Showing results for 
Search instead for 
Did you mean: 

Office 365 Email Routing Using ESA


Dear support,

we are looking to migrate to office  365, however i would like to keep email routing via on-premise iron-port appliance. 

I need to ensure the following:

1. Email sent from Office 365 to external (internet) routes through on-prem ESA and normal content filter,outbound mail policy and DLP policy applies

2. Email sent between two users in office 365 does not need to route via onprem.

3. Outbound email from on-prem, continues to route email as normal with content filter,outbound mail policy and DLP policy applied.

4. Email sent from on-prem user to cloud user (i.e. our private O365 tenant) goes back out via ESA en-route to office 365,however without any filtering, or DLP policy

please has anyone implemented this scenario. I need some guidance as i am not great with ESA appliance

17 Replies 17


I am trying to configure our system according to the following instructions.
(Outbound from EXO -> On-Premises ESA -> External Domains.)
If has been configured as RELAY, doesnt that mean that mails from foreign external EXO Domains to us are also sent via this relay config? So there is no filtering either?


I am trying to setup the same as you described, and have the same question about  I have read that you can apply a message content filter, but would that drop the message from other external 365 domains that are sending mail to users?  What do you need to apply to have messages from your company 365 be relayed through CES and allow external 365 users email not use the sender relay list and be seen as inbound email. 

Cisco Employee
Cisco Employee

@rschwendeman Use a different "private" listener for outbound emails from your O365 tenant to external domains. Configure O365 connector configuration to send outgoing emails via the private listener. Setup the RELAYLIST under this new listener with sender as

As highlighted in the guide, setup the message filter with a condition matching your private listener name. This is way its matched only for connections landing on the outbound/private listener and other connections on incoming listener are ignored.

office365_outbound: if sendergroup == "RELAY_O365" {
if header("X-OUTBOUND-AUTH") == "^mysecretkey$" {
} else {

In retrospect, all external O365 tenants rely on MX records which will be pointed to incoming listener IP address (ensure there's no RELAYLIST configured for

Your own O365 tenant uses the connector configuration to relay outbound emails to private listener.




Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers