Appendix A: Check Point Manual Integration with Office 365

This topic describes the manual on-boarding and configuration process for Harmony Email & Collaboration, in which you bind your Office 365 environment to Harmony Email & Collaboration yourself instead of letting the wizard do it.

Note - Automatic mode for onboarding allows for better maintenance, management, and smoother user experience. Check Point recommends only using Manual mode as a last resort. Before using the Manual mode, contact Check Point Support to help resolve any issues raised with the Automatic mode for onboarding.

After you select to bind Harmony Email & Collaboration to your Office 365, the Office 365 Install Mode window opens.

Select one of these modes:

  • Automatic mode - Harmony Email & Collaboration automatically configures Office 365 emails to operate in Detect modes (Monitor only and Detect and Remediate) and/or Protect (Inline) mode. You only need to authorize the Harmony Email & Collaboration app during the wizard and all configuration changes are applied automatically.

  • Manual mode - You must manually perform the necessary configurations in the Office 365 Exchange Admin Center before you bind the application.

This topic explains the various settings that need to be configured for Manual mode in the Office 365 Exchange Admin Center.

We recommend that you review whether either of these scenarios applies to you:

  • You want to choose automatic mode but first want to learn the configuration changes that are automatically applied to Office 365.

  • You want to choose manual mode and need to know what the initial configuration should be.

Note - In this guide, {portal} refers to your portal name. The portal name can be found in the Office 365 Install window. For more information, see Portal Identifier of Harmony Email & Collaboration Tenant.

If you have any queries about how to apply these changes in the configuration, contact the Check Point Support for assistance.

Manual Integration with Office 365 Mail - Required Permissions

You can choose Manual mode of integration when you do not want Check Point to automatically add and manage mail flow rules, connectors, and other Microsoft configurations for your organization.

Because these configurations are not managed by Check Point, Manual mode requires fewer permissions than Automatic mode. The remaining permissions are still broad (the application can read and write mail in all mailboxes, use Exchange Web Services with full access to all mailboxes, and send mail as any user, see the list below), so review them with the same care as you would for Automatic mode.

Permissions required from Office 365 for manual integration, and the functions Harmony Email & Collaboration performs with them. Permissions listed together on adjacent lines serve the same function.

Access directory as the signed in user
Read directory data

    Used for these:

      • Mapping users to groups to properly assign policies to users.

      • Baselining the active users to detect impersonation attempts.

      • Mapping users to titles, departments and more to determine whether a user is a VIP user.

Read contacts in all mailboxes

    Used for baselining social graphs and communication patterns for accurate phishing detection.

Enable and disable user accounts

    Used for taking actions in response to security events involving user accounts.

Read user mailbox settings
Read all user mailbox settings
Read and write mail in all mailboxes

    Used for continuously monitoring mailbox settings to detect indications of account compromise, such as MFA settings, forwarding rules and many more.

Read all audit log data

    Used for retrospective audit of login events to detect compromised accounts (Anomalies).

Read all groups (preview)
Read and write all groups

    Used for mapping users to groups to properly assign policies to users.

Read all directory RBAC settings

    (Reserved for future release) Used to allow administrators to disable users or reset their password.

Read all users' full profiles

    Used for these:

      • Mapping users to groups to properly assign policies to users.

      • (Reserved for future release) Allow administrators to disable users or reset their password.

Read activity data for your organization

    Used for these:

      • Getting user login events, Microsoft Defender events and others to present login activities and detect compromised accounts (Anomalies).

      • Getting Microsoft detection information to present for every email.

Read service health information for your organization

    Reserved for future releases.

Send mail on behalf of others

    Used for sending notifications to end users in scenarios where SMTP delivery is not technically available. This includes phishing, malware and DLP notifications.

Read and write user and shared mail
Read and write user mail
Use Exchange Web Services with full access to all mailboxes

    Used for these:

      • Enforcing Detect and Remediate policy rules, where emails are quarantined/modified post-delivery.

      • Allowing administrators to quarantine emails that are already in the users' mailboxes.

      • Baselining communication patterns as part of Learning Mode.

      • Retroactive scan of emails already in users' mailboxes immediately after onboarding.

Send mail as a user
Send mail as any user

    Used for sending notifications to end users in scenarios where SMTP delivery is not technically available. This includes phishing, malware and DLP notifications.
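The consent screen shows the permission list above once; afterwards the only record of what was granted is the enterprise application in your tenant. The following script is an added example (not Check Point's code or part of this guide) that reads the application permissions and delegated grants actually held by the Manual Mode application, so you can compare them against the list above, and that also reports whether the broader "Emails V2" application (used by Automatic mode and by the Unified Quarantine re-authorization described later in this appendix) is present. It assumes the Microsoft Graph PowerShell SDK is installed and that the application display names match the consent screen names used on this page.

```powershell
# Added example, not Check Point's code. Lists what the Harmony Email & Collaboration
# enterprise applications were granted in this tenant.
# ASSUMPTION: display names are the ones shown on the Microsoft consent screen.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$appNames = @(
    "Check Point Cloud Security Platform - Emails - Manual Mode",
    "Check Point Cloud Security Platform - Emails V2"
)

foreach ($name in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $sp) {
        Write-Host "[$name] not present in this tenant"
        continue
    }
    Write-Host "== $name (objectId $($sp.Id), appId $($sp.AppId)) =="

    # Application permissions (app roles) that an administrator consented to.
    # The role value is what Microsoft Graph / Exchange Online enforce; the display
    # name is the wording you saw on the consent screen.
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
    foreach ($a in $assignments) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        "{0,-30} application  {1,-40} {2}" -f $a.ResourceDisplayName, $role.Value, $role.DisplayName
    }

    # Delegated permissions (OAuth2 scopes), such as "Access directory as the signed in user".
    # ConsentType is AllPrincipals for admin consent on behalf of the whole tenant.
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id
    foreach ($g in $grants) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
        "{0,-30} delegated    ({1}) {2}" -f $resource.DisplayName, $g.ConsentType, $g.Scope
    }
}
```

Run it right after Step 1 and keep the output with your change record; run it again after any re-authorization. A permission that appears in the output but not in the list above, or a second application you did not expect, is worth a question to Check Point Support before you continue.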

Policy Modes

These are the policy modes:

  • Monitor only - Monitors the emails and creates the relevant event.

  • Detect and Remediate - Creates an event, and also performs retroactive enforcement for Inbound emails already delivered to users.

  • Protect (Inline) - All emails are reviewed before delivery to the user.

Monitor only and Detect and Remediate have the same configuration and are sometimes referred to as Detect modes in this document.

Best Practice - We recommend that you start with the configuration for Detect modes and later change to Protect (Inline). If you are already in one of the Detect modes and want to start with Protect (Inline) mode, skip to Introduction - Protect (Inline) Mode.

Note - For the system to work properly, you must follow the steps in the order they appear.

Step 1 - Authorize the Manual Integration Application

  1. From the Getting Started Wizard, click Start for Office 365 Mail.

    or

    From the left panel, go to Security Settings > SaaS Applications.

  2. Click Start for Office 365 Mail.

  3. Select Manual mode of operation.

  4. In the Office 365 Authorization window that appears, sign in with your Microsoft Global Administrator credentials.

  5. In the authorization screen, click Accept to grant the permissions to the Check Point Cloud Security Platform - Emails - Manual Mode application.

    For more information, see Permissions required from Office 365 for manual integration.

Step 2 - Check Point Contact

In the Manual mode of integration, you have to add a dedicated Check Point Contact.

This contact is used for the Undeliverable Journal Reports under Journal Rules in Step 3 - Journal Rule.

If you already configured a recipient for undeliverable journal rules, skip this step.

Step 3 - Journal Rule

The Journal rule is used only for Detect modes (Monitor only or Detect and Remediate).

The Journal rule configures Office 365 to send a copy of all scoped emails to the journaling mailbox used by Harmony Email & Collaboration for inspection.

Notes -

  • Before you create a Journal rule, you must specify a mailbox to receive the Undeliverable journal report. If you already configured a mailbox for this purpose, skip this step and define only the journal rule.

Step 4 - Connectors

In this step, you define two connectors:

  • Inbound connector - For all modes.

  • Journaling Outbound - For Detect modes.

These connectors send traffic to the cloud (the journaling copies) and receive traffic from it (notifications and, in Protect (Inline) mode, the inspected messages).

Note - This step covers the connectors needed for Detect modes; the Inbound connector is also required by Protect (Inline) mode. For the additional outbound connector for Protect (Inline) mode, see Introduction - Protect (Inline) Mode.

Step 5 - Connection Filter (All Modes)

Update the Connection Filter to allow-list emails from Check Point.

This goes hand-in-hand with the Check Point Inbound Connector created in Step 4 - Connectors. Messages from allow-listed IP addresses skip Exchange Online Protection spam filtering, so the list must contain only the Check Point sending addresses for your tenant, the same ranges the Inbound connector is restricted to.
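Steps 2 to 5 are one procedure, and a practitioner usually wants them scripted so the configuration can be reviewed and reproduced. The following is an added example (not Check Point's code or a transcript of the Exchange Admin Center steps) that creates the same objects with Exchange Online PowerShell. The journaling address, the Check Point sending IP ranges and the address of the Check Point Contact are placeholders marked ASSUMPTION; take the real values from the Office 365 Install window or Check Point Support. Object names are illustrative.

```powershell
# Added example, not Check Point's code: Steps 2-5 (Detect modes) in Exchange Online PowerShell.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$journalAddress = "journal@{portal}.example"       # ASSUMPTION: Check Point journaling mailbox for your portal
$checkPointIPs  = @("203.0.113.0/24")              # ASSUMPTION: Check Point sending ranges (RFC 5737 test block)
$ndrContact     = "journal-ndr@{portal}.example"   # ASSUMPTION: address of the dedicated Check Point Contact
$journalDomain  = ($journalAddress -split "@")[1]

# Step 2 - Check Point Contact, used as the recipient of undeliverable journal reports.
# Skipped when a recipient is already configured, as the page says.
$currentNdr = [string](Get-TransportConfig).JournalingReportNdrTo
if ([string]::IsNullOrEmpty($currentNdr) -or $currentNdr -eq "<>") {
    New-MailContact -Name "Check Point Journal NDR" -ExternalEmailAddress $ndrContact | Out-Null
    Set-TransportConfig -JournalingReportNdrTo $ndrContact
} else {
    Write-Host "Undeliverable journal reports already go to $currentNdr; leaving it unchanged"
}

# Step 3 - Journal rule: a copy of every scoped message goes to the Check Point journaling mailbox.
# -Scope Global covers internal and external mail; add -Recipient <user or group> to narrow the scope.
New-JournalRule -Name "Check Point - Journal" -JournalEmailAddress $journalAddress `
    -Scope Global -Enabled $true | Out-Null

# Step 4a - Inbound connector (all modes): accept mail from Check Point's IP ranges only, over TLS.
# Restricting to the IP ranges matters: without it any host could present itself as Check Point.
New-InboundConnector -Name "Check Point - Inbound" -ConnectorType Partner -SenderDomains "*" `
    -SenderIPAddresses $checkPointIPs -RestrictDomainsToIPAddresses $true -RequireTls $true `
    -Enabled $true | Out-Null

# Step 4b - Journaling Outbound connector (Detect modes): journal reports carry full copies of the
# scoped mail, so force TLS towards the journaling domain instead of relying on opportunistic TLS.
New-OutboundConnector -Name "Check Point - Journaling Outbound" -ConnectorType Partner `
    -RecipientDomains $journalDomain -UseMXRecord $true -TlsSettings EncryptionOnly `
    -Enabled $true | Out-Null

# Step 5 - Connection filter: allow-list exactly the ranges the inbound connector trusts
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $checkPointIPs }

# Review what was created before you on-board in the portal (Step 6)
Get-JournalRule | Format-Table Name, JournalEmailAddress, Scope, Enabled
Get-InboundConnector "Check Point - Inbound" | Format-List SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls
Get-OutboundConnector "Check Point - Journaling Outbound" | Format-List RecipientDomains, TlsSettings, Enabled
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList
```

The two security-relevant choices are the same in the GUI and in the script: the Inbound connector and the connection-filter allow list must carry the same, tenant-specific Check Point ranges and nothing wider, and the journaling path must require TLS because every scoped message is copied across it.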

Step 6 - On-boarding (Monitor only & Detect and Remediate)

In this step, you are ready to integrate Harmony Email & Collaboration with Office 365 for Monitor only and Detect and Remediate modes.

Step 7 - Protect (Inline) Policy Configuration on Harmony Email & Collaboration

Introduction - Protect (Inline) Mode

In Protect (Inline) mode, the system inspects all emails in scope before delivery to the users.

In manual mode, you must change the policy to Protect (Inline) before moving to Office 365 configurations.

To configure Protect (Inline) mode, follow Steps 7-9 below.

Note - To return to detect modes, disable the transport rules in Step 9 - Transport Rules (Protect (Inline) Mode).

Step 8 - Connectors (Protect (Inline) Mode)

In this step, you define the outbound connector for Protect (Inline) mode.

Step 9 - Transport Rules (Protect (Inline) Mode)

The purpose of the transport rules is to route mail for the users in scope of the inline policy through Check Point before delivery. Every time you change the scope of the inline policy (add or remove users/groups), you must edit the scope of the transport rules accordingly.

Note - If any mail flow rules already exist, the Check Point rules must be given the highest priority so that they are evaluated before all existing rules, in this order:

  1. Check Point - Protect Internal

  2. Check Point - Protect

  3. Check Point - Allow-List

  4. Check Point - Junk Filter


Transport Rules

Office 365 transport rules (mail flow rules) automate actions on emails in transit based on custom policies. In most enterprise environments, every transport rule is either a delivery rule (where the message goes) or a modification rule (what is changed in the message).
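Steps 8 and 9 together form the Protect (Inline) configuration, and the ordering and scoping requirements above are easiest to verify in a script. The following is an added example (not Check Point's code, and not Check Point's published rule definitions) that creates the outbound connector and the four rules named above with Exchange Online PowerShell, at priorities 0 to 3 so that they come before any existing rule. This page does not state the conditions of the Allow-List and Junk Filter rules; the conditions used here (skip EOP spam scoring for mail returning from Check Point, and send a Check Point junk verdict to the Junk Email folder) are inferences, and the verdict header name is a placeholder. The smart host, IP ranges and group are placeholders marked ASSUMPTION.

```powershell
# Added example, not Check Point's code: Steps 8-9 (Protect (Inline) mode) in Exchange Online PowerShell.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$checkPointIPs   = @("203.0.113.0/24")             # ASSUMPTION: Check Point sending ranges (RFC 5737 test block)
$inlineSmartHost = "inline.{portal}.example"       # ASSUMPTION: Check Point inline smart host for your portal
$inlineGroup     = "cp-inline-users@contoso.com"   # ASSUMPTION: group holding the users in the Protect (Inline) policy
$verdictHeader   = "X-Example-CP-Verdict"          # ASSUMPTION: header carrying Check Point's verdict; confirm with Support

# Step 8 - outbound connector, usable only from transport rules (-IsTransportRuleScoped)
New-OutboundConnector -Name "Check Point - Outbound" -ConnectorType Partner `
    -SmartHosts $inlineSmartHost -UseMXRecord $false -TlsSettings EncryptionOnly `
    -IsTransportRuleScoped $true -Enabled $true | Out-Null

# Step 9 - the four rules at priorities 0-3, in the order the page lists them.
# Both routing rules exclude mail that is arriving *from* Check Point: without that exception the
# inspected message returning through the Inbound connector would be routed out again (mail loop).
New-TransportRule -Name "Check Point - Protect Internal" -Priority 0 -Mode Enforce `
    -FromScope InOrganization -SentToScope InOrganization -SentToMemberOf $inlineGroup `
    -ExceptIfSenderIpRanges $checkPointIPs `
    -RouteMessageOutboundConnector "Check Point - Outbound" | Out-Null

New-TransportRule -Name "Check Point - Protect" -Priority 1 -Mode Enforce `
    -FromScope NotInOrganization -SentToMemberOf $inlineGroup `
    -ExceptIfSenderIpRanges $checkPointIPs `
    -RouteMessageOutboundConnector "Check Point - Outbound" | Out-Null

# Inference: mail coming back from Check Point was already inspected, so skip EOP spam scoring (SCL -1)
New-TransportRule -Name "Check Point - Allow-List" -Priority 2 -Mode Enforce `
    -SenderIpRanges $checkPointIPs -SetSCL -1 | Out-Null

# Inference: a junk verdict from Check Point lands in Junk Email (SCL 6 is above the junk threshold)
New-TransportRule -Name "Check Point - Junk Filter" -Priority 3 -Mode Enforce `
    -SenderIpRanges $checkPointIPs `
    -HeaderContainsMessageHeader $verdictHeader -HeaderContainsWords "junk" `
    -SetSCL 6 | Out-Null

# Changing the inline scope later: edit the existing rules, do not add a second copy
Set-TransportRule -Identity "Check Point - Protect Internal" -SentToMemberOf $inlineGroup
Set-TransportRule -Identity "Check Point - Protect"          -SentToMemberOf $inlineGroup

# Verify the order: the four Check Point rules must be the first four, all Enabled
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode

# Returning to the Detect modes: disable (do not delete) the Step 9 rules
# Get-TransportRule "Check Point - *" | Disable-TransportRule -Confirm:$false
```

Before enabling the rules for a wide group, test with a small pilot group in `$inlineGroup` and send one external and one internal message to a pilot user; the message trace should show a single trip to the Check Point smart host and a single return through the Inbound connector, not a loop.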

Step 10 - Sending User Reported Phishing Emails to an Internal Mailbox

To handle phishing reports effectively, Harmony Email & Collaboration requires that reports sent through the Microsoft Report Phishing / Report Message add-in are also sent to an internal mailbox. This mailbox can be an existing dedicated mailbox or a new shared mailbox that does not require a Microsoft license.

To send user reported phishing emails to an internal mailbox:

  1. Log in to the Microsoft Defender portal.

  2. Click Settings > Email & Collaboration > User reported settings.

  3. Scroll down to the Reported message destinations section and do these:

    1. In the Send reported messages to: field, select Microsoft and my reporting mailbox.

    2. In the Add an Exchange Online mailbox to send reported messages to: field, enter the dedicated mailbox email address.

  4. Click Save.
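The same setting can be made from Exchange Online PowerShell, which is useful when you want the reporting mailbox and the Defender setting in the same change script as the rest of the manual integration. The following is an added example (not Check Point's code); the shared mailbox address is a placeholder marked ASSUMPTION.

```powershell
# Added example, not Check Point's code: Step 10 in Exchange Online PowerShell.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$reportMailbox = "user-reported-phish@contoso.com"   # ASSUMPTION: dedicated internal mailbox for user reports

# Create a shared mailbox (no Microsoft license needed) if no dedicated mailbox exists yet
if (-not (Get-Mailbox -Identity $reportMailbox -ErrorAction SilentlyContinue)) {
    New-Mailbox -Shared -Name "User Reported Phishing" -PrimarySmtpAddress $reportMailbox | Out-Null
}

# Equivalent of "Send reported messages to: Microsoft and my reporting mailbox" for the
# Report Phishing / Report Message add-in (junk, not junk and phishing reports)
Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy `
    -EnableReportToMicrosoft $true `
    -ReportJunkToCustomizedAddress $true    -ReportJunkAddresses $reportMailbox `
    -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $reportMailbox `
    -ReportPhishToCustomizedAddress $true   -ReportPhishAddresses $reportMailbox

# The policy is paired with a rule that names the destination mailbox; create or update it
if (Get-ReportSubmissionRule -ErrorAction SilentlyContinue) {
    Set-ReportSubmissionRule -Identity DefaultReportSubmissionRule -SentTo $reportMailbox
} else {
    New-ReportSubmissionRule -Name DefaultReportSubmissionRule `
        -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $reportMailbox
}

Get-ReportSubmissionPolicy | Format-List EnableReportToMicrosoft, ReportJunkAddresses, ReportNotJunkAddresses, ReportPhishAddresses
```

Give the reporting mailbox the same treatment as any other inbox that receives untrusted attachments: no automatic forwarding rules, no human readers opening attachments, and access limited to the security team and the Harmony Email & Collaboration application.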

Reverting Manual Onboarding / Switching to Automatic Onboarding

To switch the onboarding from Manual mode to Automatic mode or to disconnect Harmony Email & Collaboration from your Office 365 account, follow these steps:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Stop for all the Office 365 SaaS applications.

  3. Follow all the steps in Appendix A: Check Point Manual Integration with Office 365, and remove every rule and object you created.

  4. Contact Check Point Support so that Check Point support finalizes the process in the backend.

    After the confirmation from Check Point Support, the reverting process is complete.

  5. To start the onboarding in Automatic mode, follow the procedure in Activating Office 365 Mail.

Unified Quarantine for Manual Mode of Onboarding

Some organizations prefer Manual mode of onboarding for these reasons:

  • The permissions required by the Check Point Cloud Security Platform - Emails V2 enterprise application for Automatic mode are too high for the organization.

  • The organization prefers that Check Point does not automatically change mail flow rules, connectors, transport rules, and so on in their Microsoft Azure cloud platform.

However, to get visibility on emails quarantined by Microsoft (Unified Quarantine) and act on them, Check Point requires permissions that are requested only by the Check Point Cloud Security Platform - Emails V2 application in the Automatic mode of onboarding.

Customers using Harmony Email & Collaboration in Manual mode who agree to grant the necessary permissions (see Required Roles and Permissions) to the Check Point Cloud Security Platform - Emails V2 application, but prefer not to have Check Point manage mail flow rules, connectors, transport rules, and other configurations in their Microsoft Azure, can still use Unified Quarantine.

To do that:

  1. Contact Check Point Support with the request.

  2. After approval from the support representative, re-authorize the Office 365 Mail application with Microsoft administrator credentials.

    1. Click Security Settings > SaaS Applications.

    2. Click Configure for Office 365 Mail.

    3. Click Re-Authorize Check Point Office 365 Email App.

    4. Follow the onscreen instructions and authorize the Microsoft 365 application.

    You can see that Harmony Email & Collaboration is using a different application requiring more permissions.

Unified Quarantine is now enabled, and the application does not make any changes to your Microsoft 365 configuration.