messaging service provider enterprise architecture diagram
TRANSCRIPT
Robert Kowalke ~ Enterprise Architecture ~ [email protected] Management & Governance (RM&G) @ Virginia Information Technologies Agency (VITA)
Commonwealth Enterprise Solutions Center (CESC) Architectural Artifacts/Graphs/Views/Matrices/etc. reference page: http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap35.html
PURPOSE: To depict the VITA messaging enterprise in support of leadership decision making. The benefit to the COV and VITA program is a consistent enterprise service offering that meets agency requirements for messaging services. TempusNova (TN) and Google provide flexible and highly collaborative platforms that increase COV user productivity, provide flexible and secure configuration options, and allow the COV to significantly reduce messaging costs. By deploying a Google solution, COV resources can be reallocated from email system maintenance to more business-critical applications, which will change the way information is shared and decisions are made. The MDM environment is a hybrid cloud configuration with components hosted in the VMware SaaS cloud and in VITA’s datacenter. As of Mar 20, 2019: 1) overall diagram accuracy is assessed at 95%; 2) overall diagram completion is assessed at 98%.
Enterprise Architecture Diagram: Messaging Services Enterprise
VITA Draft Discussion Document // REV – Mar 20, 2019
AirWatch Cloud Messaging Service
Google Messaging and Adjunct Services (GMAS)
Server and Associated Storage supporting GMAS
Google Cloud Directory Sync (GCDS): Primary WAP03922; Backup WAP03923
Primary SMTP Relay: GMR01, GMR02, GMR03
ESNA Officelinx for G-Suite Fax Service and Voice Messaging: Faxing, Fax to Email, and Voicemail to Email
ESNA1, ESNA2, ESNA3, ESNA4
Enterprise Identity Management Solution. Single Sign-On (SSO); Multi-Factor Authentication; Universal Directory. Federated users sign in with Okta.
virginia.gov.okta.com
COV Active Directory (AD)
Already operational on premise. User identities managed on premise.
COV Directory Services LDAP Server
Transport Layer Security (TLS) 1.2. Data protected in transit; FIPS 140-2 Level 2 validated.
TCP 443 / 80
covdsldap.cov.virginia.gov
LDAP Secure SSL 636
Email Data Loss Prevention (EDLP) / Virtru Email Encryption: Virtru Data Protection (VDP) Platform. Messaging Mailbox add-on; 3rd-party Google-based app.
Google Drive: File Sharing, Collaboration, and Collaborative Editing. Integrates with G-Mail.
Mobile Users
Secure Sockets Layer
TCP 80 / 443 / 2020 / 8443
Google Cloud Platform (GCP)
Cloud Storage
App Engine
Pub / Sub
Google Cloud
Messaging Service Provider
Google.Virginia.Gov
GMAS COV Users and VITA Agencies
Google Hangouts Chat: Instant Messaging. Up to 100 people in a group discussion.
Google Hangouts Meet: Video Conferencing. Up to 25 users (Basic) or 50 users (Enterprise) in simultaneous conference sessions.
Google Suite – G-Suite
Google Calendar
Google Vault: Hosted Mail Archiving
Messaging Archive Service
Messaging Mailbox: Google G-Mail
Enterprise Handheld Services (EHS): Google MDM
Mobile Device Management (MDM)
G-Suite Administrator Console
Unified Communication (UC) Management: Integrated unified messaging and communication services integrated with G-Suite and the existing Cisco communication system.
VITA’s VoIP Systems
TDM
SIP Trunk VoIP / Fax
Load Balancer
= Custom Coded Symbol
Okta: Identity and Access Management Solution
End-2-End Encryption
CTI
3rd Party Applications
Level-1 IT Support
Level-2/3 IT Support
Enabled by VITA CSRM Security Exception Only – not turned on for all users in the domain. Currently being used on a limited basis for calendar attachments by agencies that have signed a waiver. Drive is currently on in the following domains due to agency requests: ALTFA, CSA, DARS, DBVI, DCR, DGIF, DGS, DHCD, DHP, DHR, DJJ, DMV, DOAV, DOE, DPB, DRPT, DSBSD, GHP, GOV, JYF, TAX, TRS, VBPD, VDACS, VDDHH, VDEM, CDOT, VFHY, VITA, VMFA, VMNH, VSP, and WWRC.
