Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Configuring Office 365 (Microsoft) with Cisco Cloud Email Security (CES)

Available Languages

Download Options

  • PDF     (644.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (721.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (455.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 1, 2021
Document ID:214812

Introduction

This document covers the steps required to integrate Cisco Cloud Email Security (CES) with Microsoft Office 365 (O365), for inbound and outbound email delivery.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Your Cisco Cloud Email Security welcome letter includes your CES IP addresses and other pertinent information. In addition to the letter which you see below, you will also receive an encrypted email that provides you with additional details on the number of Email Security Appliances (ESA) and Security Management Appliances (SMA) provisioned for your CES allocation. If you have not received or do not have a copy of the letter, please contact ces-activations@cisco.com with your contact information, customer name, and domain name under service.

     

The IPs are dedicated to each client and are not likely to change without notification. You can use the assigned IPs or hostnames in the Office 365 configuration.

     

Note: It is highly recommended that you test these settings well before any planned production mail cut-over, because settings may take time to replicate in the Office 365 Exchange Online console. At a minimum, allow 1 hour for all changes to take effect.

     

Note: The IP addresses that you see in the screenshot above would be proportional to the number of ESA's which are provisioned to your CES allocation. For example, xxx.yy.157.139 would be the Data 1 interface IP address for ESA1, and xxx.yy.158.153 would be Data 1 interface IP address of ESA2. If your welcome letter does not include information for Data 2 (Outgoing interface IPs), please contact Cisco TAC to get the Data 2 interface added for your CES allocation

     

Configuring Office 365 (Microsoft) with Cisco Cloud Email Security (CES)

Configure Incoming Email in Office365 from CES

Bypass Spam Filtering Rule

  1. Log-in to the Office 365 Admin Center (https://portal.microsoft.com)
  2. In the left-hand menu, expand Admin Centers
  3. Click Exchange
  4. From the left-hand menu, navigate to mail flow > rules
  5. Click [+] to create a new rule
  6. Select Bypass spam filtering... in the drop-down list
  7. Enter in a name for your new rule: Bypass spam filtering - inbound email from Cisco CES
  8. For “*Apply this rule if...”, select: The sender - IP address is in any of these ranges or exactly matches
    • For the “specify IP address ranges” pop-up, add the IP addresses that are indicated in your CES welcome letter
    • Click OK
  9. For “*Do the following...”, the new rule has pre-selected: Set the spam confidence level (SCL) to... - Bypass spam filtering
  10. Click Save

Your bypass spam filtering rule should look similar to the following:

Receiving Connector

  1. Remain in the Exchange Admin Center
  2. From the left-hand menu, navigate to mail flow > connectors
  3. Click [+] to create a new connector
  4. In the "Select your mail flow scenario" pop-up window, choose the following:
    • From: Partner organization
    • To: Office365
  5. Click Next
  6. Enter in a name for your new connector: Inbound from Cisco CES
  7. Enter a description, if you wish
  8. Click Next
  9. Click Use the sender's IP address
  10. Click Next
  11. Click [+] and enter the IP addresses that are indicated in your CES welcome letter
  12. Click Next
  13. Select Reject email messages if they aren't sent over TLS
  14. Click Next
  15. Click Save

Your receiving connector setting should have similar to the following:

Configure Mail from CES to Office 365

  

Destination Controls

Impose a self-throttle by adding a delivery domain to Destination Controls. This can be removed later, but these are “new” IPs to Office 365, and we do not want any throttling by Microsoft due to their unknown reputation.

