McAfee Enterprise MVISION Cloud

Set up Inline Gmail DLP

IMPORTANT: Before setting up Gmail Inline DLP, you must open a support ticket and request assistance in pre-configuring your tenant.

Step 1: Create a Gmail Instance in MVISION Cloud

  1. Log in to MVISION Cloud.
  2. Go to Settings > Service Management.
  3. Click Add Service Instance.
  4. Select Gmail, enter a name for this new instance, and click Done.
  5. Select Configure for the new instance.
  6. Select Data Loss Prevention (DLP) to ensure compliance, and select Inline Only.
  7. Review the prerequisites and select I have reviewed all prerequisites.
  8. Make sure the following are complete:
    • Domains. Populate with all public domains configured in the G Suite tenant.
    • Take note of the MVISION Cloud Email Service Domain; you will need it later.
    • Select the checkbox confirming that you have configured Gmail (you will do this in Step 2).
  9. Review the settings and select Done.

Step 2: Configure Gmail to Route Email to MVISION Cloud 

  1. Log in to the G Suite admin console (https://admin.google.com) and navigate to Apps.
  2. Select G Suite.
  3. Select Gmail.
  4. Scroll down and select Advanced settings.
  5. Select the Hosts tab, then select ADD ROUTE.
  6. Enter the following details for the new mail route:
    • Enter a name.
    • Enter the single host captured earlier (the MVISION Cloud Email Service Domain).
    • Enter port 25.
    • Disable MX lookup and leave Require secure transport (TLS) disabled.

NOTE: Do NOT enable Require secure transport (TLS), because that option requires the connection between the mail servers to be initiated with TLS. MVISION Cloud uses STARTTLS instead: the connection starts as standard SMTP and is upgraded to TLS once it has been established.

  7. Select the General Settings tab. In the Compliance section, hover the mouse over Content compliance and click CONFIGURE (the CONFIGURE button appears when you hover).
  8. Configure the rule as follows:
    • Enter a name for the rule (for example, MVISION Cloud DLP).
    • Select Outbound.
    • Select Internal - sending to enable scanning of internal emails sent from Gmail to the MVISION Cloud PoP.
    • Advanced content match: Full headers, Not contains text, "X-SHN-DLP-SCAN: success".
    • Change route: select the host created earlier.
    • More options:
      • Select Users and Groups as the account type to affect.
      • IMPORTANT: In a production environment, apply this rule to a test user or group first so that not all mailboxes are affected.

IMPORTANT: DO NOT save the configuration yet.
  9. Scroll down to the Routing section, find SMTP relay service, and select CONFIGURE.
  10. Configure the SMTP relay service rule as follows:
    • Enter a name for the rule (for example, MVISION Cloud DLP).
    • Allowed senders: Only addresses in my domains.
    • Authentication: Select Only accept mail from the specified IP addresses and enter the addresses for your environment.

MVISION Cloud source IP addresses (add each IP address individually to the list in the Gmail rule):

  • PROD: 52.8.140.255, 35.169.47.31, 18.217.82.134, 54.164.132.26
  • EUPROD: 35.157.197.205, 3.120.8.62
  11. Encryption: Select Require TLS encryption.
  12. Select SAVE to apply both the compliance and SMTP relay configurations.

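To make the mail flow configured above concrete, here is an added example (not McAfee's or Google's code) that models the two Gmail rules from this step: the content compliance rule routes outbound mail that lacks the "X-SHN-DLP-SCAN: success" header to the MVISION Cloud host, and the SMTP relay rule accepts the scanned mail back only from your own domains, only from the listed source IPs, and only over TLS. The route host, tenant domain and sample messages are constructed placeholders.

```python
"""Model of the two Gmail rules this guide configures (added example,
not McAfee or Google code). Useful for reasoning about the flow:
unscanned outbound mail -> MVISION Cloud PoP -> scanned mail relayed
back (header present, so it is delivered instead of routed again)."""
import ipaddress
from email import message_from_string

DLP_SCAN_HEADER = "X-SHN-DLP-SCAN"   # header present after a MVISION scan
DLP_SCAN_VALUE = "success"
MVISION_SOURCE_IPS = {               # source IPs listed in this guide
    "PROD": ["52.8.140.255", "35.169.47.31", "18.217.82.134", "54.164.132.26"],
    "EUPROD": ["35.157.197.205", "3.120.8.62"],
}
DLP_ROUTE_HOST = "tenant.mvision-email.invalid"   # placeholder, not a real host
OWN_DOMAINS = {"example.com"}                      # constructed tenant domain


def _sender_domain(raw_message):
    """Domain part of the From header, lower-cased (constructed helper)."""
    addr = message_from_string(raw_message).get("From", "")
    return addr[addr.rfind("@") + 1:].strip("> ").lower()


def content_compliance_route(raw_message):
    """Outbound rule: route unscanned mail to the DLP host, deliver the rest.
    Header lookup is case-insensitive, as Gmail's full-header match is."""
    msg = message_from_string(raw_message)
    if msg.get(DLP_SCAN_HEADER, "").strip().lower() == DLP_SCAN_VALUE:
        return "deliver"             # already scanned: do not loop it back
    return "route:" + DLP_ROUTE_HOST


def smtp_relay_accepts(raw_message, source_ip, environment, tls_used):
    """Relay rule: own-domain sender, allowed source IP, TLS required."""
    if _sender_domain(raw_message) not in OWN_DOMAINS:
        return False
    allowed = {ipaddress.ip_address(ip) for ip in MVISION_SOURCE_IPS[environment]}
    return bool(tls_used) and ipaddress.ip_address(source_ip) in allowed


# Constructed sample: the same message before and after the MVISION scan.
UNSCANNED = ("From: Alice <alice@example.com>\r\nTo: bob@partner.test\r\n"
             "Subject: Q3 numbers\r\n\r\nbody\r\n")
SCANNED = "X-SHN-DLP-SCAN: success\r\n" + UNSCANNED
```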
Step 3: Configure a DLP Rule 

  1. In MVISION Cloud, go to Policy > DLP Policies and add a new rule applied to Gmail. For example:
    • Type: API
    • Active: ON
    • Services: the Gmail instance you created earlier
    • Action: Block email

NOTE: The only supported actions are Generate Incident and Block Email.

Step 4: Test the Configuration

  1. Log in to Gmail with a user account and send an email whose content triggers the configured DLP rule.
  2. Confirm that the recipient does NOT receive the email.
  3. Confirm that a policy incident was created and that the action blocked the email.