Messaging Services Enterprise Architecture Diagram (diagram residue; only the recoverable labels are kept below)

Support and legend:
• Messaging Service Provider: Level-1 IT Support; Level-2/3 IT Support.
• Legend symbols (images lost in extraction): VAR-413; VAR-727; Other VARs; Single point of messaging failure assessment; Virtual Machine (VM); L = Logging Server; Custom Coded Symbol; Cloud-based, no CoV infrastructure. Components are tagged 413 or 727 (VAR-413 / VAR-727). All servers listed are virtual.

Components:
• Google Messaging and Adjunct Services (GMAS) (727) – Google.Virginia.Gov; COV users and VITA agencies. GMAS has infrastructure in the COV-based datacenter. Server infrastructure, including the associated storage used to support Messaging and Adjunct Services, is provided by the Server Services Supplier; storage is included as part of that service. Google Domains: config settings, core services, user accounts.
• Logging – Custom VITA Log Application Server LAP04201 (Syslog): a custom app created for VITA to log various events within the G Suite environment by utilizing Google’s Reports API; the app uses both GCP and an on-premise server. Atos server where TN FTPs SIEM data in Syslog format.
• Blackberry server and associated storage supporting GMAS (727).
• SMTP Relay Support (413) – handles all COV SMTP relay requests from 3rd-party apps and multifunction devices; GMR01, GMR02, GMR03 behind a load balancer.
• Hosted Mail Archiving (HMA) – Veritas EV.Cloud with an on-premise portion (727); Google Vault Messaging Archive Service (Cloud Storage, TCP 443 / 80). “No DR” is noted in this block.
• Cisco IronPort Email Security Appliance (ESA), cloud – virus and spam filtering (Lite: virus and spam filtering only); ESA server.
• Email Data Loss Prevention (EDLP) / Email Encryption (727) – Virtru Data Protection (VDP) Platform; Virtru Client – Dashboard; Virtru Client – Secure Reader; end-to-end encryption; optional add-on to Google’s Messaging Mailbox.
• Unified Communication (UC) Management (727) – Messaging Service X.X.77.91; integrated unified messaging and communication services integrated with G-Suite and the existing Cisco communication system.
• Mobile Devices / AirWatch Cloud – VMware Workspace ONE Unified Endpoint Management (UEM) SaaS (727), currently in VAR submission stage: CloudLink Service Platform (CloudLink provisions and disables users); Servers for AD User Sync (VMs, W2008 R2; TCP 443 / 2001 to COV); AD Acct Sync CoV: COVMSGCES-ACC1, COVMSGCES-ACC2; Directory Integration Servers for DSS (OUD Acct Sync DSS); App Tunnel Servers COVMSGCES-ATS1, COVMSGCES-ATS2 (X.X.71.76; TCP 80 / 443 / 636; Tunneling V2; VMware OVA); Media Application Gateways COVMSGCES-MAG1 (Primary, x.x.11.131) and COVMSGCES-MAG2 (Secondary, x.x.11.132) – App Tunneling Proxy, Tunneling V2, Mail Sync, Calendar Sync, Contact Sync, VMware OVA; application servers COVMSGCES-APL02, -APL03, -APL04, -APL05, -APL06, -APL07, -APL08, -APL09, -APL10, -APL11, -APL12, -APL13, -APL15, -APL16, -APL17, -APL18, -APL19 and COVMSGCES-SM1 through COVMSGCES-SM6 (one server marked unused); Messaging Mailbox ADD-ON; 3rd Party Google-based App; 3rd Party Applications; Load Balancer; Mobile Users DARS / DRS.
• ESNA Officelinx for G-Suite (413) – Fax, TDM, VITA’s VoIP and Voice Messaging Systems; Faxing, Fax to Email, and Voicemail to Email; ESNA1, ESNA2, ESNA3, ESNA4; TCP 80 / 443 / 2020 / 8443; Secure Socket Layer Service; CTI integrates with G-Mail; CUPI; SIP Trunk (REST API); VoIP / Fax; Multifunction Devices; up to 59,000 COVA executive branch CUMI access licenses procured.
• Google Suite – G-Suite (727) on Google Cloud Platform (GCP) – Messaging Mailbox (Google G-Mail); Hangouts Meet video conferencing (up to 25 (Basic) / 50 (Enterprise) simultaneous conference sessions; https://hangouts.google.com); Google Hangouts Chat (up to 100 people in a group discussion); Google Vault; Cloud Storage; App Engine; Pub / Sub; G-Suite Administrator Console (system roles and custom roles); Drive (file sharing, collaboration, and collaborative editing). Drive is enabled by VITA CSRM Security Exception only and is not turned on for all users in the domain; it is used on a limited basis for calendar attachments by agencies that have signed a waiver, and is currently on in the following domains due to agency requests: ALTFA, CSA, DARS, DBVI, DCR, DGIF, DGS, DHCD, DHP, DHR, DJJ, DMV, DOAV, DOE, DPB, DRPT, DSBSD, GHP, GOV, JYF, TAX, TRS, VBPD, VDACS, VDDHH, VDEM, CDOT, VFHY, VITA, VMFA, VMNH, VSP, and WWRC. Also listed in this block: WAP03934, WAP03935.
• Enterprise Handheld Services (EHS) – Google MDM Mobile Device Management (MDM), cloud.
• Okta – Enterprise Identity Management Solution; Identity and Access Management Solution; Single-Sign-On (SSO); Multi-Factor Authentication; Universal Directory; virginia.gov.okta.com. Federated users sign in with Okta. Multifactor Authentication is currently being discussed.
• Transport Layer Service 1.2 – data protected in transit by FIPS 140-2 level 2 validated.
• Google Cloud Directory Sync (GCDS) (727) – Primary WAP03922, Backup WAP03923; covdsldap.cov.virginia.gov, LDAP Secure SSL 636; COV Directory Services LDAP Server; COV Active Directory (AD), already operational on premise, user identities managed on premise.
• COV AD Domain Controllers used by CloudLink – COVENICES-ADC80, COVENICES-ADC81, COVENICES-ADC82, COVENICES-ADC83, COVENICES-ADC84, COVENICES-ADC85.

