Step 3 - Configuring Google Workspace

Configure a Perception Point scanner host to which emails will be routed.

1. Sign-in to the Google Admin console at admin.google.com.

2. Go to Apps > Google Workspace > Gmail and then click Hosts.
   [Click here: https://admin.google.com/u/1/ac/apps/gmail/hosts]

3. Click Add route.

4. In the Add mail route dialog box, specify the following.

   

   1. Name: Perception Point Scanner

   2. Single host [name]:

      What is the environment of your organization In FortiMail Workspace Security, go to Settings > Account. The Environment of your organization will appear under General > Info: US, EU, or AUS.

      	Multi-region enabled	Multi-region not enabled
      For US environments:	us.mx-pp.com	inbound-smtp.us-east-1.amazonaws.com
      For EU environments:	eu.mx-pp.com	inbound-smtp.eu-west-1.amazonaws.com
      For AUS environments:	australia.mx-pp.com	inbound-smtp.eu-west-1.amazonaws.com

   3. Port: 25

5. Under 2. Options:

   

   1. Clear the "Perform MX lookup on host" check box.

   2. Select "Require mail to be transmitted via a secure (TLS) connection".

      Note that FortiMail Workspace Security supports TLS 1.2

   3. Select "Require CA signed certificate".

   4. Validate certificate hostname:

      1. If multi-region IS NOT enabled, select "Validate certificate hostname".

      2. If multi-region IS enabled, clear the "Validate certificate hostname" check box.

         

         For details about multi-region, see Multi-region.

6. Click Save.

This procedure adds some FortiMail Workspace Security IP addresses to a safelist.

1. Sign-in to the Google Admin console at admin.google.com.

2. Click Apps > Google Workspace > Gmail.

   [Click here: https://admin.google.com/u/1/ac/apps/gmail/spam]

3. Scroll down to Spam, Phishing and Malware - and select it.

4. Locate Inbound gateway, hover over it, and click the Edit icon.

5. Select the "Enable" check box under Inbound Gateway - if it has not already been enabled.

6. In the Description text box, enter "Perception Point inbound Gateway"

7. Depending on the environment of your organization, add the following IP addresses to your inbound gateway:

   What is the environment of your organization In FortiMail Workspace Security, go to Settings > Account. The Environment of your organization will appear under General > Info: US, EU, or AUS.

   For US environments	For EU environments	For AUS environments
   54.227.64.76 3.81.182.154 3.93.155.149 3.95.118.12 3.95.142.181 209.85.128.0/17 52.12.169.124 [required only if Muti-region is enabled]	99.81.216.78 34.249.190.60 108.128.137.108 99.80.189.20 209.85.128.0/17 52.12.169.124 [required only if Muti-region is enabled]	13.236.255.231 54.66.125.250 209.85.128.0/17 52.12.169.124 [required only if Muti-region is enabled]

8. Select Automatically detect external IP.

   Important: Do NOT select "Reject all mail not from gateway IPs" - as this will interrupt mail flow.

9. Select "Require TLS for connections from the email gateways listed above".

   

   Note that FortiMail Workspace Security supports TLS 1.2

10. [Optional] To use the spam engine of FortiMail Workspace Security, scroll down and configure 2. Message Tagging.

    

    1. Select "Message is considered spam if the following header regexp matches".

    2. In the Regexp text box, enter X-PERCEPTION-POINT-SPAM: FAIL

    3. Select "Message is spam if regexp matches".

    4. Clear the following check box: "Disable Gmail spam evaluation on mail from his gateway; only use header value".

11. [At the bottom of the page, click "Add Settings".]

12. Click Save.

This procedure creates a content compliance rule that sends the email to FortiMail Workspace Security.

To add a content compliance rule:

1. Sign-in to the Google Admin console at admin.google.com.

2. Select Apps > Google Workspace > Gmail.

   [Click here: https://admin.google.com/u/1/ac/apps/gmail/compliance]

3. Scroll down to Compliance, and click it.

4. Scroll down to Content Compliance.

   If you already have a content compliance rule, click Add Another Rule.

   In the Add setting dialog box, specify the following:

   1. Short description: Perception Point Redirect Rule

   2. Under 1. Email messages to affect, select Inbound.

      

   3. Under "2. Add expressions that describe the content you want to search for in each message", in the first drop-down menu, select "If ALL of the following match the message"

      

      Important: Make sure to select "If ALL of the following match the message" and NOT the default "If ANY of the following match the message".

5. Add and configure the following two expressions:

   Expression 1: Unique header In this step, you'll add the first expression to the Perception Point Redirect Rule. This expression helps to prevent looping. Under Expressions, click Add. Fill in the following fields: Advanced content match Location: Full headers Match type: Not contains text Content: <A unique value, at least 8 characters long> Create a value that is unique to your organization - preferably by using a password generator such as 1Password. For example, GHTD465J Note: We highly recommend using only capital letters and numbers. Avoid using the full organization name. Click Save.

   Expression 2: Email size limitation In this step, you'll add a second expression to the Perception Point Redirect Rule. Note: Amazon SES has a 40 MB maximum size limit. We recommend using a different file sharing service for larger files - as a best practice. Messages larger than 40 MB will not trigger the rule, and therefore they will not be scanned. These un-scanned messages will be delivered to the specified recipients. Under the Expressions box, click Add to add a new expression. Specify the following details for the new expression: Metadata match Attribute: Message size Match type: Message size is less than the following (MB) Important: Make sure that you select "less" and NOT "greater". 40 Important: Check again to make sure that you selected "less than" and NOT "greater than". Click Save.

6. Complete the setting:

   1. Under 3. If the above expressions match, do the following:

      

   2. Select Modify message.

   3. Under Headers:

      1. Select Add X-Gm-Original-To header.

      2. Select Add X-Gm-Spam and X-Gm-Phishy headers.

      3. Select Add custom headers and click Add to add a header.

         1. Header: X-PERCEPTION-POINT-ROUTING

            Note: The "X-" is added to the expression automatically.

         2. Value: The unique value that you created and entered for Content above. [see Expression 1: Unique header]

            As per the example above, GHTD465J.

         3. Click Save.

   4. Scroll down to Route.

      

      1. Select Change route.

      2. [Optional] Select Also reroute spam.

      3. From the drop-down menu, select Perception Point Scanner.

   5. Scroll down to the bottom of the dialog box, and click Show options.

      

   6. Under Account types to affect, select [all of the following]:

      1. Users

      2. Groups

      3. (Unrecognized / Catch-all)

   7. Specifying which users to protect [Google Workspace]

      For POC installations only

      Note: It is possible to configure partial protection - protection of only a limited set of users in a Google Workspace account. Partial protection should be used for POC installations only. If partial protection is configured for an organization with a Commercial contract type, then billing will be based on the number of licenses that are included in the Microsoft 365 account - not on the number of "partial protection" users. See License source. For details on how to configure partial protection, see Modifying the list of users to protect [Google Workspace] - POC only.

      Under Envelope filter, select Only affect specific envelope recipients.

      

      1. From the drop-down menu that appears below, select "Pattern match" - and then enter your domain or domains to protect.

         Multiple domains: Add the domains with a pipe symbol ["|"] between them, and without spaces between them.

      2. Click Add setting.

   8. Click Save.