Skip to main content
Skyhigh Security

Configure Inline DLP

Configure a new connector in Office 365 to allow the proper flow of email traffic.

For more information, see Configure mail flow using connectors in Office 365.

Prerequisites

  • Skyhigh CASB supports only User Mailboxes, ideally from the Service account that is integrated. Shared Mailboxes are not supported.
  • To be assigned a dedicated PoP, contact Support

Step 1: Set up Exchange Online in Skyhigh CASB

The first step is to enable Inline DLP for Exchange Online in Skyhigh CASB.

To enable Exchange Online:

  1. Go to Settings > Service Management.
  2. Click Microsoft Exchange Online.
  3. If Exchange Online has been configured, click Default. Otherwise, click New Instance.
  4. Click Setup, then click Configure to the right of Configure Email DLP.
    MSEO Config.png
  5. In the Business Requirements screen, select Inline Only. Click Next.
    Inline Email DLP Biz Reqs.png
  6. Review the prerequisites, then select I have reviewed all prerequisites and click Next.
    Inline Email DLP Prereqs.png
  7. Now add domains for DLP. Select one or more Microsoft Exchange Online domains, and then the email domain associated with your Trellix ePO deployment. Next, enter a value for Host Name and the Port. Make sure that the automatically generated Skyhigh CASB Email Server Domain is correct. Click Next.
    clipboard_ec01b77eba43e6432d38ab1a795a60173.png

NOTE: Under Select Domains, if you do not see the desired domain names then add a domain to Microsoft 365 UI. To add domains, see Add a domain to Microsoft 365 documentation.

  1. For Quarantine Settings, you can enter an optional email address where quarantined files are sent. To enable this option, select Quarantine Emails and Attachments, then type the email address. Click Next.
    Inline Email DLP Quarantine.png
  2. In the Summary screen, make sure all settings are correct. Click Done.
    Inline Email DLP Summary.png

Step 2: Create a Security Group

Create a security group in Office 365 with a few email addresses for testing. Once you're happy with the performance, you can then either add security groups, or use Inline DLP with all email addresses in your organization.

For instructions, see Manage mail-enabled security groups.

Make sure to set the following:

  • Type: Mail-enabled security group
  • Name: MVCEmailDLP
  • Allow people outside of my organization to send email to this distribution group: OFF

Step 3: Create Mail Connectors

Create two mail connectors. The first connector sends emails from O365 to Skyhigh CASB for inspection, and the second accepts emails after Skyhigh CASB scans them.

If you're unfamiliar with setting up connectors in Office 365, you can find information here.

IP addresses for Skyhigh CASB environments to use with connecters are listed here:

United States

POP DNS name: mail-inline.api-pop.myshn.net

  • 52.8.140.255
  • 35.169.47.31
  • 18.217.82.134
  • 54.164.132.26
Canada
  • 35.182.84.200
  • 15.222.68.144
  • 15.222.50.218
  • 35.183.159.113
EU

Allow list IP addresses for Ireland POP. These are IP addresses in Ireland NAT Gateways:

  • 54.154.11.112
  • 52.208.188.45
  • 52.214.141.239

Allow list IP addresses for Stockholm POP. These are IP addresses in Stockholm NAT Gateways:

  • 13.48.141.247
  • 13.48.175.172
  • 13.48.146.72

Allow list IP addresses for Frankfurt euprod SPOP. These are IP addresses in Frankfurt NAT Gateways:

  • 35.157.197.205
  • 3.120.8.62
  • 3.120.122.0
GOV
  • 52.61.94.253
  • 15.200.38.217
  • 18.252.127.142
  • 18.252.136.33

Route Email from Office 365 to Skyhigh CASB

To create a mail connector to route email from Office 365 to Skyhigh CASB for inspection:

  1. Log in to Office 365 as a Global Admin and navigate to the Exchange Admin center.
  2. Select Mail flow, then connectors.
  3. Add a connector. Follow the instructions at Set up connectors to route mail between Office 365 and your own email servers. Make sure to set the following options:
    • Name the new connector Office 365 to Skyhigh CASB Cloud Email DLP.
    • Make sure to select "Only when I have a transport rule set up that redirects messages to this connector" when setting up the new connector.
    • Make sure to select Always use TLS and Any digital certificate, including self-signed when you are prompted how to connect Office 365 to your partner's email server.

Next, create another connector to accept emails after Skyhigh CASB scans them. 

Route Email Back After Scanning

To create a connector to accept email after scanning:

  1. Return to Mail flow, then connectors.
  2. Add a connector.
  3. Under Select your mail flow scenario, set the following:
    • From: Your organization's email server
    • To: Office 365
  4. Click Next.
  5. In the New connector screen, enter the following:
    • Name: Skyhigh CASB Cloud Email DLP to Office 365.
    • Description: Receives email after Skyhigh CASB DLP scans them.
  6. Under What do you want to do after connector is saved, select both of the following:
    • Turn it on
    • Retain internal Exchange email headers
  7. Click Next.
  8. In the Edit Connector screen, under How should Office 365 identify email from your email server, select By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization. Then type a list of all Source IP addresses.
  9. Click Next.
  10. You should now have two connectors, one configured in each direction:
    clipboard_e7d46b9294d6b7141891851cdff15f452.png

Step 4: Create Mail Routing Rule in Office 365

Now that connectors are set up, specify the mail routing rule.

  1. Log in to Office 365 as a Global Admin and navigate to the Exchange Admin center.
  2. Select Mail flow, then rules.
  3. Configure a new rule as follows:
    • Name: Send to Skyhigh CASB Cloud Email DLP for inspection
    • Apply this rule if: The sender is a member of the [security group you created earlier in Step 2].
  4. Click More options
  5. From the Do the following menu, select Redirect the message to and then select the following connector
    clipboard_ef31d63320c925d3767eae54c8448481a.png
  6. Select the Office 365 to Skyhigh CASB Cloud Email DLP connector. Click OK.
    IMPORTANT:  We recommend setting up email DLP only on EXTERNAL OUTBOUND emails. Internal communications between employees/users within an organization don't need to be scanned with the same degree of security.
    clipboard_e5561019a3bfd650b2ab6b87bde67f1e3.png
  7. Next, in the new rule screen, add an exception. Under Except if, select A message header, then pick matches these text patterns. Click Enter text; type X-SHN-DLP-SCAN. Click OK.
  8. Enter success in the text field and then click OK.
  9. Deselect Audit this rule with severity level, and then click Save to save the rule.
    clipboard_e1dc4e0981aadffb190124a84e5508563.png

Step 5: Test

Once the integration is complete, you must test it.

To test outbound email:

  1. Log in to your Office 365 account using a user that is a member of the security group you created in Step 2.
  2. Send a test email to your work email address and confirm it is received.

To confirm the test message was relayed via Skyhigh CASB Email DLP:

You can use the message trace in the Exchange admin center to verify that Inline DLP is functioning.

  1. Use a custom date range to filter out noise as required.
  2. Create a policy that triggers low (log only), medium (quarantine) and high (delete)
  3. Find the message you sent to yourself earlier, and double-click to review details.
  4. Review the message trace and confirm the email was sent out using the connector.
    clipboard_ed6b7d5aa4f3cb865c43d8d79b4109e16.png
  • Was this article helpful?