Connectors and Transport Rule on Exchange Online

TMCAS Outbound Connector

The following is an example of the TMCAS Outbound Connector.

Mail flow scenario

From: Office 365

To: Partner organization

Name

TMCAS Outbound Connector

Status

On

Use of connector

Use only when I have a transport rule set up that redirects messages to this connector.

Routing

Route email messages through these smart hosts: f993**********************447b.outrelay-site name.tmcas.trendmicro.com‎

Security restrictions

Always use Transport Layer Security ‎(TLS)‎ and connect only if the recipient’s email server certificate is issued by a trusted certificate authority ‎(CA)‎.

Validation

Last validation result: ‎Validation failed

Last validation time: ‎‎

In the above information:

Field

Description

Status

Connector status.

The default value is On because the connector is automatically turned on after created.

Routing

Destination to which emails are redirected for security scanning.

The address (as indicated by f993**********************447b.outrelay-site name.tmcas.trendmicro.com in this example) indicates a Cloud App Security server address, which comprises a unique ID assigned by Cloud App Security to your company followed by the FQDN of Cloud App Security at your serving site.

Validation

Information about validating that the TMCAS Outbound Connector can successfully redirect emails to Cloud App Security.

The result is Validation failed because Cloud App Security is unable to perform automatic validation due to restrictions on the Exchange Online platform. You can click Validate this connector under Validation to perform manual validation.

TMCAS Inbound Connector

The following is an example of the TMCAS Inbound Connector.

Mail flow scenario

From: Your organization's email server

To: Office 365

Name

TMCAS Inbound Connector

Status

On

How to identify email sent from your email server

Identify incoming messages from your email server by verifying that the sending server‎'s IP address is within these IP address ranges: <IP_address_range>, and the sender‎'s email address is an accepted domain for your organization.

In the above information:

Field

Description

Mail flow scenario

From is set to Your organization’s email server. This is necessary because the Cloud App Security server sending back emails must be regarded as your organization’s email server in order to successfully send back emails to Exchange Online.

Status

Connector status.

The default value is On because the connector is automatically turned on after created.

How to identify email sent from your email server

To identify an email sent from your email server, Cloud App Security applies two criteria:

  • The sender’s email address belongs to a domain of your organization that is protected by Cloud App Security.

  • The sending server’s IP address is within the IP address range of the Cloud App Security server for Outbound Protection at your serving site (as indicated by <IP_address_range> in the above sample).

Transport Rule

The following is an example of the transport rule.

TMCAS Outgoing Transport Rule_0

If the message...

Is sent to 'Outside the organization'

and sender's address domain portion belongs to any of these domains: '*********' or '*********' or '*********'

Do the following...

Route the message using the connector named 'TMCAS Outbound Connector'.

and Set audit severity level to 'Do not audit'

and set message header 'LOOP-IDENTIFIER' with the value '301a**********************c55d '

and Stop processing more rules

Except if...

sender ip addresses belong to one of these ranges: '<IP_address_range>'

or 'LOOP-IDENTIFIER' header contains ''301a**********************c55d''

Rule mode

Enforce

Additional properties

Sender address matches: Header or envelope

Version: 15.0.5.2

In the above information:

Field

Description

Do the following

When an email meets the criteria set in this rule, the email will not be processed by other rules.

Except if...

Cloud App Security uses two methods to prevent an email from being looped:

  • Check the loop identifier: A LOOP-IDENTIFIER (as indicated by 301a**********************c55d in the above sample) is added to an email before it is routed to the TMCAS Outbound Connector. When the email is sent back from Cloud App Security, the same LOOP-IDENTIFIER value is found and the email will not be processed by this rule again.

  • Check the sender’s IP address: If the IP address of the email sender belongs to the IP address range of the Cloud App Security server for Outbound Protection at your serving site (as indicated by <IP_address_range> in the above example), the email will not be processed by this rule.