Getting Started Guide

Forcepoint DLP

v 8.9. 1
©2022 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All other trademarks used in this document are the property of their
respective owners.
Published 2022
Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this
documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable
for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the
examples herein. The information in this documentation is subject to change without notice.

Document last updated March 31, 2022

Contents
Chapter 1 Getting Started with Forcepoint DLP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Entering a subscription key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2 Configuring the Data Protection Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 3 Configuring the Protector for Use with SMTP . . . . . . . . . . . . . . . . . . . . . . . . . 5
Set up SMTP in monitoring mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Set up SMTP in MTA mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Chapter 4 Configuring the Web Content Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Enter a subscription key in the Content Gateway manager . . . . . . . . . . . . . . . . . . 9
Register Content Gateway with Forcepoint DLP. . . . . . . . . . . . . . . . . . . . . . . . . . 9
Enabling web DLP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Configure the Content Gateway policy engine . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Set up Content Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 5 Configuring the Analytics Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Reporting and health monitoring options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 6 Configuring Third-Party Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Configuration example: Squid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Configure the protector for ICAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
ICAP server error and response codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 7 Configuring User Directory Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Define user directory settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configure the directory import. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Rearrange user directory servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 8 Getting Started with File Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Performing discovery on Micro Focus file systems . . . . . . . . . . . . . . . . . . . . . . . 21
Prepare the Micro Focus server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Prepare the Forcepoint DLP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Step 1: Install the Micro Focus Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Step 2: Prepare the system for discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Step 3: Create a new discovery task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Performing discovery on Windows NFS shares. . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configure the Forcepoint DLP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configure the domain controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configure Identity Management for UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Getting Started Guide i

Contents

Configure Forcepoint DLP to scan NFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Performing discovery on Exchange servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Prepare to run discovery on Exchange Online 365 . . . . . . . . . . . . . . . . . . . . . 32
Prepare to run discovery on Exchange 2013. . . . . . . . . . . . . . . . . . . . . . . . . . 33
Performing discovery on IBM Domino and Notes. . . . . . . . . . . . . . . . . . . . . . . . 35
Chapter 9 Configuring Labels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Import and enable Boldon James Classifier labels. . . . . . . . . . . . . . . . . . . . . . . . 37
Import and enable Microsoft Information Protection labels . . . . . . . . . . . . . . . . 38
Configure an action plan to apply labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 10 Getting Started with the REST API Service . . . . . . . . . . . . . . . . . . . . . . . . . . 41

ii Forcepoint DLP
1 Getting Started with
Forcepoint DLP

Getting Started Guide | Forcepoint DLP | Version 8.9.1

After installing Forcepoint DLP, log on to the Forcepoint Security Manager and enter
a subscription key (see Entering a subscription key).
Next, follow the initial configuration instructions for the components that have been
deployed.
● Configuring the Data Protection Service, page 3
● Configuring the Protector for Use with SMTP, page 5
● Configuring the Web Content Gateway, page 9
● Configuring the Analytics Engine, page 13
● Configuring Third-Party Proxies, page 15
To get started with Forcepoint DLP, also configure commonly used features:
● Configuring User Directory Integration, page 17
● Getting Started with File Discovery, page 21
● Configuring Labels, page 37
To get started with connecting your custom applications to Forcepoint DLP:
● Getting Started with the REST API Service, page 41

Tip
For installation instructions, see the Forcepoint DLP
Installation Guide.

Entering a subscription key

To enable Forcepoint DLP configuration, enter a subscription key in the Data Security
module of the Forcepoint Security Manager:
1. Open a browser and enter the Security Manager URL:
https://<IP_address_or_hostname>:9443

Getting Started Guide  1

Getting Started with Forcepoint DLP

2. Enter the User name admin and the password configured during installation, then
click Log On.
3. If the Data Security module of the Security Manager is not displayed by default,
select Data from the Product Module drop-down menu to open it.
■ Until a subscription key is entered, a subscription prompt appears
automatically.
■ Once a key has been entered, administrators can review subscription
information on the Settings > General > Subscription page.
4. Browse to the subscription file, then click Submit.
Current subscription information is displayed.
5. Click Deploy in the Security Manager toolbar to complete the process.

2  Forcepoint DLP
2 Configuring the Data
Protection Service

Getting Started Guide | Forcepoint DLP | Version 8.9.1

Data Protection Service is a cloud-based DLP analysis service that integrates with the
following Forcepoint products:
● Forcepoint CASB
● Forcepoint Web Security Cloud
● Forcepoint Email Security Cloud
Forcepoint Cloud Security Gateway combines Data Protection Service with
Forcepoint Web Security Cloud and Forcepoint CASB to protect your organization in
one easy-to-consume service.
■ When Data Protection Service is integrated with Forcepoint Web Security
Cloud, web traffic passing through the cloud gateway is sent to Data
Protection Service for DLP analysis.
■ When Data Protection Service is integrated with Forcepoint CASB, the CASB
gateway sends user actions in cloud applications (such as uploading data) to
Data Protection Service for DLP analysis.
■ When Data Protection Service finds a breach or potential data loss, the
findings are returned to the Web or CASB gateway for policy enforcement.
■ For more information or to get started with the integration of Forcepoint DLP
and Forcepoint Cloud Web or Forcepoint CASB, see the Forcepoint Cloud
Security Gateway Integration Guide.
Data Protection Service for Email (available for Forcepoint DLP version 8.8.2 and
later) enables Forcepoint Email Security Cloud to protect your organization against
the threats of malware, spam, and other unwanted content in email traffic.
■ When Data Protection Service is integrated with Forcepoint Email Security
Cloud, email messages that present potential data loss are sent to Data
Protection Service for further inspection. Data Protection Service then returns
its findings to the email cloud service for policy enforcement.
■ For more information or to get started with the integration of Forcepoint DLP
and Forcepoint Cloud Email, see the Forcepoint Email Security Cloud and
Forcepoint DLP Integration Guide.

