This explicitly excludes submessages nested within RMS-protected messages, which are MAPI-encoded.

This setting is required to support Envelope Journaling, which has an unprotected top-level MIME message containing the real message as an attachment.

Do not change this without consulting Liquid Machines Support.

• ms-rms: Configuration options for protection based on Windows RMS.

• enabled (false): Enables or disables all RMS functionality.

• lm-ues: Configuration options for protection based on Liquid Machines Universal Enforcement Services (allowing access to Liquid Machines Document Control documents).

• enabled (false): Enables or disables all Universal Enforcement Services.

• policy-servers: Policy servers that should be contacted to obtain policy information. Servers can be identified by host name or by URL, for example, <policy-server>server.mydomain.com</policy-server>.

• allow-server-discovery (true): Enables the ability to contact new Liquid Machines Document Control servers based on document contents.

• discovered-server-lifetime (60 min): Configures the time for which discovered servers will be kept active (and polled) before they must be discovered again. See “Specifying Units of Time,” on page 92.

• discovered-server-cleanup period (5 min): Configures how often discovered servers will be examined to see if they should be deactivated. See “Specifying Units of Time,” on page 92.
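The unprotectable-server-suffixes decision described above, modelled as an added example (not Liquid Machines code). The suffix list and server names are constructed, and plain end-of-string suffix matching is an assumption, since the page says only that a suffix must match:

```python
"""Added example, not part of the Gateway: models the unprotectable-server-suffixes
check that decides whether a failed unprotect is an error or a pass-through."""
from __future__ import annotations


def is_local_server(server_name: str, suffixes: list[str]) -> bool:
    """True if server_name matches one of the configured domain suffixes.

    Matching is case-insensitive. An empty suffix list, or an empty suffix,
    matches everything, so every protecting server is treated as local.
    Assumption: a suffix matches by plain end-of-string comparison, so the
    suffix "acme.com" matches "rms1.acme.com" but also "rms1.notacme.com";
    a leading dot (".acme.com") pins the match to a label boundary.
    """
    if not suffixes:
        return True
    name = server_name.strip().lower()
    return any(name.endswith(s.strip().lower()) for s in suffixes)


def classify_unprotect_failure(protecting_server: str, suffixes: list[str]) -> str:
    """Outcome of a failed unprotect for content protected by protecting_server.

    "error"             -> the server is local: the Gateway should have been able
                           to unprotect, so the failure is reported as an error.
    "remains-protected" -> the server is foreign: no error, the content simply
                           passes through still protected.
    """
    return "error" if is_local_server(protecting_server, suffixes) else "remains-protected"


# Constructed sample list: the Gateway's own domain (what the default
# ${system:host:primary-domain-name} item would expand to) plus a partner domain.
SAMPLE_SUFFIXES = ["acme.com", ".partner.example"]

if __name__ == "__main__":
    for srv in ("RMS1.ACME.COM", "rms.partner.example",
                "rms.notpartner.example", "rms.othercorp.test"):
        print(f"{srv:28} -> {classify_unprotect_failure(srv, SAMPLE_SUFFIXES)}")
```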


reporting Settings

reporting settings control the verbosity and other behaviors of Application Event Logging.

• event-log-severity (all): The minimum severity of events that are sent to an Application Event Log. Values are fatal, error, warning, info, and all.

• log-frequency-error (1 minute): The maximum frequency at which the same type of error can be reported in the Event Log before multiple occurrences are batched in a single entry, and how frequently such batches are reported. See “Specifying Units of Time,” on page 92. Note that the most serious and fatal errors are never batched, but are always reported immediately.

• log-frequency-warning (1 minute): The maximum frequency at which the same type of warning can be reported in the Event Log before multiple occurrences are batched in a single entry, and how frequently such batches are reported. See “Specifying Units of Time,” on page 92.

• log-frequency-info (1 minute): The maximum frequency at which the same type of Info message can be reported in the Event Log before multiple occurrences are batched in a single entry, and how frequently such batches are reported. See “Specifying Units of Time,” on page 92.

• batching-period (1 minute): How often the Gateway examines any pending batches of log entries for reporting in the Event Log. Batched log entries can be logged any time after the time defined by their frequency has passed, but are not examined for possible logging unless another of the same event occurs or a batching period elapses. See “Specifying Units of Time,” on page 92.

monitoring Settings

monitoring settings control the behavior of the Performance Statistics XML page.

• enabled (true): Enables or disables monitoring statistics.

• networking: This section has the following subsections:

• bind-addr (127.0.0.1): The IP address on which the performance statistics listen for Web client connections. If you want to make the statistics available to a Web browser not on the machine, change this to one of the real IP addresses of the machine, or to 0.0.0.0 (all interfaces).

• bind-port (7889): The TCP port on which the performance statistics listen.

ruleset-caching Settings

ruleset-caching settings control how a Gateway manages its ruleset files.

• cache-dir (${system:dirs:common-app-data}\Liquid Machines\Gateway for Exchange and SMTP\rule-cache): The directory to use for storing and retrieving cached ruleset definitions. It must be a valid directory or one that the Gateway can create; it cannot be a file. The path must be absolute.

• cache-expiration (1 hr): How long a cached ruleset file can be used before it is refetched and recached. See “Specifying Units of Time,” on page 92.

• url-fetch-retry-delays: If the Gateway cannot access your ruleset file for some reason, how long it waits before trying to access it again.

• url-fetch-retry-delay: A delay interval. In the case of repeated failures, the Gateway uses each of these intervals in order. If failures persist, it continues to use the last value in the list. For example, if you put in one for 5 seconds, one for 30 seconds, and one for 5 minutes, the Gateway retries after 5 seconds, then retries again after an additional 30 seconds, then retries again after an additional 5 minutes, then retries again every 5 minutes after that.

The defaults are one interval of 5 seconds followed by one of 10 seconds, which is then repeated.

• http-fetch-user-agent (Liquid Machines Gateway): When the Gateway fetches a ruleset file from a web server, the friendly name it uses to identify itself. It corresponds to the HTTP User-Agent header (HTTP_USER_AGENT). This usually shows up in Web server logs.

rule-action-info Settings

rule-action-info settings control the behavior of rule actions. This section has the following subsections:

• alert: Controls the appearance of Alert messages sent by the action Alert sender with warning message.

• sender (no default): When the Gateway sends an Alert, the sender from whom it appears to come, from the point of view of an SMTP server, and so who will receive any nondelivery report. This value is put in the SMTP envelope.

• from (Liquid Machines Gateway): When the Gateway sends an Alert, the sender from whom it appears to come, from the point of view of an Alert recipient, and so who will receive any replies from the Alert recipient. This value is put in the From header. Note that, typically, reply-to, described below, overrides to whom the recipient automatically replies.

• reply-to (no default): If a user replies to an Alert, the address to which the reply goes by default.

• subject (Liquid Machines Gateway Alert): The value of the Subject header of the Alert message.

• x-mailer (Liquid Machines Gateway): The value of the x-mailer SMTP header in the Alert message.

• audit: Controls the behavior of audit log entries generated by the action Report when this rule is applied.

• logfile-root-dir (${system:dirs:common-app-data}\Liquid Machines\Gateway\logs): The root directory for log files. It must be a valid directory or one that the Gateway can create; it cannot be a file. The path must be absolute.

• logfile-name (audit-${run:moment:yyyyMMdd}-${app:logging:file:roll-index}.log): The actual name, or the format for the names, of the logfile(s) in which audit actions should be reported.

• logfile-entry-prefix-format (${run:moment:yyyy-MM-dd@HH:mm:ss.sss}): The format of the timestamp at the beginning of each entry.

• max-backup-logfile-count (-1): The maximum number of audit files the Gateway keeps around. If this many already exist and it needs to create a new one, it overwrites the oldest one. The default value, -1, means there is no maximum: an unlimited number can be kept, and none is ever overwritten. Any negative value indicates no maximum.

Important! Use an automated procedure of some sort to archive or delete old logs, or they can eventually use all available disk space.

• max-logfile-size (1 PB): The maximum size the audit file is allowed to grow to before a new one is created. The minimum value is 100 KB, and the maximum value is 1 PB (inclusive). Commenting this out removes any restriction on the maximum file size.


• max-logfile-lifetime (1 day): The maximum age the oldest entry can be in a log file before a new one is created. The current remaining time is calculated from the previous midnight. The minimum value is 1 hr and the maximum value is infinite (inclusive). See “Specifying Units of Time,” on page 92.

• bcc: Controls the appearance of BCC copies sent by the BCC a copy actions.

• sender (no default): When the Gateway BCCs a copy, the sender from whom it appears to come, from the point of view of an SMTP server, and so who will receive any non-delivery report.

adapters Settings

adapters settings control behaviors of the Adapters that integrate Gateway functionality into third-party applications. The Gateway for Exchange and SMTP includes a single Adapter, which is an IIS SMTP Transport Event Sink.

• pend-message-on-error (true): How the Adapter handles messages that pass through the system while the Gateway or some other service is unavailable.

• if false: Messages pass through unprocessed, that is, without any rules being applied.

• if true: Mail delivery is halted, and messages are held in a queue until the Service is restarted, then submitted to the Service for processing.

For more information, see “Message Flow and Service Status,” on page 35.

• ping-gateway-service (5 seconds): How often the Event Sink tests the Service to see if it is up and communicating, and restarts it if it has crashed. This value should be short enough that a ping will occur and the Service can be restarted if necessary before a message exhausts its retry-connection-delays, described below. See “Specifying Units of Time,” on page 92.

• retry-connection-delays: How many times and at what intervals the Adapter tries to connect to the Service before giving up. The delay of the first retry is always 0 seconds. The defaults are at 1, 2, 4, and 8 seconds, and every 16 seconds after that.

• retry-connection-delay: A delay interval. In the case of repeated failures, the Gateway uses each of the intervals in order. If failures persist, it continues to use the last value in the list.

For example, if you enter an interval of 5 seconds, one for 30 seconds, and one for 5 minutes, the Gateway retries after 5 seconds, then retries again after an additional 30 seconds, then retries again every 5 minutes after that.

• transport-sink: Controls the configuration of the IIS SMTP Transport Event Sink.

• working-thread-count (10): The maximum number of program threads the Adapter uses to process messages asynchronously. Using more may yield better performance but also consumes more resources.

• ignored-content-classes: Classes of messages that can be wholly ignored when messages are submitted for processing, in order to improve performance or to avoid certain rules triggering on unexpected content.

• ignored-content-class: A class of messages to be ignored. Possible values include calendar messages and recall messages. Examples are provided in the comments in the Configuration file.


Variables

The following variables can be used in the log file. To use one, enclose it in curly brackets {} and preface it with a dollar sign ($), like this: ${run:thread:id}. Place the variable in the Configuration file where you want its value to be substituted.

• env: The value of any system environment variable; it is case insensitive on Windows. For example, ${env:HOMEDRIVE} yields the value of HOMEDRIVE, typically C:.

• run:thread:id: The ID of the current thread.

• run:thread:name: The descriptive name of the current thread (if any).

• run:moment: The current moment in time.

• run:host:name: The current fully-qualified DNS name of this host, for example, rms1.acme.lan, as it is set at runtime.

• run:host:ip-addr: The current IPv4 address of the first Ethernet adapter on this host, for example, 192.168.130.1, as it is set at runtime.

• system:dirs:cwd: The current working directory.

• system:dirs:temp: The current user's temp directory, typically C:\Documents and Settings\currentuser\Local Settings\Temp.

• system:dirs:user: The current user's home directory, typically C:\Documents and Settings\currentuser.

• system:dirs:common-app-data: The directory containing application data common to all users, typically C:\Documents and Settings\All Users\Application Data.

• system:dirs:user-app-data: The directory containing application data specific to the current user, typically C:\Documents and Settings\currentuser\Application Data.

• system:host:name: The fully-qualified DNS name of this host, as it is set at system start.

• system:host:ip-addr: The IPv4 address of the first Ethernet adapter of this host, as it is set at system start.

• system:host:primary-domain-name: The fully-qualified DNS domain name of the first Ethernet adapter for this host, as it is set at runtime. For example, if this hostname is rms1.acme.com, then the domain is acme.com.

• app:dirs:install: The installation directory for the application, by default, C:\Program Files\Liquid Machines\Gateway for Exchange and SMTP.

• app:logging:channel:severity: The string form of the severity of a diagnostic logging statement.

• app:logging:channel:name: The unqualified name of a diagnostic logging channel being used in the logging statement.

• app:logging:channel:scoped-name: The qualified name of a diagnostic logging channel.

• app:logging:channel:scope: The qualifying portion of the scoped-name of a diagnostic logging channel.

• app:logging:file:roll-index: The numeric index of the next log file to be cycled.
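An expander for the ${namespace:key[:format]} references listed above, added here as an example (not Liquid Machines code). The value table, environment and timestamp are constructed, and the handling of run:moment format tokens is limited to the tokens used by the defaults in this appendix, which is an assumption:

```python
"""Added example, not part of the Gateway: expands ${namespace:key[:format]} references
of the kind listed under Variables, using a constructed table of sample values."""
from __future__ import annotations

import re
from datetime import datetime

_REF_RE = re.compile(r"\$\{([^{}]+)\}")          # one ${...} reference
_MOMENT_TOKEN_RE = re.compile(r"yyyy|MM|dd|HH|mm|sss|ss")


def format_moment(fmt: str, now: datetime) -> str:
    """Render a run:moment format such as yyyyMMdd or yyyy-MM-dd@HH:mm:ss.sss.

    Only the tokens used by the defaults in this appendix are handled (an
    assumption; the Gateway's full format language is not documented here).
    """
    table = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M",
             "ss": "%S", "sss": f"{now.microsecond // 1000:03d}"}
    return now.strftime(_MOMENT_TOKEN_RE.sub(lambda m: table[m.group(0)], fmt))


def resolve(ref: str, now: datetime, env: dict[str, str], fixed: dict[str, str]) -> str:
    """Look up one reference body (the text between ${ and })."""
    parts = ref.split(":", 2)                      # a format part may itself contain ':'
    if parts[0] == "env" and len(parts) == 2:
        # Environment variables are case-insensitive on Windows.
        for key, value in env.items():
            if key.lower() == parts[1].lower():
                return value
        raise KeyError(f"environment variable not set: {parts[1]}")
    if parts[:2] == ["run", "moment"]:
        return format_moment(parts[2], now) if len(parts) == 3 else now.isoformat()
    if ref in fixed:
        return fixed[ref]
    raise KeyError(f"unknown variable: {ref}")     # fail closed rather than emit a bad path


def expand(text: str, now: datetime, env: dict[str, str], fixed: dict[str, str]) -> str:
    """Substitute every ${...} reference in text."""
    return _REF_RE.sub(lambda m: resolve(m.group(1), now, env, fixed), text)


# Constructed sample values standing in for what the Gateway would supply at run time.
SAMPLE_ENV = {"HOMEDRIVE": "C:"}
SAMPLE_FIXED = {
    "system:dirs:common-app-data": r"C:\Documents and Settings\All Users\Application Data",
    "system:host:primary-domain-name": "acme.com",
    "run:thread:id": "1234",
    "app:logging:file:roll-index": "3",
}
SAMPLE_NOW = datetime(2007, 6, 29, 14, 5, 9, 120000)


def audit_logfile_name(now: datetime = SAMPLE_NOW) -> str:
    """The default audit logfile-name, expanded."""
    return expand("audit-${run:moment:yyyyMMdd}-${app:logging:file:roll-index}.log",
                  now, SAMPLE_ENV, SAMPLE_FIXED)


def audit_entry_prefix(now: datetime = SAMPLE_NOW) -> str:
    """The default logfile-entry-prefix-format, expanded."""
    return expand("${run:moment:yyyy-MM-dd@HH:mm:ss.sss}", now, SAMPLE_ENV, SAMPLE_FIXED)


def logging_root_dir() -> str:
    """The default logging root-dir, expanded."""
    return expand(r"${system:dirs:common-app-data}\Liquid Machines\Gateway\logs",
                  SAMPLE_NOW, SAMPLE_ENV, SAMPLE_FIXED)


if __name__ == "__main__":
    print(audit_logfile_name())
    print(audit_entry_prefix())
    print(logging_root_dir())
    print(expand("${env:homedrive}\\temp", SAMPLE_NOW, SAMPLE_ENV, SAMPLE_FIXED))
```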


Appendix B

SMTP Headers

All email messages contain a text body: the part the sender composes and the recipient reads. All email messages also contain headers, information the sender and recipient do not see, but that control the behavior of the message or give details about how it was created and how it traveled. You can use that information to trigger rules.

An email message displayed in Microsoft Outlook is illustrated below. You can see the body of the message. You can also see information from some of the SMTP headers displayed at the top, in a user-friendly format. For example, you can see that the sender is Kelly Jones, and that the message was sent on June 29, 2007.

In Outlook, to see the SMTP headers, right-click in the list of messages, on a message you received from outside your company, and click Options. For example, in this message, you can see that the Subject header has been set to Please respond to this questionnaire. A header shows the electronic ID of the message, and one shows which machine it originated from.

Note: For messages sent within Exchange that have never been to the Internet or modified by a Gateway, SMTP headers are not available.


If you scroll through the headers, you can find out when the message was sent, whether it contains HTML or attachments, and maybe even what mail reader was used to compose the message.


Appendix C

Differences from Perl Regular Expressions

Perl constructs not supported by the Liquid Machines Gateway for Exchange and SMTP ruleset regular expressions:

• The conditional constructs (?{X}) and (?(condition)X|Y)

• The embedded code constructs (?{code}) and (??{code})

• The embedded comment syntax (?#comment)

• The preprocessing operations \l, \u, \L, and \U

Constructs supported by the Liquid Machines Gateway for Exchange and SMTP ruleset regular expressions but not by Perl:

• Possessive quantifiers, which match as much as they can and do not back off, even when doing so would allow the overall match to succeed.

• Character-class union and intersection. Character classes may appear within other character classes, and may be composed by the union operator (implicit) and the intersection operator (&&). The union operator denotes a class that contains every character that is in at least one of its operand classes. The intersection operator denotes a class that contains every character that is in both of its operand classes.

The precedence of character-class operators is as follows, from highest to lowest:

1 Literal escape

2 Grouping [...]

3 Range a-z

4 Union [a-e][i-u]

5 Intersection [a-z&&[aeiou]]

Notable differences from Perl:

• In Perl, \1 through \9 are always interpreted as back references; a backslash-escaped number greater than 9 is treated as a back reference if at least that many subexpressions exist, otherwise it is interpreted, if possible, as an octal escape. In the Gateway ruleset regular expressions, octal escapes must always begin with a zero. In the Gateway ruleset regular expressions, \1 through \9 are always interpreted as back references, and a larger number is accepted as a back reference if at least that many subexpressions exist at that point in the regular expression; otherwise the parser drops digits until the number is smaller than or equal to the existing number of groups or it is one digit.

• In Perl, embedded flags at the top level of an expression affect the whole expression. In the Gateway ruleset regular expressions, embedded flags always take effect at the point at which they appear, whether they are at the top level or within a group; in the latter case, flags are restored at the end of the group, just as in Perl.

• Perl is forgiving about malformed matching constructs, as in the expression *a, as well as dangling brackets, as in the expression abc], and treats them as literals. The Gateway ruleset regular expressions also accept dangling brackets, but are strict about dangling metacharacters like +, ?, and *, and reject a pattern that contains them.
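The back-reference and octal-escape rules above, applied to backslash-digit escapes in a pattern, as an added example (not Liquid Machines code). The patterns are constructed; the three-digit cap on octal escapes and the treatment of every "(?" as non-capturing (named groups are not handled) are assumptions:

```python
"""Added example, not part of the Gateway: applies the back-reference and octal-escape
rules described above to backslash-digit escapes in a ruleset regular expression."""
from __future__ import annotations

import re

_DIGITS_RE = re.compile(r"[0-9]+")


def resolve_escape_digits(digits: str, groups_so_far: int) -> tuple[str, int, str]:
    """Interpret the digit run that follows a backslash.

    Returns (kind, value, leftover): kind is "octal" or "backref", value is the
    octal character code or the group number, and leftover holds any trailing
    digits that are read as literal characters.
    """
    if digits[0] == "0":
        # Octal escape: must begin with a zero. At most three octal digits are
        # consumed after it and the value is capped at 0o377 (an assumption;
        # the page fixes only the leading zero).
        body, taken = digits[1:], ""
        for ch in body:
            if ch in "01234567" and len(taken) < 3 and int(taken + ch, 8) <= 0o377:
                taken += ch
            else:
                break
        return "octal", int(taken, 8) if taken else 0, body[len(taken):]
    # Back reference: \1-\9 always; a larger number only if that many groups
    # exist at this point, otherwise drop digits from the right until the
    # number fits or a single digit remains.
    kept = digits
    while len(kept) > 1 and int(kept) > groups_so_far:
        kept = kept[:-1]
    return "backref", int(kept), digits[len(kept):]


def annotate(pattern: str) -> list[tuple[int, str, int, str]]:
    """Walk a pattern, counting capturing groups opened so far, and report how
    each backslash-digit escape outside a character class is read."""
    results: list[tuple[int, str, int, str]] = []
    groups = 0          # capturing groups opened before the current position
    class_depth = 0     # >0 inside [...]; classes may nest in this dialect
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            m = _DIGITS_RE.match(pattern, i + 1)
            if m and not class_depth:
                kind, value, leftover = resolve_escape_digits(m.group(0), groups)
                results.append((i, kind, value, leftover))
                i = m.end()
            else:
                i += 2                      # any other escape: skip the escaped char
            continue
        if ch == "[":
            class_depth += 1
        elif ch == "]" and class_depth:
            class_depth -= 1
        elif ch == "(" and not class_depth and pattern[i + 1:i + 2] != "?":
            groups += 1                     # "(?" is treated as non-capturing (assumption)
        i += 1
    return results


if __name__ == "__main__":
    # Constructed patterns: three groups then \12 means group 1 followed by a
    # literal "2"; twelve groups then \12 means group 12; \012 is octal 10 (LF).
    for pat in (r"(a)(b)(c)\12", "(a)" * 12 + r"\12", r"\012", r"(?:x)(y)\1"):
        print(pat, "->", annotate(pat))
```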


Appendix D

Setting Relay Access Permissions on Exchange and IIS SMTP

To set relay access permissions on Exchange and IIS SMTP:

1. Access the Properties of each SMTP instance and write down what IP address it listens on. If the address listed is All Assigned, write down 127.0.0.1.

• To access the properties on an Exchange server:

a. Open Exchange System Manager.

b. Navigate to the Administrative Groups or Routing Groups node if you have it, to the routing group where the Gateway machine resides, to the Gateway machine, to Protocols, to SMTP.

c. Right-click the Default SMTP Virtual Server or other SMTP instances and click Properties.


• To access the properties on a stand-alone Windows SMTP server:

a. Start Internet Services Manager.

b. Right-click each SMTP instance and select Properties.

2. For each SMTP instance, add all the IP addresses you have written down to the relay access permissions.

a. In the Properties of each instance, click the Access tab.


b. Click the Relay button.

c. In the Relay Restrictions dialog box:

• If the radio button Only the list below is selected, add all the IP addresses you have written down, if they are not already in the list.

• If the radio button All except the list below is selected, make sure none of the IP addresses you have written down is in the list.


Appendix E

Adding RMS Servers to the Local Intranet Sites

1 Log on to the Gateway machine as the user account under which the Gateway will run.

2 In Internet Explorer, on the Tools menu, click Internet Options.

3 In the Internet Options dialog box, click the Security tab.

4 On the Security tab, click Local intranet, and then click Sites.

5 On the Local intranet dialog box, click Advanced.


6 In the Add this web site to the zone field, enter the common name of the RMS Server, for example, rms1.fkolabs.com. Then click Add.

7 Click OK to close all dialog boxes.


Index

A

A fatal error has occurred. 43
A serious error has occurred. 43
access control list (ACL) 38, 83
access controls
  attachments 38
access licenses
  issuing 10
account
  service 35
ACL (access control list) 83
Acrobat (PDF) files
  attachment protection 38
  protection-config settings 95
actions
  rules 17
  specifying 67
Actions box 67, 73
activating
  rules 70
Active Directory 2003 9
Active Directory groups 84, 87
  adding 80, 84
  removing 80, 84
  specifying 79
Adapter 34
  no stopping 34
adapters settings
  Gateway Configuration file 98
Add SMTP X-Header dialog box 87
Add specific custom SMTP header 87
  multiple rules 72
adding
  Active Directory groups 80, 84
Ad-Hoc permissions 13
Adobe Acrobat 12
Adobe Acrobat (PDF) files
  attachment protection 38
  protection-config settings 95
Adobe Reader 12
Failed to obtain a group's members from directory. 49
alert 97
alerting senders 8
allow-server-discovery 95
app:dirs:install 99
app:logging:channel:name 99
app:logging:channel:scope 99
app:logging:channel:scoped-name 99
app:logging:channel:severity 99
app:logging:file:roll-index 99
Application Event Logs 43
architecture
  installation 15
  Liquid Machines Gateway for Exchange and SMTP 9
archiving 8
archiving system 9
Attachment Options
  multiple rules 71
attachment-mime-type 95
attachment-mime-types 95
attachments 86
  processing 38
audit 97
  log file names 40
audit records 40
auditing 8
authenticating users 10
Automatic Start
  Service 34

B

back references 103
batching-period 96
bcc 98
BCC a copy of this message to a mailbox 88
  multiple rules 72
BCC an unencrypted copy to a mailbox 72, 88
bind-addr 96
bind-port 96
Block Copy 86
Block Forward 86
Block Printing 86
Block Reply 86
Block Reply-All 86
blocking delivery 8
Bracketing Other SMTP Applications 16
brackets 103
bridgeheads
  Exchange 16
  Internet 16
  organizational 16


C

cache-dir 96
cache-expiration 96
character classes 103
character-class operators 103
client-connections-accepted 54
client-requests 54
client-requests-failed 54
Clipboard Blocking 83
comments
  Gateway Configuration file 91
compliance 8
conditional constructs
  Perl constructs not supported 103
conditions
  rules 17
  specifying 66, 73
Conditions box 66, 73
Confidentiality 84
Confidentiality Options
  multiple rules 71
Configuration file 91
configuring
  Configuration Tool 26
  modes 31
content of messages
  monitoring 9
content scanner 8, 9, 16
content scanning 9
copy blocking 11
counters
  Gateway 52, 54
  performance 40
Create New Pattern dialog box 74
Create Pattern dialog box 79
creating
  patterns 74
  rules 65
  rulesets 59
credentials
  service account 35
CSV files
  attachment protection 39

D

decrypting
  messages 31
defining
  rules 17
  rulesets 59
defining rulesets and rules 59
deleting
  rules 70
  rulesets 63
Delivery report 81
destination of messages
  monitoring 9
diagnostic logging
  Gateway 51
differences from Perl regular expressions 103
directory-lookups 55
Disabled
  Service 34
Disabled mode
  Gateway 31
discovered-server-cleanup period 95
discovered-server-lifetime 95
Do not deliver message to anyone 86
  multiple rules 72
Do not deliver message to group members 87
  multiple rules 72
Document Control 7
document-protecting-time 56
document-reprotecting-time 56
documents-protected 55
documents-reprotected 55
documents-unprotected 55
document-unprotecting-time 56

E

Edit Pattern dialog box 79
editing
  rules 70
elements
  Gateway Configuration file 91
Email message 81
email messages 7
embedded code constructs
  Perl constructs not supported 103
embedded comment syntax
  Perl constructs not supported 103
embedded flags 103
enabled
  lm-ues 95
  monitoring 96
  ms-rms 95
encryption
  Liquid Machines Document Control 12
encryption keys 10
env 99
errors
  Gateway 43
event-log severity 96
Excel files
  attachment protection 38
  protection-config settings 95


Exchange 7
  tuning performance 41
Exchange bridgehead servers 16
Exchange servers 8, 15, 105
Exchange System Manager 105
Expiration 82, 86
expiration 11
Expiration Options
  multiple rules 71
eXtended Markup Language 53

F

Failed to initialize Liquid Machines Policies and Keys (Universal Enforcement Services). 47
Failed to initialize Microsoft RMS. 46
Failed to initialize protection environment. 46
Failed to obtain a user's group memberships from directory. 49
Failed to protect a document from external server. 51
Failed to protect a document. 48
Failed to protect a message from external server. 51
Failed to protect a message. 47
Failed to reprotect a document from external server. 51
Failed to reprotect a document. 48
Failed to reprotect a message from external server. 51
Failed to reprotect a message. 48
Failed to unprotect a document from external server. 51
Failed to unprotect a document. 48
Failed to unprotect a message from external server. 51
Failed to unprotect a message. 47
Failed to update data for a Liquid Machines Policy Server. 47
file types
  supported for attachments 38
Filter failed to process message. 46
filter-messages-blocked 54
filter-messages-failed 54
filter-messages-in-progress 55
filter-messages-modified 54
filter-messages-processed 54
filter-messages-recipients-modified 54
filter-new-messages-generated 54
filter-rules-evaluated 54
filter-rules-fired 55
firewalls 15
flagging messages 8
foreign protection checking with Liquid Machines Document Control 15
foreign protection checking with RMS 13
format of messages
  monitoring 9
Forwarding Prevention 83
forwarding prevention 11
from 97

G

Gateway
  installing 22
  modes 15
  processing messages 15
  uninstalling 26
Gateway Configuration file syntax 91
Gateway for Exchange and SMTP 7
Gateway for Exchange and SMTP operations 31
Gateway Rules Authoring Tool 17, 59
Gateway Virtual Server Configuration Tool 31
Gateways
  multiple 36
gateway-service Settings
  Gateway Configuration file 94
Group Access Only 82
group access only 11
Group Add/Remove dialog box 79, 84

H

headers 9
  SMTP 101
health
  Gateway 43, 57
historical protection information 37
http-fetch-user-agent 97
HTTPS 32

I

ignored-content-class 98
ignored-content-classes 98
IIS 7
  configuring modes 31
IIS SMTP 8, 9
inactivating
  rules 70
Information Rights Management (IRM) 8
informational messages
  Gateway 50
Installation 19
installation architecture 15
installations
  RMS 11
installing the Gateway 22
installing the Rules Authoring Tool 27, 28
Internet bridgeheads 16
Internet Information Services (IIS) 7
intersection operator 103
IP address 105
IRM 8, 13

K

keys
  Liquid Machines Document Control 12


L
Ldap-server-name 94
levels
    Gateway 55
licenses 10
Liquid Machines Document Control 7, 12
Liquid Machines Document Control clients 13
Liquid Machines Document Control operation with RMS disabled 15
Liquid Machines Document Control policies 10
Liquid Machines Document Control protection 10
Liquid Machines Document Control servers 12
Liquid Machines Email Control Gateway detected an invalid ruleset cache. 45
Liquid Machines Email Control Gateway detected ruleset redirect. 50
Liquid Machines Email Control Gateway failed to fetch ruleset on refresh. 49
Liquid Machines Email Control Gateway failed to read cached ruleset. 45
Liquid Machines Email Control Gateway failed to store ruleset in cache. 45
Liquid Machines Email Control Gateway found an invalid ruleset on refresh. 49
Liquid Machines Email Control Gateway has been initialized. 50
Liquid Machines Email Control Gateway has been shut down. 50
Liquid Machines Email Control Gateway initialization failed. 44
Liquid Machines Email Control Gateway loaded cached ruleset. 50
Liquid Machines Email Control Gateway loaded new ruleset. 50
Liquid Machines Email Control Gateway rejected request. 44
Liquid Machines Email Control Gateway reloaded existing ruleset. 50
Liquid Machines Email Control Gateway stored ruleset in cache. 50
Liquid Machines Email Control Gateway successfully updated stale ruleset. 50
Liquid Machines Email Control Gateway unable to find ruleset on refresh. 49
Liquid Machines Email Control Gateway unable to read ruleset cache. 45
Liquid Machines Email Control IIS SMTP Event Sink could not handle message format. 44
Liquid Machines Email Control IIS SMTP Event Sink detected a message with a non-SMTP recipient address. 48
Liquid Machines Email Control IIS SMTP Event Sink detected a message with a non-SMTP sender address. 48
Liquid Machines Email Control IIS SMTP Event Sink detected duplicate Event Sink bindings. 44
Liquid Machines Email Control IIS SMTP Event Sink event processing started. 50
Liquid Machines Email Control IIS SMTP Event Sink failed to restart Gateway Service. 44
Liquid Machines Email Control IIS SMTP Event Sink failed to resubmit a modified message. 44
Liquid Machines Email Control IIS SMTP Event Sink failed to submit a new message. 44
Liquid Machines Email Control IIS SMTP Event Sink has been initialized. 50
Liquid Machines Email Control IIS SMTP Event Sink has been shut down. 50
Liquid Machines Email Control IIS SMTP Event Sink passed a message through unprocessed. 48
Liquid Machines Email Control IIS SMTP Event Sink pended a message. 48
Liquid Machines Email Control IIS SMTP Event Sink restarted Gateway Service. 50
Liquid Machines Email Control IIS SMTP Event Sink state changed to PASSTHROUGH. 48
Liquid Machines Email Control IIS SMTP Event Sink state changed to PEND. 48
Liquid Machines Email Control IIS SMTP Event Sink state changed to PROCESS. 50
Liquid Machines Gateway for Exchange and SMTP 7
Liquid Machines Key Service (LMKS) 12
Liquid Machines Policies and Keys (Universal Enforcement Services) initialized. 50
LMKS security 12
lm-ues 95
log files
    events and diagnostics 40
    Report when this rule is applied 39, 87
log-entry-prefix-format 97
log-file-name 97
log-file-root-dir 97
log-frequency-error 96
log-frequency-info 96
log-frequency-warning 96
logging
    applied rules 39
    events, warnings, errors 40
    Gateway 51
    recipient activity 40
logging settings
    Gateway Configuration file 94


M
Mailbox Address dialog box 88
Mailbox to Mailbox 15
Make Attachments Read Only 86
Manual Start
    Service 34
max-backup-logfile-count 94, 97
max-logfile-lifetime 94, 98
max-logfile-size 94, 97
Message Type dialog box 81
message types
    specifying 81
message-filtering-time 56
message-protecting-time 56
message-reprotecting-time 56
messages
    decrypting 31
    flow 35
    Gateway 50
    processing 15
    re-encrypting 31
    reprocessing 36, 38
    reprotecting 37
messages-protected 55
messages-reprotected 55
messages-unprotected 55
message-unprotecting-time 56
Microsoft Excel files
    attachment protection 38
    protection-config settings 95
Microsoft Exchange 7
Microsoft Exchange 2003 9
Microsoft Passport 83
Microsoft Passport Service 12
Microsoft PowerPoint files
    attachment protection 38
    protection-config settings 95
Microsoft RMS 82
Microsoft RMS session initialized. 50
Microsoft SQL Server
    logged data 40
Microsoft Visio 12
Microsoft Visio files
    attachment protection 38
    protection-config settings 95
Microsoft Windows Internet Information Services (IIS) 7
Microsoft Windows Rights Management Services (RMS) 7
    Service Pack 1 or 2 9
Microsoft Word files
    attachment protection 38
    protection-config settings 95
modes 16
    configuring 31
    Gateway 15, 31
monitoring content 9
monitoring settings
    Gateway Configuration file 96
ms-rms 95
multiple Gateways 36
multiple rules 71

N
networking 96

O
octal escapes 103
Office 2000 12
Office 2003 Professional 12
Office XP 12
open-client-connections 55
opening
    rulesets 61
operand classes 103
operational modes
    Gateway 31
operations
    Gateway for Exchange and SMTP 31
organizational bridgeheads 16
origin of messages
    monitoring 9
Other message 81
Outbound Messages 16
overriding
    protections 36

P
passwords
    service account 35
Pattern Fragment Wizard 75
patterns
    creating 74
    specifying 74
PDF files
    attachment protection 38
    protection-config settings 95
pend-message-on-error 98
performance
    Gateway 43, 57
    tuning 41
performance statistics
    Gateway 52
Perl 79
phrases
    specifying 74
ping-gateway-service 98


policies 13, 83
    Liquid Machines Document Control 12
policy-servers 95
possessive quantifiers 103
PowerPoint files
    attachment protection 38
    protection-config settings 95
preinstallation requirements 20
preprocessing operations
    Perl constructs not supported 103
Print Blocking 83
print blocking 11
priorities
    rules 17, 37
priority
    setting for rules 69
privileges
    service account 35
processing
    attachments 38
    messages 15
processing of Liquid Machines Document Control documents 14
Properties
    rulesets 63
Protect Attachments 86
protect options
    selecting 83
Protect the message with specific options
    multiple rules 71
    selecting protection options 83
    specifying actions 82
Protected Access 83
protected access 11
protected messages
    scanning 36
Protection environment initialized. 50
protection systems 9
protection-config settings
    Gateway Configuration file 94
protections
    overriding 36

R
Recipient Access Only 82
recipient only access 11
recurse-nested-mime-messages 95
re-encrypting messages 31
regular expressions 74, 78
    Perl 103
relay access permissions 105
removing
    Active Directory groups 80, 84
renaming
    rules 70
    rulesets 62
Reply Prevention 83
Reply-All Prevention 83
reply-to 97
Report when this rule is applied 39, 87
    multiple rules 72
reporting settings
    Gateway Configuration file 96
reprocessing
    messages 36, 38
reprotect 9
Reprotect Only mode
    Gateway 31
reprotecting
    messages 37
request-processing-time 56
requests-in-progress 55
requirements
    Gateway 19
    preinstallation
        Gateway 20
    Rules Authoring Tool 27
Restricted Permission 86
Restricted Permission Options
    multiple rules 71
retry-connection-delay 98
retry-connection-delays 98
Rights Management 8
rights management
    Liquid Machines Document Control 12
Rights Management Services (RMS) 7, 10
Rights Protected message 81
RMS 7, 10, 82
    installations 11
    Super User 83
    trusts 12
RMS clients 11
RMS processing with Liquid Machines Document Control disabled 13
RMS protection 9
    Liquid Machines Document Control 12
RMS servers 10
RMS Super User 10, 13, 35
RMS templates 13
root-dir 94
Routing Group to Routing Group 16
RTF files
    attachment protection 39


Rule description box 67, 73
rule priority
    setting 69
rule-action-info settings
    Gateway Configuration file 97
rules 9, 17
    activating 70
    creating 65
    deleting 70
    editing 70
    Gateway 31, 32
    inactivating 70
    renaming 70
    setting priority 69
    types 66
Rules Authoring Tool 17, 59
    installing 27, 28
    requirements 27
    uninstalling 29
    upgrading 28
Rules Wizard 65
Rules-based mode
    Gateway 31
    specifying rules 32
ruleset-caching settings
    Gateway Configuration file 96
rulesets 15, 32, 103
    creating 59
    defining 59
    deleting 63
    opening 61
    Properties 63
    renaming 62
    working with 63
run:host:ip-addr 99
run:host:name 99
run:moment 99
run:thread:id 99
run:thread:name 99

S
scanning protected messages 36
Search SMTP Headers dialog box 80
Search SMTP Headers window 81
Search Text dialog box 74
sections
    Gateway Configuration file 91, 93
security
    Liquid Machines Document Control 12
Select Group window 80, 85
Select Protect Options dialog box 83
selecting
    protection options 83
Selection Rules window 63, 65, 69, 70
Send alert message to sender 86, 87
    multiple rules 72
sender 97, 98
Service 34
    stopping and starting 34
service account 35
    credentials 35
    passwords 35
    privileges 35
services settings
    Gateway Configuration file 94
setting
    rule priority 69
Setting relay access permissions on Exchange and IIS SMTP 105
setting rule priority 69
settings
    Gateway Configuration file 91, 94
SMTP 7, 16
    configuring modes 31
    tuning performance 41
SMTP address 88
SMTP header values
    specifying 80
SMTP headers 101
SMTP relay 16
SMTP servers 8
Social Security Number
    specifying patterns 75
Specify words or phrases to search for 74
specifying
    actions 67
    Active Directory groups 79
    conditions 66, 73
    message types 81
    patterns 74
    Rules-based mode rules 32
    SMTP header values 80
    units of time 92
    words or phrases 74
SQL Server
    logged data 40
starting
    Gateway Rules Authoring Tool 59
    Service 34
statistics 40
    Gateway 52, 56
status
    Service 35
Step 1 of 4, create rule 66
Step 2 of 4, specify conditions 66, 73
Step 3 of 4, specify actions 67, 73
Step 4 of 4, name and finish 68


Stop processing more rules 89
    multiple rules 71
stopping
    Service 34
subexpressions 103
subject 97
subsections
    Gateway Configuration file 91
Successfully updated data for a Liquid Machines Policy Server. 51
Super User
    RMS 35, 83
system:dirs:common-app-data 99
system:dirs:cwd 99
system:dirs:temp 99
system:dirs:user 99
system:dirs:user-app-data 99
system:host:ip-addr 99
system:host:name 99
system:host:primary-domain-name 99

T
time
    specifying 92
To Anyone 84
To Original Recipients 84
    multiple rules 71
To Users Within Groups 84
    multiple rules 71
transport-sink 98
trusts
    RMS 11
types of rules 66

U
UES 12
uninstalling the Gateway 26
uninstalling the Rules Authoring Tool 29
union operator 103
units of time
    specifying 92
Universal Enforcement Services (UES) 12
unprotect and reprotect 9
Unprotect and Reprotect modes 16
Unprotect for Reprotect mode
    Gateway 31
Unprotect Permanently mode
    Gateway 31
unprotectable-server-suffix 95
unprotectable-server-suffixes 94
unprotect-attachments 95
Upgrading
    Rules Authoring Tool 28
url-fetch-retry-delay 96
url-fetch-retry-delays 96
users
    authenticating 10

V
variables
    Gateway Configuration file 91, 99
Visio 12
Visio files
    attachment protection 38
    protection-config settings 95

W
warning message
    alert 87
warnings
    Gateway 48
watches
    Gateway 56
Windows 2000 or 2003 9
Windows Active Directory 82
Windows Active Directory 2003 9
Windows Rights Management Services (RMS) 7
Word files
    attachment protection 38
    protection-config settings 95
words
    specifying 74
working with
    rulesets 63
working-thread-count 98

X
x-mailer 97
XML 53, 91
