FAQs

Table 1. Frequently Asked Questions (FAQs)

Question

Answer

How does Cloud App Security ensure high availability?

All Cloud App Security service components maintain a stateless design. As such, they freely scale when volume increases. By default, all customer-facing services are set up redundantly behind the Windows Azure Load Balancer to ensure high availability.

How does Cloud App Security guarantee data privacy in a multi-tenant environment?

Cloud App Security does not store original content (email messages and files). Cloud App Security gets access to email and file content in cloud applications and processes it in memory, without storing it upon completion.

Will Cloud App Security impede access speed to messages and files?

Cloud App Security has no impact on performance when customers receive email messages, upload files to, or download files from cloud applications and services.

How can a customer with a trial license migrate the configurations on the trial Cloud App Security management console to the production management console after they purchase Smart Protection Complete with a full license?

You need to attach the CLP account you created with the Cloud App Security trial license to your Smart Protection Complete full license first.

  1. Log on to the Trend Micro Customer Licensing Portal (CLP) https://clp.trendmicro.com using your CLP account credentials.

  2. Go to My Products/Services, and then click Provide Key.

  3. On the License Key screen, type your registration key, not the activation code, in the Provide your Activation Code or product key text box, and then click Continue.

  4. Select the check box and then click Continue to finish the process.

After you re-log on to the Cloud App Security production management console, all the configurations are migrated and your license is updated.

How do employees log on to Cloud App Security using Internet Explorer on Windows Server?

Internet Explorer has different default settings on Windows Server and other Windows versions. Enable active scripts for the "Internet" zone to log on to Cloud App Security through Internet Explorer on Windows Server.

  1. Open Internet Explorer.

  2. Go to Tools > Internet options > Security.

  3. Select the Internet zone.

  4. Click Custom Level. The Security Settings – Internet Zone window appears.

  5. Under the Scripting section, enable Active scripting.

  6. Click OK to close the Security Settings – Internet Zone window.

  7. Click OK to close Internet Options window.

Is a customer who purchased Trend Micro Smart Protection Complete able to use Cloud App Security in a different site from the one dictated by the customer's registration key or activation code?

No, Cloud App Security serves a customer in the site based on the region or country dictated by the customer's registration key or activation code. To use Cloud App Security in a different site, the customer needs to apply for a new Customer Licensing Portal account with a new registration key corresponding to the site they want to use.

Why cannot I restore or delete an email message that has been quarantined by Cloud App Security?

When an email message is quarantined, it is stored in the quarantine folder created by Cloud App Security for further processing. Upon receiving a request to restore or delete the message, Cloud App Security fails to do so if it cannot locate the message in the quarantine folder. When the issue occurs, check whether this message was moved out of the quarantine folder to somewhere else. You can go to Quarantine and view the Mail Location column to find the current location of the message.

When and how does Cloud App Security deprovision a service account for the Office 365 services if the customer's license expires?

If your license has reached the end of the grace period, Cloud App Security disables your CLP account. This means that the Cloud App Security management console is no longer accessible and Cloud App Security does not protect your services any more.

After 30 days of the grace period, Cloud App Security automatically de-provisions your CLP account:

  • For Exchange Online: Removes the quarantine folder.

  • For SharePoint Online / OneDrive:

    • Removes the remote event receiver from each site collection.

    • Removes the service account from each site collection's administrator group.

      Note:

      This applies only when the service account has been promoted Global Administrator privileges during the provisioning. If you did not select this option during provisioning, you can sign in to the Microsoft 365 admin center with your Global Administrator account at a later time and remove the service account manually.

    • Removes the quarantine document library.

Note:

Cloud App Security recommends that you delete quarantine logs before deprovisioning.

After the automatic deprovisioning, Microsoft removes the SharePoint user profiles 30 days after service account removal. There is still remaining data created for Cloud App Security that requires the following manual cleanup:

  • You need to manually remove service account users from the SharePoint/OneDrive user list.

  • You need to manually remove the Cloud App Security notification files.

How can a customer enable multi-factor authentication (MFA) on the Exchange Online and SharePoint Online Delegate Accounts after automatic provisioning?

On August 2, 2019, Microsoft implemented a mandatory Multi-Factor Authentication (MFA) policy for all partners re-selling Office 365 licenses to end users. The policy requires all administrator accounts in the Cloud Solution Provider (CSP) tenant to have Multi-Factor Authentication.

  • For the Authorized Accounts provisioned using token-based modern authentication, it is the recommended approach and has no impact by MFA enforcement.

  • For the Exchange Online and SharePoint Online Delegate Accounts created using the automatic provisioning process, they need to meet this partner security requirement, while at the same time maintaining their capability of being used to protect the Office 365 services. For more information about how to enable MFA for the Delegate Accounts, see https://success.trendmicro.com/solution/1123706.

How can a customer specify a name and location when downloading quarantined items, instead of using the default name?

When you download quarantined items through a web browser, Cloud App Security automatically generates a file name in a default format: <timestamp>_<email subject or file name>_<affected user's name>.

To customize the file name and location, configure the Downloads settings of your browser to always ask where to save each file before downloading.

Why does Cloud App Security still quarantine or delete email messages even when all policies are in the Monitor Only mode?

In Cloud App Security, the default Monitor Only policy takes effect only at the policy level. When requested to quarantine or delete an email message by integrated products or the Cloud App Security Threat Mitigation APIs, Cloud App Security quarantines or deletes the email message even if the default Monitor Only policy is enabled.

To ensure that Cloud App Security does not take any actions other than "Pass" when the default Monitor Only policy is enabled, perform the following:

  • Go to Administration > Global Settings > Suspicious Object List and disable the feature.

