5. Understanding Journaling
Journaling and archiving are two concepts that are often confused for one another.
Both have to do with the retention of data, but the purpose behind the
concepts is the defining factor.
Journaling is the process of recording all inbound and outbound email
communications in an organization to meet the email retention or
archival strategy.
Archiving is the process of managing the size of an environment’s data store by
taking a backup copy of historical data, removing it from its native
environment, and storing it elsewhere.
Each of these strategies can be used for meeting certain regulatory
requirements, and journaling can often be used as a tool in an
organization’s archiving strategy.
The Benefits of Journaling
Over the past several years, there has been a significant increase in
regulations requiring organizations to maintain records of
communication—especially relating to the financial services, insurance,
and health-care industries. In addition, many companies have found that
maintaining accurate and complete records of employee communications
can assist them in the legal arena, whether they are defending against
or initiating lawsuits.
For example, a disgruntled former employee might file a lawsuit against a
company for wrongful termination, stating that he had never been
notified that his behavior or performance was unsatisfactory. If the
organization has an email journaling solution in place, they could go
through the historical data and show specific examples where the
behavior problems were discussed with the employee. More and more
courts are accepting, and often insisting on, historical corporate
messaging data to determine culpability.
Some of the more well-known U.S. regulations that, in recent years, have
specified requirements that might rely on journaling technology follow:
• Sarbanes-Oxley Act of 2002 (SOX)—One of the most widely known regulatory acts, the Sarbanes-Oxley Act is a
U.S. federal law that requires the preservation of records by certain
exchange members, brokers, and dealers. This act was passed into
law in response to a number of major corporate and accounting scandals
that resulted in a decline of public trust in corporate accounting and
reporting practices.
• Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4)—This U.S. Securities and Exchange Commission rule governs the retention of electronic correspondence and records.
• National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)—The
NASD details requirements for member firms that include the supervision
of registered representatives, including inbound and outbound
electronic correspondence with the public. In addition, the NASD
details how long this information must be maintained and what
conditions must be met.
• Health Insurance Portability and Accountability Act of 1996—More
commonly known as HIPAA, this U.S. federal law provides rights and
protections for participants and beneficiaries in group health plans.
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001—Better
known as the Patriot Act, this U.S. federal law expands the authority
of U.S. law enforcement for the stated purpose of fighting terrorist
acts in the United States and abroad.
In addition, there are regulations imposed outside of the United States
that organizations with a worldwide presence might need to adhere to,
such as the following:
• The European Union Data Protection Directive (EUDPD)–A
directive that standardizes the protection of data privacy for citizens
throughout the European Union (EU) by providing baseline requirements
that all member states must adhere to.
• Japan’s Personal Information Protection Act—A
law created and enforced by the Japanese government to regulate the
collection, use, and transfer of personal information. The Personal
Information Protection Act applies to government or private entities
that collect, handle, or use personal information of 5,000 or more
individuals.
Using journaling technology is one way that companies can work toward meeting these (and other) regulatory requirements.
The Journaling Agent
In an Exchange Server 2013 environment, all email is processed by at least
one Hub Transport (HT) server. This includes messages that are sent to
or received from external organizations, mail sent from a mailbox on
one server to a mailbox on another server, or even mail sent between
mailboxes located on the same server. All mail must pass through a Hub
Transport server for delivery.
The Journaling agent is an agent that processes messages on HT servers and that is focused on compliance.
In Exchange Server 2013, there are two journaling options:
• Standard journaling—Standard
journaling is configured on a mailbox database. It enables the
Journaling agent (on the HT server) to journal all messages that are
sent to or from any mailbox on that particular database. If an
organization wants to journal all mail sent and received by all
mailboxes in its environment, journaling must be configured on each
mailbox database in the organization.
• Premium journaling—Premium
journaling enables the creation and implementation of journaling rules
that enable the Journaling agent to be more specific about what is and
isn’t journaled. Rather than capturing all mail to all mailboxes in a
database, journal rules can be configured to journal only specific
mailboxes or the mailboxes of all members in a distribution group. The
implementation of premium journaling requires an Exchange Enterprise
client access license (CAL).
Journal rules are composed of three key components:
• Journal rule scope—The messages that are journaled by the Journaling agent
• Journal recipients—The SMTP address of the recipient to be journaled
• Journaling mailboxes—One or more mailboxes that are used for collecting journal reports
Journal Rule Scope
When configuring a journal rule, the scope of the rule defines what type of
messages will be journaled. You can choose from the following three
scopes:
• Internal—When
journaling entries are based on the Internal scope, messages that are
sent and received by mailboxes within the Exchange Server organization
are journaled.
• External—When
journaling entries are based on the External scope, messages that are
sent to recipients outside the Exchange Server organization, or that
are received from senders outside of the Exchange Server organization,
are journaled.
• Global—When
journaling entries are based on the Global scope, all messages that
pass through a server with the Hub Transport server role are journaled.
Note
When the Global scope is selected, the Hub Transport servers journal all
messages that pass through. This includes messages that might or might
not have been journaled already by rules in the Internal and External
scopes.
Journal Recipients
In addition to the journaling scopes just discussed, specific SMTP
addresses can be targeted for journaling. This can be helpful when your
organization has specific individuals or positions that are subject to
regulatory requirements that are more stringent than other personnel in
your organization. In addition, this feature can be extremely useful
when an individual is investigated for a legal proceeding and your
organization wants to track his or her messages to be used as evidence.
Because every journaled message takes up storage space, customizing your
journaling environment to match the actual needs of your organization,
rather than simply turning it on for everyone, can go a long way toward
minimizing your costs.
All messages sent
to or from the journaling recipients specified in a journaling rule are
journaled. If a distribution group (rather than an individual user) is
specified in the rule, all messages to and from members of the group
are journaled. If a journal rule recipient is not specified, all
messages sent to or from recipients that match the criteria of the
journal rule scope are journaled.
Organizations that also utilize Unified Messaging to consolidate their
voice mail and fax infrastructure into their email system must
evaluate whether they want to journal their voice mail and missed call
notifications as well. Voice mail messages can be significant in size,
and costly in terms of disk space, so if there is no specific
requirement for your organization to save these messages, you might not
want to do so. However, messages that contain faxes and that are
generated by a Unified Messaging server are always journaled, even if
you disable journaling of Unified Messaging voice mail and missed call
notifications.
When you enable or disable
the journaling of voice mail and missed call notification messages,
your change is applied to all Hub Transport servers in your
organization.
Journaling Mailboxes
All of these journaled messages must reside somewhere if they are ever to
be utilized; a journaling mailbox is one that is used only for
collecting journal reports. In Exchange Server, you have the
flexibility to create a single journaling mailbox to store all journal
reports, or you can create separate journaling mailboxes for each
journal rule (or set of journal rules) that you configure. This
flexibility even enables you to configure multiple journal rules to use
one specific journaling mailbox and then configure other rules to each
use their own specific one. How you configure your journaling mailboxes
depends on your organization’s policies and regulatory and legal
requirements.
It is important to note that journaling mailboxes collect messages that are
sent to and from recipients in your organization, and that these
messages might contain sensitive information, might be used as part of
legal proceedings, or might be used to meet regulatory requirements.
Various laws are in place that mandate that these messages remain
tamper free if they are to be used by an investigatory authority.
Administrators should work closely with the Legal Department in their
organization (if one exists) to develop policies that specify who can
access this data and security measures to ensure these policies are
enforced. Access to the journaling mailboxes should be limited to those
with the “need to know,” so to speak. When a journaling solution is put
in place, it should be reviewed and certified by your legal
representatives to make sure it complies with all the laws and
regulations that govern your organization.
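One way to check the access policy described above is to list every explicit permission on each journaling mailbox and flag anything not on an approved list. This is an added example, not part of the original text; it assumes the Exchange Management Shell, and the CONTOSO\ComplianceOfficers group is a hypothetical placeholder.

```powershell
# Added example: review who can open each journaling mailbox.
# Assumption: run in the Exchange Management Shell with rights to read
# journal rules and mailbox permissions.
# $ApprovedReaders is a hypothetical allow-list agreed with the Legal Department.
$ApprovedReaders = @('CONTOSO\ComplianceOfficers')   # placeholder group

# Every distinct address that journal rules deliver reports to.
$journalAddresses = Get-JournalRule |
    Select-Object -ExpandProperty JournalEmailAddress |
    ForEach-Object { $_.ToString() } |
    Sort-Object -Unique

foreach ($address in $journalAddresses) {
    # The address may belong to an external archive, not a local mailbox.
    $mailbox = Get-Mailbox -Identity $address -ErrorAction SilentlyContinue
    if (-not $mailbox) {
        Write-Warning "$address is not a local mailbox; review access at the external archive."
        continue
    }

    # Explicit (non-inherited) allow entries other than the mailbox itself.
    $grants = Get-MailboxPermission -Identity $mailbox.Identity |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\SELF'
        }

    foreach ($grant in $grants) {
        $status = if ($ApprovedReaders -contains $grant.User.ToString()) { 'Approved' } else { 'REVIEW' }
        [pscustomobject]@{
            JournalingMailbox = $mailbox.PrimarySmtpAddress
            User              = $grant.User
            AccessRights      = ($grant.AccessRights -join ', ')
            Status            = $status
        }
    }
}
```

Rows marked REVIEW are grants that the policy owner has not approved; inherited permissions are excluded here and need a separate review at the database or organization level.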
Journal Rule Replication
When a journal rule is created, modified, or deleted on a Hub Transport
server, the change is replicated to all Active Directory servers in the
organization. All Hub Transport servers in the organization get these
new configuration changes from AD and apply the new or modified rules
to messages that pass through them. Every time the Hub Transport server
retrieves a new journal rule, an event is logged in the security log of
the Event Viewer.
By utilizing replication
of journal rules throughout the organization, Exchange Server 2013
ensures a consistent set of rules are utilized throughout. All messages
passing through the Exchange Server organization are subject to the
same journaling rules.
Note
Journal rule replication relies on AD
replication. Administrators should take link speeds and replication
delays into consideration when implementing new or modified journal
rules.
To reduce the number of requests
that Hub Transport servers must make to AD, each one maintains a
recipient cache that is used to look up recipient and distribution list
information. This cache is updated every 4 hours, and the update
interval cannot be modified. Changes to journal rule recipients might
not be applied to journal rules until this cache is updated. To force
an immediate update of the recipient cache, the Microsoft Exchange
Transport service must be restarted on every Hub Transport server that
you want to immediately update the cache.
Journal Reports
A journal report is the message that Exchange Server generates when a
message is submitted to the journaling mailbox. Exchange Server 2013
supports envelope journaling only, which means that the original
message matching the journal rule is included (unaltered) as an
attachment to the journal report. The body of the journal report
contains associated information such as the sender email address,
message subject, message ID, and recipient address of the original
message.
Creating a New Journal Rule
Unlike previous versions of Exchange Server, the Journaling agent is a
built-in agent that is no longer visible in the Transport Agents tab in
the EMC. It is also not included in the results when running the Get-TransportAgent
cmdlet in the EMS. The Journaling agent is enabled by default in
Exchange Server 2013, so administrators do not need to enable it before
use.
To create a journal rule in the Exchange Administration Center, follow these steps:
1. Open the Exchange Administration Center.
2. Click the Compliance Management tab.
3. Click the Journal Rules option.
4. Click the New (+) icon.
5. In the New Journal Rule dialog box, enter a name for your journaling rule.
6. For If the Message Is Sent To or From, select whether to journal mail
sent to or from a specific user or all messages. If you choose to
journal to or from a specific user, you will be presented with a dialog
box where you can choose one or more users to journal.
7. For Journal the Following Messages, select whether to journal all, internal, or external messages.
8. In the Send Journal Reports to E-mail Address field, enter the email
address of the recipient who is to receive the journal reports.
9. Click Save to save the rule.
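The same rule can be created from the Exchange Management Shell with the New-JournalRule cmdlet. This is an added example, not part of the original text; the rule name and addresses are placeholders, and the script reports drift if a rule with that name already exists.

```powershell
# Added example: Exchange Management Shell equivalent of the steps above.
# All names and addresses below are placeholders.
$RuleName       = 'Journal-Finance-External'     # step 5: rule name
$Recipient      = 'finance-team@contoso.com'     # step 6: user or distribution group
$Scope          = 'External'                     # step 7: Internal, External, or Global
$JournalMailbox = 'journal-finance@contoso.com'  # step 8: where journal reports go

$existing = Get-JournalRule -Identity $RuleName -ErrorAction SilentlyContinue

if (-not $existing) {
    # Rules created from the shell are disabled unless -Enabled $true is given.
    New-JournalRule -Name $RuleName `
                    -JournalEmailAddress $JournalMailbox `
                    -Recipient $Recipient `
                    -Scope $Scope `
                    -Enabled $true
}
else {
    # Report differences instead of silently overwriting an existing rule.
    $desired = @{
        Scope               = $Scope
        Recipient           = $Recipient
        JournalEmailAddress = $JournalMailbox
        Enabled             = $true
    }
    foreach ($key in $desired.Keys) {
        if ("$($existing.$key)" -ne "$($desired[$key])") {
            Write-Warning "Rule '$RuleName' drift: $key is '$($existing.$key)', expected '$($desired[$key])'"
        }
    }
}

# Confirm what is now in force across the organization.
Get-JournalRule | Format-Table Name, Recipient, JournalEmailAddress, Scope, Enabled -AutoSize
```

Omitting -Recipient journals all messages that match the scope, which corresponds to choosing all messages in step 6.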