Netskope Help

Send traffic from Netskope back to Exchange

If you are not using a third-party MTA, then you can configure Exchange to enable Netskope to send the traffic back to the Exchange server. The following flow diagram provides an overview of the loopback solution.

SMTP_with_NS_-_Loopback_to_Exchange.png

To enable Netskope to send the traffic back to the Exchange server, you must configure the following:

Configure the Microsoft O365 Exchange server as the Next Hop in the Netskope tenant

Follow the instructions in "Configure the Microsoft O365 Exchange server and the upstream MTA in the Netskope tenant" section of Configure Netskope SMTP Proxy with Microsoft O365 Exchange article.

To locate the Exchange server's IP/FQDN,

  1. In the Microsoft 365 admin center page, click ... Show All to view all the options and navigate to Settings > Domains.

    exchange-next-hop-1.png
  2. Click on the default domain and select the DNS records tab.

    exchange-next-hop-2.png
  3. Under Exchange Online, click MX, the MX record pane is displayed on the right side of the screen.

    exchange-next-hop-3.png
  4. Copy the value under Points to address or Value and paste it in the Netskope tenant. The next hop port is 25.

    smtp-_proxy-settings-_1.png

Note

If you are running SPF checks on your Exchange server, then you must add the Netskope domain to your Exchange server’s DNS TXT record. To add a new TXT record,

  1. In the Microsoft 365 admin center page, click ... Show All to view all the options and navigate to Settings > Domains.

  2. Click on the default domain, select the DNS records tab, and click Add record.

  3. In the Add a custom DNS record right pane, specify a name for the TXT record and specify the TXT value as _spf.goskope.com. Click Save.

Configure an inbound connector in Microsoft's Exchange admin center

Configure an inbound connector that allows Microsoft O365 Exchange to accept traffic from Netskope SMTP Proxy.

  1. In the Exchange admin center page, click mail flow and select connectors. Click the + icon to create a new connector.

    microsoft-exchange-config-2.png
  2. In the New Connector window, select your mail flow. In the From field select Your organization's email server and in the To field select Office 365. Click Next.

    microsoft-exchange-inbound-1.png
  3. Specify a name to identify the inbound connector and provide a description. Click Next.

    microsoft-exchange-inbound-2.png
  4. In the following screen, provide the list of IP addresses of Netskope SMTP proxy servers in CIDR notation that will be sending traffic to Exchange. Click Next.

    microsoft-exchange-inbound-3.png

    For a complete and updated list of IP addresses, see Netskope Email DLP (SMTP) List for Allowlisting.

  5. Review your settings and click Save. The new connector is created.

Example of a rule set up with an outbound connector
  1. Click on the rules tab and click the + icon to create a new rule.

    example-rule-1.png
  2. In the new rule window, provide the following inputs:

    1. Name: Provide a name for the rule, such as "Traffic to Netskope".

    2. Apply this rule if...: Select The recipient is located outside the organization.

    3. Do the following...: Select Redirect the message to the following connector. If you don't see this option, click More options... at the bottom of the new rule window.

      Select the connector you want to redirect messages to, from the pop-up window.

    4. Except if...: Click add exception and select A message header includes any of these words. Set the values to 'x-netskope-inspected' header includes 'true'.

    5. Set the rule properties to default and click Save.

      example-rule-2.png
Configure Exchange to allow Netskope SMTP Proxy server IP addresses
  1. In the Exchange admin center page, click protection and select connection filter.

    exchange-protection-1.png
  2. Select Default and click Edit. In the edit spam filter policy window, select connection filtering.

    exchange-protection-2.png
  3. Click the + icon to add the allowed IPs. Click Save.

For a complete and updated list of IP addresses, see Netskope Email DLP (SMTP) List for Allowlisting.