Office 365 Hybrid Configuration for Content Scanning

Introduction

About this Document

In this document, we explain how to set up Office 365 in a hybrid network environment. The purpose is to allow AXS Guard to process all your incoming Office 365 mail traffic so that:

  • You can centrally manage all email policies on AXS Guard.

  • Incoming mails are automatically scanned for viruses, malware and phishing attempts.

  • Mail reports can be generated on AXS Guard (GDPR).

  • Email troubleshooting is centralized.

  • System administrators have a central overview of all sent and received e-mail traffic.

Office 365 Mail Flow with AXS Guard

AXS Guard License Requirements

The following AXS Guard bundles and licenses are required:

  • Standard Software Bundle (this includes the Office 365 FAST lane wizard)

  • Essentials Content Scanning License (a Premium Content Scanning license is recommended)

Info

Premium Content scanning includes access to over 70 antivirus engines and domain blacklists, in addition to a variety of tools for extracting useful information from the analyzed content.

To check your content scanning license details:

  1. Log in to AXS Guard as an administrator.

  2. Go to System > License > Content Scanning.

    Content Scanning License Details

Microsoft Documentation & References

  • Exchange Server Hybrid Deployments: https://docs.microsoft.com/en-us/exchange/exchange-hybrid

  • Hybrid deployment prerequisites: https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites

  • Transport options in Exchange hybrid deployments: https://docs.microsoft.com/en-us/exchange/transport-options

  • Office 365 URLs and IP address ranges: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

  • Outbound spam protection - Office 365: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-controls?view=o365-worldwide

  • Troubleshooting the hybrid mail flow: https://techcommunity.microsoft.com/t5/exchange-team-blog/demystifying-and-troubleshooting-hybrid-mail-flow-when-is-a/ba-p/1420838

  • Best practices for Exchange Online, Microsoft 365 and Office 365: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/mail-flow-best-practices

Configuration Requirements

  • Public and private DNS records (A, MX, SPF) must be properly configured. Adequate SPF records must be present on all DNS servers that are handling DNS requests for your mail domain, including internal DNS servers. Also see the official Office 365 documentation for additional information.

  • The AXS Guard mail server must be correctly configured (mail policies, mail filters, etc.). See the E-mail server manual under System Administration on this site for step-by-step instructions.

  • Active Directory users are synced with AXS Guard. See the Directory Services manual under System Administration on this site for step-by-step configuration instructions.

  • You successfully completed the Microsoft Office 365 registration and configuration. Also see how to set up user synchronization with a local AD server.

SPF Record Configuration

SPF identifies mail servers which are allowed to send mail on your organization’s behalf.

Adequate SPF records must be present on any DNS server that is handling DNS requests for your mail domain, including internal DNS servers.

In a hybrid scenario, AXS Guard as well as Microsoft’s Office 365 SMTP servers must be allowed to relay e-mail for your organization. This means that you must add an adequate Sender Policy Framework (SPF) TXT record to your DNS server(s) to prevent false positives in spoofing detection. See the official Office 365 documentation for additional information.
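The following check is an added example, not part of the AXS Guard or Microsoft documentation: it audits the TXT answers returned by one DNS server (run it once per server, internal ones included) and reports whether both the gateway and Office 365 are authorized. Assumptions: 203.0.113.10 is a placeholder for your AXS Guard public IP, the sample records are constructed, and only ip4/ip6 terms are evaluated for the gateway because a, mx and nested include terms need live DNS lookups.

```python
import ipaddress

O365_INCLUDE = "include:spf.protection.outlook.com"  # Microsoft's published SPF include

def audit_spf(txt_records, gateway_ip):
    """Return findings for one DNS server's TXT answers (empty list = OK)."""
    spf = [r for r in txt_records if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror (RFC 7208)"]
    gateway = ipaddress.ip_address(gateway_ip)
    has_o365 = gateway_ok = False
    all_term, findings = None, []
    for term in spf[0].strip().lower().split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        mech = term.lstrip("+-~?")
        if mech == O365_INCLUDE and qualifier == "+":
            has_o365 = True
        elif mech.startswith(("ip4:", "ip6:")) and qualifier == "+":
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                findings.append(f"unparsable term {term}")
                continue
            gateway_ok = gateway_ok or (net.version == gateway.version and gateway in net)
        elif mech == "all":
            all_term = qualifier + "all"
    if not has_o365:
        findings.append(f"Office 365 not authorized: {O365_INCLUDE} missing")
    if not gateway_ok:
        findings.append(f"gateway {gateway_ip} not authorized by an ip4/ip6 term")
    if all_term not in ("-all", "~all"):
        findings.append(f"weak or missing all term ({all_term}): unlisted senders are not failed")
    return findings

# Constructed sample answers; 203.0.113.10 stands in for the AXS Guard public IP.
GATEWAY = "203.0.113.10"
GOOD = ["v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"]
NO_GATEWAY = ["google-site-verification=constructed",
              "v=spf1 include:spf.protection.outlook.com -all"]
SPLIT = ["v=spf1 ip4:203.0.113.10 -all",
         "v=spf1 include:spf.protection.outlook.com -all"]

if __name__ == "__main__":
    for name, records in (("good", GOOD), ("no gateway", NO_GATEWAY), ("split", SPLIT)):
        print(name, audit_spf(records, GATEWAY) or "OK")
```

The SPLIT case shows a common hybrid mistake: publishing one record per sender instead of merging both senders into a single record.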

Office 365 Configuration

Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers and to avoid false spam positives. See the official Office 365 documentation for additional information and configuration instructions.

AXS Guard Configuration

Domain Settings

Forward incoming mail for your domain to smtp.office365.com.

  1. Go to E-mail > Domains.

  2. Select your corporate domain.

  3. Change the Type to Forwarded.

  4. Set the "Computer to forward to" field to Unlisted.

  5. Enter smtp.office365.com in the Unlisted Computer field.

    Migrating per Domain

Port Forwarding Rules

Forward all internal mail coming from Office 365 to TCP port 25 of your on-premise Exchange server. Use the following Office 365 source IP address ranges in your port forwarding rules (also see the official Microsoft Documentation):

Office 365 source IP address ranges:

  • 40.92.0.0/15

  • 40.107.0.0/16

  • 52.100.0.0/14

  • 104.47.0.0/17

  1. Go to Network > NAT > Port Forwarding.

  2. Create a rule for each Office 365 source IP address range as shown in the example below.

Important

Use the second public IP address of your AXS Guard appliance in the Coming to IP Address field. Also see the illustration at the beginning of this document.

Port Forwarding
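The following audit is an added example, not AXS Guard code: it checks a set of port forwarding rules against the four source ranges listed above, reporting ranges that have no rule and port 25 rules whose source reaches beyond Office 365, and it also flags connection sources outside the ranges. The rule format (dicts with `source` and `port`) and the sample rules are assumptions constructed for illustration; a rule narrower than a listed range counts as not covering it.

```python
import ipaddress

# Office 365 source ranges exactly as listed on this page.
O365_RANGES = [ipaddress.ip_network(c) for c in
               ("40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17")]

def _inside_o365(net):
    """True if the rule source lies entirely within one listed range."""
    return any(net.version == r.version and net.subnet_of(r) for r in O365_RANGES)

def audit_rules(rules):
    """rules: dicts with 'source' (CIDR) and 'port' (int); a hypothetical export
    format. Returns (missing, overbroad) as lists of CIDR strings."""
    smtp = [ipaddress.ip_network(r["source"], strict=False)
            for r in rules if r["port"] == 25]
    # A source that is not contained in a listed range exposes Exchange to others.
    overbroad = [str(s) for s in smtp if not _inside_o365(s)]
    covered = {s for s in smtp if _inside_o365(s)}
    # A listed range without an exact rule means some Office 365 mail is dropped.
    missing = [str(r) for r in O365_RANGES if r not in covered]
    return missing, overbroad

def unexpected_sources(ips):
    """Return the addresses that fall outside every listed Office 365 range."""
    return [ip for ip in ips
            if not any(ipaddress.ip_address(ip) in r for r in O365_RANGES)]

# Constructed rule set: one range forgotten, one rule open to any source.
RULES = [
    {"source": "40.92.0.0/15", "port": 25},
    {"source": "40.107.0.0/16", "port": 25},
    {"source": "52.100.0.0/14", "port": 25},
    {"source": "0.0.0.0/0", "port": 25},
    {"source": "198.51.100.0/24", "port": 443},  # unrelated rule, ignored
]

if __name__ == "__main__":
    missing, overbroad = audit_rules(RULES)
    print("ranges without a rule:", missing)
    print("rules open beyond Office 365:", overbroad)
    # Constructed connection sources, e.g. taken from an SMTP connection log.
    print("unexpected sources:",
          unexpected_sources(["40.107.22.5", "52.103.1.1", "198.51.100.7"]))
```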

Office 365 FAST Lane

About

The Office 365 FAST lane wizard helps you to optimize the bandwidth settings for your Internet traffic. The wizard not only helps you to securely connect your network with the Microsoft Office 365 cloud and configure the optimal bandwidth settings for your Office 365 apps and services, but also automatically optimizes the AXS Guard proxy (WPAD) configuration.

The AXS Guard proxy automatically scans all web traffic for viruses and other malware and ensures that all client connections towards Office 365 services are optimal.

Important

  • Your clients must be configured for WPAD. See the article in Knowledge Base > Web Access > Automated Proxy Detection for additional information and configuration instructions.
  • The use of this wizard is optional.

Starting the Wizard

  1. Log in to AXS Guard as an administrator.

  2. Click on the Wizards button in the top pane.

  3. Select the "Office 365 FAST Lane Wizard".

  4. Follow the on-screen instructions.

    AXS Guard Wizard Overview Page