Review thread on the diagram:
RK-1 – What DR is available for the CESC block of my messaging diagram?
Dave Brackins: They are NOT/NOT subscribed to DR. Still waiting to hear back from TN on their DR plan.
Dave Brackins: I know TN is having issues with their SSP, and they have DR as part of that. Let me follow up with them and I’ll get back to you.
Dave Brackins: It seems TN is pointing to Unisys for all server issues. Trying to confirm now.
Dave Brackins: CESC Servers Tempus Nova Updates 1-31-2019 (002)_fm-Dave-Brackins-Mar-7-2019-1019-email.xlsx

VITA Draft Discussion Document // REV – Mar 20, 2019

Robert Kowalke ~ Enterprise Architecture ~ [email protected]
Relationship Management & Governance (RM&G) @ Virginia Information Technologies Agency (VITA) Commonwealth Enterprise Solutions Center (CESC)

PURPOSE: To depict the VITA messaging enterprise in support of leadership decision making. The benefit to the COV and VITA program is a consistent enterprise service offering that will meet agency requirements for messaging services. TempusNova (TN) and Google provide flexible and highly collaborative platforms to increase COV user productivity, provide flexible and secure options for configuration, and allow the COV to significantly reduce messaging costs. By deploying a Google solution, COV resources can be allocated away from email system maintenance to more business-critical applications, which will change the way information is shared and decisions are made. The MDM environment is a hybrid cloud configuration with components hosted in the VMware SaaS cloud and in VITA’s datacenter. As of Mar 20, 2019: 1) Overall diagram accuracy is assessed at 95%; 2) Overall diagram completion is assessed at 98%. Architectural Artifacts/Graphs/Views/Matrices/etc. reference page: http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap35.html

• Microsoft Active Directory (AD) – Unisys understands that VITA has an internal and external directory structure. Unisys will manage both directories. (Unisys Clarified Response RFP 2017-04-E-mail 1-02.3.1 Exh (Solution - Server Storage Data Center) 20180125__Jan-29-2018.docx.) In general, a network directory service is a database composed of records or objects describing users and available network resources, such as servers, printers, and applications. A directory service can be used to specify who has the right to log on to a computer or to restrict what software can be installed on a computer. Making sure the directory service is structured and designed correctly before using it is critical. Windows Active Directory became part of the Windows family of server OSs starting with Windows 2000 Server. You can structure Active Directory and organize the objects representing users and resources in the way that makes the most sense. (Active-Directory-AD-Intro_Chap-3_Nov-25-2008.pdf.)

• AODocs Document Management – AODocs was not implemented. Any user intending to consume AODocs must also have either G Suite Basic or G Suite for Business.

• Airwatch for Mobile Application Management (MAM) – enables state employees to securely access and manage COV apps on a mobile device, including deployment to devices.

• Airwatch for Secure Browser – enables users to seamlessly and securely connect to internal web-based resources such as intranet sites and SharePoint without making those resources externally facing.

