Configuring Office 365 (Microsoft) with Cisco Cloud Email Security (CES)


Post on 24-Mar-2020


Contents

- Introduction
- Prerequisites
- Requirements
- Components Used
- Background Information
- Configuring Office 365 (Microsoft) with Cisco Cloud Email Security (CES)
- Configure Incoming Email in Office 365 from CES
- Configure Mail from CES to Office 365
- Configure Outgoing Email from Office 365 to CES
- Related Information

Introduction

This document covers the steps required to integrate Cisco Cloud Email Security (CES) with Microsoft Office 365 (O365), for inbound and outbound email delivery.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

- CES
- CLI access to your CES environment: CES Customer CLI Access
- Microsoft Office 365
- SMTP
- DNS

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Your Cisco Cloud Email Security welcome letter includes your CES IP addresses and other pertinent information. If you have not received or do not have a copy of the letter, please contact [email protected] with your contact information, customer name, and domain name under service.

    

The IPs are dedicated to each client and are not likely to change without notification. You can use the assigned IPs or hostnames in the Office 365 configuration.

    

Note: It is highly recommended that you test these settings well before any planned production mail cut-over, because settings may take time to replicate in the Office 365 Exchange Online console. At a minimum, allow 1 hour for all changes to take effect.

    

    

Configuring Office 365 (Microsoft) with Cisco Cloud Email Security (CES)

Configure Incoming Email in Office 365 from CES

Receiving Connector

1. Log in to the Office 365 Admin Center (https://portal.microsoft.com)
2. In the left-hand menu, expand Admin Centers
3. Click Exchange
4. From the left-hand menu, navigate to mail flow > connectors
5. Click [+] to create a new connector
6. In the “Select your mail flow scenario” pop-up window, choose the following:
   From: Partner organization
   To: Office365
7. Click Next
8. Enter in a name for your new connector: Inbound from Cisco CES
9. Enter a description, if you wish
10. Click Next
11. Click Use the sender’s IP address
12. Click Next
13. Click [+] and enter the IP addresses that are indicated in your CES welcome letter
14. Click Next
15. Select Reject email messages if they aren't sent over TLS
16. Click Next
17. Click Save

You should have something similar to the following:

  


  

Configure Mail from CES to Office 365

  

Destination Controls

Impose a self-throttle by adding a delivery domain to Destination Controls. This can be removed later, but these are “new” IPs to Office 365, and we do not want any throttling by Microsoft due to their unknown reputation.

1. Log in to your Email Security Appliance (ESA) in CES
2. Navigate to Mail Policies > Destination Controls
3. Click Add Destination
4. Use the following settings:
   Destination: enter your domain name
   Concurrent Connections: 10
   Maximum Messages Per Connection: 20
   TLS Support: Preferred
5. Click Submit
6. Click Commit Changes in the upper right hand of the UI to save your configuration changes

    

Your final Destination Control Table should look similar to:

  

    

Recipient Access Table

Next, set the Recipient Access Table (RAT) to accept mail for your domains:

1. Navigate to Mail Policies > Recipient Access Table (RAT)
   Note: Make sure the Listener is for "Incoming Listener" or "IncomingMail"
2. Click Add Recipient
3. Add your domains in the Recipient Address field
4. Select the default action of Accept
5. Click Submit
6. Click Commit Changes in the upper right hand of the UI to save your configuration changes

         

The example shown is for the domain "domain.com":

  

    

SMTP Routes

You will need to set the SMTP route to deliver mail from CES to your Office 365 domain:

1. Navigate to Network > SMTP Routes
2. Click Add Route...
3. Receiving Domain: enter your domain name
4. Destination Hosts: add your original Office 365 MX record
5. Click Submit
6. Click Commit Changes in the upper right hand of the UI to save your configuration changes

    

Your final SMTP Route Settings should look similar to:


    

DNS (MX record) Configuration

At this point, you are ready to cut over the domain through a Mail Exchange (MX) record change. Work with your DNS administrator to resolve your MX records to the IP addresses for your CES as provided in your Cisco CES welcome letter.

You will want to verify the change to the MX record from your Office 365 console as well:

1. Log in to the Office 365 Admin console (https://admin.microsoft.com)
2. Navigate to Home > Setup > Domains
3. Select your default domain name
4. Click Check DNS

     

You will see the current "MX Records" according to how Office 365 looks up your DNS and MX records associated with your domain:

    


    

Note: Ignore the warning above: “One or more of these records haven’t been added correctly yet. step-by-step instructions." Following the “step-by-step instructions" will reset the MX records to what was originally configured to redirect to your Office 365 account. Doing so will remove the CES cluster from the incoming traffic flow.

    

Testing Inbound Email

Test inbound mail by sending a message to your Office 365 email address. Check to see that it arrives in your Office 365 email inbox.

Validate the mail logs by using Message Tracking on your Cisco Content Security Management Appliance (SMA) provided with your CES service.

To see mail logs on your SMA:

1. Log in to your SMA (https://sma.iphmx.com/ng-login)
2. Click Tracking
3. Enter the needed search criteria and click Search; you should see results similar to:

    

To see mail logs in Office 365:

1. Log in to the Office 365 Admin Center (https://admin.microsoft.com)
2. Expand Admin Centers
3. Click Exchange
4. Navigate to mail flow > message trace
5. Enter the needed search criteria and click search; you should see results similar to:

  

    

Configure Outgoing Email from Office 365 to CES


  

Configure RELAYLIST in CES

Please refer to your CES welcome letter. A secondary interface will be specified for outbound messages via your ESA.

  

1. Log in to your Email Security Appliance (ESA) in CES
2. Navigate to Mail Policies > HAT Overview
   Note: Make sure the Listener is for "Outgoing Listener" or "OutgoingMail"
3. Click Add Sender Group...
4. Configure the Sender Group as:
   Name: RELAY_O365
   Comment: enter if you wish to notate your sender group
   Policy: RELAYED
   Click Submit and Add Senders
   Sender: .protection.outlook.com
   Note: The "." (dot) at the beginning of the sender domain name is required
   Click Submit
   Click Commit Changes in the upper right hand of the UI to save your configuration changes

  

Your final SMTP Route Settings should look similar to:

  

  


Enable TLS

1. Click << Back to HAT Overview
2. Click the Mail Flow Policy named: RELAYED
3. Look for the Security Features > Encryption and Authentication
4. In the TLS section, choose: Preferred
5. Click Submit
6. Click Commit Changes in the upper right hand of the UI to save your configuration changes

  

  

    

Configure Mail from Office 365 to CES

1. Log in to the Office 365 Admin Center (https://admin.microsoft.com)
2. Expand Admin Centers
3. Click Exchange
4. Navigate to mail flow > connectors
5. Click [+] to create a new connector
6. In the “Select your mail flow scenario” pop-up window, choose the following:
   From: Office365
   To: Partner organization
7. Click Next
8. Enter in a name for your new connector: Outbound to Cisco CES
9. Enter a description, if you wish
10. Click Next
11. For "When do you want to use this connector?"
    Select: Only when I have a transport rule set up that redirects messages to this connector
    Click Next
12. Click Route email through these smart hosts
13. Click [+] and enter the outbound IP addresses or hostnames that are indicated in your CES welcome letter
14. Click Save
15. Click Next
16. For "How should Office 365 connect to your partner organization's email server?"
    Select: Always use Transport Layer Security (TLS) to secure the connection (recommended)
    Select Any digital certificate, including self-signed certificates
    Click Next
17. You will be presented the confirmation screen
18. Click Next
19. Use [+] to enter in a valid email address for validating your connector and click OK
20. Click Validate and allow the validation to run
21. Once complete, click Close
22. Click Save

     

Your outbound connector setting should look similar to:

  

    

Create a Mail Flow Rule

1. Log in to your Exchange admin center (https://outlook.office365.com)
2. Click on mail flow; you should be on the ‘rules’ tab
3. Click [+] to add a new rule
4. Select Create a new rule
5. Enter in a name for your new rule: Outbound to Cisco CES
6. For “*Apply this rule if...”, select: The sender is located...
   For the “select sender location” pop-up, select: Inside the organization
   Click OK
7. Click More options...
8. Click add condition button and insert a second condition
   Select: The recipient...
   Select: Is external/internal
   For the “select sender location” pop-up, select: Outside the organization
   Click OK
9. For “*Do the following...”, select: Redirect the message to...
   Select: the following connector
   And select your “Outbound to Cisco CES” connector
   Click OK
10. Return to “*Do the following...”, and insert a second action:
    Select: Modify the message properties...
    Select: set the message header
    Set the message header: X-OUTBOUND-AUTH
    Click OK
    Set the value: mysecretkey
    Click OK
11. Click Save

Note: To prevent unauthorized messages from Microsoft, a secret x-header can be stamped when messages leave your Office 365 domain; this header is then evaluated and removed before delivery to the Internet.

    

Your Office 365 Routing configuration should look similar to:

         

Finally, access the CLI for your ESA.  

     

Note: CES Customer CLI Access

     

You will need to create a message filter that inspects the presence and value of the x-header. If the header is present with the expected value, the filter removes it; if the header is missing or its value does not match, the filter drops the message.

1. Log in to your Email Security Appliance (ESA) in CES via the CLI
2. Run the Filters command
3. As your ESA is clustered in CES, hit return to edit the filters in "Cluster" mode
4. Use the New operation to create the following message filter, copy and paste:

    office365_outbound: if sendergroup == "RELAY_O365" {
        if header("X-OUTBOUND-AUTH") == "^mysecretkey$" {
            strip-header("X-OUTBOUND-AUTH");
        } else {
            drop();
        }
    }

5. Hit return one time to create a new, blank line
6. Enter "." on the new line to end creating your new message filter
7. Hit return one time to exit the Filters menu
8. Run the Commit command to save the changes to your configuration
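The filter's decision logic, modelled in Python as an added example (not Cisco's code and not part of the original document): it shows why the pattern is anchored with ^ and $, why the sender entry needs its leading dot, and how to generate a random value to use in place of the sample mysecretkey. The hostname-suffix matching, the function names and the sample connections are assumptions constructed for illustration.

```python
import re
import secrets

HEADER = "X-OUTBOUND-AUTH"                  # header name used on this page
RELAY_SUFFIX = ".protection.outlook.com"    # RELAY_O365 sender entry, leading dot included

def new_shared_secret(nbytes=32):
    """Random hex value to stamp in place of the page's sample 'mysecretkey'."""
    return secrets.token_hex(nbytes)

def filter_pattern(secret):
    """Anchored regex for the filter's header() test; re.escape keeps the value literal."""
    return "^" + re.escape(secret) + "$"

def in_relay_o365(client_hostname):
    """Assumed model of the leading-dot sender entry: hosts under the domain match."""
    return client_hostname.lower().endswith(RELAY_SUFFIX)

def office365_outbound(client_hostname, headers, pattern):
    """Model of the office365_outbound filter; returns (action, headers_after)."""
    if not in_relay_o365(client_hostname):
        return "not-applicable", headers    # filter only covers RELAY_O365
    name = HEADER.lower()
    values = [v for k, v in headers if k.lower() == name]
    if any(re.search(pattern, v) for v in values):
        # strip-header(): the secret must not travel on to the Internet
        return "deliver", [(k, v) for k, v in headers if k.lower() != name]
    return "drop", headers                  # header missing or value mismatch

# Constructed sample connections: (verified client hostname, message headers)
SAMPLES = [
    ("mail-a1.outbound.protection.outlook.com", [("Subject", "ok"), (HEADER, "mysecretkey")]),
    ("mail-a1.outbound.protection.outlook.com", [("Subject", "no header")]),
    ("mail-a1.outbound.protection.outlook.com", [(HEADER, "xmysecretkeyx")]),
    ("notprotection.outlook.com", [(HEADER, "mysecretkey")]),
]

def run_samples(secret="mysecretkey"):
    """Apply the modelled filter to every constructed sample and list the actions."""
    pattern = filter_pattern(secret)
    return [office365_outbound(host, hdrs, pattern)[0] for host, hdrs in SAMPLES]

if __name__ == "__main__":
    for (host, _), action in zip(SAMPLES, run_samples()):
        print(f"{action:15} {host}")
```

The third sample would pass an unanchored pattern, and the fourth would match a sender entry written without the leading dot.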

    

Testing Outbound Email  

     

Test outbound mail by sending a message from your Office 365 email address to an external domain recipient. You can review message tracking from your SMA to ensure it was routed outbound properly.

  

Example of message tracking where the x-header does not match:

    

Example of message tracking with successful delivery:


  

    

Related Information

Technical Support & Documentation - Cisco Systems