Archive for the ‘Symantec’ Category

Installing Symantec Encryption Server & Exchange 2010 Configuration Part 3 – Sending Encrypted Emails

June 2, 2013

In Part 1 and Part 2 we explored the basics of installing the Symantec Encryption Server (SES) and of configuring and managing encryption keys. In this part we will tie the two together and send encrypted emails.

Understanding Email Policies:

Email policies are the building block for handling email: they determine how emails from specific senders, sent to specific recipients, with specific contents will be handled.

A set of policies is created by default:

image

They determine how outbound and inbound emails will be handled. The default policy has the following settings:

image

The outbound client has the following settings:

image

These tell the SES that if the source client is SMTP/MAPI, the email is sent to the outbound chain, which performs the encryption actions:

image

If we explore the outbound chain, we will find the following settings:

image

These settings instruct the SES how to handle emails that match specific conditions. I edited this rule and added the “confidential rule”, which encrypts emails sent internally or externally with the word “confidential” in the subject line. You can add your own set of rules to meet your business needs and enforce certain delivery types, like web or protected PDF:

image
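A subject-keyword rule such as the “confidential rule” can be checked against sample messages before relying on it. The following is an added example, not SES configuration or code from this blog: a simplified model of an outbound chain in which the rule names, the first-match ordering, the case-insensitive subject match and the key directory are all assumptions, and the sample messages are constructed.

```python
"""Simplified model of an outbound mail-policy chain (illustrative only)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    subject: str


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Message], bool]
    action: str  # "encrypt" or "send_clear"


# Hypothetical key directory: recipient address -> key ID (constructed values).
KEY_DIRECTORY = {"alice@example.org": "0xA11CE001"}


def subject_contains(word: str) -> Callable[[Message], bool]:
    # Assumption: the condition is a case-insensitive substring test.
    return lambda m: word.lower() in m.subject.lower()


# Assumption: rules are evaluated top to bottom and the first match wins.
OUTBOUND_CHAIN = [
    Rule("confidential rule", subject_contains("confidential"), "encrypt"),
    Rule("default", lambda m: True, "send_clear"),
]


def find_key(recipient: str) -> Optional[str]:
    return KEY_DIRECTORY.get(recipient.lower())


def evaluate(msg: Message, chain=OUTBOUND_CHAIN) -> Tuple[str, str]:
    """Return (matching rule name, delivery decision) for one message."""
    for rule in chain:
        if not rule.condition(msg):
            continue
        if rule.action == "send_clear":
            return rule.name, "send unencrypted"
        key = find_key(msg.recipient)
        if key:
            return rule.name, f"encrypt to key {key}"
        # No key for the recipient: the message stays on the server and the
        # recipient is notified with a link, as the post goes on to show.
        return rule.name, "web delivery (notification with link)"
    raise LookupError("chain has no catch-all rule")


def sent_in_clear(messages: List[Message]) -> List[str]:
    """Subjects of the messages that would leave without encryption."""
    return [m.subject for m in messages
            if evaluate(m)[1] == "send unencrypted"]


# Constructed sample messages, including a misspelt keyword.
SAMPLE = [
    Message("user1@corp.example", "alice@example.org", "Confidential: contract draft"),
    Message("user1@corp.example", "user@domain.com", "CONFIDENTIAL payroll"),
    Message("user1@corp.example", "user@domain.com", "Confidental payroll"),
    Message("user1@corp.example", "user@domain.com", "Lunch on Friday"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m.subject!r:35} -> {evaluate(m)}")
    print("left unencrypted:", sent_in_clear(SAMPLE))
```

In this model the misspelt subject falls through to the default rule and leaves unencrypted, which is the failure mode to test for when encryption depends on a keyword the sender has to type.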

Once you set the rules, you can send encrypted emails. Let us see how:

From the Outlook client, I will send a normal email to user@domain.com (a fictional domain). The client will detect the policy that is set on the server and will send the email out of the message stream to the SES:

image

Because we can’t find a key for user@domain.com, the email is sent to the SES, and the SES sends the user an email notifying him that there is a message waiting for him:

image

In the above email, I am opening the EML file in Notepad (I only have an SMTP server at the recipient side). The message contains the link to open the email. (Take a look at how the email flowed from the client to keys, “the SES server”, to Exchange, to the recipient server.)

When opening the link, the user is prompted to register (in the SES portal, with a passphrase). Then the user can log in:

image

Once the user logs in, he can see the email through the portal. The user can reply and interact securely with the internal user, or ask for email delivery via secure PDF:

image

image

We have reached the end of this series; we can now send and exchange emails securely with Symantec Encryption Server. I hope that you liked this series.

Installing Symantec Encryption Server & Exchange 2010 Configuration Part 2 – Understand Key Management

May 22, 2013

In Part 1 (https://autodiscover.wordpress.com/2013/05/21/installing-symantec-encryption-management-server-and-exchange-2010-configuration-part1/) we explored the basic steps to install the Symantec Encryption Server.

In this post, we will explore a very important aspect of any encryption solution: key management.

Introduction:

To understand what public/private keys are, check these links:

http://www.comodo.com/resources/small-business/digital-certificates2.php

http://blogs.msdn.com/b/plankytronixx/archive/2010/10/23/crypto-primer-understanding-encryption-public-private-key-signatures-and-certificates.aspx

If you read the above articles, you will realize that we will use public and private keys. While Microsoft uses X.509 certificates based on a Microsoft CA and S/MIME to encrypt the messages, Symantec Encryption Server uses PGP keys, which have a different structure; the keys are stored in a PGP LDAP server (we will see how to import an X.509 certificate into Symantec Encryption Server later).

Keys Provisioning:

In order for a user to obtain PGP keys, the user must register for PGP keys with the server. Let us see the steps to do that.

To configure email enrolment, you first need to define an email route; this tells the encryption server where to send the registration emails and any emails sent to your domain. From the control panel, go to mail > mail route and add an email route to your server:

image

When you download the Encryption Desktop install package and install it on the machine, the client automatically detects the encryption server and tries to contact it. Since I don’t have a valid certificate on my server, it warns me; click on “always trust this site”.

image

Enter the email address:

image

The user will receive an encrypted email:

image

Once the user opens the encrypted email, he/she can continue the registration:

image

image

Verify the username and email address:

image

Create a passphrase to protect your key (remember this step, as we will talk about it in detail later when discussing the key storage types):

image

The key will be generated for the user:

image

Now when you open Encryption Desktop, you will see the keys and policies created by the encryption server and assigned to the user:

image

In the console, you can see the list of managed keys as well:

image

If you click on the key mode button (from the Encryption Desktop window), you will see that the key is operating in SKM mode. So what is that?

image

Keys in Symantec Encryption Server operate in different modes. The modes are:

  • Server Key Mode: In this mode, the private keys are stored on the server and users can’t manage their keys.
  • Client Key Mode: In this mode, the private keys are not stored on the server, and users must manage and protect their own private keys.
  • Guarded Key Mode: In this mode, a passphrase-protected private key is stored on the server and clients manage their key.
  • Server Client Key Mode: A subkey of the private key is stored on the server; the private key is still stored on the client.

You must be very careful when selecting the key mode in your environment; depending on the key mode, you will gain or lose some features, as per the table below:

image

At first glance, SKM might seem to be the ultimate answer, but you have to be aware that administrators have control over the private keys, so this might be a security concern.

To change the mode of the key being used, click on the reset key button and you will be taken through a page that will help you select the appropriate key mode.

You can also restrict the modes available in your organization. To do so, edit the consumer policy and change the available modes:

image

Installing Symantec Encryption Management Server and Exchange 2010 Configuration Part1

May 21, 2013 5 comments

In this blog series, we will install Symantec Encryption Server (previously known as PGP Universal Server) together and configure it to work with Exchange 2010. Additionally, we will explore some cool features around virtual disks, disk encryption and secure email delivery.

The Symantec Encryption Server binaries are certified for installation on a virtual machine; this is the use Symantec recommends, and it is the method we will use in our environment.

Symantec Encryption Server can manage several different encryption products and solutions including:

  • Symantec encryption email gateway.
  • Symantec Encryption Desktop.
  • Symantec File share encryption.
  • Symantec Encryption portable.
  • Symantec Drive encryption.

In this blog, we will install the Symantec Encryption Server v3.3, the latest version (at this time) of the product. There are several design and architectural decision elements that must be taken into consideration for several features to work; we will explore them later.

To install Symantec Encryption Server, download the ISO image and create a virtual machine. The documentation and install guide mandate that the VM be created with Kernel 2.6 x86, with 4 GB of memory for a single instance and 8 GB for HA instances.

Once you start the VM with the ISO attached, follow the simple install wizard that will take you through the installation steps:

image

image

image

In the IP address field, specify the IP address for the appliance:

image

Specify the Gateway and DNS servers:

image

Specify the host name. One important point to note is that your appliance MUST be named keys.domain.com; this is mandatory if you want to cooperate with other PGP key servers. When a PGP key server can’t locate a public key for a recipient, it contacts the recipient’s key server, if available, on keys.domain.com. Thus, if you want to exchange secure emails with external parties, the server’s FQDN must be keys.domain.com, and this name must be reachable from outside.

image

Once you finish the wizard, the setup will start automatically. When it finishes, the appliance will reboot and the post-install setup will be launched:

image

Accept the license agreement:

image

From the installation type page, choose the installation mode. Since this is the first server, we will choose new installation.

image

Set the time/date:

image

Confirm the IP settings:

image

Confirm the setup summary:

image

Reboot:

image

Enter the license information:

image

Enter the administrator information and password:

image

Enter the primary domain that you use to send/receive emails:

image

To protect the server in case it is physically attacked, you must configure the ignition keys. I will use a passphrase as my ignition key; enter it and continue:

image

image

Review the setup summary:

image

Once setup completes, you can log in to the admin console at https://keys.domain.com:9000

image

This completes the Symantec Encryption Server installation. In Part 2 we will continue with the initial setup and key management. Parts 2 and 3 will be fun, so stay tuned.

Thoughts on DLP in modern business…

May 17, 2013

What does it mean to implement DLP? So far as I have seen, each vendor has its own view on how to enforce DLP within the organization and how to manage it.

What brought DLP to the surface is that I had a discussion with one of my customers on DLP enforcement and how to manage it within his infrastructure. While reviewing email encryption solutions by Sophos and Symantec last week, I found that each vendor has its own concept, “if we may call it that”, of DLP and how to manage and enforce it.

First, let me state my own view of DLP: DLP is a technology that helps the organization own its information/data and prevent that information/data from leaking out.

Modern information/data is stored in different locations now, some examples:

– ERP/CRM data.

– Email, Office files, PDF documents.

– SharePoint and similar portals.

– Laptops, USB memory sticks, and portable hard disks.

Helping any organization control data on the above sources is not easy and could be done in several ways. Based on my findings, I will share some thoughts with people thinking about rolling out DLP in their infrastructure:

– DLP is not controlling physical ports (USB, serial, FireWire ports, etc.).

– DLP is not DRM nor Encryption.

– Permissions help in controlling data access, but once the data is accessed, a malicious consumer of the data could share it with 3rd parties or leak it out, either intentionally or unintentionally.

– Internal users do most of the hacks/leaks.

– Encrypting the data might help in DLP, but will not help in controlling what happens if a malicious user decrypts it or the encryption algorithm is broken. Also, encrypting the data might not help when the organization needs to share all or some of the data with an authorized 3rd party.

– If the IT department has secured physical ports/access, what about leaking the data out using corporate emails or, worse, personal emails?

– How will you classify data as corporate, and how will you classify data as non-corporate?

– Data classification is suitable for data stored in shared folders, but what about data in SQL/Oracle databases or data copied from documents and sent as emails?

– How will data be shared with 3rd parties and secured outside the organization’s circle of control?

– Monitoring, logging and alerting, and feeding other 3rd party security applications that are used by the security team.

– What about end-user experience; do we need any input from users?

– What about data in the cloud?!

As you can read from the above, DLP will never be a single solution/technology; DLP is a mix of solutions, technologies and processes that govern the data inside the corporation.

Hope that the above thoughts will shed some light and ring some bells in your head when thinking about DLP.

Dude, What are the 5 elements I must consider in my virtual machine backups?

April 26, 2013 3 comments

The new business demands and challenges pushed IT organizations and pros to rush into using virtualization/cloud technologies. With this push comes a huge challenge in selecting the proper backup method and spotting the key factors to consider when designing backups for virtual machines.

To help you address this challenge and spot those points, we will release a white paper that identifies key elements to consider when backing up and recovering virtual machines and explains them in detail.

It covers topics like agent or agentless backup, unified or virtual-specific backups, data deduplication (how, when) with virtual machines, large backup sets, and granular vs. one backup/restore set, plus great and critical tips for applications (AD, SQL and Exchange), hypervisors (VMware/Hyper-V) and the network layer.

This unique white paper has been written by a group of the best minds in the applications, virtualization and backup worlds. The authors of this white paper are:

  • Thomas Maurer: Thomas is a Hyper-V MVP, well known for his contributions to the System Center, Hyper-V and cloud community.
  • Mikko Nykyri: VMware vExpert and virtualization product manager for Backup Exec.
  • me, Mahmoud Magdy

In this white paper, published at Symantec here: http://ow.ly/kOQBJ, we bring you the top points to consider, key factors and top issues to identify when backing up and restoring virtual machines. We will also go through a Google hangout session discussing those elements in detail.

So stay tuned, and follow us on Twitter, LinkedIn and Facebook. We wish you all happy backups and successful restores.

Understanding Netbackup Appliances.

October 7, 2012

I got a lot of questions about my previous blog post (Install and configure Netbackup Appliances https://autodiscover.wordpress.com/2012/10/02/install-and-configure-the-netbackup-appliance-5220/). The questions were about what the Netbackup Appliances are and what the differences are between them, Netbackup solutions and other backup solutions.

So, in this article we will introduce these appliances and explore their capabilities.

Netbackup Appliances Architecture, Models and features:

You can think of a Netbackup Appliance as a Netbackup server with a huge amount of storage attached to it. There is an important point, though: it is not the storage that makes Netbackup appliances sexy, it is the features that accompany them.

Netbackup appliances come in 2 flavours: the 5020 series and the 5200 series.

The 5020 series is the smaller one. It has the following features:

  • Modular growth, up to 32 TB of deduplicated data per box (expandable up to 192 TB).
  • It can be plugged into and managed by an existing NBU infrastructure (6.5 at least).
  • Recognized and managed by the existing media and master servers.

image

Netbackup 5020 Appliance

The perfect place for those appliances is in an existing NBU infrastructure, to introduce deduplication (along with the replication capabilities these devices have, they are also perfect for DR hubs and branch offices). To know more about the deduplication effect for NBU devices, check my article: https://autodiscover.wordpress.com/2012/09/30/what-does-it-mean-to-you-have-your-backup-data-globally-de-duped-using-netabckup-appliances/

The 5200 series is the bigger one. These appliances have the same features as the 5020 series, plus an additional one: NBU is installed on the appliance itself. This means that you don’t need to have NBU installed separately, and you can introduce the 5200 series to an organization that doesn’t run NBU or is looking to migrate its NBU.

  • The NBU appliance offers up to 64 TB of deduplicated data.
  • It can be used as a master, and combined with the 5020 series either as disk-based backup or as branch office backup replicated to the HQ (where the 5200 series resides).
  • The 5200 series can be attached to a stacked 5020 appliance, providing 158 TB of deduplication storage for your backups.

image

Why should I use the appliance?

You might wonder why you should use the appliance when you can install the NBU software and attach it to disk pools or any storage-based appliance. There are many benefits to running the appliances, including:

  • Faster deployments: as you have seen in the previous blog, installing the appliance actually takes less than an hour (I can argue it is 30 minutes max), so you don’t have to go through a complex process of installing and configuring NBU.
  • Specialized hardware that is “Telco Grade” and designed/optimized to run NB.
  • Those devices are protected by the Symantec security agent and run a specially made OS. The security agent prevents malicious attempts to modify or tamper with the data/operating system, making the devices less susceptible to attacks.
  • you get the replication license and the NBU license which is transferable, once you get and AFAIK you don’t need to buy extra licenses for extra devices.

The following diagram outlines the SAN clients along with the dedup/replication bases between the devices. There are so many ways these can be used and, personally, I find them freakin awesome.

image

I hope that this short article helped you to digest the NB appliances. Also make sure to check the website http://www.symantec.com/backup-appliance, and feel free to post a comment asking me anything!

Install and Configure the Netbackup Appliance 5220

October 2, 2012 4 comments

As promised, today we start the journey of installing and configuring Netbackup Appliances. From my point of view it will be a very cool blog series, and the first of its type. In this blog series we will do the following:

  • Install and Configure Netbackup 5220 Master Appliance.
  • Install and Configure Netbackup 5220 DR appliance.
  • Install and Configure Netbackup 5020 Master Appliance.
  • Install and Configure Netbackup 5020 DR appliance.
  • Backup and Restore VMware Data and hopefully….Exchange 2010

So, without any further ado, let us rock and roll…

Install and Configure Netbackup 5220 Appliance:

The install and configuration of the Netbackup appliance is fairly easy; I have to admit that I am so surprised about that. The device boots with the default IP 192.168.1.1, and you can then use the web interface to configure it by browsing to http://192.168.1.1

image

Once logged in, you can use the setup appliance to set up your appliance:

image

The first page prompts you for the network configuration. Select the interface (the Netbackup appliance supports a wide range of bonding options, or EtherChannel if you like this name), set your IP configuration (make sure that you have a route defined) and click next:

image

In the following page, enter the DNS server and SMTP server (to receive email notification):

image

Make sure that DNS setup is done:

image

In the NTP page, set up the NTP server:

image

Make sure that it is completed successfully:

image

In the security page, you get the chance to change your password; if you don’t want to, click next:

image

In the role selection page, you get the chance to select the appliance role (either master or media). A media appliance can be connected to a master server or a master appliance. Since this is the first device, let us configure it as a master:

image

The appliance will be online once the setup is done; it takes around 10 minutes to complete:

image

image

image

Once it has rebooted, click reconnect. Now you have your Netbackup appliance up and running:

image

Now, if you open the normal Netbackup Console, you can type in the device name and log in to the Netbackup software:

image

Voila………..

image

Now your device is up and running in master mode, and you can start playing and creating backup policies and backup jobs. In the next blog post we will see how we can add the other devices and use their storage, and again do some Exchange backup…again.

What does it mean to you to have your Backup data globally de-duped using Netbackup Appliances?!

September 30, 2012 1 comment

Of course De-dupe is a great thing. The first time I realised what De-dupe is was 3 years ago, when I worked for a NetApp partner and found out how they do De-dupe on their SAN storage. I loved the ability to eliminate redundant data from your SAN.

But what does it mean to be “globally” De-duped at your backup? I will tell you later why I placed “globally” between brackets.

I didn’t care much for backup De-dupe, to be honest. I knew that De-dupe is cool, but those are backups, they can be safely not De-duped (if this is grammatically correct), who cares, right? I didn’t realise how much I was mistaken until 3 weeks ago, when I attended the NetBackup Appliances training and the same question was raised.

The trainer explained an example that blew my mind. I didn’t realise how much saving a company can achieve by De-duping backup data globally. How? Let us see:

Assume a company that is operating 20 TB of data (I made the examples a little bit bigger to demonstrate how much saving you are getting); that data could be any type of data (VMs, files, a mix or anything). Let us check the following table for 2 weeks’ worth of backup data size (2 weeks to demonstrate the effect of full backups):

| Run | Non-De-duped size | De-duped size |
| First Week Full Backup | 20 TB | Maybe 10 TB (remember the data is De-duped and expected to see 50 to 60 % size reduction) |
| Full Week of Differential Data | 5 TB | 2.5 TB (De-duped data, size reduced) |
| Second Week Full Backup | 25 TB | Maybe 0, or only 1 day’s worth of data (how much is that, 100 GB?!) |
| Total | 50 TB | 15 TB |

What? Why is that? Well, because Netbackup Appliances with De-dupe will see the full backup again as data that can be De-duped; it will be 100% De-duped, and only the data that has been changed since the latest incremental backup will be backed up (how much is that? It will for sure be much less than the full backup).

Note: maybe the example is not fair, maybe your software is using some sort of de-dupe technique, but is it a global de-dupe? Do you get the full de-dupe efficiency across all the data? Do you get it across sites? Is it mixed with the replication?

There is another edge: there is a lot of backup software that can do De-dupe, but who can do it globally across all the backup sets that are running within the environment? I think none. All backup software does the trick on a per-job basis, meaning that data within the single backup job, folder or disk is deduped, not globally across all the backup jobs, and ….and across the appliances themselves (DR site scenario or remote sites with NBU appliances scenario).
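The difference between per-job and global de-dupe in the table and paragraphs above can be reproduced with a toy content-addressed chunk store. This is an added example, not NetBackup code or its algorithm; the fixed 4 KiB chunk size, the SHA-256 chunk index and the constructed data set (two full backups with five changed chunks between them, no differentials) are assumptions.

```python
"""Toy chunk-level de-dupe: one store per job vs one global store."""
import hashlib
import random

CHUNK = 4096  # assumption: fixed-size chunks; products often use variable sizes


class ChunkStore:
    """Content-addressed store: each distinct chunk is kept once."""

    def __init__(self):
        self.blobs = {}  # SHA-256 digest -> chunk bytes

    def ingest(self, data: bytes) -> list:
        """Store unseen chunks and return the recipe needed for restore."""
        recipe = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            digest = hashlib.sha256(chunk).digest()
            self.blobs.setdefault(digest, chunk)
            recipe.append(digest)
        return recipe

    def restore(self, recipe: list) -> bytes:
        return b"".join(self.blobs[d] for d in recipe)

    def stored_bytes(self) -> int:
        return sum(len(c) for c in self.blobs.values())


def random_chunks(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * CHUNK * n).to_bytes(CHUNK * n, "big")


def simulate(seed: int = 1) -> dict:
    """Back up the same data set twice (two weekly fulls) and compare."""
    rng = random.Random(seed)
    base = random_chunks(rng, 128)
    # Constructed data set: every chunk occurs twice, so a single job
    # already de-dupes by 50%, like the first row of the table.
    week1 = base + base
    # Between the two fulls, five chunks change.
    week2 = random_chunks(rng, 5) + week1[5 * CHUNK:]
    jobs = [week1, week2]

    raw = sum(len(j) for j in jobs)

    per_job = 0
    for job in jobs:  # per-job de-dupe: a fresh index for every job
        store = ChunkStore()
        store.ingest(job)
        per_job += store.stored_bytes()

    shared = ChunkStore()  # global de-dupe: one index for all jobs
    recipes = [shared.ingest(job) for job in jobs]
    if shared.restore(recipes[1]) != week2:
        raise RuntimeError("restore from the global store does not match")

    return {"raw": raw, "per_job": per_job, "global": shared.stored_bytes()}


if __name__ == "__main__":
    for name, size in simulate().items():
        print(f"{name:8} {size // CHUNK:4} chunks")
```

With the global store, the second full backup adds only the five changed chunks, while per-job de-dupe stores almost the whole data set a second time.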

I loved the backup De-dupe, I loved it so much. Starting tomorrow I will let you see NBU appliances in action; I have set up the lab and you will see the NBU Appliances effect starting tomorrow. Buckle up and enjoy the ride.

Categories: Symantec

Officially recognized as BackupExec BExpert , Thank you Symantec

September 28, 2012 2 comments

I spotted a tweet by Sean Regan referring to a blog post by Matt Stephenson about Symantec’s BExperts program.

The program is still new and, similar to Microsoft’s MVP program and VMware’s vExpert program, recognizes community experts who have demonstrated exceptional skills within the Symantec and Backup Exec community (more details can be found here).

Today I got the amazing news: Symantec recognized me as one of the very early BExperts (according to the forum count, I am No. 20), yessssssssssssssssssssssssssssss.

The program is still new and, as far as I can see, it started 5 months ago; however, it is a distinguished recognition of my contribution during the past 2 years. I was blogging about Backup Exec and Exchange restoration; I knew that there was a lot of pain around Exchange 2010 and Backup Exec and I just wanted to help. I was also doing my best on Experts-Exchange.com in the Backup Exec section, just doing my best :).

I believe that the most important lesson learnt here is that community effort always pays off on the personal and professional level.

Thank you Symantec for the recognition, I hope to serve the community more and more.

Restoring Entire Mailbox Exchange 2010 Database using Backup Exec 2012 #Symantec #backupexec #msexchange

September 9, 2012 3 comments

In previous posts we have seen how to back up a mailbox database and restore a single item from the backup.

In this post we will explore how to restore the entire database to its original location. You might ask why you would do that when you can restore the item you want directly from the backup set. Well, there are some scenarios where you want to restore an entire database:

– Database corruption either physically or logically.

– Reseed operation.

– Restoring to a recovery database for finer search and extraction.

We will use the same backup we did last time to restore the entire database. Let us start:

User one received 2 emails (Diff 1 and Diff2):

image

It looks like those emails somehow caused a database corruption, and the database is dismounted and can’t be mounted again (this simulates a logical or physical corruption at the database level):

image

If I try to mount it I get the error:

image

Also there is an error in the event viewer:

image

Now I need to restore the entire database. From the Backup Exec management console, select the Exchange server and click restore. In the restore type, select Microsoft Exchange databases or storage groups:

image

In the Resource view, select the backup job you want to restore:

image

In the restore location, I will choose the original location, since I want to restore on top of the current database, which is corrupted. You might want to restore it to another location, to the recovery database, or to another server in case of dial-tone recovery.

image

In the overwrite page, I will choose to overwrite the existing DB and logs. If you trust that the logs are OK and your DB is having trouble due to a corrupted hard disk, for example, you can restore the database set and keep the existing logs; when the replay starts, it will bring the database to the most recent state. However, in my case there is a logical corruption caused by bad emails, thus bad logs, so I don’t want these and I will overwrite them:

image

In the temporary location, I will choose the default location, but you need to make sure that the selected location has enough space to hold the restored data:

image

In the next screen, you have the option to wait before mounting the database. If you are restoring from a differential backup, or you want to run eseutil before mounting the database, for example, you might not want to mount the database; otherwise, Backup Exec will mount the database and start replaying the logs directly. In my case I will choose to mount the database:

image

In the job name and schedule, set your options and click next:

image

Once done, go to the job list, select the restore job and click run now. The job will start restoring your database:

image

After the restore completes, the DB is mounted and everything is back on track:

image

User1 can now log in to his mailbox, but you will note that the Diff1 and Diff2 emails (the problematic ones) are not restored, since they weren’t backed up:

image

 

In the next post we will see how to restore a differential backup. We have been talking about full backups so far; next we will see how to configure and restore differential backups.