Harmony Email & Office 2.0: Microsoft 365 Threat Prevention Manual Configuration
Solution
This article explains the manual on-boarding and configuration process for Harmony Email & Office 2.0. During this process, you bind your Office 365 and Exchange Online environment to Check Point by configuring connectors, the connection filter and transport rules in the Office 365 Exchange Admin Center.

You may prefer the manual configuration over the automatic configuration for any of these reasons:
  • You want to select the automatic mode but first want to learn the configuration changes that are automatically applied to Office 365.
  • You want to select the manual mode and need to know the initial configuration.
  • Your email environment is hybrid, with on-premises Exchange and Exchange Online.
  • You want to verify that there is no possible conflict of the mail flow rules in Exchange Online.

Step 1: On-boarding

To integrate Harmony Email & Office with Office 365:
  1. In the Harmony Email & Office portal, go to Settings > Applications.
  2. Click Connect Office 365.
  3. Select Manual Mode.
  4. Authorize the Harmony Email & Office app: enter the Office 365 admin credential in the new tab and then click Accept.

Step 2: Connectors

In this step, you define two connectors: an inbound connector and an outbound connector.

These connectors allow you to send and receive traffic between Exchange Online and Check Point Harmony Email & Office.

To create a new connector:
  1. In the Exchange admin center (classic portal), go to Mail flow > connectors.
  2. Click the + button to create a new connector.
 
To configure the Check Point inbound connector:
  1. For From - select Partner organization.
  2. For To -  select Office 365.
  3. Click Next.
  4. For Name - enter Check-Point Inbound.
  5. For Description - enter Check-Point Inbound.
  6. For What do you want to do after the connector is saved? - select Turn it on.
  7. Click Next.
  8. For How do you want to identify the partner organization? - select Use the sender's IP address.
  9. Under Specify the sender IP address range - click the + icon.
  10. Enter the IP addresses: 54.78.128.204, 54.195.213.115
  11. Click OK and then click Next.
  12. Under What security restrictions do you want to apply? - select Reject email messages if they are not sent over TLS.
  13. Click Next.
  14. Click Save.

To configure the Check Point outbound connector:
  1. For From - select Office 365.
  2. For To - select Partner organization.
  3. Click Next.
  4. For Name - enter Check-Point Outbound.
  5. For Description - enter Check-Point Outbound.
  6. For What do you want to do after the connector is saved? - select Turn it on.
  7. Click Next.
  8. For When do you want to use this connector? - select Only when I have a transport rule set up that redirects messages to this connector.
  9. Click OK and then click Next.
  10. Under How do you want to route email messages? - select Route email through these smart hosts.
  11. Click the + icon to add a smart host, and enter the host domain name: mta.iaas.checkpoint.com
  12. Click Save and then click Next.
  13. Under How should Office 365 connect to your partner organization's email server? - select Always use Transport Layer Security (TLS) to secure the connection.
  14. For Connect only if the recipient's email server certificate matches this criteria - select Any digital certificate, including self-signed certificates.
  15. Click Next. Then click Next again.
  16. Click the + icon and enter this email address: connectivity@mta.iaas.checkpoint.com
  17. Click Validate.
  18. Notice that 'Check connectivity' succeeded and 'Send test email' failed. Click Save.
  19. Click Yes on the warning message.
  20. Make sure that both connectors were created.

Step 3: Connection Filter

In this step, you update the Connection Filter so that emails arriving from the Check Point IP addresses are allowed.

To configure the connection filter:
  1. In the Exchange admin center, go to Protection > Connection filter.
  2. Click the icon to edit the default rule.
  3. Under Connection filtering > IP Allow list, click the + icon.
  4. Under Add allowed IP address, enter these IP addresses: 54.78.128.204, 54.195.213.115

Step 4: Transport Rules

The purpose of the transport rules is to take action while the messages are still in transit, before they are delivered to the mailbox.

Note: If any mail flow rules already exist, the Harmony Email & Office rules must be prioritized at the top of the list.

Create the Check Point Inspection rule:
  1. In the Exchange admin center, go to Mail flow > Rules.
  2. Click the + icon to add a rule.
  3. For Name, enter Check-Point Inspection.
  4. For Apply this rule if…, add two conditions:
    • First condition - The sender is located outside the organization.
    • Second condition - The recipient is located inside the organization.
    • Optionally, add a third condition that specifies the groups to protect. In normal scenarios, this is all users.
  5. For Do the following…, add two actions:
    • First action: Modify the message properties > Set a message header. Header name: 'X-CMTA-ACCOUNT-ID'. Header value: the Client ID, copied from the Harmony Email & Office portal > Settings > Deployment. Under Inbound emails, click Learn more to find the value.
    • Second action: Select Use the following connector, then select Check-Point Outbound.
  6. For Except if…, add: The sender's IP address is in the range 54.78.128.204, 54.195.213.115

Note: If you have other inbound connectors that are identified by IP address, add their IP addresses to this exception list as well.

  7. Make sure the priority is set to 0.
  8. Select the checkbox for Stop processing more rules.
  9. Click Save.

Create the Check Point SCL bypass rule:
  1. In the Exchange admin center, go to Mail flow > Rules.
  2. Click the + icon to add a rule.
  3. For Name, enter Check-Point SCL Bypass.
  4. For Apply this rule if…, add this condition:
  5. The sender's IP address is one of the following IPs: '54.78.128.204' or '54.195.213.115'.
  6. For Do the following…, select Set the spam confidence level (SCL) to… > Bypass spam filtering. This sets the SCL to -1.
  7. For Except if…, select A message header matches these text patterns. Header name: 'X-CMTA-SEC-SCL'. Pattern: 'true'.
  8. Make sure the priority is set to 1.
  9. Click Save.
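The same Steps 2 to 4 can be applied from Exchange Online PowerShell instead of the admin center. The script below is an added example, not a Check Point or Microsoft script; the mapping of each wizard setting to a cmdlet parameter is the editor's reading of the steps above, and the Client ID is a placeholder you must replace with the value from the Harmony Email & Office portal.

```powershell
# Exchange Online PowerShell equivalent of Steps 2-4 (added example, not from the article).
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account has Exchange admin rights.
Connect-ExchangeOnline

$CheckPointIPs = @('54.78.128.204', '54.195.213.115')   # IP addresses given in the article
$ClientId      = '<CLIENT-ID-FROM-HARMONY-PORTAL>'       # placeholder: Settings > Deployment > Inbound emails > Learn more

# Step 2: inbound connector - identify Check Point by source IP and reject mail not sent over TLS
New-InboundConnector -Name 'Check-Point Inbound' -ConnectorType Partner `
    -SenderDomains '*' -SenderIPAddresses $CheckPointIPs `
    -RestrictDomainsToIPAddresses $true -RequireTls $true -Enabled $true

# Step 2: outbound connector - used only by a transport rule, routes via the smart host,
# always TLS but accepts any certificate (EncryptionOnly = no certificate validation)
New-OutboundConnector -Name 'Check-Point Outbound' -ConnectorType Partner `
    -RecipientDomains '*' -UseMXRecord $false -SmartHosts 'mta.iaas.checkpoint.com' `
    -TlsSettings EncryptionOnly -IsTransportRuleScoped $true -Enabled $true

# Step 3: add the Check Point IPs to the default connection filter IP Allow list
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $CheckPointIPs}

# Step 4: inspection rule - external-to-internal mail gets the account header and is routed to
# Check Point; mail already coming back from the Check Point IPs is excepted so it is not sent out again
New-TransportRule -Name 'Check-Point Inspection' -Priority 0 `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -SetHeaderName 'X-CMTA-ACCOUNT-ID' -SetHeaderValue $ClientId `
    -RouteMessageOutboundConnector 'Check-Point Outbound' `
    -ExceptIfSenderIpRanges $CheckPointIPs -StopRuleProcessing $true

# Step 4: SCL bypass rule - mail returning from the Check Point IPs skips EOP spam filtering (SCL -1)
# unless the message carries the header X-CMTA-SEC-SCL with the value 'true'
New-TransportRule -Name 'Check-Point SCL Bypass' -Priority 1 `
    -SenderIpRanges $CheckPointIPs -SetSCL -1 `
    -ExceptIfHeaderMatchesMessageHeader 'X-CMTA-SEC-SCL' -ExceptIfHeaderMatchesPatterns 'true'

# Check: the two Check Point rules must be at the top of the list and both connectors must be enabled
Get-TransportRule | Sort-Object Priority | Select-Object Priority, Name, State | Format-Table
Get-InboundConnector -Identity 'Check-Point Inbound' | Select-Object Name, Enabled, RequireTls, SenderIPAddresses
Get-OutboundConnector -Identity 'Check-Point Outbound' | Select-Object Name, Enabled, TlsSettings, SmartHosts
```

If other mail flow rules already exist, confirm in the final listing that their priorities are higher than 1, as the Note in Step 4 requires.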

Finally, if you have any questions about how to apply these changes to the configuration, contact Check Point Support.
