Activating Google Workspace (Gmail and Google Drive)

Prerequisites

To activate Google Workspace, you must meet these prerequisites:

  • You have administrator access to the Google Workspace tenant you are activating.

  • An additional Google Workspace license for the integration with Harmony Email & Collaboration. The service user created during onboarding consumes a license (see Super Admin). Integration is not supported for tenants on the free G Suite license tiers.

  • You have the minimum supported SaaS license. See Minimum License Requirements to Activate SaaS Applications.

  • If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups between on-premises and the cloud, you must create GCDS exclusion rules for these user groups before activating Google Workspace. Otherwise the next sync deletes the groups and email scanning stops silently.

    • check_point_inline_policy

    • check_point_inline_outgoing_policy

    • check_point_monitor_policy

    • check_point_monitor_outgoing_policy

    For more information, see User Groups.

By default, Google Chrome signs in to Google Workspace as the user of the signed-in Chrome profile, not as the account you select during activation. To check whether Chrome is signed in, look for the profile name in the browser's top-right corner.

Possible workarounds:

  • Perform the Google Workspace activation using a non-Chrome browser.

  • Sign out of any signed-in Chrome profile (or switch to a Guest window) before you continue.

While onboarding Google Workspace (Gmail / Google Drive), Harmony Email & Collaboration creates a service user (cloud-sec-av@[domain]) in the root organizational unit.

Before onboarding, make sure that these settings are selected in your Google Admin console.

  • Go to Authentication Settings of the root organizational unit and check these settings.

    • The Allow users to turn on 2-Step Verification check-box is selected.

    • If the Only security key option is selected, make sure the Don’t allow users to generate security codes option is not selected.

Notes:

If the Authentication Settings of the root organizational unit are not supported, onboarding fails. To resolve this, do one of these:

  • If you want to keep the unsupported Authentication Settings of your root organizational unit, move the service user (cloud-sec-av@[domain]) to an organizational unit with the supported Authentication Settings. Then, start onboarding Gmail or Google Drive again.

  • Create a new dedicated organizational unit with the supported Authentication Settings and move the service user (cloud-sec-av@[domain]) to the organizational unit. Then, start onboarding Gmail or Google Drive again.

Activating Gmail

To activate Gmail:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Start for Gmail.

  3. Select the I Accept Terms Of Service check-box.

  4. If you need to limit the license consumption and protection to a specific group of users:

    1. Enable the Restrict inspection to a specific group (Groups Filter) checkbox and click OK.

    2. In the Gmail - Group Selection pop-up, select Specific group.

    3. Enter the group name you need to protect with Harmony Email & Collaboration.

      Note - The group name must have an associated email address.

    4. Click OK.

  5. Log in to the Google Workspace Marketplace using your Google administrator credentials.

  6. After successful authentication, you will be redirected to the Check Point Cloud Security app installation page.

    Click Admin Install.

  7. In the Admin install pop up that opens, click Continue.

  8. Check Point Cloud Security app requests permissions to access your data.

    Select Everyone at your organization, accept the terms of service and click Finish.

    Wait until the Check Point Cloud Security app is installed.


  9. In the Google Workspace Marketplace, scroll down and select the Check Point Cloud Security app.

    If prompted, enter the Google administrator credentials, and you are redirected to Harmony Email & Collaboration.

    Note - After installing the Check Point Cloud Security app, a new Super Admin account is created in your Google Admin console. For details, see Super Admin.

  10. Navigate to Security Settings > SaaS Applications and click Start for Gmail.

    After successful authentication, Harmony Email & Collaboration starts scanning the users and emails from Gmail.

    Note - After activating Gmail, Harmony Email & Collaboration performs retroactive scan of its content. For more information, see Onboarding Next Steps.

Activating Google Drive

To activate Google Drive:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Start for Google Drive.

  3. Log in to the Google Workspace Marketplace using your Google administrator credentials.

  4. If the Check Point Cloud Security app is already installed from Google Workspace Marketplace, after successful authentication, Harmony Email & Collaboration starts scanning the Google Drive of users.

    If not, install the app by continuing from step 6 (Admin Install) in Activating Gmail, then return to Security Settings > SaaS Applications and click Start for Google Drive again.

Note - After activating Google Drive, Harmony Email & Collaboration performs retroactive scan of its content. For more information, see Onboarding Next Steps.

For more details about automatic configuration on Google Workspace, see Google Workspace Footprint.

Google Workspace Footprint

After Activating Google Workspace (Gmail and Google Drive), Harmony Email & Collaboration automatically creates a Super Admin user, a host (mail route), an inbound gateway, an SMTP relay service, four user groups, and up to four content compliance rules.

Super Admin

While installing the Check Point Cloud Security app, a new Super Admin user account is created in your Google Admin console.

The Super Admin user has an email address in the cloud-sec-av@[domain] format and is sometimes referred to as the Check Point Service User.

This user requires a Gmail license. For more details about the Super Admin role, see Pre-built administrator roles.

What is the Super Admin User Used For?

Harmony Email & Collaboration uses the Super Admin user to perform tasks that cannot be accomplished through the Google APIs alone, for example taking action on files in a Drive that has no owner (see Google Drive Permissions Changes).

Super Admin Security

The password of the Super Admin user is 43 random characters drawn from lower case letters, upper case letters, and digits. The password is stored securely using AWS Key Management Service (AWS KMS).

Check Point also recommends enabling Multi-Factor Authentication (MFA) on this account.

After the onboarding process completes, the Super Admin is automatically disabled.
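The following is an added example, not Check Point's code, showing how a password with the stated parameters (43 random characters from lower case, upper case and digits) is generated from a cryptographically secure source, and why that length was chosen: 43 symbols from a 62-character alphabet carry 43 · log2(62), about 256 bits, the same strength as a 256-bit key.

```python
"""Service-account password generation with the parameters stated on the page.

Added example, not Check Point's implementation: it illustrates the 43-character,
62-symbol scheme and its entropy. Nothing here is tenant-specific.
"""
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits  # 62 symbols


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def has_all_classes(password):
    """True when the password has at least one lower-case letter, upper-case letter and digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def generate_password(length=43):
    """Draw from the OS CSPRNG via `secrets` (never `random`).

    Rejection sampling keeps the draw uniform over all passwords that contain every
    class; at 43 characters the rejection probability is negligible.
    """
    if length < 3:
        raise ValueError("need at least three characters to cover all three classes")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(password):
            return password


if __name__ == "__main__":
    print(generate_password())
    print(f"{entropy_bits(43):.1f} bits of entropy")
```

The check for all three classes is policy conformance, not a strength requirement: the strength comes from the uniform draw over 62^43 strings, not from forcing particular character classes.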

Changing the Google Application Role

After successfully onboarding the Google Workspace SaaS application to Harmony Email & Collaboration, the administrator can replace the Super Admin role held by the Check Point service user with a least-privilege custom role. To do that:

  1. Sign in to your Google Admin console with an account with super administrator privileges.

  2. Create a custom admin role. For more information, see Google Documentation.

  3. Assign these privileges to the role:

    1. In the Admin console privileges:

      1. Assign Settings privilege to Gmail.

      2. Assign Groups privilege.

    2. In the Admin API privilege, assign Groups privilege.

  4. Search for the Cloud-Sec-AV Service Admin role and do these:

    1. Unassign the Super Admin role. For more information, see Google Documentation.

    2. Assign the custom admin role created in step 2. For more information, see Google Documentation.

User Groups

After activating Google Workspace, Harmony Email & Collaboration automatically creates these user groups.

  • check_point_inline_policy

  • check_point_inline_outgoing_policy

  • check_point_monitor_policy

  • check_point_monitor_outgoing_policy

You can view these user groups under Groups in your Google Admin console.

Note - If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups between on-premises and the cloud, the synchronization deletes these Check Point groups. Email delivery is not affected, but Harmony Email & Collaboration can no longer scan emails and no security events are generated.

Before activating Google Workspace, you must create GCDS exclusion rules for these user groups. Set the exclusion type to Group Email Address, the match type to Exact Match, and the group email address in the groupname@[domain] format.

For example, for the domain mycompany.com the excluded addresses are check_point_inline_policy@mycompany.com, check_point_inline_outgoing_policy@mycompany.com, check_point_monitor_policy@mycompany.com and check_point_monitor_outgoing_policy@mycompany.com.

Note - If you have activated Google Workspace without creating exclusion rules, contact Check Point Support.
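Two of the checks an administrator wants after onboarding are that the four Check Point groups still exist (the GCDS failure mode above) and that the service user no longer holds Super Admin once the custom role from Changing the Google Application Role has been assigned. The following is an added example, not Check Point's code: it audits both from the JSON shapes returned by the Admin SDK Directory API (groups.list, roles.list, roleAssignments.list), so it can run on saved API output or on live responses from a credentialed client. The sample responses, user id and role ids embedded below are constructed for illustration.

```python
"""Audit the Harmony Email & Collaboration footprint in a Google Workspace tenant.

Added example: this is not Check Point's code. It works on the JSON returned by the
Admin SDK Directory API (groups.list, roles.list, roleAssignments.list). The sample
responses below are constructed; the ids in them are made up.
"""

# The four groups the activation creates. A GCDS sync without exclusion rules deletes them.
CHECK_POINT_GROUPS = (
    "check_point_inline_policy",
    "check_point_inline_outgoing_policy",
    "check_point_monitor_policy",
    "check_point_monitor_outgoing_policy",
)


def expected_group_emails(domain):
    """Addresses to put in the GCDS exclusion rules (Group Email Address, Exact Match)."""
    return [f"{name}@{domain}" for name in CHECK_POINT_GROUPS]


def missing_groups(groups_response, domain):
    """Check Point group addresses absent from a Directory API groups.list response.

    Any address returned here after a GCDS sync means the sync removed the group: mail
    still flows, but those users are no longer scanned and no security events appear.
    """
    present = {g["email"].lower() for g in groups_response.get("groups", [])}
    return [addr for addr in expected_group_emails(domain) if addr.lower() not in present]


def service_user_role_findings(user_id, roles_response, assignments_response):
    """Flag a Super Admin role still held by the service user after the role change.

    roles_response is a roles.list result; assignments_response is a roleAssignments.list
    result. The check keys off isSuperAdminRole, not the role name. Empty list means OK.
    """
    roles_by_id = {r["roleId"]: r for r in roles_response.get("items", [])}
    assigned = [a for a in assignments_response.get("items", []) if a["assignedTo"] == user_id]
    findings = []
    if not assigned:
        findings.append("service user has no admin role; Harmony cannot manage Gmail settings or groups")
    for a in assigned:
        role = roles_by_id.get(a["roleId"])
        if role is None:
            findings.append(f"assignment {a['roleAssignmentId']} references unknown roleId {a['roleId']}")
        elif role.get("isSuperAdminRole"):
            findings.append(f"service user still holds Super Admin role {role['roleName']}")
    return findings


# --- constructed sample responses (not real tenant data) --------------------------
DOMAIN = "mycompany.com"
SERVICE_USER_ID = "100000000000000000001"  # made-up Directory API id of cloud-sec-av@

SAMPLE_GROUPS = {"groups": [
    {"id": "g1", "email": "check_point_inline_policy@mycompany.com"},
    {"id": "g2", "email": "check_point_inline_outgoing_policy@mycompany.com"},
    {"id": "g3", "email": "check_point_monitor_policy@mycompany.com"},
    # check_point_monitor_outgoing_policy is absent: the GCDS deletion scenario
]}

SAMPLE_ROLES = {"items": [
    {"roleId": "1", "roleName": "_SEED_ADMIN_ROLE", "isSuperAdminRole": True},
    {"roleId": "42", "roleName": "Check Point Service Role", "isSuperAdminRole": False},
]}

# Before the role change the service user still holds Super Admin; after it, only the custom role.
ASSIGNMENTS_BEFORE = {"items": [
    {"roleAssignmentId": "a1", "roleId": "1", "assignedTo": SERVICE_USER_ID, "scopeType": "CUSTOMER"},
]}
ASSIGNMENTS_AFTER = {"items": [
    {"roleAssignmentId": "a2", "roleId": "42", "assignedTo": SERVICE_USER_ID, "scopeType": "CUSTOMER"},
]}


def run_audit(groups=SAMPLE_GROUPS, roles=SAMPLE_ROLES, assignments=ASSIGNMENTS_BEFORE):
    """Return a dict of findings; an empty dict means the footprint looks healthy."""
    report = {}
    lost = missing_groups(groups, DOMAIN)
    if lost:
        report["missing_groups"] = lost
    role_issues = service_user_role_findings(SERVICE_USER_ID, roles, assignments)
    if role_issues:
        report["service_user_role"] = role_issues
    return report


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

Run against live data, the same functions take the output of the Directory API client's `groups().list(customer="my_customer")`, `roles().list(customer="my_customer")` and `roleAssignments().list(customer="my_customer", userKey=<service user>)` calls; scheduling it after each GCDS sync catches a deleted group before the gap in scanning goes unnoticed.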

Host

Harmony Email & Collaboration automatically creates a host (also called a mail route) in your Google Admin console. You can see the host in the Google Admin console under Apps > G Suite > Settings for Gmail > Hosts (Apps > Google Workspace > Gmail in newer versions of the Admin console).

Inbound Gateway

Harmony Email & Collaboration automatically creates an Inbound gateway. You can see the inbound gateway from the Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

Note - In the Inbound gateway settings, you must select the Require TLS for connections from the email gateways listed above checkbox, so that Gmail accepts mail from the gateway IP addresses only over TLS.

SMTP Relay Service

Harmony Email & Collaboration automatically creates an SMTP relay service. You can see the SMTP relay service from your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

Content Compliance Rules

Harmony Email & Collaboration automatically creates three Content Compliance Rules, and a fourth when Protect (Inline) mode is enabled. You can review the content compliance rules in your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings. The rules are called:

  • [tenantname]_monitor_ei

  • [tenantname]_monitor_ii

  • [tenantname]_monitor_eo

  • [tenantname]_inline_ei

where ei stands for incoming traffic, ii stands for internal traffic, and eo stands for outgoing traffic.

Note - The [tenantname]_inline_ei rule is created when Protect (Inline) mode is enabled. If you remove Protect (Inline) mode for users in Harmony Email & Collaboration, the Content Compliance Rule remains in the Google Admin console, but the membership of the user group check_point_inline_policy is updated to reflect that no users are protected in this mode.

Google Drive Permissions Changes

Depending on the Google Drive policy configured by the administrator, Harmony Email & Collaboration takes action (quarantine, remove permissions) on the files uploaded to Google Drive.

Harmony Email & Collaboration takes these actions as different users depending on whether the Drive that contains the file has an owner.

  • If the Drive has an owner, Harmony Email & Collaboration takes the action on behalf of the owner.

  • If Google Drive does not have an owner, Harmony Email & Collaboration follows this procedure:

    1. Harmony Email & Collaboration adds the Super Admin user as an owner of the Drive.

    2. Harmony Email & Collaboration uses the Super Admin user to take the necessary action on the file.

    3. Harmony Email & Collaboration removes the Super Admin user from being the owner of the Drive.
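The three-step procedure above has one failure mode worth handling explicitly: if the action in step 2 fails, step 3 must still run, or the Super Admin user stays an owner of the Drive. The following is an added example, not Check Point's implementation, that carries the procedure through against a constructed in-memory stand-in for the Drive API permission calls such a routine would make (permissions.list, permissions.create with role "organizer" and supportsAllDrives=True, permissions.delete). The `FakeDrive` data model, the `quarantine` action and the addresses used are assumptions made for illustration.

```python
"""Act on a Drive file when the drive has no owner: add the service user as owner,
act, and always remove it again.

Added example, not Check Point's code. FakeDrive is a constructed test double standing in
for Drive API permission calls; quarantine() is a sample action that, like Drive itself,
refuses to act for a principal who is not an organizer of the drive.
"""
from dataclasses import dataclass, field

ORGANIZER = "organizer"  # the shared-drive role that acts as "owner"


@dataclass
class Permission:
    perm_id: str
    email: str
    role: str


@dataclass
class FakeDrive:
    """Constructed stand-in for one shared drive (assumption for illustration)."""
    drive_id: str
    permissions: list = field(default_factory=list)
    files: dict = field(default_factory=dict)
    counter: int = 0

    def organizers(self):
        return [p for p in self.permissions if p.role == ORGANIZER]

    def create_permission(self, email, role):
        self.counter += 1
        perm = Permission(f"perm{self.counter}", email, role)
        self.permissions.append(perm)
        return perm

    def delete_permission(self, perm_id):
        self.permissions = [p for p in self.permissions if p.perm_id != perm_id]


def quarantine(drive, file_id, actor):
    """Sample action: only an organizer of the drive may quarantine a file."""
    if actor not in {p.email for p in drive.organizers()}:
        raise PermissionError(f"{actor} is not an organizer of {drive.drive_id}")
    drive.files[file_id]["quarantined"] = True


def remediate(drive, file_id, service_user, action=quarantine):
    """Run `action` as an existing owner, or as the service user under temporary ownership.

    Returns the account the action was taken as. The temporary organizer permission is
    removed in a finally block, so a failed action never leaves the Super Admin as owner.
    """
    owners = drive.organizers()
    if owners:
        action(drive, file_id, owners[0].email)  # drive has an owner: act on their behalf
        return owners[0].email
    temp = drive.create_permission(service_user, ORGANIZER)  # step 1: add as owner
    try:
        action(drive, file_id, service_user)                   # step 2: take the action
    finally:
        drive.delete_permission(temp.perm_id)                  # step 3: remove, even on failure
    return service_user


def demo(owned, fail=False):
    """Remediate one file; return (actor used, file quarantined?, service user still owner?)."""
    service_user = "cloud-sec-av@mycompany.com"  # the page's service user, example domain
    drive = FakeDrive("drive-1", files={"file-1": {"name": "invoice.pdf", "quarantined": False}})
    if owned:
        drive.create_permission("alice@mycompany.com", ORGANIZER)

    def failing_action(drive_, file_id, actor):
        raise RuntimeError("simulated API error during the action")

    try:
        actor = remediate(drive, "file-1", service_user, failing_action if fail else quarantine)
    except RuntimeError:
        actor = None
    still_owner = service_user in {p.email for p in drive.organizers()}
    return actor, drive.files["file-1"]["quarantined"], still_owner


if __name__ == "__main__":
    print("owned drive:      ", demo(owned=True))
    print("ownerless drive:  ", demo(owned=False))
    print("action failed:    ", demo(owned=False, fail=True))
```

The third scenario is the one to test in any real implementation: after a failed action the service user must not appear among the drive's organizers, otherwise each failure silently widens the Super Admin's footprint.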