Barracuda Essentials for M365 v2020.

Barracuda
Barracuda
Total Email
Essentials for
Protection
Office365
(BTEP)
Services Configuration

Abstract
Abstract
The following is the walkthrough procedure for
configuring Total Email Protection & its
underlying services to protect your Office365
environment

This document constitutes proprietary and confidential information of Intronis. This document may not be disclosed, used or duplicated, in whole or in part 1
without the prior written consent of Intronis.

Copyright © 2003-2017 Intronis MSP Solutions by Barracuda. All rights reserved.

 Barracuda Total Email Protection v2022.03

GOAL OF THIS DOCUMENT .................................................................................................................................... 5

INTENDED AUDIENCE ......................................................................................................................................................5
GETTING STARTED WITH BARRACUDA TOTAL EMAIL PROTECTION (BTEP) ............................................................ 6
ECHOPLATFORM. ..........................................................................................................................................................6
Account Creation...................................................................................................................................................6
Activating Barracuda Total Email Protection ........................................................................................................7
Changing Seat Count / Product .............................................................................................................................9
UNDERSTANDING THE BARRACUDA CLOUD CONTROL (BCC) ............................................................................... 10
OVERVIEW ..................................................................................................................................................................10
HOW TO FIND MY SERIAL # ............................................................................................................................................10
GETTING STARTED WITH BARRACUDA EMAIL SECURITY SERVICE (BESS) ............................................................. 11
PROJECT PLAN .............................................................................................................................................................11
SET EXPECTATIONS AND TRAIN USERS ..............................................................................................................................11
Initial Email Template .........................................................................................................................................11
DAY OF DEPLOYMENT ...................................................................................................................................................12
Day of Deployment Template .............................................................................................................................12
PERFORM DEPLOYMENT ................................................................................................................................................13
Post Deployment Email Template .......................................................................................................................13
CONFIGURE BARRACUDA EMAIL SECURITY SERVICE (BESS) ................................................................................. 14
OVERVIEW ..................................................................................................................................................................14
PRE-REQUISITES ...........................................................................................................................................................14
INBOUND SCANNING SETUP ...........................................................................................................................................14
Add a Primary Domain to BESS ...........................................................................................................................14
Add Additional Domain(s) to BESS ......................................................................................................................17
Update Microsoft 365 Spam Policies ..................................................................................................................18
Create Receive Connector ...................................................................................................................................19
Add End User Accounts .......................................................................................................................................21
Default User Policy ..............................................................................................................................................22
End User Guide ....................................................................................................................................................22
BEST PRACTICE RECOMMENDATIONS ...............................................................................................................................23
Enable Email Continuity ......................................................................................................................................23
Enable Inbound Quarantine for Spam Scoring ....................................................................................................23
Quarantine Notification ......................................................................................................................................24
OUTBOUND SCANNING .................................................................................................................................................24
Send Connector ...................................................................................................................................................24
Sender Policy Framework (SPF) record. ...............................................................................................................26
Encryption ...........................................................................................................................................................26
Barracuda Email Security Service Outlook Add-in ...............................................................................................29
FINAL DEPLOYMENT STEPS .............................................................................................................................................31
POST DEPLOYMENT ............................................................................................................................................. 32
MONITORING THE SERVICE.............................................................................................................................................32
Message Log .......................................................................................................................................................32
Searching the Message Log ................................................................................................................................33
Reading the Message Log ...................................................................................................................................33
This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 2
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Viewing Message Details ....................................................................................................................................34

Message Log Actions...........................................................................................................................................34
TUNING THE SERVICE ....................................................................................................................................................34
Exempt and Block Policies ...................................................................................................................................34
Import Existing Policies .......................................................................................................................................35
Creating New Policies..........................................................................................................................................35
Common “False Positives” ..................................................................................................................................35
BARRACUDA CLOUD ARCHIVING SERVICE (CAS) .................................................................................................. 37
OVERVIEW ..................................................................................................................................................................37
PRE-REQUISITES ...........................................................................................................................................................37
ADD ARCHIVING USERS THROUGH AZUREAD .....................................................................................................................37
Connect Directory: ..............................................................................................................................................37
Deploy Users based on Group: ............................................................................................................................37
ADD ARCHIVING DOMAIN TO BCC ...................................................................................................................................38
CONFIGURING JOURNAL ARCHIVING FOR OFFICE365 ..........................................................................................................38
CONFIGURE EXCHANGE INTEGRATION ..............................................................................................................................39
Exchange Database: Historical Import ................................................................................................................39
PST IMPORT ...............................................................................................................................................................46
ARCHIVE ENCRYPTED EMAIL FROM BESS ..........................................................................................................................47
CLOUD TO CLOUD BACKUP (CCB) ......................................................................................................................... 48
OVERVIEW ..................................................................................................................................................................48
PRE-REQUISITES: ..........................................................................................................................................................48
CONNECT TO OFFICE365 TENANT ...................................................................................................................................49
CONFIGURE YOUR OFFICE365 DATA SOURCES ...................................................................................................................52
PROTECT YOUR OFFICE365 DATA SOURCE ........................................................................................................................54
Protection Status.................................................................................................................................................54
Protect Browser ..................................................................................................................................................54
Backup Schedules ................................................................................................................................................55
Restore ................................................................................................................................................................55
REPORTS ....................................................................................................................................................................56
Audit Log .............................................................................................................................................................57
IMPERSONATION PROTECTION ............................................................................................................................ 59
IMPLEMENTATION OVERVIEW .........................................................................................................................................59
HOW TO CONFIGURE THE IMPERSONATION PROTECTION AI .................................................................................................60
Configuring Initial Customer ...............................................................................................................................60
Configure Impersonation Protection for Additional Customers ..........................................................................64
HOW TO CONFIGURE IMPERSONATION PROTECTION DOMAIN FRAUD ....................................................................................67
Configure Domain Fraud .....................................................................................................................................68
Viewing Reports ..................................................................................................................................................68
Switching DMARC to Enforcement Mode ...........................................................................................................70
INCIDENT RESPONSE (FORENSICS) ....................................................................................................................... 72
PREREQUISITES - ..........................................................................................................................................................72
NAVIGATE TO INCIDENT RESPONSE ..................................................................................................................................72
CONFIGURING INCIDENT RESPONSE (FORENSICS)................................................................................................................73
APPENDIX 1 – HOW TO LOCATE YOUR OFFICE365 DOMAIN OR MAIL SERVER ..................................................... 73
APPENDIX 2 – HOW TO CONFIGURE AD SYNC FOR BARRACUDA CLOUD ARCHIVING SERVICE (BCAS) .................. 75
This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 3
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

LDAP ........................................................................................................................................................................75
APPENDIX 3 – MANUALLY CONFIGURE JOURNALING (BCAS) ............................................................................... 77

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 4
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Goal of this Document

This document is designed to familiarize Barracuda MSP Partners with Barracuda Total Email Protection
for Microsoft 365. It will outline everything you need to better understand how to prepare for,
configure, and manage Barracuda Total Email Protection.

We will go in depth on how you can best prepare your customers prior to deploying our services. The
document will include step by step instructions on how to best configure the products according to
Barracuda best practices. Lastly, there are steps on how to monitor and manage the services to ensure
customer satisfaction.

Intended Audience
This guide is intended to be read by any Engineers that will be configuring and/or monitoring Barracuda
Total Email Protection.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 5
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Getting Started with Barracuda Total Email Protection (BTEP)

Before you can configure Total Email Protection service for your customer you must first create an SMB
account for them and activate appropriate licenses within the ECHOplatform.

ECHOplatform.
The ECHOplatform gives you the convenience of multitenancy by providing the ability to create separate
child (SMB) accounts for each customer that reside within your partner “parent” account. For more
information on the ECHOplatform please review our Partner QuickStart Guide.

Account Creation
You’ll want to follow these steps for each unique customer you are bringing onboard Barracuda MSP.
1. Login to ECHOplatform with your ECHOplatform Admin credentials.
a. North American MSP – https://manage.barracudamsp.com
b. EMEA MSP - https://manage.echo.barracudamsp.com

Please Note: If you do not have these credentials please reach out to your MSP ECHOplatform portal
administrator. If you are unsure who your administrator is, please contact your BarracudaMSP Partner
Success Manager or Barracuda MSP Support.

2. Navigate to the Manage tab and select the Add Account button.

3. The New Account page is displayed. The fields with a red asterisk are required to be completed.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 6
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

•
The Username field requires a globally unique username. This field is restricted to
alphanumeric characters and underscore.
• Backup Package is how Barracuda MSP will bill you for any Intronis Backup usage. If your
customer isn’t using Intronis Backup select No Intronis Backup.
• Account Billing Plans allow you to generate reports based on how you plan on billing your
customer for Barracuda MSP products. If your customer isn’t using Intronis Backup select No
Intronis Backup.
• Portal Access allows you to set the customer’s permission level for Intronis Backup. If your
customer isn’t using Intronis Backup disregard.
• Complete all required fields(*) in the contact information on the right side with your
customer's information. You will need to provide the Country first before selecting the
State/Province.
Please Note: We will never reach out to your customer directly.
4. Save.

Activating Barracuda Total Email Protection

1. Click More Services, and then select Essential Services from the drop-down menu.

2. For the desired SMB account, click the Activate button.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 7
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

3. Find the product you would like to activate for this customer, click the correlated check box and
then click Activate.
Please Note: Barracuda considers a seat to be an Active email user. Barracuda does not
require licenses to be assigned for Inactive Accounts, Shared Mailboxes, Aliases, or
Distribution Groups.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 8
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Please Note: You will only see the products you have purchased available for activation
which may differ from the screen shot below.

