Check Point Harmony Email & Collaboration provides API-based email security for Google Workspace, protecting Gmail and Google Drive from phishing, malware, and data loss without requiring MX record changes. This guide covers the complete integration process using the Check Point Infinity Portal.
Prerequisites
Before you begin, ensure you have:
- Check Point Infinity Portal account with Harmony Email & Collaboration license or trial
- Google Workspace Super Admin credentials for granting application permissions
- Active Google Workspace subscription (any edition)
- Google Admin Console access for policy verification
- List of domains configured in your Google Workspace
Understanding Protection Modes
Harmony Email offers two protection modes for Google Workspace:
| Mode | Description | Email Processing Time | Best For |
|---|---|---|---|
| Monitor Only | Scans emails after delivery, logs threats | No delay | Initial testing, evaluation |
| Protect (Inline) | Scans emails before delivery, blocks threats | 10 sec - 5 min | Production protection |
Check Point recommends starting with Monitor mode to understand your threat landscape, then enabling Inline protection for active threat prevention.
Step 1: Access the Infinity Portal
- Navigate to https://portal.checkpoint.com
- Sign in with your Check Point account credentials
- If you need an account, click Create Account and complete registration
- Click the Menu icon (three horizontal lines) in the top left
- Under Harmony, click Email & Collaboration
Step 2: Start Google Workspace Activation
- On the Harmony Email dashboard, click Start Free Trial or Already have a contract
- Click Let's Get Started on the welcome page
- Locate Google Workspace (Gmail and Google Drive) and click Start
Step 3: Authorize Google Workspace Connection
- Click Authorize to begin the Google OAuth flow
- You'll be redirected to Google's sign-in page
- Sign in with your Google Workspace Super Admin credentials
- Review the permissions requested by Harmony Email & Collaboration:
| Permission | Purpose |
|---|---|
| View and manage Gmail | Scan email content and take security actions |
| View and manage Drive files | Scan shared files for malware and sensitive data |
| View and manage groups | Apply policies to specific user groups |
| View organization units | Enumerate users and organizational structure |
- Click Allow to grant the requested permissions
- Wait for the authorization to complete and redirect back to Infinity Portal
Step 4: Configure Protection Scope
After authorization, select which users to protect:
All Users
- Select Protect all users in the organization
- This includes all active Gmail accounts in your Google Workspace
- Click Continue
Specific Groups or OUs
- Select Protect specific groups or organizational units
- Search for and select the Google Groups or OUs to protect
- Click Add for each selection
- Click Continue when finished
Tip: For large organizations, consider a phased rollout starting with IT and security teams before expanding to all users.
Step 5: Complete Initial Setup
- Review your configuration summary
- Click Activate to complete the initial setup
- Harmony Email will begin synchronizing with Google Workspace
The system will now:
- Connect to your Google Workspace environment
- Enumerate protected users and groups
- Begin the initial learning and calibration process
Step 6: Configure Google Admin Console Settings
For Inline (Protect) mode, Harmony Email creates content compliance rules in Google Admin Console. Verify these are correctly configured:
Access Google Admin Console
- Go to https://admin.google.com
- Sign in with your Super Admin credentials
- Navigate to Apps > Google Workspace > Gmail > Compliance
Verify Content Compliance Rules
Harmony Email creates the following rules automatically:
| Rule Name | Purpose |
|---|---|
[tenantname]_inline_ei | Inbound email scanning |
[tenantname]_inline_eo | Outbound email scanning |
[tenantname]_inline_ii | Internal email scanning |
- Locate the Harmony Email rules in the Content Compliance section
- Verify each rule is Enabled
- Confirm the rules are applied to the correct organizational units
Configure Inbound Gateway (If Required)
For Inline protection, you may need to configure an inbound gateway:
- In Google Admin Console, go to Apps > Google Workspace > Gmail > Spam, Phishing and Malware
- Under Inbound gateway, verify Check Point's IP ranges are whitelisted
- This ensures scanned emails aren't flagged as suspicious
Step 7: Enable Protection Mode
After initial setup completes, enable your desired protection mode:
Enable Monitor Mode (Default)
- In Harmony Email portal, go to Policy
- Expand Gmail
- Verify the default policy is set to Monitor Only
- This mode logs threats without blocking emails