Getting Started Guide  3

Configuring the Data Protection Service

4  Forcepoint DLP
3 Configuring the Protector
for Use with SMTP

Getting Started Guide | Forcepoint DLP | Version 8.9.1

When the protector is used for monitoring or protecting data transfer in email (SMTP)
traffic, it can be configured in monitoring or MTA mode.
More information about configuring the protector to monitor other protocols can be
found in the Forcepoint DLP Administrator Help.
For initial SMTP configuration instructions, see:
● Set up SMTP in monitoring mode, page 5
● Set up SMTP in MTA mode, page 6

Set up SMTP in monitoring mode

Preparing for configuration

The steps in this procedure assume that the protector has already been installed as
described in the Forcepoint DLP Installation Guide, with the following configuration:
● The time, date, and time zone are precise.
● Network interface eth0 is mapped and located on the main board.
● Interface eth0 is connected to the LAN.
Before beginning the configuration process, make sure the protector is powered on.

Configuring the protector

Use the Forcepoint Security Manager to configure the protector to monitor SMTP:
1. Go to the Settings > Deployment > System Modules page.
2. Select the protector instance.
3. On the General tab, select Enabled.
4. On the Local Networks tab, select Include specific networks, then add all of the
internal networks for all sites.
■ This list is used to identify the direction of the traffic.

Getting Started Guide  5

Configuring the Protector for Use with SMTP

■ The mail servers and mail relays should be considered part of the internal
network.
5. On the Services tab:
a. Select the SMTP service.
b. On the General tab, set the Mode to Monitoring bridge.
c. On the Traffic Filter tab, set the Direction to Outbound.
d. Click OK.
6. Click OK to save the configuration.
7. Click Deploy to activate the settings.
8. Connect the protector to the outgoing connection and to the organization’s internal
network.
This should be done last, after the protector is fully configured.

Set up SMTP in MTA mode

Preparing for configuration

The steps in this procedure assume that the protector has already been installed as
described in the Forcepoint DLP Installation Guide, with the following configuration:
● The time, date, and time zone are precise.
● The network interface selected during installation is mapped and located on the
main board.
● The interface is connected to the LAN.
Before beginning the configuration process, make sure the protector is powered on.

Configuring the protector

Configure the protector in the Forcepoint Security Manager:
1. Go to the Settings > Deployment > System Modules page.
2. Select the protector instance.
3. On the General tab, select Enabled.
4. On the Local Networks tab, select Include specific networks, then add all of the
internal networks for all sites.
■ This list is used to identify the direction of the traffic.
■ The mail servers and mail relays should be considered part of the internal
network.
5. On the Services tab:
a. Select the SMTP service.
b. On the General tab, set the Mode to Mail Transfer Agent (MTA).

6  Forcepoint DLP
 Configuring the Protector for Use with SMTP

c. On the Mail Transfer Agent (MTA) tab, set the Operation Mode to Blocking
and select the behavior desired when an unspecified error occurs during
analysis.
d. Set the SMTP HELO name. This is required.
e. Set the next hop MTA (for example, the organization’s mail relay), if needed.
f. Set the addresses of all networks that are permitted to relay email messages
through the protector.
○ This is required, as it is important that not all networks have permission to
send email via the protector’s SMTP service. Otherwise, the protector can
be used as a mail relay.
○ This list should include the addresses of any previous hops, such as the
mail server.
6. Click OK to save the configuration.
7. Go to the Main > Policy Management > DLP Policies page.
8. Select a policy rule to use for email management, then click Edit.
9. Complete the fields as follows:
a. Select Destinations, and check the Network Email box.
b. Select Severity & Action, then select an action plan that includes
notifications.

Note
For more information about action plans, see the
Forcepoint DLP Administrator Help.

c. Click OK to save the policy configuration.

10. Click Deploy to activate the settings.

Connecting the protector

1. Connect the protector to the outgoing connection and to the organization’s internal
network.
Do this last, after the protector is fully configured.
2. If a next hop server exists (for example, a company mail relay), add the
protector’s IP address to its allowed relay list.
3. (Optional) Set the mail server’s next hop (smart host) to the protector’s IP
address.

