Automatically Remediating Messages in Mailboxes

This chapter contains the following sections:

Overview

A file can turn malicious anytime, even after it has reached user’s mailbox. AMP can identify this as new information emerges and push retrospective alerts to your appliance. You can configure your appliance to perform auto-remedial actions on the messages in user mailbox when the threat verdict changes. For example, you can configure your appliance to delete the message from the recipient’s mailbox when the verdict of the attachment changes from clean to malicious.

The appliance can perform auto-remedial actions on the messages in the following mailbox deployments:

  • Microsoft Exchange online – mailbox hosted on Microsoft Office 365

  • Microsoft Exchange on-premise – a local Microsoft Exchange server

  • Hybrid/Multiple tenant configuration – a combination of mailboxes configured across Microsoft Exchange online and Microsoft Exchange on-premise deployments

Workflow

Figure 1. Mailbox Auto Remediation Workflow
  1. Message with an attachment reaches the appliance.
  2. The appliance queries the AMP server to evaluate the reputation of the attachment.
  3. The AMP server sends the verdict to the appliance. The verdict is clean or unknown.
  4. The appliance releases the message to the recipient.
  5. After a certain period, the appliance receives a verdict update from the AMP server. The new verdict is malicious.
  6. The appliance performs the configured remedial action on the message (with malicious attachment) residing in the recipient’s mailbox.

How the Appliance Performs Auto-Remedial Actions

  1. When the appliance receives a retrospective verdict from the AMP server, the appliance initiates the mailbox remediation processMessage with an attachment reaches the appliance.
  2. The appliance determines the email addresses to which the malicious message was delivered.
  3. The appliance identifies the recipient domains to which the email addresses belong.
  4. Based on the recipient domains, the appliance collects the account profile that is mapped to the domains.

    An account profile defines the mailbox settings that are used by the appliance to connect to the mailbox and perform the auto-remedial actions. You must create an account profile and map it to the recipient domains to successfully remediate the message from the mailbox.

  5. The appliance checks for the profile mapped to the domains:
    • [Only for hybrid or multi-tenant deployment] If it is a chained profile, the appliance attempts to perform remedial actions using all the account profiles in the chained profile.

      A chained profile is a combination of multiple account profiles. In case of a hybrid or multi-tenant deployment, where there are mailboxes present across multiple deployments, you must create a chained profile to combine all the profiles defined for mailboxes in the deployment. The appliance attempts to perform remedial actions based on the order in which the account profiles are added in the chained profile.

    • If it is not a chained profile, the appliance checks the profile type to know if it is an Microsoft Exchange online profile or an Microsoft Exchange on-premise profile.

  6. The appliance performs remedial actions using the identified profile and remediates the message.

    Note

    Mailbox remediation may fail for various reasons. For more information, see Troubleshooting Mailbox Remediation.


Contents

Performing Remedial Actions on Messages in Mailboxes

You can perform remedial actions on messages in the following mailbox deployments:

Performing Auto-Remedial Actions on Messages in Microsoft Exchange Online Mailboxes

If your organization is using Microsoft Exchange online to manage mailboxes, you can configure your appliance to perform auto-remedial actions on the messages in user mailbox when the threat verdict changes. For example, you can configure your appliance to delete the message from the recipient’s mailbox when the verdict of the attachment changes from clean to malicious.

Contents

How to Configure Remedial Action on Messages in Microsoft Exchange Online Mailboxes

Do This

More Info

Step 1

Review the prerequisites.

Prerequisites for Remediating Messages in Microsoft Exchange Online Mailboxes

Step 2

Register Email Security appliance as an application on Azure AD (Azure Management Portal).

Registering Your Appliance as an Application on Azure AD

Step 3

Enable the account settings on your appliance.

Enable mailbox remediation on your appliance.

Enabling Account Settings on Cisco Email Security Appliance

Step 4

Create an account profile of type Office 365/Hybrid (Graph API) on your appliance.

Create an Office 365 profile for the user mailbox and define the mailbox settings on the appliance.

