VIPRE Security Knowledge

Deployment Guide for SafeSend Web Add-in

Super Administrator

Written By Marissa Fegan (Super Administrator)

Updated at January 25th, 2024

Have you ever mistakenly sent an email to the wrong person? Accidentally forwarded attachments with sensitive data? The VIPRE SafeSend Web Add-in is an Outlook add-in that works to prevent those types of mistakes within your organization by requesting manual confirmation from the user when sending emails to recipients outside of your organization.

If you're new to VIPRE SafeSend, this is the place to start. We're here to walk you through deployment with this guided setup. If you haven't seen our product overview and comparison chart though, please visit there first.

 

How SafeSend Works

When installed, SafeSend requires validation each time you send an email to an external recipient. You will need to confirm all external recipients of an email before it leaves the network. Upon hitting “Send” or “Send Secure,” the SafeSend pop-up window will appear. To confirm the recipients or any attached file, click on the checkbox beside each of the external recipients (and file if applicable) and hit the Send button.

What's Included

When you receive your SafeSendArchive-v.r.zip file, it will include the following files:

  • Get_Started_With_SafeSend
    • Helpful information and links to help you get started
  • SafeSendPC_v.r.m.b.zip (SafeSend PC add-in)
    • Administrative Templates 
      • For use with Group Policy to manage settings when the SafeSend PC add-in has already been deployed
    • Admin Password 
      • Administrative credentials for local access to SafeSend settings
      • Not applicable for Trial licenses
    • SafeSendSetup
      • Installer package (.MSI) for the SafeSend PC/COM add-in
  • SafeSendWeb_v.r.m.b (SafeSend Web add-in)
    • End-user License Agreement (EULA)
    • Deployable files
    • packagename.txt
    • SafeSendWebPackagev.r.m.b.zip
  • 3rd Party Libraries.txt
    • Licenses for third-party libraries

For these instructions, you will need everything within the SafeSendWeb_v.r.m.b folder mentioned above.

When you are ready, move on to the next step below.

Next Step

 
 

 

Install and Configure SafeSend Web Add-in

Install SafeSend Web Add-in

While SafeSend v4.6 will work with any .NET CORE 3.1 capable web server, we recom...

If you are new to SafeSend and setting it up for the first time, please stop here and navigate to our complete deployment guide.

 

SafeSend will work with any .NET CORE 6.0 capable web server. Please note if you are using IIS, you'll need to download and install the .NET Core Hosting Bundle found here.

 

Important

Microsoft requires the site where the add-in is hosted to be SSL-secured.

 

Deploying the SafeSend web add-in can take up to 12 hours to propagate the network.

 

Any changes made to Settings.json require the website to be restarted to take effect. This should be done outside of normal operating hours to avoid potential service interruptions.

 

When deploying multiple instances of the SafeSend server, you'll need to provide a strong password with a minimum length of 16 characters using the following setting: "ApiSecret": "<YOUR_API_SECRET>",

 

 

Step 1: Graph API Setup

Click here for Microsoft Graph API Setup

Web Add-in: Microsoft Graph API Setup for SafeSend

These instructions are for admins utilizing the SafeSend Web Add-in with Microsoft 365. These steps do not apply if you are using Microsoft Exchange Server. 

