Configuring the Exchange Security Agent

Internal emails between Microsoft Exchange clients use a proprietary protocol for Exchange communication. This protocol is not supported by the DLP gateway. To scan internal emails between Microsoft Exchange clients, you must install an Exchange Security Agent on the Exchange Server. The agent sends emails to the DLP gateway for inspection using the SMTP protocol encrypted with TLS. This requires connectivity between the Exchange server and the DLP gateway.

An Exchange Security Agent must be installed on each Exchange Server that passes traffic to the DLP gateway. Each agent is centrally managed through SmartConsole and can only send emails to one DLP gateway.

If your organization uses Exchange servers for all of its emails, you can also use this setup for scanning all emails.

To use the Exchange Security Agent it is necessary to configure settings in SmartConsole and on the Exchange server.

For more about using the Exchange Security Agent to examine internal emails, see some scenarios.

Configuring SmartConsole for the Exchange Security Agent

To define the Exchange Security Agent:

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Gateways.
  3. Click Actions > New Exchange Agent.

    The Check Point Exchange Agent wizard opens.

  4. Click Next. There are four pages in the wizard:
    • General
    • Trusted Communication
    • Inspection Scope
    • Configuration Summary
  5. After you complete the wizard, click Save and then close SmartDashboard.
  6. From SmartConsole, Install Policy.

Exchange Security Agent - General

Use the General page to enter information for the Exchange Security Agent.

Click Next.

Exchange Security Agent - Trusted Communication

Use the Trusted Communication page to enter the one-time password used to initialize SIC (Secure Internal Communication) between the Exchange Security Agent and the enforcing DLP gateway. This step creates a security certificate that is then used by the Exchange Security Agent.

Click Next.

Exchange Security Agent - Inspection Scope

Use the Inspection Scope window to define which emails to send for inspection. You can select all users or only specified users or user groups. It is recommended to start with specified users or user groups before inspecting all emails.

Note - You can define users or groups for whom emails will not be sent for inspection in an Exceptions list. You can also set a percentage of emails to inspect for the rest of the organization. This lets you gradually increase the inspection coverage of your organization's emails.

To define these options, edit the Exchange Security Agent in SmartConsole and open the Inspection Scope page.

Inspect all emails - All emails will be sent from the Exchange Security Agent to the enforcing DLP gateway for inspection.
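The selection described above (specified users or groups that are always inspected, an Exceptions list that is never inspected, and a percentage applied to the rest of the organization while coverage is ramped up) can be modelled as a small decision function. The following Python is an added example, not code from Check Point's agent; the agent's real sampling method is not documented on this page, so the stable hash-based bucketing used to apply the percentage is an assumption, as are the field names. The bypass reasons returned reuse the wording of the agent's Message Tracking table.

```python
import hashlib
from dataclasses import dataclass, field

# Added example, not Check Point code. Models the Inspection Scope options on
# this page: users/groups that are always inspected, an Exceptions list that is
# never inspected, and a percentage applied to the rest of the organization.
# "Inspect all emails" corresponds to rest_percent=100 with no listed users.


@dataclass
class InspectionScope:
    users: set = field(default_factory=set)       # always sent for inspection
    exceptions: set = field(default_factory=set)  # never sent for inspection
    rest_percent: int = 100                       # % of everyone else to inspect


def sender_bucket(sender: str) -> int:
    """Stable bucket 0..99 for a sender (assumed sampling method: a SHA-256
    hash, so a given sender is consistently inside or outside the sample
    instead of being re-drawn for every message)."""
    digest = hashlib.sha256(sender.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100


def decide(scope: InspectionScope, sender: str) -> tuple:
    """Return (send_to_gateway, reason). Exceptions win over every other
    setting; bypass reasons reuse the Message Tracking table wording."""
    s = sender.strip().lower()
    if s in scope.exceptions:
        return False, "Sender is included in the Inspection Scope exceptions"
    if s in scope.users:
        return True, "Sender is in the Inspection Scope users"
    if sender_bucket(s) < scope.rest_percent:
        return True, "Sender is in the inspected percentage of the organization"
    return False, "Sender is not included in Inspection Scope settings"


def coverage(scope: InspectionScope, senders) -> float:
    """Fraction of the given senders whose messages would be inspected; a
    quick check of a rollout percentage before raising it."""
    senders = list(senders)
    inspected = sum(1 for x in senders if decide(scope, x)[0])
    return inspected / len(senders) if senders else 0.0


if __name__ == "__main__":
    # Constructed sample configuration and senders.
    scope = InspectionScope(users={"alice@example.com"},
                            exceptions={"svc-backup@example.com"},
                            rest_percent=25)
    for who in ("alice@example.com", "svc-backup@example.com", "bob@example.com"):
        print(who, decide(scope, who))
    staff = [f"user{i}@example.com" for i in range(1000)]
    print(f"coverage of the rest of the organization: {coverage(scope, staff):.0%}")
```

Because the bucket is derived from the sender address rather than drawn per message, a user who is in the sampled percentage stays in it across the rollout, which keeps the Message Tracking log consistent for that user while the percentage is raised.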

Click Next.

Exchange Security Agent - Configuration Summary

The Exchange Agent Wizard is Completed window opens.

The next steps include:

Installing the Exchange Security Agent

To install the Exchange Security Agent:

  1. On the Exchange Server, download the DLP Exchange agent MSI from the R80.30 Home Page:
    1. From the Table of Contents, select Tools.
    2. Click Show / Hide the download matrix.
    3. In the Agents section, download the DLP Exchange agent MSI.
  2. Do the steps of the installation wizard.

Exchange Server Configuration

After the Exchange Security Agent has been installed on the Exchange server, you can:

Initializing Trusted Communication

There are two possible communication states:

To initialize trusted communication:

  1. On the Exchange server, open the Exchange Security Agent: Start > Check Point > Check Point Exchange Agent > Configure Check Point Exchange Agent
  2. In the Navigation pane, click Check Point Exchange Agent.
  3. Click Communication.

    The Trusted Communication window opens.

  4. Enter information in these fields:
    • Gateway name or IP - The same name or IP that is given to the DLP Security Gateway in SmartConsole.
    • Exchange agent object name - The same name that is set for the Exchange agent object in SmartConsole.
    • One time password - Used only for establishing the initial trust. When trust is established, trust is based on security certificates. This password must be the same as the one time password defined for the Exchange Security Agent in SmartConsole.
  5. Click Initialize to start the trusted communication procedure.

Starting the Exchange Security Agent

The Exchange Security Agent runs as an extension of the Microsoft Exchange Transport service. Each time you start or stop the agent, the Microsoft Exchange Transport service is restarted.

After you click Start, messages are sent to the Security Gateway for DLP inspection. The messages sent are based on the users or groups defined for inspection.

To start the Exchange Security Agent:

Statistics

The Statistics page in the Exchange Security Agent shows performance statistics and the number of emails it handles and sends to the Security Gateway.

The graph you see in the window is the Windows Performance Monitor graph. It shows some of the Windows counters plus the CPExchangeAgent counters. Alternatively, you can use the Windows Performance Monitor and add the CPExchangeAgent counters.

Statistics shown:

Message Tracking

In the Message Tracking window you can see logs for each message that goes through the Exchange Security Agent. You can do a search on all of the fields in the log and refresh the log.

You can see these values in the Event Id column:

This table describes the possible reasons for each of the event IDs.

Event ID - Reason

Receive
  • Empty - indicates that the message is being handled by the Exchange Security Agent

Release
  • Tap mode - when all of the rules in the Rule Base are detect or inform, the Exchange Security Agent automatically sends the message to its destination. The agent does not receive a response from the Security Gateway
  • Scanned by gateway
  • Timeout

Drop
  • Dropped by gateway - after Security Gateway inspection the message matched an ask or prevent rule

Bypass
  • DLP scanning is disabled - when DLP inspection is not enabled on the Security Gateway
  • Fail open active - if one of the bypass settings in the Advanced window is matched
  • Message is too big
  • Incoming message scanning is disabled
  • Internal message scanning is disabled
  • Incoming message scanning from other domains is disabled
  • Sender is included in the Inspection Scope exceptions
  • Sender is not included in Inspection Scope settings
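To turn the Event ID table into something that can be monitored, the following added Python example (not part of the Check Point agent) reads an exported Message Tracking log and reports how many messages went on to their destination without a gateway verdict, which is what every Bypass event and a Release caused by Timeout amount to. The export layout and its column names (Timestamp, MessageId, Sender, EventId, Reason) are assumptions and the sample records are constructed; the Event ID to reason mapping is the one in the table above.

```python
import csv
import io
from collections import Counter

# Added example, not Check Point code. Event IDs and reasons are taken from the
# Message Tracking table of the Exchange Security Agent; the CSV export layout
# and its column names are an assumption.
KNOWN_REASONS = {
    "Receive": {""},  # empty reason: the agent is still handling the message
    "Release": {"Tap mode", "Scanned by gateway", "Timeout"},
    "Drop": {"Dropped by gateway"},
    "Bypass": {
        "DLP scanning is disabled",
        "Fail open active",
        "Message is too big",
        "Incoming message scanning is disabled",
        "Internal message scanning is disabled",
        "Incoming message scanning from other domains is disabled",
        "Sender is included in the Inspection Scope exceptions",
        "Sender is not included in Inspection Scope settings",
    },
}

# Constructed sample export (not real agent output).
SAMPLE_LOG = """\
Timestamp,MessageId,Sender,EventId,Reason
2024-01-01T09:00:00,<m1@ex.local>,alice@ex.local,Receive,
2024-01-01T09:00:02,<m1@ex.local>,alice@ex.local,Release,Scanned by gateway
2024-01-01T09:01:00,<m2@ex.local>,bob@ex.local,Receive,
2024-01-01T09:01:30,<m2@ex.local>,bob@ex.local,Release,Timeout
2024-01-01T09:02:00,<m3@ex.local>,svc@ex.local,Bypass,Sender is included in the Inspection Scope exceptions
2024-01-01T09:03:00,<m4@ex.local>,carol@ex.local,Bypass,Fail open active
2024-01-01T09:04:00,<m5@ex.local>,dave@ex.local,Receive,
2024-01-01T09:04:05,<m5@ex.local>,dave@ex.local,Drop,Dropped by gateway
2024-01-01T09:05:00,<m6@ex.local>,eve@ex.local,Release,Unexpected reason
"""


def parse_tracking(text: str) -> list:
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_unscanned_delivery(row: dict) -> bool:
    """True when the message went on to its destination without a gateway
    verdict: every Bypass event, and a Release caused by Timeout. A Tap mode
    release is not counted: the gateway still sees the message there."""
    return (row["EventId"] == "Bypass"
            or (row["EventId"] == "Release" and row["Reason"] == "Timeout"))


def summarize(rows: list) -> dict:
    """Count (EventId, Reason) pairs and pick out the rows worth attention:
    unscanned deliveries and reasons the table does not list."""
    counts = Counter((r["EventId"], r["Reason"]) for r in rows)
    unscanned = [r for r in rows if is_unscanned_delivery(r)]
    unknown = [r for r in rows
               if r["Reason"] not in KNOWN_REASONS.get(r["EventId"], set())]
    return {"counts": counts, "unscanned": unscanned, "unknown": unknown}


def unscanned_ratio(rows: list) -> float:
    """Share of distinct messages that reached the destination without a
    verdict; a number worth trending while the inspection scope is widened."""
    ids = {r["MessageId"] for r in rows}
    bad = {r["MessageId"] for r in rows if is_unscanned_delivery(r)}
    return len(bad) / len(ids) if ids else 0.0


if __name__ == "__main__":
    rows = parse_tracking(SAMPLE_LOG)
    result = summarize(rows)
    for (event, reason), n in sorted(result["counts"].items()):
        print(f"{event:8} {reason or '(empty)':60} {n}")
    print(f"unscanned deliveries: {len(result['unscanned'])}"
          f" ({unscanned_ratio(rows):.0%} of messages)")
    for r in result["unknown"]:
        print("unlisted reason:", r["EventId"], r["Reason"], r["MessageId"])
```

A rising count of Fail open active or Timeout entries points at the gateway or the connectivity between the Exchange server and the gateway rather than at the policy, and a reason that is not in the table usually means the export format or the agent version differs from what the parser expects.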

Advanced

In the Advanced window you can configure log parameters and when not to send emails to the Security Gateway for DLP inspection.

The available options: