Connect Microsoft Exchange and

Enterprise DLP

Contact your email domain provider to update your SFP record to add the required
Enterprise DLP
service IP addresses.
Add the IP addresses for the region where your email domain is hosted. You can update your SFP record with multiple regional IP addresses if you have email domains hosted in multiple regions.
APAC
—
35.186.151.226
and
34.87.43.120
E.U
—
34.141.90.172
and
34.107.47.119
U.S
—
34.168.197.200
and
34.83.143.116
(
Best Practices
) Confirm that Active Directory is properly configured so email senders have a manager to approve or reject quarantined emails.
Microsoft Exchange Active Directory is required to assign a manager to a sender. You can create a transport rule to quarantine and send the email for approval by the sender's manager. To successfully quarantine a sender's email if sensitive data is detected by
Enterprise DLP
, a sender must have a manager assigned.
If no manager is assigned to a user, then the quarantined email is sent to the recipient because no manager is assigned to approve or reject the email.
(
Best Practices
) Save Evidence for Investigative Analysis with Enterprise DLP.
Palo Alto Networks recommends configuring evidence storage so you can download emails for investigative analysis when your review Email DLP incidents.
Set up the Cloud Identity Engine (CIE).
CIE is recommended so you can create targeted Email DLP policies.
Create the Microsoft Exchange connectors and transport rules, and create the Email DLP Policy.
Palo Alto Networks recommends setting up all connectors, transport rules and Email DLP policies to ensure enforcements begins as soon as you successfully connect Microsoft Exchange Online to
Enterprise DLP
.
Create a Microsoft Exchange Outbound Connector
The outbound connector controls the flow of emails forwarded from Microsoft Exchange to
Enterprise DLP
.
Create a Microsoft Exchange Inbound Connector
The inbound connector controls the flow of emails forwarded to
Enterprise DLP
back to Microsoft Exchange.
Create Microsoft Exchange Transport Rules
Transport rules allows Microsoft Exchange to forward emails to
Enterprise DLP
and establishes the actions Microsoft Exchange takes based on the hosted quarantine, admin approval, manager approval, encrypt, or block transport rules verdicts rendered by
Enterprise DLP
.
Add a Enterprise DLP Email Policy
The DLP email policy specifies the incident severity and the action
Enterprise DLP
takes when matching traffic is inspected and sensitive data is detected.
Obtain Your Microsoft Exchange Domain and Relay Host.
Log in to
Strata Cloud Manager
.
Select
Manage
Configuration
SaaS Security
Settings
Apps Onboarding
.
Search for
Exchange
and click
Microsoft Exchange
.

In the
Email DLP Instance
, click
Add Instance
.
In the
Setup Connectors and Rules
page, click
Continue to Next Section
since you have already configured the outbound connector, inbound connector, and transport rules.
In the
Configure Smart Host
page, add the email domains and relay hosts.
Adding one or more email domains and relay hosts is required to ensure emails inspected by
Enterprise DLP
are successfully forwarded back to Microsoft Exchange.
Enter an
Email Domain
and its corresponding
Relay Host
you obtained in the previous step.
Obtain Your Microsoft Exchange Domain and Relay Host if you don't have the Microsoft Exchange email domain and relay host immediately available.
(
Optional
)
Add
any additional email domains and relay hosts as needed.
Connect
.
Microsoft Exchange is now successfully connected and onboarded.

Configure the Email DLP settings.
Snippet Settings for
SaaS Security
(Email DLP Only)
Policy Evaluation Timeout Settings for
SaaS Security
(Email DLP Only)
Evidence Storage