Beruflich Dokumente
Kultur Dokumente
Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.
Symantec, CloudSOC, Blue Coat, the Symantec Logo, the Checkmark Logo, the Blue Coat logo, and the
Shield Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
https://www.symantec.com
Symantec Support
All support services will be delivered in accordance with your support agreement and the
then-current Enterprise Technical Support policy.
■ Customer roles
■ System requirements
specified in your enterprise’s policies. In addition, you can add the powerful data protection
capabilities of Symantec Information Centric Encryption (ICE).
The Symantec Cloud Service for Email solution lets you author data loss policies, review and
remediate incidents, and administer your Data Loss Prevention system at the Enforce Server
administration console. This solution enables your enterprise to leverage its existing investment
in policy definition and administration as well as incident remediation processes. The capability
to use Symantec Cloud Service for Email to monitor and analyze on-premises Microsoft
Exchange email traffic provides you with a seamless migration path to the cloud if you plan to
move to a cloud email service, such as Microsoft Office 365 Exchange Online or Google G
Suite Gmail.
Symantec Data Loss Prevention supports Office 365 Reflecting mode. You can configure a
Microsoft Exchange Office 365 inbound connector as a mail transfer agent.
The Symantec Data Loss Prevention Cloud Service for Email solution also integrates with
Symantec Email Security.cloud for email delivery and also includes inbound and outbound
email security services. See “About Symantec Email Security.cloud” on page 10.
Note: You can monitor on-premises Microsoft Exchange, Microsoft Office 365, and Google G
Suite Gmail all from one Enforce Server. The monitoring of both on-premises Exchange emails
and Office 365 Exchange Online emails is known as a hybrid deployment.
Table 1-1 Change History for the Cloud Service for Email Implementation Guide
Date Description
Customer roles
Several people in your organization may need to coordinate activities during the implementation
of Symantec Cloud Service for Email. Although you may have different labels for each of these
roles, or responsibilities may overlap, it's important to have an idea of who needs to participate
in the implementation process.
Table 1-2 Implementing Symantec Cloud Service for Email: roles and responsibilities
Email Administrator Fills out the Provisioning form and sets up Symantec
Email Security.cloud, if you use it for final email
delivery.
Table 1-2 Implementing Symantec Cloud Service for Email: roles and responsibilities
(continued)
Problem Contact
Figure 1-1 Message flow for Symantec Cloud Service for Email
is violated, the Symantec Cloud Detector adds directives in the form of X-Headers to the
email. Then, it generates incidents and sends them to the customer's on-premises Enforce
Server. At the Enforce Server administration console, the Data Loss Prevention
administrator or remediator can view incident reports.
5. Emails that pass detection are routed for final delivery through Symantec Email
Security.cloud. Office 365 mail can be routed for final delivery through Office 365 Reflecting
mode.
Based on data protection policies that are defined within Email Security.cloud and
X-Headers that the Symantec Cloud Detector inserts, Email Security.cloud blocks, encrypts,
quarantines, or redirects the email before delivery to the recipient mail server.
6. In this case, the email that passed detection is delivered to Bob.
System requirements
The following components are necessary for Symantec Cloud Service for Email:
■ A Symantec Data Loss Prevention Enforce Server, version 14.6 MP1 or later, and an Oracle
database
■ A license for Symantec Data Loss Prevention Symantec Cloud Service for Email for each
mail service you monitor
■ An enrollment bundle for Symantec Data Loss Prevention
■ An on-premises Microsoft Exchange Server, or a Microsoft Office 365 Exchange Online
or Google G Suite Gmail online hosting account
■ An account with Symantec Email Security.cloud, only if you use it as a mail transfer agent
■ An Office 365 Exchange online account set up in Reflecting mode, if you use it as a mail
transfer agent
For more information on the hardware requirements and software requirements for the Enforce
Server and the Oracle database see the latest version of the Symantec Data Loss Prevention
System Requirements and Compatibility Guide available at
https://support.symantec.com/en_US/article.DOC10602.html
Chapter 2
Deploying the Cloud Service
for Email
This chapter includes the following topics:
■ Implementation overview
■ Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding
mode)
■ Configuring Office 365 to use Office 365 for email delivery (Reflecting mode)
■ Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service
for Email
Implementation overview
Implementing Symantec Cloud Service for Email is a multi-step process. Symantec Data Loss
Prevention Cloud Detectors, as well as the Email Security.cloud service, are both already
provisioned for you in the Symantec cloud. Table 2-1 provides an overview of the steps that
you must take to start using the services that are provisioned in the Symantec cloud. See the
cross-referenced sections for more details.