Getting Started Guide  7

Configuring the Protector for Use with SMTP

8  Forcepoint DLP
4 Configuring the Web
Content Gateway

Getting Started Guide | Forcepoint DLP | Version 8.9.1

After installing the Web Content Gateway module, configure it in both the Content
Gateway manager and the Forcepoint Security Manager. See:
● Enter a subscription key in the Content Gateway manager, page 9
● Register Content Gateway with Forcepoint DLP, page 9
● Configure the Content Gateway policy engine, page 11
● Set up Content Gateway, page 11

Enter a subscription key in the Content Gateway manager

Enter a subscription key in the Content Gateway manager to activate the Web Content
Gateway:
1. Open a web browser and enter the Content Gateway manager URL:
https://<ip_address>:8081
2. Log on as admin with the password created during installation.
3. Go to the Configure > Subscription page.
4. Enter the subscription key.
5. Go to the Configure > My Proxy > Basic page.
6. Click Restart to restart Content Gateway.

Register Content Gateway with Forcepoint DLP

After Content Gateway is activated, it must be registered with the Forcepoint

management server.

Preparing for registration

1. Synchronize the date and time on the Content Gateway and management server
machines to within a few minutes.

Getting Started Guide  9

Configuring the Web Content Gateway

2. If Content Gateway is deployed as a transparent proxy, ensure that traffic to and

from the communication interface (“C” on a V Series appliance) is not subject to
transparent routing. If it is, the registration process will be intercepted by the
transparent routing and will not complete properly.
3. Make sure that the IPv4 address of the eth0 NIC on the Content Gateway machine
is available (not required if Content Gateway is located on a V-Series appliance).
This is the NIC used by the management server during the registration process.
4. After registration, the IP address can move to another network interface.
5. Verify connectivity between Content Gateway and the management server.

Registering Content Gateway

Register Content Gateway in the Content Gateway manager:
1. Go to the Configure > My Proxy > Basic > General page.
2. In the Networking section, enable Web DLP > Integrated on-box if needed.
If a change was made, restart Content Gateway when prompted.
3. Go to the Configure > Security > Web DLP page and enter the IP address of the
management server.
4. Enter a user name and password for a Forcepoint Security Manager administrator
with Deploy Settings privileges in the Data Security module.
5. Click Register.
6. Go to the Configure > My Proxy > Basic page and click Restart to restart the
Content Gateway machine.

Enabling web DLP

After Content Gateway has registered with Forcepoint DLP, use the Content Gateway
manager to perform the following steps:
1. Go to the Configure > Security > Web DLP page.
2. Enable Analyze FTP Uploads to send FTP uploads to web DLP components for
analysis and policy enforcement.
3. Enable Analyze Secure Content to send decrypted HTTPS posts to web DLP
components for analysis and policy enforcement.
This option requires that SSL Manager be enabled. See the Content Gatweway
Manager Help for details.
4. Click Apply and restart Content Gateway.

10  Forcepoint DLP
 Configuring the Web Content Gateway

Configure the Content Gateway policy engine

When Content Gateway is registered with the management server, a Content Gateway
module is added to the System Modules in the Data Security module of the Forcepoint
Security Manager.
By default, this agent is configured to monitor web traffic, not block it, and for a
default violation message to appear when an incident is triggered. To continue using
this default behavior, no Content Gateway configuration changes are needed. Simply
deploy settings in the Security Manager to activate the default configuration.
To instead block web traffic that breaches policy, or to customize the violation
message, do the following:
1. Log on to the Data Security module of the Security Manager.
2. Go to the Settings > Deployment > System Modules page.
3. Select the Web Content Gateway module in the tree view (click the module name
itself, not the plus sign next to it).
It will be listed as “Forcepoint Web Security Server on <FQDN>
(<PE_version>),” where <FQDN> is the fully-qualified domain name of the
Content Gateway machine and <PE_version> is the version of the Content
Gateway policy engine.
4. Select the HTTP/HTTPS tab to configure HTTP(S) blocking behavior.
Select Help > Explain This Page for instructions for each option.
5. Select the FTP tab to configure FTP blocking behavior.
Select Help > Explain This Page for instructions for each option.
6. Click Save to save the changes.
7. Click Deploy to deploy the settings.

Important
Even if the default configuration is not changed, it is still
necessary to click Deploy to finalize the Content Gateway
deployment process.

Set up Content Gateway

Additional Content Gateway configuration is performed in the Content Gateway

manager:
● Log onto Content Gateway Manager and run a basic test (Getting Started)
● If there are multiple instances of Content Gateway, consider configuring a
managed cluster.
● Configure protocols to proxy in addition to HTTP:

Getting Started Guide  11

Configuring the Web Content Gateway

■ HTTP (SSL Manager)

■ FTP
● Complete the explicit or transparent proxy deployment.
■ Content Gateway explicit and transparent proxy deployments
■ Explicit proxy
■ Transparent proxy
● If proxy user authentication will be used, configure user authentication.
● If content caching was enabled during installation, configure content caching.
After the base configuration has been tested, consider these additional activities:
● In explicit proxy deployments, customize the PAC file.
● In transparent proxy deployments, use ARM dynamic and static bypass, or use
router ACL lists to bypass Content Gateway (see the router documentation).

