Professional Documents
Culture Documents
Foundation - ESS01
COURSE HANDBOOK
Introduction
1.5.4 Reports 40
1.5.5 Users 40
Administration
3.1.7 Encryption 54
3.6 Administration 81
3.6.1 User Accounts 81
3.6.4 Quarantine 86
3.9.2 Actions 96
4.7.3 Configure Office 365 Exchange Online Service Account and Import Historical Data 120
1.5.4 Reports 40
1.5.5 Users 40
Barracuda Essentials provides the most complete, simple, and affordable solution for protecting
business emails and data in Office 365, Microsoft Exchange, and G Suite. It combines award-
winning email security, as well as a tamper-proof email archive to ensure compliance and simplify
litigation searches. For Office 365, Barracuda also offers full cloud-to-cloud backup and recovery
of your emails and files.
The standalone Email Security option is available for purchase only through the Barracuda Self-
Service Gateway or Barracuda MSP.
Retention policies are a critical element of email archiving. They allow you to decide how long a
message is kept before it is deleted.
The Barracuda Cloud Archiving integrates with your mail server or hosted mail service to create a
cloud-based indexed archive, storing mail in a secure, separate repository for as long as needed
without risk of deletion.
The Barracuda Cloud Archiving Service provides advanced archiving functionality. Messages
stored in the Barracuda Cloud Archiving Service archive are immutable – they cannot be
changed after archiving, ensuring that the archive is an accurate record of messages received.
Cloud-based, multi-layer email security, archiving, and cloud-to-cloud backup for Office 365
mailboxes, OneDrive for Business, and SharePoint Online, which includes:
• Barracuda Email Security – Security service protecting both inbound and outbound email
against the latest spam, viruses, worms, phishing and DoS attacks.
• Barracuda Cloud Archiving Service – Journal mail directly from Office 365 to the Barracuda
Cloud to optimize email storage, meet regulatory compliance and e-discovery requirements,
and provide anytime/anywhere access to old emails.
Compliance Edition
Cloud-based spam prevention, email security, ATP, and archiving, which includes:
• Barracuda Email Security – Security service protecting both inbound and outbound email
against the latest spam, viruses, worms, phishing and DoS attacks.
• Barracuda Cloud Archiving Service – Journal mail directly from your mail server or hosted
service to the Barracuda Cloud to optimize email storage, meet regulatory compliance and
e-discovery requirements, and provide anytime/anywhere access to old emails.
Security Edition
• Barracuda Email Security – Security service protecting both inbound and outbound email
against the latest spam, viruses, worms, phishing and denial of service attacks.
Advanced search x
• IP Analysis
• Content Analysis
• Regional Policies
• Rate Control
IP Analysis
Once the true sender of an email message is identified, the reputation and intent of that sender
should be determined before accepting the message as valid, or “not spam”. The best way to
address both issues is to know the IP addresses of trusted email senders and forwarders and
define those as exempt from scanning by adding them to a list of known good senders.
You can create a list of Trusted Forwarders by specifying one or more IP addresses of machines
that you have set up to forward email to the Barracuda Email Security Service from outside
sources. The Barracuda Email Security Service exempts any IP address in this list from Rate
Control, Sender Policy Framework (SPF) checks, and IP Reputation. In the Received headers,
the Barracuda Email Security Service continues looking beyond a Trusted Forwarder IP address
until it encounters the first non-trusted IP address. At this point, Rate Control, SPF checks, and IP
Reputation checks are applied. Configure on the Inbound Settings > IP Address Policies page.
Message Content Filtering – Base message content filtering on any combination of Subject,
Headers, Body, Attachments, Sender, or Recipient, and select whether to Block, Ignore, or
Quarantine messages that meet the entered criteria. Use regular expressions as well as the
following special characters: . [ ] \ * ? $ ( ) | ^ @
Note that you must escape special characters with a backslash (“\”). See Regular Expressions
in the Campus Reference section for advanced filtering text patterns. HTML comments and tags
between characters in the HTML source of a message are filtered out so that content filtering
applies to the actual words as they appear when viewed in a web browser.
• Content Analysis
• Outbound Quarantine
Figure 1: Mail Flow for Encrypted messages sent through the Barracuda Email Security Service.
• Define when to Encrypt Messages – Use the Outbound Settings > Content Policies page to
create policies for outbound message encryption in one or both sections:
• Message Content Filters – You can select the Encrypt action for outbound email based on
characteristics of the message’s subject, header or body. You can specify simple words or
phrases, or use Regular Expressions. Content filtering is case sensitive.
• Predefined Filters – You can select the Encrypt action for outbound email messages that
contain matches to pre-made patterns in the subject line, message body, or attachment.
Use the pre-defined data leakage patterns (specific to U.S.) to meet HIPAA and other email
security regulations:
• Credit Cards – Messages sent through the Barracuda Email Security Service containing
recognizable Master Card, Visa, American Express, Diners Club or Discover card
numbers will be subject to the action you choose.
• Social Security – Messages sent with valid social security numbers will be subject
to the action you choose. U.S. Social Security Numbers (SSN) must be entered in
the format nnn-nn-nnnn.
• Privacy – Messages will be subject to the action you choose if they contain two or
more of the following data types, using common U.S. data patterns only: credit cards
(including Japanese Credit Bureau), expiration date, date of birth, Social Security
number, driver’s license number, street address, or phone number.
• HIPAA – Messages will be subject to the action you choose if they contain TWO of the
types of items as described in Privacy above and ONE medical term, or ONE Privacy
item, ONE Address and ONE medical term. A street address can take the place of
Privacy patterns. So, for example, a U.S. Social Security Number (SSN), an address, and
one medical term is enough to trigger the HIPAA filter.
The format of this data varies depending on the country, and these
filters are more commonly used in the United States; they do not
apply to other locales. Because of the millions of ways that any of the
above information can be formatted, a determined person will likely
be able to find a way to defeat the patterns used. These filter options
are no match for educating employees about what is and is not
permissible to transmit via unencrypted email.
• Message Content Filters – Enter filter patterns and select to Block, Allow, Quarantine, or
Encrypt for Subject, Headers, Body, Attachments, Sender, or Recipient. Note that Header
filters are applied to both the header name and content of any header, while the Subject
filters only scan the contents of the Subject header. Use regular expressions as well as the
following special characters: . [ ] \ * ? $ ( ) | ^ @
When using these special characters, you must escape each character with a backslach (“\”).
• Image Analysis – Image analysis techniques protect against new image variants. Image
analysis is automatically configured in the Barracuda Email Security Service.
An abuse notification email may be sent to the administrator of your Barracuda Email Security
Service for various reasons. These include but are not limited to:
• Sending mail to more recipients per 30 minute period then allowed by the Barracuda
Email Security Service.
• Sending out mail to more invalid recipients than allowed by the Barracuda
Email Security Service.
• Sending out mail that has been classified by the Barracuda Email Security Service as spam or
as containing a virus.
To prevent generation of an abuse notice, it is recommended that you spread out the delivery of
email blasts over a longer period of time or to smaller groups of recipients, and to make sure that
the addresses you are sending to are legitimate. The limits set by the Barracuda Email Security
Service on the number of recipients that can be sent mail per 30 minutes protects against an
outbound spam attack from a customer’s network.
• IP Addresses With Recent Abuse – The owner of an IP address that appears in this table on
the Outbound Settings > Abuse Monitor page for consistently exceeding Rate Controls may
use the Request Increased Limit button to request Barracuda Networks to allow a higher
volume of outbound mail so that Rate Control does not take effect.
• Suspended IP Addresses – IP addresses that send very high volumes of email, consistently
triggering Rate Controls, may be suspended from sending outbound mail through the
Barracuda Email Security Service. Contact Barracuda Networks Technical Support if your IP
address appears in this list.
Outbound Quarantine
Configure policies on the Outbound Settings pages to quarantine outgoing messages that meet
certain criteria. The administrator can view all quarantined outbound messages from senders
within the organization and select to delete, reject, deliver, or export those messages from
the Overview > Outbound Quarantine page.
Rejected Messages
When enabled by the administrator, the sender receives a non-delivery report
(NDR) indicating that their message will not be sent to the recipient.
When a message ends up in the outbound quarantine, the sender receives an NDR email
when Quarantine Sender Notification is enabled on the Outbound Settings > Notifications page.
The email template is configurable.
4. Configure the body of the NDR email using the Quarantine Notification Template.
5. Click Save Changes.
If the administrator rejects an email in the outbound quarantine, an NDR is sent to the email
sender. The email template is configurable.
a. Reject Notification Address – Enter the NDR ‘from’ address that the sender receives.
b. Reject Notification Subject – Enter the NDR subject that the sender receives.
2. Click Save Changes.
Note that rate limit is not a block of their mail, but a deferral. The mail server
retries this mail until it is all delivered. Per-user rate control only affects users
listed in the Users > Users List; the rate limit for users not in this page get the
per-domain rate limit, normally 250 per 30 minute period. Anyone sending
outbound mail through the Barracuda Email Security Service should be listed in
the Users > Users List page.
A sender may hit rate control limits due to your mail server configuration. For example, if a user
sends out a mass mailing to 1000 people, they will hit their rate control limit. Based on 150
recipients per 30 minute period, it will take at least 4 hours for all of the mail to be delivered. If
your mail server retries this deferred mail every few minutes this can cause the sender to remain
rate limited for a very long time. Barracuda recommends that you configure your mail server to
retry deferred connections every 30 minutes to avoid this issue.
If you have mail that must go out immediately, Barracuda recommends either:
• Bypassing the Barracuda Email Security Service and sending it directly to the Internet, or
If you are using a mass mail program that does not retry deferred mail,
Barracuda recommends that you configure the system to deliver the mail
directly to the Internet or have it relay the mail through a fully functional mail
server that can correctly handle deferred mail.
Exceeding rate control limits displays in your outbound abuse report page, however, if there is
a problem with your account resulting in your outbound IP address being blocked or a blocked
user email address, Barracuda will contact you via email or phone explaining the problem
requiring attention.
Select whether to enable SPF for checking inbound mail on the Inbound Settings
> Sender Authentication page. When enabled, Messages that fail SPF check are
blocked and logged as such.
If you have SPF checking enabled on your mail server or network, it is critical
when using the Barracuda Email Security Service that you either disable SPF
checking in the service or add the Barracuda Email Security Service IP ranges
64.235.144.0/20 and 209.222.80.0/21 to your SPF exemptions. Otherwise, your
SPF checker blocks mail from domains with an SPF record set to Block because
the mail is coming from a Barracuda Email Security Service IP address not in the
sender’s SPF record. For more information, see the Project Overview.
You can optionally enable Sender Rewriting Scheme (SRS) for a specific domain
from the Domains > Domain Manager > Domain Settings page. When enabled,
the IP address of the sending mail server is visible to the SPF verification
agent on the recipient’s end. The recipient’s SPF agent checks the reverse MX
records for your domain and verifies your IP address as an authorized sender to
ensure message delivery to the recipient.
