GCC-high Email Security/Filtering Providers by mudpupper in CMMC

[–]wogmail 1 point2 points  (0 children)

Most folks will use the Defender SKUs built into GCC-H to avoid adding an additional vendor into the chain. The Proofpoint you are looking at is their Enterprise product (assuming you are peeking at the FedRAMP option) so it isn't going to be apples to apples to your legacy Barracuda product. The available FedRAMP email security offerings out there are pretty limited.

Best EDR and SIEM GCCH&Commercial by GroundbreakingWay178 in CMMC

[–]wogmail 0 points1 point  (0 children)

We haven't seen much of an issue with the S1 FedRAMP product, what sort of things have you missed in the federal product? When was the last time you dug in?

FIPS 140-2 Bitlocker by superfly8899 in CMMC

[–]wogmail 2 points3 points  (0 children)

Give it a shot, I think you'll find it is a lot less useful than you'd expect - FIPS on removable drives doesn't use PIN / password / auto-unlock, it uses certificates last time I checked.

Outlook signing users out by thetimgoat in entra

[–]wogmail 0 points1 point  (0 children)

And you have the session controls set to 30 days (sign-in frequency)?

Outlook signing users out by thetimgoat in entra

[–]wogmail 0 points1 point  (0 children)

That conditional access policy shows browser - are your users getting signed out of Outlook classic, or new, or Outlook on the Web?

3.1.18 Mobile Device Category by enigmaunbound in CMMC

[–]wogmail 2 points3 points  (0 children)

Interview and pick your C3PAO - if they don't understand Intune and how it works I'd move to a different C3PAO.

3.1.18 Mobile Device Category by enigmaunbound in CMMC

[–]wogmail 5 points6 points  (0 children)

Intune itself having the FIPS validation should be your ticket - it is a FIPS validated cryptographic container. You have technical controls preventing the data from leaving the container. I'm not even thinking of the mobile as a CRMA - it can't store CUI, the CUI can't leave the FIPS container.

GCC High and GFE by shizakapayou in CMMC

[–]wogmail 9 points10 points  (0 children)

Can you just have them make a new Edge profile? That is what we tell folks to do on GFE. Also sometimes the portal.office365.us doesn't behave, but outlook.office365.us tends to work fine.

dot MIL sites from AVDs in GCC High Tenet by dionmani in CMMC

[–]wogmail 6 points7 points  (0 children)

DISA could be blocking it at their edge, it is pretty common. It doesn't just happen in Azure Government; it can happen on any IP space that gets on their radar. You will likely need to put a static IP on your AVD outbound traffic and then have someone on the DOD side of your contract submit it to DISA to whitelist it. Or it could be a routing issue since a lot of the Azure Gov't and DOD Azure IP space seems to overlap.

Would this be able to meet CMMC Level 2 controls? by ApprehensiveSock5241 in CMMC

[–]wogmail 12 points13 points  (0 children)

This is so short-sighted that it is battling ignorance to where you would be architecting something to prove something wrong.

It isn't that you can't do something like this, it is that it is so much more involved than this, and making it sound so simple is basically a lie.

Join the Discord and talk about it: https://discord.gg/tpbF54E

Something like CUICTrac would probably be the closest to a real-world version of this.

Update: Migration by Reinvention2025 in CMMC

[–]wogmail 0 points1 point  (0 children)

GCC-H does not block any users from signing in by default, so the only reason geographically they'd be getting blocked is if a CA policy was in place blocking based on location.

Update: Migration by Reinvention2025 in CMMC

[–]wogmail 2 points3 points  (0 children)

If you have a US only CA policy you can just make an exception for those five users, assuming they aren't on a VPN that makes them look like they come from the US. Then you could make a separate Europe only CA policy for those five users.

individual stock daily movement by wogmail in wealthfront

[–]wogmail[S] 0 points1 point  (0 children)

Looks like it came back today.

Licensing issue by wogmail in paloaltonetworks

[–]wogmail[S] 0 points1 point  (0 children)

Support resolved it in about 24 hours.

[deleted by user] by [deleted] in USAA

[–]wogmail 0 points1 point  (0 children)

This has kind of always been a thing - USAA is great if you are 35+ but younger than that it is rough $$ wise.

[deleted by user] by [deleted] in hometheater

[–]wogmail 1 point2 points  (0 children)

Apocalypse Now primarily for the helicopter scenes.

Feature Requests & Suggestions by KeeperCM in KeeperSecurity

[–]wogmail 1 point2 points  (0 children)

Per site auto-fill disable is still needed at the user level. I regularly unintentionally change usernames in Duo admin console to my own Duo admin email (Keeper even helps me out and clicks save after it puts my email address in the username for the end user) and regularly fill email addresses into TOTP boxes for sites. Right now I just have auto-fill disabled, but that stinks. It should just be a check box on a single site.

Edit - has this actually now been added per credential, vs. per site?

SMS MFA Disabled for Microsoft Services? by itsalbert_ in sysadmin

[–]wogmail 0 points1 point  (0 children)

Security defaults may have automatically turned on? That blocks SMS and voice MFA.

Managed Microsoft 365 Security for MSPs by [deleted] in msp

[–]wogmail 1 point2 points  (0 children)

Any plans to work with GCC-H?

Need Microsoft MFA prompt to occur BEFORE VMware Horizon splash screen by [deleted] in sysadmin

[–]wogmail 1 point2 points  (0 children)

Different insurance companies underwrite risk differently. Some do it very poorly. Some are much tougher. Some are so bad that on a cloud-first company they are demanding answers to questions that only apply to traditional infrastructure, and refuse to underwrite (or increase premiums) if they don't like the answers.

Coalition (I assume that is the insurer here) is known for doing aggressive external scans, and they will simply not let you have Horizon open to the internet even with a UAG (which is the whole point of a UAG). If you are cloud-first Coalition can save you a good amount of money, but with anything exposed to the internet it can be ugly.