
Messaging Service Provider Enterprise Architecture …...COVMSGCES-APL13 COVMSGCES-APL15 COVMSGCES-APL16 COVMSGCES-APL17 COVMSGCES-APL18 COVMSGCES-APL19 = Virtual Machine (VM) Veritas?


Robert Kowalke ~ Enterprise Architecture ~ [email protected] Relationship Management & Governance (RM&G) @ Virginia Information Technologies Agency (VITA)

Commonwealth Enterprise Solutions Center (CESC) Architectural Artifacts/Graphs/Views/Matrices/etc. reference page: http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap35.html

PURPOSE: To depict the VITA messaging enterprise in support of leadership decision making. The benefit to the COV and VITA program is a consistent enterprise service offering that will meet agency requirements for messaging services. TempusNova (TN) and Google provide flexible and highly collaborative platforms to increase COV user productivity, provide flexible and secure options for configuration, and allow the COV to significantly reduce messaging costs. By deploying a Google solution, COV resources can be allocated away from email system maintenance to more business-critical applications, which will change the way information is shared and decisions are made. The MDM environment is a hybrid cloud configuration with components hosted in the VMware SaaS cloud and in VITA’s datacenter. As of Mar 20, 2019: 1) Overall diagram accuracy is assessed at 95%; 2) Overall diagram completion is assessed at 98%.

Enterprise Architecture Diagram

Messaging Services Enterprise

VITA Draft Discussion Document // REV – Mar 20, 2019

AirWatch Cloud Messaging Service

Google Messaging and Adjunct Services (GMAS)

Server and Associated Storage supporting GMAS

Primary WAP03922

Google Cloud Directory Sync (GCDS)

Backup WAP03923

Primary

SMTP Relay

GMR01 GMR02 GMR03

ESNA Officelinx for G-Suite Fax Service and Voice Messaging

Faxing, Fax to Email, and Voicemail to Email

ESNA1 ESNA2 ESNA3 ESNA4

Enterprise Identity Management Solution. Single-Sign-On (SSO); Multi-Factor Authentication; Universal Directory. Federated users sign in with Okta.

virginia.gov.okta.com

COV Active Directory (AD)

Already operational on premise. User identities managed on premise.

COV Directory Services LDAP Server

Transport Layer Security (TLS) 1.2

Data Protected in Transit by FIPS 140-2 level 2 validated.

TCP 443 / 80

covdsldap.cov.virginia.gov

LDAP Secure SSL 636

Email Data Loss Prevention (EDLP) Virtru Email Encryption Virtru Data Protection (VDP) Platform Messaging Mailbox ADD-ON 3rd Party Google-based App

Google Drive

File Sharing, Collaborations, and Collaborative Editing

Integrates with G-Mail

Mobile Users

Secure Socket Layer

TCP 80 / 443 / 2020 / 8443

Google Cloud Platform (GCP)

Cloud Storage

App Engine

Pub / Sub

Google Cloud

Messaging Service Provider

Google.Virginia.Gov

GMAS COV Users and VITA Agencies

Google Hangouts Chat: Instant Messaging

Up to 100 people in group discussion.

Google Hangouts Meet: Video Conferencing

Up to 25 users (Basic) / 50 users (Enterprise) simultaneous conference sessions.

Google Suite – G-Suite

Google Calendar

Google Vault: Hosted Mail Archiving

Messaging Archive Service

Messaging Mailbox: Google G-Mail

Enterprise Handheld Services (EHS): Google MDM

Mobile Device Management (MDM)

G-Suite Administrator Console

Unified Communication (UC) Management

Integrated unified messaging and communication services integrated with G-Suite and existing Cisco communication system.