Table 2-1 Overview of Symantec Cloud Service for Email setup (continued)
Table 2-1 Overview of Symantec Cloud Service for Email setup (continued)
Step 9 DLP Admin and ICE Admin: See “Encrypting cloud email with
Symantec Information Centric
Set up ICE for Email encryption.
Encryption” on page 41.
Deploying the Cloud Service for Email 18
Saving the enrollment bundle
Table 2-1 Overview of Symantec Cloud Service for Email setup (continued)
Note: Each enrollment bundle can be uploaded to the Enforce Server to register your service
only once. The enrollment bundle expires 7 calendar days after you receive it. For security
reasons, you should ensure that no other user can access the bundle. To ensure limited
access, change the properties of the destination folder so that no other user can read it or
write to it.
If you have waited longer than 7 calendar days to upload your bundle and register the service,
and need a new enrollment bundle, contact Symantec Support at
https://support.symantec.com/en_US/contact-support.html
Note: You should receive an enrollment bundle shortly after Symantec provisions your service.
If you have not received an enrollment bundle in a reasonable amount of time, check your
Junk mailbox. Check with your internal IT department to ensure that your company has no
inbound filters that may have blocked receipt of the enrollment bundle zip file.
Deploying the Cloud Service for Email 19
Accessing the cloud service from the Enforce Server
3 If you choose Manual proxy, fields for a URL, Port, and Proxy is Authenticated appear.
■ Enter the the HTTP Proxy URL.
■ Enter a port number.
Note: The Enforce Server supports basic authentication when using a proxy to connect
to cloud services. For connecting to the ICE Cloud, the Enforce Server supports basic,
NTLM, and Kerberos authentication.
5 Click Save.
5 Locate the enrollmentbundle.zip that you received from Symantec and saved to your
Enforce Server.
The detector description for the chosen enrollment bundle appears. Verify that you have
chosen the correct bundle.
6 Add a name for this detector in the Detector Name field.
7 Click the Enroll Detector option to enroll your detector. The enrollment process can take
some time. You can track its progress on the Servers and Detectors > Overview page.
It may take several minutes or longer for the Enforce Server administration console to show
a Connected status for the Cloud Detector. To verify that the service was added, return to the
Servers and Detectors > Overview page. Verify that the cloud service appears in the list,
and that the status indicates Connected. After several minutes, if the connection status still
displays Unknown, you should restart the Monitor Controller process to move the status to
Connected.
Note: Each enrollment bundle can be uploaded to the Enforce Server to register your service
only once. The enrollment bundle expires 7 calendar days after you receive it. For security
reasons, you should ensure that no other user can access the bundle. To ensure limited
access, change the properties of the destination folder so that no other user can read it or
write to it.
If you have waited longer than 7 calendar days to upload your bundle and register the service,
and need a new enrollment bundle, contact Symantec Support at
https://support.symantec.com
Note: Microsoft Exchange Server 2010 must be configured at the Exchange server, not at the
Microsoft Exchange admin center.
Deploying the Cloud Service for Email 23
Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding
mode)
15 Type the Exchange public FQDN in the FQDN field. It must match the CN in the public
certificate Subject.
