Create a Microsoft Exchange Proofpoint Encrypt Transport Rule
Create a Microsoft Exchange encrypt transport rule that forwards an email to your Proofpoint server for encryption after it has been inspected by Enterprise Data Loss Prevention (E-DLP).
This procedure assumes you have already set up your Proofpoint server and created the required Proofpoint connector.
  1. Create the required Microsoft Exchange connectors.
    Skip this step if you have already created all three connectors: outbound, inbound, and Proofpoint server.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the encrypt transport rule conditions.
    1. Enter a Name for the Proofpoint encrypt transport rule.
    2. Add the encrypt email message header.
      The encrypt header is added by the DLP cloud service when an email contains sensitive information that should be encrypted.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When prompted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        encrypt
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the encrypt header added by Enterprise DLP.
      1. For Do the following, select Redirect the message to.
      2. Select the following connector.
      3. Select the Proofpoint connector and Save.
    4. Click the Add Action icon (+) to add an additional rule action.
    5. Instruct Microsoft Exchange to further modify the email header.
      1. For Do the following, select Modify the message properties.
      2. Select set a message header.
      3. Click Enter Text. When prompted, enter the following.
        x-proofpointencryptdesktop
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        encrypt
        Select the word you added. Click Save to continue.
    6. Click Next to continue.
  4. Configure the Proofpoint encrypt transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the encrypt transport rule settings as needed.
    3. Click Next to continue.
  5. Review the encrypt transport rule configuration and click Finish.
    Click Done when prompted that the encrypt transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine transport rules, block transport rule, encrypt transport rule, and any other existing transport rules does not matter.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.
    • If you want to ensure emails are forwarded to your Proofpoint server for encryption, Palo Alto Networks recommends disabling your existing encrypt rule or assigning a higher priority to the Proofpoint encrypt rule.
      You can forward an email for encryption to either your Proofpoint server or to Microsoft Exchange for encryption, but not both.
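The same rule, built from Exchange Online PowerShell instead of the admin center, as an added example that is not part of the Palo Alto Networks documentation. It assumes you are already connected with Connect-ExchangeOnline; the connector name and the final priority value are placeholders you replace with your own. The condition, the two actions, and the Enforce mode match the steps above; the trailing listing lets you confirm the priority ordering the recommendations require.

```powershell
# Added example, not from the Palo Alto Networks page.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
$ProofpointConnector = 'Proofpoint Encrypt Connector'   # placeholder: your Proofpoint outbound connector name
$RuleName            = 'Proofpoint Encrypt'

# Condition: the x-panw-action header set by the DLP cloud service matches "encrypt".
# Action 1: redirect the message to the Proofpoint connector.
# Action 2: set x-proofpointencryptdesktop: encrypt so Proofpoint encrypts the message.
# Mode Enforce is the admin-center default for a new rule.
New-TransportRule -Name $RuleName `
    -HeaderMatchesMessageHeader 'x-panw-action' `
    -HeaderMatchesPatterns 'encrypt' `
    -RouteMessageOutboundConnector $ProofpointConnector `
    -SetHeaderName 'x-proofpointencryptdesktop' `
    -SetHeaderValue 'encrypt' `
    -Mode Enforce `
    -Comments 'Forward mail flagged by Enterprise DLP to Proofpoint for encryption'

# Priority check: rules are evaluated in ascending Priority order (0 first).
# Any encryption rule that is not part of the Email DLP configuration must sit below
# the Email DLP rules, because Enterprise DLP cannot inspect an already-encrypted email.
Get-TransportRule |
    Sort-Object Priority |
    Select-Object Priority, Name, State, Mode, HeaderMatchesMessageHeader, RouteMessageOutboundConnector |
    Format-Table -AutoSize

# If an existing Exchange encrypt rule is ordered above the Proofpoint rule, move the
# Proofpoint rule up by giving it a lower priority number (placeholder value).
Set-TransportRule -Identity $RuleName -Priority 1
```

Run the Get-TransportRule listing again after the Set-TransportRule call; the Proofpoint encrypt rule should appear below the rule that forwards mail to Enterprise DLP and above any encrypt rule Exchange applies on its own.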