5.4 Exchange Module On-Premise Exchange

Retain supports:

Retain does NOT support multiple linked Exchange Forests. Ensure that the Exchange Settings have been configured correctly before continuing the Exchange module setup.

There are several prerequisites that need to be done in Exchange for Retain to successfully archive the mailbox databases:

To connect with Exchange, Retain needs a user with appropriate rights. This can be accomplished by using an existing user, or by creating a new one. It is recommended to create a new user for Retain archiving. If creating a new user, ensure that the user is an active user account and that the password does not change to ensure Retain will be able to access mail without changing settings. This user is sometimes called a ‘service account’. Retain calls this user the ‘global catalog user’.

The user created or used for Retain must be a “mailbox-enabled user” with read access to see all other users, groups, resources, and Exchange Servers in the Exchange Forest. The user will be utilized by both the Retain Server and Worker for LDAP lookups in Active Directory. The Retain user also must have Exchange impersonation rights to every mailbox user on every server in the organization to be archived. The Retain user MUST NOT be a member of any Exchange Administrator group, as Exchange denies impersonation rights for all administrator accounts.

Additional permissions need to be added to the user created for Retain. The quickest way to add these rights is through the Exchange Management Shell.

After creating the new user in Active Directory, open the Exchange Management Shell.

In Exchange 2013 and 2016 Impersonation permissions can be granted in the Exchange Admin Center under Permissions.

Under Admin Roles create a new role (e.g. Retain Impersonation Management). Add the role "ApplicationImpersonation" and add the Retain User as a member.

You can also accomplish this via PowerShell commands using the Exchange Management Shell.

The commands required are different depending on the version of the Exchange Server. Exchange 2010, and 2013 require only one command per Exchange system to be issued, whereas Exchange 2007 requires the commands to be run on every Exchange server in the Exchange system to grant required permissions. If the Exchange system contains mixed 2007, 2010, and 2013 servers, the different commands must be completed on one server of each type.

To archive Room and Equipment Resources, or to restore them, the Retain user, or Service Account, must also have delegation rights. These commands must be issued manually for each Room and Equipment or resource mailbox on every relevant server. This is required for 2013 and 2016.

These commands must be issued:

(‘Retain’ is used here as the name of the Service Account, or Retain user, and the ‘Mailbox Database’ should be changed to the appropriate name.)

(NOTE: every time a new Room and Equipment or resource mailbox is added, the first command must be re-run.)

Retain requires Basic Authentication to be enabled on each CAS Exchange server in the system for Autodiscover and EWS.

In Exchange Admin Center, go to Servers, then go to the Virtual Directories tab.

To check if this worked, run the following PowerShell cmdlets:

For EWS:

Get-WebServicesVirtualDirectory | ft server,basicauthentication

For Autodiscover:

Get-AutoDiscoverVirtualDirectory | ft server,basicauthentication

On Exchange systems prior to 2013 you may need to set basic authentication manually.

Open “Server Manager” on Exchange server.

The Exchange module must be configured in the Retain Server before any communication between Retain and an existing Exchange message system can occur. Open the Retain management page on the Retain Server, and select Module Configuration.

Select the ‘Configure’ option in the Exchange module. A new window or tab will open with the module configuration.

The module needs to be enabled on this page to make it active in the Retain system.

The module can be given a name.

The Send Method option enables either the SMTP Forwarding or FTP features. For either feature to appear and function, the Module Forwarding tab must be configured on the Server Configuration page. See that section for more information.

Normally all the checkboxes on this tab are always left selected. It is rare that you would ever deselect any of them. Two cases where you might, would be: troubleshooting (as instructed by Technical Support), or retrieving an old email system.

The Enable Address Book Caching function allows Retain to regularly cache the online email systems address book and synchronize it with Retain. This is critical for administration, authentication, and archiving purposes. It is recommended to cache the Address Book once every 24 hours to keep the Retain storage system up to date. By default, maintenance is set to cache the Address Book once every 24 hours.

The Enable Authentication checkbox determines if end-user authentication is performed when the user logs into Retain. If it is deselected, the Retain system will NOT authenticate the user against the email system and the user will not be able to log in unless another authentication method is enabled.

The Enable Jobs checkbox determines if configured data retrieval jobs are ever passed to the Worker. Even if the individual job is fully configured and enabled, if this checkbox is switched off, no jobs configured for this module will be processed.

The Message body allows the administrator to decide whether to store either the HTML or plain text message body, or both.

Send Method

The Send Method option enables either the SMTP Forwarding or FTP features. For either feature to appear and function, the Module Forwarding tab must be configured on the Server Configuration page. See that section for more information.