16 Click add and then Finish.
To configure the receive connector
1 In the Exchange admin center, click mail flow then receive connectors.
2 Select a server from the Select server drop-down menu to create a new receive connector.
3 Click + to create a new receive connector.
4 Type a name for the connector in the Name field.
5 Under Role select Frontend Transport.
6 Under Type verify that Custom is selected and click Next.
7 Click -- to remove the default IP address range.
8 Click + and add at least one IP address of an application server or device that requires
external SMTP relay access.
9 Click Finish to create the new receive connector.
To apply an X-DetectorID message header to emails that will be routed to your DLP cloud
detector
1 Click rules, click +, and select Create a new rule.
2 Type a rule name in the Name field.
3 In the *Apply this rule if field, select The recipient is located .... Then select Outside
the organization and click OK.
4 Click the More Options link at the bottom of the window and add another condition.
5 Click the Sender is, then select one or multiple users or user groups.
6 In the Do the following list select Set the message header to this value.
7 At the right of this field, click Enter text to set the message header name and type
X-DetectorID. Click OK
8 Click Enter text to set the header value to the detector ID that you can find in your
Symantec welcome email or from the Enforce Server administration console at System
> Servers and Detectors > Overview > Server / Detector Detail page, under ID.
9 Click Save.
If multiple rules exist, you can move this rule to give it adequate priority using the up and down
arrows.
Deploying the Cloud Service for Email 25
Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding
mode)
To add an SSL certificate to Exchange 2013, create a certificate request, submit the request
to a certificate authority, and import the certificate.
To create a certificate request
1 Go to Servers > Certificates. On the Certificates page, make sure your Client Access
server is selected in the Select server field, then click New+.
2 In the New Exchange certificate wizard, select Create a request for a certificate from
a certification authority and click Next.
3 Type a name for this certificate, and click Next.
4 To request a wildcard certificate, select Request a wild-card certificate, then specify
the root domain of all subdomains in the Root domain field. Leave this page blank if you
want to specify each domain that you want to add to the certificate. Click Next.
5 Click Browse, then specify the Exchange server where you want to store the certificate.
The server you select should be the internet-facing Client Access server. Click Next.
Deploying the Cloud Service for Email 26
Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud email for delivery (Forwarding
mode)
6 For each service listed, verify that the external or internal server names that are used to
connect to the Exchange server are correct. If you configured the internal and external
URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook
Web App (when accessed from the intranet) should show owa.contoso.com.
The Offline Address Book (OAB) when accessed from the Internet and OAB when
accessed from the intranet should show mail.contoso.com.
If you configured the internal URLs to internal.contoso.com, the Outlook Web App (when
accessed from the Internet) and OAB (when accessed from the Internet) should show
owa.contoso.com, and Outlook Web App (when accessed from the intranet) should show
internal.contoso.com.
These domains are used to create the SSL certificate request. When you have verified
the names, click Next.
7 Add any additional domains you want included on the SSL certificate.
8 Select the domain that you want to be the common name for the certificate. Set as common
name, for example: contoso.com. Click Next.
9 Provide information about your organization. This information is included with the SSL
certificate. Click Next.
10 Specify the network location where you want this certificate request to be saved. Click
Finish.
To submit the request to a certificate authority
u Submit the request to your certificate authority (CA). You must use a public CA. You can
search the CA website for the specific steps to submit a request.
You must provide Symantec Support with the public certificate that you assign to your
outbound connector. Support can ensure that Symantec trusts the CA and the certificate.
To import the certificate you have received from the CA
1 Go to Server > Certificates in the Exchange Admin Center and select the certificate
request you created in the previous steps.
2 In the Certificate request details pane, click Complete under Status.
3 On the Complete pending request page, specify the path to the SSL certificate file, then
click OK.
4 Select the new certificate you added, then click Edit.
5 On the Certificate page, choose Services.
6 Select the services you want to assign to this certificate. At a minimum, select SMTP and
IIS. Click Save.
