Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure Inline DLP

Configure a new connector in Office 365 to allow the proper flow of email traffic. For details, see Configure mail flow using connectors in Office 365.


  • Skyhigh CASB supports only User Mailboxes, ideally from the Service account that is integrated. Shared Mailboxes are not supported.
  • To be assigned a dedicated PoP, contact Skyhigh Support

Step 1: Set up Exchange Online in Skyhigh CASB

The first step is to enable Inline DLP for Exchange Online in Skyhigh CASB.

To enable Exchange Online:

  1. Go to Settings > Service Management.
  2. Click Microsoft Exchange Online.
  3. If Exchange Online has been configured, click Default. Otherwise, click New Instance.
  4. Click Setup, then click Configure to the right of Configure Email DLP.
    MSEO Config.png
  5. On the Business Requirements page, select Inline Only. Click Next.
    Inline Email DLP Biz Reqs.png
  6. Review the prerequisites, then select I have reviewed all prerequisites and click Next.
    Inline Email DLP Prereqs.png
  7. On the Email DLP Configuration page, add the following:
    • Under Email Domains, add domains for DLP. Select one or more Microsoft Exchange Online domains, and then the email domain associated with your Trellix ePO deployment. Make sure that the domains belong to your tenant and are not common public domains.
    • Under Inline Email DLP, enter a value for Host Name and the Port. Make sure that the automatically generated Skyhigh CASB Email Server Domain is correct. Click Next.

NOTE: Under Select Domains, if you do not see the desired domain names, then add a domain to Microsoft 365 UI. To add domains, see Add a domain to Microsoft 365 documentation.

  1. For Quarantine Settings, you can enter an optional email address where quarantined files are sent. To enable this option, select Quarantine Emails and Attachments, then type the email address. Click Next.
  2. On the Summary page, make sure all settings are correct. Click Done.
    Inline Email DLP Summary.png

Step 2: Create a Security Group

Create a security group in Office 365 with a few email addresses for testing. Once you're happy with the performance, you can then either add security groups or use Inline DLP with all email addresses in your organization.

For instructions, see Manage mail-enabled security groups.

Make sure to set the following:

  • Type. Mail-enabled security group
  • Name. SkyhighCASBEmailDLP
  • Allow people outside of my organization to send email to this distribution group. OFF

Step 3: Create Mail Connectors

Create two mail connectors. The first connector sends emails from Office 365 to Skyhigh CASB for inspection, and the second accepts emails after Skyhigh CASB scans them. For details on setting up connectors in Office 365, see here.

To update the IP addresses in the second connector (Skyhigh CASB to Office 365), Skyhigh recommends you to create a new connector (Skyhigh CASB to Office 365) and add all the IP addresses from the Skyhigh CASB source IP addresses list mentioned below. Send a test email outside your organization to make sure that it is delivered successfully using the newly created connector. You can also disable the old connector after 24 hours.

Smart Host Names

Use the following smart host names in the first connector (Office 365 to Skyhigh CASB):

  • United States:
    • sjc-api-pop:
    • east-api-pop:
    • Sydney POP:
    • New Sydney POP:
    • India POP:
  • EU:
    • Frankfurt SPOP:
    • Stockholm POP:

Allow list IP addresses to be used in the second connector (Skyhigh CASB to Office 365). IP addresses for Skyhigh CASB environments to use with connectors are listed here:

Skyhigh CASB Source IP Addresses
United States Canada EU GOV

Route Email from Office 365 to Skyhigh CASB

To create a mail connector to route email from Office 365 to Skyhigh CASB for inspection:

  1. Log in to Office 365 as a Global Admin and go to the Exchange Admin center.
  2. Select Mail flow, then connectors.
  3. Add a connector. Follow the instructions at Set up connectors to route mail between Office 365 and your own email servers. Make sure to set the following options:
    • Name the new connector Office 365 to Skyhigh CASB Cloud Email DLP.
    • Make sure to select "Only when I have a transport rule set up that redirects messages to this connector" when setting up the new connector.
    • Make sure to select Always use TLS and Any digital certificate, including self-signed when you are prompted how to connect Office 365 to your partner's email server.

Next, create another connector to accept emails after Skyhigh CASB scans them. 

Route Email Back After Scanning

To create a connector to accept email after scanning:

  1. Return to Mail flow, then connectors.
  2. Add a connector.
  3. Under Select your mail flow scenario, set the following:
    • From. Your organization's email server
    • To. Office 365
  4. Click Next.
  5. On the New connector page, enter the following:
    • Name. Skyhigh CASB Cloud Email DLP to Office 365.
    • Description. Receives email after Skyhigh CASB DLP scans them.
  6. Under What do you want to do after connector is saved, select both of the following:
    • Turn it on
    • Retain internal Exchange email headers
  7. Click Next.
  8. On the Edit Connector page, under How should Office 365 identify email from your email server, select By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization. Then type a list of all Source IP addresses.
  9. Click Next.
  10. You should now have two connectors, one configured in each direction:

Step 4: Create Mail Routing Rule in Office 365

Specify the mail routing rule for the new connectors.

  1. Log in to Office 365 as a Global Admin and go to the Exchange Admin center.
  2. Select Mail flow > rules.
  3. On the Set rule conditions page, configure the following rules and conditions:
    • Name. Enter Send to Skyhigh Cloud Email DLP for inspection.
    • Apply this rule if. Select The sender is a member of this group. (security group was created in Step 2).
    • Do the following. Select Redirect the message to and select the following connector
  • On the Select connector dialog, choose Office 365 to Skyhigh Cloud Email DLP connector. Click Save.

IMPORTANT:  We recommend setting up email DLP only on EXTERNAL OUTBOUND emails. Internal communications between employees/users within an organization don't need to be scanned with the same degree of security.

  • Except if. Select The message headers..., then choose matches these text patterns.
    • Click Enter text; type X-SHN-DLP-SCAN. Click Save.
    • Enter success in the text field and then click Next.
  1. On the Set rule settings page, set the Rule mode as Enforce and Severity as Not specified.
  2. Click Next.
  3. On the Review and finish page, review all the changes made and click Finish.

Step 5: Test

Once the integration is complete, you must test it.

To test outbound email:

  1. Log in to your Office 365 account using a user that is a member of the security group you created in Step 2.
  2. Send a test email to your work email address and confirm it is received.

To confirm the test message was relayed via Skyhigh CASB Email DLP:

You can use the message trace in the Exchange admin center to verify that Inline DLP is functioning.

  1. Use a custom date range to filter out noise as required.
  2. Create a policy that triggers low (log only), medium (quarantine), and high (delete)
  3. Find the message you sent to yourself earlier, and double-click to review the details.
  4. Review the message trace and confirm the email was sent out using the connector.
  • Was this article helpful?