VITA’s VoIP Systems

TDM

SIP Trunk VoIP / Fax

Load Balancer

= Custom Coded Symbol

Okta: Identity and Access Management Solution

End-2-End Encryption

CTI

3rd Party Applications

Level-1 IT Support

Level-2/3 IT Support

Enabled by VITA CSRM Security Exception Only – not turned on for all users in the domain. Currently being used on a limited basis for calendar attachments by agencies that have signed a waiver. Drive is currently on in the following domains due to agency requests: ALTFA, CSA, DARS, DBVI, DCR, DGIF, DGS, DHCD, DHP, DHR, DJJ, DMV, DOAV, DOE, DPB, DRPT, DSBSD, GHP, GOV, JYF, TAX, TRS, VBPD, VDACS, VDDHH, VDEM, CDOT, VFHY, VITA, VMFA, VMNH, VSP, and WWRC.

COVENICES-ADC80

COV AD Domain Controllers used by CloudLink

COVENICES-ADC81

COVENICES-ADC82 COVENICES-ADC83

COVENICES-ADC84 COVENICES-ADC85

COVMSGCES-APL02

CloudLink provisions and disables users.

COVMSGCES-APL03

COVMSGCES-APL04

COVMSGCES-APL05: DARS / DRS

COVMSGCES-APL06

COVMSGCES-APL07

COVMSGCES-APL08

COVMSGCES-APL09

COVMSGCES-APL10

COVMSGCES-APL11

COVMSGCES-APL12

COVMSGCES-APL13

COVMSGCES-APL15

COVMSGCES-APL16

COVMSGCES-APL17

COVMSGCES-APL18

COVMSGCES-APL19

= Virtual Machine (VM)

Veritas EV.Cloud: Hosted Mail Archiving (HMA)

CloudLink Service Platform Servers for AD User Sync

VMs – W2008 R2

TCP 25 / 443 / 80

COVMSGCES-SM1: OUD Acct Sync DSS

COVMSGCES-ACC1: AD Acct Sync CoV

COVMSGCES-MAG1: App Tunneling Proxy Primary – x.x.11.131

COVMSGCES-MAG2: App Tunneling Proxy Secondary – x.x.11.132

COVMSGCES-ACC2: AD Acct Sync CoV

COVMSGCES-SM2: OUD Acct Sync DSS

COVMSGCES-SM3: Unused Server

COVMSGCES-ATS1: Tunneling V2 / VMware OVA

COVMSGCES-ATS2: Tunneling V2 / VMware OVA

Directory Integration Servers for DSS

Directory Integration Servers to COV

Media Application Gateways

App Tunnel Servers

Workspace ONE Unified Endpoint Management (UEM)

Mobile Devices

Load Balancer X.X.77.91

Load Balancer X.X.71.76

SaaS Cloud

TCP 80 / 443 / 636

TCP 443 / 2001

L = Logging Server

Virtru Client – Secure Reader

Virtru Client – Dashboard

Up to 59,000 COVA executive branch access licenses procured

Handles all COV SMTP relay requests from 3rd Party apps and multifunction devices

Multifunction Devices

Cisco IronPort Security Appliance

ESA Server

Cloud IronPort Email Security Appliance (ESA) Server

Virus and Spam Filtering

https://hangouts.google.com

System Roles and Custom Roles

Mail Sync; Calendar Sync; Contact Sync

CUMI

CUPI (REST API)

GMAS has infrastructure in the COV-based datacenter. Server infrastructure, including the associated storage used to support the Google Messaging and Adjunct Services, is provided by the Server Services Supplier. As part of that service, storage is included.


Blackberry Support

Google Domains

Cloud-based. No CoV infrastructure. Config Settings;

Core Services; User Accounts

Logging

Custom app created for VITA to log various events within the G Suite environment by utilizing Google’s Reports API. The app uses both Google Cloud Platform (GCP) and an on-premise server. Atos Server where TN FTPs SIEM data in Syslog format.

On-Premise Portion

Custom VITA Log Application Server

LAP04201 (Syslog)

Logging

Lite: Virus and spam filtering only

Optional add-on to Google’s Messaging Mailbox.

= VAR-727

= VAR-413

= Other VARs

269? 197? 113?

= Single point of messaging failure assessment

12

All servers listed are virtual.

