
getting_started_guide

The Forcepoint DLP 9.0 Getting Started Guide provides instructions for configuring the Forcepoint Data Loss Prevention system, including entering a subscription key, setting up the Data Protection Service, and configuring various components such as SMTP and the Web Content Gateway. It outlines the necessary steps for initial setup and integration with other Forcepoint products, ensuring effective data protection. The guide also emphasizes the importance of accurate configurations and offers troubleshooting tips for common setup issues.

Forcepoint DLP 9.0

Getting Started Guide

Revision A
© 2022 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.

Published 26 July 2022

Every effort has been made to ensure the accuracy of this document. However, Forcepoint
makes no warranties with respect to this documentation and disclaims any implied
warranties of merchantability and fitness for a particular purpose. Forcepoint shall not
be liable for any error or for incidental or consequential damages in connection with the
furnishing, performance, or use of this manual or the examples herein. The information in
this documentation is subject to change without notice.
Forcepoint DLP 9.0 | Getting Started Guide

Contents
1 Getting Started with Forcepoint DLP
    Entering a subscription key
2 Configuring the Data Protection Service
3 Configuring the Protector for Use with SMTP
    Set up SMTP in monitoring mode
    Set up SMTP in MTA mode
4 Configuring the Web Content Gateway
    Enter a subscription key in the Content Gateway manager
    Register Content Gateway with Forcepoint DLP
    Configure the Content Gateway policy engine
    Set up Content Gateway
5 Configuring the Analytics Engine
    Reporting and health monitoring options
6 Configuring Third-Party Proxies
    Configuration example: Squid
7 Configuring User Directory Integration
    Define user directory settings
    Configure the directory import
    Rearrange user directory servers
8 Getting Started with File Discovery
    Performing discovery on Micro Focus file systems
    Performing discovery on Windows NFS shares
    Performing discovery on Exchange servers
    Performing discovery on IBM Domino and Notes
9 Configuring Labels
    Import and enable Boldon James Classifier labels
    Import and enable Microsoft Information Protection labels
    Configure an action plan to apply labels
10 Getting Started with the REST API Service

Chapter 1
Getting Started with Forcepoint DLP
Contents

■ Entering a subscription key

After installing Forcepoint DLP, log on to the Forcepoint Security Manager and enter a subscription key (see Entering a
subscription key). Next, follow the initial configuration instructions in the related topics to configure the software.

Related concepts
Configuring the Data Protection Service
Configuring the Protector for Use with SMTP
Configuring Third-Party Proxies
Configuring Labels
Getting Started with the REST API Service

Related tasks
Entering a subscription key
Configuring the Analytics Engine

Related reference
Configuring the Web Content Gateway
Configuring User Directory Integration
Getting Started with File Discovery

Entering a subscription key


To enable Forcepoint DLP configuration, enter a subscription key in the Data Security module of the Forcepoint
Security Manager:

Steps
1) Open a browser and enter the Security Manager URL: https://<IP_address_or_hostname>:9443

2) Enter the User name admin and the password configured during installation, then click Log On.

3) If the Data Security module of the Security Manager is not displayed by default, select Data from the Product
Module drop-down menu to open it.
■ Until a subscription key is entered, a subscription prompt appears automatically.
■ Once a key has been entered, administrators can review subscription information on the Settings >
General > Subscription page.

4) Browse to the subscription file, then click Submit.


Current subscription information is displayed.

5) Click Deploy in the Security Manager toolbar to complete the process.

Chapter 2
Configuring the Data Protection Service
Data Protection Service is a cloud-based DLP analysis service that integrates with the following Forcepoint products:
■ Forcepoint CASB
■ Forcepoint Web Security Cloud
■ Forcepoint Email Security Cloud
Forcepoint Cloud Security Gateway combines Data Protection Service with Forcepoint Web Security Cloud and
Forcepoint CASB to protect your organization in one easy-to-consume service.
■ When Data Protection Service is integrated with Forcepoint Web Security Cloud, web traffic passing through the
cloud gateway is sent to Data Protection Service for DLP analysis.
■ When Data Protection Service is integrated with Forcepoint CASB, the CASB gateway sends user actions in cloud
applications (such as uploading data) to Data Protection Service for DLP analysis.
■ When Data Protection Service finds a breach or potential data loss, the findings are returned to the Web or CASB
gateway for policy enforcement.
■ For more information or to get started with the integration of Forcepoint DLP and Forcepoint Cloud Web or
Forcepoint CASB, see the Forcepoint Cloud Security Gateway Integration Guide.
Data Protection Service for Email (available for Forcepoint DLP version 8.8.2 and later) enables Forcepoint Email
Security Cloud to protect your organization against the threats of malware, spam, and other unwanted content in email
traffic.
■ When Data Protection Service is integrated with Forcepoint Email Security Cloud, email messages that present
potential data loss are sent to Data Protection Service for further inspection. Data Protection Service then returns its
findings to the email cloud service for policy enforcement.
■ For more information or to get started with the integration of Forcepoint DLP and Forcepoint Cloud Email, see the
Forcepoint Email Security Cloud and Forcepoint DLP Integration Guide.

Chapter 3
Configuring the Protector for Use with SMTP
Contents

■ Set up SMTP in monitoring mode
■ Set up SMTP in MTA mode

When the protector is used for monitoring or protecting data transfer in email (SMTP) traffic, it can be configured in
monitoring or MTA mode.
More information about configuring the protector to monitor other protocols can be found in the Forcepoint DLP
Administrator Help.
For initial SMTP configuration instructions, go through the following tasks:

Related tasks
Set up SMTP in monitoring mode
Set up SMTP in MTA mode

Set up SMTP in monitoring mode

Preparing for configuration


The steps in this procedure assume that the protector has already been installed as described in the Forcepoint
DLP Installation Guide, with the following configuration:
■ The time, date, and time zone are precise.
■ Network interface eth0 is mapped and located on the main board.
■ Interface eth0 is connected to the LAN.
Before beginning the configuration process, make sure the protector is powered on.

Configuring the protector


Use the Forcepoint Security Manager to configure the protector to monitor SMTP:

Steps
1) Go to the Settings > Deployment > System Modules page.

2) Select the protector instance.

3) On the General tab, select Enabled.

4) On the Local Networks tab, select Include specific networks, then add all of the internal networks for all
sites.
■ This list is used to identify the direction of the traffic.
■ The mail servers and mail relays should be considered part of the internal network.

5) On the Services tab:


a) Select the SMTP service.

b) On the General tab, set the Mode to Monitoring bridge.

c) On the Traffic Filter tab, set the Direction to Outbound.

d) Click OK.

6) Click OK to save the configuration.

7) Click Deploy to activate the settings.

8) Connect the protector to the outgoing connection and to the organization’s internal network.
This should be done last, after the protector is fully configured.

Set up SMTP in MTA mode

Preparing for configuration


The steps in this procedure assume that the protector has already been installed as described in the Forcepoint
DLP Installation Guide, with the following configuration:
■ The time, date, and time zone are precise.
■ The network interface selected during installation is mapped and located on the main board.
■ The interface is connected to the LAN.
Before beginning the configuration process, make sure the protector is powered on.

Configuring the protector


Configure the protector in the Forcepoint Security Manager:

Steps
1) Go to the Settings > Deployment > System Modules page.

2) Select the protector instance.

3) On the General tab, select Enabled.

4) On the Local Networks tab, select Include specific networks, then add all of the internal networks for all
sites.
■ This list is used to identify the direction of the traffic.
■ The mail servers and mail relays should be considered part of the internal network.

5) On the Services tab:


a) Select the SMTP service.

b) On the General tab, set the Mode to Mail Transfer Agent (MTA).

c) On the Mail Transfer Agent (MTA) tab, set the Operation Mode to Blocking and select the behavior
desired when an unspecified error occurs during analysis.

d) Set the SMTP HELO name. This is required.

e) Set the next hop MTA (for example, the organization’s mail relay), if needed.

f) Set the addresses of all networks that are permitted to relay email messages through the protector.
■ This is required, as it is important that not all networks have permission to send email via the
protector’s SMTP service. Otherwise, the protector can be used as a mail relay.
■ This list should include the addresses of any previous hops, such as the mail server.

6) Click OK to save the configuration.

7) Go to the Main > Policy Management > DLP Policies page.

8) Select a policy rule to use for email management, then click Edit.

9) Complete the fields as follows:


a) Select Destinations, and check the Network Email box.

b) Select Severity & Action, then select an action plan that includes notifications.

Note
For more information about action plans, see the Forcepoint DLP Administrator Help.

c) Click OK to save the policy configuration.

10) Click Deploy to activate the settings.
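
The relay restriction in step 5f can be checked before the list is entered. The following is an added example, not Forcepoint code: it flags catch-all, non-internal and very broad entries and confirms that each previous hop is covered. The RFC 1918/ULA definition of "internal", the /16 threshold, the finding codes and all addresses are assumptions made for the illustration.

```python
"""Pre-check the network list for the MTA tab's permitted-relay setting (step 5f).

Added illustration, not Forcepoint code. All addresses are constructed samples.
"""
import ipaddress

# Assumption: the site's internal space is RFC 1918 (IPv4) or ULA (IPv6).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumption: IPv4 entries wider than /16 deserve a second look.
WIDEST_IPV4_PREFIX = 16


def _is_internal(net):
    """True when net lies entirely inside one of INTERNAL_RANGES."""
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def audit_relay_networks(entries, previous_hops):
    """Return (networks_to_enter, findings).

    entries       -- candidate list, e.g. ["10.20.0.0/16", "192.168.5.25"]
    previous_hops -- hosts that hand mail to the protector (mail server, relay)
    findings      -- list of (code, value) tuples in input order
    """
    networks, findings = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append(("invalid", raw))        # hostnames, typos
            continue
        if net.prefixlen == 0:
            findings.append(("open-relay", raw))     # every sender may relay
            continue                                 # never keep a catch-all
        if not _is_internal(net):
            findings.append(("not-internal", raw))
        elif net.version == 4 and net.prefixlen < WIDEST_IPV4_PREFIX:
            findings.append(("very-broad", raw))
        networks.append(net)
    for hop in previous_hops:
        if not may_relay(hop, networks):
            findings.append(("missing-previous-hop", hop))
    return networks, findings


def may_relay(client_ip, networks):
    """True when client_ip falls inside one of the permitted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample list with one entry of each problem kind.
    sample = ["10.20.0.0/16", "192.168.5.25", "0.0.0.0/0", "203.0.113.0/24", "mailhub"]
    nets, issues = audit_relay_networks(sample, ["192.168.5.25", "172.16.9.4"])
    for code, value in issues:
        print(f"{code:22} {value}")
    print("kept:", ", ".join(str(n) for n in nets))
```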

Connecting the protector


Steps
1) Connect the protector to the outgoing connection and to the organization’s internal network.
Do this last, after the protector is fully configured.

2) If a next hop server exists (for example, a company mail relay), add the protector’s IP address to its allowed
relay list.

3) (Optional) Set the mail server’s next hop (smart host) to the protector’s IP address.

Chapter 4
Configuring the Web Content Gateway
Contents

■ Enter a subscription key in the Content Gateway manager
■ Register Content Gateway with Forcepoint DLP
■ Configure the Content Gateway policy engine
■ Set up Content Gateway

After installing the Web Content Gateway module, configure it in both the Content Gateway manager and the
Forcepoint Security Manager. Refer to the following tasks to configure the gateway:

Related concepts
Register Content Gateway with Forcepoint DLP

Related tasks
Enter a subscription key in the Content Gateway manager
Configure the Content Gateway policy engine
Set up Content Gateway

Enter a subscription key in the Content Gateway manager

Enter a subscription key in the Content Gateway manager to activate the Web Content Gateway:

Steps
1) Open a web browser and enter the Content Gateway manager URL: https://<ip_address>:8081

2) Log on as admin with the password created during installation.

3) Go to the Configure > Subscription page.

4) Enter the subscription key.

5) Go to the Configure > My Proxy > Basic page.

6) Click Restart to restart Content Gateway.

Register Content Gateway with Forcepoint DLP

After Content Gateway is activated, it must be registered with the Forcepoint management server.

Preparing for registration


Steps
1) Synchronize the date and time on the Content Gateway and management server machines to within a few
minutes.

2) If Content Gateway is deployed as a transparent proxy, ensure that traffic to and from the communication
interface (“C” on a V Series appliance) is not subject to transparent routing. If it is, the registration process
will be intercepted by the transparent routing and will not complete properly.

3) Make sure that the IPv4 address of the eth0 NIC on the Content Gateway machine is available (not required
if Content Gateway is located on a V-Series appliance). This is the NIC used by the management server
during the registration process.

4) After registration, the IP address can move to another network interface.

5) Verify connectivity between Content Gateway and the management server.

Registering Content Gateway


Register Content Gateway in the Content Gateway manager:

Steps
1) Go to the Configure > My Proxy > Basic > General page.

2) In the Networking section, enable Web DLP > Integrated on-box if needed. If a change was made, restart
Content Gateway when prompted.

3) Go to the Configure > Security > Web DLP page and enter the IP address of the management server.

4) Enter a user name and password for a Forcepoint Security Manager administrator with Deploy Settings
privileges in the Data Security module.

5) Click Register.

6) Go to the Configure > My Proxy > Basic page and click Restart to restart the Content Gateway machine.

Enabling web DLP


After Content Gateway has registered with Forcepoint DLP, use the Content Gateway manager to perform the
following steps:

Steps
1) Go to the Configure > Security > Web DLP page.

2) Enable Analyze FTP Uploads to send FTP uploads to web DLP components for analysis and policy
enforcement.

3) Enable Analyze Secure Content to send decrypted HTTPS posts to web DLP components for analysis and
policy enforcement.
This option requires that SSL Manager be enabled. See the Content Gateway Manager Help for details.

4) Click Apply and restart Content Gateway.

Configure the Content Gateway policy engine

When Content Gateway is registered with the management server, a Content Gateway module is added to the
System Modules in the Data Security module of the Forcepoint Security Manager.
By default, this agent is configured to monitor web traffic, not block it, and for a default violation message to
appear when an incident is triggered. To continue using this default behavior, no Content Gateway configuration
changes are needed. Simply deploy settings in the Security Manager to activate the default configuration.
To instead block web traffic that breaches policy, or to customize the violation message, do the following:

Steps
1) Log on to the Data Security module of the Security Manager.

2) Go to the Settings > Deployment > System Modules page.

3) Select the Web Content Gateway module in the tree view (click the module name itself, not the plus sign next
to it).
It will be listed as “Forcepoint Web Security Server on <FQDN> (<PE_version>),” where <FQDN> is the fully-qualified
domain name of the Content Gateway machine and <PE_version> is the version of the Content
Gateway policy engine.

4) Select the HTTP/HTTPS tab to configure HTTP(S) blocking behavior.


Select Help > Explain This Page for instructions for each option.

5) Select the FTP tab to configure FTP blocking behavior.


Select Help > Explain This Page for instructions for each option.

6) Click Save to save the changes.

7) Click Deploy to deploy the settings.

Important
Even if the default configuration is not changed, it is still necessary to click Deploy to finalize
the Content Gateway deployment process.

Set up Content Gateway


Additional Content Gateway configuration is performed in the Content Gateway manager:

Steps
■ Log on to Content Gateway Manager and run a basic test (Getting Started).
■ If there are multiple instances of Content Gateway, consider configuring a managed cluster.
■ Configure protocols to proxy in addition to HTTP:
■ HTTP (SSL Manager)
■ FTP
■ Complete the explicit or transparent proxy deployment.
■ Content Gateway explicit and transparent proxy deployments
■ Explicit proxy
■ Transparent proxy
■ If proxy user authentication will be used, configure user authentication.
■ If content caching was enabled during installation, configure content caching.

After the base configuration has been tested, consider these additional activities:
■ In explicit proxy deployments, customize the PAC file.
■ In transparent proxy deployments, use ARM dynamic and static bypass, or use router ACL lists to bypass
Content Gateway (see the router documentation).

Chapter 5
Configuring the Analytics Engine
Contents

■ Reporting and health monitoring options

Configure the analytics engine, incident risk reporting, and risk-related policies in the Data Security module of the
Forcepoint Security Manager.

Steps
1) Go to the Settings > Deployment > System Modules page.

2) Make sure the analytics engine module appears in the tree, then:
a) Click the module to view details.

b) If needed, change the module name and description.

3) Go to the Settings > General > Reporting page to configure the Top Risks report derived from the user analytics.
a) Specify the risk scores to show in the report and on the dashboard.

b) Define the organization’s typical work week to help identify aberrant behavior.

4) For optimal accuracy and efficacy, go to the Main > Policy Management > DLP Policies page and add the
following policies:
■ Disgruntled Employee
■ Self CV Distribution
■ Password Files
■ PKCS #12 Files
■ Deep Web URLs
■ Email to Competitors
Be sure to provide the competitors’ domain names (case-insensitive, separated by semicolons).
■ Suspected Mail to Self
Add or edit the sources to monitor via the possible_sources_domains
parameter in the Email Similarity script classifier.

5) Click Deploy.

Next steps
Refer to the following task for information about the reports that the analytics engine enables.

Related tasks
Reporting and health monitoring options

Reporting and health monitoring options


Once the system is running and capturing metrics, use the following reports to review analytics data:
■ On the Main > Status > Dashboard page, monitor the charts under Data Loss Prevention - Incident Risk
Ranking.
■ Use the Incident Risk Ranking report to investigate risks in more detail. To access the report, do either of the
following:
■ Click an Incident Risk Ranking dashboard chart
■ Go to the Main > Reporting > Data Loss Prevention > Report Catalog page, then expand the Security
Analytics tree and select Incident Risk Ranking.
To view the health of the analytics engine, go to the Main > Status > System Health page, then click the
Analytics Engine module.

Chapter 6
Configuring Third-Party Proxies
Contents

■ Configuration example: Squid

Forcepoint DLP Network deployments include the Forcepoint web proxy, Web Content Gateway.
Forcepoint DLP can additionally be configured to integrate with third-party proxies via ICAP.
This chapter assumes a forward proxy deployment, where the third-party proxy connects to a Forcepoint DLP
protector.
Instructions for two sample third-party proxies are provided. These are not the only proxies that can be used with
Forcepoint DLP. See your proxy’s documentation for more detailed information about ICAP integrations.
The protector configuration steps apply regardless of which third-party proxy is used.
A reference of error and response codes is also available at the end of this chapter. Refer to the following topics for
proper configuration:

Related concepts
Configuration example: Squid

Related tasks
Configure the protector for ICAP

Related reference
ICAP server error and response codes

Configuration example: Squid


Configure the Squid proxy to send requests to the ICAP server that is part of the Forcepoint DLP protector.
This example is for Squid-3.1:

icap_service service_req reqmod_precache 1 icap://<protector_IP>:1344/reqmod
adaptation_access service_req allow all

This example is for Squid-3.0:

icap_service service_req reqmod_precache 1 icap://<protector_IP>:1344/reqmod
icap_class class_req service_req
icap_access class_req allow all

For full ICAP configuration details for Squid, see http://wiki.squid-cache.org/Features/ICAP?highlight=%28faqlisted.yes%29.

Configure the protector for ICAP


Configure the protector to use ICAP in the Data Security module of the Forcepoint Security Manager:

Steps
1) Go to the Settings > Deployment > System Modules page.

2) Expand the node for a protector instance.

3) Select the ICAP server for the selected protector.


For more information, see “Configuring ICAP” in the Forcepoint DLP Administrator Help.
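
A linter for the Squid settings from the configuration example in this chapter, added here as an illustration (not Forcepoint or Squid project code). It reads both the Squid 3.1 and 3.0 forms and reports the positional `1` after `reqmod_precache`, which is Squid's bypass flag: with it set, Squid treats the ICAP service as optional and forwards requests without inspection when the ICAP server cannot be reached. The address 192.0.2.10 standing in for <protector_IP>, the finding codes, and the `icap_enable on` line (a Squid directive not shown in the page's example) are assumptions.

```python
"""Check a squid.conf fragment for the ICAP hand-off to the protector.

Added illustration, not Forcepoint or Squid project code. SAMPLE_CONF is
constructed; 192.0.2.10 stands in for <protector_IP>.
"""
from urllib.parse import urlsplit

SAMPLE_CONF = """\
icap_enable on
icap_service service_req reqmod_precache 1 icap://192.0.2.10:1344/reqmod
adaptation_access service_req allow all
"""


def parse_icap(conf_text):
    """Collect the ICAP-related directives from squid.conf text."""
    conf = {"enabled": False, "services": {}, "classes": {}, "allow": set()}
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()        # drop comments
        if len(words) < 2:
            continue
        key, args = words[0], words[1:]
        if key == "icap_enable":
            conf["enabled"] = args[0] == "on"
        elif key == "icap_service" and len(args) >= 3:
            svc = {"point": args[1], "bypass": False, "url": None}
            for arg in args[2:]:
                if arg.startswith("icap://"):
                    svc["url"] = arg
                elif arg in ("0", "1"):              # positional bypass flag
                    svc["bypass"] = arg == "1"
                elif arg.startswith("bypass="):      # option form
                    svc["bypass"] = arg[7:] in ("1", "on")
            conf["services"][args[0]] = svc
        elif key == "icap_class":                    # Squid 3.0 grouping
            conf["classes"][args[0]] = args[1:]
        elif key in ("adaptation_access", "icap_access") and len(args) >= 2:
            if args[1] == "allow":
                conf["allow"].add(args[0])
    return conf


def lint_icap(conf_text, protector_host, port=1344):
    """Return findings as (code, service_name) tuples; empty list means clean."""
    conf = parse_icap(conf_text)
    findings = []
    if not conf["enabled"]:
        findings.append(("icap-disabled", None))     # Squid's default is off
    for name, svc in conf["services"].items():
        url = urlsplit(svc["url"] or "")
        if url.hostname != protector_host or (url.port or 1344) != port:
            findings.append(("wrong-target", name))
        if svc["point"] != "reqmod_precache":
            findings.append(("not-reqmod", name))
        if svc["bypass"]:
            # Service is optional: requests pass uninspected if ICAP is down.
            findings.append(("fail-open", name))
        targets = {name} | {c for c, members in conf["classes"].items()
                            if name in members}
        if not targets & conf["allow"]:
            findings.append(("no-access-rule", name))
    if not conf["services"]:
        findings.append(("no-icap-service", None))
    return findings


if __name__ == "__main__":
    for code, service in lint_icap(SAMPLE_CONF, "192.0.2.10"):
        print(code, service)
```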

ICAP server error and response codes


Response Condition | Forcepoint Block Decision | Control Exceeds Size Limit | Error Condition
Condition | “pana_response” | “huge_content” | “pana_error”
Error Code | 500 | 500 | 512
=“X-Response-Info” | PA-block | PA-error
=“X-Response-Desc” | Forcepoint blocked
Plain URL | /usr/local/spicer/etc/blockmessageexample.plain
Markup URL | /usr/local/spicer/etc/block-messageexample.markup

Chapter 7
Configuring User Directory Integration
Contents

■ Define user directory settings
■ Configure the directory import
■ Rearrange user directory servers

Import information from a supported directory server, such as Microsoft Active Directory or IBM Domino, into
Forcepoint DLP in order to:
■ Allow administrators to use their network credentials to log on to the Forcepoint Security Manager.
■ Include user details in analysis.
■ Enhance the incident details displayed to administrators.
For configuration instructions, refer to the following topics:

Related tasks
Define user directory settings
Configure the directory import
Rearrange user directory servers

Define user directory settings


Use the Forcepoint Security Manager to configure Forcepoint DLP to import user directory data.

Configuring general settings


Steps
1) Log on to the Data Security module of the Security Manager.

2) Go to the Settings > General > User Directories page.

3) Click New in the toolbar at the top of the page.

4) At the top of the Add/Edit directory server page:


a) Enter a display Name for the directory server. This is displayed in the list on the User Directories page.

b) Mark the Enabled check box.

c) Select the directory Type from the drop-down list: Active Directory, Domino, or Comma-Separated
Values (CSV) File.

Configuring connection settings


Connection settings vary, based on whether a network user directory or a CSV file was selected in the previous
section.
For network user directories (Active Directory or Domino), enter:

1) The IP address or hostname and Port to use to connect to the user directory server.

2) Enter the User distinguished name and Password for an account with directory server access.

3) To secure the connection to the directory server, mark Use SSL encryption.

4) To prompt Forcepoint DLP to follow server referrals, if they exist, mark Follow referrals.

5) Click Test Connection to verify the connection to the directory server.

6) Continue with the next section,

For CSV files:

1) Enter the Path to the file.

2) Enter the User name and Password for an account with at least read permissions to the file.

3) Click Test Connection to verify that Forcepoint DLP can read the file.

4) Click OK.

Configuring directory usage settings


This section applies only to network user directories (Active Directory or Domino).

Steps
1) Mark Get user attributes to retrieve specified user attributes from the directory server.

2) Use the Attributes to retrieve field to enter the user attributes that should be collected for all users. Use
commas to separate entries.

3) If the directory includes user photos, enter the photo attribute name in the User’s photo attribute field.

4) Under Test Attributes, enter a Sample email address to use to perform an import test. Use a valid email
address from the directory.

5) Click Test Attributes to retrieve user information that corresponds to the sample email address.

6) Click OK.

Result
The server is listed on the User Directories page.

Configure the directory import


By default, Forcepoint DLP imports data from user directory servers daily at a set time. To change the import
time:

1) In the Security Manager, go to the Settings > General > User Directories page.

2) Click the Import daily at... link (to the left of the page, above the list of directories).

3) Set a new time or schedule, then click OK.

In addition to the scheduled import, user directory information can also be imported manually. To start the import
process at any time:

1) Go to the User Directories page.

2) Select a directory server in the list.

3) Click Import Now in the toolbar at the top of the page.

4) Click Yes to continue.

To view user directory entries after they have been imported:

1) Go to the Main > Policy Management > Resources page.

2) Select User Directory Entries.

Rearrange user directory servers


If more than one user directory has been configured, users are imported from directories in the order listed on the
User Directories page. If a user is in more than one directory, the first directory record takes precedence.
To rearrange the order of the servers:

Steps
1) Go to the Settings > General > User Directories page.

2) Click Rearrange Servers in the toolbar at the top of the page.

3) Select a server and use the arrow buttons to move it up or down the list.

4) Click OK.

Chapter 8
Getting Started with File Discovery
Contents

■ Performing discovery on Micro Focus file systems
■ Performing discovery on Windows NFS shares
■ Performing discovery on Exchange servers
■ Performing discovery on IBM Domino and Notes

Discovery is the act of determining where sensitive content is located in the organization. If the network includes
Windows or Micro Focus shared drives, administrators can create a data discovery task that describes where and
when to discover content on the drives. Discovery can also be performed on Exchange servers and IBM Domino and
Notes.
For more information, see the following topics on starting and performing file discovery:

Related concepts
Performing discovery on Micro Focus file systems
Performing discovery on Windows NFS shares

Related tasks
Performing discovery on IBM Domino and Notes

Related reference
Performing discovery on Exchange servers

Performing discovery on Micro Focus file systems
The following definitions are used in this section:
■ Using Micro Focus Directory Services, a network administrator can set up and control a database of users
and manage them using a directory with an easy-to-use graphical user interface. Users at remote locations
can be added, updated, and managed centrally. Applications can be distributed electronically and maintained
centrally. The concept is similar to Microsoft’s Active Directory.
■ Micro Focus Client for Windows allows Windows machines to authenticate through NDS and access shared
resources on Micro Focus servers.


Prepare the Micro Focus server


Steps
1) Create a user account in NDS.
■ This user will be used by the Forcepoint DLP crawler agent to authenticate with Micro Focus eDirectory
and access files and folders.
■ The user account must have the same logon name and password as the Forcepoint DLP service account.

2) Make sure the newly created user has at least “Read” permissions on all files and folders on which discovery
will be run.

Prepare the Forcepoint DLP server

Step 1: Install the Micro Focus Client


Steps
1) Download the latest Micro Focus Client for Windows from the Micro Focus Help.

2) Run setupnw.exe and select Custom Installation.

3) Make sure Distributed Print Services is not selected, then click Next.

4) Make sure NetIdentity Agent and NMAS are selected, then click Next.

5) Select IP and IPX protocols, then click Next.

6) Select eDirectory, then click Next.

7) Wait for the installation to complete, then reboot the server.


After the reboot, the logon window should appear instead of the regular Windows logon.

Step 2: Prepare the system for discovery


Steps
1) Log on to Windows and Micro Focus using the Forcepoint DLP service account (it should be the same user
for both platforms as stated above).

2) On the eDirectory tab, select the tree and its relevant context for the folders on which discovery will be run.

3) Right-click the Micro Focus icon in the task bar and select Properties.


4) Click Cancel.

5) Ensure the files on which discovery will be run are accessible from Windows by UNC (for example,
\\FileSrv\vol1\Data).

6) Right-click the icon in the task bar and select Connections.

7) On all connections, click Detach until no connections remain.

Step 3: Create a new discovery task


Steps
1) Log on to the Data Security module of the Forcepoint Security Manager.

2) Go to the Main > Policy Management > Discovery Policies page.

3) Select Add Network Task > File System Task.

4) On the Networks page, click Edit to select the server’s IP address.

5) Click Advanced, then add the Micro Focus access port number 524.

6) On the Scanned Folders page, use the Forcepoint DLP service account for authentication.

7) Configure the remaining discovery options as needed.

Performing discovery on Windows NFS shares
To perform data discovery on Windows file shares, install the NFS client on the Forcepoint DLP server. If there
is more than one Forcepoint DLP server, install the NFS client on the one with the crawler that will be used to
perform discovery.
Do not install Forcepoint DLP on the same machine as the NFS server.

Configure the Forcepoint DLP server


The instructions in this section are for supported versions of Windows Server 2008 R2.

Steps
1) To activate Network File System (NFS) on the Forcepoint DLP server, open the Server Manager.


2) Select Server > Role Services > Add Role > Services for Network File System.

3) Go to Start > Administrative Tools > Services for Network File System (NFS).


4) Right-click Client for NFS and select Properties.

5) On the Client Settings tab, set the Transport protocol to TCP and the Default mount type to Use hard
mounts.

6) On the File Permissions tab, set all file permissions to Read, Write, and Execute.

7) Click OK.

8) Right-click Services for NFS again and select Properties.


9) Mark the Active Directory domain name check box and enter an Active Directory domain name.

10) Click OK.


Configure the domain controller


Steps
1) Log onto a Domain Controller to configure Active Directory to use Identity Management for UNIX.

2) Remove any installed NIS tools under Server Manager > Features.


3) Click Add Role Services to launch the Add Role Services wizard.

4) Select Identity Management for UNIX.

5) Click Next, then click Install.

6) Reboot the server when prompted.

Result
Identity Management for UNIX is now installed.

Configure Identity Management for UNIX


Identity Management for UNIX requires:

1) A primary group that includes all LDAP users

2) A bind or anonymous bind user

Create the primary group for all UNIX user accounts
Steps
1) On the Domain Controller, navigate to Start > Administrative Tools > Active Directory Users and
Computers.


2) Navigate to the Organization Unit (OU) that will contain the group, then select Action > New > Group.

3) Under Group Scope, select Global.

4) Under Group type, select Security.

5) Click OK.

6) Right-click the new group and select Properties.


7) On the UNIX Attributes tab, select the NIS Domain from the drop-down menu and accept the default Group
ID (GID), then click OK.

Note
If the GID is not 10000, there is already a UNIX-enabled group in the directory. The GID must
be unique and match the GID of the UNIX Group.

Create a new UNIX user / service account


Steps
1) Still in the Active Directory Users and Computers tool, select the OU that will hold the UNIX Service Account,
then Action > New > User.


2) Enter a Password and select the following:


■ User cannot change password
■ Password never expires

All other features must be disabled.

3) Click Next, then click Finish to create the account.

4) Right-click the new user and select Properties.

5) On the Member Of tab, click Set Primary Group and add the group created in the previous section.


6) Remove the Domain Users group.

7) Select the UNIX Attributes tab.

8) Set the following parameters, then click OK.


a) Select the user’s NIS Domain.

b) Enter the UID on the UNIX computer that matches the UID of the user on the UNIX machine.

c) Enter the user account Login Shell.

d) Enter the user Home Directory on the UNIX computer.


e) Enter the Primary group name/GID of the user configured previously.

Configure Forcepoint DLP to scan NFS


Steps
1) Log on to the Data Security module of the Security Manager.

2) Create a data discovery policy. (See Creating a data discovery policy for instructions.)

3) On the Main > Policy Management > Discovery Policies page, select Add network task > File System
Task.

4) On the General page, add a name and description for the discovery task and select the crawler hosted on
the machine that also hosts the NFS client.
This is the crawler that will perform the file system discovery.


5) On the Networks page, click Advanced and add port 2049 to the existing list of scanned ports.

6) On the Scanned Folders page, specify the shares to scan and the user name and password of the Windows
user mapped to the UNIX account as follows:

Note
Network discovery has a limit of 255 characters for the path and file name. Files contained in
paths that have more than 255 characters are not scanned.

a) Select the Shared Folders to scan:


■ Select Administrative shares to scan administrative share drives such as C$.
■ Select Shared folders to scan shared folders such as PublicDocs.
■ Select Specific folders to scan one or more specified folders, then enter one or more folder names.
Use semi-colons to separate entries.

b) Select the Method to use when scanning network shares: TCP or ICMP.


c) Enter the User name and Password of the Windows user that was previously mapped to a UNIX
account.

7) Deploy your changes.


For more information on the wizard for creating file system discovery tasks, see File System tasks.
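Because files in paths over the 255-character limit noted above are silently left out of a scan, it helps to list them before relying on the discovery results. The following is an added example, not Forcepoint code; it assumes the limit is measured on the full UNC path as the crawler sees it (the guide does not say how it is counted), and the function name is hypothetical.

```powershell
# Added example (not Forcepoint code): report files that network discovery
# would skip because their full path is longer than the documented limit.
# Assumption: the limit applies to the complete UNC path plus file name.

function Find-PathOverDiscoveryLimit {
    [CmdletBinding()]
    param(
        # Root of a scanned share, e.g. the UNC path configured in the task.
        [Parameter(Mandatory)] [string] $Root,

        # Limit quoted in the guide's note; adjustable for other products.
        [ValidateRange(1, 32767)] [int] $Limit = 255
    )

    $walkErrors = @()
    $walk = @{
        LiteralPath   = $Root
        Recurse       = $true
        File          = $true
        Force         = $true               # include hidden and system files
        ErrorAction   = 'SilentlyContinue'  # keep walking past bad folders
        ErrorVariable = 'walkErrors'        # but remember what was skipped
    }

    # Files that were enumerated and are longer than the limit.
    Get-ChildItem @walk |
        Where-Object { $_.FullName.Length -gt $Limit } |
        ForEach-Object {
            [pscustomobject]@{
                Reason = 'OverLimit'
                Length = $_.FullName.Length
                Path   = $_.FullName
            }
        }

    # Folders this shell could not list at all (access denied, or a path too
    # long for this PowerShell version). Their contents are unknown, so they
    # are reported separately for manual review.
    foreach ($err in $walkErrors) {
        $target = "$($err.TargetObject)"
        [pscustomobject]@{
            Reason = 'NotEnumerated'
            Length = $target.Length
            Path   = $target
        }
    }
}

# Usage, with the example share name used earlier in this guide:
# Find-PathOverDiscoveryLimit -Root '\\FileSrv\vol1\Data' |
#     Sort-Object Length -Descending |
#     Export-Csv -NoTypeInformation -Path .\discovery-gaps.csv
```

Run it under the same account the discovery task uses, so that access-denied folders in the output match what the crawler would also fail to read.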

Performing discovery on Exchange servers
Forcepoint DLP can be used to perform discovery on Microsoft Exchange servers. See the following topics for
more information on running discovery:

Related tasks
Prepare to run discovery on Exchange Online 365
Prepare to run discovery on Exchange 2013


Prepare to run discovery on Exchange Online 365
Steps
1) Create or identify an Exchange 365 account for Exchange discovery scanning.

2) Grant the account one of the following roles to allow the Forcepoint DLP crawler to discover messages and
display results:
■ Organization Management
■ View Only Organization Management
The crawler account should now be able to access Exchange via Outlook Web App (OWA) and move
between the mailboxes intended to be scanned during the discovery.
Log on to OWA with this account and try switching between mailboxes.

3) Configure Exchange impersonation for the service account used for discovery:
a) Open the Windows PowerShell as administrator.

b) Enter the following command:


$LiveCred = Get-Credential

c) When prompted for credentials, enter the user name (email address) and password for the Exchange
365 account to be used for discovery.

d) Enter the following command:


$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Read and ignore any warnings that result.


e) Enter the following commands:


Import-PSSession $Session

Set-ExecutionPolicy RemoteSigned

f) When prompted to change the execution policy, respond Yes.

g) Enter the following command:


Enable-OrganizationCustomization

h) Enter the following command:


New-ManagementRoleAssignment -Name "Impersonation-Forcepoint" -Role "ApplicationImpersonation" -User user@mydomain

Here, “Impersonation-Forcepoint” is the name of the administrator role being created for the Exchange
365 account and “user@mydomain” is the user name that will be used for the discovery task.

4) To configure an Exchange discovery task:


a) Log on to the Data Security module of the Forcepoint Security Manager.

b) Go to the Main > Policy Management > Discovery Policies page, then click Add network task >
Exchange Task.

c) Complete the wizard as explained in the Forcepoint DLP Administrator Help. On the Exchange Servers
page, enter the credentials set up above.

5) Make sure that Integrated Windows authentication is turned on (default). If it is not:


a) In the Exchange admin center, go to servers > virtual directories > EWS (Default Web Site).

b) Select Integrated Windows authentication.


c) Click Save.

Prepare to run discovery on Exchange 2013


Steps
1) Define a service account for Exchange discovery scanning.

2) Grant the account one of the following roles. This is necessary so that the system can discover messages
and display results.
■ Organization Management
■ View Only Organization Management
The service account should now be able to access Exchange via Outlook Web App (OWA) and move
between the mailboxes intended to be scanned during the discovery. Log on to OWA with this account and
try switching between mailboxes.


3) Configure Exchange impersonation for the service account used for the discovery:
a) Open the Exchange Management Shell.

b) Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified
user.
For example, to enable a service account to impersonate all other users in an organization, enter the
following:
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:ServiceAccount

For more information on Exchange impersonation, see msdn.microsoft.com/en-us/library/bb204095.

4) Configure an Exchange discovery task as follows:


a) Log on to the Data Security module of the Forcepoint Security Manager.

b) Go to the Main > Policy Management > Discovery Policies page, then click Add network task >
Exchange Task.

c) Complete the wizard as explained in the Forcepoint DLP Administrator Help. On the Exchange Servers
page, enter the credentials set up above.

5) Check that Integrated Windows authentication is turned on (it should be on by default). If it is not:
a) In the Exchange admin center, go to servers > virtual directories > EWS (Default Web Site).

b) Select Integrated Windows authentication.
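The ApplicationImpersonation grants created in the two Exchange procedures above cover every mailbox in the organization, so it is worth confirming who holds the role and with what scope. This is an added example, not Forcepoint or Microsoft code; it assumes the Exchange cmdlets are already loaded in the session, and the function names, scope name, scoped assignment name and recipient filter are hypothetical. The guide does not say whether a discovery task works with a scoped grant, so test that before removing the organization-wide assignment.

```powershell
# Added example (not Forcepoint or Microsoft code). Run it in a shell where
# the Exchange cmdlets are available (Exchange Management Shell, or the
# session imported in the Exchange Online steps).

function Get-ImpersonationGrant {
    [CmdletBinding()]
    param(
        # Assignment name from the guide's command; change it if yours differs.
        [string] $ExpectedAssignment = 'Impersonation-Forcepoint'
    )

    # -GetEffectiveUsers expands role groups so indirect holders are listed;
    # -Delegating $false leaves out assignments that only allow delegation.
    Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers -Delegating $false |
        ForEach-Object {
            $custom = $_.CustomRecipientWriteScope
            [pscustomobject]@{
                Assignment    = $_.Name
                EffectiveUser = $_.EffectiveUserName
                AssigneeType  = $_.RoleAssigneeType
                Enabled       = $_.Enabled
                Scope         = if ($custom) { "$custom" } else { "$($_.RecipientWriteScope)" }
                OrgWide       = -not $custom   # no custom scope: all mailboxes
                Expected      = ($_.Name -eq $ExpectedAssignment)
            }
        }
}

function New-ScopedImpersonationGrant {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,

        # OPATH filter selecting only the mailboxes discovery should read.
        [Parameter(Mandatory)] [string] $RecipientFilter,

        [string] $ScopeName      = 'DLP-Discovery-Mailboxes',          # hypothetical
        [string] $AssignmentName = 'Impersonation-Forcepoint-Scoped'   # hypothetical
    )

    $action = "Grant ApplicationImpersonation limited to scope '$ScopeName'"
    if ($PSCmdlet.ShouldProcess($ServiceAccount, $action)) {
        New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $RecipientFilter | Out-Null
        New-ManagementRoleAssignment -Name $AssignmentName -Role 'ApplicationImpersonation' -User $ServiceAccount -CustomRecipientWriteScope $ScopeName
    }
    # Role assignments are additive: the narrower scope only takes effect once
    # the organization-wide assignment has been removed with
    # Remove-ManagementRoleAssignment.
}

# Usage:
# Get-ImpersonationGrant | Where-Object { $_.OrgWide -or -not $_.Expected } | Format-Table -AutoSize
# New-ScopedImpersonationGrant -ServiceAccount 'ServiceAccount' -RecipientFilter "Department -eq 'Finance'" -WhatIf
```

Any row with Expected set to False is an impersonation holder that the discovery setup did not create and should be reviewed.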


Performing discovery on IBM Domino and Notes
Forcepoint DLP can perform discovery on documents stored in an IBM Domino Data Management System
(DMS).
Domino discovery treats a document (body and attachments) as one unit. This way, a breach is reported even if
the sensitive content is scattered in different parts of the document that individually would not cause an incident.
To perform discovery on documents:

1) Log on to the Data Security module of the Forcepoint Security Manager.

2) Go to the Main > Policy Management > Discovery Policies page.

3) Select one of the following:


■ Locate regulatory & compliance data
■ Create custom policy.

4) Complete the steps in the wizard as described in the Forcepoint DLP Administrator Help. Select dictionary,
RegEx, fingerprinting, or other classifiers as needed.

5) Go to the Main > Policy Management > Discovery Policies page.

6) Select Add network task > Domino Task.

7) Complete the steps in the wizard as described in the Forcepoint DLP Administrator Help.

8) To deploy the policy and task to the Domino server, click Deploy.

9) The Domino server will be crawled for sensitive data at the next scheduled time. Incidents are reported in
Main > Reporting > Discovery reports.



Chapter 9
Configuring Labels
Contents

■ Import and enable Boldon James Classifier labels
■ Import and enable Microsoft Information Protection labels
■ Configure an action plan to apply labels

Use the Forcepoint Security Manager to import labels from labeling systems and apply them on files in endpoint
discovery scans (available on Windows operating systems only). Refer to the following tasks:

Related tasks
Import and enable Boldon James Classifier labels
Import and enable Microsoft Information Protection labels
Configure an action plan to apply labels

Import and enable Boldon James Classifier labels
To import Boldon James Classifier labels and enable the option to apply labels, first ensure that the labeling
system is installed on the network, and then do the following:

Steps
1) Log into the Data Security module of the Security Manager.

2) Go to Settings > General > Services and select the File Labeling tab.

3) Click the Boldon James Classifier link.

4) On the Boldon James Classifier Properties page, in the Imported Labels section, click Import Labels. The
Import Labels dialog box appears.

5) Click Choose File.

6) Browse to the Boldon James configuration file, and click OK to import it.
The file is usually called spif.xml. If the file is not found, contact Boldon James technical support.

7) When the importation is successfully completed, the time and date of the process and a list of imported
labels appear in the Last import field.


8) Select the Apply file labels check box. You can now define DLP action plans that use Boldon James
Classifier file labels.
When this box is unchecked, Boldon James Classifier labels are used only for detection.

9) In the Guidelines section, mark one or more check boxes to specify when Forcepoint DLP should add or
modify a label. Note the following aspects of the guidelines:
■ If a file does not meet a specified condition, its labeling remains unchanged.
■ Incident reports provide detailed information about whether labels were found on files and whether they
were changed.

10) Click OK to save the changes.

Import and enable Microsoft Information Protection labels
Before you begin
Before you can import Microsoft Information Protection labels for the first time, you must obtain
permission for the Forcepoint application to perform the import, as follows:

Steps
1) Log into the Microsoft Office 365 Admin Consent page, using your Microsoft Office 365 admin credentials for
authentication.

2) Accept the permission statement on the page.

Next steps
Next, to import and enable Microsoft Information Protection labels, first ensure that the labeling system is
installed on the network, and then do the following:

1) Log into the Data Security module of the Security Manager.

2) Go to Settings > General > Services and select the File Labeling tab.

3) Click the Microsoft Information Protection link.

4) On the Microsoft Information Protection Properties page, in the Imported Labels section, enter your Microsoft
Office 365 admin credentials, and then click Import Labels.


Note
We recommend that you enter credentials for an administrator who has visibility to all Microsoft
Information Protection labels used in the organization. User credentials are not stored
on Forcepoint servers. You should also ensure that your web browser does not store this
information.

5) Click OK to start the import process. Note that if the consent process was not completed, this step generates
an error. Complete the consent process, and then try again.

6) When the importation is successfully completed, the time and date of the process and a list of imported
labels appear in the Last import field.

7) Select the Apply file labels check box. You can now define DLP action plans that use Microsoft Information
Protection file labels.
When this box is unchecked, Microsoft Information Protection labels are used only for detection.

8) Click OK to save the changes.

Note
Files that are protected by Microsoft Information Protection can be decrypted automatically during
DLP analysis (see “Configuring MIP for endpoint decryption” in the Forcepoint DLP Administrator
Guide).

Configure an action plan to apply labels


To configure labels to apply on files for Discovery Policies (endpoint only):

Steps
1) Log into the Data Security module of the Security Manager.

2) Go to Policy Management > Resources > Action Plans and select the Discovery tab.

3) In the Endpoint Discovery section, select a labeling system from the drop-down menu.

4) Select the labels you want to apply. Make sure they are from the labeling system you chose.

5) Click OK to save.

6) Add the action plan to the desired Discovery Policy.

For more information, see Forcepoint DLP Administrator Guide.

Chapter 10
Getting Started with the REST API Service
The REST API service allows customers to remotely pull and manage incident data from Forcepoint Security Manager
to integrate with SOAR, SIEM, BI and other solutions.
The REST API service returns Discovery and DLP incidents, optionally filtered by policy, department, or Risk
Level. In addition, the REST API allows customers to update an incident's Status, Severity, assigned
administrator, and more.
The following REST APIs are available:
■ Get Incidents API
■ Update Incidents API
Before using the service, create a Local account administrator of type Application in the Forcepoint Security
Manager and complete the authentication process.
To connect an application to Forcepoint DLP through a REST API connection, create an Application
administrator in the Forcepoint Security Manager on the Global Settings > General > Administrators settings page.
For more information, see the Enabling access to the Security Manager topic in the Forcepoint Security Manager Help.
The Application administrator type is supported only for Local accounts. Network accounts cannot be
configured as an Application type.
For more information about the Authentication process and using the REST API service, see the Forcepoint DLP REST
API Guide.
