Activating the DLP Cloud Service via the Cloud Management Portal (CMP)
search cancel

Activating the DLP Cloud Service via the Cloud Management Portal (CMP)

book

Article ID: 184719

calendar_today

Updated On:

Products

Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Package Data Loss Prevention Cloud Detection Service for ICAP Data Loss Prevention Cloud Detection Service for REST Data Loss Prevention CASB Securlet SAAS With DLP-CDS

Issue/Introduction

You have purchased the Cloud Service for DLP and want to activate it. You have been sent a link to the Data Loss Prevention (DLP) Cloud Management Portal (CMP).

Environment

  • Data Loss Prevention Cloud Detection Service - aka a "CDS" whether for the CloudSOC, for WSS, or for a Custom REST Detector
  • Data Loss Prevention Cloud Service for Email
  • CloudSOC Tenant, aka CASB

Note that the above detector types can also be configured in a "Cloud Managed DLP" option. - but those detectors do not use enrollment bundles.

  • "Enforce Managed" detectors require enrollment bundles in order to bind the service to an on-premises Enforce Server.
  • "Cloud Managed" detectors do not - they are bound to your CloudSOC Tenant via a different process, which is performed by the Cloud Operations teams.

Cause

You have purchased the Cloud Service, but do not have a bundle that will let you enroll with the service.

Resolution

For clarification, all customers of the DLP Cloud Service need to login to the CMP in order to gain access to the Cloud Service: https://cmp.protect.broadcom.com/

Below are the steps you will need to follow in order to get your Cloud Service "provisioned" - and to receive your enrollment bundle:

  1. Purchase the Cloud Service.
  2. Confirm receipt of a "Welcome email" directing you to login to the Cloud Management Portal.
    • FYI: The CMP account as setup uses the same SSO method to sign in as the account you would use to access your Support cases on the Broadcom portal (e.g., you need an account in Okta).
    • Once successfully logged in to the CMP, your account will appear as "Enabled" to the Technical Support teams. Otherwise it shows up as "New" and we will advise you to complete this step.
  3. Next you need to verify the setup of the Cloud Detection Service needed.
    The details submitted will vary somewhat with each type of Cloud Detector:
    • For ALL Detector types: The email address of a DLP "Admin". The Cloud Operations team may use this info to contact you and your team directly, as in the event of an issue with your Cloud Service. Thus, this should be not be an individual email address - we suggest you use a Distribution List.
    • For ALL Detector types: The region where you need your Detector to be "housed" - either EMEA or US. At this time, APJ customers should choose the US region.
    • For Cloud Service for Email entitlements, you need to verify your email setup or mailflow - designating the MTA you will be using with the Cloud Service. It needs to be one of the following supported configurations:
      • Forwarding mode - the "next hop" after DLP is Email Security.cloud - aka "MessageLabs". Note: Customers need to provide their Email Security.cloud user name as part of this configuration. This is also known as the "Clientnet" ID [Detector MIN CREF], and is always 3 letters followed by 4 numerals, e.g., ABC1234:
        • G-Suite/Google for Work gmail => DLP Cloud Service for Email => Email Security.cloud
        • O365 => DLP Cloud Service for Email => Email Security.cloud
      • "Hybrid" mode - actually also a "Forwarding mode" option: a Hybrid mode Detector will accept messages from your on-prem Exchange or from your O365 tenant:
        • Exchange / O365 => DLP Cloud Service for Email => Email Security.cloud
      • Reflecting mode - only available for customers of O365/M365: no Email Security.cloud integration is needed, instead, messages go back to O365 for final transport and delivery:
        • O365 => DLP Cloud Service for Email => O365
      • NOTE: there are no other supported configurations for the Cloud Service for Email at this time. 
  4. Until you actually submit its configuration, the status of your entitlements will have a wrench icon:
    • When you've successfully submitted your configuration its status will change to this icon:

      At this point, your new Cloud Detector should be provisioned within 1-2 business days.

When provisioning is complete, the Cloud Operations team will send a second Welcome Email to the DLP Admin as submitted above - including the Enrollment Bundle and configuration details.

The bundle email will be sent from "[email protected]".

*Until the configuration has been submitted as above, no provisioning will have occurred, and no bundle can be issued.*

Additional Information

Customers using DLP and CASB must have a CASB Tenant provisioned before submitting their "DLP CDS for CASB" entitlement.

As noted in the "Environment" section above, customers who've requested Cloud Managed DLP detectors will not receive an enrollment bundle. For more info about submitting a Cloud Managed DLP detector, see You want to have a Cloud-Managed DLP CDS provisioned (broadcom.com).

If you've already completed the steps above, and for any reason need a new enrollment bundle for your on-premises detector, please contact Technical support. As per this article, the bundle generation feature is not currently working in the CMP.

Note: if you do not see the DLP entitlements in your CMP account and you have a PLA license, additional steps may be required: You have a PLA for DLP but do not see any entitlements for it in the Cloud Management Portal (broadcom.com).