COVMSGCES-SM4 ???

COVMSGCES-SM5 ???

COVMSGCES-SM6 ???

WAP03934

WAP03935

WAP03923 Backup

Multifactor Authentication

No DR

RK-1 - What DR is available for the CESC block of my messaging diagram?

Dave Brackins: They are NOT/NOT subscribed to DR. Still waiting to hear back from TN on their DR plan.

Dave Brackins: I know TN is having issues with their SSP, and they have DR as part of that. Let me follow up with them and I’ll get back to you.

Dave Brackins: It seems TN is pointing to Unisys for all server issues. Trying to confirm now.

Dave Brackins: CESC Servers Tempus Nova Updates 1-31-2019 (002)_fm-Dave-Brackins-Mar-7-2019-1019-email.xlsx

Email Data Loss Prevention (EDLP) Email Encryption

Currently in VAR submission stage.


• Google Vault – aka Hosted Mail Archiving (HMA) – is an enterprise-wide messaging archiving service solution allowing any customer subscribed to Messaging Mailbox to archive all inbound and outbound emails. This solution includes storage for all mail archives for a period determined by the customer's retention policies. There is no storage limitation with Google Vault. To be eligible for this service, users must be subscribed to a 30GB or unlimited mailbox. https://support.google.com/vault/answer/2462365?hl=en The Hosted Mail Archiving (HMA) solution is known as Google Vault. It can only be accessed via an Internet browser. It automatically archives, without user interaction, all incoming and outgoing emails from the Google Gmail Enterprise mailbox, or for users who have purchased a Google Vault license. Agencies can elect to subscribe to G Suite Basic if they do not want to utilize the Google Vault option. G Suite for Enterprise includes the Vault feature. Google Vault includes options to set data retention policies to meet each agency's requirements. It also has an eDiscovery toolset for the purpose of setting legal holds and collecting data to respond to open records requests or litigation. The Retention and eDiscovery functions are administered via a secure web UI that has its own access controls that are defined by VITA. Google Vault communicates using HTTPS, SSL, Port 80 to the cloud-based service.
  o Google for Work was a service from Google that provided customizable enterprise versions of several Google products using a domain name provided by the customer. It featured several Web apps with similar functionality to traditional office suites, including Gmail, Hangouts, Google Calendar, Google Drive, Docs, Sheets, Slides, Groups, News, Play, Sites, and Vault. https://en.wikipedia.org/wiki/Google_for_Work

• Hosted Mail Archiving (HMA) service – enterprise-wide solution that will allow any customer receiving standard messaging services through COV enterprise email to archive all inbound and outbound emails. This solution includes storage for all mail archives for the period determined by the customer's retention policies. Hosted mail options: End users can reference all of the information captured in their HMA archive until that data reaches its retention policy. No new emails from Gmail will be added to the HMA archive. View + journaling – end users can reference all of the information captured in their HMA archive until that data reaches its retention policy and new emails from Gmail will be added to the HMA archive. Billing Start Trigger: User is entered in Active Directory with e-mail attribute flagged.

• Messaging Mailbox Service – Email is a robust, cloud-based solution for email, calendar, and messaging. Google Mail (Gmail) provides users with: 1) flexible ways to organize messages using Stars, Labels, and Filters; and 2) integrated instant messaging, accessible from an internet browser without additional software. The Messaging Mailbox service offers customers two options for Gmail storage capacity and features:
  Option 1: 30 GB Mailbox ($6.72 per end user). These mailboxes include 30 gigabytes of storage space per account, enabling users to keep their emails rather than deleting or archiving them. This mailbox includes the option of Google Hangouts for instant messaging/chat.
  Option 2: Unlimited Mailbox ($16.71 per end user). These mailboxes provide users with unlimited storage, and the ability to retain a Gmail archive of messages allows users to fully leverage Google’s innovative search tools. Unlimited mailbox will include Vault. This mailbox includes the option of Google Hangouts for instant messaging/chat.
  The Messaging Mailbox solution is Google’s Gmail Basic and Enterprise offering. The service can be accessed via Internet browser or Outlook client. The Outlook client delivers limited functionality, whereas the native Gmail UI delivers all the feature-rich functionality of G Suite.

