Skip to main content
McAfee MVISION Cloud

Integrate Inline Email DLP with McAfee ePO

When using Inline Email DLP, Exchange Online remediation actions occur in real time so data never leaves your organization through Exchange Online email messages.


The following components are required for this feature:

  • Exchange Online mail routing (connectors and rules)
  • Sky Gateway (mail is routed from Office 365 to Sky Gateway proxy)
  • Sky Link (API) connection to Exchange Online for quarantine and delete remediation actions

Email flow

Office 365 is configured to send messages through Sky Gateway so it can inspect the contents of the message. Sky Gateway acts as an SMTP proxy and as such never stores or queues messages. Messages are processed in real time and require an active inbound and outbound SMTP session to proxy both legs.

The email flow is as follows:

  1. A user in your organization sends a message.
  2. Based on mail routing rules configured in Exchange Online, messages are forwarded to the Sky Gateway SMTP server.
  3. The Sky Gateway SMTP server proxies the connection from Exchange Online server (2), performs DLP inspection, and proxies back the connection to Exchange Online server (4).
  4. Exchange Online receives the message.
  5. Exchange Online forwards the message onto one or more original destinations.




Message Transport Error Handling

As the Sky Gateway acts as an SMTP proxy, it never accepts the SMTP connection unless the outbound leg can be established. Sky Gateway never queues or stores messages so both legs of the connection must be up for messages to flow. This ensures that Exchange Online handles any issues with connections. If a connection fails, the sending Exchange Online will re-queue the message and try again.

Error messages received from the receiving SMTP gateway are relayed back to the sending SMTP gateway so the sending gateway can re-queue the message for transport.



Remediation Options

Because Inline DLP is done in real-time, it requires the API-based Sky Gateway integration. Sky Gateway ensures that emails are blocked, deleted, or quarantined before they ever leave a sender's email account. For example, if you set up a DLP policy that deletes emails containing sensitive keywords, any message containing a specified word is deleted from a sender's mailbox. With Sky Gateway you can choose from the following options:

  • Block. When an email is blocked, the email remains in the sender's Sent folder, but the intended recipient does not receive the message. The MVISION Cloud admin does not receive a copy of the email in the Quarantined folder. The email does not leave the sender's account.
  • Delete. When an email is deleted, the email is removed from the sender's Sent folder, and the intended recipient does not get the email. The MVISION Cloud admin does not receive the email in the Quarantined folder. 
  • Quarantine. When an email is quarantined, the MVISION Cloud Admin receives the email in the Quarantined folder. Emails are quarantined in real-time, via API.
  • Notifications. You can choose to notify users and/or MVISION Cloud admins via email when messages are blocked, deleted, or quarantined.
  • Block Failed. Block Failed indicates that no modifications are made to the incident response because the email has left the sender’s account, the block has failed, and the email has reached the recipients. 
  • Add X Header Failed. Add X Header Failed indicates that no header is added. No modifications are made to the incident response because the block has failed and the email has reached the recipients. 


Inline Email DLP Prerequisites

To configure Inline DLP, you need the following:

  • McAfee MVISION Cloud tenant
  • A Microsoft Office 365 account with global admin permissions
  • An Exchange Online email account

Make sure that you've confirmed that you can send and receive emails before proceeding.


Integration Steps

  1. In McAfee MVISION Cloud, select Settings | Integrations | ePolicy Orchestrator.
  2. Click Enable to begin to use McAfee ePO Exchange Online policies instead of any policies in McAfee MVISION Cloud.
  3. Click Edit Users to add a user account associated with the Service Account that will have the ePO Connector Role.
  4. In McAfee ePO, connect to McAfee MVISION Cloud. Then return to McAfee MVISION Cloud and click I Did This.
  5. In McAfee ePO extend rules to McAfee MVISION Cloud. Then in McAfee MVISION Cloud click I Did This.


Enabling inline DLP

There are five steps to enabling Inline DLP: set up Exchange Online in McAfee MVISION Cloud, route email from Office 365 to McAfee MVISION Cloud, route email back after scanning, create a mail routing rule in Office 365, and test the setup.

Before you begin

To allow the proper flow of email traffic set up a new connector in Office 365. You can learn more about connectors at Configure mail flow using connectors in Office 365.

