MOVEit DMZ DLP Module

Created exclusively by HANDD Business Solutions, the Ipswitch MOVEit DMZ DLP Module is an application that extends the functionality of the MOVEit DMZ Ad Hoc file delivery system. The module intercepts all emails delivered by the MOVEit DMZ Server and determines if the email constitutes an Ad Hoc package delivery. If so, the Ad Hoc DLP Integrator will pass a copy of the message and attachments to any DLP Server that uses the ICAP protocol. If any portion of the message or attachments is determined to be in violation of the DLP policy, the MOVEit DMZ DLP Module will revoke the Ad Hoc Package in the MOVEit DMZ system and send a “bounce” message back to the package originator rather than deliver the original message.

Key Features and Benefits

High Level Architecture

The MOVEit DMZ DLP Module consists of a Mail Transfer Agent (MTA) that accepts SMTP traffic from the MOVEit DMZ server. This MTA software, which runs as a Windows Service, includes the application-specific logic to process all incoming traffic in order to perform DLP analysis on Ad Hoc package deliveries. This MTA sits as a gateway between the MOVEit DMZ server and the normal SMTP service which, prior to insertion of this module, delivered email generated by MOVEit DMZ.

If the MTA receives a message that contains specific triggering text – that is, text which indicates the email is an Ad Hoc package notification – then it holds that email and spawns a DLP-validation task. The task passes the message and its attachments to the DLP server using ICAP and evaluates the response. All temporary files are deleted immediately after use. If, at any step of the process, the DLP server indicates that the message or file contents should be blocked, the MTA discards the original message and sends a “bounce” message back to the originator indicating that the package could not be delivered due to DLP violations. The MOVEit DMZ system is also updated so that the package is revoked, meaning that the recipient cannot obtain the message or its attachments even by logging into the MOVEit DMZ server directly.

Deployment

Prerequisites

  • MOVEit DMZ Enterprise v7.0 or higher, with Ad Hoc Transfer Module
  • MySQL or SQL Server database configured for MOVEit DMZ
  • Java 32-bit Virtual Machine 1.6 or higher (JRE or JDK)
  • 25MB available disk space for the application, plus sufficient hard disk space for temporarily decrypted files (2GB or greater recommended)

Installation

  • Run the Windows installer application, as an Administrator, on the machine which is running the MOVEit DMZ Enterprise server.
  • Be sure to have the following configuration information about your MOVEit DMZ server available during installation:
      • MOVEit DMZ database information (database host, database name, username, and password for an account that can read/modify the MOVEit DMZ database).
      • MOVEit DMZ Organization ID for the organization used for Ad Hoc transfers.
      • MOVEit DMZ base files path – the top-level folder where MOVEit DMZ stores files.
      • A temporary file location where the Ad Hoc DLP Integrator module can temporarily store unencrypted versions of the files it is validating against the DLP servers.
      • SMTP server through which outbound emails are to be delivered.
  • Configure MOVEit DMZ to deliver email to the Ad Hoc DLP MTA, which in turn is configured to use the proper SMTP server as the gateway for delivering emails.

Configuration

  • The installer application obtains the appropriate values from the administrator for proper interaction with MOVEit DMZ, the downstream mail server, and the ICAP endpoint for DLP. Other values are set to defaults which work in most cases; however, additional configuration options might be necessary since no two deployment environments are the same. The configuration information is therefore listed in this section, though you will likely not need to change these settings.
  • The Windows Service launches the Java Virtual Machine which hosts the MTA and the corresponding Ad Hoc DLP logic. Refer to “$INSTDIR\conf\wrapper.config” for settings. The installer handles the defaults.
  • The Mail Transport Agent and Ad Hoc DLP Integrator are configured using the “$INSTDIR\apps\james\SAR-INF\conf\config.xml” file. The installer handles the defaults, based upon your input at installation time.

Additional Notes

  • By default, the MOVEit DMZ DLP MTA server runs as a Windows Service under the “Local System” account. It is recommended that you create and use a separate Windows account for this service, granting only the permissions required by the service (read/write to the application installation folder, MOVEit DMZ Base Files path, and the Temp folder).
  • By default, the MOVEit DMZ DLP MTA server listens for incoming socket connections ONLY on the IPv4 address “127.0.0.1”. This reduces the attack surface by allowing SMTP connections only from the local machine. You can turn on IPv6 through the service wrapper configuration file, which sets the Java parameter “-Djava.net.preferIPv4Stack=true” by default at installation time.
  • By default, the MOVEit DMZ DLP MTA server runs with JMX enabled, so you can monitor performance of the JVM using tools such as jConsole. You can disable this in the service wrapper configuration file.
  • If you send a MOVEit DMZ package to multiple recipients, the MOVEit server processes that as multiple individual messages. Each of those messages is handled separately by the Ad Hoc DLP Integrator module, and therefore a message sent to multiple people which violates DLP policy will result in multiple BOUNCE messages indicating the delivery failure.
  • The MOVEit DMZ DLP Module supports the “Allow: 204” header feature in ICAP. This setting is the recommended configuration if your ICAP server supports it, since it can dramatically reduce internal network traffic when verifying files; however, not all ICAP implementations properly support “Allow: 204”, and although the Ad Hoc DLP Integrator module is programmed to be very robust in handling implementation variations, you might need to turn OFF this feature in order to make the system work properly.
  • Log files are found in the $INSTALLDIR\apps\james\logs folder. The “mailet-YYYY-MM-DD-HH-MM-SS.log” files contain information about the Ad Hoc message and DLP processing. The “debug” setting in $INSTALLDIR\apps\james\SAR-INF\config.xml increases the log output level.
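The ICAP exchange described under High Level Architecture, together with the “Allow: 204” behaviour covered in the note above, as an added Python example (this is not HANDD’s or Ipswitch’s code; the module itself is Java): it builds the RESPMOD request for one decrypted attachment and maps the DLP server’s reply to an allow/block verdict. The verdict rule, the X-Violations-Found header, and the host names are assumptions made for this example.

```python
# Added example (not HANDD or Ipswitch code): one ICAP RESPMOD round trip of the
# kind the MTA performs per attachment, and the verdict logic for the reply.
ICAP_VERSION = "ICAP/1.0"


def build_respmod_request(icap_uri: str, host: str, filename: str,
                          body: bytes, allow_204: bool = True) -> bytes:
    """Wrap a decrypted attachment in an ICAP RESPMOD request (RFC 3507).

    The attachment travels as the body of a minimal encapsulated HTTP 200
    response, chunk-encoded as ICAP requires. "Allow: 204" lets the DLP
    server answer with a bodiless 204 when it finds nothing to block.
    """
    http_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                f'Content-Disposition: attachment; filename="{filename}"\r\n'
                f"Content-Length: {len(body)}\r\n\r\n").encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    icap = [f"RESPMOD {icap_uri} {ICAP_VERSION}", f"Host: {host}",
            f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}"]
    if allow_204:
        icap.append("Allow: 204")
    return ("\r\n".join(icap) + "\r\n\r\n").encode() + http_hdr + chunked


def classify_response(raw: bytes) -> str:
    """Map a raw ICAP reply to 'allow', 'block' or 'error'.

    Decision rule (an assumption of this example; the page does not document
    the module's exact rule): 204 means the content is unmodified, so allow.
    A 200 carries an encapsulated HTTP response: a server without 204 support
    simply echoes the original (allow), while a DLP hit shows up as a non-2xx
    encapsulated status or an X-Violations-Found header (block). Anything
    else, including malformed replies, fails closed as 'error'.
    """
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("ICAP/"):
        return "error"
    if status_line[1] == "204":
        return "allow"
    if status_line[1] != "200":
        return "error"
    names = {ln.partition(":")[0].strip().lower() for ln in lines[1:]}
    if "x-violations-found" in names:
        return "block"
    http_status = encapsulated.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if (len(http_status) >= 2 and http_status[0].startswith("HTTP/")
            and http_status[1].startswith("2")):
        return "allow"
    return "block"
```

Treating an unexpected reply as an error rather than an allow is the fail-closed choice: the package stays held until the DLP server gives a definite answer.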