• Okta – Enterprise Identity Management Solution. Federated users sign in with Okta. Only Okta’s Single Sign-on Solution is needed. SSO integrates on-premise Active Directory (AD) with online MS Azure AD. Uses a Java-based service (LDAP agent) that runs locally on any server.

• Session Initiation Protocol (SIP) – Protocol for controlling and directing communications, including voice, video and data, over IP (Internet Protocol). A good rough analogy would be to see SIP as the voice and data network on your smartphone and Time Division Multiplexing (TDM) as the voice-only, analog experience on a dial home phone. The analogy isn’t entirely accurate, but you get the idea. SIP treats all communication (voice, data, video, instant messaging, whatever) as software, using VoIP technology, and transfers it over IP. A SIP server is the main component of an IP PBX, and mainly deals with the management of all SIP calls in the network. A SIP server is also referred to as a SIP Proxy or a Registrar. Although the SIP server can be considered the most important part of a SIP-based IP-PBX phone system, it only handles or manages sessions; more specifically, a SIP server can: 1) Set up a session between two (or more) endpoints (an audio conference would have more than two endpoints); 2) Negotiate the media parameters and specifications for the session for each endpoint using the SDP protocol; 3) Adjust the media parameters and specifications of a session DURING the session (putting a call on hold, for example); 4) Substitute one endpoint with a new endpoint (call transfer); 5) Terminate a session. The SIP server does not actually transmit or receive any media; this is done by the media server using the RTP protocol. Within the context of an IP-PBX environment, it is almost always true that the SIP server and its media server companion reside on the same machine. Do keep in mind, however, that very-high-volume SIP servers (such as a large VoIP provider, for example) may separate their media server to a different machine to better handle the workload, and could also possibly distribute the load to multiple media servers.

• Session Initiation Protocol (SIP) Trunking – SIP Trunking uses VoIP to connect a PBX between the Internet and the Public Switched Telephone Network (PSTN), replacing a traditional "phone trunk" such as a Primary Rate Interface (PRI) or analog line. This solution requires an on-premise PBX and a gateway to connect your Internet telephony service provider to a PBX. Trunking to a Hosted PBX is typically done using SIP.
  SIP Trunking's primary functions include: 1) Locating the user; 2) Selecting the end system for a session; 3) Learning user availability; 4) Determining the capability of the end-user system and establishing a session (call); 5) Managing the call session, including termination, transfers, and more.
  SIP Trunking Pros: 1) Leverages your IP Network, turning voice into an application on the network; 2) Potential for improved cost efficiency and cost savings; 3) Additional call appearances can be added quickly without having to wait for more circuits to be installed; 4) Call appearances can be routed to other sites quickly so you have flexibility with where phone service is being provided.
  SIP Trunking Cons: 1) Effective bandwidth analysis to protect QoS is especially important, due to multimedia transmissions; 2) Can require higher investment costs, due to need to acquire new equipment and retire old equipment; 3) The newness of this technology can make finding talent and troubleshooting help more challenging.
  Alternatives to SIP Trunking – SIP Trunking isn't an alternative to hosted or on-premise PBX. It's an alternative to publicly-switched telephone network (PSTN) technologies, which include: 1) T1; 2) Primary Rate Interface (PRI); 3) Analog lines. https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/trunks.html

• Skyline Technology Solutions – is the service supplier for Veritas (Support dates: March 22, 2019) and for Airwatch (Support dates: April 19, 2019).

• TLS facilitates secure communications, but it does not encrypt the data itself.

