This is a "quick and dirty" guide for setup of a client with Proofpoint Integrated Deployment.
This document is meant for MSP (Managed Service Providers) who already have an account with us and would like to deploy clients in Integrated Mode.
Integrated deployment is extremely simple:
You don't need to make any DNS changes unless you also need to setup outbound through proofpoint, and in this case it only requires you update the existing SPF record if there is one present. Ahead of time, we recommend to update the user's existing SPF like this (example):
Current SPF:
"v=spf1 include:spf.protection.outlook.com -all"
New SPF should be:
"v=spf1 include:spf.protection.outlook.com include:_spf-us.ppe-hosted.com -all"If you're using the EU stack, the include should be _spf-eu.ppe-hosted.com
Requirements:
- Client must be on Microsoft365
- You need an account that is global admin in their tenant to be able to deploy it properly
Here is the process in 11 steps
Step #1 -- add the customer to your tenant
Go to your CUSTOMERS page and click "ADD A CUSTOMER"
Step #2 -- fill in the product & packages info for said client
Step #3 -- Fill in the customer corporate details
Step #4 - fill in the client's primary domain details ...
Note that we recommend you uncheck the "send welcome email" box and make sure that the email address you use is going to be the official technical contact account for the organisation. This is the account that will receive the notification that the domain is ready to go live.
Step #5 - Pick the deployment method
Step #6 - Pick "Automated Deployment"
Manual requires a lot of knowledge on what proofpoint needs in terms of connectors and rule and falls outside the scope of this document.
Click on "CONNECT WITH MICROSOFT" to begin the process.
Step #7 - Pick the global admin account for the Microsoft 365 tenant to grant permissions
Step #8 - Accept / Grant permissions
At this point proofpoint is going to be creating the azure sync, populating the domains that are currently present in the office365 tenant in proofpoint and creating all the connectors and rules required for integration. The mail flow will not be interfered with at this stage until it detects everything is ready to go live.
Step #9 - Complete the initial process
At this point, several background checks and processes are running waiting for all the backend setup to be completed.
It takes around an hour for proofpoint to be ready. Once everything is ready to go, proofpoint will automatically enable the rules in M365 to begin processing email through proofpoint.
Step #10 - Finalise the configuration.
Right now the automatic configuration is under way ...
Notice the warning that the organisation setup in process. Technical contact is good.
Under Account Management -> domains ... notice that the domains are "currently activating" and are all populated. Note that the default .onmicrosoft.com domain is there only as a management domain.
Under User Management -> Users - you can notice that all users are pre-populated due to the sync having been done
Check the Azure sync section under User Management -> Azure Directory Sync - notice that the sync is already pre-set and running.
Check out M365 Exchange setup -> Connectors are already created and turned on. Don't worry, the mail flow through proofpoint is triggered via rules and those are only turned on when the proofpoint tenant is detected as ready.
Rules are disabeled, they will be turned on automatically by proofpoint (except for the outbound rule). This one has to be triggered manually since there's no garantee that the SPF is up-to-date.
After 30 or 40 minutes, you should see that organisation is almost ready to go when the Domains Mail Relay are shown as "Active"
The technical contact will receive an Email notification like this indicating everything is go and up and running:
If you go back to the DOMAINS section, it's officially live when it looks like this:
Step #11 - Enable the outbound rule
All you need to do (assuming you updated the SPF record) is to enable the outbound rule and you're good to go.
