Cloud SEG

Overview

The Check Point Email Cloud SEG (Secure Email Gateway) solution provides inbound email protection by placing Cloud SEG in the customer’s mail flow as the first hop for incoming messages. The customer updates their MX record to route inbound email to Check Point Email Security, where messages are scanned, and security verdicts are applied before delivery.

After inspection, Cloud SEG routes legitimate messages to the customer’s mail environment, which can be:

• Microsoft Office 365

• On‑premises Microsoft Exchange Servers

• Custom email servers

Check Point uses user synchronization to maintain recipient and user information for routing, policy enforcement, and protection.

Cloud SEG enables Email Security to support customers that require SEG-style mail routing, including hybrid environments, centralized mail-flow configurations, and non-Microsoft architectures.

Notes: To enable the Cloud SEG feature, contact Check Point Support. Cloud SEG feature is currently supported in the Australia (AU) region. Cloud SEG currently supports Inbound email traffic only.

Supported Deployment Scenarios

Cloud SEG provides advanced email security for customers who cannot deploy a purely API‑based email security solution.

Common reasons customers may require the SEG deployment model include:

• Support for currently unsupported architectures, including:

  • Classic hybrid deployments

  • Centralized mail‑flow environments

  • Fully on‑premises environments

• Support for additional email vendors beyond the currently supported API integrations.

• Customer preference to maintain an existing SEG architecture.

  

Prerequisites

During Cloud SEG onboarding, select the SEG onboarding flow and do not install the Microsoft application separately.

Cloud SEG Onboarding Workflow

The Cloud SEG onboarding process includes the following steps:

1. Access the Cloud SEG Configuration

2. Configure Cloud SEG for a Domain

   1. Configure Email Servers and Users

   2. Configure DNS Records

   3. Activate Inbound Email Traffic

Accessing the Cloud SEG Configuration

To access the Cloud SEG configuration:

1. Access the Email Security Administration Guide.

2. From the left navigation panel, go to Security Settings > SEG & Relay > Domains.

Configuring Cloud SEG for a Domain

Configuring Email Servers and Users

To configure email servers and users:

1. Go to Security Settings > SEG & Relay > Domains.

2. Click the icon for the required domain and select Configure SEG.

   The SEG Onboarding page appears.

3. To configure the Email Servers & Users section, click:

   • Email servers

     The Select Email servers page appears.

     1. Configure the following email servers as required:

        Note - You can add multiple email servers of different types, and servers of the same type.

        • Office 365 Mail

          1. Select the Office 365 Mail checkbox.

          2. Click Add New Office 365 Mail.

          3. In the Name field, enter the required name (for example, Microsoft Office 365 Mail Endpoint).

          4. In the Inbound Host / IP(s) field, enter Microsoft Office 365 / EOP mail routing endpoint for this domain (for example, example-com.mail.protection.outlook.com).

             Note - You can add more than one Host or IP address, separated by commas.

          5. Click Save.

        • Microsoft Exchange Server

          1. Select the Microsoft Exchange Server checkbox.

          2. Click Add New Microsoft Exchange Server.

          3. In the Name field, enter the required name.

          4. In the Inbound Host / IP(s) field, enter the destination host or IP address to which Cloud SEG routes inbound email.

             Note - You can add more than one Host or IP address, separated by commas.

          5. In the Inbound Port field, enter the port number.

          6. Click Save.

        • Custom Email Server

          1. Select the Custom checkbox.

          2. Click Add New Custom.

          3. In the Name field, enter the required name (for example, Zoho or IceWarp Mail Endpoint).

          4. In the Inbound Host / IP(s) field, enter the destination host or IP address to which Cloud SEG routes inbound email.

             Note - You can add more than one Host or IP address, separated by commas.

          5. In the Inbound Port field, enter the port number.

          6. Click Save.

     2. After configuring the required email servers, click Save.

   • Users Sync

     The Sync users page appears.

     1. Select the required directory source for user synchronization:

        • Microsoft Entra ID (Azure AD): Sign in to your Microsoft account and approve the required permissions for Check Point. See Prerequisites.

        • Manual import: Export the user data from the on‑premises Active Directory and then manually import the data into Check Point Email Security. Upload a CSV file in the supported format.

          Note - To perform a manual import, contact Check Point Support.

     2. After selecting the required synchronization method, click Proceed to Sync Update.

        Note - The synchronization process can take a few hours to complete. Once this capability is productized, the process will be updated accordingly.

   • Routing

     The Routing Rules page appears.

     1. Click Add Rule.

     2. In the Rule Name field, enter the required rule name.

        

     3. From the If the recipient dropdown, select the required option:

        • is a member of the following group(s): Select the required user groups to which the email server will be routed.

     4. From the Direct email dropdown, select the required email serverto which the email traffic is routed.

     5. Click Save.

     Notes: Routing rule changes apply to all domains. All users and recipient groups expected to receive inbound email through Cloud SEG must be configured in Routing Rules. Inbound email for users not configured in the routing rules is rejected.

Configuring DNS Records

To configure DNS records:

1. Go to Security Settings > SEG & Relay > Domains.

2. Click the icon for the required domain and select Configure SEG.

   The SEG Onboarding page appears.

3. Configure the DNS Configure section.

   • Relay MX - To configure the Relay MX record, see Configure the Relay MX Record.

   • SPF - To configure SPF the record, see Configure the SPF Record.

   • DKIM - To configure the DKIM record, see Configure the DKIM Record.

4. Click Verify.

Activating Inbound Email Traffic

To activate inbound email traffic:

1. Go to Security Settings > SEG & Relay > Domains.

2. Click the icon for the required domain and select Configure SEG.

   The SEG Onboarding page appears.

3. To configure the Activate Email section, click Inbound.

   The Activate Inbound Email Traffic page appears.

4. Follow the on-screen instructions to complete the inbound mail flow activation process.

   • Microsoft Office 365 Mail

     

   • Exchange Server

     

5. Click Activate.

Configuring Quarantine Restore Request Notifications for Cloud SEG

For on-premises deployments that use manual user synchronization, you must configure an email address for quarantine restore requests notifications before configuring the SEG Security policy.

To configure quarantine restore request notifications:

1. Go to Security Settings > SaaS Applications.

2. Click Configure for SEG.

   The Configure SEG Security pop-up appears.

   

3. In the Send alerts on requests to restore emails from quarantine to field, enter the email address.

4. Click Save.