Jan 07 2014
 

From time to time people ask how to make Enterprise Vault data ‘more secure’. Usually the question is about under-the-covers activity: when a client retrieves an archived item and it is transmitted back to the client, can that transmission be secured?

Sometimes people ask about how to make the server itself more secure and the data files on disk – but I’ll save that discussion for another day!

The answer is yes, so let’s discuss how.

Default transmission is HTTP

[Image: HTTP]

And as you can see in Enterprise Vault 10.0.4 (and other flavours of EV too) you get a security warning which, when clicked, gives you a simple pop-up which says:

“Non-HTTPS traffic is not encrypted on the network. Do not use this option unless you are using a secure network”.

The second thing to notice is that this is a site wide setting.

So, life is good if we are using a secure network. I know that there are philosophical discussions to be had about whether ANY network can be termed secure, but for now let’s just say that if all traffic is inside the corporate firewall, it’s secure.

But what about people who use Outlook Web Access?

This is a problem if Enterprise Vault is configured with Outlook Web Access extensions. Users can access Outlook Web Access from ‘anywhere’. Therefore when they retrieve an archived item, perform a search and so on, the transmission is, by default, not going to be secure.

We need to change to HTTPS. For this there are two considerations:

Green Field

In a green field deployment, or in other words a fresh deployment of Enterprise Vault, HTTPS can be enabled and configured from Day 1… before ANYTHING is archived. This is of course the ideal situation.

Brown Field

A brown field deployment, or in other words an existing deployment of Enterprise Vault, can also be changed to use HTTPS. No problem there, except of course that all the existing shortcuts will then be broken. So if you do go down this route, you will need to look at the options for recreating Enterprise Vault shortcuts, which I’ve written about before in this blog post: http://thingsilearnedtoday.net/2013/12/17/how-to-recreate-enterprise-vault-shortcuts/. It might not be necessary to perform those steps though, for example if archived items do not have shortcuts created at all (good for customers who push Virtual Vault usage).

Remember

It’s also worth remembering that you don’t just make this change in Enterprise Vault: if you look at the online help, you also have to obtain and install a valid certificate on the default web site in IIS.

Do you use HTTP or HTTPS in your Enterprise Vault deployment? Let me know in the comments.

 


  2 Responses to “Making Enterprise Vault More Secure”

  1. Hi Rob,

    nice article, as always. When changing a productive environment from http to https, old shortcuts without links will work and even shortcuts with links. EV and IIS will still listen to http traffic and answer these requests, as long as https is not enforced in the IIS configuration. I was not able to get EV working when IIS enforced the certificate, but I can’t recall the EV version I tried this or the reason.

    The IIS certificate for securing EV should include the EV alias as fqdn, the server alias without fqdn and the host name. The indexing service e.g. doesn’t use the alias with fqdn and so the console will show a certificate error. If the certificate just includes the server alias with fqdn, everything will work from a user’s perspective; it’s just on the administrative side, when pop-ups will give a warning.

    Having EV secured with SSL, I find the OWA configuration to be easier for Exchange 2007/2010 and users don’t get warning messages when opening the EV search window through OWA. Expecting OWA to be secured traffic and EV search is unsecured, the IE browser can warn and ask if unsecured web content should be displayed. This may annoy users and depending on the GPOs managing IE settings, this is often difficult to change.

    Just additional input. Way to go,
    Jochen.
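
The name coverage described in the comment above can be checked before a certificate is bound to the default web site in IIS. The following is an added example, not code from the post or from Enterprise Vault: the host names and certificate contents are constructed, and the dict shape is the one Python's `ssl.SSLSocket.getpeercert()` returns. It also shows that a wildcard certificate does not cover the alias without its domain.

```python
# Added example: host names and certificate contents are constructed samples.

def san_dns_names(peercert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    return [value.lower()
            for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]

def name_matches(pattern, name):
    """True if one SAN entry covers `name` (wildcard = whole left-most label only)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # A wildcard stands for exactly one label, so it can never cover a
    # single-label (short) alias or host name.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]

def uncovered_names(peercert, required):
    """Names from `required` that no SAN entry in the certificate covers."""
    sans = san_dns_names(peercert)
    return [n for n in required if not any(name_matches(s, n) for s in sans)]

# Constructed names (assumption): EV alias as FQDN, alias without domain, host name.
REQUIRED = ["evault.corp.example", "evault", "evsrv01"]

# Constructed certificates in getpeercert() shape.
FQDN_ONLY = {"subjectAltName": (("DNS", "evault.corp.example"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.corp.example"),)}
ALL_NAMES = {"subjectAltName": (("DNS", "evault.corp.example"),
                                ("DNS", "evault"), ("DNS", "evsrv01"))}

if __name__ == "__main__":
    for label, cert in (("fqdn only", FQDN_ONLY), ("wildcard", WILDCARD),
                        ("all names", ALL_NAMES)):
        missing = uncovered_names(cert, REQUIRED)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

To check a live server, pass the dict returned by `getpeercert()` on a verified TLS connection in place of the constructed samples.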