2. Go to the Inbound Settings > Sender Authentication page, and select from the available
options in the Use Sender Policy Framework section:
a. Block FAIL – The SPF FAIL (also referred to as Hard FAIL) response indicates that the IP
address of the message sender does not match the IP address or range of IP addresses
specified in the sending domain name’s SPF record, and that the real owner of the domain
has specifically indicated that such messages should be rejected (blocked) as spoofed.
b. Block FAIL, SOFTFAIL – The SPF SOFTFAIL response indicates that the message sender’s
IP address does not match the IP address or range of IP addresses specified in the
sending domain name’s SPF record. A SOFTFAIL means that the domain owner did not
specify how such messages should be handled.
You can exempt mail relay servers and other machines from SPF checks that are set up
specifically to forward mail to the Barracuda Email Security Service from outside sources. Mail
from these IP addresses is still scanned for spam.
To assure outbound mail from your Barracuda Email Security Service that Barracuda Networks is
the authorized sending mail service, add the following to the SPF record INCLUDE line for each
domain sending outbound mail based on your Barracuda Email Security Service instance. For
example, type: include:spf.ess.barracudanetworks.com -all
DKIM uses a public and private key-pair system. An encrypted public key is published to the
sending server’s DNS records, and each outgoing message is then signed by the server using
the corresponding private key. For incoming messages, when the Barracuda Email Security
Service sees that message is signed, it retrieves the public key from the sending server’s DNS
records and uses that key to validate the messages’s DKIM signature.
Specify DKIM policy settings on the Inbound Settings > Sender Authentication page:
• Block – Messages from a domain that fails DKIM verification are blocked.
• Quarantine – Messages from a domain that fails DKIM verification are quarantined.
• Off – When set to Off, the Barracuda Email Security Service does not run DKIM checks for
inbound messages. This is the default setting.
Additionally, you can select to exempt specific domains from DKIM verification.
Specify DMARC policy settings on the Inbound Settings > Sender Authentication page:
• Enable DMARC –
• When set to Yes, DMARC enables a sending domain to specify policy for messages
that fail DKIM or SPF.
• When set to No, the Barracuda Email Security Service does not run DMARC checks for
inbound messages and the SPF and DKIM policy settings are used to verify the IP address
range and sending domain.
Additionally, you can select to exempt specific domains from DMARC verification.
Enable Email Continuity for all users on all domains on the account to comply with business
continuity regulations.
When Email Continuity and spooling are enabled, the Barracuda Email Security Service
continually checks designated mail server connections. When the service determines a mail
server is offline, spooling begins immediately and Email Continuity begins 10 minutes later. The
Barracuda Email Security Service then continues to check designated mail server availability
until the connection is restored. Once the service determines spooling has stopped and email
is flowing, Email Continuity remains active for up to an hour after spooling has stopped
and email is flowing.
• The original mail headers and timestamp sent/received during an outage are synchronized to
the primary mail server to minimize end-user confusion.
• Message for the primary and alias email are delivered to the primary account.
• When replying to a message or forwarding a message from Email Continuity, the sender is the
primary email address.
• Outbound messages sent via Email Continuity are subject to the configured outbound policies.
• When Email Continuity is enabled, if the administrator logs in as a user, that user’s
message log is view-only.
• You cannot access or send messages via quarantine notification email when Email
Continuity is in effect.
When Email Continuity is activated, users can continue to view their messages in the Message
Log. In addition to the standard message actions in the Message Log view, users can compose
a new message, and forward or reply to a message. Spooled messages display in the account
admin, domain admin, recipient, and sender Message Logs when Email Continuity is running.
Enable spooling for each domain where you want to enable Email Continuity, and then enable
Email Continuity on the Users > Email Continuity page.
1.3.1 Options
Configure policies on the Inbound Settings > Content Policies page, and specify how and when
attachments are scanned on the ATP Settings page.
This option does not delay email processing, however, the email recipient can
potentially open an infected attachment.
This option provides more security and prevents the email recipient from
opening infected attachments. These messages appear in the Message log
and Pending Scan displays in the Reason column. The mail server retries
until the scan is complete and no virus is detected in the attachment, at which
point the message is delivered. Note that messages with attachments may
be temporarily deferred while queued for scanning. If the message status is
deferred for more than four hours, the message is quarantined.
Attachments from exempted entries are not sent to the ATP cloud. Note that
these exemptions apply to ATP scanning only and do not apply to Barracuda
Email Security Service virus scanning.
• ATP Service Unavailable – Message is deferred because the ATP service is temporarily
unavailable. The message is retried and, when the scan is complete and if no virus is
detected, the message is delivered.
5. The Email Delivery Warning dialog box displays a list of attachments, one or more of which is
suspected of being Infected. If you want to deliver the email and the associated attachments,
first review the report for each attachment.
6. Click View Report for the suspicious attachment, and review the report details.
• Email Import – Import email into your Barracuda Cloud Archiving Service that meets the
specified criteria. See the following Barracuda Campus articles for configuration details:
• Non-Email Sync – In addition to emails that are automatically sent to the Barracuda Cloud
Archiving Service for storage, you can configure non-email items such as Appointments,
Contacts, Notes, and Tasks for archive. This enables you to get a more complete picture of all
items that are or have been stored on your mail server or hosted mail service, and eliminates
the need to keep .pst files around solely for the purposes of retaining this information.
• Folder Sync – Import the complete folder structure of the selected Item Sources, including
custom folders and sub-folders. The nightly folder synchronization process scans the
specified mailboxes, and imports the user’s folder structure, including custom folders
and sub-folders, into the Barracuda Cloud Archiving Service. Note that a Folder Sync job
does not import emails to the Barracuda Cloud Archiving Service, it only imports the
folder structure. Email messages are sent to the Barracuda Cloud Archiving Service via
real-time journaling.
If the age of any message exceeds the maximum age allowed by all Saved
Search retention policies that apply to the message, that message is
permanently deleted from the Service. The Global Retention Policy setting does
not apply to any messages that match a Saved Search retention policy.
If a message matches more than one Saved Search-based policy, then the message is kept
according to the longest policy length. If it matches a Saved Search-based policy as well as the
global policy, then the Saved Search policy takes precedence.
Litigation Holds
Litigation Holds are created by auditors to prevent messages that meet the criteria for a specific
Saved Search from being removed from the Barracuda Cloud Archiving Service. The system
administrator must first Enable Litigation Holds before auditors are given the option to create
Litigation Holds from the Saved Searches tab on the Basic > Search page.
The following information about active Litigation Holds displays here, visible only to the
system administrator:
• Auditor – The account name of the Auditor who created the Litigation Hold
• Saved Search – The name of the Saved Search associated with this Litigation Hold
• Hold End Date – The date and time when this Litigation Hold expires
To delete a litigation hold you must have system administrator rights; click the trash can icon
following the Litigation Hold you want to delete.
• Local Accounts – These accounts reside only on the Barracuda Cloud Archiving Service and
are created from the Users > User Add/Update page in the administration interface.
• LDAP Accounts – These accounts reside in your LDAP directory. Once LDAP is configured
on the Barracuda Cloud Archiving Service, users can log in using their regular network
credentials to view and create flags for messages in their personal archive.
User Roles
Local accounts are created with one of the following roles:
• User – Able only to view messages accessible to the account, either because the username
for the account is also that of the sender or recipient of a message, or because it has been
given explicit access to view an email address via Alias Linking.
• Admin – Able to view all items from any user, not just those listed for the account. Also able
to create and activate policies, and can make other system or network changes.
The assigned role can be changed at a later date from the Users > Accounts page, but only the
last assigned role is active.
• Basic Search – Use the Basic Search mode to perform a quick search across all messages.
The Basic Search interface accepts a word or phrase on which to search, and returns all
available messages that contain the specified text in either the header or message body. This
mode is useful when searching for that handful of emails to or from someone on a specific
topic, or when looking for any message that contains a particular phrase. These are one-time
searches as these cannot be saved for later use. All search terms for Basic Search must be in
one of the following formats:
Text-based, Multi-Text, Wildcards, or Domain-based
• Advanced Search – Use the Advanced Search mode to perform complex search
queries based on selected attributes. Use the following options to build and save
Advanced search queries:
• To add additional search parameters – Click the plus sign (+) to the left of a
search criteria line.
• To remove a search parameter – Click the minus sign (-) to the left of the search
parameter you want to remove.
• To AND or OR search parameters – Once you have more than one search criteria line,
the AND button displays at the end of each search parameter signifies that it will be
logically ANDed to the next specified parameter. If your next criteria is to be logically
ORed, click AND to toggle it to OR and vise versa.
• To save a search query – Click Save Search below the search criteria and enter the name
under which the query is to be saved; if you enter a name that already exists, the new
search parameters replace the previous search criteria.
See Understanding Basic and Advanced Search in Barracuda Campus for message actions,
search tips, search strings, and keyword expressions.
• Barracuda Outlook Add-In – Allows users to perform various functions with messages that
are stored through your organization’s Barracuda Cloud Archiving Service, including:
• Search for archived messages and other Microsoft Outlook data such as Contacts;
• View and interact with (forward, reply to, etc.) all of your archived Outlook items; and
• Archive messages.
• Barracuda Standalone Search Utility – Download and install the utility on your Windows or
Mac OS X-based system to search archives without using Barracuda Archive Search Outlook
or logging in to the Barracuda Cloud Archiving web interface.
• Search for archived messages based on email content, or constrain the search to a date
range, a specific sender or recipient, or subject line content;
• Search deleted messages and emails no longer visible in your mail application;
• View and interact with (reply to, reply all, forward) archived messages;
Barracuda Cloud-to-Cloud Backup for Office 365 protects Exchange Online, OneDrive for
Business, and SharePoint Online data by backing it up directly to Barracuda Cloud Storage.
Barracuda Cloud-to-Cloud Backup for Office 365 can be used as an add-on to an on-premises
Barracuda Backup appliance or as a standalone subscription without an appliance. For Exchange
Online, Barracuda Cloud-to-Cloud Backup protects all email messages, including all attachments,
as well as the complete folder structure of each users’ mailbox. In OneDrive for Business, all files
under the Documents Library, including the entire folder structure, are protected. For SharePoint,
protects Online files and folders in Document Libraries, Site Assets, Site Pages, Picture Libraries,
and Form Templates in Team Sites, Public Sites, Wiki Sites, and Publishing Sites.
For an overview of your backup activity and storage details, see the Status page
in the web interface.
Configure retention policies for data stored in Barracuda Cloud Backup on the Backup >
Retention Policies page. Be sure to configure retention policies for your data. Not doing so
means that some unwanted data will be moved across the Internet and stored.
Historic data is retained according to the retention policy timeline. Data backed up using
Barracuda’s cloud treats Sunday as the end of week in accordance with the ISO date standard.
When you define a retention policy, begin by selecting either a preset template or a previously
defined policy as a starting point. This helps you avoid creating multiple retention policies for the
same sets of data. You can create one policy for all of the data sources on a Barracuda Backup
Server, or create different policies that include subsets of the data.
