Configuring Collector Email Journaling

After installing a Juniper ATP Appliance Core or All-in-One system, both of which contain an Email Traffic Collector in the Core component, you will need to configure an Exchange Server journal account for the Collector to poll, and set Postfix to forward Gmail Bcc (blind carbon copies) of all mail traffic to the Collector as a default forwarding mechanism.

Email Journaling

Juniper ATP Appliance Traffic Collectors continuously monitor and inspect all network traffic for malware objects, extracting objects and sending them to the Core for distribution to the Windows or Mac Detection Engines.

For Windows traffic, Microsoft Exchange Server journaling can be configured to record a copy (a journal) of enterprise email messages, and then periodically send them to a journal mailbox on the Exchange Server.

Note:

No email or email data is stored on the Traffic Collector. On the Juniper ATP Appliance Core, extracted objects and some metadata (such as source and destination email addresses, timestamp data, etc.) are stored, and Juniper ATP Appliance logs email header info in the log file. No text from the email is retained (except for the attachment(s) for malware detonation and analysis).

Exchange Server 2010 can be configured to support envelope journaling only. This means that a copy is made of each email message body and its transport information. The transport information is essentially an envelope that includes the email sender and all recipients.
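To make the envelope concrete, the following added example (not Juniper or Microsoft code) parses a constructed journal report and returns only envelope metadata and attachment hashes. It assumes the report carries the envelope as Sender/To/Bcc/Recipient lines in a text part, with the original message attached as message/rfc822; every address and file name in it is made up.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

RCPT_FIELDS = {"to", "cc", "bcc", "recipient"}  # envelope fields (assumed layout)

def build_sample_report() -> bytes:
    """Constructed sample: envelope text part plus the original as message/rfc822."""
    original = EmailMessage()
    original["From"], original["To"] = "alice@example.com", "bob@example.com"
    original["Subject"] = "Invoice"
    original.set_content("See attached.")
    original.add_attachment(b"constructed attachment bytes", maintype="application",
                            subtype="octet-stream", filename="invoice.doc")
    report = EmailMessage()
    report["From"], report["To"] = "exchange@example.com", "journal@example.com"
    report.set_content("Sender: alice@example.com\nSubject: Invoice\n"
                       "Message-Id: <constructed-1@example.com>\n"
                       "To: bob@example.com\nBcc: carol@example.com\n")
    report.add_attachment(original)  # becomes a message/rfc822 part
    return report.as_bytes()

def parse_journal_report(raw: bytes) -> dict:
    """Return envelope metadata and attachment hashes; keeps no body text."""
    report = message_from_bytes(raw, policy=policy.default)
    out = {"sender": None, "recipients": [], "envelope_only": [], "attachments": []}
    original = None
    for part in report.iter_parts():
        if part.get_content_type() == "message/rfc822" and original is None:
            original = part.get_content()  # the journaled message itself
        elif part.get_content_type() == "text/plain":
            for line in part.get_content().splitlines():
                key, _, value = line.partition(":")
                addr = value.split(",")[0].strip().lower()
                if key.strip().lower() == "sender":
                    out["sender"] = addr
                elif key.strip().lower() in RCPT_FIELDS and addr:
                    out["recipients"].append(addr)
    if original is None:
        raise ValueError("not an envelope journal report: no message/rfc822 part")
    # Recipients present in the envelope but absent from the headers (e.g. Bcc).
    in_headers = {a.addr_spec.lower() for h in ("To", "Cc") if original[h]
                  for a in original[h].addresses}
    out["envelope_only"] = [r for r in out["recipients"] if r not in in_headers]
    for att in original.iter_attachments():
        data = att.get_payload(decode=True) or b""
        out["attachments"].append((att.get_filename(), hashlib.sha256(data).hexdigest()))
    return out
```

The `envelope_only` list is the reason envelope journaling matters for analysis: a Bcc recipient never appears in the message headers, only in the transport information.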

The Juniper ATP Appliance Email Collector polls the Exchange Server for journal entries and, on the configured schedule, pulls all the emails in the journal account from the Exchange Server to the Collector. The Email Collector uses journaling for initial traffic analysis and email attachment monitoring/inspection. All email traffic (and email attachments) is sent from the Email Collector to the Juniper ATP Appliance Core for detonation in the Windows or Mac OS X detection engines.

When email-based malware or malicious email attachments are detected, the journal entry is incorporated into the analysis results by the Juniper ATP Appliance Central Manager and sent out as a notification to the Juniper ATP Appliance administrator, with corresponding mitigation and/or infection verification actions detailed in the Central Manager Web UI.

Note:

Juniper ATP Appliance supports journaling for Exchange 2010 and later.

To set up Email Collector Journaling, use the following procedures:

Create a Journaling Mailbox on the Exchange Server

Note:

See also “Configuring Microsoft Exchange Server 2013 Journaling.”

  1. Launch Microsoft Exchange Management Console.
  2. Expand Recipient Configuration node and click on Mailbox node.
  3. Select New Mailbox… from the Actions pane.
  4. Select User Mailbox option and click Next.
  5. Select New user option and click Next.
  6. Enter New user mailbox details.
  7. Enter the ‘User information’ details for the Collector to which the new journaling mailbox will be assigned and click Next.
  8. Enter an ‘Alias’ for the journaling mailbox and click Next.
  9. Click Next again and review the new mailbox summary for the new mailbox to create, then click New.
  10. Now that the journaling mailbox is created, configure standard journaling by configuring a Mailbox Database.

Configuring a Mailbox Database

  • In the Microsoft Exchange Management Console>Server Configuration, click on Mailbox database.

  • In the Toolbox Actions of Selected Mailbox Database, click on Properties.

  • In the Mailbox Database Properties page, go to the General tab. Before selecting the Journal Recipient checkbox, first click Browse and choose which mailbox will get all messages from the mailbox database. Then select the Journal Recipient checkbox and click OK to finish.

Configuring Microsoft Exchange Server 2013 Journaling

[See also Configuring Microsoft Exchange Server 2010 Journaling in the next section.]

  1. Log in to the MS Exchange Server Admin Center at: https://exchangeserverip/ecp/
  2. Select the Send Connectors tab.
  3. Navigate to mail flow>>send connectors and enter Send Connector settings:
    Figure 1: Send Connector Settings
  4. Save the connector settings.
  5. Navigate to Compliance Management>>Journal Rules to configure Journal rules.
  6. Provide the mailbox name and IP address in the “Send Journal Reports To” field.
    Note:

    This should match the mailbox name configured at the Juniper ATP Appliance Email Collector Config>System Profiles>Email Collector Web UI page.

    Figure 2: Setting Journal Rules

Configuring Microsoft Exchange Server 2010 Journaling

To configure Journaling on your Exchange 2010 server, follow these steps:

  • Set up a journaling contact

  • Configure an SMTP send connector

  • Activate journaling

  • Implement journal rules (select users only)

[See also Configuring Microsoft Exchange Server 2013 Journaling in the previous section.]

Create a journaling contact

  1. Select Start > All Programs > Microsoft Exchange Server 2010 > Exchange Management Console.
  2. Click the + sign to the left of your Exchange server.
  3. Click the + sign to the left of Recipient Configuration.
  4. Click Mail Contact under Recipient Configuration.
  5. In the Mail Contact page (a), click New Mail Contact in the Actions pane (b).
  6. Select the New Contact option (a) and then click Next (b).
  7. In the New Mail Contact window, type Journaling in the First Name field, Contact in the Last Name field and Journaling Contact in the Alias field (a). Click Edit (b).
  8. Type the journaling address (a) and click OK (b).
    Note:

    The journaling address is unique to your organization. If you were provided with this address, please contact customer support.

  9. Click Next.
  10. Click New.
  11. Click Finish.

Create an SMTP send connector

  1. Select Start > All Programs > Microsoft Exchange Server 2010 > Exchange Management Console.
  2. Click the + sign to the left of your Exchange server.
  3. Click the + sign to the left of Organization Configuration.
  4. Click Hub Transport.
  5. Click the Send Connectors tab.
  6. In the Actions pane, click New Send Connector.
  7. Type Journaling Connector in the Name field and, in the Select the intended use for this Send connector dropdown list, select Custom (a). Click Next (b).
  8. Click Add. The SMTP Address Space window opens.
  9. In the Address field, type the Address Space (a). Leave the cost at 1 and then click OK (b).
  10. Click Next.
  11. Select the Route mail through the following smart hosts option and then click Add.
  12. Select the Fully qualified domain name (FQDN) option, type the smart host provided to you and then click OK.
  13. Click Next.
  14. Select None for the Configure smart host authentication settings and then click Next.
    Note:

    Exchange 2010 servers automatically send all outbound email via TLS encryption: no outbound security configuration is required by the Administrator.

  15. Click Next.
  16. Click New.
  17. Click Finish. The configured send connector is shown below.

Activate journaling

  1. Select Start > All Programs > Microsoft Exchange Server 2010 > Exchange Management Console.
  2. Click the + sign to the left of your Exchange server.
  3. Click the + sign to the left of Organization Configuration.
  4. Click Mailbox.
  5. In the Database Management tab, right click your mailbox database and select Properties.
  6. Click the Maintenance tab.
  7. Select the Journal Recipient check box (a), and then click Browse (b).
  8. Select Journaling Contact (a) and then click OK (b).
  9. Click OK. Message journaling is now activated.

Implement journal rules (select users only)

  1. Select Start > All Programs > Microsoft Exchange Server 2010 > Exchange Management Console.
  2. Click the + sign to the left of your Exchange server.
  3. Click the + sign to the left of Organization Configuration.
  4. Click Hub Transport.
  5. Click the Journal Rules tab.
  6. In the Actions pane, click New Journal Rule. The New Journal Rule window appears.
  7. In the Rule Name field, type Journaling Rule (a) and then click Browse (b).
  8. Select Journaling Contact from the list and then click OK.
  9. Select the Journal messages for recipient check box and then click Browse.
  10. Select Journaling Distro from the list (a) and click OK (b).
  11. Click OK to complete configuration of journal rules for select users in your organization.

Configuring Exchange-Server Journal Polling from the Juniper ATP Appliance CM Web UI

  1. From the Juniper ATP Appliance Central Manager Config> System Profiles> Email Collector, click the Add New Email Collector button, or click Edit for an existing Collector listed in the Current Email Collectors table.
  2. Enter and select the email journaling settings in the displayed configuration fields: Email Server [IP], Protocol, SSL, Mailbox Name, Password, Poll Interval (in minutes), Keep Mail on Server, and Enabled.

Configuring Office 365 Journaling

To set up Office 365 Journaling for Juniper ATP Appliance email mitigation:

  1. Log in to the Microsoft Office 365 Admin Center.
  2. From the Office 365 Admin Center, select Admin Centers > Exchange.
    Figure 3: Microsoft Office 365 Admin Center
  3. Select Compliance Management > Journal Rules.
  4. Click on the + sign to add a new Journal Rule.
  5. Complete the new journal rule form fields.
    Figure 4: Setting a New Journal Rule