Before you Begin, make sure that you have:

  • Acquired the private key of the certificate in .pem format. See Certificate for Secure Communication.

  • The values of the following parameters:

    • Client ID and Tenant ID of the application that you registered on the Azure Management Portal.

    • See Step 9 of Registering Your Appliance as an Application on Azure AD.

    • Certificate thumbprint ($base64Thumbprint). See Step 8 of Registering Your Appliance as an Application on Azure AD.

See Creating an Account Profile.

Step 5

Add the recipient domain and map the domain to the Office 365 profile.

Add the domain that the recipient mailbox belongs and map the domain to the Office 365 account profile.

See Mapping Domains to the Account Profile.

Step 6

[For Automatic Remediation only] Configure your appliance to perform remedial actions on messages delivered to end users when the threat verdict changes to malicious.

Configure Automatic Remedial Actions on Messages in the Mailboxes

Performing Auto-Remedial Actions on Messages in Microsoft Exchange On-Premise Mailboxes

You can configure the appliance to remediate messages from a mailbox on an Exchange on-premise server. The appliance uses a user account with impersonator privileges to access the Exchange on-premise mailbox and perform remedial actions on the message. You must create this user account with impersonator privileges on the mail exchange server to which the appliance has to connect and remediate the message.


Note

Cisco has validated Automatic mailbox remediation only on Microsoft Exchange 2013 and 2016.


Contents

How to Configure Remedial Actions on Messages in Microsoft Exchange On-Premise Mailboxes

Do This

More Info

Step 1

Review the prerequisites.

Prerequisites for Remediating Messages in an On-Premise Account

Step 2

Enable the account settings on your appliance.

Enable mailbox auto remediation on your appliance.

Enabling Account Settings on Cisco Email Security Appliance

Step 3

Create an account profile of type On-Premise on your appliance.

Create an On-Premise profile for the user mailbox and define the mailbox settings on your appliance.

Before you begin, make sure that you have:
  • The impersonator user account details

  • The host name of the local mail exchange server

Creating an Account Profile.

Step 4

Add the recipient domain and map the domain to the On-premise account profile.

Add the domain that the recipient mailbox belongs and map the domain to the On-premise account profile.

See Mapping Domains to the Account Profile.

Step 5

Configure your appliance to perform remedial actions on messages delivered to end users when the threat verdict changes to malicious.

Configure Automatic Remedial Actions on Messages in the Mailboxes

Performing Auto-Remedial Actions on Messages in Mailboxes on Hybrid Deployment

You can configure a single appliance to remediate messages from a hybrid exchange deployment or multiple exchange tenants. For example, if your organization is in a process of moving the mailbox from Microsoft Exchange on-premise to Microsoft Exchange online, there will be mailboxes deployed on Microsoft Exchange online and Microsoft Exchange on-premise until the migration is complete.

To automatically remediate messages from multiple mailboxes configured across different deployments, create a chained profile. A chained profile combines all the account profiles of a hybrid or multi-tenant deployment. The order in which the profiles are added to the chained profile defines the priority in which the appliance checks the profile to remediate messages.

When the appliance receives a retrospective verdict from the AMP server, the appliance attempts to perform the remediation action using each profile present in the chained profile in the order of priority defined in the chained profile.

Contents

How to Perform Remedial Actions on Messages in Mailboxes on Hybrid Deployment

Do This

More Info

Step 1

Review the prerequisites.

Ensure that all the prerequisites for performing auto-remedial actions on Microsoft Exchange online and Microsoft Exchange on-premise mailboxes are met for a hybrid or multi-tenant deployment.

See Prerequisites.

Step 2

Register Email Security appliance as an application on Azure AD (Azure Management Portal).

Registering Your Appliance as an Application on Azure AD

Step 3

Enable the account settings on your appliance.

Enable mailbox remediation on your appliance.

See Enabling Account Settings on Cisco Email Security Appliance.

Step 4

Create account profiles for all the mailboxes in the hybrid/multi-tenant deployment.

Create account profiles for the user mailboxes and define mailbox settings on the appliance.