1.5.4 Reports
Use the Reports page to view backup and restore details as well as an audit log of all activities in
the Barracuda Cloud Backup web interface:
• Backup Reports – Barracuda Backup provides a detailed report for each backup that is run.
In addition, any backup process currently running displays. Backup reports include details
about the backup such as when the backup started, duration, size, if there were any errors
or warnings, and any new, changed, or removed items. Reports also include links to each
backed up file to view or download the item from the report. Click Details to view recent
activity in chart form. You can also view a list of backed up files including the number of
new, changed, and removed files, as well as a list of any errors encountered during backup.
Click Download the report as a .csv file to your local system.
• Restore Reports – You can view restoration details in the Reports > Restore page. To specify
how you want to sort the table, click on a heading, and then click on the up/down arrows to
the right of each heading to specify either an ascending or descending sort. Click Details to
view all details for the selected restoration including any encountered errors.
• Audit Log Reports – The Reports > Audit Log page displays a report of all activities in
the Barracuda Cloud Backup web interface by time and date, by user, and by action.
Logged activity includes log on authentication, changes to settings, changes to account
information, and more. Click Details for additional information for a specific activity.
1.5.5 Users
Use the Admin > Users page to administer users that have access to the Barracuda Cloud
Backup web interface.
Edit user details from this page by selecting a user and clicking Edit to the right of the user. You
can edit the following user options, all of which are specific to this service:
• Restrict access to the Barracuda Cloud Backup web interface to one or more IP addresses.
Enter an IP block in single 192.168.1.100 notation, CIDR net block 192.168.1.0/24 notation, or a
range in 192.168.0.0-192.168.0.128 notation to restrict the IP address for the selected user. Use
a comma to separate multiple IP blocks.
• An Account Administrator can create new users and manage billing information, and has
full access to Barracuda Cloud Backup and all appliances associated with the account.
• An Operator cannot restore data or edit user accounts; operators are limited to viewing
statistics and modifying backup configuration.
• Status user access is limited to viewing the Status page for Barracuda Backup appliances
to which they have access.
Click Add & Remove Users to add a new user, edit details for an existing user, or delete a user.
• Backup Detailed Reports – When selected, an email notification containing a list of all
items backed up is sent
• Alerts – When selected, an email notification is sent if a backup job has errors
• Notices – When selected, if the account includes physical appliances, a notice is sent when
the Barracuda Backup software is updated
• G Suite
• Exchange 2007/2010
PowerShell Requirements
The Essentials Wizard utilizes PowerShell scripts to quickly configure and set up your services.
Before getting started, verify you have the following:
• Windows 8 or 8.1
• Microsoft .NET Framework 4.5 or 4.5.1 and either the Windows Management Framework 3.0
or the Windows Management Framework 4.0 available from the Microsoft downloads page
• Verify the service account has a mailbox, and is not hidden in the Global Address
listConfigure and centrally
• PowerShell credentials
• Compliance Edition
• Security Edition
In the examples that follow, we will deploy the Barracuda Essentials Complete
Edition for Office 365.
3. Go to Products > Essentials for Office 365. Click Editions, and click Free Trial under the plan
you want to try or buy.
4. In the Plan Details plan page, enter the Number of users, and select the Subscription
Type. Click Continue.
5. The Barracuda Account page displays your Barracuda Cloud Control account
information. Click Continue.
6. In the Billing Details (Optional) page, enter your billing information to purchase Essentials for
Office 365 or leave the Billing Information section blank to start your free evaluation.
7. Click Continue.
8. Your order details display. Click Set Up Essentials to launch the Essentials wizard.
2. The Link Office 365 Account page displays. Click Authorize; the Office 365
login screen displays.
3. Enter your Office 365 admin credentials, and click Sign in. In the Office 365 permissions
page, click Accept to connect Essentials to your Office 365 account.
4. The Route Outbound Email page displays. Use this page to create outbound email
connectors for domains on your Office 365 account. By default, Route outbound email
for all domains through Barracuda Essentials is selected and a list of all domains that
will be configured displays. Click Continue; the wizard verifies your domains and
replaces your current MX records with the Barracuda Email Security Service Primary
and Backup MX records.
5. Click Continue. The Configure Office 365 page displays. Use this page to configure and
set up your services. Select Allow Barracuda to configure connectors and permissions
(recommended) to automatically configure permissions via PowerShell.
6. When prompted, log in using your Office 365 admin credentials, and click OK. Once
configuration is complete and your Office 365 account authorizes the connection, the
Configuration Summary displays. Click OK.
This completes the initial configuration. You can now configure the services included in
the selected edition.
• Email Journaling is set up through Barracuda Cloud Archiving Service (if you selected Email
Security and Compliance or Complete Protection and Compliance)
• User impersonation for Exchange Online and all OneDrive for Business sites is configured
Following are the steps to download and run the PowerShell scripts, and manually
configure permissions.
2. Download and install the Microsoft Online Services Sign-In Assistant from the Microsoft
Windows Download Center
• Click Download PowerShell Script to download the script to your local system, or
3. When prompted, enter the Office 365 global admin credentials used on the Link Office
365 page in the Wizard.
4. If the wizard is unable to connect to your Office 365 account, click Retry connection.
• User impersonation for Exchange Online and all OneDrive for Business sites
3.1.7 Encryption 54
3.6 Administration 81
3.6.1 User Accounts 81
3.6.4 Quarantine 86
3.9.2 Actions 96
The Barracuda Email Security Service is a pass-through service, accepting connections from
a mail server, getting the initial “rcpt to” line and connecting to the destination mail server. The
service then monitors the data stream for any spam or virus content and applies policies you
configure in the web interface.
• Sender IP addresses
Rate Control
Automated spam software can be used to send large amounts of email to a single mail server.
To protect the email infrastructure from these flood-based attacks, the Barracuda Email Security
Service counts the number of recipients from a sender to a domain during a 30 minute interval
and defers the connections once a particular threshold is exceeded. Inbound Rate Control is a
threshold for the number of recipients a domain is willing to receive from a sender (a single IP
address) during a 30 minute interval. Inbound Rate Control is configurable while Outbound Rate
Control is set automatically by the Barracuda Email Security Service.
IP Analysis
After applying rate controls based on IP address, the Barracuda Email Security Service performs
analysis on the IP address of email based on Barracuda Reputation, external blocklits, and
allowed and blocked IP address lists.
• Powerful open source virus definitions from the open source community help monitor and
block the latest virus threats.
• Proprietary virus definitions, gathered and maintained by Barracuda Central, our advanced
24/7 security operations center that works to continuously monitor and block the
latest Internet threats.
• Barracuda Real-Time System (BRTS). This feature provides fingerprint analysis, virus
protection and intent analysis. When enabled, any new virus or spam outbreak can be
stopped in real-time for industry-leading response times to email-borne threats. BRTS allows
customers to report virus and spam propagation activity at an early stage to Barracuda
Central. Virus Scanning takes precedence over all other mail scanning techniques and
is applied even when mail passes through the Connection Management layers. As such,
even email coming from exempt IP addresses, sender domains, sender email addresses, or
recipients are still scanned for viruses and quarantined if a virus is detected.
Additionally, Barracuda offers the subscription-based Advanced Threat Protection (ATP) service,
a cloud-based virus service that applies to inbound messages. ATP analyzes email attachments
in a separate secured cloud environment to detect new threats and determine whether to
block such messages.
Intent Analysis
All spam messages have an “intent” – to get a user to reply to an email, to visit a website, or to
call a phone number. Intent analysis involves researching email addresses, web links and phone
numbers embedded in email messages to determine whether they are associated with legitimate
entities. Frequently, Intent Analysis is the defense layer that catches phishing attacks. When
enabled, the Barracuda Email Security Service applies various forms of Intent Analysis to both
• Sending too many emails from a single network address – Automated spam software can
be used to send large amounts of email from a single mail server. Through Rate Control the
Barracuda Email Security Service limits the number of connections made from any IP address
within a 30 minute time period. Violations are logged to identify spammers. Inbound Rate
Control is configurable while Outbound rate control is set automatically by the Barracuda
Email Security Service.
• Attempting to send to too many invalid recipients – Many spammers attack email
infrastructures by harvesting email addresses. Recipient Verification on the Barracuda Email
Security Service allows the system to automatically reject SMTP connection attempts from
email senders that attempt to send to too many invalid recipients, a behavior indicative of
directory harvest or dictionary attacks.
• Registering new domains for spam campaigns – Because registering new domain names is
fast and inexpensive, many spammers switch domain names used in a campaign and send
blast emails on the first day of domain registration. Realtime Intent Analysis on the Barracuda
Email Security Service is typically used for new domain names and involves performing DNS
lookups and comparing DNS configuration of new domains against the DNS configurations of
known spammer domains.
• Using free Internet services to redirect to known spam domains – Use of free websites to
redirect to known spammer websites is a growing practice used by spammers to hide or
obfuscate their identity from mail scanning techniques such as Intent Analysis. With Multi-
level Intent Analysis, the Barracuda Email Security Service inspects the results of web queries
to URIs of well-known free websites for redirections to known spammer sites.
Notifications
The Barracuda Email Security Service sends out two kinds of notifications:
• Attachment Blocking for Content – A notification is sent to the message sender when it is
blocked due to attachment content filtering.
3.1.7 Encryption
To prevent data leakage and ensure compliance with financial, health care and other federally-
regulated agency information policies, the Barracuda Email Security Service provides several
types of encryption for inbound and outbound message traffic.
Encrypted Channel
TLS provides secure transmission of email content, both inbound and outbound, over an
encrypted channel using the Secure Sockets Layer (SSL) - also known as TLS.
To require mail to be sent outbound from the Barracuda Email Security Service over a
TLS connection, enable Force TLS for each domain on the Outbound Settings > DLP/
Encryption page. Mail sent to these domains must be transmitted across a TLS connection. If a
TLS connection cannot be established, mail will not be delivered.
To require mail coming inbound to the Barracuda Email Security Service to use a TLS connection,
set SMTP Over TLS to Required on the Domains > Settings page for each domain. When set
to Required, if TLS is available on your organization’s mail server, inbound mail is sent over a TLS
channel. If not, mail is sent in cleartext.
3. In the User Accounts field, enter each user email address for the domain on a separate line,
and then select from the following options:
a. Enable User Quarantine – All emails for the user which meet the configured block policy
go to the user’s quarantine account.
b. Notify New Users – When set to Yes, users receive a welcome email once
the account is created.
4. Click Save Changes. The users are added to the Users > Users List table where you can
select from the following actions:
b. Reset – Click to send the user an email with instructions on how to reset
their account password.
c. Log in as this user – Click to view or change the user’s settings (for example, quarantine
notifications), view/manage the domains this user manages, and view/search/manage
the user’s Message Log.
To ensure that the service can connect with your network, allow
traffic originating from the range of network addresses based on your
Barracuda Email Security Service instance; see Barracuda Email Security
Service IP Ranges for a list of ranges based on your Barracuda Email
Security Service instance.
Set Up LDAP
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and
click Email Security in the left pane.
