Configuring Microsoft Exchange for Zscaler Outbound Email DLP
Zscaler Outbound Email Data Loss Prevention (DLP) allows you to establish a connection between your Exchange server and Zscaler's cutting-edge Data Loss Prevention (DLP) tools to prevent the exfiltration of sensitive data in outbound emails sent to external domains. To do so, you must configure connectors to allow bidirectional communication between your Exchange server and the Zscaler smart host, and you must configure mail flow rules (also known as transport rules) to determine how mail flows from your Exchange server to the Zscaler service, and vice versa.
This article explains how to configure your Exchange server to use a Zscaler smart host for a basic use case. To learn more about configuring your Exchange server for other use cases, refer to the Microsoft technical documentation. To learn about configuring your Gmail server for Outbound email DLP, see Configuring Gmail for Zscaler Outbound Email DLP.
To configure the Exchange server to use a Zscaler smart host:
1. Configure a smart host send connector.
To create a connector so that outbound email sent to external domains is routed from Exchange to the Zscaler smart host:
- Sign in to the Exchange Admin Center.
- In the left-side navigation, go to Mail flow > Connectors. The Connectors page appears.
- On the Connectors page, click Add a connector. The Add a connector panel opens.
- In the Connection from section, select Office 365, and in the Connection to section, select Partner organization, then click Next.
- Specify a name (for example, Office-to-Zscaler) and an optional description, deselect the Turn it on checkbox, then click Next.
Zscaler recommends leaving the connector that sends email from your Exchange server to the Zscaler smart host disabled until all connectors and mail flow rules are configured.
- On the Use of connector page, select Only when I have a transport rule set up that redirects messages to this connector, then click Next.
- On the Routing page, select Route email through these smart hosts, specify the Smart Host FQDN, then click the + button to add the smart host server. You can find the Smart Host FQDN on the Edit Email Tenant page in the Admin Portal.
- Click Next.
- On the Security restrictions page, select Issued by a trusted certificate authority, then select the Add the subject name or subject alternative name (SAN) matches this domain name checkbox. Enter the domain for the Zscaler cloud where your smart host is located (for example, *.zscloud.net), then click Next.
- On the Validation email page, enter a validation email address for the smart host server, then click the Add icon to add the email address.
- Click Validate to validate the connection to the smart host server. You receive a confirmation message. The validation for the email address might fail because the mail flow rules aren't in place yet; before you continue setting up the connector, however, ensure that the connectivity task is successful.
- Click Next. If you receive a confirmation message because the test email didn't send successfully, click Yes, proceed.
- Review the connector settings, then click Create connector. A confirmation page appears.
- Click Done. You return to the Connectors page and the new connector appears in the list.
2. Configure a smart host receive connector.
To create a connector to receive processed email from the Zscaler smart host:
- Sign in to the Exchange Admin Center.
- In the left-side navigation, go to Mail flow > Connectors. The Connectors page appears.
- On the Connectors page, click Add a connector. The Add a connector panel opens.
- In the Connection from section, select Your organization's email server, then click Next.
- Specify a name (for example, Zscaler-to-Office) and an optional description, then click Next.
- On the Authenticating sent email page, select By verifying that the sender domain matches one of the following domains, enter the domain for the Zscaler cloud where your smart host is located (for example, *.zscloud.net), click the Add icon, then click Next.
- Review the connector settings, then click Create connector. A confirmation page appears.
- Click Done. You return to the Connectors page and the new connector appears in the list.
3. Configure a mail flow rule to send email to the Zscaler smart host.
After setting up the connector for the Zscaler smart host, you must configure a mail flow rule to forward email to the Zscaler service. The rule adds a header carrying the key from your configured Zscaler smart host so that the Zscaler service can identify and process email content from your Exchange server.
To configure a mail flow rule to forward email to the Zscaler service:
- Sign in to the Exchange Admin Center.
- In the left-side navigation, go to Mail flow > Rules. The Rules page appears.
- On the Rules page, click Add a rule > Create a new rule. The New transport rule panel opens on the Set rule conditions page.
- On the Set rule conditions page:
  - Name: Enter a name for the transport rule.
  - Apply this rule if: Select The recipient in the first drop-down menu, then is external/internal in the second drop-down menu. In the select recipient location panel that opens, select Outside the organization from the drop-down menu, then click Save.
  - Do the following: Select Redirect the message to, then select The following connector in the second drop-down menu. In the select connector panel that opens, select the send connector you created earlier, then click Save.
  - Click the Add icon to add a second action that sets a header for the Zscaler smart host you configured. This header lets the Zscaler smart host identify the mail it receives from your Exchange server.
    - In the And drop-down menu, select Modify the message properties, then in the Select one drop-down menu, select set a message header.
    - Click the first instance of Enter text. The message header panel appears.
    - On the message header panel, enter X-Zscaler-TenantId as the header name, then click Save.
    - Click the second instance of Enter text.
    - For the header value, paste the Key for Transport Rules value from the Admin Portal. You copied the Key for Transport Rules value when you configured the email tenant in the Admin Portal. You can also find the value on the Edit Email Tenant page in the Admin Portal.
  - Except if: To ensure that already-inspected email is not returned to the Zscaler smart host for a second inspection, add an exception that matches the default Zscaler Allow and Block header values. To add the exception:
    - In the Except if drop-down menu, select The message headers..., then select includes any of these words.
    - Click Enter text to specify the name for the header. The specify header name panel appears.
    - On the specify header name panel, enter X-Zscaler-Block, then click Save.
    - Click Enter words to specify the value for the header. The specify words or phrases panel appears.
    - On the specify words or phrases panel, enter 1 (the Block action) and click Add, then enter 0 (the Allow action) and click Add, then click Save. The configured exception appears.
  - (Optional) Click the Add icon and follow the prompts to specify any other exceptions to the rule (for example, to exempt specific members of your organization from email content inspection).
- Click Next.
- On the Set rule settings page, ensure that Rule mode is set to Enforce, specify other settings for the rule as needed (for example, severity or activation dates), then click Next.
- Review the rule settings, then click Finish. A confirmation page appears.
- Click Done. You return to the Rules page and the new rule appears in the list.
4. Configure a mail flow rule to act on email received from the Zscaler smart host.
After the Zscaler service inspects and processes email content, it sends the content back to the Exchange server (to the next hop address configured on the email tenant). The following example shows how to configure a mail flow rule that uses the default block header the Zscaler service adds to emails that trigger outbound email policy.
To learn more about how Zscaler applies headers to emails that trigger outbound email policy rules, see Configuring Outbound Email Policy Rules.
To configure an incoming mail flow rule on Exchange to use the default Zscaler block header:
- Sign in to the Exchange Admin Center.
- In the left-side navigation, go to Mail flow > Rules. The Rules page appears.
- On the Rules page, click Add a rule > Create a new rule. The New transport rule panel opens on the Set rule conditions page.
- On the Set rule conditions page:
  - In the Name field, enter a name for the transport rule (for example, Zscaler-to-Office-Block).
  - In the Apply this rule if drop-down menu, select The recipient in the first drop-down menu, then is external/internal in the second drop-down menu. In the select recipient location panel that opens, select Outside the organization from the drop-down menu, then click Save.
  - Also in the Apply this rule if section, click the Add icon to add a condition that specifies the name:value pair for the Zscaler block header. The And drop-down menu appears.
  - In the And drop-down menu, select The message headers..., then select includes any of these words.
    - Click Enter text to specify the name for the header. The specify header name panel appears.
    - On the specify header name panel, enter X-Zscaler-Block, then click Save.
    - Click Enter words to specify the value for the header. The specify words or phrases panel appears.
    - On the specify words or phrases panel, enter 1 to indicate that the message is blocked, click Add, select the value, then click Save.
  You can use the same basic process to map a custom header to an action in Exchange. For example, you can configure an outbound email policy rule in the Admin Portal to attach a custom header (e.g., X-Zscaler-Encrypt:1) to emails that trigger the policy, and then map that custom header to the appropriate action in Exchange. To learn more, refer to the Microsoft technical documentation.
  - In the Do the following drop-down menu, select Block the message.
  - In the Select one drop-down menu, select reject the message and include an explanation. The specify rejection reason panel opens.
  - In the specify rejection reason field, enter the message that is returned to users whose emails contain sensitive information, then click Save.
  - For the Except if option, specify any exceptions to the rule (for example, to exempt specific members of your organization from email content inspection).
- Click Next.
- On the Set rule settings page, ensure that Rule mode is set to Enforce, specify other settings for the rule as needed (for example, severity or activation dates), then click Next.
- Review the rule settings, then click Finish. A confirmation page appears.
- Click Done. You return to the Rules page and the new rule appears in the list.
5. Enable the smart host send connector.
With the connectors and mail flow rules in place, you can safely enable the connector created in step 1, which sends email from your Exchange server to the Zscaler smart host for inspection.
To enable the smart host send connector:
- Sign in to the Exchange Admin Center.
- In the left-side navigation, go to Mail flow > Connectors. The Connectors page appears.
- On the Connectors page, click the name of the send connector in the list. The information panel for the send connector appears.
- In the Status section, click Edit name or status. The Connector name panel appears.
- On the Connector name panel, select the Turn it on checkbox, then click Next.
- If prompted to send a validation email, click Validate.
- On the confirmation message page, click Save. You receive confirmation that the connector has been updated.
- Close the Connector name panel. You return to the Connectors page, and the connector is enabled.
With these settings configured, and with a Zscaler outbound email policy rule configured to detect and block sensitive information, users who try to send an email containing HIPAA information to an external domain receive a message from the Exchange server that their message was blocked.
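The five Admin Center steps above can also be applied as a single Exchange Online PowerShell script, which is easier to review, version and repeat across tenants. The following is an added example and is not part of the Zscaler article or a Zscaler-supplied script. It assumes the ExchangeOnlineManagement module is installed, that the account has the Exchange administrator role, and that the smart host FQDN and Key for Transport Rules are replaced with the real values from the Zscaler Admin Portal (the placeholders below are not valid values). The mapping of the Admin Center choices onto cmdlet parameters is my own: the certificate-subject check in step 2 is expressed with RequireTls, RestrictDomainsToCertificate and TlsSenderCertificateName, and the rule names are chosen here, not given by the article.

```powershell
# Added example (not from the Zscaler article): scripted equivalent of steps 1 to 5.
# Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Placeholders: take both values from the Edit Email Tenant page in the Zscaler Admin Portal.
$smartHost   = 'SMARTHOST_FQDN_FROM_ADMIN_PORTAL'
$tenantKey   = 'KEY_FOR_TRANSPORT_RULES_FROM_ADMIN_PORTAL'
$cloudDomain = '*.zscloud.net'          # domain of the Zscaler cloud hosting your smart host
$sendName    = 'Office-to-Zscaler'      # connector names from the article
$receiveName = 'Zscaler-to-Office'

# Step 1: send connector. Created disabled and scoped to a transport rule, so no mail
# can reach the smart host until the rules below exist. TLS is required and the
# smart host certificate must be CA-issued with a subject/SAN matching $cloudDomain.
New-OutboundConnector -Name $sendName `
    -ConnectorType Partner `
    -RecipientDomains '*' `
    -UseMXRecord $false `
    -SmartHosts $smartHost `
    -TlsSettings DomainValidation `
    -TlsDomain $cloudDomain `
    -IsTransportRuleScoped $true `
    -Enabled $false

# Step 2: receive connector. Only accepts mail over TLS from a server whose certificate
# subject matches the Zscaler cloud domain (my mapping of the Authenticating sent email choice).
New-InboundConnector -Name $receiveName `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $cloudDomain

# Step 3: redirect external mail to the smart host and stamp the tenant key header.
# The exception is the loop breaker: mail that already carries X-Zscaler-Block (1 = Block,
# 0 = Allow) has been inspected and must not be routed to the smart host again.
New-TransportRule -Name 'Office-to-Zscaler-Redirect' `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector $sendName `
    -SetHeaderName 'X-Zscaler-TenantId' `
    -SetHeaderValue $tenantKey `
    -ExceptIfHeaderContainsMessageHeader 'X-Zscaler-Block' `
    -ExceptIfHeaderContainsWords '1', '0' `
    -Mode Enforce

# Step 4: act on the verdict. X-Zscaler-Block: 1 means the outbound email policy blocked
# the message; reject it with an explanation that is returned to the sender.
New-TransportRule -Name 'Zscaler-to-Office-Block' `
    -SentToScope NotInOrganization `
    -HeaderContainsMessageHeader 'X-Zscaler-Block' `
    -HeaderContainsWords '1' `
    -RejectMessageReasonText 'Your message was blocked because it contains sensitive information.' `
    -Mode Enforce

# Step 5: only now enable the send connector.
Set-OutboundConnector -Identity $sendName -Enabled $true

# Check: confirm the connector state and that the redirect rule carries the X-Zscaler-Block
# exception before sending a test message to an external address.
Get-OutboundConnector -Identity $sendName |
    Format-List Name, Enabled, SmartHosts, TlsSettings, TlsDomain, IsTransportRuleScoped
Get-InboundConnector -Identity $receiveName |
    Format-List Name, Enabled, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
Get-TransportRule | Where-Object { $_.Name -like '*Zscaler*' } |
    Format-List Name, State, Mode, Priority, SentToScope, RouteMessageOutboundConnector, SetHeaderName, HeaderContainsMessageHeader, HeaderContainsWords, ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords
```

The order matters for the same reason the article keeps the send connector turned off until the end: if the send connector were enabled before the redirect rule's Except if clause existed, inspected mail returned by the smart host would be redirected back to it. The final Get-TransportRule listing is the quickest way to verify that the exception header and both values (1 and 0) are present on the redirect rule and that both rules are in Enforce mode.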