Introduction
This article covers newly added Mailbox Auto Remediation (MAR) features introduced for AsyncOS 13.0 for Email Security.
Prerequisites
- AsyncOS 13.0 or newer for ESA
- License keys for File Reputation and File Analysis
- MS Office365 or MS Exchange On-Premise implementation
Background Information
MAR was introduced in AsyncOS 10.0 and only supported Office 365 Online.
13.0 and newer AsyncOS capabilities:
- Microsoft Exchange Online – mailbox hosted on Microsoft Office 365
- Microsoft Exchange on-premise – a local Microsoft Exchange server
- Hybrid/Multiple tenant configuration – a combination of mailboxes configured across Microsoft Exchange Online and Microsoft Exchange on-premise deployments
Initial setup steps can be found in the original MAR setup guide for O365, along with an addendum covering the O365 changes for 13.0 and newer.
The original article is still valid and covers an explanation of the feature as well as steps to generate Certificates for O365 Azure implementation, ESA settings, and general troubleshooting.
How-to configure Azure AD and Office 365 mailbox settings for ESA
New changes to the Azure side API Permissions for 13.0
The current User Guide provides more in-depth detail of the Auto Remediation Feature.
The Chapter: Automatically Remediating Messages in Mailboxes
Configure multiple "Account Profiles."
ESA 13.0 and newer support multiple account profiles created with Exchange Online, Exchange On-Premise, OR both:
- If your company has a complex setup with domains segregated across different deployments
- If your company is absorbing a new acquisition and wants to include its domain in the MAR feature
- In these cases, creating multiple account profiles allows more flexibility than previous ESA capabilities
Configure Exchange Online/O365 Profile
- Creating an account profile for O365/Azure is covered in the two links listed above in the Background Information section.
Office 365/Hybrid (Graph API) – select this for configuring a mailbox deployed on Exchange online and enter the following details:
- Client ID and Tenant ID of the application that you registered on the Azure Management Portal.
- A thumbprint of the certificate (the value of $base64Thumbprint).
- Upload the private key of the certificate. Click Choose File and select the .pem file.
Sample Profile connecting to O365
Configure Exchange On-Premise Profile
- Creating an account profile for an On-Premise Exchange instance is much simpler.
- This method requires a user account that holds the ApplicationImpersonation role.
- Browse to the Exchange Admin Center using the following format, replacing the hostname with your own value: https://mail.yourdomain.com/ecp/
- Once logged in, navigate to Permissions > Admin Roles > + to add a new profile. If you have an existing role, you may add the designated user account to the members.
- Create the name and description. Scroll down to "Roles: +" to add the role. Scroll down, highlight "ApplicationImpersonation," then click Add and OK.
- Returning to the newly created profile, select "Members: +", then locate and add the user account you have designated for use on the ESA.
- Commit all changes.
- More detailed instructions would require Administrator side research on the MS Support pages.
- Next, log in to the ESA WebUI and navigate to Account Settings.
- Create Account Profile, Name, Description.
- Select the dropdown option "Profile Type: Exchange On-Premise."
- Populate the username/password and Host: value.
- Acceptable parameters for the Host: value are included in the image.
- Submit and Commit Changes.
Sample Exchange On-Premise Profile
Samples of MAR Account Profiles
Configure Domain Mapping
Domain Mapping is the assignment of one or more domains to an account profile.
Every implementation requires at least one Domain Mapping:
- WebUI Navigate to System Administration > Account Settings > Create Domain Mapping.
- Enter the domain names separated by commas (the full list of acceptable domain formats is shown in Image 1).
- If there is only one Account Profile in the whole configuration, then populate the Domain Name: ALL.
- A Domain may only be used once.
Domain Mapping Sample
Image 1. Acceptable Domain Formats
Configure Chained Profiles
This action is only needed if you want to remediate messages in a mailbox on a hybrid or multi-tenant deployment.
Add the profiles in priority order, highest priority first: the most heavily utilized domain profile goes first.
- WebUI > Navigate to > System Administration > Account Settings > Create Chained Profiles.
- Add the Profile Name, Description.
- Select a domain from the Mar Profile: dropdown list.
- Select "Add Account Profile" to add another domain profile until the choices have been completed.
- Submit and Commit Changes.
Chain Profile Creation.
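The following is an added illustration, not Cisco code: a small model of how the Domain Mapping and Chained Profile rules above decide which account profiles are tried for a recipient, and in what order. Profile and domain names are constructed, and treating the Domain Name ALL as a catch-all is an assumption drawn from the single-profile instruction above.

```python
"""Model of how MAR selects a profile for a recipient.

Added illustration, not Cisco code. It mirrors this article's rules:
a domain may be mapped only once, ALL acts as the catch-all mapping
(assumption), and a chained profile's members are tried highest
priority first. Profile and domain names are constructed.
"""


class MarConfig:
    def __init__(self, account_profiles):
        self.profiles = set(account_profiles)  # Exchange Online / On-Premise profiles
        self.chains = {}                       # chained profile -> ordered members
        self.mapping = {}                      # domain (or "ALL") -> profile or chain

    def create_chained_profile(self, name, members):
        """Members are listed in priority order, most heavily used domain first."""
        unknown = [m for m in members if m not in self.profiles]
        if unknown:
            raise ValueError(f"unknown account profile(s): {unknown}")
        self.chains[name] = list(members)

    def create_domain_mapping(self, domains, profile):
        """domains is the comma-separated string typed into the WebUI field."""
        if profile not in self.profiles and profile not in self.chains:
            raise ValueError(f"unknown profile {profile!r}")
        for d in (x.strip() for x in domains.split(",") if x.strip()):
            key = "ALL" if d.upper() == "ALL" else d.lower()
            if key in self.mapping:  # a domain may only be used once
                raise ValueError(f"{d!r} is already mapped to {self.mapping[key]!r}")
            self.mapping[key] = profile

    def profiles_for(self, recipient):
        """Ordered list of account profiles MAR would try for this recipient."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        target = self.mapping.get(domain) or self.mapping.get("ALL")
        if target is None:
            return []  # unmapped domain: no profile can remediate it
        return list(self.chains.get(target, [target]))


if __name__ == "__main__":
    cfg = MarConfig(["azure-rtptac", "exchange-mar-2"])
    cfg.create_chained_profile("hybrid-chain", ["azure-rtptac", "exchange-mar-2"])
    cfg.create_domain_mapping("rtptacsecondary.com", "hybrid-chain")
    cfg.create_domain_mapping("rtprocks.com", "azure-rtptac")
    print(cfg.profiles_for("charella@rtptacsecondary.com"))
```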
Verify each Account Profile
Confirm each Account Profile by selecting the 'Test Profile' button while in an individual profile.
- WebUI > Navigate > System Administration > Account Settings > Choose one of the Account Profiles
- Select the bottom left button 'Test Connection.'
- Populate the 'Email Address:' field and select 'Test Connection.'
Test each Profile to verify successful connectivity
Troubleshooting
Logs Contain:
- mail_logs: Final remediation action and summary
- mar_logs: The sequence in which remediation was performed
- Test Connection option in the UI: used to verify connectivity and permission
The Test Connection result from the Account Settings page can pinpoint several misconfigurations:
Troubleshooting using Test Connection
- "The SMTP address has no mailbox associated with it."
  Cause: The user mailbox that is being used does not exist.
- "Access is denied. Check credentials and try again."
  Cause: The application configured in Microsoft Azure does not have the required permission to access the Office 365 mailbox.
- "Application with identifier '<client_id>' was not found in the directory <tenant_id>."
  Cause: The Client ID on the Account Profile Settings page is invalid.
- "No service namespace named '<tenant_id>' was found in the data store."
  Cause: The Tenant ID on the Account Profile Settings page is invalid.
- "Error validating credentials. Credential validation failed."
  Cause: The Certificate Thumbprint on the Account Profile page is invalid.
  Cause: The profile type that is used to access the mailbox may be incorrect. For example, accessing an on-prem mailbox using an Office 365 profile.
  Cause: The required permissions to access the mailbox may be missing.
- "Invalid username or password entered for the exchange server."
  Cause: The Impersonator Account Username and Password entered in the profile are not valid.
- "The account does not have permission to impersonate the requested user."
  Cause: Impersonator Role privileges are not assigned to the user account configured in the profile.
- "Please check host <hostname> is a valid exchange server address."
  Cause: The On-prem Exchange server Hostname entered in the profile is invalid.
- "The mailbox cannot be accessed using this profile or the required permissions may be missing."
  Cause: A valid mailbox is being accessed using the wrong type of profile. For example, an on-prem mailbox being accessed using an O365 profile.
Sample of successful remediation for a single profile:
Fri Aug 30 11:57:30 2019 Info: Process ready for Mailbox Remediation
Fri Aug 30 12:29:54 2019 Info: MID: 782107 Attempting to remediate using `azure-rtptac` profile for recipient testuser@rtprocks.com. Attempt number : 1
Fri Aug 30 12:29:54 2019 Info: MID: 782107 Trying to perform the forward and delete action on Office 365 or Hybrid exchange for SHA256: 1e6f324982d4eb71ad967e79261a6435aef928b57bc523dbb3e7de4ed65941ab recipient's (testuser@rtprocks.com) mailbox.
Fri Aug 30 12:29:58 2019 Info: MID: 782107 Message forwarded successfully to admin_mar@rtprocks.com.
Fri Aug 30 12:29:58 2019 Info: MID: 782107 Message deleted successfully from testuser@rtprocks.com mailbox.
Fri Aug 30 12:29:58 2019 Info: MID: 782107 Remediation succeeded with `azure-rtptac` profile for recipient testuser@rtprocks.com.
Sample of successful remediation for a chained profile:
Mon Oct 14 15:01:01 2019 Info: MID: 24 Attempting to remediate using 'azurertptac' profile for recipient charella@rtptacsecondary.com . Attempt number : 1
Mon Oct 14 15:01:01 2019 Info: MID: 24 Trying to perform the delete action on Office 365 or Hybrid exchange for SHA256: 1e6f324982d4eb71ad967e79261a6435aef928b57bc523dbb3e7de4ed65941ab recipient's (charella@rtptacsecondary.com) mailbox
Mon Oct 14 15:01:09 2019 Info: MID: 24 Unable to read message(s) from the recipient's (charella@rtptacsecondary.com ) mailbox. Error: The mailbox cannot be accessed using this profile or the required permissions may be missing
Mon Oct 14 15:01:09 2019 Info: MID: 24 Attempting to remediate using 'exchange-mar-2' profile for recipient charella@rtptacsecondary.com . Attempt number : 1
Mon Oct 14 15:01:09 2019 Info: MID: 24 Trying to perform the delete action on On Premise Exchange for SHA256: 1e6f324982d4eb71ad967e79261a6435aef928b57bc523dbb3e7de4ed65941ab recipient's (charella@rtptacsecondary.com) mailbox.
Mon Oct 14 15:01:16 2019 Info: MID: 24 Message deleted successfully from charella@rtptacsecondary.com mailbox.
Mon Oct 14 15:01:16 2019 Info: MID: 24 Remediation succeeded with 'exchange-mar-2' profile for recipient charella@rtptacsecondary.com. Not trying further profile.
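As an added example that is not part of this article or the ESA product, the script below groups mar_logs lines by MID so that a chained-profile run (which profile failed with which error, which one succeeded, what action was taken) can be reviewed at a glance, and flags MIDs where no profile succeeded. The regular expressions assume the log wording shown above, and the embedded SAMPLE is constructed after the chained-profile sample.

```python
"""Summarize ESA mar_logs remediation attempts per message ID (MID).

Added example, not Cisco code. Groups the attempt, failure, action and
success lines into one record per MID so a chained-profile run can be
reviewed at a glance. Regexes assume the wording shown in this article;
SAMPLE is constructed after the chained sample above.
"""
import re

ATTEMPT = re.compile(r"MID: (\d+) Attempting to remediate using [`']([^`']+)[`'] profile for recipient (\S+)")
FAIL = re.compile(r"MID: (\d+) Unable to .*Error: (.+)$")
ACTION = re.compile(r"MID: (\d+) Message (forwarded|deleted) successfully")
SUCCESS = re.compile(r"MID: (\d+) Remediation succeeded with [`']([^`']+)[`'] profile")

SAMPLE = """\
Mon Oct 14 15:01:01 2019 Info: MID: 24 Attempting to remediate using 'azurertptac' profile for recipient charella@rtptacsecondary.com . Attempt number : 1
Mon Oct 14 15:01:09 2019 Info: MID: 24 Unable to read message(s) from the recipient's (charella@rtptacsecondary.com ) mailbox. Error: The mailbox cannot be accessed using this profile or the required permissions may be missing
Mon Oct 14 15:01:09 2019 Info: MID: 24 Attempting to remediate using 'exchange-mar-2' profile for recipient charella@rtptacsecondary.com . Attempt number : 1
Mon Oct 14 15:01:16 2019 Info: MID: 24 Message deleted successfully from charella@rtptacsecondary.com mailbox.
Mon Oct 14 15:01:16 2019 Info: MID: 24 Remediation succeeded with 'exchange-mar-2' profile for recipient charella@rtptacsecondary.com. Not trying further profile.
"""

def summarize(log_text):
    """Return {mid: {"recipient", "attempts": [[profile, status, error]], "actions", "result"}}."""
    mids = {}
    for line in log_text.splitlines():
        if m := ATTEMPT.search(line):
            mid, profile, rcpt = m.groups()
            entry = mids.setdefault(mid, {"recipient": rcpt.rstrip("."), "attempts": [], "actions": [], "result": None})
            entry["attempts"].append([profile, "no result", ""])  # filled in by later lines
        elif m := FAIL.search(line):
            entry = mids.get(m.group(1))
            if entry and entry["attempts"]:
                entry["attempts"][-1][1:] = ["failed", m.group(2).strip()]
        elif m := ACTION.search(line):
            if m.group(1) in mids:
                mids[m.group(1)]["actions"].append(m.group(2))
        elif m := SUCCESS.search(line):
            entry = mids.get(m.group(1))
            if entry:
                entry["result"] = m.group(2)
                for attempt in entry["attempts"]:
                    if attempt[0] == m.group(2):
                        attempt[1] = "succeeded"
    return mids

def unresolved(summary):
    """MIDs for which no profile in the chain succeeded: these need an administrator."""
    return sorted(mid for mid, e in summary.items() if e["result"] is None)
```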
Related Information