Vault migration Admin guide for Google Vault mail archive
migrations
Google Vault migration Page i
Copyright 2018 CLOUDIWAY. All rights reserved.
Use of any CLOUDIWAY solution is governed by the license agreement included in your original
contract.
The copyright and all other intellectual property rights in the Software are and remain the
property of CLOUDIWAY and/or its subsidiaries (“CLOUDIWAY”). The licensee shall not acquire
any title, copyright or other proprietary rights in the Software or any copy than specified in.
You may not attempt to copy, modify, alter, disassemble, de-compile, translate or
convert in human readable form, or reverse engineer all or any part of the
Features and/or Data.
You acknowledge that the Software and all related products (including but not limited to
documentation) are the subject of copyright. You therefore, shall not during or any time after
the expiry or termination of this Agreement, permit any act which infringes that copyright and,
without limiting the generality of the foregoing, You specifically acknowledge that You may not
copy the Software or Products except as otherwise expressly authorized by this Agreement.
CLOUDIWAY provides this publication “as is” without warranty of any kind, either express or implied,
including but not limited to the implied warranties of merchantability or fitness for a particular
purpose. CLOUDIWAY may revise this publication from time to time without notice. Some
jurisdictions do not allow disclaimer of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.
Document history
Date Editor Change details
24/03/2017 WR First publication
03/05/2015 ED Update
09/07/2018 ED Updated doc to use Office 365 PST Import Services
Table of Contents
1 Google Vault archive mail migration with Cloudiway
1.1 How does it work?
2 Security
3 Performance
4 Mail migration scope
4.1 What can be migrated?
4.2 Migration limitations
4.3 Considerations
4.4 Audience
5 Pre-migration configuration
5.1 Before you start
5.2 Google Vault — Create and set up a migration account
5.3 Office 365
5.4 Exchange On-Premises — set up an account via PowerShell
5.5 Amazon WorkMail — set up an account with mailbox permissions
6 Use the Cloudiway platform to migrate your mail
6.1 Create your Google Vault source connector
6.2 Office 365 — Create your target connector
6.3 Other target connector configurations
6.3.1 Exchange
6.3.2 Amazon WorkMail
6.3.3 G Suite
6.4 Check the global settings before migration
6.5 Import or create your users
6.5.1 Option 1: CSV import
6.5.2 Option 2: Import Users tool
6.5.3 Option 3: Single user creation details
6.6 Activate and monitor your migration
7 Troubleshooting
1 Google Vault archive mail migration with Cloudiway
Cloudiway's mail archive migration solution helps businesses perform migrations through a simple
SaaS interface. As a result, vault migrations require no additional software installation or overhead,
and migrations can be performed securely and quickly.
The Cloudiway platform is flexible enough to support all types of migration paths. However, this
mini-guide focusses on migrating Google Vault archives. For more information about migration types
(cutover vs. batch), please visit www.cloudiway.com/resources/ and download the mail migration
whitepaper and the mail migration administration guide.
1.1 How does it work?
Google Vault can be migrated to the following targets:
• an Office 365 inbox (either a separate inbox for archiving or a user's inbox);
• within the In-Place Archive of an Office 365 inbox;
• a mix of both an In-Place Archive and any Office 365 inbox;
• an Exchange On-Premises inbox;
• a Gmail inbox; or,
• an Amazon WorkMail inbox.
The most common scenario is to migrate Google Vault contents to an Office 365 In-Place Archive.
This guide explains how to migrate to an In-Place Archive, a mix of inbox and In-Place Archive, and a
standard inbox.
The most standard scenario is a Vault to Office 365 migration. The new Vault migration engine uses
the Office 365 PST Import Service.
The platform exports the archives from Vault in PST format and uploads them directly into the Azure
Blob Storage used by the Office 365 PST Import service.
Once imported, you will run the Office 365 PST import service manually.
2 Security
We take your privacy and security seriously at Cloudiway, and we have invested significant effort into
making our platform and your data secure. Cloudiway provides a cloud-based application hosted in
Windows Azure. It means that the software and data are centrally hosted and accessed by clients
using a web browser and internet connection. In addition, Cloudiway's SaaS benefits from Windows
Azure's certifications, ensuring security of the infrastructure, network and physical security layers of
the Cloudiway cloud.
For total assurance, Cloudiway provides auditing tools, secure, authenticated data connections and a
logging system. More specifically:
• Cloudiway doesn’t store your mail, files or site data;
• the migration takes place in memory only: the migration engine connects to the source, pulls
data and pushes it in real time;
• connections to the source and the target are done using HTTPS so no data is transferred
unencrypted over the internet; and,
• nothing is stored internally: no data persists in the platform. *
*For the delta pass mechanism, the messageID of each email is used. This ensures that no data is
duplicated, and for efficiency, only the changes are propagated. We automatically delete inactive
records after 90 days, or upon request.
In addition, because the Cloudiway platform needs credentials to connect to the source and the
target, you define connectors to connect to them and enter credentials that will be used for the
connection. These credentials are stored encrypted using AES 256.
For complete peace of mind, we recommend that you create a temporary migration account during
your migration which you can delete at the completion of your project.
3 Performance
The Cloudiway migration platform uses all available resources to provide the fastest migration
possible and can support both small and large migrations. The on-demand migration engine allocates
the capacity needed to migrate the volume of data of your choice in the time slot you have allocated.
However, there are limitations. Many mail systems can heavily throttle users. When you perform too
many calls, the remote server will begin throttling and decrease the number of calls that can be
performed each minute, thus reducing the migration throughput. Cloudiway constantly attempts to
work at the maximum capacity allowed to achieve excellent throughput.
Google Limitations
Google allows 30 Vault users to be extracted concurrently.
Office 365 limitations
Office 365 uses throttling to limit resources consumed by a single account. To maximize throughput
and limit throttling, Cloudiway follows Microsoft best practice and uses impersonation. An account
with impersonation rights can pose as 100 users concurrently to migrate 100 mailboxes in parallel.
The platform uses EWS protocol; Microsoft theoretically allows throughput of around 300 MB per
user per hour. The Cloudiway platform typically sees throughput of 200 MB to 300 MB per mailbox
per hour — an average of 500 GB per day with a constant migration of 100 concurrent mailboxes.
To further improve throughput, you can create additional connectors. For example, if you create two
target Office 365 connectors (each with its own distinct migration account), you can migrate 200
mailboxes concurrently and reach a throughput of around 1 TB per day.
Exchange On-Premises limitations
A major benefit of Exchange On-Premises is that you're in control of all settings. If you're migrating
from Exchange, make sure your server(s) and network are optimized for maximum throughput.
Amazon WorkMail limitations
At the time of writing, Amazon WorkMail does not provide any native mail archiving tools. Although
archives can be sent to an Amazon WorkMail inbox, all archive functionality will be lost. Throttling
may also slow down migration, although exact measurements are not currently available.
4 Mail migration scope
4.1 What can be migrated?
Cloudiway is capable of migrating the following from Google Vaults:
• Emails
• Attachments
4.2 Migration limitations
Google Vaults has the capacity to store Google Hangout chats if the history setting has been
activated as well as any Google Talk chats that are on the record. The Cloudiway platform currently
does not migrate Google Hangout chats or Google Talk chats.
Google Vaults can retain Google Groups messages only if the Groups owner has archiving activated.
The Cloudiway platform currently does not migrate Google Groups messages as part of Vault
migration. However, it can handle Google Groups migrations to Office 365 (unified groups or shared
mailboxes) as a separate migration project.
During migration, Outlook profiles are not created. This is the responsibility of the system
administrators performing the migration.
4.3 Considerations
Migration takes place between existing mailboxes, whether they're dedicated archive mailboxes or
standard mailboxes. This means that mailboxes must exist in the target at the time of migration.
Before starting a migration, please ensure that all mailboxes to be migrated have had their target
mailbox created in the target domain (steps are included in this guide). If required, you can use the
optional IAM module to provision the target (get in touch via [email protected] for more
information).
4.4 Audience
This guide is aimed at experienced system administrators who are capable of connecting to remote
systems and using a variety of administration tools.
Although we provide support for our own products, we do not provide support for third party
products such as PowerShell or server administration of Google or Office 365.
If you are concerned you might have any difficulty completing these steps, please consider a solution
with our consulting team, contactable via [email protected]. This will ensure a fast,
cost-effective and stress-free implementation.
5 Pre-migration configuration
5.1 Before you start
Before you start, you will need to ensure you have the details outlined in the following table. In each
case, we recommend you create an account especially for migration (we provide steps for each
system), which you can delete upon completion of migration. This ensures full security and simplicity.
Name | Description | Location
Cloudiway login | Stores details and provides communication between the systems you already use. | https://apps.cloudiway.com
Knowledge base access | Our extensive knowledge base is always accessible, with videos, troubleshooting tools, samples & more. | http://kb.cloudiway.com
Google Vault Admin console | This is where administrators manage Google Vault for people in an organization. | https://ediscovery.google.com
Target: Exchange On-Premises
Exchange account and secure port | Used for impersonation to access mailboxes. This doesn't have to be the main admin account. However, it must be an administrator account if you wish to migrate the permissions. The account must be able to bypass SSO and authenticate using username/password credentials (with a password set to never expire). This is not required if self-migration is used. The Cloudiway platform needs to connect to Exchange securely. Use SSL port 443. | If you can't access an account with impersonation privileges, you can use the self-migration option.
Target: WorkMail
WorkMail migration account | Used for impersonation to access mailboxes. It can be any user. | Your AWS console
5.2 Google Vault — Create and set up a migration account
You need the username and password of a Vault Administrator.
5.3 Office 365
The latest version of the Google Vault migration engine uses Office 365 PST Import Service.
There are no prerequisites.
5.4 Exchange On-Premises — set up an account via PowerShell
If you're migrating from Exchange On-Premises, you can create a migration account with admin and
impersonation permissions using your existing Exchange server interface or using the command line
instructions shown in the steps below.
1. Launch Exchange Management Shell to connect to your Exchange server with an Exchange
Admin account
2. Copy the command below:
New-ManagementRoleAssignment -Name "Impersonation for migration" -Role "ApplicationImpersonation" -User "[email protected]"
3. Paste the command into the command prompt, ensuring you have updated
"[email protected]" with your own mail migration account
5.5 Amazon WorkMail — set up an account with mailbox permissions
Below are the steps to show you how to set up impersonation using the Amazon WorkMail Console.
We recommend that you create a user especially for mail migration at both your source and target.
1. Log in with your administrator account to the Amazon WorkMail Console
2. Ensure that the region shown in the top right corner matches the region you set up for the
Amazon WorkMail server (for example, US West (Oregon) is selected below):
3. Scroll down to Business Productivity and click on WorkMail to see a list of your
WorkMail servers:
4. Click on the target migration server to produce a list of all existing users:
5. Click on Organization settings on the left, then the Migration settings tab:
6. Click on the Edit button and turn Mailbox permissions on
7. Use the Select user button to add your mail migration account
8. Click on the Save button to save your changes
6 Use the Cloudiway platform to migrate your mail
For the Cloudiway platform to migrate archives, it must connect (bind) to a source Vault mailbox with
a specific Google Vault connector. Archives can be entirely migrated to the In-Place Archives folder
within an Office 365/Exchange 2010 or later inbox or directly to an inbox, or a mixture of both.
Cloudiway requires a special archive license (quota) to ensure archive mails are migrated from an
archive mailbox. (You can buy archive packages the same way you buy a standard user license for
Cloudiway, or you can contact us at [email protected] to request archive packages.)
The most straightforward way to migrate archives is to create a new source and target connector to
use especially for archive migrations. This allows you to begin an archive migration even if you're
performing standard mail migrations on the Cloudiway platform at the same time. In effect, this
treats a Google Vault migration as a separate migration on the Cloudiway platform.
The following steps are required to migrate a Google Vault:
1. Create a Google Vault source connector
2. Create a target connector (perhaps with 'archive' in the name), with the archive option switched on and at zero for In-Place Archive migration, or switched off for migration directly to an inbox
3. Create an archive user and link the user to the Google Vault source connector and the archive target connector
6.1 Create your Google Vault source connector
To facilitate mail archive migration, the Cloudiway platform needs to be able to communicate with
both your source and target domains. To do this, Cloudiway uses connectors, which are configured
on apps.cloudiway.com. You will need to set up a connector for each Google Vault source and each
target system. Follow the steps below to configure a Google Vault source connector.
1. From your browser, go to https://apps.cloudiway.com and log in
2. Click on Mail Migration on the left, then Sources
3. Click on the + New option at the bottom of the screen
4. Click on Google Vault and type a meaningful name in Connector name
5. Click on the Create button
6. Set the administrator and password
Also fill in the security questions: Google will detect that the migration account is logging in
from an unusual location and will ask for answers to one or two security questions.
Cloudiway then has to log on to Google from the server in order to “whitelist” the IP
address of the server. This is necessary only one time; the server then remains
whitelisted for the whole project.
7. Click on the Save button at the bottom of the screen
Your source connector has now been created. Next up is the target connector.
6.2 Office 365 — Create your target connector
If you are migrating to Office 365, you need to create a target connector of type Office 365 PST
Import.
1. From your browser, go to https://apps.cloudiway.com and log in
2. Click on Mail Migration on the left, then Targets
3. Click on the + New option at the bottom of the screen
4. Click on PST Import and type a meaningful name in Connector name
The migration is a three-step process.
The Cloudiway platform automates the upload of the PST files to Office 365.
For the complete Microsoft documentation, follow:
https://support.office.com/en-us/article/use-network-upload-to-import-your-organization-s-pst-files-to-office-365-103f940c-0468-4e1a-b527-cc8ad13a5ea6?ui=en-US&rs=en-US&ad=US#step4
Step 1:
Provision the Office 365 blob storage and store the connection string to access it
How to find the BlobStorage Connection String?
Log in to the Office 365 portal as administrator.
Click on Setup, then Data migration
Click on Upload PST files
Click on New import job
Name your job and click Next.
Select Upload your data
Click on Show network upload SAS URL
Once Azure has provisioned the container, the URL is displayed.
Copy it to the clipboard and paste it in the Cloudiway connector.
You can leave the Import data page open (in case you need to copy the SAS URL again) or
click Cancel to close it.
Step 2:
Upload the PST files to the blob storage using the Cloudiway platform:
From the archive user list, select the users and click Start
When the migration is completed, proceed to step 3.
Step 3:
Once the Cloudiway platform has uploaded the PST files to the blob storage, come back to this page or
create a new import job.
Click on I’m done uploading my files and I have access to the mapping file
Click Next
The next step is to upload the mapping file.
Generate the following CSV file:
Workload,FilePath,Name,Mailbox,IsArchive,TargetRootFolder
Exchange,,[email protected],[email protected],FALSE,
Exchange,,[email protected],[email protected],FALSE,
Exchange,,[email protected],[email protected],FALSE,
Exchange,,[email protected],[email protected],FALSE,
Exchange,,[email protected],[email protected],FALSE,
Each line after the header has the following format:
Exchange,,Export_<source email address>-1.pst,<target email address>,FALSE,
For example, if the source email address is [email protected], the platform will export the archive and
upload it with the following name: [email protected]
Upload your csv file to Office 365 and validate it.
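The mapping file decides which mailbox each exported PST lands in, so it is worth generating it from the same user list you upload to Cloudiway rather than typing it by hand. The following is an added example, not Cloudiway or Microsoft code: it assumes the semicolon-separated user list format described in section 6.5.1, uses constructed sample addresses, and the is_archive switch (TRUE to target the archive mailbox) follows Microsoft's mapping-file documentation rather than anything shown in this guide.

```python
import csv
import io
import re

USER_LIST_HEADER = ["FirstName", "LastName", "SourceEmail", "TargetEmail", "BatchName"]
MAPPING_HEADER = ["Workload", "FilePath", "Name", "Mailbox", "IsArchive", "TargetRootFolder"]

# Deliberately strict: no commas, quotes, slashes or spaces, so an address
# can never break a CSV row or the PST file name built from it.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample input (not real users).
SAMPLE_USER_LIST = """\
FirstName;LastName;SourceEmail;TargetEmail;BatchName
Ann;Lee;ann.lee@source.example;ann.lee@target.example;Batch1
Raj;Patel;raj@source.example;rpatel@target.example;
Bad;Row;not-an-email;bad@target.example;
Ann;Lee;Ann.Lee@source.example;other@target.example;Batch2
"""


def build_mapping(user_list_csv, is_archive=False):
    """Return (mapping_csv_text, errors) for a user list in the 6.5.1 format."""
    reader = csv.reader(io.StringIO(user_list_csv), delimiter=";")
    header = [cell.strip() for cell in next(reader, [])]
    if header != USER_LIST_HEADER:
        raise ValueError(f"unexpected header row: {header}")

    rows, errors, seen_sources = [], [], set()
    for line_no, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != len(USER_LIST_HEADER):
            errors.append(f"line {line_no}: expected 5 columns, got {len(row)}")
            continue
        source, target = row[2].strip(), row[3].strip()
        if not (ADDRESS_RE.fullmatch(source) and ADDRESS_RE.fullmatch(target)):
            errors.append(f"line {line_no}: invalid address")
            continue
        # The same archive listed twice would be imported into two mailboxes.
        if source.casefold() in seen_sources:
            errors.append(f"line {line_no}: duplicate source {source}")
            continue
        seen_sources.add(source.casefold())
        # File name follows the guide: Export_<source email address>-1.pst
        # (the source address is kept exactly as written in the user list).
        rows.append(["Exchange", "", f"Export_{source}-1.pst", target,
                     "TRUE" if is_archive else "FALSE", ""])

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(MAPPING_HEADER)
    writer.writerows(rows)
    return out.getvalue(), errors


if __name__ == "__main__":
    mapping, problems = build_mapping(SAMPLE_USER_LIST)
    print(mapping, end="")
    for problem in problems:
        print("SKIPPED", problem)
```

Rows reported in the error list are left out of the mapping file, so review them before submitting the import job.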
Click on Validate and click Save.
Click Save to submit the job, and then click Close after the job is successfully created.
A status flyout page is displayed, with a status of Analysis in progress and the new import job is
displayed in the list on the Import page.
Click the Refresh icon to update the status information that's displayed in the Status column. When
the analysis is complete and the data is ready to be imported, the status is changed to Analysis
completed.
You can click the import job to display the status flyout page, which contains more detailed
information about the import job such as the status of each PST file listed in the mapping file.
6.3 Other target connector configurations
It's possible to migrate Google Vault archives to any other target, even if archiving isn't supported.
The Vault items will simply be placed directly into the target inbox, without being placed in a specific
archive folder.
Follow the steps in the previous section to create the basics of your target connector, then check
below for specific details.
6.3.1 Exchange
For Exchange On-Premises, the connector requires a few extra details:
If autodiscover is active, the Server Name field doesn't need to be filled.
Make sure you select the right server version from the dropdown list.
The admin login is in UPN format.
6.3.2 Amazon WorkMail
For Amazon WorkMail, the connector requires a few extra details:
Enter your Amazon WorkMail domain in Domain. For example, drypizza.awsapps.com.
Enter the Server Region that matches your WorkMail server region (shown in the top right corner of the Amazon WorkMail Console).
6.3.3 G Suite
For G Suite, the connector requires a few different details:
This Cloudiway connector will use the Cloudiway migration service account.
6.4 Check the global settings before migration
If you've already set up any other mail migrations on the Cloudiway platform, you have probably
already configured the global settings according to your needs, and you can probably leave them alone.
As these settings are global, changing them for a Vault migration will change them for all other
migrations running concurrently. In addition, Vault data is less varied than an inbox, with no
calendars, contacts or trash to migrate. Therefore, only a few global settings can apply to a Vault
migration, so it's unlikely that you'll need to do any further configuration to the global settings.
However, if required, you can use the date and timestamp settings (in UTC) to choose particular
dates of emails that should be migrated. For example, if you wish to migrate only the past three
years of a Vault which has been active for five years, you can specify the date range here. Make sure
that you check these settings before performing any other migrations later on, and that you don't
run any other migrations requiring different dates during Vault migration.
The Convert Email Address option can be used during Vault migration and is active by default. It
rewrites email addresses found in the header and replaces source email addresses with their
corresponding target email addresses.
The Convert X500 Address option is not used for G Suite or Vault migration (it’s used only when the
source is Exchange or Office 365).
For example, [email protected] sends an email to [email protected]. A week later, after migration,
[email protected] replies to Bob. The Cloudiway platform has already updated the SMTP header in
Bob's original email in her inbox, so her reply will be sent to [email protected]. How does it do this?
1. For migrations where both the domain name and alias change ([email protected] becomes
[email protected]), the Cloudiway platform already uses a mapping table to link each user.
2. For migrations where only the domain name changes, the Cloudiway platform still uses the user
list as a mapping table and if it doesn't find a matching username in the list, it uses the domain
name defined in the target connector to convert source email addresses.
In other words, the user list mapping table is also used by the Convert Email Addresses option in this
situation. Therefore, it's important that all users exist in the mapping table before migration begins
(this guide contains instructions).
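The two-stage lookup described above (user list first, target domain as fallback) can be sketched as follows. This is an added example, not Cloudiway's implementation: the function names, the source_domains set used to recognise internal addresses, and all sample addresses are assumptions made for illustration. It also returns the addresses that only matched the domain fallback, which are the users missing from the mapping table.

```python
from email.utils import formataddr, getaddresses


def convert_address(address, user_map, source_domains, target_domain):
    """Return (converted_address, rule); rule is 'mapped', 'domain' or 'kept'.

    user_map keys must be lower-case source addresses (assumption of this sketch).
    """
    if address.casefold() in user_map:
        return user_map[address.casefold()], "mapped"      # stage 1: user list
    local, _, domain = address.rpartition("@")
    if local and domain.casefold() in source_domains:
        return f"{local}@{target_domain}", "domain"        # stage 2: domain swap
    return address, "kept"                                 # external: untouched


def convert_header(value, user_map, source_domains, target_domain):
    """Rewrite every address in one To/Cc/From header value.

    Returns (new_header_value, fallback_addresses). A fallback address was
    converted by domain only, so the resulting mailbox may not exist or may
    belong to someone else; add those users to the user list before migrating.
    """
    converted, fallbacks = [], []
    for name, address in getaddresses([value]):
        new_address, rule = convert_address(
            address, user_map, source_domains, target_domain)
        if rule == "domain":
            fallbacks.append(address)
        converted.append(formataddr((name, new_address)))
    return ", ".join(converted), fallbacks


# Constructed sample data: one user whose alias changes, one user missing
# from the user list, and one external correspondent.
SAMPLE_USER_MAP = {"bob@old.example": "robert.smith@new.example"}
SAMPLE_HEADER = ("Bob Smith <bob@old.example>, Chloe <Chloe@old.example>, "
                 "partner@external.example")

if __name__ == "__main__":
    header, missing = convert_header(
        SAMPLE_HEADER, SAMPLE_USER_MAP, {"old.example"}, "new.example")
    print(header)
    print("not in user list:", missing)
```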
1. From the same Mail Migration area of https://apps.cloudiway.com, click on Global Settings
2. Click on the Edit button at the bottom of the screen.
The grey buttons will turn blue, indicating you can now edit these to your preferred global
migration plan.
3. Update any settings you wish to alter, remembering that time and dates are set to the UTC
time zone, and that changes affect all mail migrations.
4. Click on the Save button at the bottom of the screen to update your global settings.
6.5 Import or create your users
There are a number of ways to add users that you wish to migrate. These include:
• CSV file upload;
• Cloudiway's Import Users tool (using IAM); and,
• creation of single users.
Archive mail migration inboxes don't require individual migration licenses on the Cloudiway platform.
6.5.1 Option 1: CSV import
You can upload a user CSV file to Cloudiway. It must have the following fields in the header row:
FirstName;LastName;SourceEmail;TargetEmail;BatchName
Many browsers limit CSV file uploads to 5000 lines. Larger files can be split and uploaded separately.
Data already uploaded will not be overwritten, so you can upload as many files as needed.
The BatchName field can be left blank. If required, you can use this field to name different batches so
they can be run in a certain order. A sample CSV file is available for download during the steps below.
1. Ensure you're still in the Mail Migration area of apps.cloudiway.com and go to Archive
2. Click on User in the bottom left corner and select Upload CSV
3. If required, click on Download sample CSV and add your users to the CSV file using the
sample headers (FirstName;LastName;SourceEmail;TargetEmail;BatchName)
4. When you have a complete CSV file with the correct headers, click on the Upload button
5. Locate your CSV file within your own file system, and double-click on it to select it
6. Select the appropriate connectors in the Source and Target fields
7. Click on the Upload button: if the format is not correct, you will see an error message:
8. If you see any error messages, check your CSV file to ensure it has five columns with a
separator between each and try uploading again
Once the CSV file format is correct, you will see a confirmation message:
9. Check your email or refresh the screen to see when the user list has been updated.
When you have received confirmation that the upload has been completed, you can refresh the
Cloudiway platform to display your imported users.
6.5.2 Option 2: Import Users tool
Cloudiway's Import Users tool helps you to retrieve users from your source. The functionality works
via Identity Access Management. The tool requires you to specify any transformation rules you wish
to apply. It will then add new users in the Mail Migration User List view within the Cloudiway
platform. This is an advanced tool that is best used in partnership with Cloudiway consultants. If you
are interested in using this option, please get in touch with your Cloudiway contact.
6.5.3 Option 3: Single user creation details
Many of our customers create a single user for testing. This lets you watch the migration process
without affecting all users. Single users can also be created for migrations affecting just a few users.
1. Click on Archive from the Mail Migration menu
2. Click on User in the bottom left corner and select Create Single to display the pop-up screen:
3. Fill in all details for a new user
4. Click on the Create button to add the new user to the Archive Migration / User List screen:
5. Repeat steps 1 to 4 for any more users you'd like to create.
6.6 Activate and monitor your migration
Now that you have performed all the pre-migration steps within your remote systems and within
Cloudiway, you're ready to migrate. We recommend you run a test migration on a single user first to
check that your configuration produces the outcome you expect.
To start your migration, select the users or batch you wish to migrate and click on the Start button.
Your batch will be scheduled and will begin as soon as resources are available.
Don't forget that the Cloudiway migration platform supports delta passes and that migrations are
therefore incremental; every time you restart the migration of a mailbox, only items that haven't
already been copied to the target will be migrated. The platform therefore does not duplicate items
in the target.
7 Troubleshooting
Cloudiway provides an extensive knowledge base with many resources, including common error
messages, video guides and downloads.
Please visit the mail migration knowledge base area here:
http://kb.cloudiway.com/category/faq-cloudiway/cloudiway-migration-products/mail-migration-faq-cloudiway/
Please visit the entire knowledge base here (where you can search for keywords or read through
topics): http://kb.cloudiway.com/
The knowledge base also contains information on how you can ask for further support, should you
require it.