• Virtru Email Encryption – Secure Email service enables the COV to encrypt emails, attachments, files and other content shared from messaging mailbox accounts. It is a cloud-based email security tool that encrypts emails on the client before being sent. Virtru allows an organization to create DLP rules that encrypt specific data types such as HIPAA, PII, etc., so that they are not intentionally or inadvertently transmitted unencrypted to other users, either internal to the environment or external. Virtru is an optional add-on to the Google messaging mailbox and is configured at the OU level within the Google domain. Virtru offers canned DLP templates for specific data types, and users’ mailboxes can be configured to have one or more templates applied. It also allows for creation of custom DLP templates to meet each agency’s business needs. Any user intending to consume Virtru Email Encryption must also have either G Suite Basic or G Suite for Business.

• VMware Workspace ONE – Solution comprised of two main components: Identity Manager and AirWatch. Combining these technologies together gives us the following advantages: 1) Unified Application Catalog with Single Sign-On; 2) Unifies End-Point features; 3) Many security features

• Microsoft Active Directory (AD) – Unisys understands that VITA has an internal and external directory structure. Unisys will manage both directories. Unisys Clarified Response RFP 2017-04-E-mail 1-02.3.1 Exh (Solution - Server Storage Data Center) 20180125__Jan-29-2018.docx. In general a network directory service is a database composed of records or objects describing users and available network resources, such as servers, printers, and applications. A directory service can be used to specify who has the right to log on to a computer or restrict what software can be installed on a computer. Making sure the directory service is structured and designed correctly before using it is critical. Windows Active Directory became part of the Windows family of server OSs starting with Windows 2000 Server. You can structure Active Directory and organize the objects representing users and resources in a way that makes the most sense. Active-Directory-AD-Intro_Chap-3_Nov-25-2008.pdf.

• AODocs Document Management – AODocs was not implemented. Any user intending to consume AODocs must also have either G Suite Basic or G Suite for Business.

• Airwatch for Mobile Application Management (MAM) – enables state employees to securely access and manage COV apps on a mobile device, including deployment to devices.

• Airwatch for Secure Browser – enables users to seamlessly and securely connect to internal web-based resources such as intranet sites and Sharepoint without making those resources externally facing.

• Email Data Loss Prevention (EDLP) - https://www.virtru.com/data-loss-prevention/ is provided by a third party Google based solution provider known as Virtru. See Virtru.

• ESNA OfficeLinx for Google Apps – provides enhanced unified communications and VoIP integration. Integrates with phone systems to allow or enable voicemail and fax communications to work with Google’s email system. As a Unified Communication platform it extends real-time communications and collaboration across G Suite. It is an add-on intended for use with the G Suite Basic and G Suite for Business for authorized users that want to integrate with their current voice or fax messaging services. Service Lead: Jamey Stone [email protected]
  o ESNA Fax https://fax.virginia.gov/#/splash?state=https:%2F%2Ffax.virginia.gov%2F – ESNA Fax to Email enterprise fax service is an enhancement to existing messaging mailbox services providing users the capability to send or receive faxes from an email mailbox.
  o ESNA Voicemail to Email – provides access and management of voice messages right from your email. Must be a UCaaS customer.

• GMAS – Google Messaging and Adjunct Services (GMAS) solution is a hybrid cloud service offering by Tempus Nova (TN). It primarily leverages Google’s cloud based G-Suite platform with a small on premise footprint for account creation, single sign-on, faxing, and voicemail to email. GMAS solution is VITA’s messaging enterprise service offering allowing agencies to continue using services such as email, calendar, chat, mobile email, collaboration, and faxing. It facilitates information and data sharing between Commonwealth employees, partners, and citizens by way of email, mobile email, instant messaging, faxing and voicemail to email. Agencies will have virtually unlimited storage space for email, calendar, contacts and documents. IT resources will no longer need to deploy patches; manage updates; handle security issues; respond to growing needs for more storage and conduct massive training efforts associated with those upgrades. GMAS reduces thick desktop clients support burdens and the administrative overhead of maintaining and upgrading higher cost systems.

• Google Cloud – Includes Google Cloud Platform (infrastructure, data analytics, machine learning), G Suite (productivity and collaboration), Maps APIs, as well as Android, Chromebooks, and Chrome for enterprises.

