Configuring the Exchange Security Agent

Internal emails between Microsoft Exchange clients use a proprietary protocol for Exchange communication. This protocol is not supported by the DLP gateway. To scan internal emails between Microsoft Exchange clients, you must install an Exchange Security Agent on the Exchange Server. The agent sends emails to the DLP gateway for inspection using the SMTP protocol encrypted with TLS. This requires connectivity between the Exchange server and the DLP gateway.

An Exchange Security Agent must be installed on each Exchange Server that passes traffic to the DLP gateway. Each agent is centrally managed through SmartConsole and can only send emails to one DLP gateway.

If your organization uses Exchange servers for all of its emails, you can also use this setup for scanning all emails.

To use the Exchange Security Agent it is necessary to configure settings in SmartConsole and on the Exchange server.

For more about using the Exchange Security Agent to examine internal emails, see some scenarios.

Configuring SmartConsole for the Exchange Security Agent

To define the Exchange Security Agent:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Gateways.
3. Click Actions > New Exchange Agent.

   The Check Point Exchange Agent wizard opens.

4. Click Next. There are four pages in the wizard:
   • General
   • Trusted Communication
   • Inspection Scope
   • Configuration Summary
5. After you complete the wizard, click Save and then close SmartDashboard.
6. From SmartConsole, Install Policy.

Exchange Security Agent - General

Use the General page to enter information for the Exchange Security Agent.

• Name - Enter a name for the Exchange Security Agent.
• Inspected Exchange Server - Select the host object that represents the Exchange server on which the Exchange Security Agent is installed. If necessary, click New to create one.
• Exchange contact person (optional) - You can select the user object that represents the Exchange server administrator.
• Enforcing DLP gateway - Select the DLP gateway object that the Exchange Security Agent will send emails to for inspection. If you use a name to represent the DLP gateway in the Exchange Security Agent on the Exchange server, make sure to use the same name as this object.

Click Next.

Exchange Security Agent - Trusted Communication

Use the Trusted Communication page to enter the one-time password used to initialize SIC (Secure Internal Communication) between the Exchange Security Agent and the enforcing DLP gateway. This step creates a security certificate that is then used by the Exchange Security Agent.

• One-time password - Enter the one-time password and confirm it. Make sure that the same one-time password is entered in the Trusted Communication window of the Exchange Security Agent snap-in on the Exchange server.

Click Next.

Exchange Security Agent - Inspection Scope

Use the Inspection Scope window to define which emails to send for inspection. You can select all users or only specified users or user groups. It is recommended to start with specified users or user groups before inspecting all emails.

• Inspect emails sent only by these users or user groups - Define the Active directory, internal or LDAP users whose emails will be inspected.

Note - You can define users or groups for whom emails will not be sent for inspection in an Exceptions list. You can also set a percentage of emails to inspect for the rest of the organization. This lets you gradually increase the inspection coverage of your organization's emails. To define these options, edit the Exchange Security Agent in SmartConsole and open the Inspection Scope page.

Inspect all emails - All emails will be sent from the Exchange Security Agent to the enforcing DLP gateway for inspection.

Note - You can define users or groups for whom emails will not be sent for inspection in an Exceptions list. You can also set a percentage of emails to inspect for the rest of the organization. This lets you gradually increase the inspection coverage of your organization's emails.

To define these options, edit the Exchange Security Agent in SmartConsole and open the Inspection Scope page.

Click Next.

Exchange Security Agent - Configuration Summary

The Exchange Agent Wizard is Completed window opens.

The next steps include:

• Installing the policy on the DLP gateway.
• Installing and configuring the Exchange Security Agent on the Exchange server.

Installing the Exchange Security Agent

To install the Exchange Security Agent:

1. On the Exchange Server, download the DLP Exchange agent MSI from the R80.30 Home Page:
   1. From the Table of Contents, select Tools.
   2. Click Show / Hide the download matrix.
   3. In the Agents section, download the DLP Exchange agent MSI.
2. Do the steps of the installation wizard.

Exchange Server Configuration

After the Exchange Security Agent has been installed on the Exchange server, you can:

• Initialize trusted communication between the Check Point Exchange Security Agent and the Security Gateway.
• Start or stop the Exchange Security Agent that runs as an extension of the Microsoft Exchange Transport service.
• See Exchange Security Agent statistics.
• Monitor message status with the Message Tracking log.
• Configure when to bypass inspection of messages.

Initializing Trusted Communication

There are two possible communication states:

• Uninitialized is where trusted communication has not been established.
• Trust established is where the Exchange Security Agent has received the security certificate and can receive data securely from the Security Gateway.

