How to install ETP on a domain set up for email in Google Workspace
***Important: ETP for a new domain can only be implemented after confirmation from the Ostra Onboarding Team that prep is complete.
***Important: Remediation steps are currently under revision due to changes in Google. (Steps 30-42)
1. Log into the Google Workspace Admin, then go to Apps > Google Workspace > Gmail on the left menu.

2. Scroll down and click on Spam, phishing, and malware.

3. In Inbound gateway, click the Edit pencil icon.

4. In Inbound gateway, check the box to Enable, then click on Add in IP addresses / ranges.

5. Enter 34.223.36.0/24 in the Enter IP address/range field and click Save. Click ADD again, enter 3.93.93.0/24, and click Save.

6. Uncheck the boxes for Automatically detect external IP and Reject all mail not from gateway IPs. Click Save at the bottom right of the screen.
Note: while Reject all mail not from gateway IPs is unchecked, any sender that connects directly to Google's MX hosts (for example because an old MX record still points there) bypasses ETP. Ask the Onboarding Team whether it should be enabled once step 50 has confirmed that mail is flowing through the gateway.

7. Click on Spam, phishing, and malware to close it out.

8. In Settings for Gmail, click on Hosts.

9. In Settings for Gmail > Hosts, click on ADD ROUTE.

10. In Add mail route, type Google Internal in the Name field, change the drop-menu option in 1. Specify email server to Multiple hosts, and copy and paste the host names below into Primary. Enter 25 for the Port and 20 for Load % for every host (five hosts at 20% each).
aspmx.l.google.com
alt1.aspmx.l.google.com
alt2.aspmx.l.google.com
alt3.aspmx.l.google.com
alt4.aspmx.l.google.com

11. Scroll down to 2. Options and verify that all boxes are checked. Click Save.

12. Verify that all hosts are listed and click on Hosts to close out this section.

13. In Settings for Gmail, scroll down and select Routing.

14. In Routing > Routing, click on Configure.

15. In Add setting, type in Internal Routing in the Routing text field. In 1. Email messages to affect, check the box for Internal - Sending.

16. Scroll down to Route, check the box for Change route, then check the box for Suppress bounces from this recipient. Click on the drop-menu and select Google Internal.

17. Scroll down and click on Show options. In B. Account types to affect, check the box for Groups. In C. Envelope filter, click on the drop-menu and select Pattern match.

18. In the text field for Regexp, type .* (period asterisk) and click Save.

19. Open another browser tab and go to console.cloud.google.com. Ensure that Google is signed in under the right profile (top right). Check the box to agree to the Terms of Service and click AGREE AND CONTINUE.

20. Click on the burger icon next to Google Cloud (top left), then IAM & Admin > Manage Resources.

21. In Manage resources, click on + CREATE PROJECT on the top menu.

22. In New Project, type ETP Remediation in the Project name text field. Click CREATE, then SELECT PROJECT in the Notifications pop-up.


23. Click on APIs & Services, select Enabled APIs & services, then Library.


24. Type admin sdk into the API Library search box, then open Admin SDK API.


25. In Admin SDK API, click on ENABLE.

26. Go back to the APIs & Services left-menu, click on Library, type google calendar in the search box, open Google Calendar API, then click ENABLE.


27. Go back to the APIs & Services left-menu, click on Library, type contacts in the search box, open Essential Contacts API, then click ENABLE.


28. Go back to the APIs & Services left-menu, click on Library, type gmail in the search box, open Gmail API, then click ENABLE.


29. Go back to the APIs & Services left-menu, click on Library, type groups migration in the search box, open Groups Migration API, then click ENABLE.


30. By default, Google Cloud organizations enforce a policy that blocks the creation of service account keys. This policy must be switched off before the key for the Remediation Service Account can be created (step 41). Navigate to the parent organization of the ETP Remediation project: open the project picker, select the ALL tab, and note which organization the project was created under.

31. Go to IAM & Admin > IAM. The logged-in user should already hold the role Organization Administrator. Edit that principal and add the role Organization Policy Administrator as well.


32. Go to IAM & Admin > Organization Policies and search for the policy iam.disableServiceAccountKeyCreation (Disable service account key creation). Edit the policy and switch enforcement to Off.
Note: a key that already exists keeps working after enforcement is switched back on, so re-enable the policy once the key has been created and sent (step 42). If the organization allows it, you can instead customize the policy on the ETP Remediation project only, which limits the exception to that project.



33. Navigate back to the ETP Remediation project and then the APIs & services left-menu, click on OAuth consent screen

(If this is the first time this setting is being used in this instance of Google Cloud, OAuth may not be configured. If this is the case, click on 'Get Started' and continue following the steps below.)

34. Check Internal for User Type, and click on CREATE

35. In App information, type ETP Authorization into the App name text field, then enter the email for the client's contact in User support email. Scroll down to Developer contact information and enter it again, then click SAVE AND CONTINUE.

36. Click SAVE AND CONTINUE in the Scopes section.

37. Click on Credentials in the left-menu, then + CREATE CREDENTIALS and Service Account.

38. In Service account details, type ETP Remediation Service Account into the Service account name text field. Click CREATE AND CONTINUE then DONE.


39. In Service Accounts, click on the email for the ETP Remediation Service Account.

40. In ETP Remediation Service Account, select KEYS in the top-menu, click on the drop-menu in ADD KEY, and select Create new key.

41. In Key type, select JSON, then click CREATE.

(If clicking CREATE fails with an error stating that the organization policy iam.disableServiceAccountKeyCreation is enforced, the policy still needs to be switched off. Refer to steps 30-32.)

42. Click Allow to allow downloads. This will download a JSON key file. Create an email draft to support@ostra.net with the subject 'Values for [Domain] ETP', attach the file, and send.
The JSON file contains the service account's private key. Once domain-wide delegation is granted in step 48, anyone holding this file can act on every mailbox in the domain, so treat it as a credential: send it only to the address above, do not keep extra copies, and delete the local download once Ostra confirms receipt.
***Important: This step is necessary for Ostra to implement email remediation services on this client domain. However, remediation cannot be implemented on Google Workspace accounts on the Business Starter tier. Upgrading to Business Standard or higher is necessary.

43. Go back to the browser tab with the Google Workspace Admin console (it should still be on Routing). In the Admin left-menu, go to Security > Access and data control > API controls.

44. In API Controls, scroll down and click on MANAGE DOMAIN WIDE DELEGATION.

45. In Security > API Controls > Domain-wide Delegation, click Add new.

46. Before entering the Client ID, go to the browser tab for ETP Remediation Service Account, then click on the tab for DETAILS and copy the Unique ID.

47. Go back to the browser tab for Domain-wide Delegation and paste the Unique ID into the Client ID text field.

48. Copy and paste or type each of the following into the OAuth scopes text fields, one scope per field.
https://mail.google.com
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
Click AUTHORIZE. Confirm that all three scopes are present in the new API client. The first scope grants full read, send and delete access to every mailbox in the domain (this is what allows ETP to remediate messages); the other two grant read-only access to the user and group directory. Do not add scopes beyond these three.


49. All changes in Google Workspace have been completed. To finalize ETP implementation, add the following MX records at the domain's DNS host (usually the registrar). All other MX records, including the existing Google Workspace entries (aspmx.l.google.com and the alt hosts), must be removed: any MX record left pointing elsewhere is a delivery path that bypasses ETP.
MX Records (Scope: @)
Priority  Record
10        primary.us.email.fireeyecloud.com
20        alt1.us.email.fireeyecloud.com
30        alt2.us.email.fireeyecloud.com
40        alt3.us.email.fireeyecloud.com
(See Knowledge Base articles for instructions on changing MX records in GoDaddy or mydomain.com.)
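The MX check in step 49 can be automated. The script below is an added example for this guide, not Ostra or Google tooling: it parses `dig +short MX` output, normalises trailing dots and letter case, and reports any record that is not one of the four ETP hosts, since every extra record is a path around the gateway. The sample output embedded in it is constructed, not a real lookup; the `resolve_mx` helper shells out to the system `dig` binary and needs network access.

```python
"""Check a domain's MX records against the ETP set from step 49.

Added example for this guide, not Ostra or Google tooling. The comparison is
kept separate from DNS resolution so it can be run against captured
`dig +short MX <domain>` output as well as live records.
"""
import subprocess
import sys

# The four records the guide instructs you to publish in step 49.
EXPECTED_MX = {
    (10, "primary.us.email.fireeyecloud.com"),
    (20, "alt1.us.email.fireeyecloud.com"),
    (30, "alt2.us.email.fireeyecloud.com"),
    (40, "alt3.us.email.fireeyecloud.com"),
}

# Constructed sample of `dig +short MX` output (not a real lookup): the ETP
# records are present but a leftover Google MX record was never removed.
SAMPLE_DIG_OUTPUT = """\
20 alt1.us.email.fireeyecloud.com.
10 primary.us.email.fireeyecloud.com.
30 alt2.us.email.fireeyecloud.com.
40 alt3.us.email.fireeyecloud.com.
50 ASPMX.L.GOOGLE.COM.
"""


def parse_dig_short(output):
    """Turn `dig +short MX` lines ("10 host.example.com.") into (priority, host) pairs.

    Trailing dots and letter case are normalised so DNS presentation differences
    do not produce false mismatches.
    """
    records = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # blank line or something that is not an MX answer
        records.add((int(parts[0]), parts[1].rstrip(".").lower()))
    return records


def check_mx(records, expected=EXPECTED_MX):
    """Compare observed MX records with the expected set.

    Every record in `unexpected` is a path around ETP: a sender can connect to
    that host directly and the message never passes the gateway. Records in
    `missing` only reduce redundancy, but the cutover is still incomplete.
    """
    return {
        "missing": sorted(expected - records),
        "unexpected": sorted(records - expected),
        "ok": records == expected,
    }


def resolve_mx(domain):
    """Resolve live MX records with the system `dig` binary (needs network)."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_short(out)


if __name__ == "__main__":
    domain = sys.argv[1]
    result = check_mx(resolve_mx(domain))
    print(f"{domain}: {'OK' if result['ok'] else 'MISMATCH'}")
    for prio, host in result["unexpected"]:
        print(f"  unexpected (bypasses ETP): {prio} {host}")
    for prio, host in result["missing"]:
        print(f"  missing:                   {prio} {host}")
    sys.exit(0 if result["ok"] else 1)
```

Run it as `python check_mx.py clientdomain.example` after the DNS change has propagated; a non-zero exit means the record set does not match step 49 exactly.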
50. Send a test email from a mailbox outside the client domain to an existing mailbox in the client domain and cc onboarding@ostra.net (mail between two mailboxes in the same Google Workspace domain never leaves Google and would not exercise the new MX records). The subject should be Test email for [domain]. The Onboarding Team will verify that inbound email is being filtered through ETP and reply-all to confirm a successful deployment.
Troubleshooting:
- If the test email is not received in the client inbox, check the MX records. Enter the domain in mxtoolbox.com or another MX lookup tool and verify that only the four records above are listed; any other record is a delivery path that bypasses ETP.
- Review all the steps to ensure all policies were created according to this guide.
- Contact the Onboarding Team at onboarding@ostra.net or call (952) 521-8002.
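If the test email from step 50 does arrive, you can confirm for yourself that it travelled through ETP rather than being delivered to Google directly. The script below is an added example for this guide, not Ostra or Google tooling. Gmail records the host that handed it a message in a Received header of the form "from <host> (<host> [<ip>]) by mx.google.com"; if that IP falls inside one of the inbound gateway ranges from step 5, the message came via ETP. The message headers embedded in it are constructed samples (hostnames and timestamps are placeholders), and the script assumes you export the real message with Gmail's Show original as a .eml file.

```python
"""Confirm that the step 50 test message actually arrived through the ETP gateway.

Added example for this guide, not Ostra or Google tooling. Gmail records the
host that handed it a message in a Received header of the form
"from <host> (<host> [<ip>]) by mx.google.com". If that IP is inside one of the
inbound gateway ranges from step 5, the message traversed ETP; if not, it was
delivered to Google directly and the MX cutover or gateway setup is incomplete.
Run as: python check_gateway.py message.eml
"""
import email
import ipaddress
import re
import sys

# Inbound gateway ranges from step 5 of the guide.
GATEWAY_RANGES = [ipaddress.ip_network(n) for n in ("34.223.36.0/24", "3.93.93.0/24")]

# Matches the hop where an external host hands the message to Google's MX.
# The "(host. " part is optional because some senders show only "[ip]".
GOOGLE_HOP = re.compile(
    r"from \S+ \((?:\S+ )?\[(?P<ip>[^\]]+)\]\) by mx\.google\.com"
)

# Constructed sample headers (not real messages). The hostnames and timestamps
# are placeholders; only the Received chain matters here.
SAMPLE_VIA_GATEWAY = """\
Delivered-To: user@example.com
Received: by 2002:a05:6000:1 with SMTP id a1;
        Mon, 1 Jan 2024 10:00:00 -0800 (PST)
Received: from gw.example.net (gw.example.net. [34.223.36.17])
        by mx.google.com with ESMTPS id b2
        for <user@example.com>;
        Mon, 1 Jan 2024 10:00:00 -0800 (PST)
From: sender@example.org
To: user@example.com
Subject: Test email for example.com

"""

# Same message, but handed to Google by a host outside the gateway ranges.
SAMPLE_DIRECT = SAMPLE_VIA_GATEWAY.replace(
    "gw.example.net (gw.example.net. [34.223.36.17])",
    "mail.example.org (mail.example.org. [203.0.113.5])",
)


def google_hop_ip(raw_message):
    """Return the IP that connected to mx.google.com, or None if no such hop exists."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = GOOGLE_HOP.search(flat)
        if m:
            return ipaddress.ip_address(m.group("ip"))
    return None


def came_via_gateway(raw_message):
    """True only if the hop into Google came from an ETP gateway address."""
    ip = google_hop_ip(raw_message)
    return ip is not None and any(ip in net for net in GATEWAY_RANGES)


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        raw = f.read()
    ip = google_hop_ip(raw)
    if ip is None:
        print("no 'by mx.google.com' hop found in Received headers")
        sys.exit(2)
    ok = came_via_gateway(raw)
    print(f"handed to Google by {ip}: {'via ETP gateway' if ok else 'DIRECT delivery, bypassed ETP'}")
    sys.exit(0 if ok else 1)
```

A "DIRECT delivery" result on an externally sent test message means a sender was able to reach Google without passing the gateway; re-check the MX records (step 49) and the Inbound gateway settings (steps 3-6) before contacting the Onboarding Team.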
Please report any errors or omissions in this guide to onboarding@ostra.net.