Before you Begin, make sure that you have:

  • Acquired the private key of the certificate in .pem format. See Certificate for Secure Communication.

  • The values of the following parameters:

    • Client ID and Tenant ID of the application that you registered on the Azure Management Portal.

    • See Step 9 of Registering Your Appliance as an Application on Azure AD.

    • Certificate thumbprint ($base64Thumbprint). See Step 8 of Registering Your Appliance as an Application on Azure AD.

  • The impersonator user account details

  • The host name of the local mail exchange server

See Creating an Account Profile.

Step 5

Create a chained profile.

Create a chained profile and add all the profiles of a hybrid/multi- tenant deployment.

See Creating a Chained Profile.

Step 6

Add the recipients’ domains and map them to the chained profile.

Add the domains that the recipients’ mailboxes belong and map the domains to the chained profile.

See Mapping Domains to the Account Profile.

Step 7

Configure your appliance to perform remedial actions on messages delivered to end users when the threat verdict changes to malicious.

Configure Automatic Remedial Actions on Messages in the Mailboxes

Configuring Mailbox Auto Remediation on Cisco Email Security Appliance

Prerequisites

Prerequisites for Remediating Messages in Microsoft Exchange Online Mailboxes

Feature Keys for File Reputation Service and the File Analysis Service

Make sure that you have:

  • Added the feature keys for the file reputation service and the file analysis service to you appliance.
  • Enabled File Reputation and Analysis feature on your appliance. See File Reputation Filtering and File Analysis.
Office 365 Accounts

Make sure that you have the following accounts that are required to register your appliance with Azure AD:

  • An Office 365 business account
  • An Azure AD subscription associated with your Office 365 business account

For more information, contact your Office 365 administrator.

Certificate for Secure Communication

To secure the communication between Office 365 services and your appliance, you must set up a certificate in one of the following ways: create a self-signed certificate or obtain a certificate from a trusted CA.

You must have:

  • A public key in .crt or .p12 format. Make sure that the emailAddress is set to the email address of the Office 365 administrator ( <admin_username>@<domain>.com ).
  • An associated private key in .pem format, with keysize at least 2048 bit.

For more information, see https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/211404-How-to-configure-Azure-AD-and-Office-365.html.


Note

Private keys with passphrase are not supported in this release.

Prerequisites for Remediating Messages in an On-Premise Account

Feature Keys for File Reputation Service and the File Analysis Service

Make sure that you have:

  • Added the feature keys for the file reputation service and the file analysis service to you appliance.
  • Enabled File Reputation and Analysis feature on your appliance. See File Reputation Filtering and File Analysis.
(Optional) Import Microsoft Exchange Web Service (EWS) Certificate

If you are using a self-signed certificate on an Microsoft Exchange on-premise server for the EWS service, you must import the certificate from the Microsoft Exchange on-premise server into the Email Security appliance. To import a certificate, see Importing a Certificate.

Add a User to the Impersonator Role

The appliance uses a user account that has impersonator privileges to access the Microsoft Exchange on-premise mailbox. The mail exchange administrator must create a user account with impersonator privileges on the local exchange server. The appliance used this user account to remediate messages from the mailbox.

Procedure

Step 1

Create a user account for which impersonator privileges must be assigned. This user account is used by the appliance to access and operate the mailbox to remediate the messages.

Step 2

Log in to the Microsoft Exchange Control Panel interface using administrator credentials.

Step 3

Navigate to Permissions -> Admin Roles.

Step 4

Create a role and assign the ‘ApplicationImpersonation’ privileges for the role.

Step 5

Add the user account for which the impersonator privileges must be assigned as a member of this new role.


Registering Your Appliance as an Application on Azure AD

Office 365 services use Azure Active Directory (Azure AD) to provide secure access to users' mailboxes. For your appliance to access the Office 365 mailboxes, you must register your appliance with Azure AD. The following are the high level steps you need to perform to register your appliance with Azure AD. For detailed instructions, see Microsoft documentation ( https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app ).

