Proofpoint Enterprise Archive: Archiving Appliance
Proofpoint Enterprise Archive provides automated capture of all internal and external electronic communications, allowing real-time access to archived data for compliance, legal discovery and end-user productivity. This document describes the Archiving Appliance used by customers running Microsoft Exchange on-premises (see the separate Tech Brief for Microsoft Office 365 customers).
The Proofpoint Archiving Appliance is a sealed, fixed-purpose server installed within your corporate network, which gives it the tight integration and security normally reserved for internal systems. At the same time, the vast majority of search processing and all of the storage is maintained on the Proofpoint network, reducing overhead and maintenance headaches.
The Proofpoint archiving appliance integrates with Microsoft Exchange to provide reliable, native-format email message archiving. Its integration with Active Directory provides unified login and access-control management. The Proofpoint web-based user interface (where authorized users perform searches) is served from the appliance itself for fast, local response times. Finally, because the appliance is the sole holder of the organization's encryption keys (used with Proofpoint DoubleBlind Encryption; see the separate DoubleBlind Encryption brief), all encryption and decryption happens on the appliance, and the Proofpoint network only ever holds ciphertext.
Microsoft Exchange features a capability called journaling. When enabled, a journal report (a copy of the message together with its envelope sender and recipient information) is delivered to a designated journaling mailbox for every message sent or received through Exchange. At a configurable interval, the Proofpoint archiving appliance uses MAPI calls, with a user account that the customer provides, to log in to Exchange and read the journaling mailbox in exactly the same way that Outlook reads a user's mailbox. Because that account only ever needs to read and move items in the journaling mailbox, grant it access to that one mailbox rather than organization-wide or domain-administrative rights. If there are messages in the journaling mailbox, the appliance divides them into batches, creates a subfolder for each batch and moves the messages into those subfolders.
The batches are then processed by the appliance, DoubleBlind Encryption is applied, and the encrypted messages are submitted to the Proofpoint network for archival. Periodically the appliance asks the Proofpoint network to confirm that a batch has been fully processed; only after that confirmation is the batch folder removed from the journaling mailbox. Until then the messages remain in Exchange, which is what makes the process safe against an appliance failure mid-batch.
The Proofpoint archiving appliance uses a Windows account (provided by the customer) to log in and retrieve user and group membership information from Active Directory. This information is used to authenticate user names and passwords for the user interface, and to resolve email addresses and distribution lists back to the actual Active Directory user accounts. With it, the Proofpoint network can grant individual users access to their own mail without maintaining separate user accounts or a separate mapping of email addresses to users.
All data is processed on the appliance and fully encrypted before it is transmitted to the Proofpoint network. The data is further protected in transit by HTTPS, using 128-bit SSL encryption (SSL has since been deprecated in favour of TLS, so confirm that the appliance negotiates a current TLS version). Encrypting the content and the transport allows the data to flow over the public Internet. For added security, customers can configure router/firewall rules to restrict the appliance's outbound connections to the Proofpoint IP addresses it needs.
The Proofpoint archiving appliance is designed to horizontally scale to meet the largest of enterprise needs. In most environments, a single Proofpoint archiving appliance easily services the archiving and search requirements of all of the mailboxes on an Exchange server. Adding additional appliances will increase capacity, with multiple appliances pointing to the same email archive for unified search and discovery across the enterprise. An upfront assessment based on the number of users and simultaneous access user requirements will determine each customer's set-up.
Depending on how much email is generated within your organization, there may be a slight increase in outbound corporate traffic. However, the Proofpoint archiving appliance applies compression and provides customers with the capability to control when email is sent to the Proofpoint network.
According to Microsoft, enabling journaling adds about 15% to the load on the Exchange server. Retrieving the messages from the journal is comparable to one additional, highly active user accessing their own mailbox. All told, you can expect roughly a 20% increase in load on your Exchange server with Proofpoint in place (compared with a system without journaling enabled).
With all of the mail archived, however, you may find it easier to enforce tighter restrictions on how much mail or how long mail can be stored within users' mailboxes. As Exchange performance is highly related to the size of the email message stores, the performance gains from tighter restriction may exceed the load created from the journaling/archiving process.
The only data that resides on the Proofpoint archiving appliance is the customer's set of encryption keys. Proofpoint encourages customers to back up the keys internally and also partners with an escrow service to hold a copy on your behalf. Because an escrowed copy lets a third party reconstruct your keys, the escrow provider belongs in your threat model, and the escrow agreement should spell out who may request a release and how that request is verified.
In the event of an appliance failure, Proofpoint will ship a replacement unit within 36 hours. When it arrives, replace the defective unit and enter the encryption keys. Because messages are never removed from the batch folders in the journaling mailbox until the Proofpoint network confirms that the batch has been fully archived, even messages that were in transit at the moment of failure are safe. Any new items added to the journaling mailbox while the appliance is out of commission simply stay in Exchange until the new unit is operational.
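The following Python script is an added illustration, not Proofpoint code, of the pipeline described in the journaling section and of the failover behaviour described in the paragraph above: batch folders are created in the journaling mailbox, encryption happens only on the appliance, the archive side holds ciphertext and no key, and a folder is deleted only after the archive confirms the batch. The class names, BATCH_SIZE, the sample messages and the XOR "encryption" are all stand-ins assumed for the demo; the brief does not describe any of these internals. Batch ids are derived from the batch's contents so that a replacement unit with no saved state re-derives the same id for a folder it finds in the mailbox and re-submission after a failover is harmless.

```python
"""Simulated journal-mailbox pipeline (hypothetical stand-in, not Proofpoint code).
The 'encryption' is a toy XOR keystream marking where DoubleBlind Encryption
would be applied; it is not real cryptography."""
import hashlib

BATCH_SIZE = 2  # assumed for the demo; the brief does not state the real batch size


def batch_id(msg_ids):
    """Content-derived batch id, so a stateless replacement appliance
    computes the same id for a folder left behind by its predecessor."""
    return hashlib.sha256("\n".join(sorted(msg_ids)).encode()).hexdigest()[:12]


def toy_encrypt(key, data):
    """Toy symmetric transform: XOR with a SHA-256 keystream.
    Applying it twice with the same key recovers the input."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


class JournalMailbox:
    """The Exchange journaling mailbox: an inbox plus per-batch subfolders."""
    def __init__(self, messages):
        self.inbox = dict(messages)   # msg_id -> body
        self.folders = {}             # batch_id -> {msg_id: body}

    def deliver(self, msg_id, body):
        self.inbox[msg_id] = body

    def move_to_folder(self, bid, msg_ids):
        self.folders[bid] = {m: self.inbox.pop(m) for m in msg_ids}

    def delete_folder(self, bid):
        del self.folders[bid]


class ArchiveService:
    """Stand-in for the Proofpoint network: no key, stores only ciphertext,
    confirms batches asynchronously."""
    def __init__(self):
        self.pending = {}      # batch_id -> {msg_id: ciphertext}
        self.archived = {}     # msg_id -> ciphertext
        self.confirmed = set()

    def submit(self, bid, items):
        # Re-submission after a failover is harmless: a confirmed batch is
        # ignored, a pending one is overwritten with identical content.
        if bid not in self.confirmed:
            self.pending[bid] = dict(items)

    def process(self, limit=None):
        """Finish processing up to `limit` pending batches (None = all)."""
        for bid in list(self.pending)[:limit]:
            self.archived.update(self.pending.pop(bid))
            self.confirmed.add(bid)

    def is_confirmed(self, bid):
        return bid in self.confirmed


class Appliance:
    """The on-premises appliance: holds the key and no other state."""
    def __init__(self, key, mailbox, service):
        self.key, self.mailbox, self.service = key, mailbox, service

    def poll(self):
        # 1. Divide new journal items into batches, one subfolder per batch.
        ids = sorted(self.mailbox.inbox)
        for i in range(0, len(ids), BATCH_SIZE):
            chunk = ids[i:i + BATCH_SIZE]
            self.mailbox.move_to_folder(batch_id(chunk), chunk)
        # 2. Encrypt on the appliance and submit every unconfirmed folder,
        #    including folders left behind by a failed predecessor unit.
        for bid, items in self.mailbox.folders.items():
            if not self.service.is_confirmed(bid):
                self.service.submit(bid, {m: toy_encrypt(self.key, body.encode())
                                          for m, body in items.items()})
        # 3. Remove only the folders the archive has confirmed.
        for bid in [b for b in self.mailbox.folders if self.service.is_confirmed(b)]:
            self.mailbox.delete_folder(bid)


def run_failover_scenario():
    """Appliance fails mid-stream; a replacement with the same key finishes the job."""
    key = b"customer-key-entered-on-the-appliance"                          # constructed
    mailbox = JournalMailbox({f"msg{i}": f"body {i}" for i in range(5)})  # constructed
    service = ArchiveService()

    first = Appliance(key, mailbox, service)
    first.poll()               # three batches created and submitted
    service.process(limit=1)   # backend confirms only one of them...
    first.poll()               # ...so only that folder is removed
    folders_after_failure = len(mailbox.folders)
    del first                  # unit fails; its in-memory state is gone

    mailbox.deliver("msg5", "body 5")   # mail keeps arriving while the unit is down
    replacement = Appliance(key, mailbox, service)
    replacement.poll()         # re-submits the two surviving folders, batches msg5
    service.process()
    replacement.poll()

    return {
        "folders_after_failure": folders_after_failure,
        "folders_remaining": len(mailbox.folders),
        "inbox_remaining": len(mailbox.inbox),
        "archived": sorted(service.archived),
        "archive_holds_plaintext": service.archived["msg3"] == b"body 3",
        "decrypted_on_appliance": toy_encrypt(key, service.archived["msg3"]).decode(),
    }


if __name__ == "__main__":
    print(run_failover_scenario())
```

Running the scenario shows two unconfirmed folders still sitting in the mailbox when the first unit dies, and after the replacement's two polls every message (including the one delivered during the outage) is archived exactly once, no folder or inbox item remains, and the archive holds only ciphertext that the appliance's key recovers.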
The Proofpoint archiving appliance runs Microsoft Windows Server 2003. (Windows Server 2003 reached the end of extended support on July 14, 2015 and no longer receives security updates, so a unit still running it should be treated as unpatched regardless of the automatic-update setting described below.) Proofpoint applies server hardening practices designed by security experts: services the appliance does not need are disabled, TCP/IP filtering blocks every port the appliance does not use, there is only a single logon for the appliance, and NTFS permissions protect application files and folders.
The email archiving appliance is configured to accept critical Windows Updates automatically. Proofpoint can also push updates to the appliance as necessary.
Proofpoint support personnel monitor the appliance's reporting patterns and use that information to diagnose issues and remedy problems.