Exchange Server Configuration
After the Exchange Security Agent has been installed on the Exchange server, you can:
- Initialize trusted communication between the Check Point Exchange Security Agent and the Security Gateway
There are two possible communication states:
- Uninitialized is where trusted communication has not been established.
- Trust established is where the Exchange Security Agent got the security certificate and can get data securely from the Security Gateway.
To initialize trusted communication:
- On the Exchange server, open the Exchange Security Agent: Start > Check Point > Check Point Exchange Agent > Configure Check Point Exchange Agent.
- In the Navigation pane, click Check Point Exchange Agent.
- Click Communication.
  The Trusted Communication window opens.
- Enter information in these fields:
  - Gateway name or IP - The same name or IP that is given to the DLP Security Gateway in SmartConsole.
  - Exchange agent object name - The same name that is set for the Exchange agent object in SmartConsole.
  - One time password - Used only for establishing the initial trust. When trust is established, trust is based on security certificates. This password must be the same as the one time password defined for the Exchange Security Agent in SmartConsole.
- Click Initialize to start the trusted communication procedure.
- Start or stop the Exchange Security Agent that runs as an extension of the Microsoft Exchange Transport service
The Exchange Security Agent runs as an extension of the Microsoft Exchange Transport service. Each time you start or stop the agent, you restart the Microsoft Exchange Transport service.
After you click Start, messages are sent to the Security Gateway for DLP inspection. The messages sent are based on the users or groups defined for inspection.
To start the Exchange Security Agent:
In the Check Point Exchange Agent window, click Start.
- Exchange Security Agent statistics
The Statistics page in the Exchange Security Agent shows performance statistics and the number of emails it handles and sends to the Security Gateway.
The graph you see in the window is the Windows Performance Monitor graph. It shows some of the Windows counters plus the CPExchangeAgent counters. Alternatively, you can use the Windows Performance Monitor and add the CPExchangeAgent counters.
Statistics shown:
- Latency per any message - The average latency in seconds of all email messages that go through the Exchange Security Agent.
- Latency per scanned message - The average latency in seconds of all email messages that go through the Exchange Security Agent and are then sent to the Security Gateway for inspection.
- Message queue length - The number of emails that are currently being handled by the Exchange Security Agent.
- Total messages - Total number of emails handled by the Exchange Security Agent.
- Scanned messages - Total number of emails inspected by the DLP policy (includes dropped and allowed messages).
- Dropped messages - Emails dropped after being inspected by the DLP policy.
- Monitor message status with the Message Tracking log - Message Tracking
In the Message Tracking window you can see logs for each message that goes through the Exchange Security Agent. You can do a search on all of the fields in the log and refresh the log.
You can see these values in the Event Id column:

| Value | Description |
|---|---|
| Receive | The message has been received by the Exchange Security Agent. The Reason column for this entry is always blank. |
| Release | The message has been inspected by DLP and has been sent to its destination. |
| Drop | The message has been dropped by DLP and has not been sent to its destination. |
| Bypass | The Exchange Security Agent has not sent the message to DLP for inspection. The message is sent to its destination. |
The possible reasons for each of the event IDs:

| Event ID | Reason |
|---|---|
| Receive | Empty - indicates that the message is being handled by the Exchange Security Agent |
| Release | Tap mode - when all of the rules in the Rule Base are detect or inform, the Exchange Security Agent automatically sends the message to its destination. The agent does not receive a response from the Security Gateway |
| | Scanned by gateway |
| | Timeout |
| Drop | Dropped by gateway - after Security Gateway inspection the message matched an ask or prevent rule |
| Bypass | DLP scanning is disabled - when DLP inspection is not enabled on the Security Gateway |
| | Fail open active - if one of the bypass settings in the Advanced window is matched |
| | Message is too big |
| | Incoming message scanning is disabled |
| | Internal message scanning is disabled |
| | Incoming message scanning from other domains is disabled |
| | Sender is included in the Inspection Scope exceptions |
| | Sender is not included in Inspection Scope settings |
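
The event ID and reason pairs in the tables above can be used to measure how much mail reached its destination without a DLP verdict. The following Python sketch is an added example, not Check Point code; the CSV layout, the column names, the grouping into classes (including treating a Release with reason Timeout as a fail-open) and the 10% alert threshold are assumptions.

```python
import csv
import io
from collections import Counter

# (Event Id, Reason) pairs from the tables above. The grouping into classes
# is this example's assumption, not a Check Point classification.
CLASSES = {
    ("Release", "Scanned by gateway"): "inspected",
    ("Drop", "Dropped by gateway"): "inspected",
    ("Release", "Tap mode"): "tap",
    ("Release", "Timeout"): "failed_open",
    ("Bypass", "Fail open active"): "failed_open",
}

# Constructed sample; the CSV layout and column names are hypothetical.
SAMPLE = """Time,Sender,Event Id,Reason
2024-05-01 09:00:01,alice@example.com,Receive,
2024-05-01 09:00:02,alice@example.com,Release,Scanned by gateway
2024-05-01 09:00:05,bob@example.com,Drop,Dropped by gateway
2024-05-01 09:01:10,carol@example.com,Release,Timeout
2024-05-01 09:01:12,dave@example.com,Bypass,Fail open active
2024-05-01 09:01:15,erin@example.com,Bypass,Sender is not included in Inspection Scope settings
2024-05-01 09:04:30,frank@example.com,Release,Scanned by gateway
"""

def classify(event_id, reason):
    if event_id == "Receive":
        return None  # intake record only; its Reason is always blank
    # Bypass reasons not listed in CLASSES are configuration-driven skips.
    default = "skipped" if event_id == "Bypass" else "unknown"
    return CLASSES.get((event_id, reason), default)

def triage(csv_text, max_failed_open=0.10):
    """Count outcomes and list messages delivered after a fail-open."""
    counts, failed = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row["Event Id"].strip(), row["Reason"].strip())
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "failed_open":
            failed.append((row["Time"], row["Sender"], row["Reason"]))
    total = sum(counts.values())
    ratio = counts["failed_open"] / total if total else 0.0
    return {"counts": dict(counts), "failed_open": failed,
            "ratio": ratio, "alert": ratio > max_failed_open}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A rising `failed_open` share points at the bypass settings in the Advanced window or at gateway availability, while `skipped` reflects the configured inspection scope.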
- Advanced: configure when to bypass inspection of messages
In the Advanced window you can configure log parameters and when not to send emails to the Security Gateway for DLP inspection.
The available options:
- Enable debug logs - Enables logs that contain debugging information about each email received (this is mainly for Check Point support).
- Bypass inspection of a single email after timeout of X seconds - Defines the timeout of sending an email to the Security Gateway for inspection. The default value is 60. The valid range of values is 1 to 120.
- Bypass email inspection for X seconds if: - Defines the time interval to not inspect emails. The default value is 120. The valid range of values is 30 to 3600.
  Email inspection is bypassed in these situations:
  - Additional latency exceeds X seconds - When the added average latency of traffic passing through the Exchange Security Agent is more than the defined time interval. The default value is 10. The valid range of values is 1 to 60.
  - Emails queue length exceeds X emails - When the number of emails in the Exchange queue is more than the defined number of emails. The default value is 50. The valid range of values is 1 to 300.
  - Exchange server CPU usage exceeds X % - When the Exchange server CPU uses more than the defined percentage. The default value is 90. The valid range of values is 20 to 100.
  - Gateway doesn't respond to the last X emails - When the Security Gateway does not respond to the last defined number of attempts. The default value is 25. The valid range of values is 1 to 100.
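
Each fail-open condition above opens a period in which mail is delivered without DLP inspection, so the thresholds determine inspection coverage under load. This added Python example (not Check Point code) checks proposed values against the documented ranges and estimates bypassed time over a constructed metrics series; the setting key names, the metric names and the window model are assumptions.

```python
# Ranges and defaults from the Advanced options above: (min, max, default).
# Key names are hypothetical; the page gives only the GUI labels.
LIMITS = {
    "single_email_timeout_s": (1, 120, 60),
    "bypass_interval_s": (30, 3600, 120),
    "max_added_latency_s": (1, 60, 10),
    "max_queue_length": (1, 300, 50),
    "max_cpu_percent": (20, 100, 90),
    "max_unanswered_emails": (1, 100, 25),
}
DEFAULTS = {name: limit[2] for name, limit in LIMITS.items()}

def out_of_range(settings):
    """Names of settings that fall outside the documented range."""
    return sorted(k for k, v in settings.items()
                  if k in LIMITS and not LIMITS[k][0] <= v <= LIMITS[k][1])

def tripped(m, s):
    """Fail-open conditions met by one metrics sample m under settings s."""
    checks = [("latency", m["latency_s"] > s["max_added_latency_s"]),
              ("queue", m["queue"] > s["max_queue_length"]),
              ("cpu", m["cpu"] > s["max_cpu_percent"]),
              ("gateway", m["unanswered"] >= s["max_unanswered_emails"])]
    return [name for name, hit in checks if hit]

def bypassed_seconds(samples, s):
    """Seconds of uninspected mail flow. Simplified model (assumption): a
    tripped condition opens a window of bypass_interval_s seconds, and
    conditions are only checked again once that window has closed."""
    total, open_until = 0, -1
    for t, metrics in samples:
        if t >= open_until and tripped(metrics, s):
            open_until = t + s["bypass_interval_s"]
            total += s["bypass_interval_s"]
    return total

# Constructed samples: (seconds since start, metrics at that moment).
SAMPLES = [
    (0, {"latency_s": 2, "queue": 10, "cpu": 40, "unanswered": 0}),
    (60, {"latency_s": 12, "queue": 10, "cpu": 40, "unanswered": 0}),
    (120, {"latency_s": 3, "queue": 80, "cpu": 95, "unanswered": 0}),
    (180, {"latency_s": 3, "queue": 20, "cpu": 50, "unanswered": 0}),
    (240, {"latency_s": 3, "queue": 20, "cpu": 95, "unanswered": 25}),
]

if __name__ == "__main__":
    print(bypassed_seconds(SAMPLES, DEFAULTS))
    print(bypassed_seconds(SAMPLES, {**DEFAULTS, "bypass_interval_s": 30}))
```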