Prepare to run discovery on Exchange 2013
Steps
- Define a service account for Exchange discovery scanning.
- Grant the account one of the following roles. This is necessary so that the system can discover messages and display results.
  - Organization Management
  - View Only Organization Management
The service account should now be able to access Exchange via Outlook Web App (OWA) and move between the mailboxes intended to be scanned during the discovery. Log onto OWA with this account, and try switching between mailboxes as shown below:
- Configure Exchange impersonation for the service account used for the discovery:
  - Open the Exchange Management Shell.
  - Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user. For example, to enable a service account to impersonate all other users in an organization, enter the following:

    New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:ServiceAccount

  For more information on Exchange impersonation, see msdn.microsoft.com/en-us/library/bb204095.
- Configure an Exchange discovery task as follows:
  - Log on to the Data Security module of the Forcepoint Security Manager.
  - Go to the Main > Policy Management > Discovery Policies page, then click Add network task > Exchange Task.
  - Complete the wizard as explained in the Forcepoint DLP Administrator Help. On the Exchange Servers page, enter the credentials set up above.
- Check that Integrated Windows authentication is turned on (it should be on by default). If it is not:
  - In the Exchange admin center, go to servers > virtual directories > EWS (Default Web Site).
  - Select Integrated Windows authentication.
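The Exchange side of the procedure above, gathered into one Exchange Management Shell session as an added example; this is not Forcepoint's or Microsoft's own code. It grants the less privileged of the two role groups, creates the impersonation assignment, narrows it with a management scope so the account can impersonate only the mailboxes tagged for scanning rather than every user in the organization, verifies the assignment, and checks Integrated Windows authentication on each EWS virtual directory. The account name, assignment name, scope name and the CustomAttribute1 tag are assumptions; the Forcepoint wizard (the discovery task step) is GUI-only and is not scripted here.

```powershell
# Added example, not from the Forcepoint documentation or Microsoft's own samples.
# Run in the Exchange Management Shell on an Exchange 2013 server as an administrator
# who holds Organization Management. All three names below are assumptions.
$ServiceAccount = "CONTOSO\svc-dlp-discovery"     # assumed discovery service account
$AssignmentName = "DLP Discovery Impersonation"    # assumed role assignment name
$ScopeName      = "DLP Discovery Mailboxes"        # assumed management scope name

# Steps 1-2: the lower-privileged of the two role groups named above is enough for
# the account to browse mailboxes via OWA and for results to be displayed.
Add-RoleGroupMember -Identity "View-Only Organization Management" -Member $ServiceAccount

# Impersonation, scoped: instead of letting the account impersonate every user in
# the organization, limit it to mailboxes tagged for discovery. The tag in
# CustomAttribute1 is an assumed convention; set it on each mailbox to be scanned:
#   Set-Mailbox -Identity <user> -CustomAttribute1 "DLPScan"
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter { (RecipientTypeDetails -eq "UserMailbox") -and (CustomAttribute1 -eq "DLPScan") }

New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# Verify: exactly one ApplicationImpersonation assignment for the account, carrying the scope.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation)
$assignments | Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope
if ($assignments.Count -ne 1 -or "$($assignments[0].CustomRecipientWriteScope)" -notlike "*$ScopeName*") {
    Write-Warning "Impersonation assignment for $ServiceAccount is missing or not scoped to $ScopeName"
}

# Integrated Windows authentication must be on for the EWS virtual directory on every
# Client Access server; report and fix any server where it is off.
Get-WebServicesVirtualDirectory | ForEach-Object {
    if (-not $_.WindowsAuthentication) {
        Write-Warning "Windows authentication is off on $($_.Identity); enabling it"
        Set-WebServicesVirtualDirectory -Identity $_.Identity -WindowsAuthentication $true
    } else {
        Write-Output "Windows authentication already on: $($_.Identity)"
    }
}
```

The scope is the part worth keeping even if the rest is done in the GUI: an unscoped ApplicationImpersonation assignment lets the service account read any mailbox in the organization, so a compromise of that account exposes everything, whereas the tagged scope limits the blast radius to the mailboxes the discovery task is actually meant to cover. The final check on the role assignment is also a useful periodic control, since an assignment that later loses its scope (or a second, unscoped one) silently widens the account's reach.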