
Use cases

Configure GMail using Google Workspace for GravityZone Security for Email

Follow this procedure to integrate GravityZone Security for Email with Google Workspace Gmail for inbound and outbound email delivery.

To configure GravityZone Security for Email for use with Google Workspace follow the steps below:

Configuring Inbound Mail

  1. Go to Products > GravityZone Security for Email > Product Configuration.

  2. Go to Inbound Mail.

  3. Click the Add button to add a new delivery route.

  4. Select your Domain from the drop-down list.

  5. Under Cost set route priority to 5.

    The cost defines route priority for multiple routes. The lower the number, the higher the priority.

  6. Under Route enter the following: ASPMX.L.GOOGLE.COM

  7. Update to save changes.

  8. Repeat steps 3 to 7 to add the following routes and associated costs:

    ALT1.ASPMX.L.GOOGLE.COM with the cost of 10

    ALT2.ASPMX.L.GOOGLE.COM with the cost of 15

    ALT3.ASPMX.L.GOOGLE.COM with the cost of 20

    ALT4.ASPMX.L.GOOGLE.COM with the cost of 25

    The final routes should look similar to the ones in the screenshot below.

    gsuite_final_routes.png

Configuring Outbound Mail

  1. Go to Products > GravityZone Security for Email > Product Configuration.

  2. Go to Outbound Mail.

  3. Click the Add button.

  4. Under Hostname enter the following hostname:

    spf://_spf.google.com

  5. Update to save changes.

You should configure GMail using Google Workspace to block any inbound email that does not originate from the GravityZone Security for Email (EMS) product. However, you will need to do this via a two-step process. This section is split into two sections – prior MX record change and post MX record change.

Prior to changing MX records

Before changing MX records it is recommended that the GravityZone Security for Email IP addresses are added to the inbound gateway so that when MX records are changed all messages are not quarantined.

Note

You may already have inbound gateway entries listed. If this is the case you need to append the entries below to the existing list and then remove the existing entries once the MX records have been changed.

Follow the steps below:

  1. Login to the Google Workspace Admin Console with an administrators account.

  2. Click on the Menu button.

  3. Select Admin > Apps > Google Workspace.

  4. Click on GMail to take you to Settings for Gmail.

  5. Click on Advanced Settings at the bottom of the page.

  6. Scroll down to Spam, phishing, and malware and configure/edit the Inbound Gateways.

  7. Add a Name to the Inbound setting.

  8. Add the IP addresses for our service and click Save.

    The entries should look like this if using the EU servers:

    104340_1.png

    Note

    Ensure you do not check the Reject all mail not from gateway IPs box.

  9. At the bottom of the Advanced Settings page, click Save to apply the changes.

  10. Ensure that this configuration is replicated to Google Workspace before changing any MX records.

    Note

    It can take up to an hour for changes to propagate to user accounts for GMail using Google Workspace. You can track changes in the Admin console audit log.

Post MX record change

Once MX records have been changed and replicated to the internet, email should start flowing through the GravityZone Security for Email product. You can verify this via the GravityZone Security for Email Activity reports and charts. You can also check this in the Google Workspace portal by following these steps:

  1. Login to the Google Workspace Admin Console with an administrators account.

  2. Click on the Menu button.

  3. Select Admin > Apps > Google Workspace.

  4. Click on GMail to take you to Settings for Gmail.

  5. Click on Setup.

  6. Check that the MX records match the below:

Additional Options

By default, Gmail using Google Workspace will still scan all emails for spam. If you do not want Google Workspace to quarantine any of the messages, you can whitelist the GravityZone Security for Email service IPs. To do this follow these steps:

  1. Login to the Google Workspace Admin Console with an administrators account.

  2. Click on the Menu button.

  3. Select Admin > Apps > Google Workspace.

  4. Click on GMail to take you to Settings for Gmail.

  5. Click on Advanced Settings at the bottom of the page.

  6. Scroll down to Spam, phishing, and malware and under Email whitelist add the GravityZone Security for Email service IP addresses:

    The entries should look like this if using the EU servers:

    104340_2.png
  7. At the bottom of the Advanced Settings page, click Save to apply the changes

Warning

If there are valid reasons for inbound messages to be delivered direct to Google Workspace the IP addresses of the sending servers should be added to the Inbound Gateways section prior to making this change. Failure to do so will block messages coming from those servers.

  1. Login to your Google Workspace Admin Console with an administrator account.

  2. Click on the Menu button.

  3. Select Admin > Apps > Google Workspace.

  4. Click on GMail to take you to Settings for Gmail.

  5. At the bottom of the page, click Advanced Settings.

  6. Go to Hosts > Add Route.

  7. Enter a Name for the route, such as GravityZone Security for Email Outbound.

  8. In the Specify email server select Multiple hosts.

  9. Add a primary entry for each of the outbound servers based on your region.

    • For US and ROW open ports 25 and 587 and add the following hosts:

      smtp1.us.scanscope.net
      smtp2.us.scanscope.net

    • For EU open ports 25 and 587 and add the following hosts:

      smtp1.scanscope.net
      smtp2.scanscope.net
  10. Click Save.

  11. Navigate back to General settings > Routing > Routing section.

  12. Click Configure for routing.

    The Add settings option appears.

  13. Enter a Name for the rule, such as GravityZone Security for Email Outbound Rule.

  14. Under Messages to affect (section 1), select Outbound.

  15. Under For the above types of messages, do the following (section 3), select Change route.

  16. Change Normal routing to GravityZone Security for Email Outbound Rule, created above.

  17. (Optional) Under Encryption (onward delivery only), select Require Secure Transport (TLS).

  18. Click Add Settings or Save if you are editing an existing configuration.

  19. At the bottom of the Advanced Settings page, click Save to apply changes.

    Note

    It can take up to one hour for your settings to come into effect. You can track changes in the Admin console audit log.

  1. Login to the Google Workspace Admin Console with an administrators account.

  2. Click on the Menu button.

  3. Select Admin > Apps > Google Workspace.

  4. Click on GMail to take you to Settings for Gmail.

  5. Click on Hosts section.

  6. Click on the Add Route button.

  7. Give the route a Name like “Google Internal”.

  8. In the Specify Email server select Multiple hosts.

  9. Add a primary entry for each of the GMail Servers listed below:

    aspmx.l.google.com
    alt1.aspmx.l.google.com
    alt2.aspmx.l.google.com
    alt3.aspmx.l.google.com
    alt4.aspmx.l.google.com
    104340_3.png
  10. Click Save.

  11. Go to the General setting tab and scroll to the Routing setting in the Routing section.

  12. Click on Add Another for Routing. This will open up a new Add setting option.

  13. Enter a name like Internal Route.

  14. Select the checkbox for Internal – Sending in Messages to affect.

  15. Select only affect specific envelope recipients and define a REGEX for your internal domain.

    104340_4.png

    Note

    For multiple domains you can add them into the regex in this format:

    .*@firstdomain\.com|.*@seconddomain\.co\.uk
  16. Select Change route in For the above types of messages, to do the following.

  17. Change the Normal routing to the one created above.

    104340_5.png
  18. Click on Show Options at the bottom of this page and select Users and Groups under Account types to affect:

    104340_6.png
  19. Click the Add Setting button, then click Save.

  20. At the bottom of the Advanced Settings page, click Save.

Note

Now all internal mail is routed directly to Google servers, and all other mail routes through the GravityZone Security for Email Outbound Gateway.

Video tutorials

Configure outbound DKIM

DomainKeys Identified Mail (DKIM) adds a digital signature to safeguard the email content of your outbound source. Configuring DKIM increases your domain reputation with different providers.

Each domain covered by GravityZone Security for Email will have its own key, so each domain will need to be configured before it can be DKIM-enabled.

Note

GravityZone Security for Email comes with a default system Message Rule called Apply DKIM which is enabled by default; however, outbound messages won't be signed unless you have configured outbound DKIM, by following the steps below.

  1. Go to Products > Product Configuration > Domains.

  2. To view the DKIM public key, click the View button next to the domain you wish to configure.

    93678_1.png
  3. Write a DNS txt entry for the domain.

    Note

    You need to create a txt record for ussems._domainkey.xxxxxx, where xxxxxx is your domain name.

    Here is an example of what should be seen on a nslookup. This entry should match the entry found in step 2.

    93678_2.png
  4. Repeat steps 1 to 3 for all of your domains and then wait for the domain TTL to expire.

  5. Return to the Domains section and click the Verify and Enable DKIM button. The DKIM status will be updated to Success if the DKIM key can be verified against the domain DNS. At least one domain must have DKIM verified in order to enable DKIM on your account.

    Note

    If you remove all DKIM verified domains, or wish to disable DKIM on your account please remember to verify DKIM again. If no domains can be verified then DKIM will be fully disabled.

If you want outbound mail to be DKIM-signed for some, but not all, of the domains on your account, follow the steps below.

  1. Go to Products > Custom Rule Data.

  2. Click the New button at the bottom of the screen and select Rule Data.

    emailsecruledata.png
  3. Enter a name, and Click Update.

  4. Add the domain(s) for which you would like to enable DKIM under Value.

    Note

    Keep each domain as a separate line.

    93678_3.png
  5. Click Save.

    A window appears with your domain’s DKIM key (public key).

  6. Go to Products > Message Rules.

  7. Click the Add Rule button.

    75100_13.png
  8. Enter a name and click the Add button.

    75100_14.png
  9. Configure the new rule:

    1. Add the following conditions:

       Condition name    Match type    Condition value
       Direction         Matches       Outbound
       DKIM Enabled      Matches       Enabled
       Sender            Matches       Select the Custom Rule Data previously created at step 3.

    2. Add the following action:

       Action name       Value
       DKIM Signing      RSA Key

    EMS_rule_DKIM_signing_93678_en.png
  10. Click Save.

  11. Drag the rule to top of the Message Rules list to give it the highest priority.

  12. Search for the Apply DKIM signing system message rule in the Message Rule list and click the On button to turn the rule off.

    93678_5.png

Configure outbound email for Exchange 2016

It is important that you configure your Exchange connectors to send outbound email out through the MailSafe service. This ensures that both your outbound traffic is scanned and your traffic is profiled to help improve spam filtering. This article explains how to configure your connectors correctly.

  1. Login to the Microsoft Exchange Server as an administrator.

  2. Open Exchange Admin Center by visiting https://your-exchange-servers-hostname/ecp.

  3. In the left pane, select mail flow > Connectors.

  4. Select the + icon to create a new send connector.

  5. Enter an identifiable name for your connector such as Email Security Mail Relay.

  6. Ensure the type is set to Custom.

  7. Select Next.

  8. Specify the mail to be relayed by the option Route mail through smart hosts.

  9. Select the + icon to create a new smart host.

  10. Create connectors for each sending host in the appropriate cluster - either US or EU.

  11. Select Next.

  12. Ensure Smart Host Authentication is set to None.

  13. Select Next.

  14. For the Address space, select the + button to add a domain.

  15. Enter the FQDN as * and change the cost to 10.

  16. Click Save.

  17. On the Source Server page, add any other Exchange Servers that should be able to send email to this connector by hitting the + button. In most cases where there is only one server, the server will already be added. Click Next.

  18. Click Finish.

Configure outbound DMARC

GravityZone Security for Email provides the ability to participate in DMARC (Domain Message Authentication Reporting and Conformance) for email authentication.

Note

For more information refer to How DMARC works.

Before configuring any DMARC DNS entry, you must ensure that the following are true:

Create a DNS Resource Record of type TEXT with a record name like _dmarc.domain.TLD. For example, the Resource Record name for domain testdomain.co.uk is _dmarc.testdomain.co.uk.

Note

The record name must start with _dmarc (including the underscore).

The text content of a simple starter record should be similar to:

v=DMARC1; p=none; ruf=mailto:[email protected]; aspf=s

  • aspf=s specifies "strict" checking of SPF (the default is "relaxed").

  • ruf= provides the email address to which DMARC failure reports should be sent.

  • p=none specifies a policy of "none" - the recipient should not reject or quarantine any messages simply because they do not align with this DMARC policy. The recipient could of course reject or quarantine the messages for other reasons.

You should start to receive reports to the email address you specified every 24 hours. After reviewing the reports and confirming that valid messages from your domains do pass evaluation, you may then request that recipients act on messages that do not align with the policy, by changing the policy to quarantine or reject.
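The following Python script is an added example and is not part of this article or of the GravityZone product. It parses the tag=value syntax that both the DKIM TXT record from the Configure outbound DKIM procedure and the DMARC starter record above use, builds the ussems._domainkey.<domain> record name from step 3 of the DKIM procedure, checks that a published DKIM key record is usable, and summarises what a DMARC record asks receivers to do before you move the policy from none to quarantine or reject. The sample records, the public key value and the report address are constructed placeholders; the notes returned by check_dmarc are this example's own checks, not product output.

```python
import re

# Constructed sample records (not taken from the page). The key material and
# the report address are placeholders.
SAMPLE_DKIM_TXT = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPLACEHOLDERKEY"
SAMPLE_DMARC_TXT = "v=DMARC1; p=none; ruf=mailto:dmarc-reports@example.com; aspf=s"
DKIM_SELECTOR = "ussems"  # selector named on the page: ussems._domainkey.<domain>


def parse_tag_value(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC TXT records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        tags[tag.strip()] = value.strip()
    return tags


def dkim_record_name(domain: str, selector: str = DKIM_SELECTOR) -> str:
    """Name of the TXT record to create for a domain (step 3 of the DKIM procedure)."""
    return f"{selector}._domainkey.{domain.strip().rstrip('.').lower()}"


def check_dkim(txt: str) -> list:
    """Return the problems found in a published DKIM key record (empty list if it looks usable)."""
    tags = parse_tag_value(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v must be DKIM1")
    if not tags.get("p"):
        problems.append("p (public key) is empty: an empty p means the key is revoked")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type k={tags['k']}")
    return problems


def check_dmarc(txt: str) -> dict:
    """Summarise a DMARC record and flag what the chosen tags mean for receivers."""
    tags = parse_tag_value(txt)
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid or missing policy p={policy!r}")
    ruf = [u for u in tags.get("ruf", "").split(",") if u]
    rua = [u for u in tags.get("rua", "").split(",") if u]
    for uri in ruf + rua:
        if not uri.startswith("mailto:"):
            raise ValueError(f"report address must be a mailto: URI: {uri!r}")
    notes = []
    if policy == "none":
        notes.append("p=none: monitoring only, receivers will not quarantine or reject")
    if not rua:
        notes.append("no rua= address: aggregate reports will not be received")
    if not ruf:
        notes.append("no ruf= address: failure reports will not be received")
    if tags.get("aspf", "r") == "s":
        notes.append("aspf=s: strict SPF alignment, the envelope domain must match exactly")
    return {
        "policy": policy,
        "aspf": tags.get("aspf", "r"),
        "adkim": tags.get("adkim", "r"),
        "ruf": ruf,
        "rua": rua,
        "notes": notes,
    }


if __name__ == "__main__":
    print(dkim_record_name("example.com"))
    print("DKIM problems:", check_dkim(SAMPLE_DKIM_TXT))
    for line in check_dmarc(SAMPLE_DMARC_TXT)["notes"]:
        print("DMARC:", line)
```

Run the script against the TXT value returned by your own nslookup of ussems._domainkey.<domain> to confirm the record you published is well formed before clicking Verify and Enable DKIM.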

Receive notifications for add on licensing expiration

Configure Inbound mail on Office 365 to reject non-EMS emails

You should configure Office 365 to block any inbound email that does not originate from GravityZone Security for Email product. There are two options available discussed below. The option best suited to you depends on your environment and requirements.

This method will allow the GravityZone Security for Email server IP addresses to deliver emails even if spam filtering is enabled in Office 365. This will ensure emails processed by the GravityZone Security for Email product are delivered without delay and do not land in the junk mailbox folder for Office 365 users.

Note

Your EMS account must have an inbound TLS rule for this option to complete successfully.

  1. Login to Office 365 Exchange Admin Center and go to Admin Centers > Classic Exchange Admin Center.

  2. Go to Protection > Connection Filter.

  3. Edit the Default entry and navigate to the Connection Filtering tab.

  4. In the Allowed IP Address section, add all of the IP addresses for the GravityZone Security for Email region you are using - see Europe, United States.

  5. Click Enable Safe List and then Save.

Note

Office 365 is now configured to block any email that does not originate from EMS.

Using a rule provides more flexibility than just using IP address; for example, you could control based on email address or attachment. Depending on your requirements or environment this may be the best option, if you have other means to restrict direct connection to your Office 365 tenant other than just IP address.

  1. Log in to the Office 365 Admin Center, and go to Admin Centers > Exchange.

  2. In the left-hand pane, click Mail Flow and then Rules.

  3. Click + and then click Create a new rule.

  4. In the New Rule page, enter a Name to represent the rule. For example, Email Security IP restriction.

  5. Scroll down and click More options.

  6. From the Apply this rule if drop-down menu, select The Sender, Is External/Internal and Outside the organization.

  7. From the Do the following drop-down menu, select Block the message and Reject the message with the Explanation.

  8. Click Enter text and enter the message that you want to include in the non-delivery report (NDR) that will be sent to the email's sender. For example:

    IP restricted, not using MX record. Please ensure your DNS is up-to-date and try sending this message again.
  9. Click Add exception.

  10. Select Sender and then Sender's IP address is in the range or exactly matches, and enter the GravityZone Security for Email IP for your cluster - see Europe, United States.

  11. Click + to add each of the IP addresses for your region.

  12. Once all the IP addresses have been added, click OK.

  13. Scroll to the Properties of the rule section. Under Match sender address in message, select Header or Envelope.

  14. Click Stop processing more rules.

  15. Click Save.

  16. Verify that the new rule displays at the top of the list of mail flow rules. If it's not at the top, select the rule and use the Up arrow to move it.

Note

Office 365 is now configured to block any email that does not originate from EMS.

Working with LinkScan

LinkScan is a feature that adds an additional security layer to incoming e-mails. All contained URLs are rewritten to redirect users to the LinkScan domain, where the URL is scanned and checked for threats, including deep redirect scanning and document detection.

GravityZone Security for Email implements this feature through the LinkScan action, which, when triggered, rewrites all the URLs contained in an email. To implement the feature, you need to have a Message Rule set in place that applies this action to your messages based on specific conditions.

Rewriting URLs

URLs inside emails are rewritten so that they will pass through the linkscan.io domain before taking the user to the original destination. A rewritten URL has the following format:

https://lsems.gravityzone.bitdefender.com/scan/<string>

When a user clicks a rewritten URL, the LinkScan service checks the underlying URL against multiple threat intelligence feeds:

Example 4. A clean URL with the Click to Continue operating mode enabled
150340_3.png


Example 5. A URL that has a threat with the Auto Redirect unless Threat Detected operating mode enabled
150340_4.png


Creating a LinkScan rule

To create a new LinkScan rule, follow the steps below:

  1. Go to Products > GravityZone Security for Email > Message Rules.

  2. Click the Add Rule button at the upper right side of the screen.

  3. Add a descriptive name for the rule and click the Add button.

  4. Add a Direction condition and set it to Inbound.

  5. (optional) Add a Sender In List condition and set it to Does Not Match: All Safe Lists.

    Note

    This condition will exclude all emails received from senders included in your Safe lists from LinkScan URL rewriting and is not mandatory for the rule to function properly.

  6. Add a LinkScan action and set it to Click to Continue, Block on threat, Hide target URL with Doc Scan.

    Note

    This is the most restrictive setting. You can find more information on the other available settings here.

    76195_1.png
  7. Click the Save button.

Creating exclusions

Excluding emails

You can exclude emails from specific users by adding the user's email address to your company's Safe lists. URLs contained in emails received from this user will not be rewritten.

Excluding specific URLs

To exclude a specific URL follow the steps below:

  1. Go to Products > GravityZone Security for Email > Custom Rule Data.

  2. Click the Add New button at the upper lower side of the screen and select Rule RegEx.

  3. Give the rule a descriptive name and click Update.

  4. Add the URL you want excluded in the following format: \b(URL)\b. Add a backslash \ before each period . character and use | to separate multiple URLs.

    Example 6. Exclude google.com
    \b(google\.com)\b


    Example 7. Exclude google.com and www.yahoo.com
    \b(google\.com)\b|\b(www\.yahoo\.com)\b


  5. Click the Save button.

    150340_1.png
  6. Go to Products > GravityZone Security for Email > Message Rules.

  7. Start editing the LinkScan rule by double-clicking it.

  8. Add a Body condition, set it to Does not match and select the name of the Custom Rule Data you created.

  9. Click the Save button in the upper rights side of the screen.

    150340_2.png
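The Python helper below is an added example, not code from this article or from the product. It builds the Rule RegEx value in the exact format shown in Examples 6 and 7 from a list of hostnames, then shows which URLs in a constructed email body the pattern would exclude from rewriting. The function names and the sample body are this example's own; the matching is done with Python's re module, which is an assumption about how the Body condition evaluates the expression.

```python
import re

# A plain hostname: labels of letters, digits and hyphens separated by dots.
HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample email body (not from the page).
SAMPLE_BODY = """Hi,
docs: https://google.com/docs and https://www.yahoo.com/mail
also https://google.com.example.invalid/login
and https://notgoogle.com/x
"""


def linkscan_exclusion_regex(hosts):
    """Build the Custom Rule Data regex in the page's format: \\b(host)\\b per host, joined with |."""
    if not hosts:
        raise ValueError("at least one hostname is required")
    patterns = []
    for host in hosts:
        if not HOST_RE.match(host):
            raise ValueError(f"not a plain hostname: {host!r}")
        # Only the period is escaped, exactly as in Examples 6 and 7.
        patterns.append(r"\b(" + host.replace(".", r"\.") + r")\b")
    return "|".join(patterns)


def urls_excluded(body, pattern):
    """Return the URLs in an email body that the exclusion pattern matches (and so would not be rewritten)."""
    rx = re.compile(pattern)
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [u for u in urls if rx.search(u)]


if __name__ == "__main__":
    pattern = linkscan_exclusion_regex(["google.com", "www.yahoo.com"])
    print(pattern)
    for url in urls_excluded(SAMPLE_BODY, pattern):
        # Note that the third URL is excluded too: \b matches before the "."
        # in "google.com.example.invalid", so the pattern is a substring match,
        # not a hostname match. Keep exclusion lists short and specific.
        print("excluded:", url)
```

The third URL in the sample body shows why exclusions deserve a second look: `\b(google\.com)\b` matches any URL that contains google.com as a whole word, including hosts that merely begin with it, so each entry you add widens what LinkScan will not inspect.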

Configure Office 365 for GravityZone Security for Email

Follow these procedures to integrate GravityZone Security for Email with Office 365, for inbound and outbound email delivery.

To configure GravityZone Security for Email for use with an Office 365 account follow the steps below:

1. Configure GravityZone Security for Email Inbound Mail

  1. Go to Products > GravityZone Security for Email > Product Configuration.

  2. Go to Inbound Mail.

  3. Click Add to add a new delivery route.

  4. Select your Domain from the drop-down list.

  5. Under Cost set route priority.

    The cost defines route priority for multiple routes. The lower the number, the higher the priority.

  6. Under Route enter the O365 domain name (e.g. domain-com.mail.protection.outlook.com).

    Note

    This can be found under O365 > Settings > Domains > Domain Details > MX Value

  7. Update to save changes.

2. Configure GravityZone Security for Email Outbound Mail

  1. Go to Products > GravityZone Security for Email > Product Configuration.

  2. Go to Outbound Mail.

  3. Click Add.

  4. Under Hostname enter the following hostname:

    spf://spf.protection.outlook.com

  5. Update to save changes.

Please follow the steps in this article to restrict Office 365 and then return to this article to continue configuration.

Follow the steps below to configure Office 365 to always send messages using the EMS server:

  1. Log in to your Office 365 Admin Center, and go to Admin Centers > Exchange.

  2. In the left-hand pane, click Mail Flow > Connectors.

  3. Click + to add a new connector.

  4. In the From: field, select Office 365.

  5. In the To: field, select Partner Organization.

  6. Give the new connector a sensible name.

  7. Click Next.

  8. Under When do you want to use this connector? select Only when email messages are sent to these domains, then click the + icon and enter *.

  9. Click Next.

  10. Under How do you want to route email messages, select Route email through these smart hosts.

  11. Add hosts according to the correct addresses for your cluster - see Europe, United States.

  12. Click Next and then click Confirm to create the connector.

Note

If you wish to verify the connector, be sure not to use an internal address. For example, use a personal email address which is not a domain configured for your customer.

If the validation fails check the settings below before contacting technical support:

  • The connector is enabled.

  • The default domain is the domain configured in EMS domain settings (MailFlow > Accepted Domains).

Video tutorials

Enable editing DNS for your domain in Office 365

By default, the ability to add or update DNS records for managed domains in Office 365 is disabled. In order to configure and use GravityZone Security for Email you need to be able to edit your domain's DNS record to point to the service region you are using. To enable editing DNS records, follow the steps below:

  1. Log in to Office 365 Admin center.

  2. In the menu on the left side of the screen go to Settings > Domains.

  3. Check the box next to your domain name then click on Manage DNS.

    145233_1.png
  4. Click Continue.

    145233_2.png
  5. Uncheck the Exchange and Exchange Online box and click Continue.

    145233_3.png
  6. Click Done.

    145233_4.png

You will now be able to add and update the DNS records for your domain.

Install the Microsoft Outlook Add-in for Email Security

You can use Microsoft Outlook Add-in for Email Security to report messages as spam or phishing attacks directly from your inbox. Once reported, the message will be sent to Bitdefender and analyzed.

Requirements

  • The add-in is only accessible from a primary mailbox. You cannot use the add-in on a shared mailbox.

  • Compatible Outlook versions:

    • Outlook 2013 or later for Windows

    • Outlook 2016 or later for Mac

    • Outlook on the web for Exchange 2013 on-premises and later versions

    • Outlook on iOS

    • Outlook on Android

    • Outlook on the web in Office 365 and outlook.com

  1. Copy this add-in manifest URL:

  2. Go to the Office 365 admin center Add-in page and sign in.

  3. Click Deploy Add-in.

  4. Click Next.

  5. Select Upload custom apps.

  6. Select the I have a URL for the manifest file option and paste in this URL:

    https://download.bitdefender.com/business/EmailSecurity/OutlookAdd-in/emsaddinmanifest.xml
  7. Select Upload.

    169781_1.png
  8. Select the users you want to assign the add-in:

    • Everyone - all users in your company will have access to the add-in.

    • Specific users / groups - only the selected users will have access to the add-in.

    • Just me - only you will have access to the add-in.

  9. Select the deployment method:

    • Fixed - the add-in will deploy automatically to all assigned users. Only you will be able to remove the add-in.

    • Available - users will have access to the add-in but will need to deploy it manually. All users will be able to remove the add-in.

    • Optional - the add-in will deploy automatically to all assigned users. All users will be able to remove the add-in.

  10. Click Deploy.

    169781_2.png

If successful, the following message will appear:

169781_3.png

The add-in should now appear in the list:

169781_4.png

  1. In Outlook, go to File > Manage Add-ins.

  2. Go to My add-ins.

  3. Under Custom Add-ins click Add a custom add-in and select Add from URL....

  4. Enter this URL:

    https://download.bitdefender.com/business/EmailSecurity/OutlookAdd-in/emsaddinmanifest.xml
  5. Click OK.

If successful, the add-in will appear under My add-ins > Custom Add-ins.

169781_5.png

Using the add-in to report an email

Once installed, a button will appear in your Outlook interface:

  • For web version

    169781_6.png
  • For desktop app

    169781_7.png

To report an email follow the steps below:

  1. Select the email you wish to report.

  2. Click the Bitdefender add-in button.

  3. Select either Report spam or Report phishing.

Stop receiving marketing emails

To stop marketing emails, including those marked as high and medium reputation, you can follow one of the steps below:

  1. Use the link provided in each email to unsubscribe. This will only stop emails sent by that specific sender.

  2. Filter out the emails by creating a rule in Outlook. Set all emails containing one or both tags in the subject line to be sent to a specific folder or to Trash.

  3. Create a new rule in GravityZone Security for Email to filter out these emails for one or more users.

Exclude synchronized Azure Active Directory mailboxes from billing

All mailboxes added to GravityZone Security for Email as a result of synchronizing with Azure Active Directory (AAD) are identified by default as standard users, making them subject to billing. To be able to exclude shared mailboxes from billing, you need to provide the synchronization service with additional permissions to be able to read information from the Exchange API.

Grant access to synchronize Azure Active Directory shared mailboxes through Azure Active Directory

Note

This applies only to new Azure Active Directory connections. If you already have an existing Azure Active Directory connection, please assign the Office 365 Exchange Online API permission to it before continuing.

  1. Sign in to Azure Active Directory with an Administrator account.

  2. In the menu on the right side of the page, select Roles and administrators.

    153578_1.png
  3. Use the search box to locate the Security Reader role and check the box next to it.

    153578_2.png

    Note

    This will grant the Unified Security Service Active Directory sync access to read extended information about Azure AD objects.

    Important

    Due to a recent Microsoft Azure update, you may not be able to assign this role via the Azure portal. As an alternative, please use Azure CLI or PowerShell.

  4. Click on the azure_button.PNG button on the right side of the screen and select Description.

    153578_3.png
  5. Select the Assignments page from the menu on the right side of the screen and click Add assignments.

    153578_4.png
  6. Search for USS AzureAD, click on it to select it, and then click on Add.

    153578_5.png

The necessary permissions have now been granted to the synchronization service.

Note

If the Azure portal does not allow you to assign the role to the USS AzureAD application, you can use the Azure CLI tool or PowerShell as an alternative.

Grant access to synchronize Azure Active Directory shared mailboxes through Azure CLI

  1. Start the Azure CLI tool:

    docker run -it mcr.microsoft.com/azure-cli
  2. Log in as a user with permission to assign roles:

    az login
  3. Follow the prompts to open a browser and authenticate the CLI

  4. Find the Object ID of USS AzureAD (this can also be found in the Azure > Enterprise Applications > USS AzureAD section):

    az ad sp list --all --query "[].{objectId:objectId}" --filter "displayName eq 'USS AzureAD'"
  5. Assign the Security Reader role to USS AzureAD (where $objectId is the Object ID from step 4):

    az rest --method post --url https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments --body "{\"principalId\":\"$objectId\",\"roleDefinitionId\":\"5d6b6bb7-de71-4623-b4af-96380a352509\",\"directoryScopeId\":\"/\"}"

Grant access to synchronize Azure Active Directory shared mailboxes through PowerShell

  1. Download and install the AzureAD PowerShell module.

  2. Log in to your tenant as a Global Administrator:

    Connect-AzureAD
  3. Get the service principal ObjectID using the command:

    Get-AzureADServicePrincipal
  4. View the Object ID’s of the Azure AD Directory Roles:

    Get-AzureADDirectoryRole | sort DisplayName

    Note

    This will also display the available directory roles.

  5. Set a directory role to Service Principal:

    Add-AzureADDirectoryRoleMember -ObjectId <directory role Object ID> -RefObjectId <Service Principal Object ID>

    Note

    ObjectId is the object ID of the directory role from step 4 and RefObjectId is the object ID of the Service Principal from step 3.

  6. Check the current directory roles assigned for the Service Principal:

    Get-AzureADServicePrincipalMembership -ObjectId <Service Principal Object ID>

    Note

    ObjectId is the object ID of the Service Principal from step 3.

It may take up to 15 minutes for changes to propagate.

Add the Exchange Online API permission to an existing Azure Active Directory connection

Note

Only follow this procedure for Azure Active Directory connections created prior to 21st October 2020.

  1. Sign in to Azure Active Directory with an Administrator account.

  2. In the menu on the right side of the page, select Enterprise applications.

    153578_6.png
  3. Search for USS AzureAD and select it.

    153578_7.png
  4. In the menu on the right side of the page, select Permissions.

    153578_8.png
  5. Click the Grant admin consent for <company name> button.

  6. Proceed with the authentication and click Accept.

The Office 365 Exchange Online permission will now appear in the Admin Consent tab.

Configure outbound email for Exchange 2007/2010

It is important that you configure your Exchange connectors to send outbound email through the MailSafe service. This ensures both that your outbound traffic is scanned and that it is profiled to help improve spam filtering. This article explains how to configure your connectors correctly.

  1. Login to the Microsoft Exchange Server as an administrator.

  2. Go to Start > All Programs > Microsoft Exchange 2010 > Exchange Management Console to open the Exchange Management Console.

  3. In the left Pane, go to Microsoft Exchange > Organization Configuration.

  4. Select Hub Transport.

  5. In the middle pane, select the Send Connectors tab. A list of send connectors will be displayed.

  6. Delete any Send Connectors that are destined for the internet. This will normally be all of them.

  7. Create a connector for each sending host in the appropriate cluster (US or EU) by following steps 8 to 20 once per host.

  8. In the right pane, select the New Send Connector link.

  9. Enter the Name as per the cluster list, and select the Intended use as Internet.

  10. Select Next.

  11. On the Address Space page, select the Add button to add an SMTP Address Space.

  12. Enter the Address Space as * and the Cost as 10. Click OK to create the connector, and then click Next to continue.

  13. On the Network Settings page, select Route Mail Through the following Smart Hosts.

  14. Click the Add button to add a smart host.

  15. When prompted, select Fully Qualified Domain Name and the first hostname from the appropriate cluster - either US or EU.

  16. Click Next.

  17. On the Configure Smart Host Authentication settings page, select None and then click Next.

  18. On the Source Server page, add any other Exchange Servers that should be able to send email to this connector. In most cases, where there is only one server, the server will already be added. Click Next.

  19. On the final page, click New to create the connector.

  20. Click Finish.
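The same connector configuration from the Exchange Management Shell, as an added example that is not part of the documentation. The smart-host names are placeholders: substitute the sending hosts of your cluster (US or EU) exactly as listed in the product console, and add any further Hub Transport servers to the source-server list (step 18).

```powershell
# Added example, not from the product documentation. Exchange 2010 Management Shell.
# Placeholder hostnames below stand in for the sending hosts of your cluster.
$smartHosts = @(
    'smarthost-1.example.invalid',   # placeholder: first host of the cluster
    'smarthost-2.example.invalid'    # placeholder: second host of the cluster
)
$sourceServers = @($env:COMPUTERNAME)  # add other Hub Transport servers here (step 18)

# Steps 5 and 6: review what currently routes to the internet before removing anything.
# Remove connectors only after confirming they are the ones destined for the internet:
#   Remove-SendConnector -Identity '<old connector name>'
Get-SendConnector | Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled -AutoSize

# Steps 7 to 20: one connector per smart host, address space * at cost 10 (step 12),
# routed through the smart host rather than DNS (step 13), no authentication (step 17)
foreach ($smartHost in $smartHosts) {
    New-SendConnector -Name "Outbound via $smartHost" `
        -Usage Internet `
        -AddressSpaces 'SMTP:*;10' `
        -DNSRoutingEnabled $false `
        -SmartHosts $smartHost `
        -SmartHostAuthMechanism None `
        -SourceTransportServers $sourceServers
}

# Confirm that every internet connector now points at a MailSafe host
Get-SendConnector | Format-Table Name, AddressSpaces, SmartHosts -AutoSize
```

Because every connector carries the same address space and cost, Exchange load-balances outbound mail across the smart hosts; a host that is unreachable is skipped in favour of the others.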

Safelist GravityZone Security for Email IP addresses in Office 365

If you are using GravityZone Security for Email and delivering clean emails to Office 365, it is essential to bypass Exchange Online Protection (EOP) to ensure smooth delivery of emails. Failure to add the bypass rules will allow Office 365 to interfere with email delivery, causing unexpected results and behavior for end users.

Note

Even with the EOP bypass rules in place, Office 365 will still provide anti-malware scanning.

  1. Log in to Office 365 and go to Admin > Exchange Admin Center.

  2. Select Rules under the Mailflow section. Click the + icon and select Create a new rule...

  3. Enter a name for the new rule (for example, Spam exclusion for Email Security).

  4. Select More Options.

  5. From the Apply this rule if... drop down menu, expand The sender... menu option and select IP address is in any of these ranges or exactly matches. In the dialog that opens, enter each of the IP addresses for the GravityZone Security for Email region in use.

    174459_1.png

    You can find a list of our IP addresses here:

  6. From the Do the following... drop down menu, expand the Modify the message properties... menu option and select set the spam confidence level (SCL) option to Bypass spam filtering.

    174459_2.png

    Note

    The final rule should look similar to the example below:

    174459_3.png
  7. Click Save to save the rule.

Clutter is a feature that moves low-priority emails out of the user's inbox into a folder called Clutter. Clutter analyzes the user's email habits and, based on past behavior, determines which messages the user is most likely to ignore. To make sure that emails are always delivered to the user's inbox, you must bypass Clutter. To do this, amend the rule above and add the following entries.

  1. Select Add Action and then expand Modify the message properties... and select set a message header.

  2. Click the first Enter text link and paste the following exactly as it appears (case sensitive):

    X-MS-Exchange-Organization-BypassClutter
  3. Click the second Enter text link and paste the following exactly as it appears (case sensitive):

    true

    The rule should now look similar to the example below:

    174459_4.png
  4. Click Save to save the changes.

Focused Inbox is a feature that automatically evaluates incoming emails and directs them to one of two views: Focused and Others. To make sure that email messages are always delivered to the user's Focused inbox, you must bypass the evaluation. To do this, create a new rule:

  1. Click the + icon and then select Create a new rule....

  2. Give the rule a name (for example Bypass Focused Inbox evaluation).

  3. Click on More Options.

  4. From the Apply this rule if... drop down menu, expand The sender... menu option and select IP address is in any of these ranges or exactly matches. In the dialog that opens, enter each of the IP addresses for the GravityZone Security for Email region in use.

    You can find a list of our IP addresses here:

  5. From the Do the following... drop down menu, expand the Modify the message properties... menu and select set a message header.

  6. Click the first Enter text link and paste the following exactly as it appears (case sensitive):

    X-MS-Exchange-Organization-BypassFocusedInbox
  7. Click the second Enter text link and paste the following exactly as it appears (case sensitive):

    true

    The rule should now look similar to the example below:

    174459_5.png

Warning

Ensure that the Focused Inbox rule has a higher priority than the rule that bypasses Office 365 spam protection.
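The two rules described above (the spam-filtering bypass with the Clutter header added to it, and the separate Focused Inbox rule) created with Exchange Online PowerShell, as an added example that is not part of the documentation. The IP ranges are placeholders from the TEST-NET documentation blocks; replace them with the GravityZone Security for Email addresses for your region. The priorities encode the warning above: the Focused Inbox rule gets priority 0 so that it is evaluated before the spam bypass at priority 1.

```powershell
# Added example, not from the product documentation. Requires the
# ExchangeOnlineManagement module and an Exchange administrator sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Placeholder ranges (TEST-NET); substitute the EMS addresses for your region
$emsRanges = @('203.0.113.0/24', '198.51.100.0/24')

# Rule 1 (steps 1-7 plus the Clutter amendment): skip EOP spam filtering by setting
# SCL -1 and stamp the Clutter bypass header, for mail arriving from EMS only.
New-TransportRule -Name 'Spam exclusion for Email Security' `
    -SenderIpRanges $emsRanges `
    -SetSCL -1 `
    -SetHeaderName 'X-MS-Exchange-Organization-BypassClutter' `
    -SetHeaderValue 'true' `
    -Priority 1

# Rule 2 (Focused Inbox): priority 0 places it ahead of rule 1, as the warning requires
# (in transport rules a lower number means higher priority).
New-TransportRule -Name 'Bypass Focused Inbox evaluation' `
    -SenderIpRanges $emsRanges `
    -SetHeaderName 'X-MS-Exchange-Organization-BypassFocusedInbox' `
    -SetHeaderValue 'true' `
    -Priority 0

# Verify order and actions. Both rules must be scoped by sender IP: a rule that set
# SCL -1 without the IP condition would let any sender bypass spam filtering.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, SenderIpRanges, SetSCL, SetHeaderName, SetHeaderValue -AutoSize
```

If the first rule was already created in the Exchange Admin Center, use Set-TransportRule with the same -SetHeaderName and -SetHeaderValue parameters to add the Clutter header instead of creating a second copy.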