We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Step 1 - Set Up Essentials for Office 365

  • Last updated on

For each Barracuda Cloud Control account, you can have either a linked Barracuda Email Security Gateway appliance or a Barracuda Email Security Service subscription. You cannot use a single Barracuda Cloud Control account for both a linked appliance and the service subscription.

This article assumes you are deploying Barracuda Services for the first time. If you previously deployed Barracuda Cloud-to-Cloud Backup, Barracuda Email Security Service, or the Barracuda Cloud Archiving Service and want to migrate to Barracuda Essentials for Office 365, contact your Barracuda Networks sales representative.

Complete All Steps
Be sure to complete all steps on this page that are required for the components in your plan. For example, if you have Barracuda Cloud Archiving Service, be sure to create the send connector, as described in Step 2 below.

Ensure Connectivity and Redundancy

Important
The Barracuda Email Security Service connects with your network from various IP addresses, including performing LDAP lookups. To ensure that the service can connect with your network, allow traffic originating from the range of network addresses based on your Barracuda Email Security Service instance; see Barracuda Email Security Service IP Ranges.

Select Your Plan

Determine the plan that best suits your organization's needs. The available options are built on the following components:

  • Barracuda Email Security – Security service protecting both inbound and outbound email against the latest spam, viruses, worms, phishing and denial of service attacks.
  • Advanced Threat Protection – Protects against advanced malware, zero-day exploits, and targeted attacks.
  • Barracuda Cloud Archiving Service – Journal mail directly from Office 365 to the Barracuda Cloud to optimize email storage, meet regulatory compliance and e-discovery requirements, and provide anytime/anywhere access to old emails.
  • Barracuda Cloud-to-Cloud Backup – Protects Exchange Online, OneDrive for Business, and SharePoint Online data by backing it up directly to Barracuda Cloud Storage. For Exchange Online, Barracuda Cloud-to-Cloud Backup protects all email messages, including all attachments, as well as the complete folder structure of each user's mailbox. In OneDrive for Business, all files under the Documents Library, including the entire folder structure, are protected. Easily locate and restore folders, individual items, or entire mailboxes. Barracuda Cloud-to-Cloud Backup provides complete protection of SharePoint Online. With item-level recovery options, items can be restored directly into SharePoint Online from the backups of Document Libraries, Site Page Libraries, and Picture Libraries in Team Site, Publishing Site, and Wiki Site.

Table 1. Plan Options
 Complete EditionCompliance EditionSecurity Edition
Barracuda Email Security Servicecheckmarkicon.pngcheckmarkicon.pngcheckmarkicon.png
Advanced Threat Protectioncheckmarkicon.pngcheckmarkicon.pngcheckmarkicon.png
Barracuda Cloud Archiving Servicecheckmarkicon.pngcheckmarkicon.png 
Barracuda Cloud-to-Cloud Backupcheckmarkicon.png  

Step 1. Set Up Essentials

To complete the setup you must have a Barracuda Cloud Control account. If you do not already have an account, go to https://login.barracudanetworks.com/ and click Create a User. Enter your name, email address, and company name, and specify whether this is a partner account. Click Create User; for partners, be sure to read How to Add a Managed Customer Account. Follow the instructions emailed to the entered email account to create your Barracuda Cloud Control account. See Password Complexity Policies before setting up your password.
See also: Partner Accounts.

  1. Go to https://login.barracudanetworks.com and log in with your Barracuda Cloud Control credentials.
  2. Open a new browser window, go to https://www.barracuda.com/products/essentials, click Buy Now.

  3. In the Plan Detailspage, the selected plan displays; click the drop-down menu if you want to select a different option.
  4. Enter the Number of users, and select the Subscription Type. Verify your order summary in the right pane, and click Continue.

    If you are not signed into Barracuda Cloud Control, click Sign in in the right pane. If you do not have a Barracuda Cloud Control account, use the left pane to create and sign in to your account.

  5. The Barracuda Account page displays your Barracuda Cloud Control account information. If you want to sign in using a different account, click Sign out and use a different account.
  6. Select from the following Client Account options:
    1. Add this service to an existing Barracuda account – Select the desired Account from the drop-down menu, and select your location from the Location of Use drop-down menu
    2. Create a new Barracuda account for this service – Enter the new account details.
  7. Click Continue.
  8. In the Billing Details (Optional) page, enter your billing information to purchase the service, or leave the Billing Information section blank to start a free 14-day evaluation. Click Continue.

