Submit Search
Upload
O365 to cisco cloud guide
•
0 likes
•
1,886 views
M
Muthanna Ranganath
Follow
O365 to cisco cloud guide
Read less
Read more
Technology
Report
Share
Report
Share
1 of 23
Download now
Download to read offline
Recommended
Cisco Web and Email Security Overview
Cisco Web and Email Security Overview
Cisco Security
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
Anwesh Dixit
Email_Security Gateway.pptx
Email_Security Gateway.pptx
ssuser651fd4
Amazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and Remediation
Amazon Web Services
Content Delivery Network – CDN
Content Delivery Network – CDN
Ahmed Banafa
Conceptual security architecture
Conceptual security architecture
MubashirAslam5
Diving into Common AWS Misconfigurations
Diving into Common AWS Misconfigurations
Nikhil Sahoo
IronPort
IronPort
Netwax Lab
Recommended
Cisco Web and Email Security Overview
Cisco Web and Email Security Overview
Cisco Security
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
Anwesh Dixit
Email_Security Gateway.pptx
Email_Security Gateway.pptx
ssuser651fd4
Amazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and Remediation
Amazon Web Services
Content Delivery Network – CDN
Content Delivery Network – CDN
Ahmed Banafa
Conceptual security architecture
Conceptual security architecture
MubashirAslam5
Diving into Common AWS Misconfigurations
Diving into Common AWS Misconfigurations
Nikhil Sahoo
IronPort
IronPort
Netwax Lab
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
회사 계정/패스워드 그대로 AWS 관리 콘솔 및 EC2 인스턴스 사용하기 - 이정훈, AWS 솔루션즈 아키텍트:: AWS Summit O...
회사 계정/패스워드 그대로 AWS 관리 콘솔 및 EC2 인스턴스 사용하기 - 이정훈, AWS 솔루션즈 아키텍트:: AWS Summit O...
Amazon Web Services Korea
Cisco ASA Firepower
Cisco ASA Firepower
Anwesh Dixit
Microsoft Zero Trust
Microsoft Zero Trust
David J Rosenthal
Enhance network security with Multi-Factor Authentication for BYOD and guest ...
Enhance network security with Multi-Factor Authentication for BYOD and guest ...
Aruba, a Hewlett Packard Enterprise company
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
Denise Bailey
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
Amazon Simple Email Service 101
Amazon Simple Email Service 101
Amazon Web Services
High-density 802.11ac Wi-Fi design and deployment for large public venues
High-density 802.11ac Wi-Fi design and deployment for large public venues
Aruba, a Hewlett Packard Enterprise company
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
Amazon Web Services
Security review using SABSA
Security review using SABSA
Maganathin Veeraragaloo
Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection - SID341 ...
Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection - SID341 ...
Amazon Web Services
Implementation of Amazon Connect, Powered By Accenture
Implementation of Amazon Connect, Powered By Accenture
Amazon Web Services
F5 Web Application Security
F5 Web Application Security
MarketingArrowECS_CZ
NIST Zero Trust Explained
NIST Zero Trust Explained
rtp2009
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Priyanka Aash
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
Aruba, a Hewlett Packard Enterprise company
ClearPass Overview
ClearPass Overview
JoAnna Cheshire
Cisco Security Presentation
Cisco Security Presentation
Simplex
Security and compliance in Office 365 -Part 1
Security and compliance in Office 365 -Part 1
Vignesh Ganesan I Microsoft MVP
Microsoft365 Vs Atomic Data White Paper
Microsoft365 Vs Atomic Data White Paper
Jim Wolford
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Mithi SkyConnect
More Related Content
What's hot
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
회사 계정/패스워드 그대로 AWS 관리 콘솔 및 EC2 인스턴스 사용하기 - 이정훈, AWS 솔루션즈 아키텍트:: AWS Summit O...
회사 계정/패스워드 그대로 AWS 관리 콘솔 및 EC2 인스턴스 사용하기 - 이정훈, AWS 솔루션즈 아키텍트:: AWS Summit O...
Amazon Web Services Korea
Cisco ASA Firepower
Cisco ASA Firepower
Anwesh Dixit
Microsoft Zero Trust
Microsoft Zero Trust
David J Rosenthal
Enhance network security with Multi-Factor Authentication for BYOD and guest ...
Enhance network security with Multi-Factor Authentication for BYOD and guest ...
Aruba, a Hewlett Packard Enterprise company
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
Denise Bailey
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
Amazon Simple Email Service 101
Amazon Simple Email Service 101
Amazon Web Services
High-density 802.11ac Wi-Fi design and deployment for large public venues
High-density 802.11ac Wi-Fi design and deployment for large public venues
Aruba, a Hewlett Packard Enterprise company
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
Amazon Web Services
Security review using SABSA
Security review using SABSA
Maganathin Veeraragaloo
Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection - SID341 ...
Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection - SID341 ...
Amazon Web Services
Implementation of Amazon Connect, Powered By Accenture
Implementation of Amazon Connect, Powered By Accenture
Amazon Web Services
F5 Web Application Security
F5 Web Application Security
MarketingArrowECS_CZ
NIST Zero Trust Explained
NIST Zero Trust Explained
rtp2009
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Priyanka Aash
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
Aruba, a Hewlett Packard Enterprise company
ClearPass Overview
ClearPass Overview
JoAnna Cheshire
Cisco Security Presentation
Cisco Security Presentation
Simplex
Security and compliance in Office 365 -Part 1
Security and compliance in Office 365 -Part 1
Vignesh Ganesan I Microsoft MVP
What's hot
(20)
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
회사 계정/패스워드 그대로 AWS 관리 콘솔 및 EC2 인스턴스 사용하기 - 이정훈, AWS 솔루션즈 아키텍트:: AWS Summit O...
