Connectors, Transport Rules, Groups, and Allow Lists for Inline Protection

The following table lists the connectors, transport rules, and Microsoft 365 groups created in your Exchange Online service to implement mail flow for Inline Protection of Exchange Online:

Protection

Category

Item

Description

Inbound protection

Transport rule

TMCAS Inline Incoming Domain Transport Rule

Routes inbound email messages intended for users in specified domains to Cloud App Security for security scanning.

TMCAS Inline Incoming User Transport Rule

Routes inbound email messages intended for specified users to Cloud App Security for security scanning.

All the specified users are added to the Microsoft 365 group TMCAS Inline Incoming O365 Virtual Group.

TMCAS Inline Incoming Skip Spam Filter Transport Rule

Skips the spam filter of Exchange Online. This prevents the Exchange Online mail server from mistakenly filter the inbound email messages returned by Cloud App Security as spam.

Note:

This transport rule prevents a double anti-spam check but may generate security alerts for the emails.

TMCAS Inline Incoming Move to Junk Folder Transport Rule

Moves an inbound email message to Junk Folder when the message is applied the "Move to Junk Folder" action by Cloud App Security.

Connector

TMCAS Inline Outbound Connector for Incoming Message

Routes inbound email messages to Cloud App Security.

TMCAS Inline Inbound Connector for Incoming Message

Receives inbound email messages from Cloud App Security.

Microsoft 365 group

TMCAS Inline Incoming O365 Virtual Group

User group created to implement the transport rule for user-based inbound protection.

Outbound protection

Transport rule

TMCAS Inline Outgoing Domain Transport Rule

Routes outbound email messages sent from users in specified domains to Cloud App Security for security scanning.

TMCAS Inline Outgoing User Transport Rule

Routes outbound email messages sent from specified users to Cloud App Security for security scanning.

All the specified users are added to the Microsoft 365 group TMCAS Inline Outgoing O365 Virtual Group.

Connector

TMCAS Inline Outbound Connector for Outgoing Message

Routes outbound email messages to Cloud App Security.

TMCAS Inline Inbound Connector for Outgoing Message

Receives outbound email messages from Cloud App Security.

Microsoft 365 group

TMCAS Inline Outgoing O365 Virtual Group

User group created to implement the transport rule for user-based outbound protection.

The IP address range in the transport rules is the address of the Cloud App Security server at your serving site. For details, see the following table "Changes to Allow Lists".

Note:

To ensure that Inline Protection works properly and your email delivery functions as expected, do not modify the transport rules, connectors, and Microsoft 365 groups.

The following table lists the changes made by Cloud App Security to the allow lists in your Exchange Online service in order for emails to get delivered as expected after they are scanned by Inline Protection.

Table 1. Changes to Allow Lists

Allow List

Change by Cloud App Security

Allow entries for spoofed senders in the Tenant Allow/Block List

For more information, see Microsoft documentation.

Adds a domain pair based on your serving site:

  • US site: *, inpost.tmcas.trendmicro.com

  • EU site: *, inpost-eu.tmcas.trendmicro.com

  • Japan site: *, inpost.tmcas.trendmicro.co.jp

  • Australia and New Zealand site: *, inpost-au.tmcas.trendmicro.com

  • Canada site: *, inpost-ca.tmcas.trendmicro.com

  • Singapore site: *, inpost.tmcas.trendmicro.com.sg

  • UK site: *, inpost.tmcas.trendmicro.co.uk

  • India site: *, inpost-in.tmcas.trendmicro.com

IP Allow List in connection filtering

For more information, see Microsoft documentation.

Adds the IP addresses of Cloud App Security MTAs for Inline Protection based on your serving site.

The IP addresses of Cloud App Security for inbound protection are as follows:

  • US site: 20.245.215.64/28, 104.42.189.70, 104.210.58.247, 20.72.147.113, 20.72.140.32

  • EU site: 20.4.48.48/28, 20.107.69.176, 20.126.6.52, 20.54.65.186, 20.54.68.116

  • Japan site: 13.78.70.144/28, 20.222.63.30, 20.222.57.14, 104.46.234.4, 138.91.24.196

  • Australia and New Zealand site: 20.70.30.192/28, 20.213.240.47, 20.227.136.26, 20.39.98.128, 20.39.97.72

  • Canada site: 52.228.5.240/28, 52.228.125.192, 52.139.13.199, 52.229.100.53, 20.104.170.121

  • Singapore site: 52.163.102.112/28, 20.43.148.81, 20.195.17.218

  • UK site: 20.254.97.192/28, 20.68.25.194, 20.68.210.42, 52.142.171.1, 52.142.170.52

  • India site: 20.204.179.112/28, 20.204.44.59, 20.204.113.71, 20.219.110.223, 13.71.71.12

The IP addresses of Cloud App Security for outbound protection are as follows:

  • US site: 20.66.85.0/28, 104.210.59.109, 104.42.190.154, 20.72.147.115, 20.72.140.41

  • EU site: 20.160.56.80/28, 20.126.64.109, 20.126.70.251, 20.54.65.179, 20.54.68.120

  • Japan site: 20.78.49.240/28, 20.222.60.8, 52.140.200.104, 104.46.227.238, 104.46.237.93

  • Australia and New Zealand site: 20.227.209.48/28, 20.227.165.104, 20.213.244.63, 20.39.98.131, 20.39.97.73

  • Canada site: 20.220.229.208/28, 52.228.125.196, 52.139.13.202, 20.104.170.106, 20.104.172.35

  • Singapore site: 52.163.216.240/28, 20.43.148.85, 20.195.17.222

  • UK site: 20.0.233.224/28, 20.68.214.138, 20.68.212.120, 52.142.171.6, 52.142.170.53

  • India site: 20.235.86.144/28, 4.213.51.121, 4.213.51.126, 104.211.202.104, 52.172.7.14
Parent topic: Provisioning an Exchange Online (Inline Mode) Authorized Account