COV AD Domain Controllers used by CloudLink: COVENICES-ADC80, COVENICES-ADC81, COVENICES-ADC82, COVENICES-ADC83, COVENICES-ADC84, COVENICES-ADC85
COVMSGCES-APL02
CloudLink provisions and disables users.
COVMSGCES-APL03
COVMSGCES-APL04
COVMSGCES-APL05 (DARS / DRS)
COVMSGCES-APL06
COVMSGCES-APL07
COVMSGCES-APL08
COVMSGCES-APL09
COVMSGCES-APL10
COVMSGCES-APL11
COVMSGCES-APL12
COVMSGCES-APL13
COVMSGCES-APL15
COVMSGCES-APL16
COVMSGCES-APL17
COVMSGCES-APL18
COVMSGCES-APL19
= Virtual Machine (VM)
Veritas EV.Cloud: Hosted Mail Archiving (HMA)
CloudLink Service Platform Servers for AD User Sync (VMs – W2008 R2)
TCP 25 / 443 / 80
COVMSGCES-SM1: OUD Acct Sync DSS
COVMSGCES-ACC1: AD Acct Sync CoV
COVMSGCES-MAG1: App Tunneling Proxy Primary – x.x.11.131
COVMSGCES-MAG2: App Tunneling Proxy Secondary – x.x.11.132
COVMSGCES-ACC2: AD Acct Sync CoV
COVMSGCES-SM2: OUD Acct Sync DSS
COVMSGCES-SM3: Unused Server
COVMSGCES-ATS1: Tunneling V2 / VMware OVA
COVMSGCES-ATS2: Tunneling V2 / VMware OVA
Directory Integration Servers for DSS
Directory Integration Servers to COV
Media Application Gateways
App Tunnel Servers
Workspace ONE Unified Endpoint Management (UEM)
Mobile Devices Load Balancer: X.X.77.91
Load Balancer: X.X.71.76
SaaS Cloud
TCP 80 / 443 / 636
TCP 443 / 2001
L = Logging Server
Virtru Client – Secure Reader
Virtru Client – Dashboard
Up to 59,000 COVA executive branch access licenses procured
Handles all COV SMTP relay requests from 3rd Party apps and multifunction devices
Multifunction Devices
Cisco IronPort Security Appliance
ESA Server
Cloud IronPort Email Security Appliance (ESA) Server
Virus and Spam Filtering
https://hangouts.google.com
System Roles and Custom Roles
Mail Sync; Calendar Sync; Contact Sync
CUMI / CUPI (REST API)
GMAS has infrastructure in the COV-based datacenter. Server infrastructure, including the associated storage used to support the Google Messaging and Adjunct Services, is provided by the Server Services Supplier. Storage is included as part of that service.
Blackberry Support
Google Domains
Cloud-based. No CoV infrastructure. Config Settings; Core Services; User Accounts
Logging
Custom app created for VITA to log various events within the G Suite environment by utilizing Google’s Reports API. The app uses both Google Cloud Platform (GCP) and an on-premise server: an Atos server to which TN FTPs SIEM data in syslog format.
On-Premise Portion
Custom VITA Log Application Server: LAP04201 (Syslog)
Logging
Lite: Virus and spam filtering only. Optional add-on to Google’s Messaging Mailbox.
= VAR-727
= VAR-413
= Other VARs
= Single point of messaging failure assessment
All servers listed are virtual.
COVMSGCES-SM4???
COVMSGCES-SM5???
COVMSGCES-SM6???