To initialize trusted communication:

1. On the Exchange server, open the Exchange Security Agent: Start > Check Point > Check Point Exchange Agent > Configure Check Point Exchange Agent
2. In the Navigation pane, click Check Point Exchange Agent.
3. Click Communication.

   The Trusted Communication window opens.

4. Enter information in these fields:
   • Gateway name or IP - The same name or IP that is given to the DLP Security Gateway in SmartConsole.
   • Exchange agent object name - The same name that is set for the Exchange agent object in SmartConsole.
   • One time password - Used only for establishing the initial trust. When trust is established, trust is based on security certificates. This password must be the same as the one time password defined for the Exchange Security Agent in SmartConsole.
5. Click Initialize to start the trusted communication procedure.

Starting the Exchange Security Agent

The Exchange Security Agent runs as an extension of the Microsoft Exchange Transport service. When you start or stop the agent. Each time you start or stop the agent, you restart the Microsoft Exchange Transport service.

After you click Start, messages are sent to the Security Gateway for DLP inspection. The messages sent are based on the users or groups defined for inspection.

To start the Exchange Security Agent:

• In the Check Point Exchange Agent window, click Start.

Statistics

The Statistics page in the Exchange Security Agent shows performance statistics and the number of emails it handles and sends to the Security Gateway.

The graph you see in the window is the Windows Performance Monitor graph. It shows some of the Windows counters plus the CPExchangeAgent counters. Alternatively, you can use the Windows Performance Monitor and add the CPExchangeAgent counters.

Statistics shown:

• Latency per any message - The average latency in seconds of all email messages that go through the Exchange Security Agent.
• Latency per scanned message - The average latency in seconds of all email messages that go through the Exchange Security Agent and are then sent to the Security Gateway for inspection.
• Message queue length - Then number of emails that are currently being handled by the Exchange Security Agent.
• Total messages - Total number of emails handled by the Exchange Security Agent.
• Scanned messages - Total number of emails inspected by the DLP policy (includes dropped and allowed messages).
• Dropped messages - Emails dropped after being inspected by the DLP policy.

Message Tracking

In the Message Tracking window you can see logs for each message that goes through the Exchange Security Agent. You can do a search on all of the fields in the log and refresh the log.

You can see these values in the Event Id column:

• Receive - The message has been received by the Exchange Security Agent. The Reason column for this entry is always blank.
• Release - The message has been inspected by DLP and has been sent to its destination.
• Drop - The message has been dropped by DLP and has not been sent to its destination.
• Bypass - The Exchange Security Agent has not sent the message to DLP for inspection. The message is sent to its destination.

This table describes the possible reasons for each of the event IDs.

Event ID	Reason
Receive	Empty - indicates that the message is being handled by the Exchange Security Agent
Release	Tap mode - when all of the rules in the Rule Base are detect or inform, the Exchange Security Agent automatically sends the message to its destination. The agent does not receive a response from the Security Gateway
	Scanned by gateway
	Timeout
Drop	Dropped by gateway - after Security Gateway inspection the message matched an ask or prevent rule
Bypass	DLP scanning is disabled - when DLP inspection is not enabled on the Security Gateway
	Fail open active - if one of the bypass settings in the Advanced window is matched
	Message is too big
	Incoming message scanning is disabled
	Internal message scanning is disabled
	Incoming message scanning from other domains is disabled
	Sender is included in the Inspection Scope exceptions
	Sender is not included in Inspection Scope settings

Advanced

In the Advanced window you can configure log parameters and when not to send emails to the Security Gateway for DLP inspection.

The available options:

• Enable debug logs - Enables logs that contain debugging information about each email received (this is mainly for Check Point support).
• Bypass inspection of a single email after timeout of X seconds - Defines the timeout of sending an email to the Security Gateway for inspection. The default value is 60. The valid range of values is 1 to 120.
• Bypass email inspection for X seconds if: - Defines the time interval to not inspect emails. The default value is 120. The valid range of values is 30 to 3600.

  Email inspection is bypassed in these situations:

  • Additional latency exceeds X seconds - When the added average latency of traffic passing through the Exchange Security Agent is more than the defined time interval. The default value is 10. The valid range of values is 1 to 60.
  • Emails queue length exceeds X emails - When the number of emails in the Exchange queue is more than the defined number of emails. The default value is 50. The valid range of values is 1 to 300.
  • Exchange server CPU usage exceeds X % - When the Exchange server CPU uses more than the defined percentage. The default value is 90. The valid range of values is 20 to 100.
  • Gateway doesn't respond to the last X emails - When the Security Gateway does not respond to the last defined number of attempts. The default value is 25. The valid range of values is 1 to 100.