It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda Email Protection
Overview Documentation Training Certification Materials

Note

If you purchased one of the following products, refer to Barracuda Total Email Protection.

  • Total Email Protection 
  • Total Email Security 
  • Essentials Complete 
  • Essentials Compliance 
  • Essentials Security

Email Protection Advanced Plan Initial Deployment

  • Last updated on

Step 1. Launch the Setup Wizard

Before you launch the wizard, verify you have the following:

  • Microsoft 365 admin credentials

Note that you cannot reopen the wizard after you have completed the wizard. if you have started the wizard but did not complete it, log into Barracuda Cloud Control, select the product on the left side. In the top banner, click Set Up Now to relaunch the wizard.

The setup wizard includes steps to identify your email server, add MX records, and remove MX records. The setup wizard also includes steps to connect to Incident Response and Impersonation Protection. Each of the domains where you want to filter email must be verified for proof of ownership; Barracuda Networks does not process email for a domain until the verification process is complete.

Note that after verifying your domain, any mail sent to your domain from another Barracuda customer will be processed normally by your Email Protection account and not delivered via MX records.

Note that if you are using the inline deployment method, you must use the new onboarding wizard and cannot skip the “Connect to Microsoft” in step 3 below.

  1. Log into Barracuda Cloud Control. If this is your first time launching the setup wizard, you will be redirected to the Barracuda Trials Hub page. Click Open under Email Protection.

    73cf04f7-79da-4638-9b84-b6caf5e8da6f.png

    Alternatively, if you have started the setup wizard but did not complete it, after logging into BarracudaOne, select your product on the left side. In the top banner, click Set Up Now to launch the setup wizard.

    The setup wizard launches. 

  2. Click Next in the upper right corner to get started.

  3. Click Connect to connect to Microsoft.

    beaf32f6-b8b2-4aeb-ac7e-8ed46b822e15.png

  4. You will be prompted to log in with a global admin account to give permissions to the application to access your Microsoft data. Click Accept to authorize Barracuda Networks to access your details.

  5. Once you are connected, Barracuda Networks will initiate a scan to identify any email threats. During this process, click Next in the upper right corner to continue.

    b0689752-1147-42ec-bd83-124e7474d7c5.png

  6. Select the Region for your data center. Then click Next.

    After you select your region, you cannot change it.

    6e5bf564-5b32-47c1-82bc-f9f9308ce48e.png

  7. Confirm the domain you would like to protect. Then click Next.

    a4e50d04-f74e-4521-aa41-b134597e99ea.png

  8. Choose your deployment method. For more information, see MX Deployment vs. Inline Deployment.

    egd_deploymentMethodMX.png

Note that inline deployment currently only supports a single domain. To protect multiple domains, select MX record deployment.

  1. To set up your email flow, you will need to add the new MX records and remove the old MX records.

  2. To add the new MX records:

    1. Log into your DNS hosting account.

    2. Add the primary and backup MX records shown in the Add new MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.

      EGD_setupWizard_addMXrecords.png

    3. Add the MX records with a low priority, for example, 99. Adding the new MX records to your existing list should look similar to this:

      egd_wizard_addMXrecords1.png

      After updating your MX records, allow at least 24-48 hours before completing the next step to allow time for your changes to propagate.

    4. Verify that the new MX records have been added by clicking on the Verify records button. 

    5. Once your MX records are added, a green verified check markgreen-verified.pngwill appear next to the MX record.

  3. To remove the old MX Records:

    1. Log into your DNS hosting account.

    2. Remove the existing MX records shown in the Remove old MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.

      EGD_newSetupWizardRemoveMXrecords.png

    3. Update the priority of your primary and backup Barracuda MX records to 1 and 10. 

    4. In the setup wizard, verify that your non-Barracuda Networks MX records have been removed by clicking on the Verify update button.

