Barracuda Email Gateway Defense
formerly Email Security

Microsoft 365 Inline Deployment

With an inline deployment, emails are thoroughly examined before they reach a recipient’s inbox. Email Gateway Defense becomes a step in the SMTP processing sequence and actively engages with incoming email messages. Based on your policies, messages are blocked before reaching the inbox.

Benefits

An inline deployment provides customers with layered security and filtering. Filtering messages at the gateway helps to ensure that malicious emails are never delivered. In addition, an API integration with Barracuda Impersonation Protection provides post-delivery detection and protection.

Another benefit of inline deployment is the ability to improve email security without changing DNS MX records, which continue to point at Microsoft 365. This is particularly helpful when different teams manage DNS and email in your organization.

Limitations

Inline deployments have disadvantages. Email continuity and spooling are not available. In some cases, when emails are received from other Microsoft 365 tenants, SPF and DMARC checks are not performed.

Getting Started

The following sections detail how to configure Email Gateway Defense and add mail flow rules and connectors to route emails.

Outbound email processing through Email Gateway Defense is not currently supported. This also includes initiating outbound encryption using the Barracuda Message Center (i.e., using the Outlook Add-In to encrypt a message from the client).

Configure Email Gateway Defense
  1. Log into your Barracuda Cloud Control account, and click Email Gateway Defense in the left pane.

  2. In the Email Gateway Defense wizard, enter a valid email address from the email server domain you want to protect with Email Gateway Defense. Click Detect email server.
    The wizard automatically fills in your destination mail server.

    egdWizardSpecifyMailSvr.png

  3. Click Save and Exit to exit the wizard.

  4. Verify your domain using the postmaster email address for the domain. The postmaster is the mail server’s administrator and has the associated email address postmaster@domain.com.

  5. On the Domains page, click Edit. Under Mail Servers, click Add Mail Server and enter your mail server.

  6. On the Domains page, note the primary and backup MX records. You will need these hostnames as the smart hosts of the outbound connector in Exchange Online.

    egd_mxrecords1.png

    Note that a warning message such as “MX records are misconfigured” will appear on the Domains page. It can be ignored: in an inline deployment your MX records intentionally keep pointing at Microsoft 365 rather than at Email Gateway Defense.

  7. Go to the Inbound Settings > IP Address Policies page. Using Bulk Edit, add the following Microsoft 365 Exchange Online IP address ranges as Trusted Forwarders (one entry per line in the form IP address, netmask, comment). Marking Exchange Online as a trusted forwarder tells Email Gateway Defense to skip these addresses in the Received chain, so that sender-based checks are evaluated against the original connecting sender rather than Microsoft’s relays. Microsoft publishes these ranges and may change them; recheck them periodically.

    40.92.0.0,255.254.0.0,Office365
    40.107.0.0,255.255.0.0,Office365
    52.100.0.0,255.252.0.0,Office365
    104.47.0.0,255.255.128.0,Office365

    For the current list, see the Microsoft article https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#exchange-online.

Your initial configuration of Email Gateway Defense is complete.

Set Up Exchange Online

This inline deployment option is a separate setup from the standard deployment option. Choose only one of the options when setting up Email Gateway Defense.

For the standard deployment option, see Step 2 - Configure Microsoft 365 for Inbound and Outbound Mail.

For the inline deployment option, use the following steps to set up your inbound/outbound connectors and mail flow rules.

Set Up a New Outbound Connector From Microsoft 365 to Barracuda Networks
  1. Log into the Exchange admin center at https://admin.exchange.microsoft.com/.

  2. In the left pane, click Mail flow, and click Connectors.

  3. Click the Add a connector button, and use the wizard to create a new connector.

  4. For Connection from, select Office 365. For Connection to, select Partner organization.

  5. Click Next. Enter a Name such as Email Gateway Defense Outbound Connector and (optional) Description to identify the connector.

  6. Click Next. Select Only when I have a transport rule set up that redirects messages to this connector.

  7. Click Next. Select Route email through these smart hosts, and click the + symbol.

    1. Copy the inbound hostnames from the primary and backup MX records noted on the Domains page, and enter them on the add smart host page.

  8. Click Next. Keep the default Security restrictions: Always use Transport Layer Security (TLS) to secure the connection (recommended), with Issued by a trusted certificate authority (CA). This ensures Microsoft 365 only hands mail to Email Gateway Defense over an encrypted connection whose certificate validates.

  9. Enter an external email address to validate the connector. For this test, it is important to use an email address from outside your organization, such as a Gmail or Yahoo address. Click Validate.

  10. Once the validation process is complete, click Next. Review your settings and then click Create connector.

Set Up a New Inbound Connector From Partner to Microsoft 365

Create a partner connector to establish a secure connection between Barracuda and Microsoft servers when Microsoft 365 receives mail that has been processed by Barracuda Networks.

  1. Install the Exchange Online PowerShell module.

    • If the ExchangeOnlineManagement module is already installed, proceed to the next step.

    • To install it, open Windows PowerShell as an administrator and enter the following command:
      Install-Module -Name ExchangeOnlineManagement

  2. Connect to Exchange Online PowerShell and sign in with your Microsoft 365 administrator account using the following command:
      Connect-ExchangeOnline

  3. Find the correct IP range based on the region selected when setting up your Barracuda Networks instance. Refer to the Email Gateway Defense IP Ranges Used for Configuration for the IP ranges corresponding to your region. 

  4. After you connect to Exchange Online PowerShell, run the command for your region. Each command creates a Partner inbound connector that requires TLS and accepts mail for any sender domain, but only connections from that region’s Email Gateway Defense addresses match the connector:

    PowerShell Script for the Australia Region

    New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 3.24.133.128/25 

    PowerShell Script for the Canada Region

    New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 15.222.16.128/25

    PowerShell Script for the Germany Region

    New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 35.157.190.224/27

    PowerShell Script for the India Region

    New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 13.200.136.128/25

    PowerShell Script for the UK Region

    New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 35.176.92.96/27

    PowerShell Script for the US Region

    New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 209.222.80.0/24,209.222.81.0/24,209.222.82.0/24,209.222.83.0/24,209.222.84.0/24,209.222.85.0/24,209.222.86.0/24,209.222.87.0/24

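
The following is an added example, not a script from Barracuda Networks or this page, that creates both connectors described above (the outbound connector from the earlier section and the inbound connector for your region) in one Exchange Online PowerShell session and then reads them back for review. It assumes the ExchangeOnlineManagement module is installed, that the connector names match those used in the steps above, and that you replace the two placeholder smart host names with the primary and backup MX hostnames from your Domains page. The region ranges are copied from the commands above and are themselves subject to change.

```powershell
# Added example (not Barracuda's own script). Assumes ExchangeOnlineManagement
# is installed and that $SmartHosts is replaced with your real MX hostnames.

Connect-ExchangeOnline   # interactive sign-in with a Microsoft 365 administrator account

# Email Gateway Defense source ranges per region, copied from the page's commands.
$EgdRanges = @{
    'Australia' = @('3.24.133.128/25')
    'Canada'    = @('15.222.16.128/25')
    'Germany'   = @('35.157.190.224/27')
    'India'     = @('13.200.136.128/25')
    'UK'        = @('35.176.92.96/27')
    'US'        = @('209.222.80.0/24', '209.222.81.0/24', '209.222.82.0/24', '209.222.83.0/24',
                    '209.222.84.0/24', '209.222.85.0/24', '209.222.86.0/24', '209.222.87.0/24')
}

$Region     = 'US'                                   # the region chosen when the instance was set up
$SmartHosts = @('REPLACE-WITH-PRIMARY-MX-HOSTNAME',  # placeholder: primary MX record from the Domains page
                'REPLACE-WITH-BACKUP-MX-HOSTNAME')   # placeholder: backup MX record from the Domains page

if (-not $EgdRanges.ContainsKey($Region)) {
    throw "Unknown Email Gateway Defense region '$Region'"
}

# Outbound connector (Microsoft 365 -> Barracuda). IsTransportRuleScoped is the
# PowerShell equivalent of "Only when I have a transport rule set up"; the smart
# hosts replace MX lookup; CertificateValidation requires TLS with a CA-issued cert.
New-OutboundConnector -Name 'Email Gateway Defense Outbound Connector' `
    -ConnectorType Partner `
    -IsTransportRuleScoped $true `
    -UseMXRecord $false -SmartHosts $SmartHosts `
    -TlsSettings CertificateValidation `
    -RecipientDomains '*'      # the mail flow rule, not the domain list, decides what uses it

# Inbound connector (Barracuda -> Microsoft 365): any sender domain, TLS required,
# and only connections from this region's Email Gateway Defense addresses match.
New-InboundConnector -Name 'Barracuda Inbound Connector' `
    -ConnectorType Partner `
    -RequireTls $true `
    -SenderDomains '*' `
    -SenderIPAddresses $EgdRanges[$Region]

# Read back what was actually created before moving on to mail flow rules.
Get-OutboundConnector 'Email Gateway Defense Outbound Connector' |
    Select-Object Name, Enabled, IsTransportRuleScoped, SmartHosts, TlsSettings
Get-InboundConnector 'Barracuda Inbound Connector' |
    Select-Object Name, Enabled, RequireTls, SenderDomains, SenderIPAddresses
```

If a connector with the same name already exists, New-OutboundConnector and New-InboundConnector fail rather than overwrite it; use Set-OutboundConnector or Set-InboundConnector to change an existing one.
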
Add Additional Email Domains (Optional)

Barracuda Networks recommends adding all Microsoft 365 accepted domains into Email Gateway Defense.

Repeat these steps, as needed, for additional Microsoft 365 domains.

Obtain the hostname:

  1. Log into the Microsoft 365 admin center.

  2. In the left pane, click Settings > Domains.

  3. In the Domains table, click on your domain.

  4. Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com

Enter the hostname:

Barracuda Networks recommends using a hostname rather than an IP address so that you can move the destination mail server and update DNS records without changing the Email Gateway Defense configuration. This address is where Email Gateway Defense delivers scanned mail for your Microsoft 365 tenant. For example, your domain displays to the Internet as: bess-domain.mail.protection.outlook.com

  1. Log into the Barracuda Cloud Control as administrator. In the left panel, click Email Gateway Defense. Select the Domains tab, then click Add Domain.

  2. Enter the domain name and destination mail server hostname obtained from your Microsoft 365 account:

    AddDomain.png

  3. Click Add Domain; the Domain Settings page displays, listing the new domain.

  4. Verify that the domain is yours. Follow the instructions in How to Set Up MX Records for Domain Verification. Make sure that you see that the domain is successfully verified, then return to this page. 

Set Up Mail Flow Rules

Before setting up the mail flow rules, create a secret value. It is used in the mail flow rules to distinguish mail that has already passed through Email Gateway Defense from mail that has not, so that external mail is always scanned. For example, you can use openssl rand -hex 32 to create a 256-bit secret. Hex output is US-ASCII only, which is required because the value is placed in an email header, and it contains no regular-expression metacharacters, which matters because the header check below is a pattern match. Anyone who knows this value can mark a message as already scanned, so treat it like a credential and generate it locally where possible; a browser-based generator such as https://www.cryptool.org/en/cto/openssl/ is an alternative.

  1. Log into the Exchange admin center at https://admin.exchange.microsoft.com/.

  2. In the left pane, click Mail flow, and click Rules.

  3. Click Add a rule.

  4. Select Create a new rule.

  5. In the new rule page, enter a Name to represent the rule. For example, Forward to Barracuda Networks unless secret header is present.

  6. Under Apply this rule if, select The sender > is external/internal > Outside the organization.

  7. Under Do the following:

    1. Select Redirect the message to > the following connector, and select the connector you defined above in Set Up a New Outbound Connector.

    2. Select Modify the message properties > set a message header X-BARRACUDA-SECRET to the value <your-secret-key>.

  8. Under Except if:

    1. Select A message header > matches these text patterns X-BARRACUDA-SECRET matches <your-secret-key>.

    2. Select The sender > IP address is in any of these ranges or exactly matches, and enter the Email Gateway Defense ranges for your region. To find your Email Gateway Defense region, see Email Gateway Defense Outbound IP Ranges. Either exception on its own exempts a message from this rule, so mail returning from Email Gateway Defense is recognized by the secret header and by its source address.

  9. Click Save.

  10. On the Set rule settings page, set the Severity to High and check Stop processing more rules.

  11. Click Next. Review the settings and then click Finish.

  12. On the Rules page, select the Forward to Barracuda Networks unless secret header is present rule and use the Move up button to move the rule to the top of the list.
    Alternatively, you can also edit rule settings and set its Priority to 0.

  13. Create another new rule and name it Remove Barracuda header secret from scanned emails.

  14. Under Apply this rule if, select A message header > matches these text patterns X-BARRACUDA-SECRET matches <your-secret-key>.

  15. Under Do the following, select Modify the message properties > remove a message header X-BARRACUDA-SECRET.

  16. On the Set rule settings page, set the Severity to High. Ensure Stop processing more rules is unchecked.

  17. Click Next. Review the settings and then click Finish.

  18. On the Rules page, select the Remove Barracuda header secret from scanned emails rule and use the Move up or Move down button to move the rule to the second position of the list.
    Alternatively, you can also edit rule settings and set its Priority to 1.

    inline_mailflowrules.png

    inline_mailflowrule8.png

    inline_mailflowrule2.png
  19. Add spoof intelligence allow entries for Barracuda Networks, so that mail returning from Email Gateway Defense is not treated as spoofed.
    Go to https://security.microsoft.com/tenantAllowBlockList and click Spoofed senders.

    egd_tenantAllowList.png

    1. Add two new entries, both with the spoofed user / sending infrastructure pair *,barracuda.com, one with Spoof type Internal and one with External.

      egd_tenantAllowList1.png

      egd_tenantAllowList2.png
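
The following is an added example, not a script from Barracuda Networks or this page, that performs the Set Up Mail Flow Rules procedure (steps 1 to 19) with Exchange Online PowerShell instead of the admin center. It assumes Connect-ExchangeOnline has already been run, that the outbound connector is named Email Gateway Defense Outbound Connector as in the steps above, and that $EgdRegionIps is replaced with the Email Gateway Defense outbound ranges for your region (the US ranges from the inbound connector section are used as the assumed value).

```powershell
# Added example (not Barracuda's own script). Assumes an existing Exchange Online
# session and the connector name used in the steps above.

$ConnectorName = 'Email Gateway Defense Outbound Connector'
$HeaderName    = 'X-BARRACUDA-SECRET'
$EgdRegionIps  = @('209.222.80.0/24', '209.222.81.0/24', '209.222.82.0/24', '209.222.83.0/24',
                   '209.222.84.0/24', '209.222.85.0/24', '209.222.86.0/24', '209.222.87.0/24')  # assumed: US region

# 1. Generate a 256-bit secret as lowercase hex. Hex is plain US-ASCII (safe in a
#    header) and has no regex metacharacters, so it is safe in a "matches these
#    text patterns" condition, which is a regular-expression match.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$Secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 2. Priority 0: route external mail to the connector and stamp the secret, unless
#    the message already carries the secret or comes from the EGD ranges. Multiple
#    exceptions on one rule are OR'd: any one of them skips the rule.
New-TransportRule -Name 'Forward to Barracuda Networks unless secret header is present' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -RouteMessageOutboundConnector $ConnectorName `
    -SetHeaderName $HeaderName -SetHeaderValue $Secret `
    -ExceptIfHeaderMatchesMessageHeader $HeaderName -ExceptIfHeaderMatchesPatterns $Secret `
    -ExceptIfSenderIpRanges $EgdRegionIps `
    -SetAuditSeverity High `
    -StopRuleProcessing $true

# 3. Priority 1: strip the secret from scanned mail before delivery, so the value
#    never reaches a mailbox where it could be read and replayed to skip scanning.
New-TransportRule -Name 'Remove Barracuda header secret from scanned emails' `
    -Priority 1 `
    -HeaderMatchesMessageHeader $HeaderName -HeaderMatchesPatterns $Secret `
    -RemoveHeader $HeaderName `
    -SetAuditSeverity High `
    -StopRuleProcessing $false

# 4. Spoof intelligence allow entries (step 19): *,barracuda.com for both spoof types.
foreach ($spoofType in 'Internal', 'External') {
    New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow `
        -SendingInfrastructure 'barracuda.com' -SpoofedUser '*' -SpoofType $spoofType
}

# 5. Confirm the two rules sit at the top in the expected order.
Get-TransportRule | Sort-Object Priority |
    Select-Object Priority, Name, State, StopRuleProcessing | Format-Table -AutoSize
```

After running this, send a test message from an external mailbox and check its headers: the delivered copy should show Email Gateway Defense in the Received chain and should not contain X-BARRACUDA-SECRET, which confirms both that the message was scanned and that the second rule stripped the secret.
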