
How do I add groups from active directory to the SPX encryption policies?

I need to add groups of users (Security groups organized by job type) to the SPX policies so that if a user is detected in the group it encrypts their email as it travels outbound.
I tried to type in the full CN path for the user groups in the policy and it will not let me add it. Only users' email addresses. Additionally, I can't add multiple users to the policies at once. I have around 800 accounts and mailboxes to manage encryption policies for. It is impractical to type in one user account at a time.

Also organizing users into an OU and specifying an OU of users will not work with our directory design. What are my options for scoping out these policies for large numbers of users requiring encryption?

I really need all or nothing encryption for specific groups of users.



  • Hi ITAdmin10,

    In order to do this you will need to craft a rule based upon the groups. So the big issue here (that you are probably experiencing) is if the user is in multiple groups the rule fails or it encrypts all mail from the user in multiple groups.

    For this example I will assume you have 3 groups of people you wish to include Group A, Group B, Group C and your domain is ABC.com

    and then essentially a group D or list of people to exclude or to make the !NOT attribute work against

    If your groups are not already set up you would need to create group A,B,C in the appliance Policy / Accounts / User groups / create a manual group

    call it group A .. under entries

    add usera@abc.com (or as many as you like)

    save it

    add group B repeat add group C:

    now you should have 3 groups with 10 email addresses in each (for sake of example)

    Now under Policy / Additional Policy / Outbound

    Add a new rule:

    rule type is watch list

    under select users include users tab:

    select groups A B C

    under exclude senders add the groups to exclude

    select the main action of encrypt message.

    This will create the following rule: test66 (in my case)

    custom 0001 0002 0003 = group ABC and policy_watch_list_6 is the excluded members of your policy rule

    # attr NAME=RULE[39]: test66
    if allof(anyof(envelope :memberof "from" "custom_0001", envelope :memberof "from" "custom_0002", envelope :memberof "from" "custom_0003"), not envelope :memberof "from" "policy_watch_list_00000006")
    {
    pmx_minfo "Rule" "test66";
    pmx_mark "Rule" "test66";
    pmx_mark "type" "Legit";
    # MAIN ACTION: spx
    pmx_mark "action" "spx";
    pmx_spx_init :template "default";
    pmx_spx :bounce_sender :attach_email :sender_confirm :sender_confirm_encryption;
    stop;
    }
    # end NAME=RULE[39]: test66

    in short:

    if any one in group A B or C matches.. AND they are NOT a member of the excluded members, encrypt the message.

    This will allow you to create a rule that applies to a group of users and also allows you to exclude people if they are a part of a group you don't wish to add.

    Have Fun!

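The rule shown in the answer above is an allof/anyof/not condition over sender group membership. As an added example (not part of the original post and not Sophos code), the script below models that same condition in Python so that an administrator can check, before the rule goes live, which senders would be encrypted, which would be passed, and which members of an include group are silently cancelled out by the exclude list. The group names custom_0001 to custom_0003 and policy_watch_list_00000006 come from the post; every email address and the membership lists are constructed for the example.

```python
"""Offline model of the SPX watch-list rule "test66" from the post.

The appliance rule condition is:
    allof(anyof(envelope :memberof "from" custom_0001 / 0002 / 0003),
          not envelope :memberof "from" policy_watch_list_00000006)
This is an added illustration, not Sophos code; addresses are made up.
"""

# Constructed manual groups (Group A, B, C in the post) keyed by the
# names the appliance generated for them in the rule.
GROUPS = {
    "custom_0001": {"usera@abc.com", "userb@abc.com", "userx@abc.com"},  # Group A
    "custom_0002": {"userc@abc.com", "userx@abc.com"},                   # Group B
    "custom_0003": {"userd@abc.com", "usery@abc.com"},                   # Group C
    # The "exclude senders" list becomes a generated watch list.
    "policy_watch_list_00000006": {"usery@abc.com"},
}
INCLUDE_GROUPS = ("custom_0001", "custom_0002", "custom_0003")
EXCLUDE_LIST = "policy_watch_list_00000006"
RULE_NAME = "test66"


def memberof(sender: str, group: str) -> bool:
    """envelope :memberof "from" <group>, with case-insensitive matching."""
    members = {addr.lower() for addr in GROUPS.get(group, set())}
    return sender.strip().lower() in members


def rule_matches(sender: str) -> bool:
    """allof(anyof(include groups), not exclude list)."""
    included = any(memberof(sender, g) for g in INCLUDE_GROUPS)
    excluded = memberof(sender, EXCLUDE_LIST)
    return included and not excluded


def evaluate(sender: str) -> dict:
    """Return the marks the rule body would set, or {} if it falls through.

    A match sets Rule/type/action marks and then 'stop's, so a sender who is
    in two include groups is still handled exactly once.
    """
    if not rule_matches(sender):
        return {}
    return {"Rule": RULE_NAME, "type": "Legit", "action": "spx"}


def find_overlaps() -> set:
    """Members of an include group who are also on the exclude list.

    These senders will never be encrypted by this rule, which is the
    multi-group pitfall the post warns about; review this set before deploying.
    """
    included = set().union(*(GROUPS[g] for g in INCLUDE_GROUPS))
    return included & GROUPS[EXCLUDE_LIST]


def audit(senders) -> list:
    """Dry run: (sender, 'encrypt' | 'pass') for each constructed sender."""
    return [(s, "encrypt" if rule_matches(s) else "pass") for s in senders]


if __name__ == "__main__":
    for sender, verdict in audit(["usera@abc.com", "userx@abc.com",
                                  "usery@abc.com", "nobody@abc.com"]):
        print(f"{sender:18} -> {verdict}")
    print("silently excluded:", sorted(find_overlaps()))
```

Running the dry run against an export of the real group memberships gives the list of accounts that would be excluded despite being in an include group, which is the case that is hard to spot once the rule is only visible as generated policy text.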