Introducing Journaling


A lot of people confuse journaling, which is the process of capturing a set of communications for future use, with archiving, which is the practice of removing less frequently accessed message data from the message store in favor of a secondary storage location. Archival is all about getting stuff out of your mailboxes, usually older and bulkier messages and attachments, so you can reduce the performance hit on your comparatively expensive mailbox server storage systems and reduce your backup windows. Journaling is record keeping; you're defining a set of users whose traffic you must keep track of, and Exchange dutifully captures faithful copies of every message they send or receive.

As we stated before, journaling is one of the main strategies that compliance and archival vendors use to get messaging data into their solutions.

Note 

Archival solutions are outside the scope of this book; Exchange 2007 offers no native archival abilities.

Although you may not have any explicit applicable regulatory language that forces you to implement journaling, it can often be one of the easier ways to meet what requirements you do have. As compliance becomes more of an issue, the ability to quickly and easily put your hands on complete and accurate records of messaging communications will become critical.

Legacy Exchange offered rudimentary journaling; Exchange 2003 offered the ability to do envelope journaling, which finally captured sufficient information to be of general use. The base journaling mechanism used by Exchange 2007 is envelope journaling, which captures all recipient information (even Bcc: headers and forwards). However, you have two options for journaling:

  • Standard journaling (per-mailbox database journaling) uses the Journaling agent on HT servers to journal all messages sent to and from recipients and senders whose mailboxes are homed on specified mailbox databases.

  • Premium journaling (per-recipient journaling) also uses the Journaling agent on HT servers, but it's more granular. It offers you the ability to design journaling rules for groups or even specific users if need be.

Note 

You must have an Exchange Enterprise Client Access License (CAL) to use premium journaling.

Implementing Journaling

The Journaling agent, present on your Hub Transport servers, is responsible for detecting whether a given message falls under your journaling rules. When you use standard journaling, you enable it for an entire mailbox database. Any messages sent to or by recipients whose mailboxes are located on a journal-enabled database will be detected by the Journaling agent and copies will be sent to a designated journal recipient. This journal recipient can be another recipient in the Exchange organization - if it is an Exchange mailbox it must be dedicated to the purpose - or an SMTP address on another messaging system.

Note 

Journaling to an external recipient may seem like a crazy idea at first blush. However, this allows Exchange 2007 to be used with compliance and archival solutions that are not part of the Exchange organization or even with hosted solution providers.

Tip 

If you use an external journal recipient, you should ensure that your SMTP transport connections to the external system are fully secure and authenticated. Exchange 2007 supports the use of the TLS protocol; see Chapter 20 for details on how to configure TLS connections to specific domains and how to enable SMTP authentication.

When you use premium journaling, you create journal rules that define a subset of the recipients in your organization. The Journaling agent on the Hub Transport server detects that the rule matches a given message and again sends a copy of the message to the journal recipient.

Journaling rules can have three scopes, which helps the Journaling agent decide whether or not it needs to examine a given message:

  • The Internal scope matches messages where all senders and recipients are members of the Exchange organization.

  • The External scope matches messages where at least one sender or recipient is an external entity.

  • The Global scope matches all messages, even those that may have already been matched by the other scopes.

Note 

Premium journaling rules are stored in Active Directory and propagated to all Hub Transport servers, depending on the normal AD replication mechanism.

If you are using an internal mailbox as your journaling recipient, you should be aware that it may collect a large amount of traffic. While you can use the same mailbox for all journal reports generated in your organization, you may need to create multiple mailboxes to control mailbox size and ensure that your backup windows can be maintained. These mailboxes should be kept very secure and safe from everyday access because they may one day be material evidence in the event that your business is sued or must prove compliance to auditors.

To guard against the loss of journaling reports in the event of trouble within your Exchange organization, you can designate an alternate journaling mailbox. This mailbox will receive any non-delivery reports that are issued if journal reports cannot be delivered to your journaling recipient. Unfortunately, you get to configure a single alternate mailbox for your entire organization. Not only can this cause performance and mailbox size issues, but your local regulations may also prevent you from mixing multiple types of journal information in one mailbox.

Note 

If you are using the Unified Messaging role in your organization, you may not want to journal UM-generated messages such as voicemail. On the other hand, you may be required to preserve these types of messages as well as your regular e-mail.

Reading Journal Reports

The journaling process creates a special Exchange message known as the journal report. This message is essentially a wrapper that contains a summary of the original message properties. It also contains a pristine copy of the original message that generated the report, neatly attached to the report. The reports are designed to be human and machine readable, allowing you to automate processing of journal reports via a third-party application as well as perform manual checks on the data.

Table 13.1 shows the fields that Exchange 2007 places in the journal report.

Table 13.1: Exchange 2007 Journal Report Fields

| Field | What It Contains |
|---|---|
| To | The SMTP address of a recipient in the To header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field. |
| Cc | The SMTP address of a recipient in the Cc header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field. |
| Bcc | The SMTP address of a recipient in the Bcc header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field. |
| Recipient | The SMTP address of a recipient who is not a member of the Exchange 2007 organization, such as Internet recipients or recipients on legacy Exchange servers. |
| Sender | The sender's SMTP address, found either in the From or Sender header of the message. |
| On-Behalf-Of | The relevant SMTP address if the Send on Behalf Of feature was used. |
| Subject | The Subject header. |
| Message-ID | The internal Exchange Message-ID. |


Depending on your routing topology and journal rule configuration, you may receive multiple journal reports for a given message. This is not an error; it reflects the fact that any given Hub Transport server may not have a complete view of the organization, depending on AD replication, recipient caching, and other factors.
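
One way to automate the processing described above, as an added example that is not from the book or from Exchange: it reads journal reports with Python's standard email module, takes the summary fields from the report body and the original message from the attachment, and merges the multiple reports a single message can generate by Message-ID. The body layout (one `Field: value` line per entry, with `, Expanded: address` appended for distribution lists), the function names and all addresses are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
RCPT = {"to", "cc", "bcc", "recipient"}
META = {"sender", "on-behalf-of", "subject", "message-id"}

def parse_report(raw):
    """Summary fields come from the report body, the original from the attachment."""
    out = {"recipients": set(), "original": None}
    report = email.message_from_string(raw, policy=policy.default)
    for part in report.iter_parts():  # top level only; never descend into the original
        if part.get_content_type() == "message/rfc822":
            out["original"] = part.get_content()
        elif part.get_content_type() == "text/plain":
            for line in part.get_content().splitlines():
                name, _, value = line.partition(":")
                key, value = name.strip().lower(), value.strip()
                if key in RCPT and value:
                    # Assumed layout: "Bcc: addr, Expanded: list-addr" (or "Forwarded:")
                    addr, _, via = value.partition(",")
                    out["recipients"].add((key, addr.strip().lower(), via.strip() or None))
                elif key in META and value:
                    out[key] = value
    return out

def merge_reports(raws):
    """Collapse duplicate reports per Message-ID; reject reports that cannot be keyed."""
    merged, rejected = {}, []
    for raw in raws:
        rep = parse_report(raw)
        mid = rep.get("message-id")
        if mid is None or rep["original"] is None:
            rejected.append(raw)  # keep for manual review, never drop silently
        elif mid in merged:
            merged[mid]["recipients"] |= rep["recipients"]
        else:
            merged[mid] = rep
    return merged, rejected

def _sample(body):  # constructed report: summary body plus message/rfc822 attachment
    orig, rep = EmailMessage(), EmailMessage()
    orig["From"], orig["To"] = "alice@example.com", "bob@example.com"
    orig.set_content("Draft attached.")
    rep["Subject"] = "Q3 numbers"
    rep.set_content(body)
    rep.add_attachment(orig)
    return rep.as_string()

HEAD = "Sender: alice@example.com\nSubject: Q3 numbers\nMessage-ID: <1@example.com>\n"
SAMPLES = [_sample(HEAD + "To: bob@example.com\nBcc: carol@example.com, Expanded: audit@example.com\n"),
           _sample(HEAD + "To: bob@example.com\nRecipient: dave@example.net\n"),
           _sample("Sender: alice@example.com\n")]  # no Message-ID: must be rejected
```

In the merged record the Bcc recipient appears only in the report summary, not in the headers of the attached original, which is the information envelope journaling exists to preserve.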




Mastering Microsoft Exchange Server 2007 SP1
ISBN: 0470417331
EAN: 2147483647
Year: 2004
Pages: 198
Authors: Jim McBee
