How to install ETP on a domain set up for email in Google Workspace
***Important: ETP for a new domain can only be implemented after confirmation from the Ostra Onboarding Team that prep is complete.
***Important: Remediation steps are currently under revision due to changes in Google. (Steps 34-44)
1. Log into the Google Workspace Admin, then go to Apps > Google Workspace > Gmail on the left menu.
2. Scroll down and click on Spam, Phishing and Malware.
3. In Inbound gateway, click the Edit pencil icon.
4. In Inbound gateway, check the box to Enable, then click on Add in IP addresses / ranges.
5. Enter 34.223.36.0/24 in the Enter IP address/range field, click Save, then ADD. Enter 3.93.93.0/24 and click Save.
6. Uncheck the boxes for Automatically detect external IP and Reject all mail not from gateway IPs, then click Save at the bottom right of the screen. (While Reject all mail not from gateway IPs is unchecked, Google still accepts mail delivered directly to its own MX hosts rather than through ETP, so the MX cleanup in step 45 is what actually forces inbound mail through the gateway.)
7. Click on Spam, phishing, and malware to close it out.
8. In Settings for Gmail, click on Hosts.
9. In Settings for Gmail > Hosts, click on ADD ROUTE.
10. In Add mail route, type Google Internal in the Name field, change the drop-menu option in 1. Specify email server to Multiple hosts, and add the five host names below under Primary. Enter 25 for Port and 20 for Load % on each host, so the five entries total 100%.
aspmx.l.google.com
alt1.aspmx.l.google.com
alt2.aspmx.l.google.com
alt3.aspmx.l.google.com
alt4.aspmx.l.google.com
11. Scroll down to 2. Options and verify that all boxes are checked. Click Save.
12. Verify that all hosts are listed and click on Hosts to close out this section.
13. In Settings for Gmail, scroll down and select Routing.
14. In Routing > Routing, click on Configure.
15. In Add setting, type in Internal Routing in the Routing text field. In 1. Email messages to affect, check the box for Internal - Sending.
16. Scroll down to Route, check the box for Change route and select Google Internal from its drop-menu, then check the box for Suppress bounces from this recipient.
17. Scroll down and click on Show options. In B. Account types to affect, check the box for Groups. In C. Envelope filter, click on the drop-menu and select Pattern match.
18. In the text field for Regexp, type .* (period asterisk) and click Save.
19. Open another browser tab and go to console.cloud.google.com. Ensure that Google is signed in under the right profile (top right). Check the box to agree to the Terms of Service and click AGREE AND CONTINUE.
20. Click on the burger icon next to Google Cloud (top left), then IAM & Admin > Manage Resources.
21. In Manage resources, click on + CREATE PROJECT on the top menu.
22. In New Project, type ETP Remediation in the Project name text field. Click CREATE, then SELECT PROJECT in the Notifications pop-up.
23. Click on APIs & Services, select Enabled APIs & services, then Library.
24. Type admin sdk into the API Library search box, then open Admin SDK API.
25. In Admin SDK API, click on ENABLE.
26. Go back to the APIs & Services left-menu, click on Library, type google calendar in the search box, open Google Calendar API, then click ENABLE.
27. Go back to the APIs & Services left-menu, click on Library, type contacts in the search box, open Essential Contacts API, then click ENABLE.
28. Go back to the APIs & Services left-menu, click on Library, type gmail in the search box, open Gmail API, then click ENABLE.
29. Go back to the APIs & Services left-menu, click on Library, type groups migration in the search box, open Groups Migration API, then click ENABLE.
30. In the APIs & services left-menu, click on OAuth consent screen, check Internal for User Type, and click on CREATE.
31. In App information, type ETP Authorization into the App name text field, then enter the email for the client's contact in User support email. Scroll down to Developer contact information and enter it again, then click SAVE AND CONTINUE.
32. Click SAVE AND CONTINUE in the Scopes section.
33. Click on Credentials in the left-menu, then + CREATE CREDENTIALS and Service Account.
34. In Service account details, type ETP Remediation Service Account into the Service account name text field. Click CREATE AND CONTINUE then DONE.
35. In Service Accounts, click on the email for the ETP Remediation Service Account.
36. In ETP Remediation Service Account, select KEYS in the top-menu, click on the drop-menu in ADD KEY, and select Create new key.
37. In Key type, select JSON, then click CREATE.
38. If the browser asks, click Allow to permit the download; the key is saved as a JSON file. Create an email draft to onboarding@ostra.net with Values for [Domain] ETP in the subject line, attach the file, and send.
***Important: This step is necessary for Ostra to implement email remediation services on this client domain. The JSON file contains the service account's private key; once domain-wide delegation is granted in step 44, anyone holding it can read every mailbox in the domain, so treat it as a secret and delete any local copy after it has been sent. Remediation cannot be implemented on Google Workspace accounts on the Business Starter tier; upgrading to Business Standard or higher is required.
39. Go back to the Routing tab on your browser. In the Admin left-menu, go to Security > Access and data control > API controls.
40. In API Controls, scroll down and click on MANAGE DOMAIN WIDE DELEGATION.
41. In Security > API Controls > Domain-wide Delegation, click Add new.
42. Before entering the Client ID, go to the browser tab for ETP Remediation Service Account, then click on the tab for DETAILS and copy the Unique ID.
43. Go back to the browser tab for Domain-wide Delegation and paste the Unique ID into the Client ID text field.
44. In the OAuth scopes fields, enter https://mail.google.com/ (the full Gmail access scope, including the trailing slash) and https://www.googleapis.com/auth/admin.directory.user.readonly (read-only Directory user lookup). Click AUTHORIZE, then confirm that the new API client lists both scopes.
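The check below is an added example, not part of this guide or Ostra's tooling. It reads the JSON key downloaded in step 37, confirms it is a usable service-account key, and prints the values an admin pastes in steps 43 and 44 (the client_id field of the key file is the same numeric Unique ID shown on the service account's DETAILS tab). If a mailbox in the client domain is supplied, it also impersonates that mailbox with the two delegated scopes to prove the delegation works; that part needs network access and the google-auth and google-api-python-client packages, which are assumptions, as is the SAMPLE_KEY, which is constructed and not a real key.

```python
"""Check the ETP Remediation service account key and its domain-wide delegation.

Usage: python check_dwd.py <key.json> [mailbox@client-domain]
"""
import json
import sys

# Scopes authorized in step 44. The Gmail scope is the full-access scope and is
# written with a trailing slash.
DWD_SCOPES = [
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
]

REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")


def key_summary(key):
    """Validate a parsed service-account key and return what is pasted in steps 43-44.

    key: dict loaded from the downloaded JSON file.
    Raises ValueError if the file is not a service-account key. The client_id
    field is the numeric Unique ID that Domain-wide Delegation asks for.
    """
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {key['type']!r}")
    if not str(key["client_id"]).isdigit():
        raise ValueError("client_id should be the numeric Unique ID")
    return {
        "client_id": str(key["client_id"]),
        "client_email": key["client_email"],
        # Comma-separated form accepted by the Domain-wide Delegation dialog.
        "scopes": ",".join(DWD_SCOPES),
    }


def check_delegation(key, mailbox):
    """Impersonate `mailbox` with the key and exercise both delegated scopes.

    Needs network access and the google-auth / google-api-python-client packages
    (imported here so the rest of the script runs without them). Returns the
    impersonated address and a few directory entries; a 401/403 here means the
    Unique ID or the scope list in step 44 does not match this key.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_info(
        key, scopes=DWD_SCOPES
    ).with_subject(mailbox)
    gmail = build("gmail", "v1", credentials=creds)
    profile = gmail.users().getProfile(userId="me").execute()
    directory = build("admin", "directory_v1", credentials=creds)
    users = directory.users().list(
        customer="my_customer", maxResults=3, orderBy="email"
    ).execute()
    return profile["emailAddress"], [u["primaryEmail"] for u in users.get("users", [])]


# Constructed sample key for a dry run; not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "etp-remediation",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
    "client_email": "etp-remediation-service-account@etp-remediation.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
}


if __name__ == "__main__":
    with open(sys.argv[1]) as f:
        key = json.load(f)
    summary = key_summary(key)
    print("Client ID for step 43:", summary["client_id"])
    print("OAuth scopes for step 44:", summary["scopes"])
    if len(sys.argv) > 2:
        who, sample_users = check_delegation(key, sys.argv[2])
        print("Gmail scope OK, acting as:", who)
        print("Directory scope OK, sample users:", sample_users)
```

Run the script without a mailbox first to catch a wrong file (for example an OAuth client secret instead of a service-account key) before touching the admin console; run it with a mailbox after step 44 to confirm both scopes were accepted.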
45. All changes in Google Workspace have been completed. To finalize ETP implementation, add the following MX records at the domain registrar and remove every other MX record (including Google's aspmx.l.google.com hosts); any record left in place lets senders deliver straight to Google and bypass ETP.
MX Records (Scope: @)
Priority   Record
10         primary.us.email.fireeyecloud.com
20         alt1.us.email.fireeyecloud.com
30         alt2.us.email.fireeyecloud.com
40         alt3.us.email.fireeyecloud.com
(See Knowledge Base articles for instructions on changing MX records in GoDaddy or mydomain.com.)
46. Send a test email from a mailbox outside the client domain (so that it arrives through the new MX records) to an existing mailbox in the client domain and cc onboarding@ostra.net, with the subject Test email for [domain]. The Onboarding Team will verify that inbound email is being filtered through ETP and reply all to confirm a successful deployment.
Troubleshooting:
- If the test email is not received in the client inbox, check the MX records. Look up the domain at mxtoolbox.com or with another DNS tool and verify that only the four records above are listed; registrar changes can take some time to propagate.
- Review all the steps to ensure all policies were created according to this guide.
- Contact the Onboarding Team at onboarding@ostra.net or call (952) 521-8002.
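The script below is an added example for steps 45-46 and the first troubleshooting bullet, not part of this guide or Ostra's tooling. It checks that a domain's MX set is exactly the four ETP hosts (any extra record is flagged because it lets mail bypass ETP), and it inspects the Received headers of a saved copy of the test email to confirm the hop accepted by mx.google.com came from one of the gateway ranges allowlisted in step 5. The live MX lookup assumes the dig binary and network access; the two sample messages are constructed, not real captures, and their IP addresses are illustrative.

```python
"""Post-cutover checks for an ETP deployment in Google Workspace.

Usage: python etp_check.py <client-domain> [saved_test_message.eml]
"""
import email
import ipaddress
import re
import subprocess
import sys

EXPECTED_MX = {  # priority -> host, from step 45
    10: "primary.us.email.fireeyecloud.com",
    20: "alt1.us.email.fireeyecloud.com",
    30: "alt2.us.email.fireeyecloud.com",
    40: "alt3.us.email.fireeyecloud.com",
}

GATEWAY_RANGES = [  # inbound gateway ranges allowlisted in step 5
    ipaddress.ip_network("34.223.36.0/24"),
    ipaddress.ip_network("3.93.93.0/24"),
]


def check_mx(records):
    """records: iterable of (priority, host) as returned by DNS.
    Returns a list of problems; an empty list means the MX set is correct."""
    seen = {host.rstrip(".").lower(): int(prio) for prio, host in records}
    problems = []
    for prio, host in EXPECTED_MX.items():
        if host not in seen:
            problems.append(f"missing MX {host}")
        elif seen[host] != prio:
            problems.append(f"{host} has priority {seen[host]}, expected {prio}")
    for host in seen:
        if host not in EXPECTED_MX.values():
            # A leftover record (e.g. aspmx.l.google.com) lets senders deliver
            # straight to Google and skip ETP filtering entirely.
            problems.append(f"unexpected MX {host}: remove it, it bypasses ETP")
    return problems


def lookup_mx(domain):
    """Resolve the live MX set with dig (needs the dig binary and network)."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, check=True).stdout
    return [(int(p), h) for p, h in (line.split() for line in out.splitlines())]


_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def gateway_hop(raw_message):
    """IP address from which mx.google.com accepted the message, or None.

    Each hop prepends its own Received header, so scanning top-down the first
    header containing 'by mx.google.com' is where the message entered Workspace."""
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        if "by mx.google.com" in hdr:
            m = _BRACKETED_IP.search(hdr)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def via_gateway(raw_message):
    """True if the message entered Google from an ETP gateway address."""
    hop = gateway_hop(raw_message)
    return hop is not None and any(hop in net for net in GATEWAY_RANGES)


# Constructed sample messages (not real captures). The first arrived through
# ETP; the second was delivered straight to Google's MX, bypassing the gateway.
SAMPLE_VIA_ETP = """\
Received: from primary.us.email.fireeyecloud.com (primary.us.email.fireeyecloud.com. [34.223.36.17])
        by mx.google.com with ESMTPS id a1b2c3
        for <user@example.com>; Mon, 01 Jan 2024 10:00:01 -0800 (PST)
Received: from mail.sender.example (mail.sender.example [203.0.113.9])
        by primary.us.email.fireeyecloud.com with ESMTPS id d4e5f6
        for <user@example.com>; Mon, 01 Jan 2024 10:00:00 -0800 (PST)
From: someone@sender.example
To: user@example.com
Subject: Test email for example.com

hello
"""

SAMPLE_BYPASS = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.9])
        by mx.google.com with ESMTPS id g7h8i9
        for <user@example.com>; Mon, 01 Jan 2024 10:00:00 -0800 (PST)
From: someone@sender.example
To: user@example.com
Subject: Test email for example.com

hello
"""


if __name__ == "__main__":
    domain = sys.argv[1]
    for line in check_mx(lookup_mx(domain)) or ["MX records OK"]:
        print(line)
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            print("test email came through the ETP gateway:", via_gateway(f.read()))
```

In Gmail, "Show original" on the received test message gives the raw headers to save as the .eml file; if via_gateway reports False even though the MX records are correct, the sender most likely cached the old MX records or delivered to a stale record, so re-send after propagation.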
Please report any errors or omissions in this guide to onboarding@ostra.net.