The activation process typically takes 5 minutes to fully propagate. During the activation process the
account and seat total will appear in Green text.

Please Note: The page does not automatically refresh. Refresh the page after 5 minutes and if activated
successfully the text will change to Black. If there are any errors the text will appear Red. Please contact
Support for any Failed Activations.
4. Next, we will configure the Total Email Protection Services. To do this click the Barracuda Cloud
Control link within the ECHOplatform.

Changing Seat Count / Product

While Barracuda MSP allows you to self-activate all Total Email Protection licenses, we’ll need to assist
in the event you ever need to upgrade a customer to add new products.

The quickest way to make these changes is to reach out to your Partner Success Manager who will be
able to assist you.

We also have a webform available in the activation page of the ECHOPlatform portal where you can
submit the customer account information.

All changes will be completed in 3-5 business days.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 9
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Understanding the Barracuda Cloud Control (BCC)

Overview
As a partner, we want to provide you with as much clarity as possible to make your job easier. One of
the more attractive features of the Barracuda Cloud Control interface is its central management design;
all your customer’s Total Email Protection Services can be managed from one login! Below is a brief
explanation of the layout and navigation tips for your MSP account.

Whenever you log into your BCC account, your default page will bring you to your MSP “parent”
account. Think of this as the root that contains all your underlying “child” SMB customer accounts.

Please Note: You should never configure any services on the MSP Parent account!

1. In the top right-hand corner of the BCC (https://login.barracudanetworks.com) portal is your

customer Account Switcher.

In this example, your MSP “parent account” would be “Intronis Demo (Default)”. As you move forward
with this configuration walkthrough, ensure that you select the appropriate customer account from the
account dropdown.

How to find my Serial #

Once activated, each customer will have their own specific serial number. You will need to provide this
serial number to Support should you ever open a ticket. Every Total Email Protection product activated
against a single customer shares the same serial number.

All serials can be found from the respective product’s dashboard. For example, Cloud to Cloud Backup
and Cloud Archiving Service display the information at the top of the product’s primary Dashboard. The
serial number for the Email Security Service is anchored to the bottom of the browser by scrolling to the
bottom most portion of the primary dashboard.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 10
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Getting Started with Barracuda Email Security Service (BESS)

Project Plan
It’s important to speak with your customer before deploying the Barracuda Email Security Service to set
a clear timeline of events and expectations. Creating a proper project plan will not only ensure the
migration goes as smooth as possible but also helps your customer prepare themselves for the expected
changes ahead of time.

The first thing you’ll want to do is build a project timeline. This timeline will include updating the
customer with training materials and setting expectations, scheduling the deployment with them,
configuring the service, and monitoring mail flow post deployment to ensure there is no email
downtime.

Set Expectations and Train Users

Once you’ve gotten your project schedule determined you’ll want to make sure the customers are
clearly aware of the next steps. We recommend using something like the email template below as the
initial communication.

Please Note: We advise that you send out this initial email 2-3 days prior to performing the
migration.

Initial Email Template

“Hello [Customer Contact],

We will be switching over your email filtering from [Current Service Name] to Barracuda Total
Email Protection. We will work to make the transition seamless and we aim for 0 downtime
through the process.

The deployment will take place on [Scheduled Date and Time]. During this time, all users will be
able to use email without issue, but we’ll want to make sure they are trained on how to use the
new solution prior to making the switch.

Please send all users the Barracuda Total Email Protection user guide so they can familiarize
themselves with features like the Quarantine Notification, Message Log, adding to the Exempt /
Block, and how to release messages.
https://campus.barracuda.com/product/essentials/doc/3211272/barracuda-email-security-
service-user-guide/

You’ll also want to provide them the Encryption Message Center User Guide which outlines
everything they need to know when sending and receiving encrypted email.
https://campus.barracuda.com/product/essentials/doc/70584038/barracuda-message-center-
user-guide/?sl=AW0haKjl7X_svXEFusi_&so=1

Lastly, we’ll be installing an Outlook Add-in to all User’s Outlook to make Email Encryption faster
and simpler. Please ensure all users review the Outlook Add-in user guide to familiarize
themselves with the process.
This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 11
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

https://campus.barracuda.com/product/essentials/doc/71861422/barracuda-essentials-for-
email-security-outlook-add-in-user-guide/?sl=AW07EoS57X_svXEFuy40&so=5

We appreciate your patience and cooperation throughout this process, and we’ll continue to
update you as we move through the deployment. Let us know if you have any questions
throughout this process.

[Signature] “

Day of Deployment
On the day of the scheduled deployment you’ll want to reach out to your customer again reminding
them of the deployment while opening clear lines of communication throughout the process. This is also
a great time to encourage them to make sure the users have gone through the Email Security Service
and the Email Encryption training guides.

Day of Deployment Template

“Hello [Customer Contact]

We will be switching over your email filtering from [Current Service Name] to Barracuda Total
Email Protection as scheduled today at [deployment time]. Users will be able to use email as
normal and we are working to ensure there is no downtime.

Please ensure that all users have reviewed the Email Security Service and Encryption training
documents (linked below) sent in the previous email to reduce any confusion or frustration.
https://campus.barracuda.com/product/essentials/doc/3211272/barracuda-email-security-
service-user-guide/

https://campus.barracuda.com/product/essentials/doc/70584038/barracuda-message-center-
user-guide/?sl=AW0haKjl7X_svXEFusi_&so=1

https://campus.barracuda.com/product/essentials/doc/71861422/barracuda-essentials-for-
email-security-outlook-add-in-user-guide/?sl=AW07EoS57X_svXEFuy40&so=5

It’s important to keep in mind that we will need to tune the email filter and will closely monitor
all mail flow to ensure everything is working properly. It is possible some mail that was being
delivered previously is now quarantined or blocked. Please let our team know immediately of any
issues so we can adjust the rules accordingly and deliver any mail as soon as possible.

We appreciate your patience with this process and will let you know when the migration has
been completed.

[signature]”

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 12
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Perform Deployment
You’ll want to go through with the deployment as scheduled. Step by step instructions for configuring
and tuning the service are available later in this guide.

This will include:

1. Creating a Customer account in the ECHOplatform
2. Activating services
3. Configuring ESS
4. Configuring CAS
5. Configuring CCB
6. Monitoring all services

Once the Deployment has been completed and mail is flowing through Barracuda, you’ll want to update
your customer.

Post Deployment Email Template

“Hello [Customer Contact]

We wanted to update you and let you know that the deployment to Barracuda Total Email
Protection has completed successfully.

It is possible over the next several days that some mail that was previously delivered is being
blocked or quarantined. Our team is monitoring your email to handle any of these issues as they
come in.

Please let us know immediately of any issues you notice so we can update policies as needed and
tune the filter as quickly as possible. We expect these issues to be rare and most of them should
be resolved in the next 1-2 days.

[Include a paragraph about how users can report any issues including contact information]

[signature]”

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 13
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Configure Barracuda Email Security Service (BESS)

Overview
Barracuda Email Security is a, scalable, cloud-based email security solution that comprehensively
protects organizations against advanced email-based attacks, data loss and minimizes business
disruptions. BESS protects against spam, viruses and known malware, while also providing granular
policy management and monitoring controls for customized rules. In this section, we will walk through
the setup for Inbound & Outbound Scanning as well Encryption.

Pre-requisites
You will need access to the following in order to configure Barracuda BESS.

Please Note: This process does not automatically go live after configuration; this process will guide
you to cut over to our service when you and your customer are ready based on your project timeline.

• ECHOplatform account created for this customer

• Barracuda Cloud Control - https://login.barracuda.com
• Customer’s Office365 mail server
PLEASE NOTE: if you do not know your customers domain or mail server you can find it
by referencing Appendix 1.
• DNS Management Console – You will need the customer’s credentials to access their domain
settings.
• Global Administrator Credentials to Customer’s M365 Tenant

Inbound Scanning Setup

In this section we will configure the customer’s primary domain for BESS. This will be done using the
configuration BESS wizard. You will want to have the client’s domain & mail server information available
for this step.

Add a Primary Domain to BESS

1. Login to the BCC (https://login.barracuda.com) console.
2. Select the Account you wish to filter email for from the Account Switcher at the top right-hand side
of the Barracuda Cloud Control
3. Click on Email Security from the left-hand menu.
4. If this is your first-time logging into a customer’s Email Security service, you will be prompted with
the wizard automatically:

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 14
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

5. If you’ve already logged into their service before, but you have not yet started the configuration,
click here to start the wizard:

6. Select the region where the mail will be scanned.

a) US (USA)
b) UK (England)
c) DE (Germany)
d) CA (Canada)
e) AU (Australia)
7. Enter the customer primary domain in the space provided.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 15
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

8. Enter the mail server where email will be delivered after filtering in the space provided, this will be
the MX record value from M365 and click add.
a) Example: <domain>-com.mail.protection.outlook.com

9. Enter any email address on the domain, then click Test All Mail Servers.
Please Note: This will deliver a test email to the address provided but no action will be required
from that email.
10. Click Next to continue with the defaults.
By default, Virus & Spam Protection are enabled, and the CloudScan Spam Scoring system’s block
threshold is set to 5. Leaving Virus Protection enabled directs the BESS to detect and block viruses
on inbound mail. Leaving Spam Protection enabled directs the BESS to evaluate inbound mail for
spam based on a score assigned to each processed message. CloudScan Spam Scoring grades each
inbound message, scoring ranges from 1 (not spam) to 10 (definitely spam).

