Office 365 Hybrid Configuration for Content Scanning

Introduction

About this Document

In this document, we explain how to set up Office 365 in a hybrid network environment.

The purpose of this setup is to allow AXS Guard to process all your Office 365 mail traffic so that:

  • You can centrally manage all email policies on AXS Guard.

  • Mail contents are automatically scanned for viruses, malware and phishing attempts.

  • Reports can be generated in a GDPR context.

  • Email troubleshooting is centralized.

  • Administrators have a central overview of all sent and received mail traffic.

Office 365 Mail Flow with AXS Guard

Minimum System Requirements

The following bundles and licenses are required:

  • Standard Software Bundle (this includes the Office 365 FAST lane wizard)

  • Essentials Content Scanning License (a Premium Content Scanning license is recommended)

Info

Premium Content scanning uses over 70 antivirus engines and domain blacklists, in addition to a variety of tools for extracting useful information from the analyzed content.

To check your content scanning license details:

  1. Log in to AXS Guard as an administrator.

  2. Go to System > License > Content Scanning.

    Content Scanning License Details

Configuration Requirements

Microsoft Documentation

Carefully read the following Microsoft documentation to avoid configuration difficulties.

  • Exchange Server Hybrid Deployments: https://docs.microsoft.com/en-us/exchange/exchange-hybrid

  • Hybrid deployment prerequisites: https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites

  • Transport options in Exchange hybrid deployments: https://docs.microsoft.com/en-us/exchange/transport-options

  • Office 365 URLs and IP address ranges: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

AXS Guard

  • Public and private DNS records (A, MX, SPF) must be properly configured. Adequate SPF records must be present on all DNS servers that are handling DNS requests for your mail domain, including internal DNS servers. Also see the official Office 365 documentation for additional information.

  • The AXS Guard mail server has been correctly configured (mail policies, mail filters, etc). See the E-mail filtering guide under System Administration on this site for step-by-step instructions.

  • Active Directory users are synced with AXS Guard. See the Directory Services manual under System Administration on this site for step-by-step configuration instructions.

  • The Microsoft Office 365 registration and configuration have been successfully completed. See how to set up synchronization with a local AD server at https://docs.microsoft.com/en-us/office365/enterprise/office-365-integration

SPF Record Configuration

Introduction

SPF identifies mail servers which are allowed to send mail on your organization’s behalf.

Adequate SPF records must be present on any DNS server that is handling DNS requests for your mail domain, including internal DNS servers.

In a hybrid scenario, AXS Guard as well as Microsoft’s Office 365 SMTP servers must be allowed to relay e-mail for your organization. This means that you must add an adequate Sender Policy Framework (SPF) TXT record to your DNS server(s) to prevent false positives in spoofing detection. See the official Office 365 documentation for additional information.

Once your SPF records are configured, you must disable the anti-spoofing check on AXS Guard.
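The SPF requirement above can be checked per DNS server before the anti-spoofing check is turned off. The following is an added example, not part of the AXS Guard documentation or product: it audits the TXT answers returned by each DNS view and reports where the gateway address or the Office 365 include is missing. The server names, the gateway address and the sample records are constructed; `include:spf.protection.outlook.com` is Microsoft's published include for Exchange Online.

```python
# Added example, not AXS Guard code. Records and addresses below are constructed.
import ipaddress

# Microsoft's published SPF include for Exchange Online.
O365_INCLUDE = "include:spf.protection.outlook.com"


def audit_spf(txt_records, gateway_ip):
    """Return the problems found in one DNS server's TXT answer for the mail domain."""
    spf = [r.lower().split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (a permanent error under RFC 7208)"]
    terms = [t.lstrip("+") for t in spf[0][1:]]
    gateway = ipaddress.ip_address(gateway_ip)
    problems, covered = [], False
    for term in terms:
        if term.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                problems.append(f"malformed mechanism: {term}")
                continue
            covered = covered or (net.version == gateway.version and gateway in net)
    if not covered:
        # Only ip4/ip6 are evaluated offline; a: and mx: mechanisms need DNS lookups.
        problems.append(f"gateway {gateway_ip} not covered by an ip4/ip6 mechanism")
    if O365_INCLUDE not in terms:
        problems.append("Office 365 include missing")
    if terms[-1:] not in (["-all"], ["~all"]):
        problems.append("record does not end in -all or ~all")
    return problems


def audit_all(answers, gateway_ip):
    """Audit every DNS view; a record that is fine publicly can be stale internally."""
    return {server: audit_spf(txt, gateway_ip) for server, txt in answers.items()}


GATEWAY_IP = "203.0.113.10"  # constructed: public address AXS Guard relays from
SAMPLE_ANSWERS = {           # constructed TXT answers, one entry per DNS server
    "public-ns": ["v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"],
    "internal-dns": ["verification=abc123", "v=spf1 include:spf.protection.outlook.com ?all"],
}

if __name__ == "__main__":
    for server, problems in audit_all(SAMPLE_ANSWERS, GATEWAY_IP).items():
        print(server, "OK" if not problems else problems)
```

In practice, fill `SAMPLE_ANSWERS` with the TXT records each of your public and internal DNS servers returns for the mail domain.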

Disabling Anti-Spoofing on AXS Guard

  1. Log in to the AXS Guard appliance as an administrator.

  2. Go to E-mail > Server and scroll down.

  3. Select the Security Checks tab.

  4. Ensure that Reject e-mail addresses of own domains from non-secure connections is disabled.

  5. Update your configuration.

    Disable Anti-Spoofing

Mail Flow Configuration

Introduction

Administrators can update the mail flow configuration per user or per domain in one go. Changing the configuration per user allows you to gradually migrate each user to Office 365. Changing the configuration on a domain level is faster and easier, but is only useful once all users have been migrated to Office 365 via the "per user" method.

Migration per User

This step can only be executed if you are configuring the mail flow for a local domain.

For a user-based configuration, simply configure a forward address to username@yourcompany.onmicrosoft.com for each user on AXS Guard. This allows you to keep a number of AXS Guard-specific parameters per user, such as forwards to multiple e-mail addresses, the ability to keep local copies, etc. The yourcompany.onmicrosoft.com domain must be resolvable by AXS Guard and is created automatically after completion of the Microsoft Office 365 online registration and configuration.

Migrating per User

Migration per Domain

Office 365

Configure the appropriate connectors in Office 365 to avoid false spam positives. See the official Office 365 documentation for additional information and configuration instructions.

AXS Guard

If all your users have been successfully migrated or if you do not want to perform a per-user migration and no longer need the per-user forward functionality, you can simply change the type of your corporate mail domain from local to forwarded. At this point, per-user forwards can be removed.

  1. Go to E-mail > Domains.

  2. Select your corporate domain.

  3. Change the Type to Forwarded.

  4. Set the "Computer to forward to" field to Unlisted.

  5. Enter smtp.office365.com in the Unlisted Computer field.

    Migrating per Domain

SMTP Authentication

To allow users to also send messages via the AXS Guard SMTP server from the Internet, SMTP authentication must be properly configured.

  1. Go to E-mail > Server.

  2. Enable SMTP Authentication.

  3. Update your configuration.

    SMTP Authentication

Important

It is highly recommended to configure TLS for incoming connections when using SMTP authentication to prevent the interception of mail server credentials. Go to E-mail > TLS Policies > Local to configure a server certificate and TLS policies for SMTP traffic. Restrict user access to protect the server against brute-force attempts by creating appropriate authentication restrictions for SMTP. See Authentication > Advanced > Restrictions.
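One way to verify the recommendation above is to confirm that the server offers AUTH only after STARTTLS, so that credentials are never accepted on an unencrypted session. This is an added example, not AXS Guard code; the function names are hypothetical, and `probe` should be pointed at your own gateway.

```python
# Added example: check that SMTP AUTH is only offered on an encrypted session.
import smtplib
import ssl


def classify(features_plain, features_tls, starttls_offered):
    """Judge a server from the EHLO feature sets seen before and after STARTTLS."""
    findings = []
    if not starttls_offered:
        findings.append("STARTTLS not offered")
    if "auth" in features_plain:
        findings.append("AUTH advertised before STARTTLS: credentials can be sent in clear text")
    if starttls_offered and "auth" not in features_tls:
        findings.append("AUTH not offered after STARTTLS")
    return findings


def probe(host, port=25, timeout=10):
    """Live check of your own mail gateway (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        plain = dict(smtp.esmtp_features)      # features on the clear-text session
        offered = smtp.has_extn("starttls")
        tls = {}
        if offered:
            # The default context verifies the certificate chain and host name,
            # so a misconfigured server certificate raises ssl.SSLError here.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()                         # features must be re-read after TLS
            tls = dict(smtp.esmtp_features)
    return classify(plain, tls, offered)


# Constructed feature sets, as smtplib would report them (keys are lower case).
GOOD_PLAIN = {"starttls": "", "size": "10240000"}
GOOD_TLS = {"auth": "PLAIN LOGIN", "size": "10240000"}
BAD_PLAIN = {"auth": "PLAIN LOGIN", "size": "10240000"}

if __name__ == "__main__":
    print(classify(GOOD_PLAIN, GOOD_TLS, True))   # hardened server
    print(classify(BAD_PLAIN, {}, False))         # AUTH without TLS
```

An empty list from `probe("smtp.yourcompany.com")` means AUTH is reachable only over TLS with a certificate that validates for that host name.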

Configuring Clients for Outgoing Mail

Introduction

To allow AXS Guard to also scan outgoing messages, mail clients must be configured to use the AXS Guard SMTP server instead of the Office 365 SMTP server. This will ensure that all outgoing mail traffic is logged by AXS Guard and that its mail policies can be enforced. See the documentation of your mail client or the example below.

Setting up Outlook Manually for Secure SMTP and IMAP

  1. Open Outlook, then go to File > Info and then click Add Account.

    Outlook 2016 Account Configuration Example

  2. Click on Add Account in the File menu.

  3. Select Manually configure server settings or Additional server types and click Next.

  4. Select IMAP.

  5. Fill in the following fields:

    • Your name and the e-mail address you want to add

    • Account Type: select IMAP in the drop-down menu

    • Incoming mail server: outlook.office365.com (Where mails are stored and retrieved)

    • Outgoing mail server: smtp.yourcompany.com (Public MX record of AXS Guard)

    • User Name: enter the AXS Guard username

    • Password: enter the AXS Guard password

  6. Click More Settings and go to the Advanced tab.

  7. Enter the port numbers and select the encrypted connections.

    • Incoming mail server: 993

    • Type of encrypted connection: SSL

    • Outgoing mail server: 25

    • Type of encrypted connection: TLS

  8. Click OK > OK > Next > Finish.

Using the Office 365 FAST Lane Wizard

About

Once you are done migrating users to Office 365, it is highly recommended to run the Office 365 FAST lane wizard to optimize the bandwidth settings for your Internet traffic. This wizard will not only help you to securely connect your network with the Microsoft Office 365 cloud and configure the optimal bandwidth settings for your Office 365 apps and services, it will also automatically optimize the AXS Guard proxy (WPAD) configuration.

The AXS Guard proxy automatically scans all web traffic for viruses and other malware and ensures that all client connections towards Office 365 services are optimal.

Important

Your clients must be configured for WPAD. See the article in Knowledge Base > Web Access > Automated Proxy Detection for additional information and configuration instructions.

Starting the Wizard

  1. Log in to AXS Guard as an administrator.

  2. Click on the Wizards button in the top pane.

  3. Select the "Office 365 FAST Lane Wizard".

  4. Follow the on-screen instructions.

    AXS Guard Wizard Overview Page

Conclusion

The configuration as described in this document enables you to benefit from all existing AXS Guard capabilities, such as mail filtering, virus scanning, spam detection and reporting features. This setup requires no manual adjustments to your DNS (MX) records.