
Symantec™ Data Loss Prevention Cloud Service for Email Implementation Guide

Last updated: 26 March 2019


Symantec Data Loss Prevention Cloud Service for
Email Implementation Guide
Documentation version: 15.5

Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.

Symantec, CloudSOC, Blue Coat, the Symantec Logo, the Checkmark Logo, the Blue Coat logo, and the
Shield Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

https://www.symantec.com
Symantec Support
All support services will be delivered in accordance with your support agreement and the
then-current Enterprise Technical Support policy.

Knowledge Base Articles and Symantec Connect


Before you contact Technical Support, you can find free content in our online Knowledge Base,
which includes troubleshooting articles, how-to articles, alerts, and product manuals. In the
search box of the following URL, type the name of your product:
https://support.symantec.com
Access our blogs and online forums to engage with other customers, partners, and Symantec
employees on a wide range of topics at the following URL:
https://www.symantec.com/connect

Technical Support and Enterprise Customer Support


Symantec Support maintains support centers globally 24 hours a day, 7 days a week. Technical
Support’s primary role is to respond to specific queries about product features and functionality.
Enterprise Customer Support assists with non-technical questions, such as license activation,
software version upgrades, product access, and renewals.
For Symantec Support terms, conditions, policies, and other support information, see:
https://entced.symantec.com/default/ent/supportref
To contact Symantec Support, see:
https://support.symantec.com/en_US/contact-support.html
Contents

Symantec Support

Chapter 1 Introducing Cloud Service for Email
    About Symantec Data Loss Prevention Cloud Service for Email
    About updates to this guide
    Customer roles
    About Symantec Email Security.cloud
    About the provisioning form
    Support for Symantec Cloud Service for Email
    Symantec Cloud Service for Email architecture and mail flow
    System requirements

Chapter 2 Deploying the Cloud Service for Email
    Preparing to implement Symantec Cloud Service for Email
    Implementation overview
    Saving the enrollment bundle
    Accessing the cloud service from the Enforce Server
        Opening a port for communication with the cloud service
        Configuring the Enforce Server to use a proxy to connect to cloud services
    Registering the Cloud Detector
    Enabling incident reconciliation
    Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding mode)
    Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)
    Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)
    Detecting emails from a subset of Office 365 Exchange Online users
    Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for Email
    Detecting emails from a subset of Google G Suite Gmail users
    Testing Symantec Cloud Service for Email
    About updating email domains in the Enforce Server administration console
        Adding the unique TXT record to your DNS settings
        Updating email domains
        Update override by the Symantec Cloud Service
        Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting mode

Chapter 3 Creating Policies and Managing Incidents for the Cloud Service for Email
    Creating and publishing a policy group for Symantec Cloud Service for Email
    Encrypting cloud email with Symantec Information Centric Encryption
        Implementing ICE with Cloud Service for Email
        Configuring the Enforce Server to communicate with the ICE service
        Creating encryption response rules for ICE encryption
        About decrypting ICE encrypted email
        Viewing details about ICE incidents

Chapter 4 Best Practices for Cloud Service for Email
    Modify SPF records in Email Security.cloud to ensure email delivery
    Delete the Cloud Detector to reset Symantec Cloud Service for Email
    Requesting or renewing a new Cloud certificate
    Understand size limits for profiles
    Review known issues for Symantec Cloud Service for Email

Chapter 5 Using additional Symantec Email Security.cloud features
    Using Symantec Email Security.cloud Data Protection
        Using Symantec Email Security.cloud Policy Based Encryption
        Using Data Protection to silently block email messages

Chapter 1
Introducing Cloud Service for Email
This chapter includes the following topics:

■ About Symantec Data Loss Prevention Cloud Service for Email

■ About updates to this guide

■ Customer roles

■ About Symantec Email Security.cloud

■ About the provisioning form

■ Support for Symantec Cloud Service for Email

■ Symantec Cloud Service for Email architecture and mail flow

■ System requirements

About Symantec Data Loss Prevention Cloud Service for Email
Symantec Data Loss Prevention Cloud Service for Email accurately detects confidential data
in corporate email that is sent from a Microsoft Exchange Server, Microsoft Office 365 Exchange
Online, or Google G Suite Gmail. It accelerates your enterprise's cloud email adoption by
seamlessly integrating Symantec’s market-leading data loss prevention controls with your
enterprise's cloud email service (Microsoft Office 365 Exchange Online and Google G Suite
Gmail are supported).
Symantec Cloud Service for Email monitors and analyzes outbound email traffic
from your cloud email service and can encrypt, block, redirect, or modify email messages as
specified in your enterprise’s policies. In addition, you can add the powerful data protection
capabilities of Symantec Information Centric Encryption (ICE).
The Symantec Cloud Service for Email solution lets you author data loss policies, review and
remediate incidents, and administer your Data Loss Prevention system at the Enforce Server
administration console. This solution enables your enterprise to leverage its existing investment
in policy definition and administration as well as incident remediation processes. The capability
to use Symantec Cloud Service for Email to monitor and analyze on-premises Microsoft
Exchange email traffic provides you with a seamless migration path to the cloud if you plan to
move to a cloud email service, such as Microsoft Office 365 Exchange Online or Google G
Suite Gmail.
Symantec Data Loss Prevention supports Office 365 Reflecting mode. You can configure a
Microsoft Exchange Office 365 inbound connector as a mail transfer agent.
The Symantec Data Loss Prevention Cloud Service for Email solution also integrates with
Symantec Email Security.cloud for email delivery and also includes inbound and outbound
email security services. See “About Symantec Email Security.cloud” on page 10.

Note: You can monitor on-premises Microsoft Exchange, Microsoft Office 365, and Google G
Suite Gmail all from one Enforce Server. The monitoring of both on-premises Exchange emails
and Office 365 Exchange Online emails is known as a hybrid deployment.

About updates to this guide


The Cloud Service for Email Implementation Guide is regularly updated with new features and
updates to existing features. You can find the latest version of this guide at the Symantec
support center:
https://www.symantec.com/docs/DOC9008
Subscribe to this article at the Symantec Support Center to be notified when it is updated.
The following table provides the history of updates to this version of the Cloud Service for
Email Implementation Guide.

Table 1-1 Change History for the Cloud Service for Email Implementation Guide

Date: 26 March 2019
Description:
■ Added "Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting
mode." This section includes information about TXT record IDs for domains and the upgrade
process.
■ Clarified that while Cloud Service for Email is in Reconcile mode, you must contact Symantec
Support if you want to remove domains.
■ Corrected URL from pki.scep.symauth.com to pki-scep.symauth.com.

Customer roles
Several people in your organization may need to coordinate activities during the implementation
of Symantec Cloud Service for Email. Although you may have different labels for each of these
roles, or responsibilities may overlap, it's important to have an idea of who needs to participate
in the implementation process.

Table 1-2 Implementing Symantec Cloud Service for Email: roles and responsibilities

Role: Email Administrator
Typical responsibilities:
Fills out the Provisioning form and sets up Symantec Email Security.cloud, if you use it for
final email delivery.

Configures email service and routes outbound email from Microsoft Exchange, Microsoft Office
365 Exchange Online, or Google G Suite Gmail to DLP Symantec Cloud Service for Email.

If you configure Office 365 Exchange Online reflecting mode, the email administrator also
provides the DLP administrator the Office 365 endpoint URL to route mail from the DLP Symantec
Cloud Service for Email.

The Email Administrator is usually part of a large email administration team, and in charge
of all mail server administration tasks including mail routing, rules, mail security, and
archiving for the organization. This administrator may or may not be the same as the DLP
Administrator.

Role: DLP Administrator
Typical responsibilities:
Installs Data Loss Prevention and registers the Data Loss Prevention cloud detector within the
Enforce Server administration console. Sets up ICE encryption. Updates the email domains in
the Enforce Server administration console. Creates policies, remediates incidents, monitors
the user risk summary, generates reports, configures system management and roles, and
configures detectors.

Role: Network Administrator
Typical responsibilities:
Enables access from the Enforce Server to the Symantec Data Loss Prevention cloud gateway.

About Symantec Email Security.cloud


Symantec Email Security.cloud acts as an outbound mail transfer agent for emails passing
through Symantec Cloud Service for Email for detection. You can also use Office 365 Reflecting
mode as a mail transfer agent for Microsoft Office 365. Symantec Email Security.cloud enables
you to redirect, silent-block, quarantine, or encrypt emails through its data protection
functionality. Policy Based Encryption and Silent Blocking are two examples of how data
protection can be enforced using Symantec Email Security.cloud. See “Using Symantec Email
Security.cloud Data Protection” on page 53.
To see how Symantec Email Security.cloud fits in with other components of Symantec Cloud
Service for Email, see Symantec Cloud Service for Email architecture and mail flow.
You can find overviews of Symantec Email Security.cloud features at
https://www.symantec.com/products/email-security-cloud
You can find more information on setting up and using other Symantec Email Security.cloud
features at
https://support.symantec.com/en_US/email-security-cloud.html

About the provisioning form


When you order Symantec Cloud Service for Email, you must fill out a provisioning form,
provided by your Symantec sales representative, to complete your order. The information that
is required includes:
■ Information about your company and whether you are a new customer or an existing
customer of Symantec Email Security Services
■ Domain and inbound delivery information


Symantec creates a Symantec Email Security.cloud account on your behalf or adds Symantec
Data Loss Prevention service to your existing Symantec Email Security.cloud account.

Support for Symantec Cloud Service for Email


For help with troubleshooting your service, contact Symantec Support at
https://support.symantec.com/en_US/contact-support.html

Table 1-3 Where to go for other support

Problem: Problems with Microsoft Exchange or Microsoft Office 365 Exchange Online
Contact: Contact Microsoft Support at www.support.microsoft.com

Problem: Problems with Google G Suite Gmail
Contact: Contact Google G Suite Support at https://gsuite.google.com/setup-hub/

Symantec Cloud Service for Email architecture and mail flow
Symantec Cloud Service for Email consists of the following components:
■ Symantec Data Loss Prevention version 14.6 MP1 or later.
■ Symantec Cloud Detectors that provide Symantec Data Loss Prevention in the Symantec
cloud.
■ Your organization's on-premises Microsoft Exchange deployment, Microsoft Office 365
Exchange Online, or Google G Suite Gmail setup to relay SMTP traffic to Symantec Cloud
Service for Email.
■ Symantec Email Security.cloud for email delivery. For Office 365, you can provide email
delivery with Office 365 Reflecting mode.
After a message is sent, it is routed through the cloud detector and then delivered to its
final destination. Figure 1-1 depicts this process when you use Email Security.cloud.

Figure 1-1 Message flow for Symantec Cloud Service for Email

Here's a summary of how an email flows through the system:


1. Mary, an employee, sends an outbound email message from her corporate on-premises
Exchange, Office 365 Exchange Online, or Google G Suite Gmail account to Bob, an
external user.
2. The email is sent to the on-premises Exchange servers, the Exchange Online servers in
the Office 365 Exchange Online cloud, or Google G Suite Gmail servers in the Google
cloud.
3. The administrator has set up Office 365 Exchange Online or Google G Suite Gmail so
the corresponding servers route email messages to Symantec Cloud Service for Email
that resides in the Symantec cloud.
4. Symantec Cloud Service for Email leverages the existing policies that are defined in the
Enforce Server, and analyzes the emails for any violations of these policies. If any policy
is violated, the Symantec Cloud Detector adds directives in the form of X-Headers to the
email. Then, it generates incidents and sends them to the customer's on-premises Enforce
Server. At the Enforce Server administration console, the Data Loss Prevention
administrator or remediator can view incident reports.
5. Emails that pass detection are routed for final delivery through Symantec Email
Security.cloud. Office 365 mail can be routed for final delivery through Office 365 Reflecting
mode.
Based on data protection policies that are defined within Email Security.cloud and
X-Headers that the Symantec Cloud Detector inserts, Email Security.cloud blocks, encrypts,
quarantines, or redirects the email before delivery to the recipient mail server.
6. In this case, the email that passed detection is delivered to Bob.

System requirements
The following components are necessary for Symantec Cloud Service for Email:
■ A Symantec Data Loss Prevention Enforce Server, version 14.6 MP1 or later, and an Oracle
database
■ A license for Symantec Data Loss Prevention Cloud Service for Email for each
mail service you monitor
■ An enrollment bundle for Symantec Data Loss Prevention
■ An on-premises Microsoft Exchange Server, or a Microsoft Office 365 Exchange Online
or Google G Suite Gmail online hosting account
■ An account with Symantec Email Security.cloud, only if you use it as a mail transfer agent
■ An Office 365 Exchange Online account set up in Reflecting mode, if you use it as a mail
transfer agent
For more information on the hardware requirements and software requirements for the Enforce
Server and the Oracle database, see the latest version of the Symantec Data Loss Prevention
System Requirements and Compatibility Guide available at
https://support.symantec.com/en_US/article.DOC10602.html
Chapter 2
Deploying the Cloud Service for Email
This chapter includes the following topics:

■ Preparing to implement Symantec Cloud Service for Email

■ Implementation overview

■ Saving the enrollment bundle

■ Accessing the cloud service from the Enforce Server

■ Registering the Cloud Detector

■ Enabling incident reconciliation

■ Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email
for delivery (Forwarding mode)

■ Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding
mode)

■ Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)

■ Detecting emails from a subset of Office 365 Exchange Online users

■ Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service
for Email

■ Detecting emails from a subset of Google G Suite Gmail users

■ Testing Symantec Cloud Service for Email

■ About updating email domains in the Enforce Server administration console


Preparing to implement Symantec Cloud Service for Email
Before you implement Symantec Cloud Service for Email, you must complete a few preliminary
tasks.
■ Determine who in your organization is responsible for each of the implementation tasks.
For initial implementation, the two roles that are required are DLP administrator (DLP
Admin) and Email administrator (Email Admin).
■ Fill out the provisioning form and submit it to Symantec, as directed. Your sales
representative provides you with a Symantec Cloud Service for Email provisioning form.
See “About the provisioning form” on page 10.

Implementation overview
Implementing Symantec Cloud Service for Email is a multi-step process. Symantec Data Loss
Prevention Cloud Detectors, as well as the Email Security.cloud service, are both already
provisioned for you in the Symantec cloud. Table 2-1 provides an overview of the steps that
you must take to start using the services that are provisioned in the Symantec cloud. See the
cross-referenced sections for more details.

Table 2-1 Overview of Symantec Cloud Service for Email setup

Step 1
Action: DLP Admin: Upgrade to Symantec Data Loss Prevention version 14.6 MP1 or later, if you
are running a previous version.
More information: See the Symantec Data Loss Prevention Upgrade Guide and Symantec Data Loss
Prevention Administration Guide for more details.

Step 2
Action: DLP Admin: Open a port for the Enforce Server to communicate with the Symantec Cloud
Service for Email.
More information: See “Opening a port for communication with the cloud service” on page 19.

Step 3
Action: DLP Admin: Save the enrollment bundle to a directory on the Enforce Server.
More information: Symantec sends you an enrollment bundle, in the form of a zip file, after it
provisions the service in the cloud. This bundle sets up your on-premises Enforce Server so
that it can connect to your Symantec Cloud Service for Email in the Symantec cloud.
Note: Do not extract the zip file; extracted files in XML format do not work.
See “Saving the enrollment bundle” on page 18.

Step 4
Action: DLP Admin: Register the Cloud Detector.
More information: Register the Cloud Detector on the Servers and Detectors page of the Enforce
Server administration console. See “Registering the Cloud Detector” on page 20.

Step 5
Action: DLP Admin: Enable incident reconciliation.
More information: See “Enabling incident reconciliation” on page 21.

Step 6
Action: Email Admin: Depending on which email service you use:
■ Connect on-premises Exchange with Symantec Cloud Service for Email using the Exchange
Administration Center.
■ Connect Microsoft Office 365 Exchange Online with Symantec Cloud Service for Email using
Exchange admin center. This method uses Symantec Email Security.cloud.
■ Connect Microsoft Office 365 Online with Symantec Cloud Service for Email using admin
center. This method uses an Office 365 receive connector.
■ Connect Google G Suite Gmail with Symantec Cloud Service for Email using the Google Admin
console. This method uses Symantec Email Security.cloud.
More information:
See “Configuring Office 365 to use Symantec Email Security.cloud for email delivery
(Forwarding mode)” on page 27.
See “Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)” on page 29.
See “Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for
Email” on page 33.

Step 7
Action: DLP Admin: Test Symantec Cloud Service for Email.
More information: Generate an incident against a test policy. See the section "Testing Network
Prevent for Email" in the Symantec Data Loss Prevention Administration Guide for more
information.

Step 8
Action: DLP Admin: Create policies and monitor incidents for Symantec Cloud Service for Email.
More information: See the section "Creating a policy for Network Prevent for Email" in the
Symantec Data Loss Prevention Administration Guide for more information.

Step 9
Action: DLP Admin and ICE Admin: Set up ICE for Email encryption.
More information: See “Encrypting cloud email with Symantec Information Centric Encryption”
on page 41.

Step 10
Action: DLP Admin: Update email domains in the Enforce Server administration console.
More information: See “About updating email domains in the Enforce Server administration
console” on page 36.

Saving the enrollment bundle


After Symantec has set up your detection service in the cloud, Symantec sends you an
enrollment bundle. This bundle contains the information that you need to set up the connection
from your on-premises Enforce Server to the Symantec-hosted detection service in the cloud.
You can copy the enrollment bundle to any directory on your Enforce Server. Do not extract
the enrollment bundle zip file. The Enforce Server administration console requires the enrollment
bundle in the form of a zip file; extracted XML files do not enable enrollment.

Note: Each enrollment bundle can be uploaded to the Enforce Server to register your service
only once. The enrollment bundle expires 7 calendar days after you receive it. For security
reasons, you should ensure that no other user can access the bundle. To ensure limited
access, change the properties of the destination folder so that no other user can read it or
write to it.
If you have waited longer than 7 calendar days to upload your bundle and register the service,
and need a new enrollment bundle, contact Symantec Support at
https://support.symantec.com/en_US/contact-support.html

For example, on Windows, save the bundle to
C:\Users\<username>\Downloads
or any other subfolder under c:\Users\<username>.

On Linux, save the bundle to
/<home>/<username>/
or any subfolder under /<home>/<username>/.

Note: You should receive an enrollment bundle shortly after Symantec provisions your service.
If you have not received an enrollment bundle in a reasonable amount of time, check your
Junk mailbox. Check with your internal IT department to ensure that your company has no
inbound filters that may have blocked receipt of the enrollment bundle zip file.

Accessing the cloud service from the Enforce Server


You can establish communication between the Enforce Server and the cloud service either
directly or by using a proxy.

Opening a port for communication with the cloud service


The on-premises Enforce Server must be able to communicate with the Symantec Cloud
Service for Email. Your corporate network must allow outbound traffic to port 443. Open port
443 and ensure that access to the following URLs is allowed for connecting to the DLP cloud
service:
■ pki-scep.symauth.com
■ gw.csg.dlp.protect.symantec.com
See your network administrator for more information on opening a port in your environment.
If your enterprise has deployed a transparent proxy between the Enforce Server and the
Symantec Data Loss Prevention cloud service, the Enforce Server does not trust the transparent
proxy CA and the communication fails. You must exempt the Enforce Server from the
transparent proxy and allow it to communicate outbound on TCP port 443 to the Internet.
If your enterprise security policy does not allow this access from your Enforce Server, see
Configuring the Enforce Server to use a proxy to connect to cloud services.
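
One way to confirm, from a Linux Enforce Server host, that port 443 to both URLs is reachable and that no transparent proxy is re-signing the TLS session. This is an added example, not part of the Symantec guide: the function names are hypothetical, the openssl command-line tool is assumed to be installed, and the proxy CA name you pass in (shown as "Example Corp Proxy CA") stands for the subject name of your own interception CA.

```shell
#!/bin/sh
# Added example (not Symantec code): check the outbound path from the Enforce
# Server host to the two DLP cloud URLs named in this section.
# Assumptions: the openssl CLI is installed; function names are hypothetical;
# the proxy CA name passed on the command line is your own interception CA.

DLP_CLOUD_HOSTS="pki-scep.symauth.com gw.csg.dlp.protect.symantec.com"

# Run a command with a 10-second limit when coreutils "timeout" is available,
# so a silently dropped connection does not hang the check.
run_limited() {
    if command -v timeout >/dev/null 2>&1; then timeout 10 "$@"; else "$@"; fi
}

# Print the issuer line of the certificate presented on host:443.
# Prints nothing when the TCP or TLS handshake does not complete.
leaf_issuer() {
    run_limited openssl s_client -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer line against the subject name of the transparent proxy CA:
#   unreachable      no certificate was received (port 443 blocked or filtered)
#   intercepted      the certificate was issued by the proxy CA
#   not-intercepted  a certificate arrived and the proxy CA did not issue it
classify_issuer() {
    issuer=$1
    proxy_ca=$2
    if [ -z "$issuer" ]; then
        echo "unreachable"
    elif printf '%s\n' "$issuer" | grep -qiF -e "$proxy_ca"; then
        echo "intercepted"
    else
        echo "not-intercepted"
    fi
}

# Check every DLP cloud host; succeed only when all of them are reachable
# and none presents a certificate issued by the proxy CA.
check_dlp_cloud_paths() {
    proxy_ca=$1
    failures=0
    for host in $DLP_CLOUD_HOSTS; do
        result=$(classify_issuer "$(leaf_issuer "$host")" "$proxy_ca")
        echo "$host:443 $result"
        if [ "$result" != "not-intercepted" ]; then failures=$((failures + 1)); fi
    done
    [ "$failures" -eq 0 ]
}

# Usage: sh check_dlp_cloud_paths.sh "Example Corp Proxy CA"
if [ "$#" -ge 1 ] && [ -n "$1" ]; then
    check_dlp_cloud_paths "$1"
fi
```

This check connects directly, so on a network that only permits outbound traffic through a manual proxy it reports unreachable.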

Configuring the Enforce Server to use a proxy to connect to cloud services
To configure the Enforce Server to use a proxy to connect to cloud services, you must set up
your proxy according to the proxy manufacturer's instructions. Then you configure the Enforce
Server to support the use of the proxy. After setting up your proxy, use these instructions to
complete the setup.
If you have configured the Enforce Server to connect to the Symantec ICE Cloud, Network
Protect uses the configured proxy to connect to the ICE Cloud whenever a SharePoint scan
triggers the SharePoint Encrypt response action.
Network Discover/Cloud Storage Discover also supports network proxies for connecting to the
ICE Cloud during file share (File System) scans. To configure the network proxy settings for
file share scans, you must update the Server configuration.

To configure the Enforce Server to use a proxy to connect to a cloud service


1 Go to System > Settings > General and click Configure. The Edit General Settings
screen is displayed.
2 In the Enforce to Cloud Proxy Settings section, select one of the following proxy
categories:
■ No proxy, or transparent proxy, or
■ Manual proxy

3 If you choose Manual proxy, fields for a URL, Port, and Proxy is Authenticated appear.
■ Enter the HTTP Proxy URL.
■ Enter a port number.

4 If you are using an authenticated proxy, also enter


■ a user ID
■ a password

Note: The Enforce Server supports basic authentication when using a proxy to connect
to cloud services. For connecting to the ICE Cloud, the Enforce Server supports basic,
NTLM, and Kerberos authentication.

5 Click Save.

Registering the Cloud Detector


After you save the enrollment bundle, you can register your detector, enabling your on-premises
Enforce Server to communicate with your Symantec Cloud Service for Email.
To add a Symantec Cloud Service for Email Cloud Detector
1 Log on to the Enforce Server as administrator.
2 Go to System > Servers and Detectors.
The Overview page appears.
3 Click Add Cloud Detector.
The Add Cloud Detector screen appears.
4 Click Browse in the Enrollment Bundle File field.
5 Locate the enrollmentbundle.zip that you received from Symantec and saved to your
Enforce Server.
The detector description for the chosen enrollment bundle appears. Verify that you have
chosen the correct bundle.
6 Add a name for this detector in the Detector Name field.
7 Click the Enroll Detector option to enroll your detector. The enrollment process can take
some time. You can track its progress on the Servers and Detectors > Overview page.
It may take several minutes or longer for the Enforce Server administration console to show
a Connected status for the Cloud Detector. To verify that the service was added, return to the
Servers and Detectors > Overview page. Verify that the cloud service appears in the list,
and that the status indicates Connected. After several minutes, if the connection status still
displays Unknown, you should restart the Monitor Controller process to move the status to
Connected.

Note: Each enrollment bundle can be uploaded to the Enforce Server to register your service
only once. The enrollment bundle expires 7 calendar days after you receive it. For security
reasons, you should ensure that no other user can access the bundle. To ensure limited
access, change the properties of the destination folder so that no other user can read it or
write to it.
If you have waited longer than 7 calendar days to upload your bundle and register the service,
and need a new enrollment bundle, contact Symantec Support at
https://support.symantec.com
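
The two conditions in the note above (owner-only access to the folder and a 7-day lifetime) can be checked before you upload the bundle. The following Python check is an added example, not part of the Symantec guide or product; it assumes a Linux Enforce Server (POSIX permission bits), and the function names and the received_at argument are hypothetical.

```python
import os
import stat
import tempfile
from datetime import datetime, timedelta

# From the guide: the bundle expires 7 calendar days after you receive it.
BUNDLE_LIFETIME = timedelta(days=7)


def audit_enrollment_bundle(bundle_path, received_at, now=None):
    """Return a list of findings; an empty list means the checks passed.

    received_at is when you received the bundle from Symantec (hypothetical
    argument; the file's own mtime is not a reliable substitute).
    """
    now = now or datetime.now()
    findings = []
    folder = os.path.dirname(os.path.abspath(bundle_path))
    for label, path in (("folder", folder), ("bundle", bundle_path)):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # Any group/other bit lets a second account read, write or traverse.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{label} {path}: mode {mode:03o} grants access beyond the owner")
    expires = received_at + BUNDLE_LIFETIME
    if now >= expires:
        findings.append(f"bundle expired {expires:%Y-%m-%d %H:%M}; request a new one")
    return findings


def lock_down(bundle_path):
    """Restrict the folder and the bundle to the owning account only."""
    folder = os.path.dirname(os.path.abspath(bundle_path))
    os.chmod(folder, stat.S_IRWXU)                      # 0700
    os.chmod(bundle_path, stat.S_IRUSR | stat.S_IWUSR)  # 0600


if __name__ == "__main__":
    # Constructed demo: a throwaway folder standing in for the real destination.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        bundle = os.path.join(d, "enrollmentbundle.zip")
        with open(bundle, "wb") as fh:
            fh.write(b"constructed placeholder, not a real bundle")
        os.chmod(bundle, 0o644)
        received = datetime(2019, 3, 20, 9, 0)
        print(audit_enrollment_bundle(bundle, received, now=datetime(2019, 3, 22)))
        lock_down(bundle)
        print(audit_enrollment_bundle(bundle, received, now=datetime(2019, 3, 22)))
```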

Enabling incident reconciliation


Incident reconciliation is turned off by default, but must be turned on for Symantec Cloud
Service for Email to work properly. Turning on incident reconciliation enables management of
the duplicate copies of emails that Office 365 Exchange Online or Google G Suite Gmail
generate, which prevents duplicate incidents. Duplicate copies of an email are generated when
recipients are added to the Cc or Bcc lists. For example, a user sends one email with Bcc
recipients through Office 365 Exchange Online. The email violates one policy, yet more than
one incident is created. Incident reconciliation "reconciles" these multiple incidents into one,
avoiding the unnecessary duplication of incidents.
Enable incident reconciliation on the Enforce Server computer on Windows
1 On the computer that hosts the Enforce Server, log on as Admin.
2 Change directory to C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\config.
3 Open the IncidentPersister.properties file.
4 Change persister.enable.incident.reconciliation=false to persister.enable.incident.reconciliation=true.
5 Restart the Symantec Data Loss Prevention services as appropriate for your version of
Windows services on the server computer.
See "Managing Enforce Server services and settings" in the Symantec Data Loss
Prevention Administration Guide for more details on Symantec Data Loss Prevention
services.
Enable incident reconciliation on the Enforce Server computer on Linux
1 On the computer that hosts the Enforce Server, log on as root.
2 Change directory to /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/config.
3 Open the IncidentPersister.properties file.
4 Change persister.enable.incident.reconciliation=false to persister.enable.incident.reconciliation=true.
5 Restart the Incident Persister service as appropriate for Linux services on the server
computer.
See "Managing Enforce Server services and settings" in the Symantec Data Loss
Prevention Administration Guide for more details on Symantec DLP services.

Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding mode)
You must set up outbound connectors in the Microsoft Exchange admin center to forward mail
from Exchange to Symantec Cloud Service for Email. You must also set up at least one routing
rule that controls which emails are forwarded. By default, Exchange routes the emails using
its own mail transfer agents (MTAs). To enable monitoring of emails by Symantec Data Loss
Prevention, mail flow rules must be set up to divert the emails to Symantec Cloud Service for
Email.
Symantec Cloud Service for Email supports Exchange Server versions 2010, 2013, and 2016.

Note: Microsoft Exchange Server 2010 must be configured at the Exchange server, not at the
Microsoft Exchange admin center.

To log on to your Microsoft Exchange admin center account
1 Log on to your corporate Microsoft admin center account at https://<your Exchange
server name>/ecp as administrator.
2 Expand the Exchange admin center item in the left column.

You must add the public domain as a default domain in case the internal domain for Exchange
is different from the external domain. For instructions, see
https://technet.microsoft.com/en-us/library/bb124423(v=exchg.160).aspx
Configure an email address policy with the public domain address as a default domain, instead
of using the local domain address. This step is necessary in case the internal domain is different
from the external domain. For instructions, see
https://technet.microsoft.com/en-us/library/bb232171(v=exchg.160).aspx
Then, proceed with the next steps.
To add a new send connector
1 Click mail flow from the left column.
2 Click send connectors.
3 Click + to add a new send connector.
4 Type the name of the connector in the Name field on the first new send connector page.
5 Click Internet in the Type field.
6 Click Route mail through these smart hosts.
7 Click +. Specify at least one smart host name or IP address for the outbound connector.
Use the URL that is indicated in your Symantec Data Loss Prevention Cloud Service for
Email welcome letter.
8 Select None under smart host authentication.
9 On the next new send connector page, click + to add a new address space.
10 On the Address Space -- Webpage Dialog, enter SMTP for the Type and * for the Full
Qualified Domain Name (FQDN). Keep the Cost default setting of 1 if you have only
one send connector for your organization.
11 Click Save and then click Next.
12 Click + to add the source servers for the connector. Add all servers that are responsible
for routing email out from your organization to Cloud Service for Email. Multiple servers
provide redundancy for outbound mail flow.
13 Select connector and click Edit.
14 Select scoping and scroll to the bottom.
15 Type the Exchange public FQDN in the FQDN field. It must match the CN in the public
certificate Subject.
16 Click add and then Finish.
To configure the receive connector
1 In the Exchange admin center, click mail flow then receive connectors.
2 Select a server from the Select server drop-down menu to create a new receive connector.
3 Click + to create a new receive connector.
4 Type a name for the connector in the Name field.
5 Under Role select Frontend Transport.
6 Under Type verify that Custom is selected and click Next.
7 Click -- to remove the default IP address range.
8 Click + and add at least one IP address of an application server or device that requires
external SMTP relay access.
9 Click Finish to create the new receive connector.
To apply an X-DetectorID message header to emails that will be routed to your DLP cloud
detector
1 Click rules, click +, and select Create a new rule.
2 Type a rule name in the Name field.
3 In the *Apply this rule if field, select The recipient is located .... Then select Outside
the organization and click OK.
4 Click the More Options link at the bottom of the window and add another condition.
5 Click the Sender is, then select one or multiple users or user groups.
6 In the Do the following list select Set the message header to this value.
7 At the right of this field, click Enter text to set the message header name and type
X-DetectorID. Click OK.
8 Click Enter text to set the header value to the detector ID that you can find in your
Symantec welcome email or from the Enforce Server administration console at System
> Servers and Detectors > Overview > Server / Detector Detail page, under ID.
9 Click Save.
If multiple rules exist, you can move this rule to give it adequate priority using the up and down
arrows.
To create additional settings for the receive connector


1 Highlight the connector and click the pencil icon to edit the settings.
2 Select security and click Anonymous Users.
3 Click save.
4 Select connector and click Edit.
5 Select scoping and scroll to the bottom.
6 Type the Exchange public FQDN in the FQDN field. It must match the CN in the public
certificate Subject.
7 Next, grant anonymous users (such as the unauthenticated SMTP connections coming
from applications and devices on your network) the ability to send to external recipients.
In the Exchange Management Shell, run the following command, substituting the name
of your receive connector:
Get-ReceiveConnector <receive_connector_name> | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
Because this permission lets unauthenticated senders relay to any recipient, the remote IP
addresses that you added when you created the receive connector are what limit who can
use it.

8 Increase the number of inbound connections using this command:
Get-ReceiveConnector <receive_connector_name> | Set-ReceiveConnector -MaxInboundConnectionPerSource 100


To add an SSL certificate to Exchange 2013, create a certificate request, submit the request
to a certificate authority, and import the certificate.
To create a certificate request
1 Go to Servers > Certificates. On the Certificates page, make sure your Client Access
server is selected in the Select server field, then click New+.
2 In the New Exchange certificate wizard, select Create a request for a certificate from
a certification authority and click Next.
3 Type a name for this certificate, and click Next.
4 To request a wildcard certificate, select Request a wild-card certificate, then specify
the root domain of all subdomains in the Root domain field. Leave this page blank if you
want to specify each domain that you want to add to the certificate. Click Next.
5 Click Browse, then specify the Exchange server where you want to store the certificate.
The server you select should be the internet-facing Client Access server. Click Next.
6 For each service listed, verify that the external or internal server names that are used to
connect to the Exchange server are correct. If you configured the internal and external
URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook
Web App (when accessed from the intranet) should show owa.contoso.com.
The Offline Address Book (OAB) when accessed from the Internet and OAB when
accessed from the intranet should show mail.contoso.com.
If you configured the internal URLs to internal.contoso.com, the Outlook Web App (when
accessed from the Internet) and OAB (when accessed from the Internet) should show
owa.contoso.com, and Outlook Web App (when accessed from the intranet) should show
internal.contoso.com.
These domains are used to create the SSL certificate request. When you have verified
the names, click Next.
7 Add any additional domains you want included on the SSL certificate.
8 Select the domain that you want to be the common name for the certificate. Set as common
name, for example: contoso.com. Click Next.
9 Provide information about your organization. This information is included with the SSL
certificate. Click Next.
10 Specify the network location where you want this certificate request to be saved. Click
Finish.
To submit the request to a certificate authority
■ Submit the request to your certificate authority (CA). You must use a public CA. You can
search the CA website for the specific steps to submit a request.
You must provide Symantec Support with the public certificate that you assign to your
outbound connector. Support can ensure that Symantec trusts the CA and the certificate.
To import the certificate you have received from the CA
1 Go to Server > Certificates in the Exchange Admin Center and select the certificate
request you created in the previous steps.
2 In the Certificate request details pane, click Complete under Status.
3 On the Complete pending request page, specify the path to the SSL certificate file, then
click OK.
4 Select the new certificate you added, then click Edit.
5 On the Certificate page, choose Services.
6 Select the services you want to assign to this certificate. At a minimum, select SMTP and
IIS. Click Save.
7 Click Yes if you receive the warning: Overwrite the existing default SMTP certificate?.
Gather information to pass on to Symantec Support


1 After you have imported the certificate into Exchange, obtain a copy of the public key for
the outbound MTA certificate.
2 If you use a certificate other than one issued by Symantec, Geotrust, or Thawte, gather
the intermediate certificates you use.
3 Compile a list of public IPs that your on-premises email uses to forward mail to Symantec
Data Loss Prevention Cloud Service for Email.
Contact Symantec Support
1 Contact Symantec support for Cloud Service for Email at
https://support.symantec.com/en_US/contact-support.html.
2 Open a support case and pass on the information you gathered about your certificates
and public IPs.
Symantec Support reviews the information that you have collected and verifies that it is
complete. Support passes your information on to the cloud service so that email from your
Exchange is securely forwarded to Cloud Service for Email for detection.
Symantec notifies you when the process is complete.

Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)
You must set up outbound connectors in the Microsoft Office 365 admin center to forward mail
from Office 365 to Symantec Cloud Service for Email. You must also set up a routing rule that
routes emails from O365 to DLP. By default, Office 365 routes the emails using its own mail
transfer agents (MTAs). To enable monitoring of emails by Symantec Data Loss Prevention,
mail flow rules must be set up to divert the emails to Symantec Cloud Service for Email.

Note: You should have a basic understanding of how Office 365 rules and connectors work,
and how they are used in your organization before you proceed. The following instructions
give you a general example of how to set up Office 365 to forward email to Symantec Cloud
Service for Email. The applications of rules (number of domains, migration path, exceptions,
for example) vary from one organization to the next. The following instructions reflect the
Microsoft Office 365 admin center user interface at the time this document was published.
While the Microsoft Office 365 user interface may change, the values you need to enter to
configure the connection between Office 365 and Symantec Cloud Service for Email remain
the same.

To log on to your Microsoft Office 365 admin center account


1 Log on to your corporate Office 365 account as administrator.
2 Expand the admin center item.
3 Choose Exchange, then choose mail flow from the left column.
To create a new connector in the Exchange Admin Center
1 Click connectors.
2 Click + to add a new connector.
3 Click from Office 365 and to Partner organization.
4 Then click Next.
5 Type the name of the connector in the Name field. You can optionally fill in the Description
field.
6 Select Only when I have a transport rule set up that redirects messages to this
connector. Then click Next.
7 Click Route email through these smart hosts.
8 Click + and add the Cloud Detector (SMTP Smarthost) URL that is indicated in the
Symantec Data Loss Prevention Cloud Service for Email welcome letter.
9 Configure on port 25 (TCP).
10 Select Always use Transport Layer Security (TLS) to secure the connection
(recommended) on the next New connector page, under How should Office 365
connect to your partner organization's email server?
11 Then select Issued by a trusted certificate authority (CA), under Connect only if the
recipient's email server certificate matches this criteria.
12 Then click Next.
To review the configuration and complete the connector configuration process
1 Review the configuration on the next New connector page, then click Next.
2 Enter any email for the test.
3 Click Validate on the next New connector page, under Validate this connector.
4 Click Save.
After you set up outbound connectors in Microsoft Office 365 Exchange admin center, you
must set up at least one routing rule to indicate to Office 365 Exchange which emails you want
to route through Symantec Cloud Service for Email. Each email to which the routing rule applies
has an X-Header added to it. If the routing rule doesn’t apply to an email, that email is not
routed to Symantec Cloud Service for Email, so it bypasses detection and is delivered to
recipients.
To create a rule that routes emails from Office 365 Exchange to your DLP cloud detector and
to apply an X-DetectorID message header to those emails
1 Click rules, click +, and select Create a new rule.
2 Type a rule name in the Name field.
3 In the *Apply this rule if field, select The recipient is located .... Then select Outside
the organization in the select recipient location field and click OK.
4 Click the More Options link at the bottom of the window and add another condition.
5 Click the Sender is, then select one or multiple users or user groups.
6 In the Do the following list select Set the message header to this value.
7 At the right of this field, click Enter text to set the message header name and type
X-DetectorID. Click OK.
8 Click Enter text to set the header value to the detector ID that you can find in your
Symantec welcome email or from the Enforce Server administration console at System
> Servers and Detectors > Overview > Server / Detector Detail page, under ID.
To associate the rule with a connector
1 In the Do the following field, choose Redirect this message to the following connector
and select the connector that you created in the To create a new connector in the Exchange
Admin Center section.
2 Click Save.
3 If you want to apply a rule to a subset of users, see Detecting emails from a subset of
Office 365 Exchange Online users.
4 Leave all other options set to the defaults. Optionally, you can add comments to explain
the purpose of the rule.

Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)
You must set up outbound and inbound connectors in the Microsoft Office 365 admin center
to forward mail from Office 365 to Symantec Cloud Service for Email and then forward the
processed mail to its final destination. You must also set up at least one routing rule that
controls which emails are forwarded. By default, Office 365 routes the emails using its own
mail transfer agents (MTAs). To enable monitoring of emails by Symantec Data Loss Prevention,
mail flow rules must be set up to divert the emails to Symantec Cloud Service for Email.
You should have a basic understanding of how Office 365 rules and connectors work, and
how they are used in your organization before you proceed. The following instructions give
you a general example of how to set up Office 365 to forward email to Symantec Cloud Service
for Email. The applications of rules (number of domains, migration path, exceptions, for example)
vary from one organization to the next.

Note: The following instructions reflect the Microsoft Exchange admin center user interface at
the time this document was published. While the Microsoft Exchange user interface may
change, the values you need to enter to configure the connection between Office 365 and
Symantec Cloud Service for Email remain the same.

To log on to your Microsoft Exchange admin center account


1 Log on to your corporate Office 365 account as administrator.
2 Expand the admin center item.
3 Choose Exchange, then choose mail flow from the left column.
The outbound connector sends traffic to Symantec Data Loss Prevention for scanning.
To create a new outbound connector
1 Click connectors.
2 Click + to add a new connector.
3 Click from Office 365 and to Partner organization.
4 Then click Next.
5 Type Outbound Connector in the Name field. You can optionally fill in the Description
field with Connector for sending email to DLP.
6 Click Next.
7 Select Only when I have a transport rule set up that redirects messages to this
connector. Then click Next.
8 Click Route mail through these smart hosts.
9 Click Next.
10 Click + and add the Cloud Detector (SMTP Smarthost) URL that is indicated in the
Symantec Data Loss Prevention Cloud Service for Email welcome letter.
11 Configure on port 25 (TCP).
12 Select Always use Transport Layer Security (TLS) to secure the connection
(recommended) on the next New connector page, under How should Office 365
connect to your partner organization's email server?
13 Then select Issued by a trusted certificate authority (CA), under Connect only if the
recipient's email server certificate matches this criteria.
14 Then click Next.
To review the configuration and complete the connector configuration process


1 Review the configuration on the next New connector page, then click Next.
2 Enter any email for the test.
3 Click Validate on the next New connector page.
4 Click Save to complete the setup process.
The inbound connector receives traffic from Symantec Data Loss Prevention and then forwards
it to its final destination (Reflecting mode). Set the subject name of the inbound connector to
the name Symantec provides in your welcome letter.
To create a new inbound connector
1 Click connectors.
2 Click + to add a new connector.
3 Click from Your organization's email server and to Office 365.
4 Then click Next.
5 Type the name of the connector in the Name field, for example, Inbound Connector. You
can optionally fill in the Description field, for example, Connector for receiving email from
DLP.
6 Click Next.
7 Select By verifying that the subject name on the certificate that the sending server
uses to authenticate with Office 365 matches this domain name. Then click Next.
8 Specify the subject name that is used in the public signed certificate that was generated
for your cloud detector (see your Symantec welcome email), then click Next.
To review the configuration and complete the connector configuration process
1 Review the configuration on the next New connector page, then click Next.
2 Click Save.
After you set up outbound connectors in Microsoft Office 365 Exchange admin center, you
must set up at least one routing rule to indicate to Office 365 Exchange which emails you want
to route through Symantec Cloud Service for Email. Each email to which the routing rule applies
has an X-Header added to it. If the routing rule doesn't apply to an email, that email is not
routed to Symantec Cloud Service for Email, so it bypasses detection and is delivered to
recipients.
To create a rule and add an X-Header in the Exchange admin center that routes emails from
Office 365 to DLP
1 Click rules, click +, and select Create a new rule.
2 Type a rule name in the Name field.
3 In the Apply this rule if field, select The Sender is, then select one or multiple users or
user groups.
4 In the next field, select The recipient is located. Then select Outside the organization
and click OK.
In the Do the following list select Modify the message properties, then Set the message
header to this value.
5 At the right of this field, click Enter text to set the message header name and type
X-DetectorID. Click OK.
6 Click Enter text to set the header value to the detector ID that you can find in your
Symantec welcome email or from the Enforce Server administration console at System
> Servers and Detectors > Overview > Server / Detector Detail page, under ID.
Add another rule to redirect the message to a connector
1 Click add action.
2 Select Redirect the message to.
3 Select use the following connector.
4 Select Outbound Connector.
5 Click OK.
6 Click add exception and choose IP address is in any of these ranges or exactly
matches.
7 In the specify IP address ranges dialog, enter an IPv4 address or range.
8 To avoid loops, add the outbound DLP Cloud Detector IPs and CIDR blocks from the
Symantec DLP Cloud Service for Email welcome email when prompted.
For cloud detectors in the US data center the list is:
■ 52.41.248.36
■ 52.27.180.120
■ 52.33.64.93
■ 18.237.140.176/28
■ 18.206.107.176/28
For cloud detectors in the EU data center the list is:
■ 52.30.186.166
■ 52.51.15.72
■ 52.211.17.155
■ 34.246.231.224/28
■ 18.184.203.160/28

9 Click OK.
10 Save the rule.
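
The exception in steps 6 through 8 exempts the listed addresses from the redirect, so an entry that is missing leaves a loop possible and an entry wider than the listed range exempts more senders than intended. The following Python check is an added example, not part of the Symantec guide or product: it compares the ranges you entered in the rule against the ranges printed on this page (your welcome email remains authoritative), and the function names and the sample rule entries are constructed for illustration.

```python
import ipaddress

# Ranges as printed in this guide; the welcome email for your detector is authoritative.
DETECTOR_RANGES = {
    "US": ["52.41.248.36", "52.27.180.120", "52.33.64.93",
           "18.237.140.176/28", "18.206.107.176/28"],
    "EU": ["52.30.186.166", "52.51.15.72", "52.211.17.155",
           "34.246.231.224/28", "18.184.203.160/28"],
}


def _parse(entry):
    # strict=True rejects a CIDR whose host bits are set, e.g. 18.206.107.177/28,
    # which is a common typing error when copying ranges by hand.
    return ipaddress.ip_network(entry.strip(), strict=True)


def is_detector_ip(ip, region):
    """True if ip falls inside one of the detector ranges for the region."""
    addr = ipaddress.ip_address(ip)
    return any(addr in _parse(e) for e in DETECTOR_RANGES[region])


def audit_exception_list(configured, region):
    """Compare the rule's exception entries with the expected detector ranges.

    missing   : expected ranges not covered by any configured entry (loop risk)
    too_broad : configured entries not contained in any expected range
                (more senders skip the redirect than the guide intends)
    invalid   : entries that are not a valid IPv4 address or CIDR block
    """
    expected = [_parse(e) for e in DETECTOR_RANGES[region]]
    actual, invalid = [], []
    for entry in configured:
        try:
            actual.append(_parse(entry))
        except ValueError:
            invalid.append(entry)
    missing = [str(e) for e in expected if not any(e.subnet_of(a) for a in actual)]
    too_broad = [str(a) for a in actual if not any(a.subnet_of(e) for e in expected)]
    return {"missing": missing, "too_broad": too_broad, "invalid": invalid}


if __name__ == "__main__":
    # Constructed example of a hand-typed exception list with three mistakes:
    # one address left out, one range widened to a /24, one CIDR with host bits set.
    typed = ["52.41.248.36", "52.27.180.120", "18.237.140.0/24", "18.206.107.177/28"]
    print(audit_exception_list(typed, "US"))
    print(is_detector_ip("18.184.203.170", "EU"))
```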

Detecting emails from a subset of Office 365 Exchange Online users
You may want to create a rule to divert a subset of your Office 365 Exchange Online users to
Symantec Cloud Service for Email for detection. Diverting a subset of users is helpful when
you want to test Symantec Data Loss Prevention, or when you want to specify that only certain
departments are included in detection. To divert emails from a subset of users, create a rule in
the Exchange admin center as described in To create a rule that routes emails from Office
365 Exchange to your DLP cloud detector and to apply an X-DetectorID message header to
those emails, substituting the following steps for steps 2 and 3. When you follow this procedure,
emails from other users bypass detection and are routed to the recipients by the Microsoft
mail transfer agent.
Create the rule to detect emails from a subset of Office 365 Exchange Online users in the
Exchange admin center
1 Choose The sender is this person in the Apply this rule if window.
2 Choose the users that you want to add to this group and click Add. Or, you can type a
user's email address in the Add field.

Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for Email
To enable monitoring of emails by Symantec Data Loss Prevention, you must set up Google
G Suite Gmail mail-flow rules to forward the emails to Symantec Cloud Service for Email. By
default, Google G Suite Gmail routes the emails using its own mail transfer agents (MTAs).
This is a two-step process: first, configure a host and enable TLS; then, configure the Routing
setting to deliver only the outbound emails to Symantec Cloud Service for Email.

Note: The following instructions reflect the Google Admin console user interface at the time
this document was published. The values you need to enter to configure the connection between
Google G Suite Gmail and the Symantec Cloud Service for Email remain the same, even if
the Google interface changes.

To configure a host and enable TLS


1 Sign in to the Google Admin console.
2 From the dashboard, go to Apps > G Suite > Gmail > Settings for Gmail.
3 Click the Hosts tab.
4 Click Add route.
5 Locate the Cloud Detector (SMTP Smarthost) URL that you received from Symantec in
the Symantec Cloud Service for Email welcome letter.
6 In the Add mail route dialog, add a name for the mail route.
7 Under Single host enter the Cloud Detector (SMTP Smarthost) URL from the welcome
letter and 25 for the port number.
8 Select Require secure transport (TLS) and Require CA signed certificate.
9 Click Save.
Configure the Routing setting to add an X-Header to deliver only the outbound emails to
Symantec Cloud Service for Email
1 Go to Apps > G Suite > Settings for Gmail > Advanced settings.
2 Click the General Settings tab.
3 Scroll down the page to locate the Routing section.
4 Click Add another in the Routing section.
5 Type a name for the route (for example, "Route to DLP") in the Add Setting configuration
pop-up dialog box.
6 Select Outbound in the Messages to affect section.
7 Select Only affect specific envelope senders in the Envelope filter section. Add an
email address.
8 Select Modify message > Add custom headers in the For the above type of messages
section.
9 Click add in the Custom headers section.
10 Set the header name to X-DetectorID.
11 Set the header value to the detector ID that you can find in the Symantec welcome email
or from the Enforce Server administration console at System > Servers and Detectors
> Overview > Server / Detector Detail page, under ID.
12 Click Save.
13 Click Change route.
14 Choose an email address.
15 In the Encryption (onward delivery only) section, choose Require secure transport
(TLS).
16 Click Add Setting.
17 Review your settings on the General Settings page.
If you are running tests of Symantec Data Loss Prevention, you may want finer filtering of your
messages to include only a subset of users.

Detecting emails from a subset of Google G Suite Gmail users
You may want to forward only a subset of your Google G Suite Gmail users to Symantec
Cloud Service for Email for detection. Forwarding a subset of users is helpful when
you want to test Symantec Data Loss Prevention. It's also helpful when you want to specify
that only certain departments are included in detection. When you follow this procedure, only
the emails from these specified users pass through Symantec Cloud Service for Email for
detection and then on to Symantec Email Security.cloud for delivery. Emails from other users
bypass detection and are routed to the recipients by the Gmail mail transfer agent.
Create filters for outbound messages
1 Select Execute this setting only if the envelope sender matches or select Execute
this setting only if the envelope recipient matches.
2 Type a regular expression to filter on the senders or recipients.
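
Because senders that the expression does not match bypass detection, it is worth previewing a pattern against your sender list before saving it. The following Python preview is an added example, not part of the Symantec guide or of Google's tooling: it uses Python's re module as a stand-in, makes no assumption about whether the Gmail filter anchors the expression, and instead reports the addresses whose outcome would depend on that. The addresses and the function name are constructed for illustration.

```python
import re


def preview_envelope_filter(pattern, senders):
    """Classify each sender by how the pattern treats it.

    routed           : matches as a whole string and as a substring search,
                       so it is routed to detection under either semantics
    bypass           : does not match at all, so it bypasses detection
    anchor_dependent : matches only as a substring; whether it is routed
                       depends on how the filter anchors the expression
    """
    rx = re.compile(pattern)
    result = {"routed": [], "bypass": [], "anchor_dependent": []}
    for sender in senders:
        partial = rx.search(sender) is not None
        whole = rx.fullmatch(sender) is not None
        if whole:
            result["routed"].append(sender)
        elif partial:
            result["anchor_dependent"].append(sender)
        else:
            result["bypass"].append(sender)
    return result


# Constructed sender list: the intended subset is the finance department only.
SENDERS = [
    "alice@finance.example.com",
    "bob@finance.example.com",
    "carol@hr.example.com",
    "dave@eu-finance.example.com",   # different subdomain that contains the same text
    "erin@finance-example.com",      # different domain; "-" where a "." is expected
]

# Unanchored, dots unescaped: every match depends on the filter's anchoring.
LOOSE = r"finance.example.com"
# Leading wildcard, dots unescaped: also routes the two look-alike domains.
WILDCARD = r".*finance.example.com"
# Anchored, dots escaped: same result under search or whole-string matching.
STRICT = r"^[^@\s]+@finance\.example\.com$"

if __name__ == "__main__":
    for name, pat in (("LOOSE", LOOSE), ("WILDCARD", WILDCARD), ("STRICT", STRICT)):
        print(name, preview_envelope_filter(pat, SENDERS))
```

An empty anchor_dependent list together with a routed list that equals the intended subset is the result to aim for.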

Testing Symantec Cloud Service for Email


You can test Symantec Cloud Service for Email by sending an email that violates your test
policy.
To test your system
1 Create a policy. See “Creating and publishing a policy group for Symantec Cloud Service
for Email” on page 40.
2 Access an Office 365 email account or a Gmail account that routes to Symantec Cloud
Service for Email.
3 Send an email that violates the policy that you created in step 1. After the email is sent,
it takes several minutes for the incident to appear on the Enforce Server administration
console. The incident reconciliation timer determines the delay. The delay is configured
in the IncidentPersister.properties file. The default value is 4 minutes, so, by default
the incident does not appear on the Enforce Server administration console for 4 minutes
from the time the email was sent.
4 In the Enforce Server administration console, go to Incident > Network and click
Incidents - All. Look for the resulting incident. For example, search for an incident entry
that includes the appropriate timestamp and policy name.
5 Click on the relevant incident entry to see the complete incident snapshot.

About updating email domains in the Enforce Server administration console

You can quickly update the email domains of the corporate emails that you want Cloud Service
for Email (the Cloud Service) to scan. This capability applies to emails that are sent from
Microsoft Office 365 in Reflecting mode. The new list is immediately sent to the Symantec
Cloud Service when you add or remove a domain in the Enforce Server administration console.
Cloud Service for Email verifies and updates your domains. This ability enables you to update
domains at any time.
The Cloud Service only supports domains that have been added (white listed) either through
the Enforce Server administration console or through Symantec Support. Emails of unsupported
domains are rejected (bounced) by the Cloud Service.
If you are an existing customer of Cloud Service for Email, when you upgrade to 15.1 MP1 or
15.5, your existing domains are preserved and your traffic is not disrupted. You are blocked
from making any changes to your domains in the Enforce Server administration console until
the Cloud Service verifies your existing domains.
See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting
mode” on page 38.
See “Adding the unique TXT record to your DNS settings” on page 36.

Adding the unique TXT record to your DNS settings


Each domain that you use requires verification by the Cloud Service. Each domain must contain
a predetermined DNS TXT record ID to pass verification. Symantec automatically generates
this ID when it provisions your Cloud Service for Email instance. You can find the TXT record
ID at System > Servers and Detectors > Overview > Server/Detector Detail. Work with
your DNS administrator or email administrator to add the TXT record ID to each of your domains.
When you upgrade to Symantec Data Loss Prevention 15.1 MP1 or 15.5 from an earlier version,
your Cloud Service is in reconcile mode. All domains that are configured on the Cloud Service
are available for verification. Once all domains are verified, you can manage the domains
going forward.

Note: As the domain owner, you must update your domains. Symantec cannot perform this
task for you.

See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting
mode” on page 38.
See “Updating email domains” on page 37.

Updating email domains


You can edit or remove email domains one-by-one or by importing a text file.
To add email domains one-by-one
1 Navigate to the System > Servers and Detectors > Overview screen. Click the detector
in the list.
Click Update Email Domains on the Email Domains page.
2 Click Add.
3 Enter an email domain.
To add domains in bulk by adding a list or importing a text file
1 Go to Add Email Domains.
2 Click Update Email Domains.
3 In the Enter Email Domains box, add email domains in comma- or line-separated format.
4 Alternately, indicate a file name and click Upload to upload a text file with email domains
in a comma- or line-separated format.
5 Click Save.

Note: Domain names must be specific. Wildcard DNS records such as *.example.com are
not supported. Specific subdomains (those not using wildcards) are supported.

Once you have added domains, you can configure the names after the Enforce Server syncs
with the cloud configuration. All domains are checked and updated every 15 minutes by the
Symantec Cloud Service.
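
A pre-submission check for the domain list format and the TXT requirement described above, as an added example that is not part of the Symantec guide or product. It assumes the TXT record value equals the record ID shown on the Server/Detector Detail page; `SAMPLE_ID`, the sample domains and the sample DNS data are constructed placeholders.

```python
import re
import subprocess

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def parse_domain_list(text):
    """Split comma- or line-separated input into (accepted, rejected).

    rejected holds (entry, reason) pairs. Entries are lower-cased, a trailing
    dot is dropped, and duplicates are kept only once.
    """
    accepted, rejected, seen = [], [], set()
    for raw in re.split(r"[,\r\n]+", text):
        entry = raw.strip().lower().rstrip(".")
        if not entry or entry in seen:
            continue
        seen.add(entry)
        if "*" in entry:
            rejected.append((entry, "wildcard not supported"))
        elif len(entry) > 253 or "." not in entry:
            rejected.append((entry, "not a fully qualified domain"))
        elif not all(_LABEL.fullmatch(label) for label in entry.split(".")):
            rejected.append((entry, "invalid label"))
        else:
            accepted.append(entry)
    return accepted, rejected


def dig_txt(domain):
    """Look up TXT records with `dig` (needs network access and dig installed)."""
    out = subprocess.run(["dig", "+short", "TXT", domain], capture_output=True,
                         text=True, timeout=10, check=False).stdout
    # dig prints each record as one or more quoted chunks; join the chunks.
    return ["".join(re.findall(r'"([^"]*)"', line)) for line in out.splitlines()]


def missing_txt(domains, expected_id, resolve=dig_txt):
    """Return the domains that have no TXT record equal to expected_id."""
    return [d for d in domains
            if expected_id not in (txt.strip() for txt in resolve(d))]


# Constructed sample data: placeholder ID, reserved example domains, fake DNS.
SAMPLE_ID = "EXAMPLE-TXT-RECORD-ID"
SAMPLE_INPUT = ("example.com, mail.example.com\n*.example.com\n"
                "EXAMPLE.COM.\nbad_name.example.org,-x.example.net")
SAMPLE_DNS = {
    "example.com": ["v=spf1 -all", "EXAMPLE-TXT-RECORD-ID"],
    "mail.example.com": ["unrelated-verification=abc123"],
}


def sample_resolver(domain):
    """Offline stand-in for dig_txt that reads SAMPLE_DNS."""
    return SAMPLE_DNS.get(domain, [])


if __name__ == "__main__":
    ok, bad = parse_domain_list(SAMPLE_INPUT)
    print("submit:", ok)
    for entry, reason in bad:
        print("fix before upload:", entry, "-", reason)
    print("add TXT record first:", missing_txt(ok, SAMPLE_ID, sample_resolver))
```

Domains returned by `missing_txt` are the ones that this guide says cannot be verified until the TXT record is added.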
To configure email domains at the Enforce Server administration console
1 Go to System > Servers and Detectors > Overview.
2 Select the Cloud email detector that you want to configure. The detail page for that detector
appears.
3 Click Update Email Domains.
4 Select a domain and then select Add or Delete.
The Domain status can be one of the following:
■ Added - The domain has been verified and added.
■ Reconcile - The Symantec Cloud Service has tried to verify a domain, but there is no TXT
record in your DNS setting and the domain cannot be verified. You need to add the DNS
TXT record so that the domain can be verified and added. After you update, click Resend
to send the updated domain to Symantec.
■ Removed - You have deleted a domain and Symantec removed it from the detector
properties.
■ Invalid - The domain that you tried to add in the Enforce Server administration console
failed the DNS validation.
■ Request to Remove - You have deleted a domain and Symantec has not yet removed it
from the detector properties.
If the Symantec Cloud Service finds any validation problems with the email domains that you
have submitted, notifications appear on the bottom of the Detector Details page. Only valid
domains are used; the detector ignores invalid domains. You are responsible for checking that
the domains you have submitted are accepted and are valid.
See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting
mode” on page 38.
See “Update override by the Symantec Cloud Service” on page 38.

Update override by the Symantec Cloud Service


The Symantec Cloud Service team can override the Add Domains feature when you make
a request for assistance to Symantec Support. If an override is required, a message that the
Symantec Cloud Service has overridden control is visible in the System Events panel at the
bottom right of the Detector Details page.
See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting
mode” on page 38.

Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting mode

If you use Reflecting mode, when you upgrade to Symantec Data Loss Prevention 15.1 MP1
or 15.5, your domains are all in a Reconcile state until Symantec verifies that they are valid
and contain a DNS TXT record ID. Each one of your domains must include a DNS TXT record
ID.

To add a DNS TXT record ID to each of your domains


1 Find your DNS TXT record ID on the System > Servers and Detectors > Overview >
Server/Detector Detail page.
2 Add the DNS TXT record ID to each of your domains.
3 Click Reconcile to send the corrected domain records to the Symantec Cloud Service.
When your Cloud Service is in Reconcile mode, you can only reconcile domains. You cannot
add or remove domains. During this time, the Symantec Cloud Service controls updating.
If the Symantec Cloud Service finds any validation problems with the email domains that you
have submitted, notifications appear on the bottom of the Detector Details page. Only valid
domains are used; the detector ignores invalid domains. You are responsible for checking that
the domains you have submitted are accepted and are valid. You must fix domains marked
Reconcile.
To fix domains to include the DNS TXT record code
1 Find your DNS TXT record ID on the System > Servers and Detectors > Overview >
Server/Detector Detail page.
2 Add the DNS TXT record ID to each of your domains that are marked Reconcile.
3 Go back to the Enforce Server administration console.
4 Click Resend to send the corrected domain records to the Symantec Cloud Service.
If you want to remove domains when your service is in Reconcile mode, contact Symantec
Support. The removal is synced from the Cloud Service to the Enforce Server administration
console.
Once all of your domains are verified, you can manage them all through the Enforce Server
administration console.
See “Adding the unique TXT record to your DNS settings” on page 36.
Chapter 3
Creating Policies and
Managing Incidents for the
Cloud Service for Email
This chapter includes the following topics:

■ Creating and publishing a policy group for Symantec Cloud Service for Email

■ Encrypting cloud email with Symantec Information Centric Encryption

Creating and publishing a policy group for Symantec Cloud Service for Email

You can create policies that include any of the standard response rules, for example, Add
Comment, Limit Incident Data Retention, Log to a Syslog Server, Send Email Notification, and
Set Status.
See the Symantec Data Loss Prevention Administration Guide for more details.
You can also incorporate the following rules, which are specific to the Symantec Cloud Service
for Email:
■ Network: Block SMTP Message
Blocks the email messages that contain confidential data or significant metadata (as defined
in your policies). You can configure Symantec Data Loss Prevention to bounce the message
or redirect the message to a specified address.
The redirect feature is typically used to reroute messages to the address of a mailbox or
mail list. Administrators and managers use the mailbox or list to review and release
messages. Such mailboxes are outside the Symantec Data Loss Prevention system.
■ Network: Modify SMTP Message
Modifies the email messages that contain confidential data or significant metadata (as
defined in your policies). You can use this action to modify the message subject or add
specific RFC-2822 message headers to trigger further downstream processing, for example
message encryption, message quarantine, or message archiving.
For details on setting up any response rule action, go to Manage > Policies > Response
Rules and click Add Response Rule, then open the online Help.
For details on using the Network: Modify SMTP Message action to trigger downstream
processes (such as message encryption), see the Symantec Data Loss Prevention MTA
Integration Guide for Network Prevent.
Even if you do not incorporate response rules into your policy, Symantec Cloud Service for
Email captures incidents as long as your policies contain detection rules. This feature can be
useful if you want to review the types of incidents Symantec Data Loss Prevention captures
and to then refine your policies.
To create a block test policy for Symantec Cloud Service for Email
1 In the Enforce Server administration console, create a response rule that includes one of
the actions specific to Symantec Cloud Service for Email. For example, create a response
rule that includes the Network: Block SMTP Message action.
2 Create a policy that incorporates the response rule you configured in the previous step.
For example, create a policy called Test Policy as follows:
■ Include a Content Matches Keyword detection rule that matches on the keyword
"secret".
■ Include a Network: Block SMTP Message response rule.
■ Associate it with the Default policy group.

Encrypting cloud email with Symantec Information Centric Encryption

Integrating Symantec Information Centric Encryption (ICE) with Symantec Data Loss Prevention
Cloud Service for Email enables you to encrypt sensitive emails that are sent through Microsoft
Office 365 Exchange Online or Google G Suite Gmail. ICE encryption can be applied to email
attachments or to the email body and email attachments.
You set up ICE for Email in the Symantec ICE Cloud Console and the Enforce Server
administration console. You must set up encryption response rules for the emails that pass
through detection. Incidents show up on the Incident Details page with links to the ICE Console.

Using ICE with DLP Cloud Service for Email


Typical encryption technologies may allow data loss after emails are decrypted. Once the
emails are decrypted, they can be sent to other individuals and are no longer protected.
However, ICE encryption technology encrypts and protects emails and attachments throughout
the life of an email, regardless of where the email travels. If an email or an attachment violates
one or more DLP Cloud Service for Email policies, DLP Cloud Service for Email can direct the
ICE encryption service to automatically encrypt the message. Once it is encrypted, only the
users that you authorize can read it. ICE can encrypt the email and attachments, or only the
attachments.
With ICE, you can apply granular permissions to ICE-encrypted emails and determine what a
user can do with an email after ICE decrypts it. You can restrict the user from printing the email
attachment or email and attachment, modifying them, or sharing them. When DLP Cloud
Service for Email identifies an attachment to an email, or an email and attachment that violates
a policy, it uses the ICE encryption service to automatically encrypt them. The incident appears
in the Enforce Server administration console. DLP Cloud Service for Email then registers the
action with the ICE Cloud Console. You can click a link in the incident to view more details in
the ICE Cloud Console.
Initially, DLP administrators are given read-only access to the ICE Cloud Console. You can
always give the administrator greater permissions from within that console. DLP administrators
must sign in to the ICE Cloud Console when they click the View in ICE Cloud Console link.
After signing in, they can view more information about the incident in the ICE Cloud Console.
For more information on ICE, see the ICE online Help or the ICE documentation at
http://www.symantec.com/docs/DOC9707.
See “Implementing ICE with Cloud Service for Email” on page 42.

Implementing ICE with Cloud Service for Email


Table 3-1 provides an overview of the steps you take to use ICE to encrypt emails. The steps
assume that you have already set up and deployed Cloud Service for Email. See the
cross-referenced sections for more details.

Table 3-1 Overview of implementing ICE with Cloud Service for Email

| Step | Action | More information |
|---|---|---|
| Step 1 | Set up the ICE service. | For information about how ICE works and details about decryption, see Symantec Information Centric Encryption Deployment Guide at http://www.symantec.com/docs/DOC9707.html. |
| Step 2 | Configure the Cloud Service for Email integration with the ICE service. | See “Configuring the Enforce Server to communicate with the ICE service” on page 43. |
| Step 3 | Configure response rules that use ICE encryption. | See “Creating encryption response rules for ICE encryption” on page 44. |
| Step 4 | Click an incident to go to the ICE Cloud Console for more information. | See “Viewing details about ICE incidents” on page 46. |

See “Configuring the Enforce Server to communicate with the ICE service” on page 43.

Configuring the Enforce Server to communicate with the ICE service


You need information from the ICE Cloud Console to configure the communication between
the Enforce Server and the ICE Cloud Console.
■ In the ICE Cloud Console, go to Settings > Advanced Configuration > External Services.
  Copy the following information to enter in the Enforce Server administration console to set
  up the connection between Data Loss Prevention Cloud Service for Email and the ICE
  Cloud Console:
  ■ Service URL
  ■ Customer ID
  ■ Domain ID
  ■ Service User ID
  ■ Service Password

■ In the Enforce Server administration console go to System > Settings > General > Edit
  General Settings under ICE Cloud Access Settings.
■ Enter the following information that you obtained from the ICE Cloud Console:
  ■ Service URL
  ■ Customer ID
  ■ Domain ID
  ■ Service User ID
  ■ Service Password
  ■ Re-enter your Service Password

After you save these settings, they are transmitted to the DLP Cloud Service and ICE is enabled.
See “Creating encryption response rules for ICE encryption” on page 44.

Creating encryption response rules for ICE encryption


Use the information in Table 3-2 to create rules for ICE encryption. The steps for creating the
rules are provided after the table.
You can apply either of two rules for ICE encryption in your policies. You can either encrypt
only email attachments or the email attachments and the email body. You cannot encrypt just
the body. If an email includes multiple attachments, and only one attachment violates a policy
condition, all of the attachments are encrypted.

Table 3-2 Response rules for ICE encryption

| Rule name | Header name | Value | Function |
|---|---|---|---|
| Encrypt attachments only | X-encryption-method | ICEemail attachments | Encrypts only the attachments. The recipient sees the original email message, but attachments are replaced with encrypted HTML files. The recipient is notified that the attachments are encrypted and can only be decrypted with ICE. See the ICE documentation for more details. |
| Encrypt attachments and body | X-encryption-method | ICEemail all | Encrypts the attachments and email body. The recipient is notified that the email and attachments are encrypted and can only be decrypted with ICE. The attachments are replaced with encrypted HTML files. See the ICE documentation for more details. |

Creating a response rule


1 Go to Manage > Policies > Response Rules.
2 Click Add Response Rule.
3 Click Automated Response (Smart Response rules are also possible).
4 Enter a response Rule Name and Description.
5 Optionally, define one or more Conditions to determine when the response rule executes.
6 In the Actions drop-down menu, from the Network Prevent category, select Modify
SMTP Message.
7 Click Add Action.
8 In the Network Prevent dialog box, in the Header 1 Name field, type
"X-encryption-method".
9 In the Header 1 Value field, type "ICEemail attachments" or "ICEemail all", depending on
your data protection policies.
10 Click Save.
11 Configure a policy with the response rule that you created.

Note: If the attachment or the attachment and the email body cannot be encrypted for some
reason (such as invalid server information), Cloud Service for Email inserts a separate header
so that the email can be handled downstream.

The Encrypt response rule takes precedence over a Modify or Prepend Header response rule.
If there is a Modify Header response rule in addition to Encryption, only Encryption is executed.
However, a Block response rule takes precedence over an Encrypt response rule.
See "About response rules" in the Symantec Data Loss Prevention online Help.
See “About decrypting ICE encrypted email” on page 46.
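
A configuration lint for the header values in Table 3-2 and the precedence rules stated above, as an added example that is not Symantec code. The rule dictionaries, the `X-Example-DLP` header name and the strict exact-match comparison are assumptions made for the illustration, and the rules in one list are assumed to fire for the same message.

```python
ICE_HEADER = "X-encryption-method"                     # Table 3-2
ICE_VALUES = ("ICEemail attachments", "ICEemail all")  # Table 3-2

# Precedence pairs stated on the page: (winner, loser).
PRECEDENCE = (("block", "encrypt"), ("encrypt", "modify"))


def _loose(text):
    """Normalise text for 'did the author mean this?' comparisons."""
    return " ".join(text.split()).strip(" .,\"'").lower()


def classify(rule):
    """Return (kind, problems) for one response rule.

    kind is 'block', 'encrypt' or 'modify'. A Modify SMTP Message rule counts
    as 'encrypt' only when header name and value match Table 3-2 exactly
    (assumption: the lint is strict because the page states no tolerance).
    """
    if rule["action"] == "block":
        return "block", []
    kind, problems = "modify", []
    for name, value in rule.get("headers", {}).items():
        if _loose(name) != ICE_HEADER.lower():
            continue                      # unrelated header, nothing to check
        if name == ICE_HEADER and value in ICE_VALUES:
            kind = "encrypt"
            continue
        if name != ICE_HEADER:
            problems.append("%s: header name %r differs from %r"
                            % (rule["name"], name, ICE_HEADER))
        if value not in ICE_VALUES:
            hint = [v for v in ICE_VALUES if _loose(v) == _loose(value)]
            problems.append("%s: value %r is not in Table 3-2%s"
                            % (rule["name"], value,
                               " (did you mean %r?)" % hint[0] if hint else ""))
    return kind, problems


def lint_policy(rules):
    """Return {'kinds': {...}, 'shadowed': [...], 'problems': [...]}.

    'shadowed' lists rules that the page says lose to another rule that fires
    for the same message, so their action should not be relied on.
    """
    kinds, problems = {}, []
    for rule in rules:
        kinds[rule["name"]], found = classify(rule)
        problems.extend(found)
    present = set(kinds.values())
    shadowed = [(name, "superseded by the %s rule" % winner)
                for name, kind in kinds.items()
                for winner, loser in PRECEDENCE
                if kind == loser and winner in present]
    return {"kinds": kinds, "shadowed": shadowed, "problems": problems}


# Constructed sample rules. "X-Example-DLP" is a made-up header name.
SAMPLE_RULES = [
    {"name": "Encrypt all", "action": "modify",
     "headers": {"X-encryption-method": "ICEemail all"}},
    {"name": "Tag for downstream block", "action": "modify",
     "headers": {"X-Example-DLP": "downstream_block"}},
    {"name": "Encrypt attachments", "action": "modify",
     "headers": {"X-encryption-method.": "ICEemail  Attachments"}},
]

if __name__ == "__main__":
    report = lint_policy(SAMPLE_RULES)
    for name, why in report["shadowed"]:
        print("not executed:", name, "-", why)
    for problem in report["problems"]:
        print("check:", problem)
```

In the sample, the header that tags a message for a downstream block is reported as superseded because an Encrypt rule fires for the same message, which is the case the precedence paragraph warns about.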

About decrypting ICE encrypted email


You can find details about ICE mail decryption in the topic "About the Symantec ICE Utility"
in the ICE Cloud Console online Help.
See “Viewing details about ICE incidents” on page 46.

Viewing details about ICE incidents


Go to Incidents > Network > Incidents - New to view details about incidents. Click the History
tab to view the chronological details. See Figure 3-1 on page 47.

Figure 3-1 History details for ICE incidents in Enforce

Click the Key Info tab to view further details. See Figure 3-2 on page 48.

Figure 3-2 Key Info detail for ICE incidents in Enforce

Click Open in Symantec ICE to get more information about each incident at the ICE Cloud
Console. You must sign in to the ICE Cloud Console to see all of the documents that were
encrypted as part of the message. See Figure 3-3 on page 49.

Figure 3-3 File Details in the ICE Cloud Console

When you click a file, you see additional details. You can click Message ID to navigate to a
page for that message where you can view message components. See Figure 3-4 on page 49.

Figure 3-4 Email Message Components in the ICE Cloud Console


Chapter 4
Best Practices for Cloud
Service for Email
This chapter includes the following topics:

■ Modify SPF records in Email Security.cloud to ensure email delivery

■ Delete the Cloud Detector to reset Symantec Cloud Service for Email

■ Requesting or renewing a new Cloud certificate

■ Understand size limits for profiles

■ Review known issues for Symantec Cloud Service for Email

Modify SPF records in Email Security.cloud to ensure email delivery

When you use Symantec Cloud Service for Email, your outbound mail may be rejected and
not sent from Symantec Email Security.cloud because IP addresses are not registered in the
sending domain's Sender Policy Framework (SPF) record. The email is rejected when the
recipient domain is also a client who has enabled inbound SPF validation on their portal. Emails
from domains that publish a hard-fail SPF policy are blocked and deleted if the sending IP
address is not registered in the sending domain's SPF record.
To solve this problem, register the sending IP address in the SPF record to authorize both
Symantec Email Security.cloud and Microsoft Office 365 servers to send mail on behalf of a
domain. The sending administrator must modify the SPF TXT record in DNS to include the
Symantec Email Security.cloud SPF string, as in the following example:
v=spf1 include:spf.messagelabs.com include:spf.protection.outlook.com -all

For more information on SPF records and their use in Symantec Email Security.cloud, see the
following article in the Symantec Support Center: http://www.symantec.com/docs/TECH226211.
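
A check of a domain's TXT records against the SPF requirement above, as an added example that is not Symantec tooling. The required include hosts are passed in as a parameter, the sample records are constructed, and the lookup count covers only the top-level record, so it is a lower bound on the RFC 7208 limit of 10 DNS lookups.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (includes, all_qualifier, lookup_count) for one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    includes, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"                       # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        match = re.match(r"([A-Za-z0-9]+)(?:[:=]([^/\s]*))?", term)
        if not match:
            continue
        name, arg = match.group(1).lower(), match.group(2) or ""
        if name == "include":
            includes.append(arg.lower().rstrip("."))
        elif name == "all":
            all_qualifier = qualifier
        if name in LOOKUP_TERMS:
            lookups += 1
    return includes, all_qualifier, lookups


def audit_spf(txt_records, required_includes):
    """Return findings; an empty list means every required sender is included."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one record is a permanent error.
        return ["%d SPF records published; receivers report permerror" % len(spf)]
    includes, all_qualifier, lookups = parse_spf(spf[0])
    missing = [h for h in required_includes if h.lower() not in includes]
    findings = ["missing include:%s" % host for host in missing]
    if missing and all_qualifier == "-":
        findings.append("hard-fail (-all) is published, so mail relayed through "
                        "the missing senders fails SPF at validating recipients")
    if lookups > 10:
        findings.append("%d lookup terms at top level exceed the limit of 10" % lookups)
    return findings


# Include hosts for Email Security.cloud and Microsoft Office 365.
REQUIRED = ("spf.messagelabs.com", "spf.protection.outlook.com")

# Constructed TXT record sets for three hypothetical sending domains.
GOOD_TXT = ["EXAMPLE-TXT-RECORD-ID",
            "v=spf1 include:spf.messagelabs.com include:spf.protection.outlook.com -all"]
BAD_TXT = ["v=spf1 include:spf.protection.outlook.com -all"]
DUPLICATE_TXT = ["v=spf1 include:spf.messagelabs.com -all",
                 "v=spf1 include:spf.protection.outlook.com -all"]

if __name__ == "__main__":
    for label, records in (("good", GOOD_TXT), ("bad", BAD_TXT),
                           ("duplicate", DUPLICATE_TXT)):
        print(label, audit_spf(records, REQUIRED) or "ok")
```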

Delete the Cloud Detector to reset Symantec Cloud Service for Email

You may need to delete an existing cloud detector if a detector was installed incorrectly, or if
you transition from a trial setup to a production setup.
To delete the Cloud Detector
1 Go to System > Overview.
2 In the Servers and Detectors section of the screen, click the red X on the Cloud Detector's
status line to remove it from the Enforce Server administration console.
3 Click OK to confirm deletion. The Cloud Detector's status line is removed from the System
Overview list.
4 Request a new enrollment bundle and save it to the Enforce Server. See “Implementation
overview” on page 15.

Requesting or renewing a new Cloud certificate


The certificate that you receive in your enrollment bundle has an expiration date. You can see
the expiration date on the System > Settings > General page, under Cloud Certificate. When
the certificate is about to expire, you receive an email from Symantec, with a new certificate
and instructions to install the certificate.
If you do not receive an email, you can request a new certificate bundle or a renewal bundle
from Symantec Support. You upload either bundle to the Enforce Server and install a new
certificate or renew an existing certificate on the System > Settings > General > Install a
Cloud Certificate page. See “Saving the enrollment bundle” on page 18.

Understand size limits for profiles


The combined maximum memory usage in a cloud detector for deployed policies and profile
indexes is 20 GB. If you want to deploy policies and profile indexes that exceed 20 GB, contact
Symantec Support.

Review known issues for Symantec Cloud Service for Email

The following table lists known issues in this release of Symantec Data Loss Prevention Cloud
Service for Email. The issue ID is an internal number for reference purposes only.

Table 4-1 Symantec Cloud Service for Email known issues

| Issue ID | Description | Workaround |
|---|---|---|
| 3644338 | Incident reconciliation fails when IncidentWriter.ShouldEncryptContent is set to false. | Do not set Incident.Writer.ShouldEncryptContent to false. |
| 3769753 | A severe error that is related to subject name mismatch on the self-signed certificate is logged on the Tomcat localhost log during cloud enrollment. | Ignore this message. It is not a security error, but the result of an RFC compliance issue. |
| 3954853 | Users get an error message when they try to use form recognition with Cloud Service for Email. | Cloud Service for Email does not support form recognition. |
Chapter 5
Using additional Symantec
Email Security.cloud
features
This chapter includes the following topics:

■ Using Symantec Email Security.cloud Data Protection

Using Symantec Email Security.cloud Data Protection


Email Security.cloud's Data Protection features complement the detection features of the
Symantec DLP Cloud Detector. Based on directives in the form of X-Headers that are added
to an email by the DLP Cloud Detector, Data Protection policies within Symantec Email
Security.cloud are configured to take appropriate action such as redirecting, blocking,
quarantining or encrypting an email. For detailed instructions on setting up Data Protection
policies within Email Security.cloud, see
https://support.symantec.com/en_US/email-security-cloud.html.
The following sections give more information on three examples of Data Protection policies
that can be implemented within Email Security.cloud: Using Policy Based Encryption, Using
Silent blocking, and Using Quarantine.

Using Symantec Email Security.cloud Policy Based Encryption


With Policy Based Encryption, you can enforce email encryption based on predefined policies
while ensuring that emails can be read on all devices, including mobile. Policy Based Encryption
Essentials is provided with Symantec Cloud Service for Email and Policy Based Encryption
Advanced is available as an add-on to Email Security.cloud. It enforces email encryption based
on predefined policies. Encryption of messages can be initiated manually by the user or
automatically by policies that are set in Data Protection.

Defining PBE policies using Data Protection


You must define a Data Protection policy to trigger email encryption. The policy specifies an
action to redirect the email to a specific email address. The email address depends on the
Policy Based Encryption service you use. When you create the policy, you define the rules
that you want to cause the email to be encrypted. For example, you can specify a word or
phrase that must be contained in the header or body of the email to trigger encryption. Then
you inform your users of the word or phrase that must be present to encrypt the email.
Data Protection scans email against the policies in the order they are listed in the portal. If an
email triggers a policy with an exit action, it is subject to that action and does not pass on to
be scanned for further policies. The redirection action for special Policy Based Encryption
policies is an exit action. Put encryption policies towards the bottom of the policy list, so that
other policies defined to comply with the organization's acceptable usage policy are acted on
first. If an email triggers a policy with an exit action such as a block action, and that rule is
higher in the policy list, the email is not encrypted. The first policy that is encountered blocks
the email.
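
A small model of the ordered, exit-on-match scanning described above, added here as an illustration and not taken from Email Security.cloud. The policy names, keyword matchers, sample messages and the non-exit `Log only` action are constructed for the example; `Block And Delete` and `Redirect to Administrator` are the actions named on this page.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Policy:
    name: str
    matches: Callable[[str], bool]   # predicate over the message text
    action: str
    exit_action: bool                # True: stop scanning after this policy


def evaluate(policies, message):
    """Apply policies in list order; stop at the first matching exit action."""
    applied = []
    for policy in policies:
        if policy.matches(message):
            applied.append((policy.name, policy.action))
            if policy.exit_action:
                break
    return applied


def never_reached(policies, message):
    """Policies that match the message but sit below the exit that stopped it."""
    reached = {name for name, _ in evaluate(policies, message)}
    return [p.name for p in policies
            if p.matches(message) and p.name not in reached]


def audit_order(policies, samples, must_run):
    """Return (sample label, policy name) pairs where a must_run policy is skipped."""
    return [(label, name)
            for label, message in samples.items()
            for name in never_reached(policies, message)
            if name in must_run]


def keyword(*words):
    """Build a case-insensitive 'any keyword present' matcher."""
    return lambda text: any(w in text.lower() for w in words)


# Constructed policies and messages.
LOG = Policy("Log finance terms", keyword("invoice"), "Log only", False)
BLOCK = Policy("Silent block", keyword("downstream_block"), "Block And Delete", True)
PBE = Policy("PBE trigger", keyword("confidential", "encrypt"),
             "Redirect to Administrator", True)

SAMPLES = {
    "plain": "Lunch on Friday?",
    "encrypt-only": "Subject: confidential invoice attached",
    "block-and-encrypt": "X-Example-DLP: downstream_block\nSubject: Confidential",
}

RECOMMENDED = [LOG, BLOCK, PBE]   # encryption policy at the bottom
MISORDERED = [PBE, LOG, BLOCK]    # encryption policy at the top

if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(label, audit_order(order, SAMPLES, {"Silent block", "Log finance terms"}))
```

With the encryption policy at the top, the sample that should be blocked is redirected for encryption instead and the block policy is never evaluated; with the recommended order the audit returns no findings.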
To define an encryption policy
1 Select Services > Email Services > Data Protection at the ESS portal.
2 Click New Policy from Template.
3 Select the PBE Essential Trigger Template (US) and click Create. A new Policy Based
Encryption policy is created from the template at the bottom of your policy list.
4 Click the policy name to open the policy. You can adjust the name of the policy at this
time. The policy is applied by default to Outbound mail only and the Action is preconfigured
to Redirect to Administrator.
5 Use the default rule. As long as "example@domain.com" is not a recipient of the message,
the rule always works. The first rule in the template policy is a Recipient Group rule. All
Policy Based Encryption policies require a recipient group rule. By default, the rule in the
template works if the message recipient does not match an address in the Default PBE
Recipient Group that by default contains "example@domain.com".
6 Use the default rules. The Policy Based Encryption templates contain two more default
rules that customers can use to help identify messages containing sensitive data. The
first rule looks for common keywords that might be found in messages customers may
want to be encrypted. Examples of these keywords are "confidential," "sensitive," and
"encrypt." The second rule looks for headers that are found in the message if the sender
has flagged the message for encryption using one of the Outlook plug-ins. Customers
can leave these rules in place or may choose to remove them and create new rules to
help identify messages with sensitive data. When sensitive information is identified in a
DLP policy, Symantec Cloud Service for Email can add a header to the message. Data
Protection uses this header to determine if the message should be encrypted.
7 Click Save in the bottom right-hand corner of the page. Once a policy is saved, you can
move the policy to where you want it positioned in your policy list. The policy can be
activated by clicking Activate in the far right-hand column of the policy. Once a policy is
activated, it can take about 20 minutes for it to take effect.
If an email is encrypted, the recipient receives an email with an encrypted PDF. The first time
that the recipient receives an encrypted PDF, he also receives an email with a link to a portal
where he can set the password that can be used to open the encrypted PDFs. The recipient
uses this password to view the message body of the email and any attachments.

Using Data Protection to silently block email messages


You can use Symantec Email Security.cloud to block emails. Unlike Symantec Data Loss
Prevention, where the sender of the email gets a "Blocked Message" notification, when email
messages are silently blocked using Data Protection, neither the sender nor the receiver gets
a notification. You can, however, pair the silent block rule with another response rule that
notifies the sender.
Here are the steps that you need to take to create a silent blocking policy with a keyword list.
To create a silent blocking policy
1 Select Services > Email Services > Data Protection at the ESS portal. A list of all email
policies appears.
2 Click Create a New Policy. Then, add a name and description.
3 In Apply to: click Outbound email only (the default).
4 In Execute if: choose ANY rules are met.
5 In Action: choose Block And Delete.
6 In Administrator email: add the email address of your DLP administrator.
7 Click Add rule.
8 Click Add a condition.
In Content Keyword List, click Create a new Keyword List.
9 Add a Name and a Description.
10 Add keywords. The ESS keywords (for example, downstream_block) must match the
keyword that is specified in the DLP "Modify SMTP Message" response rule.
11 Click Add.
12 Click Save.
13 After you save a policy, you must return to the Email Policies page and click the red
Activate option to activate the policy.

Note: If you want to test the policy, do not send the email from the email address that is defined
as the administrator email address. If you send a test message from the administrator email
address, the policy won't be applied.

You can find more information about setting up silent blocking and other Email Security.cloud
features, including configuring Data Protection to silently block messages from the Email
Security.cloud console at:
https://support.symantec.com/en_US/email-security-cloud.html