Exchange Server 2007

More Powerful Journaling in Exchange 2007

David Strome


At a Glance:

  • Exchange Server 2007 journal rules
  • The new Journal Wizard
  • What’s in a journal report?

Have you ever had to journal e-mail messages sent to or received from one specific user, then ended up with the messages you were looking for, along with messages from the other 300 mailboxes that reside on that mailbox store? Microsoft Exchange Server 2007 solves this issue, giving you the granular control you need.

Per-recipient journaling, available with enterprise Client Access Licenses (CALs), lets you target who to journal. Through the use of journal rules, you can now target only the recipients and senders you want to journal. You can narrow your focus to a single mailbox, or expand it to include, for example, all of the personnel in a sales department. And their mailboxes don’t need to be on the same server, in the same Active Directory® site, or even in an Exchange organization. Through Active Directory replication, your changes are automatically applied to all the computers running the Hub Transport server role in your organization.

How Journaling Works

In Exchange Server 2003, journaling was implemented on individual mailbox stores on each physical server. If you wanted to journal all of the mailboxes in your organization, you needed to configure journaling on each mailbox store. And if you wanted to journal messages for a single recipient, you either had to journal everyone on that user’s mailbox store or create a new mailbox store specifically for that user.

Journaling in Exchange Server 2007 makes use of the new role-based topology in Exchange. As shown in Figure 1, all messages are processed by Hub Transport servers when going to or coming from Mailbox and Unified Messaging servers, other Exchange systems, third-party applications, and the Internet. All Hub Transport servers contain a transport agent called the journaling agent, which is responsible for applying journal rules to messages. Since the journaling agent is located on the Hub Transport servers, it encounters and evaluates every message before the message reaches its recipient. The journaling agent acts on messages after categorization—this ensures access to all of the message’s recipient and sender attributes, and it allows the agent to determine if the message was sent directly to a recipient or if it was received via distribution group expansion. It can also tell whether the recipient was on the To, the Cc, or the Bcc lines of a message that originated from within the Exchange Server 2007 organization.

Figure 1 Hub Transport Server Mail Flow

The journaling agent applies administrator-configured journal rules to messages as they move through the Hub Transport server. These rules determine whether the agent will capture information about a message, forwarding this info along with the original message to a journal mailbox. This data is sent in a message called a journal report.

With earlier versions of Exchange, you had to apply configurations to multiple servers. When you create a journal rule in Exchange Server 2007, however, that change is applied to all Hub Transport servers in your organization via Active Directory. All Hub Transport servers, and therefore all journaling agents, read the same configuration from Active Directory, so every journaling agent applies the same journaling configuration.

Keep Active Directory replication times in mind when you create or modify journal rules, as a configuration change needs to be replicated throughout your organization and read by the Hub Transport servers. This could take several hours. To help you identify when journaling configuration is updated, Exchange logs an event in the security event log on each server.

Exchange Server 2007 makes sure that a journal report is never lost due to an unavailable journal mailbox, be it full, misconfigured, or offline. (This is particularly handy for helping you comply with various legal and regulatory requirements, since lost messages can result in noncompliance.) If a journal report can’t be delivered to a journal mailbox, the report remains in the Hub Transport server’s queue until the journal mailbox becomes available. Since this can result in rapidly growing queues, you should monitor the availability of your journal mailbox to make sure it’s operating correctly. If a journal mailbox will remain unavailable for an extended period, you can configure an alternate to receive reports that are sitting in the queue.
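The queue build-up described above is the symptom to watch for when a journal mailbox goes offline, because undeliverable journal reports wait in the Hub Transport queue rather than being dropped. The following script is an added example, not code from the article or from Microsoft, that polls every Hub Transport server for queues that are either above a message-count threshold or in a Retry state. It assumes the Exchange 2007 Management Shell is loaded; the threshold value is a constructed example and should be tuned to the organization's normal volume.

```powershell
# Added example (not from the article): flag Hub Transport queues that are
# growing past a threshold or stuck in Retry. A stalled journal mailbox shows
# up here first, since journal reports stay queued until it becomes reachable.
# Assumes the Exchange 2007 Management Shell; $threshold is a constructed value.
$threshold = 500

foreach ($hub in Get-TransportServer) {
    # Get-Queue returns one object per delivery queue on the named server
    $queues = Get-Queue -Server $hub.Name | Where-Object {
        $_.MessageCount -gt $threshold -or $_.Status -eq "Retry"
    }
    foreach ($q in $queues) {
        Write-Warning ("{0}: queue {1} (next hop {2}) has {3} messages, status {4}, last error: {5}" -f `
            $hub.Name, $q.Identity, $q.NextHopDomain, $q.MessageCount, $q.Status, $q.LastError)
    }
    if (-not $queues) {
        Write-Output ("{0}: all queues below {1} messages and none in Retry" -f $hub.Name, $threshold)
    }
}
```

Run it from a scheduled task or a monitoring host that has the Management Shell installed; a queue whose next hop is the Mailbox server hosting the journal mailbox, with a rising MessageCount and a Retry status, is the signal that the journal mailbox is full, misconfigured, or offline and that the alternate-recipient step the article mentions should be considered.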

Deciding What to Journal

Before you begin to create journal rules, you need a clear idea of who you want to target and what types of data you want to journal. By specifying a user on a journal rule, you can select specific users for journaling. These users may, for example, be subject to regulatory requirements, or they may be involved in legal proceedings that require e-mail messages and other communications to be collected as evidence.

In addition to specifying which recipients to journal, you can also determine the scope of messages to journal, with options for Internal, External, and Global. Internal targets only messages within your organization; External targets messages where the sender or one of the recipients is outside; and Global targets both internal and external messages. (Note that the Global option journals all messages that pass through a Hub Transport server—even those that may have already been processed by rules using the Internal and External scopes.)

Exchange Server 2007 supports Unified Messaging, so you can configure Exchange to collect a user’s e-mail, voicemail, and faxes all in his Inbox. This also means you can journal all of this data—or choose to exclude certain data.

If you’re running Exchange Server 2007 with standard CALs, you can still use per-mailbox store journaling. However, if you want to use the new per-recipient journaling features, you must upgrade to the Exchange Server 2007 enterprise CALs.

Where to Place the Journal Mailbox

Once you have decided what to journal, you need to decide where to send the journal reports. If you have multiple sites, you need to consider your current or planned network topology when deciding where to place your journal mailboxes. Depending on the size of your organization and the number of mailboxes, journaling can result in a significant number of repetitive reports.

You don’t need to stick with mailboxes on Exchange, though. You can send journal reports to any valid SMTP address. This address can point to Exchange Hosted Services, to a third-party archival solution, or to any combination of these using a distribution group. Beware, however, that sending journal reports outside your organization has security implications, which are covered under "All About Security" below.

Regardless of where you decide to place your journal mailbox, you must create a recipient object for it in Active Directory. This can be an Exchange Server 2007 mailbox, a mail-enabled contact that redirects mail to Exchange Hosted Services or a third-party archival solution, or a distribution list that contains both mailboxes and contacts.

What’s in a Journal Report?

When the journaling agent journals a message, it tries to capture as much detail as possible about the original message in a journal report. This report is then sent to the journal mailbox. The information is very important in helping you determine the intent of the message, its recipients, and its senders. For example, where recipients are identified—whether directly addressed on the To field, included on the Cc field, or simply a part of a distribution list—can help determine how the recipient is involved in the message’s discussion. The original message is included as an attachment. The screenshots in Figure 2 show one journal report that indicates a message sent to david@contoso.com has been forwarded to christine@contoso.com and another journal report that indicates a message sent to the Sales_Group@contoso.com distribution group has been expanded and the recipient lukas@contoso.com, who is a member of the Sales Group distribution group, received the message. Both reports contain the original message as an attachment, show that the original sender was brian@contoso.com, and have the subject "Sales forecast".

Figure 2 Journal Reports Showing a Forwarded Recipient and an Expanded Distribution Group Recipient

Exchange only classifies information that it knows is correct. Information that cannot be determined automatically is put into the appropriate fields in the journal report. Figure 2 explains the fields that are included in the body of the journal report.

All About Security

By default, all communication between computers running Exchange Server 2007 in the same Exchange organization is encrypted. This encryption includes journal reports. Exchange Server does a number of things to help reduce the risk of journal reports being tampered with:

  • Secure links are used between Hub Transport servers and Mailbox servers in the Exchange 2007 organization.
  • Journal reports are sent as "Microsoft Exchange" on behalf of the sender of the original message.
  • Sessions between the Hub Transport server and Mailbox server are authenticated.
  • Only authenticated connections are accepted when journal reports are sent between the Hub Transport servers and the Mailbox servers in the same Exchange 2007 organization.

When you create a journal mailbox, you must secure it since the mailbox contains messages sent to and from recipients in your organization. Some messages may be part of legal proceedings or subject to regulatory requirements, and there are various laws that require messages to remain tamper-free before they are submitted to an investigatory authority. To increase journal mailbox security, you should configure the journal mailbox to accept only messages from the Microsoft Exchange sender, and you should require that all messages sent to the journal mailbox be sent by authenticated senders. Figure 3 shows the message delivery restrictions configured on a journal mailbox. You can also use the following Exchange Management Shell command to configure these message delivery restrictions:

Set-Mailbox <Journal Mailbox Name> -AcceptMessagesOnlyFrom "Microsoft Exchange" -RequireSenderAuthenticationEnabled $True
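Because a journal rule can be repointed at a different mailbox at any time, the restriction above is worth verifying on whatever mailbox each rule currently targets rather than on a single known mailbox. The script below is an added example, not code from the article or from Microsoft: it walks every journal rule, resolves the journal e-mail address to its recipient object, and for mailbox recipients checks that AcceptMessagesOnlyFrom names "Microsoft Exchange" and that RequireSenderAuthenticationEnabled is set. It assumes the Exchange 2007 Management Shell is loaded and that "Microsoft Exchange" is the display name of the system recipient, as the article states.

```powershell
# Added example (not from the article): audit delivery restrictions on every
# journal mailbox that a journal rule points at. Assumes the Exchange 2007
# Management Shell and that "Microsoft Exchange" is the system sender's name.
$expectedSender = "Microsoft Exchange"

foreach ($rule in Get-JournalRule) {
    # JournalEmailAddress holds the SMTP address of the journal recipient
    $address = $rule.JournalEmailAddress.ToString()
    $recipient = Get-Recipient -Identity $address -ErrorAction SilentlyContinue
    if ($recipient -eq $null) {
        Write-Warning ("Rule '{0}': journal recipient {1} not found in Active Directory" -f $rule.Name, $address)
        continue
    }
    if ($recipient.RecipientType.ToString() -notlike "*Mailbox") {
        # Contacts and distribution groups are valid journal targets, but the
        # mailbox-level restrictions checked below do not apply to them; the
        # receiving system must enforce TLS and sender restrictions instead.
        Write-Output ("Rule '{0}': recipient {1} is a {2}; verify restrictions on the receiving system" -f `
            $rule.Name, $address, $recipient.RecipientType)
        continue
    }
    $mailbox = Get-Mailbox -Identity $address
    # AcceptMessagesOnlyFrom is a collection of directory object references
    $senders = @($mailbox.AcceptMessagesOnlyFrom | ForEach-Object { $_.Name })
    $problems = @()
    if (-not ($senders -contains $expectedSender)) {
        $problems += "AcceptMessagesOnlyFrom does not restrict delivery to '$expectedSender'"
    }
    if (-not $mailbox.RequireSenderAuthenticationEnabled) {
        $problems += "RequireSenderAuthenticationEnabled is False"
    }
    if ($problems.Count -eq 0) {
        Write-Output ("Rule '{0}': journal mailbox {1} is restricted as expected" -f $rule.Name, $address)
    } else {
        Write-Warning ("Rule '{0}': journal mailbox {1}: {2}" -f `
            $rule.Name, $address, [string]::Join("; ", [string[]]$problems))
    }
}
```

A mailbox that fails either check can receive mail from any sender, which means an attacker or a careless user could plant messages in the compliance store or crowd out real journal reports; re-running the Set-Mailbox command above on the flagged mailbox closes that gap.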

Figure 3 Message Delivery Restrictions

If you send journal reports to a journal mailbox outside of your Exchange Server 2007 organization, you must manually encrypt and secure the connection between your Exchange Server 2007 computers and the receiving server. You can do this by:

  • Requiring the use of Transport Layer Security (TLS) between the two systems.
  • Requiring authentication on the receiving system.
  • Accepting only messages on the receiving system from the SMTP address of the Microsoft Exchange recipient (this SMTP address will be similar to Exchange_UMUnique GUID@contoso.com).
  • Configuring the Active Directory contact used to forward the messages to accept messages only from the Microsoft Exchange recipient.

Implementing Journal Rules

Enough talking already. Let’s implement some rules! Journal rules in the journaling agent can be configured either in the Exchange Management Shell or in the Exchange Management Console. Each can be used to configure the recipient, scope, and journal mailbox settings. By default, journal rules are enabled when created. The value you specify for the journal e-mail address must be an existing recipient object in the Exchange Server 2007 organization. This recipient object can be a mailbox, a distribution group, a dynamic distribution group, or a contact that sends mail to an SMTP address.

When using the Exchange Management Console, the New Journal Rule wizard guides you through the creation of new journal rules. In the Organization Configuration section, select the Hub Transport server role. Then in the Action pane, click New Journal Rule. Here, you must supply values for the rule name, journal e-mail address, and scope. You don’t need to specify a value for the Recipient field if you want the journal rule to journal messages for all recipients in your organization. You can also choose whether you want the journal rule to be disabled when it is created. Figure 4 shows a sample configuration that will journal all messages sent by or to brian@contoso.com. Journaled messages are sent to a journal mailbox named Compliance Mailbox.

Figure 4 New Journal Rule Wizard

In the Exchange Management Shell, you can use these six cmdlets to administer the journaling agent:

  • New-JournalRule
  • Set-JournalRule
  • Get-JournalRule
  • Remove-JournalRule
  • Enable-JournalRule
  • Disable-JournalRule

The New-JournalRule cmdlet lets you create a new journal rule. The basic criteria for creating a new journal rule in this manner are the same as when using the wizard. You must specify values for the Name, Scope, and JournalEmailAddress parameters. Again, you don’t have to specify a value for the Recipient parameter if you want the journal rule to journal messages for all the recipients in your organization. And if you want the journal rule to be disabled when created, you must specify a value of $False for the Enabled parameter. To create a journal rule that has the same configuration as the one shown in Figure 4, you would use the following command:

New-JournalRule -Name "Brian Smith Journal Rule" -Recipient brian@contoso.com -JournalEmailAddress "Compliance Mailbox" -Scope Global

You use the Get-JournalRule cmdlet to view a list of all the journal rules you’ve created. Running this cmdlet on its own displays a summary list of all the journal rules configured in your organization and their configuration settings. If you want to view all of the available information about a journal rule, you can pipe the Get-JournalRule cmdlet to the Format-List cmdlet. Piping sends the output of one cmdlet to the next cmdlet so the second cmdlet can do additional processing on the output. The Format-List cmdlet, for example, displays all of the output it receives. To view all of the information available for the journal rule created earlier, you can use this command:

Get-JournalRule -Identity "Brian Smith Journal Rule" | Format-List

To enable or disable a journal rule, you use the Enable-JournalRule and Disable-JournalRule cmdlets. When using these cmdlets, you need to specify the journal rule name in the Identity parameter. For instance, to disable the journal rule we just created, use the following command:

Disable-JournalRule -Identity "Brian Smith Journal Rule"

The Set-JournalRule cmdlet lets you modify an existing journal rule. The name of the journal rule is used with the Identity parameter to tell the journaling agent which rule you are modifying. You then specify the Recipient, JournalEmailAddress, Scope, or any combination of these parameters along with the new value. For example, to modify the value stored in the JournalEmailAddress parameter for the rule we created, use the following command:

Set-JournalRule -Identity "Brian Smith Journal Rule" -JournalEmailAddress "Seattle Users Compliance Mailbox"

Finally, you can use the Remove-JournalRule cmdlet to remove an existing journal rule. You specify the name of the journal rule using the Identity parameter. To delete our sample journal rule, use the command:

Remove-JournalRule "Brian Smith Journal Rule"

When you do this, the Exchange Management Shell will ask if you really want to delete the journal rule. And here’s one last tip: with nearly all cmdlets, you can omit the Identity parameter label and just specify the parameter value.
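The six cmdlets above are usually combined when journal rules are deployed by script rather than by hand, and the useful property of such a script is that it can be run repeatedly without creating duplicate rules. The function below is an added example, not code from the article or from Microsoft: it creates the rule if it does not exist, otherwise updates the existing rule with Set-JournalRule, reconciles the enabled state with Enable-JournalRule or Disable-JournalRule (Set-JournalRule has no Enabled parameter), and finally shows the resulting configuration. The function name is my own; the rule name, recipient, and journal mailbox are the article's sample values, and the Exchange 2007 Management Shell is assumed to be loaded.

```powershell
# Added example (not from the article): create or update a journal rule so that
# the same script can be re-run safely. Function name is hypothetical; the
# sample values are the article's. Assumes the Exchange 2007 Management Shell.
function Set-DesiredJournalRule {
    param(
        [string]$Name,
        [string]$Recipient,
        [string]$JournalEmailAddress,
        [string]$Scope = "Global",
        [bool]$Enabled = $true
    )
    # Get-JournalRule writes an error for an unknown rule; suppress it and test for $null
    $existing = Get-JournalRule -Identity $Name -ErrorAction SilentlyContinue
    if ($existing -eq $null) {
        # New rule: Enabled can be set directly at creation time
        New-JournalRule -Name $Name -Recipient $Recipient `
            -JournalEmailAddress $JournalEmailAddress -Scope $Scope -Enabled $Enabled
    } else {
        # Existing rule: update the targeting, then reconcile the enabled state
        Set-JournalRule -Identity $Name -Recipient $Recipient `
            -JournalEmailAddress $JournalEmailAddress -Scope $Scope
        if ($Enabled -and -not $existing.Enabled) {
            Enable-JournalRule -Identity $Name
        } elseif (-not $Enabled -and $existing.Enabled) {
            Disable-JournalRule -Identity $Name
        }
    }
    # Show what is now in Active Directory for this rule
    Get-JournalRule -Identity $Name | Format-List Name, Enabled, Scope, Recipient, JournalEmailAddress
}

# Same configuration as the article's Figure 4 sample
Set-DesiredJournalRule -Name "Brian Smith Journal Rule" -Recipient brian@contoso.com `
    -JournalEmailAddress "Compliance Mailbox"
```

Because the change is written to Active Directory, the Format-List output reflects the directory object immediately, but as the article notes the Hub Transport servers pick it up only after replication completes; check the security event log on each Hub Transport server before treating the rule as live.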

David Strome has been a Technical Writer with the Exchange User Education group at Microsoft for just over one year. Prior to joining Microsoft in Redmond, WA, David spent approximately 10 years designing, implementing and administering Exchange Server installations at various companies in British Columbia, Canada. He can be reached at dstrome@microsoft.com.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.