Proofpoint Email Continuity is a cloud-based email continuity solution that enables members of your Organization to continue to receive and reply to email messages when your mail servers are temporarily off-line. It provides an always-on secondary email service for cloud services such as Office 365 and Google Apps, and platform agnostic support for on-premise solutions such as Microsoft Exchange.
When Email Continuity is licensed, copies of messages to your Organization are stored in the Proofpoint Cloud Email Continuity Service for a period of 30 days or 1 GB per mail box. Users have access to their messages using a Webmail portal to the Proofpoint Cloud, authenticating with either their Proofpoint IdP credentials or your Organization's supported SAML 2.0 Identity Provider (IdP).
In the event of an outage, end users continue to send and receive emails via the Email Continuity Web Portal. Users can access the Email Continuity portal from within Outlook using the Continuity by Proofpoint folder in Exchange or with the Email Feedback for Microsoft Outlook Plug-in. Email Continuity is a no-maintenance service that mitigates the risk of email downtime and lost productivity.
Email Continuity is also supported in an optimized web mail interface for iOS (Safari browser) and Android (Android browser) for mobile devices.
Contents
Introduction
How Email Continuity Works
  External Emails
  Internal Emails
  Contact and Calendar Synchronization Service
  Additional Documentation
About Administrators
  Admin Center Interface
  Additional Email Continuity Administrators
Microsoft Exchange Server Setup for Email Continuity
  Pre-requisites for Internal Email Setup
  Exchange 2013
    Send Connector
    Mail Contact
    Journal
    Standard Journaling
    Premium Journaling
  Pre-requisites for the Contacts Synchronizer
    Request the Contacts Synchronizer Installer
    System Requirements
    Exchange Impersonation User
    Exchange 2010/2013 – Setting up the Impersonation User
    Office 365 – Setting up the Impersonation User
  Running the Synchronizer Installer
  Configuring Exchange 2010/2013
  Configuring Office 365
  Starting the Synchronizer Service
  Contacts and Calendar Synchronizer Service Features
  Contacts and Calendar Synchronizer Service Operation Options
    Synchronization
    Credentials
    Logs
    Un-installing the Service
Appendix A – Configuring Exchange for Sent Messages
  PowerShell Script
    Example
    Limitations to the PowerShell Script
Appendix B – Adding a Footer on Sent Messages
  Adding the Footer to All Sent Messages
  Creating Footers for Specific Groups
  Limiting the Footer to Mail Sent Externally
  Limiting the Footer to Mail Sent Internally
How Email Continuity Works
This section describes how the Email Continuity feature works.
External Emails
For external inbound emails, Proofpoint Enterprise Protection scans each message directed towards your primary email solution for viruses and spam. After scanning, a copy of each message is compressed, encrypted, and transmitted to the Proofpoint Email Continuity service. The administrator does not need to set up or configure anything.
For external outbound emails, in order for the sender to store a copy of their email in Continuity, Proofpoint requires Exchange journaling rules to be configured as described below.
Internal Emails
For internal emails, Proofpoint requires journaling rules to be configured on your Organization’s Exchange Servers so that a copy of the journal emails can be sent to Proofpoint Continuity. Steps to configure journaling rules are provided in this document for Exchange 2013, 2010, and Office 365 Exchange, respectively. Exchange servers allow multiple journal rules to be configured, in case you already have journal rules for other solutions.
Contact and Calendar Synchronization Service
Microsoft Exchange and Office 365 contacts and appointments can also be synchronized to Email Continuity so that users have access to their personal contact lists and calendar from within the Email Continuity Webmail portal. Instructions for setting this up are in the section “Proofpoint Email Continuity Contacts and Calendar Sync.”
See the Email Continuity User’s Guide for details on how contact and calendar synchronization is used in the Email Continuity portal. Here are the article numbers for the User’s Guide:
Proofpoint Knowledgebase – article number 3308.
Proofpoint Customer Success Center – article number 2641.
The Global Contacts list for your Organization is already available once a synchronization to the Proofpoint Cloud is completed.
Additional Documentation
Users authenticate with either their Proofpoint IdP credentials or your Organization's supported SAML 2.0 Identity Provider (IdP). The Proofpoint IdP is enabled by default and does not require further configuration. For information about setting up SAML 2.0 for Federated Authentication for Proofpoint Cloud Services, refer to these articles:
Proofpoint Knowledgebase – article number 3588
Proofpoint Customer Success Center – article number 2525
For information about setting up Email Continuity from the Proofpoint Protection server management interface, look for the PoD Admin Guide that applies to the release you are currently running.
Proofpoint Knowledgebase – article number 80.
Proofpoint Customer Success Center – on the Knowledge tab, enter PoD into the Search field.
You will need your credentials to access the Proofpoint Customer Success Center and Proofpoint Knowledgebase.
About Administrators
The podadmin role (PoD administrator) has access to the User Management > Settings > Cloud page in the PoD management interface – this is the page where you enable or disable user synchronization to the Proofpoint Cloud Services, and can control which groups to include or exclude from synchronization.
To grant access to the Admin Center to administrators, follow these steps:
1. Log in to the PoD management interface and go to the System > User Management > Groups page.
2. Create a group named ContinuityAdmin. Save your changes.
3. Go to the User Management > Users page.
4. Click the name of the user (or administrator) on the page to edit his or her settings. Add the user to the ContinuityAdmin group and save your changes. Repeat this step for all of the users to whom you want to grant access to the Admin Center.
5. Go back to the User Management > Users page and select Sync to Cloud from the Options menu.
6. After the next synchronization to the Proofpoint Cloud, users belonging to the ContinuityAdmin group will have access to the Continuity Admin Center.
The Admin Center provides access to the following administration tasks:
Control user access to the Email Continuity web portal, where users access Continuity Mail, Contacts, and Calendar.
Control the mail retention period.
Request an immediate synchronization with the Proofpoint Cloud Services by selecting the Sync Now button in the Admin Center.
Log in to the Email Continuity portal using your podadmin credentials at:
You will see the Admin Center link in the top-right corner of the portal.
Admin Center Interface
You can control the following Email Continuity features from the Admin Center:
Continuity Mail, Contacts, and Calendar Access – the administrator can enable and disable access to the Email Continuity portal. When disabled, members of the user community will receive the message “Sorry, your access to this service is currently disabled” when they try to log in at https://continuity.proofpoint.com (US Organizations) or https://continuity-eu.proofpoint.com (EU Organizations). However, mail for the user community is still being collected and will be available once the administrator enables the service. Administrators can still log in to Email Continuity, but they will only have access to the Admin Center page.
Mail Retention Period – the administrator can control how long email messages remain available in Email Continuity until they are automatically deleted. The options range from one to 30 days. Thirty days is the default setting. The option for zero days (no mail retention) is not available.
Domain/User Sync – the administrator can request an immediate synchronization for the domain and user data in the Proofpoint Cloud and Email Continuity services. This sync automatically runs for all customers after midnight Pacific Time. If you need to provision new users or update administrator access sooner, you can use the Sync Now feature. Once the request is made the sync will typically initiate and complete within a few minutes. You will see a “User sync request queued” message when you use this feature.
Be sure to save your changes if you make edits to the Admin Center page.
As the podadmin administrator, you can give other users access to the Admin Center. Any user who belongs to the group ContinuityAdmin and is synchronized to the Proofpoint Cloud will see the Admin Center tab when they log in to the Email Continuity portal.
To give other users access to the Admin Center:
1. Log in to the PoD management interface as the podadmin.
2. Go to the User Management > Groups page and create a new group named ContinuityAdmin. Save your changes.
3. Go to the User Management > Users page. For each user to whom you want to give Admin Center access, edit the entry, go to the Membership tab, and move ContinuityAdmin to the Member Of list. Save your changes.
4. On the User Management page, select Sync to Cloud from the Options menu.
As the podadmin, you may want to give another administrator access to the User Management > Settings > Cloud page. To do this, you must first create a Role that includes access to the User Management page and also the Email Continuity module.
To create an Email Continuity administrator:
1. Log in to the PoD management interface as the podadmin.
2. Go to the Administrator > Roles page.
3. Click Add, and then enter an ID and description for the new Role. For example, email_continuity and Email Continuity admin.
4. Under Managed Modules, check the boxes for User Management and Email Continuity. Click Add to save your changes.
5. Go to the Administrator > Administrators page and then click Add.
6. Fill in the fields for the new administrator.
7. Under Management, ensure that email_continuity is selected for Role.
8. Save your changes.
Any administrator with the email_continuity Role will be able to see the User Management > Settings > Cloud page when they log in to the PoD management interface.
If you need detailed instructions on how to use the PoD management interface, refer to the PoD Admin Guide for the release your cluster is currently running.
Microsoft Exchange Server Setup for Email Continuity
The following sections contain instructions for setting up Microsoft Exchange servers to support Proofpoint Email Continuity.
Pre-requisites for Internal Email Setup
For internal emails, ensure that your firewall is configured to send journaling emails to the Proofpoint Continuity service IP addresses 67.231.152.162 (US) and 62.209.51.248 (EU) at port 25. Proofpoint uses Mandatory TLS for communication between your Organization’s journaling and the continuity.proofpoint.com (US) or continuity-eu.proofpoint.com (EU) email domains.
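The firewall and TLS prerequisite above can be checked from the Exchange server before any journal rule is created. The following PowerShell function is an added example, not part of the Proofpoint guide: it connects to the service addresses listed above on port 25 and reports whether the SMTP listener is reachable, advertises STARTTLS, and accepts the STARTTLS command. The function names and the EHLO name are illustrative.

```powershell
# Added example (not from the Proofpoint guide). Requires Windows PowerShell 3.0+.
# Run it on the Exchange server that will send journal reports, so the test
# follows the same firewall path as the journaling traffic.

function Read-SmtpReply {
    param([System.IO.StreamReader] $Reader)
    # An SMTP reply may span several lines: "250-..." continues, "250 ..." ends it.
    $lines = New-Object System.Collections.Generic.List[string]
    while ($true) {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines.Add($line)
        if ($line.Length -lt 4 -or $line[3] -ne '-') { break }
    }
    return $lines.ToArray()
}

function Test-ContinuityJournalPath {
    param(
        [Parameter(Mandatory = $true)] [string] $Address,
        [int] $Port = 25,
        [string] $HeloName = [System.Net.Dns]::GetHostName(),  # illustrative EHLO name
        [int] $TimeoutMs = 10000
    )
    $result = [ordered]@{
        Address = $Address; Port = $Port; Reachable = $false; Banner = $null
        StartTlsAdvertised = $false; StartTlsAccepted = $false; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a silently dropping firewall is reported quickly.
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${Address}:$Port timed out"
        }
        $client.EndConnect($pending)
        $result.Reachable = $true

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = @(Read-SmtpReply $reader)
        $result.Banner = $banner -join ' | '
        if ($banner.Count -eq 0 -or $banner[-1] -notmatch '^220') {
            throw "Unexpected SMTP banner: $($result.Banner)"
        }

        $writer.WriteLine("EHLO $HeloName")
        $ehlo = @(Read-SmtpReply $reader)
        $result.StartTlsAdvertised = [bool]($ehlo -match '^250[- ]STARTTLS')

        if ($result.StartTlsAdvertised) {
            $writer.WriteLine('STARTTLS')
            $reply = @(Read-SmtpReply $reader)
            # 220 means the server is ready to begin the TLS handshake. The handshake
            # and certificate validation are left to the Exchange connector itself.
            $result.StartTlsAccepted = ($reply.Count -gt 0 -and $reply[-1] -match '^220')
        }
    }
    catch { $result.Error = $_.Exception.Message }
    finally { $client.Close() }
    [pscustomobject]$result
}

# Check both service addresses named in the guide (US and EU).
'67.231.152.162', '62.209.51.248' |
    ForEach-Object { Test-ContinuityJournalPath -Address $_ }
```

A row with Reachable set to False points at the firewall rule; a reachable row where StartTlsAdvertised is False usually means a device on the path is rewriting the SMTP session.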
For instructions on how to configure the Proofpoint Protection Server for Email Continuity, refer to the “Email Continuity” chapter in the Proofpoint Administration Guide for Proofpoint on Demand (PoD).
Exchange 2013
Use the Exchange Admin Center web interface for management tasks.
To access the web interface, enter this URL into a browser:
Set up the journaling recipient to an external domain by first setting up a send connector for it.
1. Log in to the admin center.
2. Click mail flow.
3. Click send connectors.
4. Click + to create a new connector.
5. Enter a name for the send connector.
6. Select the Partner choice for Type, since an SSL/TLS connection is required for the journaling
Enter values into the Display name, Name, Alias, and External email address fields. The External email address value should be the Continuity journaling report recipient. If your Organization has multiple domains, enter the primary domain:
1. Enter a name for the rule into the Name field.
2. Select [Apply to all messages] for If the message is sent to or received from…
3. For Email Continuity support, select All messages.
4. Enter the recipient for the journaling report into the For Send journal reports to field.
5. Save your changes when you are done.
3. When you run the management console you will see an interface similar to this:
Send Connectors
In the Exchange Management Console, navigate to Microsoft Exchange On-premises > Organization Configuration > Hub Transport and click the Send Connectors tab.
1. Enter a name for the connector – for example, “Continuity Journaling Connector.”
2. Select Partner from the list since Continuity requires an SSL/TLS connection for the journaling report. (For example, route the report to a trusted 3rd party server.)
1. Click the + Add icon to add a new address space.
2. In the SMTP Address Space pop-up, enter the email domain of the Proofpoint Continuity journaling processor where the external email messages should be sent:
4. Specify a name and an alias for the journal recipient.
5. Click Edit and specify the external SMTP address for the journal recipient. This must be an SMTP address that points to the Proofpoint Continuity server. The email address local-part should be your Organization’s domain. If your Organization has multiple domains, use the primary domain.
10. On the General tab, change Use MAPI rich text format to Never.
11. Select Hide from Exchange address lists. This step ensures that no Outlook user can select the contact from the Address book and send messages to the journal address.
12. Click OK when you are done.
This section contains instructions to configure standard and premium journaling.
Standard Journaling
In the Exchange Management Console, navigate to Microsoft Exchange On-Premises > Organization Configuration > Mailbox and then select the Database Management tab.
In the Exchange Management Console, navigate to Microsoft Exchange On-Premises > Organization Configuration > Hub Transport and click the Journal Rule tab.
Check Always use Transport Layer Security (TLS) to secure the connection (recommended). TLS is a security protocol that encrypts and delivers email messages securely so that no one except the sender and recipient can access or tamper with the message. Select this option so that messages will be rejected if the TLS connection is not successful.
Select Issued by a trusted certificate authority (CA).
The validation will fail, since the journaling report mail server only accepts messages in Exchange journaling format. The test mail Office 365 sends for validation is not in this format, so the failure message is the expected behavior.
Click the Pencil icon to view the validation details. In a future release a 550 error will prevent the MTAs from re-attempting delivery of invalid journal reports.
Click Save to save the new connector (ignore the connection validation failed message).
Click compliance management > journal rules on the Exchange admin center page.
If you have not set up any journal rules before, the first step is to set up an email address to receive undeliverable journal reports. Click the Select address link to display the non-delivery reports pop-up.
Click Browse, select a recipient, and click the Save button.
We can now create a new journal rule by clicking the + button.
A new wizard window pops up. Configure the following parameters:
1. Send journal reports to: This field specifies the target recipient of the journaling report. Enter your journaling recipient here.
2. Name: Enter a name for the journaling rule.
3. If the message is sent to or received from...: this option allows you to limit the journal rule to specified users or groups. For Email Continuity, this option should be Apply to all messages.
4. Journal the following messages: for Email Continuity, select All messages.
Click Save to create the journaling rule. The Exchange admin center page will look similar to this:
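For on-premises Exchange 2010/2013, the settings this section configures through the management consoles can be read back from the Exchange Management Shell. The following audit is an added example, not part of the Proofpoint guide: it checks that the send connector enforces TLS, that the journal recipient contact is hidden and has MAPI rich text disabled, and that the journal rule is enabled and applies to all messages. It assumes the connector address space and the journal recipient address use one of the Continuity email domains named in the prerequisites; the function name is illustrative.

```powershell
# Added example (not from the Proofpoint guide). Run in the Exchange Management
# Shell of an on-premises Exchange 2010/2013 organization.
# Assumption: the connector address space and the journal recipient use one of
# the Continuity email domains named in the prerequisites section.
$continuityDomain = 'continuity(-eu)?\.proofpoint\.com'

function Get-ContinuityJournalingFindings {
    $findings = @()

    # Send connector: must exist, be enabled, and enforce TLS.
    $connectors = @(Get-SendConnector |
        Where-Object { "$($_.AddressSpaces)" -match $continuityDomain })
    if ($connectors.Count -eq 0) {
        $findings += 'No send connector has an address space for the Continuity domain.'
    }
    foreach ($c in $connectors) {
        if (-not $c.Enabled) {
            $findings += "Send connector '$($c.Name)' is disabled."
        }
        if (-not ($c.RequireTLS -or $c.DomainSecureEnabled)) {
            $findings += "Send connector '$($c.Name)' does not enforce TLS " +
                         '(RequireTLS and DomainSecureEnabled are both off).'
        }
    }

    # Journal recipient contact: hidden from address lists, MAPI rich text off.
    $contacts = @(Get-MailContact -ResultSize Unlimited |
        Where-Object { "$($_.ExternalEmailAddress)" -match $continuityDomain })
    foreach ($m in $contacts) {
        if (-not $m.HiddenFromAddressListsEnabled) {
            $findings += "Mail contact '$($m.Name)' is visible in the address lists."
        }
        if ("$($m.UseMapiRichTextFormat)" -ne 'Never') {
            $findings += "Mail contact '$($m.Name)' has Use MAPI rich text format " +
                         "set to '$($m.UseMapiRichTextFormat)', not Never."
        }
    }

    # Journal rule: enabled, applied to all messages, no recipient filter.
    $rules = @(Get-JournalRule |
        Where-Object { "$($_.JournalEmailAddress)" -match $continuityDomain })
    if ($rules.Count -eq 0) {
        $findings += 'No journal rule sends reports to an address in the Continuity domain.'
    }
    foreach ($r in $rules) {
        if (-not $r.Enabled) {
            $findings += "Journal rule '$($r.Name)' is disabled."
        }
        if ("$($r.Scope)" -ne 'Global') {
            $findings += "Journal rule '$($r.Name)' has scope '$($r.Scope)', not Global (all messages)."
        }
        if ("$($r.Recipient)") {
            $findings += "Journal rule '$($r.Name)' is limited to recipient '$($r.Recipient)'."
        }
    }
    return $findings
}

$findings = @(Get-ContinuityJournalingFindings)
if ($findings.Count -eq 0) { 'No deviations from the guide were found.' } else { $findings }
```

Office 365 uses outbound connectors rather than send connectors, so only the journal rule part of this check carries over to Exchange Online.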
Proofpoint Email Continuity Contacts and Calendar Synchronizer
Microsoft Exchange and Office 365 (O365) personal contacts and calendars can be synchronized to the Proofpoint Email Continuity service via the Exchange Web Service (EWS) and Email Continuity WebDAV APIs. The Email Continuity Synchronizer runs as a Windows service using an Exchange impersonation user. Users have access to their contacts list and appointments from within the Email Continuity Webmail portal – however, they are read-only – users cannot add, delete, or modify contacts or appointments while in the Email Continuity Webmail portal.
Pre-requisites for the Contacts Synchronizer
This section describes the pre-requisites and system requirements for the Contacts Synchronizer.
Request the Contacts Synchronizer Installer
Request the Email Continuity Synchronizer installer from Proofpoint by opening a CTS ticket. Please indicate whether you want personal contacts synced, calendars synced, or both. The installer will include custom configuration files for your specific service, including a one-time password for the Proofpoint Email Continuity WebDAV integration. Once installed, the sync service runs every 24 hours.
System Requirements
To run the Proofpoint Email Continuity Sync Service, you will need the following hardware and software:
Exchange 2010/2013 or O365
Windows Server 2008/2008 R2/2012/2012 R2
1 GHz x64 CPU
1 GB of RAM free
4 GB HD available
Microsoft .NET Framework 4.5+
Exchange Impersonation User
An Exchange impersonation user is required to run the Email Continuity sync service. The Email Continuity sync client must run as this impersonation user.
Exchange 2010/2013 – Setting up the Impersonation User
1. Log onto the Windows server as an Administrator of the Organization Management group.
2. In the Exchange Management Shell, run the following command:
Office 365 – Setting up the Impersonation User
2. In the left navigation pane, click Exchange under ADMIN to open the Exchange admin center page.
3. In the left navigation pane, click permissions and then click admin roles at the top.
4. Click the + at the top to add a new role.
5. After entering the Name and Description, click the + under Roles and select ApplicationImpersonation in the list.
6. Click the + in the Members section and add the account which will have the Impersonation role to run the sync service and then click Save.
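Unless it is scoped, the ApplicationImpersonation role granted in the procedures above lets the service account act as every mailbox in the organization. The following Exchange Management Shell commands are an added example, not the command from the Proofpoint guide: they assign the role through a management scope so impersonation is limited to the mailboxes that are synchronized, then list every effective holder of the role for review. The account, scope, assignment and group names are placeholders, and it is an assumption here that mailboxes outside the scope will simply not be synchronized.

```powershell
# Added example (not from the Proofpoint guide). Exchange Management Shell.
# Every name below is a placeholder chosen for this example.
$serviceAccount = 'EXAMPLE\svc-continuity-sync'                        # impersonation user
$scopeName      = 'ContinuitySyncMailboxes'
$assignmentName = 'ContinuitySyncImpersonation'
$groupDn        = 'CN=Continuity Users,OU=Groups,DC=example,DC=com'    # synced users

# 1. Management scope: only members of the group can be impersonated.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"
}

# 2. Role assignment bound to that scope instead of the whole organization.
if (-not (Get-ManagementRoleAssignment -Identity $assignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $assignmentName `
        -Role ApplicationImpersonation `
        -User $serviceAccount `
        -CustomRecipientWriteScope $scopeName
}

# 3. Review: everyone who effectively holds ApplicationImpersonation, and over what.
function Get-ImpersonationHolders {
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, EffectiveUserName,
                      RecipientWriteScope, CustomRecipientWriteScope |
        Sort-Object EffectiveUserName
}

# Assignments with no custom scope apply to the whole organization and are the
# ones to question first.
Get-ImpersonationHolders | Where-Object { -not $_.CustomRecipientWriteScope }
```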
Running the Synchronizer Installer
The installation steps are identical for on-premise Exchange 2010/2013 and O365.
1. Log on as a local Administrator on the Windows server where the Continuity Sync Service will run. If you are using Exchange on-premise, the sync client must be installed and run on a server within the Exchange Windows domain.
2. Add the impersonation user that will run the sync service as a member of the local Administrators group.
3. Copy the provided ProofpointContinuitySync.zip package to the server and extract the files.
4. Double-click the ProofpointContinuitySync.msi file and start the installation steps.
5. Click Run in the Open File - Security Warning dialog box if it appears.
6. Enter the path to the folder for the sync client:
7. Click Yes in the User Account Control dialog box if it appears.
8. When the Set Service Login dialog box appears, enter the credentials for the impersonation user that will run the sync service:
Where user is the impersonation account preceded by the Windows domain.
9. Complete the remaining installation steps.
Configuring Exchange 2010/2013
1. Log on as a local Administrator on the Windows server where the Synchronizer service will run.
2. Click the Windows Start Menu and select All Programs > Proofpoint > Sync > SyncConfigTool to open the Email Continuity Sync Configuration Tool.
3. Select Exchange Server On-Premises and then click Next:
4. Specify the URL for your on-premise Exchange Web Services (EWS) API:
Typically the EWS path is at https://<EXCHANGE_URL>/ews/exchange.asmx. If you do not know the location of your Exchange server, you can try using auto-discovery to find the EWS API when running the sync service.
Configuring Office 365
1. Log on as the impersonation user on the Windows server where the Continuity Sync Service will run.
2. Click the Windows Start Menu and then select All Programs > Proofpoint > Sync > SyncConfigTool to run the Continuity Sync Configuration Tool.
3. Select Exchange Server Online (Office 365) and then click Next:
4. If you want to restart the Synchronizer Service, you may need to go to the Windows Task Manager and stop the SyncService.exe process first.
Contacts and Calendar Synchronizer Service Features
The Proofpoint Synchronizer Service automatically syncs contacts and calendars once every 24 hours. For contacts, only personal contact items (VCards) within the top-level Exchange/O365 folders of type Contact are included in the sync of each Exchange account. For calendars, only the appointment items in the Exchange/O365 Calendar folder at the Top of Information Store are included in the sync of each Exchange account.
For contacts, their folders and contents are read-only in the Continuity Webmail portal under the Contacts section.
Contacts are searchable in the Webmail portal under each contact folder and the All Contacts folder, which includes all the user’s personal contacts as well as all other synchronized users within the same organization.
See the Email Continuity User’s Guide for details on how the calendar and contacts appear to users in the Email Continuity portal after synchronization.
Proofpoint Knowledgebase – article number 3308.
Proofpoint Customer Success Center – article number 2641.
Contacts and Calendar Synchronizer Service Operation Options
This section describes various options available to the administrator.
Synchronization
The Proofpoint Synchronizer Service automatically synchronizes contacts and calendar appointments once every 24 hours. The process starts with a full synchronization and then synchronizes incremental changes since the full synchronization. If the contact or calendar data becomes out-of-sync, administrators can request a data reset on the Email Continuity server by contacting Proofpoint via a support ticket. This process will initiate a full sync on the next run to reset all data. Administrators can also request, via a support ticket, that only contacts or only calendars be synchronized.
Credentials
Administrators can request that credentials shared between the Email Continuity synchronization client and the WebDAV API be reset by issuing a CTS ticket. Proofpoint will provide a new one-time password (OTP) file via secure communication. The default location for the password is:
Once the sync service is restarted, the new Email Continuity WebDAV password will be securely shared and stored on the Windows sync server using the Data Protection API (DPAPI).
Logs
The default location for the Continuity Synchronizer Service logs is:
Appendix A – Configuring Exchange for Sent Messages
This appendix covers examples of how to configure your Exchange servers to place messages sent by Email Continuity in users’ Sent folders when the Exchange servers are back online.
PowerShell Script
The following script places the Email Continuity Sent messages in users’ Sent folders when the Exchange server is back online. You can run the script periodically to provision the rule for new users, since it will skip mailboxes that already have the rule configured.
You should save the commands in the example below as a PowerShell script file (for example, continuityRule.ps1) and run it as an administrator who has full access rights to all of the mailboxes.
To add full access rights to an administrator, run the following command in the PowerShell window, replacing <AccountName> with the account name for the administrator:
Limitations to the PowerShell Script
If a recently-created user has not yet logged in to their Exchange account, the Sent folder will not have been provisioned yet, so the rule for the new user will not be created when you run the script.
New users added after you run the script will not have their rules automatically created. You must run the PowerShell script again to create the rules for new users.
Appendix B – Adding a Footer on Sent Messages
This appendix provides instructions on how to add a footer to messages sent from the Email Continuity web portal using the Proofpoint on Demand (PoD) Email Firewall Rules. You must have the podadmin role (PoD administrator) to configure the footer.
Please note the footer will not appear in the sender’s saved copy of the message in the Continuity web portal Sent folder, nor will it appear in the Bcc copy the Continuity server sends to the sender’s Exchange mailbox. It will only be appended to the copies of the message the recipients receive.
Adding the Footer to All Sent Messages
To add the footer to all sent messages (internal + external), please follow these steps:
1. Log in to the PoD management interface and go to the Email Protection > Email Firewall > Rules page.
2. Click Add Rule to configure a new rule.
3. Under Rule Settings, set Enable to On and enter a unique ID and Description.
4. Under Conditions, click Add Condition to display the configuration window.
5. Select Envelope Sender for the Condition, is in Domain Set for the Operator, and
6. In the new page, select And for Add Condition as, select Message Headers for Condition, select User Defined for the Header and enter X-Proofpoint-Continuity-Sent. Select Equals for the Operator, and enter true for the Value as shown:
7. Then click Add Condition to close the window. Your rule condition should appear as:
8. On the rule page, leave the Delivery Method as Continue, check Annotate message based on detected language, select Add message, and select Bottom of the message as the Annotate Location as shown:
9. In the Message text area, enter your footer message in either plain text or an HTML block. If you choose to use HTML, include <body> tags around your block as shown above.
10. Click Add Rule at the top of the page to save and enable your rule.
Note that when sending mail from the Continuity web portal to yourself (including through distribution lists and alternate email addresses), there are two copies of the message sent to your Exchange mailbox: the sent message (with the footer), and the additional Bcc copy to the sender (no footer). Due to Exchange’s de-duping by the Message-ID, only the first copy received will be retained. In this case it may appear that the footer intermittently does not appear, but this is a result of the Bcc copy sometimes arriving first.
Creating Footers for Specific Groups
To create a footer that applies only to all mail sent from specific PoD User Management Groups, first follow the steps above for creating a new Email Firewall Rule to add a footer to all sent mail. Then follow these steps:
1. In the Email Firewall Rules list, click Edit Rule for the new rule you have just created.
2. Under Conditions, click Add Condition to open the configuration window.
3. In the new page, select And for Add condition as and select Envelope Sender Belongs to Group from the Condition list.
4. Select Equals for the Operator.
5. Click Select Group to open the Select Groups window. Select the Groups to which you want to apply the rule from the Available Groups list and then click the arrow button to move them to the Selected Groups list. Click Done to save your changes.
6. On the Add Condition page, your groups should be listed in the Groups field. Click Add Condition to save and return to the Rule page.
7. Your Rule will be updated with the new group condition as shown:
8. Click Save Changes at the top of the page to save the rule.
Limiting the Footer to Mail Sent Externally
Follow these steps to edit the Email Firewall rule if you only want to add the footer to Continuity messages sent to external users.
1. In the Email Firewall Rules list, click Edit Rule for the footer rule.
2. Under Conditions, check the Disable processing for selected policy routes check box.
3. Select default_inbound in the Available list and use the arrow button to move it to the Disable For Any Of list.
4. Click Save Changes at the top of the page to save the rule. In the rules list the rule will display Deny: default_inbound in the Routes column.
Limiting the Footer to Mail Sent Internally
Follow these steps to edit the Email Firewall rule if you only want to add the footer to Continuity messages sent to internal users.
1. In the Email Firewall Rules list, click Edit Rule for the footer rule.
2. Under Conditions, check the Restrict processing to selected policy routes check box.
3. Select default_inbound in the Available list and use the arrow button to move it to the Require Any Of list.
4. Click Save Changes at the top of the page to save the rule. In the rules list the rule will display Allow: default_inbound in the Routes column.