12  Forcepoint DLP
5 Configuring the Analytics
Engine

Getting Started Guide | Forcepoint DLP | Version 8.9.1

Configure the analytics engine, incident risk reporting, and risk-related policies in the
Data Security module of the Forcepoint Security Manager.
1. Go the Settings > Deployment > System Modules page.
2. Make sure the analytics engine module appears in the tree, then:
a. Click the module to view details.
b. If needed, change the module name and description.
3. Go to the Settings > General > Reporting page to configure the Top Risks report
derived from the user analytics.
a. Specify the risk scores to show in the report and on the dashboard.
b. Define the organization’s typical work week to help identify aberrant
behavior.
4. For optimal accuracy and efficacy, go to the Main > Policy Management > DLP
Policies page and add the following policies:
■ Disgruntled Employee
■ Self CV Distribution
■ Password Files
■ PKCS #12 Files
■ Deep Web URLs
■ Email to Competitors
Be sure to provide the competitors’ domain names (case-insensitive,
separated by semicolons).
■ Suspected Mail to Self
Add or edit the sources to monitor via the possible_sources_domains
parameter in the Email Similarity script classifier.
5. Click Deploy.
See Reporting and health monitoring options, page 14, for information about the
reports that the analytics engine enables.

Getting Started Guide  13

Configuring the Analytics Engine

Reporting and health monitoring options

Once the system is running and capturing metrics, use the following reports to review
analytics data:
● On the Main > Status > Dashboard page, monitor the charts under Data Loss
Prevention - Incident Risk Ranking.
● Use the Incident Risk Ranking report to investigate risks in more detail. To access
the report, do either of the following:
■ Click an Incident Risk Ranking dashboard chart.
■ Go to the Main > Reporting > Data Loss Prevention > Report Catalog
page, then expand the Security Analytics tree and select Incident Risk
Ranking.
To view the health of the analytics engine, go to the Main > Status > System Health
page, then click the Analytics Engine module.

14  Forcepoint DLP
6 Configuring Third-Party
Proxies

Getting Started Guide | Forcepoint DLP | Version 8.9.1

Forcepoint DLP Network deployments include the Forcepoint web proxy, Web
Content Gateway.
Forcepoint DLP can additionally be configured to integrate with third-party proxies
via ICAP.
This chapter assumes a forward proxy deployment, where the third-party proxy
connects to a Forcepoint DLP protector.
Instructions for two sample third-party proxies are provided. These are not the only
proxies that can be used with Forcepoint DLP. See your proxy’s documentation for
more detailed information about ICAP integrations.
The protector configuration steps apply regardless of which third-party proxy is used.
See:
● Configuration example: Squid, page 15
● Configure the protector for ICAP, page 16
A reference of error and response codes is available at the end of this chapter. See
ICAP server error and response codes, page 16.

Configuration example: Squid

Configure the Squid proxy to send requests to the ICAP server that is part of the
Forcepoint DLP protector.
This example is for Squid-3.1:
icap_service service_req reqmod_precache 1
icap://<protector_IP>:1344/reqmod
adaptation_access service_req allow all

This example is for Squid-3.0:

icap_service service_req reqmod_precache 1
icap://<protector_IP>:1344/reqmod

Getting Started Guide  15

Configuring Third-Party Proxies

icap_class class_req service_req

icap_access class_req allow all

For full ICAP configuration details for Squid, see http://wiki.squid-cache.org/

Features/ICAP?highlight=%28faqlisted.yes%29.

Configure the protector for ICAP

Configure the protector to use ICAP in the Data Security module of the Forcepoint
Security Manager:
1. Go to Settings > Deployment > System Modules page.
2. Expand the node for a protector instance.
3. Select the ICAP server for the selected protector.
For more information, see “Configuring ICAP” in the Forcepoint DLP Administrator
Help.

ICAP server error and response codes

Response Forcepoint Block Control Error Condition

Condition Decision Exceeds Size
Limit
Condition “pana_response” “huge_content” “pana_error”
Error Code 500 500 512
=“X-Response- PA-block PA-error
Info”

=“X-Response- Forcepoint blocked

Desc”
Plain URL /usr/local/spicer/etc/
blockmessageexample.plain
Markup URL /usr/local/spicer/etc/block-
messageexample.markup

16  Forcepoint DLP
7 Configuring User Directory
Integration

Getting Started Guide | Forcepoint DLP | Version 8.9.1

Import information from a supported directory server, such as Microsoft Active

Directory or IBM Domino, into Forcepoint DLP in order to:
● Allow administrators to use their network credentials to log on to the Forcepoint
Security Manager.
● Include user details in analysis.
● Enhance the incident details displayed to administrators.
For configuration instructions, see:
● Define user directory settings, page 17
● Configure the directory import, page 19
● Rearrange user directory servers, page 19

Define user directory settings

Use the Forcepoint Security Manager to configure Forcepoint DLP to import user
directory data.

Configuring general settings

1. Log on to the Data Security module of the Security Manager.
2. Go to the Settings > General > User Directories page.
3. Click New in the toolbar at the top of the page.
4. At the top of the Add/Edit directory server page:
a. Enter a display Name for the directory server. This is displayed in the list on
the User Directories page.
b. Mark the Enabled check box.
c. Select the directory Type from the drop-down list: Active Directory, Domino,
or Comma-Separated Values (CSV) File.