  1. Sign in to Microsoft Azure Active Directory Admin Center with your administrator credentials
  2. Select New Registration
  3. On the Register an Application page, set the following values:
    • Name: VIPRE SafeSend Graph API Resource
    • Supported account types: Accounts in any organizational directory (any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox, etc)
    • In the Redirect URI section, select Web from the drop-down menu, then set URI to your SafeSend site URL using the following format: 'https://<yoursafesendsiteurl>/login'
  4. Choose Register
  5. On the SafeSend page, copy and save the Application (client) ID; you'll need this later
  6. Under the Manage section, select Authentication
  7. Under Implicit Grant and Hybrid Flows, check the box next to Access Tokens (used for implicit flows) and ID Tokens, and click Save
  8. Still, under the Manage section, select Certificates & Secrets, then Certificate
  9. Under Certificates, select Upload Certificate
    • Select a certificate file (.cer extension) and enter a value for Description 
      • This is a file you can create yourself or obtain through a third-party certificate authority; it is not provided to you by VIPRE
    • Click Add, then copy and save the Thumbprint value; you'll need this later for a setting called AppCertificateThumbprint
  10. Enter a value for Description, select an appropriate option for Expires, then click Add
  11. Still, under Manage, select Expose an API
  12. Choose the Set link that appears after Application ID URI
  13. In the Set App URI panel, change the default value by adding your host before the GUID listed
    • Example: If the default value is api://05adb30e-50fa-4ae2-9cec-eab2cd6095b0, and your app is running on <yoursafesendhost>, the value should be api://<yoursafesendhost>/05adb30e-50fa-4ae2-9cec-eab2cd6095b0
  14. Click Save
  15. Select Add a Scope 
  16. A panel will open; enter access_as_user as the Scope name
  17. Who can consent? should be set to Admins only
  18. Fill in the fields for configuring the admin consent prompt with values that are appropriate for the `access_as_user` scope
    • This enables the Office client application to use your SafeSend add-in's web APIs with the same rights as the current user
    • Examples: 
      • Admin consent display name**: Office can act as the user
      • Admin consent description**: Enable Office to call the add-in's web APIs with the same rights as the current user
  19. Set State to Enabled
  20. Select Add Scope
  21. In the Authorized client applications section, identify the applications that you want to authorize to your SafeSend add-in's web application
    • Each of the following IDs needs to be pre-authorized:
      • d3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office)
      • ea5a67f6-b6f3-4338-b240-c655ddc3cc8e (Microsoft Office)
      • 57fb890c-0dab-4253-a5e0-7188c88b2bb4 (Office on the web)
      • 08e18876-6177-487e-b8b5-cf950c1e598c (Office on the web)
      • bc59ab01-8403-45c6-8796-ac3ef710b3e3 (Outlook on the web)
  22. For each of the IDs above, take the following steps:
    1. Select Add a client application button
    2. In the panel that opens, set the Client ID to the respective GUID 
    3. Check the box for api://<yoursafesendhost>/$App ID GUID$/access_as_user
    4. Select Add application
  23. Under Manage, select API Permissions, then Add a Permission
  24. On the panel that opens, choose Microsoft Graph then Delegated Permissions
  25. Using the Select Permissions search box, search for the following permissions
    • Calendars.ReadWrite.Shared
    • Files.ReadWrite
    • Mail.ReadWrite.Shared
    • offline_access
    • openid
    • profile
    • User.Read
  26. Select the checkbox for each permission as it appears; after selecting the permissions, click Add Permissions at the bottom of the panel
  27. On the same page, choose Grant Admin Consent for [tenant name] button
  28. Select Yes to confirm

Important

After choosing Grant Admin Consent for [tenant name], you may see a banner message asking you to try again in a few minutes so that the consent prompt can be constructed. If you see that message, you can continue to the next step, however, it is important that you do not forget to come back to this step.

 

 

  1. Update the following settings via Azure portal configuration:
    1. Update AppID using the AppID from Step 5 above
    2. Update AppCertificateThumbprint using the certificate thumbprint from Step 9 above
    3. Ensure EmailProviderUrl is set to https://graph.microsoft.com
  2. Navigate to https://<yoursafesendhost>/manifest to download the manifest file

 

Using SafeSend Web Add-in with a Different Tenant than the one you Registered the Application with

In order to use the SafeSend Web Add-in with a different tenant than the one you registered with, you will need access to a tenant administrator account to perform consent for all of your Microsoft 365 users

  1. Browse to `https://login.microsoftonline.com/common/adminconsent?client_id={AppId}&state=12345`, where `{AppId}` is the application ID shown in your app registration
  2. Sign in with your administrator account then review the permissions and click Accept
  3. The browser will attempt to redirect back to your app, which may not be running
    • You might see a This Site cannot be Reached error after clicking Accept; this is okay as the consent was still recorded
 
 

Step 2: Web Server Setup

Click here for Azure-specific instructions 

Step 1 - Create the Web App

  1. Navigate to portal.azure.com and log in with your Microsoft Azure account credentials
  2. On the top menu, hover your mouse over App Services and select Create Web App
  3. A new page called Create Web App will load
  4. Select the desired Resource Group from the drop-down menu
  5. Under Instance Details:
    1. Choose a web app name that reflects your use
      1. e.g., For our purposes, we'll use SafeSend8 but you can use any name that you want
    2. Publish - defaults to Code; this can stay as-is
    3. Runtime stack - .NET 6.0 (LTS)
    4. Operating System - choose your preferred operating system to host SafeSend
    5. Region - Select your region
  1. Click Next : Deployment >
  2. On the next page, click Review + Create, then Create

Step 2 - For the next part, you should see confirmation that deployment is complete

