You can configure Microsoft Office 365 with the Barracuda Email Security Service as your inbound and/or outbound mail gateway.
If you make changes to the settings, allow a few minutes for the changes to take effect.
Office 365 IP addresses and user interfaces can change; refer to Microsoft documentation for configuration details.
Time Requirement
After you update your MX records, you must wait at least 24-48 hours before starting work on Step 4 below so that your emails are not rejected. Plan accordingly.
You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Office 365 account. The Barracuda Email Security Service filters out spam and viruses, then passes the mail on to the Office 365 mail servers. Use the Configure Inbound Mail Flow instructions below to configure.
You can also specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your Office 365 account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out spam and viruses before final delivery. By configuring Office 365 as described in Configure Outbound Mail Flow below, you instruct the Office 365 mail servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server).
Step 1. Launch the Barracuda Email Security Service Setup Wizard
Before you launch the wizard, verify you have the following:
Note that you cannot reopen the wizard after you close or complete it.
Log into Barracuda Cloud Control. On the left side, select Email Security.
The Email Security wizard launches. Click Next.
Select the Region for your Data Center. Then click Get Started.
After you select your region, you cannot change it.
- Enter the primary email domain you want to protect with Barracuda Email Security Service. Then click Next.
- The system automatically retrieves your current MX records and auto-fills that information as your Destination Server. If this is not the correct Destination Server, click Remove and add the Destination Server with the correct data.
If you want to add additional servers, enter data for those servers now.
After you properly configure the Destination Server, enter a valid User Name to test the mail server connection.
After you have determined that the settings are correct, click Next.
- Select your settings, accepting the default values or making changes if needed, then click Next.
- Barracuda Networks recommends waiting to configure outbound filtering until your inbound mail is fully cut over.
You will set up your Outbound Settings later.
Select the second option on this screen, then click Next to continue.
Barracuda Networks recommends verifying your domain via MX records with Priority 99. If you do not want to update MX records now, check the box and select a different method.
In the first case, click Verify MX Records. Otherwise, click Confirm Validation.
Note that after verifying your domain, any mail sent to your domain from another Barracuda ESS customer will be processed normally by your ESS account and not delivered via MX records.
When the verification is successful, click Next.
If the verification is not successful, a message appears, letting you know that the domain could not be verified.
If you are having DNS issues that you want to address, click Skip to exit the wizard. Behind the wizard, click the Domains tab to retry the validation.
- Click Finish to finalize the setup and close the wizard.
Step 2. Add Additional Email Domains (Optional)
You configured your primary email domain in Step 3 of the wizard, above.
Use the steps in the following section if you want to protect additional domains with Barracuda Email Security Service. If you are only protecting one domain, continue below with Step 3.
Obtain the hostname:
- Log into the Office 365 admin center.
- In the left pane, click Settings > Domains.
- In the Domains table, click on your domain.
- Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com
Enter the hostname:
Barracuda Networks recommends using a hostname rather than an IP address so that you can move the destination mail server and update DNS records without making changes to the Barracuda Email Security Service configuration. This address indicates where the Barracuda Email Security Service should direct inbound mail from the Internet to your Office 365 Exchange server. For example, your domain displays to the Internet as: bess-domain.mail.protection.outlook.com
- Log into the Barracuda Cloud Control as administrator. In the left panel, click Email Security. Select the Domains tab, then click Add Domain.
- Enter the domain name and destination mail server hostname obtained from your Office 365 account:
- Click Add Domain; the Domain Settings page displays, listing the new domain.
- Verify that the domain is yours. Follow the instructions in How to Set Up MX Records for Domain Verification. Make sure that you see that the domain is successfully verified, then return to this page.
Repeat these steps, as needed, for additional Office 365 domains before continuing with Step 3 below.
Step 3. Create Transport Rule to Bypass Spam Filtering
Log into the Office 365 admin center, and go to Admin centers > Exchange.
- In the left pane, click mail flow, and click rules.
- Click the + symbol, and click Bypass spam filtering:
- In the new rule page, enter a Name to represent the rule.
- From the Apply this rule drop-down menu, select The sender > IP address is in any of these ranges or exactly matches:
- In the specify IP address ranges page, enter the IP address/range for the Sender (Barracuda Email Security Service). For example, if you are in the US region, type 64.235.144.0/20.
For other regions, refer to the IP addresses listed in Barracuda Email Security Service IP Ranges. If your region has only one IP address range, you can skip ahead to Step 8 below.
- If there is more than one IP address or range, click the + symbol, then type the next IP address or range. For example, for the US region, type 209.222.80.0/21, and click the + symbol:
- Click OK, and click Save to create the transport rule.
- Click the Edit icon for the rule, scroll to the Properties of this rule section, and in the Priority field, type 0.
Click Save.
Step 4. Restrict Inbound Mail to the Barracuda Email Security Service IP Range
Time Requirement
It is essential that you wait at least 24-48 hours after you update your MX records before you begin working on the steps in this section. That time is needed for the records to propagate so your email will not be rejected.
The steps in this section enhance the security of the connection between Barracuda Email Security Service and Office 365. They allow inbound email to come only from the Barracuda system.
- Install Exchange Online module.
- If you have already installed Exchange Online module, proceed to the next step.
- To install Exchange Online module, open Windows PowerShell as an administrator and enter the following command:
Install-Module -Name ExchangeOnlineManagement
- Connect to Exchange Online PowerShell and log in with your Office 365 administrator account using the following command:
- Find the correct IP range based on the region selected when setting up your Barracuda Email Security Service instance. Refer to the Barracuda Email Security Service IP Ranges for the IP ranges corresponding to your region.
After you connect to Exchange Online PowerShell, run the appropriate PowerShell script based on your region:
PowerShell Script for the Australia Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 3.24.133.128/25 -RestrictDomainstoIPAddresses $true
PowerShell Script for the Canada Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 15.222.16.128/25 -RestrictDomainstoIPAddresses $true
PowerShell Script for the German Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 35.157.190.224/27,18.185.115.192/26,18.184.203.224/27 -RestrictDomainstoIPAddresses $true
PowerShell Script for the UK Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 35.176.92.96/27,18.133.136.128/26,18.133.136.96/27 -RestrictDomainstoIPAddresses $true
PowerShell Script for the US Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 64.235.144.0/24,64.235.145.0/24,64.235.146.0/24,64.235.147.0/24,64.235.148.0/24,64.235.149.0/24,64.235.150.0/24,64.235.151.0/24,64.235.152.0/24,64.235.153.0/24,64.235.154.0/24,64.235.155.0/24,64.235.156.0/24,64.235.157.0/24,64.235.158.0/24,64.235.159.0/24,209.222.80.0/24,209.222.81.0/24,209.222.82.0/24,209.222.83.0/24,209.222.84.0/24,209.222.85.0/24,209.222.86.0/24,209.222.87.0/24 -RestrictDomainstoIPAddresses $true
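One way to confirm that the connector created above enforces what this step intends, as an added example that is not part of the Barracuda documentation. The helper names are hypothetical, the sample connector object is constructed, and the expected ranges are the US ranges given in Step 3.

```powershell
# Added example: audit an inbound connector object against the settings in Step 4.
# All function names here are hypothetical helpers, not Exchange Online cmdlets.

function ConvertTo-IPv4Int64 {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    $n = [int64]0
    foreach ($b in $bytes) { $n = $n * 256 + $b }   # big-endian accumulate
    return $n
}

function Test-CidrInCidr {
    # True when the Child range lies entirely inside the Parent range.
    param([Parameter(Mandatory)][string]$Child, [Parameter(Mandatory)][string]$Parent)
    $cIp, $cLen = $Child -split '/'
    $pIp, $pLen = $Parent -split '/'
    if ($null -eq $cLen) { $cLen = 32 }             # a bare address is a /32
    if ($null -eq $pLen) { $pLen = 32 }
    if ([int]$cLen -lt [int]$pLen) { return $false } # child is wider than parent
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$pLen))
    return ((ConvertTo-IPv4Int64 $cIp) -band $mask) -eq ((ConvertTo-IPv4Int64 $pIp) -band $mask)
}

function Test-BarracudaInboundConnector {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Connector,
        [Parameter(Mandatory)][string[]]$AllowedRanges
    )
    process {
        $findings = @()
        if (-not $Connector.Enabled) { $findings += 'Connector is disabled' }
        if ("$($Connector.ConnectorType)" -ne 'Partner') { $findings += 'ConnectorType is not Partner' }
        if (-not $Connector.RequireTls) { $findings += 'RequireTls is off: mail may arrive unencrypted' }
        if (-not $Connector.RestrictDomainsToIPAddresses) {
            $findings += 'RestrictDomainsToIPAddresses is off: senders outside the listed ranges are not rejected'
        }
        # Live objects report the wildcard as "smtp:*;1"; accept that form and a bare "*".
        if (-not (@($Connector.SenderDomains) -match '(^|:)\*(;|$)')) {
            $findings += 'SenderDomains does not cover all domains (*)'
        }
        $entries = @($Connector.SenderIPAddresses)
        if ($entries.Count -eq 0) { $findings += 'No SenderIPAddresses configured' }
        foreach ($entry in $entries) {
            $inside = $false
            foreach ($range in $AllowedRanges) {
                if (Test-CidrInCidr -Child "$entry" -Parent $range) { $inside = $true; break }
            }
            if (-not $inside) { $findings += "Sender range $entry is outside the expected Barracuda ranges" }
        }
        [pscustomobject]@{
            Name      = $Connector.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample shaped like Get-InboundConnector output. It deliberately has
# the IP restriction switched off and one range that is not a Barracuda range.
$sample = [pscustomobject]@{
    Name                         = 'Barracuda Inbound Connector'
    Enabled                      = $true
    ConnectorType                = 'Partner'
    RequireTls                   = $true
    RestrictDomainsToIPAddresses = $false
    SenderDomains                = @('smtp:*;1')
    SenderIPAddresses            = @('64.235.144.0/24', '209.222.87.0/24', '203.0.113.0/24')
}
$usRanges = '64.235.144.0/20', '209.222.80.0/21'    # US ranges from Step 3 of this page
$sample | Test-BarracudaInboundConnector -AllowedRanges $usRanges | Format-List

# Against the live tenant, after Connect-ExchangeOnline:
# Get-InboundConnector -Identity 'Barracuda Inbound Connector' |
#     Test-BarracudaInboundConnector -AllowedRanges $usRanges
```

For another region, pass the ranges listed for that region in Barracuda Email Security Service IP Ranges as -AllowedRanges.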
Step 5. Configure Sender Policy Framework for Outbound Mail
To ensure that Barracuda Networks is the authorized sending mail service for outbound mail from your Barracuda Email Security Service, add the following to the INCLUDE line of the Sender Policy Framework (SPF) record for your sending mail server, for each domain sending outbound mail. Select the relevant SPF INCLUDE based on the region you selected for your Barracuda Email Security Service:
AU (Australia)
include:spf.ess.au.barracudanetworks.com -all
CA (Canada)
include:spf.ess.ca.barracudanetworks.com -all
DE (Germany)
include:spf.ess.de.barracudanetworks.com -all
UK (United Kingdom)
include:spf.ess.uk.barracudanetworks.com -all
US (United States)
include:spf.ess.barracudanetworks.com -all
For more information, see Sender Authentication.
- If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance. For example:
include:spf.ess.barracudanetworks.com -all
- If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARD Fail SPF for your domain based on your Barracuda Email Security Service instance. For example:
v=spf1 include:spf.ess.barracudanetworks.com -all
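The two cases above (editing an existing SPF record, or creating one) as an added example that is not part of the Barracuda documentation. Get-SpfRecord and Add-SpfInclude are hypothetical helpers and the TXT data is constructed; the lookup count and the redirect warning go beyond what this page covers and follow the SPF specification (RFC 7208).

```powershell
# Added example: build the SPF value for Step 5 from a domain's current TXT records.

function Get-SpfRecord {
    # Returns the single SPF record among the TXT strings, or '' when there is none.
    param([string[]]$TxtStrings = @())
    $spf = @($TxtStrings | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -gt 1) {
        throw "Found $($spf.Count) SPF records; a domain must publish exactly one"
    }
    if ($spf.Count -eq 1) { return $spf[0] }
    return ''
}

function Add-SpfInclude {
    param(
        [AllowEmptyString()][string]$Record = '',
        [Parameter(Mandatory)][string]$IncludeHost
    )
    $terms = @()
    if (-not [string]::IsNullOrWhiteSpace($Record)) {
        $terms = @($Record.Trim() -split '\s+')
        if ($terms[0] -ne 'v=spf1') { throw "Not an SPF record: $Record" }
        $terms = @($terms | Select-Object -Skip 1)
    }

    # Drop any existing "all" mechanism (+all, ~all, ?all, -all); the record must end
    # with exactly one, and this page specifies the hard-fail form, -all.
    $kept = @($terms | Where-Object { $_ -notmatch '^[+~?-]?all$' })
    if ($kept -notcontains "include:$IncludeHost") { $kept += "include:$IncludeHost" }

    # Terms that cost a DNS lookup when the record is evaluated. Only top-level terms
    # are counted here; each included record adds its own lookups to the total of 10.
    $lookups = @($kept | Where-Object {
        $_ -match '^[+~?-]?(include:|exists:|(a|mx|ptr)([:/]|$))|^redirect='
    }).Count

    $warnings = @()
    if ($lookups -gt 10) {
        $warnings += "$lookups lookup terms exceed the SPF limit of 10; receivers return permerror"
    }
    if ($kept -match '^redirect=') {
        $warnings += 'redirect= is ignored once an "all" mechanism is present'
    }

    [pscustomobject]@{
        Record         = (@('v=spf1') + $kept + '-all') -join ' '
        DnsLookupTerms = $lookups
        Warnings       = $warnings
    }
}

$barracudaUs = 'spf.ess.barracudanetworks.com'   # US include from this page

# Constructed TXT data for a domain that already authorizes Office 365 with a soft fail.
$txt = @('MS=ms00000000', 'v=spf1 include:spf.protection.outlook.com ~all')
Add-SpfInclude -Record (Get-SpfRecord -TxtStrings $txt) -IncludeHost $barracudaUs | Format-List

# Domain with no SPF record yet (the second case above).
Add-SpfInclude -Record (Get-SpfRecord -TxtStrings @('MS=ms00000000')) -IncludeHost $barracudaUs | Format-List

# Live TXT data can be supplied instead (example.com is a placeholder):
# $txt = Resolve-DnsName -Name example.com -Type TXT | ForEach-Object { $_.Strings -join '' }
```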
Step 6. Configure User Accounts and User Lists
Expand and complete the steps in the appropriate section, based on your organization's setup.
If you make setting changes, allow a few minutes for the changes to take effect.
Sender authentication and recipient verification are a critical part of maintaining security of email flowing into and out of your organization. By identifying known trusted senders and recipients of email, you can block a large percentage of spam, viruses and malware from your network. Once you have entered information about your LDAP server, click Test Settings on the Domain Settings page to ensure that the Barracuda Email Security Service can communicate with the server. LDAP server types supported include Active Directory, Novell eDirectory, Domino Directory and OpenLDAP.
LDAP Lookup
You can synchronize the Barracuda Email Security Service with your existing LDAP server to automatically create accounts for all users in the domain. For more information about user accounts, see Managing User Accounts.
LDAP lookup configuration and LDAP authentication of user logins is done by domain on the Domains > Domain Settings page. On the Domains page, click Edit in the Settings column to the right of the domain name. Once you configure your LDAP settings on the Domains > Domain Settings page, click Synchronize Now to create user accounts for all users in your LDAP server.
Important
The Barracuda Email Security Service connects with your network from various IP addresses, including performing LDAP lookups. To ensure that the service can connect with your network, allow traffic originating from the range of network addresses based on your Barracuda Email Security Service instance; see Barracuda Email Security Service IP Ranges for a list of ranges based on your Barracuda Email Security Service instance.
- Log into https://login.barracudanetworks.com/ using your account credentials, and click Email Security in the left pane.
- Go to the Domains page, and click Edit in the Settings column to the right of the domain.
- In the Domains > Domain Settings page, scroll to the Directory Services section, select LDAP, and click Save Changes at the top of the page.
- In the LDAP Configuration section, configure the following variables:
  - LDAP Host – The server utilized for LDAP lookups. If this setting is a hostname, and is contained in multiple A records, then fail-over capabilities are available if the Barracuda Email Security Service is unable to connect to one of the machines listed here.
  - Port – Port used to connect to the LDAP service on the specified LDAP Server. Typically port 389 is used for regular LDAP and LDAP using the STARTTLS mode for privacy. Port 636 is assigned to the LDAPS service (LDAP over SSL/TLS).
  - Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) technology by selecting Yes for this option.
  - Bind DN (Username) – Username used to connect to the LDAP service on the specified LDAP Server. If in the form accountname@domain.com, the username is transformed into a proper LDAP bind DN, for example, CN=accountname,CN=users,DC=domain,DC=com, when accessing the LDAP server. Sometimes the default transformation does not generate a proper bind DN. In such cases, a fully formed and valid bind DN must be entered.
  - Bind Password – Password used to connect to the LDAP service on the specified LDAP Server.
  - Base DN – Base DN for your directory. This is the starting search point in the LDAP tree. The default value looks up the defaultNamingContext top-level attribute and uses it as the search base. For example, if your domain is test.com, your Base DN might be dc=test,dc=com.
  - Mail Attributes – Attribute in your LDAP directory that contains the user's email addresses. The attributes listed in this field determine which user address is primary versus aliases for a user account. By default, the mail attribute is listed first. Use caution when changing the order of the attributes, as you may encounter unexpected results. For example, adding proxyAddresses as the first (primary) attribute in this field can create multiple accounts, one for each proxyAddress, and the mail attribute value is then listed as the alias.
- The Barracuda Email Security Service will sync to your LDAP server from certain IP addresses. Ensure that your network and LDAP server accept connections from the IP ranges listed in Barracuda Email Security Service IP Ranges.
To use the Test LDAP Configuration Settings section, enter a valid email address in the Testing Email Address field to test your LDAP settings; if left blank, LDAP settings are only tested for connection.
Click Test Settings.
- Optionally, expand the Advanced LDAP Configuration section, and set the following options:
  - User Filter – Set to Yes to limit newly synchronized email users and linked email users strictly to this one domain.
  - Custom User Filter – Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made. For example, you could limit the LDAP synchronization to just users in certain sub-domains using the mail= parameter, or only synchronize user-objects in a certain organizational unit (OU) using the ou= parameter. Each type of LDAP server has specific query syntax, so consult the documentation for your LDAP server. For Microsoft Exchange syntax and examples, see the TechNet article LDAP Query Basics.
Example: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
- In the Directory Options section, specify the following options:
  - Synchronize Automatically – Set to Yes if you are using LDAP and want the Barracuda Email Security Service to automatically synchronize your LDAP users to its database on a regular basis for recipient verification. With Microsoft Exchange server, the synchronization is incremental. Select No if you want to synchronize manually in case your LDAP server is not always available. To synchronize manually, click Synchronize Now.
  - Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. You can disable this setting if your LDAP server is unavailable for a period of time.
  - Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists of a series of attributes that might contain the email address. If the email address is found in any of those attributes, then the account is valid and is allowed by the Barracuda Email Security Service.
The first time the Barracuda Email Security Service receives a Not Allowed email for a valid user, the service does the following:
- Uses the email address of the recipient as the username of the account and auto-generates a password. If Use LDAP for Authentication is set to No on the Domains > Domain Settings page, the user receives an email with the login information so they can access their quarantine account; otherwise, the user can use single sign-on via LDAP lookup.
- Places the quarantined message in the account holder’s quarantine inbox.
- Sends a quarantine summary report to the account holder at the specified notification interval, as set on the Users > Quarantine Notification page. If Allow users to specify interval is set to Yes on this page, then the quarantine summary report is sent to the user on the schedule specified on the Settings > Quarantine Notification page once they log into their account. The default is Daily.
Azure Active Directory
Configure recipient verification with Azure Active Directory (AD) to allow end-users to sign in to the Barracuda Email Security Service using their Azure AD credentials. Once logged in, users can view their quarantine messages.
Note: If, when setting up your Office 365 Enterprise applications, you set Users can consent to apps accessing company data on their behalf to No, users might not be able to log into the Barracuda Email Security Service without administrator consent. To resolve this issue, reauthorize Azure AD from the Domain Settings page in the web interface. See the Azure Active Directory Authentication section of How to Restore LDAP or Azure AD Directory Services for step-by-step instructions on Azure AD reauthorization.
Single Sign-On
You can configure Single Sign-On (SSO) for a domain so that authenticated users can access all or a subset of the restricted resources by authenticating just once using their Azure AD credentials. SSO is a mechanism where a single set of user credentials is used for authentication and authorization to access multiple applications across different web servers and platforms, without having to re-authenticate.
The SSO environment protects defined resources (websites and applications) by requiring the following steps before granting access:
- Authentication: Authentication verifies the identity of a user using login credentials.
- Authorization: Authorization applies permissions to determine if this user may access the requested resource.
Set Up Azure AD Authorization
Complete the steps in this section for each domain you want to synchronize with your Azure AD directory.
- Log into https://login.barracudanetworks.com/ using your account credentials, and click Email Security in the left pane.
- Click Domains, and click Edit in the Settings column for the desired domain.
- In the Domains > Domain Settings page, scroll to the Directory Services section, select Azure AD, and click Save Changes at the top of the page.
- Scroll down to the Status section, and click Authorize.
- The Authorize Azure AD dialog box displays. Click Continue.
- When prompted, log into your Microsoft Office 365 account using your administrator credentials.
- In the Authorization page, click Accept to authorize the Barracuda Email Security Service to connect to your Azure AD directory.
- In the Barracuda Email Security Service Domain Settings page, the Status field displays as Active; the Authorized Account and Authorization Date display below the status:
- Click Sync Now to add your Azure AD users to the Barracuda Email Security Service. This will do a full synchronization with your Azure AD directory.
- The synchronization progress displays; allow the process to complete.
- In the Synchronization Options section, select Synchronize Automatically. When selected, the Barracuda Email Security Service automatically synchronizes with your Azure AD directory every 15 minutes and adds/updates your users. If you encounter sync issues, such as new users not being properly synced between your Azure AD directory and the Barracuda Email Security Service user list, click Sync Now to manually synchronize the Barracuda Email Security Service with your Azure AD directory.
If you select Manual, you must click Sync Now to synchronize the Barracuda Email Security Service with your Azure AD directory and add/update users.
- To use SSO, click Yes for Enable Single Sign On. Once enabled, users are prompted to log in to their Microsoft Office 365 account when accessing their messages in the Barracuda Email Security Service.
- To use the Test Azure AD Configuration Settings section, enter a valid email address in the Testing Email Address field to test your Azure AD settings.
Click Test Settings.
- Click Save at the top of the page to save your settings and return to the Domains page.
If you previously set up LDAP authentication with your Barracuda Email Security Service account, your settings are not lost when you select Azure AD for a selected domain. Note, however, that turning off Azure AD disables SSO, and new users are not synchronized, but recipient verification continues to function. For more information, see How to Restore LDAP or Azure AD Directory Services.
Step 7. Configure Outbound Mail
If you have multiple outgoing account domains for Office 365, you only need to make one send connector in Office 365. You can use any one of the outbound smarthosts to make the send connector.
Each of your domains that you want to be able to send email must be added to Barracuda Email Security Service. Be sure to add all of your accepted Office 365 domains into Barracuda Email Security Service before configuring outgoing email in this section.
Outbound Groups must be enabled on your Barracuda Email Security Service account. Contact Barracuda Networks Technical Support to request that Outbound Groups be enabled on your Barracuda Email Security Service account.
- Log into your Barracuda Cloud Control account. On the left side, select Email Security. Select the Domains tab. For the appropriate domain, click Edit.
- On the Domain Settings page, locate the Outbound Smarthost Configuration section and make note of the Hostname:
Log into the Office 365 Exchange admin center, and go to Admin centers > Exchange.
- In the left pane, click mail flow, and click connectors.
Click the + symbol, and use the wizard to create a new connector.
From the From drop-down menu, select Office 365, and from the To drop-down menu, select Partner organization:
Enter a Name and (optional) Description to identify the connector:
Click Next. Select Only when email messages are sent to these domains, click the + symbol, and enter an asterisk ( * ) in the add domain field.
Click OK, and click Next. Select Route email through these smart hosts, and click the + symbol.
Go to the Barracuda Email Security Service, and click the Domains tab. Copy your outbound hostname from the MX records, and enter it in the add smart host page:
- Click Save, and click Next. Use the default setting, Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issued by Trusted certificate authority (CA):
- Click Next. In the confirmation page, verify your settings and click Next. Office 365 runs a test to verify your settings:
- When the verification page displays, enter a test email address, and click Validate. For this test, it is important to use an email address from outside your organization, like a Gmail or Yahoo email address.
There are two parts of the validation:
- Test Connectivity – If this test fails, Outbound Groups is not enabled. Contact Barracuda Networks Technical Support and request that Outbound Groups be enabled on your Barracuda Email Security Service account.
- Send Test Email – If the test fails, there is no cause for concern. The test email comes from a Microsoft domain, not from your domain, so it is rejected. If you changed your domain away from onmicrosoft.com, the test should work.
- Click Save. Your mail flow settings are added.
Barracuda Email Security Service now accepts outbound traffic from Outlook 365.
Log into the Office 365 Exchange Admin Center.
- In the left pane, click Mail flow, and click Connectors.
Click the Add a connector button, and use the wizard to create a new connector.
For Connection from, select Office 365. For Connection to, select Partner organization.
Enter a Name and (optional) Description to identify the connector:
Click Next. Select Only when email messages are sent to these domains. Enter an asterisk ( * ) in the text box field and click the blue +.
Click Next. Select Route email through these smart hosts.
Go to the Barracuda Email Security Service, and click the Domains tab. Copy your outbound hostname from the MX records, and enter it in the Routing page.
- Click Next. Use the default settings for the Security restrictions: Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issued by Trusted certificate authority (CA).
- Enter an external email address to validate the connector. For this test, it is important to use an email address from outside your organization, like a Gmail or Yahoo email address.
There are two parts of the validation:
- Test Connectivity – If this test fails, Outbound Groups is not enabled. Contact Barracuda Networks Technical Support and request that Outbound Groups be enabled on your Barracuda Email Security Service account.
- Send Test Email – If the test fails, there is no cause for concern. The test email comes from a Microsoft domain, not from your domain, so it is rejected. If you changed your domain away from onmicrosoft.com, the test should work. Note that you might still receive the email even if the test failed.
- Click Next. If the test email failed, you will need to confirm that you wish to continue without successful validation by clicking Yes in the orange pop-up dialog box. Click Next.
- Verify your settings, and click Create connector to complete the process.
Barracuda Email Security Service now accepts outbound traffic from Outlook 365.
Step 8. Disable RTF (Rich Text Format) (Optional)
Customers sending outbound mail through Barracuda Essentials can consider disabling Rich Text Format (RTF) on their outbound external mail. RTF, also known as TNEF, is a Microsoft proprietary encoding that can be configured at the client or organization level. RTF encoding can cause issues with attachments converting to winmail.dat files, which can only be read by other Outlook clients. This can cause problems for outbound content/DLP policies that examine attachments. For example, if an end user sends an email with a PDF attachment that contains an SSN and the email is sent with RTF encoding, Barracuda Essentials would not be able to scan the PDF and identify the SSN to apply a DLP policy. Disabling RTF at the account level forces all outbound external mail to be HTML encoded instead.
To disable RTF on Exchange Online and Exchange 2013 and newer, use one of the following methods.
Set-RemoteDomain -Identity Default -TNEFEnabled $false
- Log into the Office 365 Exchange Admin Center.
- In the left pane, click Mail flow > Remote domains.
- Edit the Default remote domain.
- Under Text and character set, select Never for Use rich-text format.
- Click save.
For additional configuration options and features, log into the Barracuda Email Security Service web interface, and click Help.
Continue with Step 3 - Complete Service Configuration.