2. Go to the Domains page, and click Edit in the Settings column to the right of the domain.
4. In the LDAP Configuration section, configure the variables for your LDAP server.
5. In the Test LDAP Configuration Settings section, enter a valid email address in the
Testing Email Address field to test your LDAP settings; if left blank, LDAP settings are only
tested for connection.
7. Optionally, expand the Advanced LDAP Configuration section, and set the user filter options.
a. Synchronize Automatically – Set to Yes if you are using LDAP and want the Barracuda
Email Security Service to automatically synchronize your LDAP users to its database on a
regular basis for recipient verification. With Microsoft Exchange server, the synchronization
is incremental. Select No if you want to synchronize manually in case your LDAP server is
not always available. To synchronize manually, click Synchronize Now.
b. Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication.
You can disable this setting if your LDAP server is unavailable for a period of time.
c. Authentication Filter – Filter used to look up an email address and determine if it is valid
for this domain. The filter consists of a series of attributes that might contain the email
address. If the email address is found in any of those attributes, then the account is valid
and is allowed by the Barracuda Email Security Service.
Complete the following steps for each domain you want to synchronize with Azure AD.
Azure AD Setup
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and
click Email Security.
7. Click Sync Now to add your Azure AD users to the Barracuda Email Security Service. The
synchronization progress displays; allow the process to complete.
If you select Manual, you must click Sync Now to synchronize the
Barracuda Email Security Service with your Azure AD directory
and add/update users.
9. To use SSO, click Yes for Enable Single Sign On. Once enabled, users are prompted to log
in to their Microsoft Office 365 account when accessing their messages in the Barracuda
Email Security Service.
10. Click Save at the top of the page to save your settings and return to the Domains page.
4. Take note of the hostname. This is the address of your destination mail server, for example,
cudaware-com.mail.protection.outlook.com
3. Enter the domain name and destination mail server hostname obtained from your Office 365
account in the dialog box.
4. Click Add; the Domain Settings page displays where you can complete your configuration.
5. In the specify IP address ranges page, type the IP address range for the Sender (Barracuda
Email Security Service) based on your Barracuda Email Security Service instance, for
example, type: 64.235.144.0/20, and click the + symbol.
6. Type the next IP address range for the Sender, for example, type 209.222.80.0/21,
and click the + symbol:
7. Click OK.
10. Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top,
click on the rule, and use the Up arrow to move the rule to the top of the list.
After updating your MX records, allow 24 hours before completing the steps in
this section to allow the records to propagate.
Use the steps in this section to restrict inbound mail to the Barracuda Email Security
Service IP address range.
4. In the new rule page, enter a Name to represent the rule. For example, type:
Barracuda ESS IP restriction
6. From the Apply this rule if drop-down menu, select The Sender > Is External/Internal >
Outside the organization.
7. From the Do the following drop-down menu, select Reject this message
with the explanation.
8. Enter the message you want included in the non-delivery report (NDR) that is sent to the
sender. For example, enter:
You have attempted to bypass our Email Security Service. Please
ensure your DNS is up-to-date and try sending your message again.
10. Select The Sender > Sender’s IP address is in any of these ranges or exactly matches,
and enter the Barracuda Email Security Service IP range based on your Barracuda Email
Security Service instance.
11. Enter the Barracuda Email Security Service IP range, for example: 64.235.144.0/20
12. Click the + symbol.
13. Enter the Barracuda Email Security Service IP range, for example: 209.222.80.0/21
14. Click the + symbol.
16. Scroll to the Properties of this rule section, and in the Priority field, type: 0
17. In the new rule page, click Stop processing more rules, and click Save to create the rule.
18. Office 365 is now configured to block any email that does not originate from the Barracuda
Email Security Service IP address ranges.
If you complete both Step 3. Create Transport Rule and Step 4. Restrict
Inbound Mail to the Barracuda Email Security Service IP Range, verify the
Restrict Inbound Mail from Outside Your Organization to the Barracuda
Email Security Service IP Range rule displays first in the mail flow rules list,
and the Transport Rule rule displays second in the mail flow rule list.
2. Click Domains, and click on the domain name to toggle the MX Records configuration; make
note of the Outbound Hostname.
3. Log in to the Office 365 admin center, and go to Admin centers > Exchange.
5. Click the + symbol and use the wizard to create a new connector.
10. Go to the Barracuda Email Security Service, click the Domains tab, and click on the domain
name to toggle the MX records configuration. Copy your outbound hostname, and enter it in
the add smart host page:
12. Click Next. In the confirmation page, verify your settings and click Next. Office 365 runs a test
to verify your settings:
13. When the verification page displays, enter a test email address, and click Validate. Once the
verification is complete, your mail flow settings are added.
• If you have an SPF record set up for your domain, edit the existing record, and add
the following to the INCLUDE line for each domain sending outbound mail based on
your Barracuda Email Security Service instance. For example: include:spf.ess.
barracudanetworks.com -all
• If you do not have an SPF record set up for your domain, use the following value to
create a TXT record that creates a HARDFail SPF for your domain based on your
Barracuda Email Security Service instance. For example: v=spf1 include:spf.ess.
barracudanetworks.com -all
See Sender Policy Framework for Outbound Mail for INCLUDE values based on your Barracuda
Email Security Service instance.
3.3.1 IP Analysis
Once the true sender of an email message is identified, you need to determine the reputation
and intent of that sender before accepting the message as valid, or “not spam”. The best way to
address both issues is to know the IP addresses of trusted email senders and forwarders and
define those as exempt from scanning by adding them to a list of known trusted senders.
Create a list of Trusted Forwarders by specifying one or more IP addresses of machines that you
have set up to forward email to the Barracuda Email Security Service from outside sources. The
Barracuda Email Security Service exempts any IP address in this list from Rate Control, Sender
Policy Framework (SPF) checks, and IP Reputation. In the Received headers, the Barracuda Email
Security Service continues looking beyond a Trusted Forwarder IP address until it encounters the
first non-trusted IP address. At this point, Rate Control, SPF checks, and IP Reputation checks are
applied. Configure on the Inbound Settings > IP Address Policies page.
Be aware that blocklists can generate false-positives (legitimate messages that are blocked).
Messages blocked due to external blocklists or the BRBL are the only blocked messages that are
not sent to the user’s Message Log.
Email Categorization
Email Categorization gives administrators more control over what they believe to be spam, even
if those messages do not meet the technical definition of spam. Most users do not realize that
newsletters and other subscription-based emails, while they are considered to be bulk email, are
not technically unsolicited - which means that they cannot be blocked by default as spam. The
senders of these emails may have a good reputation, but the user may no longer want to receive,
for example, a mass mailing from a club or vendor membership. The Email Categorization feature
assigns this type of email to categories that display on the Inbound Settings > Anti-Spam/
Antivirus page, and the administrator can then create block, quarantine, or allow policies by
category. When set to Off, no categorization scanning is performed.
• Attachment Filtering – For inbound mail, you can filter attachments based
on File Name or MIME Type.
• Password Protected Archive Filtering – For inbound mail, you can select to block, quarantine,
or ignore messages containing archive file attachments.
• Password Protected Microsoft Documents – For inbound mail, you can select to block,
quarantine, or ignore messages containing password protected Microsoft documents.
• Message Content Filters – Base message content filtering on any combination of subject,
headers, body, attachments, sender or recipient filters. You can specify actions to take with
messages based on pre-made patterns (regular expressions) in the subject line, headers,
message body, sender or recipient lines. Note that HTML comments and tags embedded
between characters in the HTML source of a message are filtered out so that content filtering
applies to the actual words as they appear when viewed in a web browser.
You can configure the Barracuda Email Security Service to evaluate and rewrite fraudulent URLs
so that, when clicked, the user is safely redirected to a valid domain or to a Barracuda domain
warning of the fraud. Configure on the Inbound Settings > Anti-Phishing page:
• Link Protection – When enabled, the service automatically rewrites a deceptive URL in an
email message to a safe Barracuda URL, and delivers that message to the user.
Note that when Link Protection is enabled, URLs are not rewritten if the URL
is exempt, the URL is contained in an encrypted or protected message, or the
URL is within an attachment.
To minimize false positives and page load delays, Barracuda maintains a list of
domains considered safe. Because of this, some links detected in messages
are wrapped while others are not. For example, Barracuda does not currently
wrap google.com, but does wrap googlegroups.com because it provides
user-generated content.
Attachment Filtering
All messages, except those from exempt senders, go through attachment filtering. Use
the Inbound Settings > Content Policies page to specify actions to take on inbound messages
if they contain attachments with certain file name patterns or MIME types. If email is sent to a
recipient on a whitelist, content filtering is bypassed.
Messages that are blocked due to attachment filtering appear in the Message Log with the
word Attachment for the Reason if you click Show Details for the message.
Intent Analysis
The intent of spam messages is to get a user to reply to an email, visit a web site, or call a
phone number. Intent analysis involves researching email addresses, web links (URLs), and
phone numbers embedded in email messages to determine whether they are associated with
legitimate entities.
Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email
Security Service applies the following forms of Intent Analysis to inbound mail, including real-time
and multi-level intent analysis:
• Intent Analysis – Markers of intent, such as URLs, are extracted and compared against a
database maintained by Barracuda Central.
• Real-Time Intent Analysis – For new domain names that may come into use, Real-Time Intent
Analysis involves performing DNS lookups against known URL blocklists.
• Multilevel Intent Analysis – Use of free websites to redirect to known spammer websites is
a growing practice used by spammers to hide or obfuscate their identity from mail scanning
techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the results of
Web queries to URLs of well-known free websites for redirections to known spammer sites.
Enable Intent Analysis on the Inbound Settings > Anti-Phishing page. Domains found in the body
of email messages can also be blocked based on or exempt from Intent Analysis on that page.
The Rate Control mechanism counts the number of recipients for a domain from a sender (a single
IP address) over a half-hour time frame and compares that number to the Maximum Recipients
per Sender IP Address/30 minutes threshold you set on the page. If the number of inbound
recipients for a domain from a sender (a single IP address) exceeds this threshold within a half
hour period, the Barracuda Email Security Service defers any further connection attempts from
that particular IP address until the next half hour time frame and logs each attempt as deferred in
the Message Log with a Reason of Rate Control.
You can exempt trusted IP addresses from Rate Control by adding a trusted IP address to the Rate
Control Exemption list. Organizations that relay email through known servers or communicate
frequently with known partners can and should add the IP addresses of those trusted relays and
good mail servers to this list.
• Data Leak Prevention (DLP) filtering using pre-defined patterns such as credit card number,
social security number, driver’s license or HIPAA medical terms, to block, quarantine, or
encrypt outbound messages. Exceptions to DLP block/quarantine policy can be created for
emails containing phone numbers and/or street addresses. See the Outbound Settings >
Content Policies page for details.
Figure 1: Mail Flow for Encrypted messages sent through the Barracuda Email Security Service.
• Message Content Filters – You can select the Encrypt action for outbound email based on
characteristics of the message’s subject, header or body. You can specify simple words or
phrases, or use Regular Expressions. Content filtering is case sensitive.