If the Impersonation and Core Settings tabs are not completely configured with the correct information, the hosted system will not be archived correctly.

This tab is not used with an On-premise Exchange system.

Retain needs to know where to access the Global Catalog Host and existing domains before any archiving can be accomplished.

Open the “Exchange Forest” tab and enter the IP address or hostname of the Global Catalog Host.

Click on the Green Plus sign to add a search base. This should be set to the highest level of the LDAP domain so the entire address book can be found. For example: DC=exchange2013,DC=qa,DC=gwava,DC=com

Retain uses Active Directory extensively when integrating with Exchange. Its uses include: populating the address book, authentication, and access to the Exchange System.

There are settings required for Exchange, see the Exchange Permissions required for Retain section.

On the Exchange Forest tab, you configure all the Active Directory information you need for an Exchange forest. There is no need to fill out any information on the User Forest tab unless the users exist in a separate forest from the Exchange Forest.

On the Exchange Forest tab, specify whether to use SSL or not for the Global Catalog Security and the search base, (use of SSL with the Global Catalog Security and search base is highly recommended). The search base is the LDAP path to the base of where Retain will start searching for valid Exchange users.

The Global Catalog Port defaults depend on whether SSL is used for security or not. (SSL is strongly recommended. Default ports are 3268 for plain text, and 3269 for SSL.) Adjust as appropriate for your system.

You also must provide the credentials of an Active Directory user. This user is special It must have full read rights to Active Directory, be a mailbox-enabled, user, and be granted various Impersonation and Delegation rights. More on this is discussed in the Exchange Permissions required for Retain section. The username must be in UPN format, (user principal name).

This search base, in LDAP form, must be high enough in the tree to include ALL users, groups, and servers. Multiple search bases can be specified, though it often results in a less efficient interface. These are LDAP search bases which allow Retain to resolve all users, groups, and servers of interest in the forest.

After the Search Base has been added, test the connection to ensure information and connection works. The test performs a simple login to confirm that the user exists, the Exchange Server is reachable, and that the credentials are accepted. The test does not confirm impersonation or delegation rights necessary for the Service Account.

If the test results in an error stating: “FAILURE: User doesn't exist or is not mail enabled,” It indicates that the user’s mailbox is unavailable. A mailbox is not required for Retain to utilize the specified user. If the user Retain utilizes does not have a mailbox, this error may be ignored. However, if the user specified does have a mailbox, this may indicate connection issues.

If the test results in an error with an LDAP error code 49 it is an authentication error. The important bit of information is what comes after the data field. That is the LDAP connection error code that applies to this case.

The Exchange Forest tab is the only tab required by the Server and the Worker to archive mail from the Exchange system. The User Forest tab, however, is required for Exchange systems utilizing a resource forest, to allow the end user to log into Retain.

If the system contains a Resource Forest, enable the checkbox on the Exchange Forest tab and save changes. If the Resource Forest checkbox is not enabled, the User Forests tab will be non-functional and all settings contained on that tab will be ignored. The checkbox must be unchecked in a single forest Active Directory deployment, but must be checked in a multiple forest Active Directory deployment.

Check all information to ensure that it is correct and save changes, and then configure the User Forest if required.

User Forest

The User Forest must have an entry for each user forest attached to the system.

Select the green ‘+’ button and input the LDAP information required by the Forests’ Global Catalog server: IP address or hostname, port, security, (SSL is strongly recommended), and all search bases to include all the users. No administrative credentials are required. Each end user’s provided credentials will be used on login.

Delegates

You can set Retain to use delegate rights with On-Premise Exchange.

Save all changes before closing the Exchange Module page.

After saving changes, return to the Retain Server's Module Configuration page, and trigger a refresh of the Address Book.

Depending on the size of the address book, it may take several minutes to return with information, but a successful configuration will return a correct address book cache date and no errors. The date should reflect the date of when the address book refresh was triggered.

The Status may show “Address Book Cache Never Run” or may list commonly misconfigured or missed items if the Refresh job fails.

Once the status is configured and the Address Book has been cached, Retain can connect to and archive messages from the Exchange server. The system is ready to have workers, schedules, profiles, and jobs configured, and those options will now appear on the main administrative interface.

The Address Book is refreshed whenever the button is pressed, during the nightly maintenance cycle, and before each job.

The job will need an Exchange profile setup to connect to the email system properly.

After the Exchange Module has been configured, the Exchange Profile will be available for configuration. If an Exchange Profile is not configured, jobs cannot be run against the Exchange system.

Click on “Add Profile” and provide a profile name, or select an already existing profile to access the configuration tabs. All changes made on this page must be saved by selecting the “save changes”, disk icon, at the top right of the page. Tabs may be changed and navigated through without affecting new settings, but any move to another page will require saving, or abandoning the changes made.

