Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2009-10-26
Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound e-mail communications. When planning for messaging retention and compliance, it's important to understand journaling, how it fits in your organization's compliance policies, and how Microsoft Exchange Server 2010 helps you secure journaled messages.
First, you must understand the difference between journaling and archiving:
Journaling is the ability to record all communications, including e-mail communications, in an organization for use in the organization's e-mail retention or archival strategy. To meet an increasing number of regulatory and compliance requirements, many organizations must maintain records of communications that occur when employees perform daily business tasks.
Archiving refers to backing up the data, removing it from its native environment, and storing it elsewhere, therefore reducing the strain of data storage. You may use Exchange journaling as a tool in your e-mail retention or archival strategy.
Although journaling may not be required by a specific regulation, compliance may be achieved through journaling under certain regulations. For example, corporate officers in some financial sectors may be held liable for the claims made by their employees to their customers. To verify that the claims are accurate, a corporate officer may set up a system where managers review some part of employee-to-client communications regularly. Every quarter, the managers verify compliance and approve their employees' conduct. After all managers report approval to the corporate officer, the corporate officer reports compliance, on behalf of the company, to the regulating body. In this example, e-mail messages might be one type of the employee-to-client communications that managers must review; therefore, journaling can be used to collect all e-mail messages sent by client-facing employees. Other client communication mechanisms may include faxes and telephone conversations, which may also be subject to regulation. The ability to journal all classes of data in an enterprise is a valuable functionality of the IT architecture.
The following list shows some of the more well-known U.S. and international regulations where journaling may help form part of your compliance strategies:
Sarbanes-Oxley Act of 2002 (SOX)
Security Exchange Commission Rule 17a-4 (SEC Rule 17 A-4)
National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)
Gramm-Leach-Bliley Act (Financial Modernization Act)
Financial Institution Privacy Protection Act of 2001
Financial Institution Privacy Protection Act of 2003
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act)
European Union Data Protection Directive (EUDPD)
Japan’s Personal Information Protection Act
In an Exchange 2010 organization, all e-mail traffic is routed by the Hub Transport server. All messages traverse at least one Hub Transport server in their lifetime. The Journaling agent is a compliance-focused transport agent that processes messages on Hub Transport servers. It fires on the OnSubmittedMessage and OnRoutedMessage transport events.
|In Exchange 2010, the Journaling agent is a built-in agent. Built-in agents aren't included in the list of agents returned by the Get-TransportAgent cmdlet. For more details, see Understanding Transport Agents.|
Exchange 2010 provides the following journaling options:
Standard journaling Standard journaling is configured on a mailbox database. It enables the Journaling agent to journal all messages sent to and from mailboxes located on a specific mailbox database. To journal all messages to and from all recipients and senders, you must configure journaling on all mailbox databases on all Mailbox servers in the organization.
Premium journaling Premium journaling enables the Journaling agent to perform more granular journaling by using journal rules. Instead of journaling all mailboxes residing on a mailbox database, you can configure journal rules to match your organization's needs by journaling individual recipients or members of distribution groups. You must have an Exchange Enterprise client access license (CAL) to use premium journaling.
When you enable standard journaling on a mailbox database, this information is saved in Active Directory and is read by the Journaling agent. Similarly, journal rules configured with premium journaling are also saved in Active Directory and applied by the Journaling agent. For more information about how to configure standard and premium journaling, see Journaling.
Here are key aspects of a journal rule that you should understand:
Journal Rule Scope Defines which messages are journaled by the Journaling agent.
Journal Recipients Specifies the SMTP address of the recipient you want to journal.
Journaling Mailbox Specifies one or more mailboxes used for collecting journal reports.
You can target the journal rule to Internal, External, or Global recipients. The following list describes these scopes:
Internal Journal rules with the scope set to Internal target messages sent and received by recipients inside your Exchange organization.
External Journal rules with the scope set to External target messages sent to recipients or received from senders outside your Exchange organization.
Global Journal rules with the scope set to Global target all messages that pass through Hub Transport servers. These include messages that may have already been processed by journal rules in the Internal and External scopes.
You can implement targeted journaling rules by specifying the SMTP address of the recipient you want to journal. The recipient can be an Exchange mailbox, distribution group, or a contact. These recipients may be subject to regulatory requirements, or they may be involved in legal proceedings where e-mail messages or other communications are collected as evidence. By targeting specific recipients or groups of recipients, you can easily configure a journaling environment that matches your organization's processes and regulatory and legal requirements, and minimize storage and other costs associated with retention of large amounts of data.
All messages sent to or from the journaling recipients you specify in a journaling rule are journaled. If you specify a distribution group as the journaling recipients, all messages sent to and from members of the distribution group are journaled. If you don't specify a journaling recipient, all messages sent to or from recipients that match the journal rule scope are journaled.
Unified Messaging-Enabled Journal Recipients
Many organizations that implement journaling may also use Unified Messaging (UM) to consolidate their e-mail, voice mail, and fax infrastructure. However, you may not want the journaling process to generate journal reports for messages generated by Unified Messaging. In these cases, you can decide whether to journal voice mail messages and missed call notification messages handled by an Exchange 2010 Unified Messaging server or to skip such messages. If your organization doesn't require journaling of such messages, you can reduce the amount of hard disk space required to store journal reports by skipping such messages. When you enable or disable the journaling of voice mail messages and missed call notification messages, your change is applied to all Hub Transport servers in your organization.
|Messages that contain faxes generated by a Unified Messaging server are always journaled, even if you configure a journal rule that specifies not to journal Unified Messaging voice mail and missed call notification messages.|
For more information about how to enable or disable voice mail and missed call notification messages, see Managing Journaling.
