NEWS: Proofpoint Integrated Deployment

Created by Yves Lacombe, Modified on Thu, 13 Mar at 4:50 PM by Yves Lacombe



We are pleased to announce that, effective March 18th, Vircom/Proofpoint will introduce a new deployment method alongside the existing Email Gateway option: Integrated Deployment. This new method eliminates the need for gateway MX record changes, making Proofpoint more efficient and adaptable than ever. The ICES deployment provides robust protection for end-users against advanced email threats, delivering the performance MSPs require to succeed.


Integrated Deployment is also known as ICES or (I)ntegrated (C)loud (E)mail (S)ecurity.


With API-based Integrated Deployment, onboarding new customers takes less than five minutes. By removing the need for MX record adjustments, this option simplifies management for busy MSPs and smaller teams. 


Integration with Microsoft 365 enables setup in just a few clicks, automatically detecting and configuring the service. Emails from Microsoft are then processed through Proofpoint's industry-leading AI and reputation-based detection system, where Proofpoint ensures secure communication while effectively blocking a wide range of threats, including phishing, email fraud, and malware.


Emails are still blocked within Proofpoint's quarantine and you can apply the same controls and policies you are used to with MX-based deployment.   Users still receive Email Digests like they would with MX-based deployment.


This deployment option will be available across all Vircom packages for all partners and customers.

[Example Deployment]


=== FAQ ===

Does this affect pricing?   

No, it doesn't.


Can you use the emergency inbox?
No - since the MX record still points to Office365, there is no spooling that can be done in case of emergency.  That's still an advantage only present with MX filtering.

Can you use Proofpoint Archiving?
Not at the moment. The mail flow difference means we'd be archiving all the mail, good or bad, via the archiving system. Proofpoint is working on a solution to make it work with Archiving. For now, ICES deployment should not be used with Professional and Professional plus packages.


What other sacrifices do I make with Integrated (ICES) Deployment?

You get less benefit from the IP reputation system (PDR and Cloudmark) at the connection layer, since you're delegating connection-level filtering to Microsoft 365. Cloudmark and PDR are still leveraged, but the messages will not be blocked at the connection layer (i.e., with a 550 error).


Can you still do outbound mail filtering and encryption?

Yes, but you still need to add Proofpoint to the client's SPF record before enabling the outgoing rule. When you deploy using the Integrated mode, the outgoing rule will be off during go-live. That gives you time to adjust the SPF record. You will need to manually enable the rule.
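
One way to check the client's SPF record before manually enabling the outgoing rule, as an added example (not Vircom or Proofpoint code). The include host `spf.filtering-provider.example` is a placeholder, since this page does not give the value to add, and the TXT strings are constructed samples.

```python
# Added example: SPF pre-flight check before enabling the outbound rule.
# REQUIRED_INCLUDE is a placeholder (assumption); take the real value from
# the provider's documentation.
REQUIRED_INCLUDE = "spf.filtering-provider.example"


def spf_preflight(txt_records, required_include=REQUIRED_INCLUDE):
    """Return (status, proposed_record) for a domain's TXT record strings.

    status: "ready", "needs_update", "no_spf", "multiple_spf", "uses_redirect".
    """
    spf = [r.strip() for r in txt_records
           if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        # Nothing to merge into; the full policy has to be written by hand.
        return "no_spf", None
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permerror at receivers.
        return "multiple_spf", None
    terms = spf[0].split()
    lowered = [t.lower() for t in terms]
    wanted = f"include:{required_include}".lower()
    if any(t.lstrip("+") == wanted for t in lowered):
        return "ready", spf[0]
    # Insert before "all": mechanisms listed after it are never evaluated.
    for i, t in enumerate(lowered):
        if t.lstrip("+-~?") == "all":
            terms.insert(i, f"include:{required_include}")
            return "needs_update", " ".join(terms)
    if any(t.startswith("redirect=") for t in lowered):
        # The policy lives in another domain's record; edit that one instead.
        return "uses_redirect", None
    terms.append(f"include:{required_include}")
    return "needs_update", " ".join(terms)


# Constructed sample TXT record sets, not real customer data.
SAMPLES = {
    "m365-only": ["v=spf1 include:spf.protection.outlook.com -all"],
    "duplicate": ["v=spf1 -all", "v=spf1 include:spf.protection.outlook.com -all"],
    "no-spf": ["some-site-verification=constructed"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, spf_preflight(records))
```

Enable the outgoing rule only once the published record returns `ready`; `multiple_spf` and `uses_redirect` need a manual fix first.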


Who gets the "go live" notification?

When you roll it out, an email will be sent to the TECH CONTACT under the client's profile, notifying that contact that the domain is ready to handle traffic via Proofpoint. The setup takes around 5 to 10 minutes (excluding the outbound/SPF step); from that point, the normal configuration replication delays apply, as is usual on Proofpoint. It is important to properly identify the technical contact at setup time.

Does this work with anything other than Microsoft 365?

No - currently integrated deployment / ICES only works with Microsoft 365.  


Can you switch from Integrated (ICES) to MX-based filtering (SEG) after the fact?

Yes, you can. You can change the type from Integrated to MX, but it does require removing the rules and connectors manually prior to using the Easy Button or the Vircom Portal to create the conventional connectors and rules for MX-based filtering.

Why would I choose Integrated (ICES) over MX?
Good for very small clients that don't have access to DNS or have limited access to DNS settings. It speeds up the onboarding. You do need some form of DNS access to update SPF if you plan on sending mail outbound through Proofpoint, but that's a simpler change (a single TXT record). Also, using Integrated skips the domain verification process.


Larger customers would probably have a preference for conventional MX/SEG deployment.


Note that Integrated deployment is also a stepping stone for eventual inter-mailbox scanning (scanning of messages within the same organisation) and other advanced features that are coming in the future.


Does the “easy button” on the Integrations page create different connectors & rules depending on whether the account is set to Integrated or MX?

Yes, there are a few differences in the rules created by the "Easy Button" depending on which deployment method you use. Integrated adds extra header elements to track the org that is sending through Proofpoint, such as the UUID, stack, and traffic direction.


Does the automatic configuration create the Azure sync AND import users, or does it just set up the sync?
It creates the app registration and synchronization AND forces the sync at the same time, importing the users in one go. If the client is on a plus package, it also adds the permissions necessary for making it possible to retract/restore emails from the message log.


With Integrated with M365 enabled, is there any impact to the “Inbound sender DNS check” spam setting?

You can have it on or off, it functions as normal in this scenario.



With Integrated with M365 enabled, does Microsoft reject on DMARC fail p=reject?

Yes.


With Integrated with M365 enabled, does Microsoft quarantine or reject for any other reason? 

Microsoft will quarantine on obvious spam, or with their own RBL, or on SPF hard fail (if you have that enabled).


Have you considered SAT tools like KnowBe4 that would bypass PPE and/or signature management tools? Are there recommendations for how to configure with the Integrated rules?

Normally we recommend using third-party phishing simulation software in direct delivery mode. In this case, however, KnowBe4 adds a header element to each email ("x-phishtest", for instance), so you will need to create a rule ahead of all the Proofpoint rules, at priority 0 (i.e., the first rule in the list), with the option "stop processing following rules" checked. Otherwise the messages will get caught by Proofpoint.