    5. Once your MX records are removed, a green verified check markgreen-verified.pngwill appear.

    6. After you have successfully completed all the steps in the setup wizard, click the Complete setup button at the upper right corner. To exit the wizard and come back at a later time, click Exit

  1. After clicking Next, you will be prompted to sign into Microsoft to accept an additional application. This application will be used to create the necessary rules and connectors required for inline deployment.

    egd_msPermissions.png

  2. After accepting permissions, you will be returned to the setup wizard. Click Next to begin the deployment.

  3. During deployment, the setup wizard will automatically create the following:

    • Three mail flow rules – Two rules for processing inbound mail and one rule for outbound mail. Note: The outbound mail flow rule will be disabled by default.

    • Three connectors – Two connectors for processing inbound mail and one connector for processing outbound mail.

    • Anti-Spam connection filtering policy – An entry in the Anti-Spam connection filtering policy to bypass spam filtering for emails originating from Barracuda Networks.

    • Policy to allow spoofing – An “Allow spoofing” policy for emails sent from Barracuda Networks.

  4. Once the deployment is complete, click the Complete setup button at the upper right corner. You will be redirected to your Message Log.

You have now successfully set up your Email Protection product using the inline deployment method.

Note that this deployment has been configured only for mail sent to the domain selected in the setup wizard.

Step 2. Add Additional Email Domains (Optional)

You configured your primary email domain in Step 1 of the wizard, above. Barracuda Networks recommends adding all Microsoft 365 accepted domains into Email Gateway Defense.

Repeat these steps, as needed, for additional Microsoft 365 domains before continuing with the next step.

Obtain the hostname:

  1. Log into the Microsoft 365 admin center.

  2. In the left pane, click Settings > Domains.

  3. In the Domains table, click on your domain.

  4. Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com

Enter the hostname:

Barracuda Networks recommends using a hostname rather than an IP address so that you can move the destination mail server and update DNS records without making changes to the Email Gateway Defense configuration. This address indicates where Email Gateway Defense should direct inbound mail from the Internet to your Microsoft 365 Exchange server. For example, your domain displays to the Internet as: bess-domain.mail.protection.outlook.com

  1. Log into the Barracuda Cloud Control as administrator. In the left panel, click Email Gateway Defense. Select the Domains tab, then click Add Domain.

    AddDomain.png

  2. Enter the domain name and destination mail server hostname obtained from your Microsoft 365 account:

  3. Click Add Domain; the Domain Settings page displays, listing the new domain.

  4. Verify that the domain is yours. Follow the instructions in How to Set Up MX Records for Domain Verification. Make sure that you see that the domain is successfully verified, then return to this page. 

Step 3. Configure Tenant Restrictions

Note that this step only applies to MX records deployment.

Validate Mail Flow

The new inbound partner connector that was created will be used to enforce restrictions on your Microsoft tenant to prevent emails from bypassing your Barracuda Networks gateway defenses. Prior to enforcing those restrictions, it is important to validate your inbound mail flow to ensure there are no external senders that are sending emails directly to your Microsoft tenant. 

For instructions on how to validate mail flow, see Validating Mail Flow Before Restricting Access.

Restrict Access
Time Requirement

Make sure to wait at least 24 hours after updating MX records before enabling tenant restrictions. This will avoid any potential disruptions to mail delivery due to outdated MX records.

To update your Barracuda partner connector to require inbound mail to flow through Email Gateway Defense, connect to Exchange Online and run the following PowerShell command:

Set-InboundConnector -Identity "Barracuda Inbound Connector" -RestrictDomainstoIPAddresses $true

This completes the steps required to set up inbound mail filtering. To set up outbound mail filtering, continue below with the next steps.

Step 4. Configure Sender Policy Framework for Outbound Mail

To ensure Barracuda Networks is the authorized sending mail service of outbound mail from Email Gateway Defense, add the following to the Sender Policy Framework (SPF) record INCLUDE line of the SPF record for your sending mail server for each domain sending outbound mail. Select the relevant SPF INCLUDE based on the region you selected for your Barracuda Networks instance.

For more information, see Email Gateway Defense Outbound IP Ranges.

