Enterprise DLP
Create Microsoft Exchange Connectors
Table of Contents
Create Microsoft Exchange Connectors
Create an outbound and inbound Microsoft Exchange Online Connector to forward and
return outbound emails sent from Microsoft Exchange to and from
Enterprise Data Loss Prevention (E-DLP)
for
inline inspection of emails. Where Can I Use This? | What Do I Need? |
---|---|
|
|
To prevents sensitive data exfiltration contained in outbound emails using
Enterprise Data Loss Prevention (E-DLP)
, you must create outbound and inbound Microsoft Exchange
Online connector to control the flow of emails forwarded from Microsoft Exchange
Online to Enterprise DLP
. The outbound connector controls the flow of outbound
emails from Microsoft Exchange to Enterprise DLP
for inspection and verdict
rendering. The inbound connector to return emails forwarded to Enterprise DLP
back to Microsoft Exchange and instruct Microsoft Exchange to take action based on
the transport rule.Create a Microsoft Exchange Outbound Connector
Create an outbound Microsoft Exchange Online Connector to connect Microsoft Exchange
with
Enterprise Data Loss Prevention (E-DLP)
for inline inspection of emails. - SelectandMail flowConnectorsAdd a connectorto launch the Microsoft Exchange Connector wizard.
- Specify the connector source and destination.
- ForConnection from, selectOffice 365.
- ForConnection to, selectPartner organization.A partner can be any third-party cloud service that provides services such as services, such as data protection. In this case, the third-party partner organization is Palo Alto Networks.
- ClickNext.
- Name the Microsoft Exchange connector.
- Enter a descriptiveNamefor the connector.
- (Optional) Enter aDescriptionfor the connector.
- (Best Practices) ForWhat do you want to do after connector is saved?, check (enable)Turn it on.Enable this to automatically turn on the connector after you have finished creating and saved the new Microsoft Exchange connector.
- ClickNext.
- To specify when the connector should be used, selectOnly when I have a transport rule set up that redirects messages to this connectorand clickNext.Using the connector only when a transport rule exists enables fine-grained control of what action to take when an email contains sensitive data. By select this option, Microsoft Exchange enforces action on emails based on the action specified in theEnterprise DLPdata profile.
- To configure the route settings for emails, check (enable)Route email through these smart hoststo add the following smart host Fully Qualified Domain Name (FQDN) and clickNext.The FQDN specifies the region where emails are forwarded to the DLP cloud service for inspection and verdict rendering. This also generates and displays Email DLP incidents in the specified region. All processes and data related to Email DLP occur and are stored in this region.
- United States—mail.us-west1.email.dlp.paloaltonetworks.comEurope—mail.europe-west3.email.dlp.paloaltonetworks.comAPAC—mail.asia-southeast1.email.dlp.paloaltonetworks.com
- Specify the security restrictions for the connector.
- Check (enable)Always use Transport Layer Security (TLS) to secure the connection.This is required to successfully forward emails for inspection. Disabling this setting causes the connector connection to be rejected.
- SelectIssued by a trusted certificate authority (CA).
- Check (enable)Add the subject name or subject alternative (SAM) matches to this domain:and add the following domain name.Adding the subject name is required for positive identification of the Palo Alto Networks DLP cloud service. The CA issuer FQDN you add must match the email routing FQDN you added in the previous step.
- United States—mail.us-west1.email.dlp.paloaltonetworks.comEurope—mail.europe-west3.email.dlp.paloaltonetworks.comAPAC—mail.asia-southeast1.email.dlp.paloaltonetworks.com
- ClickNext.
Add a validation email.A valid email address associated with the email domain used by your organization. This is required to validate connectivity between the Microsoft Exchange Admin Center and the Palo Alto Networks smart host, and that emails can be successfully delivered.- Add a valid email address for validation.
- Validate.The Microsoft Exchange validation tests take a few minutes to complete.
- Under theTask, verify that theCheck connectivityvalidation test status to theEnterprise DLPFQDN displaysSucceed.It is expected that the following errors occur when adding the validation email.
- Validation failederror is displayed.
- TheSend test emailvalidation test status displaysFailed.
Enterprise DLP. - ClickDone.
- When prompted to confirm whether to proceed without successful validation, clickYes, proceed.
Review the connector details andCreate Connector.ClickDonewhen prompted that the outbound connector was successfully created.Back in the Connectors page, verify the outbound connector is displayed and that theStatusisOn.Create the Microsoft Exchange inbound connector if not already created.The inbound connector is required to return emails forwarded toEnterprise DLPfor inspection back to Microsoft Exchange.Skip this step if you have already created the inbound connector.After you successfully created the Microsoft Exchange connectors, you must create Microsoft Exchange transports rule to forward emails to and fromEnterprise DLP, and to specify what actions Microsoft Exchange takes based on theEnterprise DLPverdicts.
Create a Microsoft Exchange Inbound ConnectorCreate an inbound Microsoft Exchange Online Connector to return emails forwarded toEnterprise Data Loss Prevention (E-DLP)for inline inspection back to Microsoft Exchange.- SelectandMail flowConnectorsAdd a connectorto launch the Microsoft Exchange Connector wizard.