회사 계정/패스워드 그대로 AWS 관리 콘솔 및 EC2 인스턴스 사용하기 - 이정훈, AWS 솔루션즈 아키텍트:: AWS Summit O...
Cisco ASA Firepower
Cisco ASA Firepower
Microsoft Zero Trust
Microsoft Zero Trust
Enhance network security with Multi-Factor Authentication for BYOD and guest ...
Enhance network security with Multi-Factor Authentication for BYOD and guest ...
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Amazon Simple Email Service 101
Amazon Simple Email Service 101
High-density 802.11ac Wi-Fi design and deployment for large public venues
High-density 802.11ac Wi-Fi design and deployment for large public venues
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
Security review using SABSA
Security review using SABSA
Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection - SID341 ...
Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection - SID341 ...
Implementation of Amazon Connect, Powered By Accenture
Implementation of Amazon Connect, Powered By Accenture
F5 Web Application Security
F5 Web Application Security
NIST Zero Trust Explained
NIST Zero Trust Explained
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
Advanced Access Management with Aruba ClearPass #AirheadsConf Italy
ClearPass Overview
ClearPass Overview
Cisco Security Presentation
Cisco Security Presentation
Security and compliance in Office 365 -Part 1
Security and compliance in Office 365 -Part 1
Similar to O365 to cisco cloud guide
Microsoft365 Vs Atomic Data White Paper
Microsoft365 Vs Atomic Data White Paper
Jim Wolford
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Mithi SkyConnect
Webinar - Which Email Archiving Strategy is Right for Your Business?
Webinar - Which Email Archiving Strategy is Right for Your Business?
Vaultastic
EO-TH-v2-End-Users.pptx
EO-TH-v2-End-Users.pptx
ssuser9dddf7
Exchange Integration
Exchange Integration
Connecting Software
Mimecast for Office 365 Solution Brief
Mimecast for Office 365 Solution Brief
julesmartin
Top 5 Benefits of MS-Exchange Email Hosting
Top 5 Benefits of MS-Exchange Email Hosting
Avni Rajput
Presentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloud
xKinAnx
I017225966
I017225966
IOSR Journals
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
iosrjce
Take a Leap into the Connected Cloud; 3 Trending Hybrid Cloud Scenarios
Take a Leap into the Connected Cloud; 3 Trending Hybrid Cloud Scenarios
Gina Montgomery, V-TSP
Why Migrate your emails to a Cloud solution?
Why Migrate your emails to a Cloud solution?
Chris Allen
Web servicesintegrationwhitepaper
Web servicesintegrationwhitepaper
Automotive Digital Marketing Professional Community
Unlocking The Secrets: AWS Whitepapers That Simplify Cloud Computing
Unlocking The Secrets: AWS Whitepapers That Simplify Cloud Computing
FredReynolds2
Cloud_computing Notes.docx
Cloud_computing Notes.docx
Bhavana Sangamnerkar
Privacy Issues of Cloud Computing in the Federal Sector
Privacy Issues of Cloud Computing in the Federal Sector
Lew Oleinick
CloudMail Slick
CloudMail Slick
RapidScale
Cloud computing understanding security risk and management
Cloud computing understanding security risk and management
Shamsundar Machale (CISSP, CEH)
50120130406006
50120130406006
IAEME Publication
Ms o365 privacy in the public cloud - 12-12-11 final standard
Ms o365 privacy in the public cloud - 12-12-11 final standard
Kate Wakefield
Similar to O365 to cisco cloud guide
(20)
Microsoft365 Vs Atomic Data White Paper
Microsoft365 Vs Atomic Data White Paper
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar - Which Email Archiving Strategy is Right for Your Business?
Webinar - Which Email Archiving Strategy is Right for Your Business?
EO-TH-v2-End-Users.pptx
EO-TH-v2-End-Users.pptx
Exchange Integration
Exchange Integration
Mimecast for Office 365 Solution Brief
Mimecast for Office 365 Solution Brief
Top 5 Benefits of MS-Exchange Email Hosting
Top 5 Benefits of MS-Exchange Email Hosting
Presentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloud
I017225966
I017225966
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
Take a Leap into the Connected Cloud; 3 Trending Hybrid Cloud Scenarios
Take a Leap into the Connected Cloud; 3 Trending Hybrid Cloud Scenarios
Why Migrate your emails to a Cloud solution?
Why Migrate your emails to a Cloud solution?
Web servicesintegrationwhitepaper
Web servicesintegrationwhitepaper
Unlocking The Secrets: AWS Whitepapers That Simplify Cloud Computing
Unlocking The Secrets: AWS Whitepapers That Simplify Cloud Computing
Cloud_computing Notes.docx
Cloud_computing Notes.docx
Privacy Issues of Cloud Computing in the Federal Sector
Privacy Issues of Cloud Computing in the Federal Sector
CloudMail Slick
CloudMail Slick
Cloud computing understanding security risk and management
Cloud computing understanding security risk and management
50120130406006
50120130406006
Ms o365 privacy in the public cloud - 12-12-11 final standard
Ms o365 privacy in the public cloud - 12-12-11 final standard
Recently uploaded
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
BookNet Canada
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
2toLead Limited
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Sinan KOZAK
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
null - The Open Security Community
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Safe Software
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
Deakin University
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
BookNet Canada
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
Precisely
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
null - The Open Security Community
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
Fwdays
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Fwdays
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
Memoori
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
carlostorres15106
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
null - The Open Security Community
Recently uploaded
(20)
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
O365 to cisco cloud guide
1.
© 2017 Cisco
and/or its affiliates. All rights reserved.1 How-To Configure Message Routing Between Cisco Cloud Email Security and Office 365 Beginning with AsyncOS 10.0 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
2.