Before You Begin

Perform the tasks described in Prerequisites for Remediating Messages in Microsoft Exchange Online Mailboxes.

Procedure


Step 1

Sign into the Azure Management Portal using your Office 365 business account credentials.

Step 2

Add a new application to the directory linked to your Office 365 subscription.

Step 3

Navigate to App Registrations > New Registration to add a new application.

Step 4

While adding a new application, make sure that you:

  • Specify the application name and the account types the application must support.

  • (Optional) Select the application type as Web and provide the URL where users can sign-in and use your appliance.

Step 5

Assign the permissions that the application requires. Click API permissions on the navigation pane and click Add a permission.

Step 6

Select Microsoft Graph >Application permissions and assign the following permissions:

  • Mail.Read – Read mail in all mailboxes

  • Mail. ReadWrite - Read and write mail in all mailboxes

  • Mail.Send - Send mail as any user

Step 7

Grant admin consent for all the requested permissions for all accounts in the organization.

Step 8

Secure the communication between the Office 365 services and the appliance by updating the application manifest with the key credentials from the public key certificate. Perform the following steps:

  1. Using a Windows PowerShell prompt, get the values for $base64Thumbprint , $base64Value , and $keyid from the public key certificate. See the example below. From the Windows PowerShell prompt, navigate to the directory containing the public key certificate and run the following:

    Example:

    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cer.Import(".\mycer.cer") 
    $bin = $cer.GetRawCertData() 
    $base64Value = [System.Convert]::ToBase64String($bin) 
    $bin = $cer.GetCertHash() 
    $base64Thumbprint = [System.Convert]::ToBase64String($bin) 
    $keyid = [System.Guid]::NewGuid().ToString()

    After running the above commands, run the following commands to extract their values:

    $keyid 
    $base64Value 
    $base64Thumbprint
  2. Click Manifest on left pane of the registered application pane to open the manifest of the application.

  3. In the manifest text editor, replace the empty KeyCredentials property with the following JSON:

    Example:

    "keyCredentials": [
    {
    "customKeyIdentifier": "$base64Thumbprint_from_step_1",
    "keyId": "$keyid_from_step1",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "$base64Value_from_step1"
    }
    ],

Example:

In the above JSON snippet, make sure that you replace the values of $base64Thumbprint , $base64Value, and $keyid with the values you obtained in step a. Each value must be entered in a single line

Step 9

After registering your appliance with Azure AD, note down the following details from the Azure Management Portal from the Overview pane of the registered application:

In this case, the Tenant ID is abcd1234-bcdd-469d-8545-a0662708cbc3 .


What to do next

Enabling Account Settings on Cisco Email Security Appliance

Enabling Account Settings on Cisco Email Security Appliance

Before You Begin

Make sure that you have:

Procedure


Step 1

Log in to the appliance.

Step 2

Click System Administration > Account Settings.

Step 3

Click Enable.

Step 4

Select Enable Account Settings.

Step 5

(Optional) Enter the maximum number of attempts the appliance makes to connect to the mailbox to remediate the message. The value must be an integer from 1 to 5.

Step 6

(Optional) Enter the number of seconds the appliance must wait before the connection times out to the hybrid mail exchange server. The value must be an integer from 15 to 90.

Step 7

(Optional) Enter the number of seconds the appliance must wait before the connection times out to the local mail exchange server. The value must be an integer from 15 to 90.

Step 8

Submit and commit your changes.


What to do next

Creating an Account Profile

Creating an Account Profile

An account profile defines the mailbox parameters that are required for the appliance to connect to the mailbox and perform remedial actions when the thread verdict of the message in the mailbox turns malicious.

Each profile credentials are related to one single tenant. If you want to perform remediation across multiple tenants, then you have to configure one profile for each tenant and chain them together using a chained profile. However, if you are using a load balancer for a multi-tenant deployment, you can still configure a single profile and use the hostname of the load balancer while creating a profile.

