Configuring Google Workspace (G-Suite) with Sorb SCES

What is Google Workspace?

Google Workspace (also known as G-Suite) is a cloud-based solution from Google. It offers email, security, archiving and other capabilities delivered on Google’s worldwide network of cloud data centers.

Before you Start

Gather the information listed below. You will need this information later.

  • The MX record(s) for the domain(s) you are configuring for G-Suite
  • Your environment’s Sorb SCES IPs and SPF
  • Login details for your Google admin account

Configuring DNS hosted on Google Workspace(Optional if DNS hosting is at somewhere else)

  • Sign in to the Google Admin console.
  • From the console, navigate to Domains > Manage domains > View Details(Select <domain>) > MANAGE DOMAIN > Manage(Select <domain>)
  • On the left, select DNS in the menu
  • Click Manage custom records button, add/update both MX and TXT records, then click Save button

Configuring Google Workspace for inbound emails

  • Sign in to the Google Admin console.
  • From the console, navigate to Apps > Google Workspace > GmailSpam, phishing, and malware.
  • On the left, select the top-level organization. This is usually your domain.
  • Scroll to the Email allowlist setting, then click Edit. Key in Sorb Security Egress IPs and Subnets as showing in Figure-1, from Connection Details, then click SAVE button.
  • Scroll to the Inbound gateway setting, then click Edit. The Inbound gateway settings open on the page
  • Under Gateway IPs, add the following: Connection Details
  • Tag the messages (Required, when you configure Mark on Sorb SCES) as in Figure-2
Example: ^X-Sorbsecurity-Detected: yes$
Reminder: Header and Value at here have to match the configuration on Sorb SCES.
  • Check Reject all mail not coming from gateway IPs.
  • Check Require TLS for connection from the email gateways listed above
  • At the bottom, click Save. It can take up to 24 hours for changes to take effect.

Please refer to Google KB article for details.

Configuring Google Workspace for outbound emails

  • Set up the trusted source on SCES to accept and forward email only from ​Google Workspac​e mail server IP addresses.
  • Set up the Sender Policy Framework(SPF) from Connection Details.
  • Add outbound gateway route
    • In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Hosts.
    • Click “ADD ROUTE“.
    • Enter Name, “SorbSecurity Outbound Gateways” and choose Multiple hosts. Then fill in your own two FQDN hosts with the port number 2525.
  • In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Routing.
  • Click CONFIGURE of Routing.
    • Enter a route name for the gateway server in the Name field, “Route to SorbSecurity for outbound emails”
    • Check Outbound
    • Check “Add X-Gm-Original-To header”, “Add X-Gm-Spam and X-Gm-Phishy headers”, “Add custom headers”, “X-SorbSecurity-Outbound: Gmail”
    • Check Change the route, choose SorbSecurity Outbound Gateways. Then SAVE.