  • Go to Administration > Global Settings > Blocked Lists for Exchange Online, select your organization, and disable the feature.

  • Avoid taking actions on email messages through integrated products or the Threat Mitigation APIs.

For inbound messages scanned by Cloud App Security Inline Protection, how can I prevent the messages from being marked as unverified senders by Microsoft Exchange Online Protection (EOP)?

Add the domain of Cloud App Security Inline Protection to the Tenant Allow List of Microsoft based on your serving site.

  1. In the Microsoft 365 Defender portal, go to Policies & rules > Threat Policies > Rules > Tenant Allow/Block Lists.

  2. On the Tenant Allow/Block List screen, select the Spoofed senders tab, and then click +Add.

  3. In the Add new domain pairs panel that appears, configure the following settings:

    • Add domain pairs with wildcards: Enter the domain pair based on your serving site.

      • US site: *, inpost.tmcas.trendmicro.com

      • EU site: *, inpost-eu.tmcas.trendmicro.com

      • Japan site: *, inpost.tmcas.trendmicro.co.jp

      • Australia and New Zealand site: *, inpost-au.tmcas.trendmicro.com

      • Canada site: *, inpost-ca.tmcas.trendmicro.com

      • Singapore site: *, inpost.tmcas.trendmicro.com.sg

      • UK site: *, inpost.tmcas.trendmicro.co.uk

      • India site: *, inpost-in.tmcas.trendmicro.com

    • Spoof type: Select External.

    • Action: Select Allow.

  4. Click Add.

For more information, see Microsoft documentation.

For internal messages that are scanned by Cloud App Security Inline Protection, how can I prevent the messages from being marked as internal email spoofing by Microsoft Exchange Online Protection (EOP)?

Note:

Normally, Cloud App Security Inline Protection does not scan internal messages. However, in some cases, such as when internal messages are sent using a private mail server, the Exchange Online transport rule used by Cloud App Security Inline Protection can identify internal messages as inbound messages from external users and route the messages to Cloud App Security Inline Protection for scanning.

  • Solution 1: Add the domain of Cloud App Security Inline Protection to the Tenant Allow List of Microsoft based on your serving site.

    For details, see the answer for the question above.

  • Solution 2: Add the IP addresses of Cloud App Security Inline Protection MTAs for inbound messages to the SPF record for your domains.

    The IP addresses for each serving site are as follows:
    • US site: 20.245.215.64/28

    • EU site: 20.4.48.48/28

    • Japan site: 13.78.70.144/28

    • Australia and New Zealand site: 20.70.30.192/28

    • Canada site: 52.228.5.240/28

    • Singapore site: 52.163.102.112/28

    • UK site: 20.254.97.192/28

    • India site: 20.204.179.112/28

Is it necessary to add the IP addresses of Cloud App Security Inline Protection MTAs for outbound messages to the SPF record for my domains?

As recommended by Microsoft, you can add the IP addresses of Cloud App Security Inline Protection MTAs for outbound messages to the SPF record for your domains.

The IP addresses for each serving site are as follows:

  • US site: 20.66.85.0/28

  • EU site: 20.160.56.80/28

  • Japan site: 20.78.49.240/28

  • Australia and New Zealand site: 20.227.209.48/28

  • Canada site: 20.220.229.208/28

  • Singapore site: 52.163.216.240/28

  • UK site: 20.0.233.224/28

  • India site: 20.235.86.144/28

Why does my provisioning, configuration, or migration for Cloud App Security Inline Protection always fail?

  • Possible cause 1: The account used for provisioning for or migrating to Inline Protection belongs to a Microsoft 365 E5 developer subscription, which does not support inbound connector creation.

    Do not use an account belonging to a Microsoft 365 E5 developer subscription for provisioning or migration.

  • Possible cause 2: The total number of transport rules you have created in the Microsoft 365 admin center has reached the maximum limit.

    Remove unnecessary transport rules in the Microsoft 365 admin center before you continue.

For messages scanned by Cloud App Security Inline Protection, how can I prevent them from being rejected by the connection filtering of Microsoft EOP?

Add the IP addresses of Cloud App Security MTAs for Inline Protection to the IP Allow List of EOP.

  1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section.

  2. On the Anti-spam policies screen, select Connection filter policy (Default) from the list by clicking on the name of the policy.

  3. In the policy details panel that appears, configure the Description section and click Save.

  4. In the Connection filtering section, click Edit connection filter policy.

  5. In the panel that appears, configure Always allow messages from the following IP addresses or address range, which is the IP Allow list.

    Add the IP addresses of Cloud App Security MTAs for Inline Protection based on your serving site.

    The IP addresses of Cloud App Security Inline Protection MTAs for inbound messages are as follows:

    • US site: 20.245.215.64/28

    • EU site: 20.4.48.48/28

    • Japan site: 13.78.70.144/28

    • Australia and New Zealand site: 20.70.30.192/28

    • Canada site: 52.228.5.240/28

    • Singapore site: 52.163.102.112/28

    • UK site: 20.254.97.192/28

    • India site: 20.204.179.112/28

    The IP addresses of Cloud App Security Inline Protection MTAs for outbound messages are as follows:

    • US site: 20.66.85.0/28

    • EU site: 20.160.56.80/28

    • Japan site: 20.78.49.240/28

    • Australia and New Zealand site: 20.227.209.48/28

    • Canada site: 20.220.229.208/28

    • Singapore site: 52.163.216.240/28

    • UK site: 20.0.233.224/28

    • India site: 20.235.86.144/28

For more information, see Microsoft documentation.