On-Prem C100V Secure Email with O365

Garrett Hensley
Level 1

I'm converting from on-premises Exchange to O365 and following the documentation here: https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214812-configuring-office-365-microsoft-with.html#toc-hId-1043986565

Where I'm stuck is configuring the "outgoing" mail. On prem I use the OutgoingMail listener that the Exchange server uses to send mail. I have a sender group for that listener so Exchange can relay mail. Makes great sense. However, we only NAT the "IncomingMail" interface to the outside of our firewall. So, Exchange Online cannot reach the "IncomingMail" listener as it's behind the firewall and not NAT'd to an outside address.

So, my question is: when setting up an on-premises Cisco Email Appliance with O365, do you typically NAT the other 2 addresses to the outside so you would use a total of 4 IPs on 2 appliances, or have both listeners on the same interface? A third option would be to have Exchange Online use a different port if that's supported; in fact I think I would have to do that if I use a different listener on the same port.

1 Reply

UdupiKrishna
Cisco Employee

If you are working with integrating O365, it is recommended to have 2 different interfaces mapped to 2 different listeners.

1. You can't have 2 listeners on the same interface and use the same port number.

2. If you end up having just 1 listener, that is going to create a challenge when differentiating traffic that originates from your tenant vs. other O365 tenants, given they always use random hostnames.

To answer your question, logically you should NAT both interfaces to Public IP addresses.

Public listener/Interface IP NAT - so that it can be used to send and receive emails from external domains.

Private listener/Interface IP NAT - For O365 to connect to the ESA.
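As an added illustration of the reply's two points (not Cisco code or ESA configuration, and not part of the original thread), the model below assigns each inbound connection to a listener by the NAT'd destination address it arrived on and then applies a sender-group verdict. The listener names, private and public IP addresses, NAT entries and O365 source ranges are all constructed for the example; the real O365 egress ranges come from Microsoft's published list. With a single listener, your own tenant's connections and another tenant's are indistinguishable (same source ranges, random hostnames); with public and private listeners both NAT'd, the listener hit is the discriminator, and the private one can be the only place relay is allowed.

```python
"""Model of the two-listener ESA/O365 design from this thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Listener:
    name: str
    interface_ip: str  # appliance interface the listener binds to
    port: int
    relay: bool        # True: its sender group permits relay to the internet


def validate_listeners(listeners):
    """Reply point 1: two listeners cannot share one interface IP and port."""
    seen = {}
    for lst in listeners:
        key = (lst.interface_ip, lst.port)
        if key in seen:
            raise ValueError(f"{lst.name} and {seen[key]} both bind {key}")
        seen[key] = lst.name
    return True


# Constructed firewall NAT table: public IP -> appliance interface IP.
NAT = {"203.0.113.10": "10.0.0.10", "203.0.113.11": "10.0.0.11"}

# Constructed stand-in for the O365 outbound IP ranges (not the real list).
O365_RANGES = [ip_network("40.92.0.0/15"), ip_network("40.107.0.0/16")]

# Design A, the questioner's current state: one NAT'd interface, one listener.
SINGLE = [Listener("IncomingMail", "10.0.0.10", 25, relay=False)]

# Design B, the reply's recommendation: public and private listeners, both NAT'd.
DUAL = [
    Listener("IncomingMail", "10.0.0.10", 25, relay=False),
    Listener("OutgoingMail", "10.0.0.11", 25, relay=True),
]


def classify(listeners, src_ip, dst_public_ip, dst_port):
    """Return (listener name, sender-group verdict) for one inbound connection.

    Reply point 2: source IP and HELO name cannot separate your tenant from any
    other O365 tenant, since all of them connect from the same ranges with
    random hostnames. The usable discriminator is which listener the connection
    arrived on, which your tenant's outbound connector selects by smart host.
    """
    inner = NAT.get(dst_public_ip)
    listener = next((lst for lst in listeners
                     if lst.interface_ip == inner and lst.port == dst_port), None)
    if listener is None:
        # Not NAT'd, or nothing listening on that interface/port: O365 cannot
        # reach it at all, which is the questioner's current problem.
        return (None, "UNREACHABLE")
    from_o365 = any(ip_address(src_ip) in net for net in O365_RANGES)
    if listener.relay:
        # Private listener: only O365 egress should reach it; allow relay out.
        return (listener.name, "RELAY" if from_o365 else "REJECT")
    # Public listener: accept for local delivery only, never relay, even from O365.
    return (listener.name, "ACCEPT")


if __name__ == "__main__":
    validate_listeners(DUAL)
    own = ("40.92.1.5", "203.0.113.11", 25)     # your tenant, via the private IP
    other = ("40.92.1.6", "203.0.113.10", 25)   # another tenant, via the public IP
    # Single listener: both tenants land on the same listener with the same verdict.
    print(classify(SINGLE, "40.92.1.5", "203.0.113.10", 25),
          classify(SINGLE, "40.92.1.6", "203.0.113.10", 25))
    # Dual listener: the destination address tells them apart.
    print(classify(DUAL, *own), classify(DUAL, *other))
```

In the single-listener case a sender group keyed on O365 source ranges would have to either relay for every O365 tenant or relay for none; the dual-listener layout keeps relay confined to the private listener that only your connector is pointed at, which is why the reply asks for both interfaces to be NAT'd rather than sharing one.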