Data Loss Prevention

  • 1.  Symantec DLP Reflect mode with Exchange 2010

    Posted Jul 13, 2012 08:20 AM

    Hello everyone,

    I have been desperately trying to find any sort of documentation or explanation on how this can be achieved.

    When using reflect mode we are forced to have such a topology:

    mail client <> Exchange 2010 <> DLP (Network Prevent Server) <> Exchange <> Internet

    Dealing with the Exchange 2010 Setup we have the following:

    1- A send connector that forwards emails to a smart host which is in our case the DLP Server

    2- A receive connector that will accept emails reflected back from the DLP Server

    3- A send connector that forwards emails to the internet. Here is where we have the problem. How will this send connector know how to send the mail, since the connector we created in (1) will think the email is destined to it and end up looping the email infinitely?

    Can anyone shed some light on this, and on whether it works using Exchange 2010?

    Thank you,



  • 2.  RE: Symantec DLP Reflect mode with Exchange 2010

    Posted Jul 13, 2012 11:58 AM

    Won't work in this configuration... you need an MTA to reflect off of (or forward from DLP to the MTA).  Or, if you're using a hosted service for mail delivery, you could forward directly to that.  I suggest reading the SMTP Prevent Integration guide.



  • 3.  RE: Symantec DLP Reflect mode with Exchange 2010

    Broadcom Employee
    Posted Jul 16, 2012 07:31 AM

    All email that is detected by the DLP will have a special X-Header added.

    But the real problem is that the Exchange Server cannot detect this X-Header. That means that if you configure the DLP in reflect mode, the Exchange Server doesn't know this email has already been detected by the DLP, so the Exchange Server will send this email to the DLP again. Finally, there is an email loop, and none of the email will be sent out.

    So, you need to change your topology. You can configure the DLP in forward mode, which forwards the email to the Internet directly.



  • 4.  RE: Symantec DLP Reflect mode with Exchange 2010

    Posted Jul 17, 2012 04:02 AM

    Thank you for the input guys,

    There is nothing in the documentation that mentions Exchange as a compatible MTA.

    Forward mode is the only way out.



  • 5.  RE: Symantec DLP Reflect mode with Exchange 2010

    Posted Jul 24, 2012 05:20 AM

    If the sender and the receiver are in the same Exchange Domain, Exchange will not allow forward mode. If they are not, then you can connect DLP Network Prevent Mail as usual. Also, nobody is able to tell what happens if Exchange gets the same mail twice, which would happen if DLP sends mail back to Exchange in forward mode.

    We are currently developing such a solution for a client. The main business case is internal cross-border or cross-legal-entity traffic. The key is the integration with the Exchange Transport Hub. It took us many hours to discuss the best approach with Symantec and Microsoft.

    The following two approaches are feasible (we analysed 4 alternatives):

    1. Based on Transport Hub Rules, Exchange sends email to a moderated queue. DLP then plays the moderator. There is a component required between Exchange and DLP. The full solution will be available as an add-on product once the solution is finished (current planning mid Q4 2012). Purchase price of the solution is not yet clear.

    2. Implement a Transport Hub Agent (same as an AV solution in Exchange). This is actually the favourite approach of Symantec. Since we are a partner only, I strongly believe such a transport hub agent must come from Symantec directly.

    Do not forget the journaling aspect.



  • 6.  RE: Symantec DLP Reflect mode with Exchange 2010

    Posted Aug 04, 2012 12:20 AM

    Thanks Thomas for sharing, It really means.



  • 7.  RE: Symantec DLP Reflect mode with Exchange 2010

    Posted Dec 13, 2012 06:05 AM

    Hello Thomas,

    I have gone through this thread. I want to ask: is there any progress by either Microsoft or Symantec? Is it possible to configure Exchange and Network Prevent in reflect mode now?



  • 8.  RE: Symantec DLP Reflect mode with Exchange 2010

    Posted Dec 18, 2012 09:02 PM

    Use SMG to do reflect mode.



  • 9.  RE: Symantec DLP Reflect mode with Exchange 2010

    Broadcom Employee
    Posted Feb 18, 2013 11:38 AM

    If you wish to do reflect mode with Exchange 2010 you must configure linked connectors using Exchange PowerShell. You should also set the auth to "externally secured" for the connector Prevent is calling back in on...

    Best regards, Peter.
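
The linked-connector setup described in post 9 could look like the following in the Exchange Management Shell. This is an added example, not part of the thread or of Symantec's documentation; the server name, IP address, ports, connector names and the outbound smart host are assumed placeholders.

```powershell
# Assumed placeholders (not from the thread); replace with your own values.
$HubServer    = 'HUB01'               # Exchange 2010 Hub Transport server
$PreventIP    = '192.0.2.25'          # Network Prevent for Email server
$PreventPort  = 10025                 # port Prevent listens on (assumed)
$ReflectPort  = 10026                 # port Prevent reflects back to (assumed)
$OutboundHost = 'mailgw.example.com'  # next hop toward the Internet (assumed)

# 1. Send connector: Internet-bound mail goes to Prevent as a smart host.
New-SendConnector -Name 'To DLP Prevent' -Custom `
    -AddressSpaces 'SMTP:*;1' `
    -DNSRoutingEnabled $false `
    -SmartHosts $PreventIP -Port $PreventPort `
    -SmartHostAuthMechanism None `
    -SourceTransportServers $HubServer

# 2. Receive connector for the reflected mail. "Externally secured" makes
#    Exchange treat everything arriving here as coming from a trusted source,
#    so RemoteIPRanges is limited to the Prevent server and nothing else.
#    ExternalAuthoritative requires the ExchangeServers permission group.
New-ReceiveConnector -Name 'From DLP Prevent' -Server $HubServer -Usage Custom `
    -Bindings "0.0.0.0:$ReflectPort" `
    -RemoteIPRanges $PreventIP `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# 3. Linked send connector: mail received on the connector from step 2 skips
#    normal routing and leaves only through this connector, so the '*'
#    connector from step 1 does not pick it up again and no loop forms.
#    A linked send connector has no address space and must use a smart host.
New-SendConnector -Name 'DLP Reflected to Internet' -Custom `
    -LinkedReceiveConnector "$HubServer\From DLP Prevent" `
    -AddressSpaces $null `
    -DNSRoutingEnabled $false `
    -MaxMessageSize unlimited `
    -SmartHosts $OutboundHost `
    -SmartHostAuthMechanism None `
    -SourceTransportServers $HubServer

# Check the result: only the third connector should show a linked receive connector.
Get-SendConnector | Format-List Name,AddressSpaces,SmartHosts,LinkedReceiveConnector
Get-ReceiveConnector "$HubServer\From DLP Prevent" |
    Format-List Bindings,RemoteIPRanges,AuthMechanism,PermissionGroups
```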