Symantec™ Data Loss Prevention Cloud Service for Email Implementation Guide

Last updated: 06 February 2020


Symantec Data Loss Prevention Cloud Service for Email Implementation Guide

Documentation version: 15.7

Legal Notice

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

For more information, please visit https://www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Broadcom, 1320 Ridder Park Drive, San Jose, California 95131

https://www.broadcom.com


Symantec Support

All support services will be delivered in accordance with your support agreement and the then-current Enterprise Technical Support policy.

Knowledge Base Articles and Symantec Connect

Before you contact Technical Support, you can find free content in our online Knowledge Base, which includes troubleshooting articles, how-to articles, alerts, and product manuals. In the search box of the following URL, type the name of your product:

https://support.symantec.com

Access our blogs and online forums to engage with other customers, partners, and Symantec employees on a wide range of topics at the following URL:

https://www.symantec.com/connect

Technical Support and Enterprise Customer Support

Symantec Support maintains support centers globally 24 hours a day, 7 days a week. Technical Support’s primary role is to respond to specific queries about product features and functionality. Enterprise Customer Support assists with non-technical questions, such as license activation, software version upgrades, product access, and renewals.

For Symantec Support terms, conditions, policies, and other support information, see:

https://entced.symantec.com/default/ent/supportref

To contact Symantec Support, see:

https://support.symantec.com/en_US/contact-support.html


Contents

Symantec Support ........................................................................ 4

Chapter 1 Introducing Cloud Service for Email ....................................... 7
  About Symantec Data Loss Prevention Cloud Service for Email ................... 7
  About updates to this guide ................................................... 8
  Customer roles for Symantec Cloud Service for Email ........................... 9
  About Symantec Email Security.cloud and Symantec Cloud Service for Email .... 11
  About the Customer Management Portal ......................................... 11
  About the enrollment bundle .................................................. 12
  Support for Symantec Cloud Service for Email ................................. 12
  Symantec Cloud Service for Email architecture ................................ 12
  System requirements for Symantec Cloud Service for Email ..................... 14

Chapter 2 Deploying the Cloud Service for Email ..................................... 16
  Preparing to implement Symantec Cloud Service for Email ...................... 17
  Symantec Cloud Service for Email Implementation overview ..................... 17
  Using the Cloud Management Portal ............................................ 20
  Saving the enrollment bundle for Symantec Data Loss Prevention cloud services ... 22
  Accessing the cloud service from the Enforce Server .......................... 22
    Opening a port for communication with the cloud service .................... 23
    Configuring the Enforce Server to use a proxy to connect to cloud services ... 23
  Registering the Cloud Detector ............................................... 24
  Enabling incident reconciliation ............................................. 25
  Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding mode) ... 26
  Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode) ... 31
  Configuring Office 365 to use Office 365 for email delivery (Reflecting mode) ... 34
  Detecting emails from a subset of Office 365 Exchange Online users ........... 38
  Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for Email ... 38
  Detecting emails from a subset of Google G Suite Gmail users ................. 40
  Testing Symantec Cloud Service for Email ..................................... 41
  About updating email domains in the Enforce Server administration console .... 41
    Adding the unique TXT record to your DNS settings .......................... 42
    Updating email domains .................................................... 42
    Update override by the Symantec Cloud Service ............................. 44
    Upgrading to Symantec Data Loss Prevention 15.1 MP1 through 15.7 if you use Reflecting mode ... 44

Chapter 3 Creating Policies and Managing Incidents for the Cloud Service for Email ... 46
  Creating and publishing a policy group for Symantec Cloud Service for Email .. 46
  Encrypting cloud email with Symantec Information Centric Encryption .......... 47
    Implementing ICE with Cloud Service for Email ............................. 48
    Configuring the Enforce Server to communicate with the ICE service ......... 49
    Creating encryption response rules for ICE encryption ..................... 50
    About decrypting ICE encrypted email ...................................... 52
    Viewing details about ICE incidents ....................................... 52

Chapter 4 Best Practices for Cloud Service for Email ................................ 56
  Modifying SPF records in Email Security.cloud to ensure email delivery ....... 56
  Deleting the Cloud Detector to reset Symantec Cloud Service for Email ........ 57
  Requesting a new Cloud certificate ........................................... 57
  Understanding size limits for profiles ....................................... 58
  Review known issues for Symantec Cloud Service for Email ..................... 58

Chapter 5 Using additional Symantec Email Security.cloud features ................... 59
  Using Symantec Email Security.cloud Data Protection .......................... 59
    Using Symantec Email Security.cloud Policy Based Encryption ............... 59
    Using Data Protection to silently block email messages .................... 61


Chapter 1 Introducing Cloud Service for Email

This chapter includes the following topics:

■ About Symantec Data Loss Prevention Cloud Service for Email

■ About updates to this guide

■ Customer roles for Symantec Cloud Service for Email

■ About Symantec Email Security.cloud and Symantec Cloud Service for Email

■ About the Customer Management Portal

■ About the enrollment bundle

■ Support for Symantec Cloud Service for Email

■ Symantec Cloud Service for Email architecture

■ System requirements for Symantec Cloud Service for Email

About Symantec Data Loss Prevention Cloud Service for Email

Symantec Data Loss Prevention Cloud Service for Email accurately detects confidential data in corporate email that is sent from a Microsoft Exchange Server, Microsoft Office 365 Exchange Online, or Google G Suite Gmail. It accelerates your enterprise's cloud email adoption by seamlessly integrating Symantec’s market-leading data loss prevention controls with your enterprise's cloud email service (Microsoft Office 365 Exchange Online and Google G Suite Gmail are supported).



Symantec Cloud Service for Email monitors and analyzes outbound email traffic from your cloud email service and can encrypt, block, redirect, or modify email messages as specified in your enterprise’s policies. In addition, you can add the powerful data protection capabilities of Symantec Information Centric Encryption (ICE).

The Symantec Cloud Service for Email solution lets you author data loss policies, review and remediate incidents, and administer your Data Loss Prevention system at the Enforce Server administration console. This solution enables your enterprise to leverage its existing investment in policy definition and administration as well as incident remediation processes. The capability to use Symantec Cloud Service for Email to monitor and analyze on-premises Microsoft Exchange email traffic provides you with a seamless migration path to the cloud if you plan to move to a cloud email service, such as Microsoft Office 365 Exchange Online or Google G Suite Gmail.

Symantec Data Loss Prevention supports Office 365 Reflecting mode. You can configure a Microsoft Exchange Office 365 inbound connector as a mail transfer agent.

The Symantec Data Loss Prevention Cloud Service for Email solution also integrates with Symantec Email Security.cloud for email delivery and includes inbound and outbound email security services. See “About Symantec Email Security.cloud and Symantec Cloud Service for Email” on page 11.

Note: You can monitor on-premises Microsoft Exchange, Microsoft Office 365, and Google G Suite Gmail all from one Enforce Server. The monitoring of both on-premises Exchange emails and Office 365 Exchange Online emails is known as a hybrid deployment.

See “About updates to this guide” on page 8.

About updates to this guide

The Cloud Service for Email Implementation Guide is regularly updated with new features and updates to existing features. You can find the latest version of this guide at the Symantec support center:

https://www.symantec.com/docs/DOC9008

Subscribe to this article at the Symantec Support Center to be notified when it is updated.

The following table provides the history of updates to this version of the Cloud Service for Email Implementation Guide.



Table 1-1 Change History for the Cloud Service for Email Implementation Guide

Date: 22 July 2019
Description:
  ■ Made minor edits to match the instructions to the current Exchange admin center UI.
  ■ Added content about the new Cloud Management Portal (CMP) and removed content about the provisioning form.
  ■ Support for 14.6 ends in September 2019, so removed references to 14.6.

Date: 15 April 2019
Description:
  ■ Reinstated a note that explains that even though the validation test for adding a new connector for Microsoft Office 365 fails, you must click Save to complete the process. This applies to Office 365 Forwarding mode and Reflecting mode.

Date: 26 March 2019
Description:
  ■ Added "Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting mode." This section includes information about TXT record IDs for domains and the upgrade process.
  ■ Clarified that while Cloud Service for Email is in Reconcile mode, you must contact Symantec Support if you want to remove domains.
  ■ Corrected URL from pki.scep.symauth.com to pki-scep.symauth.com.

See “Customer roles for Symantec Cloud Service for Email” on page 9.

Customer roles for Symantec Cloud Service for Email

Several people in your organization may need to coordinate activities during the implementation of Symantec Cloud Service for Email. Although you may have different labels for each of these roles, or responsibilities may overlap, it's important to have an idea of who needs to participate in the implementation process.



Table 1-2 Implementing Symantec Cloud Service for Email: roles and responsibilities

Role: Email Administrator
Typical responsibilities:
  Creates a Cloud Management Portal account and performs initial configuration of Cloud Service for Email. Also sets up Symantec Email Security.cloud, if it is used for final email delivery.
  Configures email service and routes outbound email from Microsoft Exchange, Microsoft Office 365 Exchange Online, or Google G Suite Gmail to DLP Symantec Cloud Service for Email.
  If you configure Office 365 Exchange Online Reflecting mode, the email administrator also provides the DLP administrator the Office 365 endpoint URL to route mail from the DLP Symantec Cloud Service for Email.
  The Email Administrator is usually part of a large email administration team, and in charge of all mail server administration tasks including mail routing, rules, mail security, and archiving for the organization. This administrator may or may not be the same as the DLP Administrator.

Role: DLP Administrator
Typical responsibilities:
  May create a Cloud Management Portal account and perform initial configuration of Cloud Service for Email. Installs Data Loss Prevention and registers the Data Loss Prevention cloud detector within the Enforce Server administration console. Sets up ICE encryption. Updates the email domains in the Enforce Server administration console. Creates policies, remediates incidents, monitors the user risk summary, generates reports, configures system management and roles, and configures detectors.

Role: Domain Administrator
Typical responsibilities:
  Manages and updates domains in the Enforce Server administration console.

Role: Network Administrator
Typical responsibilities:
  Enables access from the Enforce Server to the Symantec Data Loss Prevention cloud gateway.

See “About Symantec Email Security.cloud and Symantec Cloud Service for Email” on page 11.



About Symantec Email Security.cloud and Symantec Cloud Service for Email

Symantec Email Security.cloud acts as an outbound mail transfer agent for emails passing through Symantec Cloud Service for Email for detection. You can also use Office 365 Reflecting mode as a mail transfer agent for Microsoft Office 365. Symantec Email Security.cloud enables you to redirect, silent-block, quarantine, or encrypt emails through its data protection functionality. Policy Based Encryption and Silent Blocking are two examples of how data protection can be enforced using Symantec Email Security.cloud. See “Using Symantec Email Security.cloud Data Protection” on page 59.

See “Symantec Cloud Service for Email architecture” on page 12.

You can find overviews of Symantec Email Security.cloud features at

https://www.symantec.com/products/email-security-cloud

You can find more information on setting up and using other Symantec Email Security.cloud features at

https://support.symantec.com/en_US/email-security-cloud.html

See “Customer roles for Symantec Cloud Service for Email” on page 9.

About the Customer Management Portal

The Customer Management Portal is where you configure and keep track of your Symantec Data Loss Prevention cloud services. After you order a Symantec Data Loss Prevention cloud service, you receive an email from Symantec order processing. This welcome email tells you how to log on to the Symantec Data Loss Prevention Customer Management Portal (CMP). After you get your service started, you can then use this guide to connect your new cloud service to your existing Enforce Server, through the Enforce Server administration console.

If you use Symantec Email Security.cloud as a mail transfer agent, Symantec creates a Symantec Email Security.cloud account on your behalf or adds Symantec Data Loss Prevention service to your existing Symantec Email Security.cloud account.

After you provide information about your requested services and mail configuration and press Configure in the CMP, Symantec sends you an enrollment bundle, in the form of a zip file. You will receive this enrollment bundle by the end of the next business day. You can then save this bundle to your Enforce Server.

See “About the enrollment bundle” on page 12.

See “Using the Cloud Management Portal” on page 20.



About the enrollment bundle

After you provide information about your cloud service on the Symantec Cloud Management Portal (CMP), Symantec sends you an enrollment bundle, in the form of a zip file. You can then install the Symantec Cloud Service for Email license and save this bundle to your Enforce Server. You will receive this bundle by the end of the next business day after you press Configure in the CMP.

See “Saving the enrollment bundle for Symantec Data Loss Prevention cloud services” on page 22.

Note: The enrollment bundle expires in seven calendar days after Symantec sends it to you. If your enrollment bundle expires before you upload the bundle and register the service, contact Symantec Support to obtain a new bundle.

See “Symantec Cloud Service for Email architecture” on page 12.

Support for Symantec Cloud Service for Email

For help with troubleshooting your service, contact Symantec Support at

https://support.symantec.com/en_US/contact-support.html

Table 1-3 Where to go for other support

Problem: Problems with Microsoft Exchange or Microsoft Office 365 Exchange Online
Contact: Contact Microsoft Support at www.support.microsoft.com

Problem: Problems with Google G Suite Gmail
Contact: Contact Google G Suite Support at https://gsuite.google.com/setup-hub/

See “Symantec Cloud Service for Email architecture” on page 12.

Symantec Cloud Service for Email architecture

Symantec Cloud Service for Email consists of the following components:

■ Symantec Data Loss Prevention version 15.0 or later. Symantec Data Loss Prevention versions under 15.0 are not supported after September 16, 2019, so we recommend that you upgrade before you set up your cloud service.

■ Symantec Cloud Detectors that provide Symantec Data Loss Prevention in the Symantec cloud.



■ Your organization's on-premises Microsoft Exchange deployment, Microsoft Office 365 Exchange Online, or Google G Suite Gmail setup to relay SMTP traffic to Symantec Cloud Service for Email.

■ Symantec Email Security.cloud for email delivery. For Office 365, you can provide email delivery with Office 365 Reflecting mode.

After a message is sent, it is routed through the cloud detector and then delivered to its final destination. Figure 1-1 depicts this process when you use Email Security.cloud.

Figure 1-1 Message flow for Symantec Cloud Service for Email

Here's a summary of how an email flows through the system:

1. Mary, an employee, sends an outbound email message from her corporate on-premises Exchange, Office 365 Exchange Online, or Google G Suite Gmail account to Bob, an external user.



2. The email is sent to the on-premises Exchange servers, the Exchange Online servers in the Office 365 Exchange Online cloud, or Google G Suite Gmail servers in the Google cloud.

3. The administrator has set up Office 365 Exchange Online or Google G Suite Gmail so the corresponding servers route email messages to Symantec Cloud Service for Email that resides in the Symantec cloud.

4. Symantec Cloud Service for Email leverages the existing policies that are defined in the Enforce Server, and analyzes the emails for any violations of these policies. If any policy is violated, the Symantec Cloud Detector adds directives in the form of X-Headers to the email. Then, it generates incidents and sends them to the customer's on-premises Enforce Server. At the Enforce Server administration console, the Data Loss Prevention administrator or remediator can view incident reports.

5. Emails that pass detection are routed for final delivery through Symantec Email Security.cloud. Office 365 mail can be routed for final delivery through Office 365 Reflecting mode.

Based on data protection policies that are defined within Email Security.cloud and X-Headers that the Symantec Cloud Detector inserts, Email Security.cloud blocks, encrypts, quarantines, or redirects the email before delivery to the recipient mail server.

6. In this case, the email that passed detection is delivered to Bob.
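To make the two-stage flow in steps 4 and 5 concrete, here is a small model written for this page (it is not code from the guide or from Symantec): a detector stage that records each policy verdict as an X-Header, and a delivery stage that reads those headers and decides whether the message is delivered, encrypted, redirected, quarantined, or blocked. The header names, the policy rules and the sample messages are constructed for the illustration and are not the product's real ones.

```python
"""Toy model of the Cloud Service for Email message flow: a detector stage
analyzes an outbound message against policies and records its verdict as
X-Headers; a separate delivery stage (the mail transfer agent) reads those
headers and blocks, encrypts, quarantines, redirects, or delivers the mail.

Header names, policy rules and sample messages are constructed for this
example; they are not Symantec's actual header names or policies.
"""
import re
from email import policy as email_policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical header names (constructed; not the product's real X-Headers).
HDR_POLICY = "X-Example-DLP-Policy"
HDR_ACTION = "X-Example-DLP-Action"

# Constructed policy set: policy name -> (pattern, action requested of the MTA).
POLICIES = {
    "Payment Card Numbers": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), "encrypt"),
    "Internal Project Codenames": (re.compile(r"\bPROJECT-[A-Z]{4}\b"), "block"),
}

# When several policies fire, the most restrictive action wins.
ACTION_RANK = {"block": 3, "quarantine": 2, "redirect": 1, "encrypt": 0}


def parse(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return BytesParser(policy=email_policy.default).parsebytes(raw)


def detect(msg: EmailMessage) -> EmailMessage:
    """Detector stage (step 4): evaluate the text body against every policy.
    Each violation adds one header naming the policy and one naming the
    requested action. A message with no violation is returned unchanged."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for name, (pattern, action) in POLICIES.items():
        if pattern.search(text):
            msg.add_header(HDR_POLICY, name)
            msg.add_header(HDR_ACTION, action)
    return msg


def deliver(msg: EmailMessage) -> str:
    """MTA stage (step 5): derive the final disposition from the detector's
    headers. Returns 'deliver', 'encrypt', 'redirect', 'quarantine' or 'block'."""
    actions = [str(a) for a in (msg.get_all(HDR_ACTION) or [])]
    if not actions:
        return "deliver"  # clean mail passes straight through
    return max(actions, key=lambda a: ACTION_RANK.get(a, -1))


def incidents(msg: EmailMessage) -> list[str]:
    """Policies the detector flagged: what an incident report would list."""
    return [str(p) for p in (msg.get_all(HDR_POLICY) or [])]


def process(raw: bytes) -> tuple[str, list[str]]:
    """Run a raw message through both stages; return (disposition, incidents)."""
    msg = detect(parse(raw))
    return deliver(msg), incidents(msg)


# Constructed sample messages: one clean, one violating a single policy.
CLEAN_MSG = b"""From: mary@example.com
To: bob@example.net
Subject: Lunch

See you at noon.
"""

CARD_MSG = b"""From: mary@example.com
To: bob@example.net
Subject: Invoice

Please charge 4111 1111 1111 1111 for the order.
"""

if __name__ == "__main__":
    for raw in (CLEAN_MSG, CARD_MSG):
        print(process(raw))
```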

See “Preparing to implement Symantec Cloud Service for Email” on page 17.

System requirements for Symantec Cloud Service for Email

The following components are necessary for Symantec Cloud Service for Email:

■ A Symantec Data Loss Prevention Enforce Server, version 15.0 MP1 or later

■ A license for Symantec Data Loss Prevention Symantec Cloud Service for Email for each mail service you monitor

■ An enrollment bundle for Symantec Data Loss Prevention

■ An on-premises Microsoft Exchange Server, or a Microsoft Office 365 Exchange Online or Google G Suite Gmail online hosting account

■ An account with Symantec Email Security.cloud, only if you use it as a mail transfer agent

■ An Office 365 Exchange Online account set up in Reflecting mode, if you use it as a mail transfer agent



For more information on the hardware requirements and software requirements for Symantec Data Loss Prevention, see the latest version of the Symantec Data Loss Prevention System Requirements and Compatibility Guide, available at

https://support.symantec.com/en_US/article.DOC10602.html



Chapter 2 Deploying the Cloud Service for Email

This chapter includes the following topics:

■ Preparing to implement Symantec Cloud Service for Email

■ Symantec Cloud Service for Email Implementation overview

■ Using the Cloud Management Portal

■ Saving the enrollment bundle for Symantec Data Loss Prevention cloud services

■ Accessing the cloud service from the Enforce Server

■ Registering the Cloud Detector

■ Enabling incident reconciliation

■ Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding mode)

■ Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)

■ Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)

■ Detecting emails from a subset of Office 365 Exchange Online users

■ Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for Email

■ Detecting emails from a subset of Google G Suite Gmail users

■ Testing Symantec Cloud Service for Email

■ About updating email domains in the Enforce Server administration console



Preparing to implement Symantec Cloud Service for Email

Before you implement Symantec Cloud Service for Email, you must complete a few preliminary tasks.

■ Determine who in your organization is responsible for each of the implementation tasks. For initial implementation, the two roles that are required are DLP administrator (DLP Admin) and Email administrator (Email Admin).

■ Shortly after you place your order, you will get an email with instructions on how to log on to the Symantec Cloud Management Portal and configure your service.

See “Symantec Cloud Service for Email Implementation overview” on page 17.

See “Using the Cloud Management Portal” on page 20.

Symantec Cloud Service for Email Implementation overview

Implementing Symantec Cloud Service for Email is a multi-step process. Symantec Data Loss Prevention Cloud Detectors, as well as the Email Security.cloud service, are both already provisioned for you in the Symantec cloud. Table 2-1 lists the steps that you must take to start using your services in the Symantec cloud. See the cross-referenced sections for more details.

Table 2-1 Overview of Symantec Cloud Service for Email setup

Step 1 (DLP Admin): Click the link in your welcome email to log on to the Symantec Data Loss Prevention Cloud Management Portal. Use the Portal to perform initial setup of your Symantec cloud services.
More information: See “Using the Cloud Management Portal” on page 20.

Step 2 (DLP Admin): Upgrade to Symantec Data Loss Prevention version 15.0 MP1 or later, if you are running a previous version.
More information: See the Symantec Data Loss Prevention Upgrade Guide and Symantec Data Loss Prevention Administration Guide for more details.

Step 3 (DLP Admin): Open a port for the Enforce Server to communicate with the Symantec Cloud Service for Email.
More information: See “Opening a port for communication with the cloud service” on page 23.

Step 4 (DLP Admin): Save the enrollment bundle to a directory on the Enforce Server.
More information: Symantec sends you an enrollment bundle, in the form of a zip file, after it provisions the service in the cloud. This bundle sets up your on-premises Enforce Server so that it can connect to your Symantec Cloud Service for Email in the Symantec cloud. Note: Do not extract the zip file; extracted files in XML format do not work. See “Saving the enrollment bundle for Symantec Data Loss Prevention cloud services” on page 22.

Step 5 (DLP Admin): Register the Cloud Detector.
More information: Register the Cloud Detector on the Servers and Detectors page of the Enforce Server administration console. See “Registering the Cloud Detector” on page 24.

Step 6 (DLP Admin): Enable incident reconciliation.
More information: See “Enabling incident reconciliation” on page 25.

Step 7 (Email Admin): Depending on which email service you use:

■ Connect on-premises Exchange with Symantec Cloud Service for Email using the Exchange Administration Center.

■ Connect Microsoft Office 365 Exchange Online with Symantec Cloud Service for Email using Exchange admin center. This method uses Symantec Email Security.cloud.

■ Connect Microsoft Office 365 Online with Symantec Cloud Service for Email using admin center. This method uses an Office 365 receive connector.

■ Connect Google G Suite Gmail with Symantec Cloud Service for Email using the Google Admin console. This method uses Symantec Email Security.cloud.

More information: See “Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)” on page 31. See “Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)” on page 34. See “Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for Email” on page 38.

Step 8 (DLP Admin): Test Symantec Cloud Service for Email.
More information: Generate an incident against a test policy. See the section "Testing Network Prevent for Email" in the Symantec Data Loss Prevention Administration Guide for more information.

Step 9 (DLP Admin): Create policies and monitor incidents for Symantec Cloud Service for Email.
More information: See the section "Creating a policy for Network Prevent for Email" in the Symantec Data Loss Prevention Administration Guide for more information.

Step 10 (DLP Admin and ICE Admin): Set up ICE for Email encryption.
More information: See “Encrypting cloud email with Symantec Information Centric Encryption” on page 47.

Step 11 (DLP Admin): Update email domains in the Enforce Server administration console.
More information: See “About updating email domains in the Enforce Server administration console” on page 41.

See “Using the Cloud Management Portal” on page 20.

Using the Cloud Management Portal

With the Symantec Data Loss Prevention Cloud Management Portal (CMP) you can perform initial setup of your cloud services after you purchase them. After you place your order, you'll receive a Welcome Email from Symantec order processing. This email includes information on how to obtain a Symantec Secure Login account, if you do not already have one. It also contains a link to the Cloud Management Portal.

To create a Symantec Secure Login account

1 Check your inbox for the email that was sent from [email protected], with the subject line “Welcome to Symantec Security Cloud – Confirm Email Address.” If you do not find the email in your Inbox, check your Junk mail folder.

2 Click the Confirm link in this email to establish your Symantec Secure Login account.

3 Go to https://login.symantec.com/ and click Having Trouble Signing In if you cannot log in to your Symantec Secure Login account or need to reset your password.

4 If you are not the registered user mentioned in this email, contact a registered user in your company. Any registered user can add you to your corporation’s account as a registered user.

To log on to the Cloud Management Portal

1 Click the link in the email to reach your Cloud Management Portal account.

2 Log in to your CMP account.

3 On the dashboard, view the cloud services that you have purchased and configure them for your particular email forwarding configuration.

To perform initial setup of your cloud service

1 Provide an email address or distribution list address (recommended). Symantec cloud services sends the enrollment bundle to this address.

2 If you want to convert an existing Trial service to a Sandbox or Production service, choose the service you want to convert.


3 Click Convert.

4 If you are configuring a new Sandbox or Production service, choose a region.

Note: Symantec offers two region choices: North America or Europe. You can choose either region, no matter where you are located. You can choose a different region for each of your cloud services, as long as they are each connected to different Enforce Servers. Each Enforce Server can only connect to one Data Loss Prevention cloud region.

5 Click Configure.

To set up your desired email flow configuration

1 Select one of the following configurations:

■ Office 365 to Symantec Data Loss Prevention to Email Security.cloud (Forwarding mode)

■ Office 365 to Symantec Data Loss Prevention to Office 365 (Reflecting mode)

■ Gmail to Symantec Data Loss Prevention to Email Security.cloud (Forwarding mode)

■ On-premises Microsoft Exchange and Office 365 to Symantec Data Loss Prevention to Email Security.cloud Hybrid (Forwarding mode)

2 Click Configure.

To set up configuration of other cloud services

◆ Select one of the following options:

■ Cloud Detection Service for CASB (CloudSOC)

■ Cloud Detection Service for Web Security Service

■ ICE

After you click Configure, Symantec cloud services sends you an enrollment bundle, which you should receive by the end of the next business day.

After you set up a cloud service, you can always come back to your Cloud Services overview page in the CMP to see the configuration status of your services. If you are waiting for your enrollment bundle for a service, the status is In Progress.

See “Saving the enrollment bundle for Symantec Data Loss Prevention cloud services” on page 22.


Saving the enrollment bundle for Symantec Data Loss Prevention cloud services

After Symantec has set up your detection service in the cloud, Symantec sends you an enrollment bundle. This bundle contains the information that you need to set up the connection from your on-premises Enforce Server to the Symantec-hosted detection service in the cloud.

You can copy the enrollment bundle to any directory on your Enforce Server. Do not extract the enrollment bundle zip file. The Enforce Server administration console requires the enrollment bundle in the form of a zip file; extracted XML files do not enable enrollment.

Note: Each enrollment bundle can be uploaded to the Enforce Server to register your service only once. The enrollment bundle expires 10 calendar days after you receive it. For security reasons, you should ensure that no other user can access the bundle. To ensure limited access, change the properties of the destination folder so that no other user can read it or write to it.

If you have waited longer than 10 calendar days to upload your bundle and register the service, and need a new enrollment bundle, contact Symantec Support at

https://support.symantec.com/en_US/contact-support.html

For example, on Windows, save the bundle to

C:\Users\<username>\Downloads

or any other subfolder under c:\Users\<username>.

On Linux, save the bundle to

/<home>/<username>/

or any subfolder under /<home>/<username>/.

Note: You should receive an enrollment bundle shortly after Symantec provisions your service. If you have not received an enrollment bundle in a reasonable amount of time, check your Junk mailbox. Check with your internal IT department to ensure that your company has no inbound filters that may have blocked receipt of the enrollment bundle zip file.
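The note above asks you to keep the bundle as a zip, limit access to its folder, and watch the expiry window. The following PowerShell function is an added example, not part of the Symantec guide, that performs those three checks on a Windows Enforce Server: it confirms the file still has a zip signature, removes inherited permissions from the containing folder so only the current account and SYSTEM retain access, and warns when the file is older than the 10 calendar days the note states. The bundle path is a placeholder you supply; the expiry value is a parameter so you can match whichever window applies to your service.

```powershell
# Added example (not from the Symantec guide). Stages the enrollment bundle on
# a Windows Enforce Server: verifies it is still a zip, restricts the folder
# ACL to the current account plus SYSTEM, and flags a bundle older than the
# stated expiry window. The path passed in is a placeholder for your own.
function Protect-EnrollmentBundle {
    param(
        [Parameter(Mandatory)] [string] $BundlePath,   # e.g. C:\Users\<username>\Downloads\enrollmentbundle.zip
        [int] $ExpiryDays = 10                          # calendar-day window given in the guide
    )

    if (-not (Test-Path -LiteralPath $BundlePath -PathType Leaf)) {
        throw "Bundle not found: $BundlePath"
    }

    # 1. The console needs the .zip exactly as delivered. A zip archive starts
    #    with the bytes 'P','K' (0x50 0x4B); an extracted XML file does not.
    $fs = [System.IO.File]::OpenRead($BundlePath)
    try {
        $magic = New-Object byte[] 2
        [void] $fs.Read($magic, 0, 2)
    } finally { $fs.Dispose() }
    $isZip = ($magic[0] -eq 0x50 -and $magic[1] -eq 0x4B)
    if (-not $isZip) {
        throw "$BundlePath is not a zip archive; upload the bundle as delivered, not its extracted XML."
    }

    # 2. Limit access to the containing folder: stop inheritance without
    #    copying inherited rules, drop explicit rules, then grant only the
    #    current account and SYSTEM. Adjust the grantees to your own policy.
    $folder = Split-Path -Parent $BundlePath
    $acl = Get-Acl -LiteralPath $folder
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void] $acl.RemoveAccessRule($rule) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($identity in @($me, 'NT AUTHORITY\SYSTEM')) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    }
    Set-Acl -LiteralPath $folder -AclObject $acl

    # 3. Warn if the bundle is older than the expiry window. LastWriteTime is
    #    an approximation of when Symantec produced the bundle.
    $age = (Get-Date) - (Get-Item -LiteralPath $BundlePath).LastWriteTime
    $expired = $age.TotalDays -gt $ExpiryDays
    if ($expired) {
        Write-Warning "Bundle is $([int]$age.TotalDays) days old (limit $ExpiryDays); request a new one from Symantec Support."
    }

    [pscustomobject]@{
        Path    = $BundlePath
        IsZip   = $isZip
        Folder  = $folder
        AgeDays = [math]::Round($age.TotalDays, 1)
        Expired = $expired
    }
}

# Usage (placeholder path; run in an elevated session on the Enforce Server):
# Protect-EnrollmentBundle -BundlePath 'C:\Users\<username>\Downloads\enrollmentbundle.zip'
```

Run it once, right after saving the bundle and before registering the detector. Because the folder ACL is rewritten, keep the bundle in a folder created for that purpose rather than a shared Downloads directory that other processes rely on.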

See “Accessing the cloud service from the Enforce Server” on page 22.

Accessing the cloud service from the Enforce Server

You can establish communication between the Enforce Server and the cloud service either directly or by using a proxy.


See “Opening a port for communication with the cloud service” on page 23.

Opening a port for communication with the cloud service

The on-premises Enforce Server must be able to communicate with the Symantec Cloud Service for Email. Your corporate network must allow outbound traffic to port 443. Open port 443 and ensure that access to the following URLs is allowed for connecting to the DLP cloud service:

■ pki-scep.symauth.com

■ gw.csg.dlp.protect.symantec.com

See your network administrator for more information on opening a port in your environment.

If your enterprise has deployed a transparent proxy between the Enforce Server and the Symantec Data Loss Prevention cloud service, the Enforce Server does not trust the transparent proxy CA and the communication fails. You must exempt the Enforce Server from the transparent proxy and allow it to communicate outbound on TCP port 443 to the Internet.

If your enterprise security policy does not allow this access from your Enforce Server, you can use a proxy. See “Configuring the Enforce Server to use a proxy to connect to cloud services” on page 23.
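Before registering the detector it is worth confirming, from the Enforce Server itself, that TCP 443 reaches both hosts listed above and that no transparent proxy is re-signing the TLS session. The function below is an added example and not part of the Symantec guide: it opens a TLS connection to each host and reports the subject and issuer of the certificate actually presented. If the issuer is your corporate or proxy CA rather than a public CA, interception is in the path and the Enforce Server will reject it, which is exactly the failure the paragraph above describes. The optional proxy-CA name pattern is a hypothetical value you supply.

```powershell
# Added example (not from the Symantec guide). From the Enforce Server, checks
# outbound TCP 443 to the two hosts the guide lists and shows who issued the
# certificate each host presents, so a transparent TLS proxy can be spotted.
function Test-DlpCloudEgress {
    param(
        [string[]] $Hosts = @('pki-scep.symauth.com', 'gw.csg.dlp.protect.symantec.com'),
        [string]   $ProxyCaPattern = ''   # e.g. 'Contoso Proxy CA' (hypothetical); empty = report only
    )
    foreach ($h in $Hosts) {
        $result = [ordered]@{
            Host = $h; TcpOpen = $false; Subject = $null; Issuer = $null
            LikelyIntercepted = $null; Error = $null
        }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($h, 443)
            $result.TcpOpen = $true
            # Accept any chain for this probe: the goal is to SEE the
            # certificate, not to validate it. Never reuse this in real clients.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($h)   # sets SNI to the host name
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.Subject = $cert.Subject
            $result.Issuer  = $cert.Issuer
            if ($ProxyCaPattern) {
                $result.LikelyIntercepted = ($cert.Issuer -like "*$ProxyCaPattern*")
            }
            $ssl.Dispose()
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            $client.Dispose()
        }
        [pscustomobject]$result
    }
}

# Usage on the Enforce Server:
# Test-DlpCloudEgress | Format-Table -AutoSize
# Test-DlpCloudEgress -ProxyCaPattern 'Contoso Proxy CA' | Format-Table -AutoSize
```

A `TcpOpen` of False points at the firewall rule for port 443; a public-CA issuer with `TcpOpen` True means the direct path is usable. An issuer naming your own CA means the server is still behind the transparent proxy and needs the exemption the text requires, or the explicit proxy configuration described next.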

Configuring the Enforce Server to use a proxy to connect to cloud services

To configure the Enforce Server to use a proxy to connect to cloud services, you must set up your proxy according to the proxy manufacturer's instructions. Then you configure the Enforce Server to support the use of the proxy. After setting up your proxy, use these instructions to complete the setup.

If you have configured the Enforce Server to connect to the Symantec ICE Cloud, Network Protect uses the configured proxy to connect to the ICE Cloud whenever a SharePoint scan triggers the SharePoint Encrypt response action.

Network Discover/Cloud Storage Discover also supports network proxies for connecting to the ICE Cloud during file share (File System) scans. To configure the network proxy settings for file share scans, you must update the Server configuration.

To configure the Enforce Server to use a proxy to connect to a cloud service

1 Go to System > Settings > General and click Configure. The Edit General Settings screen is displayed.

2 In the Enforce to Cloud Proxy Settings section, select one of the following proxy categories:

■ No proxy, or transparent proxy, or


■ Manual proxy

3 If you choose Manual proxy, fields for a URL, Port, and Proxy is Authenticated appear.

■ Enter the HTTP Proxy URL.

■ Enter a port number.

4 If you are using an authenticated proxy, also enter

■ a user ID

■ a password

Note: The Enforce Server supports basic authentication when using a proxy to connect to cloud services. For connecting to the ICE Cloud, the Enforce Server supports basic, NTLM, and Kerberos authentication.

5 Click Save.

Registering the Cloud Detector

After you save the enrollment bundle, you can register your detector, enabling your on-premises Enforce Server to communicate with your Symantec Cloud Service for Email.

To add a Symantec Cloud Service for Email Cloud Detector

1 Log on to the Enforce Server as administrator.

2 Go to System > Servers and Detectors.

The Overview page appears.

3 Click Add Cloud Detector.

The Add Cloud Detector screen appears.

4 Click Browse in the Enrollment Bundle File field.

5 Locate the enrollmentbundle.zip that you received from Symantec and saved to your Enforce Server.

The detector description for the chosen enrollment bundle appears. Verify that you have chosen the correct bundle.

6 Add a name for this detector in the Detector Name field.

7 Click the Enroll Detector option to enroll your detector. The enrollment process can take some time. You can track its progress on the Servers and Detectors > Overview page.


It may take several minutes or longer for the Enforce Server administration console to show a Connected status for the Cloud Detector. To verify that the service was added, return to the Servers and Detectors > Overview page. Verify that the cloud service appears in the list, and that the status indicates Connected. After several minutes, if the connection status still displays Unknown, you should restart the Monitor Controller process to move the status to Connected.

Note: Each enrollment bundle can be uploaded to the Enforce Server to register your service only once. The enrollment bundle expires 7 calendar days after you receive it. For security reasons, you should ensure that no other user can access the bundle. To ensure limited access, change the properties of the destination folder so that no other user can read it or write to it.

If you have waited longer than 7 calendar days to upload your bundle and register the service, and need a new enrollment bundle, contact Symantec Support at

https://support.symantec.com

Enabling incident reconciliation

Incident reconciliation is turned off by default, but must be turned on for Symantec Cloud Service for Email to work properly. Turning on incident reconciliation enables managing of duplicate copies of emails that are generated by Office 365 Exchange Online or Google G Suite Gmail, preventing duplicate incidents. Duplicate copies of an email are generated when recipients are added to the Cc or Bcc lists. For example, a user sends one email containing Bcc's through Office 365 Exchange Online. The email violates one policy and more than one incident is created. Incident reconciliation "reconciles" these multiple incidents to one, avoiding the unnecessary duplication of incidents.

Enable incident reconciliation on the Enforce Server computer on Windows

1 On the computer that hosts the Enforce Server, log on as Admin.

2 Change directory to C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config.

3 Open the IncidentPersister.properties file.

4 Change persister.enable.incident.reconciliation=false to equal true.

5 Restart the Symantec Data Loss Prevention services as appropriate for your version of Windows services on the server computer.

See "Managing Enforce Server services and settings" in the Symantec Data Loss Prevention Administration Guide for more details on Symantec Data Loss Prevention services.


Enable incident reconciliation on the Enforce Server computer on Linux

1 On the computer that hosts the Enforce Server, log on as root.

2 Change directory to /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/config.

3 Open the IncidentPersister.properties file.

4 Change persister.enable.incident.reconciliation=false to equal true.

5 Restart the Incident Persister service as appropriate for Linux services on the server computer.

See "Managing Enforce Server services and settings" in the Symantec Data Loss Prevention Administration Guide for more details on Symantec DLP services.
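The two procedures above come down to one property change in IncidentPersister.properties followed by a service restart. The function below is an added example, not part of the Symantec guide, that makes that change idempotently on a Windows Enforce Server: it reads the file, sets persister.enable.incident.reconciliation to true only if it is not already true (appending the key if it is absent), keeps a timestamped backup, and reports whether a restart is needed. The default path is the 15.7 Windows path from the procedure; the service-name pattern in the trailing comment is an assumption you should verify against your own services list.

```powershell
# Added example (not from the Symantec guide). Idempotently sets
# persister.enable.incident.reconciliation=true in IncidentPersister.properties
# and keeps a backup. Default path is the 15.7 Windows path from the guide;
# pass -ConfigDir for another version or layout.
function Enable-IncidentReconciliation {
    param(
        [string] $ConfigDir = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config',
        [string] $Key = 'persister.enable.incident.reconciliation'
    )
    $file = Join-Path $ConfigDir 'IncidentPersister.properties'
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { throw "Not found: $file" }

    $lines   = @(Get-Content -LiteralPath $file)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(.*)$'
    $found = $false
    $changed = $false

    # Rewrite only the matching line; everything else (comments, other keys)
    # is passed through untouched.
    $new = @(foreach ($line in $lines) {
        if ($line -match $pattern) {
            $found = $true
            if ($Matches[1].Trim() -ne 'true') { $changed = $true; "$Key=true" } else { $line }
        } else {
            $line
        }
    })
    if (-not $found) {            # key absent: append it rather than fail
        $changed = $true
        $new += "$Key=true"
    }

    if ($changed) {
        $stamp = Get-Date -Format 'yyyyMMddHHmmss'
        Copy-Item -LiteralPath $file -Destination "$file.$stamp.bak"
        # Java .properties files are read as ISO-8859-1; write ASCII with no BOM.
        [System.IO.File]::WriteAllLines($file, [string[]]$new, [System.Text.Encoding]::ASCII)
    }

    [pscustomobject]@{ File = $file; AlreadyEnabled = (-not $changed); Changed = $changed; RestartRequired = $changed }
}

# Usage (elevated session on the Enforce Server):
# $r = Enable-IncidentReconciliation
# if ($r.RestartRequired) {
#     # Service display names vary by DLP version; the pattern below is an
#     # assumption. Confirm with Get-Service before restarting anything.
#     Get-Service | Where-Object DisplayName -like 'Symantec DLP*' | Restart-Service
# }
```

The return object lets a change-control script record whether anything was modified. On Linux the same edit is a one-line sed on the /opt path given above, followed by restarting the Incident Persister service as the procedure states.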

See “Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding mode)” on page 26.

Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding mode)

You must set up outbound connectors in the Microsoft Exchange admin center to forward mail from Exchange to Symantec Cloud Service for Email. You must also set up at least one routing rule that controls which emails are forwarded. By default, Exchange routes the emails using its own mail transfer agents (MTAs). To enable monitoring of emails by Symantec Data Loss Prevention, mail flow rules must be set up to divert the emails to Symantec Cloud Service for Email. Figure 2-1 shows the flow of emails with this setup.

Symantec Cloud Service for Email supports Exchange Server versions 2010, 2013, and 2016.

Note: Microsoft Exchange Server 2010 must be configured at the Exchange server, not at the Microsoft Exchange admin center.


Figure 2-1 On-premises Microsoft Exchange to DLP to Symantec Email Security.Cloud

To log on to your Microsoft Exchange admin center account

1 Log on to your corporate Microsoft admin center account at https://<your Exchange server name>/ecp as administrator.

2 Expand the Exchange admin center item in the left column.

You must add the public domain as a default domain in case the internal domain for Exchange is different from the external domain. For instructions, see

https://technet.microsoft.com/en-us/library/bb124423(v=exchg.160).aspx

Configure an email address policy with the public domain address as a default domain, instead of using the local domain address. This step is necessary in case the internal domain is different from the external domain. For instructions, see

https://technet.microsoft.com/en-us/library/bb232171(v=exchg.160).aspx

Then, proceed with the next steps.

To add a new send connector

1 Click mail flow from the left column.

2 Click send connectors.

3 Click + to add a new send connector.

4 Type the name of the connector in the Name field on the first new send connector page.

5 Click Internet in the Type field.

6 Click Route mail through these smart hosts.

7 Click +. Specify at least one smart host name or IP address for the outbound connector. Use the URL that is indicated in your Symantec Data Loss Prevention Cloud Service for Email welcome letter.

8 Select None under smart host authentication.

9 On the next new send connector page, click + to add a new address space.


10 On the Address Space -- Webpage Dialog, enter SMTP for the Type and * for the Fully Qualified Domain Name (FQDN). Keep the Cost default setting of 1 if you have only one send connector for your organization.

11 Click Save and then click Next.

12 Click + to add the source servers for the connector. Add all servers that are responsible for routing email out from your organization to Cloud Service for Email. Multiple servers provide redundancy for outbound mail flow.

13 Select connector and click Edit.

14 Select scoping and scroll to the bottom.

15 Type the Exchange public FQDN in the FQDN field. It must match the CN in the public certificate Subject.

16 Click add and then Finish.

To configure the receive connector

1 In the Exchange admin center, click mail flow then receive connectors.

2 Select a server from the Select server drop-down menu to create a new receive connector.

3 Click + to create a new receive connector.

4 Type a name for the connector in the Name field.

5 Under Role select Frontend Transport.

6 Under Type verify that Custom is selected and click Next.

7 Click -- to remove the default IP address range.

8 Click + and add at least one IP address of an application server or device that requires external SMTP relay access.

9 Click Finish to create the new receive connector.

To apply an X-DetectorID message header to emails that will be routed to your DLP cloud detector

1 Click rules, click +, and select Create a new rule.

2 Type a rule name in the Name field.

3 In the *Apply this rule if field, select The recipient is located .... Then select Outside the organization and click OK.

4 Click the More Options link at the bottom of the window and add another condition.

5 Click the Sender is, then select one or multiple users or user groups.

6 In the Do the following list select Set the message header to this value.


7 At the right of this field, click Enter text to set the message header name and type X-DetectorID. Click OK.

8 Click Enter text to set the header value to the detector ID that you can find in your Symantec welcome email or from the Enforce Server administration console at System > Servers and Detectors > Overview > Server / Detector Detail page, under ID.

9 Click Save.

If multiple rules exist, you can move this rule to give it adequate priority using the up and down arrows.

To create additional settings for the receive connector

1 Highlight the connector and click the pencil icon to edit the settings.

2 Select security and click Anonymous Users.

3 Click save.

4 Select connector and click Edit.

5 Select scoping and scroll to the bottom.

6 Type the Exchange public FQDN in the FQDN field. It must match the CN in the public certificate Subject.

7 Next, grant anonymous users (such as the unauthenticated SMTP connections coming from applications and devices on your network) the ability to send to external recipients. In the Exchange Management Shell, run the following command, substituting the name of your receive connector:

Get-ReceiveConnector <receive_connector_name> | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

8 Increase the number of inbound connections using this command:

Get-ReceiveConnector <receive_connector_name> | Set-ReceiveConnector -MaxInboundConnectionPerSource 100
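The send connector, receive connector and X-DetectorID rule above are all things the Exchange Management Shell can create in one scripted, reviewable pass, which is easier to audit than a sequence of admin-center clicks. The script below is an added example and not part of the Symantec guide; it targets Exchange 2013/2016 (the 2010 note above still applies) and every value at the top is a placeholder: the smart host comes from your welcome letter, the detector ID from the Enforce console, and the relay IPs, servers and monitored senders are your own. It also repeats the two commands the guide gives so the whole configuration is in one place.

```powershell
# Added example (not from the Symantec guide). Exchange Management Shell
# equivalent of the admin-center steps above for Exchange 2013/2016.
# All values below are placeholders for your environment.
$SmartHost      = 'smtp-smarthost.example.invalid'   # from the Symantec welcome letter
$DetectorId     = 'DETECTOR-ID-PLACEHOLDER'          # Enforce > System > Servers and Detectors > Overview > ID
$PublicFqdn     = 'mail.contoso.com'                 # must match the CN of your public certificate
$SourceServers  = @('EXCH01')                        # servers that route mail out of the organization
$ReceiveServer  = 'EXCH01'                           # server that hosts the relay receive connector
$RelayIps       = @('10.0.0.10', '10.0.0.11')        # application servers/devices allowed to relay
$MonitoredUsers = @('sales@contoso.com')             # senders whose external mail goes to DLP
$RcName         = 'DLP relay from applications'

# 1. Send connector: Internet usage, smart-host routed, no smart-host auth,
#    address space SMTP:* at cost 1, public FQDN set, TLS required.
New-SendConnector -Name 'DLP Cloud Service for Email' -Usage Internet `
    -AddressSpaces 'SMTP:*;1' -DNSRoutingEnabled $false -SmartHosts $SmartHost `
    -SmartHostAuthMechanism None -SourceTransportServers $SourceServers `
    -Fqdn $PublicFqdn -RequireTLS $true

# 2. Receive connector on the Frontend Transport role, Custom usage, scoped to
#    the listed relay sources only (the default 0.0.0.0-255.255.255.255 range
#    is replaced, matching the "-" step above).
New-ReceiveConnector -Name $RcName -Server $ReceiveServer `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $RelayIps -Fqdn $PublicFqdn

# 3. Anonymous relay to external recipients and the per-source connection
#    limit: the two commands from the guide, plus the Anonymous Users
#    permission group from the "security" step.
Get-ReceiveConnector "$ReceiveServer\$RcName" |
    Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
Set-ReceiveConnector "$ReceiveServer\$RcName" -PermissionGroups AnonymousUsers -MaxInboundConnectionPerSource 100

# 4. Transport rule: recipient outside the organization AND sender in the
#    monitored set -> stamp X-DetectorID so the cloud detector can attribute
#    the message. Priority 0 puts it ahead of existing rules.
New-TransportRule -Name 'Stamp X-DetectorID for DLP cloud detector' `
    -SentToScope NotInOrganization -From $MonitoredUsers `
    -SetHeaderName 'X-DetectorID' -SetHeaderValue $DetectorId -Priority 0

# 5. Review what was created before sending a test message.
Get-SendConnector 'DLP Cloud Service for Email' |
    Format-List Name, SmartHosts, Fqdn, RequireTLS, AddressSpaces, SourceTransportServers
Get-ReceiveConnector "$ReceiveServer\$RcName" |
    Format-List Name, TransportRole, RemoteIPRanges, PermissionGroups, MaxInboundConnectionPerSource
Get-TransportRule 'Stamp X-DetectorID for DLP cloud detector' |
    Format-List Name, Priority, SentToScope, From, SetHeaderName, SetHeaderValue
```

Keep the `-RemoteIPRanges` list as tight as the relay sources allow: with anonymous relay granted, that list is the only thing standing between the connector and an open relay. The rule's `-From` set is equally important, because mail from senders outside it never receives the header and is delivered without passing through detection.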

To add an SSL certificate to Exchange 2013, create a certificate request, submit the request to a certificate authority, and import the certificate.

To create a certificate request

1 Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, then click New+.

2 In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and click Next.

3 Type a name for this certificate, and click Next.


4 To request a wildcard certificate, select Request a wild-card certificate, then specify the root domain of all subdomains in the Root domain field. Leave this page blank if you want to specify each domain that you want to add to the certificate. Click Next.

5 Click Browse, then specify the Exchange server where you want to store the certificate. The server you select should be the internet-facing Client Access server. Click Next.

6 For each service listed, verify that the external or internal server names that are used to connect to the Exchange server are correct. If you configured the internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the intranet) should show owa.contoso.com.

The Offline Address Book (OAB) when accessed from the Internet and OAB when accessed from the intranet should show mail.contoso.com.

If you configured the internal URLs to internal.contoso.com, the Outlook Web App (when accessed from the Internet) and OAB (when accessed from the Internet) should show owa.contoso.com, and Outlook Web App (when accessed from the intranet) should show internal.contoso.com.

These domains are used to create the SSL certificate request. When you have verified the names, click Next.

7 Add any additional domains you want included on the SSL certificate.

8 Select the domain that you want to be the common name for the certificate. Set as common name, for example: contoso.com. Click Next.

9 Provide information about your organization. This information is included with the SSL certificate. Click Next.

10 Specify the network location where you want this certificate request to be saved. Click Finish.

To submit the request to a certificate authority

◆ Submit the request to your certificate authority (CA). You must use a public CA. You can search the CA website for the specific steps to submit a request.

You must provide Symantec Support with the public certificate that you assign to your outbound connector. Support can ensure that Symantec trusts the CA and the certificate.

To import the certificate you have received from the CA

1 Go to Server > Certificates in the Exchange Admin Center and select the certificate request you created in the previous steps.

2 In the Certificate request details pane, click Complete under Status.

3 On the Complete pending request page, specify the path to the SSL certificate file, then click OK.

4 Select the new certificate you added, then click Edit.


5 On the Certificate page, choose Services.

6 Select the services you want to assign to this certificate. At a minimum, select SMTP and IIS. Click Save.

7 Click Yes if you receive the warning: Overwrite the existing default SMTP certificate?.

Gather information to pass on to Symantec Support

1 After you have imported the certificate into Exchange, obtain a copy of the public key for the outbound MTA certificate.

2 If you use a certificate other than one issued by Symantec, Geotrust, or Thawte, gather the intermediate certificates you use.

3 Compile a list of public IPs that your on-premises email uses to forward mail to Symantec Data Loss Prevention Cloud Service for Email.
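The certificate wizard steps, the import, the service binding and the "gather information" list above map onto a short Exchange Management Shell sequence. The script below is an added example and not part of the Symantec guide; it targets Exchange 2013/2016 and uses placeholder server names, domains and paths. It writes the certificate request, imports the CA-issued certificate, binds it to SMTP and IIS (suppressing the default-SMTP-certificate prompt the guide mentions), then exports the public certificate without its private key together with any intermediate CA certificates in its chain, which is what Support asks for in steps 1 and 2.

```powershell
# Added example (not from the Symantec guide). Exchange Management Shell
# equivalent of the certificate wizard, import and "gather information" steps
# for Exchange 2013/2016. Server names, domains and paths are placeholders.
$Server     = 'EXCH01'                          # internet-facing Client Access server
$CommonName = 'mail.contoso.com'                # common name = FQDN set on the send connector
$Domains    = @('mail.contoso.com', 'owa.contoso.com', 'autodiscover.contoso.com')
$ReqFile    = '\\FILE01\certs\contoso.req'      # where the CSR is written (placeholder)
$CerFile    = '\\FILE01\certs\contoso.cer'      # signed certificate returned by the public CA (placeholder)
$OutDir     = 'C:\Temp\for-symantec-support'    # material to hand to Symantec Support (placeholder)

# 1. Create the request. Exchange 2013+ returns the CSR as text; write it out
#    as a Unicode file for submission to the public CA.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=$CommonName,O=Contoso,L=City,S=State,C=US" -DomainName $Domains `
    -FriendlyName 'DLP outbound MTA'
[System.IO.File]::WriteAllBytes($ReqFile, [System.Text.Encoding]::Unicode.GetBytes($csr))

# 2. Once the CA has returned the signed certificate: import it, then bind it
#    to SMTP and IIS (the minimum the guide asks for). -Force answers the
#    "Overwrite the existing default SMTP certificate?" prompt.
$imported = Import-ExchangeCertificate -Server $Server -FileData ([System.IO.File]::ReadAllBytes($CerFile))
Enable-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint -Services SMTP, IIS -Force

# 3. Gather what Support needs. Run this part on $Server itself, where the
#    certificate now lives in the machine store. -Type CERT exports the
#    public certificate only; the private key never leaves the server.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$($imported.Thumbprint)"
Export-Certificate -Cert $cert -FilePath (Join-Path $OutDir 'outbound-mta-public.cer') -Type CERT | Out-Null

# Intermediate CA certificates: build the chain, skip element 0 (the leaf)
# and the last element (the root), export the rest.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void] $chain.Build($cert)
for ($i = 1; $i -lt $chain.ChainElements.Count - 1; $i++) {
    $ica = $chain.ChainElements[$i].Certificate
    Export-Certificate -Cert $ica -FilePath (Join-Path $OutDir "intermediate-$i.cer") -Type CERT | Out-Null
}

# Record the chain for the support case and list the files to send.
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
Get-ChildItem -Path $OutDir
```

Add to the same folder the list of public IP addresses from step 3, which only your network team can supply, and attach the folder contents to the support case described next. Nothing in the export contains the private key, so the material is safe to share with Support.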

Contact Symantec Support

1 Contact Symantec support for Cloud Service for Email at https://support.symantec.com/en_US/contact-support.html.

2 Open a support case and pass on the information you gathered about your certificates and public IPs.

Symantec Support reviews the information that you have collected and verifies that it is complete. Support passes your information on to the cloud service so that email from your Exchange is securely forwarded to Cloud Service for Email for detection.

Symantec notifies you when the process is complete.

See “About updating email domains in the Enforce Server administration console” on page 41.

See “Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)” on page 31.

Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)

You must set up outbound connectors in the Microsoft Office 365 admin center to forward mail from Office 365 to Symantec Cloud Service for Email. You must also set up a routing rule that routes emails from O365 to DLP. By default, Office 365 routes the emails using its own mail transfer agents (MTAs). To enable monitoring of emails by Symantec Data Loss Prevention, mail flow rules must be set up to divert the emails to Symantec Cloud Service for Email. Figure 2-2 shows the flow of emails with this setup.


Figure 2-2 Office 365 to DLP to Email Security.cloud (Forwarding mode)

Note: You should have a basic understanding of how Office 365 rules and connectors work, and how they are used in your organization before you proceed. The following instructions give you a general example of how to set up Office 365 to forward email to Symantec Cloud Service for Email. The applications of rules (number of domains, migration path, exceptions, for example) vary from one organization to the next. The following instructions reflect the Microsoft Office 365 admin center user interface at the time this document was published. While the Microsoft Office 365 user interface may change, the values you need to enter to configure the connection between Office 365 and Symantec Cloud Service for Email remain the same.

To log on to your Microsoft Office 365 admin center account

1 Log on to your corporate Office 365 account as administrator.

2 Expand the admin center item.

3 Choose Exchange, then choose mail flow from the left column.

To create a new connector in the Exchange Admin Center

1 Click connectors.

2 Click + to add a new connector.

3 Click from Office 365 and to Partner organization.

4 Then click Next.

5 Type the name of the connector in the Name field. You can optionally fill in the Description field.

6 Select Only when I have a transport rule set up that redirects messages to this connector. Then click Next.

7 Click Route email through these smart hosts.

8 Click + and add the Cloud Detector (SMTP Smarthost) URL that is indicated in the Symantec Data Loss Prevention Cloud Service for Email welcome letter.


9 Select Always use Transport Layer Security (TLS) to secure the connection (recommended) on the next New connector page, under How should Office 365 connect to your partner organization's email server?

10 Then select Issued by a trusted certificate authority (CA), under Connect only if the recipient's email server certificate matches this criteria.

11 Then click Next.

To review the configuration and complete the connector configuration process

1 Review the configuration on the next New connector page, then click Next.

2 Enter any email for the test.

3 Click Validate on the next New connector page, under Validate this connector. The status indicates Failed, but click Save to complete the setup process.

Note: The test always fails because Symantec Data Loss Prevention does not trust Microsoft test certificates. Symantec only validates and trusts Microsoft production certificates. You must still click Save to complete the setup process. To verify that your setup works, you have to run an email through the Symantec Data Loss Prevention Cloud Service for Email process. See “Testing Symantec Cloud Service for Email” on page 41.

After you set up outbound connectors in the Microsoft Office 365 Exchange admin center, you must set up at least one routing rule to indicate to Office 365 Exchange which emails you want to route through Symantec Cloud Service for Email. Each email to which the routing rule applies has an X-Header added to it. If the routing rule does not apply to an email, that email is not routed to Symantec Cloud Service for Email, so it bypasses detection and is delivered to recipients. Review the rule's conditions and exceptions carefully: any sender or recipient the rule does not cover is unmonitored.

To create a rule that routes emails from Office 365 Exchange to your DLP cloud detector and to apply an X-DetectorID message header to those emails

1 Click rules, click +, and select Create a new rule.

2 Type a rule name in the Name field.

3 In the *Apply this rule if field, select The recipient is located .... Then select Outside the organization in the select recipient location field and click OK.

4 Click the More Options link at the bottom of the window and add another condition.

5 Click the Sender is, then select one or multiple users or user groups.

6 Select Modify the message properties. Then select Set a message header to see Set the message header to this value.

7 Set the message header name to X-DetectorID. Click OK.

8 Click Enter text to set the header value to the detector ID that you can find in your Symantec welcome email or from the Enforce Server administration console at System > Servers and Detectors > Overview > Server / Detector Detail page, under ID.

To associate the rule with a connector

1 In the Do the following field, choose Redirect this message to the following connector and select the new connector that you created.

2 Click Save.

3 You can apply the rule to a subset of users. See “Detecting emails from a subset of Office 365 Exchange Online users” on page 38.

4 Leave all other options set to the defaults. Optionally, you can add comments to explain the purpose of the rule.

See “Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)” on page 34.

Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)

You must set up outbound and inbound connectors in the Microsoft Office 365 admin center to forward mail from Office 365 to Symantec Cloud Service for Email and then forward the processed mail to its final destination. You must also set up at least one routing rule that controls which emails are forwarded. By default, Office 365 routes the emails using its own mail transfer agents (MTAs). To enable monitoring of emails by Symantec Data Loss Prevention, mail flow rules must be set up to divert the emails to Symantec Cloud Service for Email. Figure 2-3 shows the flow of emails with this setup.

Figure 2-3 Office 365 to DLP to Office 365 (Reflecting mode)

You should have a basic understanding of how Office 365 rules and connectors work, and how they are used in your organization before you proceed. The following instructions give you a general example of how to set up Office 365 to forward email to Symantec Cloud Service for Email. The application of rules (number of domains, migration path, exceptions, for example) varies from one organization to the next.

Note: The following instructions reflect the Microsoft Exchange admin center user interface at the time this document was published. While the Microsoft Exchange user interface may change, the values you need to enter to configure the connection between Office 365 and Symantec Cloud Service for Email remain the same.

To log on to your Microsoft Exchange admin center account

1 Log on to your corporate Office 365 account as administrator.

2 Expand the admin center item.

3 Choose Exchange, then choose mail flow from the left column.

The outbound connector sends traffic to Symantec Data Loss Prevention for scanning.

To create a new outbound connector

1 Click connectors.

2 Click + to add a new connector.

3 Click from Office 365 and to Partner organization.

4 Then click Next.

5 Type Outbound Connector in the Name field. You can optionally fill in the Description field with Connector for sending email to DLP.

6 Click Next.

7 Select Only when I have a transport rule set up that redirects messages to this connector. Then click Next.

8 Click Route mail through these smart hosts.

9 Click Next.

10 Click + and add the Cloud Detector (SMTP Smarthost) URL that is indicated in the Symantec Data Loss Prevention Cloud Service for Email welcome letter.

11 Select Always use Transport Layer Security (TLS) to secure the connection (recommended) on the next New connector page, under How should Office 365 connect to your partner organization's email server?

12 Then select Issued by a trusted certificate authority (CA), under Connect only if the recipient's email server certificate matches this criteria.

13 Then click Next.

To review the configuration and complete the connector configuration process

1 Review the configuration on the next New connector page, then click Next.

2 Enter any email for the test.

3 Click Validate on the next New connector page, under Validate this connector. The status indicates Failed, but click Save to complete the setup process.

Note: The test always fails because Symantec Data Loss Prevention does not trust Microsoft test certificates. Symantec only validates and trusts Microsoft production certificates. You must still click Save to complete the setup process. To verify that your setup works, you have to run an email through the Symantec Data Loss Prevention Cloud Service for Email process. See “Testing Symantec Cloud Service for Email” on page 41.

The inbound connector receives traffic from Symantec Data Loss Prevention and then forwards it to its final destination (Reflecting mode). Set the subject name of the inbound connector to the name Symantec provides in your welcome letter.

To create a new inbound connector

1 Click connectors.

2 Click + to add a new connector.

3 Click from Your organization's email server and to Office 365.

4 Then click Next.

5 Type the name of the connector in the Name field, for example, Inbound Connector. You can optionally fill in the Description field, for example, Connector for receiving email from DLP.

6 Click Next.

7 Select By verifying that the subject name on the certificate that the sending server uses to authenticate with Office 365 matches this domain name. Then click Next.

8 Specify the subject name that is used in the public signed certificate that was generated for your cloud detector (see your Symantec welcome email), then click Next.

To review the configuration and complete the connector configuration process

1 Review the configuration on the next New connector page, then click Next.

2 Click Save.
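The connector wizard cannot validate the smart host (the note above explains why the test reports Failed), but the two TLS requirements it encodes can be checked from an administrator's workstation before the connectors go live: the smart host must offer STARTTLS with a certificate that chains to a trusted CA (the outbound connector's "Issued by a trusted certificate authority" setting), and the certificate subject must match the name you enter on the inbound connector. The following is an added example in PowerShell; it is not part of the Symantec guide and not Symantec's or Microsoft's code. It uses only .NET socket and TLS classes, so it runs on any host with outbound port 25, and the host name and expected subject name are placeholders for the values in your welcome letter.

```powershell
# Added example (not from the Symantec guide): probe the Cloud Detector smart
# host on port 25, require STARTTLS, validate the certificate chain against the
# local trust store and report the subject so it can be compared with the name
# the welcome letter gives for the inbound connector. Host name is a placeholder.

function Test-DlpSmartHostTls {
    param(
        [Parameter(Mandatory)] [string] $SmartHost,
        [int] $Port = 25,
        [string] $ExpectedSubjectName = ''   # subject name from the welcome letter (optional)
    )

    $client = [System.Net.Sockets.TcpClient]::new($SmartHost, $Port)
    $client.ReceiveTimeout = 15000
    $stream = $client.GetStream()
    $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
    $writer = [System.IO.StreamWriter]::new($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # SMTP replies can span several lines: "250-..." continues, "250 ..." ends.
    $readReply = {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw "Connection closed by $SmartHost" }
            $lines += $line
        } while ($line -match '^\d{3}-')
        ,$lines
    }

    $ssl = $null
    try {
        $banner = & $readReply
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner -join ' | ')" }

        $writer.WriteLine('EHLO dlp-tls-check.example.com')   # placeholder client name
        $ehlo = & $readReply
        if (-not ($ehlo | Where-Object { $_ -match '^250[- ]STARTTLS' })) {
            throw "$SmartHost does not advertise STARTTLS; the connector's TLS requirement cannot be met"
        }

        $writer.WriteLine('STARTTLS')
        $reply = & $readReply
        if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' | ')" }

        # Default validation callback: the chain must build to a trusted CA and the
        # name must match $SmartHost; otherwise AuthenticateAsClient throws.
        $ssl = [System.Net.Security.SslStream]::new($stream, $false)
        $ssl.AuthenticateAsClient($SmartHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        $subjectMatches = $null
        if ($ExpectedSubjectName) {
            # Plain CN comparison; the inbound connector matches on the certificate subject name.
            $subjectMatches = $cert.Subject -match ('(^|, )CN=' + [regex]::Escape($ExpectedSubjectName) + '(,|$)')
        }

        # Say goodbye over the encrypted channel.
        $tlsWriter = [System.IO.StreamWriter]::new($ssl, [System.Text.Encoding]::ASCII)
        $tlsWriter.NewLine = "`r`n"
        $tlsWriter.WriteLine('QUIT')
        $tlsWriter.Flush()

        [pscustomobject]@{
            SmartHost      = $SmartHost
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            SubjectMatches = $subjectMatches
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage with placeholder values from the welcome letter:
Test-DlpSmartHostTls -SmartHost 'detector.example.invalid' -ExpectedSubjectName 'detector.example.invalid'
```

A thrown AuthenticationException means the chain or name check failed, which is exactly the condition under which Office 365 would refuse to deliver through the outbound connector; an expired NotAfter or a SubjectMatches of False means the inbound connector's subject-name match will not hold. Re-run the check after any certificate change announced by Symantec.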

After you set up outbound connectors in the Microsoft Office 365 Exchange admin center, you must set up at least one routing rule to indicate to Office 365 Exchange which emails you want to route through Symantec Cloud Service for Email. Each email to which the routing rule applies has an X-Header added to it. If the routing rule does not apply to an email, that email is not routed to Symantec Cloud Service for Email, so it bypasses detection and is delivered to recipients.

To create a rule and add an X-Header in the Exchange admin center that routes emails from Office 365 to DLP

1 Click rules, click +, and select Create a new rule.

2 Type a rule name in the Name field.

3 In the Apply this rule if field, select The sender is, then select one or multiple users or user groups.

4 Select Modify the message properties. Then select Set a message header to see Set the message header to this value.

5 Set the message header name to X-DetectorID. Click OK.

6 Click Enter text to set the header value to the detector ID that you can find in your Symantec welcome email or from the Enforce Server administration console at System > Servers and Detectors > Overview > Server / Detector Detail page, under ID.

Add an action to the same rule that redirects the message to the outbound connector, and an exception that keeps mail returning from the cloud detector from being routed again

1 Click add action.

2 Select Redirect the message to.

3 Select use the following connector.

4 Select Outbound Connector.

5 Click OK.

6 Click add exception and choose IP address is in any of these ranges or exactly matches.

7 In the specify IP address ranges dialog, enter an IPv4 address or range.

8 To avoid loops, add the outbound DLP Cloud Detector IPs and CIDR blocks from the Symantec DLP Cloud Service for Email welcome email when prompted. Without this exception, mail that the detector sends back through the inbound connector matches the rule again and is redirected to the detector a second time.

For cloud detectors in the US data center the list is:

■ 52.41.248.36

■ 52.27.180.120

■ 52.33.64.93

■ 18.237.140.176/28

■ 18.206.107.176/28

For cloud detectors in the EU data center the list is:

■ 52.30.186.166


■ 52.51.15.72

■ 52.211.17.155

■ 34.246.231.224/28

■ 18.184.203.160/28

9 Click OK.

10 Save the rule.
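The Forwarding-mode and Reflecting-mode procedures above configure the same three objects through the admin center wizard: an outbound connector scoped to a transport rule, optionally an inbound connector that matches the detector's certificate subject, and a mail flow rule that stamps X-DetectorID and redirects to the connector. The following is an added example in Exchange Online PowerShell that creates the same configuration so it can be reviewed, version-controlled and re-applied identically in a test and a production tenant; it is not part of the Symantec guide and not Symantec's or Microsoft's code. It assumes the ExchangeOnlineManagement module is installed; the smart host name, detector ID, certificate subject name, pilot group and admin account are placeholders for the values in your welcome letter and tenant, and the loop-guard IP list is the US data center list from this section.

```powershell
# Added example (not from the Symantec guide): connectors and mail flow rule for
# routing Office 365 mail through the Cloud Detector, in Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module. PLACEHOLDER values come from the
# Symantec welcome letter or the Enforce Server administration console.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # PLACEHOLDER admin account

$SmartHost      = 'detector.example.invalid'     # PLACEHOLDER: Cloud Detector (SMTP Smarthost) URL
$DetectorId     = 'PLACEHOLDER-DETECTOR-ID'      # welcome letter, or System > Servers and Detectors > Overview
$InboundTlsName = 'detector.example.invalid'     # PLACEHOLDER: certificate subject name (Reflecting mode only)
$PilotGroup     = 'dlp-pilot@example.com'        # PLACEHOLDER: group whose members' mail is diverted
$ReflectingMode = $true                          # $false = Forwarding mode (no inbound connector)

# Detector source addresses from the guide (US data center). Swap in the EU list
# from the guide if your detector is provisioned there.
$DetectorSourceIps = @(
    '52.41.248.36', '52.27.180.120', '52.33.64.93',
    '18.237.140.176/28', '18.206.107.176/28'
)

# 1. Outbound connector: Office 365 -> partner, used only when a rule routes to
#    it, TLS required, and the smart host certificate must chain to a trusted CA
#    (CertificateValidation = "Issued by a trusted certificate authority (CA)").
New-OutboundConnector -Name 'Outbound Connector' `
    -Comment 'Connector for sending email to DLP' `
    -ConnectorType Partner `
    -IsTransportRuleScoped $true `
    -UseMXRecord $false `
    -SmartHosts $SmartHost `
    -TlsSettings CertificateValidation `
    -RecipientDomains '*' | Out-Null

# 2. Inbound connector (Reflecting mode only): accept mail back from the detector
#    only over TLS and only when the presented certificate subject matches.
if ($ReflectingMode) {
    New-InboundConnector -Name 'Inbound Connector' `
        -Comment 'Connector for receiving email from DLP' `
        -ConnectorType OnPremises `
        -SenderDomains '*' `
        -RequireTls $true `
        -TlsSenderCertificateName $InboundTlsName `
        -RestrictDomainsToCertificate $true | Out-Null
}

# 3. Mail flow rule: stamp X-DetectorID on mail from the pilot group and hand it
#    to the outbound connector. Forwarding mode additionally limits the rule to
#    external recipients; Reflecting mode adds the loop guard instead.
$ruleParams = @{
    Name                          = 'Route to DLP Cloud Detector'
    FromMemberOf                  = $PilotGroup
    SetHeaderName                 = 'X-DetectorID'
    SetHeaderValue                = $DetectorId
    RouteMessageOutboundConnector = 'Outbound Connector'
    Comments                      = 'Divert pilot users to Symantec Cloud Service for Email'
}
if ($ReflectingMode) {
    # Mail returning from the detector's addresses must not match the rule again.
    $ruleParams['ExceptIfSenderIpRanges'] = $DetectorSourceIps
} else {
    $ruleParams['SentToScope'] = 'NotInOrganization'
}
New-TransportRule @ruleParams | Out-Null

# Check: the rule is enabled and points at the rule-scoped connector, and the
# connector carries the TLS settings the guide requires.
Get-TransportRule -Identity 'Route to DLP Cloud Detector' |
    Format-List Name, State, FromMemberOf, SentToScope, SetHeaderName, SetHeaderValue,
                RouteMessageOutboundConnector, ExceptIfSenderIpRanges
Get-OutboundConnector -Identity 'Outbound Connector' |
    Format-List Name, Enabled, IsTransportRuleScoped, SmartHosts, TlsSettings, UseMXRecord
```

The script deliberately does not run the wizard's connector validation, which the guide says reports Failed for this smart host; confirm the route with a test message as described under “Testing Symantec Cloud Service for Email”. Anything outside the FromMemberOf group (or, in Forwarding mode, any internal recipient) is delivered by Microsoft's MTA without inspection, so widen the sender condition once the pilot is over.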

See “Detecting emails from a subset of Office 365 Exchange Online users” on page 38.

See “Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for Email” on page 38.

Detecting emails from a subset of Office 365 Exchange Online users

You may want to create a rule to divert a subset of your Office 365 Exchange Online users to Symantec Cloud Service for Email for detection. Diverting a subset of users is helpful when you want to test Symantec Data Loss Prevention, or when you want to specify that only certain departments are included in detection. To divert emails from a subset of users, create a rule in the Exchange admin center. See “To create a rule that routes emails from Office 365 Exchange to your DLP cloud detector and to apply an X-DetectorID message header to those emails” on page 33. Substitute the following steps for steps 2 and 3. When you follow this procedure, emails from other users bypass detection and are routed to the recipients by the Microsoft mail transfer agent.

Create the rule to detect emails from a subset of Office 365 Exchange Online users in the Exchange admin center

1 Choose The sender is this person in the Apply this rule if window.

2 Choose the users that you want to add to this group and click Add. Or, you can type a user's email address in the Add field.

See “About updating email domains in the Enforce Server administration console” on page 41.

Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for Email

To enable monitoring of emails by Symantec Data Loss Prevention, you must set up Google G Suite Gmail mail-flow rules to forward the emails to Symantec Cloud Service for Email. By default, Google G Suite Gmail routes the emails using its own mail transfer agents (MTAs). This is a two-step process: first, configure a host and enable TLS; then, configure the Routing setting to deliver only the outbound emails to Symantec Cloud Service for Email. Figure 2-4 shows the flow of emails with this setup.

Figure 2-4 Gmail to DLP to Email Security.cloud

Note: The following instructions reflect the Google Admin console user interface at the time this document was published. The values you need to enter to configure the connection between Google G Suite Gmail and the Symantec Cloud Service for Email remain the same, even if the Google interface changes.

To configure a host and enable TLS

1 Sign in to the Google Admin console.

2 From the dashboard, go to Apps > G Suite > Gmail > Settings for Gmail.

3 Click the Hosts tab.

4 Click Add route.

5 Locate the Cloud Detector (SMTP Smarthost) URL that you received from Symantec in the Symantec Cloud Service for Email welcome letter.

6 In the Add mail route dialog, add a name for the mail route.

7 Under Single host, enter the Cloud Detector (SMTP Smarthost) URL from the welcome letter and 25 for the port number.

8 Select Require secure transport (TLS) and Require CA signed certificate.

9 Click Save.

Configure the Routing setting to add an X-Header to deliver only the outbound emails to Symantec Cloud Service for Email

1 Go to Apps > G Suite > Settings for Gmail > Advanced settings.

2 Click the General Settings tab.

3 Scroll down the page to locate the Routing section.

4 Click Add another in the Routing section.

5 Type a name for the route (for example, "Route to DLP") in the Add Setting configuration pop-up dialog box.

6 Select Outbound in the Messages to affect section.

7 Select Only affect specific envelope senders in the Envelope filter section. Add an email address.

8 Select Modify message > Add custom headers in the For the above type of messages section.

9 Click add in the Custom headers section.

10 Set the header name to X-DetectorID.

11 Set the header value to the detector ID that you can find in the Symantec welcome email or from the Enforce Server administration console at System > Servers and Detectors > Overview > Server / Detector Detail page, under ID.

12 Click Save.

13 Click Change route.

14 Choose an email address.

15 In the Encryption (onward delivery only) section, choose Require secure transport (TLS).

16 Click Add Setting.

17 Review your settings on the General Settings page.

If you are running tests of Symantec Data Loss Prevention, you may want finer filtering of your messages to include only a subset of users.

See “Detecting emails from a subset of Google G Suite Gmail users” on page 40.

See “About updating email domains in the Enforce Server administration console” on page 41.

Detecting emails from a subset of Google G Suite Gmail users

You may want to forward only a subset of your Google G Suite Gmail users to Symantec Cloud Service for Email for detection. Forwarding a subset of users is helpful when you want to test Symantec Data Loss Prevention. It is also helpful when you want to specify that only certain departments are included in detection. When you follow this procedure, only the emails from these specified users pass through Symantec Cloud Service for Email for detection and then on to Symantec Email Security.cloud for delivery. Emails from other users bypass detection and are routed to the recipients by the Gmail mail transfer agent.

Create filters for outbound messages

1 Select Execute this setting only if the envelope sender matches or select Execute this setting only if the envelope recipient matches.

2 Type a regular expression to filter on the senders or recipients.

See “About updating email domains in the Enforce Server administration console” on page 41.

See “Testing Symantec Cloud Service for Email” on page 41.

Testing Symantec Cloud Service for Email

You can test Symantec Cloud Service for Email by sending an email that violates your test policy.

To test your system

1 Create a policy. See “Creating and publishing a policy group for Symantec Cloud Service for Email” on page 46.

2 Access an Office 365 email account or a Gmail account that routes to Symantec Cloud Service for Email.

3 Send an email that violates the policy that you created in step 1. After the email is sent, it takes several minutes for the incident to appear on the Enforce Server administration console. The incident reconciliation timer determines the delay. The delay is configured in the IncidentPersister.properties file. The default value is 4 minutes, so, by default, the incident does not appear on the Enforce Server administration console for 4 minutes from the time the email was sent.

4 In the Enforce Server administration console, go to Incident > Network and click Incidents - All. Look for the resulting incident. For example, search for an incident entry that includes the appropriate timestamp and policy name.

5 Click on the relevant incident entry to see the complete incident snapshot.

See “Creating and publishing a policy group for Symantec Cloud Service for Email” on page 46.

About updating email domains in the Enforce Server administration console

You can quickly update the email domains of the corporate emails that you want Cloud Service for Email (the Cloud Service) to scan. This capability applies to emails that are sent from Microsoft Office 365 in Reflecting mode. The new list is immediately sent to the Symantec Cloud Service when you add or remove a domain in the Enforce Server administration console. Cloud Service for Email verifies and updates your domains. This ability enables you to update domains at any time.

The Cloud Service only supports domains that have been added (white listed) either through the Enforce Server administration console or through Symantec Support. Emails of unsupported domains are rejected (bounced) by the Cloud Service.

If you are an existing customer of Cloud Service for Email, when you upgrade to 15.1 MP1 through 15.7, your existing domains are preserved and your traffic is not disrupted. You are blocked from making any changes to your domains in the Enforce Server administration console until the Cloud Service verifies your existing domains.

See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 through 15.7 if you use Reflecting mode” on page 44.

See “Adding the unique TXT record to your DNS settings” on page 42.

Adding the unique TXT record to your DNS settings

Each domain that you use requires verification by the Cloud Service. Each domain must contain a predetermined DNS TXT record ID to pass verification. Symantec automatically generates this ID when it provisions your Cloud Service for Email instance. You can find the TXT record ID at System > Servers and Detectors > Overview > Server/Detector Detail. Work with your DNS administrator or email administrator to add the TXT record ID to each of your domains.

When you upgrade to Symantec Data Loss Prevention 15.1 MP1 through 15.7 from an earlier version, your Cloud Service is in reconcile mode. All domains that are configured on the Cloud Service are available for verification. Once all domains are verified, you can manage the domains going forward.

Note: As the domain owner, you must update your domains. Symantec cannot perform this task for you.

See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 through 15.7 if you use Reflecting mode” on page 44.

See “Updating email domains” on page 42.

Updating email domains

You can edit or remove email domains one-by-one or by importing a text file.

To add email domains one-by-one

1 Navigate to the System > Servers and Detectors > Overview screen. Click the detector in the list. Click Update Email Domains on the Email Domains page.

2 Click Add.

3 Enter an email domain.

To add domains in bulk by adding a list or importing a text file

1 Go to Add Email Domains.

2 Click Update Email Domains.

3 In the Enter Email Domains box, add email domains in comma- or line-separated format.

4 Alternately, indicate a file name and click Upload to upload a text file with email domains in a comma- or line-separated format.

5 Click Save.

Note: Domain names must be specific. Wildcard DNS records such as *.example.com are not supported. Specific subdomains (those not using wildcards) are supported.

Once you have added domains, you can configure the names after the Enforce Server syncs with the cloud configuration. All domains are checked and updated every 15 minutes by the Symantec Cloud Service.

To configure email domains at the Enforce Server administration console

1 Go to System > Servers and Detectors > Overview.

2 Select the Cloud email detector that you want to configure. The detail page for that detector appears.

3 Click Update Email Domains.

4 Select a domain and then select Add or Delete.

The Domain status can be one of the following:

■ Added - The domain has been verified and added.

■ Reconcile - The Symantec Cloud Service has tried to verify a domain, but there is no TXT record in your DNS setting and the domain cannot be verified. You need to add the DNS TXT record so that the domain can be verified and added. After you update, click Resend to send the updated domain to Symantec.

■ Removed - You have deleted a domain and Symantec removed it from the detector properties.

■ Invalid - The domain that you tried to add in the Enforce Server administration console failed the DNS validation.

■ Request to Remove - You have deleted a domain and Symantec has not yet removed it from the detector properties.

If the Symantec Cloud Service finds any validation problems with the email domains that you have submitted, notifications appear on the bottom of the Detector Details page. Only valid domains are used; the detector ignores invalid domains. You are responsible for checking that the domains you have submitted are accepted and are valid.

See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 through 15.7 if you use Reflecting mode” on page 44.

See “Update override by the Symantec Cloud Service” on page 44.

Update override by the Symantec Cloud Service

The Symantec Cloud Service team can override the Add Domains feature when you make a request for assistance to Symantec Support. If an override is required, a message that the Symantec Cloud Service has overridden control is visible in the System Events panel at the bottom right of the Detector Details page.

See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 through 15.7 if you use Reflecting mode” on page 44.

Upgrading to Symantec Data Loss Prevention 15.1 MP1 through 15.7 if you use Reflecting mode

If you use Reflecting mode, when you upgrade to Symantec Data Loss Prevention 15.1 MP1 through 15.7, your domains are all in a Reconcile state until Symantec verifies that they are valid and contain a DNS TXT record ID. Each one of your domains must include a DNS TXT record ID.

To add a DNS TXT record ID to each of your domains

1 Find your DNS TXT record ID on the System > Servers and Detectors > Overview > Server/Detector Detail page.

2 Add the DNS TXT record ID to each of your domains.

3 Click Reconcile to send the corrected domain records to the Symantec Cloud Service.

When your Cloud Service is in Reconcile mode, you can only reconcile domains. You cannot add or remove domains. During this time, the Symantec Cloud Service controls updating.

If the Symantec Cloud Service finds any validation problems with the email domains that you have submitted, notifications appear on the bottom of the Detector Details page. Only valid domains are used; the detector ignores invalid domains. You are responsible for checking that the domains you have submitted are accepted and are valid. You must fix domains marked Reconcile.

To fix domains to include the DNS TXT record code

1 Find your DNS TXT record ID on the System > Servers and Detectors > Overview > Server/Detector Detail page.

2 Add the DNS TXT record ID to each of your domains that are marked Reconcile.

3 Go back to the Enforce Server administration console.

4 Click Resend to send the corrected domain records to the Symantec Cloud Service.
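Because the Cloud Service only re-checks domains on its own schedule and leaves unverified ones in Reconcile, it saves round trips to confirm the TXT records yourself before submitting a domain list or clicking Resend. The following is an added example in PowerShell (not part of the Symantec guide and not Symantec's code). It reads a domain list in the same comma- or line-separated form that Update Email Domains accepts, rejects wildcard entries, and reports which domains publish a TXT record carrying the verification ID. It assumes the Windows DnsClient module (Resolve-DnsName) is available and that the record value contains the ID as a substring; the ID and file path are placeholders.

```powershell
# Added example (not from the Symantec guide): verify that each domain in a
# comma- or line-separated list publishes a TXT record containing the
# verification ID from the Server/Detector Detail page. Assumes Resolve-DnsName
# (Windows DnsClient module). The ID and file path are placeholders.

function Get-DlpDomainList {
    param([Parameter(Mandatory)] [string] $Path)
    # Split on commas and line breaks, normalise case, drop blanks and duplicates.
    (Get-Content -Path $Path -Raw) -split '[,\r\n]+' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique
}

function Test-DlpDomainTxtRecord {
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        [Parameter(Mandatory)] [string]   $TxtRecordId,
        [string] $Server = ''   # optional resolver, e.g. the zone's authoritative server to bypass caches
    )
    foreach ($d in $Domain) {
        # The console rejects wildcard entries; list each subdomain explicitly instead.
        if ($d.Contains('*')) {
            [pscustomobject]@{ Domain = $d; Status = 'Invalid'; Detail = 'Wildcard entries are not supported' }
            continue
        }

        $query = @{ Name = $d; Type = 'TXT'; ErrorAction = 'Stop' }
        if ($Server) { $query['Server'] = $Server }
        try {
            # Long TXT values arrive as several 255-byte strings; rejoin them before matching.
            $txt = @(Resolve-DnsName @query |
                     Where-Object { $_.Type -eq 'TXT' } |
                     ForEach-Object { -join $_.Strings })
        }
        catch {
            [pscustomobject]@{ Domain = $d; Status = 'Invalid'; Detail = "Lookup failed: $($_.Exception.Message)" }
            continue
        }

        $hit = @($txt | Where-Object { $_.Contains($TxtRecordId) })
        if ($hit.Count -gt 0) {
            $status = 'Verified'
            $detail = "Found: $($hit[0])"
        } else {
            $status = 'Missing'
            $detail = "No TXT record contains the ID ($($txt.Count) TXT record(s) present)"
        }
        [pscustomobject]@{ Domain = $d; Status = $status; Detail = $detail }
    }
}

# Usage (placeholders). Domains reported Missing are the ones the console will
# leave in Reconcile until the record is published and Resend is clicked.
$domains = Get-DlpDomainList -Path '.\email-domains.txt'
Test-DlpDomainTxtRecord -Domain $domains -TxtRecordId 'PLACEHOLDER-TXT-RECORD-ID' |
    Format-Table -AutoSize
```

Pass -Server with the zone's authoritative name server when a record was just published, so a cached negative answer from the local resolver does not mask the change; on a non-Windows host, replace the Resolve-DnsName call with an equivalent dig +short TXT query and keep the rest of the logic.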

If you want to remove domains when your service is in Reconcile mode, contact Symantec Support. The removal is synced from the Cloud Service to the Enforce Server administration console.

Once all of your domains are verified, you can manage them all through the Enforce Server administration console.

See “Adding the unique TXT record to your DNS settings” on page 42.

Creating Policies and Managing Incidents for the Cloud Service for Email

This chapter includes the following topics:

■ Creating and publishing a policy group for Symantec Cloud Service for Email

■ Encrypting cloud email with Symantec Information Centric Encryption

Creating and publishing a policy group for Symantec Cloud Service for Email

You can create the policies that include any of the standard response rules, for example, Add Comment, Limit Incident Data Retention, Log to a Syslog Server, Send Email Notification, and Set Status.

See the Symantec Data Loss Prevention Administration Guide for more details.

You can also incorporate the following rules, which are specific to the Symantec Cloud Service for Email:

■ Network: Block SMTP Message
Blocks the email messages that contain confidential data or significant metadata (as defined in your policies). You can configure Symantec Data Loss Prevention to bounce the message or redirect the message to a specified address. The redirect feature is typically used to reroute messages to the address of a mailbox or mail list. Administrators and managers use the mailbox or list to review and release messages. Such mailboxes are outside the Symantec Data Loss Prevention system.

■ Network: Modify SMTP Message
Modifies the email messages that contain confidential data or significant metadata (as defined in your policies). You can use this action to modify the message subject or add specific RFC 2822 message headers to trigger further downstream processing, for example, message encryption, message quarantine, or message archiving.

For details on setting up any response rule action, go to Manage > Policies > Response Rules and click Add Response Rule, then open the online Help.

For details on using the Network: Modify SMTP Message action to trigger downstream processes (such as message encryption), see the Symantec Data Loss Prevention MTA Integration Guide for Network Prevent.

Even if you do not incorporate response rules into your policy, Symantec Cloud Service for Email captures incidents as long as your policies contain detection rules. This feature can be useful if you want to review the types of incidents Symantec Data Loss Prevention captures and then refine your policies.

To create a block test policy for Symantec Cloud Service for Email

1 In the Enforce Server administration console, create a response rule that includes one of the actions specific to Symantec Cloud Service for Email. For example, create a response rule that includes the Network: Block SMTP Message action.

2 Create a policy that incorporates the response rule you configured in the previous step.

For example, create a policy called Test Policy as follows:

■ Include a Content Matches Keyword detection rule that matches on the keyword "secret".

■ Include a Network: Block SMTP Message response rule.

■ Associate it with the Default policy group.

Encrypting cloud email with Symantec InformationCentric Encryption

Integrating Symantec Information Centric Encryption (ICE) with Symantec Data Loss PreventionCloud Service for Email enables you to encrypt sensitive emails that are sent through MicrosoftOffice 365 Exchange Online or Google G Suite Gmail. ICE encryption can be applied to emailattachments or to the email body and email attachments.

You set up ICE for Email in the Symantec ICE Cloud Console and the Enforce Serveradministration console. You must set up encryption response rules for the emails that passthrough detection. Incidents show up on the Incident Details page with links to the ICEConsole.

47Creating Policies and Managing Incidents for the Cloud Service for EmailEncrypting cloud email with Symantec Information Centric Encryption

Page 48: Symantec Data Loss PreventionCloudServicefor ......Table 1-2 Implementing Symantec Cloud Service for Email: roles and responsibilities Role Typical responsibilities CreatesaCloudManagementPortalaccountand

Using ICE with DLP Cloud Service for Email

Typical encryption technologies may allow data loss after emails are decrypted. Once the emails are decrypted, they can be sent to other individuals and are no longer protected. However, ICE encryption technology encrypts and protects emails and attachments throughout the life of an email, regardless of where the email travels. If an email or an attachment violates one or more DLP Cloud Service for Email policies, DLP Cloud Service for Email can direct the ICE encryption service to automatically encrypt the message. Once it is encrypted, only the users that you authorize can read it. ICE can encrypt the email and attachments, or only the attachments.

With ICE, you can apply granular permissions to ICE-encrypted emails and determine what a user can do with an email after ICE decrypts it. You can restrict the user from printing the email attachment or email and attachment, modifying them, or sharing them. When DLP Cloud Service for Email identifies an attachment to an email, or an email and attachment that violates a policy, it uses the ICE encryption service to automatically encrypt them. The incident appears in the Enforce Server administration console. DLP Cloud Service for Email then registers the action with the ICE Cloud Console. You can click a link in the incident to view more details in the ICE Cloud Console.

Initially, DLP administrators are given read-only access to the ICE Cloud Console. You can always give the administrator greater permissions from within that console. DLP administrators must sign in to the ICE Cloud Console when they click the View in ICE Cloud Console link. After signing in, they can view more information about the incident in the ICE Cloud Console.

For more information on ICE, see the ICE online Help or the ICE documentation at http://www.symantec.com/docs/DOC9707.

See “Implementing ICE with Cloud Service for Email” on page 48.

Implementing ICE with Cloud Service for Email

Table 3-1 provides an overview of the steps you take to use ICE to encrypt emails. The steps assume that you have already set up and deployed Cloud Service for Email.

Table 3-1 Overview of implementing ICE with Cloud Service for Email

Step | Action | More information
Step 1 | Click the link in your welcome email to log on to the Symantec Data Loss Prevention Cloud Management Portal. | See “About the Customer Management Portal” on page 11. See “Using the Cloud Management Portal” on page 20.
Step 2 | Set up the ICE service. | For information about how ICE works and details about decryption, see the Symantec Information Centric Encryption Deployment Guide at http://www.symantec.com/docs/DOC9707.html.
Step 3 | Configure the Cloud Service for Email integration with the ICE service. | See “Configuring the Enforce Server to communicate with the ICE service” on page 49.
Step 4 | Configure response rules that use ICE encryption. | See “Creating encryption response rules for ICE encryption” on page 50.
Step 5 | Click an incident to go to the ICE Cloud Console for more information. | See “Viewing details about ICE incidents” on page 52.

See “Configuring the Enforce Server to communicate with the ICE service” on page 49.

Configuring the Enforce Server to communicate with the ICE service

You need information from the ICE Cloud Console to configure the communication between the Enforce Server and the ICE Cloud Console.

■ In the ICE Cloud Console, go to Settings > Advanced Configuration > External Services. Copy the following information to enter in the Enforce Server administration console to set up the connection between Data Loss Prevention Cloud Service for Email and the ICE Cloud Console:

■ Service URL

■ Customer ID

■ Domain ID

■ Service User ID

■ Service Password

■ In the Enforce Server administration console, go to System > Settings > General > Edit General Settings under ICE Cloud Access Settings.

■ Enter the following information that you obtained from the ICE Cloud Console:

■ Service URL

■ Customer ID


■ Domain ID

■ Service User ID

■ Service Password

■ Re-enter your Service Password

After you save these settings, they are transmitted to the DLP Cloud Service and ICE is enabled.

See “Creating encryption response rules for ICE encryption” on page 50.

Creating encryption response rules for ICE encryption

Use the information in Table 3-2 to create rules for ICE encryption. The steps for creating the rules are provided after the table.

You can apply either of two rules for ICE encryption in your policies. You can either encrypt only email attachments or the email attachments and the email body. You cannot encrypt just the body. If an email includes multiple attachments, and only one attachment violates a policy condition, all of the attachments are encrypted.

Table 3-2 Response rules for ICE encryption

Rule name | Header name | Value | Function
Encrypt attachments only | X-encryption-method | ICEemail attachments | Encrypts only the attachments. The recipient sees the original email message, but attachments are replaced with encrypted HTML files. The recipient is notified that the attachments are encrypted and can only be decrypted with ICE. See the ICE documentation for more details.
Encrypt attachments and body | X-encryption-method | ICEemail all | Encrypts the attachments and email body. The recipient is notified that the email and attachments are encrypted and can only be decrypted with ICE. The attachments are replaced with encrypted HTML files. See the ICE documentation for more details.

Creating a response rule

1 Go to Manage > Policies > Response Rules.

2 Click Add Response Rule.

3 Click Automated Response (Smart Response rules are also possible).

4 Enter a response Rule Name and Description.

5 Optionally, define one or more Conditions to determine when the response rule executes.

6 In the Actions drop-down menu, from the Network Prevent category, select Modify SMTP Message.

7 Click Add Action.

8 In the Network Prevent dialog box, in the Header 1 Name field, type "X-encryption-method."

9 In the Header 1 Value field, type "ICEemail attachments" or "ICEemail all," depending on your data protection policies.

10 Click Save.

11 Configure a policy with the response rule that you created.


Note: If the attachment or the attachment and the email body cannot be encrypted for some reason (such as invalid server information), Cloud Service for Email inserts a separate header so that the email can be handled downstream.

The Encrypt response rule takes precedence over a Modify or Prepend Header response rule. If there is a Modify Header response rule in addition to Encryption, only Encryption is executed. However, a Block response rule takes precedence over an Encrypt response rule.

See "About response rules" in the Symantec Data Loss Prevention online Help.

See “About decrypting ICE encrypted email” on page 52.

About decrypting ICE encrypted email

You can find details about ICE mail decryption in the topic "About the Symantec ICE Utility" in the ICE Cloud Console online Help.

See “Viewing details about ICE incidents” on page 52.

Viewing details about ICE incidents

Go to Incidents > Network > Incidents - New to view details about incidents. Click the History tab to view the chronological details. See Figure 3-1 on page 53.


Figure 3-1 History details for ICE incidents in Enforce

Click the Key Info tab to view the further details. See Figure 3-2 on page 54.


Figure 3-2 Key Info detail for ICE incidents in Enforce

Click Open in Symantec ICE to get more information about each incident at the ICE Cloud Console. You must sign in to the ICE Cloud Console to see all of the documents that were encrypted as part of the message. See Figure 3-3 on page 55.


Figure 3-3 File Details in the ICE Cloud Console

When you click a file, you see additional details. You can click Message ID to navigate to a page for that message where you can view message components. See Figure 3-4 on page 55.

Figure 3-4 Email Message Components in the ICE Cloud Console


Chapter 4: Best Practices for Cloud Service for Email

This chapter includes the following topics:

■ Modifying SPF records in Email Security.cloud to ensure email delivery

■ Deleting the Cloud Detector to reset Symantec Cloud Service for Email

■ Requesting a new Cloud certificate

■ Understanding size limits for profiles

■ Review known issues for Symantec Cloud Service for Email

Modifying SPF records in Email Security.cloud to ensure email delivery

When you use Symantec Cloud Service for Email, your outbound mail may be rejected and not sent from Symantec Email Security.cloud because IP addresses are not registered in the sending domain's Sender Policy Framework (SPF) record. The email is rejected when the recipient domain is also a client who has enabled inbound SPF validation on their portal. Emails from domains that publish a hard-fail SPF policy are blocked and deleted if the sending IP address is not registered in the sending domain's SPF record.

To solve this problem, register the sending IP addresses in the SPF record so that both Symantec Email Security.cloud and Microsoft Office 365 servers are authorized to send mail on behalf of the domain. The sending administrator must modify the SPF TXT record in DNS, as shown in the following example, to include the Symantec Email Security.cloud SPF string:

v=spf1 include:spf.messagelabs.com include:spfprotection.outlook.com -all


For more information on SPF records and their use in Symantec Email Security.cloud, see the following article in the Symantec Support Center: http://www.symantec.com/docs/TECH226211.
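To check a domain's record against the two includes named above before enabling the service, here is an added Python example (not Symantec code). The record strings it tests are constructed, it queries no DNS, and the lookup-count check reflects the general SPF limit from RFC 7208 rather than anything this guide states.

```python
"""Check a domain's SPF record for the includes the guide requires before
outbound mail flows through Cloud Service for Email.  Added example, not
Symantec code: the sample records are constructed and no DNS is queried."""
from typing import Dict, List, Tuple

# Senders that must be authorized so Email Security.cloud and Office 365 can
# send on behalf of the domain (taken from the record shown above).
REQUIRED_INCLUDES = ("spf.messagelabs.com", "spfprotection.outlook.com")
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
POLICY_NAMES = {"-": "hard-fail", "~": "soft-fail", "?": "neutral", "+": "pass"}


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split a record into (qualifier, term, argument) triples.

    Mechanisms use ':' (include:host), modifiers use '=' (redirect=host),
    and a missing qualifier means '+'.  Raises ValueError without v=spf1.
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"
        if raw[:1] in ("+", "-", "~", "?"):
            qualifier, raw = raw[0], raw[1:]
        sep = "=" if "=" in raw.split(":", 1)[0] else ":"
        name, _, arg = raw.partition(sep)
        terms.append((qualifier, name.lower(), arg.lower()))
    return terms


def check_spf(record: str) -> Dict[str, object]:
    """Report missing required includes, the terminal policy, the DNS lookup
    count, and whether the guide's failure mode applies: a hard-fail record
    that does not authorize one of the required senders."""
    terms = parse_spf(record)
    includes = sorted(arg for q, name, arg in terms if name == "include" and q == "+")
    missing = [inc for inc in REQUIRED_INCLUDES if inc not in includes]
    all_qualifier = next((q for q, name, _ in terms if name == "all"), None)
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    return {
        "includes": includes,
        "missing": missing,
        "policy": POLICY_NAMES.get(all_qualifier, "none"),
        "lookups": lookups,
        "too_many_lookups": lookups > 10,
        "delivery_at_risk": all_qualifier == "-" and bool(missing),
    }


def add_required_includes(record: str) -> str:
    """Return the record with any missing required includes inserted before
    the terminal 'all' mechanism; existing terms are left untouched."""
    present = {arg for q, name, arg in parse_spf(record) if name == "include" and q == "+"}
    extra = [f"include:{inc}" for inc in REQUIRED_INCLUDES if inc not in present]
    if not extra:
        return record
    parts = record.split()
    if parts[-1].lstrip("+-~?").lower() == "all":
        return " ".join(parts[:-1] + extra + parts[-1:])
    return " ".join(parts + extra)


# Constructed records: one that omits the Email Security.cloud include and
# would be rejected by hard-fail validation, and the form the guide shows.
BEFORE = "v=spf1 include:spfprotection.outlook.com -all"
AFTER = "v=spf1 include:spf.messagelabs.com include:spfprotection.outlook.com -all"

if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("fixed", add_required_includes(BEFORE)), ("guide", AFTER)):
        print(label, rec, check_spf(rec))
```

A soft-fail (~all) record with a missing include is reported as not at risk under the guide's wording, since only hard-fail senders are blocked and deleted; it still deserves fixing.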

See “Deleting the Cloud Detector to reset Symantec Cloud Service for Email” on page 57.

Deleting the Cloud Detector to reset Symantec Cloud Service for Email

You may need to delete an existing cloud detector if a detector was installed incorrectly, or if you transition from a trial setup to a production setup.

To delete the Cloud Detector

1 Go to System > Overview.

2 In the Servers and Detectors section of the screen, click the red X on the Cloud Detector's status line to remove it from the Enforce Server administration console.

3 Click OK to confirm deletion. The Cloud Detector's status line is removed from the System Overview list.

4 Request a new enrollment bundle and save it to the Enforce Server. See “Symantec Cloud Service for Email Implementation overview” on page 17.

See “Requesting a new Cloud certificate” on page 57.

Requesting a new Cloud certificate

The certificate that you receive in your enrollment bundle has an expiration date. You can see the expiration date on the System > Settings > General page, under Cloud Certificate. When the certificate is about to expire, you receive an email from Symantec with a new certificate and instructions to install the certificate.

If you do not receive an email, you can request a new certificate bundle or a renewal bundle from Symantec Support. You upload either bundle to the Enforce Server and install a new certificate or renew an existing certificate on the System > Settings > General > Install a Cloud Certificate page.

See “Saving the enrollment bundle for Symantec Data Loss Prevention cloud services” on page 22.

See “Understanding size limits for profiles” on page 58.


Understanding size limits for profiles

The combined maximum memory usage in a cloud detector for deployed policies and profile indexes is 20 GB. If you want to deploy policies and profile indexes that exceed 20 GB, contact Symantec Support.

See “Using Symantec Email Security.cloud Data Protection” on page 59.

Review known issues for Symantec Cloud Service for Email

The following table lists known issues in this release of Symantec Data Loss Prevention Cloud Service for Email. The issue ID is an internal number for reference purposes only.

Table 4-1 Symantec Cloud Service for Email known issues

Issue ID | Description | Workaround
3644338 | Incident reconciliation fails when IncidentWriter.ShouldEncryptContent is set to false. | Do not set IncidentWriter.ShouldEncryptContent to false.
3769753 | A severe error that is related to subject name mismatch on the self-signed certificate is logged in the Tomcat localhost log during cloud enrollment. | Ignore this message. It is not a security error, but the result of an RFC compliance issue.
3954853 | Users get an error message when they try to use form recognition with Cloud Service for Email. | Cloud Service for Email does not support form recognition.


Chapter 5: Using additional Symantec Email Security.cloud features

This chapter includes the following topics:

■ Using Symantec Email Security.cloud Data Protection

Using Symantec Email Security.cloud Data Protection

Email Security.cloud's Data Protection features complement the detection features of the Symantec DLP Cloud Detector. Based on directives in the form of X-Headers that are added to an email by the DLP Cloud Detector, Data Protection policies within Symantec Email Security.cloud are configured to take appropriate action such as redirecting, blocking, quarantining or encrypting an email. For detailed instructions on setting up Data Protection policies within Email Security.cloud, see https://support.symantec.com/en_US/email-security-cloud.html.

The following sections give more information on three examples of Data Protection policies that can be implemented within Email Security.cloud: Using Policy Based Encryption, Using Silent blocking, and Using Quarantine.

See “Using Symantec Email Security.cloud Policy Based Encryption” on page 59.

Using Symantec Email Security.cloud Policy Based Encryption

With Policy Based Encryption, you can enforce email encryption based on predefined policies while ensuring that emails can be read on all devices, including mobile. Policy Based Encryption Essentials is provided with Symantec Cloud Service for Email and Policy Based Encryption Advanced is available as an add-on to Email Security.cloud. It enforces email encryption based on predefined policies. Encryption of messages can be initiated manually by the user or automatically by policies that are set in Data Protection.

Defining PBE policies using Data Protection

You must define a Data Protection policy to trigger email encryption. The policy specifies an action to redirect the email to a specific email address. The email address depends on the Policy Based Encryption service you use. When you create the policy, you define the rules that you want to cause the email to be encrypted. For example, you can specify a word or phrase that must be contained in the header or body of the email to trigger encryption. Then you inform your users of the word or phrase that must be present to encrypt the email.

Data Protection scans email against the policies in the order they are listed in the portal. If an email triggers a policy with an exit action, it is subject to that action and does not pass on to be scanned for further policies. The redirection action for special Policy Based Encryption policies is an exit action. Put encryption policies towards the bottom of the policy list, so that other policies defined to comply with the organization's acceptable usage policy are acted on first. If an email triggers a policy with an exit action such as a block action, and that rule is higher in the policy list, the email is not encrypted. The first policy that is encountered blocks the email.

To define an encryption policy

1 Select Services > Email Services > Data Protection at the ESS portal.

2 Click New Policy from Template.

3 Select the PBE Essential Trigger Template (US) and click Create. A new Policy Based Encryption policy is created from the template at the bottom of your policy list.

4 Click the policy name to open the policy. You can adjust the name of the policy at this time. The policy is applied by default to Outbound mail only and the Action is preconfigured to Redirect to Administrator.

5 Use the default rule. As long as "[email protected]" is not a recipient of the message, the rule always works. The first rule in the template policy is a Recipient Group rule. All Policy Based Encryption policies require a recipient group rule. By default, the rule in the template works if the message recipient does not match an address in the Default PBE Recipient Group that by default contains "[email protected]".


6 Use the default rules. The Policy Based Encryption templates contain two more default rules that customers can use to help identify messages containing sensitive data. The first rule looks for common keywords that might be found in messages customers may want to be encrypted. Examples of these keywords are "confidential," "sensitive," and "encrypt." The second rule looks for headers that are found in the message if the sender has flagged the message for encryption using one of the Outlook plug-ins. Customers can leave these rules in place or may choose to remove them and create new rules to help identify messages with sensitive data. When sensitive information is identified in a DLP policy, Symantec Cloud Service for Email can add a header to the message. Data Protection uses this header to determine if the message should be encrypted.

7 Click Save in the bottom right-hand corner of the page. Once a policy is saved, you can move the policy to where you want it positioned in your policy list. The policy can be activated by clicking Activate in the far right-hand column of the policy. Once a policy is activated, it can take about 20 minutes for it to take effect.

If an email is encrypted, the recipient receives an email with an encrypted PDF. The first time that the recipient receives an encrypted PDF, he also receives an email with a link to a portal where he can set the password that can be used to open the encrypted PDFs. The recipient uses this password to view the message body of the email and any attachments.

See “Using Data Protection to silently block email messages” on page 61.

Using Data Protection to silently block email messages

You can use Symantec Email Security.cloud to block emails. Unlike Symantec Data Loss Prevention, where the sender of the email gets a "Blocked Message" notification, when email messages are silently blocked using Data Protection, neither the sender nor the receiver gets a notification. You can, however, pair the silent block rule with another response rule that notifies the sender.

Here are the steps that you need to take to create a silent blocking policy with a keyword list.

To create a silent blocking policy

1 Select Services > Email Services > Data Protection at the ESS portal. A list of all emailpolicies appears.

2 Click Create a New Policy. Then, add a name and description.

3 In Apply to: click Outbound email only (the default).

4 In Execute if: choose ANY rules are met.

5 In Action: choose Block And Delete.

6 In Administrator email: add the email address of your DLP administrator.

7 Click Add rule.


8 Click Add a condition. In Content Keyword List, click Create a new Keyword List.

9 Add a Name and a Description.

10 Add keywords. The ESS keywords (for example, downstream_block) must match the keyword that is specified in the DLP "Modify SMTP Message" response rule.

11 Click Add.

12 Click Save.

13 After you save a policy, you must return to the Email Policies page and click the red Activate option to activate the policy.

Note: If you want to test the policy, do not send the email from the email address that is defined as the administrator email address. If you send a test message from the administrator email address, the policy won't be applied.
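As an added example (not Symantec code or the portal's own logic) of the policy-ordering rule in the Policy Based Encryption section and of the keyword match in step 10 above, the following Python models an ordered Data Protection policy list scanning a message that DLP has stamped with a directive header. The Policy class, the header name X-DLP-Action, the "log only" non-exit action and the sample message are assumptions made for illustration.

```python
"""Model of Email Security.cloud Data Protection policy ordering driven by a
DLP-inserted header.  Added example, not Symantec code: the Policy class, the
constructed header name X-DLP-Action, the 'log only' non-exit action and the
sample message are assumptions made for illustration."""
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Callable, List, Optional

Condition = Callable[[EmailMessage], bool]


def modify_smtp_message(msg: EmailMessage, name: str, value: str) -> EmailMessage:
    """Simulate the Network: Modify SMTP Message action adding a directive header."""
    if name in msg:
        del msg[name]
    msg[name] = value
    return msg


def keyword_list(keywords: List[str]) -> Condition:
    """Content Keyword List rule: true if any keyword occurs in the headers or body."""
    wanted = [k.lower() for k in keywords]

    def matches(msg: EmailMessage) -> bool:
        text = "\n".join(f"{k}: {v}" for k, v in msg.items())
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            text += "\n" + body.get_content()
        text = text.lower()
        return any(k in text for k in wanted)

    return matches


@dataclass
class Policy:
    """One Data Protection policy; exit actions stop further scanning."""
    name: str
    condition: Condition
    action: str
    exit_action: bool = True


def evaluate(policies: List[Policy], msg: EmailMessage) -> List[str]:
    """Scan policies in list order and stop at the first exit action that fires."""
    hits = []
    for policy in policies:
        if policy.condition(msg):
            hits.append(f"{policy.name}:{policy.action}")
            if policy.exit_action:
                break
    return hits


def build_message(dlp_directive: Optional[str]) -> EmailMessage:
    """Constructed outbound message, optionally stamped by DLP with X-DLP-Action."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Q3 numbers"
    msg.set_content("Confidential: the figures are attached.")
    if dlp_directive:
        modify_smtp_message(msg, "X-DLP-Action", dlp_directive)
    return msg


# Policies from the guide: a silent block keyed to the DLP keyword, and a PBE
# trigger keyed to the template's default keywords. 'Audit' is a constructed
# non-exit action that logs and lets scanning continue.
AUDIT = Policy("Audit", lambda m: True, "log only", exit_action=False)
SILENT_BLOCK = Policy("Silent block", keyword_list(["downstream_block"]), "Block And Delete")
PBE = Policy("PBE Essentials", keyword_list(["confidential", "sensitive", "encrypt"]),
             "Redirect to PBE")


def demo() -> dict:
    """Same message, two policy orders: a block above PBE wins, PBE above block encrypts."""
    flagged = build_message("downstream_block")
    clean = build_message(None)
    return {
        "block_above_pbe": evaluate([AUDIT, SILENT_BLOCK, PBE], flagged),
        "pbe_above_block": evaluate([AUDIT, PBE, SILENT_BLOCK], flagged),
        "not_flagged": evaluate([AUDIT, SILENT_BLOCK, PBE], clean),
    }
```

Running demo() shows that the same flagged message is blocked and deleted when the silent-block policy sits above the encryption policy, but is redirected for encryption and never blocked when the order is reversed, which is why the guide places encryption policies near the bottom of the list.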

You can find more information about setting up silent blocking and other Email Security.cloud features, including configuring Data Protection to silently block messages from the Email Security.cloud console, at:

https://support.symantec.com/en_US/email-security-cloud.html