The core settings consist of an enabled/disabled option which must be enabled for any jobs based on this profile to archive anything.

For systems where the administrator wishes to have archived messages removed from the system automatically, the Messaging System Deletion option may be used. Messaging System Deletion will remove messages from a mailbox after they are archived, according to the time frame specified in the settings. The amount of time to keep messages is specified in days. The recommended setting depends on the archiving scheme in the system. For instance, if messages are to persist in the system for 30 days, then the system deletion setting should be set to 30 and enabled. A setting of 0 will remove messages from the system as soon as they are archived. Be sure to configure the system before enabling the setting in the profile.

Retain can archive and select specific types of mail and Exchange system items to be archived. The Manage Settings tab provides access to manage those settings.

The Mailbox type specifies whether to include or exclude the available types of mailboxes. Because there can be multiple profiles and jobs, it may be advantageous to archive the Users and Room / Equipment mailboxes separately as needed and appropriate for the system.

The Item Type option specifies the different types of messages found in Exchange that can be archived, and allows the exclusion of or inclusion of the different individual types.

The Item Source option allows administrators to exclude or include messages that have not yet been sent or received, or posted.

The Message Status allows messages which have or have not been read or opened, or marked private or confidential to be archived. The different options in the drop-down menu are as shown.

The Scope tab dictates the date range Retain will scan in the attached archiving jobs.

Date Range to Scan

The Date Range to Scan instructs Retain to scan for, and archive, messages after, or before, a certain date. This is useful if only specific chunks or areas of mail are to be archived.

New Items: All items that have not been archived by Retain since the last time the job ran.

All Items in Mailbox: All items in the mailbox starting from 1/1/1970, duplicates will be processed but not stored if they already exist in Retain's archive.

Number of days before job start date and newer: Only items from the relative number of days from the time the job began will be archived. E.g. messages that came into the email system less than 7 days ago.

Number of days from job start date and older: Only items before the relative number of days from the time the job began will be archived. E.g. messages that came into the email system more than 7 days ago.

Specify custom date range: Only items between two absolute dates will be dredged.

Specify custom date range relative to job start: Only items between two relative dates will be dredged. E.g. messages that came into the email system between 7 and 5 days ago.

It is recommended to archive all New items.

The Miscellaneous tab allows access to settings detailing how messages are stored and what is archived. Attachments, message information such as the Internet headers, and how the data is stored and named, (by folders, year, or year and month), dictate not only the message store structure, but affect the storage size.

Miscellaneous options also allow for the archiving of the ‘recoverable items’. To enable checking and archiving of the ‘Recoverable Items’ for compliance reasons, select the checkbox next to the option.

The Advanced tab allows you to limit what is stored by Retain. This must be used with caution as this opens holes for data to be lost through. It is recommended to store everything since storage space is inexpensive.

Advanced Criteria

If you want to be more specific as to what to dredge or not to dredge, add the criteria here. Each line will be logically AND-ed together. Think “Dredge all items where the following is true:” Criteria A AND Criteria B AND Criteria C AND etc.

You may select based on:

And whether they are equal to, not equal to, contain or do not contain the item you specify.

This gives you great flexibility and granularity. It allows you to customize dredges and retention for many different groups, or even individuals.

By default, we dredge items from all folders. You can specify one or more inclusions or exclusions.

Your choices are:

How to specify the list of folders to dredge/exclude:

You may now configure Schedules, Workers and Jobs.

You can create distribution list in Exchange Admin Center to manage information dissemination. Retain will query Exchange for a list of users in each distribution list. While you can create a distribution list in Active Directory Users and Computers these changes will not be reflected in Exchange therefore Retain will not see them. If you wish to rename a distribution group it needs to be done in Exchange or Retain will not see it either.

Distribution lists can be hidden in Exchange. If a distribution list is hidden, Retain will not be able to see the users associated with the distribution list and will not be able to archive the distribution list. The distribution list will be marked as (hidden) in Job | Mailboxes | Distribution Lists.

Dynamic Distribution Lists cannot be seen by Retain as they only create a user list at the time the message is sent. So, it is more of a filter then a list. Remember to refresh the address book if you wish to see the latest list changes.

How does Retain get messages from Exchange?

