Email Security Innovation Presentation

White Paper
Cisco Cloud Email Security Interoperability with Microsoft Office 365
We’ve all been witness to the “cloud” evolution and the technologies that have been driven by moving operations and
resources off-site to provide services that were traditionally housed internally. The migration to online services has
provided many benefits to companies; small businesses can now have enterprise class redundancy and disaster recovery
without the capital outlay for telecommunication, network and server resources.
Scalability, reliability and numerous other factors have led to this evolution. Companies looking to gain competitive
advantages are realizing that email, once thought not to be mission critical like financials, has become business critical.
Companies conduct a large portion of their business today via email. Banking, trading, sales contracts and legal documents
are all transferred securely and non-securely via electronic mail.
Companies have realized that a logical step in moving to the cloud is moving mailboxes to hosted providers.
Microsoft Office 365 Hosted Mailboxes
Microsoft Exchange has become the standard email system used by many mid to large-scale organizations. In order to
gain an even larger market share Microsoft has introduced Office365.com, which will allow even a sole proprietorship
company to reap the benefits of Exchange without having to have the technical staff or the hardware necessary for an
Active Directory and Exchange infrastructure.
https://products.office.com/en-us/business/explore-office-365-for-business
Office365 is much more than just email and calendaring; it encompasses other Microsoft applications delivered via the
public Internet. For the purpose of this paper we will stay focused on email and mailboxes provided by Office365.
Microsoft Exchange Online Protection (EOP)
Microsoft EOP is a hosted filtering service that provides protection for Office365. FOPE provides the following list
of features:
● Antispam
● Antivirus
● Policy enforcement
● Disaster Recovery
● Directory services
SLA’s provided by Microsoft EOP are as follows:
● Spam Effectiveness >99%
● False Positives <1:250,000
● Virus detection and blocking of 100% of known viruses
● Monthly uptime of 99.999%
● Messages queuing for 2 days when the on-premises server cannot accept mail
More information available at https://technet.microsoft.com/en-us/library/dn762130%28v=exchg.150%29.aspx
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
While these SLA’s and Microsoft’s market position in Exchange would point customers towards using Office 365 with EOP
as their email security solution, customer demand for a more in-depth security solution has led Microsoft to
provide mechanisms to interoperate with 3rd party systems like DLP (Data Loss Prevention) or industry leading Email
Security vendors like Cisco Systems, Inc.’s Email Security Appliance, cloud and on-premises solutions.
Cisco Email Security Services
Based on the same industry-leading technology that protects 50 percent of Fortune 1000 companies from inbound and
outbound email threats, the Cisco Cloud Email Security service allows customers to reduce their on-site data center
footprint and out task the management of their email security to trusted security experts. It provides a dedicated email
security infrastructure in multiple, resilient Cisco data centers to enable the highest levels of service availability and data
protection. Customers retain access to (and visibility of) the hosted infrastructure. With comprehensive reporting and
message tracking, maximum administrative flexibility is assured. This unique service is all-inclusive – with software,
hardware and support bundled together for simplicity.
Best-in-Class Features:
● Powered by Cisco Talos, the industry’s largest threat intelligence service
● Industry leading Anti-SPAM
● Award winning Anti-Virus from Sophos and McAfee
● Targeted Attack Prevention with Cisco AMP – Advanced Malware Protection
● RSA Data Loss Prevention
● Integrated Message Level Encryption
● S/MIME encryption
● Web in Email protection with URL categorization and reputation
● Content Filtering – Inbound / Outbound
● Transport Layer Security (TLS)
● Anti-phishing and day-0 protection with Outbreak Filters
● Role Based Administration
● 99.999% uptime
● False positive rate of less than 1 in 1,000,000
● Co-management
● Multiple US and European Datacenters for redundancy
● Dedicated IP addresses to avoid shared fate blacklisting
● Financially backed Service Level Agreement
Cisco is proud to be recognized as a leader in the Gartner Magic Quadrant® for Email Gateways 2014
Cisco Talos
Cisco Email Security is part of Cisco’s comprehensive family of network security products and services. Organizations are
better positioned to detect and respond to threats when using best-of-breed products and services that fall under one
vendor “umbrella”—for example, because Cisco Email Security can “talk” to Cisco Adaptive Security Appliances, both can
be managed under the same security policy and threats can be identified and addressed faster.
Cisco Email Security leverages Cisco Talos, which sees 35 percent of the world’s email traffic, 75 TB of web data per day,
13 billion web requests, 1.6 million deployed devices, and more than 150 million endpoints. Cisco products integrate
technology from solutions like Cisco Web Security and Cisco Sourcefire, which addresses unwanted and potentially
malicious URLs and file attachments in email. Organizations need this multi-vector intelligence in order to have best-in-class security and protect themselves from the latest blended threats.
Why do you need Cisco Cloud Email Security with Office 365?
In addition to the best-in-class messaging security features listed above, the prime reasons why you will benefit from
Cisco Cloud Email Security are:
● Industry leading protection from email based threats, including phishing and targeted attacks, with the highest
  efficacy (99% catch rate, < 1/1M false positives)
● Top controls for Data Loss Prevention (DLP) and Secure Messaging, essential for a protected and
  secure organization
● Integrated message level encryption—no 3rd party products necessary
● Ability to leverage Cisco Talos, for protection against multi-vector sophisticated attacks
● Near real time graphical message tracking—real time available from command line interface
● With a dedicated client infrastructure, organizations will benefit by having no shared fate and reduced risk of
  outages caused by another customer
● Dedicated monitoring and support for Cisco Hosted Email Security customers
● Customer controlled reporting with Cisco support available to assist if needed
Integrating Office 365 with Cisco Cloud Email Security
Fortunately for Office 365 customers Microsoft has made integration with 3rd party systems fairly easy. The ability
inside of the Office365 environment to create Smart Host connectors for EOP to route email to these systems is
well documented. See Microsoft Exchange library.
Routing Inbound mail for SPAM filtering to Cisco Cloud Email Security
Email routing takes place via the use of Mail Exchange (MX) records. These records are DNS entries that tell systems
where to deliver email. In a non-hosted environment this record typically points to the customer’s on-premises MTA
(message transfer agent), which could be a Microsoft Exchange server, or any X flavored Sendmail variant.
The MX record points to the IP address (usually an inbound NAT on the firewall) that accepts incoming SMTP
connections. This MTA may also be a special purpose appliance like the Cisco Email Security Appliance (ESA).
As seen in the below diagram, customers may have many MX records pointing to various IP addresses for redundancy.
Cisco Hosted Email Security Services provides customers with 2 MX records to provide MX redundancy in addition to
datacenter redundancy.
Let’s examine how the customer Acme, Inc. (a fictitious company) would migrate their email security to Microsoft Office365
and Cisco Cloud Email Security.
Today Acme, Inc. houses their email systems internally and all messages are filtered by a homegrown application that
hasn’t provided the level of protection necessary for Acme’s employees. Acme has made the decision to move both the
mailboxes for the employees and the email security infrastructure to the cloud and has selected a combination of
Microsoft Office365 and Cisco Cloud Email Security.
Acme’s IT staff has arranged for both services to be active and has configured the Office365 environment with their users’
mailboxes. Acme’s current MX record points to mail.acme.com. The Cisco Cloud Email Security environment has been
configured and is ready for production traffic. MX records of mx1.acme.iphmx.com and mx2.acme.iphmx.com have been
created. These records point to the Cisco Email Security Appliances hosted in redundant Cisco datacenters. Acme and
their business partner have configured the Cisco Cloud protection to route email received for Acme’s domain to the
Microsoft Office365 servers, where it will be delivered to the end users’ mailboxes.
Acme’s IT staff changes the company’s DNS MX records from mail.acme.com to mx1 and mx2.acme.iphmx.com, and over
a period of up to 24 hours DNS servers around the Internet will detect this change and begin forwarding email to the Cisco
Cloud Email Security Appliances for Acme.
Incoming messages will be scanned for Anti-Spam, Anti-Virus, malicious file attachments and malicious URL’s, and
other email hygiene will be performed prior to delivery to Office365.
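A check for the MX cutover described above, as an added example that is not part of the original paper: it parses DNS answer lines and reports any MX host other than mx1.acme.iphmx.com and mx2.acme.iphmx.com, because a leftover record such as mail.acme.com still accepts mail that never passes through the Cisco Cloud Email Security scanning. The sample answer, its TTL values and the function names are constructed for illustration.

```python
"""Audit MX answers after a gateway cutover (added example, constructed data)."""

# Hosts the paper gives for Acme's Cisco Cloud Email Security MX records.
EXPECTED_MX = {"mx1.acme.iphmx.com", "mx2.acme.iphmx.com"}

# Constructed sample in zone-file / `dig +noall +answer` layout, taken
# mid-migration with the old on-premises MX still published.
SAMPLE_ANSWER = """\
; constructed sample, not real DNS data
acme.com.   3600  IN  MX  10 mx1.acme.iphmx.com.
acme.com.   3600  IN  MX  20 MX2.acme.iphmx.com.
acme.com.   86400 IN  MX  50 mail.acme.com.
acme.com.   3600  IN  A   192.0.2.10
"""


def normalize(host):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return host.rstrip(".").lower()


def parse_mx(text):
    """Return sorted [(preference, host, ttl)] for MX lines; skip everything else."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip zone-file comments
        if len(fields) >= 6 and fields[2].upper() == "IN" and fields[3].upper() == "MX":
            records.append((int(fields[4]), normalize(fields[5]), int(fields[1])))
    return sorted(records)


def audit_mx(text, expected=EXPECTED_MX):
    """Compare published MX hosts with the gateway hosts that should be the only ones."""
    records = parse_mx(text)
    published = {host for _, host, _ in records}
    bypass = sorted(published - expected)   # hosts that receive mail around the gateway
    missing = sorted(expected - published)  # gateway hosts absent, so no MX redundancy
    # Resolvers may keep serving a removed record until its TTL runs out.
    stale_ttl = max((ttl for _, host, ttl in records if host in bypass), default=0)
    return {"ok": not bypass and not missing, "bypass": bypass,
            "missing": missing, "stale_ttl": stale_ttl}


if __name__ == "__main__":
    print(audit_mx(SAMPLE_ANSWER))
```

The `stale_ttl` value is the longest time, in seconds, that a cache could keep delivering to a bypass host after the record is removed, which is the propagation window the paper bounds at up to 24 hours.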
Routing Outbound Email Delivery from Office 365 to Cisco Cloud Email Security
Acme’s Executive staff has made it clear they want email leaving their organization to adhere to various government
regulations like HIPAA and Sarbanes Oxley. In order to accomplish this Acme’s IT staff has made the decision to route
outbound email through the Cisco Cloud where policy enforcement using the RSA Data Loss Prevention modules as well
as the integrated Cisco Email Encryption can be utilized.
In order to route the email messages from the Microsoft Office 365 mailboxes to Cisco, an Outbound Connector must be
configured in the FOPE system. For more information see https://technet.microsoft.com/en-us/library/ms.exch.eac.connectorselection%28v=exchg.150%29.aspx
1. In the EOP Admin Center select Exchange then go to Mail Flow and click Connectors
2. In the Connectors select Outbound Connectors and then Add
3. Name the connector: Outbound to Cisco Cloud
4. Specify the recipient domain as *.*
5. Deliver all messages to the following destination: mx1.acme.iphmx.com and mx2.acme.iphmx.com
6. Select Transport Layer Security (TLS) and select validation against self-signed certificate
7. Save your changes
In the Cisco Cloud Email Security configure the following:
1. Mail Policies/HAT Overview
2. Add the Office 365 domain: acme.onmicrosoft.com to the RELAYLIST policy and Commit changes
Now Acme Inc has all the benefits of hosted mailboxes by Office 365 and the industry’s best email protection from Cisco
Cloud Email Security.
Cloud Hosted Email Security with Office365
Printed in USA
C11-727691-00
04/13