Secure Messaging Crypto-Gateway Configuration for Office 365

Contents

Overview ... 1
Crypto-Gateway Configuration for Outbound Messages ... 2
   Request Crypto-Gateway Setup for Office 365 ... 2
   Connecting to Crypto-Gateway ... 2
Configuring Office 365 ... 2
   Create New Send Connector in Office 365 ... 2
Configuring DLP Rules ... 5
   Using an existing Rule Template ... 5
   Keyword Rule ... 7
Routing Internal Email Secure ... 8

Overview

The Secure Messaging Crypto-Gateway casts a wider net for data leakage protection. It sits in-line between the mail server and Secure Messaging to offer high-availability processing. For users, this translates into transparent outbound encryption, with all secure messages stored decrypted in the mail server. External guest users continue to benefit from all the same plug-ins, such as Microsoft Outlook and the mobile apps, with the ability to store decrypted content behind their own firewall in their own mail server, without any special server configuration.

Figure 1 below describes the scenario of on-premises email and the Gateway with cloud third-party archiving.

Figure 1: Secure Messaging Crypto-Gateway with Office 365
[Diagram labels: User, Outlook, Office 365 Exchange connector, Cloud Gateway, Secure Messaging Platform]

Secure Messaging Page 1
Crypto-Gateway Configuration for Outbound Messages

The Secure Messaging Crypto-Gateway service can be used as an outbound gateway for messages. Messages are received from Exchange Online via an Exchange send connector. DLP rules within the Office 365/Exchange Online environment route the messages to the send connector, which delivers them to the Crypto-Gateway.

Request Crypto-Gateway Setup for Office 365

The Crypto-Gateway servers ignore all traffic unless the source of the traffic has been whitelisted with the service. The following information is necessary to submit outbound messages:

- IP address of the sending server, so we can whitelist the address. Cirius can also create a filter for the Exchange Online servers; simply indicate that your email server is Office 365.
- Primary domain and all associated domains for the company
- Customer portal, if different from the primary domain

Once identified, this information should be submitted to support@secure-messaging.com for configuration. Once configured, the sending mail service can be configured to gateway messages to the Crypto-Gateway.

Connecting to Crypto-Gateway

The connection to the Secure Messaging Crypto-Gateway service is made using SMTP on port 25. The SMTP session must use the STARTTLS command to ensure the messages are transmitted securely. The following table provides the addresses of the Crypto-Gateway services:

Environment                               Address
US Test Crypto-Gateway (nonproduction)    n/a
US Region Crypto-Gateway                  cr-us.secure-messaging.com
CA Region Crypto-Gateway                  cr-ca.secure-notification.com
UK Region Crypto-Gateway                  cr-uk.secure-notification.com

Secure Messaging support will reply with the FQDN of the configured Crypto-Gateway environment once the setup is complete.

Configuring Office 365

Create New Connector in Office 365

1. Navigate to Exchange admin center >> Mail flow >> Connectors
2. Press + to add a new connector
3. Select your mail flow scenario:
   a. From: Office 365
   b. To: Partner organization
4. Name the connector: Secure Messaging Crypto-Gateway
5. Select the box to turn it on and press Next
6. When do you want to use this connector?
   a. Select the first option: Only when I have a transport rule set up that redirects messages to this connector, then press Next
7. How do you want to route email messages?
   b. Select: Route email through these smart hosts
   c. Press the + sign and specify the fully qualified domain name (FQDN) or IPv4 address provided by Secure Messaging Support, then press Next
8. How should Office 365 connect to your partner organization's email server?
   d. Select: Always use TLS
   e. Select: Any digital certificate, including self-signed certificates, then press Next twice
9. Validate Connector
   f. Press + and add any email address, then press OK
   g. Press the Validate button at the bottom of the screen
   h. Close the confirmation screen
   i. Press Save
10. The connector is now set up and ready to send email to the Crypto-Gateway.

Configuring DLP Rules

DLP rules are primarily compliance driven and will typically be set up by your compliance officer or compliance team. The following uses existing templates only and is intended as a guideline. We will set up a DLP policy from a template and a keyword rule following this.

Using an existing Rule Template

1. Log in to Exchange admin center
   a. Navigate to Compliance Management
   b. Select the data loss prevention tab at the top of the page
   c. Press the + symbol
   d. Name the policy, e.g. HIPAA
   e. Select the relevant policy, e.g. U.S. Health Insurance Act
   f. Press Save (this may take a few minutes while the new rules are added to Exchange)
2. Navigate to mail flow on the left of Exchange admin center
3. Your rules should now show in the rules tab, selected by default
4. Edit a rule to enable the outbound Crypto-Gateway:
   a. In the action drop-down menu do the following (whether to leave a policy tip is a preference of the individual organization):
      i. Select the action drop-down box
      ii. Pick the action: Redirect the message to
      iii. Select: the following connector
      iv. Pick the Secure Messaging Crypto-Gateway connector
      v. Press OK
      vi. Press Save to complete the changes to the rule
5. This action should be completed for all DLP policy rules that require secure transmission of the message.
6. By default this policy group (HIPAA) and others allow an override, which may not be necessary if all other policies redirect messages to be encrypted and a bypass is not an option.

Keyword Rule

Setting up your own keyword policy is as easy as the previous steps, but it will need to be made from a blank rule using the following steps:

1. Select the + symbol on the tab at the top of rules
2. Select: Create a new rule
   a. Give the rule a name, e.g. Keyword Policy
      i. Apply rule if
      ii. Select: The subject or body includes
      iii. Enter a keyword, e.g. insider
         1. Add as many words as required by selecting the + symbol and pressing OK for each word
      iv. Audit this rule with severity level: optional setting
         1. You can use a DLP policy with rules that do not specify any audit severity level. The severity level setting is a property of a single rule that you can change. When you don't specify a severity level, the detections that are made for that rule show up in the DLP reports as Low data points. You can change the severity level that is associated with detected messages for a specific rule by using the DLP rules editor. Learn more about editing rules at Manage DLP policies.
      v. Set priority: optional setting
         1. Determines in what order this rule is run relative to the others
      vi. More options: this reveals additional rule options so that you can set up the messages to go to the Crypto-Gateway if triggered.
      vii. Once you select More options you will be able to edit the existing rule actions. Follow step 4 in Using an existing Rule Template to complete setting up the keyword policy.
3. Once completed, any email that contains a keyword in the list will be redirected to the Crypto-Gateway for encryption.

Routing Internal Email Secure

In order to secure internal messages, they will need to be routed to the Crypto-Gateway as well, and an additional rule will need to be created.
1. Before you create the internal message rule you will first need to add an action to each DLP or routing rule that routes email to the Crypto-Gateway:
   a. Add action: Do the following
   b. Set the message header to this value
      i. Header: Secure-0365
      ii. Value: True
2. Select the + symbol on the tab at the top of rules
3. Select: Create a new rule
   a. Give the rule a name, e.g. Internal Messages Secure
      i. Apply rule if
      ii. Sender is located: Inside the organization
      iii. Do the following
         1. Set the message header to the following:
            a. Header: Secure-0365
            b. Value: True
      iv. Add action
      v. Use the following connector
         1. Pick the connector previously created to route email to the Crypto-Gateway
      vi. Create 2 exceptions (this prevents messages looping between the 2 servers)
      vii. Except if
         1. A message header includes:
            a. Header: X-SecMsg-GWSMNotifcations
            b. Value: True
         2. A message header matches:
            a. Header: Secure-0365
            b. Value: True
      viii. Set the priority to the preferred value; the lower the value, the higher the priority placed on the rule.
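The whole GUI procedure above (connector, template-rule edits, keyword rule, internal rule with loop exceptions), scripted end to end as an added example that is not from the vendor guide or Secure Messaging's own tooling, using Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module, the HIPAA policy name used above, and placeholder values (marked example.invalid) for the smart host FQDN, the validation recipient and the keyword list.

```powershell
# Added example (not from the vendor guide): the setup above with Exchange Online PowerShell.
# Values containing 'example.invalid' are placeholders you replace with your own.
Connect-ExchangeOnline

$connectorName = 'Secure Messaging Crypto-Gateway'
$smartHost     = 'cr-REGION.example.invalid'   # placeholder: FQDN sent by Secure Messaging support
$keywords      = @('insider')                   # placeholder keyword list
$marker        = 'Secure-0365'                  # header the guide uses to mark already-routed mail

# Create New Connector (steps 1-10): Office 365 -> partner, used only when a rule redirects to it,
# smart host delivery, TLS required. 'EncryptionOnly' matches "Always use TLS" + "Any digital
# certificate"; if the gateway presents a CA-issued cert for its FQDN, 'DomainValidation' is stricter.
New-OutboundConnector -Name $connectorName -ConnectorType Partner -Enabled $true `
    -IsTransportRuleScoped $true -UseMXRecord $false -SmartHosts $smartHost `
    -TlsSettings EncryptionOnly | Out-Null
Validate-OutboundConnector -Identity $connectorName -Recipients 'validate@example.invalid'

# Using an existing Rule Template step 4 + Routing Internal Email step 1: point every rule of the
# DLP policy at the connector and set the marker header the loop exceptions below key on.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq 'HIPAA' } | ForEach-Object {
    Set-TransportRule -Identity $_.Identity -RouteMessageOutboundConnector $connectorName `
        -SetHeaderName $marker -SetHeaderValue 'True'
}

# Keyword Rule: subject or body contains a keyword -> mark the message and route it to the gateway.
New-TransportRule -Name 'Keyword Policy' -SubjectOrBodyContainsWords $keywords `
    -SetHeaderName $marker -SetHeaderValue 'True' `
    -RouteMessageOutboundConnector $connectorName -SetAuditSeverity Medium -Priority 0

# Routing Internal Email Secure: route internal mail too, except mail already returned by the
# gateway (X-SecMsg-GWSMNotifcations) or already marked by another rule (Secure-0365).
New-TransportRule -Name 'Internal Messages Secure' -FromScope InOrganization `
    -SetHeaderName $marker -SetHeaderValue 'True' `
    -RouteMessageOutboundConnector $connectorName `
    -ExceptIfHeaderContainsMessageHeader 'X-SecMsg-GWSMNotifcations' -ExceptIfHeaderContainsWords 'True' `
    -ExceptIfHeaderMatchesMessageHeader $marker -ExceptIfHeaderMatchesPatterns '^True$' `
    -Priority 1

# Check: any rule that routes to the gateway without setting the marker header can cause a loop
# through the internal rule; this should return nothing.
Get-TransportRule | Where-Object {
    "$($_.RouteMessageOutboundConnector)" -eq $connectorName -and $_.SetHeaderName -ne $marker
} | Select-Object Name, Priority, State
```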