Office 365 - Email - Manual Integration

Introduction

The Office 365 onboarding process to Avanan, during which customers bind their Office 365 environment to Avanan, can be executed either automatically or manually.

In automated mode, you approve the Office 365 App in the SaaS Apps Store on your portal, and Avanan applies all configuration changes. Any change you make to the Office 365 policies on your portal is automatically reflected in the Office 365 environment.

In manual mode, Avanan applies no changes to the Office 365 environment; all changes must be implemented manually. Any change to the Office 365 policies on your portal must also be implemented manually in the Mail-Flow rules.

 

Policy Modes

These are the supported policy modes:

  • Monitor - monitors the emails and creates the relevant event.
  • Detect and Prevent - creates an event, and also performs retroactive enforcement for Inbound emails already delivered to users.
  • Inline - All emails are reviewed before delivery to the user.

Monitor and Detect and Prevent have the same configuration in Office 365.

 

Manual Integration with Office 365

Note that some configurations refer to {portal}, which stands for your portal name. For example, if your portal is customer-x.avanan.net, replace ‘{portal}’ with ‘customer-x’.

 

Step 1: Connectors

In this step, you define two connectors:

  • Journaling Outbound - For Monitoring mode. Required in all modes.
  • Inbound connector - For all modes.

These connectors send traffic to and receive traffic from the cloud.

The configuration for Inline mode is described later on this page.

 

Create new connectors

In the Exchange admin center, go to Mail flow > connectors.

Create the following connectors based on the following configuration.

 

Inbound Connector

To configure the inbound connector

  1. For From, select Partner organization.
  2. For To, select Office 365.
  3. Click Next.
  4. For Name, enter Avanan Inbound.
  5. For Description, enter Avanan Inbound Connector.
  6. For What do you want to do after the connector is saved?, select Turn it on.
  7. Click Next.
  8. For How do you want to identify the partner organization, select Use the sender's IP address.
  9. Click Next.
  10. Under Specify the sender IP address range, click the + icon.
    1. If your data residency is in the United States, enter this IP address: 35.174.145.124
    2. If your data residency is in Europe, enter this IP address: 52.212.19.177
    3. If your data residency is in Canada, enter this IP address: 15.222.110.90
  11. Click OK and then Next.
  12. Under What security restrictions do you want to apply?, select Reject email messages if they are not sent over TLS.
  13. Click Next.
  14. In the Settings Confirmation window, make sure your settings are correct before you click Save.

DLP inbound connector

To configure the DLP inbound connector

Similar to the Avanan Outbound connector, with the following changes:

  • For From, enter Your organization mail server (step 1).
  • For Name, enter Avanan DLP Inbound (step 4).
  • Under Specify the sender IP address range (step 10):
    • If your data residency is in the United States, enter this IP address: 3.214.204.181

 

Journaling Outbound Connector 

To configure the outbound connector

  1. For From, select Office 365.
  2. For To, select Your organization mail server.
  3. Click Next.
  4. For Name, enter Avanan Journaling Outbound.
  5. For Description (Optional), enter Avanan Journaling Outbound connector.
  6. For What do you want to do after connector is saved?, select Turn it on.
  7. Click Next.
  8. For When do you want to use this connector?, select Only when email messages are sent to these domains.
  9. Click the + icon to add a new domain: {portal}-mail.avanan.net. Replace {portal} with your portal name.
  10. Click OK and then Next.
  11. Under How do you want to route email messages?, select Route email through these smart hosts.
  12. Click the + icon to add a smart host, and enter the host domain name: {portal}-host.avanan.net. Replace {portal} with your portal name.
  13. Click Save and then Next.
  14. Under How should Office 365 connect to your partner organization's email server?, select Always use Transport Layer Security (TLS) to secure the connection.
  15. For Connect only if the recipient's email server certificate matches this criteria, select Any digital certificate, including self-signed certificates.
  16. Click Next.
  17. Check your settings before validation and click Next.
  18. Click the + icon and enter this email address: {portal}@{portal}-mail.avanan.net. Replace {portal} with your portal name.
  19. Click Validate. Make sure that both connectors were created.



 

Step 2: Creating connector filter

To configure the connector filter:

  1. In the Exchange admin center, go to Protection > Connection filter.
  2. Click the icon to edit the default rule.
  3. Under Connection filtering > IP Allow list, click the + icon.
  4. Under add allowed IP address,
    1. If your data residency is in the United States, enter these IP addresses: 35.174.145.124, 3.214.204.181
    2. If your data residency is in Australia, enter this IP address: 13.211.69.231
    3. If your data residency is in Europe, enter this IP address: 52.212.19.177

 

Step 3: Journal Rule

The journal rule is used for the monitoring mode. The journal rule configures Office 365 to send all emails to Avanan.

 

Note: Before you create a journal rule, you must specify an account to receive journal reports that cannot be delivered to the journal destination.

 

Please follow the steps in this guide to configure this mailbox.

 

The journal rule should be configured as follows:

  1. In the Exchange admin center, go to Compliance management > Journal rules.
  2. Click the + icon to create a new journal rule.
  3. Enter this information in the Journal Rule window:
    1. For Send journal reports to, enter {portal}@{portal}-mail.avanan.net. Replace {portal} with your portal name.
    2. For Name, enter Avanan - Monitor.
    3. For If the message is sent to or received from..., select (Apply to all messages).

Note - If you plan to use group filters in your setup, select the group you want to include in your policy.

    4. For Journal the following messages..., select All messages.
    5. Click Save.
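
Steps 1 to 3 (the Monitor configuration) expressed as Exchange Online PowerShell, which makes the settings easier to review and to re-check later. This is an added example, not Avanan's code: it assumes an open Connect-ExchangeOnline session, the portal name customer-x from the example above, and US or Europe data residency, and the cmdlet parameters are this example's mapping of the admin center choices.

```powershell
# Added example (not Avanan's code). Assumes an open Connect-ExchangeOnline session.
$Portal = 'customer-x'   # portal name, taken from the page's own example
$Region = 'US'           # data residency: 'US' or 'EU'

# Addresses copied from Steps 1 and 2 of this page.
$ByRegion = @{
    US = @{ Inbound = '35.174.145.124'; AllowList = '35.174.145.124', '3.214.204.181' }
    EU = @{ Inbound = '52.212.19.177';  AllowList = @('52.212.19.177') }
}
$Ips     = $ByRegion[$Region]
$Journal = '{0}@{0}-mail.avanan.net' -f $Portal

# Step 1: inbound connector, identified by sender IP, TLS required.
$inbound = @{
    Name = 'Avanan Inbound'; Comment = 'Avanan Inbound Connector'
    ConnectorType = 'Partner'; SenderDomains = '*'
    SenderIPAddresses = $Ips.Inbound; RequireTls = $true; Enabled = $true
}
New-InboundConnector @inbound

# Step 1: journaling outbound connector. EncryptionOnly corresponds to
# "Any digital certificate, including self-signed certificates".
$journaling = @{
    Name = 'Avanan Journaling Outbound'; Comment = 'Avanan Journaling Outbound connector'
    ConnectorType = 'OnPremises'; RecipientDomains = "$Portal-mail.avanan.net"
    SmartHosts = "$Portal-host.avanan.net"; UseMXRecord = $false
    TlsSettings = 'EncryptionOnly'; Enabled = $true
}
New-OutboundConnector @journaling
Validate-OutboundConnector -Identity $journaling.Name -Recipients $Journal

# Step 2: add the addresses to the default connection filter's IP Allow list.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $Ips.AllowList }

# Step 3: journal all messages to the portal's journaling address.
# The mailbox for undeliverable journal reports (see the note above) must be set first.
New-JournalRule -Name 'Avanan - Monitor' -JournalEmailAddress $Journal -Scope Global -Enabled $true

# Read back what was created so it can be compared with the steps above.
Get-InboundConnector  -Identity $inbound.Name      | Format-List Name, Enabled, RequireTls, SenderIPAddresses
Get-OutboundConnector -Identity $journaling.Name   | Format-List Name, Enabled, TlsSettings, SmartHosts
Get-JournalRule       -Identity 'Avanan - Monitor' | Format-List Name, Enabled, Scope, JournalEmailAddress
```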

 

Step 4: Create Inline Outbound Connectors

Outbound connector

  1. In the Exchange admin center, go to Mail Flow > connectors.
  2. Click the + icon to create a new connector.
  3. Enter this information as the connector details:
    1. For From, enter Office 365.
    2. For To, enter Partner organization.
    3. Click Next.
    4. For Name, enter Avanan Outbound.
    5. For Description (Optional), enter Avanan Outbound Connector.
    6. For What do you want to do after connector is saved?, select Turn it on.
    7. Click Next.
    8. For When do you want to use this connector?, select Only when I have a transport rule to set up that redirects messages to this connector.
    9. Click Next.
    10. For How do you want to route email messages?, select Route email through these smart hosts.
    11. Click the + icon to add a smart host: {portal}-host.avanan.net. Replace {portal} with your portal name.
    12. Click Save and then Next.
    13. For How should Office 365 connect to your partner organization's email server?, select Always use Transport Layer Security (TLS) to secure the connection.
    14. For Connect only if the recipient's email server certificate matches this criteria, select Any digital certificate, including self-signed certificates.
    15. Click Next.
    16. Confirm your settings before validation and click Next.
    17. Click the + icon and enter this address: {portal}@{portal}-mail.avanan.net. Replace {portal} with your portal name.
    18. Click Validate.

 

DLP Outbound connector

Similar to the Avanan Outbound connector, with the following changes:

  • For To, enter Your organization mail server (step 3.b).
  • For Name, enter Avanan DLP Outbound (step 3.d).
  • Smart host: {portal}-dlp.avanan.net. Replace {portal} with your portal name (step 3.k).

 

Step 5: Create Inline rules

Create “Avanan - Protect” Inline rule

Use a similar configuration to the first mail-flow rule with the following configurations:

  1. For Name, enter Avanan - Protect.
  2. For Apply this rule if..., add two conditions:
    1. First condition - The sender is located outside the organization.
    2. Second condition - The recipient is located inside the organization.

If necessary, add another condition and specify the groups that should be inline.

  3. For Do the following..., add two actions:
    1. First action - Set a message header:
      1. For Set the message header, enter this Key = X-CLOUD-SEC-AV-Info
      2. For to the value, enter this Value = {Portal},office365_emails,inline
    2. Second action - Use the following connector, select Avanan Outbound connector.
  4. For Except if..., add the following exception:
    1. Sender's IP address is in the range:
      1. If your data residency is in the United States, enter this IP address: 35.174.145.124
      2. If your data residency is in Europe, enter this IP address: 52.212.19.177
      3. If your data residency is in Canada, enter this IP address: 15.222.110.90

Note - If you have other inbound connectors using IP addresses, add their IP addresses to this list.

  5. Select the checkbox for Stop processing more rules.
  6. Click Save.
  7. Make sure that the Avanan - Protect rule is configured as described in the steps above.

 

 

Protecting Microsoft 365 Group Mailboxes 

To protect group mailboxes, add the mailboxes to the Protect rule as a recipient or as a member of a Distribution List in the scope of the rule.

 

Create “Avanan - Protect Outgoing” Inline rule

Similar to the Avanan Outbound connector, with the following changes:

  • For Apply this rule if..., add two conditions (step 2):
    • First condition - The sender is located inside the organization.
    • Second condition - The recipient is located outside the organization.
  • For Do the following..., add two actions (step 3):
    • First action - Set a message header:
      • For Set the message header, enter this Key = X-CLOUD-SEC-AV-Info
      • For to the value, enter this Value = {Portal},office365_emails,sent,inline
    • Second action - Use the following connector, select Avanan DLP Outbound connector.
  • For Except if..., add the following exception (step 4):
    • Sender's IP address is in the range:
      • If your data residency is in the United States, enter these IP addresses: 35.174.145.124, 3.214.204.181

 

Step 6: Transport Rules - Inline Mode

The purpose of the transport rule is to implement the inline mode for the users that need to be inline. Every time you change the scope of the inline policy (add or remove users/groups) you need to edit the scope of the transport rule accordingly.

 

Junk filter rule

To configure the Avanan Junk filter rule

  1. For Name, enter Avanan - Junk Filter.
  2. For Apply this rule if..., add two conditions:
    1. First condition - A message header matches these patterns, for the header enter X-CLOUD-SEC-AV-SCL, and for the text patterns enter true.
    2. Second condition - Sender's IP address is in the range:
      1. If your data residency is in the United States, enter this IP address: 35.174.145.124
      2. If your data residency is in Europe, enter this IP address: 52.212.19.177
      3. If your data residency is in Canada, enter this IP address: 15.222.110.90
  3. For Do the following…, select Modify the message properties and then set the spam confidence level (SCL).

 

Whitelist rule

To configure the Avanan whitelist rule

  1. For Name, enter Avanan - Whitelist.
  2. For Apply this rule if..., Sender's IP address is in the range:
    1. If your data residency is in the United States, enter this IP address: 35.174.145.124
    2. If your data residency is in Europe, enter this IP address: 52.212.19.177
    3. If your data residency is in Canada, enter this IP address: 15.222.110.90
  3. For Do the following..., set the spam confidence level (SCL) to...Bypass spam filtering.
  4. For Except if..., select A message header matches these text patterns.
  5. For text patterns, select X-CLOUD-SEC-AV-SCL header matches true.
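
The inline pieces from Steps 4 to 6 (the Avanan Outbound connector, the Avanan - Protect rule and the Avanan - Whitelist rule) as Exchange Online PowerShell, followed by a read-back check of the spam-bypass scope. This is an added example, not Avanan's code: it assumes an open Connect-ExchangeOnline session, the portal name customer-x and US data residency, and it leaves out the DLP objects and the junk filter rule.

```powershell
# Added example (not Avanan's code). Assumes an open Connect-ExchangeOnline session.
$Portal   = 'customer-x'       # portal name, taken from the page's own example
$AvananIp = '35.174.145.124'   # US data residency; other regions are listed on the page

# Step 4: outbound connector that is used only when a transport rule routes to it.
$outbound = @{
    Name = 'Avanan Outbound'; Comment = 'Avanan Outbound Connector'
    ConnectorType = 'Partner'; IsTransportRuleScoped = $true
    SmartHosts = "$Portal-host.avanan.net"; UseMXRecord = $false
    TlsSettings = 'EncryptionOnly'; Enabled = $true
}
New-OutboundConnector @outbound

# Step 5: tag external-to-internal mail and route it through the connector.
# The IP exception keeps mail arriving from the listed address from being routed again.
$protect = @{
    Name = 'Avanan - Protect'
    FromScope = 'NotInOrganization'; SentToScope = 'InOrganization'
    SetHeaderName = 'X-CLOUD-SEC-AV-Info'
    SetHeaderValue = "$Portal,office365_emails,inline"
    RouteMessageOutboundConnector = $outbound.Name
    ExceptIfSenderIpRanges = $AvananIp
    StopRuleProcessing = $true
}
New-TransportRule @protect

# Step 6: bypass spam filtering (SCL -1) for mail from the listed address,
# unless the X-CLOUD-SEC-AV-SCL header matches "true".
$whitelist = @{
    Name = 'Avanan - Whitelist'
    SenderIpRanges = $AvananIp; SetSCL = -1
    ExceptIfHeaderMatchesMessageHeader = 'X-CLOUD-SEC-AV-SCL'
    ExceptIfHeaderMatchesPatterns = 'true'
}
New-TransportRule @whitelist

# Read-back check: the bypass rule should cover exactly the one expected address.
$rule   = Get-TransportRule -Identity $whitelist.Name
$ranges = @($rule.SenderIpRanges)
if ($ranges.Count -ne 1 -or $ranges[0] -ne $AvananIp) {
    Write-Warning "Unexpected spam-bypass scope on '$($rule.Name)': $($ranges -join ', ')"
}
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```

In manual mode the same read-back is worth repeating after every change to the inline policy scope, because the rules are not updated from the portal.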