Exchange Server
Prerequisites
Component | Description
---|---
Proxy agent | Windows agent
TCP allowed connections |
Version | Exchange Server 2013 and higher.
Configure impersonation
To scan a Microsoft Exchange mailbox, you have the following options:
Use an existing service account and assign it the ApplicationImpersonation management role.
(Recommended) Create a new service account and assign it the ApplicationImpersonation management role.
While you can assign the ApplicationImpersonation management role to a global administrator and use it for scanning mailboxes, we recommend using a dedicated service account instead. Service accounts are user accounts set up to perform administrative tasks only. Because of the broad permissions granted to service accounts, we recommend that you closely monitor and limit access to these accounts.
Assigning the ApplicationImpersonation role to a service account allows that account to act as the owner of any account that it is allowed to impersonate. DDC uses the permissions granted to this service account to scan those mailboxes.
To assign a service account the ApplicationImpersonation role for all mailboxes:
On the Exchange Server, open the Exchange Management Shell and run as administrator:
# <impersonationAssignmentName>: Name of your choice to describe the role assigned to the service account.
# <serviceAccount>: Name of the Exchange administrator account used to scan EWS.
New-ManagementRoleAssignment -Name:<impersonationAssignmentName> -Role:ApplicationImpersonation -User:<serviceAccount>
(Advanced) To assign the service account the ApplicationImpersonation role for a limited number of mailboxes, apply a management scope when making the assignment.
To assign a service account the ApplicationImpersonation role with an applied management scope:
On the Exchange Server, open the Exchange Management Shell as administrator.
Create a management scope to define the group of mailboxes the service account can impersonate:
New-ManagementScope -Name <scopeName> -RecipientRestrictionFilter <filter>
For more information on how to define management scopes, see Microsoft: New-ManagementScope.
Apply the ApplicationImpersonation role with the defined management scope:
New-ManagementRoleAssignment -Name:<impersonationAssignmentName> -Role:ApplicationImpersonation -User:<serviceAccount> -CustomRecipientWriteScope:<scopeName>
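The scoped assignment above is the least-privilege form of this setup: the service account can impersonate only the mailboxes the scope matches, rather than every mailbox in the organization. The following is an added example, not part of the DDC documentation, that carries the two-step procedure through end to end and then verifies the result. The account name svc-ddc-scan, the scope and assignment names, and the Department-based filter are all constructed placeholders; substitute your own.

```powershell
# Added example (not from the DDC documentation): scoped ApplicationImpersonation
# for a dedicated DDC service account. All names below are constructed placeholders.
# Run in the Exchange Management Shell as an administrator.

$ServiceAccount = 'svc-ddc-scan'                 # hypothetical dedicated service account
$ScopeName      = 'DDC-Finance-Scope'            # hypothetical management scope name
$AssignmentName = 'DDC-Finance-Impersonation'    # hypothetical role assignment name
$RecipientFilter = "Department -eq 'Finance'"    # constructed OPATH recipient filter

# 1. Preview which recipients the filter will match BEFORE granting anything.
#    This is the cheapest way to catch an over-broad scope.
Get-Recipient -Filter $RecipientFilter -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails

# 2. Create the management scope from that filter.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $RecipientFilter

# 3. Assign ApplicationImpersonation to the service account, limited to the scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 4. Verify the assignment the account now holds and the scope attached to it.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope, Enabled

# 5. Review check: list every ApplicationImpersonation assignment whose write scope
#    is the whole organization. A dedicated scanning account should not appear here.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
    Select-Object Name, RoleAssignee, Enabled
```

Step 1 is the check worth keeping: an impersonation scope is only as narrow as its filter, and previewing the recipient set with Get-Recipient makes the blast radius visible before the role is granted. Step 5 is a useful recurring audit, since an unscoped assignment to the same account would silently override the intent of the scoped one.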
Add Exchange Server data store
To add the Exchange Server data store:
Log on to the CipherTrust Manager GUI.
Open the Data Discovery and Classification application.
Click Data Stores > Data Stores > Add Data Store. The Add Data Store screen is displayed.
Complete the following steps:
Select Type & Category
Under Select Data Store Category, select Server.
From Select Server Type, select Exchange Server.
Click Next.
General Info
Specify the following details:
Data Store Name: Name for the data store.
Description (Optional): Description for the data store.
Location Name: Location of the data store.
Add Location: Click Add Location to add new locations to the Location Name drop-down. Refer to Adding Locations for detailed steps.
Sensitivity Level (Optional): Sensitivity level for the data store. Refer to Sensitivity Levels for details.
Enable Data Store: Whether to enable the newly added data store. Select the check box to enable the data store.
Click Next.
Configure Connection
Specify the credentials of the Exchange Server domain:
Field | Description
---|---
Domain | Domain name to scan mailboxes that reside on that domain. This is usually the domain component of the email address, or the Windows domain. Note: Using the domain IP instead of the domain name will not work.
User | Service account user name. Tip: The account used to scan Microsoft Exchange mailboxes must have a mailbox on the target Microsoft Exchange server, and must be a service account assigned the ApplicationImpersonation management role. See Configure impersonation.
Password | Service account password.

In the Select Number of Agents field, set the minimum and maximum number of agents for the data store. Refer to Agents for more information.
Warning
- As there is no limit on the number of minimum and maximum agents that you can set, you should exercise caution so that you do not impact the system performance by using too many resources for a single scan.
- You will not be able to add a datastore if the minimum number of agents cannot be assigned.
- A scan will fail if the assigned agent is unavailable after adding the datastore.
- The minimum number of agents must be less than or equal to the maximum number of agents.
(Optional) In the Add Label field, enter a label. You can also remove an existing label.
Click Next.
Add Access Control & Tags
(Optional) Grant the All groups (default) access for reports. Alternatively, select a group.
Click Save.
The data store is added to the Data Stores page. If the Ready to Scan column shows Ready, the data store is properly configured.
For more information on Access control and Tags, expand the section below.
Access Control & Tags
The Access Control & Tags tab on the Add Data Store screen allows you to grant access rights to your data store and add tags. More details below:
ACCESS CONTROL - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
TAGS - Select a tag from the Add Tag drop-down. See the list of prebuilt tags in Predefined tags section.
Tip
New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down.
Add as many tags as needed.
To remove a tag, click the close icon in the tag name.
Add Exchange Server scan
Note
If a mailbox is a member of multiple Groups, it is scanned each time a Group it belongs to is scanned. Mailboxes that are members of multiple Groups still consume only one mailbox license, no matter how many times it is scanned as part of a separate Group.
Example: User mailbox "A" belongs to Groups "A1" and "A2". When Groups "A1" and "A2" are added to the same scan, user mailbox "A" is scanned once when Group "A1" is scanned, and a second time when Group "A2" is scanned. Mailbox "A" consumes only one mailbox license despite having been scanned twice.
To add a scan for the Exchange Server:
Open the Data Discovery and Classification application.
Click Scans > Add Scan. The Add Scan screen is displayed.
Complete the following steps:
Refer to Scans for the description of sections of the Add Scan screen.
General Info
Specify a Name for the scan.
(optional) Add a Description for the scan.
Expand Advanced Configuration and specify advanced configurations such as Scan Priority, Memory Usage Limit, and Amount of Data Object Volume. Refer to Advanced Configuration for details.
Click Next.
Select Data Stores
Under Data Store Name, select the desired data store that is Ready for scanning. You can select multiple data stores, if required.
Click Next.
Add Targets
To add a scan target, do one of the following:
Add target path manually.
Under the Add Target field, specify the correct target path and click Apply. See Target limitations.
Navigate and add target paths.
Click Browse to navigate target paths from the root level.
Alternatively, provide an initial path in the Add Target Path field and click Browse to navigate targets from that point onward.
In the left pane, navigate and select the desired target path.
Click Add Path to add the target path to the right pane. Similarly, add other target paths.
Click Add.
Tip
Either navigate the target paths from the root level (without specifying any path in the Add Target Path field) or make sure you provide the correct path to navigate further locations within it.
Click Next.
Select Profiles
Under Classification Profile Name, select the desired classification profiles to search for in the data store. You can select multiple classification profiles, if required. Refer to Classification Profiles for details on classification profiles.
Click Next.
Add Filters
This step is optional.
Select the desired filter from the Select Filter drop-down list.
To filter the locations to scan an Exchange Server data store, consider the following syntax.
Note
Exclude Path/DO by prefix, suffix, and expression filters support wildcard characters. See Using wildcard characters to learn how wildcards work.
Exclude Path/DO by prefix
Excludes paths or data objects that begin with a given string. It can be used to exclude entire directory trees. Specify <string>.
Exclude Path/DO by suffix
Excludes paths or data objects that end with a given string. Specify <string>.
Exclude Path/DO by expression
This filter is mainly used with wildcard characters. Excludes paths or data objects that match the given expression. Specify <string>. For example, to exclude locations that contain 'blob' in their path, use the expression *blob*.
Include DO modified recently
Includes data objects modified within N number of days from the current date, where the value of N ranges from 1 to 99 days. After selecting this filter, specify Days from current date.
Exclude DO greater than size
Excludes data objects that are larger than a given file size (in MB). After selecting this filter, specify the file size in MB.
Include DO's within modification date
Includes data objects modified within a given range of dates. After selecting this filter, specify Start and End dates.
Click Apply.
Repeat the above steps to apply multiple filters. Click Remove to remove any applied filter.
Click Next.
Schedule Run
Specify the scan run frequency. The two options are:
Manual: This is the default option. Select this option to run the scan manually. Select the Run Now check box to start the scan run after you save the changes.
Scheduled: Select this option to configure the scan to run automatically at the specified time.
Refer to Schedule Scan for more details on scheduling scan runs.
Click Save.
Scan additional mailbox types
The following additional mailbox types are supported:
Shared mailboxes: Shared mailboxes do not have a specific owner. Instead, user accounts that need to access the shared mailbox are assigned "SendAs" or "FullAccess" permissions.
Linked mailboxes: A linked mailbox is a mailbox that resides on one Active Directory (AD) forest, while its associated AD user account (the linked master account) resides on another AD forest.
Mailboxes associated with disabled AD user accounts: Disabled AD user accounts may still be associated with active mailboxes that can still receive and send email. Mailboxes associated with disabled AD user accounts are not the same as disconnected mailboxes.
To scan the above supported mailbox types, use a service account with “FullAccess” rights to the target mailbox.
Grant access rights to mailboxes
Note
Adding "FullAccess" privileges to an existing user account may cause issues with existing user configuration. To avoid this, create a new service account and use only that account for scanning Exchange shared mailboxes with DDC.
Changes may not be immediate. Wait 15 minutes before starting a scan on the Exchange server.
After the service account is granted access to the target mailboxes, you can add them as targets.
Note
Linked mailboxes as service accounts
You cannot use a linked master account (the owner of a linked mailbox) to scan Exchange Targets in DDC. To successfully scan an Exchange Target, use a service account that resides on the same AD forest as the Exchange Target.
Shared Mailboxes
To grant a service account "FullAccess" rights to shared mailboxes, run the following commands in the Exchange Management Shell:
Grant full access to a specific shared mailbox:
Add-MailboxPermission -Identity <SHARED_MAILBOX> -User <SERVICE_ACCOUNT> -AccessRights FullAccess -Automapping $false
Here, <SHARED_MAILBOX> is the name of the shared mailbox, and <SERVICE_ACCOUNT> is the name of the account used to scan the mailbox.
Grant full access to all existing shared mailboxes on the Exchange server:
Get-Recipient -Resultsize unlimited | where {$_.RecipientTypeDetails -eq "SharedMailbox"} | Add-MailboxPermission -User <SERVICE_ACCOUNT> -AccessRights FullAccess -Automapping $false
Here, <SERVICE_ACCOUNT> is the name of the account used to scan the mailboxes.
Linked Mailboxes
To grant a service account "FullAccess" rights to linked mailboxes, run the following commands in the Exchange Management Shell:
Grant full access to a specific linked mailbox:
Add-MailboxPermission -Identity <LINKED_MAILBOX> -User <SERVICE_ACCOUNT> -AccessRights FullAccess -Automapping $false
Here, <LINKED_MAILBOX> is the name of the linked mailbox, and <SERVICE_ACCOUNT> is the name of the account used to scan the mailbox.
Grant full access to all existing linked mailboxes on the Exchange server:
Get-Recipient -Resultsize unlimited | where {$_.RecipientTypeDetails -eq "LinkedMailbox"} | Add-MailboxPermission -User <SERVICE_ACCOUNT> -AccessRights FullAccess -Automapping $false
Here, <SERVICE_ACCOUNT> is the name of the account used to scan the mailboxes.
Mailboxes associated with disabled AD user accounts
To grant a service account "FullAccess" rights to mailboxes associated with disabled AD user accounts, run the following commands in the Exchange Management Shell:
Grant full access to a specific mailbox:
Add-MailboxPermission -Identity <USER_DISABLED_MAILBOX> -User <SERVICE_ACCOUNT> -AccessRights FullAccess -Automapping $false
Here, <USER_DISABLED_MAILBOX> is the name of the mailbox associated with a disabled AD user account, and <SERVICE_ACCOUNT> is the name of the account used to scan the mailbox.
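The three grants above are the same Add-MailboxPermission call applied to three mailbox populations. The following added example, not part of the DDC documentation, collects all three populations in one pass and then produces the review a practitioner wants afterwards: the full list of mailboxes the scanning account can now open. It goes a little beyond the page in one respect: the page grants access to mailboxes of disabled AD accounts one at a time, while this example finds them in bulk with a filter on ExchangeUserAccountControl. The account name svc-ddc-scan is a constructed placeholder.

```powershell
# Added example (not from the DDC documentation): grant a dedicated DDC service
# account FullAccess to the mailbox types DDC needs, then review what it can reach.
# svc-ddc-scan is a hypothetical account name. Run in the Exchange Management Shell.

$ServiceAccount = 'svc-ddc-scan'

# Collect the target populations:
#  - shared and linked mailboxes, selected by recipient type as on the page;
#  - mailboxes whose AD account is disabled, selected with an
#    ExchangeUserAccountControl filter (assumed filterable property) instead of
#    naming each mailbox individually.
$targets = @(
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox, LinkedMailbox
    Get-Mailbox -ResultSize Unlimited -Filter "ExchangeUserAccountControl -eq 'AccountDisabled'"
)

foreach ($mbx in $targets) {
    # -AutoMapping $false stops Outlook from auto-attaching these mailboxes to the
    # service account's profile. Re-running the loop simply re-applies the same ACE.
    Add-MailboxPermission -Identity $mbx.Identity `
        -User $ServiceAccount `
        -AccessRights FullAccess `
        -AutoMapping $false `
        -Confirm:$false
}

# Review: every mailbox on which the service account now holds an explicit,
# non-denied FullAccess entry. Compare this list against the intended scan
# targets and remove anything that should not be there.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $ServiceAccount |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny } |
    Select-Object Identity, AccessRights, IsInherited
```

The review query at the end is the part worth scheduling: FullAccess on a mailbox is effectively ownership of its contents, so the set of mailboxes a scanning account can open should be re-checked against the intended target list whenever new shared or linked mailboxes are created. As the page notes, allow time for the permission change to propagate before starting a scan.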
Unsupported mailboxes and folders
Currently, DDC doesn't support the following mailbox types and folders for the Exchange Server target:
Disconnected mailboxes: Disconnected mailboxes are mailboxes that have been:
Disabled: Disabled mailboxes are rendered inactive and retained until the retention period expires, while leaving associated user accounts untouched. Disabled mailboxes can only be accessed by reconnecting the owner user account to the mailbox.
Removed: Removing a mailbox deletes the associated AD user account, renders the mailbox inactive, and retains it until its retention period expires. Removed mailboxes can only be accessed by connecting them to another user account.
Moved to a different mailbox database: Moving a mailbox from one mailbox database to another leaves the associated user account untouched, but sets the state of the mailbox to "SoftDeleted". "SoftDeleted" mailboxes are left in place in their original mailbox database as a backup, in case the destination mailbox is corrupted during the move. To access a "SoftDeleted" mailbox, connect it to a different user account or restore its contents to a different mailbox.
Resource mailboxes: Resource mailboxes are mailboxes that have been assigned to meeting locations (room mailboxes) and other shared physical resources in the company (equipment mailboxes). These mailboxes are used for scheduling purposes.
Remote mailboxes: Mailboxes that are set up on a hosted Exchange instance, or on Microsoft 365, and connected to an email user on an on-premises Exchange instance.
System mailboxes
Legacy mailboxes
Note
The following are not mailboxes, and are not supported as scan locations:
All distribution groups.
Mail users or mail contacts.
Public folders.
Target limitations
Scanning the entire data store is not supported, hence you must specify a scan target path.