  1. Click Go to resource
  2. On the left-side menu, under Settings, select Configuration
  3. Under Application Settings, select +New application setting, enter the names and values below - do not click Deployment Slot Setting, leave that blank - then click OK at the bottom 
    1. Name = WEBSITE_RUN_FROM_PACKAGE; Value = 1
    2. Name = AppID (NOTE: The AppID value should have been obtained during the Graph API setup. If that has not been done, you should complete this now before proceeding.)
    3. Name = AppCertificateThumbprint (NOTE: The AppCertificateThumbprint value should have been obtained during the Graph API setup. If that has not been done, you should complete this now before proceeding.)
    4. Name = LicenseKey; Value = license key obtained when you purchased SafeSend
  4. Click General settings
  5. Set ARR affinity to On
  6. Click Save at the top

Step 3 - Upload the Private Key Certificate

  1. Select Certificates on the left-side menu
  2. Click the Bring your own certificates tab
  3. Choose Add certificate
  4. Browse to the directory where you saved the .pfx file and upload it here


 Step 4 - You'll need an FTP Client (like Filezilla) for the next part

  1. On the left-side menu, under Deployment, select Deployment Center
  2. Select FTPS Credentials at the top
  3. Copy the value in the FTPS endpoint field and paste it into the Host address field of your FTP Client
  4. Under Application scope, copy the value in the Username field to the Username field of your FTP Client
  5. Copy the value of the Password field to the Password field of your FTP Client
  6. On your FTP Client, click Connect
  7. After you're connected, under Remote site, create a new directory called Data
    1. Right-click on the new folder Data, and select Create a Directory
    2. A box called Create Directory will open
      • Name your directory based on the Operating System you chose in Step 1.5.d above 
        • Examples: Windows based App Service =  C:\home\Data\sitepackages or Linux based App Service = /data/sitepackages
      • Click OK  
  1. Upload the SafeSendWebPackagev.r.m.b.zip and packagename.txt files found in SafeSendArchive-v.r.m.b.zip\SafeSendWeb_v.r.m.b.zip by dragging them to your FTP Client to copy them to the sitepackages folder

Step 5 - Go back to the browser screen that has Azure open

Refer to the Web Add-in Settings Reference for the following section:

  1. Configure additional settings as desired
    1. Within the App Service, on the left-side menu under Settings, click New application setting
    2. Take the name of the setting from Web Add-in Settings Reference and add it to the Name field
      1. For example, to enable the client keyword domain list setting, you could copy ClientKeywordDomainList from Web Add-in Settings Reference into the Name field of Azure  
  1. Determine the appropriate values for each setting using the Web Add-in Settings Reference 
  1. Click OK then Save at the top
  2. Click Continue to save changes
  1. On the left-side menu, select Overview, then select Restart at the top
  2. Azure will confirm you are sure you want to restart SafeSend - click Yes
  3. In the top-right corner, you should see a notification showing the web app has been successfully restarted
  4. You'll see a URL somewhat close to the top-right portion of the screen labeled Default Domain; clicking that URL should open a browser window and take you immediately to the SafeSend website to verify your installation and license status
  5. Append /manifest to the URL to download the manifest.xml file; you will need this manifest or the URL to it when sideloading or deploying the add-in to users
 
 

Click here for IIS-specific instructions

Step 1 - Configure IIS

  1. After you have downloaded and extracted the SafeSend Web add-in .zip files, create a folder called SafeSend in the c:\ directory of the server hosting IIS.
  2. Copy the contents from the extracted folder to your new c:\SafeSend
  3. Open Internet Information Services (IIS) Manager
  4. Right-click on Sites
  5. Select Add Website and complete the following properties:
    • Site Name: SafeSend
    • Physical Path: c:\SafeSend
    • In the Binding section:
      • Type: https
      • Add the SSL certificate
      • IP address and port should be according to your needs
         
  6. Click OK
  7. Select Default Website, then click on Stop in the right panel
  8. In the left panel, click Application Pools
  9. Right-click SafeSend
  10. Select Basic Settings
    •  .NET CLR version: No Managed Code
  11. Click OK

Step 2 - Edit the settings.json file

  1. Open the folder created in Step 1
  2. Look for the file called settings.json and right-click on the file and open it with Notepad  
  3. Adjust the following settings:
    • EmailProviderURL
      • If you are using Microsoft 365, the EmailProviderURL should already be correct
        • The AppID and AppSecret values should have been obtained during the Graph API setup. If that has not been done, you should complete this now before proceeding.)
      • If you are using an Exchange Server, you will need to update that setting as appropriate
    • Set LicenseKey
    • Set SafeDomains
    • Set EnablePlatform to True if you will be using Web, PC, or Mac and False for the platforms you will not be using
      • If you are using Microsoft 365, Web Add-in works for all 3 available platforms
      • If you are using Exchange Server, Web Add-in does not work for Outlook for Mac or OWA in Safari
      • If you intend to use both the PC add-in and the Web add-in, set the PC platform to False to avoid double prompts
  4.  Append /manifest to the URL to download the manifest.xml file; you will need this manifest or the URL to it when sideloading or deploying the add-in to users
 
 

Step 3: Debug Mode

Click here to enable Debug Mode

Web Add-in: Debug Mode

SafeSend has an additional logging mode to better assist with tracing environmental issues when running the SafeSend Web Add-in in Microsoft Outlook for Windows.

