VIPRE Edge Defense Guided Setup

Written By Marissa Fegan (Super Administrator)

Updated at January 19th, 2022

Guided Setup of VIPRE Edge Defense. Included in this solution is VIPRE Email Security Cloud Advanced Threat Protection with Encryption add-on, SafeSend with Data Loss Prevention add-on, and Security Awareness Training for Edge.

Select a topic below for step-by-step instructions: 

Email Security Cloud

The setup of VIPRE Email Security Cloud requires fundamental changes that need to be completed in a specific order. We’ve outlined these changes in the guided path below. 

 

Set Password and Login

Important 

You should have received an email that includes a variation of your email address, provided by VIPRE. Please have this email available when going through the steps below.

 
  1. Navigate to https://email.myvipre.com 
  2. Click Forgot password? on the bottom-right
  3. Enter the above-mentioned email address provided by VIPRE and click Recover Password
  4. Check your email for an email from VIPRE

 

When ready, click the next step below

Next Step - Add and Verify Domains

 
 

 

Add and Verify Domains


For added protection, domain ownership is verified through a DNS lookup. VIPRE provides a verification code that the domain owner or administrator adds to the domain's DNS as a TXT record. Email Cloud then checks the DNS records to confirm that the provided code is present in the TXT record.

  1. Select Domains on the left-side menu
  2. Click the plus sign on the top-right
  3. Fill in the appropriate required fields and click Save & Continue
  4. Ensure DNS TXT Record is selected and add the provided TXT values to your DNS records
  5. Select one of the following:
    • Verify Later - this option is best if the required changes cannot be made right away
    • Verify Now - use this option if you have already made the required changes
      • Please note, in some circumstances, it may take up to 72 hours for changes to your DNS record to propagate across the Internet


To verify domains at a later time:

  1. From the Domain Listing screen, select the appropriate domain under the Domains Pending Verification section at the top
  2. Click Verify Now; the Edit Domain window will appear showing the DNS TXT Record verification method
  3. When ready, click Verify Now


 

 

When ready, click the next step below.

 

Next Step - Add Users

 
 

Add Users

Within VIPRE Email Security – Cloud Edition, a user is defined as a single actual email address. Aliases and distribution lists do not count against the allowed number of users. This article explains the different ways you can create or import users into the system.

Using any of the methods below enables you to add users to VIPRE.

Log in as an administrator

  1. Log in to https://email.myvipre.com/ using your Administrator credentials

Navigate to the desired customer

If you are logging in as the administrator, you will be presented with your customer list.

  1. From the displayed Customer List, select the Customer which you are adding users to

Choose one of the following methods for adding users below:

Directory Services

VIPRE Recommends

Adding users via a directory service, such as LDAP or Entra ID, is recommended due to its ease of use.

 

 

LDAP

This article explains the benefits of using LDAP sync for user management and how to enable it in Email Security.

What is LDAP sync? 

For ease of user management with Email Security, use Lightweight Directory Access Protocol (LDAP) Sync. User information that updates in LDAP will automatically replicate to VIPRE Email Security. This lets you continue to use the LDAP system as a single point of user management.

When LDAP Sync is enabled, Email Security considers LDAP the system of truth. Thus, new users in LDAP are automatically added to Email Security. Disabled or deleted users are automatically deleted from Email Security once the deletion delay interval expires. Email aliases are automatically mapped from LDAP secondary email address data.

The sync process can be scheduled to run every 6, 12, or 24 hours, every three days, or weekly. If immediate sync is needed, such as in the case of offboarding an employee, the Email Security administrator can use the Sync Now action to immediately sync the LDAP changes over to Email Security. Network traffic for the sync process is minimized by Email Security, which places a directory service sync agent local to the LDAP directory service. The data that is transmitted back to Email Security is a subset of the LDAP data.

Summary of benefits

Use LDAP sync to enjoy these benefits:

  • Quickly add users to a new (or existing) Email Security account
  • Keep users' account details updated (e.g., name, phone, notes)
  • Easily add email aliases to users' accounts
  • Ensure disabled or deleted users cannot access Email Security

Supported directory services

The Email Security LDAP sync feature has been certified with Microsoft Active Directory Services. Since LDAP is a standard protocol, the feature should work with any standard directory that supports LDAP. However, not all directory implementations use the same attributes to store the same types of information; in some cases, this may cause mismatches in data interpretation. If you are attempting to connect Email Security to some other directory, let us know of any issues so that we can account for different schema mappings.

LDAP sync and manual account management

If desired, user management through LDAP sync can be used in conjunction with manual account management. When used in this manner, the LDAP sync process uses a supplemental approach to reconcile user accounts.  For example, an email address that has been manually added to Email Security will have its name, phone number, and notes updated from the directory service data. This also means when the user is disabled or deleted in LDAP, that action will not be recognized in Email Security.

LDAP sync processing considerations

Review the information in this section for an understanding of how LDAP sync works with user management in Email Security.

Synchronization rules

The synchronization process uses these rules when scanning LDAP for updates to make in Email Security. If the rules are not met, then the user is not added to the Email Security account.

  • System of truth - when LDAP sync is enabled, it is the system of truth for user management within Email Security
  • Primary email address - the domain of the primary email address must match a domain that is managed by the Email Security account 
  • Secondary email address (aliases) - the domains of secondary email addresses must match a domain that is managed by Email Security AND the primary email address domain is managed by the same Email Security account.
    • List of users - when viewing the list of users, you will see secondary email addresses grouped under the users' account for the primary address
  • Domain changes in Email Security - if a domain is removed from management under Email Security, this results in:
    • when the removed domain matches a Primary email domain - the user is immediately removed from Email Security and will not appear under LDAP -> Conflicts
    • when the removed domain matches a Secondary email domain - the secondary email address is removed from the primary user, as long as Email Security still manages the primary domain
  • LDAP attributes - these attributes sync to Email Security: mail, proxyAddresses, member, givenName, sn (Surname), homePhone, mobile, company, department, and notes
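
The rules above can be applied to a directory export before enabling the sync, to predict which entries will be added and which will be skipped. The following is an added example, not VIPRE's implementation. It assumes the primary address comes from the mail attribute and that aliases are the proxyAddresses values carrying the Active Directory "smtp:" prefix; the directory entries and domains are constructed sample data.

```python
# Added illustration of the synchronization rules above; not VIPRE's code.
# Assumptions: primary address = `mail`; aliases = `proxyAddresses` values that
# use the Active Directory "smtp:" prefix. All sample data is constructed.


def domain_of(address):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = address.rpartition("@")
    return domain.lower() if sep and local and domain else None


def preview_sync(entries, managed_domains):
    """Apply the page's synchronization rules to directory entries.

    Returns (added, skipped): `added` maps each primary address to the aliases
    that would be attached to it; `skipped` maps a DN to the reason it fails.
    """
    managed = {d.lower() for d in managed_domains}
    added, skipped = {}, {}
    for entry in entries:
        primary = (entry.get("mail") or "").strip().lower()
        primary_domain = domain_of(primary)
        if primary_domain is None:
            skipped[entry["dn"]] = "no usable primary email address"
            continue
        # Rule: the primary address domain must be a managed domain.
        if primary_domain not in managed:
            skipped[entry["dn"]] = f"primary domain {primary_domain} is not managed"
            continue
        aliases = []
        for value in entry.get("proxyAddresses", []):
            scheme, _, address = value.partition(":")
            if scheme.lower() != "smtp":
                continue  # X500, SIP and similar entries are not mail aliases
            address = address.strip().lower()
            # Rule: an alias is kept only if its own domain is managed too.
            if (address != primary and domain_of(address) in managed
                    and address not in aliases):
                aliases.append(address)
        added[primary] = aliases
    return added, skipped


# Constructed sample: one managed domain, three directory entries.
MANAGED_DOMAINS = ["example.com"]
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,ou=myOU,dc=example,dc=com",
     "mail": "Alice@Example.com",
     "proxyAddresses": ["SMTP:Alice@Example.com", "smtp:a.smith@example.com",
                        "smtp:alice@example.org", "X500:/o=Org/cn=alice"]},
    # The alias domain is managed, but the primary domain is not: user is skipped.
    {"dn": "cn=bob,ou=myOU,dc=example,dc=com",
     "mail": "bob@example.org",
     "proxyAddresses": ["smtp:bob@example.com"]},
    # Service account without a mail attribute.
    {"dn": "cn=svc-backup,ou=myOU,dc=example,dc=com"},
]

if __name__ == "__main__":
    added, skipped = preview_sync(SAMPLE_ENTRIES, MANAGED_DOMAINS)
    for primary, aliases in added.items():
        print("add ", primary, "aliases:", aliases)
    for dn, reason in skipped.items():
        print("skip", dn, "-", reason)
```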

Enabling / Disabling of LDAP sync

Take note of the following points when enabling or disabling LDAP sync. The information in this section assumes the synchronization rules (above) are met.

  • Single LDAP source - at this time, LDAP sync supports connecting to just one LDAP source
  • Enable for new Email Security account - set up LDAP sync connection and use the Sync Now action to quickly add users
  • Enable for existing Email Security account - upon the first sync event, Email Security will:
    • Add users - LDAP users that are not found in Email Security will be added
    • Update users - user metadata from LDAP will be added to existing users. Qualifying secondary email addresses will be added.
    • Delete users - unless managed manually or by SMTP, Email Security users that are not found in LDAP are flagged for deletion and will be listed under LDAP -> Conflicts
  • Disable LDAP sync - users will stay in Email Security, and you must now manage manually
    • User conflicts - no further action will occur for users identified as conflicts at the time of disabling LDAP sync. However, users flagged for deletion will be automatically deleted when the delay interval expires.

Synchronization frequency

The Email Security Administrator controls the frequency at which the LDAP process runs. 

  • Frequency - Email Security polls LDAP for changes as frequently as every 6, 12, or 24 hours; every three days, or weekly
  • Adjusting frequency - polling interval is adjusted through the Poll LDAP Every setting that is located on the Connect tab under Service Settings -> LDAP
  • On-demand synchronization - use the Sync Now action to force immediate sync from LDAP to Email Security. This is especially useful when there is an urgent need to add or remove a user.

User Deletion

  • Users deleted from LDAP - upon the next sync polling event, newly deleted users will be flagged for deletion in Email Security
  • Users disabled in LDAP - are flagged for deletion in Email Security
  • Deletion delay interval - LDAP connection setting Delete Users After controls the delay interval, which can be set to 7, 14, or 30 days; or never
  • Physical deletion - users deleted from LDAP are delayed by a minimum of 7 days before Email Security automatically deletes them
    • Accidental deletion - the delay interval protects against unintentional removal, or temporary disablement, of accounts that sync over from LDAP
  • When a user is flagged for deletion
    • User access disabled - during the delayed deletion interval, users registered for deletion can no longer access Email Security
    • User-level rules - user-specific Email Security rules, such as Allow & Deny, are retained during the delete delay interval. Once the user is automatically deleted when the interval expires, the related user rules are deleted. 
    • User's Archived emails - for a user that is automatically deleted after the delete interval and later activated in LDAP, they will be automatically synced to Email Security. At that time, the user's email archive will be restored. 
  • Immediate deletion - during the delete delay interval, a user can be manually deleted from Email Security through the User Conflicts tab within the LDAP section of Service Settings 
  • Ignore deletion - users deleted from LDAP can be retained in Email Security by using the Ignore action (User Conflicts tab) during the deletion delay interval
  • Manual deletion - A user that is manually deleted in Email Security will be added back upon the next sync event with LDAP. The user must be deleted from LDAP for them to be permanently deleted in Email Security.


Important

Only one directory service can be active and enabled at a time. For example, you can use either Azure or LDAP but not both. Enabling one directory service will disable the other. You will be prompted before saving the new configuration.

When switching from one directory service to the other, previously synced users no longer in the current directory service sync will be considered user conflicts. These users can be found in the User Conflict Tab and are marked for deletion as directed in the Delete User After setting.



How to enable LDAP sync for user management

LDAP discovery allows VIPRE to scan your network directory for users and automatically add them to the user list.

Step 1. Prerequisite - Firewall permissions for LDAP

To use LDAP sync, you will need to ensure your firewall permits access from the Email Security data centers to your LDAP server. 

  1. Open one of these LDAP ports, based on your use of SSL (recommended) or non-SSL
    • SSL: 636
    • Non-SSL: 389
  2. Permit these server IP addresses 

    Email Security Data Center Network Ranges

    192.162.216.0/22 (192.162.216.0-192.162.219.255)

    208.70.128.0/21 (208.70.128.0-208.70.135.255)

    72.35.12.0/24 (72.35.12.0 - 72.35.12.255)

    72.35.23.0/24 (72.35.23.0 - 72.35.23.255)

Step 2. Set up the LDAP connection

  1. Log in to https://email.myvipre.com/ using your Administrator credentials

If you have multiple accounts to administer, you will be presented with your list of accounts.

  1. From the Administrator Dashboard, expand the Customers menu, then select Customer List
  2. From the displayed Customer List, select the Customer to which you are adding users
  3. From the customer dashboard, expand the Service Settings menu. Then, select LDAP
  4. On the Connect tab of the LDAP Configuration screen, click the Enable LDAP box
  5. In the Host field, enter the IP address of the LDAP server 
  6. Ensure the SSL option is selected (highly recommended). Deselect if your environment does not support SSL.
  7. In the Username and Password fields, enter the user account credentials to be used for the sync process
  8. Enter the Base DN (Domain Name) information using standard LDAP notation, e.g., ou=myOU,dc=example,dc=com
  9. In the Poll LDAP Every drop-down, select the frequency at which you would like the sync process to run
  10. In the Delete Users After drop-down, select the number of days for the deletion delay interval
  11. Click Show advanced options to specify the LDAP port (if not using the default 389/636)
  12. Click Test to verify the connection settings
  13. Click Save to store the configuration changes

If the connection test fails, double-check the settings provided, revise as necessary, and test again.

Step 3. Add users

  1. To immediately discover and add users, select Sync Now. Otherwise, users will sync at the next polling cycle. 

The initial sync may take up to an hour, depending on the number of users to be created.

Important Information

Sync: Disabled/deactivated users and public folders are not synced by default in LDAP. Enable the checkboxes to sync disabled/deactivated users and/or public folders.

Custom Filter: Filters are applied to user and group syncs; LDAP search filters are supported

How to disable LDAP Sync

Email Security retains all users when LDAP Sync is disabled. If any users are flagged for deletion, they will still be deleted at the expiration of the deletion delay interval. 

Disable LDAP sync

  1. Log in to https://email.myvipre.com/ using your Administrator credentials

If you have multiple accounts to administer, you will be presented with your list of accounts.

  1. From the Administrator Dashboard, expand the Customers menu, then select Customer List
  2. From the displayed Customer List, select the Customer to which you are adding users
  3. From the customer dashboard, expand the Service Settings menu. Then, select LDAP
  4. On the Connect tab of the LDAP Configuration screen, uncheck the Enable LDAP box
  5. Click Save to store the configuration changes

LDAP sync is now disabled. 

Managing LDAP in Email Cloud

Exceptions

The Exceptions tab is where you can select any name from the User List that you want to exclude from the LDAP sync with VIPRE Email Cloud. This means any exceptions will also be excluded from any custom filters you set up on the Connect tab.


VIPRE Email Security Cloud - LDAP Sync Exceptions

 


To exclude a user, group, or alias from the LDAP sync:

  1. In the User List column, which shows a complete view of your directory server, locate the row with the name of the user, group, or alias you want to exclude
  2. Click the blue arrow in the same row as the name to add that name to the Exception List
  3. Click Save

Additions

The Additions tab allows you to manually add users to include in the LDAP sync. For example, this would be useful for adding any new employees that may need to be added in between syncs.


VIPRE Email Security Cloud - LDAP Sync Additions

 To include an additional user to your LDAP sync:

  1. Type the email address of the user you want to include
  2. Click Add

Users added to your LDAP sync via this method will be listed on this tab. They will also show up in the list under Users in the left-side menu with the source as LDAP.


User Conflicts

The User Conflicts tab will show users that previously synced in the portal but are no longer in the directory server.


VIPRE Email Security Cloud - LDAP Sync User Conflicts

 

Possible actions within this tab are: Delete, Ignore, Export, Deactivate

Example Use-Case

You notice there are two users showing in User Conflicts. Let's say that when you were first setting up LDAP sync, under the Connect tab, you set Delete Users After to 7 days. You're fine with one of the users being deleted because the employee no longer works for your company. The other user, however, is on maternity leave and will be coming back in 12 weeks.

  1. Click the checkbox next to the user and select your desired action.

In the example above, you could use Ignore so that the user will not be deleted after 7 days.


Troubleshooting

Firewall settings - Verify the Email Security IP addresses have been allowed through the network and domain controller firewall. Verify that your Directory Service is reachable through your firewall.

Account credentials - Confirm the correct user account credentials for Username and Password have been provided and are accurate.

Connection successful but users not populating

When the sync process runs, users will begin to appear in the Users view of the Admin portal. Follow the suggestions below if you do not see the users populating in this view as the sync process runs. After allowing up to 30 minutes for the initial sync process to complete, if many users are missing, then please reach out to our Support team for assistance.

Sync Now - Click the Sync Now button on the Connect tab of the LDAP Configuration screen. You should receive a notification message indicating the sync process has been started. 

Managed domain - Verify that the domain is a managed domain for this Email Security account. From the Email Admin portal, navigate to Domains. The domain(s) shown here must match the domain of the LDAP users' primary email addresses.


Entra ID

 

Microsoft Entra ID (Active Directory) is a cloud-based identity and access management service that we've integrated with VIPRE Email Security Cloud, allowing Email Cloud to sync user and group accounts that belong to your managed domain.

Important

Only one directory service can be active and enabled at a time. For example, you can use either Azure or LDAP but not both. Enabling one directory service will disable the other. You will be prompted before saving the new configuration.

When switching from one directory service to the other, previously synced users no longer in the current directory service sync will be considered user conflicts. These users can be found in the User Conflict Tab and are marked for deletion as directed in the Delete User After setting.

 

 

There are two main parts to set up the Entra ID integration with Email Security Cloud.

Part 1 - Configure Entra ID Integration

Follow the steps below to configure Entra ID to integrate with VIPRE Email Security Cloud. These steps all take place in Entra ID and assume you already have a Microsoft Azure account.

Step 1 - New App Registration

  1. Navigate to portal.azure.com and log in with your Microsoft Azure account credentials
  2. On the left-side menu, under Manage, select App registrations
  3. Click New Registration and name your registration
    • Any name will work but it's recommended to use a name that identifies what app you're registering (e.g., in this case, VIPRE Email Cloud)
  4. Click Single tenant
  5. Skip the redirect URI and click Register
 

Step 2 - API Permissions

  1. On the left-side menu, under Manage, select API Permissions
  2. Select Add a permission
  3. Select Microsoft Graph 
    • This is the API that the Email Cloud portal uses to communicate with Azure
  4. Select Application Permissions
  5. Select the following Application Permissions
    • Directory > Directory.Read.All
    • Group > Group.Read.All
    • GroupMember > GroupMember.Read.All
    • User > User.Read.All
  6. Click Add Permissions
  7. Look for the row that shows User.Read, click the ellipses (...) on the right, and select Remove Permission
  8. Click Grant admin consent for <your.tenant.name.here>
 

Step 3 - Certificates & Secrets

  1. In the breadcrumb trail, select the API name

Example showing where to locate the tenant and API names. Your tenant name, and API name, won't match this image.

 

  1. On the left-side menu, select Certificates & secrets
  2. Under Client secrets, click New client secret and fill in the following information:
    • Description - This can be whatever you want
    • Expires - No matter which timeframe you choose, it's important to set a reminder for yourself to both create a new client secret, and save the new client secret into the Azure Connect tab (step 5 below), before expiry. Failure to do so could break the sync between Email Cloud and Entra ID.
  3. Click Add
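
The expiry reminder described above can be automated. The following added example (not VIPRE's or Microsoft's code) reads an app registration in the JSON shape of the Microsoft Graph application object, as printed by az ad app show, and reports which client secrets are expired or close to expiry. The registration data, secret names, and the 30-day warning window are constructed assumptions.

```python
# Added example: report client secret expiry for an app registration.
# Input is assumed to follow the Microsoft Graph application object
# (passwordCredentials[].endDateTime). Sample data below is constructed.
import json
import re
from datetime import datetime, timezone

# Graph timestamps may carry up to 7 fractional digits, which older
# datetime.fromisoformat() versions reject, so the fraction is dropped.
GRAPH_TIME = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z")


def parse_graph_time(value):
    """Parse a UTC timestamp such as 2022-01-31T00:00:00.1234567Z."""
    match = GRAPH_TIME.fullmatch(value)
    if match is None:
        raise ValueError(f"unexpected timestamp: {value!r}")
    parsed = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def secret_report(app_json, now, warn_days=30):
    """Return [(label, status, days_left)] sorted by expiry date.

    status is "expired", "expiring" (within warn_days) or "ok".
    """
    app = json.loads(app_json)
    rows = []
    for cred in app.get("passwordCredentials") or []:
        end = parse_graph_time(cred["endDateTime"])
        # The description is optional, so fall back to the key id.
        label = cred.get("displayName") or cred.get("keyId") or "<unnamed>"
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        rows.append((end, label, status, days_left))
    rows.sort(key=lambda row: row[0])
    return [(label, status, days) for _, label, status, days in rows]


# Constructed sample registration; the ids are placeholders.
SAMPLE_APP = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "VIPRE Email Cloud",
    "passwordCredentials": [
        {"displayName": "vipre-sync-next",
         "keyId": "33333333-3333-3333-3333-333333333333",
         "endDateTime": "2022-07-19T00:00:00Z"},
        {"displayName": None,
         "keyId": "11111111-1111-1111-1111-111111111111",
         "endDateTime": "2022-01-01T00:00:00Z"},
        {"displayName": "vipre-sync-2022",
         "keyId": "22222222-2222-2222-2222-222222222222",
         "endDateTime": "2022-01-31T00:00:00.1234567Z"},
    ],
})

if __name__ == "__main__":
    for label, status, days in secret_report(SAMPLE_APP, datetime.now(timezone.utc)):
        print(f"{status:9} {days:5d} days  {label}")
```

Run it on a schedule and alert on any "expiring" row, so that a new secret is created and saved on the Azure Connect tab before the old one lapses.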
 

Step 4 - Gather Necessary Info for VIPRE Email Cloud

 

  1. Open a new text file on your computer and copy/paste the following information from the Microsoft Entra ID portal into the blank text file:
    1. Under Client secrets, copy the Value and paste it into your blank text file
    2. In the breadcrumb trail, select the API, copy the Application (client) ID and paste it into your text file
    3. From the same page, copy the Directory (tenant) ID and paste it into your text file
 

 

Part 2 - Enable and Sync Entra ID

In part two, we'll take what we did in the Entra ID portal and configure it to sync with VIPRE Email Security Cloud.

Step 5 - Connect

 

  1. In a separate browser tab, navigate to your Email Cloud admin portal and log in
  2. On the left-side menu, click Service Settings, then select Directory Services
  3. On the main page, select Entra ID
  4. Place a checkmark next to Enable Azure Sync
  5. Copy the Directory (tenant) ID from your text file and paste it into the Tenant Domain field
  6. Copy the Application (client) ID from your text file and paste it into the Client ID field
  7. Copy the Client secret from your text file and paste it into the Client Secret field
  8. Select a Sync Frequency from the dropdown menu
    • The default sync frequency is 6 hours
  9. Select an amount of time to Delete Users After from the dropdown menu; see the User Conflicts section below for more details
    • The default is 7 days
  10. Click the checkbox if you want to include disabled/deactivated user accounts in your sync
    • This is unchecked by default
  11. If you want to include Custom Filters, enter those in the text field here
    • Custom Filters are only applied to syncs of users. Groups are not included.
    • For full details, including supported custom filters and examples of queries, visit Custom Filters for use with Entra ID Sync to open a new browser tab
  12. Click Save in the bottom right
  13. Click Test in the bottom left to verify the connection
    • If successful, a green message will appear in the top-right "Azure Connection test was passed"
    • If unsuccessful, a red message will appear in the top-right "Azure Connection test failed"
      • Verify the Tenant Domain, Client ID, and Client Secret were copied correctly from the Azure portal
  14. Click Sync Now
    • A green message will appear in the top-right "Azure sync has successfully started"

Once the sync has completed, you will be able to see all of your users by clicking Users in the left-side menu. Looking in the Source column, you will be able to tell which users were added via Azure.

VIPRE Email Security Cloud - Users (user list showing Azure as the source)

Congratulations! You have successfully configured Entra ID to sync with VIPRE Email Security Cloud! Continue reading below to learn how to further manage your Entra ID integration.

Managing Entra ID in Email Cloud

Exceptions

The Exceptions tab is where you can select any name from the User List that you want to exclude from the Entra ID sync with VIPRE Email Cloud. This means any exceptions will also be excluded from any custom filters you set up on the Connect tab.

 

VIPRE Email Security Cloud - Entra ID Sync Exceptions 
 

To exclude a user, group, or alias from the Entra ID sync:

  1. In the User List column, which shows a complete view of your directory server, locate the row with the name of the user, group, or alias you want to exclude
  2. Click the blue arrow in the same row as the name to add that name to the Exception List
  3. Click Save
 

Additions

The Additions tab allows you to manually add users to include in the Entra ID sync. For example, this would be useful for adding any new employees that may need to be added in between syncs.

 

VIPRE Email Security Cloud - Entra ID Sync Additions
 

 To include an additional user to your Entra ID sync:

  1. Type the email address of the user you want to include
  2. Click Add

Users added to your Entra ID sync via this method will be listed on this tab. They will also show up in the list under Users in the left-side menu with the source as Azure.

 

 

User Conflicts

The User Conflicts tab will show users that previously synced in the portal but are no longer in the directory server.

 

VIPRE Email Security Cloud - Entra ID Sync User Conflicts

 

Possible actions within this tab are: Delete, Ignore, Export, Deactivate

Example Use-Case

You notice there are two users showing in User Conflicts. Let's say that when you were first setting up Entra ID sync, under the Connect tab, you set Delete Users After to 7 days. You're fine with one of the users being deleted because the employee no longer works for your company. The other user, however, is on maternity leave and will be coming back in 12 weeks.

 

  1. Click the checkbox next to the user and select your desired action.

In the example above, you could use Ignore so that the user will not be deleted after 7 days.


Manual

When adding users manually, you can either use a .csv file to create many users at once or add users one at a time in the portal. Click on your chosen method below.

Import from .csv File

Importing users from a Comma-Separated Values (CSV) file allows you to create many users at once.

Sample CSV and XLS files

Located on the Import Users tab in the product, VIPRE provides sample files so that you may use the correct format for exporting your existing user list. If you are using an Excel file to export from, you must save it as a CSV file in order to import it into VIPRE.

To import users from a CSV file

  1. From the customer dashboard, expand the Users menu. Then, select Import Users
  2. Perform one of the following:
    • Use the file browser to select a CSV file, or...
    • Drag and drop a CSV file onto the Upload CSV file area, or...
    • In your CSV file editor (such as Excel), highlight user data and copy it, then paste it into the Paste CSV data section
  3. At the bottom of the screen, select Review Import
  4. When finished, select Save
 
 

Add via Online Portal

  1. In the navigation pane, expand the Users menu, then select Users.
  2. On the right side of the Users panel, select the green + plus sign.
  3. In the Add:User panel, fill out the information in all required fields.
  4. (Optional) You can add additional information (phone numbers, notes, etc.) by selecting the Additional checkbox.
  5. Once completed, select Save
  6. (Optional) You can edit Settings, Quarantine, Filtering, and Routing information on a per-user basis. 
  7. Confirm the user information is correct, then select Close

Repeat steps 2–5 to add additional users. 

 
 

 

 
 

 

When ready, click the next step below.

Next Step - Verify or Edit your Mail Server Address

 
 

 

When ready, click the next step below.

Next Step - Allow VIPRE IP Ranges

 
 

Allow VIPRE IP Ranges Through Your Firewall (On Prem)

Now that you've updated your MX records, you should reconfigure your firewall(s) ...

For VIPRE Email Security to work, all of your inbound emails must be routed through the service, and VIPRE must be able to deliver your email to the place where you will read it. 

Test Inbound Routing

  1. From within the VIPRE Email Cloud portal, navigate to Service Settings on the left-side menu
  2. Select Inbound Routing
  3. Click the refresh icon on the right

Configure your Firewall

Important

Follow the instructions below if the SMTP connectivity test fails (Status: Error)

 
  1. Reconfigure your firewall(s) to block email from all other possible sources (i.e. you can restrict access to only VIPRE Email Security servers)
  2. Accept the server IP addresses below

North America

Subnet IP           Subnet Mask        Net Mask  IP Range
208.70.128.0        255.255.248.0      /21       208.70.128.0–208.70.135.255
72.35.12.0          255.255.255.0      /24       72.35.12.0–72.35.12.255
72.35.23.0          255.255.255.0      /24       72.35.23.0–72.35.23.255

UK

Subnet IP           Subnet Mask        Net Mask  IP Range
192.162.216.0       255.255.252.0      /22       192.162.216.0–192.162.219.255
208.70.128.0        255.255.248.0      /21       208.70.128.0–208.70.135.255
72.35.12.0          255.255.255.0      /24       72.35.12.0–72.35.12.255
72.35.23.0          255.255.255.0      /24       72.35.23.0–72.35.23.255
2a01:77c0:1619::0   ffff:ffff:ffff::   /48       2a01:77c0:1619::0–2a01:77c0:1619:ffff:ffff:ffff:ffff

Denmark

Subnet IP           Subnet Mask        Net Mask  IP Range
185.38.180.0        255.255.252.0      /22       185.38.180.0–185.38.183.255
2a01:77c0:1180::    ffff:ffff:fffc::   /46       2a01:77c0:1180::–2a01:77c0:1183:ffff:ffff:ffff:ffff:ffff
89.104.206.0        255.255.254.0      /23       89.104.206.0–89.104.207.255
2a01:77c0:0006::    ffff:ffff:fffe::   /47       2a01:77c0:0006::–2a01:77c0:0007:ffff:ffff:ffff:ffff:ffff
192.162.216.0       255.255.252.0      /22       192.162.216.0–192.162.219.255
2a01:77c0:1619::0   ffff:ffff:ffff::   /48       2a01:77c0:1619::0–2a01:77c0:1619:ffff:ffff:ffff:ffff

Sweden

Subnet IP           Subnet Mask        Net Mask  IP Range
185.38.180.0        255.255.252.0      /22       185.38.180.0–185.38.183.255
2a01:77c0:1180::    ffff:ffff:fffc::   /46       2a01:77c0:1180::–2a01:77c0:1183:ffff:ffff:ffff:ffff:ffff
89.104.206.0        255.255.254.0      /23       89.104.206.0–89.104.207.255
2a01:77c0:0006::    ffff:ffff:fffe::   /47       2a01:77c0:0006::–2a01:77c0:0007:ffff:ffff:ffff:ffff:ffff
192.162.216.0       255.255.252.0      /22       192.162.216.0–192.162.219.255
2a01:77c0:1619::0   ffff:ffff:ffff::   /48       2a01:77c0:1619::0–2a01:77c0:1619:ffff:ffff:ffff:ffff

The network addresses above will attempt to deliver email to your servers on the standard SMTP port (25).

By allowing the IP addresses above, mail coming from both VIPRE's primary and secondary data centers will be able to reach your network.

 

When ready, click the next step below.

Next Step -  Update MX records

 
 

Update Your MX Records

This article explains the MX (Mail eXchange) record settings you will need to red...

Redirect Inbound Mail to VIPRE

After your account is provisioned and you've allowed VIPRE IP ranges to connect to your internal mail server (if required), you will need to redirect all inbound emails to VIPRE Email Security for processing. VIPRE is configured to accept all mail for the client domain and relay that mail to the IP/FQDN for your mail server (listed in the Inbound Routing section of the dashboard). 

The Internet Domain Name Service (DNS) helps mail senders determine where to deliver email destined for a particular domain. For example, which servers to send email to when sending to john.doe@vipre.com. In this example, the MX (Mail eXchange) records related to 'vipre.com' are looked up in the DNS system, and the sender then delivers the email to the servers listed in those MX records.

Update your MX records

MX records are typically maintained by your DNS registrar, and you will have to log in to your provider's management console or contact them to update your records.

Determine your DNS registrar using Who.Is

If you forget who your DNS registrar is, you can easily find out.

  1. Visit Who.Is - https://who.is/
  2. Enter your domain name into the form
  3. Record your registrar information

VIPRE Email MX records

You can locate the VIPRE Email MX records within the Email Cloud portal by clicking on the Getting Started button in the top right-hand corner. Provide your DNS registrar with that information, based on your location.

 

When ready, click the next step below.


 
 

Block Other Email Sources

This article serves as a final step in the allow/block workflow, reminding admins...

Block non-VIPRE Email Sources

Blocking additional sources of email allows the VIPRE product to protect you as intended; if other sources of email are allowed into your network, that defeats the purpose of protecting your email with VIPRE.

Select the appropriate option below for details on how to block non-VIPRE sources.

On-Premises

After email is flowing through VIPRE and no other solution, we highly recommend locking down your mail server to only accept mail from VIPRE.

By locking down your server to accept only port 25 connections from the VIPRE IP range, you ensure all inbound mail must be filtered through VIPRE before reaching your server.

Allowed VIPRE IP ranges can be found here.

Microsoft 365

To ensure the deliverability of your filtered mail from the VIPRE platform, it is recommended that a receive connector is created on your Microsoft 365 account.

  1. In the Microsoft 365 Admin Center, find Mail Flow, then select Connectors
  2. Click the icon
  3. Select Partner Organization in the From: dropdown menu
  4. Select Office 365 or Microsoft 365 in the To: dropdown menu
  5. Name your connector and click Next
  6. Select Use the sender's IP address and click Next
    • VIPRE IP ranges can be found here
  7. Select whether or not to enforce TLS
  8. Click Save 


Google Workspace (formerly G Suite)

  1. From your Google Admin console, select Apps, then Google Workspace, and Gmail
  2. Scroll down and select Advanced Settings
  3. Scroll down to Inbound Gateway
  4. Hover the cursor to the right of Inbound Gateway
    • To create a new Inbound Gateway setting, select Configure
    • To edit an existing setting, select Edit
  5. Under Gateway IPs, enter the information for each gateway and select Add
    • VIPRE IP ranges can be found here

 

When ready, click the next step below.

Next Step - Configure Outbound Mail Flow 

 
 
Configure Outbound Mail Flow

 

Next Step - Setup or Modify SPF 

 
 

Next Step - Add-ons

 
 
Now that you've configured the fundamentals of Email Security Cloud, you may have some of our add-ons, depending on your package.

https://success.vipre.com/email-security-cloud-addons

 
 
 
 
 
 


Add or Edit a Mail Server Address

You may have already provided your mail server address during the purchase process. If not, you can check or update your mail server address by following these steps.

Add a Mail Server IP Address or Domain

As a reminder, this is the destination mail server IP address where you want email to be delivered. VIPRE needs this address in order to deliver mail to your server.

  1. From the Customer Dashboard, expand the Service Settings menu
  2. Select Inbound Routing.
  3. Select Add Site, at the bottom of the page
  4. A box will open called Site Information; enter a description for the mail server you are configuring, e.g. “Hosted Server” or “Clearwater Office”
  5. Select the Default Site checkbox if this entry is going to be the primary delivery point
  6. Click the plus sign (+) to enter the mail server IP address (preferred) or customer domain
  7. Confirm the Port and Priority are correct and select the blue checkmark to confirm
  8. When done, select Save 

Important 

You can create Multiple Sites with multiple server entries if you have a client with multiple domains, each having a different Server Delivery point. For assistance setting up multiple sites, contact Support.

 

 

Edit an Existing Mail Server Address

  1. From the Customer Dashboard, expand the Service Settings menu
  2. Select Inbound Routing
    • You'll see a list of all mail servers currently set up and you can verify the IP address or domain, port, and priority
  3. If you need to make any changes:
    1. Click the pencil/edit icon 
    2. The Site Information box will appear
      • Select the pencil/edit icon again to make changes, or...
      • Select the trashcan icon to delete the existing mail server, then...
      • Click the plus sign + to add a new mail server
    3. Click Save

When ready, click the next step below.

Next Step - Allow VIPRE IP Ranges

 
 


Allow VIPRE IP Ranges

For VIPRE Email Security to work for you, all of your inbound email must be routed through the service, and VIPRE must then be able to deliver your email to the place where you will read it.

Test Inbound Routing

  1. From within the VIPRE Email Cloud portal, navigate to Service Settings on the left-side menu
  2. Select Inbound Routing
  3. Click the refresh icon on the right

Click here if the SMTP connectivity test fails (Status: Error)

Configure your Firewall

  1. Reconfigure your firewall(s) to block email from all other possible sources (i.e. you can restrict access to only VIPRE Email Security servers)
  2. Accept the server IP addresses below

North America

Subnet IP Subnet Mask Net Mask IP Range
208.70.128.0 255.255.248.0 /21 208.70.128.0–208.70.135.255
72.35.12.0 255.255.255.0 /24 72.35.12.0–72.35.12.255
72.35.23.0 255.255.255.0 /24 72.35.23.0–72.35.23.255

UK

Subnet IP Subnet Mask Net Mask IP Range
192.162.216.0 255.255.252.0 /22 192.162.216.0–192.162.219.255
208.70.128.0 255.255.248.0 /21 208.70.128.0–208.70.135.255
72.35.12.0 255.255.255.0 /24 72.35.12.0–72.35.12.255
72.35.23.0 255.255.255.0 /24 72.35.23.0–72.35.23.255

Denmark

Subnet IP Subnet Mask Net Mask IP Range
185.38.180.0 255.255.252.0 /22 185.38.180.0–185.38.183.255
2a01:77c0:1180:: ffff:ffff:fffc:: /46 2a01:77c0:1180::–2a01:77c0:1183:ffff:ffff:ffff:ffff:ffff
89.104.206.0 255.255.254.0 /23 89.104.206.0–89.104.207.255
2a01:77c0:0006:: ffff:ffff:fffe:: /47 2a01:77c0:0006::–2a01:77c0:0007:ffff:ffff:ffff:ffff:ffff
192.162.216.0 255.255.252.0 /22 192.162.216.0–192.162.219.255

Sweden

Subnet IP Subnet Mask Net Mask IP Range
185.38.180.0 255.255.252.0 /22 185.38.180.0–185.38.183.255
2a01:77c0:1180:: ffff:ffff:fffc:: /46 2a01:77c0:1180::–2a01:77c0:1183:ffff:ffff:ffff:ffff:ffff
89.104.206.0 255.255.254.0 /23 89.104.206.0–89.104.207.255
2a01:77c0:0006:: ffff:ffff:fffe:: /47 2a01:77c0:0006::–2a01:77c0:0007:ffff:ffff:ffff:ffff:ffff
192.162.216.0 255.255.252.0 /22 192.162.216.0–192.162.219.255

The network addresses above will attempt to deliver email to your servers on the standard SMTP port (25).

By allowing the IP addresses above, mail coming from both VIPRE's primary and secondary data centers will be able to reach your network.
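Once the firewall accepts port 25 only from the ranges above, the mail server's own log shows whether anything still reaches it directly. The following is an added example, not VIPRE's code: it assumes a Postfix-style `connect from host[address]` log line, the sample log is constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# CIDR blocks copied from the region tables above, as published on this page.
VIPRE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "208.70.128.0/21", "72.35.12.0/24", "72.35.23.0/24",  # North America, UK
    "192.162.216.0/22",                                    # UK, Denmark, Sweden
    "185.38.180.0/22", "89.104.206.0/23",                  # Denmark, Sweden
    "2a01:77c0:1180::/46", "2a01:77c0:6::/47",             # Denmark, Sweden (IPv6)
)]

# Assumption: loopback sessions (local submission, monitoring) are expected.
EXPECTED_LOCAL = [ipaddress.ip_network(c) for c in ("127.0.0.0/8", "::1/128")]

# Postfix smtpd logs each inbound session as "connect from host[address]".
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from \S*\[([0-9A-Fa-f:.]+)\]")


def classify(addr):
    """Return 'vipre', 'local' or 'other' for a textual IPv4/IPv6 address."""
    ip = ipaddress.ip_address(addr)
    # Dual-stack listeners can report IPv4 peers as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip.version == net.version and ip in net for net in VIPRE_RANGES):
        return "vipre"
    if any(ip.version == net.version and ip in net for net in EXPECTED_LOCAL):
        return "local"
    return "other"


def audit(log_lines):
    """Count SMTP sessions per source address that did not come via VIPRE."""
    bypass = Counter()
    for line in log_lines:
        match = CONNECT_RE.search(line)
        if match is None:
            continue  # not a session-open line (e.g. "disconnect from")
        try:
            if classify(match.group(1)) == "other":
                bypass[match.group(1)] += 1
        except ValueError:
            # Keep malformed addresses visible instead of dropping them.
            bypass["unparseable " + match.group(1)] += 1
    return bypass


# Constructed sample log; hosts and addresses are illustrative only.
SAMPLE_LOG = """\
Jan 19 09:00:01 mx1 postfix/smtpd[2101]: connect from unknown[208.70.130.14]
Jan 19 09:00:07 mx1 postfix/smtpd[2102]: connect from mail.example.net[203.0.113.45]
Jan 19 09:00:09 mx1 postfix/smtpd[2102]: disconnect from mail.example.net[203.0.113.45]
Jan 19 09:01:12 mx1 postfix/smtpd[2103]: connect from unknown[2a01:77c0:1182::1a]
Jan 19 09:02:30 mx1 postfix/smtpd[2104]: connect from unknown[72.35.13.9]
Jan 19 09:03:00 mx1 postfix/smtpd[2105]: connect from localhost[127.0.0.1]
Jan 19 09:04:44 mx1 postfix/smtpd[2106]: connect from mail.example.net[203.0.113.45]
Jan 19 09:05:10 mx1 postfix/smtpd[2107]: connect from unknown[2001:db8::25]
Jan 19 09:06:02 mx1 postfix/smtpd[2108]: connect from unknown[::ffff:89.104.207.200]
""".splitlines()

if __name__ == "__main__":
    for source, sessions in audit(SAMPLE_LOG).most_common():
        print(f"{source}: {sessions} session(s) outside the VIPRE ranges")
```

Any address this reports after the lockdown is a path into the mail server that skips filtering: either a firewall rule that is too broad or an old MX record that senders still use.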

 
 

 


Configure Outbound Mail Flow

By configuring outbound mail flow with VIPRE, any mail you send will be scanned and filtered per your policies and will be sent from a safe and reputable IP address which will help you avoid being blacklisted.

After you've configured inbound email so that it is secured by VIPRE Email Security, you may also configure outbound filtering to provide the same protections for outbound email that people in your organization are sending. Outbound filtering provides many of the same security and policy protections as inbound filtering and more. Plus, by sending your email through VIPRE, your mail will appear to come from a safe and reputable IP source that recipients will trust.

Routing of outbound email is similar to routing of inbound email:

In most scenarios, email authored by members of your organization will first be sent to your primary email host/provider (this could be an on-premises Exchange server, or it could be a hosted service), then it is forwarded to VIPRE Email Security. In this paradigm, VIPRE Email Security is acting as the smart relay that will deliver the email to the recipient, a so-called SmartHost. VIPRE will perform a number of filtering and policy matching steps on the email (for example, adding standard disclaimers) and then deliver the email to the ultimate recipient(s).

Configure VIPRE to accept email from your email service/provider

The first step in configuring outbound filtering is to set VIPRE Email Security so that it will accept email from your primary email service or provider. It is important to do this carefully, as a misconfiguration could result in exposing your domain for use by spammers. Essentially, we want to inform VIPRE that it should only accept email sent from specific senders, identified by IP addresses (the hosts that will send email) and domains (the people who will send email).

Important Information

VIPRE Email Security is already pre-provisioned to accept mail from services such as Microsoft 365 or Google Workspace for any mail sent from a domain provisioned on the VIPRE portal,

 

 

Select the appropriate option below:

On-Premises

  1. Log in to https://email.myvipre.com/ using your Administrator credentials.
  2. Expand the Service Settings menu. Then, select Outbound Relay 
  3. Click on the green plus sign (+), which will open a pop-up window
  4. Enter a descriptive name for the server that will be sending email, e.g. “Exchange Server” or “Clearwater Office”
  5. Enter the IP address of the server that will be sending email and select Save
    • You can add additional mail server IPs by clicking the green plus sign (+) and following the above steps
  6. Confirm the Port number and Priority are correct and press the blue check to confirm
  7. When finished, select Save
 
 

Microsoft 365

In order for outbound email from Microsoft 365 to be routed through VIPRE, we need to create a new send connector in Microsoft 365 and point it to VIPRE.

Create a new send connector in Office365

  1. Log in to the Microsoft 365 Exchange Admin Center (EAC)
  2. Select the Admin > Exchange menu
  3. Select the Mail Flow > Connectors menu. Then, select Create a new Connector
  4. Set the mail flow scenario
    1. Select Office 365 from the From: drop-down
    2. Select Partner Organization from the To: drop-down
  5. Select Next
  6. Enter a name and description for the connector. You may also select the checkbox to make the connector active immediately
  7. Select Next
  8. Select the Only when email messages are sent to these domains option
    1. Select the plus (+) to add domains that should use this connector
    2. Enter a value of * (asterisk). This is a wildcard that will route all outbound emails through VIPRE
  9. Select Next
  10. Select the Route email through these smart hosts option 
    1. Select the plus (+) to add your smart host
      • You can find your smart host by clicking Get Started within the VIPRE Email Security portal

    2. Click the Save button
  11. Select Next
  12. Select the checkbox for Always use Transport Layer Security (TLS) to Secure the Connection (recommended)
  13. Select Issued by a trusted certificate authority (CA) from the list
  14. Select Next
  15. Add an email address of a recipient for a domain external to your organization, and select Validate to test
    • If you did not choose to turn the connector on in Step 6, validation of the connector will fail. If your validation results show that the connection was successful, but the email failed to send because "The domain of the recipient is not configured as part of connector" - this may be due to the connector being disabled. Try enabling the connector and re-attempting the validation.
  16. Once Microsoft 365 has been successfully validated, select Save
  17. Once you are happy with mail flow, you may remove the old inbound route from VIPRE that points to the old on-site server if no other domains still use the old route
 
 

Google Workspace (formerly G Suite)

In order for outbound email from Google Workspace to be routed through VIPRE, we need to add an outbound gateway to Google and point it to VIPRE.

  1. Log in to your Google Admin account
  2. Select Apps > Google Workspace > Gmail
  3. Scroll down and select Advanced Settings
  4. In Advanced Settings, scroll down to Outbound gateway and type in your outbound gateway name 
    • You can find your smart host by clicking Get Started within the email portal
  5. In the bottom right of the screen, select Save

 

Important Information

These changes may take up to 1 hour to propagate to all users.

 

 

 
 

 

 

 

When ready, click the next step below.

Next Step - Setup or Modify SPF

 
 

Set up or Modify the Sender Policy Framework (SPF)

VIPRE recommends setting up SPF for your domain to help reduce spam and ensure that your domain reputation is maintained.

Introduction to the Sender Policy Framework

The Sender Policy Framework, or SPF, is a mechanism used to help reduce spam sent to or from your domain. In effect, SPF lets you declare which internet hosts are allowed to send email purporting to be from your domain. This means that spammers can't "hijack" your domain and pretend to be you while sending out their nefarious messages. Similarly, other organizations that have set up SPF can't be spoofed, so you won't get spam that appears to come from their domains.

Follow the steps below to set up or modify SPF to work with VIPRE. 

Set up SPF to work with VIPRE Email Security

When you introduce VIPRE Email Security into your environment as part of a holistic security solution, you will need to account for it when you configure your SPF records. If you are not currently using SPF, this should be relatively easy to set up and you can just follow the instructions below. If you already have SPF set up for your domain, you may need to reconcile your existing SPF records with the suggestions below, adding and removing tokens as appropriate. An example is provided.

SPF is set up by using a TXT type of DNS record, which means you will have to work with your DNS registrar to create or modify these records. If you don't know who your DNS registrar is, refer to Related Articles for more information on updating MX Records.

The following example will simply authorize VIPRE Email Security to send email on behalf of your domain.

v=spf1 include:spf.mailanyone.net -all

If you already have an SPF record set up for your domain, you can usually just add the following statement to the end of the SPF record, before the “all” token:

include:spf.mailanyone.net

Note, however, that if VIPRE Email Security is taking over email delivery for your domain, you may want to remove some or all of your pre-existing authorized senders.

For example, if your current SPF record is:

v=spf1 include:spf.protection.outlook.com -all

You will need to add the new statement to update it to the following:

v=spf1 include:spf.protection.outlook.com include:spf.mailanyone.net -all
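The merge described above can be done mechanically, including the case where the statement was appended after the "all" token, where it is never evaluated. This is an added example, not VIPRE tooling; the function names are hypothetical, and the lookup count covers only the record passed in (nested includes also count toward the limit and need live DNS to resolve).

```python
import re

VIPRE_INCLUDE = "include:spf.mailanyone.net"  # statement given on this page

ALL_RE = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)
# Terms that cost a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_RE = re.compile(
    r"^(?:[+\-~?]?(?:include:|exists:|a(?=$|[:/])|mx(?=$|[:/])|ptr(?=$|:))"
    r"|redirect=)",
    re.IGNORECASE,
)


def split_record(record):
    """Split an SPF TXT value into terms, rejecting non-SPF records."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    return terms


def _is_vipre(term):
    return term.lower() in (VIPRE_INCLUDE, "+" + VIPRE_INCLUDE)


def add_vipre_include(record):
    """Return the record with the VIPRE include placed before the 'all' token."""
    terms = split_record(record)
    all_at = next((i for i, t in enumerate(terms) if ALL_RE.match(t)), None)
    evaluated = terms if all_at is None else terms[:all_at]
    if any(_is_vipre(t) for t in evaluated):
        return " ".join(terms)  # already authorized where it is evaluated
    # A copy stranded after "all" is never tested, so drop it and re-insert.
    terms = [t for t in terms if not _is_vipre(t)]
    if all_at is None:
        # No "all": keep a redirect= modifier last, otherwise append.
        all_at = next((i for i, t in enumerate(terms)
                       if t.lower().startswith("redirect=")), len(terms))
    terms.insert(all_at, VIPRE_INCLUDE)
    return " ".join(terms)


def review(record):
    """Return a list of findings worth checking before publishing the record."""
    terms = split_record(record)[1:]
    findings = []
    lookups = sum(1 for t in terms if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(
            "%d DNS-lookup terms in this record alone; the limit is 10" % lookups)
    alls = [t.lower() for t in terms if ALL_RE.match(t)]
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if alls and alls[0] in ("all", "+all"):
        findings.append("'all' without a '-' or '~' qualifier passes every sender")
    elif not alls and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders evaluate to neutral")
    return findings


if __name__ == "__main__":
    current = "v=spf1 include:spf.protection.outlook.com -all"  # from this page
    updated = add_vipre_include(current)
    print(updated)
    print(review(updated) or "no findings")
```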

 

When ready, click the next step below.

Next Step

 
 

Congratulations! 

You have completed the foundational configuration of Email Security Cloud.

Now, depending on the package you purchased, you may or may not have some of our add-ons.

 

 
 
 
 
 
 
 
 
 
 



Email Advanced Threat Protection + Encryption

Decision Tree

Configure Encryption

VIPRE Email Security Encryption enables your system administrators to encrypt emails automatically.

Encryption Settings

To get to the Encryption settings:

  1. Click on Service Settings
  2. Select Encryption


Settings


  • General - This is enabled by default; click the checkbox to disable or reenable the encryption of replies sent from the encryption portal
  • Policy Description - All of the following policies are disabled by default; includes four pre-defined policies that will trigger encryption under the following circumstances:
    • The email body contains any of the following information:
      • Credit card number
      • US Social Security Number
      • Canadian Social Insurance Number
      • Danish Personal Number
      • Swedish Personal Number
      • Norwegian Personal Number
    • The sensitivity of an Outlook email is set to confidential
    • The subject line of an email is pre-pended with "[encrypt]" (not case-sensitive)
    • An outgoing email sent to a self-created list of addresses or domains
      • To add email addresses or domains for outgoing encryption, enter the address in the text field and select the plus sign

Click Save at the bottom to commit all changes.

Important

You can create additional custom policies:

1. Click on Policies then Advanced Policies

2. Select For Outbound Mail

3. Click Create Policy in the top right corner

4. Under Settings, name your policy

5. Under Rules, add your desired rules

6. Under Actions, select Encryption [STOP] and click Add

7. Click Create Policy 

Branding

The Branding tab allows you to add your organization's identity to outgoing Encryption notifications. 

  • Logo Settings - Upload your organization's custom logo by clicking the blue plus sign; supported file types are .jpg and .png, and the maximum file size is 200KB
    • You can also remove your logo by placing a checkmark next to Remove Image
  • Email Subject - By default, emails that start with the subject line "[Encrypt]" will be encrypted automatically
  • Email Header - Customize text included after the Sender's email address
  • Email Text - Customize any text you want to add to the email body below the Email Button
  • Email Button Link Text - Customize the text of the button
  • Email Button Colour - Customize the color of the aforementioned button



When ready, click the next step below.

  • Next Step - Link Isolation


Configure Link Isolation

To configure the VIPRE Email Security Cloud Link Isolation add-on, complete the following steps:

  1. From your Email Security Cloud admin portal, click on Service Settings in the left-side menu
  2. Select Link Isolation, then select a tab below to learn about the settings for that option

 

VIPRE Recommends

Your experience with Link Isolation is dependent on the options you choose here. Review all of the options below carefully to determine the best action plan for your organization before implementation.

The scanning and analysis processes for Link Isolation can take up to approximately 20-30 seconds. During that time, important steps are taking place - some of these steps include loading the URL into the cloud browser, waiting for all embedded scripts to execute fully, and putting the page through a series of tests. 

You can fine-tune the system by ensuring all sites/domains that are used frequently by your organization and are known to be safe have been added to the Allowed IPs/Domains tab.

 

 

URL Filter Configuration

  1. On the URL Filter Configuration tab, select from the following options:
    • Click-time Protection
      • Enable Deeplink: This option allows Link Isolation to perform deep, cloud-based scanning to analyze malicious URLs and obtain more information; also enables URL categorization and screenshots/previews of malicious URLs
      • Click-Through > Block: Blocks all potentially malicious URLs that have been clicked in the email; the user is unable to proceed to the website
      • Click-Through > Warn and allow override: Displays a warning when potentially malicious URLs have been clicked in the email; gives the option to ignore the warning and proceed to the website
    • URL Rewriting
      • Exclude my own domains: URLs containing any of the domains you've added to your account will not be rewritten
      • Rewrite displayed URLs and underlying links: Visible links shown as URLs will be rewritten; this may alter the appearance of the email as rewritten URLs can be quite long
      • Rewrite URLs in text mode email: Rewrites URLs both in HTML and text mode; this may alter the appearance of the email as rewritten URLs can be quite long
  2. Click Save
 
 

Allowed IPs/Domains

  1. Click on the + plus sign on the left side of the screen
  2. Type the IP address or domain in the text box - when adding multiples, supported separators are commas, semicolons, and spaces
    • Any trusted IP address or domain can be added to this list as Link Isolation does not rewrite IP addresses or Domains on this list
    • VIPRE recommends only adding trusted domains, like domains associated with your organization, to the Allowed IPs/Domains list
  3. Click Save

 
 

Denied IPs/Domains

To add an IP address or domain that you want to deny:

  1. Click on the + plus sign on the left side of the screen
  2. Type the IP address or domain in the text box
    • Any untrusted IP address or domain can be added to this list
  3. Click Save

To search for a previously denied IP address or domain:

  • Type the IP address or domain in the search box and press Enter

To delete a previously denied IP address or domain:

  • Locate the desired IP address or domain and click the trash icon on the right side of the screen
 
 

Templates

  1. This allows you to customize the message that your users see:
    1. When they click on the malicious URL based on whether you chose to Warn and Allow or Block Page under URL Filter Configuration
    2. When attempting to access an IP address or domain that has been denied
  2. Click Save
 
 

Once you've gone through the configuration options detailed in the tabs above, you're ready to enable Link Isolation. 

  1. Scroll to the top of the screen and click the toggle next to Enable Link Isolation in the top-left corner
     

Congratulations! Link Isolation is now configured and enabled. 

 

‍ 

When ready, click the next step below.


  • Next Step - Attachment Sandboxing

Attachment Sandboxing uses advanced sandbox technology to quarantine harmful email attachments that can evade other antivirus or anti-spam software.

Attachment Sandboxing Settings

To get to Attachment Sandboxing settings:

  1. Click on Service Settings
  2. Select Sandboxing

  • Use Attachment Sandboxing default policy - If enabled, this default policy sandboxes all of the following attachment types:
    • .com, .doc, .docm, .docx, .dot, .dotm, .dotx, .exe, .htm, .html, .pot, .potx, .pps, .ppsx, .ppt, .pptx, .rar, .rtf, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .zip
    • .jpeg, .jpg, .pdf, .png (which are also scanned for QR codes that are converted to a URL, which is then checked for malicious behaviors)

Important

If you prefer to use a custom policy, this default policy must be disabled. Refer to Related Articles for details on how to create and enable custom Sandboxing policies.

 
  • Allow users to release emails - If enabled, messages to the end user also contain a link to release delayed emails before the result from the sandbox is known; copies of attachments will still be analyzed; if the sandbox finds malicious attachments before this release link is used, the email cannot be released
    • If disabled, messages to the end user will not contain a release link
  • Send delay notifications - If enabled, notifications about delayed mail will be sent
‍ 

All of the features associated with Email Security Advanced Threat Protection + Encryption have now successfully been configured.


SafeSend with Data Loss Prevention Add-on

Before you get started, you should have received a Welcome email that contains important information you'll need to proceed with this guide. If you haven't received this email, please check your spam folder or contact Support.


Action Needed

You will need to determine if you need the SafeSend Web add-in for or the SafeSend PC add-in with DLP (Data Loss Prevention). Visit our SafeSend comparison chart to help you determine which add-in your organization would most benefit from.



Click on the desired add-in below.

PC Add-in with Data Loss Prevention

Have you ever mistakenly sent an email to the wrong person? Accidentally forwarded attachments with sensitive data? The VIPRE SafeSend PC Add-in is an Outlook add-in that works to prevent those types of mistakes within your organization by requesting manual confirmation from the user when sending emails to recipients outside of your organization.

If you're new to VIPRE SafeSend, this is the place to start. We're here to walk you through deployment with this guided setup. If you haven't seen our product overview and comparison chart though, please visit there first.

 

How SafeSend Works

When installed, SafeSend requires validation each time you send an email to an external recipient. You will need to confirm all external recipients of an email before it leaves the network. Upon hitting “Send” or “Send Secure,” the SafeSend pop-up window will appear. To confirm the recipients or any attached file, click on the checkbox beside each of the external recipients (and file if applicable) and hit the Send button.

What's Included

When you receive your SafeSendArchive-v.r.zip file, it will include the following files:

  • Get_Started_With_SafeSend
    • Helpful information and links to help you get started
  • SafeSendArchive-v.r.m.b.zip (SafeSend PC add-in)
    • Administrative Templates 
      • For use with Group Policy to manage settings when the SafeSend PC add-in has already been deployed
    • Admin Password 
      • Administrative credentials for local access to SafeSend settings
      • Not applicable for Trial licenses
    • SafeSendSetup
      • Installer package (.MSI) for the SafeSend PC/COM add-in
  • SafeSendWebAddinWeb_v.r.m.b (SafeSend Web add-in)
    • SafeSendWebAddinWeb
      • Web server folder
    • End-user License Agreement (EULA)
    • safesend-manifest.XML
      • Editable file where you add your web server domain

For these instructions, you will need everything within the SafeSendArchive-v.r.m.b.zip file mentioned above.

 

Important Terminology

Before we begin, let's define some terms that will show up often within our content.

 

Initial Install
The local installation of SafeSend that allows you to apply configurations and customizations before deployment to the end-users

Deploy / Deployment
The distribution of SafeSend after all configurations and customizations have been applied to a newly generated MSI (Microsoft Installer)

Customize / Customization
The modification of specific SafeSend features

Configure / Configuration
The use of settings within SafeSend to change its behavior

 

 

 

Complete Setup Checklist

To get you started with VIPRE SafeSend, we've created a checklist to get you from the initial install to configuration and customization, and finally end-user deployment.

Step How to accomplish (with links to the respective articles)
1. Initial Install Initial Install of VIPRE SafeSend
2. Customize
  • Add License Key
    • After purchase
    • Not applicable with a trial license
  • Set Administrator Password
    • Not applicable with a trial license
  • Add your Organization's Logo
    • Optional
  • Prevent End-Users from Disabling VIPRE SafeSend
3. Configure
  • Configure VIPRE SafeSend
    • VIPRE SafeSend Settings Reference
  • Configure Data Loss Prevention Content Scanning
    • Optional Module; not applicable to all SafeSend customers
    • Included with a trial license
4. Create a Custom Installer (MSI): Generate a Custom Installer
5. End-User Deploy
  • Individual PC
    • Deploy SafeSend on Individual PCs
  • Group Policy
    • Deploy SafeSend using Group Policy

 

When you are ready, move on to the next step below.



 


 
 

Initial Installation

If you are new to SafeSend and setting it up for the first time, please stop here and navigate to our complete deployment guide.

SafeSend PC add-in can be deployed to end-user PCs individually or using Group Policy, but whether you are planning to use SafeSend on just a couple of computers or in an Enterprise-wide deployment, the first step remains the same: install VIPRE SafeSend locally.


Important Information

SafeSend cannot be installed from a network share drive. You must copy and run the installer locally.

This article is part of the SafeSend PC Add-in Deployment Guide, which includes all successive steps needed for a successful deployment. Please refer to Related Articles for direct links to the deployment guide and other processes pertinent to the one detailed in this article.


Install Locally

Follow these steps to install SafeSend locally, on an individual PC.

  1. Double-click on the installer package
  2. Accept the End-user License Agreement
  3. Click Install

Now that VIPRE SafeSend is installed on your local PC, it's time to make it work specifically for your needs!

The first thing you'll want to do is customize VIPRE SafeSend to your organization. You can do things like setting the Administrative password and adding your organization's logo for a personalized look and feel. Once you've got it customized, then you'll want to take a look at the settings and really configure how you want SafeSend to behave.

We've already discussed the differences between customizing and configuring, so let's get started.



 


 
 

Add your Organization's Logo

You can customize the look and feel of VIPRE SafeSend by uploading a personalized logo. This optional step is a great way to integrate SafeSend with your organization seamlessly.


 

 

Image Requirements

Before uploading your logo, make sure it meets the following requirements:

  • Image size must be no larger than 50x180
  • Image type must be .png

Images with transparent backgrounds are recommended so that your logo matches the rest of SafeSend.

Now that you have an image that meets the above requirements, let's move on to uploading it.

Add Logo

  1. In Outlook, on the top left, click File
  2. Go down to Outlook Options and select Add-Ins
  3. Select Add-in Options
  4. Locate and click Change Logo
  5. Browse to the image you want to use and click Open
  6. Click OK at the bottom

Now, your logo is part of SafeSend!

If you are following the guided setup, click Next Step below to continue to the next part of the SafeSend PC Add-in Deployment Guide. Otherwise, see Related Articles below to learn how to store settings.



 


 
 

Prevent End-users from Disabling VIPRE SafeSend

Let's walk through how you can prevent users from disabling the SafeSend PC add-in.

Outlook 2007-2010

It is possible to prevent users from disabling the SafeSend Add-in in Outlook 2007 or 2010 using the registry key DontDisplayHKLMAddins.

The image below shows how it looks after the registry key DontDisplayHKLMAddins has been set. As can be seen, SafeSend is not visible even though it is loaded. The registry key DontDisplayHKLMAddins can also be set using GPO.

Setting this key affects all HKLM-type add-ins: none of them can be disabled by the end-user anymore. This potential issue is solved in Outlook 2013 or later.

  1. Log in to a normal user account
  2. Using Regedit, open HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook
  3. If the current user does not have a key for "Security", add it
  4. Add the DontDisplayHKLMAddins DWORD value in the Security key. Set the value to 1
  5. In the Manage COM Add-ins dialog, click Go. SafeSend is not visible, even though it is loaded.

There is no need to restart Outlook, since Outlook reads this registry entry when you click the Go button.

Outlook 2013 or Outlook 2016

It is possible to prevent users from disabling the SafeSend Add-in in Outlook 2013 or Outlook 2016 using Group Policy.

The image below shows how it looks after the group policy setting is enabled. A user cannot uncheck the “SafeSend Outlook Add-in” checkbox, as can be seen in the text marked in red.

  1. Open Group Policy and check that the Office 2013/2016 Administrative Templates are installed
    • If the templates are installed, you will see “Microsoft Outlook 2013/2016” in the User Configuration > Administrative Templates > Microsoft Outlook 2013 > Miscellaneous path
    • If the templates are not installed, you can download the templates from Microsoft. View this Microsoft article for help installing the template
  2. Enable the “List of managed add-ins” policy setting
  3. Enter “zzz.SafeSend” (the add-in's ProgID) and 1 for the Value in this setting. You can also click the “Show” button above to get the dialog below. The value 1 means that SafeSend cannot be disabled by users.

An alternative way to achieve this is to push a registry key manually using GPO; see below for the path.

For Outlook 2013, the “16.0” part of the path should be replaced with “15.0”. Please note that the registry type should be REG_SZ. This can also be tested on a single machine by creating the registry key in regedit. If GPO is being used, make sure there is no conflict with another GPO that is configuring the same setting using administrative templates.




 


 
 

Configure VIPRE SafeSend

If you want to get started using SafeSend with the default configuration, you can skip this step.


 

 

VIPRE SafeSend Settings

There are two ways to get to VIPRE SafeSend's settings, depending on whether you are using a trial or have purchased a full license.

If using a trial license

  1. Select Trial Settings in the Confirmation window pop-up
  2. In the Logic tab, click on the arrows next to Advanced, Commonly used, and Special cases to see options available to you
  3. Refer to our settings reference for full details on how to use all settings

If using a full license

  1. In Outlook, on the top left, click File
  2. Go down to Outlook Options and select Add-Ins
  3. Select Add-in Options
  4. Click Edit Settings, which allows you to customize the behavior of VIPRE SafeSend
  5. In the Logic tab, click on the arrows next to Advanced, Commonly used, and Special cases to see options available to you
  6. Refer to our settings reference for full details on how to use all settings
 

Helpful Information

While we do provide a comprehensive settings reference to help determine what makes the most sense for your organization, we understand that it can be a little overwhelming. To help make things a little easier for you, VIPRE SafeSend ships with the settings we recommend already configured by default. However, because each organization has unique needs, we suggest going through the settings reference, specifically the Commonly Used and Advanced sections, to ensure SafeSend is set up appropriately for your organization.

If you'll be deploying VIPRE SafeSend via Group Policy and will be moving forward with the default configuration, we've included ADMX/ADML files (administrative templates) in the SafeSendArchive-v.r.m.b.zip file you downloaded that will allow you to push changes to your organization after it's been deployed.



 


 
 

Configure Data Loss Prevention

VIPRE SafeSend can prevent sensitive information from being sent out to the wrong client. 


 

 

Within VIPRE SafeSend, DLP (Data Loss Prevention) has three important features:

  • Client Keyword/Domain Scanning allows you to identify a set of client keywords or regular expressions and associate those with a set of client domains or individual email addresses 
  • DLP Content Scanning presents sensitive content to the user, allowing the user to determine if the email should be blocked or sent with additional confirmation
  • DLP Scan Password-Protected Attachments allows SafeSend to detect password-protected .zip files and prompt the user to add the password and decrypt the file so it can scan the attachment

It can scan emails and attachments for specific client keywords or regular expressions and require agent confirmation.

Client Keyword and Domain Scanning 

Define Client Data

The client keyword/domain data is configured in Edit Settings, under the Data Loss Prevention (DLP) tab, and stored in the setting SS_ClientKeywordDomainList; it can contain thousands of lines of client/customer data. The principle is that you can identify a set of client keywords or regular expressions and associate those with a set of client domains. Instead of domains, it is also possible to specify individual email addresses as approved recipients.

Syntax: 
Client1Keyword1,Client1Keyword2,…:Client1Domain1,Client1Domain2,… 
Client2Keyword1,Client2Keyword2,…:Client2Domain1,Client2Domain2,…

Example: 
Apple,AAPL:apple.com 
Microsoft,MSFT:microsoft.com

Display Popup only when Client Data is Found

It is possible to use the setting OnlyPopupForDLPMatch to configure SafeSend to display its confirmation window only when client data has been found in the email.

Supported Attachment File Types

  • Text: csv, txt
  • PDF: pdf
  • HTML: html, xhtml
  • Word: doc, docx
  • PowerPoint: pptx, ppsx, pptm, ppt, pot, pps
  • Excel: xls, xlsx, xlsm, xlt, xltx, xltm
  • RTF: rtf
  • ZIP: zip (recursively)

Sending to Non-client Recipients

The user is required to type “CONFIRM” in order to send client data to a non-client external domain.

Sending to Approved Recipients

No additional confirmation is required except confirming the external recipient.

Sending Non-client Data Externally

What happens, in this case, depends on the OnlyPopupForDLPMatch setting. If it is enabled then the SafeSend confirmation window will not be displayed. If it is disabled, which is the default behavior, then SafeSend will still show its normal confirmation window. The below screenshot is thus displayed only if OnlyPopupForDLPMatch = 0.
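The client keyword/domain behaviour described above, modelled as an added example (not VIPRE's code). The outcome labels, the internal_domain parameter, case-insensitive keyword matching and the rule that a recipient must be approved for every matched client are assumptions; the first two list lines are the page's example and the third is constructed.

```python
import re

# First two lines: the page's example. Third line: constructed, to show an
# individual email address used as the approved recipient.
SAMPLE_LIST = """\
Apple,AAPL:apple.com
Microsoft,MSFT:microsoft.com
Contoso,CNTS:legal@contoso.example
"""


def parse_client_list(text):
    """Parse keyword/domain lines into (compiled keywords, approved set) pairs."""
    clients = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # Assumption: the last ':' separates keywords from recipients, since a
        # keyword regex may contain ':' but a domain or address may not.
        keywords_raw, sep, approved_raw = line.rpartition(":")
        keywords = [k.strip() for k in keywords_raw.split(",") if k.strip()]
        approved = {a.strip().lower() for a in approved_raw.split(",") if a.strip()}
        if not sep or not keywords or not approved:
            raise ValueError("line %d: expected keywords:domains" % number)
        # Assumption: every keyword is applied as a case-insensitive regex.
        compiled = [re.compile(k, re.IGNORECASE) for k in keywords]
        clients.append((compiled, approved))
    return clients


def decide(clients, text, recipients, internal_domain, only_popup_for_dlp_match=False):
    """Return 'no_popup', 'confirm_recipients' or 'type_CONFIRM' (labels are ours)."""
    external = [r.lower() for r in recipients
                if not r.lower().endswith("@" + internal_domain.lower())]
    if not external:
        return "no_popup"  # nothing leaves the organisation
    matched = [approved for keywords, approved in clients
               if any(k.search(text) for k in keywords)]
    if not matched:
        # Non-client data: the outcome depends on OnlyPopupForDLPMatch.
        return "no_popup" if only_popup_for_dlp_match else "confirm_recipients"
    for recipient in external:
        domain = recipient.rsplit("@", 1)[-1]
        for approved in matched:
            if recipient not in approved and domain not in approved:
                return "type_CONFIRM"  # client data to a non-client recipient
    return "confirm_recipients"  # approved recipients: normal confirmation only


if __name__ == "__main__":
    clients = parse_client_list(SAMPLE_LIST)
    for body, to in [
        ("AAPL forecast attached", ["cfo@apple.com"]),
        ("AAPL forecast attached", ["pm@microsoft.com"]),
        ("Contoso merger draft", ["sales@contoso.example"]),
        ("Lunch on Friday?", ["friend@example.net"]),
    ]:
        print(to, "->", decide(clients, body, to, "example.org"))
```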

 

Password Protected Files or Invalid Files

SafeSend displays password-protected files or invalid files in the DLP output table. Password protection is detected on Word, Excel, PowerPoint, PDF, and ZIP files.

Scanning Email Notification

The Scanning Email notification is displayed when OnlyPopupForDLPMatch is enabled and SafeSend is busy scanning large files. The default time-out for large files is 10 seconds (see ContentScanningTimeoutMS), after which SafeSend posts an error message in the dialog saying that the content scan timed out.

 

DLP Content Scanning

Sensitive content is presented to the user, and you can define if the email should be blocked, or if the user can send the email after an additional confirmation.

Here you can see that SafeSend scanned an email's content and attachments finding potential Social Security and Credit Card numbers. 

Sensitive Content

When you use DLP with VIPRE SafeSend, this is the type of content it looks for within your emails:

  • Strings such as ‘Confidential’, ‘Internal’, ‘Restricted’ and ‘Sensitive’.
  • US Social Security Number (SSN)
  • Credit Card number (VISA, MasterCard, American Express, Diners Club, …)
  • Standard health identification card number (NPI)
  • Vehicle Identification Number (VIN)
  • UK health identification number (NHS, CHI)
  • UK national insurance number (NINO)

SafeSend Actions

Once VIPRE SafeSend finds what it's looking for, it performs the following actions:

  • Inform the user
  • Require confirmation from the user in the form of a checkbox
  • Require confirmation from the user by the text “CONFIRM”
  • Deny sending the email

Supported Content Types

VIPRE SafeSend supports the following types of documents and attachments:

  • Email content (body)
  • Email subject
  • Attachment filename
  • Attachment file types (scans inside attachments)
    • Text: csv, txt
    • PDF: pdf
    • HTML: html, hxtml
    • Word: doc, docx
    • PowerPoint: pptx, ppsx, pptm, ppt, pot, pps
    • Excel: xls, xlsx, xlsm, xlt, xltx, xltm
    • RTF: rtf
    • ZIP: zip (fully recursive)
    • MSG: msg (fully recursive)

DLP Policy

Policy Syntax

The DLP policies are defined using the following syntax:

[policy_name]:[file_types_to_scan]:[action_upon_match]:[regular_expression]

Options for ‘file_types_to_scan’:

  • “all”
  • “all_excl_pdf”
  • “email_content”
  • “email_subject”
  • “file_name”
  • “csv”, “txt”, “pdf”, “html”, “hxtml”, “doc”, “docx”, “rtf”, “xls”, “xlsx”, “xlsm”, “xlt”, “xltx”, “xltm”, “pptx”, “ppsx”, “pptm”, “ppt”, “pot”, “pps”

Options for ‘action_upon_match’:

  • “inform”
  • “confirm”
  • “confirm_text”
  • “deny”

If you'd like to go straight to configuring DLP, you can skip the policy examples and come back to them if necessary.

Policy Examples

Case-insensitive detection of the string “confidential” in all content types, requiring user confirmation. The policy is named “Confidential”.

Confidential:all:confirm:(?i)confidential

Case-insensitive detection of the string “confidential” in specific content types. The results are displayed to the user and require no confirmation. The policy is named “Confidential”.

Confidential:email_subject,email_content,doc,docx:inform:(?i)confidential

VISA credit card rule that requires a user confirmation for all content types. The policy is named “VISA”. 

VISA:all:confirm:4(?<=\b(?<!\.)4)\d{3}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b

 

Regular Expressions (regex)

Generic:

Confidential:all:confirm:(?i)confidential 
Internal:all:confirm:(?i)internal 
Restricted:all:confirm:(?i)restricted 
Sensitive:all:confirm:(?i)sensitive

Credit cards:

Visa: 4(?<=\b(?<!\.)4)\d{3}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b 
Mastercard 1: 5(?<=\b(?<!\.)5)[1-5]\d{2}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b 
Mastercard 2: 5(?<=\b(?<!\.)5)([\W\s][1-5])([\W\s]\d){14}\b 
American Express 1: 3(?<=\b(?<!\.)3)(4|7)\d{2}[\W\s]?\d{2}[\W\s]?\d{4}[\W\s]?\d{5}\b 
American Express 2: 3(?<=\b(?<!\.)3)([\W\s](4|7))([\W\s]\d){13}\b 
Diners Club 1: 3(?<=\b(?<!\.)3)(0[0-5]|[68]\d{1})\d{1}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{2}\b 
Diners Club 2: 3(?<=\b(?<!\.)3)[\W\s](0[\W\s][0-5]|[68][\W\s]\d{1})([\W\s]\d){11}\b 
Discover card 1: 6(?<=\b(?<!\.)6)(011|5[0-9]{2})[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\b 
Discover card 2: 6(?<=\b(?<!\.)6)[\W\s](0[\W\s](1[\W\s]){2}|5[\W\s](\d[\W\s]){2})(\d[\W\s]){11}\d\b 
JCB cards 1: (?=[21|18])(2131|1800)[\W\s]?(\d{4}[\W\s]?){2}\d{3}\b 
JCB cards 2: (?=[2|1])(2[\W\s]?1[\W\s]?3[\W\s]?1|1[\W\s]?8[\W\s]?0[\W\s]?0)([\W\s]?\d){10}\b 
JCB cards 3: 35(?<=\b(?<!\.)35)\d{2}[\W\s]?(\d{4}[\W\s]?){3}\b 
JCB cards 4: 3(?<=\b(?<!\.)3)[\W\s]?5[\W\s]?(\d[\W\s]?){13}\d\b


Standard health identification card number (NPI):

(?<!\d)\d{10}(?!\d)|80840\d{10}(?!\d)

 

Vehicle Identification Number (VIN): 

[0-9A-HJ-NPR-Z]{17}


US Social Security Number (SSN): 

([^0-9-]|^)([0-9]{3}-[0-9]{2}-[0-9]{4})([^0-9-]|$)


UK health identification number (NHS, CHI): 

\b([1-9]{1}[0-9]{2}\s?-?[0-9]{3}\s?-?[0-9]{4})\b

(([^\w\t]?\s)?(-)?\d){10}

(([^\w\t]?\s)?(_)?\d){10}

(([^\w\t]?\s)?\d){10}


UK national insurance number (NINO): 

[A-CEGHJ-NOPR-TW-Z]{2}[0-9]{6}[ABCD\s]{1}


Irish PPS number: 

\W?\d{7}[a-zA-Z]{1,2}\W


Other

SSNorHSA:all:confirm:([^0-9-]|^)([0-9]{3}[0-9]{2}[0-9]{4})([^0-9-]|$) 
DDAorSAV7:all:confirm:([^0-9-]|^)([0-9]{7})([^0-9-]|$) 
DDAorSAV8:all:confirm:([^0-9-]|^)([0-9]{8})([^0-9-]|$) 
HSA:all:confirm:([^0-9-]|^)([0-9]{10})([^0-9-]|$)


Health

Birthday:all:confirm:((?i)Birth Date|DOB|Patient Date of Birth|Patient DOB|Patient_DOB) 
RX:all:confirm:((?i)rx_number|RxNumber) 
Patient Name:all:confirm:((?i)pa_first_name|pa_last_name|patient_first|patient_last|Patient First|Patient First Name|Patient Last|Patient Last Name|first_name|last_name|Patient Address|Patient Full Name|Patient Middle Name|Patient Middle Initial) 
Patient Identifier:all:confirm:((?i)Patient Email|Patient experience on drug|patient experience on drug(DELETE)|Patient Gender|Patient height|Patient ID (Internal Reporting)|Patient interest|patient phone #|patient state|patient weight|patient work phone #|patient zip) 
PHI:all:confirm:((?i)PHI Consent Date|PHI Consent signed|Prescription Sub-Status Code) 
HUB ID:all:confirm:((?i)HUB Identifier|HUB Patient ID) 
Identifiers:all:confirm:((?i)Patient_Genotype|Fibrosis Score|Patient Weight|Prescription Transfer|Product Form|Quality of Life Scale|Record Date/Timestamp|SPP Patient Identifier) 
ICD:all:confirm:((?i)ICD9|ICD-9|ICD10|ICD-10|ICD)

 

 

Configuring DLP Content Scanning

VIPRE recommends that you test your DLP rules before deployment using the live testing window. To do this, follow the steps below.

  1. Access the live testing window at File > Options > Add-ins > Add-In Options > SafeSend > Edit Settings
  2. Use the setting ContentScanningRules in the ADMX/ADML files for configuration via Group Policy. This setting can be used to push out new rules to all client machines. In the registry, the setting is named SS_ContentScanningRules, which can also be used for testing settings locally:
HKEY_LOCAL_MACHINE\SOFTWARE\{WOW6432Node}\SafeSend\SS_ContentScanningRules
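One way to pre-check a rule list offline before it goes into ContentScanningRules, as an added example (not VIPRE's code): it parses each line against the policy syntax above, rejects unknown file types or actions, and reports which rules fire on a constructed message. Python's re module stands in for SafeSend's regex engine, which this page does not name, so a pattern that compiles here still needs a run in the live testing window; the function names, the action ordering and the sample data are assumptions.

```python
import re
from dataclasses import dataclass

# Values the page lists for file_types_to_scan and action_upon_match.
SCOPES = {
    "all", "all_excl_pdf", "email_content", "email_subject", "file_name",
    "csv", "txt", "pdf", "html", "hxtml", "doc", "docx", "rtf",
    "xls", "xlsx", "xlsm", "xlt", "xltx", "xltm",
    "pptx", "ppsx", "pptm", "ppt", "pot", "pps",
}
# Assumption: the page's listing order runs from least to most restrictive.
ACTIONS = ["inform", "confirm", "confirm_text", "deny"]


class RuleError(ValueError):
    """A line that does not follow name:file_types:action:regex."""


@dataclass(frozen=True)
class Rule:
    name: str
    scopes: frozenset
    action: str
    pattern: "re.Pattern"

    def applies_to(self, content_type):
        # Assumption: "all" covers every content type, "all_excl_pdf" all but pdf.
        if "all" in self.scopes:
            return True
        if "all_excl_pdf" in self.scopes and content_type != "pdf":
            return True
        return content_type in self.scopes


def parse_rule(line):
    # Split on the first three colons only: the regex itself may contain ':'.
    fields = line.strip().split(":", 3)
    if len(fields) != 4:
        raise RuleError("expected 4 colon-separated fields, got %d" % len(fields))
    name, scopes_raw, action, regex = fields
    if not name:
        raise RuleError("empty policy name")
    scopes = frozenset(s.strip() for s in scopes_raw.split(","))
    unknown = sorted(scopes - SCOPES)
    if unknown:
        raise RuleError("unknown file type(s): " + ", ".join(unknown))
    if action not in ACTIONS:
        raise RuleError("unknown action: %r" % action)
    try:
        pattern = re.compile(regex)
    except re.error as exc:
        raise RuleError("regex does not compile here: %s" % exc)
    return Rule(name, scopes, action, pattern)


def lint(lines):
    """Return (rules, problems); problems are (line_number, message) pairs."""
    rules, problems = [], []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rules.append(parse_rule(line))
        except RuleError as exc:
            problems.append((number, str(exc)))
    return rules, problems


def evaluate(rules, message):
    """message maps a content type to its text; returns (strictest action, hits)."""
    hits, strictest = [], None
    for rule in rules:
        for content_type, text in message.items():
            if rule.applies_to(content_type) and rule.pattern.search(text):
                hits.append((rule.name, content_type))
                if strictest is None or ACTIONS.index(rule.action) > ACTIONS.index(strictest):
                    strictest = rule.action
    return strictest, sorted(hits)


# Constructed rule set: lines 1-2 are the page's examples, line 3 wraps the page's
# SSN regex in a policy (scope and action chosen here), lines 4-5 are malformed.
SAMPLE_RULES = [
    r"Confidential:email_subject,email_content,doc,docx:inform:(?i)confidential",
    r"VISA:all:confirm:4(?<=\b(?<!\.)4)\d{3}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b",
    r"SSN:all_excl_pdf:confirm_text:([^0-9-]|^)([0-9]{3}-[0-9]{2}-[0-9]{4})([^0-9-]|$)",
    r"ICD:all:confirm(?i)ICD-?10",         # missing ':' before the regex
    r"Notes:email_body:inform:(?i)draft",  # 'email_body' is not a listed type
]
# Constructed message, keyed by content type (test card number, made-up SSN).
SAMPLE_MESSAGE = {
    "email_subject": "Q3 invoice",
    "email_content": "Card on file: 4111 1111 1111 1111 (confidential).",
    "pdf": "Applicant SSN 123-45-6789",
    "txt": "Applicant SSN 123-45-6789",
}

if __name__ == "__main__":
    rules, problems = lint(SAMPLE_RULES)
    for number, reason in problems:
        print("line %d rejected: %s" % (number, reason))
    print(evaluate(rules, SAMPLE_MESSAGE))
```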


The ContentScanningLicenseKey needs to be set to a valid license key in a production deployment (not in a trial or POC).

 

Important

Encrypted MS Office documents are decrypted by Office, not by SafeSend. Depending on your computer and network connection, this could take longer than the default scan timeout. You’ll need to increase the content scanning timeout to allow enough time for the document to be opened, the password to be entered, and the scan to complete.

To increase the default scan timeout, update the following setting:

ContentScanningTimeoutMS

It’s set to 10000ms (10 seconds) by default.

 

 




 


 
 

Store Settings

When you are deploying VIPRE SafeSend throughout your organization for the first time, this content walks you through the process of using the Store Settings option to permanently save your settings and build a new .msi installer that's been explicitly customized for the needs of your organization.

Helpful Information

Other occasions when you may need to generate a custom installer include:

  • Making changes to the configuration on individual PCs
  • Making changes to the configuration on roaming profiles in your Group Policy
  • Updating the license key on individual PCs after initial purchase when your trial ends
  • Updating the license key on individual PCs after extending your full license key for another year

Build .MSI

  1. In Outlook, on the top left, click File
  2. Go down to Outlook Options and select Add-Ins
  3. Select Add-in Options
  4. Click Store Settings
  5. Browse to the original .msi installer and click Open
  6. Browse to the location where you want to save the customized .msi installer
    • Create a unique name, so you know the difference between the custom installer and the original installer
  7. Click Save

Now, we need to uninstall from the computer you're on so we can re-install your unique version of VIPRE SafeSend!

Uninstall SafeSend

  1. In Windows, open Control Panel. Under Programs, select Uninstall a program
  2. Locate SafeSend and select Uninstall


 


 
 

Deploy SafeSend using Group Policy

Here we'll walk you through the process of deploying VIPRE SafeSend to your organization via Group Policy.

Create a Distribution Point

The first step in deploying an MSI through Group Policy Objects (GPO) is to create a distribution point on the publishing server.

  1. Log on to the server as an Administrator
  2. Create a shared network folder to house the MSI installer package
  3. Set the folder permissions to allow access to the distribution package
  4. Copy the SafeSend MSI to the shared folder

Create a Group Policy Object

The SafeSend .MSI is a per-machine package and should, therefore, be assigned per-machine. SafeSend will then be installed silently for all computers when the machines start.

  1. Navigate to Start > Programs > Administrative Tools > Group Policy Management Console
  2. Locate the domain/OU to which you wish to link the new GPO
  3. Right-click on your selected domain/OU and select Create a GPO in this domain, and Link it here…
  4. Name the new policy, e.g. “SafeSend DLP Outlook Add-In”
  5. On the left side of the screen, select the GPO
  6. Under Scope > Security Filtering, add the desired groups, users and computers
  7. Right-click on the new GPO and select Edit
  8. Expand Computer Configuration > Policies > Software Settings > Software installation
  9. Right-click Software installation, and select New > Package
  10. In the Open dialog, enter the full UNC path of the shared package you want to assign
    • Be sure to use the UNC path, not the Browse button
  11. Click Open
  12. Click Assigned > OK. The package will be added to the right pane of the Group Policy window
    • When the client computers start-up, the assigned package will be installed automatically

Congratulations! VIPRE SafeSend PC add-in has now been successfully deployed to the end-users in your organization.

‍ 

Deploy SafeSend on Individual PCs

Warning

SafeSend cannot be installed from a network share drive. You must copy and run the installer locally.

On each PC you want to install VIPRE SafeSend on, double-click on the installer package, then:

  1. Accept the End-user License Agreement
  2. Click Install

Congratulations! VIPRE SafeSend has now been successfully deployed to the end-users in your organization.

 
 
 
 
 

Add License Key

Once you have your license key, follow these instructions to apply it to the VIPRE SafeSend PC add-in.

Important

This article is part of the SafeSend PC Add-in Deployment Guide, which includes all successive steps needed for a successful deployment, including how to make changes to the settings and license key persistent. Please refer to that article or Related Articles below for direct links to the deployment guide and other processes pertinent to the one detailed in this article.

 

 

  1. In Outlook, on the top left, click File
  2. Go down to Outlook Options and select Add-Ins
  3. Select Add-in Options
  4. Select Edit settings... 
  5. Under the Logic tab, click the arrow next to Commonly Used
  6. Look for the field called LicenseKey and paste your license key into the field
  7. Click Close Window at the bottom of the window

You have successfully added your license key!



 


 
 

Set Administrator Password

While you're in trial mode, there is no admin password required. Once you purchase a full license, however, you will need to set an admin password in order to view or change any settings.



To set the password:

  1. In Outlook, on the top left, click File
  2. Go down to Outlook Options and select Add-ins
  3. Select Add-in Options

Under Administrator, you'll notice that all options are grayed out.

  1. Locate the default password in the SafeSend_Admin_Password.PDF file that came in the SafeSendArchive-v.r.m.b.zip
  2. Enter the default password in the Password field
  3. Select Change password
  4. In the Change password window, enter and confirm your new password, then click OK

The password is now saved and will be required when viewing or changing SafeSend settings.



 

Generate a Custom Installer

When you are deploying VIPRE SafeSend throughout your organization for the first time, this content walks you through the process of using the Store Settings option to permanently save your settings and build a new .msi installer that's been explicitly customized for the needs of your organization.

Helpful Information

Other occasions when you may need to generate a custom installer include:

  • Making changes to the configuration on individual PCs
  • Making changes to the configuration on roaming profiles in your Group Policy
  • Updating the license key on individual PCs after initial purchase when your trial ends
  • Updating the license key on individual PCs after extending your full license key for another year

Build .MSI

  1. In Outlook, on the top left, click File
  2. Go down to Outlook Options and select Add-Ins
  3. Select Add-in Options
  4. Click Store Settings
  5. Browse to the original .msi installer and click Open
  6. Browse to the location where you want to save the customized .msi installer
    • Create a unique name, so you know the difference between the custom installer and the original installer
  7. Click Save

Now, we need to uninstall SafeSend from the computer you're on so we can re-install your unique version of VIPRE SafeSend!

Uninstall SafeSend

  1. In Windows, open Control Panel. Under Programs, select Uninstall a program
  2. Locate SafeSend and select Uninstall


 


 
 

Deploy SafeSend using Group Policy

Here we'll walk you through the process of deploying VIPRE SafeSend to your organization via Group Policy.

Create a Distribution Point

The first step in deploying an MSI through Group Policy Objects (GPO) is to create a distribution point on the publishing server.

  1. Log on to the server as an Administrator
  2. Create a shared network folder to house the MSI installer package
  3. Set the folder permissions to allow access to the distribution package
  4. Copy the SafeSend MSI to the shared folder

Create a Group Policy Object

The SafeSend .MSI is a per-machine package and should, therefore, be assigned per-machine. SafeSend will then be installed silently for all computers when the machines start.

  1. Navigate to Start > Programs > Administrative Tools > Group Policy Management Console
  2. Locate the domain/OU to which you wish to link the new GPO
  3. Right-click on your selected domain/OU and select Create a GPO in this domain, and Link it here…
  4. Name the new policy, e.g. “SafeSend DLP Outlook Add-In”
  5. On the left side of the screen, select the GPO
  6. Under Scope > Security Filtering, add the wanted groups, users and computers
  7. Right-click on the new GPO and select Edit
  8. Expand Computer Configuration > Policies > Software Settings > Software installation
  9. Right-click Software Installation, and select New > Package
  10. In the Open dialog, enter the full UNC path of the shared package you want to assign
    • Be sure to use the UNC path, not the Browse button
  11. Click Open
  12. Click Assigned > OK. The package will be added to the right pane of the Group Policy window
    • When the client computers start up, the assigned package will be installed automatically

Congratulations! VIPRE SafeSend PC add-in has now been successfully deployed to the end-users in your organization.

Deploy SafeSend on Individual PCs

Warning

SafeSend cannot be installed from a network share drive. You must copy and run the installer locally.

On each PC you want to install VIPRE SafeSend on, double-click on the installer package, then:

  1. Accept the End-user License Agreement
  2. Click Install

Congratulations! VIPRE SafeSend has now been successfully deployed to the end-users in your organization.

 

Configure DLP (Data Loss Prevention)

VIPRE SafeSend can prevent sensitive information from being sent out to the wrong client. 

Important Information

This article is part of the SafeSend PC Add-in Deployment Guide, which includes all successive steps needed for a successful deployment. Please refer to Related Articles for direct links to the deployment guide and other processes pertinent to the one detailed in this article.

 

 

Within VIPRE SafeSend, DLP (Data Loss Prevention) has three important features:

  • Client Keyword/Domain Scanning allows you to identify a set of client keywords or regular expressions and associate those with a set of client domains or individual email addresses 
  • DLP Content Scanning presents sensitive content to the user, allowing the user to determine if the email should be blocked or sent with additional confirmation
  • DLP Scan Password-Protected Attachments allows SafeSend to detect password-protected .zip files and prompt the user to add the password and decrypt the file so it can scan the attachment

SafeSend can scan emails and attachments for specific client keywords or regular expressions and require agent confirmation.

Client Keyword and Domain Scanning 

Define Client Data

The client keyword/domain data is configured in Edit Settings, under the Data Loss Prevention (DLP) tab, and stored in the setting SS_ClientKeywordDomainList; it can contain thousands of lines of client/customer data. The principle is that you can identify a set of client keywords or regular expressions and associate those with a set of client domains. Instead of domains, it is also possible to specify individual email addresses as approved recipients.

Syntax: 
Client1Keyword1,Client1Keyword2,…:Client1Domain1,Client1Domain2,… 
Client2Keyword1,Client2Keyword2,…:Client2Domain1,Client2Domain2,…

Example: 
Apple,AAPL:apple.com 
Microsoft,MSFT:microsoft.com

Display Popup only when Client Data is Found

It is possible to use the setting OnlyPopupForDLPMatch to configure SafeSend to display its confirmation window only when client data has been found in the email.

Supported Attachment File Types

  • Text: csv, txt
  • PDF: pdf
  • HTML: html, xhtml
  • Word: doc, docx
  • PowerPoint: pptx, ppsx, pptm, ppt, pot, pps
  • Excel: xls, xlsx, xlsm, xlt, xltx, xltm
  • RTF: rtf
  • ZIP: zip (recursively)

Sending to Non-client Recipients

The user is required to type “CONFIRM” in order to send client data to a non-client external domain.

Sending to Approved Recipients

No additional confirmation is required except confirming the external recipient.

Sending Non-client Data Externally

What happens in this case depends on the OnlyPopupForDLPMatch setting. If it is enabled, the SafeSend confirmation window will not be displayed. If it is disabled, which is the default behavior, SafeSend will still show its normal confirmation window. That confirmation window is thus displayed only if OnlyPopupForDLPMatch = 0.
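The client keyword/domain behaviour described in the sections above can be modelled in PowerShell to check a list before it is pushed out. This is an added example, not VIPRE code: the function names, the action labels, the split at the last colon, case-sensitive .NET regex matching and exact domain/address matching are all assumptions.

```powershell
# Added example, not VIPRE code. Assumptions: a line is split at its LAST ':'
# (keywords may be regexes, domains never contain ':'), keywords are .NET
# regexes matched case-sensitively, and approval needs an exact domain or
# address match (no subdomain matching).

function ConvertFrom-ClientKeywordDomainList {
    param([Parameter(Mandatory)][string] $Text)
    foreach ($raw in ($Text -split '\r?\n')) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        $cut = $line.LastIndexOf(':')
        if ($cut -lt 1 -or $cut -eq $line.Length - 1) {
            Write-Warning "Skipping malformed line: $line"
            continue
        }
        [pscustomobject]@{
            Keywords = @($line.Substring(0, $cut) -split ',' |
                         ForEach-Object { $_.Trim() } | Where-Object { $_ })
            Approved = @($line.Substring($cut + 1) -split ',' |
                         ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
        }
    }
}

function Get-SendDecision {
    param(
        [Parameter(Mandatory)][string]   $Content,     # subject, body and extracted attachment text
        [Parameter(Mandatory)][string[]] $Recipients,  # external recipients only
        [Parameter(Mandatory)][object[]] $Clients,     # output of ConvertFrom-ClientKeywordDomainList
        [switch] $OnlyPopupForDLPMatch                 # disabled by default, as on this page
    )
    $hits       = [System.Collections.Generic.List[string]]::new()
    $unapproved = [System.Collections.Generic.List[string]]::new()

    foreach ($client in $Clients) {
        $found = @($client.Keywords | Where-Object { [regex]::IsMatch($Content, $_) })
        if ($found.Count -eq 0) { continue }
        $hits.AddRange([string[]]$found)

        # Client data was found: every recipient must be approved for THIS client.
        foreach ($rcpt in $Recipients) {
            $addr   = $rcpt.Trim().ToLowerInvariant()
            $domain = $addr.Substring($addr.LastIndexOf('@') + 1)
            if ($client.Approved -notcontains $addr -and $client.Approved -notcontains $domain) {
                $unapproved.Add($addr)
            }
        }
    }

    if     ($unapproved.Count -gt 0) { $action = 'TypeConfirmText' }    # user must type CONFIRM
    elseif ($hits.Count -gt 0)       { $action = 'ConfirmRecipients' }  # approved recipients only
    elseif ($OnlyPopupForDLPMatch)   { $action = 'NoPopup' }            # no client data, popup suppressed
    else                             { $action = 'ConfirmRecipients' }  # normal confirmation window

    [pscustomobject]@{
        Action               = $action
        MatchedKeywords      = $hits -join ', '
        UnapprovedRecipients = ($unapproved | Select-Object -Unique) -join ', '
    }
}

# The example list from this page; the messages and recipients are constructed.
$clients = ConvertFrom-ClientKeywordDomainList -Text @'
Apple,AAPL:apple.com
Microsoft,MSFT:microsoft.com
'@

@(
    # Client data sent to an approved recipient
    Get-SendDecision -Clients $clients -Content 'AAPL Q3 forecast attached' -Recipients 'pat@apple.com'
    # Same content, with one recipient outside Apple's approved domains
    Get-SendDecision -Clients $clients -Content 'AAPL Q3 forecast attached' -Recipients 'pat@apple.com', 'sam@microsoft.com'
    # No client data, with the popup limited to DLP matches
    Get-SendDecision -Clients $clients -Content 'Lunch on Friday?' -Recipients 'sam@example.org' -OnlyPopupForDLPMatch
) | Format-Table -AutoSize
```

Because keywords are split on commas, a regular expression that itself contains a comma (for example a `{1,3}` quantifier) cannot be expressed as a single keyword in this model.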

 

Password Protected Files or Invalid Files

SafeSend displays password-protected files or invalid files in the DLP output table. Password protection is detected on Word, Excel, PowerPoint, PDF, and ZIP files.

Scanning Email Notification

The Scanning Email notification is displayed when OnlyPopupForDLPMatch is enabled and SafeSend is busy scanning large files. The default time-out for large files is 10 seconds (see ContentScanningTimeoutMS), after which SafeSend will post an error message in the dialog saying that the content scan timed out.

 

DLP Content Scanning

Sensitive content is presented to the user, and you can define if the email should be blocked, or if the user can send the email after an additional confirmation.

Here you can see that SafeSend scanned an email's content and attachments finding potential Social Security and Credit Card numbers. 

Sensitive Content

When you use DLP with VIPRE SafeSend, this is the type of content it looks for within your emails:

  • Strings such as ‘Confidential’, ‘Internal’, ‘Restricted’ and ‘Sensitive’.
  • US Social Security Number (SSN)
  • Credit Card number (VISA, MasterCard, American Express, Diners Club, …)
  • Standard health identification card number (NPI)
  • Vehicle Identification Number (VIN)
  • UK health identification number (NHS, CHI)
  • UK national insurance number (NINO)

SafeSend Actions

Once VIPRE SafeSend finds what it's looking for, it performs the following actions:

  • Inform the user
  • Require confirmation from the user in the form of a checkbox
  • Require confirmation from the user by the text “CONFIRM”
  • Deny sending the email

Supported Content Types

VIPRE SafeSend supports the following types of documents and attachments:

  • Email content (body)
  • Email subject
  • Attachment filename
  • Attachment file types (scans inside attachments)
    • Text: csv, txt
    • PDF: pdf
    • HTML: html, hxtml
    • Word: doc, docx
    • PowerPoint: pptx, ppsx, pptm, ppt, pot, pps
    • Excel: xls, xlsx, xlsm, xlt, xltx, xltm
    • RTF: rtf
    • ZIP: zip (fully recursive)
    • MSG: msg (fully recursive)

DLP Policy

Policy Syntax

The DLP policies are defined using the following syntax:

[policy_name]:[file_types_to_scan]:[action_upon_match]:[regular_expression]

Options for ‘file_types_to_scan’:

  • “all”
  • “all_excl_pdf”
  • “email_content”
  • “email_subject”
  • “file_name”
  • “csv”, “txt”, “pdf”, “html”, “hxtml”, “doc”, “docx”, “rtf”, “xls”, “xlsx”, “xlsm”, “xlt”, “xltx”, “xltm”, “pptx”, “ppsx”, “pptm”, “ppt”, “pot”, “pps”

Options for ‘action_upon_match’:

  • “inform”
  • “confirm”
  • “confirm_text”
  • “deny”

If you'd like to skip the policy examples and get straight to the configuration of DLP, you can skip past them and come back if necessary.

Policy Examples

Case-insensitive detection of the string “confidential” in all content types, requiring user confirmation. The policy is named “Confidential”.

Confidential:all:confirm:(?i)confidential

Case-insensitive detection of the string “confidential” in specific content types. The results are displayed to the user and require no confirmation. The policy is named “Confidential”.

Confidential:email_subject,email_content,doc,docx:inform:(?i)confidential

VISA credit card rule that requires a user confirmation for all content types. The policy is named “VISA”. 

VISA:all:confirm:4(?<=\b(?<!\.)4)\d{3}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b
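Before rules are pasted into ContentScanningRules, each line can be checked against the policy syntax above and against a few sample strings. This is an added example, not part of the VIPRE product or documentation: Test-DlpPolicyLine and its parameters are hypothetical names, the sample strings are constructed, and it assumes rule patterns follow .NET regular-expression syntax.

```powershell
# Added example, not VIPRE code. Assumption: rule patterns use .NET regex syntax.
$FileTypes = 'all','all_excl_pdf','email_content','email_subject','file_name',
             'csv','txt','pdf','html','hxtml','doc','docx','rtf','xls','xlsx',
             'xlsm','xlt','xltx','xltm','pptx','ppsx','pptm','ppt','pot','pps'
$Actions   = 'inform','confirm','confirm_text','deny'

function Test-DlpPolicyLine {
    param(
        [Parameter(Mandatory)][string] $Line,
        [string[]] $ShouldMatch    = @(),   # samples the rule must flag
        [string[]] $ShouldNotMatch = @()    # samples the rule must leave alone
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Split on the first three colons only; the regex field may itself contain ':'.
    $fields = @($Line.Trim() -split ':', 4)
    if ($fields.Count -ne 4) {
        $problems.Add("expected 4 colon-separated fields, found $($fields.Count)")
    } else {
        $name, $types, $action, $pattern = $fields
        if ([string]::IsNullOrWhiteSpace($name)) { $problems.Add('policy name is empty') }
        foreach ($t in ($types -split ',')) {
            if ($FileTypes -notcontains $t.Trim()) { $problems.Add("unknown file type '$t'") }
        }
        if ($Actions -notcontains $action.Trim()) { $problems.Add("unknown action '$action'") }

        try {
            # The match timeout turns catastrophic backtracking into a reported
            # problem instead of a scan that runs into ContentScanningTimeoutMS.
            $rx = [regex]::new($pattern,
                               [System.Text.RegularExpressions.RegexOptions]::None,
                               [timespan]::FromSeconds(2))
            foreach ($s in $ShouldMatch) {
                if (-not $rx.IsMatch($s)) { $problems.Add("missed sample '$s'") }
            }
            foreach ($s in $ShouldNotMatch) {
                if ($rx.IsMatch($s)) { $problems.Add("false positive on '$s'") }
            }
        } catch {
            $problems.Add("pattern failed: $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{
        Policy   = $fields[0]
        Valid    = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

# Policy examples from this page, followed by three constructed broken lines.
$cases = @(
    @{ Line = 'Confidential:all:confirm:(?i)confidential'
       Hit  = @('Marked CONFIDENTIAL, do not forward'); Miss = @('quarterly newsletter') }
    @{ Line = 'Confidential:email_subject,email_content,doc,docx:inform:(?i)confidential'
       Hit  = @('confidential draft'); Miss = @() }
    @{ Line = 'VISA:all:confirm:4(?<=\b(?<!\.)4)\d{3}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b'
       Hit  = @('card 4111 1111 1111 1111 exp 01/30')   # constructed test number
       Miss = @('ratio 1.4111111111111111') }
    @{ Line = 'Internal:all:confirm(?i)internal';     Hit = @(); Miss = @() }  # missing ':'
    @{ Line = 'Restricted:body:block:(?i)restricted'; Hit = @(); Miss = @() }  # bad type and action
    @{ Line = 'Sensitive:all:confirm:(?i)(sensitive'; Hit = @(); Miss = @() }  # unbalanced '('
)

$cases | ForEach-Object {
    Test-DlpPolicyLine -Line $_.Line -ShouldMatch $_.Hit -ShouldNotMatch $_.Miss
} | Format-Table -AutoSize -Wrap
```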

 

Regular Expressions (regex)

Generic:

Confidential:all:confirm:(?i)confidential 
Internal:all:confirm:(?i)internal 
Restricted:all:confirm:(?i)restricted 
Sensitive:all:confirm:(?i)sensitive

Credit cards:

Visa: 4(?<=\b(?<!\.)4)\d{3}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b 
Mastercard 1: 5(?<=\b(?<!\.)5)[1-5]\d{2}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b 
Mastercard 2: 5(?<=\b(?<!\.)5)([\W\s][1-5])([\W\s]\d){14}\b 
American Express 1: 3(?<=\b(?<!\.)3)(4|7)\d{2}[\W\s]?\d{2}[\W\s]?\d{4}[\W\s]?\d{5}\b 
American Express 2: 3(?<=\b(?<!\.)3)([\W\s](4|7))([\W\s]\d){13}\b 
Diners Club 1: 3(?<=\b(?<!\.)3)(0[0-5]|[68]\d{1})\d{1}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{2}\b 
Diners Club 2: 3(?<=\b(?<!\.)3)[\W\s](0[\W\s][0-5]|[68][\W\s]\d{1})([\W\s]\d){11}\b 
Discover card 1: 6(?<=\b(?<!\.)6)(011|5[0-9]{2})[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\b 
Discover card 2: 6(?<=\b(?<!\.)6)[\W\s](0[\W\s](1[\W\s]){2}|5[\W\s](\d[\W\s]){2})(\d[\W\s]){11}\d\b 
JCB cards 1: (?=[21|18])(2131|1800)[\W\s]?(\d{4}[\W\s]?){2}\d{3}\b 
JCB cards 2: (?=[2|1])(2[\W\s]?1[\W\s]?3[\W\s]?1|1[\W\s]?8[\W\s]?0[\W\s]?0)([\W\s]?\d){10}\b 
JCB cards 3: 35(?<=\b(?<!\.)35)\d{2}[\W\s]?(\d{4}[\W\s]?){3}\b 
JCB cards 4: 3(?<=\b(?<!\.)3)[\W\s]?5[\W\s]?(\d[\W\s]?){13}\d\b


Standard health identification card number (NPI):

(?<!\d)\d{10}(?!\d)|80840\d{10}(?!\d)

 

Vehicle Identification Number (VIN): 

[0-9A-HJ-NPR-Z]{17}


US Social Security Number (SSN): 

([^0-9-]|^)([0-9]{3}-[0-9]{2}-[0-9]{4})([^0-9-]|$)


UK health identification number (NHS, CHI): 

\b([1-9]{1}[0-9]{2}\s?-?[0-9]{3}\s?-?[0-9]{4})\b

(([^\w\t]?\s)?(-)?\d){10}

(([^\w\t]?\s)?(_)?\d){10}

(([^\w\t]?\s)?\d){10}


UK national insurance number (NINO): 

[A-CEGHJ-NOPR-TW-Z]{2}[0-9]{6}[ABCD\s]{1}


Irish PPS number: 

\W?\d{7}[a-zA-Z]{1,2}\W


Other

SSNorHSA:all:confirm:([^0-9-]|^)([0-9]{3}[0-9]{2}[0-9]{4})([^0-9-]|$) 
DDAorSAV7:all:confirm:([^0-9-]|^)([0-9]{7})([^0-9-]|$) 
DDAorSAV8:all:confirm:([^0-9-]|^)([0-9]{8})([^0-9-]|$) 
HSA:all:confirm:([^0-9-]|^)([0-9]{10})([^0-9-]|$)


Health

Birthday:all:confirm:((?i)Birth Date|DOB|Patient Date of Birth|Patient DOB|Patient_DOB) 
RX:all:confirm:((?i)rx_number|RxNumber) 
Patient Name:all:confirm:((?i)pa_first_name|pa_last_name|patient_first|patient_last|Patient First|Patient First Name|Patient Last|Patient Last Name|first_name|last_name|Patient Address|Patient Full Name|Patient Middle Name|Patient Middle Initial) 
Patient Identifier:all:confirm:((?i)Patient Email|Patient experience on drug|patient experience on drug(DELETE)|Patient Gender|Patient height|Patient ID (Internal Reporting)|Patient interest|patient phone #|patient state|patient weight|patient work phone #|patient zip) 
PHI:all:confirm:((?i)PHI Consent Date|PHI Consent signed|Prescription Sub-Status Code) 
HUB ID:all:confirm:((?i)HUB Identifier|HUB Patient ID) 
Identifiers:all:confirm:((?i)Patient_Genotype|Fibrosis Score|Patient Weight|Prescription Transfer|Product Form|Quality of Life Scale|Record Date/Timestamp|SPP Patient Identifier) 
ICD:all:confirm:((?i)ICD9|ICD-9|ICD10|ICD-10|ICD)

 

 

 Configuring DLP Content Scanning

VIPRE recommends that you test your DLP rules before deployment using the live testing window. To do this, follow the steps below.

  1. Access the live testing window at File > Options > Add-ins > Add-In Options > SafeSend > Edit Settings
  2. Use the setting ContentScanningRules in the ADMX/ADML files for configuration via Group Policy; this setting can be used to push out new rules to all client machines. The setting is named SS_ContentScanningRules in the registry, which can also be used for testing settings locally:
HKEY_LOCAL_MACHINE/SOFTWARE/{WOW6432Node}/SafeSend/SS_ContentScanningRules


The ContentScanningLicenseKey needs to be set to a valid license key in a production deployment (not in a trial or POC).

 

Important

Encrypted MS Office documents are decrypted by Office, not by SafeSend. Depending on your computer and network connection, this could potentially take longer than the default scan timeout. You’ll need to increase the content scanning timeout to allow enough time for the document to be opened, the password to be entered, and the scan to complete.

To increase the default scan timeout, update the following setting:

ContentScanningTimeoutMS

It’s set to 10000ms (10 seconds) by default.

 

 


Web Add-in

Have you ever mistakenly sent an email to the wrong person? Accidentally forwarded attachments with sensitive data? The VIPRE SafeSend Web Add-in is an Outlook add-in that works to prevent those types of mistakes within your organization by requesting manual confirmation from the user when sending emails to recipients outside of your organization.

If you're new to VIPRE SafeSend, this is the place to start. We're here to walk you through deployment with this guided setup. If you haven't seen our product overview and comparison chart though, please visit there first.

 

How SafeSend Works

When installed, SafeSend requires validation each time you send an email to an external recipient. You will need to confirm all external recipients of an email before it leaves the network. Upon hitting “Send” or “Send Secure,” the SafeSend pop-up window will appear. To confirm the recipients or any attached file, click on the checkbox beside each of the external recipients (and file if applicable) and hit the Send button.

What's Included

When you receive your SafeSendArchive-v.r.zip file, it will include the following files:

  • Get_Started_With_SafeSend
    • Helpful information and links to help you get started
  • SafeSendPC_v.r.m.b.zip (SafeSend PC add-in)
    • Administrative Templates 
      • For use with Group Policy to manage settings when the SafeSend PC add-in has already been deployed
    • Admin Password 
      • Administrative credentials for local access to SafeSend settings
      • Not applicable for Trial licenses
    • SafeSendSetup
      • Installer package (.MSI) for the SafeSend PC/COM add-in
  • SafeSendWeb_v.r.m.b (SafeSend Web add-in)
    • End-user License Agreement (EULA)
    • Deployable files
    • packagename.txt
    • SafeSendWebPackagev.r.m.b.zip
  • 3rd Party Libraries.txt
    • Licenses for third-party libraries

For these instructions, you will need everything within the SafeSendWeb_v.r.m.b folder mentioned above.


 
 

 

Install and Configure SafeSend Web Add-in

Install SafeSend Web Add-in

While SafeSend v4.6 will work with any .NET CORE 3.1 capable web server, we recom...

If you are new to SafeSend and setting it up for the first time, please stop here and navigate to our complete deployment guide.

 

SafeSend will work with any .NET CORE 6.0 capable web server. Please note if you are using IIS, you'll need to download and install the .NET Core Hosting Bundle found here.

 

Important

Microsoft requires the site where the add-in is hosted to be SSL-secured.

 

Deploying the SafeSend web add-in can take up to 12 hours to propagate across the network.

 

Any changes made to Settings.json require the website to be restarted to take effect. This should be done outside of normal operating hours to avoid potential service interruptions.

 

When deploying multiple instances of the SafeSend server, you'll need to provide a strong password with a minimum length of 16 characters using the following setting: "ApiSecret": "<YOUR_API_SECRET>",

 

 

Step 1: Graph API Setup


Web Add-in: Microsoft Graph API Setup for SafeSend

These instructions are for admins utilizing the SafeSend Web Add-in with Microsoft 365. These steps do not apply if you are using Microsoft Exchange Server. 

  1. Sign in to Microsoft Azure Active Directory Admin Center with your administrator credentials
  2. Select New Registration
  3. On the Register an Application page, set the following values:
    • Name: VIPRE SafeSend Graph API Resource
    • Supported account types: Accounts in any organizational directory (any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox, etc)
    • In the Redirect URI section, select Web from the drop-down menu, then set URI to your SafeSend site URL using the following format: 'https://<yoursafesendsiteurl>/login'
  4. Choose Register
  5. On the SafeSend page, copy and save the Application (client) ID; you'll need this later
  6. Under the Manage section, select Authentication
  7. Under Implicit Grant and Hybrid Flows, check the box next to Access Tokens (used for implicit flows) and ID Tokens, and click Save
  8. Still under the Manage section, select Certificates & Secrets, then Certificate
  9. Under Certificates, select Upload Certificate
    • Select a certificate file (.cer extension) and enter a value for Description 
      • This is a file you can create yourself or obtain through a third-party certificate authority; it is not provided to you by VIPRE
    • Click Add, then copy and save the Thumbprint value; you'll need this later for a setting called AppCertificateThumbprint
  10. Enter a value for Description, select an appropriate option for Expires, then click Add
  11. Still under Manage, select Expose an API
  12. Choose the Set link that appears after Application ID URI
  13. In the Set App URI panel, change the default value by adding your host before the GUID listed
    • Example: If the default value is api://05adb30e-50fa-4ae2-9cec-eab2cd6095b0, and your app is running on <yoursafesendhost>, the value should be api://<yoursafesendhost>/05adb30e-50fa-4ae2-9cec-eab2cd6095b0
  14. Click Save
  15. Select Add a Scope 
  16. A panel will open; enter access_as_user as the Scope name
  17. Who can consent? should be set to Admins only
  18. Fill in the fields for configuring the admin consent prompt with values that are appropriate for the `access_as_user` scope
    • This enables the Office client application to use your SafeSend add-in's web APIs with the same rights as the current user
    • Examples: 
      • Admin consent display name: Office can act as the user
      • Admin consent description: Enable Office to call the add-in's web APIs with the same rights as the current user
  19. Set State to Enabled
  20. Select Add Scope
  21. In the Authorized client applications section, identify the applications that you want to authorize to your SafeSend add-in's web application
    • Each of the following IDs needs to be pre-authorized:
      • d3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office)
      • ea5a67f6-b6f3-4338-b240-c655ddc3cc8e (Microsoft Office)
      • 57fb890c-0dab-4253-a5e0-7188c88b2bb4 (Office on the web)
      • 08e18876-6177-487e-b8b5-cf950c1e598c (Office on the web)
      • bc59ab01-8403-45c6-8796-ac3ef710b3e3 (Outlook on the web)
  22. For each of the IDs above, take the following steps:
    1. Select the Add a client application button
    2. In the panel that opens, set the Client ID to the respective GUID 
    3. Check the box for api://<yoursafesendhost>/$App ID GUID$/access_as_user
    4. Select Add application
  23. Under Manage, select API Permissions, then Add a Permission
  24. On the panel that opens, choose Microsoft Graph then Delegated Permissions
  25. Using the Select Permissions search box, search for the following permissions
    • Calendars.ReadWrite.Shared
    • Files.ReadWrite
    • Mail.ReadWrite.Shared
    • offline_access
    • openid
    • profile
    • User.Read
  26. Select the checkbox for each permission as it appears; after selecting the permissions, click Add Permissions at the bottom of the panel
  27. On the same page, choose the Grant Admin Consent for [tenant name] button
  28. Select Yes to confirm

Important

After choosing Grant Admin Consent for [tenant name], you may see a banner message asking you to try again in a few minutes so that the consent prompt can be constructed. If you see that message, you can continue to the next step; however, it is important that you do not forget to come back to this step.

 

 

  1. Update the following settings via Azure portal configuration:
    1. Update AppID using the AppID from Step 5 above
    2. Update AppCertificateThumbprint using the certificate thumbprint from Step 9 above
    3. Ensure EmailProviderUrl is set to https://graph.microsoft.com
  2. Navigate to https://<yoursafesendhost>/manifest to download the manifest file

 

Using SafeSend Web Add-in with a Different Tenant than the one you Registered the Application with

In order to use the SafeSend Web Add-in with a different tenant than the one you registered with, you will need access to a tenant administrator account to perform consent for all of your Microsoft 365 users.

  1. Browse to `https://login.microsoftonline.com/common/adminconsent?client_id={AppId}&state=12345`, where `{AppId}` is the application ID shown in your app registration
  2. Sign in with your administrator account then review the permissions and click Accept
  3. The browser will attempt to redirect back to your app, which may not be running
    • You might see a This Site cannot be Reached error after clicking Accept; this is okay as the consent was still recorded
 
 

Step 2: Web Server Setup

Azure-specific instructions

Step 1 - Create the Web App

  1. Navigate to portal.azure.com and log in with your Microsoft Azure account credentials
  2. On the top menu, hover your mouse over App Services and select Create Web App
  3. A new page called Create Web App will load
  4. Select the desired Resource Group from the drop-down menu
  5. Under Instance Details:
    1. Choose a web app name that reflects your use
      1. e.g., For our purposes, we'll use SafeSend8 but you can use any name that you want
    2. Publish - defaults to Code; this can stay as-is
    3. Runtime stack - .NET 6.0 (LTS)
    4. Operating System - choose your preferred operating system to host SafeSend
    5. Region - Select your region
  6. Click Next : Deployment >
  7. On the next page, click Review + Create, then Create

Step 2 - For the next part, you should see confirmation that deployment is complete

  1. Click Go to resource
  2. On the left-side menu, under Settings, select Configuration
  3. Under Application Settings, select +New application setting, enter the names and values below - do not click Deployment Slot Setting, leave that blank - then click OK at the bottom 
    1. Name = WEBSITE_RUN_FROM_PACKAGE; Value = 1
    2. Name = AppID (NOTE: The AppID value should have been obtained during the Graph API setup. If that has not been done, you should complete this now before proceeding.)
    3. Name = AppCertificateThumbprint (NOTE: The AppCertificateThumbprint value should have been obtained during the Graph API setup. If that has not been done, you should complete this now before proceeding.)
    4. Name = LicenseKey; Value = license key obtained when you purchased SafeSend
  4. Click General settings
  5. Set ARR affinity to On
  6. Click Save at the top

Step 3 - Upload the Private Key Certificate

  1. Select Certificates on the left-side menu
  2. Click the Bring your own certificates tab
  3. Choose Add certificate
  4. Browse to the directory where you saved the .pfx file and upload it here


Step 4 - You'll need an FTP Client (like Filezilla) for the next part

  1. On the left-side menu, under Deployment, select Deployment Center
  2. Select FTPS Credentials at the top
  3. Copy the value in the FTPS endpoint field and paste it into the Host address field of your FTP Client
  4. Under Application scope, copy the value in the Username field to the Username field of your FTP Client
  5. Copy the value of the Password field to the Password field of your FTP Client
  6. On your FTP Client, click Connect
  7. After you're connected, under Remote site, create a new directory called Data
    1. Right-click on the new folder Data, and select Create a Directory
    2. A box called Create Directory will open
      • Name your directory based on the Operating System you chose in Step 1.5.d above 
        • Examples: Windows based App Service =  C:\home\Data\sitepackages or Linux based App Service = /data/sitepackages
      • Click OK  
  8. Upload the SafeSendWebPackagev.r.m.b.zip and packagename.txt files found in SafeSendArchive-v.r.m.b.zip\SafeSendWeb_v.r.m.b.zip by dragging them to your FTP Client to copy them to the sitepackages folder

Step 5 - Go back to the browser screen that has Azure open

Refer to the Web Add-in Settings Reference for the following section:

  1. Configure additional settings as desired
    1. Within the App Service, on the left-side menu under Settings, click New application setting
    2. Take the name of the setting from Web Add-in Settings Reference and add it to the Name field
      1. For example, to enable the client keyword domain list setting, you could copy ClientKeywordDomainList from Web Add-in Settings Reference into the Name field of Azure
  2. Determine the appropriate values for each setting using the Web Add-in Settings Reference
  3. Click OK then Save at the top
  4. Click Continue to save changes
  5. On the left-side menu, select Overview, then select Restart at the top
  6. Azure will ask you to confirm that you want to restart SafeSend - click Yes
  7. In the top-right corner, you should see a notification showing the web app has been successfully restarted
  8. You'll see a URL somewhat close to the top-right portion of the screen labeled Default Domain; clicking that URL should open a browser window and take you immediately to the SafeSend website to verify your installation and license status
  9. Append /manifest to the URL to download the manifest.xml file; you will need this manifest or the URL to it when sideloading or deploying the add-in to users
 
 

IIS-specific instructions

Step 1 - Configure IIS

  1. After you have downloaded and extracted the SafeSend Web add-in .zip files, create a folder called SafeSend in the c:\ directory of the server hosting IIS.
  2. Copy the contents from the extracted folder to your new c:\SafeSend
  3. Open Internet Information Services (IIS) Manager
  4. Right-click on Sites
  5. Select Add Website and complete the following properties:
    • Site Name: SafeSend
    • Physical Path: c:\SafeSend
    • In the Binding section:
      • Type: https
      • Add the SSL certificate
      • IP address and port should be according to your needs
         
  6. Click OK
  7. Select Default Website, then click on Stop in the right panel
  8. In the left panel, click Application Pools
  9. Right-click SafeSend
  10. Select Basic Settings
    •  .NET CLR version: No Managed Code
  11. Click OK
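
The Step 1 procedure above can also be scripted with the WebAdministration PowerShell module. This is an added example, not VIPRE's own tooling; the source folder and certificate thumbprint are placeholders, and it assumes the certificate is already installed in the LocalMachine\My store and that the default site still has its stock name, Default Web Site.

```powershell
# Added example: scripted equivalent of "Step 1 - Configure IIS".
# Run in an elevated PowerShell session on the server hosting IIS.
Import-Module WebAdministration

$Source     = 'C:\Temp\SafeSendWeb'     # placeholder: folder with the extracted add-in files
$SitePath   = 'C:\SafeSend'             # folder named in Step 1
$SiteName   = 'SafeSend'
$Port       = 443                       # set IP address and port according to your needs
$Thumbprint = '<CERT-THUMBPRINT>'       # placeholder: certificate in LocalMachine\My

# Fail before touching IIS if the certificate cannot serve HTTPS
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }

# Create C:\SafeSend and copy the extracted files into it
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $SitePath -Recurse -Force

# Dedicated application pool; an empty runtime version is "No Managed Code"
if (-not (Test-Path "IIS:\AppPools\$SiteName")) {
    New-WebAppPool -Name $SiteName | Out-Null
}
Set-ItemProperty -Path "IIS:\AppPools\$SiteName" -Name managedRuntimeVersion -Value ''

# Site with a single https binding, then attach the certificate to that binding
New-Website -Name $SiteName -PhysicalPath $SitePath -ApplicationPool $SiteName `
            -Port $Port -Ssl | Out-Null
(Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($Thumbprint, 'My')

# Stop the default site, as in the manual procedure
Stop-Website -Name 'Default Web Site'

# Show the result for review
Get-Website -Name $SiteName | Format-List Name, State, PhysicalPath, ApplicationPool
```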

Step 2 - Edit the settings.json file

  1. Open the folder created in Step 1
  2. Locate the file called settings.json, right-click it, and open it with Notepad
  3. Adjust the following settings:
    • EmailProviderURL
      • If you are using Microsoft 365, the EmailProviderURL should already be correct
        • The AppID and AppSecret values should have been obtained during the Graph API setup. If that has not been done, you should complete this now before proceeding.
      • If you are using an Exchange Server, you will need to update that setting as appropriate
    • Set LicenseKey
    • Set SafeDomains
    • Set EnablePlatform to True if you will be using Web, PC, or Mac and False for the platforms you will not be using
      • If you are using Microsoft 365, Web Add-in works for all 3 available platforms
      • If you are using Exchange Server, Web Add-in does not work for Outlook for Mac or OWA in Safari
      • If you intend to use both the PC add-in and the Web add-in, set the PC platform to False to avoid double prompts
  4.  Append /manifest to the URL to download the manifest.xml file; you will need this manifest or the URL to it when sideloading or deploying the add-in to users
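
Once edited, settings.json holds the AppSecret and LicenseKey values, so it is worth checking who can read the file. The following added example (not part of VIPRE's documentation) lists the access entries that broad built-in groups hold on the file and its folder; it assumes the C:\SafeSend path from Step 1.

```powershell
# Added example: report broad-group access to settings.json and its folder.
$File = 'C:\SafeSend\settings.json'     # path from Step 1 (assumption: default folder used)

# Well-known SIDs of groups that cover most or all accounts on the server
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $Broad.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $Broad[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadAccess -Path $File) + @(Get-BroadAccess -Path (Split-Path $File))

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    "No Allow entries for Everyone, Authenticated Users or BUILTIN\Users on $File or its folder."
}
```

If entries are reported and you tighten the permissions, keep read access for the identity that the SafeSend application pool runs as.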
 
 

Step 3: Debug Mode

Web Add-in: Debug Mode

SafeSend has an additional logging mode to better assist with tracing environmental issues when running the SafeSend Web Add-in in Microsoft Outlook for Windows.

Enable SafeSend's Debug Mode

If you're using Microsoft Outlook for Windows, you can use the manifestlog file instead of the manifest file to enable SafeSend's debug mode in your email client.

To download the manifestlog, navigate to your SafeSend site at <your SafeSend Site URL>/manifestlog.

Access Log File

  1. From Microsoft Outlook for Windows, select About SafeSend in the ribbon 
  2. Click Download log file

The log file will then be downloaded so you can review it and take any action necessary.

 
 

 

 


 


 
 

 

Add your Logo

SafeSend for Web - Add your Logo

You can customize the look and feel of the VIPRE SafeSend web add-in by uploading your organization's personalized logo. This optional step is a great way to integrate SafeSend with your organization seamlessly.

Image Requirements

Before uploading your logo, make sure it meets the following requirements:

  • Image size must be no larger than 155x40
  • Image type must be .png file type
  • Images with transparent backgrounds are recommended so that your logo matches the rest of SafeSend.

Now that you have an image that meets the above requirements, let's upload it.

Add Logo

Change the following setting to change your logo in Azure or IIS:

Setting: LogoFilePath

Description: File path of the .png file to use for the confirmation logo. Overrides the Logo setting if defined. This may be an absolute or relative path. The path must be accessible from within the context in which the web add-in is running and should be JSON-escaped if it contains characters that need escaping in JSON, e.g. "C:\\logo.png".

Example: "LogoFilePath": "logo.png",

Azure instructions

When using the LogoFilePath setting, please note the path must be accessible from within the context of the Web Add-in.

  1. Upload your logo to your SafeSend site by completing the following:
    1. Copy your logo to a local copy of the SafeSend Web Add-in package directory and create a new .zip package
    2. Use the FTP client of your choosing to upload your logo to the SafeSend Web Add-in package directory on your SafeSend site
  2. In Azure, go to the SafeSend web app you previously created
  3. On the left-side menu, under Settings, click Configuration
  4. Select +New Application
  5. Add new setting LogoFilePath using the following syntax: "LogoFilePath": "logo.png", with logo.png as the image name and extension of the logo image you uploaded in Step 1
  6. Click OK
  7. Click Save
  8. Click Continue

Allow a few minutes after the service restarts for the changes to appear.

 
 

IIS instructions

When using the LogoFilePath setting, please note the path must be accessible from within the context of the Web Add-in.

  1. Open settings.json with administrative privileges using the text editor of your choosing
  2. Locate //"LogoFilePath": "",
  3. Remove the // at the beginning of the line and add the image name and extension of your logo image
    • Example: "LogoFilePath": "logo.png",
  4. Save your changes and restart the SafeSend site

Allow a few minutes after the service restarts for the changes to appear.
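
Before changing LogoFilePath in either Azure or IIS, the image requirements and the JSON escaping described above can be checked in one step. This is an added example, not VIPRE's code; the function name Test-SafeSendLogo is hypothetical, and it reads the dimensions directly from the PNG header.

```powershell
# Added example: check a logo against the stated requirements (.png, no larger
# than 155x40) and print the settings.json line with the path JSON-escaped.
function Test-SafeSendLogo {
    param([Parameter(Mandatory)][string]$Path)

    if ([System.IO.Path]::GetExtension($Path) -ne '.png') {
        throw "Logo must be a .png file: $Path"
    }
    $full  = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path
    $bytes = [System.IO.File]::ReadAllBytes($full)

    # PNG signature (8 bytes) followed by the IHDR chunk: length, 'IHDR', width, height
    $signature = 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A
    if ($bytes.Length -lt 24) { throw "File is too short to be a PNG: $Path" }
    for ($i = 0; $i -lt 8; $i++) {
        if ($bytes[$i] -ne $signature[$i]) { throw "File content is not PNG: $Path" }
    }
    if ([System.Text.Encoding]::ASCII.GetString($bytes, 12, 4) -ne 'IHDR') {
        throw "PNG header chunk is missing: $Path"
    }

    # Width and height are 4-byte big-endian integers at offsets 16 and 20
    $width  = ([int]$bytes[16] -shl 24) -bor ([int]$bytes[17] -shl 16) -bor
              ([int]$bytes[18] -shl 8)  -bor [int]$bytes[19]
    $height = ([int]$bytes[20] -shl 24) -bor ([int]$bytes[21] -shl 16) -bor
              ([int]$bytes[22] -shl 8)  -bor [int]$bytes[23]

    if ($width -lt 1 -or $height -lt 1) { throw "Invalid PNG dimensions in $Path" }
    if ($width -gt 155 -or $height -gt 40) {
        throw "Logo is ${width}x${height}; it must be no larger than 155x40."
    }

    # ConvertTo-Json on a string returns it quoted and escaped (C:\logo.png -> "C:\\logo.png")
    '"LogoFilePath": {0},' -f (ConvertTo-Json -InputObject $Path)
}

# Example call with an absolute path:
# Test-SafeSendLogo -Path 'C:\SafeSend\logo.png'
```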

 
 

Congratulations! Now, your logo is part of SafeSend.

 

 

 


 


 
 

 

Deploy SafeSend Web Add-in


When using the SafeSend web add-in, there are two ways to deploy this to your organization:

  • Microsoft 365
  • Exchange 2019

Refer to the latest release notes for full system requirements.

Centralized Deployment via Microsoft 365 Admin Center

For full, up-to-date details on deploying add-ins in Microsoft 365, visit https://docs.microsoft.com/en-us/microsoft-365/admin/manage/manage-deployment-of-add-ins?view=o365-worldwide.

Deployment via Exchange 2019

For full, up-to-date details on deploying add-ins for Outlook in Exchange, visit https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/add-ins-for-outlook



Congratulations! VIPRE's SafeSend web add-in has now been successfully deployed to the end-users in your organization.
 

 

 
 
 
 

 

 

‍ 


Security Awareness Training for Edge

Before you get started, you should have received a Welcome email that contains important information you'll need to proceed with this guide. If you haven't received this email, please check your spam folder or contact Support.


There are several things that will need to be completed before you are able to deploy VIPRE Security Awareness Training. 

What we need from you

Sometimes it can be confusing to try to figure out what you need to do to get started. Here we eliminate that confusion and lay it all out as simply as possible.

  • Company Name
  • Customer Contact Name
  • Customer Email Address (both primary and admin)
  • Product Selection
  • Number of users/learners
  • List of end-users in a CSV file
  • Confirmation that all prerequisite action items have been completed

The majority of these items are obtained when you respond to the Onboarding/Account Setup email.

Action Items Checklist

On top of the required items above, we've put together a checklist of things you'll need to complete on your end to ensure VIPRE SAT and PhishProof work properly.

Info

The following information discusses white-listing via domain. If your organization prefers to white-list via IP address, please contact us for that information.

 

 

  • Notify your IT department that we will be sending simulated phishing emails from outside of your network
  • The following white-listing tasks must be completed in Intrusion Detection System/Firewall, Client-side Email Filters, and Server-side Email Filters to ensure emails are delivered successfully to the end-user:
    • Domain name of the SMTP Relay used by the application: smtp.mailgun.org
    • Location that hosts the landing pages in your web filtering software (if applicable): *phishproof.com
    • Domains used when sending Phishproof email templates:
  • Adjust any other settings as needed to ensure the simulated phishing emails flow properly to your end-users


What VIPRE takes care of

Once we've received all of the above information from you, we'll get to work on the following:

  • Configuration of VIPRE SAT (Security Awareness Training) with the provided company name and domain
  • Sending a registration email
  • Registration of users with the selected learning path
  • Configuration of automatic bi-weekly reminders for all courses on a predefined cadence
    • e.g., every two weeks, learners will receive automated reminders to complete their courses

 

System Requirements

Browsers

  • Google Chrome 75+
  • Mozilla Firefox 66+
  • Microsoft Edge 89+
  • Apple Safari 13.0.2+

Additional Requirements

  • Required bandwidth per host machine of 4 Mbps download and 0.5 Mbps upload
  • iPad access is supported only for HTML5-based courses in the latest version of iPadOS with Safari
  • Operating System and browser zoom levels at 100%
  • Screen resolution of 1024x768 or 1920x1080
  • Ability to play .mp4 videos

Not Supported

VIPRE User Protection does not officially support training using the following:

  • Thin Clients (Citrix / Virtual Desktops)
  • VPN Connections
  • Proxy Connections
  • Internet Explorer Compatibility mode

PhishProof

Ensure your computers meet the following requirements:

Email Clients

  • MS Outlook 2003+
  • Hotmail
  • Gmail
  • Yahoo Mail
 

Browsers

  • Chrome 71+
  • Firefox 65+
  • Internet Explorer 9+
  • Safari 11.1.2+
 
‍