• Email Data Loss Prevention (EDLP) – https://www.virtru.com/data-loss-prevention/ – is provided by a third-party Google-based solution provider known as Virtru. See Virtru.

• ESNA OfficeLinx for Google Apps – provides enhanced unified communications and VoIP integration. Integrates with phone systems to allow or enable voicemail and fax communications to work with Google’s email system. As a Unified Communication platform it extends real-time communications and collaboration across G Suite. It is an add-on intended for use with G Suite Basic and G Suite for Business for authorized users that want to integrate with their current voice or fax messaging services. Service Lead: Jamey Stone [email protected]
  o ESNA Fax – https://fax.virginia.gov/#/splash?state=https:%2F%2Ffax.virginia.gov%2F – ESNA Fax to Email enterprise fax service is an enhancement to existing messaging mailbox services providing users the capability to send or receive faxes from an email mailbox.
  o ESNA Voicemail to Email – provides access and management of voice messages right from your email. Must be a UCaaS customer.

• GMAS – Google Messaging and Adjunct Services (GMAS) solution is a hybrid cloud service offering by Tempus Nova (TN). It primarily leverages Google’s cloud-based G-Suite platform with a small on-premise footprint for account creation, single sign-on, faxing, and voicemail to email. The GMAS solution is VITA’s messaging enterprise service offering allowing agencies to continue using services such as email, calendar, chat, mobile email, collaboration, and faxing. It facilitates information and data sharing between Commonwealth employees, partners, and citizens by way of email, mobile email, instant messaging, faxing and voicemail to email. Agencies will have virtually unlimited storage space for email, calendar, contacts and documents. IT resources will no longer need to deploy patches, manage updates, handle security issues, respond to growing needs for more storage, and conduct massive training efforts associated with those upgrades. GMAS reduces thick desktop client support burdens and the administrative overhead of maintaining and upgrading higher-cost systems.

• Google Cloud – Includes Google Cloud Platform (infrastructure, data analytics, machine learning), G Suite (productivity and collaboration), Maps APIs, as well as Android, , and Chrome for enterprises.

• Google Drive – is a file sharing and collaborative editing solution. Google Drive is the home of , a suite of productivity applications that offer collaborative editing on documents, spreadsheets, presentations, and more. At VITA, Google Drive is not turned on for the entire domain. Drive has been enabled for only specific agencies by organizational units (OUs) and is permissioned for use with Google Calendar. Google Drive (OU) is enabled only for agencies that have requested it to be turned on via CSRM Security Exception. The use of Google Drive for these agencies is intended to be for calendar attachment sharing purposes only.

• Google Domains – contain configuration settings, core services, and user accounts. End users do not directly log in to the Google domain, but rather through Okta single sign-on capability. Administrators such as TempusNova, VITA’s messaging service provider, log in using Google’s integrated two-factor authentication and utilize a SEC525 password as dictated by policy. It is cloud based and does not consist of, or require, any infrastructure in a Commonwealth-based datacenter. The configuration settings for the Google Domain are governed by VITA, the Messaging Transition Team, and CSRM. Google Domains is a domain registration service offered by Google, which publicly launched in the United States on January 13, 2015. It is currently in the Beta stage as noted by the somewhat accurate Wikipedia article accessed on Feb-8-2019.

• Google Hangouts Instant Messaging (IM) – provides authorized users the ability to instant message (aka chat) with other Commonwealth eligible customers in real-time communication with chats of up to 100 people in a group discussion. The Instant Messaging solution is configured to only allow users to chat with other users inside of the Virginia.gov Google domain. The Google Hangouts client operates via Internet Browser and mobile devices and communicates using HTTPs, SSL 443 to the cloud-based service. https://apps.google.com/learning-center/products/hangouts

• Google Hangouts – Meet – allows up to 25 users on GS Basic and 50 users on GS Enterprise to simultaneously participate in a live video conference session with features such as screen sharing, chat inside the hangout, capture images, remote desktop capabilities and more. Users may perform screen shares with either one-on-one, or one-to-many web-based video conferences. This service can be accessed via the or via https://hangouts.google.com with a connection to the internet and on mobile devices.

• Google MDM – Enterprise Handheld Services (EHS) Mobile Device Management (MDM) provides users the capability to access email, calendar, and contacts within the COV environment securely from Android & iOS mobile devices, including tablets. https://support.google.com/a/answer/1734200?hl=en EHS is aka Google MDM and allows end users to securely receive their emails, calendars, and contacts on the mobile device. Handhelds are required to run the Google Inbox application, which can be found in the Store or the iTunes store, or to use the mobile browser, because this allows COV data to be held within the Google Inbox app versus being stored natively on the mobile device.