AU (Australia)

include:spf.ess.au.barracudanetworks.com -all

CA (Canada)

include:spf.ess.ca.barracudanetworks.com -all

DE (Germany)

include:spf.ess.de.barracudanetworks.com -all

IN (India)

include:spf.ess.in.barracudanetworks.com -all

UK (United Kingdom)

include:spf.ess.uk.barracudanetworks.com -all

US (United States)

include:spf.ess.barracudanetworks.com -all

For more information, see Sender Authentication.

  • If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Networks instance. For example: include:spf.ess.barracudanetworks.com -all

  • If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARD Fail SPF for your domain based on your Barracuda Networks instance. For example: v=spf1 include:spf.ess.barracudanetworks.com -all

Step 5. Configure Outbound Mail

Note that this step only applies to MX record deployment. For inline deployment, see enableMailFlow.

If you have more than one domain on your tenant (e.g., x.com and y.com) and you only want to filter one of the domains (like x.com), refer to How to Configure Microsoft 365 to Scan Only Selected Domains Outbound. The instructions in this section below describe how to filter for all domains for outbound mail.

If you have multiple outgoing account domains for Microsoft 365, you only need to make one send connector in Microsoft 365. You can use any one of the outbound smarthosts to make the send connector.

Each of your domains that you want to be able to send email must be added to Email Gateway Defense. Be sure to add all of your accepted Microsoft 365 domains into Email Gateway Defense before configuring outgoing email in this section.

Outbound Groups must be enabled on your Email Gateway Defense account. Contact Barracuda Networks Technical Support to request that Outbound Groups be enabled on your Email Gateway Defense account.

  1. Log into the Microsoft 365 admin center https://admin.exchange.microsoft.com/.

  2. In the left pane, click Mail flow, and click Connectors.

  3. Click the Add a connector button, and use the wizard to create a new connector.

  4. For Connection from, select Office 365. For Connection to, select Partner organization.

    ms_newConnector.png

  5. Click Next. Enter a Name and (optional) Description to identify the connector:

    ms_ConnectorName1.png

  6. Click Next. Select Only when email messages are sent to these domains. Enter an asterisk ( * ) in text box field and click the blue +.

    ms_UseofConnector2.png

  7. Click Next. Select Route email through these smart host, and click the + symbol.  

    1. Go to Email Gateway Defense, and click the Domains tab. Copy your outbound hostname from the Outbound Smarthost Configuration field, and enter it in the add smart host page. For example, d12345.o.ess.barracudanetworks.com.

      ms_ConnectorRouting.png

  8. Click Next. Use the default settings for the Security restrictions: Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issues by Trusted certificate authority (CA):

    ms_SecurityRestrictions1.png

  9. Enter an external email address to validate the connector. For this test, it is important to use an email address from outside your organization, like a gmail or yahoo email address. Click Validate
    There are two parts of the validation:

    1. Test Connectivity – If this test fails, Outbound Groups is not enabled. Contact Barracuda Networks Technical Support and request that Outbound Groups be enabled on your Email Gateway Defense account.

    2. Send Test Email – If the test fails, there is no cause for concern. The test email comes from a Microsoft domain, not from your domain, so it is rejected. If you changed your domain away from onmicrosoft.com, the test should work. Note that you might still receive the email even if the test failed. 

      ms_validateEmail1.png

  10. Once the validation process is complete, click Next. Review your settings and then click Create connector.

Step 6. Enable Mail Flow Rule

Note that this step only applies to inline deployment.

  1. Navigate to the Exchange Admin Center (EAC) at https://admin.exchange.microsoft.com/#/transportrules or go to Mail flow > Rules.

  2. Select the mail flow rule named “Send outbound email to Barracuda for filtering”. This was automatically generated during the setup wizard when the inline deployment method was chosen.

  3. Use the toggle in the Enable or disable rule section near the top to enable the rule.

Step 7. Set up Domain Fraud Protection and DMARC

To set up Domain Fraud Protection, see the following:

Additional Resources

See the following for more information on how to get started with other Email Protection products.