  1. Log-in to your ESA in CES
  2. Navigate to Mail Policies > Destination Controls
  3. Click Add Destination
  4. Use the following settings:
    1. Destination: enter your domain name
    2. Concurrent Connections: 10
    3. Maximum Messages Per Connection: 20
    4. TLS Support: Preferred
  5. Click Submit
  6. Click Commit Changes in the upper right hand of the UI to save your configuration changes 

     

Your final Destination Control Table should look similar to:

  

     

Recipient Access Table

Next, set the Recipient Access Table (RAT) to accept mail for your domains:

  1. Navigate to Mail Policies > Recipient Access Table (RAT)
    • Note: Make sure the Listener is for "Incoming Listener" or "IncomingMail"
  2. Click Add Recipient
  3. Add your domains in the Recipient Address field
  4. Select the default action of Accept
  5. Click Submit
  6. Click Commit Changes in the upper right hand of the UI to save your configuration changes  

          

The example shown is for the domain "domain.com":

  

     

SMTP Routes

You will need to set the SMTP route to deliver mail from CES to your Office 365 domain:

  1. Navigate to Network > SMTP Routes
  2. Click Add Route...
  3. Receiving Domain: enter your domain name
  4. Destination Hosts: add your original Office 365 MX record
  5. Click Submit
  6. Click Commit Changes in the upper right hand of the UI to save your configuration changes   

     

Your final SMTP Route Settings should look similar to:

     

DNS (MX record) Configuration

At this point, you are ready to cut over the domain through a Mail Exchange (MX) record change. Work with your DNS administrator to resolve your MX records to the IP addresses for your CES as provided in your Cisco CES welcome letter.

You will want to verify the change to the MX record from your Office 365 console as well:

  1. Log-in to the Office 365 Admin console (https://admin.microsoft.com)
  2. Navigate to Home > Setup > Domains
  3. Select your default domain name
  4. Click Check DNS

     

You will see the current "MX Records" according to how Office 365 looks up your DNS and MX records associated with your domain:

     

     

Note: Ignore the warning above: “One or more of these records haven’t been added correctly yet. step-by-step instructions."  Following the “step-by-step instructions" will reset the MX records to what was originally configured to redirect to your Office 365 account. Doing so will remove the CES cluster from the incoming traffic flow.

     

Testing Inbound Email

Test inbound mail by sending a message to your Office 365 email address. Check to see that it arrives in your Office 365 email inbox.

Validate the mail logs by using Message Tracking on your Cisco Content Security Management Appliance (SMA) provided with your CES service.

To see mail logs on your SMA:

  1. Log-in to your SMA (https://sma.iphmx.com/ng-login)
  2. Click Tracking
  3. Enter the needed search criteria and click Search; you should see results similar to:

     

To see mail logs in Office 365:

  1. Log-in to the Office 365 Admin Center (https://admin.microsoft.com)
  2. Expand Admin Centers
  3. Click Exchange
  4. Navigate to mail flow > message trace
  5. Enter the needed search criteria and click search; you should see results similar to:

  

     

Configure Outgoing Email from Office 365 to CES

  

Configure RELAYLIST in CES

Please refer to your CES welcome letter. A secondary interface will be specified for outbound messages via your ESA.

  

  1. Log-in to your ESA in CES
  2. Navigate to Mail Policies > HAT Overview
    • Note: Make sure the Listener is for "Outgoing Listener" or "OutgoingMail"
  3. Click Add Sender Group...
  4. Configure the Sender Group as:
    1. Name: RELAY_O365
    2. Comment:  enter if you wish to notate your sender group
    3. Policy: RELAYED
    4. Click Submit and Add Senders
    5. Sender: .protection.outlook.com
      • Note: The "." (dot) at the beginning of the sender domain name is required
    6. Click Submit
    7. Click Commit Changes in the upper right hand of the UI to save your configuration changes      

  

Your final SMTP Route Settings should look similar to:

  

  

Enable TLS

  1. Click << Back to HAT Overview
  2. Click the Mail Flow Policy named: RELAYED
  3. Look for the Security Features > Encryption and Authentication
  4. In the TLS section, choose: Preferred
  5. Click Submit
  6. Click Commit Changes in the upper right hand of the UI to save your configuration changes      

  

  

     