Getting Started Guide  17

Configuring User Directory Integration

Configuring connection settings

Connection settings vary, based on whether a network user directory or a CSV file was
selected in the previous section.
For network user directories (Active Directory or Domino), enter:
1. The IP address or hostname and Port to use to connect to the user directory
server.
2. Enter the User distinguished name and Password for an account with directory
server access.
3. To secure the connection to the directory server, mark Use SSL encryption.
4. To prompt Forcepoint DLP to follow server referrals, if they exist, mark Follow
referrals.
5. Click Test Connection to verify the connection to the directory server.
6. Continue with the next section,
For CSV files:
1. Enter the Path to the file.
2. Enter the User name and Password for an account with at least read permissions
to the file.
3. Click Test Connection to verify that Forcepoint DLP can read the file.
4. Click OK.

Configuring directory usage settings

This section applies only to network user directories (Active Directory or Domino).
1. Mark Get user attributes to retrieve specified user attributes from the directory
server.
2. Use the Attributes to retrieve field to enter the user attributes that should be
collected for all users. Use commas to separate entries.
3. If the directory includes user photos, enter the photo attribute name in the User’s
photo attribute field.
4. Under Test Attributes, enter a Sample email address to use to perform an import
test. Use a valid email address from the directory.
5. Click Test Attributes to retrieve user information that corresponds to the sample
email address.
6. Click OK.
The server is listed on the User Directories page.

18  Forcepoint DLP
 Configuring User Directory Integration

Configure the directory import

By default, Forcepoint DLP imports data from user directory servers daily at a set
time. To change the import time:
1. In the Security Manager, go to the Settings > General > User Directories page.
2. Click the Import daily at... link (to the left of the page, above the list of
directories).
3. Set a new time or schedule, then click OK.
In addition to the scheduled import, user directory information can also be imported
manually. To start the import process at any time:
1. Go to the User Directories page.
2. Select a directory server in the list.
3. Click Import Now in the toolbar at the top of the page.
4. Click Yes to continue.
To view user directory entries after they have been imported:
1. Go to the Main > Policy Management > Resources page.
2. Select User Directory Entries.

Rearrange user directory servers

If more than one user directory has been configured, users are imported from
directories in the order listed on the User Directories page. If a user is in more than
one directory, the first directory record takes precedence.
To rearrange the order of the servers:
1. Go to the Settings > General > User Directories page.
2. Click Rearrange Servers in the toolbar at the top of the page.
3. Select a server and use the arrow buttons to move it up or down the list.
4. Click OK.

Getting Started Guide  19

Configuring User Directory Integration

20  Forcepoint DLP
8 Getting Started with File
Discovery

Getting Started Guide | Forcepoint DLP | Version 8.9.1

Discovery is the act of determining where sensitive content is located in the

organization. If the network includes Windows or Micro Focus shared drives,
administrators can create a data discovery task that describes where and when to
discover content on the drives. Discovery can also be performed on Exchange servers
and IBM Domino and Notes.
For more information, see:
● Performing discovery on Micro Focus file systems, page 21
● Performing discovery on Windows NFS shares, page 23
● Performing discovery on Exchange servers, page 32
● Performing discovery on IBM Domino and Notes, page 35

Performing discovery on Micro Focus file systems

The following definitions are used in this section:

● Using Micro Focus Directory Services, a network administrator can set up and
control a database of users and manage them using a directory with an easy-to-use
graphical user interface. Users at remote locations can be added, updated, and
managed centrally. Applications can be distributed electronically and maintained
centrally. The concept is similar to Microsoft’s Active Directory.
● Micro Focus Client for Windows allows Windows machines to authenticate
through NDS and access shared resources on Micro Focus servers.

Prepare the Micro Focus server

1. Create a user account in NDS.
■ This user will be used by the Forcepoint DLP crawler agent to authenticate
with Micro Focus eDirectory and access files and folders.
■ The user account must have the same logon name and password as the
Forcepoint DLP service account.

Getting Started Guide  21

Getting Started with File Discovery

2. Make sure the newly created user has at least “Read” permissions on all files and
folders on which discovery will be run.

Prepare the Forcepoint DLP server

Step 1: Install the Micro Focus Client

1. Download the latest Micro Focus Client for Windows from the Micro Focus
website.
2. Run setupnw.exe and select Custom Installation.
3. Make sure Distributed Print Services is not selected, then click Next.
4. Make sure NetIdentity Agent and NMAS are selected, then click Next.
5. Select IP and IPX protocols, then click Next.
6. Select eDirectory, then click Next.
7. Wait for the installation to complete, then reboot the server.
After the reboot, the logon window should appear instead of the regular Windows
logon.

Step 2: Prepare the system for discovery

1. Log on to Windows and Micro Focus using the Forcepoint DLP service account
(it should be the same user for both platforms as stated above).
2. On the eDirectory tab, select the tree and its relevant context for the folders on
which discovery will be run.
3. Right-click the Micro Focus icon in the task bar and select Properties.
4. Click Cancel.
5. Ensure the files on which discovery will be run are accessible from Windows by
UNC (for example, \\FileSrv\vol1\Data).
6. Right-click the icon in the task bar and select Connections.
7. On all connections, click Detach until no connections remain.