Before You Begin

Make sure that you have:

  • Enabled the account settings. See Enabling Account Settings on Cisco Email Security Appliance.
  • A valid email address in the Microsoft Exchange online or Microsoft Exchange on-premise server.
  • The parameters required to configure the Microsoft Exchange online or Microsoft Exchange on-premise account.

Procedure


Step 1

Log in to the appliance.

Step 2

Click System Administration > Account Settings.

Step 3

Click Create Account Profile.

Step 4

Enter a name and description for the profile.

Step 5

Select the profile type based on the mailbox deployment:

  • Office 365/Hybrid (Graph API) – Select this to configure a mailbox deployed on Microsoft Exchange online and enter the following details:Client ID and Tenant ID of the application that you registered on the Azure Management Portal.
    • Client ID and Tenant ID of the application that you registered on the Azure Management Portal.

    • Thumbprint of the certificate (value of $base64Thumbprint ).

    • Upload the private key of the certificate. Click Choose File and select the .pem file.

  • Exchange On-premise - Select this to configure a mailbox deployed on Microsoft Exchange on-premise and enter the following details:

    • Enter the username and password of the user account with impersonator privileges. For more information, see Add a User to the Impersonator Role.

    • Enter the hostname of the Microsoft Exchange on-premise server.

      Note 

      If you are using a load balancer for a multi-tenant deployment, you must configure the hostname of your load balancer.

Step 6

Verify whether the appliance can connect to the Microsoft Exchange online or Exchange on-premsie server.

  1. Click Test Connection.

  2. Enter an email address. This must be a valid email address in the Microsoft Exchange online or Microsoft Exchange on-premise.

  3. Click Test Connection.

    The status is displayed confirming whether your appliance can connect to the mailbox server.
  4. 4. Click Done. For troubleshooting the errors, see Troubleshooting Mailbox Remediation.

Step 7

Submit and commit your changes.


What to do next

Creating a Chained Profile

This task is mandatory only if you want to remediate messages in a mailbox on a hybrid or multi-tenant deployments.

Before You Begin

Make sure that you have at least one account profile added on your appliance:

Procedure


Step 1

Log in to the appliance.

Step 2

Click System Administration > Account Settings.

Step 3

Click Create Chained Profile.

Step 4

Enter a name and description for the chained profile.

Step 5

Select the account profile you want to add to the chained profile from the drop-down menu. To add more profiles, click Add Account Profile.

Note 
  • You must add the profiles in the order of priority in which you want the appliance to check the profile for remediating the message.
  • You can create a maximum of five chained profiles at a time on your appliance.

  • You can add a maximum of 10 account profiles per chained profile.

Step 6

Submit and commit your changes.


What to do next

Mapping Domains to the Account Profile

Mapping Domains to the Account Profile

You must define the domain to which the recipient’s mailbox belongs. The domain is then mapped to the account profile which is used by the appliance to remediate message in the mailbox.


Note

  • You can edit the domain mapping to add new domains to the existing domain mapped to the profile.

  • The domain mapping is unique to a profile. Domains mapped to one profile cannot be mapped to another.


Before You Begin

Make sure that you have at least one account profile added on your appliance.

Procedure


Step 1

Log in to the appliance.

Step 2

Click System Administration > Account Settings.

Step 3

Click Create Domain Mapping.

Step 4

Enter the domain names separated my commas. If you want to map the profile to all the domains, type the string ‘ALL’.

Step 5

Select the profile to be mapped to the domain(s). You can also map a chained profile to the domain(s).

Step 6

Submit and commit your changes.


What to do next

Configure Automatic Remedial Actions on Messages in the Mailboxes

Configure Automatic Remedial Actions on Messages in the Mailboxes

Before You Begin

Make sure that you have enabled mailbox remediation and configured the account settings on your Cisco Secure Email Cloud Gateway. See Enabling Account Settings on Cisco Email Security Appliance.

Procedure


Step 1

Select Configuration > Mail Configuration > Inbound > Incoming Policies .

Step 2

Click the drop-down arrow next to the policy you want to edit.

Step 3

Click the edit icon next to AMP column.

Step 4

Select the Enable Mailbox Auto Remediation checkbox.

