Bypass Data Control Encryption for a specific domain

I'm trying to configure my ES1100 to bypass Data Control encryption only for one specific domain. My company has a partner using TLS encryption and we want to avoid having our users unnecessarily using the data control encryption process for PII between our organizations.

I got it done easily enough by configuring an outbound rule to check the header for the desired domain, say "@partner.com", and that works, but if there's a CC in the message, such as "@stranger.com", they also get the message unencrypted.

How can I configure the device to send the message unencrypted to the trusted domain and an encrypted copy to the untrusted domain, OR, if an untrusted domain is present, send it encrypted to everyone, i.e. allow it to bypass encryption only if @partner.com is the only destination?

That's a mouthful, I hope I explained myself clearly.

Thanks!

:50668


This thread was automatically locked due to age.
  • I'm trying to configure my ES1100 to bypass Data Control encryption only for one specific domain.

    Go into the data control rule and modify the selected users tab.

    Click exclude recipient.

    Custom group.

    Enter either @abc.com for the whole domain, or fred@abc.com for just fred.

    Add.

    Save.

    "I got it done easily enough by configuring an outbound rule to check the header for the desired domain, say "@partner.com" and that works, but if there's a CC in the message, such as "@stranger.com" they also get the message unencrypted."

    Keep in mind data control rules are processed before additional policy rules, so if your encryption rule is DC and your exclusion is an additional policy, it will never trigger.

    "How can I configure the device to send the message unencrypted"

    The appliance will always try encryption first; if it fails, then it will send it in plain text. If you wish to exchange public keys with the company, you can add it to your certificates and create TLS rules for that domain under the encryption tab.

    :50708
  • Thanks for the reply.

    create TLS rules for that domain under the encryption tab.

    That's what I did for the partner organization, which is why I'm trying to disable the DC encryption but only for them. I'll try the exclude recipient method.

    :50710
  • That did the trick! Thank you very much for your response, I've accepted your reply as the solution.

    :50712
  • red warrior needs beer.... badly!!

    cheers

    :50720
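
The two delivery policies asked about in the question, modelled per recipient as an added Python example (not part of the original thread and not ES1100 configuration). All function names and the sample message are constructed for illustration; `partner.com` and `stranger.com` are the placeholder domains used in the question.

```python
from email.utils import getaddresses

TRUSTED_DOMAINS = {"partner.com"}  # assumption: the TLS-protected partner from the thread


def recipient_domain(addr):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def is_trusted(addr):
    # Compare the whole domain per recipient; malformed addresses are never trusted.
    return recipient_domain(addr) in TRUSTED_DOMAINS


def naive_header_bypass(headers):
    """The rule from the question: bypass if the domain appears in any header."""
    return any("@partner.com" in value.lower() for value in headers.values())


def all_or_nothing(recipients):
    """Bypass only when every recipient is trusted; otherwise encrypt for all."""
    return bool(recipients) and all(is_trusted(r) for r in recipients)


def split_delivery(recipients):
    """TLS-only copy for trusted recipients, encrypted copy for everyone else."""
    plan = {"tls_only": [], "encrypt": []}
    for r in recipients:
        plan["tls_only" if is_trusted(r) else "encrypt"].append(r)
    return plan


# Constructed sample message: one partner recipient plus a CC'd outsider.
HEADERS = {"To": "Ann <ann@partner.com>", "Cc": "Bob <bob@stranger.com>"}
# A real gateway evaluates the SMTP envelope recipients, since Bcc recipients
# do not appear in the headers; the headers stand in for them here.
RECIPIENTS = [addr for _, addr in getaddresses(list(HEADERS.values()))]

if __name__ == "__main__":
    print("naive header rule bypasses:", naive_header_bypass(HEADERS))
    print("all-or-nothing bypasses:   ", all_or_nothing(RECIPIENTS))
    print("split plan:", split_delivery(RECIPIENTS))
```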