Evaluate Barracuda Essentials for Office 365 Email Security for 30 days, after which you can purchase and link the service to your account.
Complete the steps in this section of this 30-day evaluation guide to deploy the service in your environment.
Step 1. Ensure Connectivity and Redundancy
Open your firewall ports to allow the IP address ranges 184.108.40.206/20 and 220.127.116.11/21 for LDAP connectivity.
Step 2. Launch the Barracuda Email Security Service Setup Wizard
- Log in to Barracuda Email Security Service, and click Enter Linking Code and Serial Number to activate your subscription:
- Enter the Serial Number and Linking Code, and click Activate Subscription:
- In the setup page, click Set up to the right of Email Security:
- In the setup wizard, click Get Started. The Specify Primary Email Domain page displays.
- Enter the primary Office 365 domain you want to filter, for example: cudaware.com
Click Next. The Specify Email Servers page displays. Enter the mail server hostname (FQDN) or IP address for the domain entered in the previous step, for example:
- Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers.
- Once the mail server is verified, the Verified icon displays in the status column and a confirmation message displays at the top of the page:
- Click Next. The Configure Settings page displays. Select from the following options:
- Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email.
Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off, inbound mail is not scanned for spam.
Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' will likely block legitimate messages while setting a score of '10' will allow more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block.
Click Next. The Outbound page displays.
To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page:
- If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not want to route my e-mail through Barracuda at this time:
- Select the verification option:
- CNAME Records – To use the CNAME records method to verify the domain ownership:
Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example:
Point the CNAME record of that subdomain to ess.barracuda.com
Click Confirm Validation in the Route Email Through Barracuda page.
Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry.
Email to the postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain.
Click Next, and click Next once again.
On the Select Data Center Region page, select the data center for your locale, and click Get Started.
Complete the wizard pages.
The Confirmation page displays. Confirm domain ownership, and then click Done.
Go to the Domains page and verify your settings.
Step 3. Set Up User Accounts
You can add users manually or use LDAP authentication to automatically synchronize the Barracuda Email Security Service with your LDAP server.
Manually Add Users
- Go to Users > Add/Update Users:
- In the User Accounts field, enter each user email address for the domain on a separate line, and then select from the following options:
Enable User Quarantine – All emails for the user which meet the configured block policy go to the user's quarantine account.
- Notify New Users – When set to Yes, users receive a welcome email once the account is created.
- Click Save Changes. The users are added to the Users > Users List table where you can select from the following actions:
- Edit – Click to specify domains this user can manage.
- Reset – Click to send the user an email with instructions on how to reset their account password.
- Log in as this user – Click to view or change the user's settings (for example, quarantine notifications), view/manage the domains this user manages, and view/search/manage the user's Message Log.
- Delete – Click to remove the user account.
Automatically create user accounts for all users in the domain based on your LDAP directory.
- Click Domains, and click Edit in the Settings column for the desired domain.
- In the Domains > Domain Settings page, scroll to the Directory Services section, and enter your LDAP settings:
- LDAP Host – LDAP lookup server. If this setting is a hostname, and is contained in multiple A records, then fail-over capabilities are available if the Barracuda Email Security Service is unable to connect to one of the machines listed here.
- Port – Port used to connect to the LDAP service on the specified LDAP server. Typically port 389 is used for regular LDAP and LDAP using the STARTTLS mode for privacy. Port 636 is assigned to the LDAP over SSL/TLS (LDAPS) service.
- Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. Set to Yes to use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology to make LDAP traffic confidential and secure.
- Bind DN/Username – Username used to connect to the LDAP service on the specified LDAP server. If of the form email@example.com, the username is transformed into a proper LDAP bind DN like CN=accountname,CN=users,DC=domain,DC=com when accessing the LDAP server. Sometimes the default transformation does not generate a proper bind DN. In such cases, a fully formed and valid bind DN must be entered.
- Bind Password – Password used to connect to the LDAP service on the specified LDAP server.
- Base DN – Base DN directory. This is the starting search point in the LDAP tree. The default value looks up the 'defaultNamingContext' top-level attribute and uses it as the search base. For example, if your domain is test.com, your Base DN might be dc=test,dc=com.
- Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists of a series of attributes that might contain the email address. If the email address is found in any of those attributes, then the account is valid and is allowed by the Barracuda Email Security Service.
- User Filter – Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made. For example, you could limit the LDAP synchronization to just users in certain sub-domains using the mail= parameter, or only synchronize user objects in a certain organizational unit (OU) using the ou= parameter. Each type of LDAP server has specific query syntax, so consult the documentation for your LDAP server. See the Microsoft TechNet article LDAP Query Basics for LDAP query syntax and examples.
Example: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service would only create accounts for 'User1', 'User2', and 'User3'.
- Custom User Filter – Set to Yes to limit newly synchronized email users and linked email users strictly to this one domain.
- Mail Attributes – Attribute in your LDAP directory that contains the user's email address.
- Testing Email Address – Valid email address for use in testing LDAP settings. If this field is left blank, LDAP settings are only tested for connection.
- Synchronize Automatically – Set to Yes to automatically synchronize your LDAP users to the Barracuda Email Security Service database on a regular basis for recipient verification. With Microsoft Exchange server, the synchronization is incremental. When set to No, you must click Synchronize Now at the top of the section to manually synchronize your LDAP users to the Barracuda Email Security Service database.
- Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. Set to No if your LDAP server will be unavailable for a period of time.
- In the Advanced Configurations section, set Sender Rewriting Scheme (SRS) to On to direct the Barracuda Email Security Service to rewrite the Envelope FROM address of inbound messages so that they appear to come from Barracuda Networks rather than the original sender. This is useful if you are using a hosted email service that cannot turn off Sender Policy Framework (SPF) checking. For more information, see Sender Policy Framework.
- Click Save Changes:
Step 4. Add Additional Email Domains
Use the steps in this section only if you wish to manually add additional email domains; otherwise, go to Step 5. Create Transport Rule.
Obtain the hostname:
- Log in to the Office 365 admin center.
- In the left pane, click Settings > Domains.
- In the Domains table, click on your domain.
- Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com
Enter the hostname:
- Log in to the Barracuda Email Security Service as administrator, and click Domains, and click Add Domain.
- Enter the domain name and destination mail server hostname obtained from your Office 365 account in the dialog box.
- Click Add; the Domain Settings page displays.
Step 5. Create Transport Rule
Log in to the Office 365 admin center, and go to Admin centers > Exchange.
- In the left pane, click mail flow, and click rules.
- Click the + symbol, and click Bypass spam filtering:
- In the new rule page, enter a Name to represent the rule.
- From the Apply this rule drop-down menu, select The sender > IP address is in any of these ranges or exactly matches:
- In the specify IP address ranges page, type 18.104.22.168/20 as the IP address/range for the Sender (Barracuda Email Security Service), and click the + symbol.
- Type 22.214.171.124/21 as the next IP address/range for the Sender, and click the + symbol:
- Click OK, and then click Save to create the transport rule.
Step 6. Restrict Inbound Mail to the Barracuda Email Security Service IP Range (Optional)
Use the following steps if you want to restrict inbound mail to the Barracuda Email Security Service IP address range:
You have attempted to bypass our Email Security Service. Please ensure your DNS is up-to-date and try sending your message again.
Select The Sender > Sender’s IP address is in any of these ranges or exactly matches, and enter the Barracuda Email Security Service IP range based on your Barracuda Email Security Service instance.
Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top, click on the rule, and use the Up arrow to move the rule to the top of the list.
Step 7. Configure Outbound Mail
- Log in to the Barracuda Email Security Service, click Domains, and click on the domain name to toggle the MX Records configuration; make note of the Outbound Hostname.
- Log in to the Office 365 admin center, and go to Admin centers > Exchange.
- In the left pane, click mail flow, and click connectors.
Click the + symbol and use the wizard to create a new connector.
From the From drop-down menu, select Office 365, and from the To drop-down menu, select Partner organization:
Enter a Name and (optional) Description to identify the connector:
Click Next. Select Only when email messages are sent to these domains, click the + symbol, and enter an asterisk ( * ) followed by the domain you are testing in the add domain field. For example, type *.mydomain.com:
Click OK, and click Next. Select Route email through these smart hosts, and click the + symbol.
Go to the Barracuda Email Security Service, click the Domains tab, and click on the domain name to toggle the MX records configuration. Copy your outbound hostname, and enter it in the add smart host page:
Click Save, and click Next. Use the default setting, Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issued by Trusted certificate authority (CA):
Click Next. In the confirmation page, verify your settings and click Next. Office 365 runs a test to verify your settings:
When the verification page displays, enter a test email address, and click Validate. Once the verification is complete, your mail flow settings are added.
Step 8. Configure Sender Policy Framework for Outbound Mail
To ensure Barracuda Networks is the authorized sending mail service for outbound mail recipients, review your domain's SPF record. See Sender Authentication for more information.
- If you have an SPF record set up for your domain, edit the existing record and add the following to the INCLUDE line for each domain sending outbound mail: include:spf.ess.barracudanetworks.com
- If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a SOFTFAIL SPF for your domain: v=spf1 include:spf.ess.barracudanetworks.com ~all
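Both cases above can be handled by one routine. The following is an added example, not Barracuda's code: it returns the TXT value to publish, placing the include ahead of the `all` mechanism and counting the DNS-lookup terms in the record against the limit of 10 in RFC 7208. The existing record in the demo is a constructed sample.

```python
import re

# Value taken from Step 8 of the guide.
BARRACUDA_INCLUDE = "include:spf.ess.barracudanetworks.com"
# Terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def term_name(term):
    """Strip the qualifier (+ - ~ ?) and any argument from one SPF term."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def lookup_count(record):
    """Count lookup-costing terms in this record only (nested includes need DNS)."""
    return sum(term_name(t) in LOOKUP_TERMS for t in record.split()[1:])


def add_barracuda_include(existing):
    """Return the TXT value to publish so Barracuda is an authorized sender."""
    if not existing or not existing.strip():
        # No record yet: the SOFTFAIL record given in the guide.
        return f"v=spf1 {BARRACUDA_INCLUDE} ~all"
    terms = existing.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("TXT value is not an SPF record")
    if any(t.lstrip("+").lower() == BARRACUDA_INCLUDE for t in terms):
        return " ".join(terms)  # already authorized, nothing to change
    # Mechanisms are evaluated left to right and "all" always matches, so the
    # include must go in front of it or it is never consulted.
    for i, t in enumerate(terms):
        if term_name(t) == "all":
            terms.insert(i, BARRACUDA_INCLUDE)
            break
    else:
        terms.append(BARRACUDA_INCLUDE)
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed sample: a domain that so far only authorizes Office 365.
    current = "v=spf1 include:spf.protection.outlook.com -all"
    updated = add_barracuda_include(current)
    print(updated)
    print("lookups in this record:", lookup_count(updated))
```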