I have a deployment where we have Network Monitor, SMTP Prevent, and Endpoint Protect deployed. One of the requirements for the Endpoint deployment is to monitor Outlook. The reason for this is zone-based security requirements, where we need to be able to inspect internal email traffic between internal users. However, one of the effects of this is that we see duplicate email incidents for any externally delivered email, as we are running the same policy set on Endpoint as we are on SMTP Prevent. When an incident occurs, we get one Network incident from the SMTP Prevent servers and one Endpoint incident from the endpoint.
What I am trying to accomplish is eliminating the Endpoint incident when the mail is destined for an external recipient, since I know it has to go through SMTP Prevent anyway; and in conjunction with that, I would like to avoid creating duplicate policies for Endpoint and Network. I can't think of a way to accomplish this other than creating separate policies, where one would be deployed only to the Network servers, and the other (which would be deployed only to the Endpoint servers) would have a compound exception for SMTP (protocol) AND recipient matches pattern "mydomain.com" (all recipients must match).
The Agent Configuration doesn't allow you to create a "domain" type exception for SMTP, which is where I would hope to be able to do this.
Any good ideas out there?
Thanks in advance.
~Keith
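The exception Keith describes ("SMTP AND every recipient matches mydomain.com") is easy to get subtly wrong if the recipient pattern is treated as a substring, because "notmydomain.com" or "mydomain.com.attacker.example" would then also count as internal and the endpoint incident would be suppressed for mail that really leaves the zone. The following is an added example, not part of the original post and not Symantec DLP's own exception engine: it parses the To/Cc/Bcc headers of a constructed message and applies an "all recipients internal" test with exact-domain or subdomain matching. The domain "mydomain.com" is the placeholder from the post; the header names and the decision to fail closed on unparsable recipients are assumptions made for the example.

```python
"""Added example: decide whether an outbound message is internal-only so an
endpoint-side rule could skip it. Illustrative logic only, not Symantec DLP."""
from email import message_from_string
from email.utils import getaddresses

# Assumed internal zone; "mydomain.com" is the placeholder used in the post.
INTERNAL_DOMAINS = {"mydomain.com"}

# Constructed sample messages (not real traffic).
SAMPLE_INTERNAL = (
    "From: keith@mydomain.com\n"
    "To: Alice <alice@mydomain.com>, bob@MyDomain.com\n"
    "Cc: hr@payroll.mydomain.com\n"
    "Subject: internal only\n\n"
    "stays inside the zone\n"
)
SAMPLE_MIXED = (
    "From: keith@mydomain.com\n"
    "To: alice@mydomain.com\n"
    "Bcc: partner@partner.example\n"
    "Subject: leaves the zone\n\n"
    "one external recipient is enough\n"
)
SAMPLE_LOOKALIKE = (
    "From: keith@mydomain.com\n"
    "To: x@notmydomain.com, y@mydomain.com.attacker.example\n"
    "Subject: substring trap\n\n"
    "a bare 'mydomain.com' substring pattern would accept both\n"
)


def recipient_domains(raw_message):
    """Return (domains, ok): lowercased domain of every To/Cc/Bcc address.
    ok is False when any recipient has no parsable '@domain' part."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    domains, ok = [], True
    for _name, addr in getaddresses(headers):
        if "@" not in addr:
            ok = False          # group syntax / garbage: cannot classify it
            continue
        domains.append(addr.rsplit("@", 1)[1].strip().lower())
    return domains, ok


def is_internal_domain(domain, internal=INTERNAL_DOMAINS):
    """Exact match or a true subdomain. Rejects 'notmydomain.com' and
    'mydomain.com.attacker.example', which a substring match would accept."""
    return any(domain == d or domain.endswith("." + d) for d in internal)


def all_recipients_internal(raw_message):
    """The 'all recipients must match' exception: True only when every
    recipient parsed cleanly and every one is inside the internal zone."""
    domains, ok = recipient_domains(raw_message)
    if not ok or not domains:
        return False            # fail closed: keep the incident
    return all(is_internal_domain(d) for d in domains)


def any_recipient_external(raw_message):
    """Complement, for readers who prefer to phrase the rule as 'fire the
    endpoint rule only when something leaves the zone'."""
    return not all_recipients_internal(raw_message)


if __name__ == "__main__":
    for label, sample in (("internal", SAMPLE_INTERNAL),
                          ("mixed", SAMPLE_MIXED),
                          ("lookalike", SAMPLE_LOOKALIKE)):
        print(label, "suppress endpoint incident:", all_recipients_internal(sample))
```

The point of `is_internal_domain` is the `"." + d` suffix check: a DLP "matches pattern" exception written as an unanchored substring behaves like the naive version, so whatever the product's pattern syntax is, it should be anchored at the end of the address and require either an exact domain or a dot boundary before it. Failing closed on an unparsable recipient is deliberate: a message the exception cannot classify should still produce the incident rather than be silently waved through.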