Data Protection Interactive Server Side Warnings Routing Behavior

Document ID : KB000066803
Last Modified Date : 21/06/2018
Show Technical Document Details

CA Data Protection supports both client-side and server-side email integration. Specifically, it can integrate with Microsoft Outlook or Lotus Notes on client machines and with Microsoft Exchange, IIS SMTP, Domino, Sendmail and Postfix email servers.

With Microsoft Exchange server or IIS SMTP agents, CA Data Protection can intervene by sending an interactive warning email to the sender. The user can then reply to the message to disregard the warning, or do nothing to automatically heed the warning and the agent sends or does not send the email accordingly. This is possible for emails that generated warning or inform events and requires specific configuration on the machine hosting the agent.


If CA Data Protection intercepts an email transiting through Exchange Server or IIS SMTP and the email generates a warning or inform event, CA Data Protection can automatically send a notification or an interactive warning email to the sender.  This is known as a Server Side Warning (SSW)

If the sender replies to this warning promptly (that is, before the warning timeout expires), then their email is released and sent to its intended recipients. If they do not reply (or reply too late), then CA Data Protection deems that they have heeded the warning and the email is disposed of without being released. The warning timeout defaults to 4 hours. That is, a user has 4 hours to reply if they want to disregard the warning and send their email anyway. But this timeout is configurable.

CA Data Protection 14.x\15.x

To enable server-side interactive warnings, the Exchange Server Agent (ESA) must exist on each Hub Transport (HT) server (Exchange 2007 or 2010) or each Mailbox server (Exchange 2013\2016).  The following is an example of the SSW routing behavior.


Step 1: A user sends an e-mail from Exchange OWA (Outlook Web Access) or mail client where the Data Protection client is not installed. 

Step 2: A Hub Transport HUB (HT1) receives the mail which is passed to a Policy Engine and processed accordingly.  If the policy action triggerss a warning,  the event is called back into the HUB and a warning e-mail is generated. 

While creating the warning mail, Data Protection applies an algorithm using Message ID + Host ID (IP address of HT1 intercommunication IP Address) this unique ID is inserted in Subject line.   For example; CA DLP Advisory [ID=FJDCLHHNPNVBQNBCBW]

Step 3: When the user replies to the warning e-mail the mail can reach to any HUB Transport.

Step 4: The HUB Transport that receives the message applies a reverse algorithm on the unique ID to get IP address and Message ID.

Step 5: The Data Protection code compares the decoded IP address with its internal Host id and if it matches, then it will process the mail (release).

Step 6: If it does not match then, it will send a messages to the IP address extracted from the Unique ID along with message ID. This inter communication between Data Protection Exchange Server Agents (ESA's) is sent over a dynamically allocated port and received by the listening port assigned to the "IntercomPort" specified in the registry (defaults to 8102). 

Note: All "IntercomPort" listening port addresses must be set the same on all ESAs.

Step 7: When the originating HUB receives the release request the original e-mail is released.


Additional Information:

In some circumstances (for example; where there is any indiscriminate network binding and/or multiple sub-nets that could influence the routing between HUBs) you may need to specify the IP Address to ensure the listener can be bound to the correct network address.  The registry setting "IntercomIPAddress" augments the "IntercomPort" setting, to specify the Network card IP Address to associated with the "IntercomPort" listening port number.

The "IntercomIPAddress" functionality was introduced in DataMinder 14.1 via FIX:RO74283 , DataMinder 14.5 via FIX:RO82723  and 14.6 via FIX:RO74494 (see TEC618851 for more details).


Full details for deployment can be found in the Data Protection Product documentation.