11. Update customer MX records with records provided

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 16
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Add the 2 MX records generated in the wizard, see the example below. Ensure you check with your
DNS provider for the appropriate syntax. If you are not ready to cut over to the BESS service and
plan to later, use a priority of 99. Otherwise ensure the priority is 10(a) / 20(b) and no other records
exist with a higher priority. This will allow us to validate the domain ownership and provides
authorization to route mail. When you have verified that mail flow is operational through the
Barracuda service, please remove the old Microsoft 365 MX record, may take up to 48 hours for
propagation.

12. Click Next to finalize the domain creation.

Add Additional Domain(s) to BESS

Follow these steps if your customer has domains that route email besides the primary domain added
through the Wizard in the steps above. If your customer only has one email domain, you can skip this
section.

1. Click Domains and click Edit in the Settings column for the desired domain.
2. Click Add Domain button.
3. Enter the Domain Name and Mail Server into the appropriate fields and click Add Domain.
4. Click on the domain name to expand the field and reveal the MX Records.
5. Add these to the domains DNS.
6. Click Verify next to the domain name once the MX records have propagated DNS and verify by
MX.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 17
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Update Microsoft 365 Spam Policies

While not required, we recommend defining a rule to bypass the Exchange Online Protection filtering.
This will allow messages scanned by the Barracuda Email Security Service to properly pass through
unfiltered, as well as prevent against duplicate quarantine logs within Exchange.

1. Log in to the Office365 portal.

2. Expand Admin Centers in the left pane, then click Exchange.

3. Click on Mail flow, then Rules, then click the ‘+’ to create a new Bypass Spam Filtering rule.
4. Name the rule Barracuda Spam Bypass
5. *Apply this rule if… > The sender > IP address is in any of these ranges or exactly matches
6. Enter the Barracuda IP Range specific to your region and select OK.
US: 209.222.80.0/21
UK: 35.176.92.96/27
DE (Germany): 35.157.190.224/27
AU (Australia): 3.24.133.128/25
CA (Canada): 15.222.16.128/25
7. Leave the remaining settings at defaults and click save.

Please Note: Once the rule is created, click the pencil or edit symbol within the Exchange admin
center in order to change the priority to 0 – this ensures that this rule is processed first.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 18
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Create Receive Connector

In order to ensure that mail is always delivered from our IP Ranges we must create a Receive Connector.
We use a handful of IP addresses to define the connector.
1. Log in to your Office365 portal, or your customer’s Office365 portal.
2. Expand Admin Centers in the left pane, then click Exchange.
3. Click on Mail flow, then Connectors and then click the "+" to create a new connector.
4. In "Select your mail flow scenario" Choose From: Partner Organization To: Microsoft 365

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 19
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

5. Name the rule Barracuda Inbound

6. On the "New Connector" page select Use the sender's IP Address, Click next.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 20
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

7. On the next page, hit the "+" to specify the sender IP address range. Ex. US Region enter the below
addresses:
209.222.80.0/24
209.222.81.0/24
209.222.82.0/24
209.222.83.0/24
209.222.84.0/24
209.222.85.0/24
209.222.86.0/24
209.222.87.0/24

8. Click Next
9. Leave the setting on "Reject email messages if they aren't sent over TLS. Click Next
10. Click Save.

Add End User Accounts

You can add users manually or use LDAP or Azure AD authentication to automatically synchronize the
Barracuda Email Security Service with your active directory server. It is important to add user accounts
so individuals can receive Quarantine Notifications, access mail in the event of Email Continuity, and
manage Quarantine / exempts.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 21
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

In this section we’ll cover how to Configure User Authentication using Azure AD. For information or for
instructions on how to add users manually or through LDAP sync please see our Add End User Guide on
Barracuda Campus.

1. Click Domains and click Edit in the Settings column for the desired domain.
2. In the Domains > Domain Settings page, scroll to the Directory Services section, and
select Azure AD, and click Save Changes at the top of the page.
3. Scroll down to the Status section and click Authorize.
4. The Authorize Azure AD dialog box displays. Click Continue.
5. When prompted, log in to your Microsoft 365 account using your administrator credentials.
6. In the Authorization page, click Accept to authorize the Barracuda Email Security Service to
connect to your Azure AD directory.
7. In the Barracuda Email Security Service Domain Settings page, the Status field displays
as Active; the Authorized Account and Authorization Date display below the status:

8. Click Sync Now to add your Azure AD users to the Barracuda Email Security Service.
9. The synchronization progress displays; allow the process to complete.
10. In the Synchronization Options section, select Synchronize Automatically. When selected, the
Barracuda Email Security Service automatically synchronizes with your Azure AD directory every
15 minutes and adds/updates your users.

Please Note: If you select Manual, you must click Sync Now to synchronize the
Barracuda Email Security Service with your Azure AD directory and add/update users.

11. To use SSO, click Yes for Enable Single Sign On. Once enabled, users are prompted to log in to
their Microsoft 365 account when accessing their messages in the Barracuda Email Security
Service.
12. Click Save at the top of the page to save your settings and return to the Domains page.

Default User Policy

By default, BESS prevents end users from viewing or delivering blocked messages as well as preventing
them from exempting the sending domain or email address. This and some other user related settings
can be adjusted under Users > Default Policy.

End User Guide

For information on the End User experience with BESS please see our End User Guide within Barracuda
Campus. This guide will outline topics such as Quarantine Notification, updating Sender Policies, and
how to use the Message Log.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 22
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Best Practice Recommendations

The following sections are not required but if configured, will add more layers to your security &
business continuity measures to further protect your client’s environment.

Enable Email Continuity

With this feature enabled, your end users will be able to continue business communications even if
Microsoft 365 goes offline. Our Email Continuity service for Business Continuity works by keeping a
“heartbeat” with your client’s mail server & if it goes offline, we will automatically failover mail server
responsibilities for up to 96 hours.

1. Navigate to the Users tab across the top menu bar, then click Email Continuity.
2. Click the radio button for Auto-Enable, then click OK to enable spooling.

Enable Inbound Quarantine for Spam Scoring

By default, all BESS scans will either Deliver, Block, Defer, or Quarantine a message. In order to enable
quarantine for messages based on their Spam Score, you must raise the CloudScan scoring value for
quarantine to a value greater than 0. We recommend setting the value to 3.0 as a good starting place
for new implementations.

1. Navigate to the Inbound Settings > Anti-Spam/Antivirus.

2. Under CloudScan Scoring > Quarantine: Set the Quarantine threshold to 3.0.
Please Note: This is a good starting point as most malicious spam attacks are graded 3 or higher
but may need to be modified later if the policy is too strict or too lenient.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 23
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Quarantine Notification
Now that Quarantine has been enabled and Users have been added into the system, we can configure
the schedule the Quarantine Notification email will be sent to the users.
1. Navigate to Users > Quarantine Notification.
2. Change “Default Interval for user quarantine notifications” to Scheduled.
3. Select the time window(s) when you’d like users to receive a summary report of all items
marked as quarantine since their last summary.
a. If you would like users to be able to set their own schedule for their own personal
accounts you can change “Allow users to specify interval” to Yes and direct them to our
End User Guide for more information.

Please Note: If the customer has no preference, we typically recommend sending the
Quarantine Notifications twice a day. The first at 6AM and the second at 1PM.

CONGRATULATIONS YOU ARE NOW CONFIGURED FOR

COMPREHENSIVE PROTECTION AGAINST SPAM , VIRUSES &
MALWARE, ADVANCED PHISHING ATTACKS AND SOPHISTICATED ,
ZERO-DAY THREATS LIKE RANSOMWARE !

Outbound Scanning
Barracuda will scan outbound mail for spam and viruses, as well as scan outbound mail for material that
should remain internal (for Data Loss Prevention [DLP]) or be encrypted via the Email Encryption
Service.

Barracuda ESS is NOT an email relay. There are strictly enforced rate limits in place for all emails coming
from a specific email or IP address. These rules are in place to prevent Blocking of our service and any
potential mail outage. Customers who are currently sending mass mailers through their Office365
account and not leveraging a 3rd party service should not enable outbound scanning.

Barracuda will allow 150 recipients per 30 minutes for a managed user (Added to users list) and 150
recipients per 30 minutes CUMULATIVE for all unmanaged users (NOT added to users list).

Send Connector
You will need to add an outbound send connector within Office365 to route outbound mail through a
Barracuda smart host.

1. Ensure you have a copy of the BESS outbound hostname for your domain.

If you have forgotten, login to BCC [select the appropriate customer from the account switcher] >
Email Security go to Domains (1), click anywhere on the domain (2) to expand more details and
copy the outbound hostname under the MX records configuration.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 24
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

2. Within Office365 go to Admin Center for Exchange > Mail flow, click Connectors, then click ‘+’ to
add a new Outbound Connector.
3. Select From: M365 and point the connector To: Partner Organization
4. Enter a Name for the connector. For example, "Barracuda Outbound."
Please Note: If you do not wish to route outbound mail through Barracuda at this time, deselect
the Enable Outbound Connector box below. This can be enabled later when you are ready to
finalize this deployment.
5. If you would like to route ALL outbound mail through Barracuda (Recommended), leave “Only when
email messages are sent to these domains” selected and click the Plus “+” button.
6. On the add domain screen enter Asterisk “*” to wildcard all email. Select OK and Next.
7. For the New connector screen, you will want to “Route email through these smart hosts” and select
the Plus “+”.
8. Here you will enter the Barracuda Smart Host found above in Step 1 and Save and select Next.
9. Next, you will want to leave the default to “Always user TLS…” and “Issued by a trusted CA” and
select Next.