• Predefined Filters – You can select the Encrypt action for outbound email messages that
contain matches to pre-made patterns in the subject line, message body or attachment. Use
the following pre-defined data leakage patterns (specific to U.S.) to meet HIPAA and other
email security regulations:
• Credit Cards – Messages sent through the Barracuda Email Security Service containing
recognizable Master Card, Visa, American Express, Diners Club or Discover card numbers
will be subject to the action you choose.
• Social Security – Messages sent with valid social security numbers will be subject
to the action you choose. U.S. Social Security Numbers (SSN) must be entered in
the format nnn-nn-nnnn.
• Privacy – Messages will be subject to the action you choose if they contain two or more
of the following data types, using common U.S. data patterns only: credit cards (including
Japanese Credit Bureau), expiration date, date of birth, Social Security number, driver’s
license number, street address, or phone number. Phone numbers must be entered in one
of the following formats:
• nnn-nnn-nnnn
• (nnn)nnn-nnnn
• nnn.nnn.nnnn
• HIPAA – Messages are subject to the action you choose if they contain TWO of the types
of items as described in Privacy above and ONE medical term, or ONE Privacy item, ONE
Address and ONE medical term. A street address can take the place of Privacy patterns.
So, for example, a U.S. Social Security Number (SSN), an address, and one medical term is
enough to trigger the HIPAA filter.
The format of this data varies depending on the country, and these
filters are more commonly used in the United States; they do not apply
to other locales. Because of the millions of ways that any of the above
information can be formatted, a determined person will likely be able to
find a way to defeat the patterns used. These filter options are no match
for educating employees about what is and is not permissible to transmit
via unencrypted email.
Click Help on the Outbound Settings > Content Policies page in the Barracuda Email Security
Service web interface for more details.
1. Outbound messages that meet the filtering criteria and policies configured as described
above are encrypted and appear in the Message Log, but the message body does not
appear in the log for security purposes.
2. The Barracuda Message Center sends an email notification to the recipient including a link
the recipient can click to view and retrieve the message from the Barracuda Message Center.
3. The first time the recipient clicks this link, the Barracuda Message Center prompts them
to create a password.
4. The recipient logs into the Barracuda Message Center and is presented with a list of email
messages. All encrypted messages received appear in this list for a finite retention period or
until deleted by the recipient.
When the recipient replies to the encrypted email message, the response is also encrypted and
the sender receives a notification that includes a link to view and retrieve the message from the
Barracuda Message Center.
Messages that meet the Quarantine criteria are sent to the Outbound Quarantine for the
administrator to evaluate. Messages can then be viewed, delivered, rejected, deleted, or exported
from the Overview > Outbound Quarantine page.
. [ ] \ * ? $ ( ) | ^ @
When using the above special characters, you must escape each character with a backslach (“\”).
Predefined Filters
Select a predefined data leakage patterns (specific to the United States) for Subject, Headers,
Body, or Attachments. Select whether to Block, Quarantine, or Encrypt outbound messages
based on the filter.
Image Analysis
Image analysis techniques protect against new image variants. Image analysis is automatically
configured in the Barracuda Email Security Service.
Abuse Notifications
An abuse notification email may be sent to the administrator of your Barracuda Email Security
Service for various reasons. These include but are not limited to:
• Sending out mail to more invalid recipients than allowed by the Barracuda
Email Security Service.
• Sending out mail that has been classified by the Barracuda Email Security Service as spam or
as containing a virus.
If your network sends out a large email blast, this may trigger an abuse notice from the Barracuda
Email Security Service. This notice informs you that you are sending out mail to more than
150 recipients per 30 minute period. This is not a block of your mail, but rather delays the
delivery of the messages. The mail will eventually go out, but at a much slower rate over a
longer period of time.
Suspended IP Addresses
IP addresses that send very high volumes of email, consistently triggering Rate Controls, may be
suspended from sending outbound mail through the Barracuda Email Security Service.
Rejected Messages
When enabled by the administrator, the sender receives a non-delivery report
(NDR) indicating that their message will not be sent to the recipient.
Note that rate limit is not a block of their mail, but a deferral. The mail server
retries this mail until it is all delivered.
Per-user rate control only affects users listed in the Users > Users List; the rate
limit for users not in this page get the per-domain rate limit, normally 250 per
30 minute period. Anyone sending outbound mail through the Barracuda Email
Security Service should be listed in the Users > Users List page.
A sender may hit rate control limits due to your mail server configuration. For example, if a user
sends out a mass mailing to 1000 people, they will hit their rate control limit. Based on 150
recipients per 30 minute period, it will take at least 4 hours for all of the mail to be delivered. If
your mail server retries this deferred mail every few minutes this can cause the sender to remain
rate limited for a very long time. Barracuda recommends that you configure your mail server to
retry deferred connections every 30 minutes to avoid this issue.
If you have mail that must go out immediately, Barracuda recommends either:
• Bypassing the Barracuda Email Security Service and sending it directly to the Internet, or
If you are using a mass mail program that does not retry deferred mail,
Barracuda recommends that you configure the system to deliver the mail
directly to the Internet or have it relay the mail through a fully functional mail
server that can correctly handle deferred mail.
Exceeding rate control limits displays in your outbound abuse report page, however, if there is
a problem with your account resulting in your outbound IP address being blocked or a blocked
user email address, Barracuda will contact you via email or phone explaining the problem
requiring attention.
To require mail to be sent outbound from the Barracuda Email Security Service over a TLS
connection, you can enable Force TLS for each domain on the Outbound Settings > DLP/
Encryption page. Mail sent to these domains must be transmitted across a TLS connection. If a
TLS connection can not be established, then the mail will not be delivered.
To require mail coming inbound to the Barracuda Email Security Service to use a TLS connection,
use the SMTP Over TLS setting on the Domains > Settings page for each domain. If you
enable SMTP over TLS, then if TLS is available on your organization’s mail server, inbound mail is
sent over a TLS channel. If not, mail is sent in cleartext.
When Sender Policy Framework (SPF) checking is enabled on the mail server or
network, it is critical when using the Barracuda Email Security Service that you
either disable SPF checking in the service or add the Barracuda Email Security
Service IP ranges to your SPF exemptions based on your Barracuda Email
Security Service instance; see Barracuda Email Security Service IP Ranges in
Barracuda Campus for a list of IP rages based on your Barracuda Email Security
Service instance. If this is not done, the SPF checker blocks mail from domains
with an SPF record set to Block. This is because the mail is coming from
a Barracuda Email Security Service IP address not in the sender’s SPF record.
Messages that fail SPF check can be blocked and are logged as such. Enable or disable the SPF
feature for checking inbound mail from the Inbound Settings > Sender Authentication page.
Note that if you enable SPF, you can also enable the Sender Rewriting Scheme (SRS). This option
is configurable from the Advanced Configuration section of the Domains > Domain Settings
page and, when enabled, the Barracuda Email Security Service makes the IP address of your
sending mail server visible to the agent performing SPF verification on the recipient’s end.
• Log in as a user.
• Set default email scanning policies for managed and unmanaged users.
Users can view their quarantine inbox (Message Log) and set account preferences. Available
settings are dependent upon administrator settings.
• Change password.
• Use the current account as an alias to link accounts. From the Settings > Linked
Accounts page, the user can add additional email addresses they may have in the same
domain for which quarantined email should be forwarded to this account.
• Create exempt and blocklists for email addresses, users, and domains.
See the Barracuda Email Security Service User Guide for more information.
• Unmanaged Users – All email senders and recipients for the configured domains, but who
are not in your users list for some reason.
If you do not modify the default scan/block/allow policies, all email is scanned
rather than blocked or allowed.
The welcome email is only sent to a user when you manually create
the account, it is not sent if the account is created automatically.
Accounts can be automatically created by setting the Automatically Add
Users option to Yes on the Domains > Settings page.
• Enable User Quarantine – When set to Yes, the Barracuda Email Security Service sends a
notification that the user has quarantined messages. Set a predefined notification interval or
allow users to override this setting and configure their own notification interval on the Users >
Quarantine Notification page.
You can configure Single Sign-On (SSO) for a domain so that authenticated users can access
all or a subset of the restricted resources by authenticating just once using their Azure AD
credentials. SSO is a mechanism where a single set of user credentials is used for authentication
and authorization to access multiple applications across different web servers and platforms,
without having to re-authenticate.
The SSO environment protects defined resources (websites and applications) by requiring the
following steps before granting access:
Complete the Azure AD setup steps for each domain you want to synchronize with
your Azure AD directory.
2. Click Domains, and click Edit in the Settings column for the desired domain.
3. In the Domains > Domain Settings page, scroll to the Directory Services section, and select
Azure AD, and click Save Changes at the top of the page.
6. When prompted, log in to your Microsoft Office 365 account using your
administrator credentials.
7. In the Authorization page, click Accept to authorize the Barracuda Email Security Service to
connect to your Azure AD directory.
8. In the Barracuda Email Security Service Domain Settings page, the Status field displays as
Active; the Authorized Account and Authorization Date display below the status:
9. Click Sync Now to add your Azure AD users to the Barracuda Email Security Service.
11. In the Synchronization Options section, select Synchronize Automatically. When selected,
the Barracuda Email Security Service automatically synchronizes with your Azure AD
directory every 15 minutes and adds/updates your users.
If you select Manual, you must click Sync Now to synchronize the
Barracuda Email Security Service with your Azure AD directory
and add/update users.
12. To use SSO, click Yes for Enable Single Sign On. Once enabled, users are prompted to log
in to their Microsoft Office 365 account when accessing their messages in the Barracuda
Email Security Service.
13. Click Save at the top of the page to save your settings and return to the Domains page.
Complete the LDAP setup steps for each domain you want to synchronize with your LDAP server.
Set Up LDAP
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and click
Email Security in the left pane.
2. Click Domains, and click Edit in the Settings column for the desired domain.
3. In the Domains > Domain Settings page, scroll to the Directory Services section, and select
LDAP, and click Save Changes at the top of the page.
5. Click test Settings to ensure the Barracuda Email Security Service can
communicate with the server.
7. Click Save at the top of the page to save your settings and return to the Domains page.
Dashboard
The Dashboard page displays summarized inbound and outbound email statistics for the
Barracuda Email Security Service. You can view statistics for a single domain or all verified
domains on your account. From the Dashboard, you can view the following details:
• Traffic Status – View the data and time of the most recently received and sent messages.
• Subscriptions – View Barracuda Email Security Service account and Advanced Threat
Protection (ATP) subscription status.
• Inbound Email Statistics – View a graph of the total inbound messages processed, in the
time frame, by number allowed, blocked, quarantined, and blocked for virus.
• Outbound: Top Recipients/Senders Blocked – View top recipient and senders blocked.
• Last Blocked: ATP – View filename and file type of attachment determined to
be infected by ATP.
Message Log
The Message Log is a window into how the current spam, virus, and policy settings are filtering
email coming through the Barracuda Email Security Service. Use the information in the log to help
tune your inbound and outbound policy settings.