Step 5

Specify the action to be taken on messages delivered to end users when the threat verdict changes to malicious. Depending on your requirements, choose one of the following remedial actions:

  • Forward to an email address. Select this option to forward the message with malicious attachment to a specified user, for example, an email administrator.
  • Delete the message. Select this option to permanently delete the message with malicious attachment from the end user’s mailbox.
  • Forward to an email address and delete the message. Select this option to forward the message with malicious attachment to a specified user, for example, an email administrator and permanently delete that message from the end user’s mailbox.
Step 6

Submit your changes.


What to do next

Related Topics

Upgrading to AsyncOS 13.0 and Later Releases

The mailbox settings defined in the previous AsyncOS versions are migrated seamlessly during the upgrade. This mailbox is created with the profile name as ‘Default’ and mapped to ‘ALL’ domains. This profile can be edited as required after the upgrade. Ensure that your application has access to Microsoft Graph API on Azure Active Directory to auto-remediate messages from Microsoft Exchange online mailboxes. For more information, see Registering Your Appliance as an Application on Azure AD.

Monitoring Mailbox Remediation Results

You can view the details of the mailbox remediation results using the Mailbox Auto Remediation report page (Monitor > Mailbox Auto Remediation). Use this report to view details such as:

  • Remedial actions taken on messages
  • The filenames associated with a SHA-256 hash
  • A list of profile names defined for the recipients for whom the mailbox remediation was successful or unsuccessful
  • Reason for the remediation failure
  • No profile mapped to the domain

The Recipients for whom remediation was unsuccessful field is updated in the following scenarios:

  • The message containing the attachment is no longer available in the mailbox, for example, the end user deleted the message.

  • Invalid Mailbox: The recipient is not a valid Microsoft Exchange online or Microsoft Exchange on-premise user, or the recipient does not belong to the Microsoft Exchange online or an Microsoft Exchange on-premise domain account configured on your appliance.
  • The message containing the attachment is no longer available in the mailbox, for example, the end user deleted the message.
  • Authentication Error: The user account provided on your appliance to connect to the Microsoft Exchange on-premise mailbox is incorrect.
  • Connection Error: There is a connectivity issue between your appliance and Microsoft Exchange online or Microsoft Exchange on-premise services when the appliance attempts to perform the remedial action.
  • Permission Error:
    • In case of a Microsoft Exchange on-premise account, the user account provided on your appliance to connect to the Microsoft Exchange on-premise mailbox is not assigned the impersonator role.
    • In case of a Microsoft Exchange online account, the Office 365 application does not have the required permission to access the recipient mailbox.

  • No Profile Mapped for domain: There is no profile mapped to the recipient domain.
  • Mailbox is Inaccessible or Invalid:
    • The profile type of the account profile that is used to access the mailbox is incorrect.
    • The recipient is not a valid Microsoft Exchange online or Microsoft Exchange on-premise user.
    • The recipient does not belong to the Microsoft Exchange online or an Microsoft Exchange on-premise domain account configured on your appliance.i

Click on a SHA-256 hash to view the related messages in Message Tracking.

Troubleshooting Mailbox Remediation

Connection Errors

Problem

While trying to check the connection between your appliance and recipent mailbox on the Account Settings page (System Administration > Account Settings), you receive an error message: Connection Unsuccessful.

Solution

Depending on the response from the server, do one of the following:

Error Message

Reason and Solution


The SMTP address has no mailbox 
associated with it

You have entered an email address that is not part of the associated mail domain.

Enter a valid email address and check the connection again.

The mailbox cannot be accessed using this profile or the required permissions may be missing
Verify that:
  • You have the required permission to access the user mailbox. The Micrsoft Exchange online account can be accessed only using the Microsoft Graph API and the Microsoft Exchange on-premise account using an user account with impersonator privileges.
  • You have selected the incorrect profile type. Modify the profile details on the Edit Account Profile page and check the connection again.
Access is denied. Check credentials and try again

The Office 365 application configured in Microsoft Azure does not have the required permission to access the Microsoft Exchange online mailbox.