7 Click Yes if you receive the warning: Overwrite the existing default SMTP certificate?.
Deploying the Cloud Service for Email 27
Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)
Note: You should have a basic understanding of how Office 365 rules and connectors work,
and how they are used in your organization before you proceed. The following instructions
give you a general example of how to set up Office 365 to forward email to Symantec Cloud
Service for Email. The applications of rules (number of domains, migration path, exceptions,
for example) vary from one organization to the next. The following instructions reflect the
Microsoft Office 365 admin center user interface at the time this document was published.
While the Microsoft Office 365 user interface may change, the values you need to enter to
configure the connection between Office 365 and Symantec Cloud Service for Email remain
the same.
Deploying the Cloud Service for Email 28
Configuring Office 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)
To create a rule that routes emails from Office 365 Exchange to your DLP cloud detector and
to apply an X-DetectorID message header to those emails
1 Click rules, click +, and select Create a new rule.
2 Type a rule name in the Name field.
3 In the *Apply this rule if field, select The recipient is located .... Then select Outside
the organization in the select recipient location field and click OK.
4 Click the More Options link at the bottom of the window and add another condition.
5 Click the Sender is, then select one or multiple users or user groups.
6 In the Do the following list select Set the message header to this value.
7 At the right of this field, click Enter text to set the message header name and type
X-DetectorID. Click OK.
8 Click Enter text to set the header value to the detector ID that you can find in your
Symantec welcome email or from the Enforce Server administration console at System
> Servers and Detectors > Overview > Server / Detector Detail page, under ID.
To associate the rule with a connector
1 In the Do the following field, choose Redirect this message to the following connector
and select the connector that you created in the To create a new connector in the Exchange
Admin Center section.
2 Click Save.
3 If you want to apply a rule to a subset of users, see Detecting emails from a subset of
Office 365 Exchange Online users.
4 Leave all other options set to the defaults. Optionally, you can add comments to explain
the purpose of the rule.
for Email. The applications of rules (number of domains, migration path, exceptions, for example)
vary from one organization to the next.
Note: The following instructions reflect the Microsoft Exchange admin center user interface at
the time this document was published. While the Microsoft Exchange user interface may
change, the values you need to enter to configure the connection between Office 365 and
Symantec Cloud Service for Email remain the same.
3 In the Apply this rule if field, select The Sender is, then select one or multiple users or
user groups.
4 In the next field, select The recipient is located. Then select Outside the organization
and click OK.
In the Do the following list select Modify the message properties, then Set the message
header to this value.
5 At the right of this field, click Enter text to set the message header name and type
X-DetectorID. Click OK.
6 Click Enter text to set the header value to the detector ID that you can find in your
Symantec welcome email or from the Enforce Server administration console at System
> Servers and Detectors > Overview > Server / Detector Detail page, under ID.
Add another rule to redirect the message to a connector
1 Click add action.
2 Select Redirect the message to.
3 Select use the following connector.
4 Select Outbound Connector.
5 Click OK.
6 Click add exception and choose IP address is in any of these ranges or exactly
matches.
7 In the specify IP address ranges dialog, enter an IPv4 address or range.
8 To avoid loops, add the outbound DLP Cloud Detector IPs and CIDR blocks from the
Symantec DLP Cloud Service for Email welcome email when prompted.
For cloud detectors in the US data center the list is:
■ 52.41.248.36
■ 52.27.180.120
■ 52.33.64.93
■ 18.237.140.176/28
■ 18.206.107.176/28
For cloud detectors in the EU data center the list is:
■ 52.30.186.166
■ 52.51.15.72
■ 52.211.17.155
■ 34.246.231.224/28
Deploying the Cloud Service for Email 33
Detecting emails from a subset of Office 365 Exchange Online users
■ 18.184.203.160/28
9 Click OK.
10 Save the rule.
Note: The following instructions reflect the Google Admin console user interface at the time
this document was published. The values you need to enter to configure the connection between
Google G Suite Gmail and the Symantec Cloud Service for Email remain the same, even if
the Google interface changes.