Troubleshooting Exchange Performance

In general, we have found that acceptable throughput is in the 3-5 messages per second range. In well designed systems with sufficient hardware resources we have seen throughput above 10 m/s. There is definitely an issue if the throughput is less than 3, and we have seen instances of less than 0.1. The first place to look is the worker log.

enterMailbox
Discovered endpoint

2015-09-25 12:00:07,256 TRACE [RTWQuartzScheduler_Archive_Worker-1] com.gwava.caapi.MailboxArchivingStats: enterMailbox: JDoe@RETAIN.GWAVAUTAH
2015-09-25 12:02:14,177 DEBUG [RTWQuartzScheduler_Archive_Worker-1] com.gwava.ews.archiveimpl.process.ExchangeUser: Discovered endpoint: https://ad.test.sys/ews/exchange.asmxscreen

2015-07-22 00:25:25,056 TRACE [Thread-1341102] com.gwava.ews.RetainExchangeWebserviceFactory: retry, exception :
javax.xml.ws.WebServiceException: java.net.SocketException: Software caused connection abort: recv failed
at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(Unknown Source)
...
at com.gwava.ews.archiveimpl.process.CursorFetchThread.run(CursorFetchThread.java:1334)
Caused by: java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
...
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:318)
... 27 more
2015-07-22 00:25:25,056 DEBUG [Thread-1341102] com.gwava.ews.RetainExchangeWebserviceFactory: EWS request failed: null. Will retry after 2 seconds

The error indicates that either you have a throttling policy applied or the Exchange server is busy. Microsoft Exchange 2010 uses client throttling policies by default to track bandwidth for each Microsoft Exchange user and enforce bandwidth limits as necessary. Throttling policies should be turned off for the Retain Service Account, because they can affect the performance of Retain for Exchange when accessing mailboxes with a large number of folders and mail items.

Using Exchange Journaling Mailbox is not recommended, but there are some situations were it is an option.

According to a Microsoft technician, they recommend at least 1 journaling mailbox per mail server. Exchange can only effectively support mailboxes under 5 - 10G. Exchange will begin to suffer from performance issues when the Inbox begins to exceed 2500-5000 messages. http://blogs.technet.com/b/exchange/archive/2005/03/14/395229.aspx

This means that, once you enable a journaling mailbox, you should begin archiving its contents and using the Retain option to delete the items from the mailbox once archived. However, if there are delays in getting those journaling mailboxes archived, you should watch the size. If it gets to 5G, turn it off and re-route email to another journaling mailbox until you get all of them archived and emptied out.

Important note: As Retain archives the journal mailbox it creates a list of messages to be deleted but will only send the delete request when it exits the mailbox. If the job fails before it exits then the messages won't be deleted. Limiting the scope of the job to allow Retain to finish the job successfully will ensure that the messages are deleted.

Symptoms you may notice when experiencing problems with default IIS limitations:

15:15:15,668 RetainServerCommunication - Attempt to connect, but Server returned HTTP status (404): Not found (this line is typically repeated several times over the course of 5 minutes) 15:15:15,668 RetainServerCommunication - Giving up...too many retries! 15:15:15,668 ArchiveAttachment - Send a nice healthy blob:Archive: ERROR: Fatal Error Result=AddedEMails: 0, emailID=null, parentID=null 15:15:15,691 JobUtilities - HandleArchivingException

*Note: IIS is not supported by GWAVA. These are suggested methods for allowing Retain to archive large emails through IIS. For further information visit the MicroSoft support pages: http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits Some other useful information can also be found on the IIS forums: http://forums.iis.net/t/1066272.aspx

This may not be as much of an issue in Retain installations that were created with 3.x and newer. The RetainWorker will now communicate, by default, directly to the RetainServer on port 48080 thereby bypassing IIS. If you'd like to change this for an older installation, change the connection address of the worker. See the manual (look up "Worker Configuration") for your particular installation for more information. You may still have this be an issue on your Exchange server when Retain tries to collect from it if there are message attachments or messages that are larger than whatever ISS is set to allow through. This would be a setting on the Exchange side that would need to be changed. Default is 30000000 bytes.

For getting exports out of Retain you can also choose to bypass IIS and use http://(RetainIP):48080/RetainServer. IIS integration is more of a convenience to point users at Retain so that you don't have to deal with port information in a URL and other advantages that this can provide.

IIS, by default, limits the amount of data that can be imported by Retain. You can remove, or at least mitigate, this limitation by changing 4 settings. This example will be assuming you'd like to archive files up to 931 MB.

If you need to move your users to a new Exchange domain without changing their email addresses (for example from user@organization.local to user@organization.org) you will need to use the moveMailboxes tool to keep the users associated with their existing archive, otherwise a new archive will be created for all users.

If jobs fail with the error: 421 4.3.2 The maximum number of concurrent connections has exceeded a limit, closing transmission channel.

It may be because we are hitting the maximum inbound connections per source limit connecting to Exchange. You will need to increase the MaxInboundConnectionPerSource parameter. See “Understanding message rate limits and throttling” for details.