Documentation Version: er2.0.28-docs-1.1

Email Locations

Supported email locations:

Locally Stored Email Data

When running a Local Storage and Local Memory scan, ER2 detects and scans offline email data stores and data files for sensitive data. ER2 does not scan data files locked by the email server.

Scanning a locally stored email data file may produce matches from ghost records or slack space that you are not able to find on the live email server itself.

Directly scan Microsoft Exchange Information Store data files
  1. Stop the Microsoft Exchange Information Store service and back up the Microsoft Exchange Server.
  2. Once the backup is complete, copy the backup of the Information Store to a location that ER2 can access.
  3. Select that location as a Local Storage location. See Local Storage and Local Memory for more information.

IMAP/IMAPS Mailbox

To scan IMAP/IMAPS mailboxes, check that your system meets the following requirements:

Proxy Agent: Use any one of the following Proxy Agents to scan IMAP/IMAPS mailboxes:

  • Windows Proxy Agent
  • Linux Proxy Agent
  • macOS Proxy Agent

Email client: The Target Internet mailbox must have IMAP enabled.

To add an IMAP/IMAPS mailbox:

  1. From the New Search page, Add Targets.
  2. In the Enter New Target Hostname field, enter the name of the IMAP/IMAPS server for the mailbox you want to scan.
  3. Select the IMAP mailbox type to set up:
    1. IMAP: Select Email > Internet Mailbox.
    2. IMAPS (IMAP over SSL/TLS): Select Email > Internet SSL Mailbox.

    Use Internet SSL Mailbox wherever the server supports it. A plain IMAP Target sends the mailbox credentials and every message ER2 retrieves in cleartext between the Proxy Agent host and the mail server.
  4. In the Internet Mailbox or Internet SSL Mailbox page, fill in the following fields:

    Field: Description
    Path: Enter the email address of the mailbox you want to scan, for example <user_name@domain_name.com>.
    Credential Label: Enter a descriptive label for the credential set.
    User name: Your Internet mailbox user name.
    Password: Your Internet mailbox password.
    Agent to act as proxy host: Select a Proxy Agent host with direct Internet access to the mail server.
  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
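The Test button only reports pass or fail. When it fails, the usual causes are that the Proxy Agent host cannot reach the server on the IMAPS port, that the host does not trust the server certificate, or that the server does not permit password LOGIN for the account. The following PowerShell function, an added example that is not part of the ER2 documentation, runs those checks from the Proxy Agent host before you add the Target. It performs the IMAP exchange itself (greeting, CAPABILITY, LOGIN, LOGOUT) over TLS 1.2 and leaves certificate validation at the .NET default so an untrusted certificate fails loudly. The server name imap.example.com and the mailbox alice@example.com in the usage line are assumptions.

```powershell
# Added example, not ER2 code: preflight an IMAPS mailbox from the Proxy Agent host.
function Test-ImapsMailbox {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 993,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)
    # Default validation callback: an untrusted or mismatched certificate throws here.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    $reader = New-Object System.IO.StreamReader($ssl)
    $writer = New-Object System.IO.StreamWriter($ssl)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    $greeting = $reader.ReadLine()
    if ($greeting -notlike '* OK*') { throw "Unexpected IMAP greeting: $greeting" }

    # Send one tagged command and collect every line up to the tagged response.
    function Send-Imap([string]$Tag, [string]$Command) {
        $writer.WriteLine("$Tag $Command")
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw 'Server closed the connection' }
            $lines += $line
        } until ($line -like "$Tag *")
        return ,$lines
    }

    $caps = Send-Imap 'a1' 'CAPABILITY'
    $loginDisabled = ($caps -join ' ') -match '\bLOGINDISABLED\b'
    $loginOk = $false
    $response = 'LOGIN not attempted: server advertises LOGINDISABLED'
    if (-not $loginDisabled) {
        $plain = $Credential.GetNetworkCredential().Password
        # IMAP quoted strings escape backslash and double quote with a backslash.
        $quote = { param($s) '"' + ($s -replace '([\\"])', '\$1') + '"' }
        $login = Send-Imap 'a2' ('LOGIN {0} {1}' -f (& $quote $Credential.UserName), (& $quote $plain))
        $response = $login[-1]
        $loginOk = $response -like 'a2 OK*'
    }
    if ($loginOk) { Send-Imap 'a3' 'LOGOUT' | Out-Null }

    $result = [pscustomobject]@{
        Server        = $Server
        TlsProtocol   = $ssl.SslProtocol
        LoginDisabled = $loginDisabled
        LoginOk       = $loginOk
        Response      = $response
    }
    $ssl.Dispose()
    $tcp.Close()
    return $result
}

# Usage (assumed server and mailbox); run on the host you will select as the proxy Agent.
Test-ImapsMailbox -Server 'imap.example.com' `
    -Credential (Get-Credential -UserName 'alice@example.com' -Message 'IMAP password')
```

A LoginOk of False with a response beginning "a2 NO" means the server reached the account but rejected the password or has IMAP disabled for that mailbox, which is the "Email client" requirement above; a failure inside AuthenticateAsClient means the Proxy Agent host does not trust the certificate chain and no credential will help until that is fixed.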

IBM Notes

To scan IBM Notes mailboxes, check that your system meets the following requirements:

Proxy Agent: Windows Proxy Agent.

One task at a time: Each Agent can perform only one task at a time. Attempting to perform multiple tasks simultaneously, for example scanning and probing a Notes Target at the same time, causes an error. To perform multiple tasks at the same time, use multiple Agents.

Notes client: The Agent host must have one of the following installed:

  • IBM Lotus Notes client 8.5.3
  • IBM Notes client 9.0.1

To see which versions of Domino these clients support, see the IBM documentation for the client.

Single-user installation: ER2 works best with an Agent host running a Single-user installation of the Notes client.

Admin user: User credentials with administrator rights to the target mailbox.

Others: Make sure that:

  • The Agent host has a fully configured Notes client installed.
  • The Notes client can connect to the target Domino server.
  • The Notes client can access emails with the credentials used for scanning.

To Add a Notes Mailbox

  1. From the New Search page, Add Targets.
  2. In the Enter New Target Hostname field, enter the host name of the Domino server that the Target Notes mailbox resides on.
  3. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  4. Click Commit to add the Target.
  5. In the Select Types dialog box, select Email > Lotus Notes.
  6. Fill in the fields as follows:

    Field: Description
    Path: Enter the path to scan, using one of the following forms, where <User_name/domino_domain> is your Notes User Name:

      Leave Path empty: Scans all resources available for the user credentials provided.
      <User_name/domino_domain>: Scans all resources available for the user credentials provided.
      <User_name/domino_domain/path>: Scans a specific path available for the user credentials provided.
      (partition=<server_partition_name>): Appended to the path, connects to a specific server partition. Specify a server partition when:
        • Connecting to a specific server partition in a Domino domain.
        • The target Domino server has a server name that is different from its host name.
      To connect to a specific path in serverPartitionA on a Domino server, enter: <User_name/domino_domain/path>(partition=serverPartitionA)

    Credential Label: Enter a descriptive label for the credential set.
    User name: Your Notes User Name.
    Password: Your IBM Notes password.
    Agent to act as proxy host: Select a Proxy Agent that resides on a Proxy host with the appropriate IBM Notes client installed.
  7. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  8. Click Commit to add the Target.

Notes User Name

To find your Notes user name:

  1. Open the Notes client.
  2. From the menu bar, select File > Security > User Security.
  3. A password prompt opens. In the prompt, your Notes user name is displayed in the format <User_name/domino_domain>.
  4. If no password prompt opens, find your Notes user name in the User Security screen.

Microsoft Exchange (EWS)

To scan a Microsoft Exchange domain instead of a single server, see Exchange Domain for more information.

MAPI not supported
  • The MAPI protocol has been deprecated as of ER 2.0.17. Scan Microsoft Exchange mailboxes via Exchange Web Services (EWS).
  • Scanning public folders is not supported on Exchange.

Minimum Requirements

Proxy Agent:
  • Windows Proxy Agent.
  • Agent type (32-bit or 64-bit) must match the Exchange Server.

Exchange Server: Exchange Server 2007 and above.

Service Account: The account used to scan Microsoft Exchange mailboxes must:
  • Have a mailbox on the target Microsoft Exchange server.
  • Be a service account assigned the ApplicationImpersonation management role. See Configure Impersonation for more information.

To Add an EWS Mailbox

  1. From the New Search page, Add Targets.
  2. In the Enter New Target Hostname field, enter the host name of your Microsoft Exchange Server.
  3. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  4. Click Commit to add the Target.
  5. Select Email > Microsoft Exchange Web Services (EWS).
  6. Fill in the fields as follows:

    Field: Description
    Path: Enter the path to scan, using one of the following forms:
      All mailboxes: Leave Path empty.
      Specific user mailbox: <Mailbox Display Name>
      Specific folder in mailbox: <Mailbox Display Name\folder_name>
    Credential Label: Enter a descriptive label for the credential set.
    Username: <Domain\Username>, where Username is the user name of the service account created in Configure Impersonation. If your Exchange Server uses a Client Access Server (CAS), enter either of the following as your username:
      • <Domain\CAS_FQDN\Username>
      • <Domain\CAS_Array_FQDN\Username>
    Password: Enter your service account password.
    Agent to act as proxy host: Select a Windows Proxy Agent.
  7. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  8. Click Commit to add the Target.

Scan Additional Mailbox Types

The following additional mailbox types are supported:

  • Shared mailboxes.
  • Linked mailboxes.
  • Mailboxes associated with disabled AD user accounts.

To scan the above mailbox types, use a service account with "FullAccess" rights to the target mailbox.

Adding "FullAccess" privileges to an existing user account may cause issues with that user's existing configuration, and widens what a compromise of that account exposes. To avoid this, create a new service account and use it only for scanning Exchange shared mailboxes with ER2.

The following sections contain instructions on how to grant "FullAccess" permissions for each mailbox type.

Changes may not be immediate. Wait 15 minutes before starting a scan on the Exchange server.

Once the service account is granted access to the target mailboxes, follow the instructions above to add the shared mailbox as a Target.

Linked mailboxes as service accounts

You cannot use a linked master account (the owner of a linked mailbox) to scan Exchange Targets in ER2. To successfully scan an Exchange Target, use a service account that resides on the same AD forest as the Exchange Target.

Shared Mailboxes

To grant a service account "FullAccess" rights to shared mailboxes, run the following commands in the Exchange Management Shell:

Linked Mailboxes

To grant a service account "FullAccess" rights to linked mailboxes, run the following commands in the Exchange Management Shell:

Mailboxes associated with disabled AD user accounts

To grant a service account "FullAccess" rights to mailboxes associated with disabled AD user accounts, run the following commands in the Exchange Management Shell:
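The commands that the three sections above refer to are not reproduced on this page. As an added example that is not from the ER2 documentation, the following Exchange Management Shell script grants one dedicated service account FullAccess on every shared mailbox, every linked mailbox and every mailbox whose AD user account is disabled, skips mailboxes where the grant already exists so it can be re-run safely, and finishes by listing everything the account can now open. The account name CONTOSO\svc-er2scan is an assumption.

```powershell
# Added example, not ER2 code: grant FullAccess to the scanning service account.
$ServiceAccount = 'CONTOSO\svc-er2scan'   # assumed dedicated scanning account

# The three mailbox classes covered by the sections above.
$shared   = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox
$linked   = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox
$disabled = Get-Mailbox -ResultSize Unlimited |
            Where-Object { $_.ExchangeUserAccountControl -eq 'AccountDisabled' }

# A mailbox can belong to more than one class; grant once per mailbox.
$targets = @($shared) + @($linked) + @($disabled) | Sort-Object -Property Guid -Unique

foreach ($mbx in $targets) {
    $existing = Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount -ErrorAction SilentlyContinue |
                Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    if ($existing) { continue }

    # -AutoMapping:$false stops Outlook on the service account from auto-opening
    # every mailbox it is granted (switch exists from Exchange 2010 SP1).
    Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
        -AccessRights FullAccess -InheritanceType All -AutoMapping:$false | Out-Null
    Write-Host ("Granted FullAccess on {0} ({1})" -f $mbx.DisplayName, $mbx.RecipientTypeDetails)
}

# The account's complete read footprint, for the person who reviews its privileges.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $ServiceAccount |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited } |
    Select-Object Identity, AccessRights
```

On Exchange 2007 drop the -AutoMapping switch. The grants replicate asynchronously, which is why the page tells you to wait 15 minutes before scanning. Keep the final listing: together with the ApplicationImpersonation assignment from Configure Impersonation it is the full set of mailboxes a theft of this account's credentials would expose, and it is what you check when a mailbox is later decommissioned or reassigned.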

Archive Mailbox and Recoverable Items

Requirements: Exchange Server 2010 SP1 and newer.

When enabled for a user mailbox, the Archive mailbox and the Recoverable Items folder can be added to a scan:

By default, adding a user mailbox to a scan also adds the user's Archive mailbox and Recoverable Items folder to the scan.

To add only the Archive mailbox or Recoverable Items folder to the scan:

  1. Configure impersonation for the associated user mailbox. See Configure Impersonation for more information.

  2. Add the Exchange Target to the scan.
  3. In the Select Locations page, expand the added Exchange Target and browse to the Target mailbox.
  4. Expand the target mailbox, and select (ARCHIVE) or (RECOVERABLE).

Unsupported Mailbox Types

ER2 currently does not support the following mailbox types:

Not mailboxes

The following are not mailboxes, and are not supported as scan locations:

  • All distribution groups.
  • Mail users or mail contacts.
  • Public folders.

Configure Impersonation

To scan a Microsoft Exchange mailbox, you can assign the ApplicationImpersonation management role either to an existing administrator account or to a dedicated service account.

While it is possible to assign a global administrator the ApplicationImpersonation management role and use it to scan mailboxes, we recommend using a service account instead.

Service accounts are user accounts set up to perform a single administrative task. An account holding ApplicationImpersonation can read every mailbox within the scope of its assignment, so treat its credentials as highly sensitive: limit who can use them, give the account no other roles, and monitor its logons and EWS activity.

Assigning a service account the ApplicationImpersonation role allows the account to act as the owner of any mailbox it is permitted to impersonate. ER2 reads those mailboxes by impersonating their owners, within whatever scope the role assignment defines.

To assign a service account the ApplicationImpersonation role for all mailboxes:

  1. On the Exchange Server, open the Exchange Management Shell as administrator and run:

    # <impersonationAssignmentName>: Name of your choice to describe the role assigned to the service account.
    # <serviceAccount>: Name of the service account used to scan EWS.
    New-ManagementRoleAssignment -Name:<impersonationAssignmentName> -Role:ApplicationImpersonation -User:<serviceAccount>

(Advanced) To assign the service account the ApplicationImpersonation role for a limited number of mailboxes, apply a management scope when making the assignment.

To assign a service account the ApplicationImpersonation role with an applied management scope:

  1. On the Exchange Server, open the Exchange Management Shell as administrator.
  2. Create a management scope to define the group of mailboxes the service account can impersonate:

    New-ManagementScope -Name <scopeName> -RecipientRestrictionFilter <filter>

    For more information on how to define management scopes, see Microsoft: New-ManagementScope.

  3. Apply the ApplicationImpersonation role with the defined management scope:

    New-ManagementRoleAssignment -Name:<impersonationAssignmentName> -Role:ApplicationImpersonation -User:<serviceAccount> -CustomRecipientWriteScope:<scopeName>
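The scoped procedure above, carried through with a concrete filter and followed by the checks a reviewer would want, as an added example that is not part of the ER2 documentation. It restricts impersonation to members of one AD group, previews which recipients the scope will cover before the role is assigned, and ends by listing every ApplicationImpersonation assignment in the organisation that has no custom scope. The account svc-er2scan, the scope and assignment names, and the group distinguished name are assumptions.

```powershell
# Added example, not ER2 code: scoped ApplicationImpersonation with verification.
$ServiceAccount = 'svc-er2scan'          # assumed scanning account (must have a mailbox)
$ScopeName      = 'ER2-ScanScope'        # assumed
$AssignmentName = 'ER2-Impersonation'    # assumed
# OPATH filter for New-ManagementScope; MemberOfGroup takes the group's distinguishedName.
$GroupDn        = 'CN=ER2-Scan-Targets,OU=Groups,DC=contoso,DC=com'   # assumed
$Filter         = "MemberOfGroup -eq '$GroupDn'"

# Fail early if the account has no mailbox: EWS impersonation requires one.
Get-Mailbox -Identity $ServiceAccount -ErrorAction Stop | Out-Null

if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter | Out-Null
}

# Preview the scope before granting anything; an empty or surprising list means
# the group DN or membership is wrong, not that the role assignment failed.
$inScope = @(Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $Filter)
Write-Host ("Scope {0} covers {1} recipients" -f $ScopeName, $inScope.Count)
$inScope | Select-Object DisplayName, RecipientTypeDetails

if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $ServiceAccount -CustomRecipientWriteScope $ScopeName | Out-Null
}

# Verify: the account should hold exactly one impersonation assignment, bound to the custom scope.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Select-Object Name, RoleAssigneeType, CustomRecipientWriteScope, RecipientWriteScope

# Audit: every impersonation assignment in the organisation with no custom scope.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { -not $_.CustomRecipientWriteScope } |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope
```

The -RoleAssignee query also surfaces assignments the account inherited through a role group (RoleAssigneeType shows which), which is how a "scoped" account quietly ends up unscoped. The final audit query is worth running on a schedule: any ApplicationImpersonation assignment whose RecipientWriteScope is Organization and which has no custom scope lets that assignee read every mailbox.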