Enterprise DLP Administrator’s Guide
    : Create a Microsoft Exchange Outbound Connector
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Enterprise DLP Administrator’s Guide
    4. Configure Enterprise DLP
    5. Email DLP
    6. Onboard Microsoft Exchange Online
    7. Create a Microsoft Exchange Outbound Connector
    Download PDF

    Enterprise DLP Administrator’s Guide

    Create a Microsoft Exchange Outbound Connector

    Table of Contents

    Create a Microsoft Exchange Outbound Connector

    Create an outbound Microsoft Exchange Online Connector to connect Microsoft Exchange with
    Enterprise Data Loss Prevention (E-DLP)
     for inline inspection of emails.
    Where Can I Use This?
    What Do I Need?
    • Strata Cloud Manager
    • Enterprise Data Loss Prevention (E-DLP)
       license
    • Data Security
       license
    • Prisma Access
       license
    • AIOps for NGFW Premium
       license
    • AIOps for NGFW Free
       license
    To prevents sensitive data exfiltration contained in outbound emails using
    Enterprise Data Loss Prevention (E-DLP)
    , you must create an outbound connector to control the flow of emails forwarded from Microsoft Exchange Online to
    Enterprise DLP
    .
    2. Select
      Mail flow
      Connectors
       and
      Add a connector
       to launch the Microsoft Exchange Connector wizard.
    3. Specify the connector source and destination.
      1. For
        Connection from
        , select
        Office 365
        .
      2. For
        Connection to
        , select
        Partner organization
        .
        A partner can be any third-party cloud service that provides services such as services, such as data protection. In this case, the third-party partner organization is Palo Alto Networks.
      3. Click
        Next
        .
    4. Name the Microsoft Exchange connector.
      1. Enter a descriptive
        Name
         for the connector.
      2. (
        Optional
        ) Enter a
        Description
         for the connector.
      3. (
        Best Practices
        ) For
        What do you want to do after connector is saved?
        , check (enable)
        Turn it on
        .
        Enable this to automatically turn on the connector after you have finished creating and saved the new Microsoft Exchange connector.
      4. Click
        Next
        .
    5. To specify when the connector should be used, select
      Only when I have a transport rule set up that redirects messages to this connector
       and click
      Next
      .
      Using the connector only when a transport rule exists enables fine-grained control of what action to take when an email contains sensitive data. By select this option, Microsoft Exchange enforces action on emails based on the action specified in the
      Enterprise DLP
       data profile.
    6. To configure the route settings for emails, check (enable)
      Route email through these smart hosts
       to add the following smart host Fully Qualified Domain Name (FQDN) and click
      Next
      .
      The FQDN specifies the region where emails are forwarded to the DLP cloud service for inspection and verdict rendering. This also generates and displays Email DLP incidents in the specified region. All processes and data related to Email DLP occur and are stored in this region.
      • United States
        mail.us-west1.email.dlp.paloaltonetworks.com
      • Europe
        mail.europe-west3.email.dlp.paloaltonetworks.com
      • APAC
        mail.asia-southeast1.email.dlp.paloaltonetworks.com
    7. Specify the security restrictions for the connector.
      1. Check (enable)
        Always use Transport Layer Security (TLS) to secure the connection
        .
        This is required to successfully forward emails for inspection. Disabling this setting causes the connector connection to be rejected.
      2. Select
        Issued by a trusted certificate authority (CA)
        .
      3. Check (enable)
        Add the subject name or subject alternative (SAM) matches to this domain:
         and add the following domain name.
        Adding the subject name is required for positive identification of the Palo Alto Networks DLP cloud service. The CA issuer FQDN you add must match the email routing FQDN you added in the previous step.
        • United States
          mail.us-west1.email.dlp.paloaltonetworks.com
        • Europe
          mail.europe-west3.email.dlp.paloaltonetworks.com
        • APAC
          mail.asia-southeast1.email.dlp.paloaltonetworks.com
      4. Click
        Next
        .
    8. Add a validation email.
      A valid email address associated with the email domain used by your organization. This is required to validate connectivity between the Microsoft Exchange Admin Center and the Palo Alto Networks smart host, and that emails can be successfully delivered.
      1. Add a valid email address for validation.
      2. Validate
        .
        The Microsoft Exchange validation tests take a few minutes to complete.
      3. Under the
        Task
        , verify that the
        Check connectivity
         validation test status to the
        Enterprise DLP
         FQDN displays
        Succeed
        .
        It is expected that the following errors occur when adding the validation email.
        • Validation failed
           error is displayed.
        • The
          Send test email
           validation test status displays
          Failed
          .
        These do not prevent you from creating the outbound connector and do not impact email forwarding to
        Enterprise DLP
        .
      4. Click
        Done
        .
      5. When prompted to confirm whether to proceed without successful validation, click
        Yes, proceed
        .
    9. Review the connector details and
      Create Connector
      .
      Click
      Done
       when prompted that the outbound connector was successfully created.
    10. Back in the Connectors page, verify the outbound connector is displayed and that the
      Status
       is
      On
      .
    11. The inbound connector is required to return emails forwarded to
      Enterprise DLP
       for inspection back to Microsoft Exchange.
      Skip this step if you have already created the inbound connector.
    12. After you successfully created the Microsoft Exchange connector, you must create Microsoft Exchange transports rule to forward emails to and from
      Enterprise DLP
      , and to specify what actions Microsoft Exchange takes based on the
      Enterprise DLP
       verdicts.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.