10. Confirm all the settings look correct in the preview screen and click Next.
11. Before you can start routing email through the smart host, Microsoft requires you to test and
validate the connector.
a) Select the Plus “+” and enter an email address from Outside of the M365 tenant for Microsoft to
send a test message through. This will deliver a test message to the address, but no further
action is required.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 25
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Please Note: If you have chosen not to turn on the connector you may receive an “error”
that the message wasn’t delivered. This will not affect mail flow once you turn the
connector on to go live with Outbound scanning.
Sender Policy Framework (SPF) record.
Now that you are successfully routing outbound email through the BESS, recipient mail servers will begin
seeing mail sent from your customers domain arriving from the Barracuda mail servers. This will cause
most of the mail to fail until you update the customer’s SPF record in their DNS.

Login to the customer’s DNS management platform then update their SPF TXT record to include the
Barracuda BESS FQDN:
US: include:spf.ess.barracudanetworks.com
UK: include:spf.ess.uk.barracudanetworks.com
DE (Germany): include:spf.ess.de.barracudanetworks.com
AU: include:spf.ess.au.barracudanetworks.com
CA: include:spf.ess.ca.barracudanetworks.com

If they do not have an SPF record in place, please create a new TXT record against their domain:
v=spf1 [region specific record] -all

For more details about updating your customers SPF record please contact your DNS provider. If your
DNS provider is unable to leverage host names, please use the Barracuda IP ranges.

Encryption
Overview
The BESS can perform encryption on outbound mail in order to secure transmission of sensitive mail.
This encryption service is initiated by keyword content policies scanned on outbound messages or
through use of our Outlook Add-in. The recipient is sent a customizable link to the Barracuda Message
Center where they can review and reply to the encrypted message. For more information about how our
encryption service works, please read the following Barracuda Campus KB article.

1. To configure, navigate to Email Security > Domains (1).

2. Click Settings next to the domain you want to enable encryption for.
3. Under the encryption sub-header, click Validate CNAME (2) to generate a new record.

Please note: each time you click the ‘Validate CNAME’ button, it will generate a new record. You will
need to update your CNAME record to reflect the newly generated CNAME record.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 26
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

4. Log in to your DNS management portal for this domain, and create a CNAME record using the prefix
before the <.customerdomain.com> that was generated in the prior step next to Validation status.
For example: barracuda30929916985
5. Point the CNAME record of that domain to encrypt.barracudanetworks.com

Please Note: Allow the DNS propagation to take effect before proceeding – this can take up to
24 hours for some providers.

6. Within the Domain settings in Barracuda Cloud Control (BCC) under the encryption section click
Confirm Validation to query DNS and resolve the CNAME. If DNS propagation takes longer than you
would like, you can validate via Postmaster instead.
7. Once the record is validated, a new subset of options will appear under the Encryption section for
notification customization: logo image upload & custom text/HTML fields to make the encrypted
message portal personalized for your customer’s recipients.

Please Note: We recommend enabling Allow Replies so recipients can reply directly through the
Barracuda Encryption Portal without having to compose a brand-new email thread to reply.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 27
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

For more information on the recipient experience and how to use the Encryption portal please visit our
Encryption Portal End User Guide in Campus.

Outbound Content Policies

Now that we have enabled all email to flow outbound through the BESS and enabled Encryption services
on the account, we need to define what specific messages or types of messages should encrypted.

Under the Outbound Settings > Content Policies > Message Content Filter section we can define these
policies.

You’ll want to work with your customer to define the policies that work best for them, we typically see
Subject Line based policies in place. In the below example, anytime a user enters the word “Encrypt” as
the first word in the Subject, the message will go through our encryption process.

Please Note: These content filters are Regular Expression aware.

Predefined Filters are often used for customers that need to fulfill certain compliances and are required
to
This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 28
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

secure any outgoing emails that contain Credit Card numbers, US Social Security numbers, or HIPAA
related information. You can configure predefined filters for each of these that match the Subject,
Headers, Body, or text-based Attachments.

Barracuda Email Security Service Outlook Add-in

In addition to encrypting email via the Outbound Content Policies defined above, users can also take
advantage of our Outlook Add-in. With the click of a button, users can easily encrypt any email Sent or
Replied to. Follow the steps below to deploy the Barracuda Email Security Outlook Add-in to all users in
your Exchange environment.
Please Note: The Barracuda Outlook Add-in supports Outlook version 2016 and Outlook Web
Access (OWA) running on Windows and Mac OS.
1. Go to https://appsource.microsoft.com/en-us/product/office/WA104381249?src=office in your
web browser and click “Get it now”.

2. When prompted, log in with your M365 Global Admin credentials to add the add-in to your
Exchange Admin Center Office Store.
3. Log in to your Exchange Admin Center as the administrator:

4. In the left pane, click organization, and click apps.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 29
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

5. Click +, and from the drop-down menu, select Add from Office Store:

6. Search for and select the Barracuda Essentials Outlook Add-In icon, and click Add to add it to
your apps:

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 30
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

7. Double-click Barracuda Essentials to open the App Settings dialog box, and select the default
user setting:

Please Note: Mandatory, always enabled. Users can't disable this app – When selected,
the Outlook Add-In is automatically enabled, and the user cannot disable the Add-In
8. Click save.

Final Deployment Steps

Certain Steps shouldn’t be completed until the customer is ready to go live with the Barracuda Email
Security Service (BESS) solution.

1. DNS - Change MX records for the Barracuda BESS to priority of 10(a) & 20(b)
a. Raise the priority of their existing MX records (to 99) until you verify mail flow through BESS.
Verification can be done by going into the Message Log tab within the Barracuda Cloud Control
portal > Email Security > Overview – Once you’re confident everything is flowing through BESS,
delete their old MX records altogether typically after 24-48 hours of cutting over mail flow to
Barracuda.
2. Office365 - Enable the Outbound Send Connector in Office365 to allow outbound mail to flow
through the BESS. Go to the Admin Center for Exchange > Mail flow > Connectors. Select the ‘BESS
Outbound’ send connector and in the status pane to the right click ‘Turn it on’

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 31
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Post Deployment
Now that you and your team have successfully redirected the customer’s email to flow through
Barracuda, it is critical that you monitor the message log. As you’ve told the customer, all filters behave
differently so it’s possible Barracuda looks at certain emails more aggressively than the previous filter
and blocks things that were previously delivered.

You’ll need to make sure your team is monitoring the Message Log very closely for the first 2 days and
then periodically over the next 7 days to ensure nothing important is passing through or being blocked.

Make sure the customers know who to contact if they detect any issues with email to avoid frustration.

Monitoring the Service

It is most critical during the first 24-48 hours to monitor the Message log regularly for your customers.
You’ll want to look closely at Blocked and Quarantined emails to determine if something needs to be
delivered. Then, you’ll want to manually deliver the message and make any corresponding policy
changes.
Message Log
The Message Log is a window into how the current spam, virus, and policy settings are filtering email
coming through the Barracuda Email Security Service. Use the information in the log to help tune your
inbound and outbound policy settings. The Message Log can be accessed from Overview > Message Log.

Key features available in the Message Log include but are not limited to:
• 30-day history of all Inbound / Outbound Messages
• The ability to deliver quarantined or blocked messages
• The ability to view Message Body information

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 32
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Searching the Message Log

The Message Log allows you to run basic or advanced searches to find specific messages. This is very
helpful if your customer calls wondering if a message they were expecting was caught in the filter.

1. Message Filter – You can filter all displayed messages

a. Filter by Inbound or Outbound
b. Filter by All, Allowed, UI Delivered, Not Allowed (Blocked, Deferred, Quarantined)
2. Reading Pane – Shows a message preview in the Message log when a message is selected.
a. Recommended Off

To run a Basic Search, enter the keywords you’re searching for and specify a domain and time range a
message was received by Barracuda and select Search.

To run an Advanced Search, select the Advanced Search button. This will expand out a list of different
filters that can be applied to the Message Log, so it only displays messages with criteria you’re looking
for.
Reading the Message Log
Once you’ve refined your search and found the messages that you’re looking for you can begin to
investigate. Next, you’ll need to read the Message Log to get a better sense on why a message was
processed the way it was by Barracuda.

1. Status - The Status field shows if a message was Delivered, Quarantined, or Blocked.
a. Green indicates Delivered
b. Yellow Indicates Quarantined
c. Red Indicates blocked
d. White Indicates Deferred back to sending mail server
e. Brown Indicates the message was Encrypted (Outbound Only)
2. From - Sender email address (this may not match the address in the headers).
3. To – Recipient email address.
4. Subject – Message subject line

5. Date - Date and time the message was processed.

6. Size - Message size in bytes.
7. Delivery – Shows if a message was Delivered, Not Delivered, Deferred, Rejected, or Spooled.
8. Reason – A brief description of why the Action (Blocked, Deferred, etc.) was taken for that
message.
This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 33
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

a. To see a list of all reasons click here and select Reasons for Actions Taken
9. Score – Spam Score given to a message based on settings under Inbound Settings > Anti-Spam /
Antivirus.

Please Note: The Reason column is very important because it points to which engine caused the
message to be Not Delivered. This is a great place to determine where any Exempt or Block
policies need to be created.
Viewing Message Details
Now that you’ve found a message you’re looking for and have a better idea on how Barracuda
processed it, let’s look at the message details. Sometimes it’s important to view the message details to
see specifically why a message was blocked, allowed, quarantined or to view the headers of a message.
If you double click a message from the Message Log it opens the Message Details in a new browser tab.

This shows information such as the Message ID which is helpful to Support when troubleshooting a
message. Here you can also see the IP that the message originated from as well as the Envelope From
which is helpful in identifying Spoofed messages.
You also can Toggle between viewing the Message View which displays the Message Body and the
Source View which breaks out the headers of an email.
Message Log Actions
Once you’ve found a message and investigated it there are some actions that can be taken directly
through the Message Log.

