On-Premise BCC Email Collector Deployments
This method of email collection relies on a BCC or Journal mailbox which receives copies of emails to be inspected. The Juniper ATP Appliance BCC email collector periodically pulls these emails to examine them for threats.
Microsoft Exchange Server journaling can be configured to record a copy (a journal) of enterprise email messages, and then periodically send them to a journal mailbox on the Exchange Server.
No email or email data is stored on the Traffic Collector. On the Juniper ATP Appliance Core, extracted objects and some metadata (such as source and destination email addresses and timestamp data) are stored, and Juniper ATP Appliance logs email header information in the log file. No text from the email is retained, except for the attachment(s) kept for malware detonation and analysis.
Exchange Server 2010 can be configured to support envelope journaling only. This means that a copy is made of each email message body and its transport information. The transport information is essentially an envelope that includes the email sender and all recipients. The Juniper ATP Appliance Email Collector polls the Exchange Server for journal entries and, as scheduled, pulls all the emails in the journal account from the Exchange Server to the Collector. The Email Collector uses journaling for initial traffic analysis and email attachment monitoring/inspection.
All URLs and email attachments are sent from the Email Collector to the Juniper ATP Appliance Core for detonation in the Juniper ATP Appliance SmartCore. When email-based malware or malicious email attachments are detected, the journal entry is incorporated into the analysis results by the Juniper ATP Appliance Central Manager and sent out as a notification to the Juniper ATP Appliance administrator, with corresponding mitigation and/or infection verification actions detailed in the Central Manager Web UI.
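The following added example (not Juniper's collector code and not from the original page) shows what an envelope journal entry gives an inspecting system: the envelope sender and every recipient, including a Bcc recipient that the message headers do not show, plus the attachments to hash and submit for analysis. It assumes the usual Exchange journal report layout (envelope fields in a text body, original message attached as message/rfc822); all addresses, file names and payload bytes are constructed.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Assumed journal-report body field names (not taken from the Juniper page).
ENVELOPE_RECIPIENT_KEYS = {"recipient", "to", "cc", "bcc"}
SAMPLE_PAYLOAD = b"constructed attachment bytes"

def build_sample_report():
    """Constructed journal report: envelope text body plus the original as message/rfc822."""
    original = EmailMessage()
    original["From"], original["To"] = "alice@example.test", "bob@example.test"
    original["Subject"] = "Quarterly invoice"
    original.set_content("See attached.")
    original.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                            subtype="octet-stream", filename="invoice.bin")
    report = EmailMessage()
    report["From"], report["To"] = "journal@example.test", "bcc-journal@example.test"
    report["Subject"] = "Quarterly invoice"
    report.set_content("Sender: alice@example.test\n"
                       "Recipient: bob@example.test\n"
                       "Bcc: carol@example.test, Expanded: staff@example.test\n")
    report.add_attachment(original)  # stored as a message/rfc822 part
    return report.as_bytes()

def parse_journal_report(raw):
    """Return envelope sender/recipients and attachment hashes from one journal entry."""
    report = email.message_from_bytes(raw, policy=policy.default)
    sender, recipients, original = None, [], None
    for part in report.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and original is None:
            original = part.get_content()  # the journaled message itself
        elif ctype == "text/plain" and not part.is_attachment():
            for line in part.get_content().splitlines():
                key, _, value = line.partition(":")
                addr = value.split(",")[0].strip()  # drop ", Expanded: ..." notes
                if key.strip().lower() == "sender":
                    sender = addr
                elif key.strip().lower() in ENVELOPE_RECIPIENT_KEYS and addr:
                    recipients.append(addr)
    if original is None or sender is None:
        raise ValueError("not an envelope journal report")
    attachments = [(att.get_filename(),
                    hashlib.sha256(att.get_payload(decode=True) or b"").hexdigest())
                   for att in original.iter_attachments()]
    return {"sender": sender, "recipients": recipients,
            "header_to": str(original["To"]), "attachments": attachments}
```

Calling parse_journal_report(build_sample_report()) returns both envelope recipients while header_to lists only the visible To address; a message in the journal mailbox that is not a journal report raises ValueError instead of being silently skipped.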
Juniper ATP Appliance supports journaling for Exchange 2010 and later.
To set up Email Collector Journaling, refer to the next section.