Data Loss Prevention

  • 1.  Email Prevent server in High Availability mode

    Posted Feb 03, 2017 08:33 AM

    Hi All,

    We are planning to implement the Email Prevent server in HA mode. Based on experience and research I have the options below, but wanted to confirm with expert advice.

    1. Using DNS configuration: email flow will be Exchange -> DNS -> Email Prevent1/Email Prevent2 -> MS spam filter -> Internet
    2. Using Exchange connectors: setting priorities for Email Prevent1/Email Prevent2: Exchange (EP1/EP2) -> Email Prevent -> MS spam filter -> Internet
    3. Using a load balancer: Exchange -> NetScaler load balancer -> Email Prevent1/Email Prevent2 -> MS spam filter -> Internet

    Please advise on the best option, and provide a standard plan of action if one is available.



  • 2.  RE: Email Prevent server in High Availability mode
    Best Answer

    Posted Feb 03, 2017 09:45 AM

    I don't know if this is the best route to do but something I've always done.  I've always set it up in Exchange to flow like this:

    • Exchange -> Network Prevent Email 1 -> Messaging Gateway -> Internet
    • Exchange -> Network Prevent Email 2 -> Messaging Gateway -> Internet
    • Exchange -> Messaging Gateway -> Internet
    • Exchange -> Internet

    I'm not an Exchange guru so the terms might not be right.  I work with the Exchange admins to set them up.  Each bullet point is a route, and the last two bullet points have the highest cost to allow for fail-open: in case my Messaging Gateway or my DLP server(s) fail, I want email to still go through.

    That's really the decision you need to make, should email still flow out if my DLP servers are unavailable?  



  • 3.  RE: Email Prevent server in High Availability mode

    Posted Feb 04, 2017 12:45 PM

    Hi jjesse,

    Thanks for your valuable advice.



  • 4.  RE: Email Prevent server in High Availability mode

    Posted Feb 04, 2017 11:41 PM
    Any option where you can set the MS Edge relays as a lower priority is preferred, which gives the ability to fail-open (if DLP isn't business critical). The benefit of using a load balancer (NetScaler) instead of Exchange outbound connectors such as jjesse has described is that you have more options in the way of health checks to ensure DLP is actually available. If the load balancers are supported by the same team that manages DLP or the MS Edge relays, this is also a consideration for responding to outages and troubleshooting.
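    The health-check point above is the crux of the load-balancer option: a monitor that only checks that TCP/25 answers will keep sending mail to an Email Prevent server that is hung or returning "421 busy", and fail-open never triggers. The block below is an added example, not code from the thread or from the DLP or NetScaler products: it implements the application-level probe a load-balancer monitor should perform (220 banner, EHLO answered with 250, QUIT), derives the fail-open routing decision from it, and exercises it against three constructed fake MTAs (healthy, 421-busy, and hung). All host names, ports and the fake listeners are assumptions made for the demo.

```python
"""Application-level SMTP health check of the kind a load-balancer monitor
should run against DLP Email Prevent pool members, plus the fail-open routing
decision it drives.  Added example, not from the original thread; host names,
ports and the fake MTAs below are constructed for the demo."""
import socket
import threading


def _read_reply(f):
    """Read one SMTP reply (multi-line replies use 'NNN-'); return (code, last line)."""
    while True:
        line = f.readline()
        if not line:
            raise ValueError("connection closed before a reply arrived")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        if len(text) >= 4 and text[:3].isdigit():
            if text[3] == " ":
                return int(text[:3]), text
            if text[3] == "-":
                continue
        raise ValueError(f"malformed reply: {text!r}")


def smtp_health_check(host, port, timeout=3.0, helo_name="lb-monitor.example.internal"):
    """Return (healthy, reason).  A bare TCP probe on 25 passes as long as something
    listens; this also requires a 220 banner and a 250 to EHLO, so a hung or
    '421 busy' MTA is correctly marked down."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            with sock.makefile("rb") as f:
                code, text = _read_reply(f)
                if code != 220:
                    return False, f"bad banner: {text}"
                sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
                code, text = _read_reply(f)
                if code != 250:
                    return False, f"EHLO rejected: {text}"
                sock.sendall(b"QUIT\r\n")
                return True, "ok"
    except (OSError, ValueError) as exc:   # socket.timeout is an OSError subclass
        return False, f"{type(exc).__name__}: {exc}"


def select_route(dlp_pool, edge_relays, timeout=3.0):
    """Fail-open decision: deliver via any healthy Email Prevent member, otherwise
    bypass DLP and hand mail straight to the MS Edge relays."""
    healthy = [m for m in dlp_pool if smtp_health_check(*m, timeout=timeout)[0]]
    if healthy:
        return "dlp", healthy
    return "bypass", list(edge_relays)


def start_fake_mta(mode):
    """Constructed stand-in for one Email Prevent listener on 127.0.0.1.
    mode: 'healthy' (normal ESMTP), 'busy' (421 banner), or 'hung'
    (accepts TCP, never sends a banner).  Serves exactly one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            try:
                if mode == "hung":
                    conn.recv(1)            # block until the probe gives up
                elif mode == "busy":
                    conn.sendall(b"421 4.3.2 Service not available\r\n")
                else:
                    conn.sendall(b"220 dlp1.example.internal ESMTP ready\r\n")
                    for line in conn.makefile("rb"):
                        cmd = line.split()[0].upper() if line.split() else b""
                        if cmd == b"EHLO":
                            conn.sendall(b"250-dlp1.example.internal\r\n250 SIZE 52428800\r\n")
                        elif cmd == b"QUIT":
                            conn.sendall(b"221 2.0.0 Bye\r\n")
                            break
                        else:
                            conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
            except OSError:
                pass                        # peer closed first; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return addr


if __name__ == "__main__":
    for mode in ("healthy", "busy", "hung"):
        member = start_fake_mta(mode)
        print(mode, member, smtp_health_check(*member, timeout=1.0))
    # Both members down: the monitor-driven decision is to bypass DLP (fail-open).
    print(select_route([start_fake_mta("busy"), start_fake_mta("hung")],
                       [("edge1.example.internal", 25)], timeout=1.0))
```

The probe uses the monitor's own HELO name so its connections are distinguishable from Exchange in the Email Prevent logs; whether you want fail-open at all (route "bypass") is the business decision the earlier replies describe, and the same check also tells you which member is sick when mail starts queuing.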


  • 5.  RE: Email Prevent server in High Availability mode

    Posted Feb 08, 2017 02:24 AM

    Hi All,

    Is this the right architecture to flow email through the DLP Email Prevent server in High Availability mode? Could you propose any changes if required?

    We will follow the steps below, but have some doubts as well. Please help me understand, as I have no idea about the load balancer (NetScaler).

    1. Create and configure Send connectors on Exchange and add the IP address of the load balancer to forward emails to the load balancer
    2. On the load balancer, add the IP addresses of both Email Prevent servers to forward emails to the Email Prevent servers
    3. On Email Prevent, add the IP address of the Exchange server to accept email, and configure the next hop to forward to the cloud spam gateway
    4. On the cloud spam gateway, we may need to add the NATed public IP address of Email Prevent to receive/accept emails

    [attached image: EP architecture.JPG]



  • 6.  RE: Email Prevent server in High Availability mode
    Best Answer

    Posted Feb 08, 2017 07:19 AM

    You want to have the Email Prevent between the Exchange Server and the MS Edge Server in the outbound email flow. This is so that if you need to quarantine, encrypt or do other functions, DLP can add an SMTP header for MS Edge to action prior to the mail leaving your network.

    Make sure the Load Balancer VIP isn't doing source NATing (replacing the source IP with its own), or if it is, ensure you're adding the NAT'd IP to the accepted hosts on the DLP Email Prevents/MS Edge.

    Exchange > Load Balancer VIP > DLP Email Prevent  > MS Edge > Cloud spam

    Email Prevent servers can forward to the MS Edge in their own leg/DC with the other as secondary. The main objective with the load balancer is to enable DLP to be bypassed entirely if it's unavailable (fail-open).