SCENARIO
ProofPoint Essentials can archive inbound and outbound email. Setup requires enabling the archive feature, creating a connector in ProofPoint Essentials, and then finalizing the setup with an Office 365 send connector.
Please note that we've automated the creation of connectors and rules in Office 365 to get archiving up and running in the Vircom Portal (https://vircomportal.com). If you've never used the Vircom Portal before, contact our support team with your Office 365 onboarding and we will assist you while showing you around the portal. The instructions below are the fully manual process that the portal automates.
REQUIREMENTS:
For archiving to function properly, ProofPoint requires an NDR mailbox for Non-Delivery Reports. This mailbox cannot be a shared mailbox; it has to be a licensed user in Office 365 with a mailbox. We recommend NDR@yourdomain.com as the mailbox name, although you can call it whatever you want.
IMPORT OF EXISTING ARCHIVE:
If you need to import an existing dataset, please contact your Vircom rep to make sure we can assist with the export. Normally, wherever that data source is, certain requirements have to be met. We cover these in this article: Archive Ingestion Requests.
Enable Archiving on the ProofPoint Essentials side
1- Log into the ProofPoint Essentials website (US or EU).
2- Select Account Management, then Features, check Enable Email Archive, and click the Save button.
3- This will activate a new menu option in ProofPoint labeled Archive as shown below.
Create a Connector in ProofPoint Essentials for O365 Archive:
1- Click the Archive menu that is now displayed to configure a connection to O365.
2- A new tab will open. Select Setup, then Connections, and click the plus sign +
3- On the Add Connection page enter the following information. The undeliverable journal address must be an unused mailbox, but it MUST exist on Azure as a mailbox. Once done click Next.
4- On the pop-up page copy the address that is listed and click Done. This is the journaling mailbox on Office365's archiving servers. Keep that address somewhere safe (in Notepad, for instance) - you will need it when setting up a journal account in O365.
Create Connector on Office365
A dedicated outbound connector must be created so that all archive traffic is sent directly to the ProofPoint Essentials Archive environment instead of getting routed through ProofPoint Essentials gateway.
1- Log into the Office 365 Admin Center.
2- Once logged in click the Admin button.
3- Then click on Admin Centers and then Exchange.
4- In the Exchange Admin Center click on Mail Flow -> Connectors
5- Click [ + Add a connector ] to create a new send connector.
6- On the page that opens up select from Office 365 to Partner Organization and click Next.
7- Next provide a name for the connector and turn on the rule and click Next.
8- In the new screen that opens, select Only when email messages are sent to these domains.
9- Then click the plus sign + and enter the string "*.earchive.cloud" and click OK.
10- The new connector page should have the following information below, then click Next.
11- Select the option Use the MX record associated with the partner's domain and click Next.
12- Click Next to leave the default settings for TLS and security.
13- A new connector summary page is then displayed; click Next.
14- We now need to test if the connector functions correctly by clicking the plus sign + .
15- Enter an email address in order to validate the connector based on your region and click OK.
- US: verification@us.earchive.cloud
- EU: verification@eu.earchive.cloud
16- You may click Validate to test if the connection is successful.
17- A successful test will be indicated after a few minutes.
At this point, the connector is ready to go for mail going to *.earchive.cloud
Configure the O365 Journaling Rule
1- Go to the Microsoft 365 admin center and pick Compliance
2- From the Compliance menu (also called "Microsoft Purview"), pick Data Lifecycle management > Exchange (legacy)
3- Click on Settings (this is where we set up the NDR destination)
4- Click on the NDR (Non Delivery) report destination and set the NDR mailbox
a) Make sure the user you are using here is the same as the NDR mailbox you set in ProofPoint
b) This user must exist as a licensed user in Office 365
c) This user MUST be in the primary domain of your organisation
(i.e. ndr@yourdomain.com, not ndr@yourdomain-com.onmicrosoft.com)
Click Save
5- Now we set up the rule
Click Journal Rules, +New Rule
6- In the Send journal reports to field enter the unique email address generated by ProofPoint Essentials that you copied earlier.
7- Set as below
Click Next -> SUBMIT
At this point, all emails coming in or out will be sent to the archive mailbox specified in step 6.
It's strongly suggested to do a message trace to see if messages are reaching the archiving server.
This is what archiving message deliveries should look like when successful:
Expanding the events should show the successful delivery:
IMPORTANT NOTE - it can take a few minutes for the emails to be ingested on the ProofPoint side.
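To confirm the finished setup matches the requirements listed above (connector scope, NDR mailbox, journal rule), the following PowerShell check is an added example and not part of the original article or a Vircom/ProofPoint tool. The function name Test-ArchiveJournaling and the placeholder journal address are assumptions; the sample objects are constructed, and in a live Exchange Online PowerShell session you would pass the output of the cmdlets named in the parameter comments instead.

```powershell
# Added example: audits the settings this article asks for. Property names match the
# output of Get-OutboundConnector, Get-JournalRule, Get-TransportConfig and Get-EXOMailbox.
function Test-ArchiveJournaling {
    param(
        [object[]]$Connectors,     # Get-OutboundConnector
        [object[]]$JournalRules,   # Get-JournalRule
        [string]$NdrAddress,       # (Get-TransportConfig).JournalingReportNdrTo
        [object]$NdrMailbox,       # Get-EXOMailbox -Identity $NdrAddress
        [string]$JournalAddress    # address copied from the ProofPoint connection pop-up
    )
    $findings = @()
    # Connector: enabled, partner type, scoped to *.earchive.cloud, routed by MX record
    $scoped = @($Connectors | Where-Object {
        @($_.RecipientDomains | ForEach-Object { "$_" }) -contains '*.earchive.cloud' })
    if ($scoped.Count -eq 0) { $findings += 'No outbound connector is scoped to *.earchive.cloud' }
    foreach ($c in $scoped) {
        if (-not $c.Enabled) { $findings += "Connector '$($c.Name)' is turned off" }
        if ("$($c.ConnectorType)" -ne 'Partner') { $findings += "Connector '$($c.Name)' is not a partner connector" }
        if (-not $c.UseMXRecord) { $findings += "Connector '$($c.Name)' does not route by MX record" }
    }
    # NDR mailbox: set, in the primary domain (not *.onmicrosoft.com), and a user mailbox
    if ([string]::IsNullOrWhiteSpace($NdrAddress) -or $NdrAddress -eq '<>') {
        $findings += 'Journal NDR destination is not set'
    } elseif ($NdrAddress -like '*.onmicrosoft.com') {
        $findings += 'Journal NDR destination uses the onmicrosoft.com domain'
    }
    if ($NdrMailbox -and "$($NdrMailbox.RecipientTypeDetails)" -ne 'UserMailbox') {
        $findings += "NDR mailbox is a $($NdrMailbox.RecipientTypeDetails), not a user mailbox"
    }
    # Journal rule: an enabled rule must send reports to the ProofPoint address
    $rules = @($JournalRules | Where-Object { "$($_.JournalEmailAddress)" -eq $JournalAddress })
    if ($rules.Count -eq 0) {
        $findings += 'No journal rule sends reports to the ProofPoint address'
    } elseif (-not ($rules | Where-Object { $_.Enabled })) {
        $findings += 'The journal rule is disabled'
    }
    # Assumption: the connector only applies when that address is under earchive.cloud
    if ($JournalAddress -notlike '*@*.earchive.cloud') { $findings += 'Journal address is outside *.earchive.cloud' }
    $findings
}

# Constructed sample data (not from a real tenant): disabled rule, shared NDR mailbox
$sample = @{
    Connectors     = @([pscustomobject]@{ Name = 'Archive'; Enabled = $true; ConnectorType = 'Partner'; UseMXRecord = $true; RecipientDomains = @('*.earchive.cloud') })
    JournalRules   = @([pscustomobject]@{ Name = 'Archive'; Enabled = $false; JournalEmailAddress = 'journal-placeholder@us.earchive.cloud' })
    NdrAddress     = 'ndr@yourdomain.com'
    NdrMailbox     = [pscustomobject]@{ RecipientTypeDetails = 'SharedMailbox' }
    JournalAddress = 'journal-placeholder@us.earchive.cloud'
}
Test-ArchiveJournaling @sample
```

An empty result means every check passed; it does not replace the message trace, which is what shows journal reports actually reaching the archive.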