• G Suite Enterprise – The premium suite of Google services. In addition to everything available in G Suite Business, G Suite Enterprise offers enhanced security, controls, and customization, including access to the G Suite security center. G Suite comprises Gmail, Hangouts, Calendar, and Google+ for communication; Drive for storage; Docs, Sheets, Slides, Forms, and Sites for collaboration; and an Admin panel and Vault for managing users and the services. The key competitor to the Google suite is Microsoft Office 365, Microsoft’s cloud-based offering for businesses that includes similar products. The key differences are in the pricing plans, storage space and number of features.

• Google Apps for Work (GAFW) – 30 GB Mailbox. These mailboxes include 30 GB of storage space per account, enabling users to keep their emails rather than deleting or archiving them. This mailbox includes the option of Google Hangouts for instant messaging/chat. Google Apps for Work changed to G-Suite. https://en.wikipedia.org/wiki/G_Suite Google Apps for Work – G-Suite Features: Gmail; Calendar; Google+; Hangouts Chat; Hangouts Meet; Hangouts Meet hardware; Docs; Sheets; Forms; Slides; Sites; App Maker; Keep; ; Drive; Cloud Search; Admin; Vault; Mobile; G Suite Training

• Google Vault – aka Hosted Mail Archiving (HMA) – is an enterprise-wide messaging archiving service solution allowing any customer subscribed to Messaging Mailbox to archive all inbound and outbound emails. This solution includes storage for all mail archives for a period determined by the customer’s retention policies. There is no storage limitation with Google Vault. To be eligible for this service, users must be subscribed to a 30GB or unlimited mailbox. https://support.google.com/vault/answer/2462365?hl=en The Hosted Mail Archiving (HMA) solution is known as Google Vault. It can only be accessed via an Internet Browser. It automatically archives all incoming and outgoing emails from the Google Enterprise mailbox, or for users who have purchased a Google Vault license, without user interaction. Agencies can elect to subscribe to G Suite Basic if they do not want to utilize the Google Vault option. G Suite for Enterprise includes the Vault feature. Google Vault includes options to set data retention policies to meet each agency’s requirements. It also has an eDiscovery toolset for the purpose of setting legal holds and collecting data to respond to open records requests or litigation. The Retention and eDiscovery functions are administered via a secure web UI that has its own access controls that are defined by VITA. Google Vault communicates using HTTPs, SSL, Port 80 to the cloud-based service.
  o Google for Work was a service from Google that provided customizable enterprise versions of several Google products using a domain name provided by the customer. It featured several Web apps with similar functionality to traditional office suites, including Gmail, Hangouts, Google Calendar, Google Drive, Docs, Sheets, Slides, Groups, News, Play, Sites, and Vault. https://en.wikipedia.org/wiki/Google_for_Work

• Hosted Mail Archiving (HMA) service – enterprise-wide solution that will allow any customer receiving standard messaging services through COV enterprise email to archive all inbound and outbound emails. This solution includes storage for all mail archives for the period determined by the customer’s retention policies. Hosted mail options: end users can reference all of the information captured in their HMA archive until that data reaches its retention policy, and no new emails from Gmail will be added to the HMA archive; or View + journaling – end users can reference all of the information captured in their HMA archive until that data reaches its retention policy, and new emails from Gmail will be added to the HMA archive.
  o Billing Start Trigger: User is entered in Active Directory with e-mail attribute flagged.

• Messaging Mailbox Service – Email is a robust, cloud-based solution for email, calendar, and messaging. Google Mail (Gmail) provides users with: 1) flexible ways to organize using Stars, Labels, and Filters; and 2) integrated instant messaging, accessible from an internet browser without additional software. The Messaging Mailbox service offers customers two options for Gmail storage capacity and features. Option 1: 30 GB Mailbox ($6.72 per end user) – these mailboxes include 30 gigabytes of storage space per account, enabling users to keep their emails rather than deleting or archiving them; this mailbox includes the option of Google Hangouts for instant messaging/chat. Option 2: Unlimited Mailbox ($16.71 per end user) – these mailboxes provide users with unlimited storage, and the ability to retain a Gmail archive of messages allows users to fully leverage Google’s innovative search tools; the unlimited mailbox will include Vault, and includes the option of Google Hangouts for instant messaging/chat. The Messaging Mailbox solution is Google’s Gmail Basic and Enterprise offering. The service can be accessed via Internet Browser or Outlook client. The Outlook client delivers limited functionality, whereas the native Gmail UI delivers all the feature-rich functionality of G Suite.