© 2017 Cisco
and/or its affiliates. All rights reserved.2 Contents About This Document 3 ACME’s Migration to the Cloud 3 Cisco Cloud Email Security to Office 365 Configuration Summary 6 Routing Inbound Traffic to Cisco Cloud Email Security (CES) 6 Routing Incoming Traffic from Cisco CES to Office 365 8 Troubleshooting Incoming Message Routing 9 Routing Outbound Traffic from Office 365 to Cisco Cloud Email Security 15 Troubleshooting Outgoing Message Routing 19 Preventing an Open Relay Through Office 365 20 CLI Troubleshooting Commands 23 Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
3.
© 2017 Cisco
and/or its affiliates. All rights reserved.3 About This Document Microsoft Exchange has become the standard email system used by midsize to large-scale organizations globally. With the rise of cloud applications, Microsoft has introduced Office 365. This guide explains how Office 365 customers can boost their email security by integrating with Cisco® Cloud Email Security (CES). This document is for Cisco® engineers and customers who will deploy Cisco Email Security Solution AsyncOS 10.0 and greater. This document covers: • A brief discussion on why Cisco Cloud Email Security (CES) is positioned in front of Office 365 • Overview of the Integration Process • Routing Inbound Traffic to Cisco Cloud Email Security • Troubleshooting Inbound Traffic • Routing Outbound Traffic from Office 365 to Cisco CES • Troubleshooting Outbound Traffic • Preventing an Open Relay Prerequisites • Access to the Office 365 EOP admin account • Access to the Cisco Cloud Email Security (CES) admin account • MX records for Office 365 account • MX records for CES account • Familiarity with the CES User Interface • Access to CES Cluster Command Line Interface (Support Ticket) Note on CLI Access: We recommend that you get CLI access, as this will greatly help in troubleshooting. The biggest benefit of using SSH is real time mail logging. When using message tracking on the SMA to troubleshoot live issues, information isn’t immediately populated. But in the CLI, we can see mail being processed in real time, which could show any error as they arise. See CLI Troubleshooting Commands on page 23. ACME’s Migration to the Cloud We’ve all been witness to the cloud evolution. Organizations are increasingly moving their operations and resources off site to provide services that were traditionally housed internally. The migration to online services has provided many benefits. Even small businesses can now have enterprise-class redundancy and disaster recovery without the capital outlay for telecommunication, network, and server resources. Only one vender to deal with for desktop applications, business file sharing, video, mobile phone administration and enterprise email! Like other on premise resources, companies have seized at the next logical step in moving their mailboxes to the cloud in favor of managing a local mail server. However, they also acknowledge that the sending and receiving of banking, trading, sales contracts, and legal documents, over email must continue to be done in a secure fashion, as it was done when all resources were on premise. Long before the days of hosted datacenters, Microsoft did have rudimentary security in their Exchange server, but that proved inadequate. This lead to dedicated security venders, such as IronPort, creating secure email gateways to protect those mail servers. Microsoft, after all, was focused on user applications, not security. Fast-forward to the present, Microsoft is still focused on end user applications but marketing them as a SAAS offering. In acknowledging customer apprehension about migrating assets to the cloud, Microsoft offers “just good enough” email security. However, it is wrong to view security as another cloud application. As 80% of enterprise infections occur through email, it remains the number 1 threat vector. That harsh reality is often realized by Office 365 customers who lack of protection against phishing and zero-day attacks. As it was in the past, it is still today prudent to choose a dedicated security vender, like Cisco Cloud Email Security, as the gateway provider in front of your Office 365 mailboxes. Here in Cisco Security, we make it our business to analyze what malicious actors are doing every minute and updating how all our security products respond to them. Cloud hosting of end user applications is a different business focus. This paper describes a fictitious company named ACME Inc that realizes the importance of dedicated email security. Below in Figure 1 is ACME’s infrastructure following the complete migration to Office 365. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
4.
© 2017 Cisco
and/or its affiliates. All rights reserved.4 In Figure 2, ACME has modified their MX records to direct their incoming mail flow through Cisco Cloud Email Security (CES). They rest assured with features such as enhanced protection against zero-day attacks and Office 365 Mailbox Remediation, which allows Cisco CES to remove malicious files from an Office 365 mailbox. Similar mail flow arrangements have been made for outbound message flow, for AMCE to realize the benefits of Data Loss Prevention, Push or Pull Encryption, consolidated reporting and message tracking through a dedicated gateway with their own private IP address. In this paper we address the transition from Figure 1 to Figure 2. Figure 1. Email Flow for Office 365 Before Integration with Cisco CES Office 365 Exchange Online Email Flow Inbound Email External Client Outbound Email Company HQ Before Integration MX Record acme-com.mail.prortection.outlook.com.com Mailboxes Figure 2. Email Flow for Office 365 After Integration with Cisco CES Office 365 3 2 1 Exchange Online Mailboxes Email Flow Inbound Email External Client Outbound Email Company HQ After Integration Cisco Cloud SMA DLP, A/V, A/S, Encryption ESA Cluster Cisco Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
5.
