Step 2 - Configure Microsoft 365 for Inbound and Outbound Mail

You can configure Microsoft 365 with Email Gateway Defense as your inbound and/or outbound mail gateway.

If you make changes to the settings, allow a few minutes for the changes to take effect.

Microsoft 365 IP addresses and user interfaces can change; refer to Microsoft documentation for configuration details.

You can specify Email Gateway Defense as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Microsoft 365 account. Email Gateway Defense filters out spam and viruses, then passes the mail on to the Microsoft 365 mail servers. 

You can also specify Email Gateway Defense as the outbound mail gateway through which all mail is sent from your domain via your Microsoft 365 account to the recipient. As the outbound gateway, Email Gateway Defense processes the mail by filtering out spam and viruses before final delivery. By configuring Microsoft 365, you instruct the Microsoft 365 mail servers to pass all outgoing mail from your domain to Email Gateway Defense (the gateway server).

Step 1. Launch the Email Gateway Defense Setup Wizard

Before you launch the wizard, verify you have the following:

  • Microsoft 365 admin credentials

  • Credentials to run a PowerShell script or terminal to manually execute PowerShell scripts

Note that you cannot reopen the wizard after you have completed it. If you have started the wizard but did not complete it, log into Barracuda Cloud Control and select Email Gateway Defense on the left side. In the top banner, click Set Up Now to relaunch the wizard.

The setup wizard includes steps to identify your email server, add MX records, and remove MX records. Each of the domains where you want to filter email must be verified by Email Gateway Defense for proof of ownership; Email Gateway Defense does not process email for a domain until the verification process is complete.

Note that after verifying your domain, any mail sent to your domain from another Barracuda Email Gateway Defense customer will be processed normally by your Email Gateway Defense account and not delivered via MX records.

  1. Log into Barracuda Cloud Control. If this is your first time launching the Email Gateway Defense setup wizard, you will be redirected to the Barracuda Trials Hub page. Click Open under Email Security.

    Alternatively, if you have started the setup wizard but did not complete it, after logging into Barracuda Cloud Control, select Email Gateway Defense on the left side. In the top banner, click Set Up Now to launch the setup wizard.

    The Email Gateway Defense wizard launches. 

  2. Click Next in the upper right corner to get started.

  3. Click Connect to connect to Microsoft. 




  4. You will be prompted to log in with a global admin account to give permissions to the application to access your Microsoft data. Click Accept to authorize Barracuda Networks to access your details.

  5. Once you are connected, Barracuda Networks will initiate a scan to identify any email threats. During this process, click Next in the upper right corner to continue.

  6. Select the Region for your data center. Then click Next.

  7. Confirm the domain you would like to protect. Then click Next.

  8. Choose your deployment method. 

     

     

  1. To set up your email flow, you will need to add the new MX records and remove the old MX records.

  2. To add the new MX records:

    1. Log into your DNS hosting account.

    2. Add the primary and backup MX records shown in the Add new MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.

    3. Add the MX records with a low priority, for example, 99. Adding the new MX records to your existing list should look similar to this:

      [Screenshot: the new MX records added to the existing MX record list]

      After updating your MX records, allow at least 24-48 hours before completing the next step to allow time for your changes to propagate.

    4. Verify that the new Email Gateway Defense MX records have been added by clicking on the Verify records button. 

    5. Once your MX records are added, a green verified check mark will appear next to the MX record.

  3. To remove the old MX Records:

    1. Log into your DNS hosting account.

    2. Remove the existing MX records shown in the Remove old MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.

    3. Update the priority of your primary and backup Barracuda MX records to 1 and 10. 

    4. In the Email Gateway Defense wizard, verify that your non-Barracuda Networks MX records have been removed by clicking on the Verify update button.

    5. Once your MX records are removed, a green verified check mark will appear.

    6. After you have successfully completed all the steps in the Email Gateway Defense setup wizard, click the Complete setup button at the upper right corner. To exit the wizard and come back at a later time, click Exit.
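The MX changes above can also be checked from a PowerShell prompt before you click Verify records or Verify update. This is an added example, not Barracuda's or Microsoft's code: Test-MxCutover is a hypothetical helper, the host names are placeholders for the primary and backup MX records shown in your wizard, and "low priority" is taken to mean a preference value above every existing record.

```powershell
# Added example. Test-MxCutover is a hypothetical helper, not a vendor cmdlet.
function Test-MxCutover {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $MxRecords, # NameExchange + Preference
        [Parameter(Mandatory)] [string] $PrimaryHost,  # primary MX shown in the wizard
        [Parameter(Mandatory)] [string] $BackupHost,   # backup MX shown in the wizard
        [ValidateSet('Added', 'Removed')] [string] $Stage = 'Added'
    )
    $gateway = @($PrimaryHost, $BackupHost)
    $new = @($MxRecords | Where-Object { $gateway -contains $_.NameExchange })
    $old = @($MxRecords | Where-Object { $gateway -notcontains $_.NameExchange })

    foreach ($name in $gateway) {
        if (@($new | Where-Object { $_.NameExchange -eq $name }).Count -eq 0) {
            "Missing MX record for $name"
        }
    }
    if ($Stage -eq 'Added') {
        # Assumption: the new records must sort after every existing record.
        if ($old.Count -gt 0) {
            $highest = ($old | Measure-Object -Property Preference -Maximum).Maximum
            foreach ($r in $new) {
                if ($r.Preference -le $highest) {
                    "$($r.NameExchange) has preference $($r.Preference); existing records go up to $highest"
                }
            }
        }
    }
    else {
        # After removal only the gateway records remain, at preference 1 and 10.
        foreach ($r in $old) { "Old MX record still published: $($r.NameExchange)" }
        foreach ($r in $new) {
            $want = if ($r.NameExchange -eq $PrimaryHost) { 1 } else { 10 }
            if ($r.Preference -ne $want) {
                "$($r.NameExchange) has preference $($r.Preference), expected $want"
            }
        }
    }
}

# Constructed sample: a placeholder domain after the "add" step.
$sample = @(
    [pscustomobject]@{ NameExchange = 'mail.example.com';            Preference = 10 }
    [pscustomobject]@{ NameExchange = 'primary.gateway.example.net'; Preference = 99 }
    [pscustomobject]@{ NameExchange = 'backup.gateway.example.net';  Preference = 99 }
)
$gw = @{ PrimaryHost = 'primary.gateway.example.net'; BackupHost = 'backup.gateway.example.net' }
Test-MxCutover -MxRecords $sample @gw -Stage Added
Test-MxCutover -MxRecords $sample @gw -Stage Removed
# Live data: $mx = Resolve-DnsName -Name <your domain> -Type MX | Where-Object NameExchange
```

Each string the function emits is one finding; no output means the records match the stage you asked about.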

  1. After clicking Next, you will be prompted to sign into Microsoft to accept an additional application. This application will be used to create the necessary rules and connectors required for inline deployment. 

  2. After accepting permissions, you will be returned to the setup wizard. Click Next to begin the deployment.

  3. During deployment, the setup wizard will automatically create the following: 

    • Three mail flow rules – Two rules for processing inbound mail and one rule for outbound mail. Note: The outbound mail flow rule will be disabled by default. 

    • Three connectors – Two connectors for processing inbound mail and one connector for processing outbound mail. 

    • Anti-Spam connection filtering policy – An entry in the Anti-Spam connection filtering policy to bypass spam filtering for emails originating from Barracuda Networks.

    • Policy to allow spoofing – An “Allow spoofing” policy for emails sent from Barracuda Networks.

  4. Once the deployment is complete, click the Complete setup button at the upper right corner. You will be redirected to your Message Log. 

You have now successfully set up Email Gateway Defense using the inline deployment method.  

Note that this deployment has been configured only for mail sent to the domain selected in the setup wizard. 

Step 2. Deploy Partner Connector

The steps in this section enhance the security of the connection between Email Gateway Defense and Microsoft 365.

Create a Partner Connector

Creating a partner connector allows you to use Enhanced Filtering along with tenant access restrictions, ensuring a safe and secure environment.

  1. Log into https://admin.exchange.microsoft.com/#/connectors.

  2. Click the Add a connector button, and use the wizard to create a new connector.

  3. For Connection from, select Partner organization. Then, click Next.

  4. Enter the Name Barracuda Inbound Connector and an optional Description to identify the connector. Then, click Next.

  5. Select By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization.

    1. Click the + to enter the correct IP range for your region. Then, click Next.
      This is the region selected when setting up your Barracuda Networks instance. Refer to the Email Gateway Defense IP Ranges Used for Configuration for the IP ranges corresponding to your region. 
      For example, for the US region, enter 209.222.82.0/24.

  6. Use the default settings for the Security restrictions: Reject email messages if they aren’t sent over TLS. Then, click Next.

  7. Review your settings and then click Create connector.

Enable Enhanced Filtering for Connectors 

To enable Enhanced Filtering for Connectors, use the following instructions:

  1. Log into https://security.microsoft.com/skiplisting.

  2. Select Barracuda Inbound Connector, the partner connector you previously created.

  3. Select Automatically detect and skip the last IP address and Apply to entire organization.

  4. Click Save.
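To confirm that the partner connector and Enhanced Filtering settings from the two procedures above are in effect, you can audit the connector object returned by Exchange Online PowerShell's Get-InboundConnector. This is an added example, not Barracuda's or Microsoft's code: Test-BarracudaConnector is a hypothetical helper, the sample object is constructed so the block runs offline, and it assumes the IP range is stored in the CIDR form you entered.

```powershell
# Added example. Test-BarracudaConnector is a hypothetical helper, not a vendor cmdlet.
function Test-BarracudaConnector {
    param(
        [Parameter(Mandatory)] $Connector,             # object from Get-InboundConnector
        [Parameter(Mandatory)] [string] $RegionRange   # IP range for your region
    )
    if (-not $Connector.Enabled) { 'Connector is disabled' }
    if ("$($Connector.ConnectorType)" -ne 'Partner') {
        "ConnectorType is '$($Connector.ConnectorType)', expected Partner"
    }
    # Step 5: the sending server is identified by the region's IP range.
    if (@($Connector.SenderIPAddresses) -notcontains $RegionRange) {
        "SenderIPAddresses does not include $RegionRange"
    }
    # Step 6: reject messages that are not sent over TLS.
    if (-not $Connector.RequireTls) { 'RequireTls is off: mail without TLS is accepted' }
    # Enhanced Filtering: "Automatically detect and skip the last IP address".
    if (-not $Connector.EFSkipLastIP) { 'Enhanced Filtering (EFSkipLastIP) is off' }
    # "Apply to entire organization" leaves EFUsers empty.
    if (@($Connector.EFUsers | Where-Object { $_ }).Count -gt 0) {
        'Enhanced Filtering is limited to the recipients in EFUsers'
    }
}

# Constructed sample: connector created, Enhanced Filtering not yet saved.
$sample = [pscustomobject]@{
    Name              = 'Barracuda Inbound Connector'
    Enabled           = $true
    ConnectorType     = 'Partner'
    SenderIPAddresses = @('209.222.82.0/24')   # US region range from the steps above
    RequireTls        = $true
    EFSkipLastIP      = $false
    EFUsers           = @()
}
$issues = @(Test-BarracudaConnector -Connector $sample -RegionRange '209.222.82.0/24')
if ($issues.Count -eq 0) { 'Connector matches the documented settings' } else { $issues }

# Live data (requires the ExchangeOnlineManagement module):
#   Connect-ExchangeOnline
#   $c = Get-InboundConnector -Identity 'Barracuda Inbound Connector'
#   Test-BarracudaConnector -Connector $c -RegionRange '<IP range for your region>'
```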

Review Microsoft Anti-Spam Settings

Enhanced Filtering for Connectors allows customers to continue to leverage anti-spam capabilities provided in Exchange Online. Review your Microsoft anti-spam policy to ensure it is configured to follow recommended best practices.

  1. Log into the Microsoft Defender portal https://security.microsoft.com/.

  2. On the left, navigate to Email & collaboration > Policies & rules.

  3. Select Threat policies > Anti-spam.

  4. Select Anti-spam inbound policy (Default).

  5. Scroll down and click Edit actions.

  6. Review your settings and click Save.