WAP03934
WAP03935
WAP03923 Backup
Multifactor Authentication
No DR
RK-1 - What DR is available for the CESC block of my messaging diagram?
Dave Brackins: They are NOT/NOT subscribed to DR. Still waiting to hear back from TN on their DR plan.
Dave Brackins: I know TN is having issues with their SSP, and they have DR as part of that. Let me follow up with them and I’ll get back to you.
Dave Brackins: It seems TN is pointing to Unisys for all server issues. Trying to confirm now.
Dave Brackins: CESC Servers Tempus Nova Updates 1-31-2019 (002)_fm-Dave-Brackins-Mar-7-2019-1019-email.xlsx
Email Data Loss Prevention (EDLP) / Email Encryption
Currently in VAR submission stage.
• Google Vault – aka Hosted Mail Archiving (HMA) – is an enterprise-wide messaging archiving service solution allowing any customer subscribed to Messaging Mailbox to archive all inbound and outbound emails. This solution includes storage for all mail archives for the period determined by the customer's retention policies. There is no storage limitation with Google Vault. To be eligible for this service, users must be subscribed to a 30GB or unlimited mailbox. https://support.google.com/vault/answer/2462365?hl=en The Hosted Mail Archiving (HMA) solution is known as Google Vault. It can only be accessed via an Internet browser. It automatically archives all incoming and outgoing emails from the Google Gmail Enterprise mailbox, or for users who have purchased a Google Vault license, without user interaction. Agencies can elect to subscribe to G Suite Basic if they do not want to utilize the Google Vault option. G Suite for Enterprise includes the Vault feature. Google Vault includes options to set data retention policies to meet each agency's requirements. It also has an eDiscovery toolset for setting legal holds and collecting data to respond to open records requests or litigation. The Retention and eDiscovery functions are administered via a secure web UI that has its own access controls, which are defined by VITA. Google Vault communicates using HTTPs, SSL, Port 80 to the cloud-based service.
o Google for Work was a service from Google that provided customizable enterprise versions of several Google products using a domain name provided by the customer. It featured several web apps with similar functionality to traditional office suites, including Gmail, Hangouts, Google Calendar, Google Drive, Docs, Sheets, Slides, Groups, News, Play, Sites, and Vault.
https://en.wikipedia.org/wiki/Google_for_Work
• Hosted Mail Archiving (HMA) service – enterprise-wide solution that allows any customer receiving standard messaging services through COV enterprise email to archive all inbound and outbound emails. This solution includes storage for all mail archives for the period determined by the customer's retention policies. Hosted mail options: 1) End users can reference all of the information captured in their HMA archive until that data reaches its retention policy; no new emails from Gmail will be added to the HMA archive. 2) View + journaling – end users can reference all of the information captured in their HMA archive until that data reaches its retention policy, and new emails from Gmail will be added to the HMA archive. Billing Start Trigger: User is entered in Active Directory with e-mail attribute flagged.
• Messaging Mailbox Service – Email is a robust, cloud-based solution for email, calendar, and messaging. Google Mail (Gmail) provides users with: 1) flexible ways to organize messages using Stars, Labels, and Filters; and 2) integrated instant messaging, accessible from an Internet browser without additional software. The Messaging Mailbox service offers customers two options for Gmail storage capacity and features: Option 1: 30 GB Mailbox ($6.72 per end user). These mailboxes include 30 gigabytes of storage space per account, enabling users to keep their emails rather than deleting or archiving them. This mailbox includes the option of Google Hangouts for instant messaging/chat. Option 2: Unlimited Mailbox ($16.71 per end user). These mailboxes provide users with unlimited storage and the ability to retain a Gmail archive of messages, which allows users to fully leverage Google’s innovative search tools. The Unlimited mailbox includes Vault. This mailbox includes the option of Google Hangouts for instant messaging/chat. The Messaging Mailbox solution is Google’s Gmail Basic and Enterprise offering. The service can be accessed via an Internet browser or the Outlook client. The Outlook client delivers limited functionality, whereas the native Gmail UI delivers all the feature-rich functionality of G Suite.
