In some scenarios where a workstation is unable to connect to a parent server on its initial deployment, the Data Protection Outlook agent could tag mails as processed, which prevents the Exchange Server Agent from acting as a backstop. As a result, some mails could be sent without the correct policy being applied.
One specific scenario arises when the CA Data Protection Agent is deployed as part of a virtual desktop image (VDI) and the parent gateway is not available. In this scenario the Outlook client add-in has started but cannot make its initial connection to the parent server, and the infrastructure fails to start with an error like the one below:
Mar 09, 2018 07:50:57 AM System E0028 Infrastructure failed to start correctly. (Unable to make initial login connection to parent server.)
Because the infrastructure has failed to connect to its parent, it cannot download the user policy. However, the Outlook client add-in is loaded and is tagging events as being processed. Consequently, if an Exchange Server Agent (ESA) is deployed as a backstop for any "missed" mails, it will fail to process these Outlook mails because it believes that they have already been processed by the client.
Note: It is possible to use the "ReprocessClientEmails" registry option on the Exchange Server Agent (ESA) to overcome this issue; however, this can cause a lot of duplication and delays in processing.
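To find workstations that hit this condition, the E0028 entry shown above can be searched for across collected agent logs. The following Python script is an added example, not CA code; it assumes the logs have been exported as text in the same layout as the sample line, and the host names and all lines other than the E0028 parent-server entry are constructed.

```python
import re
from datetime import datetime

# Layout taken from the E0028 sample line in this article:
# "<Mon DD, YYYY HH:MM:SS AM|PM> <source> <code> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<source>\S+) (?P<code>[A-Z]\d{4}) (?P<msg>.*)$"
)
PARENT_FAILURE = "Unable to make initial login connection to parent server."
E0028 = ("System E0028 Infrastructure failed to start correctly. "
         "(" + PARENT_FAILURE + ")")


def find_parent_login_failures(logs_by_host):
    """Return {host: [datetime, ...]} of E0028 parent-connection failures."""
    hits = {}
    for host, text in logs_by_host.items():
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if not m:
                continue  # not an entry in the assumed layout
            # Only the parent-server variant of E0028 leaves the add-in
            # tagging mail without a downloaded policy.
            if m["code"] != "E0028" or PARENT_FAILURE not in m["msg"]:
                continue
            ts = datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S %p")
            hits.setdefault(host, []).append(ts)
    return {host: sorted(times) for host, times in hits.items()}


# Constructed sample input (assumption: one exported text log per host).
SAMPLE_LOGS = {
    "vdi-0001": "\n".join([
        "Mar 09, 2018 07:50:57 AM " + E0028,
        "Mar 09, 2018 07:51:10 AM System I0000 Constructed informational entry.",
        "Mar 09, 2018 01:15:00 PM " + E0028,
    ]),
    "vdi-0002": "\n".join([
        "Mar 09, 2018 08:02:11 AM System E0028 Infrastructure failed to "
        "start correctly. (Constructed unrelated reason.)",
        "Mar 09, 2018 08:02:30 AM System I0000 Constructed informational entry.",
    ]),
}

if __name__ == "__main__":
    for host, times in find_parent_login_failures(SAMPLE_LOGS).items():
        print(f"{host}: {len(times)} failure(s), first at {times[0]}")
```

Mail sent from a listed host after its first failure time is the set to review, since the ESA will have treated it as already processed.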
CA Data Protection 15.0 with Microsoft Outlook
The General Availability (GA) hotfix has been released for this issue. It has been published as FIX:SO03687 (incorporating Client_15.0_HF096 and Client_x64_15.0_HF097) and is available to download from the CA Support Portal (http://support.ca.com).
This hotfix addresses this issue in the following manner:
(a) Allow mails to pass through the failed Outlook Agent without tagging them so the Exchange Agent can process the event.
(b) Periodically (every 60 seconds) retry to connect with the parent server in order to activate the Outlook client agent.
This fix should be deployed on the gold image/template from which the VDIs are created; otherwise, a restart of the Data Protection services and Outlook will be needed for the fix to work.