Application with identifier 
'<client_id>' was not found in the 
directory <tenant_id> 

You have entered an invalid Client ID.

Modify the Client ID on the Account Profile page and check the connection again.


No service namespace named 
'<tenant_id>' was found in the 
data store. 

You have entered an invalid Tenant ID.

Modify the Tenant ID on the Account Profile page and check the connection again.


Error validating credentials. Credential 
validation failed

You have entered an invalid certificate thumbprint.

Modify the certificate thumbprint on the Account Profile page and check the connection again.


Error validating credentials. Client assertion 
contains an invalid signature.

You have entered an incorrect certificate thumbprint or you have uploaded an invalid or incorrect certificate private key.

Verify that:

  • You have entered the correct thumbprint.
  • You have uploaded the correct certificate private key.
  • The certificate private key is not expired.
  • The time zone of your appliance matches the time zone in the certificate private key.
The requested user <email address> is invalid

The email address entered does not match with the profile type of the account profile. Enter a valid email address or modify the account profile on the Account Profile page and check the connection again.

Failed to verify exchange server(‘<host name>’) certificate. If self-signed certificate is used on exchange server install its custom CA certificate
  • You have entered an invalid CA or self-signed certificate on the Microsoft Exchange on-premise server. Verify the certificate and check the connection again.
    Note 

    Ensure that the certificate you are using corresponds to the hostname provided in the profile. For example, if you have provided the IP address of the exchange server in your profile setting and the certificate is based on the hostname, then the connection will fail.

  • You have not imported the self-signed certificate from the Microsoft Exchange on-premise server to your appliance. For more information, see Importing a Certificate.
Invalid username or password entered for exchange server (‘<email address>’)

You have entered an invalid user name or password for the impersonator user account that is used to connect to the Microsoft Exchange on-premise mailbox.)

The account does not have permission to impersonate the requested user

The user account used to connect to the Microsoft Exchange on-premise mailbox is not a member of the impersonator role (does not have impersonator privileges).

Please check host <hostname> is valid exchange server address.

You have entered an incorrect hostname of the Microsoft Exchange on-premise server. Modify the hostname on the Account Profile page and check the connection again.

Viewing Logs

Mailbox remediation information is posted to the following logs:

  • Mail Logs ( mail_logs ). The time at which the mailbox remediation process started is posted to this log. Information about:
    • The time at which the mailbox remediation process started is posted to this log.
    • The reason for the unsuccessful remediation.
    • The number of recipients for whom the remediation was successful and unsuccessful.
  • Mailbox Auto Remediation Logs ( mar ). Information related to remediation status, actions performed, errors and so on are posted to this log.

Alerts

Alert: Connectivity Issues Between Appliance and Microsoft Exchange Services Detected

Problem

You receive an info-level alert indicating that there are connectivity issues between your appliance and Microsoft Exchange online or Microsoft Exchange on-premise services and the appliance is unable to perform the configured remedial action.

Solution

Do the following:

  • Check for network issues that might prevent the communication between your appliance and Microsoft Exchange online or Microsoft Exchange on-premise services.

    Review the network settings of your appliance . See Changing Network Settings.

  • Ensure that your application has access to Microsoft Graph API on Azure Active Directory.
  • Ensure that the user account used to access the Exchange on-premise mailbox has impersonator privileges.
  • Verify that the parameters configured in the corresponding profiles are valid and test the connection.
  • Check for firewall issues. See Firewall Information.
  • Check whether the Microsoft Exchange online or Microsoft Exchange on-premise services are operational.

Configured Remedial Actions Are Not Performed

Problem

After receiving a retrospective alert from the AMP server, configured remedial actions are not performed on the malicious messages in Exchange online and Exchange on-premise mailboxes.

Solution

Do the following:

  • Test the connection between your appliance and Exchange online and Exchange on-premise services. See Creating an Account Profile.
  • Check whether you have received the following alert: Connectivity Issues Between Appliance and Exchange online and Exchange on-premise Services Detected. See Alerts.