Sort messages using the Advanced Search feature to quickly view email by allowed, deferred,
quarantined, encrypted (outbound), or blocked messages by domain, sender, recipient, time
range (last 2- 30 days), envelope to, envelope from, reason, action taken, date or subject.
The Message Log reflects all email traffic through the Barracuda Email Security Service at the
global level. If you click on a verified domain on the Domains > Domain Manager page, a tab
for the Message Log for that domain displays. Additionally, you can track end-user quarantine
notifications in the Message Log.
Reports
Use the Reports tab to generate reports including:
• Inbound Traffic
• Outbound Traffic
Reports cover global activity across all domains for which you have mail filtered, with up to a
maximum history of 30 days of data. Use the calendar controls to set the start date; note that you
cannot run a report that covers more than a seven day period.
• Sending mail to more recipients per 30 minute period than allowed by the Barracuda
Email Security Service;
• Sending mail to more invalid recipients than allowed by the Barracuda Email Security Service;
• Sending mail that has been classified by the Barracuda Email Security Service as spam or
as containing a virus.
Rejected Messages
When enabled by the administrator, the sender receives a non-delivery report
(NDR) indicating that their message will not be sent to the recipient.
Set Up Notification
1. On the Outbound Settings > Notifications page, in the Admin Quarantine
Notification section, select the Notification Interval:
2. Enter the email address to which the report is to be sent in the Notification Address field.
3. Click Save Changes.
4. Configure the body of the NDR email using the Quarantine Notification Template.
Configure NDR
1. On the Outbound Settings > Notifications page, enter the following details in the Notification
to Sender of Rejected Message section:
a. Reject Notification Address – Enter the NDR ‘from’ address that the sender receives.
b. Reject Notification Subject – Enter the NDR subject that the sender receives.
2. Click Save Changes.
The following policies are applied by default to all outbound mail by the Barracuda
Email Security Service:
• Data Leak Prevention (DLP) filtering using pre-defined patterns such as credit card number,
social security number, driver’s license, or HIPAA medical terms, to block, quarantine, or
encrypt outbound messages;
• Create exceptions to DLP block/quarantine policy for emails containing phone numbers and/
or street addresses on the Outbound Settings > Content Policies page;
When ATP determines an attachment contains a threat and blocks the message,
review the ATP Report before determining whether to deliver the message.
This option provides more security and prevents the email recipient from
opening infected attachments. These messages appear in the Message log
and Pending Scan displays in the Reason column. The mail server retries
until the scan is complete and no virus is detected in the attachment, at which
point the message is delivered. Note that messages with attachments may
be temporarily deferred while queued for scanning. If the message status is
deferred for more than four hours, the message is quarantined.
Attachments from exempted entries are not sent to the ATP cloud. Note that
these exemptions apply to ATP scanning only and do not apply to Barracuda
Email Security Service virus scanning.
• ATP Service Unavailable – Message is deferred because the ATP service is temporarily
unavailable. The message is retried and, when the scan is complete and if no virus is
detected, the message is delivered.
Enable Email Continuity for all users on all domains on the account to comply with business
continuity regulations. Keep the following rules in mind:
• The original mail headers and timestamp sent/received during an outage are synchronized to
the primary mail server to minimize end-user confusion.
• Message for the primary and alias email are delivered to the primary account.
• When replying to a message or forwarding a message from Email Continuity, the sender is
the primary email address.
• When Email Continuity is enabled, if the administrator logs in as a user, that user’s
message log is view-only.
• You cannot access or send messages via quarantine notification email when Email
Continuity is in effect.
You must enable spooling for each domain where you want to enable Email Continuity.
Enable Spooling
1. Log in to Barracuda Email Security Service as the administrator, and click Domains.
2. For the domain where you want to enable Email Continuity, click Edit in the Settings column.
5. Complete steps 2 through 4 for each domain where you want to enable Email Continuity.
The Email Continuity status displays the date and time after which it is disabled (after 96 hours).
• Email Server Offline/Online Status – Once enabled, the administrator is notified when the
mail server goes offline and when it comes back online:
• Email Continuity Status – If spooling or Email Continuity is enabled for more than 96 hours, a
warning displays in the Barracuda Email Security Service dashboard
3.9.2 Actions
When Email Continuity is activated, users can continue to view their messages in the Message
Log. In addition to the standard message actions in the Message Log view, users can compose
a new message, and forward or reply to a message. Spooled messages display in the account
admin, domain admin, recipient, and sender Message Logs when Email Continuity is running.
When you view a message in the log, the following actions are available in
the Message View page:
• Click on a message in the email list to view the message body, and take actions:
• Forward a message with Delivery status of Delivered to one or more email addresses;
separate multiple addresses with a comma delimiter.
• You can select to download one or more messages from Email Continuity as a .eml file.
4.7.3 Configure Office 365 Exchange Online Service Account and Import Historical Data
120
Emails are archived without the need to install any email client or server software. Barracuda’s
extensive and robust global cloud infrastructure ensures security, and centralized management
through the Cloud Control portal makes it simple.
The Barracuda Cloud Archiving Service features an easy-to-use web user interface, creating
an intuitive and cost-effective administration tool for the Software as a Service (SaaS) solution.
The web user interface allows administrators to define, manage, and control corporate archiving
settings and rules from a central location.
• Litigation Support
• Storage Management
• Knowledge Management
• Compliance
• Regulatory Compliance
4.1.5 Compliance
Compliance issues are perhaps the driving force behind the increase in demand for an email
archiving solution. The sheer number of regulations requiring some form of email retention, as
well as the more specific parameters of how the email should be stored and for how long, can be
confusing for administrators.
• Email security – Information must be protected against all threats including unauthorized
access to the email as well as physical damage. This same concept applies to the process of
legal discovery which often specifies who can access the email (i.e., legal teams) as well as
safeguards against the destruction of hard copies of the data
See Data Centers by Region in Barracuda Campus for the latest MAS hostnames by region.
Add users through Active Directory (AD) authentication and associate a role and whose mail can
be viewed with an AD user or group, or manually configure and assign roles to local accounts
in the web interface.
Understanding Roles
• User – Able only to view messages accessible to the account, either because the username
for the account is also that of the sender or recipient of a message, or because it has been
given explicit access to view an email address via Alias Linking.
• Auditor – Able to create and activate policies, and view, search, and export any messages to/
from the domains to which they have access. Additionally, Auditors can save and name an
Advanced search for re-execution at a later time from the Saved Searches tab. To create a
“Domain Auditor” (an auditor with access to only a subset of the domains on your Barracuda
Cloud Archiving Service), set the role to Auditor and specify at least one domain. If no
domains are specified, then all messages in the entire Barracuda Cloud Archiving Service
are accessible. No auditor account has access to any system or network configuration
information on the Barracuda Cloud Archiving Service.
• Admin – Able to view all items from any user, not just those listed for the account. Also able
to create and activate policies, and can make other system or network changes.
Use the following steps to set up Barracuda Cloud Control LDAP authentication.
Set Up LDAP
1. Log in to https://login.barracudanetworks.com/ as the account administrator.
2. In Barracuda Cloud Control, go to the Admin >Directories page, and click Add Directory
> LDAP Active Directory; the Create Directory wizard displays. In the Info page, specify
the following details:
6. Click Test to verify connectivity. If the connection is successful, Connected displays. If the
connection fails, verify the entered LDAP host details. Click Continue.
7. In the Domains page, click Add domain to add the domain to the AD configuration. Complete
this step for each domain you want to add.
8. To verify you own the domains you plan to include in your AD configuration, select the
manner in which to verify the domains:
9. Click Verify. Once the domain is verified, it is added to the Directories table in the Admin >
Directories page in Barracuda Cloud Control.
Use the following steps to set up Barracuda Cloud Control Azure AD authentication.
Set Up Azure AD
1. Log in to https://login.barracudanetworks.com/ as the account administrator.
2. In Barracuda Cloud Control, go to the Admin >Directories page, and click Add Directory >
Azure Active Directory; the Create Directory wizard displays.
3. Click Add Directory > Azure Active Directory; the Create Directory wizard displays. In the
Info page, enter a name to represent the directory in the Directory Name field.
4. Click Connect to Microsoft to sign in to Microsoft and authorize Barracuda Cloud Control to
connect to your Azure AD account.
7. Optionally, enter the administrator contact email address. Click Save & Continue.
8. Once verification is complete, your Azure AD domains display in the wizard. Click Done.
Use the following steps to associate LDAP or Azure AD users and groups to a role and
list of email addresses.
Associate a Role
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and click
Archiver in the left pane.
2. Go to the Users > LDAP User Add/Update page. In the LDAP User/Group field, enter the
User or Group name to which the permissions apply.
a. User Role – Specify mailbox addresses to include or exclude from the account. Click
Include these Addresses, and enter a mailbox address you want to make available to the
specified account. Click Add. Click Exclude these Addresses, and enter a mailbox address
you want to hide from the specified account. Click Add.
c. Admin Role – Specify mailbox addresses that you want to hide from the specified
account, and then click Add.
4. Click Save.
2. Go to the Users > User Add/Update page, and enter the user’s Email Address and
the User Display Name.
3. Enter all aliases associated with the entered email address, one entry per line.
4. Enter the account password and select the user role for the account.
5. If you select the user role Auditor enter the following additional details:
a. Enter a domain for which the auditor can view messages and other Outlook items,
and click Add. Any messages that includes an email address in the listed domains in
either the From, To, or CC/Bcc areas, or any items that belong to a user in the specified
domains, display in search results. To allow the auditor to view all items from all domains,
leave this field blank.
Add email domains and fully-qualified domain names (FQDNs) you want to archive. The FQDN
consists of a host or system name and domain name, including the top-level domain. Any
messages sent to any recipient in the listed domains are added to the archive.
2. Go to the Basic > Domain Management page, and enter the domain or FQDN in the
LOCAL DOMAINS field.
Before importing .pst files, ensure that LDAP services for your Active Directory
(AD) server are configured. This ensures that SMTP aliases associated with the
message sender and recipients are resolvable.
The Barracuda Cloud Archiving Service can accept one .pst file at a time for immediate import
from the web interface. Files that are imported directly in this manner are processed immediately
and their contents is added. Because processing files for import can be resource-intensive,
Immediate Import supports files of less than 250 MB in size.
To upload PSTs larger than 250 MB or to upload more than one PST at a time,
you can utilize an SFTP share. Contact Barracuda Technical Support to get
the SFTP share enabled.
1. Log in to the web interface, go to the Basic > Search page, and click the PSTs & Tags tab.
4. In the Assign PST dialog box, enter the first few characters of either the username or the
email address of the user to which to assign the PST file:
5. As you type in the user field, matching users display in a drop-down list. Select the user to
which to assign the PST file, and click OK.
6. The PST file now displays in the Assigned PSTs folder under the selected user name.
You can also assign a PST file by dragging it to a specific user listed in the
Assigned PSTs folder.
Once a PST file is assigned to a user, the user can select and search PST folders and search
inside PST files one at a time.