• Okta – Enterprise Identity Management Solution. Federated users sign in with Okta. Only Okta’s Single Sign-On solution is needed. SSO integrates on-premise Active Directory (AD) with online MS Azure AD. Uses a Java-based service (LDAP agent) that runs locally on any server.
• Session Initiation Protocol (SIP) – Protocol for controlling and directing communications, including voice, video and data, over IP (Internet Protocol). A good rough analogy would be to see SIP as the voice and data network on your smartphone and Time Division Multiplexing (TDM) as the voice-only, analog experience on a dial home phone. The analogy isn’t entirely accurate, but you get the idea. SIP treats all communication (voice, data, video, instant messaging, whatever) as software, using VoIP technology, and transfers it over IP. A SIP server is the main component of an IP PBX, and mainly deals with the management of all SIP calls in the network. A SIP server is also referred to as a SIP Proxy or a Registrar. Although the SIP server can be considered the most important part of a SIP-based IP-PBX phone system, it only handles or manages sessions; more specifically, a SIP server can: 1) Set up a session between two (or more) endpoints (an audio conference would have more than two endpoints); 2) Negotiate the media parameters and specifications for the session for each endpoint using the SDP protocol; 3) Adjust the media parameters and specifications of a session DURING the session (putting a call on hold, for example); 4) Substitute one endpoint with a new endpoint (call transfer); 5) Terminate a session. The SIP server does not actually transmit or receive any media – this is done by the media server using the RTP protocol. Within the context of an IP-PBX environment, it is almost always true that the SIP server and its media server companion reside on the same machine. Do keep in mind, however, that very-high-volume SIP servers (such as a large VoIP provider, for example) may separate their media server onto a different machine to better handle the workload, and could also distribute the load across multiple media servers.
• Session Initiation Protocol (SIP) Trunking – SIP Trunking uses VoIP to connect a PBX between the Internet and the Public Switched Telephone Network (PSTN), replacing a traditional "phone trunk" such as a Primary Rate Interface (PRI) or analog line. This solution requires an on-premise PBX and a gateway to connect your Internet telephony service provider to a PBX. Trunking to a Hosted PBX is typically done using SIP. SIP Trunking's primary functions include: 1) Locating the user; 2) Selecting the end system for a session; 3) Learning user availability; 4) Determining the capability of the end-user system and establishing a session (call); 5) Managing the call session, including termination, transfers, and more. SIP Trunking Pros: 1) Leverages your IP network, turning voice into an application on the network; 2) Potential for improved cost efficiency and cost savings; 3) Additional call appearances can be added quickly without having to wait for more circuits to be installed; 4) Call appearances can be routed to other sites quickly, so you have flexibility in where phone service is being provided. SIP Trunking Cons: 1) Effective bandwidth analysis to protect QoS is especially important, due to multimedia transmissions; 2) Can require higher investment costs, due to the need to acquire new equipment and retire old equipment; 3) The newness of this technology can make finding talent and troubleshooting help more challenging. Alternatives to SIP Trunking – SIP Trunking isn't an alternative to hosted or on-premise PBX. It's an alternative to publicly-switched telephone network (PSTN) technologies, which include: 1) T1; 2) Primary Rate Interface (PRI); 3) Analog lines. https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/trunks.html
• Skyline Technology Solutions – is the service supplier for Veritas (Support dates: March 22, 2019) and for Airwatch (Support dates: April 19, 2019).
• TLS facilitates secure communications, but it does not encrypt the data itself.