1. Set up Exchange Online in MVISION Cloud

  1. Select Settings | Service Management.
  2. Click Microsoft Exchange Online.
  3. If Exchange Online has been configured, click Default. Otherwise click New Instance.
  4. Click Setup, then click Configure.
  5. On the Business Requirements screen, select Inline Only. Click Next.
  6. Review the prerequisites, then select I have reviewed all prerequisites and click Next.
  7. Now add domains that are used for McAfee DLP. Add the Microsoft Exchange Online domain(s), then the email domain associated with your McAfee ePO deployment. Next, enter a value for Host Name and the Port. Make sure that the automatically-generated MVISION Cloud Email Server Domain is correct. Click Next.
  8. For Quarantine Settings, you can enter an optional email address where quarantined files are sent. To enable this option, select Quarantine Emails and Attachments, then type the email address. Click Next.
  9. On the Summary screen, make sure all settings are correct. Click Done.

2. Create mail connectors — route email from Office 365 to MVISION Cloud

You'll need to create two mail connectors. The first connector sends emails from Office 365 to McAfee MVISION Cloud for inspection, and the second accepts emails after they were scanned by McAfee MVISION Cloud.

Before you begin

Create a Security Group. To limit the impact of enabling Inline DLP, it's wise to set up a security group in Office 365 with a few email addresses that you can use to test. Once you're happy with the performance, you can then either add additional security groups, or use Inline DLP with all email addresses in your organization. See Manage mail-enabled security groups for instructions.

Make sure to set the following:

  • Type: Mail-enabled security group
  • Name: SkyhighEmailDLP
  • Allow people outside of my organization to send email to this distribution group: OFF

To create mail connectors:

  1. Log in to Office 365 as a Global Admin and navigate to the Exchange Admin center.
  2. Select Mail flow, then connectors.
  3. Add a new connector. Follow the instructions you'll find here: Set up connectors to route mail between
  4. Office 365 and your own email server. Make sure to set the following options:
    1. Name the new connector Office 365 to MVISION Cloud Email DLP.
    2. Make sure to select Only when I have a transport rule set up that redirects messages to this connector when setting up the new connector.
    3. Be sure to select Always use TLS and Any digital certificate, including self signed when asked how to connect Office 365 to your partner's email server.

3. Create mail connectors — route email back after scanning

To route email back after scanning:

  1. Return to Mail flow, then connectors.
  2. Add a new connector.
  3. Under Select your mail flow scenario, set the following:
    • From: Your organization's email server
    • To: Office 365
  4. Click Next.
  5. On the New connector screen, enter the following:
    • Name: MVISION Cloud Cloud Email DLP to Office 365
    • Description: Receives email after they are scanned by MVISION Cloud DLP
  6. 6 Under What do you want to do after the connector is saved, select both of the following:
    • Turn it on
    • Retain internal Exchange email headers
  7. Click Next.
  8. On the Edit Connector screen, under How should Office 365 identify email from your email server, select By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization. Then type a list of all Source IP addresses.
  9. Click Next.

You should now have two connectors, one configured in each direction.

4. Create a mail routing rule in Office 365

To create a new mail routing rule:

  1. Log in to Office 365 as a Global Admin and navigate to the Exchange Admin center.
  2. Select Mail flow, then rules.
  3. Configure a new rule as follows:
    • Name: Send to MVISION Cloud Email DLP for inspection
    • Apply this rule if: The sender is a member of the [security group you created earlier in Step 2]
  4. Click More options.
  5. From the Do the following drop down, choose Redirect the message to then choose the following connector.
  6. Select the Office 365 to {{product} Email DLP connector. Click OK.
  7. On the new rule screen, add an exception. Under Except if, choose A message header matches, then pick matches these text patterns. Click Enter text then type X-SHN-DLP-SCAN. Click OK.
  8. Type success in the text box, then click OK.
  9. Deselect Audit this rule with severity level, then click Save to save the rule.

5. Test the setup

To test outbound email:

  1. Log in to your Office 365 account using a user that is a member of the security group you created in Step
  2. Send a test email to your work email address and confirm it is received. Confirm the test message was relayed by MVISION Cloud Email DLP.
  3. Use the message trace in the Microsoft Exchange admin center to verify that Inline DLP is functioning.
    1. Use a custom date range to filter out noise as required.
    2. Create a policy that will trigger low (log only), medium (quarantine) and high (delete).
    3. Find the message you sent to yourself earlier, and double-click to review details.
    4. Review the message trace and confirm the email was sent out using the connector.
  • Was this article helpful?