The journaling mailbox is used for collecting journal reports. How the journaling mailbox is configured depends on your organization's policies, regulatory requirements, and legal requirements. You can specify one journaling mailbox to collect messages for all the journal rules configured in the organization, or you can use different journaling mailboxes for different journal rules or sets of journal rules.
|Journaling mailboxes contain very sensitive information. You must secure journaling mailboxes because they collect messages that are sent to and from recipients in your organization. These messages may be part of legal proceedings or may be subject to regulatory requirements. Various laws require that messages remain tamper-free before they're submitted to an investigatory authority. We recommend that you create policies that govern who can access the journaling mailboxes in your organization, limiting access to only those individuals who have a direct need to access them. Speak with your legal representatives to make sure that your journaling solution complies with all the laws and regulations that apply to your organization.|
For more information about how to configure the journaling mailbox, see Managing Journaling.
For more information about how to protect journaling mailboxes, see Protecting Journal Reports.
Journal rules are stored in Active Directory and applied by all Hub Transport servers in the Exchange 2010 organization. When you create, modify, or remove a journal rule on a Hub Transport server, the change is replicated to all Active Directory servers in the organization. All Hub Transport servers in the organization then retrieve the updated journal rule configuration from the Active Directory servers and apply the new or modified journal rules.
By replicating all the journal rules across the organization, Exchange 2010 enables you to provide a consistent set of journal rules across the organization. All messages that pass in or through your Exchange 2010 organization are subject to the same journal rules.
|Replication of journal rules across an organization is dependant on Active Directory replication. Replication time between Active Directory domain controllers varies depending on the number of sites in the organization and the speed of links and other factors outside the control of Microsoft Exchange. Consider replication delays when you implement journal rules in your organization. For more information about Active Directory replication, see Active Directory Replication Technologies.|
|Each Hub Transport server caches distribution group membership to avoid repeated round trips to Active Directory. The expanded groups cache reduces the number of requests that each Hub Transport server must make to an Active Directory domain controller. By default, entries in the expanded groups cache expire in four hours. Therefore, if you specify a distribution group as the journal recipient, changes to distribution group membership may not be applied to journal rules until the expanded groups cache is updated. To force an immediate update of the recipient cache, you must stop and start the Microsoft Exchange Transport service. You must do this for each Hub Transport server where you want to forcibly update the recipient cache.|
A journal report is the message that the Journaling agent generates when a message matches a journal rule and is to be submitted to the journaling mailbox. The original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains information from the original message such as the sender e-mail address, message subject, message-ID, and recipient e-mail addresses. This is also referred to as envelope journaling, and is the only journaling method supported by Exchange 2010 and Exchange 2007.
For more information about journal reports and how to manage and protect them, see the following topics:
When implementing journaling in an Exchange 2010 environment, you must consider journaling reports and IRM-protected messages. IRM-protected messages will affect the search and discovery capabilities of third-party archiving systems that don't have RMS support built-in. In Exchange 2010, you can configure Journal Report Decryption to save a clear-text copy of the message in a journal report. For more information, see Understanding Journal Report Decryption.
Exchange 2010 supports journaling in a mixed Exchange 2010 and Exchange 2003 organization. Exchange 2010 can read the Exchange 2003 journaling configuration present on Exchange 2010 mailbox databases, and then journal messages to either an Exchange 2003 or Exchange 2010 journaling mailbox.
Exchange 2003 can't read the journaling configuration used by Exchange 2010. However, Exchange 2010 stamps journaled messages and journal reports with properties that Exchange 2003 can read. If a message has already been journaled by Exchange 2010 and the journal reports are sent to the same journaling mailbox, Exchange 2003 doesn't journal the message again. If a message is a journal report, Exchange 2003 treats the Exchange 2010 journal report as if it was an Exchange 2003 journal report.
For more information about journaling in a coexistence environment, see Understanding Journaling in a Mixed Exchange 2003 and Exchange 2010 Environment.
There is little difference between journaling functionality in Exchange 2010 and Exchange 2007. However, Exchange 2010 journal rules use a different format than journal rules in Exchange 2007. Exchange 2010 Setup creates a separate container in Active Directory to store Exchange 2010 journal rules. When you set up the first Exchange 2010 server in an Exchange 2007 organization, Setup creates a copy of the Exchange 2007 journal rules and stores them in the new container. When Setup finishes, the journal rules used by both versions are consistent. After Setup completes, if you change he journal rule configuration on an Exchange 2007 server, you must make the same change on an Exchange 2010 server to ensure they're consistent. You can also export journal rules from Exchange 2007 and import them on an Exchange 2010 server. For details, see Export and Import Exchange 2007 Journal Rules.
Journaling is enhanced by or is also available as a service from Microsoft Exchange Hosted Services.
Exchange Hosted Services is a set of four distinct hosted services:
Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware
Hosted Archive, which helps them satisfy retention requirements for compliance
Hosted Encryption, which helps them encrypt data to preserve confidentiality
Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations
These services integrate with any on-premises Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.