Enable SafeSend's Debug Mode

If you're using Microsoft Outlook for Windows, you can use the manifestlog file instead of the manifest file to enable SafeSend's debug mode in your email client.

To download the manifestlog, navigate to your SafeSend site at <your SafeSend Site URL>/manifestlog.

Access Log File

  1. From Microsoft Outlook for Windows, select About SafeSend in the ribbon 
  2. Click Download log file

The log file will then be downloaded so you can review it and take any action necessary.

 
 

 

 


 

When you are ready, move on to the next step below.

 

 

Next Step

 
 

 

Add your Logo

SafeSend for Web - Add your Logo

...

You can customize the look and feel of the VIPRE SafeSend web add-in by uploading your organization's personalized logo. This optional step is a great way to integrate SafeSend with your organization seamlessly.

Image Requirements

Before uploading your logo, make sure it meets the following requirements:

  • Image size must be no larger than 155x40
  • Image type must be .png file type
  • Images with transparent backgrounds are recommended so that your logo matches the rest of SafeSend.

Now that you have an image that meets the above requirements, let's upload it.

Add Logo

Change the following setting to change your logo in Azure or IIS:

Setting Description
LogoFilePath

File path of .png file to use for confirmation logo. Overrides Logo setting if defined. This may be an absolute or relative path. The path must be accessible from within the context that the web addin is running and should be json escaped if it contains json characters. I.E. "C:\\logo.png"

 

"LogoFilePath": "logo.png",

Click here for Azure instructions

When using the LogoFilePath setting, please note the path must be accessible from within the context of the Web Add-in.

  1. Upload your logo to your SafeSend site by completing the following:
    1. Copy your logo to a local copy of the SafeSend Web Add-in package directory and create a new .zip package
    2. Use the FTP client of your choosing to upload your logo to the SafeSend Web Add-in package directory on your SafeSend site
  2. In Azure, go to the SafeSend web app you previously created
  3. On the left-side menu, under Settings, click Configuration
  4. Select +New Application
  5. Add new setting LogoFilePath using the following syntax: "LogoFilePath": "logo.png", with logo.png as the image name and extension of the logo image you uploaded in Step 1
  6. Click OK
  7. Click Save
  8. Click Continue

Allow a few minutes after the service restarts for the changes to appear.

 
 

Click here for IIS instructions

When using the LogoFilePath setting, please note the path must be accessible from within the context of the Web Add-in.

  1. Open settings.json with administrative privileges using the text editor of your choosing
  2. Locate //"LogoFilePath": "",
  3. Remove the // at the beginning of the line and add the image name and extension of your logo image
    • Example: "LogoFilePath": "logo.png",
  4. Save your changes and restart the SafeSend site

Allow a few minutes after the service restarts for the changes to appear.

 
 

Congratulations! Now, your logo is part of SafeSend.

 

 

 


 

When you are ready, move on to the next step below.

 

Next Step

 
 

 

Deploy SafeSend Web Add-in

Deploy SafeSend Web Add-in

When using the SafeSend web add-in, there are two ways to deploy this to your org...

When using the SafeSend web add-in, there are two ways to deploy this to your organization:

  • Microsoft 365
  • Exchange 2019

Refer to the latest release notes for full system requirements.

Centralized Deployment via Microsoft 365 Admin Center

For full, up-to-date, details on deploying add-ins in Microsoft 365, visit https://docs.microsoft.com/en-us/microsoft-365/admin/manage/manage-deployment-of-add-ins?view=o365-worldwide.

Deployment via Exchange 2019

For full, up-to-date, details on deploying add-ins for Outlook in Exchange, visit https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/add-ins-for-outlook



Congratulations! VIPRE's SafeSend web add-in has now been successfully deployed to the end-users in your organization.
 

 

 
 
 
 

 

 

Related Articles

Add License Key to SafeSend PC Add-in

Once you have your license key, follow these instructions to apply it to the VIPR...

Deployment Guide for VIPRE SafeSend PC Add-in

Have you ever mistakenly sent an email to the wrong person? Accidentally forwarde...

Store Settings

When you are deploying VIPRE SafeSend throughout your organization for the first ...

Set Admin Password to Protect Settings

While you're in trial mode, there is no admin password required. Once you purchas...