Endpoint Encryption

  • 1.  Accounts disabled on SEMS?

    Posted Aug 28, 2014 07:04 AM

    Hello, wondered if someone would be able to offer some advice on an issue I discovered yesterday. We use Web Email Protection Gateway and we had two shared mailboxes that are enabled to send via this method. However we discovered that their emails have been going out in the clear for almost a week as the accounts on the server had been excluded from the group to enable this method.

    The accounts are now enabled again and able to send emails using the Web Email Protection Gateway.  I'd like to know the reason why this could have become disabled.  Would there be any criteria I could use to try and find out why in the reporting logs?

    And also, has anyone else come across this problem before with accounts potentially disabling themselves? I know it sounds odd, but it's a pretty serious issue and I need to understand why so it doesn't happen again in future.

    We use LDAP synchronisation and the server version is 10.3.3 MP1.

    Any help or advice greatly appreciated 

    Thanks

    Paul



  • 2.  RE: Accounts disabled on SEMS?

    Posted Aug 28, 2014 10:18 AM

    How are those shared mailboxes put into a group?  What group were they moved to that enabled them to send clear email?



  • 3.  RE: Accounts disabled on SEMS?

    Posted Aug 28, 2014 10:29 AM

    Thanks for the reply.

    They would have been added using matched consumers and then adding them using the LDAP button. Accounts are added individually here rather than them being in an AD group. Not best practice, but this was how it was when I joined.

    They had been excluded from the group they were originally in. I need to find out the reason why this happened. Have been trying to find information from Reporting, by purposely disabling/excluding my own account and seeing what logs this reports in order to copy what comes back to get some information about these two shared mailboxes. Makes sense? But so far, haven't found anything that shows my account being excluded from any groups.



  • 4.  RE: Accounts disabled on SEMS?

    Posted Aug 28, 2014 10:37 AM

    So they ended up in the "excluded" group, is this correct?



  • 5.  RE: Accounts disabled on SEMS?

    Posted Aug 28, 2014 11:23 AM

    They did and I had to re-add them back to the group to enable them again.

    Thanks



  • 6.  RE: Accounts disabled on SEMS?

    Posted Aug 28, 2014 11:28 AM

    Because consumers can belong to more than one group, you need to confirm the priority order of the list of groups that reference consumer policy.

    From the help:

    You can exclude consumers through Directory Synchronization, or through matching to domain, dictionary, or type. You cannot manually add consumers to the Excluded group.

    You can also exclude users by adding their email addresses to either of the default exclusions dictionaries. If a user’s email address appears on the Excluded Addresses: Sign or the Excluded Addresses: Do Not Sign dictionaries, that user is a member of the Excluded group. This is true even if none of the mail policy rules use the default exclusions dictionaries. Excluding users this way does not require Directory Synchronization.



  • 7.  RE: Accounts disabled on SEMS?

    Posted Aug 29, 2014 07:03 AM

    Thanks for the replies Alex. I was hoping that I could find out what happened to the accounts from information in the logs.



  • 8.  RE: Accounts disabled on SEMS?

    Posted Aug 29, 2014 07:20 AM

    There is a groups logs section, which does show directory mapping. It only holds the past 30 days' worth of logs though, so if it didn't happen within the last 30 days I think you might be out of luck. Add a user to the SEMS and make it go into a group via directory sync then look at the Groups logs. It should display the matched consumers and that it was put into that group.



  • 9.  RE: Accounts disabled on SEMS?

    Broadcom Employee
    Posted Aug 29, 2014 09:10 AM

    Hi Paulquirk,

    Have a look into this KB if it can be of any help:

    User appears in Excluded Users after changing their user name
    http://www.symantec.com/docs/TECH149303

    --snip--

    After changing a user's username in Active Directory, the user now appears in the Excluded Users policy on the server.
    The user is moved to the Excluded Users policy due to the username entered during enrollment with the PGP Universal Server not matching the username in Active Directory when Directory Synchronization is performed.

    Could it be something that has happened in your case a while ago?

    HTH