© 2017 Cisco
and/or its affiliates. All rights reserved.5 Many Office 365 customers will be in a hybrid scenario where some of their mailboxes have migrated to Office 365 while others have stayed behind in the on premise Exchange server, for corporate reasons. Their MX record may have changed to point at Office 365, or it may continue to point to their current exchange server, as shown in Figure 3. Where the MX record points doesn’t matter since on premise exchange and Exchange Online will behave has two Exchange servers owned by Acme. They will synchronize and deliver messages between themselves depending on the final destination of a message. Figure 4 shows Hybrid Cloud after the Integration with Cisco Cloud Email Security (CES). The application in Figure 4 is very similar to Figure 2. In both cases the new MX records will point to the CES cluster. From CES the mail flow is routed to different destinations; in the pure cloud application, it is routed to Exchange Online, in the hybrid application it is routed to the on premise Exchange server. Our point here is that CES is flexible and can be implemented in a variety of scenarios. However, to optimize the ability of CES to filter messages, it should be placed as the first mail hop in the organization. This allows for implementing Sender Base Reputation filtering for blocking messages from known bad senders. The rest of this guide will focus on the pure cloud migration shown as the transition from Figure 1 to Figure 2. However, the techniques are valid for applying to the other topologies. Figure 3. Hybrid Email Flow for Office 365 before Integration with Cisco CES Office 365 Exchange Online Dir Synch MX Record mail.acme.comEmail Flow External Client Company HQ Microsoft Exchange Hybrid Cloud Before Integration Mailboxes Figure 4. Hybrid Email Flow for Office 365 after Integration with Cisco CES Office 365 Exchange Online MX Records esa1.acme-com.c3s2.com esa2.acme-com.c3s2.com Mailboxes External Client Hybrid Cloud After Integration Cisco Cloud SMA DLP, A/V, A/S, Encryption ESA Cluster Cisco Email Flow Company HQ Microsoft Exchange Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
6.
© 2017 Cisco
and/or its affiliates. All rights reserved.6 Cisco Cloud Email Security to Office 365 Configuration Summary Inbound Routing 1. Record the MX record pointing to your Office 365 account: ______________________ 2. Record the MX records for you Cisco CES account: ____________ ______________________________ 3. In the Office 365 EOP Admin Center click: Home > Edit a domain. 4. Change the DNS provider’s MX records from the Office 365 address to those provided by your Cisco CES account. 5. In the CES admin account, add the mail domains to the Recipient Access Table (RAT). 6. In the CES admin account, add an SMTP route that points to the mail server located in the domain that you defined in the RAT. Note: This mail server’s address may be the original MX record for EOP, or it may be the customer’s on premise server in a hybrid environment. See Figures 2 and 4. 7. In the Office 365 EOP Admin Center navigate to Protection > Connection filter > default policy and create an “IP Allow List”. Here you will enter the IP addresses associated with the public MX records to your CES account. 8. Send a test message to your Office 365 mailbox. 9. Use Message Tracking in Cisco CES and Message Trace in Office 365 to verify that the message was routed correctly. Outbound Routing 1. In the Office 365 EOP Admin Center, go to: Mail Flow > Connector > Outbound Connectors > Add. 2. On the “Select your mail flow scenario” page, choose the following: a. From: Office 365 b. To: Partner Organization 3. On the New connector page (you will be presented with several sub configuration pages). See pg. 15 Step 4 for the details of creating this connector. At this point the “validate connector” step will fail. 4. Log into your CES account and configure the domain “.protection. outlook.com” in the RELAYLIST of the OutgoingMail listener. 5. In Office 365 EOP admin center, click: “Validate this connector” again. This time it should succeed. 6. In EOP admin center, click: Mail flow > Rules > Add Rule “+” For details on completing this rule, see steps 7 – 12 on pg. 17. 7. Send a test message outbound from an Office 365 mailbox. 8. Use Message Tracking in Cisco CES and Message Trace in Office 365 to verify that the message was routed correctly. Routing Inbound Traffic to Cisco Cloud Email Security (CES) Figure 5. Cisco Email Security Appliances Hosted in Data Centers 1 External Client After Integration Cisco Cloud SMA DLP, A/V, A/S, Encryption ESA Cluster Cisco MX Records esa1.acme-com.c3s2.com esa2.acme-com.c3s2.com Following Acme’s migration to the cloud, their MX record pointed to acme-com.mail.protection.outlook.com.com, as shown in Figure 1. After integration with Cisco CES their new MX records are esa1.acme- com.c3s2.com and esa2.acme-com.c3s2.com. These are provided when the customer sets up the CES account for an evaluation or for production mail. They point to the Email Security Appliances hosted in redundant Cisco data centers. See Figure 5. To begin production mail flow, Acme’s IT staff changes the company’s Domain Name System (DNS) MX records from acme-com.mail.protection.outlook.com.com to the new records just referenced. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
7.
© 2017 Cisco
and/or its affiliates. All rights reserved.7 Figures 6 and 7 illustrate this below. In less than 24 hours, DNS servers around the Internet will detect this change and begin their forwarding to the CES Appliances for Acme. Incoming messages will be scanned for spam, viruses, malicious file attachments, and malicious URLs. Other email hygiene will also be performed prior to delivery to Office 365. Note: All of these DNS records are for illustration and not actual customer records. In Office 365 Admin Center click: Home > Edit a domain as shown in Figure 6. This change the MX records to those provided for your CES account. In Figure 7, we have changed the MX records for domain: acme.com. From: acme-com.mail.protection.outlook.com.com to esa1.acme-com.c3s2.com and esa2.acme-com.c3s2.com. Figure 6. acme-com.mail.protection.outlook.com.com Figure 7. esa1.acme-com.c3s2.com and esa2.acme-com.c3s2.com Important: Note the warning in Figure 7: “One or more of these records haven’t been added correctly yet. step-by-step instructions” Following the link to the “step-by-step” instructions will automatically reset the MX records back those that point at the Office 365 account. This will remove the CES cluster from the incoming traffic flow. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
8.