• Virtru Email Encryption – Secure Email service enables the COV to encrypt emails, attachments, files and other content shared from messaging mailbox accounts. It is a cloud-based email security tool that encrypts emails on the client before they are sent. Virtru allows organizations to create DLP rules that prevent specific data types, such as HIPAA, PII, etc., from intentionally or inadvertently being transmitted unencrypted to other users, either internal to the environment or external. Virtru is an optional add-on to the Google messaging mailbox and is configured at the OU level within the Google domain. Virtru offers canned DLP templates for specific data types, and users’ mailboxes can be configured to have one or more templates applied. It also allows for the creation of custom DLP templates to meet each agency’s business needs. Any user intending to consume Virtru Email Encryption must also have either G Suite Basic or G Suite for Business.
• VMware Workspace ONE – Solution comprised of two main components: Identity Manager and AirWatch. Combining these technologies together gives us the following advantages: 1) Unified Application Catalog with Single Sign-On; 2) Unifies End-Point features; 3) Many security features
• Microsoft Active Directory (AD) – Unisys understands that VITA has an internal and external directory structure. Unisys will manage both directories. Unisys Clarified Response RFP 2017-04-E-mail 1-02.3.1 Exh (Solution - Server Storage Data Center) 20180125__Jan-29-2018.docx. In general, a network directory service is a database composed of records or objects describing users and available network resources, such as servers, printers, and applications. A directory service can be used to specify who has the right to log on to a computer or to restrict what software can be installed on a computer. Making sure the directory service is structured and designed correctly before using it is critical. Windows Active Directory became part of the Windows family of server OSs starting with Windows 2000 Server. You can structure Active Directory and organize the objects representing users and resources in a way that makes the most sense. Active-Directory-AD-Intro_Chap-3_Nov-25-2008.pdf.
• AODocs Document Management – AODocs was not implemented. Any user intending to consume AODocs must also have either G Suite Basic or G Suite for Business.
• Airwatch for Mobile Application Management (MAM) – enables state employees to securely access and manage COV apps on a mobile device, including deployment to devices.
• Airwatch for Secure Browser – enables users to seamlessly and securely connect to internal web-based resources such as intranet sites and Sharepoint without making those resources externally facing.
• Email Data Loss Prevention (EDLP) - https://www.virtru.com/data-loss-prevention/ is provided by a third party Google based solution provider known as Virtru. See Virtru.
• ESNA OfficeLinx for Google Apps – provides enhanced unified communications and VOIP integration. Integrates with phone systems to allow or enable voicemail and fax communications to work with Google’s email system. As a Unified Communication platform it extends real-time communications and collaboration across G Suite. It is an add-on intended for use with G Suite Basic and G Suite for Business for authorized users that want to integrate with their current voice or fax messaging services. Service Lead: Jamey Stone [email protected]
o ESNA Fax https://fax.virginia.gov/#/splash?state=https:%2F%2Ffax.virginia.gov%2F ESNA Fax to Email enterprise fax service is an enhancement to existing messaging mailbox services providing users the capability to send or receive faxes from an email mailbox.
o ESNA Voicemail to Email – provides access and management of voice messages right from your email. Must be a UCaaS customer.
• GMAS – Google Messaging and Adjunct Services (GMAS) solution is a hybrid cloud service offering by Tempus Nova (TN). It primarily leverages Google’s cloud-based G-Suite platform with a small on-premise footprint for account creation, single sign-on, faxing, and voicemail to email. The GMAS solution is VITA’s messaging enterprise service offering, allowing agencies to continue using services such as email, calendar, chat, mobile email, collaboration, and faxing. It facilitates information and data sharing between Commonwealth employees, partners, and citizens by way of email, mobile email, instant messaging, faxing and voicemail to email. Agencies will have virtually unlimited storage space for email, calendar, contacts and documents. IT resources will no longer need to deploy patches, manage updates, handle security issues, respond to growing needs for more storage, or conduct the massive training efforts associated with those upgrades. GMAS reduces thick desktop client support burdens and the administrative overhead of maintaining and upgrading higher-cost systems.
• Google Cloud – Includes Google Cloud Platform (infrastructure, data analytics, machine learning), G Suite (productivity and collaboration), Maps APIs, as well as Android, Chromebooks, and Chrome for enterprises.
