MOVEit DMZ DLP Module
Enforce DLP Policies Before Data Leaves Your Network
Lost data costs money. Worse, any data breach could cost you your reputation.
If you use Ipswitch MOVEit to transfer data within and out of your enterprise, the MOVEit DMZ ad-hoc file delivery system can establish secure connections for moving information. But why should these ad-hoc transfers be outside the control of your Symantec Prevent DLP server?

MOVEit DMZ DLP – Integration With Symantec DLP
Extending the functionality of your MOVEit DMZ, the HANDD MOVEit DMZ DLP AddOnApp makes sure that every file transfer is subject to the same scrutiny as your corporate emails.
The module intercepts all emails delivered by your MOVEit DMZ Server, and determines if the email constitutes an ad-hoc package delivery. If required, the integrator will pass a decrypted version of your message and its attachments to the Symantec Prevent DLP Server.
Then, attachments and mail contents are checked against your data loss prevention policies, allowing the system to make an intelligent decision about whether the data should leave your network.
Read on to learn more about the HANDD MOVEit DMZ DLP module, or contact us now for a free WebEx demo.
High Level Architecture
The MOVEit DMZ DLP Module consists of a Mail Transfer Agent (MTA) that accepts SMTP traffic from the MOVEit DMZ server. The MTA runs as a Windows Service and sits as a gateway between the MOVEit DMZ server and the normal SMTP service.
If the MTA receives a message that contains text that indicates the email is an ad-hoc package notification, it will hold the email and trigger DLP validation. The file is delivered to the DLP server using ICAP, and then the MTA awaits a response.
If the DLP server responds with approval, the email and its attachments are sent. If not, the MTA will discard the message and send a ‘bounce’ notification back to the sender.
Deployment
Prerequisites
- MOVEit DMZ Enterprise v7.0 or higher, with Ad Hoc Transfer Module
- MySQL or SQL Server database configured for MOVEit DMZ
- Java 32-bit Virtual Machine 1.6 or higher (JRE or JDK)
- 25MB available disk space for the application, plus sufficient hard disk space for temporarily decrypted files (2GB or greater recommended)
Installation
- Simply run the Windows installer application, as an Administrator, on the machine that is running the MOVEit DMZ Enterprise server.
- Be sure to have the following configuration information about your MOVEit DMZ server available during installation:
  - MOVEit DMZ database information (database host, database name, username, and password for an account that can read/modify the MOVEit DMZ Database).
  - MOVEit DMZ Organization ID for the organization used for Ad Hoc transfers.
  - MOVEit DMZ base files path – the top-level folder where MOVEit DMZ stores files.
  - A temporary file location where the Ad Hoc DLP Integrator module can temporarily store unencrypted versions of the files it is validating against the DLP servers.
  - SMTP Server through which outbound emails are to be delivered.
- Configure MOVEit DMZ to deliver email to the Ad Hoc DLP MTA, which in turn is configured to use the proper SMTP server as the gateway for delivering emails.
Configuration
- The installer application obtains appropriate values from the administrator for proper interaction with MOVEit DMZ, the downstream mail server, and the ICAP endpoint for DLP. Other values are set to defaults that work in most cases; however, additional configuration options might be necessary since no two deployment environments are the same. The configuration information is therefore listed in this section, though you likely will not need to change these settings.
- The Windows Service launches the Java Virtual Machine, which hosts the MTA and corresponding Ad Hoc DLP logic. Refer to “$INSTDIR\conf\wrapper.config” for settings. The installer handles the defaults.
- The Mail Transport Agent and Ad Hoc DLP Integrator are configured using the “$INSTDIR\apps\james\SAR-INF\conf\config.xml” file. The installer handles the defaults, based upon your input at installation time.
Additional Notes
- By default, the MOVEit DMZ DLP MTA server runs as a Windows Service under the “Local System” account. It is recommended that you create and use a separate Windows account for this service, granting only the permissions required by the service (read/write to the application installation folder, MOVEit DMZ Base Files path, and the Temp folder).
- By default, the MOVEit DMZ DLP MTA server listens for incoming socket connections ONLY on the IPv4 address “127.0.0.1”. This reduces attack surface by only allowing SMTP connections from the local machine. You can turn on IPv6 through the service wrapper configuration file, which sets the Java parameter “-Djava.net.preferIPv4Stack=true” by default at installation time.
- By default, the MOVEit DMZ DLP MTA server runs with JMX enabled, so you can monitor performance of the JVM using tools such as jConsole. You can disable this in the service wrapper configuration file.
- If you send a MOVEit DMZ package to multiple recipients, the MOVEit server processes that as multiple individual messages. Each of those messages is handled separately by the Ad Hoc DLP Integrator module, and therefore a message sent to multiple people which violates DLP policy will result in multiple BOUNCE messages indicating the delivery failure.
- The MOVEit DMZ DLP Module supports the “Allow: 204” header feature in ICAP. This setting is the recommended configuration if your ICAP server supports it, since it can dramatically reduce the internal network traffic when verifying files. However, not all ICAP implementations properly support “Allow: 204”. Although the Ad Hoc DLP Integrator module is programmed to be very robust in handling implementation variations, you might need to turn OFF this feature in order to make the system work properly.
- Log files are found in the $INSTALLDIR\apps\james\logs folder. The “mailet-YYYY-MM-DD-HH-MM-SS.log” files contain information about the Ad Hoc message and DLP processing. The “debug” setting in $INSTALLDIR\apps\james\SAR-INF\config.xml increases the log output level.
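
The ICAP hand-off from the High Level Architecture section and the “Allow: 204” note above, sketched as an added Python example; it is not the module's own code. Assumptions: REQMOD is used, the host names and service path are constructed placeholders, a 200 reply carrying an HTTP response (`res-hdr`) means the policy blocked the file, and anything unrecognised is held rather than delivered.

```python
from urllib.parse import quote

CRLF = b"\r\n"

def build_reqmod(icap_host, service, filename, data, allow_204=True):
    """Encapsulate one file as an HTTP POST inside an ICAP REQMOD request."""
    http_hdr = (f"POST /{quote(filename)} HTTP/1.1\r\n"
                "Host: moveit.example.test\r\n"      # constructed placeholder
                f"Content-Length: {len(data)}\r\n\r\n").encode()
    icap = [f"REQMOD icap://{icap_host}/{service} ICAP/1.0", f"Host: {icap_host}"]
    if allow_204:
        icap.append("Allow: 204")  # server may reply 204 instead of echoing the file
    # Offsets count from the first byte after the ICAP headers.
    icap.append(f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}")
    # Encapsulated bodies are chunked; a zero-length chunk terminates them.
    chunk = f"{len(data):x}".encode() + CRLF + data + CRLF if data else b""
    head = CRLF.join(h.encode() for h in icap) + CRLF * 2
    return head + http_hdr + chunk + b"0" + CRLF * 2

def parse_icap_response(raw):
    """Return (status_code, headers) from the ICAP header block of a reply."""
    head = raw.partition(CRLF * 2)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, code, _reason = lines[0].split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def decide(raw, sent_allow_204):
    """Map an ICAP reply to 'deliver', 'bounce' or 'hold' (fail closed)."""
    try:
        code, headers = parse_icap_response(raw)
    except ValueError:
        return "hold"                     # malformed reply: never release
    if code == 204:
        # 204 = no modification needed; only valid here if we offered it.
        return "deliver" if sent_allow_204 else "hold"
    if code == 200:
        first = headers.get("encapsulated", "").split("=")[0].strip()
        if first == "req-hdr":
            return "deliver"              # assumption: request echoed back
        if first == "res-hdr":
            return "bounce"               # assumption: block page substituted
    return "hold"                         # 4xx/5xx or anything unexpected
```

Without “Allow: 204” an approving server has to return the whole encapsulated file in a 200 reply, which is the extra network traffic the note above refers to.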