© 2017 Cisco
and/or its affiliates. All rights reserved.8 Routing Incoming Traffic from Cisco CES to Office 365 Incoming messages that have been filtered by CES need to be routed to the Office 365 Mailboxes. There are routing configurations that need to be addresses in both CES and Office 365, as shown in Figure 8. Figure 8. Routing Configurations Office 365 Incoming Message Flow MX Record Public Listener 68.232.161.26acme.mailprotection.outlook.com Exchange Online Mailboxes Cisco Cloud SMA DLP, A/V, A/S, Encryption ESA Cluster SMTP Route Recipient Access Table IP Allow List Mail Policies 1. Acme’s mail domain(s) need to be defined in Cisco’s CES Recipient Access Table (RAT). 2. In CES, the destination mail server’s (in EOP) FQDN needs to be associated with Acme’s mail domain. This requires configuring an SMTP Route in Cisco’s CES SMTP Route table. 3. The Sender Address in CES needs to be defined in an Office 365 IP Allow list. Note: The traffic for these steps is identified by the blue arrow in Figure 8. 4. In the CES cluster UI, click: Mail Policies > Recipient Access Table click: Add Recipient. Enter the recipient domain. In our example: acme.com. Click: Submit at the bottom right-hand side. See Figure 9. Figure 9. Adding the Recipient Domain 5. In the CES cluster UI, click: Network > SMTP Route. Click: Add Route. Enter the recipient domain and the FQDN for the destination mail server: acme.mail.protection.outlook.com. Note: This was the original MX record provided by Microsoft to our fictitious company, Acme Inc. Click: Submit at the bottom right-hand side of Figure 10. Click: Commit Changes. Note: We have not considered SMTP Call-Ahead. If you are concerned about verifying the recipient addresses of downstream Office 365 mailboxes, then see “Configuring SMTP Call-Ahead” in the AsyncOS User Guide. Figure 10. Adding an SMTP Route 6. The Sender Addresses of the CES cluster needs to be defined in an Office 365 IP Allow list. The public IP addresses of the ESA cluster, pointed to by MX records, will both receive inbound traffic from the internet and forward that traffic to Office 365. You can determine these IP addresses as shown in Figure 11. These can now be added to allow list in Office 365. The allow list will by: a. In the Exchange admin center (EAC) in Figure 12, navigate to Protection Connection filter, and then double-click the default policy, as shown in Figure 12 below. b. Click the Connection filtering menu item and then create the lists you want and choose the IP Allow list. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
9.
© 2017 Cisco
and/or its affiliates. All rights reserved.9 Figure 11. Determining IP Addresses Figure 12. Choosing the IP Allow List c. Commit your changes. If the MX records have been updated, then you should be able send an external message through CES and into your Office 365 mailbox. Note: An alternative to configuring a Connection Filter would be configuring a Connector. The difference with the latter is that you can set TLS restrictions on incoming connections from CES of TLS preferred or TLS required. With the Connection Filter, you cannot force TLS, since no TLS preference settings are available. But it will accept a TLS connection from CES anyway. For both methods of configuring O365, Anti-spam is disabled, but Anti-Virus (and ATP if licensed) are still available. This is important to consider since there is a low cost Cisco CES skew available that does not include anti-virus. See: https://technet.microsoft.com/en-us/library/jj937232(v=exchg.150). aspx#BKMK_HostedMailFlowWithThirdPartyCloud. For Enabling TLS from Cisco CES to Office 365 see: “Working with Destination Controls” in the User Guide. Troubleshooting Incoming Message Routing Troubleshooting is unnecessary if you have sent and received a test message that has passed though CES and into the Office 365 account. We would log into the CES appliance, telnet to the FQDN of your tenant (what was used as your MX record for O365), and perform a telnet test. But if not, then first verify that the SMTP route is correct as shown Figure 13. Figure 13. Verifying the SMTP Route Go to MX Toolbox to verify connectivity to your SMTP gateway, in the CES account, and that port 25 is available: http://mxtoolbox.com/. Note: Firewall rules typically block telnet from command line on port 25 to email gateways. Figure 14. Verifying Connectivity to the SMTP Gateway Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
10.
© 2017 Cisco
and/or its affiliates. All rights reserved.10 After verifying port 25 access with MX Toolbox, the next step is to verify that message traffic can be routed through the ESA cluster. An incoming email may be rejected by incorrectly configuring the RAT. Or a message could be dropped by a malformed policy. You can check these problems by searching for a lost message by using Message Tracking on the SMA, as shown on the right in Figure 15. For example, if this test message was dropped we could find out why by searching on the envelope sender and clicking on “Show Details”. If the same message is re-injected and processed several times without delivery, then the RAT entry does not have a matching SMTP route! Message Tracking requires a few minutes to resolve after sending the test message. Alternatively, you can simulate the processing of message using the Trace Tool as shown below in Figure 16. Figure 15. Searching for a Lost Message In ESA cluster UI, Click on: System Administration Trace. If you have access to the CES command line interface, then you can test SMTP connectivity from CES to O365 by telneting on port 25 to the FQDN of your O365 tenant address (what was used as your MX record for O365). Open two shells to you CES account, then initiate telnet from one while running “tail mail_logs” on the other. This allows you to immediately see any failures. To learn more about telnet on port 25, see: https://technet.microsoft.com/en-us/library/ bb123686(v=exchg.160).aspx. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
11.
© 2017 Cisco
and/or its affiliates. All rights reserved.11 Figure 16. Using the Trace Tool Also see CLI Troubleshooting Commands on page 23 of this guide. If you do not have CLI access, you can use the CES user interface as shown below. Messages received by CES but not delivered to O365 due to SMTP routing issues, will show up in the Delivery Status Report as an “Active Recipient” as shown below. Click: Monitor Delivery Status. With a malformed SMTP route, or if the receiving host down, the Host Status field in the delivery status would be Down. In Figure 17, the SMTP route to exchange.alpha.com is in error, but the routes to bce-acme.com and notes.alpha.com are correct. The record for exchange.alpha.com shows “3 Active Recipients”. This means that 3 messages are waiting in the CES delivery queue. The system will either retry to deliver a finite number of times and give up or deliver all of the queued messages when the route is fixed. This broken delivery would also show up in Message Tracking. Figure 17. Delivery Status Report Interface Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
12.