Enable Protect (Inline) Mode
- Navigate to Policy in Harmony Email portal
- Expand Gmail
- Click the default threat protection policy
- Change Policy Protection Mode to Prevent (Inline)
- Click Save
When Inline mode is enabled, emails are:
- Received by Google Workspace
- Redirected to Harmony Email for scanning
- Scanned for threats (typically 10 seconds to 5 minutes)
- Returned to Google Workspace for delivery (if clean) or quarantined (if malicious)
Step 8: Configure Policy Rules
Customize protection with specific policy rules:
Create a New Policy Rule
- Go to Policy > Add a New Policy Rule
- Select Gmail under Choose SaaS
- Select the security type:
- Anti-Phishing: Detect phishing and BEC attacks
- Anti-Malware: Block malicious attachments
- DLP: Prevent data loss
- Configure rule settings:
- Direction: Inbound, Outbound, or Internal
- Action: Detect, Prevent, or Quarantine
- Scope: All users or specific groups
- Click Save
Recommended Policy Configuration
| Traffic Direction | Anti-Phishing | Anti-Malware | DLP |
|---|---|---|---|
| Inbound | Prevent | Prevent | Monitor |
| Outbound | Monitor | Prevent | Prevent |
| Internal | Monitor | Monitor | Monitor |
Step 9: Configure Google Drive Protection
Harmony Email also protects files shared through Google Drive:
- In Harmony Email portal, go to Policy
- Expand Google Drive
- Configure protection rules for:
- File uploads: Scan files uploaded to Drive
- File sharing: Monitor external sharing
- DLP: Detect sensitive data in documents
Enable Drive Scanning
- Click Add a New Policy Rule
- Select Google Drive under Choose SaaS
- Select Anti-Malware or DLP
- Configure scanning options:
- Scan on upload
- Scan on share
- Scan existing files (optional)
- Click Save
Step 10: Verify the Connection
Confirm your integration is working correctly:
Check Connection Status
- Go to Overview > SaaS Status
- Verify Gmail shows Connected
- Verify Google Drive shows Connected (if enabled)
- Check the Last Sync timestamp
Review Protected Users
- Navigate to Users & Groups
- Verify the expected Google Workspace users are listed
- Confirm user status shows Active
Test Email Scanning
- Send a test email with an EICAR test file attachment
- Check the Events section for detection
- Verify the appropriate action was taken
Troubleshooting Common Issues
Authorization Fails
Symptoms: Google login fails or permissions aren't granted.
Solutions:
- Ensure you're using Super Admin credentials
- Check for browser extensions blocking pop-ups
- Try an incognito/private browser window
- Verify no Google Workspace restrictions prevent third-party app access
Content Compliance Rules Not Created
Symptoms: Inline protection doesn't work; rules missing in Google Admin.
Solutions:
- Verify Super Admin permissions were granted correctly
- Manually check and enable rules in Google Admin Console
- Contact Check Point support for rule recreation
Emails Delayed Significantly
Symptoms: Emails take more than 5 minutes for Inline scanning.
Solutions:
- Check Check Point service status for any outages
- Review email volume; high volume may cause delays
- Consider using Monitor mode for less critical traffic
- Contact support if delays exceed SLA
Drive Files Not Scanning
Symptoms: Google Drive protection shows connected but files aren't scanned.
Solutions:
- Verify Drive permissions were granted during authorization
- Check policy rules are configured for Google Drive
- Ensure file size is under the scanning limit (10 MB)
- Review user is in a protected group
Manual Integration (Advanced)
If automatic integration isn't suitable, you can manually configure Google Workspace:
Create Content Compliance Rules Manually
- In Google Admin Console, go to Apps > Google Workspace > Gmail > Compliance
- Click Add another rule under Content Compliance
- Configure rule for inbound traffic:
- Name:
checkpoint_inline_inbound - Messages to affect: Inbound
- Route: Check Point scanning server
- Name:
- Repeat for outbound and internal traffic
- Reference the Manual Integration Guide for specific settings
Next Steps
After successfully connecting to Google Workspace:
- Fine-tune policies: Adjust detection sensitivity based on initial findings
- Configure DLP: Enable data loss prevention for sensitive information
- Set up alerts: Create notifications for high-severity threats
- Enable quarantine management: Configure end-user quarantine access
- Review dashboards: Monitor threat trends and security metrics
Additional Resources
- Harmony Email & Collaboration Admin Guide
- Google Workspace Activation Documentation
- Google Workspace Marketplace - Harmony Email
Need expert help with email security? Inventive HQ offers comprehensive Check Point deployment and management services. Contact us for a free consultation.