• Okta – Enterprise Identity Management Solution. Federated users sign in with Okta. Only Okta’s Single Sign-on Solution is needed. SSO integrates on-premise Active Directory (AD) with online MS Azure AD. Uses a Java-based service (LDAP agent) that runs locally on any server.

• Session Initiation Protocol (SIP) – Protocol for controlling and directing communications, including voice, video and data, over IP (Internet Protocol). A good rough analogy would be to see SIP as the voice and data network on your smartphone and Time Division Multiplexing (TDM) as the voice-only, analog experience on a dial home phone. The analogy isn’t entirely accurate, but you get the idea. SIP treats all communication (voice, data, video, instant messaging, whatever) as software, using VoIP technology, and transfers it over IP. A SIP server is the main component of an IP PBX, and mainly deals with the management of all SIP calls in the network. A SIP server is also referred to as a SIP Proxy or a Registrar. Although the SIP server can be considered the most important part of a SIP-based IP-PBX phone system, it only handles or manages sessions; more specifically, a SIP server can: 1) Set up a session between two (or more) endpoints (an audio conference would have more than two endpoints); 2) Negotiate the media parameters and specifications for the session for each endpoint using the SDP protocol; 3) Adjust the media parameters and specifications of a session DURING the session (putting a call on hold, for example); 4) Substitute one endpoint with a new endpoint (call transfer); 5) Terminate a session. The SIP server does not actually transmit or receive any media – this is done by the media server using the RTP protocol. Within the context of an IP-PBX environment, it is almost always true that the SIP server and its Media server companion reside on the same machine. Do keep in mind, however, that very-high-volume SIP servers (such as a large VoIP Provider, for example) may separate their Media server to a different machine to better handle the workload, and could also possibly distribute the load to multiple Media servers.

• Session Initiation Protocol (SIP) Trunking – SIP Trunking uses VoIP to connect a PBX between the Internet and the Public Switched Telephone Network (PSTN), replacing a traditional “phone trunk” such as a Primary Rate Interface (PRI) or analog lines. This solution requires an on-premise PBX and a gateway to connect your Internet telephony service provider to a PBX. Trunking to a Hosted PBX is typically done using SIP. SIP Trunking’s primary functions include: 1) Locating the user; 2) Selecting the end system for a session; 3) Learning user availability; 4) Determining the capability of the end-user system and establishing a session (call); 5) Managing the call session, including termination, transfers, and more. SIP Trunking Pros: 1) Leverages your IP Network, turning voice into an application on the network; 2) Potential for improved cost efficiency and cost savings; 3) Additional call appearances can be added quickly without having to wait for more circuits to be installed; 4) Call appearances can be routed to other sites quickly so you have flexibility with where phone service is being provided. SIP Trunking Cons: 1) Effective bandwidth analysis to protect QoS is especially important, due to multimedia transmissions; 2) Can require higher investment costs, due to the need to acquire new equipment and retire old equipment; 3) The newness of this technology can make finding talent and troubleshooting help more challenging. Alternatives to SIP Trunking – SIP Trunking isn’t an alternative to hosted or on-premise PBX. It’s an alternative to publicly-switched telephone network (PSTN) technologies, which include: 1) T1; 2) Primary Rate Interface (PRI); 3) Analog lines. https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/trunks.html

• Skyline Technology Solutions – is the service supplier for Veritas (Support dates: March 22, 2019) and for Airwatch (Support dates: April 19, 2019).

• TLS – facilitates secure communications, but does not encrypt the data itself.

• Virtru Email Encryption – Secure Email service enables the COV to encrypt emails, attachments, and other content shared from messaging mailbox accounts. It is a cloud-based email security tool that encrypts emails on the client before they are sent. Virtru allows organizations to create DLP rules to encrypt specific data types such as HIPAA, PII, etc., preventing them from intentionally or inadvertently being transmitted unencrypted to other users either internal to the environment or external. Virtru is an optional add-on to the Google messaging mailbox and is configured at the OU level within the Google domain. Virtru offers canned DLP templates for specific data types, and users’ mailboxes can be configured to have one or more templates applied. It also allows for creation of custom DLP templates to meet each agency’s business needs. Any user intending to consume Virtru Email Encryption must also have either G Suite Basic or G Suite for Business.

• VMware Workspace ONE – Solution comprised of two main components: Identity Manager and AirWatch. Combining these technologies together gives us the following advantages: 1) Unified Application Catalog with Single Sign-On; 2) Unifies End-Point features; 3) Many security features.