© 2017 Cisco
and/or its affiliates. All rights reserved.12 Message Tracking, as shown below in Figure 18, will indicate a malformed SMTP route, or downed host, for a message with “Message XXX queued for delivery” as the last record in the tracking report. If this MT reporting doesn’t change over time, then the SMTP route is incorrect or the host is down. This is shown in the report below, after clicking on the “Show Details” link. Figure 18. Message Tracking Office 365 Throttling of Partner IP addresses There are rare circumstances where Microsoft has not learnt newly established partner IP addresses. Even if you have configured your Office 365 account with a “Partner Connector” or an “IP Allow List”, they may throttle the traffic from the sending IP’s in your cluster, if those IPs are not established as known senders to Microsoft. In the CES user interface, this will show up in Delivery Status as follows: Figure 19. CES Cluster Delivery Status Report Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
13.
© 2017 Cisco
and/or its affiliates. All rights reserved.13 Here the CES recognizes protection.outlook.com as having a status of UP, but it continues to bounce many of the messages. Similarly in the CLI when using the Hoststatus command: HOSTSTATUS: hoststatus protection.outlook.com Host mail status for: ‘protection.outlook.com’ Status as of: Sat Dec 10 09:55:18 2016 GMT-5 Host up/down: up Recipients Sent: 188 Recipient Limit: 250 Minutes Left: 6 Counters: Queue Soft Bounced Events 2,029 Completion Completed Recipients 257 Hard Bounced Recipients 0 DNS Hard Bounces 0 5XX Hard Bounces 0 Filter Hard Bounces 0 Expired Hard Bounces 0 Other Hard Bounces 0 Delivered Recipients 257 Deleted Recipients 0 Office 365 Throttling of Partner IP addresses The resolution to this problem is to open a ticket with Microsoft. The following statements are from Microsoft Support addressing the throttling of our customer’s messages delivered from new IP addresses. These were assigned to the customer shortly after launching of our data center. Issue Statement Administrator has placed Cisco Anti Spam Appliance in front of Exchange Online Protection. Mail is now being queued up on Cisco Email Security. • Problem Scope We will consider this service request resolved once we’ve identified the issue with mail flow and resolved it or identified this is an issue with a third party appliance. Cisco Email Security presents the following error: 4.1.0 - Unknown address error (‘452’, [‘4.5.3 Too many recipients (AS780090) • Environment Cisco Cloud Email Security http://www.cisco.com/web/products/security/cloud_email/index.html • Root Cause New IP’s that are not recognized by Exhange Online are throttled from sending large counts of messages until a reputation can be built for them. The article below explains this throttling process. Office 365 Releases IP Throttling https://blogs.msdn.microsoft.com/tzink/2015/01/07/ office-365-releases-ip-throttling/ We observed that even though the Cisco Email Security IP addresses were added to the Inbound Connector of Office 365 the messages were being throttled. The messages sent did not exceed any of the Exchange Online Limitaions posted here. Receiving and Sending Limits https://technet.microsoft.com/en-us/library/exchange-online-limits. aspx#Anchor_5 • Resolution The antispam product engineering team added the IP addresses from the Cisco Email Secuity solution to the our backend IP Throttling Bypass list. This is a backend process that only they can perform for tenants. Currently there is not a way for our customers to update this list. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
14.
© 2017 Cisco
and/or its affiliates. All rights reserved.14 If a message has been delivered from your Cisco CES account to Office 365, but it has not been received in the recipient mailbox, you can determine how it was remediated in Office 365 by using Office 365 Message Trace. In the following example, we have sent a message through CES to an O365 recipient that does not exist. Since the domain is correct, and routing in CES configured correctly the message forwarded successfully to Office 365 where it is dropped. To find out what happened, go to Exchange admin center, as shown in Figure 19 below. Click: mail flow message trace. As shown below in Figure 19, we entered the senders address, indicated delivery status as Failed and ran the search. The report indicates why the message wasn’t delivered and that an NDR report was returned. Figure 20. Exchange Admin Center Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
15.
© 2017 Cisco
and/or its affiliates. All rights reserved.15 Routing Outbound Traffic from Office 365 to Cisco Cloud Email Security Acme’s executive staff has made it clear they want email leaving the organization to adhere to various government regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes- Oxley Act. To accomplish this, they route outbound email through the Cisco cloud, where policies are enforced using RSA DLP modules as well as the integrated Cisco Email Encryption. Note, RSA will be replaced with Cisco Data Loss Prevention that has at least equivalent features and functionality to RSA’s DLP. To route the email messages from Office 365 mailboxes to Cisco, three requirements must be met, as listed and shown below in Figure 21: • A secondary private interface must be configured on the customer’s CES account to receive EOP traffic. • An Outbound Connector must be configured in the EOP system that treats CES as a “smart host”. • A Transport Rule must be configured in EOP that identifies what outbound traffic is routed to CES. Figure 21. Enforcing Policies Office 365 Public Listener 68.232.161.126 acme.mailprotection.outlook.com Exchange Online Outgoing Message Flow Mailboxes Transport Rule Connector Cisco Cloud SMA DLP, A/V, A/S, Encryption ESA Cluster Smart Host ob1.acme-com.c3s2.iphmx.com RELAYLIST .protection.outlook.com A secondary interface must be configured on the customer’s CES account Standard CES accounts have two ESAVs, each with one interface to accommodate both incoming and outgoing mail flow. However, CES implementations that relay outgoing mail from O365 will require a secondary interface. The reason is that sending outgoing mail flow from one customer in a multitenant environment requires that multiple sending IPs be used. ACME’s O365 account may send on address A on one day and address B on another day. The choice of sending IP address is made by Microsoft’s infrastructure and not ACME. This means that the domain “.protection.outlook.com” that all Office 365 IP addresses reside in must be defined in the RELAYLIST of ACME’s CES account. However, this also means in theory that any Office 365 customer could use ACME’s CES relay interface. We avoid this by keeping the 2nd interface private (not advertised in ACME’s MX records). Since this topology is unique to routing outbound from Office 365, a 2nd interface requires a support ticket. Figure 22 below shows how to verify both outbound interfaces for acme.com. Note that this record was not visible when we performed an MX record lookup for acme.com back in Figure 13, which is as it should be. Figure 22. Verifying Outbound Interfaces An outbound connector must be configured in the EOP system 1. In the EOP Admin Center, select Exchange, then go to Mail Flow and click Connectors. (See Figure 23.) 2. In the Connectors, select Outbound Connectors and then Add. 3. On the “Select your mail flow scenario” page, choose the following: a. From: Office 365 b. To: Partner Organization Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
16.