Step 3: Create a new discovery task

1. Log on to the Data Security module of the Forcepoint Security Manager.
2. Go to the Main > Policy Management > Discovery Policies page.
3. Select Add Network Task > File System Task.
4. On the Networks page, click Edit to select the server’s IP address.
5. Click Advanced, then add the Micro Focus access port number 524.
6. On the Scanned Folders page, use the Forcepoint DLP service account for
authentication.
7. Configure the remaining discovery options as needed.

22  Forcepoint DLP
 Getting Started with File Discovery

Performing discovery on Windows NFS shares

If you want to perform data discovery on Windows file shares, you need to install NFS
client on your Forcepoint DLP server. If you have more than one Forcepoint DLP
server, install NFS client on the one with the crawler you will use to perform
discovery.
Do not install Forcepoint DLP on the same machine as the NFS server.

Configure the Forcepoint DLP server

The instructions in this section are for supported versions of Windows Server 2008
R2.
1. To activate Network File System (NFS) on the Forcepoint DLP server, open the
Server Manager.
2. Select Server > Role Services > Add Role > Services for Network File System.

3. Go to Start > Administrative Tools > Services for Network File System (NFS).

Getting Started Guide  23

Getting Started with File Discovery

4. Right-click Client for NFS and select Properties.

5. On the Client Settings tab, set the Transport protocol to TCP and the Default
mount type to Use hard mounts.
6. On the File Permissions tab, set all file permissions to Read, Write, and Execute.
7. Click OK.
8. Right-click Services for NFS again and select Properties.

24  Forcepoint DLP
 Getting Started with File Discovery

9. Mark the Active Directory domain name check box and enter a Active
Directory domain name.

10. Click OK.

Configure the domain controller

1. Log onto a Domain Controller to configure Active Directory to use Identity
Management for UNIX.

Getting Started Guide  25

Getting Started with File Discovery

2. Remove any installed NIS tools under Server Manager > Features.

3. Click Add Role Services to launch the Add Role Services wizard.
4. Select Identity Management for UNIX.

5. Click Next, then click Install.

6. Reboot the server when prompted.
Identity Management for UNIX is now installed.

Configure Identity Management for UNIX

Identity Management for UNIX requires:
1. A primary group that includes all LDAP users
2. A bind or anonymous bind user

Create the primary group for all UNIX user accounts

1. On the Domain Controller, navigate to Start > Administrative Tools > Active
Directory Users and Computers.

26  Forcepoint DLP
 Getting Started with File Discovery

2. Navigate to the Organization Unit (OU) that will contain the group, then select
Action > New > Group.
3. Under Group Scope, select Global.
4. Under Group type, select Security.
5. Click OK.

6. Right-click the new group and select Properties.

7. On the UNIX Attributes tab, select the NIS Domain from the drop-down menu
and accept the default Group ID (GID), then click OK.
.

Note
If the GID is not 10000, there is already a UNIX-enabled
group in the directory. The GID must be unique and match
the GID of the UNIX Group.

Getting Started Guide  27

Getting Started with File Discovery

Create a new UNIX user / service account

1. Still in the Active Directory Users and Computers tool, select the OU that will
hold the UNIX Service Account, then Action > New > User.

2. Enter a Password and select the following:

■ User cannot change password
■ Password never expires
All other features must be disabled.

3. Click Next, then click Finish to create the account.

4. Right-click the new user and select Properties.
5. On the Member Of tab, click Set Primary Group and add the group created in the
previous section.

28  Forcepoint DLP
 Getting Started with File Discovery

6. Remove the Domain Users group.

7. Select the UNIX Attributes tab.

8. Set the following parameters, then click OK.
a. Select the user’s NIS Domain.
b. Enter the UID on the UNIX computer that matches the UID of the user on the
UNIX machine.
c. Enter the user account Login Shell.
d. Enter the user Home Directory on the UNIX computer.

Getting Started Guide  29

Getting Started with File Discovery

e. Enter the Primary group name/GID of the user configured previously.

Configure Forcepoint DLP to scan NFS

1. Log on to the Data Security module of the Security Manager.
2. Create a data discovery policy. (See Creating a data discovery policy for
instructions.)
3. On the Main > Policy Management > Discovery Policies page, select Add
network task > File System Task.
4. On the General page, add a name and description for the discovery task and select
the crawler hosted on the machine that also hosts the NFS client.
This is the crawler that will perform the file system discovery.
5. On the Networks page, click Advanced and add port 2049 to the existing list of
scanned ports.

30  Forcepoint DLP
 Getting Started with File Discovery

6. On the Scanned Folders page, specify the shares to scan and the user name and
password of the Windows user mapped to the UNIX account as follows:

Note
Network discovery has a limit of 255 characters for the
path and file name. Files contained in paths that have more
than 255 characters are not scanned.

a. Select the Shared Folders to scan:

○ Select Administrative shares to scan administrative share drives such as
C$.
○ Select Shared folders to scan shared folders such as PublicDocs.
○ Select Specific folders to scan one or more specified folders, then enter
one or more folder names. Use semi-colons to separate entries.
b. Select the Method to use when scanning network shares: TCP or ICMP.
c. Enter the User name and Password of the Windows user that was previously
mapped to a UNIX account.

7. Deploy your changes.

For more information on the wizard for creating file system discovery tasks, see File
System tasks.