If you determine a message that was Not Delivered turns out to be a false positive, you can Exempt the
sender email address and Deliver the message to the intended recipient.
On the flip side if there is a message that was Delivered but is spam, you can Block the sender Domain
and/or email address.

Tuning the Service

Exempt and Block Policies
Often your customer will have Exempt and Block policies in place with their existing filter. Barracuda
allows you to import these into the service as well as create any new policies needed as part of the
“tuning” phase.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 34
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Import Existing Policies

If your customer has Exempt or Block policies in place in their current email filter, you’ll want to export
those to CSV. Next, navigate to the Inbound Settings tab in BESS to find the specific policy you’d like to
exempt or block through.

All “Policies” sections will include a Bulk Edit option where you can enter the policies from CSV. See each
specific policy for the correct syntax.

For example, IP Address Policies allows Barracuda to block or allow email originating from a specific IP
address range.

Creating New Policies

Often, part of the “tuning” process involves blocking or allowing email by using these policies. The
Message Log will detail why any message was not delivered and which scan prevented the email from
being delivered allowing you to Exempt appropriately. For more detailed information on all of the
Inbound Filtering Policies you can create please visit our Inbound Filtering Policy section of Barracuda
Campus.

Common “False Positives”

There are a few scans that we find need the most attention during the tuning period. These mostly
relate to Sender Authentication which puts the messages through certain DNS checks to try and cut back
on spoofed emails.
The problem that comes up is that not every sender has their DNS set up correctly, causing false
positives. To try and eliminate any customer frustration you’ll want to keep a close eye on these emails.
Monitor the Message Log for any message that is Quarantined or Blocked with a Reason SPF, DKIM, or
DMARC. After investigating the message, if you determine it is in fact a legitimate message, you’ll want
to follow the steps below. If it is spam you can ignore.

1. Deliver the Message from the Message Log

2. Take note of the failure Reason (SPF, DKIM, DMARC)
a. If SPF copy the sender’s IP Address
b. If DKIM or DMARC copy the sender’s domain name
3. Navigate to Inbound Settings > Sender Authentication

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 35
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

4. Find the section to exempt based on the Reason the email was not delivered
a. For SPF add the sender’s IP address to the SPF Exemptions section
b. For DKIM add the sender’s domain to the DKIM Exempt section
c. For DMARC add the sender’s domain to the DMARC Exempt section

Barracuda Recommends setting User Sender Policy Framework to Block on HARDFAIL and Quarantine on
SOFTFAIL.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 36
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Essentials for M365 v2020.4

Barracuda Cloud Archiving Service (CAS)

Overview
In this section we will configure your customer’s Office365 domain to archive all messages, adhering to
compliance regulations and ensuring the facilitation of eDiscovery requests. Barracuda Cloud Archiving
(CAS) can be configured and put into production without interrupting the flow of mail or anything
related to the company’s email. The service works by journaling replicated, immutable copies of each
inbound and outbound message sent by or received for a given domain including internal messages. For
more information about the Barracuda Cloud Archiving Service, please read the following Barracuda
Campus KB article.

Pre-requisites
• ECHOplatform account created for this customer
• Barracuda Cloud Control - https://login.barracuda.com
• Customer’s Office365 Global Administrator credentials

Please Note: Any Microsoft CSPs will need to enable Conditional Access policies for Barracuda’s IP
range within Microsoft 365 prior to configuring CAS.

Add archiving users through AzureAD

Before configuring Journaling and Exchange integration you’ll first need to sync Azure AD to the
customer’s BCC account. Follow the steps below and allow up to 15 minutes for sync to complete before
moving on to the next section.

Please Note: If you wish to sync LDAP from an on prem AD server please see Appendix 2.

Use the following steps to set up Barracuda Cloud Control Azure AD authentication:

Connect Directory:
1. Log in to https://login.barracudanetworks.com/ as the account administrator, and go to Admin
> Directories.
2. Click Add Directory > Azure Active Directory; the Create Directory wizard displays. In the Info page,
enter a name to represent the directory in the Directory Name field.
3. Click Connect to Microsoft to sign in to Microsoft and authorize Barracuda Cloud Control to connect
to your Azure AD account.
4. Once authorization is complete, toggle User / Group Sync to On to synchronize with Azure AD.
5. Toggle Authenticate to On to allow users to authenticate using their Azure AD credentials. When
toggled Off, users must authenticate using their Barracuda Cloud Control credentials.
6. Optionally, enter the administrator contact email address. Click Save & Continue.
7. Once verification is complete, your Azure AD domains display in the wizard. Click Done.

Deploy Users based on Group:

1. Now that you’ve connected a directory, click Groups at the top of the Admin area in Cloud Control.
2. We deploy user access based on groups, find a group with the users you would like to implement
and click Edit.
a. If no suitable group is present, please create one and force another sync.
This document constitutes proprietary and confidential information of Intronis. This document may not be disclosed, used or duplicated, in whole or in part 37
without the prior written consent of Intronis.

Copyright © 2003-2017 Intronis MSP Solutions by Barracuda. All rights reserved.

 Barracuda Total Email Protection v2022.03

3. Within the Edit window, select Archiver (User).

4. All users in the group will now be able to login to the archiver with their M365/LDAP credentials.
a. They will also be given access to any aliases/proxy addresses set within the directory.

Add archiving domain to BCC

Often, archives will only need to be accessed by an Account Administrator who will complete searches
and fulfill eDiscovery requests.

1. Log in to Barracuda Cloud Control using your login credentials, click Archiver in the left pane, and
click the Archiver tab.
2. Click Run setup wizard.
3. The Welcome page displays. Click Get Started.
4. If you wish to use LDAP AD integration and haven’t configured it yet, please see Appendix 2. If not,
click skip, then yes skip to continue without configuring LDAP.
Please Note: Support can assist in re-enabling AD sync for this account at any time.
5. The Local Domains page displays. Enter email domains and fully-qualified domain names (FQDNs) to
be archived. Messages sent to any recipient in the listed domains are added to the archive. Enter a
domain and click Add, or add multiple domains separated with commas, and then click Add. The
added domains display in the Domains list.
6. Click Next.
7. The Retention page displays. Specify how long you want email archived to the Barracuda Cloud.
Please Note: By default, email will be archived forever, with no storage limitations.
8. Click Next. The Apply Changes page displays. Confirm your settings. Once you are satisfied,
click Apply Changes and Finish.
9. The page will refresh, click Mail Sources > SMTP Journaling where we can begin configuring the
service to Journal and import historical email.

Configuring Journal Archiving for Office365

Journaling setup has never been easier, Barracuda has created a PowerShell Script that can
automatically be run through BCC and utilizes Office365’s built in API. The steps below will outline
configuring Journaling directly from the web interface, for all deployment options please visit our
Journaling Options section on Barracuda Campus.

Please Note: The script can only be run through the portal if the Global Admin account for the
tenant does NOT have MFA enabled. If it does you’ll need to Manually Configure Journaling.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 38
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

1. Go to the Mail Sources > SMTP Journaling page.

2. Go to Journaling Setup Scripts > Microsoft 365 Setup Script, and click Run Script.
3. You will be prompted to enter Global Admin credentials to allow our application permissions to
Office365.
Please Note: This script will be directing archived messages to Barracuda’s Remote
domain and will do this via Send Connector. It will also create a Non-Licensed User on
the tenant to receive Non-Delivery Reports (NDR) in addition to creating a journaling rule
within the tenant.
Configure Exchange Integration
In addition to journaling mail, we offer the ability to integrate your Exchange database with the archiver
service. The steps below will show you how to configure 3 actions: a historical import of your Exchange
DB, synchronize non-email items (calendar, contacts, notes & tasks), and synchronize mailbox folder
structure.

Please note: the steps outlined below required a licensed Exchange account with global admin
rights to the client’s domain in order to synchronize data.

Exchange Database: Historical Import

Now that all mail is being archived it is important to pull in historical email to be indexed and searchable
within CAS. We will need to use a Licensed Exchange Global Administrator with a mailbox to run the
email sync.

**Note, Use the below ONLY if you have a physical or virtual Exchange server (not Microsoft 365)
: Run the PowerShell script (shown below) to ensure this user has the correct Access Rights to
the tenant.

Only use for On Premise Exchange:

1. Open Windows PowerShell as an Administrator, enter the following command, and then
press Enter:
$UserCredential = Get-Credential
2. In the Windows PowerShell Credential Request dialog box, enter your Exchange Online username
and password, and then click OK.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 39
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

3. Enter the following command, and then press Enter:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri
https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication
Basic -AllowRedirection
For more information, refer to the Microsoft TechNet article Connect to Exchange Online using
remote PowerShell.
4. Enter the following command, and then press Enter:
Import-PSSession $Session
5. Enter the following command, and then press Enter (make sure to update the
[email protected] user to your licensed M365 service account):
Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User [email protected] -
AccessRights fullaccess -InheritanceType all -Automapping $false
a. Permissions are assigned on existing mailboxes only; if additional mailboxes are added to your
organization, you must rerun this command.
b. For more information on adding mailbox permissions, see Add-MailboxPermission in the
Microsoft TechNet. For information on testing mailbox rights, see Get-MailboxPermission in the
Microsoft TechNet.

Kick off the import. Click “Start New Action”

Step 1 – Select Action

1. Pick from one of the three options. Email Import, Non-Email Sync, or Folder Sync.

- Email import: Usually a one-time import to capture existing messages on your mail server
and move them into the Barracuda Cloud Archiver.

- Non-Email Sync: This is a nightly sync that will capture Calendar appointments, Contacts,
tasks and Notes.

- Folder Sync: This is a nightly sync which captures the folder structure of the users. You can
see
This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 40
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

this structure reflected when looking at the “PSTs & Tags” option when logged in as an end
user.

