Integrating Secure Email Gateway with Threat Defense


Overview of Threat Defense Connector

The Threat Defense Connector client connects the Secure Email Gateway with the Secure Email Threat Defense to scan messages for Advanced Phishing and Spoofing. The ability to perform cloud-based advanced threat scanning helps an organization to:

  • Get an advanced phishing and spoofing solution, and

  • Obtain security solutions to ever-changing phishing problems much faster than before.

When you configure the Threat Defense Connector, the Secure Email Gateway sends a copy of the actual message as an attachment to the Threat Defense portal’s message intake address in journaled format.

Once a message is scanned by all the scanning engines in the Secure Email Gateway and the message is safe to be delivered, the message is duplicated. A copy of the message is queued to be sent as an attachment in RFC 822 format to the Secure Email Threat Defense for advanced scanning. The original message gets delivered to the original recipient.

The Email Gateway sends messages that are meant for advanced threat scanning over the standard SMTP interface, using TLS 1.2 or later for the SMTP conversation, as Secure Email Threat Defense requires. Threat Defense scans the messages, and the appropriate remediation action is taken on the message originally delivered to the user mailbox.
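The following Python script is an added illustration of the two mechanics described above, not code from Cisco or from AsyncOS: it wraps a scanned message, unmodified, as a message/rfc822 attachment of a new message addressed to the intake address, and it builds the TLS context a sender would use to refuse anything below TLS 1.2. The exact journal envelope layout Cisco uses is not described on this page, so the summary body, the placeholder addresses and the sample original message are all constructed assumptions.

```python
# Added illustration (not Cisco's code). Assumptions: the journal-report body
# layout, the placeholder addresses and the sample original message below.
import ssl
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

INTAKE_ADDRESS = "intake@tenant.example.invalid"    # constructed placeholder, not a real intake address
GATEWAY_ADDRESS = "journal@mail.example.invalid"    # constructed placeholder

# Constructed sample of a message that has already passed the gateway's scanners.
SAMPLE_ORIGINAL = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: Quarterly numbers
Message-ID: <constructed-0001@example.invalid>
Content-Type: text/plain; charset=us-ascii

Please review the attached figures.
"""


def build_journal_copy(original_bytes: bytes, intake_address: str = INTAKE_ADDRESS) -> EmailMessage:
    """Return a new message to the intake address whose only attachment is the
    original message, byte-for-byte as received, as a message/rfc822 part."""
    original = BytesParser(policy=policy.default).parsebytes(original_bytes)
    wrapper = EmailMessage(policy=policy.default)
    wrapper["From"] = GATEWAY_ADDRESS
    wrapper["To"] = intake_address
    wrapper["Subject"] = "Journal copy: " + str(original["Subject"] or "(no subject)")
    # Journal-report style envelope summary; this layout is an assumption.
    wrapper.set_content(
        "Sender: {}\nRecipient: {}\nMessage-Id: {}\n".format(
            original["From"], original["To"], original["Message-ID"]))
    # Passing a Message object to add_attachment() yields a message/rfc822 part.
    wrapper.add_attachment(original)
    return wrapper


def inspect_journal_copy(wrapper_bytes: bytes) -> dict:
    """Parse a serialized journal copy and report what the receiving side sees."""
    msg = BytesParser(policy=policy.default).parsebytes(wrapper_bytes)
    parts = list(msg.iter_attachments())
    if len(parts) != 1:
        raise ValueError("expected exactly one attachment, found %d" % len(parts))
    inner = parts[0].get_content()  # the original message as a Message object
    return {
        "to": str(msg["To"]),
        "attachment_type": parts[0].get_content_type(),
        "original_subject": str(inner["Subject"]),
        "original_message_id": str(inner["Message-ID"]),
    }


def make_intake_tls_context() -> ssl.SSLContext:
    """TLS context for the SMTP conversation: certificate verification on,
    nothing older than TLS 1.2 accepted. Use it as
    smtplib.SMTP(host).starttls(context=make_intake_tls_context())."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    copy_bytes = build_journal_copy(SAMPLE_ORIGINAL).as_bytes()
    print(inspect_journal_copy(copy_bytes))
    print("minimum TLS:", make_intake_tls_context().minimum_version)
```

No network connection is opened; the script only shows what a receiving intake mailbox would see in the copy and how the TLS floor is expressed on the sending side.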


Note


Advanced threat scanning using Threat Defense Connector is applicable only for incoming messages.


Figure 1. Overview of Threat Defense Connector



How to Configure Email Gateway to use Threat Defense Connector

Perform these steps in order:

Step 1: [On Secure Email Threat Defense] Set up the Secure Email Threat Defense portal to receive emails from Secure Email Gateway.
    More information: Set up Secure Email Threat Defense, in the Cisco Secure Email Threat Defense User Guide.

Step 2: Obtain the message intake address from the Secure Email Threat Defense portal.
    More information: Cisco Secure Email Threat Defense User Guide.

Step 3: Enable and configure Threat Defense Connector on Secure Email Gateway.
    More information: Enabling Threat Defense Connector on Email Gateway.

(Optional) Step 4: Enable or disable Threat Defense Connector for individual mail policies.
    More information: Configuring the Incoming Mail Policy for Threat Defense Connector.

Setting up the Threat Defense Portal to Receive Messages from Secure Email Gateway

As an email administrator, you need to set up Secure Email Threat Defense to receive messages from Secure Email Gateway. For more information, see the Set up Secure Email Threat Defense chapter in the Secure Email Threat Defense User Guide.

Obtaining the Message Intake Address

Your message intake address is shown on the Secure Email Threat Defense setup page. If you need to find it after your initial setup, you can locate it on the Settings (gear icon) > Administration > Business page in the Account Details section. For more information, see Secure Email Threat Defense FAQ.

Enabling Threat Defense Connector on Email Gateway

You can enable this feature in the following ways:

  • Enable only Threat Defense Connector.

  • Enable Threat Defense Connector and Email Threat Defense API.

  • Enable Threat Defense Connector, Email Threat Defense API, and Email Threat Defense API Polling.


Note


Email Threat Defense API and Email Threat Defense API Polling are used if you use Microsoft Exchange Server (On-Premises). Enabling only the Email Threat Defense API is not useful if Email Threat Defense API Polling is not enabled. You must enable both the Email Threat Defense API and Email Threat Defense API Polling.


In cluster mode, you need to enable the Threat Defense Connector, Email Threat Defense API, and Email Threat Defense API Polling on only one email gateway in the cluster. These changes will be applied to all email gateways in the cluster. However, for Email Threat Defense API Polling, the Secure Email Gateway where you enabled this functionality will be considered the primary host with polling enabled.

Before you begin

  • Make sure that you have received the message intake address from Secure Email Threat Defense. Also, ensure that mail deliveries to this domain and recipient address are allowed.

  • Make sure that the timestamps of Secure Email Gateway and Secure Email Threat Defense are synchronized.

  • If you are using Microsoft Exchange Server (On-Premises), you must enable and configure the Email Threat Defense API and Email Threat Defense API Polling in the Threat Defense Connector settings to perform Mailbox Auto Remediation of convicted emails identified by Secure Email Threat Defense.

  • The API_HTTPD and API_HTTPSD port must be enabled in all email gateways in the cluster for this Email Threat Defense API to work.


Note


If you use custom SMTP routes for mail deliveries, make sure that you use DNS for deliveries to the message intake address domain, for example by using "USEDNS" for that domain in the SMTP Routes.


Procedure


Step 1

Click Security Services > Threat Defense Connector.

Step 2

Click Enable.

Step 3

Select the Enable Threat Defense Connector checkbox.

Step 4

Enter the message intake address retrieved from the Email Threat Defense portal.

Note

 

You can also configure Threat Defense Connector for individual incoming mail policies and use separate message intake addresses for each incoming mail policy. Make sure that they use the same domain as the global message intake address used here. For more information, see Configuring the Incoming Mail Policy for Threat Defense Connector.

Step 5

If you are using Microsoft Exchange Server (On-Premises), select the Enable Email Threat Defense API checkbox.

Step 6

Enter the Client ID, Password, and API Key retrieved from the Email Threat Defense portal.

Step 7

Select the Action to be taken on message(s) in user's mailbox: checkbox to take an action on the malicious emails. You can choose one of the following actions:

  1. Forward to: Send the message to the specified email address(es). Enter the email address(es) to which the message should be forwarded.

  2. Delete: To delete the message from user's mailbox.

  3. Forward to and Delete: Send the message to the specified email address(es) and delete the message. Enter the email address(es) to which the message should be forwarded.

Step 8

Select Enable Email Threat Defense API Polling to enable the API polling from this email gateway in cluster mode. This email gateway acts as primary (host) in cluster mode.

Note

 

API Polling will only be enabled at the global level or default policy level, and not at individual policy levels.

Step 9

Click Submit and commit your changes.


Disabling Threat Defense Connector on Email Gateway

You can disable this feature in the following ways:

  • Disable only Email Threat Defense API polling.

  • Disable Email Threat Defense API, which also disables the Email Threat Defense API Polling.

  • Disable Threat Defense Connector, which also disables the Email Threat Defense API and Email Threat Defense API Polling.


Note


Email Threat Defense API and Email Threat Defense API Polling are used if you use Microsoft Exchange Server (On-Premises).


Procedure


Step 1

Click Security Services > Threat Defense Connector.

Step 2

Click Edit Global Settings.

Step 3

Clear the Enable Email Threat Defense API Polling checkbox to disable Threat Defense API Polling.

At this level, the Secure Email Gateway remains connected to Email Threat Defense through the API; only the Email Threat Defense API Polling is turned off. Disable polling in this way when you want to remove this Email Gateway from cluster mode.

Step 4

Clear the Enable Email Threat Defense API checkbox to disable Threat Defense API connection.

At this level, the Secure Email Gateway remains connected to Email Threat Defense through the Threat Defense Connector; only the API connection is removed. Microsoft Exchange Server (On-Premises) services are disconnected when you disable the Email Threat Defense API.

Step 5

Clear the Enable Threat Defense Connector checkbox. This action disables the Threat Defense Connector on your Secure Email Gateway globally.

Step 6

Click Submit and commit your changes.


Threat Defense Connector and Clusters

If you use centralized management, you can enable the Threat Defense Connector at the cluster, group, and machine levels.

If you use Microsoft Exchange Server (On-Premises), you must use this feature only in cluster mode. Do not enable the Threat Defense Connector API at the group or machine level.

When you add an Email Gateway with enabled Threat Defense Connector API polling to a cluster that already has a master Email Gateway (where Threat Defense Connector API polling is enabled at the cluster level), the API polling on the newly added device will be disabled. This is because the master Email Gateway will handle the polling for the entire cluster.


Note


Disable API polling before connecting the primary leader machines of the current and remote clusters. Enable API polling only after the inter-cluster configuration is complete, and ensure it is enabled in both clusters.



Note


If the master secure email gateway fails in a cluster with Threat Defense Connector and API polling, the admin must configure another master gateway in that cluster.


For Microsoft Exchange Server (On-Premises) deployments, when you disable Threat Defense Connector API from the master Email Gateway, it will also be disabled on all gateways in the cluster. Similarly, if you disable the Threat Defense Connector API on any Email Gateway within the cluster, it will be disabled on all other gateways in the cluster.

Configuring the Incoming Mail Policy for Threat Defense Connector

Before You Begin

Enabling Threat Defense Connector on Email Gateway

Procedure


Step 1

Click Mail Policies > Incoming Mail Policies.

Step 2

Click the link in the Threat Defense Connector column of the mail policy that you want to modify.

Step 3

Depending on your requirements, choose the following options:

  • [For the DEFAULT policy] Use Global Settings - Use the message intake address configured in Security Services > Threat Defense Connector page.

  • [For any other custom mail policy] Use Settings from Default Policy - Inherit the Threat Defense Connector settings of the default policy.

    Note

    By default, the Threat Defense Connector is disabled for the default policy. If you enabled it in a previous release, the settings are carried over when you upgrade to a new release.

  • Use Custom Message Intake Address - Use a different message intake address for the selected incoming mail policy than the one configured in the Security Services > Threat Defense Connector page. Make sure that the custom message intake address uses the same domain as the global message intake address configured in the Security Services > Threat Defense Connector page.

    Enter the message intake address in the text box.

  • No - Disable Threat Defense Connector for the selected incoming mail policy.

Step 4

Submit and commit your changes.
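Because every custom intake address must share the domain of the global one, it is worth checking a planned per-policy configuration before submitting it. The following Python check is an added example, not part of the product or of this guide; the global address, the policy names and their addresses are constructed placeholders, and a value of None stands for a policy that inherits the global or default settings.

```python
# Added check (not Cisco's code). Assumptions: the placeholder addresses below
# and the convention that None means "use global/default settings".
GLOBAL_INTAKE = "global-intake@tenant.example.invalid"   # constructed placeholder

# Constructed per-policy configuration as an administrator might plan it.
PLANNED_POLICIES = {
    "DEFAULT": None,                                          # Use Global Settings
    "Finance": "finance-intake@Tenant.Example.Invalid",      # same domain, different case
    "Partners": "partners-intake@other.example.invalid",     # wrong domain
    "Legacy": "not-an-address",                              # malformed
}


def intake_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or raise ValueError."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a valid address: %r" % address)
    return domain.lower()


def check_policy_intake_addresses(global_address: str, policy_addresses: dict) -> dict:
    """Map each policy name to None (acceptable) or a description of the problem.
    Domains are compared case-insensitively, as DNS names are."""
    global_domain = intake_domain(global_address)
    results = {}
    for name, address in policy_addresses.items():
        if address is None:            # inherits global or default settings
            results[name] = None
            continue
        try:
            domain = intake_domain(address)
        except ValueError as err:
            results[name] = str(err)
            continue
        if domain == global_domain:
            results[name] = None
        else:
            results[name] = "domain %s differs from global domain %s" % (domain, global_domain)
    return results


def problems_only(results: dict) -> dict:
    """Filter a result map down to the policies that need attention."""
    return {name: why for name, why in results.items() if why is not None}


if __name__ == "__main__":
    for policy_name, why in problems_only(
            check_policy_intake_addresses(GLOBAL_INTAKE, PLANNED_POLICIES)).items():
        print("%s: %s" % (policy_name, why))
```

Run the check against the planned addresses before the Submit step; any policy listed in the output would violate the same-domain rule or is not a usable address.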


What to do next

To configure policy settings for Threat Defense Connector in the CLI, use the policyconfig command. For more information, see the CLI Reference Guide for AsyncOS for Cisco Secure Email Gateway.

Monitoring Threat Defense Connector Reports

You need to log in to the Cisco Secure Email Threat Defense portal to view the advanced scanning reports of Threat Defense Connector. For more information, see the Cisco Secure Email Threat Defense User Guide.

You can view the delivery status of outgoing emails under Monitor > Delivery Status. The Delivery Status page provides monitoring information about email operations relating to a specific recipient domain. When Threat Defense Connector is enabled, you can view the delivery status of emails to the message intake address under the destination domain the.tdc.queue.

You can view the Email Threat Defense Remediation Report on the Remediation Report page of the New Web Interface. For more information, see Remediation Report Page.


Viewing Logs

The Threat Defense Connector information is posted to the Mail Logs with a prefix 'TDC'.

Examples of Threat Defense Connector Log Entries

Message Delivery Failed - TLS Error

In this example, the log shows a message that was not delivered because of a TLS error when communicating with Threat Defense.

17 Aug 2022 05:52:04 (GMT +00:00) Message 3 queued for delivery.
17 Aug 2022 05:52:04 (GMT +00:00) (DCID 0) Delivery started for message 3 to astra_victim@astra-cs.com.
17 Aug 2022 05:52:04 (GMT +00:00) (DCID 0) Delivery details: Message 3 sent to astra_victim@astra-cs.com
17 Aug 2022 05:52:04 (GMT +00:00) Incoming connection (ICID 3) lost.
17 Aug 2022 05:52:04 (GMT +00:00) Message 3 to astra_victim@astra-cs.com received remote SMTP response "/dev/null"
17 Aug 2022 05:52:04 (GMT +00:00) TDC: Message 4 delivery failed to Cisco Secure Email Threat Defense: TLS Error.

Solution

To investigate further and fix this error, contact Cisco Technical Assistance Center (TAC).
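Because TDC entries carry a fixed prefix and a fixed failure phrase, they are easy to pull out of the Mail Logs for monitoring. The following Python script is an added example, not Cisco's code: it scans mail log text for "TDC: ... delivery failed ..." entries, groups them by the stated reason, and flags a run of TLS errors so that the case can be raised with TAC as the Solution above advises. The log lines embedded in it are constructed in the format shown above; the "Connection refused" reason is a constructed value used only to show grouping, not a phrase taken from the product.

```python
# Added example (not Cisco's code). Assumptions: the constructed log lines
# below, including the "Connection refused" reason used to show grouping.
import re
from collections import Counter

# Constructed sample log, following the layout of the entries above.
SAMPLE_LOG = """\
17 Aug 2022 05:52:04 (GMT +00:00) Message 3 queued for delivery.
17 Aug 2022 05:52:04 (GMT +00:00) (DCID 0) Delivery started for message 3 to astra_victim@astra-cs.com.
17 Aug 2022 05:52:04 (GMT +00:00) TDC: Message 4 delivery failed to Cisco Secure Email Threat Defense: TLS Error.
17 Aug 2022 05:53:10 (GMT +00:00) TDC: Message 6 delivery failed to Cisco Secure Email Threat Defense: TLS Error.
17 Aug 2022 05:54:22 (GMT +00:00) TDC: Message 8 delivery failed to Cisco Secure Email Threat Defense: Connection refused.
"""

# Timestamp, GMT offset, the TDC prefix, the message ID and the failure reason.
TDC_FAIL_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d) \(GMT [+-]\d\d:\d\d\) "
    r"TDC: Message (?P<mid>\d+) delivery failed to Cisco Secure Email Threat Defense: "
    r"(?P<reason>.+?)\.?$"
)


def parse_tdc_failures(log_text: str) -> list:
    """Return one record per TDC delivery-failure line, in log order."""
    failures = []
    for line in log_text.splitlines():
        match = TDC_FAIL_RE.match(line)
        if match:
            failures.append({
                "timestamp": match.group("ts"),
                "message_id": int(match.group("mid")),
                "reason": match.group("reason"),
            })
    return failures


def failures_by_reason(failures: list) -> dict:
    """Count failures per stated reason, e.g. {'TLS Error': 2}."""
    return dict(Counter(record["reason"] for record in failures))


def tls_failure_alert(failures: list, threshold: int = 2) -> bool:
    """True when at least `threshold` TLS Error failures are present; repeated
    TLS failures to the intake address are the case to take to TAC."""
    return sum(1 for record in failures if record["reason"] == "TLS Error") >= threshold


if __name__ == "__main__":
    found = parse_tdc_failures(SAMPLE_LOG)
    for record in found:
        print("%(timestamp)s  message %(message_id)d  %(reason)s" % record)
    print("by reason:", failures_by_reason(found))
    print("TLS alert:", tls_failure_alert(found))
```

Feed the script the relevant section of the Mail Logs; the message IDs it reports are the ones to look up in the log when opening the TAC case.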