While Exchange Online provides Data Loss Prevention (DLP) capabilities, it is still possible to integrate it with a third-party DLP solution. The goal was to achieve this while still providing a solution that is highly available and not dependent on on-premises resources. Here is the configuration we picked to experiment with this.

The first thing that needed to be set up was a pair of VM appliances hosted in Azure. These appliances receive emails from Exchange Online, inspect them, and send them back to Exchange Online. We could have opted for a configuration where the appliances deliver the emails to the Internet directly without involving Exchange again, but we wanted to keep the IP/service reputation and the message tracking capabilities provided by Exchange. I will not go into the details of creating those VMs, as this is vendor dependent. In our particular case, we uploaded a VM VHD to Azure Storage and then created an Azure Image from it. It was then fairly straightforward to deploy the VMs using an Azure Resource Manager template. The VMs are part of an Azure Availability Set and an Azure Network Security Group for traffic filtering.

Once the VM appliances had been deployed in Azure IaaS, an Azure Load Balancer was configured in order to provide high availability. This starts with a load balancing rule for SMTP (TCP port 25) that distributes inbound connections from Exchange Online across the two appliances.

Load Balancing Rule Configuration



Once that was completed, a health probe, also on port 25, was created so that the load balancer only sends traffic to the backend VMs that are actually accepting SMTP connections for the DLP service.

Health Probe Configuration



With the Azure portion of the setup completed, we now move on to the Exchange Online configuration. First we configured two connectors: an outbound connector that sends emails from Exchange Online to the DLP solution, and an inbound connector that ensures Exchange Online accepts the emails coming back from the DLP solution and then delivers them to the Internet.

From Connector Configuration



To Connector Configuration



Once the connectors had been created, we needed a mail flow (transport) rule that sends all emails to the DLP solution while avoiding a mail loop when those emails come back from it. To achieve this, the rule's action routes all emails to the connector responsible for sending them to the DLP solution, and an exception on the sender IP address was added: emails coming from the public IP of the load balancer in front of the DLP solution are excluded from the rule. This exception is what breaks the loop, but it also means that any message arriving from that IP skips the DLP routing. The inbound connector should therefore only accept mail from that IP, and the appliances themselves (through the Network Security Group) should only accept SMTP from Exchange Online, so they cannot be used as a relay that bypasses inspection.

Mail Flow Rule Configuration
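The whole procedure described above (load balancer rule and health probe, the two connectors, the transport rule with its loop-breaking exception, and a message trace check) can be reproduced in PowerShell. This is an added example, not the original configuration from the post: the resource group, region, resource names, the smart host name `dlp.contoso.com`, the load balancer IP `203.0.113.10` and the sender address are placeholders, and scoping the rule to external recipients is my choice (the post routes all mail).

```powershell
# Added example (not from the original post). Requires the Az and
# ExchangeOnlineManagement modules. All names and addresses are assumptions.

$rg      = "rg-dlp"             # assumed resource group
$loc     = "westeurope"         # assumed region
$lbName  = "lb-dlp"
$dlpHost = "dlp.contoso.com"    # assumed DNS name pointing at the load balancer public IP
$lbIp    = "203.0.113.10"       # assumed public IP of the load balancer (documentation range)

# --- Azure: public IP, health probe and SMTP rule on the load balancer --------
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-dlp" -Location $loc `
        -AllocationMethod Static -Sku Standard

$fe   = New-AzLoadBalancerFrontendIpConfig -Name "fe-smtp" -PublicIpAddress $pip
$pool = New-AzLoadBalancerBackendAddressPoolConfig -Name "pool-dlp"

# Health probe on TCP/25: an appliance that stops answering SMTP is pulled
# out of rotation after two consecutive failed probes.
$probe = New-AzLoadBalancerProbeConfig -Name "probe-smtp" -Protocol Tcp -Port 25 `
        -IntervalInSeconds 15 -ProbeCount 2

# Load balancing rule for SMTP, tied to the probe above.
$rule = New-AzLoadBalancerRuleConfig -Name "rule-smtp" -Protocol Tcp `
        -FrontendPort 25 -BackendPort 25 -FrontendIpConfiguration $fe `
        -BackendAddressPool $pool -Probe $probe -IdleTimeoutInMinutes 4

New-AzLoadBalancer -ResourceGroupName $rg -Name $lbName -Location $loc -Sku Standard `
        -FrontendIpConfiguration $fe -BackendAddressPool $pool `
        -Probe $probe -LoadBalancingRule $rule | Out-Null
# The appliance NICs still have to be added to $pool; that step is omitted
# because it depends on the vendor image / ARM template.

# --- Exchange Online: connectors and the transport rule ----------------------
Connect-ExchangeOnline

# Outbound connector: Exchange Online -> DLP appliances via the load balancer.
# Scoped to a transport rule, so nothing uses it unless the rule routes it there.
New-OutboundConnector -Name "To DLP" -ConnectorType Partner `
        -UseMXRecord $false -SmartHosts $dlpHost `
        -TlsSettings CertificateValidation -IsTransportRuleScoped $true `
        -RecipientDomains "*" | Out-Null

# Inbound connector: accept the inspected mail back, but only from the load
# balancer IP and only over TLS. That IP is the only source that bypasses the
# DLP routing rule below, so keep it as narrow as this.
New-InboundConnector -Name "From DLP" -ConnectorType Partner `
        -SenderDomains "*" -SenderIPAddresses $lbIp `
        -RequireTls $true | Out-Null

# Transport rule: route outbound mail to the DLP connector, except when it is
# already coming back from the load balancer IP (this is what breaks the loop).
# SentToScope NotInOrganization is an assumption; the post routes all mail.
New-TransportRule -Name "Route outbound mail through DLP" `
        -SentToScope NotInOrganization `
        -RouteMessageOutboundConnector "To DLP" `
        -ExceptIfSenderIpRanges $lbIp | Out-Null

# --- Check: after sending a test message, the trace should show it leaving
# Exchange Online for the DLP connector and then arriving again from $lbIp
# before delivery to the Internet.
$trace = Get-MessageTrace -SenderAddress "user@contoso.com" `
        -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date)
$trace | Sort-Object Received |
        Format-Table Received, SenderAddress, RecipientAddress, FromIP, ToIP, Status
```

Two things worth checking once this is in place: that `Get-MessageTrace` shows the message from `$lbIp` with the DLP connector's round trip, and that a message submitted directly to the appliances from an arbitrary Internet host is refused, since only the NSG and the appliance's own relay restrictions stand between an attacker and the DLP bypass granted to the load balancer IP.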



With that configuration in place, we were able to successfully send emails through the DLP servers and back to Exchange Online for delivery to the Internet. We can confirm this by looking at the message trace in Exchange Online:

If you have any questions about this, let me know!