Step 2 – Select Source

1. Click ‘Add new source’

2. Choose your Data Source, Exchange online (Microsoft 365) or Exchange Server:

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 41
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

3. For Exchange Online simply type in your Global Admin Credentials.

For Exchange Servers make sure you have run the Power Shell permissions command
from the end of page 39 of this document. Then fill out the server info (example
below).

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 42
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Step 3 – Configure Action

1. In the Configure Action page, click Continue.

2. In the View Summary page, select All Users from the Source drop-down menu.
3. In the schedule section, enter the desired Date and Select Now. Click Continue.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 43
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

4. Verify the configuration settings in the View Summary page, and then click Submit to add the Email
Import to the Scheduled Actions table.

Exchange Non-Email Sync

1. Log in to the Barracuda Cloud Archiving Service as the admin and go to Mail Sources > Exchange
Integration.
2. Click Start New Action. In the Select Action page, click Non-Email.
3. If you previously imported your Exchange Historical email, the M365 server will be saved. If not,
please reference this section for connecting your M365 server.

4. In the Configure Action page, Click Continue.

5. In the View Summary page, select All Users from the Source drop-down menu. For item type, check
or de-check any of the items you would like to synchronize. For schedule, select Nightly. Then click
Continue.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 44
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

6. Verify the configuration settings in the View Summary page, and then click Submit to add the Email
Import to the Scheduled Actions table.

Exchange Folder Structure Sync

1. Log in to the Barracuda Cloud Archiving Service as the admin and go to Mail Sources > Exchange
Integration.
2. Click Start New Action. In the Select Action page, click Folder Sync.
3. If you previously imported your Exchange Historical email, the M365 server will be saved. If not,
please reference this section for connecting your M365 server.

4. In the Configure Action page, Click Continue.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 45
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

5. In the View Summary page, select All Users from the Source drop-down menu. For item type, check
or de-check any of the items you would like to synchronize. For schedule, select Nightly. Then click
Continue.

6. Verify the configuration settings in the View Summary page, and then click Submit to add the Email
Import to the Scheduled Actions table.

PST Import
For any of your end users/clients who have local only PST files, we can ingest those into your archive in
order to adhere to your client’s compliance regulations.
Please Note: All PST files larger than 250MB will require Support Assistance. Please reach out to
our Support team and they will send you an SFTP link to securely upload your PSTs on Barracuda
bandwidth.

1. Log in to the Barracuda Cloud Archiving Service as the admin and go to Mail Sources > PST Import.
2. Under the Import PST files section, click Browse to navigate to the local only PST file.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 46
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Archive Encrypted Email from BESS

Email conversations that have been encrypted via the Barracuda Email Security Service are held within
the Barracuda Encryption Portal and are not being captured by the journaling rules above. For
compliance reasons customers will also need to ensure these are archived and available for eDiscovery.

1. Log in to Barracuda Cloud Archiving Service and go to Mail Sources > Encrypted Messages.
2. Set Archive Encrypted Messages to Yes and click Save.
Please Note: If the Archive Encrypted Messages option is grayed out, verify you have configured
and verified at least one domain in the Barracuda Email Security Service and encrypted messages
display in the Message Center. Also verify that you have entitlements to both the Barracuda
Cloud Archiving Service and the Barracuda Email Security Service.
3. Once enabled, allow the sync to complete; note that the initial import may take multiple days.
4. When the sync is complete, run a search on the Basic > Search page to verify expected messages
have synced.

Please NOTE: This is ONLY available for the US Region.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 47
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Cloud to Cloud Backup (CCB)

Overview
Hosting production data in the cloud does not mitigate the need for backup and recovery. Emails and
important documents are susceptible to corruption and risk being unrecoverable due to malicious
attacks or even accidental deletion.

The following Microsoft 365 data sources can be backed up, or protected, in Barracuda Cloud-to-Cloud
Backup:
• Exchange – Barracuda Cloud-to-Cloud Backup protects all email messages, attachments, and the
complete folder structure of each user's mailbox. You can restore messages, folders, or entire
mailboxes back to the original account or export via the download feature.
• SharePoint – Barracuda Cloud-to-Cloud Backup provides SharePoint Online protection. With
item-level recovery options, items can be restored directly into SharePoint Online from backup.
• OneDrive – Barracuda Cloud-to-Cloud Backup protects all files under the Documents Library,
including the entire folder structure. Just like with Exchange Online, files, folders, or entire
accounts can be restored back to the original account, a different account, or exported via the
download feature.
• Teams – Barracuda Cloud-to-Cloud Backup protects all your mail, calendar, and site data, along
with file data shared within Teams that includes the Group membership associated with Teams.

Pre-requisites:
• ECHOplatform account created for this customer
• Customer’s Office365 Global Administrator credentials

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 48
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Connect to Office365 Tenant

You will need to use an Office365 Global Administrator account to Connect the Office365 account to the
Cloud-to-Cloud Backup service.

These credentials will only be used for the initial connection to authorize the application process to your
M365 environment. These credentials will not be saved by Barracuda. The Global Administrator can be
removed or changed at anytime without affecting the backups in any way.

1. Log in to Barracuda Cloud Control and select the Cloud-to-Cloud Backup Source in the left pane.
2. Navigate to the Products tab from the top navigation menu, hover over the Office365 tile and
click CONNECT TO MICROSOFT.

3. Log in with a Global Administrator account to give the application permissions to access the M365
tenant.
4. Check the Consent on behalf of your organization box. Click Accept.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 49
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

5. You are redirected to a new login page to verify the Global Admin account information used in
Step 3.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 50
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

6. Review and click Accept to authorize Barracuda to back up data.

You will be redirected back to the Products page. Barracuda Cloud-to-Cloud Backup is now connected to
your Microsoft 365 tenant and will begin backing up data. All available services (Exchange, OneDrive,
SharePoint, and Teams) are automatically included in the backup.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 51
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Configure your Office365 Data Sources

By default, the backups are inclusive. This means they will automatically select data for all
Accounts/Sites for all sources. You can selectively Include/Exclude data for any of the given data
sources.

1. Navigate to the Products page from the top navigation menu, hover over the Microsoft 365 tile,
and click CONFIGURE.

2. On the Configuration pop-up window, select the data sources you want to enable backups for.

3. After you select the data sources to back up, click CONFIGURE. A separate backup schedule for
each data source will run automatically.

Note that this action may take several minutes.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 52
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 53
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Protect your Office365 Data Source

In the Protect page, use the PROTECT button to protect your data source.

Protection Status
There are 3 data protection status available:
• Protected – The data is backed up during the next scheduled backup.
• Unprotected – The data is not backed up during the next scheduled backup.
• Disabled – The data was backed up at one point in time but has been deleted and no longer
exists.
Protect Browser
The Protect browser allows you to drill down 5 levels into the folder hierarchy (Figure 1) before the
folders shift to the left of the screen (Figure 2).

As you drill down the folder hierarchy, you will see the folder breadcrumb at the top. The breadcrumb
trail defines your current location in the hierarchy of your data source and enables you to navigate back
and forth between different levels in your data. This allows you to easily switch back and forth between
different folders.

Figure 1. Protect Browser 5 Levels Folder Hierarchy

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 54
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Figure 2. Protect Browser 5+ Levels Folder Hierarchy

Backup Schedules
Barracuda Cloud-to-Cloud Backup automatically configures backup schedules to run at the most optimal
time for each tenant. The day and time that the next scheduled backup is set to run is posted at the top
of the page. To run a backup on demand, click BACKUP NOW.

Restore
You can restore backed up Microsoft 365 data sources to the original location or specify a different user
location. Additionally, you can restore data based on historical revision and download data to your local
system.

In the Protect page, use the RESTORE button to restore your backed up data.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 55
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Reports
Use the Reports page to view backup, export, and restore details. There is also an audit log of all
activities in Barracuda Cloud-to-Cloud Backup.

The Reports page provides a detailed report for each backup, export, or restore job that is run. In
addition, any processes currently running displays. Reports include details such as error or warning
status, data source, type of job, when the job started, size, and the number of new or removed items.
Click on any of the items to see the status and details of the backup, export, or restore job.

You can also download the item(s) you exported from the Protect page. Click Download next to the
item(s) you want to download.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 56
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

If there are any errors or warnings, a warning icon will show in the status column. Click on the
item to see details for why the job failed.

Audit Log
The Audit Log displays a report of all activities in Barracuda Cloud-to-Cloud Backup by user, IP address,
time, and description. Logged activities include log on authentication, changes to settings, changes to
account information, when a backup, restore, or export job started, and more.
Click the calendar for log activities that occurred on a specific day.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 57
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 58
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Impersonation Protection
Barracuda Impersonation Protection is a comprehensive artificial intelligence (AI) solution for real-time
spear phishing and cyber fraud defense. Delivered as a cloud service, Barracuda Impersonation
Protection utilizes artificial intelligence to protect people, businesses, and brands from spear phishing,
impersonation attempts, business email compromise (BEC), and cyber fraud.

There are three main components:

• A multi-layer AI engine that detects and blocks spear phishing attacks in real time and identifies
which employees are at highest risk of spear phishing
• Domain Fraud Protection that delivers visibility and analysis of DMARC reports, which prevent
phishing and brand hijacking and ensure deliverability of legitimate email traffic
• Ability to detect account takeover attempts and block email attacks launched from
compromised accounts.

Implementation Overview
1. Configure Impersonation Protection AI
2. Configure Impersonation Protection Domain Fraud (Reporting Mode)
3. Configure Impersonation Protection Domain Fraud (Enforcement Mode)

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 59
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

How to Configure the Impersonation Protection AI

2 of the 3 main features of Impersonation Protection (Real-Time AI and Account Compromise) are
configured by simply entering in the customer’s M365 Global Admin credentials. It may take up to 24
hours to train the AI by analyzing existing email and build algorithmic patterns for the tenant before we
begin quarantining and reporting any suspicious emails.