• Right-click the PST file and click Unassign PST; the PST displays in
the Unassigned PSTs folder
• User – Able only to view messages accessible to the account, either because the username
for the account is also that of the sender or recipient of a message, or because it has been
given explicit access to view an email address via Alias Linking.
• Auditor – Able to create and activate policies, and view, search, and export any messages
to/from the domains to which they have access. Additionally, Auditors can save and name an
Advanced search for re-execution at a later time from the Saved Searches tab. To create a
“Domain Auditor” (an auditor with access to only a subset of the domains on your Barracuda
Cloud Archiving Service), set the role to Auditor and specify at least one domain. If no
domains are specified, then all messages in the entire Barracuda Cloud Archiving Service
are accessible. No auditor account has access to any system or network configuration
information on the Barracuda Cloud Archiving Service.
• Admin – Able to view all items from any user, not just those listed for the account. Also able
to create and activate policies, and can make other system or network changes.
The assigned role can be changed at a later date from the Users > Accounts page, but only the
last assigned role is active.
• Local Accounts
3. Click Populate to retrieve all aliases associated with the LDAP for the entered email address;
note that you must configure an LDAP server on the Users > Directory Services page
to use this feature.
4. Enter the account password and select the user role for the account.
5. If you select the user role ‘Auditor’ enter the following additional details:
To enable this ability, you must be using an Active Directory or LDAP server, and the lists must
reside on those servers.
In addition, you can create a local user account on the Barracuda Cloud Archiving Service
that has access to archived messages for multiple users. For example, you want a single user
account to see emails for chris.smith@company.com, pat.jones@company.com, and alex.pierce@
company.com, in addition to the_boss@company.com. To do so, create a local account on the
Barracuda Cloud Archiving Service (for example, “local_boss”), and list as aliases the email
addresses to which that account is to have access.
2. Enter the new user Email Address, and enter the User Display Name.
3. Enter all email addresses used as aliases for this user, one alias per line in
the User Aliases field.
4. Add the desired password for the account, and click the user role from the
Role drop-down menu.
5. Click Save to save the list of aliases for that user. This account is added to the Users > Local
Accounts page including its aliases.
You can enter an LDAP group name in the LDAP User/Group field and select a role for that group.
When a member of that group logs in to the Barracuda Cloud Archiving Service, they log in
with the assigned role.
1. Mail for addresses added to the Exclude these Addresses list are not displayed
unless the mail includes the user performing the search to assure that a user can
always see their own mail.
3. Because a user with the Admin or Auditor role can by default view all mail, users set to these
roles can only edit their Exclude these Addresses list.
• Example 2: If Josh is not individually configured but is a member of the distribution group
HR which has an Auditor role, and Josh is also a member of the group Employees which
has a User role, Josh has only the User role privileges when running a search.
5. A user cannot run a Search As User Search on the Basic > Search page on a user that is on
their Exclude these Addresses Exclusion Rules blocklist.
For discovery purposes, Barracuda recommends logging in to the web interface, and running
your search using the Advanced Search option.
1. Log in to the Barracuda Cloud Archiving Service, and navigate to the Users >
Client Downloads page.
2. Click Download Now to the right of the Outlook Add-In Installer to download the executable
file to your local system.
For additional configuration options, refer to How to Install and Configure the Barracuda Outlook
Add-In in Barracuda Campus.
• Look for drop-down menu – Select the type of item you wish to search for; select Any type
of Item, Appointments, Contacts, Messages, Notes, Social Media, or Tasks.
• Entire message
• Subject or body
• Subject only
• Body only
• Keyword expression
Items archived using the Outlook Add-In buttons have a 300MB size limit.
The Barracuda Outlook Add-in tool includes an option to immediately archive a selected item(s).
Archive a Message
1. Select the desired item(s) in Outlook, and click the Archive icon; a progress window displays
while the item(s) is archived.
Using this feature immediately sends the message for archiving; however, if
the Barracuda Cloud Archiving Service is currently in the midst of archiving
other messages, it may be a matter of minutes or even hours before the
archived messages are available. Once archived, the message appears in
the Barracuda Outlook Add-in search results.
For discovery purposes, Barracuda recommends logging in to the web interface, and running
your search using the Advanced options on the Basic > Search page.
• Search for archived messages based on email content, or constrain the search to a date
range, a specific sender or recipient, or subject line content;
• Search deleted messages and emails no longer visible in your mail application;
• View and interact with (reply to, reply all, forward) archived messages;
To deploy using the Outlook Add-In Deployment Kit, first download and launch the .msi file.
Follow the onscreen instructions in the wizard to install the deployment kit. Copy the ADMX files
to your domain policy definitions directory on the domain controller, and then configure and
deploy the Outlook add-In using the Group Policy Editor for the domain where you are installing
the add-In. The Outlook Add-In supports Outlook versions 2010, 2013, and 2016. See Barracuda
Campus for detailed deployment instructions.
To deploy the add-in using the Manifest file, download the manifest file from the web interface.
An XML file is generated and installed, and the manifest is automatically deployed to all user
mailboxes. Archive search is activated once a user clicks on a message, composes a new
message, or clicks on or creates an appointment.
Once enabled via the Manifest file, users can search their archives from:
• Outlook apps for mobile platforms including Windows Phone, iOS devices,
and Android devices.
To allow individual users to install and use the Outlook Add-In, set Enable Client Access on the
Users > Client Downloads page to Yes. Once enabled, users can download the add-in from the
Basic > Client Downloads page.
The Barracuda Outlook Add-In search results are limited based on your assigned role and
customization options applied during deployment. For example, if you are assigned the User role,
the search result is limited to 50,000 messages. For best results, refine your search criteria.
The search utility can be deployed to all users in your organization using the deployment kit, or
allow Windows and Mac users to individually install and configure the search utility.
To deploy using the Deployment Kit, download and extract the contents of the kit, including the
MSI and ADMX files. Use the Group Policy Object Editor to install, configure, and deploy the
stand-alone search utility. See Barracuda Campus for step-by-step setup instructions.
For Android installation, simply download and install the latest Android Barracuda Companion
mobile application available from the Google Play Store to your Android device. Launch the app,
and enter your corporate email credentials in the provided fields. Enter your MAS hostname in
the Host field, and click Login. You can now search your archived emails.
For iOS installation, download and install the latest iPhone Barracuda Archive Search application
from iTunes. Launch the app, and tap Barracuda Essentials in the Welcome screen. Enter your
corporate email credentials in the provided fields, and enter your MAS hostname in the Host field.
Tap Save. You can now search your archived emails.
See Data Centers by Region in Barracuda Campus for MAS hostnames based on your region.
• Remote domain
• Send connector
• Email Import – Import all Microsoft Exchange Online email into the service that meets
the specified criteria.
• Non-Email Sync – In addition to emails that are automatically sent from Microsoft Office 365
Exchange Online to the Barracuda Cloud Archiving Service for storage, you can configure
non-email items such as Appointments, Contacts, Notes, and Tasks for archive. This enables
you to get a more complete picture of all items that are or have been stored on your
Exchange Server, and eliminates the need to keep .pst files around solely for the purposes of
retaining this information.
• Folder Sync – Import the complete folder structure of the selected Item Sources, including
custom folders and sub-folders. The nightly folder synchronization process scans the
specified Microsoft Office 365 Exchange Online user mailboxes, and imports the user’s
folder structure, including custom folders and sub-folders, into the Barracuda Cloud
Archiving Service. Note that a Folder Sync job does not import emails to the Barracuda
Cloud Archiving Service, it only imports the folder structure. Email messages are sent to the
Barracuda Cloud Archiving Service via real-time journaling.
When you schedule an action, you must configure the Exchange environment on which to base
the action. When setting up the Exchange import job in the web interface:
• Use https://testconnectivity.microsoft.com/
4. In the Add New Server dialog, enter a name to identify the configuration as well as the
service account Username/Password.
7. In the Schedule section, select Now for a one-time import, or click Nightly to configure an
ongoing nightly data import.
8. Click Continue.
• Windows 8 or 8.1
• Microsoft .NET Framework 4.5 or 4.5.1 and either the Windows Management Framework 3.0
or the Windows Management Framework 4.0
• Verify the service account has a mailbox, and is not hidden in the Global Address list
2. In the Windows PowerShell Credential Request dialog box, enter your Exchange Online user
name and password, and then click OK.
When setting up the Exchange import job in the web interface, use the GUID@
domain-style hostname available when setting up an Outlook profile or use
https://testconnectivity.microsoft.com/.
4. In the Add New Server dialog box, enter a Configuration Name, the email address for the
service account and the service account password.
5. Click Autodiscover.
Use the steps in this section only if autodiscover is unable to identify your
settings via Autodiscover.
3. In the Windows PowerShell Credential Request dialog box, enter your Exchange Online
admin username and password, and then click OK.
8. To close out the remote PowerShell session, enter the following command,
and then press Enter:
Remove-PSSession $Session
1. Log in to the Barracuda Cloud Archiving Service as the admin, and go to Mail Sources >
Exchange Integration.
4. In the Add New Server dialog, click Configure Manually; enter the Exchange details:
5. Click Save to add your configuration, and close the dialog box.
7. In the View Summary page, select All Users from the Source drop-down menu.
9. Verify the configuration settings in the View Summary page, and then click Submit to add the
Email Import to the Scheduled Actions table.
You can specify folder structure synchronization for all or selected users on the Mail Sources >
Exchange Integration page based on the selected item source, and optionally specify a specific
server from which to archive. The synchronization process can be scheduled to run as soon
as possible, creating a one-time job that is not repeated, or configured to run nightly. When
configured to run nightly, the process starts at 10PM when the additional system load on the
Barracuda Cloud Archiving Service least impacts users.
The Barracuda Cloud Archiving Service keeps track of all folders in which an email has historically
been seen. This does not cause any extra copies of the mail to be stored; the association is
actually performed by associating the messageID of the email and the name of the folder(s) in
which that email should be shown.
Folder Synch
Outlook system folders (for example, Drafts, Sync Issues), Inbox, Deleted Items, and Sent Items
are not synchronized; a user’s custom folders under Inbox are scanned. In the Barracuda Cloud
Archiving Service’s folder view, data is shown in Inbox and Sent Items based upon the header
information in the mail itself. An email displays in a user’s Inbox if that user is on the recipient list,
and is visible in their Sent Items if the user’s SMTP address, or email aliases, appears in the From
header of the email.
When email is sent to the Barracuda Cloud Archiving Service via journaling, any emails in
the Deleted Items folder will have already been archived to the Barracuda Cloud Archiving
Service from the Inbox.
• Date
Searches can only be made over messages that the searcher has read access to, so privacy
is always preserved. Use the Basic Search page for quick one-time searches, or go to the
Advanced Search page for a full array of search options including complex search queries and
the ability to save searches. Saved Searches are the basis for Policy Alerts, used by Auditors
and Administrators to monitor compliance, and Retention Policies, to purge messages from the
archiver that are older than a specified date.
Punctuation is treated as white space in search strings with the following exceptions:
• Period (.) – When not followed by whitespace, a period is treated as part of a word.
