Juniper Secure Edge Application User Guide
- June 9, 2024
- Juniper
Table of Contents
- Secure Edge Application
- About Juniper Secure Edge
- Getting started
- Onboarding cloud applications and suites
- Post-onboarding tasks
- Configuring tenants for user access and session activity
- Managing users
- Configuring CASB for enterprise integration
- Configuring logs
- Creating and managing notifications and alerts
- Configuring Juniper Secure Edge CASB for policy management
- Creating policies for data protection and application security
- Managing connected applications
- Cloud Security Posture Management (CSPM) and SaaS Security Posture
- Cloud Data Discovery
- Violation management and quarantine
- Monitoring and managing system activity
- Creating, viewing, and scheduling reports
- Quick reference: Home dashboard charts
- Quick reference: RegEx examples
- Quick reference: Supported file types
Engineering Simplicity
Secure Edge
CASB and DLP Administration Guide
Secure Edge Application
Copyright and disclaimer
Copyright © 2023 Lookout, Inc. and/or its affiliates. All rights reserved.
Lookout, Inc., Lookout, the Shield Logo, and Everything is OK are registered
trademarks of Lookout, Inc. Android is a trademark of Google Inc. Apple, the
Apple logo, and iPhone are trademarks of Apple Inc., registered in the U.S.
and other countries. App Store is a service mark of Apple Inc. UNIX is a
registered trademark of The Open Group. Juniper Networks, Inc., Juniper, the
Juniper logo, and Juniper Marks are registered trademarks of Juniper Networks,
Inc.
All other brand and product names are trademarks or registered trademarks of
their respective holders.
This document is provided under a license agreement containing restrictions on
its use and disclosure and is protected by intellectual property laws. Except
as expressly permitted in your license agreement or allowed by law, you may
not use, copy, reproduce, translate, broadcast, modify, license, transmit,
distribute, exhibit, perform, publish, or display any part, in any form, or by
any means.
The information contained in this document is subject to change without notice
and is not warranted to be error-free. If you find any errors, please report
them to us in writing.
This document may provide access to, or information on content, products and
services from third parties. Lookout, Inc. and its affiliates are not
responsible for and expressly disclaim all warranties of any kind with respect
to third-party content, products, and services. Lookout, Inc. and its
affiliates will not be responsible for any loss, costs, or damages incurred
due to your access to or use of third-party content, products, or services.
2023-04-12
About Juniper Secure Edge
Juniper Secure Edge helps you secure your remote workforce with consistent
threat protection that follows users wherever they go. It provides full-stack
Security Service Edge (SSE) capabilities to protect web, SaaS, and on-premises
applications and provides users with consistent and secure access from
anywhere.
Its key SSE capabilities include Cloud Access Security Broker (CASB) and Data
Loss Prevention (DLP), which protect user access to SaaS applications and
ensure that sensitive data in those applications doesn’t leave your network if
you don’t want it to.
Benefits of Juniper Secure Edge
- Secure user access from anywhere—Support your remote workforce in the office, at home, or on the road with secure access to the applications and resources they need. Consistent security policies follow users, devices, and applications without copying or recreating rule sets.
- Single policy framework from a single UI—Unified policy management from the edge through the data center means fewer policy gaps, elimination of human error, and a more secure environment.
- Dynamic user segmentation—Follow-the-user policy provides automated access control to employees and third-party contractors through granular policy, locking down third-party access as an attack vector.
- Protect access to applications on-premises and in the cloud—Reduce risk by leveraging effective threat prevention services proven to be the most effective on the market by multiple third-party tests to inspect traffic, ensuring secure access to web, SaaS, and on-premises applications from anywhere.
- Transition at a pace that is best for your business—Juniper meets you where you are on your journey, helping to leverage the cloud-delivered security capabilities of Secure Edge for both on-premises edge security at the campus and branch, and for your remote workforce, working from anywhere.
Cloud Access Security Broker
CASB provides visibility into SaaS applications and granular control to ensure
authorized access, threat prevention, and compliance.
Using Juniper’s CASB, you can:
- Apply granular controls to ensure authorized access, threat prevention, and compliance.
- Secure your data from unauthorized or inadvertent access, malware delivery and distribution, and data exfiltration.
- Allow organizations to leverage their existing technology investments, whether you are starting on-premises with campus and branch, in the cloud with remote workforce, or a hybrid approach.
Data Loss Prevention
Juniper’s DLP classifies and monitors data transactions to help you meet
compliance requirements and maintain data security. Juniper’s DLP reads files, classifies content
(for example, credit card numbers, social security numbers, and addresses),
and tags the file as containing a specific category of data. Using your
organization’s DLP policy, you can add granular controls and add tags (for
example, HIPAA and PII) to the files. If anyone attempts to remove the data
from your organization, Juniper’s DLP stops that from happening.
Getting started
The following sections provide instructions for the next steps after you have deployed Juniper Secure Edge:
- Logging in for the first time
- Viewing feature walkthroughs
- Accessing product information, documentation, and customer support
- Managing your password and logging out
Once you log in, you will be provided with options for onboarding cloud
applications.
Logging in for the first time
After your enterprise has purchased Juniper Secure Edge, you will receive an
email with a link that provides a username and a temporary password. Click the
link.
The username you see in the Create Account screen is prepopulated from the
email.
- Enter the temporary password.
- In the Password field, enter a new password for future use. Hints are provided as a guide to the type and number of characters allowed.
- Re-enter the new password in the Confirm Password field and click Create.
Note
The email link and temporary password expire in 24 hours. If more than 24
hours have passed before you see this email, contact Support to get a new
temporary link and password.
When you have completed the login steps, the initial welcome screen appears.
When you are ready to onboard unsanctioned or sanctioned cloud applications,
select these areas from the Management Console:
- To initiate cloud discovery for unsanctioned cloud applications: Choose Administration > Log Agents to upload log files and create log agents.
- To onboard sanctioned cloud applications: Choose Administration > App Management. Then, follow the instructions for onboarding cloud applications.
Viewing feature walkthroughs
Click the i menu to view a list of how-to walkthroughs of Juniper Secure Edge
features.
Accessing product information, documentation, and customer support
Click the question mark icon to display the help menu.
Version information
Click the About link.
Documentation and videos
The following links are available:
- Walkthrough Videos – Opens the Walkthrough Videos page, with links to videos about product features. You can also access links to feature videos from any Management Console page that displays a video link at the upper right.
- Online Help – Opens the online help for the product. The help includes a clickable Table of Contents and an index for searching.
- Documentation – Opens a link to a downloadable PDF of the Juniper Secure Edge CASB and DLP Administration Guide.
Customer support
You can contact Juniper Networks Technical Assistance Center (JTAC) 24 hours a
day, seven days a week on the Web or by telephone:
- Juniper Support Portal: https://supportportal.juniper.net/
Note
If this is your first time requesting support, please register and create
an account at: https://userregistration.juniper.net/
- Telephone: +1-888-314-JTAC (+1-888-314-5822), toll free in U.S., Canada, and Mexico
Note
For international or direct-dial options in countries without toll free
numbers, see https://support.juniper.net/support/requesting-support. If
you are contacting JTAC by telephone, enter your 12-digit service request
number followed by the pound (#) key for an existing case, or press the star
(*) key to be routed to the next available support engineer.
Managing your password and logging out
Use the following procedures to change your password, reset a forgotten
password, and log out.
Changing your administrative password
- Click the Profile icon.
- Click Change Password.
- Enter your current password in the Old Password field.
- Enter your new password in the New Password and Confirm Password fields.
- Click Update.
Resetting a forgotten password
If you forgot your password, perform the following steps to reset it.
- From the Login screen, click Forgot your password?.
- In the Forgot Password screen, enter your username and click Reset. You will receive an email with a temporary password and a link to reset your password. This temporary password will expire in 24 hours. If more than 24 hours have passed since you received your temporary password, you will see a Token Expired message when you try to enter your temporary password. If this happens, repeat the first two steps to receive a new temporary password.
- In the email, click the link for the new temporary password. The Forgot Password dialog box is displayed with your first name, last name, and username filled in.
- Enter the temporary password provided. If you copy and paste the temporary password from the email instead of typing it, be sure not to copy any extra spaces or characters.
- Enter your new password in the New Password and Confirm New Password fields. As you type, tooltips appear at the right that provide guidance for the required format and number of characters.
- Click Create.
Logging out
Click the Profile icon and click Logout.
Onboarding cloud applications and suites
The following sections provide instructions for configuring and onboarding
cloud applications and application suites. Once cloud applications are
onboarded, you can create and configure policies for those cloud applications.
For Secure Web Gateway (SWG), you can also create and configure policies for
web access.
Supported sanctioned cloud applications
Juniper Secure Edge supports the following cloud types:
- Atlassian
- AWS
- Azure
- Box
- Dropbox
- Egnyte
- Google Cloud
- Google Drive
- Now
- OneDrive
- Salesforce
- ServiceNow
- SharePoint
- Slack
- Teams
Support is available for custom applications you create to meet your specific
data security needs.
For each cloud application you onboard, you will need to provide a service
account with login credentials for the managed administrative user of that
application. These application-specific login credentials enable the
administrator to manage the account details for an application and monitor
user activity for it.
Note
Juniper Secure Edge does not store cloud-specific administrator credentials.
Onboarding process overview
Some onboarding steps vary depending on the cloud you are onboarding and the
types of protection you choose. The following overview summarizes the
onboarding procedure.
From the Management Console, select Administration > App Management.
Click New. Then, perform the following steps.
Enter basic information
- Choose a cloud application type.
- (Required) Enter a name for the new cloud application. Use only alphabetical characters, numbers, and the underscore character (_). Do not use spaces or any other special characters.
- (Optional) Enter a description for the new application.
For application suites, select applications
If you are onboarding a cloud type that is an application suite, you will be
prompted to select the applications in that suite that you want to protect.
Click the check marks for the applications to include.
Select protection modes
Depending on the cloud type you chose, some or all of the following protection
modes will be available.
For suites, the selected protection modes apply to the entire suite.
- API Access – Provides an out-of-band approach to data security; performs ongoing monitoring of user activities and administrative functions.
- Cloud Security Posture – Used for cloud types for which you want to apply Cloud Security Posture Management functionality.
- Cloud Data Discovery — Used for cloud types for which you want to apply Cloud Data Discovery functionality.
- Select one or more protection modes, depending on the type of protection you want to enable for a cloud. You can create policies for the cloud application based on the protection modes you choose.
- Click Next.
Select configuration settings
You will need to set configuration information for the cloud application you
are onboarding. These configuration settings will vary, depending on the cloud
type and the protection modes you choose.
Enter authorization information
For most protection modes, you will need to go through an authorization step
by logging in to the cloud application with your administrator credentials for
the account.
Save the onboarded cloud application
- Click Next to view a summary of information about the new cloud application. The summary shows the cloud type, name and description, the selected protection modes, and other information, depending on the cloud type and selected protection modes for the cloud application.
- Click Previous to correct any information or click Save to confirm the information.
The new cloud application is added to the App Management page.
The display in the grid shows the following information:
- The name of the cloud application.
- A description (if provided). To view the description, hover over the information icon next to the cloud application name.
- The protection modes available for the cloud application. Each icon represents a protection mode. The protection modes you selected for this cloud appear in blue; those not selected for this cloud appear in gray. Hover over each icon to see its protection type.
- The key assignment status. The orange icon at the upper right indicates that the application is waiting for a key to be assigned. You can assign a key now or do so later. Once you assign a key to the cloud application, the orange icon is replaced by a green check mark.
- The user ID (email address) of the administrator user who onboarded the application.
- The date and time the application was onboarded.
The following sections provide instructions for onboarding cloud applications
and suites.
Onboarding Microsoft 365 suite and applications
This section outlines the procedures for onboarding a Microsoft 365 suite and
applications and enabling audit logging.
Note
The following user roles are required for onboarding.
- Office Apps Administrator
- SharePoint Administrator
- Teams Administrator
- Application Administrator
- Cloud Application Administrator
- Guest Inviter
- Privileged Authentication Administrator
- Privileged Role Administrator
- Global Reader
- Compliance Administrator
- Compliance Data Administrator
Configuration steps
Microsoft 365 application suite
CASB can provide protection options to the entire suite of Microsoft 365
applications, including Microsoft Teams in addition to OneDrive and
SharePoint.
The Microsoft 365 cloud type is an application suite. You can onboard the
suite, and then select the applications for which to apply protection. Some
configurations, such as key management, will apply to the entire suite and
cannot be specified by application. Other configurations can be customized for
each application in the suite.
CASB provides a dedicated dashboard for monitoring activity in the Microsoft
365 suite applications. You can select the Microsoft 365 dashboard from the
Monitor menu.
Turning on audit log search and verifying mailbox management by default
To monitor applications in the Microsoft 365 suite, you must turn on audit log
search. You must turn on audit logging in the Microsoft Security & Compliance
Center before you can start searching the Microsoft 365 audit log. Turning on
this option causes user and administrator activity from your organization to be
recorded in the audit log. The information is retained for 90 days.
For more details and instructions about how to turn audit log search on or
off, see https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off
SharePoint / OneDrive
Creating sites for new SharePoint or OneDrive users
When new users are added to a SharePoint or OneDrive account, you must perform
the following procedure to start monitoring and protecting data in the
personal sites for these users. You should also perform a user sync.
Perform the following steps to add sites for new SharePoint or OneDrive users.
- Log in as the administrator.
- Go to Admin > SharePoint admin center > user profiles > My Site Settings > Setup My Sites.
- Under Setup My Sites, check Enable My Site secondary admin, and select the admin as the site admin.
- Go to User Profiles > Manage User Profiles.
- Under Manage User Profiles, right-click the user’s profile, and click Manage site collection owners. User profiles are not displayed by default; they appear only when you search for them. The site admin should now appear in the list of site collection administrators.
Creating a Quarantine site in SharePoint
You must create a SharePoint site called Quarantine-Site to enable the
Quarantine action to work.
Onboarding steps
- Go to Administration > App Management and click Add New.
- Choose Office 365. This is the Office 365 application suite.
- Click Next.
- Enter a Name (required) and a Description (optional) for the new cloud application. For the name, use only alphabetical characters, numbers, and the underscore character (_). Do not use spaces or any other special characters.
- Select the Microsoft 365 applications in the suite that you want to protect. The named applications are the specific applications that are supported. The Other Apps selection includes any unsupported or partially supported applications such as Calendar, Dynamics365, Excel, Word, Planner, Sway, Stream, and Video.
- Click Next.
- Select one or more protection modes. The protection options you see vary, depending on the Microsoft 365 applications you selected in the previous step, and will apply to those applications. You cannot select protection modes for individual applications.
| Protection mode | Availability and notes |
|---|---|
| API Access | Available for all Microsoft 365 applications. Must also be enabled if you enable Dynamic or Cloud Data Discovery. |
| Cloud Security Posture | Available for all Microsoft 365 applications. Select this mode if you want to implement Cloud Security Posture Management (CSPM) functionality, also known as SaaS Security Posture Management (SSPM) functionality, for this cloud. For more information about CSPM, see Cloud Security Posture Management (CSPM). |
| Cloud Data Discovery | Available for OneDrive and SharePoint applications. Select this mode if you want to implement Cloud Data Discovery functionality for this application. Also requires API Access to be enabled. |

- Click Next.
- Enter the following configuration information. The fields you see depend on the protection modes you selected.
● Proxy
● The Custom HTTP Header Name and Custom HTTP Header Value fields are configured at the cloud level (as opposed to the cloud application level). If this is the first Microsoft 365 cloud application you are onboarding, the values you enter in these two fields will apply to all other Microsoft 365 cloud applications you onboard. If this is not the first Microsoft 365 cloud application you are onboarding, these field values will be initialized from the first Microsoft 365 cloud you onboarded.
The remaining fields are configured for the cloud application you are onboarding. Enter values as needed.
● Login Domain Prefix — For example, companyname.com (as in @companyname.com)
● Specific Domains – Microsoft 365-specific domain names that need to be redirected. Enter or select domains for this cloud application.
● Tenant Identifier Domain Prefix — For example, casbprotect (as in casbprotect.onmicrosoft.com)
● API Settings (required only for API Access protection mode) —
● Content Collaboration Scan – The toggle is enabled by default. This setting enables events for File CheckIn/CheckOut to be processed. If this toggle is disabled, these events are not processed.
● Internal Domains — Enter one or more internal domains.
● Archive Settings – Enables archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files (including those for SharePoint and Teams) are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.
Notes
● If you onboard Microsoft Teams as a Microsoft 365 application, be sure that an Active Sync directory is created, because Azure AD is the source of user information. To create a directory, go to Administration > Enterprise Integration > User Directory.
● When the authorized administrator for a cloud account is changed, previously archived content in the CASB Compliance Review folder that is owned by the previous administrator should be shared with the new authorized administrator to enable archived data to be reviewed and restored.
The Archive Settings option is available for onboarded cloud applications with the API Access protection mode selected.
Two options are available:
● Remove from Trash
● Archive
For Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.
Note
For OneDrive cloud applications (Microsoft 365), files for non-administrator user accounts are not removed from the Trash when the Remove from Trash flag is enabled.
Click the toggles to enable or disable the settings. If you select the Archive action, you must also select the Remove from Trash option for archiving to be enabled.
Enter the number of days for which to retain archived files. The default value is 30 days.
● Authorization — Authorize the Microsoft 365 components. You will need to provide your Microsoft 365 login credentials when prompted. Click the buttons as follows:
● OneDrive and SharePoint — Click each Authorize button. If you did not select either of these applications earlier, these buttons do not appear.
● Office 365 – Clicking Authorize authorizes the Office 365 suite components you selected, except for OneDrive and SharePoint, which must be authorized separately. This authorization is for monitoring only.
- Click Next.
- View the summary page to verify that all information is correct. If it is, click Next.
The onboarding is complete. The cloud application is added to the list on the App Management page.
Enabling audit logging and managing mailbox auditing
Once you have onboarded a Microsoft 365 suite with applications, you must turn
on audit logging in your Microsoft 365 account before you can search the audit
log. Event polling will start 24 hours after audit logging is enabled.
For information and instructions about audit logging for Microsoft 365, see
the following Microsoft documentation: https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide
Onboarding Slack Enterprise applications
This section outlines the procedure for onboarding a Slack enterprise cloud
application. For these applications, you can choose several protection modes
including API Access, which provides expanded access controls that go beyond
user IDs, such as denial of logins from non-compliant or compromised devices
and from users with patterns of risky behavior.
A non-enterprise Slack application is also available with a smaller number of
protection modes.
Onboarding steps
- Go to Administration > App Management.
- In the Managed Apps tab, click Add New.
- Select Slack Enterprise and click Next.
- Enter a Name (required) and a Description (optional). Then click Next.
- Select one or more protection modes.
● API Access
● Cloud Data Discovery
- Enter the information for the selected protection modes.
● For API Settings – Enter or select the following information:
● The API Usage type — Defines how this application will be used with API protection. Check Monitoring & Content Inspection, Receiving Notifications, or Select All. If you select only Receiving Notifications, this cloud application is not protected and will be used only to receive notifications.
● Enable Review of Quarantine Files — Click this toggle to enable reviewing of tombstoned files through the Slack channel.
● Internal Domains – Enter any internal domains applicable for this application.
● Slack Enterprise Domain (Full Login Domain) — Enter the full domain for your organization. Example: https://.enterprise.slack.com
- Click Authorize. Enter Slack credentials when prompted.
- Slack displays a prompt requesting that you confirm permissions to access your organization’s messages, modify messages, and view elements from workspaces, channels, and users in your organization. Click Allow to confirm these permissions.
- Authorize one or more workspaces. Click Authorize next to the workspace name to authorize it. At least one workspace must be authorized.
- When prompted to install the app in the workspace, click Allow.
Note
If you want to enable additional functionality, each workspace must be onboarded (authorized) separately. If the workspaces are not authorized separately, the following actions will not be supported:
● Encrypt
● Watermark
● Removed external shared link
- In response to the prompt for non-discovery access, click Allow.
- Click Next. The Key Management page is displayed.
- To request a new key now, click Request New Key. The administrator will be notified, and a key will be assigned. Then, click Save. If you want to request a new key later, click Save.
Onboarding the AWS suite and applications
This section outlines instructions for onboarding the AWS suite in CASB. You
can choose to perform an automated or manual onboarding depending on your
needs.
Automated onboarding
You can onboard the AWS suite automatically using the provided Terraform
module.
Onboarding with Terraform
- In the Management Console, select Administration > System Settings > Downloads.
- Locate the file aws-onboarding-terraform-module-.zip and download it.
- Extract the contents of the zip file.
- Locate and open the file README-Deployment steps.pdf.
- Follow the instructions provided in the README file to complete the automated onboarding.
Manual onboarding
This section outlines instructions for configuring the AWS suite for manual
onboarding in CASB, followed by the manual onboarding instructions.
Configuration steps
Before you onboard the AWS application, you must perform a set of
configuration steps.
Note: These configuration steps are only necessary if you plan to onboard
AWS in API mode. If you plan to onboard AWS in inline mode, skip to Onboarding
steps.
To get started, log in to the AWS console (http://aws.amazon.com).
Then, perform the following configuration steps.
- Step 1 — Create an Identity Access Management (IAM) DLP policy
- Step 2 – Create an IAM Monitor policy
- Step 3 – Create an IAM Cloud Security Posture Management (CSPM) policy
- Step 4 – Create an IAM Key Management Service (KMS) policy
- Step 5 – Create an IAM role for Juniper CASB
- Step 6 – Create Simple Queue Service (SQS)
- Step 7 – Create a Cloud Trail
Step 1 — Create an Identity Access Management (IAM) DLP policy
- Click Services and select IAM.
- Select Policies and click Create Policy.
- Click the JSON tab.
- Copy and paste the following policy information.

```json
{
  "Statement": [
    {
      "Action": [
        "iam:GetUser",
        "iam:ListUsers",
        "iam:GetGroup",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "s3:ListAllMyBuckets",
        "s3:GetBucketNotification",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:PutBucketNotification",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:GetBucketAcl",
        "s3:PutBucketAcl",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:ListBucket",
        "sns:CreateTopic",
        "sns:SetTopicAttributes",
        "sns:GetTopicAttributes",
        "sns:Subscribe",
        "sns:AddPermission",
        "sns:ListSubscriptionsByTopic",
        "sqs:CreateQueue",
        "sqs:GetQueueUrl",
        "sqs:GetQueueAttributes",
        "sqs:SetQueueAttributes",
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage",
        "cloudtrail:DescribeTrails"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "LookoutCasbAwsDlpPolicy"
    }
  ],
  "Version": "2012-10-17"
}
```

- Click Review Policy at the lower right portion of the screen.
- Name the policy lookout-api-policy and click Create Policy.
Step 2 – Create an IAM Monitor policy
- Click Services and select IAM.
- Select Policies and click Create Policy.
- Click the JSON tab.
- Copy and paste the following policy information.

```json
{
  "Statement": [
    {
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:LookupEvents",
        "iam:Get*",
        "iam:List*",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListMultipartUploadParts",
        "s3:PutBucketAcl",
        "s3:PutBucketNotification",
        "s3:PutObject",
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "LookoutCasbAwsMonitorPolicy"
    }
  ],
  "Version": "2012-10-17"
}
```

- Click Review Policy at the lower right portion of the screen.
- Give the policy the name lookout-aws-monitor and click Create Policy.
Step 3 – Create an IAM Cloud Security Posture Management (CSPM) policy
- Click Services and select IAM.
- Select Policies and click Create Policy.
- Click the JSON tab.
- Copy and paste the following policy information:

```json
{
  "Statement": [
    {
      "Action": [
        "account:*",
        "cloudhsm:AddTagsToResource",
        "cloudhsm:DescribeClusters",
        "cloudhsm:DescribeHsm",
        "cloudhsm:ListHsms",
        "cloudhsm:ListTags",
        "cloudhsm:ListTagsForResource",
        "cloudhsm:TagResource",
        "cloudtrail:AddTags",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:TagResource",
        "config:Describe*",
        "dynamodb:ListStreams",
        "dynamodb:TagResource",
        "ec2:CreateTags",
        "ec2:Describe*",
        "ecs:DescribeClusters",
        "ecs:ListClusters",
        "ecs:TagResource",
        "elasticbeanstalk:AddTags",
        "elasticfilesystem:CreateTags",
        "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "glacier:AddTagsToVault",
        "glacier:ListVaults",
        "iam:GenerateCredentialReport",
        "iam:Get*",
        "iam:List*",
        "iam:PassRole",
        "kms:DescribeKey",
        "kms:ListAliases",
        "kms:ListKeys",
        "lambda:ListFunctions",
        "lambda:TagResource",
        "logs:DescribeLogGroups",
        "logs:DescribeMetricFilters",
        "rds:AddTagsToResource",
        "rds:DescribeDBInstances",
        "redshift:CreateTags",
        "redshift:DescribeClusters",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketWebsite",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketTagging",
        "sdb:ListDomains",
        "secretsmanager:ListSecrets",
        "secretsmanager:TagResource",
        "sns:GetTopicAttributes",
        "sns:List*",
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "tag:TagResources",
        "tag:UntagResources"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "LookoutCasbAwsCspmPolicy"
    }
  ],
  "Version": "2012-10-17"
}
```

- Click Review Policy.
- Give the policy the name lookout-cspm-policy and click Create Policy.
Step 4 – Create an IAM Key Management Service (KMS) policy
Perform the following steps if the S3 bucket has KMS encryption enabled.
- Click Services and select IAM.
- Select Policies and click Create Policy.
- Click the JSON tab.
- From an S3 bucket, obtain the KMS key ARN for the KMS policy information.
a. Click an S3 bucket.
b. Click Bucket Properties.
c. Scroll to the default encryption section and copy the AWS KMS key ARN.
If different keys are assigned to different buckets, add each key ARN under Resource in the policy information (step 5).
- Copy and paste the following policy information, replacing the <AWS KMS key ARN> placeholder with the key ARN you copied:
{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey",
    "kms:ReEncryptTo",
    "kms:DescribeKey",
    "kms:ReEncryptFrom"
  ],
  "Resource": [
    "<AWS KMS key ARN>"
  ]
}
- Click Review Policy.
- Give the policy the name lookout-kms-policy and click Create Policy.
Step 5 – Create an IAM role for Juniper CASB
- Click Roles and select Create role.
- Select Role Type: Another AWS Account.
- For Account ID, enter the ID obtained from the Juniper Networks team. This is the account ID of the AWS account in which the tenant Management Server is onboarded.
- Under Options, check Require External ID.
- Enter the following information:
● External ID – Enter a unique attribute to be used while onboarding AWS S3 in CASB.
● Require MFA – Do not check.
- Click Next: Permissions.
- Assign the policies created in the first three steps according to the desired protection modes. For example, if you need only an S3 DLP policy, select only the lookout-casb-aws-dlp policy.
- Click Next: Tags and (optional) enter any tags you want to include on the Add Tags page.
- Click Next: Review.
- Enter a Role Name (for example, Juniper-AWS-Monitor) and click Create Role.
- Search for the role name you created and click it.
- Copy the role ARN and enter it in the Role ARN field.
- Copy the External ID from the Roles > Trust relationships tab > Lookout-AWS-Monitor summary view > Conditions.
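As an added check that is not part of the Juniper guide, the following Python script reviews what Steps 2 to 5 grant before the role is handed over: it splits the Allow actions into read-only, mutating and wildcard groups, lists statements scoped to every resource, and confirms that the role's trust policy pins sts:ExternalId. CSPM_POLICY is a constructed subset of the lookout-cspm-policy above; TRUST_POLICY, the account ID and the External ID are placeholders in the shape the console produces for "Another AWS account" with "Require External ID".

```python
"""Review the IAM grants made during AWS onboarding (added example, not Juniper's code)."""
import json

# Constructed subset of the lookout-cspm-policy from Step 3 (sample input only).
CSPM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LookoutCasbAwsCspmPolicy",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "account:*",
                "cloudtrail:DescribeTrails",
                "ec2:CreateTags",
                "ec2:Describe*",
                "iam:GenerateCredentialReport",
                "iam:Get*",
                "iam:List*",
                "iam:PassRole",
                "s3:GetBucketAcl",
                "s3:PutBucketTagging",
            ],
        }
    ],
}

# Constructed trust policy; <JUNIPER_ACCOUNT_ID> and <EXTERNAL_ID> are placeholders.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::<JUNIPER_ACCOUNT_ID>:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "<EXTERNAL_ID>"}},
        }
    ],
}

# Action verbs that only read state; everything else is treated as mutating.
READ_PREFIXES = ("Describe", "Get", "List", "Generate")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def classify_actions(policy):
    """Split the Allow actions into read-only, mutating and wildcard groups."""
    groups = {"read": [], "mutate": [], "wildcard": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _, _, verb = action.partition(":")
            if verb in ("", "*") or verb.endswith("*"):
                groups["wildcard"].append(action)  # account:*, iam:Get*, ...
            elif verb.startswith(READ_PREFIXES):
                groups["read"].append(action)
            else:
                groups["mutate"].append(action)  # CreateTags, PassRole, Put*, ...
    return groups


def star_resource_sids(policy):
    """Sids of Allow statements whose Resource is '*' (every resource in the account)."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))
    ]


def assume_role_requires_external_id(trust_policy, expected=None):
    """True only if every Allow sts:AssumeRole statement pins sts:ExternalId.

    Without the condition, any principal in the trusted account could assume the
    role; with it, the caller must also present the External ID you entered.
    """
    seen = False
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        seen = True
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext or (expected is not None and ext != expected):
            return False
    return seen


if __name__ == "__main__":
    print(json.dumps(classify_actions(CSPM_POLICY), indent=2))
    print("Resource '*' in:", star_resource_sids(CSPM_POLICY))
    print("External ID enforced:", assume_role_requires_external_id(TRUST_POLICY))
```

Run it against the full policies you pasted (load them with json.load) and against the trust policy shown under Roles > Trust relationships; anything in the mutate or wildcard groups should be justified by the protection modes you enabled.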
Step 6 – Create Simple Queue Service (SQS)
- Under Services, go to Simple Queue Service (SQS).
- Click Create New Queue.
- Enter a Queue Name and select Standard Queue as the queue type.
- Go to the Access Policy section.
- Select Advanced and paste the following policy information, replacing the <account-id>, <region>, and <queue-name> placeholders with the values for your account and queue.
{
  "Version": "2008-10-17",
  "Id": "default_policy_ID",
  "Statement": [
    {
      "Sid": "owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:<region>:<account-id>:<queue-name>"
    },
    {
      "Sid": "s3_bucket_notification_statement",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:<region>:<account-id>:<queue-name>"
    }
  ]
}
- Click Create Queue.
Step 7 – Create a CloudTrail trail
- From Services, go to CloudTrail.
- Select Trails from the left panel.
- Click New Trail and enter the following information.
● Trail name – ccawstrail (for example)
● Apply trail to all regions – Check Yes.
● Management events –
● Read/Write events – Check All.
● Log AWS KMS events – Check Yes.
● Insight events – Check No.
● Data Events (optional) – Configure data events if you want to see activity audit logs and AWS monitoring screens.
● Storage location –
● Create a new S3 bucket – Check Yes to create a new bucket or No to pick an existing bucket in which to store logs.
- S3 bucket – Enter a name (for example, awstrailevents).
- Click Create Trail at the bottom of the screen.
- Under Buckets, go to the bucket that stores the CloudTrail logs (for example, awstrailevents).
- Click the Properties tab for the bucket.
- Go to the Event Notifications section and click Create event notification.
- Enter the following information for the notification.
● Name – Any name (for example, SQS Notification)
● Event Types – Check all object create events.
● Filters – Enter any filters to apply to the notification.
● Destination – Select SQS Queue.
● Specify SQS Queue – Select LookoutAWSQueue (the SQS queue created in Step 5).
- Click Save Changes.
The event notification is created.
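As an added example (not the product's own consumer code), the following Python function decodes the messages that S3 delivers to the queue configured in Steps 6 and 7 and keeps only newly created CloudTrail log objects from the expected bucket, which is a quick way to confirm the trail-to-queue pipeline is delivering before onboarding. The sample messages are constructed; the bucket name awstrailevents and the account ID 123456789012 are placeholders.

```python
"""Decode S3 event notifications from the SQS queue and keep only new CloudTrail
log objects (added example, not Juniper's code; sample messages are constructed)."""
import json
import re
from urllib.parse import unquote_plus

# CloudTrail writes logs under [<prefix>/]AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/.
# Digest files live under CloudTrail-Digest/ and are deliberately not matched.
CLOUDTRAIL_KEY = re.compile(
    r"^(?:.+/)?AWSLogs/\d{12}/CloudTrail/[^/]+/\d{4}/\d{2}/\d{2}/[^/]+\.json\.gz$"
)

# s3:TestEvent is sent once when the notification is created and carries no Records.
SAMPLE_TEST_EVENT = json.dumps({
    "Service": "Amazon S3", "Event": "s3:TestEvent", "Time": "2024-06-09T00:00:00.000Z",
    "Bucket": "awstrailevents", "RequestId": "EXAMPLE", "HostId": "EXAMPLE",
})

# Constructed batch: one CloudTrail log, one digest file, one delete event.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "awstrailevents"},
            "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2024/06/09/"
                              "123456789012_CloudTrail_us-east-1_20240609T0000Z_abc123.json.gz"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "awstrailevents"},
            "object": {"key": "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/06/09/"
                              "123456789012_CloudTrail-Digest_us-east-1_20240609T000000Z.json.gz"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "awstrailevents"},
            "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2024/06/08/old+file.json.gz"}}},
]})


def cloudtrail_objects(sqs_message_body, expected_bucket):
    """Return (bucket, key) for each ObjectCreated event that points at a CloudTrail log.

    Events from any other bucket are dropped: the queue policy lets the S3 service
    principal send to the queue, so the bucket name is what ties a message to
    the trail you configured.
    """
    body = json.loads(sqs_message_body)
    if body.get("Event") == "s3:TestEvent":
        return []
    found = []
    for record in body.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record.get("s3", {}).get("bucket", {}).get("name")
        # S3 URL-encodes object keys in notifications; decode before matching.
        key = unquote_plus(record.get("s3", {}).get("object", {}).get("key", ""))
        if bucket != expected_bucket or not CLOUDTRAIL_KEY.match(key):
            continue
        found.append((bucket, key))
    return found


if __name__ == "__main__":
    for bucket, key in cloudtrail_objects(SAMPLE_RECORDS, "awstrailevents"):
        print(f"new CloudTrail log: s3://{bucket}/{key}")
```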
Onboarding steps
- Go to Administration > App Management and click New.
- Select AWS from the dropdown list.
- Enter a Name (required) and a Description (optional) and click Next.
- For the application, check Amazon Web Services and click Next.
- Select one or more of the following protection modes by clicking the toggle for each protection mode to include.
● Cloud Authentication
● API Access
● Cloud Security Posture
- Click Next.
Notes
● To onboard AWS in API mode, choose API Access.
● Cloud Security Posture Management (CSPM) provides tools to monitor resources used in your organization and assess security risk factors against security best practices for AWS cloud applications. To use CSPM, you must choose Cloud Security Posture as a protection mode.
- If you selected API Access:
a. Click the AWS Monitoring toggle and enter the following information in the API section of the Configuration page. This is the information you generated in Step 2 of the configuration steps (Create an Identity Access Management (IAM) role for CASB).
i. External ID
ii. Role ARN
iii. SQS Queue Name and SQS Region (see Step 6 – Create Simple Queue Service [SQS])
b. In the Authentication section, click the Authorize button and click Next.
A popup message appears prompting you to confirm that the required policies (according to the selected protection modes) are assigned to the role.
Note: Be sure your browser is configured to allow pop-ups to be displayed.
c. Click Continue to confirm that the required policies are displayed.
When the authorization is complete, a green checkmark appears next to the Authorize button, and the button label now reads Re-Authorize.
d. Click Next to display a summary of the onboarding settings.
e. Click Save to complete onboarding.
The new cloud application is displayed as a tile on the App Management page.
Onboarding Azure applications
This section outlines the procedures for onboarding Azure cloud applications.
For Azure Blob Storage onboarding instructions, see the next section.
Configuration steps
To use the CSPM feature for an Azure account, you need a Service Principal
that has access to the corresponding subscription.
The Service Principal should have the Reader or Monitoring Reader role with
access to Azure AD user, group, or service principal and associated Client
Secret.
Before onboarding, you should have the Subscription ID of the account, and the
following information from the Service Principal:
- Application (Client) ID
- Client Secret
- Directory (Tenant) ID
Onboarding steps
- From the Management Console, select Administration > App Management, and click Add New.
- Select Azure. Then, enter the details for the application.
- Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
- Select one or more of the following protection modes for the application and click Next.
● Cloud Authentication
● API Access
● Cloud Security Posture
The Cloud Security Posture mode is required if you want to implement Cloud Security Posture Management (CSPM) functionality.
- Depending on the protection modes you selected, enter the required configuration details.
● If you selected App Authorization, no additional configuration is required. Click Next to view the summary information.
● If you selected API Access, no additional configuration is needed other than authorization. Go to the Authorization step.
● If you selected Cloud Security Posture, enter the following information from the Azure configuration steps you performed earlier.
● Service Principal’s Application Id
● Service Principal’s Client Secret
● Service Principal’s Directory Id
● Subscription Id
● Sync Interval (1-24 Hrs) – How often (in hours) CSPM retrieves information from the cloud and refreshes the inventory. Enter a number.
- Click Authorize and enter your Azure login credentials.
- Review the summary information to verify that it is correct. If it is, click Save to complete onboarding.
Onboarding Azure Blob applications
This section outlines the procedures for onboarding Azure Blob Storage cloud
applications.
Notes
- Juniper Secure Edge does not support Azure Data Lake Storage generation 2 storage accounts. Juniper is unable to log activity or take actions on blobs using this storage type.
- Juniper Secure Edge does not support content-related actions on immutable containers, due to retention and legal hold policies enforced by Azure.
Configuration steps
In preparation for onboarding Azure Blob, do the following:
- Ensure that you have an active Azure account and that you have the Subscription ID of the account.
- Ensure that your Azure subscription has at least one storage account with the storageV2 type.
- Ensure that you have a storage account to use for quarantine actions. You will be prompted to select the storage account during onboarding. You can use an existing storage account, or, if you prefer, create a new dedicated storage account for quarantine.
- Create a new custom role at the subscription level, and assign it to an admin account. This will be used for authorization on the Management Console. See details for this step below.
- Ensure that your Azure account has the EventGrid resource registered. See details for this step below.
Creating a custom role
- Copy the following code into a new text document.
{
  "properties": {
    "roleName": "lookoutcasbrole",
    "description": "Lookout casb role",
    "assignableScopes": [
      "/subscriptions/<subscription-id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/encryptionScopes/read",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read",
          "Microsoft.Storage/storageAccounts/queueServices/read",
          "Microsoft.Storage/storageAccounts/queueServices/queues/write",
          "Microsoft.EventGrid/eventSubscriptions/delete",
          "Microsoft.EventGrid/eventSubscriptions/read",
          "Microsoft.EventGrid/eventSubscriptions/write",
          "Microsoft.Storage/storageAccounts/write",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.EventGrid/systemTopics/read",
          "Microsoft.EventGrid/systemTopics/write",
          "Microsoft.Insights/eventtypes/values/Read",
          "Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action",
          "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
          "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete"
        ],
        "notDataActions": []
      }
    ]
  }
}
- Replace the placeholder <subscription-id> in assignableScopes with the subscription ID for your Azure account. If desired, you can also replace the roleName and description values.
- Save the text file with a .json extension.
- In the Azure console, navigate to Azure Subscription > Access Control (IAM).
- Click Add and select Add custom role.
- For Baseline Permissions, select Start from JSON.
- Use the file browser to select and upload the .json file that you saved in step 2 above.
- If needed, enter or update the name and (optional) description of your new role.
- Select Review + Create to see all settings for your new role.
- Click Create to finish creating the new role.
- Assign the new role to a user with admin permissions on your Azure account.
Registering the EventGrid resource
- In the Azure console, navigate to Azure Subscription > Resource Providers.
- Use the filter field to search for Microsoft.EventGrid. Select it and click Register.
Onboarding steps
- From the Management Console, select Administration > App Management and click +New.
- Select Azure. Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Click Next.
- Select Microsoft Azure Blob Storage and click Next.
- Select API Access (required). If needed, you can also select Cloud Security Posture (optional). Click Next.
- For both Azure and Azure Blob Storage, click the Authorize button and enter the credentials for the account that you assigned your new role to in the previous section. If prompted, click Accept to give Juniper permissions on your Azure account.
- After you have authorized both accounts, the Subscription Id field appears. Select your Azure subscription.
- The Destination Storage Account field appears. Select the storage account that you want to use as a quarantine container.
- Click Next.
- Ensure that the details shown on the summary page are correct. If they are, click Next to finish onboarding.
Onboarding the Google Workspace suite and applications
This section outlines the procedures for onboarding Google Workspace (formerly
G Suite) along with Google Drive applications.
Configuration steps
The enterprise account used for Google Drive must be part of the Google
Workspace business plan.
The authenticated user must be an administrator with super admin privileges.
Updating API access settings
- Log in to the Google Workspace application and click Security from the left panel.
- Under Security, click API controls.
- Scroll down and click Manage Domain-wide Delegation.
- Click Add New.
- Enter the Client ID:
102415853258596349066
- Enter the following OAuth scopes:
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.activity.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/userinfo.email
- Click Authorize.
Updating folder access information
- From the left panel, click Apps > Google Workspace > Drive and Docs.
- Scroll down and click Features and Applications.
- Make sure that Drive SDK is on.
Onboarding steps in CASB
- From the Management Console, select Administration > App Management and click New.
- Select Google Workspace from the list.
- Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
- Select Google Drive application.
- Click Next and select one or more protection models.
The available protection models depend on the applications you selected in the previous step. The following table lists the protection modes available for each Google Workspace application.

Google Workspace application | Protection models available
---|---
Google Drive | API Access, Cloud Data Discovery

Note
Some protection models require other models to be enabled, or must be selected for specific functions. Cloud Data Discovery must be selected if you want to implement Cloud Data Discovery (CDD) for this cloud application; you must also select the API Access protection mode.
- Click Next.
- Enter the following configuration information. The fields you see depend on the protection modes you selected.
● API Settings (required for API Access protection mode)
● Internal domains – Enter the necessary internal domains, along with the enterprise business domain.
● Archive Settings (for Google Drive) – Enables archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.
Note
When the authorized administrator for a cloud account is changed in CASB, previously archived content in the CASB Compliance Review folder that is owned by the previous administrator should be shared with the new authorized administrator to enable archived data to be reviewed and restored.
Two options are available:
● Remove from Trash
● Archive
For Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.
Click the toggles to enable or disable the settings.
Enter the number of days for which to retain archived files. The default value is 30 days.
● Authorization – If you selected Google Drive as one of your Google Workspace applications, authorize Google Drive and click Next. Review the instructions in the screen that appears and click Continue to authorize access to your Google Drive account. Enter your account credentials.
- In the Summary page, review the summary information to verify that all information is correct. If it is, click Save to complete onboarding.
Onboarding Google Cloud Platform (GCP)
This section outlines procedures for configuration and onboarding of Google
Cloud Platform applications.
Configuration steps
- Create a service account in GCP Org. For more information, go to https://cloud.google.com/docs/authentication/getting-started
- Create an OAuth client ID.
a. In the Google Cloud Platform, go to the Credentials page.
b. From the Projects list, select the project containing your API.
c. From the Create Credentials dropdown list, select OAuth client ID.
d. From the dropdown list, select Web application as the application type.
e. In the Application field, enter a Name.
f. Fill in the remaining fields as needed.
g. To add a redirect URL, click Add URL.
h. Enter the redirect URL and click Create. A message appears with the client ID and the client secret. You will need this information when you onboard the Google Cloud Platform application.
Onboarding steps
- From the Management Console, select Administration > App Management, and click New.
- Select GCP from the dropdown list.
Tip
To find an app, enter the first few characters of the app name, then select the app from the search results.
- Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
- Select one or more protection models and click Next. The options are:
● API Access
● Cloud Security Posture
- Enter the following configuration information. The fields you see depend on the protection models you selected in the previous step.
● If you selected API Access, enter:
● Client Id
● Client Secret
This is the information created during the GCP pre-onboarding configuration steps. Be sure to enter exactly the same information in the Client ID and Client Secret fields here.
● If you selected Cloud Security Posture, enter:
● Service Account Credentials (JSON) – The service account credentials from the JSON file you downloaded in the configuration steps.
● Sync Interval (1-24 Hrs) – How often CSPM will retrieve information from the cloud and refresh the inventory. Enter a number.
- Click Authorize.
● If you selected only Cloud Security Posture, the Summary page appears. Review it and save the new GCP application to complete onboarding.
● If you selected API Access or both API Access and Cloud Security Posture, enter your GCP account login credentials when prompted.
Note
● If you entered an invalid client secret or client ID on the Configuration page, an error message will appear after you click Authorize. Review your client secret and client ID entries, make any corrections, and click Authorize again. Once the system recognizes the entries as valid, enter your GCP login credentials when prompted.
After your GCP login credentials have been accepted, save the new GCP cloud application to complete onboarding.
Onboarding Dropbox applications
This section outlines procedures for onboarding Dropbox cloud applications.
- From the Management Console, select Administration > App Management, and click New.
- From the Choose an app list, select Dropbox.
- Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
- From the Configuration page, select one or more protection models:
● API Access
● Cloud Data Discovery (CDD)
- Enter the following configuration information. The fields you see depend on the protection models you selected in the previous step.
● If you selected API Access, enter one or more internal domains.
You can also configure Archive Settings. These settings enable archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.
Note
When the authorized administrator for a cloud account is changed, previously archived content in the CASB Compliance Review folder that is owned by the previous administrator should be shared with the new authorized administrator to enable archived data to be reviewed and restored.
The Archive Settings option is available for onboarded cloud applications with API Access and Cloud Data Discovery protection modes selected.
Two options are available:
● Remove from Trash
● Archive
For Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.
Click the toggles to enable or disable the settings. If you select the Archive action, also select the Remove from Trash option.
Enter the number of days for which to retain archived files. The default value is 30 days.
Then, click Authorize, and enter your Dropbox administrator login credentials.
- Click Next and review the summary to verify that all information is correct. If it is, click Save. The new cloud application is added to the App Management page.
Onboarding the Atlassian Cloud suite and applications
This section outlines procedures for onboarding the Atlassian cloud suite and
applications.
Note: For the Confluence application, you must have an enterprise
account. CASB does not support free Confluence accounts.
- From the Management Console, select Administration > App Management and click New.
- Select Atlassian from the app list.
- Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
- Select the applications in the suite to include and click Next.
- Select API Access protection model.
Entering configuration settings for protection models
Enter required configuration information for the protection models you
selected.
API Access
- Enter the following API access information.
● API Token (Confluence applications only) – Enter an API token. To create an API token from your Atlassian account, see the following section, Generating an API token.
● Polling Timezone (Confluence applications only) – Select a time zone for polling from the dropdown list. The selected time zone must be the same as that of the cloud application instance, not the time zone of the user.
● Authorization – Click the Authorize button next to each app included in the suite. When prompted, click Accept to authorize domain access for each of the selected apps. The Authorize button labels will now say Re-Authorize.
● Domains – For each app included in the suite, select the applicable domain or accept the domain shown. Select only domains that are included in the access authorization in the previous step.
- Click Next.
- Review the information on the Summary page. Click Save to save and onboard the application.
Generating an API token (Confluence applications only)
You can generate an API token from your Atlassian account.
- Log into your Atlassian account.
- Select Administration from the left menu.
- From the Administration page, select API Keys from the left menu. Any API keys you created previously are listed.
- Click Create New Key to generate a new key.
- Give the new key a name and select an expiration date. Then, click Create.
The new API key is created and added to the list of keys on the Administration page. For each key, the system generates an alphanumeric string that serves as the API token. Enter this string in the API Token field in the CASB Management Console.
Onboarding Egnyte applications
This section outlines the procedure for onboarding an Egnyte cloud
application.
- Go to Administration > App Management and click New.
- Choose Egnyte from the dropdown list and click Next.
- Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
- Select API Access protection mode.
- Click Next and enter the following configuration information, depending on the protection modes you selected.
If you selected API Access, click Authorize Egnyte, and enter your Egnyte login credentials.
- Enter a domain name associated with your Egnyte account and click Continue.
- Once your authorization is successful, save the new cloud application.
Onboarding Box applications
This section outlines prerequisite configuration and onboarding steps for Box
applications.
Configuration steps in the Box Admin Console
For connectivity to Box cloud applications, several user account settings are
required to enable proper policy creation and visibility into Box user
activities.
Perform the following steps to configure the ADMIN account for a Box cloud
application.
Note
The ADMIN account is required for authorization of a Box cloud application.
Authorization or reauthorization cannot be completed with CO-ADMIN (co-
administrator) account credentials.
- Log in to Box using the ADMIN credentials for the Box account.
- Click the Admin Console tab.
- Click the Users icon.
- From the Managed Users window, select the admin account you want to validate and use to connect to your Box cloud application.
- Expand the User Account information.
- In the Edit User Access Permissions window, be sure that Shared contacts / Allow this user to see all managed users is checked.
Note
Do not allow co-administrators to monitor other co-admin activities. Only an administrator should monitor other co-admin activities.
- Go to Apps > Custom Apps.
- Choose Authorize New App.
- In the pop-up window that appears, enter the following string: xugwcl1uosf15pdz6rdueqo16cwqkdi9
- Click Authorize.
- Click Continue to confirm access to your Box enterprise account.
Onboarding steps in the Management Console
- Go to Administration > App Management.
- In the Managed Apps tab, click New.
- Select Box from the list.
- Enter a Name (required) and a Description (optional).
- Click Next and select one or more available protection modes:
● API Access
● Cloud Data Discovery
- Click Next and enter the configuration information. The fields you see on the Configuration screen depend on the deployment and the protection modes you chose in the previous step.
- Enter the information needed for each protection mode you select.
● For Cloud Data Discovery – You must also choose the API Access protection mode.
● For API Access – In the API Settings section, enter a valid Admin Email address for the Box account. This address must be for the Admin account and not for a co-admin account. Then, enter the names of Internal Domains.
● For API Access – Archive Settings enable archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.
Note
When the authorized administrator for a cloud account is changed, previously archived content in the CASB Compliance Review folder that is owned by the previous administrator should be shared with the new authorized administrator to enable archived data to be reviewed and restored.
The Archive Settings option is available for onboarded cloud applications with API Access protection mode selected.
Two options are available:
● Remove from Trash
● Archive
For Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.
Click both toggles to enable or disable the settings.
Enter the number of days for which to retain archived files. The default value is 30 days.
Note
For Box applications, the original files are not removed from the Trash.
For API Access, enter the Enterprise ID used to authorize access to Box.
- When you have entered the required configurations, click Next to authorize access to Box.
- In the Grant Access to Box screen, enter the Enterprise ID for this Box account, and click Continue.
- In the Log in to Grant Access to Box screen, enter the admin login credentials for the Box account, and click Authorize.
If the administrator has configured SSO, click the Use Single Sign On (SSO) link and enter the credentials to authenticate. Any multi-factor authentication information is submitted.
The Box cloud application is onboarded and added to the list of managed applications in the App Management page.
Onboarding Salesforce applications
Configuration steps
CASB for Salesforce scans standard objects such as Accounts, Contacts,
Campaigns, and Opportunities, as well as custom objects.
Enable CRM content
For DLP scanning to work with Salesforce, the Enable CRM setting must be
enabled in Salesforce for all users. To enable Salesforce CRM content, log in
to your Salesforce account and perform the following steps:
- Using the Quick Find box at the top left, search for Salesforce CRM Content.
- From the search results, click the Salesforce CRM Content link. The Salesforce CRM Content settings box appears.
- If the Enable Salesforce CRM Content and Autoassign feature licenses to existing and new users options are not checked, check them.
Enable scanning for structured data
If you are working with structured data, be sure that the Structured Data
option is enabled.
Enable permissions for DLP scanning
System administrators have global access to Salesforce standard and custom
objects. For nonadministrators, the Push Topics and API Enabled permissions
must be enabled for DLP to work, as follows.
To set the Push Topics option:
- From the Manage Users menu, select Users.
- From the All Users page, select a user.
- In the User Detail page for that user, click the Standard Platform User link.
- Scroll to the Standard Object Permissions section.
- Under Basic Access/Push Topics, be sure that Read, Create, Edit, and Delete are checked.
To set the API Enabled option:
- On the Standard Platform User page, scroll to the Administrative Permissions section.
- Be sure that API Enabled is checked.
Enable permissions for viewing event log files
To view event monitoring data, user permissions must be enabled for the View
Event Log Files and API Enabled settings.
Users with View All Data permissions also can view event monitoring data. For
more information, refer to the following link:
https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm
Enable permissions for Audit Trail events
To process Audit Trail events, permissions must be enabled for View Setup and
Configuration.
Enable permissions for Login History events
To process Login History events, permissions must be enabled for Manage Users,
which also enables permissions for the following settings:
- Reset User Passwords and Unlock Users
- View All Users
- Manage Profiles and Permission Sets
- Assign Permission Sets
- Manage Roles
- Manage IP Addresses
- Manage Sharing
- View Setup and Configuration
- Manage Internal Users
- Manage Password Policies
- Manage Login Access Policies
- Manage Two-Factor Authentication in User Interface
Onboarding steps
- Go to Administration > App Management and click New.
- Select Salesforce from the list.
- Enter a Name (required) and a Description (optional) and click Next.
- Select one or more protection modes:
● API Access
● Cloud Security Posture
● Cloud Data Discovery
- Click Next and enter configuration settings. The fields you see depend on the deployment and the protection modes you chose in the previous step.
● For API Access – Enter a Salesforce Subdomain.
● For Cloud Security Posture – No other details are needed.
● For Cloud Data Discovery – No other details are needed.
- Click Authorize.
- Select the Salesforce instance from the dropdown list.
- If this authorization is for a custom or a sandbox domain, click the box. Then, click Continue.
- Enter the administrator login credentials for this Salesforce account. Then, click Log In.
Onboarding ServiceNow applications
The following section provides instructions for onboarding ServiceNow
applications.
Configuration steps
Before onboarding the ServiceNow application, create an OAuth application.
- Log in to ServiceNow as an administrator.
- To create an OAuth application, go to System OAuth > Application Registry > New > Create an OAuth API endpoint for external clients.
- Enter the following information:
● Name – Enter a name for this OAuth app.
● Redirect URL – Enter the appropriate URL.
● Logo URL – Enter the appropriate URL for the logo.
● PKCE Required – Leave unchecked.
- Click Submit.
- Open the newly created app and note the Client ID and Client Secret values.
Onboarding steps
- From the Management Console, go to Administration > App Management.
- In the Managed Apps tab, click New.
- Select ServiceNow and click Next.
- Enter a Name (required) and a Description (optional). Then click Next.
- Select one or more protection modes and click Next.
- On the Configuration page, enter the information for the protection modes you selected in the previous step.
● For API Access, enter:
● The API Usage type, which defines how this application will be used with API protection. Check Monitoring & Content Inspection, Receiving Notifications, or Select All. If you select only Receiving Notifications, this cloud application is not protected; it is used only to receive notifications.
● The OAuth App Client ID
● The OAuth App Client Secret
● The ServiceNow Instance ID
● For Cloud Data Discovery, enter:
● The OAuth App Client ID
● The OAuth App Client Secret
● The ServiceNow Instance ID
- Click Authorize.
- When prompted, log in to the ServiceNow application.
- When prompted, click Allow.
If authorization is successful, you should see a Re-Authorize button when you return to the Management Console. Click Next and Save to complete onboarding.
Post-onboarding tasks
Once you have onboarded cloud applications, you can filter events for those
applications.
Applying event filtering to onboarded cloud applications
If you selected API Access as a protection mode, you can select event
filtering options for that cloud application after it is onboarded.
After you have onboarded a cloud application with API Access as a protection
mode, you can set a default filter that allows or denies all events, with
exceptions and exclusions for users, user groups, or domains. These filters
narrow the focus to specific groups, which reduces processing time and demand
on system resources.
To apply event filtering:
- Go to Administration > App Management.
- Select the cloud to which you want to apply event filtering by clicking the pencil option.
- Select filtering options as follows:
● Default filters – Choose a default filter.
● Deny All Events – No events are processed.
● Allow All Events – All events are processed.
● Exceptions – Select exceptions to the chosen filter for users or user groups. For example, if you want to apply an exception for one group, the engineering team, the default filter actions would be applied as follows:
● For Deny All Events, no events are processed except those for the engineering team.
● For Allow All Events, all events are processed except those for the engineering team.
● Exclusions – Select any criteria that should not be included in the exceptions. For example, you might opt to deny (not to process) events for staff in engineering except for managers. Using this example, the default filter exclusions would be applied as follows:
● For Deny All Events – No events are processed except for the engineering team. The managers are excluded from this exception, which means that events for managers within the engineering team are not processed.
● For Allow All Events – Events are processed except for the engineering team. The managers are excluded from this exception, which means that events for managers within the engineering team are processed.
- Click Next.
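The Exceptions and Exclusions semantics described above, worked through as an added Python example (not Juniper or Lookout code): the filter class, the user and group names, and the sample events are assumptions constructed for illustration.

```python
"""Event-filter decision logic for an onboarded cloud application.
Added example, not product code; names and sample events are constructed."""
from dataclasses import dataclass, field

DENY_ALL = "Deny All Events"
ALLOW_ALL = "Allow All Events"


@dataclass
class EventFilter:
    default: str                                  # DENY_ALL or ALLOW_ALL
    exceptions: set = field(default_factory=set)  # users/groups exempt from the default
    exclusions: set = field(default_factory=set)  # users/groups carved out of the exceptions

    def is_processed(self, user: str, groups: set) -> bool:
        """True if an event for `user` (a member of `groups`) is processed."""
        subjects = {user, *groups}
        # An exclusion cancels the exception, so an excluded subject falls
        # back to the default filter action.
        excepted = bool(subjects & self.exceptions) and not (subjects & self.exclusions)
        if self.default == DENY_ALL:
            return excepted         # nothing is processed except the exceptions
        if self.default == ALLOW_ALL:
            return not excepted     # everything is processed except the exceptions
        raise ValueError(f"unknown default filter: {self.default!r}")


def processed_users(event_filter: EventFilter, events) -> list:
    """Return the users whose events the filter passes on for processing."""
    return [user for user, groups in events if event_filter.is_processed(user, groups)]


# Constructed sample events: (user, groups the user belongs to)
SAMPLE_EVENTS = [
    ("alice@example.com", {"engineering"}),
    ("bob@example.com", {"engineering", "managers"}),
    ("carol@example.com", {"sales"}),
]

# The two worked cases from the text: deny (or allow) everything except the
# engineering team, with managers excluded from that exception.
DENY_EXCEPT_ENGINEERING = EventFilter(DENY_ALL, {"engineering"}, {"managers"})
ALLOW_EXCEPT_ENGINEERING = EventFilter(ALLOW_ALL, {"engineering"}, {"managers"})

if __name__ == "__main__":
    print("deny-all :", processed_users(DENY_EXCEPT_ENGINEERING, SAMPLE_EVENTS))   # alice only
    print("allow-all:", processed_users(ALLOW_EXCEPT_ENGINEERING, SAMPLE_EVENTS))  # bob and carol
```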
Configuring tenants for user access and session activity
You can set conditions for tenant access by:
- Specifying authorized IP addresses for user access
- Entering session timeout information
- Choosing a time frame for login access to Juniper Support.
Authorized IP addresses
You can allow access to the tenant for only the IP addresses you authorize.
When users with Application Administrator, Key Administrator, or Application
Monitor roles want to log in to the Management Console, the system checks their
IP addresses against those authorized addresses.
- If no match with an authorized IP address is found, login is denied and the message Invalid IP user range is displayed.
- If a match with an authorized IP address is found, the user can log in.
Notes
This validation process does not apply for:
- System Administrator, Operations Administrator, or Service Administrator logins
- Login with IdP
To specify authorized IP addresses for access to the tenant, click in the Authorized IP Addresses field.
Enter one or more IP addresses you want to authorize for access to the tenant.
Separate each IP address with a comma.
Click Save to close the entry box and select other configuration settings on
the page.
Session Timeout
Enter a time (in minutes, any number between 1 and 120) after which a session
expires, and another login is required. The default value is 30 minutes.
Login access to Juniper Support
System administrators and application administrators can enable or disable
access to Juniper Support by service administrators and operations
administrators. You can deny access or select the number of days for which
access is available.
In the Lookout Support field, select an option. The default selection is No
Access. You can also select access for 1 day, 3 days, or 1 week.
Click Save to save all tenant configuration settings.
Managing users
CASB provides three options for managing users:
- Administrative, which enables control of user access by role for the Management Server and Hybrid Key Management System
- Enterprise, which provides an integrated view of users in their enterprise, and their account information
Administrative user management
CASB provides role-based access control to provide clear distinction of user
access privileges and responsibilities. You can add new users as needed.
All user information is identical for the Management Server and the Hybrid Key
Management System (HKMS), although the sets of users are maintained
separately.
Adding new users
To add users:
- Go to Administration > User Management and click the Administrative User Management tab.
- Click New.
- Enter the following information:
● User Name – Enter a valid email address for the user.
● Role – Use the check boxes to select one or more roles for the user.
● System Administrator – Can perform all system administration functions, including onboarding cloud applications, adding and removing users, creating and assigning keys, and restarting the Management Server.
● Key Administrator – Can create, assign, and remove keys, and monitor other system functions.
● Application Administrator – Can create and manage applications and monitor other system functions.
● Application Monitor – Can monitor system functions through the Management Console, view alerts, and export reports. Cannot create or modify functions such as onboarding cloud applications, adding users, editing user information, or configuring system settings.
Note
Hosted deployments include two additional users with unique roles: Services Administrator and Operations Administrator. These users are assigned by Juniper Networks and cannot be deleted.
- Click Apply.
- Click Save. The new user is added to the list. The new user will receive an email notification with a temporary password and will be asked to select a permanent password.
Setting up a user account password policy
CASB provides a default password policy. You can change the default settings
to meet your organization’s needs.
To change the user account password policy:
- Go to Administration > User Management.
- Click the User Account Password Policy link. The Password Policy screen is displayed. (The Save button becomes active once you begin entering changes.)
- Change the policy items as needed:
Field| Description
---|---
Minimum Length| Specifies the minimum number of characters that can make up a password for a user account. You can set a value of between 1 and 13 characters. To specify that no password is required, set the number of characters to 0 (zero). A minimum of 8 characters is recommended. This number is long enough to provide adequate security, but not too difficult for users to remember. This value also helps to provide adequate defense against a brute force attack.
Maximum Length| Specifies the maximum number of characters that can make up a password for a user account. If you specify 0 (zero), the allowed length will be unlimited. A setting of 0 (unlimited) or a relatively large number such as 100 is recommended.
Lowercase Characters| Specifies the minimum number of lowercase characters that must be present in a password for a user account. If you enter 0 (zero), no lowercase characters are allowed in the password. A minimum of 1 lowercase character is recommended.
Uppercase Characters| Specifies the minimum number of uppercase characters that must be present in a password for a user account. If you enter 0 (zero), no uppercase characters are allowed in the password. A minimum of 1 uppercase character is recommended.
Special Characters| Specifies the minimum number of special characters (for example, @ or $) that can make up a password for a user account. If you enter 0 (zero), no special characters are required in the password. A minimum of 1 special character is recommended.
Numerics| Specifies the minimum number of numeric characters that must be present in a password for a user account. If you enter 0 (zero), no numeric characters are required in the password. A minimum of 1 numeric character is recommended.
Enforce Password History| Specifies the number of unique new passwords that must be associated with a user account before an old password can be reused. A low number allows users to use the same small number of passwords repeatedly. For example, if you select 0, 1, or 2, users can reuse old passwords more quickly. Setting a higher number will make using old passwords more difficult.
Password Expiration Period| Specifies the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 99, or you can specify that passwords never expire by setting the number of days to 0 (zero).
Invalid Login Attempts Allowed| Specifies the number of failed login attempts that will cause a user account to be locked. A locked account cannot be used until it is reset by an administrator or until the number of minutes specified by the Lockout Effective Period policy setting expires. You can set a value from 1 through 999. If you want the account never to be locked, you can set the value to 0 (zero).
Lockout Effective Period| Specifies the number of minutes that an account remains locked out before automatically becoming unlocked. The available range is from 1 through 99 minutes. A value of 0 (zero) means that the account will be locked out until an administrator unlocks it.
- Click Save.
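An added Python example (not the product's own code) that applies the policy fields in the table above to candidate passwords and to the lockout and expiration settings; the field defaults, the special-character set, the hash used for the history check, and the sample passwords are constructed assumptions.

```python
"""Validator for the User Account Password Policy fields in the table above.
Added example, not the product's code; defaults and samples are constructed."""
import hashlib
from dataclasses import dataclass

# Assumed set of "special" characters (the table only gives @ and $ as examples).
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


@dataclass
class PasswordPolicy:
    minimum_length: int = 8      # 0 = no password required
    maximum_length: int = 0      # 0 = unlimited
    lowercase: int = 1           # minimum number of lowercase characters
    uppercase: int = 1
    special: int = 1
    numerics: int = 1
    history: int = 5             # unique new passwords before an old one may be reused
    expiration_days: int = 90    # 0 = passwords never expire
    invalid_attempts: int = 5    # 0 = account is never locked
    lockout_minutes: int = 30    # 0 = locked until an administrator unlocks it


def digest(password: str) -> str:
    """Stand-in for the stored hash compared during the history check.
    A production store would keep a salted password hash (bcrypt, Argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(policy: PasswordPolicy, candidate: str, previous_digests=()) -> list:
    """Return the policy fields the candidate violates; an empty list means compliant."""
    if policy.minimum_length == 0 and candidate == "":
        return []  # Minimum Length 0: no password is required
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append("minimum_length")
    if policy.maximum_length and len(candidate) > policy.maximum_length:
        problems.append("maximum_length")
    counts = [
        ("lowercase", sum(c.islower() for c in candidate)),
        ("uppercase", sum(c.isupper() for c in candidate)),
        ("special", sum(c in SPECIAL_CHARS for c in candidate)),
        ("numerics", sum(c.isdigit() for c in candidate)),
    ]
    for name, have in counts:
        if have < getattr(policy, name):
            problems.append(name)
    # Enforce Password History: the most recent `history` passwords may not be reused.
    recent = list(previous_digests)[-policy.history:] if policy.history else []
    if digest(candidate) in recent:
        problems.append("history")
    return problems


def password_expired(policy: PasswordPolicy, days_since_change: int) -> bool:
    """Password Expiration Period: a password is usable for expiration_days days."""
    if policy.expiration_days == 0:
        return False
    return days_since_change > policy.expiration_days


def lockout_state(policy: PasswordPolicy, failed_attempts: int, minutes_locked: int) -> str:
    """Combine Invalid Login Attempts Allowed with Lockout Effective Period.
    Returns 'open', 'locked' or 'admin_unlock_required'."""
    if policy.invalid_attempts == 0 or failed_attempts < policy.invalid_attempts:
        return "open"
    if policy.lockout_minutes == 0:
        return "admin_unlock_required"
    if minutes_locked >= policy.lockout_minutes:
        return "open"  # lockout period elapsed; the account unlocks automatically
    return "locked"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password(policy, "Tr0ub4dor&x"))  # []
    print(check_password(policy, "password"))     # ['uppercase', 'special', 'numerics']
    print(lockout_state(policy, 5, 10))           # locked
```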
Account status for system administrator and non-administrator roles
Non-administrator user accounts are disabled automatically after more than 90
days of non-use. When an account is disabled, the user will see a message on
the Management Console login screen notifying them that their account is
disabled. A system administrator must re-enable the account before the user
can log in to the Management Console.
Note
Accounts for system administrators, service administrators, and operations
administrators cannot be disabled. Only accounts for Key Administrator,
Application Administrator, and Application Monitor roles can be disabled and
re-enabled.
On the Administrative User Management tab of the User Management page, the
toggles represent the following conditions:
- System Administrators: The toggle is visible, enabled by default, and shows as grayed out.
- Services Administrators and Operations Administrators: The toggle is visible, enabled by default, and shows as grayed out.
- System Administrators can disable or enable the status of users with Key Administrator, Application Administrator and Application Monitor roles.
- For existing System Administrators who have not completed the user onboarding process, the toggle shows a status of disabled.
- For newly created System Administrators who have not completed the user onboarding process, the toggle is not visible.
- For System Administrators who have completed the onboarding process but have not logged into the application yet, the toggle is enabled but grayed out.
- For Key Administrator, Application Administrator, and Application Monitor roles: These users’ accounts are disabled after 90 days of non-use. They will be blocked when they try to log in to the Management Console.
Note
System Administrators whose accounts were disabled previously are now
enabled (active).
The following sections provide instructions for system administrators to
disable and re-enable nonadministrator user accounts.
Disabling a non-administrator user account
- Click the bright green toggle for the enabled non-administrator account.
- When prompted, confirm the action to disable the account.
Re-enabling a disabled non-administrator user account
- Click the dimmed, colorless toggle for the disabled non-administrator account.
- When prompted, confirm the action to re-enable the account.
Reassigning the Super Administrator role
A tenant can only have one Super Administrator account. If you want to
reassign the Super Administrator role to a different user, you must do it
while logged in with the current Super Administrator account.
- In the Management Console, select Administration > System Settings > Tenant Configuration.
- If you are logged in with the Super Administrator role, you will see the Re Assignment of Super Administrator option.
- Select the desired user from the drop-down menu. Only users who currently have the System Administrator role are shown here.
- Click Send OTP to receive a one-time password.
- Retrieve the password from your email and enter it in the Enter OTP field. Click Validate.
- Click Save. The Super Administrator role is transferred to the user you selected.
Enterprise user management
The Enterprise User Management page provides an integrated view of users in
their enterprise and their account information.
Searching for user information
You can search for user information by:
- account name (Email), to see which users are associated with a specific account,
- User Group, to see which users are part of a specific user group, or
- User Name, to see which users (if any) are associated with more than one account.
To perform a search, enter all or part of the username, group name, or email
in the Search box.
Searches are case sensitive. To return to the default list, clear the Search
box.
Filtering user information
You can filter the display of information by cloud application. Click the
Filter icon at the upper right and select the cloud applications to include in
the display.
To clear the filter, click anywhere outside of the list box.
Configuring CASB for enterprise integration
You can configure CASB to work with external services to manage user data,
gather information about unsanctioned cloud applications, and other functions.
The following topics are provided:
- Installing an on-premise connector for system services
- Adding Advanced Threat Protection (ATP) services
- Adding external services for Enterprise Data Loss Prevention (EDLP)
- Configuring Security Information and Event Management (SIEM)
- Configuring data classification
- Creating and managing user directories
- Creating and managing enterprise sites
- Creating notification channels
Installing an on-premise connector for system services
CASB provides a unified on-premise connector that can be used with multiple
services, including SIEM, log agents, and EDLP. The following sections provide
specifications and instructions for installing the on-premise connector.
- Specifications
- Downloading the connector
- Pre-installation steps
- Installing the connector
- Restarting and uninstalling the connector
- Additional notes
Note
Remote upgrades are supported only for agents running on CentOS.
If you are using connector version 22.03 and planning to migrate to version
22.10.90, you can upgrade the SIEM, EDLP, and Log Agents using the manual
upgrade procedure. For more information, see the Manually upgrading the SIEM,
EDLP, and Log Agents section.
Specifications
The following specifications are required for installation of the on-premise connector.
Operating systems and software
- For SIEM, EDLP, and Log Agent: Red Hat Enterprise, CentOS 8, Ubuntu 20.04.5 LTS (Focal Fossa)
- Java version 11
- bzip2 1.0.6
- RPM version 4.11.3
Firewall settings
- Allow outbound HTTPS traffic
- Allow the following outbound WSS connections:
- nm.ciphercloud.io (applies to SIEM, LOG, and EDLP agents)
- wsg.ciphercloud.io (applies to SIEM, LOG, and EDLP agents)
Minimum requirements for VM configurations
Here are the deployment options and minimum hardware requirements. The Base
Package contains the NS-Agent and upgrade service.
Log agent, SIEM, and EDLP services
- 8 GB RAM
- 4 vCPUs
- 100 GB disk space
Downloading the connector
- Go to Administration > System Settings > Downloads.
- Select On-premise Connector and click the download icon.
- Save the RPM file for installation on the appropriate VM.
Pre-installation steps
Step 1 – Create an agent for the service
- Go to Administration > Enterprise Integration and select the agent to configure.
- Perform the following steps to configure the agent.
Step 2 – Create an environment
Perform these basic steps to create an environment.
- Go to Administration > Environment Management and click New.
- Enter a Name and a Description for the environment.
- Select On-premise Connector as the environment Type.
- Enter an IP address for the location where you want to install the connector.
- Enable the agent and select a service.
- Save the environment.
Step 3 – Create a node
Perform these basic steps to create a node.
- Go to Administration > Node Management and click New.
- Enter a Name and a Description for the node.
- Select Connector as the node Type.
- Select the environment you created in the previous step.
- Select the service.
- Save the node.
Perform the steps in the following sections to install the on-premise connector.
Installing the connector (SIEM, EDLP, and Log Agent)
Perform the following steps to install the on-premise connector. In the
installation script and in the sections that follow, the term Node Server
(node server) refers to the connector.
Run the following command to start the installation:
[root@localhost home]# rpm -ivh enterprise-connector-21.01.0105.x86_64.rpm
Preparing… ################################# [100%]
/usr/sbin/useradd -r -g ccns -c ${USER_DESCRIPTION} -s /bin/nologin ccns
Updating / installing…
1:enterprise-connector-0:21.01.0-10################################# [100%]
CipherCloud node server has been successfully installed in /opt/ciphercloud/node-server.
Adding [Systemd] service support
Reloading Systemd daemon
Systemd service node-server has been installed
Please use ‘sudo systemctl start node-server’ to start the service manually
==========================IMPORTANT================
Please run ‘sudo /opt/ciphercloud/node-server/install.sh’ to configure the node server before starting it for the first time.
Run the following command to change to the directory in which to install the
connector.
[root@localhost ~]# cd /opt/ciphercloud/node-server/
Run the following command to perform the installation.
[root@localhost node-server]# ./install.sh
Initializing node-server install script. Please wait..
Please enter Management Server endpoint [wss://nm:443/nodeManagement]:
Based on the location of your tenant, provide the Node Management URL:
For Europe Central-1 [euc1]:
wss://nm.euc1.lkt.cloud:443/nodeManagement
For United States West-2 [usw2]:
wss://nm.usw2.lkt.cloud:443/nodeManagement
Note: You can identify the Node Management URL from your Management Console
URL as follows:
If your Management Console URL is
https://maxonzms.euc1.lkt.cloud/account/index.html#login
Then your Node Management URL is
euc1.lkt.cloud
Enter the default option shown or enter the URL for this installation.
Management Server endpoint:
Enter ID for this tenant.
Input Tenant Id:
Enter the unique name for the Node Server.
Input Node Server Unique Name:
Enter the API token (click the API Token button in the Configuration tab).
Input Node Server Token:
There are 3 NICS assigned to this host.
- NIC_n
- NIC_n
- NIC_n
Please select an option from the above list
Select an NIC option.
NIC option (1 to 3):
Selected NIC is
Adding new property ms.endpoint.
Adding new property node.name.
Adding new property node.token.plain.
Adding new property node.nic.
Updating property logging.config
Updating property logging.config
Updating property logging.config
Updating property logging.config
Node server installation is done.
Start node server using ‘sudo service nodeserver start’.
================================
Starting the connector
Run the following command:
sudo service node-server start
Restarting and uninstalling the connector
Restarting
Run the following command:
[root@localhost node-server]# sudo systemctl restart node-server
Uninstalling
Run the following command:
rpm -ev enterprise-connector
Additional configuration notes for SIEM
- WSG configurations are based on the installing region.
- For SIEM, the spooling directory path should be under /opt/ciphercloud/node-server. The directory does not need to be created manually. In the SIEM configuration, provide the directory path and name — for example, /opt/ciphercloud/node-server/siempooldir.
Additional configuration notes for log agents
Connecting to a different server
KACS and WSG configuration are provided by default. If you need to connect to
a different server, use the following commands to override the server and port
information.
[root@localhost log-agent]# cat /opt/ciphercloud/node-server/config/logagent/log-agent.conf
JAVA_OPTS=-Xms7682m -Xmx7682m -Dkacs.host=kacs.devqa.ciphercloud.in -Dkacs.port=8987 -Dwsg.host=wsg.devqa.ciphercloud.in -Dwsg.port=8980
Write permissions
If needed, provide the ccns user with write permissions for the spooling
directories.
Redis commands for Palo Alto Networks logs
For Palo Alto Networks logs, use the following setup commands for a local
Redis.
Setup
Run the systemctl setup command for ciphercloud-node-logagent-redis
[root@localhost ~]# cd /opt/ciphercloud/node-server/bin/log-agent
[root@localhost log-agent]# ./logagent-redis-systemctl-setup.sh
Run the following commands to start, restart, stop, and display status for
ciphercloud-node-logagent-redis.
Start
[root@localhost log-agent]# systemctl start ciphercloud-node-logagent-redis
Restart
[root@localhost log-agent]# systemctl restart ciphercloud-node-logagent-redis
Stop
[root@localhost log-agent]# systemctl stop ciphercloud-node-logagent-redis
Display status
[root@localhost log-agent]# systemctl status ciphercloud-node-logagent-redis
Additional configuration notes for EDLP
KACS and WSG configurations are based on the installing region.
Adding Advanced Threat Protection (ATP) services
From this page, you can create and manage configurations to integrate with
vendors for advanced threat protection. CASB supports Juniper ATP Cloud and
FireEye ATP services.
- From the Enterprise Integration page, choose Threat Management.
- To display details of a configuration, click the > arrow to the left for that configuration.
To add a new configuration for threat management:
- Click New.
- Enter the following information. Fields with a colored border at the left require a value.
● Name — The name of the service. The name you enter here will appear in the dropdown list of available external services when you create a policy that scans for malware.
● Description (optional) — Enter a description of the service.
● Vendor — Select a vendor from the list, either FireEye or Juniper Networks (Juniper ATP Cloud).
● Service URL — Enter the URL of the service for this configuration.
● API key — Enter the API key provided by the service. You can opt to show or hide this key. When the key is hidden, Xs appear for the entry.
- If you want to exclude file sizes and extensions from scanning by this service, click the File Type Exclusion and File Size Exclusion toggles to enable these settings. Then, enter the following information.
● For File Type Exclusion, enter types of files to be excluded from scanning. Separate each type with a comma.
● For File Size Exclusion, enter a number greater than zero that represents the upper file size threshold for scanning. Files larger than this size will not be scanned.
- Click Save.
The new configuration is added to the list. A successful connection is indicated by a green connector icon.
Adding external services for Enterprise Data Loss Prevention (EDLP)
Many organizations have made a significant investment in an enterprise DLP
(EDLP) solution. This investment not only counts the capital expenditure on
the software and support but also the person-hours and intellectual capital to
craft policies that meet the organization’s needs. By adding a CASB to an
organization, you can extend the access boundary from the endpoint, where
traditional enterprise DLP lives, to the cloud and SaaS.
When CASB is integrated with an EDLP solution, policies can be configured to
do the initial check on the CASB DLP and then pass the file/data to the EDLP,
to pass everything to the EDLP, or to use a combination of the two.
After the file/data inspection is complete, the policy action is taken.
Examples of policy actions include these:
- Encryption
- Deny upload
- Watermarking
- Quarantine
- Allow and log
- User remediation
- Replace file with a marker file
The following topics provide instructions for configuring external services for data loss prevention.
- Creating a new configuration for EDLP
- Downloading and installing an EDLP agent
- Stopping and starting the EDLP agent
- Symantec DLP response rule configuration for Vontu service
Creating a new configuration for EDLP
- In the Management Console, go to Administration > Enterprise Integration > Data Loss Prevention.
- Click New.
- Enter the following configuration details. (The values shown are examples.)
● Name — Enter a name for this EDLP service.
● Description (optional) — Enter a brief description.
● Vendor — Select an external DLP vendor. The options are Symantec or Forcepoint.
● DLP Server Hostname — Enter the host name or IP address of the server to be used for the external DLP.
● Service Name — Enter the name or IP address of the service that applies to this configuration.
● ICAP port — Enter the number for the associated Internet Content Management Protocol (ICAP) server. ICAP servers focus on specific issues such as virus scanning or content filtering.
- To exclude any file types or size from EDLP scanning, click the toggles to enable exclusions. Then, enter the appropriate file information.
● For file types, enter the extensions for the file types to exclude, separating each extension by a comma.
● For file size, enter the maximum file size (in megabytes) to exclude.
- Click Save.
The new configuration is added to the list. Once an agent is downloaded and installed, a connection can be made. A successful connection is indicated on the Data Loss Prevention page by a green connector icon.
Downloading and installing an EDLP agent
After you create at least one EDLP agent, you can download the EDLP agent and
install it on a machine or server. The machine you choose for the EDLP agent
installation should contain RedHat Enterprise / CentOS 7.x and Java 1.8.
Prerequisites for installing the EDLP agent
Your environment must include the following components and settings for
installing and running the EDLP agent:
- Oracle Server Java 11 or later
- JAVA_HOME environment variable set
- root or sudo privileges
- Hardware – 4 Core, 8 GB RAM, 100 GB storage
Perform the steps outlined in the following sections to download, install, and
start the EDLP agent.
Downloading the EDLP agent
- In the Management Console, go to Administration > System Settings > Downloads.
- Select EDLP Agent from the list and click the Download icon under Actions. To view information about the file, including version, size, and checksum value, click the Information icon. The EDLP agent is downloaded as ciphercloud-edlpagent-20.07.0.22.centos7.x86_64.rpm.
- Move the EDLP agent to its intended machine.
Installing the EDLP agent
- From the command line, run the following command:
rpm -ivh
For example:
rpm -ivh ciphercloud-edlpagent-20.07.0.22.centos7.x86_64.rpm
Preparing… ################################# [100%]
Preparing / installing…
1:ciphercloud-edlpagent-20.07.0.22.centos7.x86_64######################## [100%]
Execute ‘EDLP-setup’ to setup your EDLP Agent
The RPM client will be installed under the following location: /opt/ciphercloud/edlp
- Go to the /opt/ciphercloud/edlp/bin directory.
- Run the setup file using the following command:
./edlp_setup.sh
- When prompted, enter the auth token to complete the installation process. To get the auth token, go to Administration > Enterprise Integration > Data Loss Prevention (Auth Token column). To hide the auth token from view, click the Column Filter icon at the upper right, and uncheck Auth Token.
Note
You can access logs from the /opt/ciphercloud/edlp/logs directory.
Stopping and starting the EDLP agent service
- To stop the EDLP agent service, enter the following command: systemctl stop ciphercloud-edlp
- To start the EDLP agent service, enter the following command: systemctl start ciphercloud-edlp
Checking the EDLP agent status
- To check the status of the EDLP agent service, enter the following command: systemctl status ciphercloud-edlp
Symantec DLP response rule configuration (Vontu service)
In the Symantec DLP configuration (Manage tab / Configure Response Rule), you
need to enter information about the violation and the policies violated, as
shown, with violation as the keyword. Enclose the comma-separated list of
violated policy names between a single pair of dollar signs. Each policy name
must match the name entered in CASB exactly. Format the policy entries as
follows:
$PolicyNameA, PolicyNameB, PolicyNameC$
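As an added example (not from this guide or the product), the Python check below parses a response-rule value in this format and compares each name, case-sensitively, against the policy names entered in CASB, reporting names that differ only in case. The CASB policy names are constructed sample data, and trimming whitespace around the commas is an assumption.

```python
import re

# Constructed sample of policy names as entered in CASB (not from the guide).
CASB_POLICY_NAMES = {"PCI Card Numbers", "PII - SSN", "Source Code Leak"}

# The whole comma-separated list sits between one pair of dollar signs.
_RULE_FORMAT = re.compile(r"^\$(.+)\$$", re.DOTALL)


def parse_response_rule(value):
    """Split '$PolicyNameA, PolicyNameB$' into its policy names.

    Assumption: whitespace around the commas is not part of a name and is
    trimmed; the names themselves are kept verbatim so the exact-match
    check stays meaningful. Raises ValueError on a malformed list.
    """
    match = _RULE_FORMAT.match(value.strip())
    if not match:
        raise ValueError("policy list must be enclosed in dollar signs: $A, B$")
    names = [name.strip() for name in match.group(1).split(",")]
    if any(not name for name in names):
        raise ValueError("empty policy name in list")
    return names


def format_response_rule(names):
    """Build the response-rule value from a sequence of CASB policy names."""
    return "$" + ", ".join(names) + "$"


def check_against_casb(value, casb_names):
    """Classify each name in the rule as an exact CASB match or not.

    Comparison is case-sensitive because the names must be exactly as
    entered in CASB. For unmatched names, a case-insensitive lookup
    reports the CASB name that was probably intended, to speed up diagnosis.
    """
    names = parse_response_rule(value)
    lowered = {n.lower(): n for n in casb_names}
    result = {"matched": [], "unmatched": [], "near_miss": {}}
    for name in names:
        if name in casb_names:
            result["matched"].append(name)
            continue
        result["unmatched"].append(name)
        candidate = lowered.get(name.lower())
        if candidate is not None:
            result["near_miss"][name] = candidate
    return result
```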
Configuring the Forcepoint Security Manager and Protector
Perform the following steps to configure the Forcepoint Security Manager and
Protector:
- In the General tab, enable the ICAP system module with the default port of 1344.
- In the HTTP/HTTPS tab, set the mode to Blocking for the ICAP server.
- Under Policy Management, add a new policy from the Predefined policy list or create a custom policy. Then, deploy the new policy.
Manually upgrading the SIEM, EDLP, and Log Agents
Depending on your OS and the type of package that you want to install, perform
the steps in the following sections to upgrade the on-premise connectors
manually. This manual upgrade procedure is applicable for EDLP, SIEM, and Log
Agent.
For CentOS and RHEL
If you installed the rpm package in the previous version, upgrade the
connector using an RPM package.
For instructions, see the Upgrading a connector using an RPM package section.
Upgrading a connector using an RPM package
- From the Management Console, go to Administration > System Settings > Downloads.
- Click the download icon for the On-premise Connector rpm package.
- Copy the downloaded RPM package to the Node Server on which you want to install.
- Log in to the Node Server.
- Stop the Node Server services: sudo service node-server stop
- Run the following command: sudo yum install epel-release
- Run the following command to upgrade the connector: sudo yum upgrade ./enterprise-connector*.rpm
- Start the Node server services: sudo service node-server start
For Ubuntu
If your previous connector was installed using a Tar package, to get the
latest connector version, you can either perform a fresh installation using a
Debian package (Method 1) or upgrade the connector using a Tar package (Method
2).
If your previous connector was installed using a Debian package, you can
upgrade the connector using a Debian package (Method 3).
Method 1 (Recommended): Installing the latest connector version using a Debian
package
If your previous connector was installed using a Tar package, to get the
latest connector version, you can perform a fresh installation of the latest
connector version using a Debian package. Detailed steps for this procedure
are provided below.
Pros:
- You can use service/systemctl commands to start/stop the services.
- Additional dependencies required for other features are automatically installed by the apt command.
Cons:
- Because this is a fresh installation, you are required to run the install.sh script.
- You must provide details such as nodeName and authToken during the installation.
Method 2: Upgrading a connector using a Tar package
Pros:
- No need to run the install.sh script again.
Cons:
- You need to use the sudo bash