The following table lists the connectors, transport rules, and Microsoft 365 groups created in your Exchange Online service to implement mail flow for Inline Protection of Exchange Online:
Protection |
Category |
Item |
Description |
---|---|---|---|
Inbound protection |
Transport rule |
TMCAS Inline Incoming Domain Transport Rule |
Routes inbound email messages intended for users in specified domains to Cloud App Security for security scanning. |
TMCAS Inline Incoming User Transport Rule |
Routes inbound email messages intended for specified users to Cloud App Security for security scanning. All the specified users are added to the Microsoft 365 group TMCAS Inline Incoming O365 Virtual Group. |
||
TMCAS Inline Incoming Skip Spam Filter Transport Rule |
Skips the spam filter of Exchange Online. This prevents the Exchange Online mail server from mistakenly filter the inbound email messages returned by Cloud App Security as spam. Note:
This transport rule prevents a double anti-spam check but may generate security alerts for the emails. |
||
TMCAS Inline Incoming Move to Junk Folder Transport Rule |
Moves an inbound email message to Junk Folder when the message is applied the "Move to Junk Folder" action by Cloud App Security. |
||
Connector |
TMCAS Inline Outbound Connector for Incoming Message |
Routes inbound email messages to Cloud App Security. |
|
TMCAS Inline Inbound Connector for Incoming Message |
Receives inbound email messages from Cloud App Security. |
||
Microsoft 365 group |
TMCAS Inline Incoming O365 Virtual Group |
User group created to implement the transport rule for user-based inbound protection. |
|
Outbound protection |
Transport rule |
TMCAS Inline Outgoing Domain Transport Rule |
Routes outbound email messages sent from users in specified domains to Cloud App Security for security scanning. |
TMCAS Inline Outgoing User Transport Rule |
Routes outbound email messages sent from specified users to Cloud App Security for security scanning. All the specified users are added to the Microsoft 365 group TMCAS Inline Outgoing O365 Virtual Group. |
||
Connector |
TMCAS Inline Outbound Connector for Outgoing Message |
Routes outbound email messages to Cloud App Security. |
|
TMCAS Inline Inbound Connector for Outgoing Message |
Receives outbound email messages from Cloud App Security. |
||
Microsoft 365 group |
TMCAS Inline Outgoing O365 Virtual Group |
User group created to implement the transport rule for user-based outbound protection. |
The IP address range in the transport rules is the address of the Cloud App Security server at your serving site. For details, see the following table "Changes to Allow Lists".
To ensure that Inline Protection works properly and your email delivery functions as expected, do not modify the transport rules, connectors, and Microsoft 365 groups.
The following table lists the changes made by Cloud App Security to the allow lists in your Exchange Online service in order for emails to get delivered as expected after they are scanned by Inline Protection.
Allow List |
Change by Cloud App Security |
---|---|
Allow entries for spoofed senders in the Tenant Allow/Block List For more information, see Microsoft documentation. |
Adds a domain pair based on your serving site:
|
IP Allow List in connection filtering For more information, see Microsoft documentation. |
Adds the IP addresses of Cloud App Security MTAs for Inline Protection based on your serving site. The IP addresses of Cloud App Security for inbound protection are as follows:
The IP addresses of Cloud App Security for outbound protection are as follows:
|