Getting Started Guide  31

Getting Started with File Discovery

Performing discovery on Exchange servers

Forcepoint DLP can be used to perform discovery on Microsoft Exchange servers.

See:
● Prepare to run discovery on Exchange Online 365, page 32
● Prepare to run discovery on Exchange 2013, page 33

Prepare to run discovery on Exchange Online 365

1. Create or identify an Exchange 365 account for Exchange discovery scanning.
2. Grant the account one of the following roles to allow the Forcepoint DLP crawler
to discover messages and display results:
■ Organization Management
■ View Only Organization Management
The crawler account should now be able to access Exchange via Outlook Web
App (OWA) and move between the mailboxes intended to be scanned during the
discovery.
Log onto OWA with this account, and try switching between mailboxes as shown
below:

3. Configure Exchange impersonation for the service account used for discovery:
a. Open the Windows PowerShell as administrator.
b. Enter the following command:
$LiveCred = Get-Credential
c. When prompted for credentials, enter the user name (email address) and
password for the Exchange 365 account to be used for discovery.
d. Enter the following command:
$Session = New-PSSession -ConfigurationName
Microsoft.Exchange -ConnectionUri https://
ps.outlook.com/powershell/ -Credential $LiveCred -
Authentication Basic –AllowRedirection
Read and ignore any warnings that result.
e. Enter the following commands:
Import-PSSession $Session

32  Forcepoint DLP
 Getting Started with File Discovery

Set-ExecutionPolicy RemoteSigned
f. When prompted to change the execution policy, respond Yes.
g. Enter the following command:
Enable-OrganizationCustomization
h. Enter the following command:
New-ManagementRoleAssignment –Name "Impersonation-
Forcepoint" –Role "ApplicationImpersonation" –User
[email protected]
Here, “Impersonation-Forcepoint” is the name of the administrator role being
created for the Exchange 365 account and “user@mydomain” is the user
name that will be used for the discovery task.
4. To configure an Exchange discovery task:
a. Log on to the Data Security module of the Forcepoint Security Manager.
b. Go to the Main > Policy Management > Discovery Policies page, then click
Add network task > Exchange Task.
c. Complete the wizard as explained in the Forcepoint DLP Administrator
Help. On the Exchange Servers page, enter the credentials set up above.
5. Make sure that Integrated Windows authentication is turned on (default). If it is
not:
a. In the Exchange admin center, go to servers > virtual directories > EWS
(Default Web Site).
b. Select Integrated Windows authentication.
c. Click Save.

Prepare to run discovery on Exchange 2013

1. Define a service account for Exchange discovery scanning.
2. Grant the account one of the following roles. This is necessary so that the system
can discover messages and display results.
■ Organization Management
■ View Only Organization Management

Getting Started Guide  33

Getting Started with File Discovery

The service account should now be able to access Exchange via Outlook Web App
(OWA) and move between the mailboxes intended to be scanned during the
discovery. Log onto OWA with this account, and try switching between mailboxes
as shown below:

3. Configure Exchange impersonation for the service account used for the discovery:
a. Open the Exchange Management Shell.
b. Run the New-ManagementRoleAssignment cmdlet to add the permission to
impersonate to the specified user.
For example, to enable a service account to impersonate all other users in an
organization, enter the following:
New-ManagementRoleAssignment -
Name:impersonationAssignmentName -
Role:ApplicationImpersonation -User:ServiceAccount
For more information on Exchange impersonation, see msdn.microsoft.com/en-
us/library/bb204095.
4. Configure an Exchange discovery task as follows:
a. Log on to the Data Security module of the Forcepoint Security Manager.
b. Go to the Main > Policy Management > Discovery Policies page, then click
Add network task > Exchange Task.
c. Complete the wizard as explained in the Forcepoint DLP Administrator
Help. On the Exchange Servers page, enter the credentials set up above.
5. Check that Integrated Windows authentication is turned on (it should be on by
default). If it is not:
a. In the Exchange admin center, go to servers > virtual directories > EWS
(Default Web Site).

34  Forcepoint DLP
 Getting Started with File Discovery

b. Select Integrated Windows authentication.

Performing discovery on IBM Domino and Notes

Forcepoint DLP can perform discovery on documents stored in an IBM Domino Data
Management System (DMS).
Domino discovery treats a document (body and attachments) as one unit. This way, a
breach is reported even if the sensitive content is scattered in different parts of the
document that individually would not cause an incident.
To perform discovery on documents:
1. Log on to the Data Security module of the Forcepoint Security Manager.
2. Go to the Main > Policy Management > Discovery Policies page.
3. Select one of the following:
■ Locate regulatory & compliance data
■ Create custom policy.
4. Complete the steps in the wizard as described in the Forcepoint DLP
Administrator Help. Select dictionary, RegEx, fingerprinting, or other classifiers
as needed.
5. Go to the Main > Policy Management > Discovery Policies page.
6. Select Add network task > Domino Task.
7. Complete the steps in the wizard as described in the Forcepoint DLP
Administrator Help.
8. To deploy the policy and task to the Domino server, click Deploy.
The Domino server will be crawled for sensitive data at the next scheduled time.
Incidents are reported in Main > Reporting > Discovery reports.