Deploying the Cloud Service for Email 34
Configuring Google G Suite Gmail to send outbound emails to Symantec Cloud Service for Email
15 In the Encryption (onward delivery only) section, choose Require secure transport
(TLS).
16 Click Add Setting.
17 Review your settings on the General Settings page.
If you are running tests of Symantec Data Loss Prevention, you may want finer filtering of your
messages to include only a subset of users.
4 In the Enforce Server administration console, go to Incident > Network and click Incidents
- All. Look for the resulting incident. For example, search for an incident entry that includes
the appropriate timestamp and policy name.
5 Click on the relevant incident entry to see the complete incident snapshot.
Note: As the domain owner, you must update your domains. Symantec cannot perform this
task for you.
See “Upgrading to Symantec Data Loss Prevention 15.1 MP1 and 15.5 if you use Reflecting
mode” on page 38.
See “Updating email domains” on page 37.
Note: Domain names must be specific. Wildcard DNS records such as *.example.com are
not supported. Specific subdomains (those not using wildcards) are supported.
Once you have added domains, you can configure the names after the Enforce Server syncs
with the cloud configuration. All domains are checked and updated every 15 minutes by the
Symantec Cloud Service.
To configure email domains at the Enforce Server administration console
1 Go to System > Servers and Detectors > Overview.
2 Select the Cloud email detector that you want to configure. The detail page for that detector
appears.
Deploying the Cloud Service for Email 38
About updating email domains in the Enforce Server administration console
■ Creating and publishing a policy group for Symantec Cloud Service for Email
Modifies the email messages that contain confidential data or significant metadata (as
defined in your policies). You can use this action to modify the message subject or add
specific RFC-2822 message headers to trigger further downstream processing. For example,
message encryption, message quarantine, or message archiving.
For details on setting up any response rule action, go to Manage > Policies > Response
Rules and click Add Response Rule, then open the online Help.
For details on using the Network: Modify SMTP Message action to trigger downstream
processes (such as message encryption), see the Symantec Data Loss Prevention MTA
Integration Guide for Network Prevent.
Even if you do not incorporate response rules into your policy, Symantec Cloud Service for
Email captures incidents as long as your policies contain detection rules. This feature can be
useful if you want to review the types of incidents Symantec Data Loss Prevention captures
and to then refine your policies.
To create a block test policy for Symantec Cloud Service for Email
1 In the Enforce Server administration console, create a response rule that includes one of
the actions specific to Symantec Cloud Service for Email. For example, create a response
rule that includes the Network: Block SMTP Message action.
2 Create a policy that incorporates the response rule you configured in the previous step.
For example, create a policy called Test Policy as follows:
■ Include a Content Matches Keyword detection rule that matches on the keyword
"secret."
■ Include a Network: Block SMTP Message response rule.
■ Associate it with the Default policy group.
Table 3-1 Overview of implementing ICE with Cloud Service for Email
Step 1 Set up the ICE service. For information about how ICE works and
details about decryption, see Symantec
Information Centric Encryption Deployment
Guide at
http://www.symantec.com/docs/DOC9707.html.
Creating Policies and Managing Incidents for the Cloud Service for Email 43
Encrypting cloud email with Symantec Information Centric Encryption
Table 3-1 Overview of implementing ICE with Cloud Service for Email (continued)
Step 2 Configure the Cloud Service for Email See “Configuring the Enforce Server to
integration with the ICE service. communicate with the ICE service”
on page 43.
Step 3 Configure response rules that use ICE See “Creating encryption response rules
encryption. for ICE encryption” on page 44.
Step 4 Click an incident to go to the ICE Cloud See “Viewing details about ICE incidents”
Console for more information. on page 46.
See “Configuring the Enforce Server to communicate with the ICE service” on page 43.
■ In the Enforce Server administration console go to System > Settings > General > Edit
General Settings under ICE Cloud Access Settings.
