Harmony Email & Office: Microsoft 365 DLP Manual Configuration
Solution

This article explains how to do a manual on-boarding and configuration for Microsoft 365 and Harmony Email & Office to enforce DLP for emails.

Before you choose the manual configuration over the automatic configuration, consider these points:

  • You have reviewed the Harmony Email & Office - Microsoft 365 Threat Prevention for emails knowledgebase article.
  • You prefer to use automatic mode but first want to learn which configuration changes are applied automatically to Office 365.
  • You would like to know which configuration manual mode requires.
  • Your email environment is hybrid, with on-premises and Exchange Online mailboxes.
  • You want to make sure that there are no mail flow rules in Exchange Online that could conflict with the new rule.

Step 1: Connectors

To integrate Harmony Email & Office with Microsoft 365:
  1. In Office 365 Exchange Admin Center (classic portal), go to Mail flow > connectors.
  2. Click the + button to create a new connector.

To configure the Check Point DLP inbound connector:
  1. From - select Your organization's email server.
  2. To - select Office 365.
  3. Click Next.
  4. Name - enter Check-Point DLP Inbound.
  5. Description - enter Check-Point DLP Inbound.
  6. What do you want to do after the connector is saved? - select Turn it on.
  7. Click Next.
  8. How do you want to identify the partner organization? - select By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization.
  9. Click the + icon.
  10. Enter the IP addresses: 34.241.84.80, 54.155.100.84
  11. Click OK and then click Next.
  12. Click Save.

To configure the Check Point DLP outbound connector:
  1. From - select Office 365.
  2. To - select Partner organization.
  3. Click Next.
  4. Name - enter Check-Point DLP Outbound.
  5. Description - enter Check-Point DLP Outbound.
  6. What do you want to do after the connector is saved? - select Turn it on.
  7. Click Next.
  8. When do you want to use this connector? - select Only when I have a transport rule set up that redirects messages to this connector.
  9. Click OK and then click Next.
  10. Under How do you want to route email messages? - select Route email through these smart hosts.
  11. Click the + icon to add a smart host, and enter the host domain name: mta-outgoing.iaas.checkpoint.com.
  12. Click Save and then click Next.
  13. Under How should Office 365 connect to your partner organization's email server? - select Always use Transport Layer Security (TLS) to secure the connection.
  14. Connect only if the recipient's email server certificate matches this criteria - select Any digital certificate, including self-signed certificates.
  15. Click Next. Then click Next again.
  16. Click the + icon and enter this email address: connectivity@mta.iaas.checkpoint.com
  17. Click Validate.
  18. Notice that 'Check connectivity' succeeded and 'Send test email' failed. Click Save.
  19. Click Yes on the warning message.
  20. Make sure that the two connectors, Check-Point DLP Inbound and Check-Point DLP Outbound, are now listed under Mail flow > connectors.

Step 2: Connection Filter

In this step, you update the connection filter so that email from Check Point's IP addresses is allowed.
  1. In the Exchange admin center (classic portal), go to Protection > Connection filter.
  2. Click the icon to edit the default rule.
  3. Under Connection filtering > IP Allow list, click the + icon.
  4. Under Add allowed IP address, enter these IP addresses: 34.241.84.80, 54.155.100.84.

Note: Wait around 30 minutes between Step 2 and Step 3 to allow Microsoft to propagate the changed configuration.

Step 3: Transport Rule

In this step, you create a transport rule that routes outbound email through Check Point.

Create the Check Point DLP Inspection rule:

  1. In the Exchange admin center, go to Mail flow > Rules.
  2. Click the + icon to add a rule.
  3. Name - enter Check-Point DLP Inspection.
  4. Apply this rule if… - add these conditions:
    • The first condition - The sender is located Inside the organization.
    • The second condition - The recipient is located Outside the organization.
    • Optionally, add one more condition that specifies the groups that must be protected. In normal scenarios, this would be all users.
  5. Do the following… - add two actions:
    • First action: Modify the message properties -> Set a message header. Header name: X-CMTA-ACCOUNT-ID. Header value: the Client ID value from the Harmony Email & Office portal (Settings -> Deployment, under Outbound email, click Learn more).
    • Second action: Use the following connector - select Check-Point DLP Outbound.
  6. Except if… - add The sender's IP address is in the range: 54.155.100.84, 34.241.84.80.
  7. Note: If you have other inbound connectors with IP addresses, add their IP addresses to this list as well.
  8. Set the priority to 0.
  9. Select the checkbox for Stop processing more rules.
  10. Click Save.
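The same three steps can be applied from Exchange Online PowerShell instead of the portal wizard. The script below is an added example, not a Check Point script; it assumes the ExchangeOnlineManagement module is installed, that the SenderDomains value '*' (which the portal wizard does not expose) is acceptable for the inbound connector, and that you replace the placeholder Client ID with the value from the Harmony Email & Office portal.

```powershell
# Added example (not Check Point's own script): Steps 1-3 of this article via
# Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module and an
# account holding the Exchange admin role. Replace the placeholder Client ID.
Connect-ExchangeOnline

$cpIps     = @('34.241.84.80', '54.155.100.84')      # Check Point MTA addresses from the article
$smartHost = 'mta-outgoing.iaas.checkpoint.com'
$clientId  = '<CLIENT-ID-FROM-HARMONY-PORTAL>'        # Settings > Deployment > Outbound email > Learn more

# Step 1a: inbound connector (From: your organization's email server, To: Office 365),
# identified by sender IP. SenderDomains '*' is an assumption; the wizard hides this field.
New-InboundConnector -Name 'Check-Point DLP Inbound' -ConnectorType OnPremises `
    -SenderDomains '*' -SenderIPAddresses $cpIps -Enabled $true

# Step 1b: outbound connector, used only when a transport rule routes mail to it,
# TLS required but any certificate accepted (EncryptionOnly = "any digital certificate").
New-OutboundConnector -Name 'Check-Point DLP Outbound' -ConnectorType Partner `
    -UseMXRecord $false -SmartHosts $smartHost -TlsSettings EncryptionOnly `
    -IsTransportRuleScoped $true -Enabled $true

# Step 2: add the same addresses to the default connection filter's IP Allow list.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $cpIps}

# The article asks for about 30 minutes of propagation time before creating the rule.
Start-Sleep -Seconds 1800

# Pre-check from the "consider these points" list: list any existing rule that already
# routes mail through a connector, since it could conflict with the new rule.
Get-TransportRule | Where-Object { $_.RouteMessageOutboundConnector } |
    Format-Table Name, Priority, RouteMessageOutboundConnector

# Step 3: sender inside, recipient outside, stamp the account header, hand the message
# to the outbound connector, and skip mail that already arrived from Check Point.
New-TransportRule -Name 'Check-Point DLP Inspection' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -SetHeaderName 'X-CMTA-ACCOUNT-ID' -SetHeaderValue $clientId `
    -RouteMessageOutboundConnector 'Check-Point DLP Outbound' `
    -ExceptIfSenderIpRanges $cpIps `
    -Priority 0 -StopRuleProcessing $true

# Step 1, item 20: confirm both connectors exist and are enabled.
Get-InboundConnector  'Check-Point DLP Inbound'  | Format-List Name, Enabled, SenderIPAddresses
Get-OutboundConnector 'Check-Point DLP Outbound' | Format-List Name, Enabled, SmartHosts, TlsSettings
```

If you have other inbound connectors with their own IP addresses (item 7 above), append those addresses to the array passed to -ExceptIfSenderIpRanges.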

Finally, if you have any questions about how to apply these changes to the configuration, contact Check Point Support.