  9. Once the setup process is complete, click Finish. The setup page displays in Barracuda Cloud Control and your 14-day trial begins immediately.

  10. Click Set up to get started.

Be sure to continue with the instructions in Step 2, based on the components you are setting up.

Step 2. Configure Connectors and Permissions

Barracuda Email Security Service

  1. In Barracuda Cloud Control, in the left panel, click Barracuda Email Security Service. Click Domains, then click Add Domain.
  2. In the dialog box, enter the primary Office 365 Domain Name you want to filter, for example: example.com
  3. Enter the Mail Server hostname (FQDN) or IP address for the domain entered in the previous step, for example: example-com.mail.protection.outlook.com
  4. Click Add Domain.

  5. Click Verify in the Mail Servers column; the Domains >Domain settings page displays. Select the manner in which to verify the domain ownership:

    • MX Records – Replace your current MX records with the Barracuda Email Security Service MX records displayed on the verify page.
    • CNAME Records – Validate your domain by adding a CNAME record.
    • Email to the domain's technical contact – Send a verification email to the technical contact email address listed on your domain's WHOIS entry.

      This verification option is not available if the Barracuda Email Security Service cannot find your domain's WHOIS entry. If there is not a technical contact, then only the MX Records, CNAME, and Email to the Postmaster options displays on this page.

    • Email to the postmaster – Send a verification email to the postmaster email address for your domain. The confirmation email will include a link that the recipient can click to verify the domain.

      This option is available if the Barracuda Email Security Service can find your postmaster in your domain’s WHOIS records. This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain.

  6. On the Domains page, in the Settings column, click Edit. The Domains > Domain Settings page displays. You can complete the configuration there.

 

Barracuda Cloud Archiving Service

Option 1. Configure Journaling from the Web Interface

  1. In Barracuda Cloud Control, in the left panel, click Archiver.
  2. Go to the Mail Sources > SMTP Journaling page.
  3. In the Journaling Setup Scripts section, locate the Office 365 Setup Script and click Run Script.
  4. Follow the onscreen prompts to configure Office 365 to journal mail to the Barracuda Cloud Archiving Service.

Option 2. Configure Journaling via Script

  1. In Barracuda Cloud Control, in the left panel, click Archiver.
  2. Go to the Mail Sources >SMTP Journaling page.
  3. In the Journaling Setup Scripts section, locate the appropriate script for your system. Click Download to save the PowerShell script to your local system or click Show Script to copy the script to your clipboard.
  4. Open Windows PowerShell, and run the script to configure Office 365 to journal mail to the Barracuda Cloud Archiving Service. 

Option 3. Manually Configure Journaling

Add a Remote Domain and Connector

  1. Log into Office 365 Exchange admin center.
  2. Select mail flow > remote domains.
  3. Click the + symbol. In the new remote domain, complete the following:
    1. Name – Type Barracuda Cloud Archiving Service
    2. Remote Domain – Enter your region-specific MAS hostname, for example, type: mas.barracudanetworks.com

      For a list of region-specific MAS hostnames, see Data Centers by Region.

    3. Out of Office automatic reply types – Select None
    4. Automatic replies – Select Allow automatic forwarding
    5. Message reporting – Clear all options
    6. Use rich-text format – Select Never
    7. Supported Character Set – Set both options to None
      NewRemoteDomain.png
  4. Click Save.
  5. Click Mail flow > connectors, and click the + symbol.
  6. The Select your mail flow scenario page displays.
  7. From the From menu, select Office 365, and from the To menu, select Partner organization. Click Next.
    MailFlowScenario.png 
  8. Enter a Name and (optional) Description to identify the connector. Click Next.
    NewConnector.png 

  9. Specify the domain, then click OK.
    AddDomain2.png

  10. Select Only when email messages are sent to these domains, click the +  symbol, and in the add domain field, type your region-specific MAS hostname, for example: mas.barracudanetworks.com. Click Next.
    AddDomainMas.png

  11. Select Use the MX record associated with the partner's domain. Click Next.
    UseMXRecords.png
  12. Select Always use Transport Layer Security (TLS) to secure the connection (recommended), then select Any digital certificate, including self-signed certificates. Click Next.
    TLS.png
  13. In the confirmation page, verify your settings, then click Next.
    ConfirmSettings.png
    Office 365 runs a test to verify your settings.