- Specify the connector source and destination.
- ForConnection from, selectYour organization's email server.
- ClickNext.
- Name the Microsoft Exchange connector.
- Enter a descriptiveNamefor the connector.
- (Optional) Enter aDescriptionfor the connector.
- (Best Practices) ForWhat do you want to do after connector is saved?, check (enable)Turn it on.Enable this to automatically turn on the connector after you have finished creating and saved the new Microsoft Exchange connector.
- ClickNext.
- Specify the authentication IP addresses that Microsoft Exchange uses to verifyEnterprise DLP.The authentication IP addresses are required so thatEnterprise DLPcan forward emails back to Microsoft Exchange.
- SelectBy verifying that the IP address of the sending server matches one of the following IP address, which belong to your partner organization.
- Add the following to IP addresses.Add the IP addresses for the region where your email domain is hosted. You can add multiple regional IP addresses if you have email domains hosted in multiple regions.
- APAC—35.186.151.226and34.87.43.120
- E.U—34.141.90.172and34.107.47.119
- U.S—34.168.197.200and34.83.143.116
- Review the connector details andCreate Connector.ClickDonewhen prompted that the inbound connector was successfully created.
- Back in the Connectors page, verify the inbound connector is displayed and that theStatusisOn.
- Create the Microsoft Exchange outbound connector if not already created.The outbound connector is required to control the flow of emails forwarded from Microsoft Exchange Online toEnterprise DLPfor inline inspection.Skip this step if you have already created the outbound connector.
- After you successfully created the Microsoft Exchange connectors, you must create Microsoft Exchange transports rule to forward emails toEnterprise DLP, and to specify what actions Microsoft Exchange takes based on theEnterprise DLPverdicts.
Create a Microsoft Exchange Proofpoint Server ConnectorCreate a Microsoft Exchange Connector for your Proofpoint server to forward emails for encryption afterEnterprise Data Loss Prevention (E-DLP)inspection and verdict rendering.- Prepare your Proofpoint server to encrypt emails inspected byEnterprise DLP.
- Enable DKIM signing for your Proofpoint server.When enabling DKIM signing, you must also selectEnabled for the domain.Additionally, keep a record of your DKIM public key. This is required when updating your domain host records.
- Contact your email domain provider to update your SPF record.
- Add your Proofpoint IP address to your SPF record.This is required to forward emails to Proofpoint for encryption. Skip this step if you have already updated your SPF record with your Proofpoint IP address.
- Add the DKIM public key to your domain host records.
- SelectandMail flowConnectorsAdd a connectorto launch the Microsoft Exchange Connector wizard.
- Specify the connector source and destination.
- ForConnection from, selectOffice 365.
- ForConnection to, selectPartner organization.A partner can be any third-party cloud service that provides services such as services, such as data protection. In this case, the third-party partner organization is Palo Alto Networks.
- ClickNext.
- Name the Microsoft Exchange connector.
- Enter a descriptiveNamefor the connector.
- (Optional) Enter aDescriptionfor the connector.
- (Best Practices) ForWhat do you want to do after connector is saved?, check (enable)Turn it on.Enable this to automatically turn on the connector after you have finished creating and saved the new Microsoft Exchange connector.
- ClickNext.
- To specify when the connector should be used, selectOnly when I have a transport rule set up that redirects messages to this connectorand clickNext.
- To configure the route settings for your Proofpoint server, check (enable)Route email through these smart hoststo add the Proofpoint server smart host Fully Qualified Domain Name (FQDN) and clickNext.
- Specify the security restrictions for the connector.
- Check (enable)Always use Transport Layer Security (TLS) to secure the connection.This is required to successfully forward emails for inspection. Disabling this setting causes the connector connection to be rejected.
- SelectIssued by a trusted certificate authority (CA).
- ClickNext.
- Add a validation email.A valid email address associated with the email domain used by your organization. This is required to validate connectivity between the Microsoft Exchange Admin Center and the Palo Alto Networks smart host, and that emails can be successfully delivered.
- Add a valid email address for validation.
- Validate.The Microsoft Exchange validation tests take a few minutes to complete.
- Under theTask, verify that theCheck connectivityvalidation test status to theEnterprise DLPFQDN displaysSucceed.
- ClickDone.
- When prompted to confirm whether to proceed without successful validation, clickYes, proceed.
- Review the connector details andCreate Connector.ClickDonewhen prompted that the outbound connector was successfully created.
- Back in the Connectors page, verify the outbound connector is displayed and that theStatusisOn.
- Create the Microsoft Exchange outbound and inbound connectors if not already created.The outbound connector is required to control the flow of emails forwarded from Microsoft Exchange Online toEnterprise DLPfor inline inspection The inbound connector is required to return emails forwarded toEnterprise DLPfor inspection back to Microsoft Exchange.Skip this step if you have already created the outbound and inbound connectors.
- After you successfully created the Microsoft Exchange connectors, you must create Microsoft Exchange transports rule to forward emails to and fromEnterprise DLP, and to specify what actions Microsoft Exchange takes based on theEnterprise DLPverdicts.