• Google Drive – is a file sharing and collaborative editing solution. Google Drive is the home of Google Docs, a suite of productivity applications that offer collaborative editing on documents, spreadsheets, presentations, and more. At VITA, Google Drive is not turned on for the entire domain. Drive has been enabled for only specific agencies by organizational units (OUs) and is permissioned for use with Google calendar. Google Drive (OU) is enabled only for agencies that have requested it to be turned on via CSRM Security Exception. The use of Google Drive for these agencies is intended to be for calendar attachment sharing purposes only.

• Google Domains – contain configuration settings, core services, and user accounts. End users do not directly log in to the Google domain, but rather sign in through Okta single sign-on capability. Administrators such as TempusNova, VITA’s messaging service provider, log in using Google’s integrated two-factor authentication and utilize a SEC525 password as dictated by policy. It is cloud-based and does not consist of, or require, any infrastructure in a Commonwealth-based datacenter. The configuration settings for the Google Domain are governed by VITA, Messaging Transition Team, and CSRM. Google Domains is a domain registration service offered by Google, which publicly launched in the United States on January 13, 2015. It is currently in the Beta stage as noted by the somewhat accurate Wikipedia article accessed on Feb-8-2019.

• Google Hangouts Instant Messaging (IM) – Google chat provides authorized users the ability to instant message (aka chat) with other Commonwealth Eligible customers in real time communication with chats of up to 100 people in a group discussion. The Instant Messaging solution is configured to only allow users to chat with other users inside of the Virginia.gov Google domain. The Google Hangouts client operates via Internet Browser and mobile devices and communicates using HTTPs, SSL 443 to the cloud based service. https://apps.google.com/learning-center/products/hangouts

• Google Hangouts – Meet – allows up to 25 users on GS Basic and 50 users on GS Enterprise to simultaneously participate in a live video conference session with features such as screen sharing, chat inside the hangout, capture images, remote desktop capabilities and more. Users may perform screen shares with either one-on-one, or one-to-many web-based video conferences. This service can be accessed via the Gmail interface or via https://hangouts.google.com with a connection to the internet and on mobile devices.

• Google MDM – Enterprise Handheld Services (EHS) Mobile Device Management (MDM) provides users the capability to access email, calendar, and contacts within the COV environment securely from Android & iOS mobile devices, including tablets. https://support.google.com/a/answer/1734200?hl=en EHS is aka Google MDM and allows end users to securely receive their emails, calendars, and contacts on the mobile device. Handhelds are required to run the Google Inbox application, which can be found in the Google Play Store or the iTunes store, or to use the mobile browser, because this allows COV data to be held within the Google Inbox app versus being stored natively on the mobile device.

• G Suite Enterprise – The premium suite of Google services. In addition to everything available in G Suite Business, G Suite Enterprise offers enhanced security, controls, and customization, including access to the G Suite security center. G Suite comprises Gmail, Hangouts, Calendar, and Google+ for communication; Drive for storage; Docs, Sheets, Slides, Forms, and Sites for collaboration; and an Admin panel and Vault for managing users and the services. The key competitor to the Google suite is Microsoft Office 365, Microsoft's cloud-based offering for businesses that includes similar products. The key differences are in the pricing plans, storage space and number of features.

• Google Apps for Work (GAFW) – 30 GB Mailbox. These mailboxes include 30 GB of storage space per account, enabling users to keep their emails rather than deleting or archiving them. This mailbox includes the option of Google Hangouts for instant messaging/chat. Google Apps for Work changed to G-Suite. https://en.wikipedia.org/wiki/G_Suite Google Apps for Work – G-Suite Features: Gmail; Calendar; Google+; Hangouts Chat; Hangouts Meet; Hangouts Meet hardware; Docs; Sheets; Forms; Slides; Sites; App Maker; Keep; Jamboard; Drive; Cloud Search; Admin; Vault; Mobile; G Suite Training