Skip to main content
Skyhigh Security

Set up Inline Gmail DLP

IMPORTANT: Before setting up Gmail Inline DLP, you must open a support ticket and request assistance in pre-configuring your tenant.

Step 1: Create a Gmail Instance in Skyhigh CASB 

  1. Log in to Skyhigh CASB.
  2. Go to Settings > Service Management.
    service management.png
  3. Click Add Service Instance.
    clipboard_e045e47b05b2f09d55d48c310b898174e.png
  4. Select Gmail, enter a name for this new instance, and click Done.
  5. To configure new instance, click Configure.
    clipboard_ee05e4a3ea589ed5a1c92a63f0679c9fe.png
  6. Activate the Data Loss Prevention (DLP) to ensure compliance checkbox, and under Email DLP Mode, select Inline Only.
    inline Only.png
  7. Review the prerequisites and activate I have reviewed all prerequisites checkbox.
    gmail.png
  8. Make sure the following are complete:
    • Domains. Populate with all public domains configured with the Google Suite tenant.
    • Take a note of the Skyhigh CASB Email Service Domain. You will need this later.
    • Select the checkbox confirming you've configured Gmail, as you need this in the next step. 
      8.png
  9. Review the settings and click Done.
    9.png

Step 2: Configure Gmail to Route Email to Skyhigh CASB 

  1. Log in to Google Suite admin (https://admin.google.com) and go to Apps.
    1.png
  2. Select Google Workspace.
    2.png
  3. Select Gmail
    3.png
  4. Scroll down and select Hosts.
    4.png
  5. On the Hosts tab, click ADD ROUTE.
    clipboard_e0035b5f8fcde7e80716a1b9313246920.png
  6. Enter the following details for the new mail route:
    • Enter a name 
    • Enter the single host as captured earlier (Skyhigh CASB Email Service Domain).
    • Enter port 25.
    • Disable MX lookup and Require secure transport TLS .

NOTE: Do NOT enable Require secure transport (TLS) because it requires communication between the email servers initiated with TLS. Skyhigh CASB uses START-TLS instead, which initiates communication with standard SMTP. Then upgrade to TLS after the connection is set up.

6 inline.png

6c.png

  1. Select the Settings for Gmail tab and click on  Compliance section.
    7inline new.png
  2. Under the Content compliance section, click CONFIGURE .
    8inline.png

  3. Configure the rule as follows:
    • Enter a name for the rule (for example, Skyhigh CASB DLP).
    • Select Outbound.
    • Select Internal - sending to enable scanning for internal emails, sent from GMail to the Skyhigh CASB PoP. Click ADD.
      9inline.png
    • Advanced content match. Full headers, Not contains text, "X-SHN-DLP-SCAN: success".
      clipboard_ee59f2675d29b239dda7634383b19f9b5.png
    • Change Route and select the host created earlier.
      9c.png
    • More options:
      • Select Users and Groups as the account type to affect.
      • IMPORTANT: If this is a production environment, apply this rule to a test user/group so all mailboxes are not impacted.
        9d.png

IMPORTANT: DO NOT save the configuration yet.

  1. Under the Settings for Gmail, select Routing.
    10 inline.png
  2. Find the SMTP relay service and click CONFIGURE.
    11.png
  3. Configure the SMTP relay service rule as follows:
    • Enter a name for the rule (for example,  Skyhigh CASB DLP).
    • Allowed Senders. Set to Only addresses in my domains.
    • Authentication. Select Only accept mail from the specified IP addresses and enter the following based on the environment. 

Skyhigh CASB source IP addresses (you need to add each IP address to the list in the GMail rule):

US PROD CA PROD EU PROD GovCloud
  • 52.8.140.255
  • 52.60.101.91
  • 52.60.220.168
  • 35.169.47.31
  • 54.164.132.26
  • 18.234.18.255
  • 54.227.184.154
  • 52.62.169.21
  • 54.79.123.149
  • 65.1.17.176
  • 65.1.151.216
  • 52.41.228.5
  • 52.33.163.59
  • 52.24.89.51
  • 52.24.135.199
  • 18.217.82.134
  • 13.228.222.124
  • 13.251.87.3
  • 15.222.50.218
  • 35.183.159.113
  • 35.183.147.43
  • 3.120.8.62
  • 52.57.142.37
  • 3.120.122.0
  • 3.120.87.164
  • 35.157.197.205
  • 18.197.131.12
  • 3.126.56.81
  • 3.48.107.137
  • 13.48.141.247
  • 13.48.142.205
  • 13.48.146.72
  • 13.48.171.162
  • 13.48.175.172
  • 13.51.91.219
  • 13.51.42.170
  • 13.48.197.80
  • 13.49.95.243
  • 108.129.24.90
  • 34.240.136.14
  • 54.220.117.56
  • 52.214.141.239
  • 54.154.11.112
  • 52.213.216.96
  • 46.137.17.125
  • 52.208.188.45
  • 52.61.94.253
  • 15.200.38.217
  • 18.252.127.142
  • 18.252.136.33
  1. Encryption: Set Require TLS encryption and click SAVE.
    11inline.png
  2. Once saved, you can view the compliance and SMTP relay configurations.
    Save.png
  3. Under the Settings for Gmail tab, select Spam, Phishing and Malware.
    Spam.png
  4. Under Email allowlist, click the Edit icon.
    Email allow list.png
  5. Add the IP addresses that were added in the Step 12 based on your environment separated by commas.
  6. Click SAVE.
    IP allowlist.png
  7. Once saved, you can view the following message.
    last.png

Step 3: Configure a DLP Rule 

  1. In Skyhigh CASB, go to Policy> DLP Policies, and add a new rule applied to Gmail. An example is shown below.
    • Type: API
    • Active: ON
    • Services: Gmail instance you created earlier
    • Action: Block email
      clipboard_e397a78d3abecb388069f5947c614b977.png
      exceptions.png
      policy data.png

​​​​​NOTE: The only actions supported are Generate Incident or Block Email.

Step 4: Test the Configuration

  1. Log in to Gmail using a user account, and send an email with content that will trigger the configured DLP rule.
    sent.png
  2. Confirm that the email is NOT received by the recipient.
  3. Confirm that a policy incident is created and the action blocked the email.
    blocked.png
  • Was this article helpful?