Use this article to deploy Email Gateway Defense for Exchange Server 2007 and 2010 in your environment.
Step 1. Ensure Connectivity and Redundancy
- Open your firewall ports to allow the IP address ranges based on your Barracuda Networks instance; see Email Gateway Defense IP Ranges Used for Configuration for a list of ranges based on your Barracuda Networks instance.
- Where relevant, verify your network subnet is granted access in the ACL on your mail server (and LDAP server, for that matter).
- Block all port 25 traffic except traffic originating from the ranges listed in Email Gateway Defense IP Ranges Used for Configuration for your Barracuda Networks instance, so that senders cannot bypass filtering by delivering directly to your mail server.
Step 2. Launch the Email Gateway Defense Setup Wizard
- Log into Email Gateway Defense, and click the link to launch the Email Gateway Defense Setup wizard.
Select the Region for your Data Center. Then click Get Started.
- The Specify Primary Email Domain page displays. Enter the primary domain you want to filter, for example:
corpdomain.com
Click Next. The Specify Email Servers page displays. Enter the mail server hostname (FQDN) or IP address for the domain entered in the previous step.
- Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers.
- Once the mail server is verified, the Verified icon displays in the status column and a confirmation message displays at the top of the page.
- Click Next. The Configure Settings page displays. Select from the following options:
- Virus Protection – Set to On to direct Email Gateway Defense to detect and block viruses on inbound email.
- Spam Protection – Set to On to direct Email Gateway Defense to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off, inbound mail is not scanned for spam.
Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' will likely block legitimate messages while setting a score of '10' will allow more messages through the system. Based on this score Email Gateway Defense blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block.
Click Next. The Outbound page displays.
To verify your domain, replace your current MX records with Email Gateway Defense Primary and Backup MX records displayed on the page.
If you only want to route your inbound mail through Email Gateway Defense and not your outbound mail, select I do not want to route my e-mail through Barracuda at this time, and select the verification option:
Click Next, and click Next once again.
On the Select Data Center Region page, select the data center for your locale, and click Get Started.
Complete the wizard pages.
The Confirmation page displays. Confirm domain ownership, and then click Done.
Go to the Domains page and verify your settings.
Step 3. Set Up User Accounts
You can add users manually, or use your organization's LDAP server or Microsoft Entra ID service to automatically synchronize Email Gateway Defense with your active directory server. To create a few test accounts during the evaluation period, use the Manually Add Users steps below.
Decide how you want to use quarantine:
- Global quarantine – When selected, the administrator monitors the Message Log for quarantined mail and decides whether or not it is spam.
- Per-user quarantine – When selected, users have quarantine accounts and can decide whether or not mail is spam. Set up several users for the evaluation and test the results. This option requires more initial effort to set up user accounts, possibly with sync to your Active Directory server, but less work for the administrator over time since users manage their quarantined mail.

| Quarantine Type | Create User Accounts | Manages Quarantine? | User can Create Sender Allow List/Block List |
|---|---|---|---|
| Global | No | Admin | No |
| Per-user | Yes | User | Yes |
- If you select Global quarantine, there is no need to create user accounts.
- If you select Per-user quarantine, manually add a few test accounts on the Users > Add/Update Users page, and set Enable User Quarantine to Yes. The first time Email Gateway Defense receives an email for that user and the message is quarantined, the user receives a quarantine notification email at the scheduled quarantine notification interval. Depending on how you configure the quarantine notification interval on the Users > Quarantine Notification page, the user receives a quarantine digest at a specified time.
Manually Add Users
Automatically Add Users
You can configure user authentication via your organization's LDAP server or Microsoft Entra ID service. For complete setup details, see the following articles:
- How to Configure User Authentication with Microsoft Entra ID
- How to Configure User Authentication Using LDAP
Step 4. Configure Outbound Mail Scanning
- Log into Email Gateway Defense, and go to Outbound Settings > Sender IP Address Ranges.
Enter the IP Address and Domain Name (logging domain) and optional Comment for IP address ranges allowed to send outgoing email from your domains, and click Add.
Add all IP addresses from which outgoing mail is allowed to flow through Email Gateway Defense. The Logging Domain is the domain name that appears in the Message Log as the sending domain for the associated IP address.
Step 5. Set Up Email Gateway Defense Outbound Scanning
Complete the following steps for each domain from which you are relaying outbound mail:
- Log into Email Gateway Defense, click Domains, and click on the domain name to toggle the MX records configuration; make note of the Outbound Hostname.
- Open the Exchange Management Console.
- Under Organization Configuration, select Hub Transport, and then click the Send Connectors tab:
- In the Name field, type:
Email Gateway Defense Outbound Connector
- Click Next. The Address Space page displays:
- Click Add. The SMTP Address space dialog box displays. In the Address field, type an asterisk:
*
- Click OK, and click Next in the Address space page.
The Network settings page displays. Select Route mail through the following smart hosts:
- Click Add. Enter the Outbound Hostname from Step 1 above, and click OK.
- Click Next in the Network settings page. The Source Server page displays. If your Exchange servers are not listed, click Add.
- In the Select Hub Transport dialog box, select all servers that have Hub Transport roles installed, and click OK.
- Click Next in the Source Server page. The New Connector displays. Review your settings:
- Click New, and then click OK to save your connector and route outbound mail through Email Gateway Defense.
Step 6. Verify Mail is Flowing
- Log into Email Gateway Defense.
- On the Dashboard page, verify inbound and outbound messages are being logged for the selected domain.
Step 7. Configure Sender Policy Framework for Outbound Mail
To ensure Barracuda Networks is recognized as an authorized sending mail service for outbound mail from Email Gateway Defense, add the following to the INCLUDE line of the Sender Policy Framework (SPF) record for your sending mail server, for each domain sending outbound mail. Select the relevant SPF INCLUDE based on the region you selected for your Barracuda Networks instance:
AU (Australia)
include:spf.ess.au.barracudanetworks.com -all
CA (Canada)
include:spf.ess.ca.barracudanetworks.com -all
DE (Germany)
include:spf.ess.de.barracudanetworks.com -all
IN (India)
include:spf.ess.in.barracudanetworks.com -all
UK (United Kingdom)
include:spf.ess.uk.barracudanetworks.com -all
US (United States)
include:spf.ess.barracudanetworks.com -all
See Sender Authentication for more information.
- If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Networks instance. For example:
include:spf.ess.barracudanetworks.com -all
- If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARD Fail SPF for your domain based on your Barracuda Networks instance. For example:
v=spf1 include:spf.ess.barracudanetworks.com -all
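The two cases above as an added Python example (not Barracuda's code): it builds the single SPF TXT value to publish from the TXT records a domain already has. The function name, the refusal on multiple `v=spf1` records or on `redirect=`, and keeping an existing record's own `all` term are assumptions of this example.

```python
import re

# Regional include hosts exactly as listed in Step 7 of this page.
REGION_INCLUDES = {
    "AU": "spf.ess.au.barracudanetworks.com",
    "CA": "spf.ess.ca.barracudanetworks.com",
    "DE": "spf.ess.de.barracudanetworks.com",
    "IN": "spf.ess.in.barracudanetworks.com",
    "UK": "spf.ess.uk.barracudanetworks.com",
    "US": "spf.ess.barracudanetworks.com",
}
ALL_TERM = re.compile(r"[+\-~?]?all", re.I)
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:)", re.I)


def merge_spf(txt_records, region):
    """Hypothetical helper: return the one SPF value the domain should publish.

    txt_records is every TXT string currently published for the domain.
    """
    include = "include:" + REGION_INCLUDES[region]
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        # Two v=spf1 records make SPF evaluation return permerror.
        raise ValueError("more than one v=spf1 record; merge them into one")
    if not spf:
        return f"v=spf1 {include} -all"  # new hard-fail record, as in Step 7
    terms = spf[0].split()[1:]
    if any(t.lower().startswith("redirect=") for t in terms):
        raise ValueError("record uses redirect=; review it by hand")
    alls = [t for t in terms if ALL_TERM.fullmatch(t)]
    kept = [t for t in terms if not ALL_TERM.fullmatch(t)]
    if include.lower() not in [t.lower() for t in kept]:
        kept.append(include)
    # Counts this record's own terms only; nested includes add more lookups.
    if sum(bool(LOOKUP_TERM.match(t)) for t in kept) > 10:
        raise ValueError("more than 10 DNS-lookup terms")
    # 'all' must come last: terms after it are never evaluated. Assumption:
    # an existing record keeps its own qualifier (for example ~all).
    return " ".join(["v=spf1", *kept, alls[0] if alls else "-all"])
```

Publish the returned string as the domain's only `v=spf1` TXT record, replacing the old one rather than adding a second.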
Step 8. Enable Advanced Threat Protection
Files blocked by ATP display on the Dashboard.
- Go to ATP Settings, and select the desired option:
- Deliver First, then Scan – Attachments are delivered with the message to the recipient and then scanned by the ATP service; if a virus is detected, an email notification is sent to the email recipient. Additionally, if Notify Admin is set to Yes, and a virus is detected in the scanned attachment, an email is sent to the administrator.
- Scan First, then Deliver – Attachments are scanned by the ATP service before delivery. If a virus is detected in the attachment the message is blocked, otherwise it is delivered to the recipient.
Select whether to Notify Admin if a virus is detected in a scanned attachment. When set to Yes, enter the ATP Notification Email address in the associated field.