Harmony : Setup Overview

This particular guide will assume we’re running out of the UK data centre, and not a USA hosted one, however, all the IP addresses will be included in this guide, this sections are as follows, this will also assume you are an Infinity Portal administrator as well.

Enterprise Application – Infinity Portal 
Enterprise Application - Check Point Harmony Email and Collaboration - Manual Mode 
Mail Contact for Journal NDR 
Journal NDR Contact 
Journal Rules 
Allow IP Update 
SPF Update 
Connectors 
Transport Rules 
Outbound Protection

IP Address Requirements for Harmony

These are the IP addresses you will require for this guide for the transport rules, I will focus on United Kingdom, the rainy and windy capital of the world!

United States > 35.174.145.124 Europe > 52.212.19.177 Australia > 13.211.69.231 Canada > 15.222.110.90 India > 3.109.187.96 United Arab Emirates > 3.29.194.128 United Kingdom > 13.42.61.32

Email NDR Journal Address for Harmony

This is required for the Journal Rule to configure Harmony, find your region from below:

United States > {portal}@mt-prod-cp-1-journal-error.checkpointcloudsec.com Australia > {portal}@mt-prod-cp-au-4-journal-error.checkpointcloudsec.com Canada > {portal}@mt-prod-cp-ca-1-journal-error.checkpointcloudsec.com Europe > {portal}@mt-prod-cp-eu-1-journal-error.checkpointcloudsec.com India > {portal}@mt-prod-cp-aps1-1-journal-error.checkpointcloudsec.com United Arab Emirates > {portal}@mt-prod-cp-mec1-1-journal-error.checkpointcloudsec.com United Kingdom > {portal}@mt-prod-cp-euw2-1-journal-error.checkpointcloudsec.com

Infinity Portal Prerequisites

If you do not have an account you will need to create one, then login complete 2FA and SMS verification and then you should get here:

Then we will need Harmony and then Email & Coloration as below:



We
We will then go a free trial in this case:


You will then get the "this may take a moment" this will then after a unspecified amount of time fail with this, but now you have your portal name as below:


If you wish to get back into this, you cannot sign out, you need to close that tab and then login again, which is weird, but you know its worked as you are presented with a white screen with nothing on it like this:

Once you have got here, you need to click on the cog then Identity and Access as below:

You then need to click on the "Add" icon as below:


Once you have give it a Integration Title and then for this example choose Microsoft Entra as below:
We then require the options to allow administrators to login with one organisation account, and we do not want any services for end users in this example:

We now need to
verify we own the domain, this will record will need to be added to your external DNS for the domain name you are protecting, this will need to be added before you add the domain name to the setup wizard

Note : If you try to add a domain without it being verified you will get an error as below:

Therefore lets get the record added now:

Now that is added we are now verified, so we can move right along.

Now we have the settings for the Enterprise application as below:

You then need to create the Enterprise Application, this can be done from the Enterprise gallery and does not require manual configuration, so go ahead and create this application with the Create button.
Then you need to go to "Single Sign-on" and choose SAML as below:

When you do that you will get this appear and to the question here choose "Yes" that will then configure the SAML wait a moment.
You will then need to edit the Basic SAML configuration as below:
Once here, add the Identifier from the Infinity Portal to the ID here like this and then click the Save button:

This should then not show "required" for anything in SAML like this:
You will also need to add a uk. to the Rely URL else the SAML will fail:

You now need to find the SAML Certificate section and then click the "Federation Metadata XML" as below, this will download a XML file from Entra.
Then you need to give Infinity portal that XML file and then click test as below, once you have verified your identity you will get a success as below:
Then you need to configure directory identity if applicable, however in this example this is not required so this will be skipped:

Finally you will get a confirmation of what you have just done:

Settings (Overview - for reference)

Identifier : <company_GUID>.uk.portal.checkpoint.com 
Reply URL : https://cloudinfra-gw.uk.portal.checkpoint.com/api/saml/sso 

Owners : Mail Bear Manager
Assignment Required : Yes 
Linked to Group : HarmonyAdminUsers (Entra group) 
VIsable to User : No 

Once complete will wee see this is a valid identity provider as below:

Enterprise Application - Check Point Harmony Email and Collaboration - Manual Mode 

This is created by the software when you activate the Office 365 so this is not created manually, so this is not created manually, this is created from the Infinity portal. 