Configuring Initial Customer

The deployment Wizard opens automatically for the first customer you configure Impersonation
Protection for. If you have already set up a customer on Impersonation Protection and are configuring a
subsequent customer skip to our section for adding additional customers.
1. First, log into Barracuda Cloud Control (BCC)with your Admin or Tech user account.
a. You can log in to BCC using the SSO link in ECHOplatform or by logging in directly from
login.barracudanetworks.com.

Please Note: You can only configure Impersonation Protection with an ECHOplatform Admin or
Tech level user account, using the default MSP account will prevent you from accessing the
service. From the BCC portal ensure your username has proper email format and does not end in
@barracudamsp.

2. Navigate to the Impersonation Protection login page. You can do this by clicking the
Impersonation Protection Single Sign On link from within Barracuda Cloud Control.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 60
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

a. If it is your first time logging in to Barracuda Impersonation Protection, you will be asked
to fill out contact information to finalize your user account creation. Enter your personal
user information, you won’t be required to enter this again.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 61
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

3. You will be presented with 2 configuration options, Enforcement Mode or Reporting Mode for
Impersonation Protection to use after the AI is trained. This setting can be changed at any time.
a. Enforcement Mode
i. When set in Enforcement Mode, Impersonation Protection will protect against
Spear Phishing threats. Any suspicious emails will be immediately moved to the
end user’s existing Junk folder and they will receive an email notification. You
will also receive a notification for any new threats.
b. Reporting Mode
i. When set in Reporting Mode, Impersonation Protection will not protect against
Spear Phishing attacks. The message will remain in the end users inbox and
neither the end user nor the MSP will be notified.

Please Note: Barracuda strongly recommends configuring Impersonation Protection in

Enforcement Mode. Some Partners prefer to start in Reporting mode if the customer
hasn’t been updated to the change.

4. You can adjust the Impersonation Protection enforcement policies by selecting the Gear icon at
the top right of the portal.

5. The screen shot below shows the configurable settings for the Impersonation Protection AI. We
recommend changing the Security Team Email to a helpdesk or support address the customer
can reach out to with any questions.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 62
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

6. Customize Alert allows you to tailor the end user facing notification to your specifications. You
can adjust:
a. Email from display name
b. Introduction (first sentence in the notice)
c. Signature
i. The contact address defaults to the user that configured, we recommend
switching this to helpdesk or support

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 63
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Configure Impersonation Protection for Additional Customers

If you have already configured Impersonation Protection for 1 of your customers, the configuration
Wizard will not appear upon login. Follow the steps below to configure Impersonation Protection for
additional customers.
1. Navigate to the Impersonation Protection login page. You can do this by clicking the
Impersonation Protection Single Sign On link from within Barracuda Cloud Control (screen shot
below) or by logging in directly from Impersonation Protection.barracudanetworks.com

2. At the top right-hand corner of the portal select the three dots and then select Connect
Microsoft 365 account.

3. Next, you will be presented with 2 options.

a. Select “I want to protect an account with Barracuda Impersonation Protection” if you
would like to enable Impersonation Protection real time AI for the account.

Please Note: “I want to run an Email Threat Scan” generates a report on past attacks.
This is typically used to demonstrate latent threats within a customer’s environment. It
can be a powerful sales tool for you.

4. From here you will see the list of ECHOplatform customer accounts in the dropdown, select the
customer you wish to configure Impersonation Protection for and click “Connect To Office 365”.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 64
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

5. You will be directed to a Microsoft SSO page. Enter the customer’s Global Admin credentials for
their M365 tenant and Accept the required permissions.

Please Note: Barracuda does not cache these credentials; they are used once to give
Impersonation Protection API access to the M365 tenant which can be revoked at any
time from within M365.
6. You will be redirected back to the Impersonation Protection Portal. At this time Impersonation
Protection will begin training the AI on this customer’s M365 tenant. This process may take up
to 24 hours depending on the size of the tenant. You will be notified via email when this phase
has been completed.
7. By default, Impersonation Protection will be configured in Enforcement Mode meaning once
the AI is trained, Impersonation Protection will move any suspected Spear Phishing emails to the
user’s existing Junk Folder. It will also notify both the recipient of the suspected spear phishing
email and the MSP through email notifications.
8. You can adjust the Impersonation Protection enforcement policies by selecting the Gear icon at
the top right of the portal.

9. The screen shot below shows the configurable settings for the Impersonation Protection AI. We
recommend changing the Security Team Email to a helpdesk or support address the customer
can reach out to with any questions.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 65
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

10. Customize Alert allows you to tailor the end user facing notification to your specifications. You
can adjust:
a. Email from display name
b. Introduction (first sentence in the notice)
c. Signature
i. The contact address defaults to the user that configured, we recommend
switching this to helpdesk or support

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 66
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

How to Configure Impersonation Protection Domain Fraud

Domain Fraud will help you prevent spoofing of email messages that are sent “From” your domain. In
this section we will setup your SPF, DKIM, and DMARC records within DNS while providing clear
reporting of who is sending messages on behalf of your domain. Our goal is to first Report any sender
that is passing or failing these sender authentication checks and in time ultimately Reject the messages
that fail these checks to guarantee only legitimate messages pass.

It is important, especially when configuring DMARC, to ensure you have proper DNS records in place, so
all of your email messages are delivered properly. DMARC is dependent on having valid SPF and DKIM
records in place when recipient mail servers do lookups.

Sender Policy Framework (SPF) – SPF is a TXT record in your DNS which lists authorized hostnames or IP
addresses that can send mail from your domain. There are a lot of tools that you give permissions to
“spoof” your domain such as Marketing services like Constant Contact or Mail Chimp or email filters
such as Barracuda Email Security Service.

These tools all send mail that are From your domain but actually come from their own mail servers. You
will need to add these services to your SPF record so when a recipient mail server does an SPF lookup
they can tell if the sender is approved to send email on your behalf.
Click Here to learn more.

DomainKeys Identified Mail (DKIM) – DKIM is a TXT record in your DNS that is used to validate the
authenticity of email messages sent from your domain. It is a digital signature that your sending mail
server puts on all outbound messages.

When a recipient gets a message from your domain, their mail server accesses the public encryption key
in the DKIM TXT record in your DNS to determine if the original message has been altered or tampered
with in anyway.
Please Note: You will need to set up DKIM through M365 and any services you’re using. Please
refer to this Microsoft Guide for more information about DKIM and steps on how to enable it for
this tenant. You should also work with the service vendor so they can generate a DKIM record for
you to add to your DNS. We STRONGLY recommend you set up DKIM before fully enabling
DMARC.

Domain-based Message Authentication, Reporting & Conformance (DMARC) – DMARC combines both
SPF and DKIM requiring a message to be both from a valid source and unaltered from its original format
to be accepted by the recipient. It is a great way to ensure only legitimate messages from your domain
are being sent.

Click Here to learn more.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 67
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Configure Domain Fraud

1. Select the Menu bar in the portal and Navigate to the Domain Fraud section.
2. Click the “Set up DMARC Reporting” link next to each of the listed domains to enter the setup
wizard. These steps will walk you through setup of your SPF and DMARC records which will allow
us to begin reporting activity for these domains to our User Interface. Follow the wizards
through to manually copy and paste the indicated records into your DNS.
a. These records may take a few minutes to fully propagate DNS before you can verify
them with Barracuda.

Please Note: This puts your DMARC into Reporting mode by default which does not prevent the
delivery of any emails that fail DMARC check. We recommend leaving your domain in this
reporting mode for 1-6 months to ensure we capture all valid email senders in reporting.

Once DMARC has been configured the Domain Fraud dashboard will display that Status, number of
Unknown High-Volume Sources and the number of Failures from Approved sources. This will give you
high level insight into how DMARC is responding within your environment.

Viewing Reports
Once DMARC is configured any mail server receiving email from your domain will begin to send DMARC
reports back to Barracuda Impersonation Protection. You can view these reports under the Domain
Fraud section of Impersonation Protection by selecting the View “DMARC Reporting Data” link next to a
specific domain.

There are several sections of the report Dashboard including Sources Identified by DMARC, Top
Countries Sending Email, and Your DNS Configuration.

Sources Identified by DMARC

This portion of the report will allow you to track all DMARC reports received by Impersonation
Protection over the last 30 days. You can mark any Source as Approved or Not Approved for easy
tracking of progress. Any sources that you have not yet Approved or Not Approved will appear as
Unknown.

The goal with this section of the report is to mark all known good senders as Approved and all known
bad senders as Not Approved. Anything as Unknown has not yet been classified by your team and
should be reviewed.

You are also able to see if Unknown sources are High or Low Volume while additionally seeing how
many of your Approved sources may be Failing DMARC.

The sources are also broken out into High Volume Sources and Low Volume Sources.

High Volume Sources

High Volume Sources is a group of services where most of the mail being sent from your Domain. These
are
This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 68
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

often the most important to correct as soon as possible since most of your mail comes from these
sources.

Low Volume Sources

Low Volume Sources is a group of services where a small amount of mail is being sent from your
Domain. These may be legitimate email senders that aren’t used frequently within your company.

Monitoring Approved Sources

After you have classified all High and Low Volume Sources as either Approved or Not Approved it’s time
to start monitoring the Approved sources. Click on the Approved title within the dashboard to see a list
of all sources you’ve approved.

Here you’ll be able to track how many DMARC reports were received over the last 30 days as well as the
DMARC success rate for each source.