  14. In the Barracuda Cloud Archiving Service, go to the Mail Sources > SMTP Journaling page and copy the email address from the SMTP Journaling Info section, for example: bma_mycompany@mas.barracudanetworks.com

  15. In Office 365, paste this email address into the provided field in the Verification page, and click Validate.

    Note that the sending email portion of the verification may fail depending on your Office 365 configuration. This is not a concern as long as it passes the connectivity test.

  16. When verification is complete, your mail flow settings are added.

.

Create a Non-Delivery Report Recipient

Before creating journal rules, specify a journal recipient for non-delivery reports (NDRs) to reduce the risk of losing journal reports:
ndrWarning.png

  1. Log into your Office 365 Exchange admin center.
  2. Select compliance management > journal rules.
  3. If an NDR email recipient is not already specified, click Select address to the right of Send undeliverable journal reports to field:
    SelectAddress.png
  4. Browse to and select a recipient from the address book.
    You can search for a recipient by typing all or part of a display name, and then clicking the Search icon, or click on either the Display Name or E-Mail Address heading to sort the list.
  5. After you select a recipient, click OK. In the NDRs for undeliverable journal reports window, click Save.

    Best Practice
    Create a shared mailbox and use that mailbox for the NDR recipient.

Configure Office 365 to Send Journal Mail

  1. Log into Office 365 Exchange admin center.
  2. Select compliance management > journal rules.
  3. Click the + symbol. In the new journal rule dialog box and complete the following:
    1. Send journal reports to – Enter the journaling address from the Mail Sources > SMTP page in the Barracuda Cloud Archiving web interface. This is called the journaling mailbox.
    2. Name – By default, the name of the journal rule is automatically generated from the journal recipients. If there are existing journal rules that contain the same journal recipients, numbers are automatically appended to the journal rule name to avoid duplicates. If you choose to override the automatically-generated name by typing in a custom name, verify the name is unique and descriptive.
    3. If the message is sent to or received from – Select Apply to all messages to journal all recipients.
    4. Journal the following messages – Select All messages to journal all messages regardless of source or destination:
      journalRule.png

      Because the journaling mailbox may contain sensitive information, it is recommended that you create organization-wide policies that govern who can access the journaling mailboxes in your organization.

  4. Click Save. The rule is added toe journal rules table.

Once you complete the configuration, mail begins forwarding to the Barracuda Cloud Archiving Service. Log in to the web interface as the administrator, and go to the Basic > Dashboard page. Processed mail displays in the Message Statistics table. Statistics are cached and may take up to 30 minutes to appear.

For additional configuration options and features, log in to the web interface, and click Help.

 

Barracuda Cloud-to-Cloud Backup

Configure Impersonation for OneDrive for Business

Step 1. Create a New Service Account

  1. Log in to your Office 365 Management Panel using an account with administrative privileges, and click users and groups in the left pane.
  2. Click the + symbol to create a new account.
  3. In the details page, enter the details for the new service account, and click next.
  4. In the settings page, select Yes to assign administrator permissions, and from the drop-down menu, select Global administrator. Optionally, you can add an alternate email address and location. Click next.
  5. In the assign licenses page, make no changes. Click next.
  6. In the send results in email page, click Create. The service account details are sent to the admin.
  7. To activate the account, log in to your Office 365 Management Panel using the new service account, and update the password.

Step 2. Configure Permissions

Use this step to configure permissions for current users

There are two options you can use to give the service account created in Step 1. Create a New Service Account access to user accounts:

  • Option 1 Run a SharePoint Online Management Shell script to automatically apply the proper permissions to each user account; this is the preferred and fastest. If you have multiple users, this is also the easiest method.
    or 
  • Option 2 – Manually configure each user account from within the Microsoft SharePoint Admin Center. If you have only a few users, this is the easiest method.
Option 1. Configure Permissions Using a SharePoint Online Management Shell Script
  1. Download and open the AdminRights.ps1 script using a text editor such as Notepad.
  2. Navigate to and edit the following four variables:
    adminrightsscript.png 
    • $o365login – Replace with your Office 365 service account or administrator account username.
    • $o365pw – Replace with your Office 365 service account or administrator account password.
    • $spAdminURL – Replace with the same URL used in your organization's OneDrive URL, but suffixed with -admin  
    • $spMyURL – Replace with the same URL used in your organizations’ OneDrive URL, but suffixed with -my
  3. Save and close the script.
  4. Locate the SharePoint Online Management Shell installed in Step 1, then right-click and click Run as administrator.
  5. Change your working directory within the SharePoint Online Management Shell to the location where you saved the AdminRights.ps1 script:
    changelocation.png 
  6. Run the following command:
    Set-ExecutionPolicy Unrestricted 
  7. Run the following command to run the AdminRights.ps1 script:
    .\AdminRights.ps1
    runscript.png 
  8. Press Enter to exit the script.
  9. Exit SharePoint Online Management Shell.

