
Verifying your DLP Cloud Service installation in advance of the migration to the Google Cloud Platform - for customers using O365 in Reflecting mode


Article ID: 201446


Products

  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Detection Service for ICAP
  • Data Loss Prevention Cloud Detection Service for REST
  • Data Loss Prevention Enforce
  • Data Loss Prevention Cloud Package

Issue/Introduction

As part of a migration of Symantec Information Security products to the Google Cloud Platform, some customers using the DLP Cloud Services need to make changes in their environment.

For more information about this migration, please see the Product Advisory on the topic.

Instructions for any required changes are summarized at the following locations:

  1. For all Cloud Service customers using DLP v15.1 and prior, the DLP Enforce server Truststore must be replaced: Follow the steps in the article "Replacing the Cloud Services Enforce Truststore prior to migration of DLP Cloud Service to Google Cloud Platform".
  2. For DLP Cloud Service for Email customers in Reflecting mode, the set of IP ranges in O365 must be updated, to prevent looping of emails sent for detection to DLP: Follow the steps in the "Resolution" section on this page.

Cause

You use the DLP Cloud Service with your DLP Enforce Console, and want to verify your setup is ready in advance of the coming migration of the service to the Google Cloud Platform.

Environment

Customers using the DLP Cloud Service for Email with O365 in Reflecting mode need to follow steps in "B". Note that "Reflecting mode" means a mailflow as per the following:

End user email send => O365 Cloud => DLP Cloud Service for Email => O365 Cloud => End user email receipt

Customers using the DLP Cloud Service for Email in any other setup do not need to make further changes. Those setups include Forwarding mode (messages going to Email Security.cloud after DLP), as well as messages originating from a Gmail for Work setup.

Resolution

Validating the Office365 Configuration for DLP Cloud Service for Email Reflecting Mode

Note: The following instructions reflect the Microsoft Exchange admin center user interface at the time this document was published. While the Microsoft Exchange user interface may change, the values you need to enter to configure the connection between Office 365 and Symantec Cloud Service for Email remain the same.

To log on to your Microsoft Exchange admin center account

  1. Log on to your corporate Office 365 account as administrator.
  2. Expand the admin center item.
  3. Choose Exchange, then choose mail flow from the left column.

 

To verify exceptions for the DLP Cloud Service IP address ranges:

  1. Click rules.
  2. Find and select the rule(s) you created to route emails to the Symantec DLP Cloud Service for Email through the Outbound connector(s).
  3. Verify that the Except if section contains the new IP address range (144.49.240.0/21) for the cloud service in GCP, in addition to the IP addresses for the service hosted in AWS*.
  4. Please see the screenshot below, for confirmation that the changes have been made correctly.

Additional Information

*Current IP addresses for the service hosted in AWS are taken from the latest version of the Cloud Service for Email Implementation Guide, in the section "Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)".

For cloud detectors in the US data center the list is:

  • 52.41.248.36
  • 52.27.180.120
  • 52.33.64.93
  • 18.237.140.176/28
  • 18.206.107.176/28

For cloud detectors in the EU data center the list is:

  • 52.30.186.166
  • 52.51.15.72
  • 52.211.17.155
  • 34.246.231.224/28
  • 18.184.203.160/28
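
The check in step 3 can be done offline against the entries copied from a rule's Except if section. The following is an added example, not code from Symantec or Microsoft; the function names and the sample entries are constructed for illustration. It goes slightly beyond a literal comparison by treating a required range as present when a configured entry fully contains it (for example, a host entered as /32).

```python
import ipaddress

# Ranges listed on this page.
GCP_RANGE = "144.49.240.0/21"
AWS_RANGES = {
    "US": ["52.41.248.36", "52.27.180.120", "52.33.64.93",
           "18.237.140.176/28", "18.206.107.176/28"],
    "EU": ["52.30.186.166", "52.51.15.72", "52.211.17.155",
           "34.246.231.224/28", "18.184.203.160/28"],
}

def parse_entries(entries):
    """Parse entries copied from the rule; return (networks, unparseable)."""
    nets, bad = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            nets.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            bad.append(text)  # typo or truncated value in the exception list
    return nets, bad

def missing_ranges(configured, data_center):
    """Return (required ranges not fully covered, unparseable entries)."""
    nets, bad = parse_entries(configured)
    missing = []
    for item in [GCP_RANGE] + AWS_RANGES[data_center]:
        need = ipaddress.ip_network(item)
        covered = any(have.version == need.version and need.subnet_of(have)
                      for have in nets)
        if not covered:
            missing.append(item)
    return missing, bad

if __name__ == "__main__":
    # Constructed sample: a US rule that still lists only the AWS addresses.
    sample = ["52.41.248.36/32", "52.27.180.120", "52.33.64.93",
              "18.237.140.176/28", "18.206.107.176/28"]
    missing, bad = missing_ranges(sample, "US")
    print("missing from Except if:", missing or "none")
    print("unparseable entries:", bad or "none")
```

A partial entry such as 144.49.240.0/24 is reported as missing, because it does not cover the whole /21 that the service in GCP uses.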