© 2017 Cisco
and/or its affiliates. All rights reserved.16 Figure 23. Adding a Connector 4. On the New connector page (you will be presented with several sub configuration pages) Figure 24. Adding the Route a. Name: Outbound to Cisco Cloud provide a description, b. Click: Next c. When do you want to use this connector? Choose: Only when I have a transport rule set up that redirect’s messages to this connector. Click: Next d. How do you want to route email messages? Select: Route email through these smart hosts. e. Click: Add and add the route pointing to the Secondary interface. In our example: ob1.acme-com.c3s2.iphmx.com f. Click: Save g. Click: Next h. How should Office 365 connect to your partner organization’s email server? -- Always use Transport Layer Security (TLS) to secure the connection -- Any digital certificate, including self-signed certificates Note: If your Office 365 account has a certificate issued by a trusted authority, then we recommend that option. i. In the summary page, verify the New Connector Settings and click: Next. j. Click: Validate this connector. Reason for Failure: Outgoing Relay has not been configured in CES. Clicking on the Details will provide specifics. Figure 25. Verifying the Settings Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
17.
© 2017 Cisco
and/or its affiliates. All rights reserved.17 5. Log into your CES account and configure the domain .protection.outlook.com in the RELAYLIST of the OutgoingMail listener. See Figures 26 and 27. a. Click: Network Listeners. b. Select: HAT for OutgoingMail. c. Click the Send Group named: RELAYLIST. d. In the RELAYLIST click: Add Sender. e. Add the Sender: .protection.outlook.com. f. Click: Submit and Commit changes. Figure 26. Configuring the Listener 6. On the New Connector page, click: Validate this connector again. The STATUS should indicate Succeeded for each of the tasks. Figure 24 as shown in Figure 26. But that is only a port test from the new connector to CES. Note: Outbound message delivery through the new connector will still not occur until an O365 Transport Rule is configured. Figure 27. Adding a Sender Figure 28. Validating the Connector A Transport Rule must be configured in EOP that identifies what outbound traffic is routed to CES. 7. As shown in Figure 29, in the Exchange Admin Center, click: Mail flow Rules. 8. Click on the “+” symbol and choose “Create a New Rule”. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
18.
© 2017 Cisco
and/or its affiliates. All rights reserved.18 Figure 29. Adding a Mail Flow Rule 9. As shown in Figure 30, name the Rule: Outbound Mailflow through CES 10. In the drop-down menu: Apply this rule if: Select: -- Sender is located … -- Inside the organization Note: Since the menus at this point are cascaded, there may be delay in resolving. Figure 30. Applying the Rule 11. As shown in Figure 31, In the drop-down menu Do the following, Select: -- Redirect the message to … -- The following connector -- Connector: Outbound to Cisco Cloud 12. Click: Save at the bottom right of the rule menu. Figure 31. Redirecting the Message Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
19.
© 2017 Cisco
and/or its affiliates. All rights reserved.19 Troubleshooting Outgoing Message Routing Send a test message from an Office 365 account to an external destination. If it gets lost along the path, you can use the tools; Message Trace in Office 365 and Message Tracking in Cisco Cloud Email Security to determine where the message was lost. Figures 30 and 31 below are Message Trace and Message Tracking respectively for the same message. Note that CES performs AV check for outbound delivery, but O365 does not. Figure 32. Microsoft Office 365 Message Trace If Office 365 is not able to connect to the IronPort, then there are two things to be verified: • Is the domain: .protection.outlook.com defined in the RELAYLIST for the CES listener OutgoingMail? See Figure 24. • Do the TLS settings between the O365 connector and the ob1.acme- com.c3s2.iphmx.com interface agree? See configuring Outbound Connector on pg 15. If Office 365 is able to connect but the message is dropped in the CES workflow, then that event will show up in message tracking, or in the mail logs if you have CLI access. One possible cause would be miss- application of the message filter: BEC_From_O365 discussed later in the section: Preventing an Open Relay Through Office 365. Figure 33. Cisco CES Message Tracking Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
20.