You will need the Global Admin role to grant for the whole company, however I noticed a permission that was not required, this is the "Enable and Disable user accounts" this will be removed below:  


We have some permissions that should not be there so they will need to be revoked, the only one we need to revoke is the “Enable and Disable user accounts” this was do with navigate to this Enterprise application then choosing Permissions then finding that permission in the list


On the far right clicking the “three dots” and choosing revoke as below, if you have a greyed out permission then you do not have your roles activated or you do not have the access:

Other updates include: 
 
Owners : Mail Bear Manager
Assignment Required : Yes 
Linked to Group : HarmonyAdminUsers (Entra group) 
VIsable to User : No 
 
Mail Contact for Journal NDR 

A mail contact on local exchange needs to be created for use in the Journal NDR response, the contact is required for a visual in message tracing if you have issues, and this is Journal setup but is required by checkpoint this needs to be the value of : <portal>@mt-prod-cp-euw2-1-journal-error.checkpointcloudsec.com 

Replace the value is supplied by the Infinity portal with the <portal>

Journal NDR Contact 

You are required to have a contact outside the current company, and by outside is needs to not be an accepted domain for your tenant else you cannot set it. 

Journal rules are located in Purview which is from https://compliance.microsoft.com then from Data and Lifecycle management then Exchnage (Legacy) then from here click the Settings option cog:


Then you need to enter the e-mail address from the mail contact and then click Save:

Journal Rules 

This is in the same location as the last step, and will require creating a new rule, so first you need the "New Rule" option:

Then you need to create the rule, remember to repalce <portal>@<portal> with your portal name here, the rest is as below then click Next and Save.


You should then see the rule in the Journal tab like this, and it should have the status of "On" as below.

When you apply this rule, you will notice that in all messages in the message trace will now flow via the rule immediately:

Message was journaled. Journal report was sent to <portal@<portal>-mail.checkpointcloudsec.com. Message ID of Journal Report: <c220bded-e907-4992-aef6-e003f8251209@journal.report.generator>. 

Allow IP Update 

We now need a trusted IP try to avoid the term whitelist there is nothing that is “safe “ anymore, so this needs to be done in Defender for Office 365 this is from https://security.microsoft.com then when there Email and Collaboration>Policies and Rules > Threat Policies > Anti-Spam > Connection filter policy (Default) 

Then you need to add the IP below to the “IP Allow List” 
 
IP Address: 13.42.61.32 (this is for the UK datacentre IP)


SPF Update 

You will need to update a TXT record that will be for the root of the domain then the record will look like this (at the time of this document) 

v=spf1 include:_spf.mx.cloudflare.net ~all

You will need to add, there are NO comma or semicolons between the records just a space, also ensure you use ip4 and not ipv4: 

include:spfa.cpmails.com 
ip4:13.42.61.32  That should make it look like this, with the updates in bold: 

v=spf1 include:_spf.mx.cloudflare.net ip4:13.42.61.32 include:spfa.cpmails.com ~all

Connectors 

This requires 3 connectors for this product to work these will be as below before more information is provided : 
 
Check Point Journaling Outbound 

This connection is required for Journal emails to be routed to the correct location Harmony side and the rule looks something like this and will work in conjunction with the Journal rule created earlier to get Journal emails routed to the correct place in Harmony via the smart host required for the product to work, you will need to replace the red "blobs" with the name of your portal in Harmony:

Flow: This rule is from Office 365 to Checkpoint 
 



This tells us that e-mail routed to <portal>-mail.checkpointcloud.com are then routed to the host<portal>-monitor.checkpointcloudsec.com - this comes from the email earlier if you remember about the domain from the Journal rule we created earlier, it will require TLS as well. 

Check Point Inbound Connector 

This rule will identify mails that we receive from Checkpoint from the IP 13.42.61.32 (this is the IP we trusted earlier) and they will need to have a TLS certificate else they will be rejected and not be accepted 

Flow: This rule is from Checkpoint to our Office 365 EXO 



Check Point Outbound (inline Mode)

This rule is only required for inline protection mode and this rule will alter mail flow by sending messages to Checkpoint and then having them return from Checkpoint after being scanned and checked, this connector itself is part of inline mode, but will not actually "redirect messages" yet.

This rule utilises a transport rule and will not be utilised until the required mail flow rule is enabled and pointed at this connector:

In this example when a transport rule calls this connector this connector will then process the email and send it to the smart host <portal>-host.checkpointcloudsec.com this connector does not run UNLESS the transport rule calls it to run. 

Transport Rules 

We also have a couple of these as well, this is in the Rule sections of mailflow:
 
Check Point - Junk Filter 

This rule is only for messages that have been via Harmony in inline mode from the IP 13.42.61.32 and this rule ensures the message is marked as spam, however with a SCL of 9 that may end up in Quarantine as that is very high spam, this may require an updated to SCL of 6. 


 

Check Point - Allow-List 

This ensure the message is delivered again only in inline mode from the Ip of 13.42.61.32 and this disables the SCL, essentially making the mail “not spam” however the only exception is if Harmony set the header X-CLOUD-SEC-AV-SCL to be true this is an header controlled by Checkpoint. 


