Connecting Google Workspace

Modified on Sat, 7 Sep at 3:49 PM

About connecting Google Workspace email services

You can integrate Perception Point X-Ray with Google Workspace. This enables Perception Point X-Ray to protect incoming email to Google Workspace. 

Integration with Google Workspace uses semi-inline integration - with no MX record change.

Note: 

  • By default, the Google Workspace integration monitors incoming emails only - not outgoing emails. [Outbound monitoring can't be configured for Google Workspace.]
  • By default, internal email is not monitored. To add monitoring for internal email, contact Perception Point Support [support@perception-point.io]. There may be additional licensing requirements for enabling internal scanning.

 

Important: Make sure that Google Workspace "comprehensive mail storage" is disabled before implementing an integration with Google Workspace. If "comprehensive mail storage" is enabled, malicious emails may not be successfully quarantined.


A bit more about the Google Workspace integration

Onboarding process

  • Customer onboarding involves adding the domain name and verifying a TXT record in the system.
  • Configuring the required rules and expressions is done manually.

Email flow overview

  • Inbound emails initially route through the Google servers for initial analysis by Google Security.
  • Leveraging Content Compliance Rules, emails that meet specific criteria are redirected to the Perception Point scanner.

Scanning and response

  • Clean: Emails that are assigned the clean verdict are sent back to the Google Workspace servers through the configured next-SMTP for final delivery.
  • Spam: Emails that are assigned the spam verdict are given a "X-PERCEPTION-POINT-SPAM: FAIL" header.
    • In Google Workspace, the Message Tagging header-based system identifies the Perception Point Spam header and redirects the email to the Spam folder.
  • Malicious: Emails that are assigned the malicious verdict do not return to the Google Workspace servers.
    • This proactive prevention stops the malicious emails from reaching the recipient's Inbox.

Flow chart diagram 

Which users are protected

When you onboard a Google Workspace email service, you specify which users to protect. You can choose to protect:

  • specific users
  • specific user groups
  • entire domains

 After onboarding Google Workspace, you can modify the set of users to protect. For details, see "Specifying which users to protect [Google Workspace]" on page 152.

  • Perception Point X-Ray scans email messages up to a maximum of 40 MB [including attachments]. Larger email messages are not scanned by Perception Point X-Ray, and will be delivered to the specified recipients.

Note: 

  • Due to external technical limitations, the 40 MB limitation can't be increased.
  • We recommend that you limit receiving email attachments up to 30 MB in size. Files that are larger than 30 MB should be shared using a different file sharing service, such as Microsoft OneDrive or Google Drive.



The Google Workspace connection procedure

Perform the following procedure to integrate Google Workspace with Perception Point X-Ray:



 Step 1 - Onboarding Google Workspace


You can integrate Perception Point X-Ray with Google Workspace. This enables Perception Point X-Ray to protect all incoming mail from Google Workspace. 

This is the 1st step of the procedure to integrate Google Workspace with Perception Point X-Ray:

 The onboarding process includes enabling the Perception Point X-Ray remediation app [also known as the G-Suite APP - see step 6 below]. This app enables emails to be removed from a user's Inbox if the scan verdict is set to malicious - after the email has been delivered. For details on the remediation app, see "Remediation App" on page 729.

To onboard Google Workspace:

  1. On the right of the Perception Point X-Ray banner, click the Add Services icon.
  2. Click Add New Domain - if this option appears. 

  1. Select the Organization - if necessary.
  2. Specify the Escalation contacts. For details, see "Escalation contacts" on page 51.
  3. In Email Service, select Google Workspace.
  4. In Connection Method, select Inline
  5. Click ENABLE G-Suite APP - in the bottom right corner. [This is the remediation app.]

 

Important: If the ENABLE G-Suite APP button is not enabled, make sure that you have specified an escalation contact above.

 

  1. You'll be redirected to a page with instructions, and at the bottom, a place to enter an email address.

Keep this page open - you'll return to this page later to complete this step, as described below.

  1. In Google Workspace:
    1. Go to your Google Workspace domain's Admin Console.
    2. Click Security > Access and data control > API controls.
    3. Scroll down to the Domain wide delegation section, and then select Manage Domain Wide Delegation.
    4. Click Add new.
    5. Under Client ID, enter 105845669529204264254

  1. Add these scopes to the OAuth scopes section:
    1. https://mail.google.com/
    2. https://www.googleapis.com/auth/admin.directory.user.readonly
    3. https://www.googleapis.com/auth/admin.directory.group.readonly
  2. Click Authorize.
  1. In Perception Point X-Ray
    1. In Perception Point X-Ray, in the field with the text "Your Email", enter an admin email address [see the important note below for details].



Important: 

  • We recommend that you create an email address that is dedicated for this integration only. This will ensure that the email address is always available - and that the integration is not dependent on the continued availability of a specific user in your organization.
  • The email address should have Super Admin privileges [with API permissions].

 

  1. Click Submit.

The next step in the wizard appears.

  1. In the Host box, enter the name of the new domain - for example, acme.com 
  2. Click FIND SMTP to the right of the domain name. This should populate the SMTP Servers field. 

This is the address to which mail will be sent after it has been scanned and marked as being clean.

 

Important: Do not enter a value such as smtp.office365.com or outlook.office365.com or smtp.gmail.com

The required SMTP server is a server in your domain - as it appears in the MX record.

Checking your SMTP server manually 

You can perform the lookup procedure below to check that the SMTP server that appears is correct:

  1. In Domain Name, enter your domain name - and then click MX Lookup.

Your required SMTP server will appear under Hostname.

 

  1. [Optional] Click Add Domain - if more than 1 domain is required - and enter the required details.

Licenses: By default, Perception Point X-Ray will protect all email users in the domains that you specified above. To protect only a limited number of users, contact Perception Point Support [support@perception-point.io].

  1. Click Next.

The "Add TXT Records" dialog box opens. This dialog box includes the TXT record names and TXT record values, that you'll need in order to add and verify the TXT records for your domain - in Step 2.

If multi-region is enabled, there will be details for TXT records in both the primary and secondary regions. For details about the multi-region functionality, see "Multi-region" on page 56.

You must now perform Step 2 to verify the new domains that you added above. For details, see "Step 2 - Verifying your domains [Google Workspace]" on page 137.

 


 Step 2 - Verifying your domains [Google Workspace]

You can integrate Perception Point with Google Workspace. This enables Perception Point to protect all incoming mail. 

This is the 2nd step of the procedure to integrate Google Workspace with Perception Point:

About verifying your domain

You need one or more verified domains for each email service that you integrate with Perception Point. After you add a domain [as part of the email service connection process], you need to verify the domain. Verifying a domain includes:

  •  Adding a TXT record to your domain provider
  • Verifying the TXT record

Adding a TXT record

 

Note: 

  • For each TXT record that you add, you will need the TXT record name and the TXT record value.
  • If multi-region functionality is enabled, you will need to add TXT records for both the primary region and the secondary region. [see "Multi-region" on page 56]
  • After adding a TXT record to your domain provider, don't remove the TXT record as long as you are connected to Perception Point X-Ray - as the TXT record allows Perception Point X-Ray to constantly authenticate with the DNS supplier.

 

To add a TXT record:

  1. Open Perception Point X-Ray.
  2. In the left navigation menu, select Account > Email Domains.
  3. Locate and then open the required domain.
  4. Click Copy to copy the "TXT record name" to the clipboard.
  5. Go to your domain provider and add the TXT record name, using the value that you copied to the clipboard.
  6. Click Copy to copy the "TXT record value" to the clipboard.
  7. Go to your domain provider and add the TXT record value, using the value that you copied to the clipboard.

 

Note

Other AWS products may use this method of domain verification. This is OK, as it is acceptable to have more than one _amazonses.domain record, as long as the record values are different.

 

Verifying the new TXT record

 

Note

When you add a TXT record to your domain provider, it may take up to 72 hours for your domain provider to apply and replicate the change. Inform Perception Point Support [support@perception-point.io] if the domain is not verified after a few hours.

 

To verify a new TXT record:

  1. Open Perception Point X-Ray.
  2. In the left navigation menu, select Account > Email Domains.
  3. Locate and then open the required domain.
  4. Locate "TXT record verification". It should have the "Pending" status.
  5. Click Verify on the right of "TXT record verification".

The status should change from Pending to Verified.

 

Note: If multi-region functionality is enabled, you'll need to verify TXT records for both the primary region and the secondary region. [see "Multi-region" on page 56]

 



 Step 3 - Configuring Google Workspace

You can integrate Perception Point X-Ray with Google Workspace. This enables Perception Point X-Ray to protect all incoming mail. 

This is the 3rd step of the procedure to integrate Google Workspace with Perception Point X-Ray:

To enable your Google Workspace integration with Perception Point X-Ray, some configurations must be made in your Google Workspace account. Perform these configurations as described below.

To configure Google Workspace with Perception Point X-Ray:

 

Note: The procedures below may differ slightly depending on the versions of the products that you are using.

 

1. Add and configure a Google Workspace host 

Configure a Perception Point scanner host to which emails will be routed.

  1. Sign-in to the Google Admin console at admin.google.com.
  2.  Go to Apps > Google Workspace > Gmail and then click Hosts.
    [Click here: https://admin.google.com/u/1/ac/apps/gmail/hosts]
  3. Click Add route.
  4. In the Add mail route dialog box, specify the following.

  1. Name: Perception Point Scanner
  2. Single host [name]:

What is the environment of your organization 

  1. In Perception Point X-Ray, go to Account > Preferences.
  2. The Environment of your organization will appear under General > Info: US, EU, or AU.

 

 

  • For US environments:
    • Multi-region enabled: us.mx-pp.com
    • Multi-region not enabled: inbound-smtp.us-east-1.amazonaws.com
  • For EU environments:
    • Multi-region enabled: eu.mx-pp.com
    • Multi-region not enabled: inbound-smtp.eu-west-1.amazonaws.com
  • For AU environments:
    • Multi-region enabled: australia.mx-pp.com
    • Multi-region not enabled: inbound-smtp.eu-west-1.amazonaws.com

 

  1. Port: 25
  1. Under 2. Options:

  1. Clear the Perform MX lookup on host check box.
  2. Select Require mail to be transmitted via a secure (TLS) connection.

Note that Perception Point X-Ray supports TLS 1.2

  1. Select Require CA signed certificate.
  2. Validate certificate hostname:
    1. If multi-region IS NOT enabled, select Validate certificate hostname.
    2. If multi-region IS enabled, clear the Validate certificate hostname check box.

For details about multi-region, see "Multi-region" on page 56.

  1. Click Save.



2. Add IPs to inbound gateway 

This procedure adds some Perception Point IP addresses to a safelist. 

  1. Sign-in to the Google Admin console at admin.google.com.
  2. Click Apps > Google Workspace > Gmail

[Click here: https://admin.google.com/u/1/ac/apps/gmail/spam]

  1.  Scroll down to Spam, Phishing and Malware - and select it.
  2. Locate Inbound gateway, hover over it, and click the Edit icon.
  3. Select the "Enable" check box under Inbound Gateway - if it has not already been enabled.
  4. In the Description text box, enter Perception Point inbound Gateway
  5. Depending on the environment of your organization, add the following IP addresses to your inbound gateway:

What is the environment of your organization 

  1. In Perception Point X-Ray, go to Account > Preferences.
  2. The Environment of your organization will appear under General > Info: US, EU, or AU.

 

For US environments:

  • 54.227.64.76
  • 3.81.182.154
  • 3.93.155.149
  • 3.95.118.12
  • 3.95.142.181
  • 209.85.128.0/17
  • 52.12.169.124 [required only if multi-region is enabled]

For EU environments:

  • 99.81.216.78
  • 34.249.190.60
  • 108.128.137.108
  • 99.80.189.20
  • 209.85.128.0/17
  • 52.12.169.124 [required only if multi-region is enabled]

For AU environments:

  • 13.236.255.231
  • 54.66.125.250
  • 209.85.128.0/17
  • 52.12.169.124 [required only if multi-region is enabled]

 

  1. Select Automatically detect external IP.

 

Important: Do NOT select "Reject all mail not from gateway IPs" - as this will interrupt mail flow.

 

  1. Select Require TLS for connections from the email gateways listed above.

Note that Perception Point X-Ray supports TLS 1.2

  1. [Optional] To use the spam engine of Perception Point X-Ray, scroll down and configure 2. Message Tagging.

  1. Select Message is considered spam if the following header regexp matches
  2. In the Regexp text box, enter X-PERCEPTION-POINT-SPAM: FAIL
  3. Select Message is spam if regexp matches.
  4. Clear the Disable Gmail spam evaluation on mail from this gateway; only use header value check box.
  1. [At the bottom of the page, click Add Settings.]
  2. Click Save.

3. Route incoming emails to Perception Point 

This procedure creates a content compliance rule that sends the email to Perception Point X-Ray.

To add a content compliance rule:

  1. Sign-in to the Google Admin console at admin.google.com.
  2. Select Apps > Google Workspace > Gmail

[Click here: https://admin.google.com/u/1/ac/apps/gmail/compliance]

  1.  Scroll down to Compliance, and click it.
  2. Scroll down to Content Compliance.

If you already have a content compliance rule, click Add Another Rule.

In the Add setting dialog box, specify the following:

  1. Short description: Perception Point Redirect Rule
  2. Under 1. Email messages to affect, select Inbound.




  1. Under "2. Add expressions that describe the content you want to search for in each message", in the first drop-down menu, select "If ALL of the following match the message"

Important: Make sure to select "If ALL of the following match the message" and NOT the default "If ANY of the following match the message".

  1. Add and configure the following two expressions:

 

Expression 1: Unique header 

In this step, you'll add the first expression to the Perception Point Redirect Rule. This expression helps to prevent looping.

  1. Under Expressions, click Add

Fill in the following fields:

  1. Advanced content match
  2. Location: Full headers
  3. Match type: Not contains text
  4. Content: <A unique value, at least 8 characters long>

Create a value that is unique to your organization - preferably by using a password generator such as 1Password. 

For example, GHTD465J

Note: 

  • We highly recommend using only capital letters and numbers. 
  • Avoid using the full organization name.

 

  1. Click Save.

Expression 2: Email size limitation 

In this step, you'll add a second expression to the Perception Point Redirect Rule.

Note: Amazon SES has a 40 MB limit. We recommend using a different file sharing service for larger files as a best practice. Messages larger than 40 MB will not trigger the rule, and therefore they will not be scanned. These messages will still be delivered to the specified recipients.

 

  1. Under the Expressions box, click Add to add a new expression.

  1. Specify the following details for the new expression:

  1. Metadata match
  2. Attribute: Message size
  3. Match type: Message size is less than the following (MB)
  4. 40
  1. Click Save.

 

  1. Complete the setting:
    1. Under 3. If the above expressions match, do the following

  1. Select Modify message.
  2. Under Headers:
    1. Select Add X-Gm-Original-To header.
    2. Select Add X-Gm-Spam and X-Gm-Phishy headers.
    3. Select Add custom headers and click Add to add a header.
      1. Header: X-PERCEPTION-POINT-ROUTING

 

Note: The "X-" is added to the expression automatically.

 

  1. Value: The unique value that you created and entered for Content above. [see Expression 1: Unique header]

As per the example above, GHTD465J.

  1. Click Save.
  1. Scroll down to Route.

  1. Select Change route.
  2. [Optional] Select Also reroute spam.
  3. From the drop-down menu, select Perception Point Scanner.
  1. Scroll down to the bottom of the dialog box, and click Show options.

  1. Under Account types to affect, select [all of the following]:
    1.  Users 
    2. Groups
    3. (Unrecognized / Catch-all)
  2. Specifying which users to protect [Google Workspace]

Note: After onboarding the Google Workspace integration, you can change the set of users that are protected by modifying the rule, as described below.

Under Envelope filter, select Only affect specific envelope recipients.

  1.  From the drop-down menu, select one of the following 3 options:

[This defines the users that will be protected by Perception Point X-Ray.]

 

 

  • Pattern match
    • Applies to: Domains and email addresses
    • Instructions: Enter the domains or email addresses to protect.
      • Multiple domains: Add the domains with a pipe symbol ["|"] between them, and without spaces between them.
      • Multiple email addresses: Add the email addresses with a pipe symbol ["|"] between them, and without spaces between them.
    • Note: Make sure to use lower-case letters to specify the domains and email addresses. For example, specify "acme.com" and not "ACME.COM"
  • Group membership
    • Applies to: Email groups
    • Instructions: Click Select groups and then select the required group or groups to protect.
  • Single email address
    • Applies to: A single email address
    • Instructions: Enter the required [single] email address to protect.

 

  1. Click Add setting.
  1. Click Save.



Email from Google Workspace is now protected by Perception Point.
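The redirect rule from "3. Route incoming emails to Perception Point", modeled as an added example (not Perception Point or Google code) to show why "If ALL of the following match the message" is required for the unique header to prevent looping. The function names and the sample message are constructed for illustration, and the model assumes the scanner returns clean mail with the routing header still in place; GHTD465J is the page's example value.

```python
import re
import secrets
import string

MAX_MB = 40  # Expression 2 threshold from the page
ROUTING_HEADER = "X-PERCEPTION-POINT-ROUTING"
SPAM_REGEXP = r"X-PERCEPTION-POINT-SPAM: FAIL"  # Message Tagging regexp from the page

# Constructed sample message (not real mail).
SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@acme.com\n"
    "Subject: Quarterly report\n"
    "\n"
    "Hello Bob\n"
)

def new_routing_token(length=12):
    """Random value for Expression 1: capital letters and digits, >= 8 chars."""
    if length < 8:
        raise ValueError("the page asks for at least 8 characters")
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def full_headers(raw):
    """Header block of a raw message: everything before the first blank line."""
    return raw.split("\n\n", 1)[0]

def should_redirect(raw, token, size_mb, match_all=True):
    """Expression 1 (headers do not contain the token) combined with
    Expression 2 (size below 40 MB) using ALL (default) or ANY."""
    not_yet_scanned = token not in full_headers(raw)
    small_enough = size_mb < MAX_MB
    if match_all:
        return not_yet_scanned and small_enough
    return not_yet_scanned or small_enough

def scanner_trips(raw, token, size_mb, match_all=True, max_hops=5):
    """Count trips to the scanner for a clean message. Each trip adds the
    routing header, then the scanner hands the message back to Google, where
    the rule is evaluated again (assumed). max_hops only stops the simulation."""
    hops = 0
    while hops < max_hops and should_redirect(raw, token, size_mb, match_all):
        raw = f"{ROUTING_HEADER}: {token}\n{raw}"
        hops += 1
    return hops

def tagged_as_spam(raw):
    """Message Tagging: the spam header set by the scanner is present."""
    return re.search(SPAM_REGEXP, full_headers(raw)) is not None

if __name__ == "__main__":
    token = "GHTD465J"  # the page's example value; generate your own
    print("ALL, 2 MB :", scanner_trips(SAMPLE, token, 2))
    print("ANY, 2 MB :", scanner_trips(SAMPLE, token, 2, match_all=False))
    print("ALL, 45 MB:", scanner_trips(SAMPLE, token, 45))
    print("new token :", new_routing_token())
```

With ALL, a message makes one trip to the scanner; with ANY, the size expression still matches after the header is added, so the message is rerouted on every pass. Because any message whose headers already contain the value is not rerouted, the value should be random and not derived from the organization name.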


References:

https://docs.perception-point.io/WP/Content/PP/Gmail-Connecting.htm

Acronis: https://docs.perception-point.io/acronis/Content/PP/Gmail-Connecting.htm

 
