
Using Trustwave SEG Cloud with Cloud-Based Email Solutions


Table of Contents

About This Document

1 Trustwave SEG Cloud for Anti-Malware with Cloud-Based Email Solutions

2 Networking and DNS Setup

3 Provisioning Trustwave SEG Cloud

4 Configuring Exchange Online
   4.1 Set up a connector to send outgoing messages through SEG Cloud
   4.2 Set up a connector to accept incoming messages from SEG Cloud
   4.3 Set up the SEG Connector Agent for Azure AD

5 Configuring G Suite Email
   5.1 Set up an Outbound Mail Gateway to deliver outgoing messages to SEG Cloud
   5.2 Set up an Inbound Mail Gateway to accept incoming messages from SEG Cloud

About Trustwave

Trademarks

About This Document

This document is for email administrators who use Trustwave SEG Cloud to accept and filter messages from the Internet, and a cloud-based solution to host user mailboxes.

This document provides specific instructions for configuration with Microsoft Exchange Online and Google G Suite. The same ideas can be used to configure other cloud-based mailbox hosting solutions.


Copyright © Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. Using Trustwave SEG Cloud with Cloud-Based Email Solutions - January 8, 2018

1 Trustwave SEG Cloud for Anti-Malware with Cloud-Based Email Solutions

In this scenario, the organization hosts user mailboxes on a cloud-based service such as Microsoft Exchange Online or Google G Suite Email. The organization uses the Trustwave SEG Cloud service to provide filtering of spam and malware, and other policy controls for both inbound and outbound messages.

[Diagram: Internet, Trustwave SEG Cloud, and the Cloud Mailbox Hosting Service (User Mailboxes), with two Connectors between SEG Cloud and the hosting service.]

2 Networking and DNS Setup

1. Configure MX records for all your local domains to point to the Trustwave SEG Cloud environment: MX 10 seg.trustwave.com

Note: In most cases MX records are updated when you are ready to direct email into the new environment (after all other configuration is complete).

2. Add the SEG Cloud server to your SPF record. For example, you might enter v=spf1 include:spf.seg.trustwave.com -all
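The following check for the SPF record in step 2 is an added example, not part of the Trustwave guide. It flags a record that lacks the SEG Cloud include, and one where a typographic dash pasted from a formatted document has replaced the ASCII hyphen before "all". The function name and the sample records are constructed for illustration.

```python
import re

# Include value taken from step 2 of this guide.
SEG_INCLUDE = "include:spf.seg.trustwave.com"

def check_spf(record):
    """Return a list of findings for an SPF TXT record (empty list = no findings)."""
    findings = []
    # Typographic dashes (en dash, em dash, minus sign) are not SPF qualifiers,
    # so a pasted "\u2013all" is not recognised as the "all" mechanism.
    if re.search(r"[\u2010-\u2015\u2212]", record):
        findings.append("non-ASCII dash in record")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("record does not start with v=spf1")
        return findings
    mechanisms = [t.lower() for t in terms[1:]]
    if SEG_INCLUDE not in mechanisms:
        findings.append("missing " + SEG_INCLUDE)
    all_terms = [t for t in mechanisms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism")
    else:
        qualifier = all_terms[0][:-3] or "+"   # a bare "all" means "+all"
        if qualifier != "-":
            findings.append("'all' qualifier is '%s', the guide's example uses '-'" % qualifier)
    return findings

# Constructed sample records.
GOOD = "v=spf1 include:spf.seg.trustwave.com -all"
PASTED = "v=spf1 include:spf.seg.trustwave.com \u2013all"   # en dash before all
NO_SEG = "v=spf1 include:_spf.example.net -all"
SOFT = "v=spf1 include:spf.seg.trustwave.com ~all"

if __name__ == "__main__":
    for rec in (GOOD, PASTED, NO_SEG, SOFT):
        print(repr(rec), "->", check_spf(rec) or "ok")
```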

3 Provisioning Trustwave SEG Cloud

Trustwave Provisioning or Managed Security Services must configure SEG Cloud to accept and deliver email for your domains.

1. SEG Cloud will deliver email incoming for your managed domains to the cloud hosting environment. Provide the delivery details to Trustwave.


• For Exchange Online, use the “MX endpoint” of your Exchange Online environment (such as yourexampledomain-com.mail.protection.outlook.com).

• For G Suite email, use the list of servers documented as “G Suite MX record values.” At the time this document was last reviewed the values were as in the table below.

Destination Server          Priority
ASPMX.L.GOOGLE.COM          1
ALT1.ASPMX.L.GOOGLE.COM     5
ALT2.ASPMX.L.GOOGLE.COM     5
ALT3.ASPMX.L.GOOGLE.COM     10
ALT4.ASPMX.L.GOOGLE.COM     10

2. SEG Cloud will accept email relaying (messages sent to other domains “from” your managed domains) based on the configured inbound delivery addresses. For Exchange Online and G Suite, to ensure that the relaying addresses are up to date, Trustwave will also configure relaying based on the SPF records published by the service.

4 Configuring Exchange Online

You will set up two connectors to route email between SEG Cloud and Exchange Online.

To complete this step, you must have an Office 365 Administrator credential with permission to create connectors. You may find that the validation process only works with a Microsoft browser.

To create a connector in Office 365:

1. From the top left corner, open the menu and then click the gray box Admin.


2. From the Admin left menu, click Exchange to go to the Exchange Admin Center.

3. Next, click mail flow, and then click connectors.

4.1 Set up a connector to send outgoing messages through SEG Cloud

1. To start the Connector wizard, click the plus symbol +.

2. On the first screen, choose a connector as follows:
   From: Office 365
   To: Partner Organization
   Click Next.


3. On the next screen, give the connector a name and a detailed description. If you want to enable this routing immediately, check the box Turn it on. Click Next.

4. On the following screen (When do you want to use this connector?), select Only when email messages are sent to these domains.

Click + to add recipient domains. On the Add domain window, enter * (to signify all domains), and then click Next.


5. On the next screen How do you want to route email messages?, select Route email through these smart hosts.

6. Click + to add a smart host.

7. Enter the externally resolvable hostname of the Trustwave SEG Cloud server: seg-outbound.trustwave.com

8. On the following screen How should Office 365 connect?:

9. The Transport Layer Security box should be selected.

10. Ensure that your connector validates. Save the connector.

4.2 Set up a connector to accept incoming messages from SEG Cloud

Note: When you set up a connector as described in this section, Exchange Online will ONLY accept incoming SMTP messages that are sent from the SEG Cloud servers at the IP addresses you specify. Messages from any other source will be refused.

The steps to accept incoming messages are similar to those for outgoing messages.

1. To start the Connector wizard, click the plus symbol +.

2. On the first screen, choose a connector as follows (note the direction):
   From: Partner Organization
   To: Office 365


3. Give the connector a name and verbose description.

4. On the screen How do you want to identify the partner organization?, select Use the sender’s domain.

• Click + to add sender domains. On the Add domain window, enter * (to signify all domains)

5. On the screen What security restrictions do you want to apply?, select Reject email messages if they aren’t sent from within this IP address range

• Click + to add an IP address. On the Add ip address window, enter one of the IP address ranges of the Trustwave SEG Cloud servers.

Note: Because you can only enter ranges with /24 or higher, you must enter four ranges to cover the required addresses.

• Repeat until you have added all four ranges:
   204.13.200.0/24
   204.13.201.0/24
   204.13.202.0/24
   204.13.203.0/24


6. Choose to Reject email messages if they aren’t sent over TLS. Do not require a subject name on the certificate.

The connector information should appear as below:

7. Save the connector.

4.3 Set up the SEG Connector Agent for Azure AD

The Connector Agent is an optional module of SEG Cloud that allows you to retrieve information about local user groups and email addresses from your Active Directory server or LDAP server, for use in SEG Cloud policy.

You can use the Connector Agent with Azure AD.

Tip: For full instructions about how to download, install, and configure the Connector Agent, refer to the SEG Cloud Customer Guide.

• If you have a workstation or server available on premises that is a domain member, you can install and configure the Connector Agent in the same way as for a premises AD installation. Refer to the SEG Cloud Customer Guide.

• You can also use the Connector Agent to synchronize information from Azure AD using LDAPS.


To use the Connector Agent with Azure AD LDAPS:

1. Configure Secure LDAP (LDAPS) in Azure AD Domain Services. See the Microsoft documentation for this task.

2. Once secure LDAP access to your managed domain over the internet is successfully enabled, the Azure AD Domain Services management site shows the external IP address that can be used to access your directory over LDAPS in the field EXTERNAL IP ADDRESS FOR LDAPS ACCESS.

3. Install the Connector Agent on any computer that has Internet access (HTTPS access to SEG Cloud, and port 636 for LDAPS access to the Azure LDAPS IP address).


4. Create a new connector, and specify an LDAP directory of type “Microsoft Active Directory”.

5. Enter the Azure LDAPS IP address. Specify port 636 and select Connect using SSL. Enter logon credentials.

6. Click Next. The Agent tests the connection.

7. When the connection is successfully tested, continue the Wizard as described in the SEG Cloud Customer Guide.

8. When the connector has been successfully created, you can proceed to select groups for synchronization.


5 Configuring G Suite Email

You will set up two gateways to route email between SEG Cloud and G Suite Email. To complete this step, you must have an Administrator credential for the service.

5.1 Set up an Outbound Mail Gateway to deliver outgoing messages to SEG Cloud

1. From the G Suite dashboard, go to Apps > G Suite > Gmail > Advanced settings.

2. In the Organizations section, highlight the top-level org.

3. Scroll down to the Outbound gateway section.

4. In the Outbound gateway text box, enter the externally resolvable hostname of the Trustwave SEG Cloud server: seg-outbound.trustwave.com

5. Save your changes.

5.2 Set up an Inbound Mail Gateway to accept incoming messages from SEG Cloud

1. From the G Suite dashboard, go to Apps > G Suite > Gmail > Advanced settings.

2. In the Organizations section, highlight your domain (top-level org).

3. Scroll down to Inbound gateway (you can also enter Inbound gateway in the search field).

4. Hover the cursor to the right of Inbound gateway. To create a new inbound gateway setting, click Configure. To edit an existing setting, click Edit.

5. Under Gateway IPs, enter the IP address range of the Trustwave SEG Cloud servers: 204.13.200.0/22

6. Also select Reject all mail not from gateway IPs and Require TLS for connections from the email gateways listed above.

7. Save your changes.
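The inbound restrictions in sections 4.2 and 5.2 use the same SEG Cloud addresses, written as four /24 ranges for Exchange Online and as one /22 for G Suite. The following added example (not part of the Trustwave guide) confirms that the two forms cover the same addresses and lists which connecting IPs in a message trace export fall outside them, and so would be refused once the restriction is enabled. The trace rows and column names are constructed and hypothetical.

```python
import csv
import io
import ipaddress

# Values from this guide: section 4.2 lists four /24 ranges, section 5.2 one /22.
EXCHANGE_RANGES = ["204.13.200.0/24", "204.13.201.0/24",
                   "204.13.202.0/24", "204.13.203.0/24"]
GSUITE_RANGE = "204.13.200.0/22"

# Constructed sample export; the column names are hypothetical.
SAMPLE_TRACE = """received,client_ip,recipient
2018-01-08T09:00:01Z,204.13.201.17,alice@example.com
2018-01-08T09:00:07Z,203.0.113.5,bob@example.com
2018-01-08T09:01:42Z,204.13.203.250,carol@example.com
2018-01-08T09:02:10Z,198.51.100.20,alice@example.com
2018-01-08T09:02:11Z,not-an-ip,bob@example.com
"""

def split_for_exchange(cidr, new_prefix=24):
    """Split a range into /24 blocks, since the wizard only accepts /24 or higher."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen >= new_prefix:
        return [str(net)]
    return [str(n) for n in net.subnets(new_prefix=new_prefix)]

def same_coverage(ranges_a, ranges_b):
    """True when both lists of CIDR ranges cover exactly the same addresses."""
    def collapse(ranges):
        nets = [ipaddress.ip_network(r) for r in ranges]
        return list(ipaddress.collapse_addresses(nets))
    return collapse(ranges_a) == collapse(ranges_b)

def would_be_refused(trace_csv, allowed_ranges):
    """Return trace rows whose connecting IP is outside the allowed gateway ranges."""
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    refused = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        try:
            ip = ipaddress.ip_address(row["client_ip"].strip())
        except ValueError:
            refused.append(row)  # unparsable source: treat as not allow-listed
            continue
        if not any(ip in net for net in nets):
            refused.append(row)
    return refused

if __name__ == "__main__":
    print(split_for_exchange(GSUITE_RANGE))
    print(same_coverage(EXCHANGE_RANGES, [GSUITE_RANGE]))
    for row in would_be_refused(SAMPLE_TRACE, EXCHANGE_RANGES):
        print(row["received"], row["client_ip"], row["recipient"])
```

Running this over a recent export before the MX change shows which senders still deliver directly to the hosting service instead of through SEG Cloud.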


About Trustwave

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

Trademarks

G Suite is a trademark of Google, Inc.