Check PointProtect 

The rule is required for inline mode and changes now email flow from this, therefore be careful with this rule as it can cause weird behaviour:

WWW > EOP > EXO > Exchange  

To this  
 
WWW > EOP > Harmony > EXO > Exchange 

This is where the e-mails are sent o the smart host of Checkpoint to be analysed and “bounced of their server” like “one ping Vasili, one ping only” in Hunt for Red October  Note : I have started this rule with a single mailbox, then a group then eventually everyone as I was happier doing some testing to confirm all as well and working like it should, the first "is sent to" in red is my mailbox, then the other red blob is where your portal address needs to go!
 



This shows that in this example for only me (for testing at this time) when I get a message from outside the company, it will be routed to the connector “Check Point Outbound” and the X-CLOUD-SEC-AV-Info will be added with the value <portal>, office365_emails, inline 

This header will tell Harmony what to do with the message, however if the SCL is greater than 5 or the sender IP is 13.42.61.32 this does not fire, this should stop mail loops between ECO <> Harmony. 

Note : This rule requires the connector to work and the connector needs to be online and active, if you validate this rule with the connector and the rules disabled it will fail!

Outbound Protection

Note : I do not agree with the official naming of the connectors as they are all prefixed with DLP, If you are not using DLP, you might be hesitant to create these connectors because it’s not a service you’re using, but these connectors are absolute required for outbound protection, The official names have been used, but personally, I would rather call them:

Checkpoint Outbound Protection (Pre Process) Checkpoint Inbound Protection (Post Process)

We have used manual mode but the process is the same for both once you understand the process, but how it works is quite simple take the normal mailflow route:

Mailbox > EXO > EOP > Outbound When you implement this it will flow like this: Mailbox >EXO > Checkpoint Outbound > Checkpoint > EOP > EXO > Outbound

Therefore you will see that it hits the rule then the connector to get to Checkpoint then once scanned Checkpoint will send it back to us on the other connector and then with the exclusion it will flow out using the MX record, so lets create those now.

First we need the Outbound DLP connector, this is for mails outbound from Office 365 to our email servers and here it fires on a transport and it will route the emails to the smart host <portal>.dlp.checkpointcloudsec.com and it will require TLS or a certificate:

Second, we need the returning message from Checkpoint this will be from Checkpoint (partner) to Office 365 and this will identify these messages coming from the data residency for the UK, you may need to change this for your residency, and you need to Reject anything with TLS or certificates as below:

Thirdly, we need to create the Rules that will fire the connector for outbound messages, this will route to the Outbound DLP connector and add X-CLOUD-SEC-AV-Info header with the values <portal>,office365_emails,sent,inline

This will be for message "outside" the company and here I have used one person for testing, but the official stance is received from "inside" the company, but for testing I do not like that, so I would rather test with one person, then a group of people, then when happy move to to "everyone"

This will then route the messages to the Outbound DLP connector we created earlier and you need to ensure you exclude the IP ranges from your chosen residency location for us this is '13.42.61.32' or '13.42.61.32/28' or '13.39.103.0/28' - this will prevent mail loops and is a require exception.



Lets see this in action with the message headers, so this is message flowing outside normally, notice this is between EXO and Google Mail:

Now lets see a message though outbound protection, here you can clearly see it leave EXO then off to Harmony, then back to EXO before being sent on to Google Mail, exactly what we want!

If we look at message tracing in EXO you will notice that every outbound message has 2x message logs like this:
This then shows the first message is using the connector as below:
This then shows the the second message has been returned to EXO and due to the exclusion in the transport rule has been delivered out the company by the MX record:

Mail Rule Issues

When you enable this rule with the connector certain of the mail flow rules will ruin twice for example if you add a header to messages to warn about external content then this can occur:


This is down to the fact that the messages are being send to Harmony and then back to your company which means the "rule" will fire twice, here you are see the EXO to Harmony event and the Harmony to EXO events - green is Harmony and Red is EXO:


Harmony - Manual Mode and Permissions

You now need to onboard the Harmony application (this is regardless of all modes) this will allow it to connect with Office 365, for this we want manual mode for fine control of what actually happens under the hood:

Once you have selected this you will need to accept the licensing terms you will then need to authorised your administrative account (we have covered this earlier in the guide)

Then you will need to tell Harmony if you are filtering to a group of people, remember if you choose this group and add a group that has say 20 people listed, then the "learning mode" will learn off the 20 people, tro analyse more users to need to update this and wait for the learning mode to start again to analyse your e-mails.

I would recommend that you do not limit it to users and choose "All Organisation" here but that will depend on your requirements as a company.
Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„