■ Enter the following information that you obtained from the ICE Cloud Console:
■ Service URL
■ Customer ID
■ Domain ID
■ Service User ID
■ Service Password
■ Re-enter your Service Password
Creating Policies and Managing Incidents for the Cloud Service for Email 44
Encrypting cloud email with Symantec Information Centric Encryption
After you save these settings, they are transmitted to the DLP Cloud Service and ICE is enabled.
See “Creating encryption response rules for ICE encryption” on page 44.
The recipient is
notified that the
email and
attachments are
encrypted and can
only be decrypted
with ICE. The
attachments are
replaced with
encrypted HTML
files. See the ICE
documentation for
more details.
Note: If the attachment or the attachment and the email body cannot be encrypted for some
reason (such as invalid server information), Cloud Service for Email inserts a separate header
so that the email can be handled downstream.
The Encrypt response rule takes precedence over a Modify or Prepend Header response rule.
If there is a Modify Header response rule in addition to Encryption, only Encryption is executed.
However, a Block response rule takes precedence over an Encrypt response rule.
See "About response rules" in the Symantec Data Loss Prevention online Help.
See “About decrypting ICE encrypted email” on page 46.
Click the Key Info tab to view the further details. See Figure 3-2 on page 48.
Creating Policies and Managing Incidents for the Cloud Service for Email 48
Encrypting cloud email with Symantec Information Centric Encryption
Click Open in Symantec ICE to get more information about each incident at the ICE Cloud
Console. You must sign in to the ICE Cloud Console to see all of the documents that were
encrypted as part of the message. See Figure 3-3 on page 49.
Creating Policies and Managing Incidents for the Cloud Service for Email 49
Encrypting cloud email with Symantec Information Centric Encryption
When you click a file, you see additional details. You can click Message ID to navigate to a
page for that message where you can view message components. See Figure 3-4 on page 49.
■ Delete the Cloud Detector to reset Symantec Cloud Service for Email
For more information on SPF records and their use in Symantec Email Security.cloud, see the
following article in the Symantec Support Center: http://www.symantec.com/docs/TECH226211.
3769753 A severe error that is related to subject Ignore this message. It is not a security
name mismatch on the self-signed error, but the result of an RFC
certificate is logged on the Tomcat compliance issue.
localhost log during cloud
enrollment.
3954853 Users get an error message when they Cloud Service for Email does not
try to use form recognition with Cloud support form recognition.
Service for Email.
Chapter 5
Using additional Symantec
Email Security.cloud
features
This chapter includes the following topics:
6 Use the default rules. The Policy Based Encryption templates contain two more default
rules that customers can use to help identify messages containing sensitive data. The
first rule looks for common keywords that might be found in messages customers may
want to be encrypted. Examples of these keywords are "confidential," "sensitive," and
"encrypt." The second rule looks for headers that are found in the message if the sender
has flagged the message for encryption using one of the Outlook plug-ins. Customers
can leave these rules in place or may choose to remove them and create new rules to
help identify messages with sensitive data. When sensitive information is identified in a
DLP policy, Symantec Cloud Service for Email can add a header to the message. Data
Protection uses this header to determine if the message should be encrypted.
7 Click Save in the bottom right-hand corner of the page. Once a policy is saved, you can
move the policy to where you want it positioned in your policy list. The policy can be
activated by clicking Activate in the far right-hand column of the policy. Once a policy is
activated, it can take about 20 minutes for it to take effect.
If an email is encrypted, the recipient receives an email with an encrypted PDF. The first time
that the recipient receives an encrypted PDF, he also receives an email with a link to a portal
where he can set the password that can be used to open the encrypted PDFs. The recipient
uses this password to view the message body of the email and any attachments.
Note: If you want to test the policy, do not send the email from the email address that is defined
as the administrator email address. If you send a test message from the administrator email
address, the policy won't be applied.
You can find more information about setting up silent blocking and other Email Security.cloud
features, including configuring Data Protection to silently block messages from the Email
Security.cloud console at:
https://support.symantec.com/en_US/email-security-cloud.html