    You must complete the steps in Option 1 each time you add new users.

Option 2. Configure Permissions from the Microsoft SharePoint Admin Center
  1. Log in to your Office 365 Management Panel using the service account created in Step 1. Create a New Service Account.
  2. In the left pane click Admin centers > SharePoint, and click user profiles.   
  3. Click Manage User Profiles:
    manageuserprofiles.png
  4. In the Find profiles field, type the name of a user who's OneDrive for Business data is to be backed up, and then click Find:
    findted.png 
  5. Click the user's Account name, and then click Manage site collection owners:
    manageowners.png
  6. The site collection owners dialog box displays. In the Site Collection Administrators field, add the service account with administrative privileges or another account with administrative privileges:
    • Type the account name, and then click the Verify User (verifyuser.png) icon, or
    • Click the Directory (finduser.png) icon, and navigate to and select the account from the directory:
      SiteCollAdminsBCCB.png
  7. Click OK. The service account or administrative account added as the user's Site Collection Administrator can now view the user's entire OneDrive account.
  8. Repeat Steps 3 through 7 for each user who's OneDrive for Business data is to be backed up with Barracuda Cloud-to-Cloud Backup.

Step 3. Set Up Impersonation Permissions

Use these steps when adding all future users.

Complete the following steps to set up impersonation permission for the service account on all newly created OneDrive users:

  1. Log in to your Office 365 Management Panel using the service account created in Step 1. Create a New Service Account.
  2. In the left pane click Admin centers > SharePoint, and click user profiles.   
  3. In the My Site Settings section, Click Setup My Sites.
  4. In the My Site Secondary Admin section, click Enable My Site secondary admin.
  5. In the Secondary admin field, type the username of the newly created service account.
  6. Click OK.

Configure Impersonation for Exchange Online

In order for Barracuda Cloud-to-Cloud Backup to access user mailboxes for backup, you must create a new service account with administrative privileges and apply the impersonation role to that account.

To configure impersonation within Exchange Online:

Step 1. Create a New Service Account

  1. Log in to your Office 365 Management Panel using an account with administrative privileges, and click users and groups in the left pane.
  2. Click the + symbol to create a new account.
  3. In the details page, enter the details for the new service account, and click next.
  4. In the settings page, select Yes to assign administrator permissions, and from the drop-down menu, select Global administrator. Optionally, you can add an alternate email address and location. Click next.
  5. In the assign licenses page, make no changes. Click next.
  6. In the send results in email page, click Create. The service account details are sent to the admin.
  7. To activate the account, log in to your Office 365 Management Panel using the new service account, and update the password.

Step 2. Create Impersonation Role

Option 1. Manually Set Up Impersonation

  1. Log in to your Office 365 Management Panel using an account with administrative privileges, and go to permissions > admin roles.
  2. Click the + symbol. In the new role group dialog box, type BarracudaBackupImpersonation in both the Name and Description fields:
    newrolegroup.png 
  3. Scroll down to Roles, and click the + symbol.
  4. From the list, select ApplicationImpersonation, and click add:
    AppImpersonationRoleBCCB.png
  5. Click OK.
  6. Scroll down to Members, select the service account created in Step 1: Create a New Service Account, and click add
  7. Click OK. Click Save to save your settings and close the Role Group window. The Impersonation role is now listed in Admin Roles.

Option 2. Set Up Impersonation via PowerShell

Use the following steps to assign the ApplicationImpersonation role using PowerShell:

  1. At the PowerShell command prompt, enter the following command:
    New-ManagementRoleAssignment –name:impersonationAssignmentName –Role:ApplicationImpersonation –User:serviceAccount
    Where:
    name is the friendly name of the role assignment. Each time you assign a role, an entry is made in the role-based access control (RBAC) roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet found in the Microsoft Dev Center article How to: Configure impersonation.
    Role is the RBAC role to assign. When you set up impersonation, you assign the ApplicationImpersonation role.
    User is the service account.

  2. Press Enter.

 

Continue with Step 2 - Complete Service Configuration

 

Last updated on