Internal emails between Microsoft Exchange clients use a proprietary protocol for Exchange communication. This protocol is not supported by the DLP gateway. To scan internal emails between Microsoft Exchange clients, you must install an Exchange Security Agent on the Exchange Server. The agent sends emails to the DLP gateway for inspection using the SMTP protocol encrypted with TLS. This requires connectivity between the Exchange server and the DLP gateway.
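The agent depends on SMTP-over-TLS connectivity to the DLP gateway, so a practitioner will want to verify that path from the Exchange server before installing. The following PowerShell script is an added example, not part of the Check Point documentation: it connects to the gateway, checks that the SMTP banner and EHLO response offer STARTTLS, negotiates TLS, and reports the certificate the gateway presents. It assumes the gateway accepts SMTP on TCP port 25 from this host (the page does not state the port); the gateway hostname is a placeholder.

```powershell
# Added example, not part of the Check Point documentation. Checks from the Exchange
# server that the DLP gateway is reachable over SMTP and offers STARTTLS, and reports
# the certificate it presents. Assumptions: the gateway accepts SMTP on TCP 25 from this
# host (the page does not state the port) and the hostname at the bottom is a placeholder.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies can span several lines; a '-' after the 3-digit code means "more follows"
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-DlpGatewaySmtpTls {
    param([string]$GatewayHost, [int]$Port = 25)
    $result = [ordered]@{
        Gateway = "$GatewayHost`:$Port"; TcpReachable = $false; StartTlsOffered = $false
        TlsProtocol = $null; CertSubject = $null; CertErrors = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($GatewayHost, $Port)
        $result.TcpReachable = $true
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner[0] -notlike '220*') { throw "Unexpected SMTP banner: $($banner -join ' | ')" }

        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        $ehlo = Read-SmtpReply $reader
        $result.StartTlsOffered = [bool]($ehlo | Where-Object { $_ -match '^250[ -]STARTTLS' })
        if (-not $result.StartTlsOffered) { return [pscustomobject]$result }

        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if ($reply[0] -notlike '220*') { throw "STARTTLS refused: $($reply -join ' | ')" }

        # Record certificate validation errors instead of failing the handshake, so an
        # untrusted (for example self-signed) gateway certificate is reported, not hidden.
        $script:CertErrors = [System.Net.Security.SslPolicyErrors]::None
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:CertErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        $ssl.AuthenticateAsClient($GatewayHost)
        $result.TlsProtocol = $ssl.SslProtocol.ToString()
        $result.CertSubject = $ssl.RemoteCertificate.Subject
        $result.CertErrors  = $script:CertErrors.ToString()
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

# Placeholder gateway name; replace with the DLP gateway's FQDN or IP address
Test-DlpGatewaySmtpTls -GatewayHost 'dlp-gateway.example.internal' | Format-List
```

A `CertErrors` value other than `None` means the Exchange server would not trust the gateway certificate with default validation; that is worth resolving before relying on the agent, since the agent's own trust is established separately through SIC.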
An Exchange Security Agent must be installed on each Exchange Server that passes traffic to the DLP gateway. Each agent is centrally managed through SmartConsole and can only send emails to one DLP gateway.
If your organization uses Exchange servers for all of its emails, you can also use this setup for scanning all emails.
To use the Exchange Security Agent, you must configure settings both in SmartConsole and on the Exchange server.
For more about using the Exchange Security Agent to examine internal emails, see some scenarios.
To define the Exchange Security Agent:
SmartDashboard opens and shows the DLP tab.
The Check Point Exchange Agent wizard opens.
Use the General page to enter information for the Exchange Security Agent.
Click Next.
Use the Trusted Communication page to enter the one-time password used to initialize SIC (Secure Internal Communication) between the Exchange Security Agent and the enforcing DLP gateway. This step creates a security certificate that is then used by the Exchange Security Agent.
Click Next.
Use the Inspection Scope window to define which emails to send for inspection. You can select all users or only specified users or user groups. It is recommended to start with specified users or user groups before inspecting all emails.
Inspect all emails - All emails will be sent from the Exchange Security Agent to the enforcing DLP gateway for inspection.
Note - You can define users or groups for whom emails will not be sent for inspection in an Exceptions list. You can also set a percentage of emails to inspect for the rest of the organization. This lets you gradually increase the inspection coverage of your organization's emails.
To define these options, edit the Exchange Security Agent in SmartConsole and open the Inspection Scope page.
Click Next.
The Exchange Agent Wizard is Completed window opens.
The next steps include:
To install the Exchange Security Agent:
After the Exchange Security Agent has been installed on the Exchange server, you can:
There are two possible communication states:
To initialize trusted communication:
The Trusted Communication window opens.
The Exchange Security Agent runs as an extension of the Microsoft Exchange Transport service. Each time you start or stop the agent, you restart the Microsoft Exchange Transport service.
After you click Start, messages are sent to the Security Gateway for DLP inspection. The messages sent are based on the users or groups defined for inspection.
To start the Exchange Security Agent:
The Statistics page in the Exchange Security Agent shows performance statistics and the number of emails it handles and sends to the Security Gateway.
The graph you see in the window is the Windows Performance Monitor graph. It shows some of the Windows counters plus the CPExchangeAgent counters. Alternatively, you can use the Windows Performance Monitor and add the CPExchangeAgent counters.
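Because the page names the CPExchangeAgent counter set but not its individual counters, the following PowerShell function is an added example, not part of the Check Point documentation: it discovers the counters registered under that set with `Get-Counter -ListSet`, samples them several times, and reports the average and maximum per counter, which is the same data the Statistics page graphs. It assumes the set is registered under the name `CPExchangeAgent` on the Exchange server where the agent is installed.

```powershell
# Added example, not part of the Check Point documentation. Discovers the counters in
# the CPExchangeAgent performance counter set named on the page and samples them for a
# short interval. Assumption: the set is registered under that name on the Exchange
# server; individual counter names are discovered at run time, not assumed.
function Get-CPExchangeAgentCounters {
    param(
        [string]$SetName = 'CPExchangeAgent',
        [int]$IntervalSeconds = 5,
        [int]$Samples = 6
    )
    $set = Get-Counter -ListSet $SetName -ErrorAction SilentlyContinue
    if (-not $set) {
        Write-Warning "Counter set '$SetName' not found; is the Exchange Security Agent installed and started?"
        return
    }
    # Collect several samples and average each counter so a single spike does not mislead
    $sampleSets = Get-Counter -Counter $set.Paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $sampleSets | ForEach-Object { $_.CounterSamples } |
        Group-Object Path | ForEach-Object {
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 2)
                Maximum = ($_.Group | Measure-Object CookedValue -Maximum).Maximum
            }
        }
}

Get-CPExchangeAgentCounters | Format-Table -AutoSize
```

The same counter paths can be added to a Performance Monitor data collector set for longer-term trending, which is the alternative the page mentions.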
Statistics shown:
In the Message Tracking window you can see logs for each message that goes through the Exchange Security Agent. You can do a search on all of the fields in the log and refresh the log.
You can see these values in the Event Id column:
This table describes the possible reasons for each of the event IDs.
| Event ID | Reason |
|---|---|
| Receive | Empty - indicates that the message is being handled by the Exchange Security Agent |
| Release | Tap mode - when all of the rules in the Rule Base are detect or inform, the Exchange Security Agent automatically sends the message to its destination. The agent does not receive a response from the Security Gateway |
| | Scanned by gateway |
| | Timeout |
| Drop | Dropped by gateway - after Security Gateway inspection the message matched an ask or prevent rule |
| Bypass | DLP scanning is disabled - when DLP inspection is not enabled on the Security Gateway |
| | Fail open active - if one of the bypass settings in the Advanced window is matched |
| | Message is too big |
| | Incoming message scanning is disabled |
| | Internal message scanning is disabled |
| | Incoming message scanning from other domains is disabled |
| | Sender is included in the Inspection Scope exceptions |
| | Sender is not included in Inspection Scope settings |
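The Event ID and Reason pairs above are what a defender should watch: a Bypass means the gateway never saw the message, and a Release with reason Timeout means the agent delivered it without waiting for a verdict. The following PowerShell script is an added example, not part of the Check Point documentation: it summarises a Message Tracking export by Event ID and Reason, identifies each message's final disposition, and warns when the share of messages delivered without a gateway verdict exceeds a threshold or when "Fail open active" appears. The CSV column layout and the sample rows are constructed for illustration; the page does not describe the agent's export format.

```powershell
# Added example, not part of the Check Point documentation. Summarises an exported
# Message Tracking log by Event ID and Reason and flags messages that were delivered
# without a Security Gateway verdict. The CSV column layout and the rows below are
# constructed for illustration; the page does not describe the agent's export format.
$sampleLog = @'
Timestamp,MessageId,Sender,EventId,Reason
2024-03-01T09:00:01,m1@ex.example,alice@example.com,Receive,
2024-03-01T09:00:02,m1@ex.example,alice@example.com,Release,Scanned by gateway
2024-03-01T09:00:05,m2@ex.example,bob@example.com,Receive,
2024-03-01T09:00:35,m2@ex.example,bob@example.com,Release,Timeout
2024-03-01T09:01:00,m3@ex.example,carol@example.com,Receive,
2024-03-01T09:01:01,m3@ex.example,carol@example.com,Bypass,Fail open active
2024-03-01T09:02:00,m4@ex.example,dave@example.com,Receive,
2024-03-01T09:02:03,m4@ex.example,dave@example.com,Drop,Dropped by gateway
2024-03-01T09:03:00,m5@ex.example,erin@example.com,Receive,
2024-03-01T09:03:01,m5@ex.example,erin@example.com,Bypass,Sender is not included in Inspection Scope settings
'@

function Get-DlpTrackingSummary {
    param([string[]]$CsvLines, [double]$NoVerdictThreshold = 0.10)
    $events = $CsvLines | ConvertFrom-Csv

    # One row per (Event ID, Reason) pair, as shown in the Message Tracking window
    $byEvent = $events | Where-Object { $_.EventId -ne 'Receive' } |
        Group-Object EventId, Reason | Sort-Object Name |
        Select-Object @{ n = 'Event'; e = { $_.Name } }, Count

    # Final disposition per message: the last non-Receive event for each MessageId
    $final = $events | Where-Object { $_.EventId -ne 'Receive' } |
        Group-Object MessageId | ForEach-Object { $_.Group | Select-Object -Last 1 }

    # Bypass: the gateway never saw the message. Release/Timeout: the agent released it
    # without a verdict. Tap mode is not counted, as the gateway still inspects (detect only).
    $noVerdict = @($final | Where-Object {
        $_.EventId -eq 'Bypass' -or ($_.EventId -eq 'Release' -and $_.Reason -eq 'Timeout')
    })
    $received = @($events | Where-Object { $_.EventId -eq 'Receive' }).Count
    $ratio = if ($received) { $noVerdict.Count / $received } else { 0 }

    [pscustomobject]@{
        Received       = $received
        ByEvent        = $byEvent
        NoVerdict      = $noVerdict | Select-Object MessageId, Sender, EventId, Reason
        NoVerdictRatio = [math]::Round($ratio, 2)
        AboveThreshold = $ratio -gt $NoVerdictThreshold
        FailOpenSeen   = [bool]($final | Where-Object { $_.Reason -eq 'Fail open active' })
    }
}

$summary = Get-DlpTrackingSummary -CsvLines ($sampleLog -split "`r?`n")
$summary.ByEvent   | Format-Table -AutoSize
$summary.NoVerdict | Format-Table -AutoSize
if ($summary.AboveThreshold) {
    Write-Warning "$($summary.NoVerdictRatio * 100)% of received messages left the agent without a gateway verdict"
}
if ($summary.FailOpenSeen) {
    Write-Warning 'Fail open active seen: check gateway availability and the bypass settings in the Advanced window'
}
```

On the constructed sample, three of five messages (m2, m3, m5) leave without a verdict, so both warnings fire. Against a real export, replace `$sampleLog` with the file contents (for example `Get-Content` of the exported CSV) and tune the threshold to the bypass percentage you have deliberately configured in the Inspection Scope.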
In the Advanced window you can configure log parameters and when not to send emails to the Security Gateway for DLP inspection.
The available options:
Email inspection is bypassed in these situations: