Create a Microsoft Exchange Proofpoint Server Connector

Prepare your Proofpoint server to encrypt emails inspected by
Enterprise DLP
.
Enable DKIM signing for your Proofpoint server.
When enabling DKIM signing, you must also select
Enabled for the domain
.
Additionally, keep a record of your DKIM public key. This is required when updating your domain host records.
Contact your email domain provider to update your SPF record.
Add your Proofpoint IP address to your SPF record.
This is required to forward emails to Proofpoint for encryption. Skip this step if you have already updated your SPF record with your Proofpoint IP address.
Add the DKIM public key to your domain host records.
Log in to the Microsoft Exchange Admin Center.
Select
Mail flow
Connectors
and
Add a connector
to launch the Microsoft Exchange Connector wizard.
Specify the connector source and destination.
For
Connection from
, select
Office 365
.
For
Connection to
, select
Partner organization
.
A partner can be any third-party cloud service that provides services such as services, such as data protection. In this case, the third-party partner organization is Palo Alto Networks.
Click
Next
.
Name the Microsoft Exchange connector.
Enter a descriptive
Name
for the connector.
(
Optional
) Enter a
Description
for the connector.
(
Best Practices
) For
What do you want to do after connector is saved?
, check (enable)
Turn it on
.
Enable this to automatically turn on the connector after you have finished creating and saved the new Microsoft Exchange connector.
Click
Next
.
To specify when the connector should be used, select
Only when I have a transport rule set up that redirects messages to this connector
and click
Next
.
To configure the route settings for your Proofpoint server, check (enable)
Route email through these smart hosts
to add the Proofpoint server smart host Fully Qualified Domain Name (FQDN) and click
Next
.
Specify the security restrictions for the connector.
Check (enable)
Always use Transport Layer Security (TLS) to secure the connection
.
This is required to successfully forward emails for inspection. Disabling this setting causes the connector connection to be rejected.
Select
Issued by a trusted certificate authority (CA)
.
Click
Next
.
Add a validation email.
A valid email address associated with the email domain used by your organization. This is required to validate connectivity between the Microsoft Exchange Admin Center and the Palo Alto Networks smart host, and that emails can be successfully delivered.
Add a valid email address for validation.
Validate
.
The Microsoft Exchange validation tests take a few minutes to complete.
Under the
Task
, verify that the
Check connectivity
validation test status to the
Enterprise DLP
FQDN displays
Succeed
.
Click
Done
.
When prompted to confirm whether to proceed without successful validation, click
Yes, proceed
.
Review the connector details and
Create Connector
.
Click
Done
when prompted that the outbound connector was successfully created.
Back in the Connectors page, verify the outbound connector is displayed and that the
Status
is
On
.
Create the Microsoft Exchange outbound and inbound connectors if not already created.
The outbound connector is required to control the flow of emails forwarded from Microsoft Exchange Online to
Enterprise DLP
for inline inspection The inbound connector is required to return emails forwarded to
Enterprise DLP
for inspection back to Microsoft Exchange.
Skip this step if you have already created the outbound and inbound connectors.
Create Microsoft Exchange Transport Rules.
After you successfully created the Microsoft Exchange connectors, you must create Microsoft Exchange transports rule to forward emails to and from
Enterprise DLP
, and to specify what actions Microsoft Exchange takes based on the
Enterprise DLP
verdicts.