Barracuda Essentials For Office 365 - Email Security And .

Transcription

Barracuda Essentials

Barracuda Essentials for Office 365 - Email Security and Compliance

The articles in this section assume you are deploying the Email Security and Compliance components—Barracuda Email Security and Barracuda Cloud Archiving Services—for the first time. If you previously deployed one of these components and wish to migrate to Barracuda Essentials for Office 365, contact your Barracuda sales representative.

Barracuda Essentials for Office 365 Email Security and Compliance provides:

- Critical multi-layer security and compliance for Office 365;
- Effective protection against Spam and Phishing emails;
- Complete email archival for compliance and eDiscovery through granular policies;
- Easy to use applications to access and manage archived email from any device;
- Full functionality free for 30 days.

Barracuda Essentials for Office 365 - Email Security and Compliance includes a 90-day Barracuda PST Enterprise trial license. For details on finding, migrating, and restoring PST files using Barracuda PST Enterprise, refer to the Getting Started section in the Barracuda PST Enterprise TechLibrary.

Barracuda Email Security Service

You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain passes before reaching your Office 365 account. The Barracuda Email Security Service filters out spam and viruses, and then passes the mail on to Office 365 mail servers. Additionally, you can specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your Office 365 account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out spam and viruses before final delivery.

Barracuda Cloud Archiving Service

The Barracuda Cloud Archiving Service is a Software as a Service (SaaS) solution hosted in the Barracuda Cloud, previously referred to as 'direct to cloud'. The Barracuda Cloud Archiving Service is designed for customers that do not want to manage a physical or virtual appliance. It is simpler to deploy than public cloud versions of Barracuda Message Archiver, without additional infrastructure investment.

Where to Start

Step 1 – Email Security and Compliance Setup
Step 2 – Deploy Email Security and Compliance


Step 1 - Email Security and Compliance Setup

This step assumes you are deploying the components of Email Security and Compliance—Barracuda Email Security and Barracuda Cloud Archiving Services—for the first time. If you previously deployed one of these components and wish to migrate to Barracuda Essentials for Office 365, contact your Barracuda Networks sales representative.

1. Go to barracuda.com, and from the Products drop-down menu, click Essentials for Office 365.
2. In the Product page, click Free Trial.
3. The Select a plan page displays. Select Email Security and Compliance, enter the number of Users, and click Continue.
4. In the Contact Info page:
   a. New Customer – Enter your contact information; all fields are required. Click Continue.
   b. Existing Customer – Enter your Barracuda Cloud Control account login
5. Click Continue. Verify the account details. If you need to change your account, click Sign out and use a different account.
   If you are a reseller, use the Client information section to select the account to which to add the service or create a new account for the service. Click Grant me (the reseller) administrative access to this service to set administrative access.
6. Click Begin 30-Day Free Trial.
7. Once the setup process is complete, the Barracuda Essentials for Office 365 Setup page displays in a new window and your 30-day trial begins immediately.
8. The ADMIN Set Up Essentials for Office 365 Setup page displays the selected plan and the Subscription Status displays as Free Trial.

Continue with Step 2. Deploy Email Security and Compliance to set up the Barracuda Email Security and Barracuda Cloud Archiving

Step 2 - Deploy Email Security and Compliance

Barracuda recommends setting up Email Security before the Cloud Archiving Service.

Evaluate Barracuda Essentials for Office 365 Email Security and Compliance for 30 days, after which you can purchase and link the services to your account.

Complete the steps in each section of this 30-day evaluation guide to deploy services in your environment.

Barracuda Cloud Archiving Service is integrated with Barracuda Cloud Control LDAP. Barracuda Email Security Service has a separate LDAP configuration setup to support multiple user roles across configured domains.

Section I. Barracuda Email Security Service

Office 365 IP addresses and user interfaces can change; refer to Microsoft documentation for configuration details.

Step 1. Launch the Barracuda Email Security Service Setup Wizard

Alternatively, you can manually set up the Barracuda Email Security Service using the web interface.

1. In the ADMIN Set Up Essentials for Office 365 Setup page, click Set up to the right of Email Security to launch the Barracuda Email Security Service Setup wizard.
2. Click Get Started. The Specify Primary Email Domain page displays. Enter the primary Office 365 domain you want to filter, for example: corpdomain.com
3. Click Next. The Specify Email Servers page displays. Enter the mail server hostname (FQDN) or IP address for the domain entered in the previous step, for
   If the Barracuda Email Security Service Setup wizard has already identified your mail server IP based on the MX record, the Mail Servers field pre-populates.
4. Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers.
5. Once the mail server is verified, the Verified icon displays in the status column and a confirmation message displays at the top of the page.
6. Click Next. The Configure Settings page displays. Select from the following options:
   a. Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email.
   b. Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off, inbound mail is not scanned for spam.
   c. Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' will likely block legitimate messages while setting a score of '10' will allow more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the

The following features, configured on the INBOUND SETTINGS > Anti-Spam/Antivirus page, are enabled when Spam Protection is set to On:

- Barracuda Reputation Block List (BRBL) – Database of IP addresses manually verified to be a noted source of spam.
- Barracuda Real-Time System (BRTS) – Advanced service to detect zero-hour spam and virus outbreaks even where traditional heuristics and signatures to detect such messages do not yet exist.
- Sender Policy Framework (SPF) – Block Fail is disabled.
- Barracuda Anti-Fraud Intelligence – Barracuda Networks anti-phishing detection which uses a special Bayesian database for detecting Phishing scams.
- Intent Analysis – Blocking based on intent analysis.
- CloudScan Scoring – A cloud-based spam scanning engine which assigns a score to each message processed ranging from 0 (definitely not spam) to 10 (definitely spam).

7. Click Next. The Route Email Through Barracuda page displays.
8. To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page.
   During the evaluation period, to complete the verification process but allow your legitimate mail to continue using your current mail server, you can add the MX records with a low priority, for example, 99. Some mail may appear in the Message Log after making this MX record change as spammers routinely send mail to all MX records for a domain.
   Once you have made the change to your MX records, return to the Route Email Through Barracuda page and click Verify MX Records. The Barracuda Email Security Service should see the changes made and verify your domain. If the domain does not verify correctly, verify that your MX changes are live. You can do this by using the following sites that return your MX oogleapps.com/apps/dig/ (select the MX option)
   If your domain's MX records do not display in the Barracuda Email Security Service MX records, you must wait until they display before your domain can be verified.
9. If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not want to route my e-mail through Barracuda at this time, and select the verification option:
   a. CNAME Records – To use the CNAME records method to verify the domain ownership:
      i. Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example: barracuda30929916985.corpdomain.com
      ii. Point the CNAME record of that subdomain to ess.barracuda.com. Allow the DNS propagation to take effect before proceeding.
      iii. Click Confirm Validation in the Route Email Through Barracuda page.
   b. Email to the postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain.
   c. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry. This verification option is not available if the Barracuda Email Security Service cannot find your domain's WHOIS entry. If there is not a technical contact, then only the MX Records and Email to the Postmaster options display on this page.
10. Click Next.
11. The Confirmation page displays. Confirm domain ownership, and then click Done.

Step 2. Set Up User Accounts

You can add users manually or use LDAP authentication to automatically synchronize the Barracuda Email Security Service with your LDAP server. To create a few test accounts during the evaluation period, use the Manually Add Users steps below.

Decide how you want to use quarantine:

Per-user quarantine – When selected, users have quarantine accounts and can decide whether or not mail is spam. Set up several users for the evaluation and test the results. This option requires more initial effort to set up user accounts, possibly with sync to your LDAP server, but less work for the administrator over time since users manage their quarantined mail.

Quarantine Type    Create User Accounts    Manages Quarantine?    User can Create Sender

Global quarantine – When selected, the administrator monitors the Message Log for quarantined mail and decides whether or not it is spam.

1. If you select Global quarantine, there is no need to create user accounts.
2. If you select Per-user quarantine, then from the USERS > Add/Update Users page manually add a few test accounts, and set Enable User Quarantine to Yes. The first time the Barracuda Email Security Service receives an email for that user and the message is quarantined, the user receives a quarantine notification email at the scheduled quarantine notification interval. Depending on how you configure the quarantine notification interval on the USERS > Quarantine Notification page, the user receives a quarantine digest at a specified time.

LDAP Synchronization

Automatically create user accounts for all users in the domain based on your LDAP directory.

Important
The Barracuda Email Security Service connects with your network from various IP addresses, including performing LDAP lookups. To ensure that the service can connect with your network, allow traffic originating from this range of network addresses: 64.235.144.0/20

1. Click DOMAINS, and click Settings in the Actions column for the desired domain.
2. In the DOMAINS > Domain Settings page, scroll to the Directory Services section, and enter your LDAP settings:
   a. LDAP Host – LDAP lookup server. If this setting is a hostname, and is contained in multiple A records, or multiple space-separated hosts are provided, then fail-over capabilities will be available if the Barracuda Email Security Service is unable to connect to one of the machines listed here.
   b. Port – Port used to connect to the LDAP service on the specified LDAP server. Typically port 389 is used for regular LDAP and LDAP using the STARTTLS mode for privacy. Port 636 is assigned to the LDAP over SSL/TLS (LDAPS) service.
   c. Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. Set to Yes to use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology to make LDAP traffic confidential and secure.
   d. Bind DN/Username – Username used to connect to the LDAP service on the specified LDAP server. If of the form accountname@domain.com, the username is transformed into a proper LDAP bind DN like CN=accountname,CN=users,DC=domain,DC=com when accessing the LDAP server. Sometimes the default transformation does not generate a proper bind DN. In such cases, a fully formed and valid bind DN must be entered.
   e. Bind Password – Password used to connect to the LDAP service on the specified LDAP server.
   f. Base DN – Base DN directory. This is the starting search point in the LDAP tree. The default value looks up the 'defaultNamingContext' top-level attribute and uses it as the search base. For example, if your domain is test.com, your Base DN might be dc=test,dc=com.
   g. Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists of a series of attributes that might contain the email address. If the email address is found in any of those attributes, then the account is valid and is allowed by the Barracuda Email Security Service.
   h. User Filter – Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made. For example, you could limit the LDAP synchronization to just users in certain sub-domains using the mail parameter, or only synchronize user-objects in a certain organizational unit (OU) using the ou parameter. Each type of LDAP server has specific query syntax, so consult the documentation for your LDAP server. See the Microsoft TechNet article LDAP Query Basics for LDAP query syntax and examples.
      Example: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service would only create accounts for 'User1', 'User2', and 'User3'.
   i. Custom User Filter – Set to Yes to limit newly synchronized email users and linked email users strictly to this one domain.
   j. Mail Attributes – Attribute in your LDAP directory that contains the user's email address.
   k. Testing Email Address – Valid email address for use in testing LDAP settings. If this field is left blank, LDAP settings are only tested for connection.
   l. Synchronize Automatically – Set to Yes to automatically synchronize your LDAP users to the Barracuda Email Security Service database on a regular basis for recipient verification. With Microsoft Exchange server, the synchronization is incremental. When set to No, you must click Synchronize Now at the top of the section to manually synchronize your LDAP users to the Barracuda Email Security Service

   m. Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. Set to No if your LDAP server will be unavailable for a period of time.
3. In the Advanced Configurations section, set Sender Rewriting Scheme (SRS) to On to direct the Barracuda Email Security Service to rewrite the Envelope FROM address of inbound messages so that they appear to come from Barracuda Networks rather than the original sender. This is useful if you are using a hosted email service that cannot turn off Sender Policy Framework (SPF) checking. For more information, see Sender Policy Framework.
4. Click Save Changes.

The first time the Barracuda Email Security Service receives a Not Allowed email for a valid user, the service does the following:

- Uses the email address of the recipient as the username of the account and auto-generates a password. If Use LDAP for Authentication is set to No on the DOMAINS > Domain Settings page, the user receives an email with the login information so they can access their quarantine account; otherwise, the user can use single sign-on via LDAP lookup.
- Places the quarantined message in the account holder's quarantine inbox.
- Sends a quarantine summary report to the account holder at the specified notification interval, as set on the USERS > Quarantine Notification page. If Allow users to specify interval is set to Yes on this page, then the quarantine summary report is sent to the user on the schedule specified on the SETTINGS > Quarantine Notification page once they log into their account. The default is Daily.

Manually Add Users

1. Go to USERS > Add/Update Users.
2. In the User Accounts field, enter each user email address for the domain on a separate line, and then select from the following options:
   a. Enable User Quarantine – All emails for the user which meet the configured block policy go to the user's quarantine account. Depending on how you have configured the quarantine notification interval on the USERS > Quarantine Notification page, the user receives a quarantine digest at a specified time. From the USERS > Quarantine Notification page you can also enable the user to set their own quarantine notification interval.
   b. Notify New Users – When set to Yes, users receive a welcome email once the account is created.
3. Click Save Changes. The users are added to the USERS > Users List table where you can select from the following actions:
   a. Edit – Click to specify domains this user can manage.
   b. Reset – Click to send the user an email with instructions on how to reset their account password.
   c. Log in as this user – Click to view or change the user's settings (for example, quarantine notifications), view/manage the domains this user manages, and view/search/manage the user's Message Log.
   d. Delete – Click to remove the user account.

The first time the Barracuda Email Security Service receives an Allowed email for a non-existent user at a domain configured for the service, if that same recipient receives a second email 1-6 days later, a new user account is created. This method of new account creation does not use LDAP lookup, and the user receives an email from the Barracuda Email Security Service with their login information so they can access their quarantine account.

Step 3. Configure Inbound Mail

Obtain the hostname:

1. Log in to Office 365 as the administrator, and click DOMAINS in the left pane.
2. In the Manage domains table, take note of the hostname. This is the address of your destination mail server, for example, ourdomain-com.mail.protection.outlook.com
3. Click the Plus symbol to add a domain; the new journal rule dialog box displays.

Enter the hostname:

Barracuda recommends using a hostname rather than an IP address so that you can move the destinat
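The MX and CNAME checks from steps 8 and 9 of the setup wizard can be confirmed from DNS answers before clicking Verify. The following is an added example, not Barracuda's code: it classifies how inbound mail is routed and checks the ownership CNAME. The answer lines are constructed, and the two `barracuda-mx.example` hosts are placeholders for the Primary and Backup MX records the wizard displays, which this page does not list.

```python
# Added example with constructed data. mx1/mx2.barracuda-mx.example are
# placeholders for the Primary and Backup MX hosts shown by the wizard.
BARRACUDA_MX = {"mx1.barracuda-mx.example", "mx2.barracuda-mx.example"}
CNAME_TARGET = "ess.barracuda.com"  # verification target named in step 9

# Constructed dig-style answer lines for the page's example domain.
SAMPLE_ANSWERS = """\
corpdomain.com. 3600 IN MX 0 corpdomain-com.mail.protection.outlook.com.
corpdomain.com. 3600 IN MX 99 mx1.barracuda-mx.example.
corpdomain.com. 3600 IN MX 99 mx2.barracuda-mx.example.
barracuda30929916985.corpdomain.com. 3600 IN CNAME ess.barracuda.com.
"""


def parse_answers(text):
    """Return (mx, cname): mx is [(preference, host)], cname maps name -> target."""
    mx, cname = [], {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[3] == "MX":
            mx.append((int(f[4]), f[5].rstrip(".").lower()))
        elif len(f) == 5 and f[3] == "CNAME":
            cname[f[0].rstrip(".").lower()] = f[4].rstrip(".").lower()
    return mx, cname


def mx_state(mx):
    """Classify inbound routing relative to the Barracuda MX hosts."""
    barracuda = [pref for pref, host in mx if host in BARRACUDA_MX]
    other = [pref for pref, host in mx if host not in BARRACUDA_MX]
    if not barracuda:
        return "not-published"      # the wizard cannot verify the domain yet
    if not other:
        return "filtered-only"      # every published MX is the filtering service
    if min(barracuda) > min(other):
        return "evaluation"         # lowest preference value wins: mail still goes direct
    return "direct-mx-remains"      # filtering is preferred, but another MX still accepts mail


def cname_verified(cname, domain, token):
    """Step 9.a: 'barracuda' + token under the domain must point at ess.barracuda.com."""
    return cname.get(f"barracuda{token}.{domain}".lower()) == CNAME_TARGET


if __name__ == "__main__":
    mx, cname = parse_answers(SAMPLE_ANSWERS)
    print(mx_state(mx), cname_verified(cname, "corpdomain.com", "30929916985"))
```

A result of `direct-mx-remains` after the evaluation means senders can still deliver to the other MX host without passing through the filter, which matches the page's remark that spammers send to every MX record for a domain.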

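The LDAP Synchronization settings above (the 64.235.144.0/20 source range, Use SSL, the default bind DN transformation and the User Filter) can be reviewed before saving them. This is an added example, not Barracuda's implementation: `review` and its finding names are hypothetical, the service account and firewall rules are constructed, and the filter matcher handles only a single `(attr=pattern)` term.

```python
import ipaddress
import re

BARRACUDA_RANGE = ipaddress.ip_network("64.235.144.0/20")  # range stated on the page


def default_bind_dn(username):
    """Default transformation described on the page:
    accountname@domain.com -> CN=accountname,CN=users,DC=domain,DC=com."""
    account, _, domain = username.partition("@")
    dcs = ",".join(f"DC={label}" for label in domain.split("."))
    return f"CN={account},CN=users,{dcs}"


def normalize_dn(dn):
    """Case-fold and trim each component (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def matches_filter(ldap_filter, entry):
    """Evaluate one (attr=pattern) term with * wildcards, case-insensitively.
    Not a full RFC 4515 parser: no &, |, ! or escape sequences."""
    attr, _, pattern = ldap_filter.strip()[1:-1].partition("=")
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, entry.get(attr, ""), re.IGNORECASE) is not None


def review(bind_user, actual_dn, use_ssl, allowed_cidrs):
    """Return findings for a Directory Services setup (hypothetical helper)."""
    findings = []
    if not use_ssl:
        findings.append("cleartext-ldap")        # bind password unprotected in transit
    if normalize_dn(default_bind_dn(bind_user)) != normalize_dn(actual_dn):
        findings.append("enter-full-bind-dn")    # default transformation would not bind
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    if not any(BARRACUDA_RANGE.subnet_of(n) for n in nets):
        findings.append("barracuda-range-blocked")
    elif any(n.prefixlen < BARRACUDA_RANGE.prefixlen for n in nets):
        findings.append("ldap-open-wider-than-needed")
    return findings


if __name__ == "__main__":
    # Constructed case: service account lives in an OU, LDAP open to any source.
    print(review("svc-ldap@corpdomain.com",
                 "CN=svc-ldap,OU=Service Accounts,DC=corpdomain,DC=com",
                 use_ssl=False, allowed_cidrs=["0.0.0.0/0"]))
    # The page's User Filter example.
    users = ["User1", "User2", "User3", "BJones", "RWong", "JDoe"]
    print([u for u in users if matches_filter("(name=*User*)", {"name": u})])
```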