© 2017 Cisco
and/or its affiliates. All rights reserved.20 Preventing an Open Relay Through Office 365 The Office 365 gateway is used for outbound routing can change for a customer, depending on internet conditions and geography. We illustrate this in Figure 34 below. The same gateway may even be used by multiple customers, a consequence of a multi-tenant environment. Microsoft probably secures its customers traffic flow so that one customer cannot use another customer’s smart host to relay its outbound traffic. Furthermore, Cisco does not advertise the MX record for the private interface on a CES account. However, for some customers’ additional security is required. TLS will secure the communication between the “MS Host” gateways (MS Host1/2 Figure 32) and the CES account. But unless MS has built in routing security measures, there is the possibility of a rogue customer’s traffic using the same TLS channel, spoofing the legitimate customers’ domain name and relaying off of that customer’s smart host. If such a scam on Acme.com were possible, significant damage could be done to their partner and customer relationships. Figure 34. A Change in Outbound Routing MS Host1 Cisco Cloud SMA DLP, A/V, A/S, Encryption ESA Cluster Acme.com Tenant String: 4b75c95205f94cbd1e307464c685a9ed Office 365 Multitenant Environment Preventing an Open Relay from Office 365 MS Host2 .protection.outlook.com Ob1.acme-com.c3s2.iphmx.co TLS Acme can mitigate this risk by configuring a message filter in their CES account that only allows outgoing mail flow from the domain: bce- demo.com AND the mail flow’s messages contain a unique string in an x-header. This unique string can be set in an X-header by using an Office 365 transport rule. Messages that fail the message filter will be dropped, and their activity recorded in reports. Those that pass will have their string removed and processed for outbound delivery. There are several hashing methods for creating this private string that can be associated with a domain, some are much harder to crack than others. If you are concerned about a brute force attack on your domain’s string, then please consult stronger cryptography methods than we list here. For our example we use MD5 hash: MD5 of (bce-acme.com) = 4b75c95205f94cbd1e307464c685a9ed This tool can be accessed at: http://md5-hash-online.waraxe.us/. For referencing in our O365 Transport Rule, and CES message filter, our Unique_String = 4b75c95205f94cbd1e307464c685a9ed Configuring a Transport Rule for Setting Unique String in X-Header 1. In Exchange Admin dashboard, click: Mail flow Rules. 2. Click on the “+” symbol and choose “Create a New Rule” 3. As shown in Figure 35, name the Rule: “Set Header X Tennant on..” 4. At the bottom-left side of the screen click: “More options…” More options allow you to pick the needed one for the next step. 5. In the drop-down menu: “*Apply this rule if..”, Click: The Sender.. - domain is - Add Domain Note: If your organization has multiple domains whose traffic is relayed through the CES, then all of them should be listed here. Figure 35. Creating a Rule Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
21.
© 2017 Cisco
and/or its affiliates. All rights reserved.21 6. See Figure 34. In the drop-down menu: “*Do the following..”, Click: Modify the message properties.. - set a message header - Add Message Header. a. Specify the header name: X-Tennant b. Specify the header value: Unique_String 7. Click: Save at the bottom-right hand side of the menu. 8. You should wait 10 minutes before seeing any changes to the outgoing messages. At that time, send a test message to an external mailbox to verify the X-Tennant string is present. Figure 36. Modifying the Message Properties 9. Using Outlook, you can view an X-header by going to: Message File - Properties , as shown in Figure 37. For more information, see: https://blogs.technet.microsoft.com/eopfieldnotes/2014/11/20/ easily-tell-which-transport-rules-a-message-triggered/ Figure 37. Viewing the X-Header Configuring a Message Filter in CES to Prevent an Open Relay from Office 365 10. Figure 36 represents a message filter designed to prevent open relayed traffic. This can be entered to your Cisco CES cluster by first: a. Opening an SSH session to the Cisco OPs Server. b. From OPs server, performing SSH to your CES cluster. c. If your O365 account has more than one domain that send through your CES account, you can modify line 6 of this code as follows: (mail-from != ‘@bce-acme.com$|@bce-acme2.com$’) where “|” is a logical OR. But any list of Office 365 domains described here must be matched in the transport rule described in Figure 33. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
22.
© 2017 Cisco
and/or its affiliates. All rights reserved.22 Figure 38. Preventing Open Relayed Traffic 11. Once BEC_From_O365 is set and active, send outbound test messages to verify its operation. You can simulate failures by changing one character in the X-Tennant string Figure 34. Also verify that the filter has no effect on incoming traffic. 12. To keep the X-Tennant string private, you can use the filter: Remove_Tennant_String in Figure 39. Figure 39. Keeping the String Private 13. You can track your test activing using Reports on the SMA appliance. Go to: Email - Monitor - Message Filters Ours is shown in Figure 40. Figure 40. Monitoring Activity Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
23.
CLI Troubleshooting Commands Use
these commands for troubleshooting mail routing issues during CES to Office 365 setup. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C07-738366-01 10/17 grep [-C count] [-e regex] [-i] [-p] [-t] [regex] log_name The grep command can be used to search for text strings within logs. A combination of whole words and Regular Expressions can be used (ex. grep “Tue Nov 29 17:[1-3].*” mail_logs). logconfig Configures access to log files. findevent Find events in mail log files. tophosts mail3.example.com tophosts Sort results by: 1. Active Recipients 2. Connections Out 3. Delivered Recipients 4. Hard Bounced Recipients 5. Soft Bounced Events [1] 1 To get immediate information about the email queue and determine if a particular recipient host that CES is delivering to has receiving problems such as a queue buildup. Command returns a list of the top 20 recipient hosts in the queue. hoststatus Use this command in conjunction with tophosts. Get the status of the given hostname. showrecipients Use this command, in conjunction with tophosts, will provide you with a list of queued messages from a specific domain. tlsverify Establish an outbound TLS connection on demand and debug any TLS connection issues concerning a destination domain. tail Continuously display the end of a log file. The tail command also accepts the name or number of a log to view as a parameter: tail 9 or tail mail_logs. network SMTPPING Can be used in place of telnet on port 25. Used for verifying SMTP connectivity to a remote mail server or mail gateway. topin Display the top hosts by number of incoming connections. nslookup Command can confirm that the appliance is able to reach and resolve hostnames and IP addresses from a working DNS (domain name service) server. Cisco Email Security How–to Guide Configure Message Routing Between Cisco Cloud Email Security and Office 365 Cisco Public
Download now