We want to track and ensure that all Passed DMARC sources continue to stay that way while we work on
trying to turn Failed DMARC reports into passing. To do this select the Investigate link next to a failed
source to view more details.

This section allows us to filter the Fail reports vs the Pass to focus on why some reports may not have
passed. This report is broken into 2 mail columns – SPF Status vs DKIM Status.

For email to Pass DMARC it must pass at least 3 of the 4 criteria, view our campus article for more
information.
• Pass SPF
• Aligned SPF
• Pass DKIM
• Aligned DKIM

Top Countries Sending Email

This section of the report shows you where emails from your domain are coming from geographically.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 69
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Your DNS Configuration

Rather than logging into DNS to track the records you’ve configured the Your Configuration section
displays the current DNS records for the selected domain.

Switching DMARC to Enforcement Mode

Once you are positive all sources that send mail from your domain are passing SPF/DKIM/DMARC, you
can feel comfortable switching DMARC into Enforcement mode.

To switch your DMARC from Reporting mode into Enforcement mode all you need to do is go to the
Your DNS Configuration section of the DMARC dashboard and select Enforce DMARC.

Please Note: You only want to do this when you are sure that domains that SHOULD pass for
DKIM, DMARC and SPF are in fact passing with no issues.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 70
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Copy the new value generated within the wizard and update your DNS record.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 71
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Incident Response (Forensics)

Barracuda Incident Response is a tool that focuses on mail after it’s been delivered. Its primary function
is to streamline the lookup and removal of unwanted messages in the mailboxes of end users. It has
organic lookups, suggestions, and regional lookup tools to locate messages. It also adds user reporting
features that allow admins to become aware of undesired messages as reported by the users
themselves. Finally, it ties all its capabilities into Automated Workflows which allows you to set
thresholds which trigger removal of messages, policy changes, and even Email & Slack notifications.

Prerequisites -
You will need to make sure that Incident Response has been activated in the Echo platform against the
account you are working with. If you have Impersonation Protection you will also want to make sure you
go through the Impersonation Protection configuration first. Configuring Incident Response AFTER
Impersonation Protection streamlines the configuration.

Navigate to Incident Response

Make your way to the Incident Response portal by going through Barracuda Cloud Control (shown in
screen shot 1) or go directly to the website forensics.barracudanetworks.com and log in with your email
and password. This would be the same credentials you would use for Echo.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 72
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Configuring Incident Response (Forensics)

If you have already setup your Impersonation Protection configuration for the account you intend to
configure Incident Response for then all you have to do is click “Start Free Trial” (as shown in the image
below). Otherwise, when you click this button, it will prompt you to accept permissions using a Global
Admin from the Microsoft 365 tenant in question. Incident Response will set itself up automatically from
there. It may take a few hours but no more than 24 hours.

** Note, you are not actually starting a trial. The wording in the button just has not been updated yet.
The serial number for Incident Response will be pulled from Echo for this account.

Appendix 1 – How to locate your Office365 domain or mail server

The steps below will show you how to locate your customer’s Office365 domain & mail server in order
to help facilitate the deployment for Email Security.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 73
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

1. Login to your customer’s Office365 Portal, then going to the Admin Center (1) and click on Settings
(2) > Domains (3).
2. Once loaded click on the customer’s domain. Make sure to select
“customerdomain.com” & not the ‘customerdomain.onmicrosoft.com’.

3. Drill into the DNS settings, then drill into the Exchange Online section.
Copy the MX record ‘Points to address of value’ to clipboard, this is their
mail server:
a. i.e. <domain>-com.mail.protection.outlook.com

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 74
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Essentials for M365 v2020.4

Appendix 2 – How to configure AD Sync for Barracuda Cloud Archiving

Service (BCAS)

LDAP
The steps below walk you through the configuration for LDAP AD integration using the Initials Setup
wizard.

Use the following steps to set up Barracuda Cloud Control LDAP authentication:

1. Log in to https://login.barracudanetworks.com/ as the account administrator, and go to Admin

> Directories.
2. Click Add Directory > LDAP Active Directory; the Create Directory wizard displays. In
the Info page, specify the following details:
a. Enter a name to represent the directory in the Directory Name field.
b. Toggle User / Group Sync to On to synchronize with AD.
c. Toggle Authenticate to On to allow users to authenticate using their LDAP AD
credentials. When toggled Off, users must authenticate using their Barracuda Cloud
Control credentials.
d. Optionally, enter the administrator contact email address:

3. Click Save & Continue.

4. In the Host page, enter the following details for your LDAP host:
a. LDAP Host IP address
b. LDAP Host Port
c. Base domain name
d. Username
e. Password
f. Select the Connection Security as STARTTLS, LDAPS, or None.
5. Click Add Domain; the domain is added to the Domains field. Click Verify.

This document constitutes proprietary and confidential information of Intronis. This document may not be disclosed, used or duplicated, in whole or in part
without the prior written consent of Intronis.
75
Copyright © 2003-2017 Intronis MSP Solutions by Barracuda. All rights reserved.
 Barracuda Total Email Protection v2022.03

6. Click Test to verify connectivity. If the connection is successful, Connected displays. If the
connection fails, verify the entered LDAP host details. Click Continue.
7. In the Domains page, click Add domain to add the domain to the AD configuration. Complete
this step for each domain you want to add.
8. To verify you own the domains you plan to include in your AD configuration, select the way to
verify the domains:
a. Copy a META tag to your domain header, or
b. Add a TXT record to your host's DNS management settings

9. Click Verify. Once the domain is verified, it is added to the Directories table in the Admin >
Directories page in Barracuda Cloud Control.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 76
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Appendix 3 – Manually Configure Journaling (BCAS)

Step 1. Add a Remote Domain and Connector

1. Log in to Microsoft 365 Exchange admin center.

2. Select mail flow > remote domains.
3. Click the + symbol. In the new remote domain, complete the following:
a. Name – Type Barracuda Cloud Archiving Service
b. Remote Domain – Type your region-specific MAS hostname, for
example: mas.barracudanetworks.com

See Data Centers by Region for a list of region-specific MAS hostnames.

c. Out of Office automatic reply types – Select None

d. Automatic replies – Select Allow automatic forwarding
e. Message reporting – Clear all options
f. Use rich-text format – Select Never
g. Supported Character Set – Set both options to None

4. Click Save.
5. Click Mail flow > connectors and click the + symbol.
6. The Select your mail flow scenario page displays.
This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 77
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

7. From the From drop-down menu, select Microsoft 365, and from the To drop-down menu,
select Partner organization:

8. Enter a Name and (optional) Description to identify the connector:

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 78
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

9. Click Next. Select Only when email messages are sent to these domains, click the + symbol,
and in the add domain field, type your region-specific MAS hostname, for
example: mas.barracudanetworks.com
See Data Centers by Region for a list of region-specific MAS hostnames.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 79
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

10. Click OK:

11. Click Next. Select Use the MX record associated with the partner's domain:

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 80
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

12. Select Always use Transport Layer Security (TLS) to secure the connection (recommended) >
Any digital certificate, including self-signed certificates:

13. Click Next. In the confirmation page, verify your settings:

14. Click Next. Microsoft 365 runs a test to verify your settings.
15. Go to the Mail Sources > SMTP Journaling page in the Barracuda Cloud Archiving Service, and
copy the email address from the SMTP Journaling Info section, for
example: [email protected]
16. In Microsoft 365, paste this email address into the provided field in the Verification page, and
click Validate.
Note that the sending email portion of the verification may fail depending on your Microsoft
365 configuration. This is not a concern as long as it passes the connectivity test.
17. Once the verification is complete, your mail flow settings are added.

Step 2. Create a Non-Delivery Report Recipient

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 81
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

Before creating journal rules, specify a journal recipient for non-delivery reports (NDRs) to reduce the
risk of losing journal reports:

To create an NDR recipient,

1. Log in to your Microsoft 365 Exchange admin center.

2. Select compliance management > journal rules.
3. If an NDR email recipient is not already specified, click Select address to the right of Send
undeliverable journal reports to field:

4. Browse to and select a recipient from the address book.

5. You can search for a recipient by typing all or part of a display name, and then clicking
the Search icon, or click on either the Display Name or E-Mail Address heading to sort the list.
6. Click OK once you select a recipient, and in the NDRs for undeliverable journal reports window,
click Save.
Best Practice
Create a shared mailbox and use that mailbox as the NDR recipient.

Step 3. Configure Microsoft 365 to Send Journal Mail

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 82
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.

 Barracuda Total Email Protection v2022.03

1. Log in to Microsoft 365 Exchange admin center.

2. Select compliance management > journal rules.
3. Click the + symbol. In the new journal rule dialog box, complete the following:
a. Send journal reports to – Enter the journaling address from the Mail Sources > SMTP
Journaling page in the Barracuda Cloud Archiving web interface. This is called the
journaling mailbox.
b. Name – By default, the name of the journal rule is automatically generated from the
journal recipients. If there are existing journal rules that contain the same journal
recipients, numbers are automatically appended to the journal rule name to avoid
duplicates. If you choose to override the automatically-generated name by typing in a
custom name, verify the name is unique and descriptive.
c. If the message is sent to or received from – Select Apply to all messages to journal all
recipients.
d. Journal the following messages – Select All messages to journal all messages regardless
of source or destination:

Because the journaling mailbox may contain sensitive information, it is recommended

that you create organization-wide policies that govern who can access the journaling
mailboxes in your organization.

4. Click Save. The rule is added to the journal rules table.

This document constitutes proprietary and confidential information of BarracudaMSP. This document may not be disclosed, used or duplicated, in whole or in 83
part without the prior written consent of BarracudaMSP.

Copyright © 2003-2021 BarracudaMSP. All rights reserved.