Solved: Mailbox Auto Remediation for O365 on ESA

Doug Maxfield · ‎08-07-2017

Good Morning,

Reading through the document "How-To Configure Mailbox Auto Remediation for Office 365 on Cisco Email Security". It talks about "Building a Public and Private Certificate and Key Pair". We have previously generated these items for SSH access to our Cloud ESA. Can we use the same Key Pairs or do you recommend generating new Key Pairs?

Thanks in advance,

Doug

Doug Maxfield · ‎05-18-2018

Update on this:

We were able to get the Auto Remediation working correctly. The step that I questioned about yesterday should be the path in your O365 deployment to get to OWA. In our case, it was https://outlook.office.com/OWA. I also believe that we may have missed a step in configuring the required permission. We set them, but believe that we forgot to select the "Grant Permissions" option. After doing those 2 items, we were able to successfully connect from cESA to O365 with the Connect Check test.

Doug

View solution in original post

Robert Sherwin · ‎08-09-2017

You are referencing the following article?

How-to configure Azure AD and Office 365 mailbox settings for ESA

I would recommend just creating a new pair specifically for this operation. Doesn't need to be anything fancy, just simple self signed cert, export - etc. In my testing and repros on this, I have seen instances where existing pub/private key pairs caused the .json build to fail.

This white paper gives the same technique I use, using XCA:

https://www.cisco.com/c/dam/en/us/products/collateral/security/email-security-appliance/guide-c07-738370.pdf

I like my steps in my article better to do the actual setup, though.

-Robert

Cheers,
Robert Sherwin

Doug Maxfield · ‎08-09-2017

Robert,

Thanks for the reply. I have both articles printed out and reviewing them.

Doug

Doug Maxfield · ‎08-11-2017

We have followed the instructions provided, and believe everything is configured properly, but when running the "Check Connection" test at the very end, we are receiving a failure with the following error message:

Connection Unsuccessful.

Details:
int() argument must be a string or a number, not 'Sequence'

Not sure if this is a configuration issue on our side, or what, but if you have any insight, or have any idea of how to dig deeper into the problem, it would be appreciated.

Thanks

Roland Gregori · ‎04-10-2018

Hi Doug,

have you ever found a solution for this as we are facing the same issue.

Thanks

Roland

Robert Sherwin · ‎04-13-2018

How did you create the certificate? Are you Windows user, or Linux/OS X user?

Can you try out a script for me, if you are Linux/OS X user ---

https://github.com/robsherw/my_azure

The only time I have seen the int() error is when there is issue wrong w/ the certificate, and that sprials into invalidating the whole Azure setup process. Happy to get some more feedback and see if we can get this corrected for you.

Cheers,
Robert Sherwin

Doug Maxfield · ‎05-17-2018

Sorry to bring up an old thread.

We are looking at this again and believe that we have gotten much closer. The "int" error is gone and now it looks likes it's a connection error:

Connection Unsuccessful.

Details:
Unable to connect to Office 365 services with the specified parameters. Please verify Azure AD details and retry.

I believe I might know where the problem is but need some clarification. Going through the Auto Remediation for Office 365 guide, on page 6, in the section "Register your CES Cluster as an Application in Azure", #6 says "Sign-on URL in the form, with a note that says "This is the URL where users can sign in an use your appliance."

What are we looking for here? I put in our cESA URL and that isn't working. But our users are not allow access to the cESA except for Spam Quarantine. Are you looking for our O365 OWA access? Just need some help to figure it out.

The document that I'm using is dated 2016. Is there a new document to follow?

Thanks,

Doug

Doug Maxfield · ‎05-18-2018

Update on this:

We were able to get the Auto Remediation working correctly. The step that I questioned about yesterday should be the path in your O365 deployment to get to OWA. In our case, it was https://outlook.office.com/OWA. I also believe that we may have missed a step in configuring the required permission. We set them, but believe that we forgot to select the "Grant Permissions" option. After doing those 2 items, we were able to successfully connect from cESA to O365 with the Connect Check test.

Doug

andrew.brazier · ‎08-06-2019

This document has been updated taking into account Azure changes and with more detail around the certificates process. Much improved! :-)

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/211404-How-to-configure-Azure-AD-and-Office-365.html#anc9