Getting Started Guide  35

Getting Started with File Discovery

36  Forcepoint DLP
9 Configuring Labels

Getting Started Guide | Forcepoint DLP | Version 8.9.1

Use the Forcepoint Security Manager to import labels from labeling systems and
apply them on files in endpoint discovery scans (available on Windows operating
systems only). See:
● Import and enable Boldon James Classifier labels, page 37
● Import and enable Microsoft Information Protection labels, page 38
● Configure an action plan to apply labels, page 40

Import and enable Boldon James Classifier labels

To import Boldon James Classifier labels and enable the option to apply labels, first
ensure that the labeling system is installed on the network, and then do the following:
1. Log into the Data Security module of the Security Manager.
2. Go to Settings > General > Services and select the File Labeling tab.
3. Click the Boldon James Classifier link.
4. On the Boldon James Classifier Properties page, in the Imported Labels section,
click Import Labels. The Import Labels dialog box appears.
5. Click Choose File.
6. Browse to the Boldon James configuration file, and click OK to import it.
The file is usually called spif.xml. If the file is not found, contact Boldon James
technical support.
7. When the importation is successfully completed, the time and date of the process
and a list of imported labels appear in the Last import field.
8. Select the Apply file labels check box. You can now define DLP action plans that
use Boldon James Classifier file labels.
When this box is unchecked, Boldon James Classifier labels are used only for
detection.
9. In the Guidelines section, mark one or more check boxes to specify when
Forcepoint DLP should add or modify a label. Note the following aspects of the
guidelines:

Getting Started Guide  37

Configuring Labels

■ If a file does not meet a specified condition, its labeling remains unchanged.
■ Incident reports provide detailed information about whether labels were found
on files and whether they were changed.
10. Click OK to save the changes.

Import and enable Microsoft Information Protection

labels

Before you can import Microsoft Information Protection labels for the first time, you
must obtain permission for the Forcepoint application to perform the import, as
follows:
1. Log into the Microsoft Office 365 Admin Consent page, using your Microsoft
Office 365 admin credentials for authentication.
2. Accept the permission statement on the page.
Next, to import enable Microsoft Information Protection labels, first ensure that the
labeling system is installed on the network, and then do the following:
1. Log into the Data Security module of the Security Manager.
2. Go to Settings > General > Services and select the File Labeling tab.
3. Click the Microsoft Information Protection link.
4. On the Microsoft Information Protection Properties page, in the Imported Labels
section, enter your Microsoft Office 365 admin credentials, and then click Import
Labels.

Note
We recommend that you enter credentials for an
administrator who has visibility to all Microsoft
Information Protection labels used in the organization.
User credentials are not stored on Forcepoint servers. You
should also ensure that your web browser does not store
this information.

5. Click OK to start the import process. Note that if the consent process was not
completed, this step generates an error. Complete the consent process, and then try
again.
6. When the importation is successfully completed, the time and date of the process
and a list of imported labels appear in the Last import field.
7. Select the Apply file labels check box. You can now define DLP action plans that
use Microsoft Information Protection file labels.
When this box is unchecked, Microsoft Information Protection labels are used
only for detection.

38  Forcepoint DLP
 Configuring Labels

8. Click OK to save the changes.

Note
Files that are protected by Microsoft Information
Protection can be decrypted automatically during DLP
analysis (see “Configuring MIP for endpoint decryption”
in the Forcepoint DLP Administrator Guide).

Getting Started Guide  39

Configuring Labels

Configure an action plan to apply labels

To configure labels to apply on files for Discovery Policies (endpoint only):

1. Log into the Data Security module of the Security Manager.
2. Go to Policy Management > Resources > Action Plans and select the Discovery
tab.
3. In the Endpoint Discovery section, select a labeling system from the drop-down
menu.
4. Select the labels you want to apply. Make sure they are from the labeling system
you chose.
5. Click OK to save.
6. Add the action plan to the desired Discovery Policy.
For more information, see Forcepoint DLP Administrator Guide.

40  Forcepoint DLP
10 Getting Started with the
REST API Service

Getting Started Guide | Forcepoint DLP | Version 8.9.1

The REST API service allows customers to remotely pull and manage incident data
from Forcepoint Security Manager to integrate with SOAR, SIEM, BI and other
solutions.
The REST API service allows to get Discovery and DLP incidents by verifying
optional filters like policy, department, or the Risk Level. In addition, the REST API
allows customers to update incidents’ Status, Severity, assigned administrator, and
more.
The following REST APIs are available:
● Get Incidents API
● Update Incidents API
Make sure you create a Local Account of Administrator from type Application on the
Forcepoint Security Manager and apply the authentication process before using the
service.
To connect an application to Forcepoint DLP through a REST API connection, you
need to create an Application administrator in the Forcepoint Security Manager on
the Global Settings > General > Administrators settings page. For more
information, see the Enabling access to the Security Manager topic in the Forcepoint
Security Manager Help. The Application administrator type is only supported for
Local accounts. Please note that Network accounts cannot be configured as an
Application type.
For more information about the Authentication process and using the REST API
service, see the Forcepoint DLP REST API Guide.

Getting Started Guide  41

Getting Started with the REST API Service

42  Forcepoint DLP