Configure Mail from Office 365 to CES

  1. Log-in to the Office 365 Admin Center (https://admin.microsoft.com)
  2. Expand Admin Centers
  3. Click Exchange
  4. Navigate to mail flow > connectors
  5. Click [+] to create a new connector
  6. In the “Select your mail flow scenario” pop-up window, choose the following:
    • From: Office365
    • To: Partner organization
  7. Click Next
  8. Enter in a name for your new connector: Outbound to Cisco CES
  9. Enter a description, if you wish
  10. Click Next
  11. For "When do you want to use this connector?"
    • Select: Only when I have a transport rule set up that redirects messages to this connector
    • Click Next
  12. Click Route email through these smart hosts
  13. Click [+] and enter the outbound IP addresses or hostnames that are indicated in your CES welcome letter
  14. Click Save
  15. Click Next
  16. For "How should Office 365 connect to your partner organization's email server?"
    • Select: Always use Transport Layer Security (TLS) to secure the connection (recommended)
    • Select Any digital certificate, including self-signed certificates
    • Click Next
  17. You will be presented the confirmation screen
  18. Click Next
  19. Use [+] to enter in a valid email address for validating your connector and click OK
  20. Click Validate and allow the validation to run
  21. Once complete, click Close
  22. Click Save

     

Your outbound connector setting should look similar to:

  

     

Create a Mail Flow Rule

  1. Log-in to your Exchange admin center (https://outlook.office365.com)
  2. Click on mail flow; You should be on the ‘rules’ tab
  3. Click [+] to add a new rule
  4. Select Create a new rule
  5. Enter in a name for your new rule: Outbound to Cisco CES
  6. For “*Apply this rule if...”, select: The sender is located...
    • For the “select sender location” pop-up, select: Inside the organization
    • Click OK
  7. Click More options...
  8. Click add condition button and insert a second condition
    • Select: The recipient...
    • Select: Is external/internal
    • For the “select sender location” pop-up, select: Outside the organization
    • Click OK
  9. For “*Do the following...”, select: Redirect the message to...
    • Select: the following connector
    • And select your “Outbound to Cisco CES” connector
    • Click OK
  10. Return to “*Do the following...”, and insert a second action:
    • Select: Modify the message properties...
    • Select: set the message header
    • Set the message header: X-OUTBOUND-AUTH
    • Click OK
    • Set the value: mysecretkey
    • Click OK
  11. Click Save

  

Note: To prevent unauthorized messages from Microsoft, a secret x-header can be stamped when messages leave your Office 365 domain; this header is then evaluated and removed before delivery to the Internet.

     

Your Office 365 Routing configuration should look similar to:

          

Finally, access the CLI for your ESA.  

     

NoteCES Customer CLI Access

     

You will need to create a message filter to inspect the presence and value of the x-header and remove the header if exists. If no header exists, drop the message.

  1. Log-in to your ESA in CES via the CLI
  2. Run the Filters command
  3. As your ESA is clustered in CES, hit return to edit the filters in "Cluster" mode
  4. Use the New operation to create the following message filter, copy, and paste: 
    office365_outbound: if sendergroup == "RELAY_O365" {
    if header("X-OUTBOUND-AUTH") == "^mysecretkey$" {
    strip-header("X-OUTBOUND-AUTH");
    } else {
    drop();
    }
    }
  5. Hit return one time to create a new, blank line
  6. Enter "." on the new line to end creating your new message filter
  7. Hit return one time to exit the Filters menu
  8. Run the Commit command to save the changes to your configuration

     

Testing Outbound Email  

     

Test outbound mail by sending a message from your Office 365 email address to an external domain recipient.  You can review message tracking from your SMA to assure it was routed outbound properly.

  

Example of message tracking where the x-header does not match:

     

Example of message tracking with successful delivery:

  

     

Related Information

Technical Support & Documentation - Cisco Systems

Contributed by

  • Alex Chan
    Technical Marketing Engineer Cisco Email Security
  • Robert Sherwin
    Technical Marketing Engineer Cisco Email Security
  • Anvitha Prabhu
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

This Document Applies to These Products

About Us
Contact Us
Work with Us