• Google Drive – is a file sharing and collaborative editing solution. Google Drive is the home of Google Docs, a suite of productivity applications that offer collaborative editing on documents, spreadsheets, presentations, and more. At VITA, Google Drive is not turned on for the entire domain. Drive has been enabled for only specific agencies by organizational units (OUs) and is permissioned for use with Google calendar. Google Drive (OU) is enabled only for agencies that have requested it to be turned on via CSRM Security Exception. The use of Google Drive for these agencies is intended to be for calendar attachment sharing purposes only.
• Google Domains – contain configuration settings, core services, and user accounts. End users do not log in directly to the Google domain, but rather through Okta single sign-on capability. Administrators such as TempusNova, VITA’s messaging service provider, log in using Google’s integrated two-factor authentication and utilize a SEC525 password as dictated by policy. It is cloud-based and does not consist of, or require, any infrastructure in a Commonwealth-based datacenter. The configuration settings for the Google Domain are governed by VITA, the Messaging Transition Team, and CSRM. Google Domains is a domain registration service offered by Google, which publicly launched in the United States on January 13, 2015. It is currently in the Beta stage as noted by the somewhat accurate Wikipedia article accessed on Feb-8-2019.
• Google Hangouts Instant Messaging (IM) – Google chat provides authorized users the ability to instant message (aka chat) with other Commonwealth eligible customers in real time, with chats of up to 100 people in a group discussion. The Instant Messaging solution is configured to only allow users to chat with other users inside the Virginia.gov Google domain. The Google Hangouts client operates via Internet browser and mobile devices and communicates using HTTPs, SSL 443 to the cloud-based service. https://apps.google.com/learning-center/products/hangouts
• Google Hangouts – Meet – allows up to 25 users on GS Basic and 50 users on GS Enterprise to simultaneously participate in a live video conference session with features such as screen sharing, chat inside the hangout, capture images, remote desktop capabilities and more. Users may perform screen shares with either one-on-one, or one-to-many web-based video conferences. This service can be accessed via the Gmail interface or via https://hangouts.google.com with a connection to the internet and on mobile devices.
• Google MDM – Enterprise Handheld Services (EHS) Mobile Device Management (MDM) provides users the capability to securely access email, calendar, and contacts within the COV environment from Android and iOS mobile devices, including tablets. https://support.google.com/a/answer/1734200?hl=en EHS is aka Google MDM and allows end users to securely receive their emails, calendars, and contacts on the mobile device. Handhelds are required to run the Google Inbox application, which can be found in the Google Play Store or the iTunes Store, or to use the mobile browser, because this allows COV data to be held within the Google Inbox app rather than being stored natively on the mobile device.
• G Suite Enterprise – The premium suite of Google services. In addition to everything available in G Suite Business, G Suite Enterprise offers enhanced security, controls, and customization, including access to the G Suite security center. G Suite comprises Gmail, Hangouts, Calendar, and Google+ for communication; Drive for storage; Docs, Sheets, Slides, Forms, and Sites for collaboration; and an Admin panel and Vault for managing users and the services. The key competitor to the Google suite is Microsoft Office 365, Microsoft's cloud-based offering for businesses that includes similar products. The key differences are in the pricing plans, storage space and number of features.
• Google Apps for Work (GAFW) – 30 GB Mailbox. These mailboxes include 30 GB of storage space per account, enabling users to keep their emails rather than deleting or archiving them. This mailbox includes the option of Google Hangouts for instant messaging/chat. Google Apps for Work changed to G-Suite. https://en.wikipedia.org/wiki/G_Suite Google Apps for Work – G-Suite Features: Gmail; Calendar; Google+; Hangouts Chat; Hangouts Meet; Hangouts Meet hardware; Docs; Sheets; Forms; Slides; Sites; App Maker; Keep; Jamboard; Drive; Cloud Search; Admin; Vault; Mobile; G Suite Training