Example: 1.2 is treated as a single searchable token.
• Hyphen (-) – When a token containing a hyphen also contains a number, the complete item is
treated as a part of the number.
Examples:
MD-1800 is considered a searchable word, including the hyphen.
hyphen-madness is treated as two words (“hyphen” “madness”) with the hyphen
treated as whitespace.
When virus scanning is enabled on the Basic > Virus Checking page, forwarded
and exported messages are scanned for viruses. When disabled, forwarded
and exported messages are not scanned for viruses.
Messages journaled directly from Microsoft Exchange have additional hidden information, such as
bcc recipients and other SMTP data. End-users do not have access to this information; however,
for compliance reasons you may want to include this hidden information when messages are
exported or forwarded by the administrator or auditor. The Preserve Journal Wrappers setting,
also in the Search Page Settings section, causes the body of an exported or forwarded message
to consist of the complete envelope information with the actual contents of the email turned into
an attachment to the message.
• To select multiple individual messages, single-click on one message, and Ctrl-click on every
other message you want to select.
4.8.4 Resend to Me
To redeliver selected messages to your mailbox, select one or more messages, and then
click Resend to Me located at the top of the message list,
To export one or more messages, select the desired item(s) from the message list using Shift- or
Ctrl-click to select multiple messages. Click the Tools menu at the top of the message list, and
click Export Messages. In the window select the desired action and export method. The desired
messages are gathered into a single .pst or .zip file:
• A single ZIP file containing individual .eml files for each message, with files named under
one of the following conventions:
• Date – A string of numbers representing the date and time of the message.
Export to – Select whether to export to the Barracuda Cloud Archiving Service for download to
your local system, or to a Barracuda Copy account.
• Chunk Size – Select the chunk size for the PST or ZIP export as 800MB, 4.7GB, or specify a
custom chunk size in gigabytes.
• Folder Data – Select Export if present to include folder data. Note that this option
is only available when logged in as an LDAP user; this option is not available when
logged in as the admin.
To forward one or more messages, select the desired item(s) from the message list using Shift- or
Ctrl-click to select multiple messages. Click on Tools located at the top of the message list, and
select the desired action. A pop-up dialog prompts you for the email addresses of those users
that are to receive the selected messages; use semi-colons to separate multiple email addresses:
• Forward Selected – Each message selected in the Message List is individually forwarded
(re-delivered) to the specified email address. When this option is selected, a pop-up
prompts you for the desired forwarding email address. Use commas to separate multiple
delivery destinations.
• Forward All – All messages currently in the Message List are individually forwarded
(re-delivered) to the specified email address. When this option is selected, a pop-up
prompts you for the desired forwarding email address. Use commas to separate multiple
delivery destinations.
To tag one or more messages, execute a search in the Basic > Search page, and select the
desired item(s) from the message list using Shift- or Ctrl-click to select multiple messages. Click
PSTs & Tags, click on Tools located at the top of the message list, and select the desired Tag
action. A pop-up dialog prompts you for the tag text. Tags can then be used as search criteria,
allowing you to easily retrieve these messages at a later time:
• Tag Selected – Only the messages that have been selected in the Message List are
tagged. When this option is selected, a pop-up prompts you for the text with which
to tag the messages.
• Tag All – All messages currently in the Message are tagged. When this option is selected, a
pop-up prompts you for the text with which to tag the messages.
• Untag Selected – All tags removed from the selected messages; you cannot remove
individual tags on a message.
• Add search parameters – Click on the plus sign (+) located to the extreme left of a search
criteria line; a new search parameter line is added.
• Remove a search parameter – Click on the minus sign (-) located to the left of the search
parameter you wish to remove.
• Save a constructed query – In the SAVE AS field, enter the name under which the query
is to be saved, and click SAVE AS. If you enter a name that already exists, the new search
parameters overwrite the previously saved parameters under that name.
Run a previously-saved search – Select the Saved Search from the pulldown menu to load the
search parameters onto the page, then click Search.
1. Add the first term “A”, and then add term “and B”; the query searches as: (A AND B)
2. Add a term “or C”; the query searches as: ((A AND B) OR C)
3. Add a term “and D”; the query searches as: (((A AND B) OR C) AND D)
This affects preparation and ordering of Advanced Search queries as follows. Typically, you
first build a population of results by using “OR”, and then subtract items from that population by
using “AND”. For example,
TermA OR
TermB OR
TermC AND
TermD
If you want to force a different order of operations by placing parentheses yourself, use the
Keyword Expressions search mode and construct your query according to those guidelines.
The phrase can only contain a single item. However, that one item can be any
one of the following:
• a single Text-based string;
• a single Integer number-based string;
• a single Wildcarded string;
When creating compound search strings, the keywords ‘AND’ and ‘OR’
must be capitalized.
• question mark (?) – The question mark (?) is a single-character wildcard, matching a single
occurrence of any one character. The number of question marks used denotes the exact
number of characters that must be matched.
When creating compound search strings, the keywords ‘AND’ and ‘OR’
must be capitalized.
A combination of two or more strings in any of the above formats (Text-based, Multi-Text,
Wildcard, or Domain as applicable to the fields being searched) or with other Compound
search strings, each separated by the keywords AND or OR. Surround logical groupings with
parentheses as needed to determine order of operations.
Stop Words are also ignored in wildcard searches, so make sure that the wildcards are attached
to letters that do not comprise a Stop Word in its entirety.
• Period (.) – A period that is not followed by whitespace is treated as part of a word, that is, a
searchable token, and the period is searchable. For example:
• If you enter the search token “192.168.0.1” or “1.2”, the period is included in the search
results, and treated as a single searchable token.
• Hyphen (-) – When a token containing a hyphen also contains a number, the complete item is
treated as a part of the number. For example:
To encrypt messages, you can use the public-key cryptographic system. In this system, each
participant has two separate keys: a public encryption key and a private decryption key. When
someone wants to send you an encrypted message, you use your public key to generate
the encryption algorithm. When you receive the message, you must use your private key to
decrypt the message.
Because encrypted messages are secure, the content cannot be decrypted upon import by the
Barracuda Cloud Archiving Service, and the content is therefore unavailable for search via the
Barracuda Cloud Archiving Service.
By default, automated purging of messages archived to the Barracuda Cloud Archiving Service is
disabled. If you enable this ability, the Global Retention Policy and any Saved-Search retention
policies are run against all the archived messages weekly on Friday night.
If the age of any message exceeds the maximum age allowed by all Saved-
Search retention policies that apply to the message, that message is
permanently deleted from the Barracuda Cloud Archiving Service.
The Global Retention Policy setting does not apply to any messages that match a Saved-
Search retention policy.
To enable or disable the automatic message expiration, set the Allow automatic message
deletion option to Yes or No.
If you define multiple Saved Search retention policies, if the age of any message exceeds the
maximum age allowed by all Saved Search retention policies that apply to the message, that
message is permanently deleted from the Barracuda Cloud Archiving Service.
Because a Saved Search retention policy overrides the Global retention policy, Saved Search
retention policies are useful when you want to create exceptions to a global retention policy.
4. Go to the Policy > Retention page, and verify that Allow automatic message deletion is
set to Yes; when set to Yes, the Saved Search policies are run against archived messages
weekly on Friday nights.
5. Click Add Retention Policy to open the Add Retention Policy dialog box.
6. From the Saved Search drop-down menu, select the name of the saved search on which to
base this retention policy.
• Forever – Messages meeting the Saved Search criteria on this Barracuda Cloud
Archiving Service are retained forever.
• For – Enter the number of days to retain archived messages that match the selected
Saved Search criteria.
The following information about active Litigation Holds will be displayed here, visible only to the
system administrator:
• Auditor – The account name of the Auditor who created the Litigation Hold
• Saved Search – The name of the Saved Search associated with this Litigation Hold
• Hold End Date – The date and time when this Litigation Hold expires
To delete a litigation hold you must have system administrator rights; click the trash can icon
following the Litigation Hold you want to delete.
3. When the search results return, click Save Search, enter the Search Name, and click OK.
4. Click the Saved Searches tab, and in the Actions column for the selected Saved Search,
click Apply Litigation Hold.
• Indefinite – Content that matches the Saved Search is retained until the
Litigation Hold is cancelled
• Page Navigation – Click on the navigation arrows or type a number in the Page field to move
through the Audit Log.
• Tools – Click to select the number of items to display per page and to specify
the Details Pane location.
3. The results pane displays those items matching the entered criteria. Information displayed for
each record includes:
a. Date – When the action occurred and was logged in the Audit Log.
b. User – Which user performed this action. Some actions are performed automatically, not
actively by a specific user, displaying as user System.
d. Detail – Many audit log records contain information in addition to the date, user,
and type. In some cases, a useful piece of this additional information is displayed in
the Detail column, for instance to narrow down a broad action type.
4. To view additional information, click on an item. Details display in the right pane.
1. Log in to your Office 365 Management Panel using an account with administrative privileges,
and click users and groups in the left pane.
3. In the details page, enter the details for the new service account, and click next.
4. In the settings page, select Yes to assign administrator permissions, and from the drop-down
menu, select Global administrator. Optionally, you can add an alternate email address and
location. Click next.
6. In the send results in email page, click Create. The service account details
are sent to the admin.
7. To activate the account, log in to your Office 365 Management Panel using the new service
account, and update the password.
1. Log in to your Office 365 Management Panel using an account with administrative privileges,
and go to permissions > admin roles.
5. Click OK.
6. Scroll down to Members, select the service account created in Step 1: Create a New Service
Account, and click add.
7. Click OK. Click Save to save your settings and close the Role Group window. The
Impersonation role is now listed in Admin Roles.
Use the following steps to assign the ApplicationImpersonation role using PowerShell:
2. Press Enter.
1. Log in to Barracuda Backup, and select the Cloud Source in the left pane.
3. The Data Sources page displays. Click Add a Cloud Provider, and enter the following details:
a. In the Cloud Provider description field, enter a name to represent the data source.
b. From the Cloud Provider type drop-down menu, select Microsoft Office 365.
c. Click Save.
c. Click Authorize.
5. In the Exchange Online page, click Accept to authorize Barracuda to back up data
from Exchange Online:
a. Enter a name to identify the data source in the Data Description field.
b. In the Add to schedule section, click the drop-down menu, and then click Add New:
8. Click OK. The Edit Exchange Online page is updated with the new schedule name.
10. In the Items to Back Up section, select individual items to back up, or click Apply to
all computers and data sources for this Barracuda Backup Cloud Service to back up
everything in Exchange Online.
11. In the Schedule Timeline section, select the day you want the schedule to run.
12. In the Daily Backup Timeline, specify the time of day the schedule is to run:
13. Click Save. Exchange Online is backed up based on your data source and schedule settings.
After downloading and installing the SharePoint Online Management Shell, you can
follow the steps in the Microsoft support article Assign eDiscovery permissions to
OneDrive for Business sites.
1. Log in to your Office 365 Management Panel using an account with administrative privileges,
and click users and groups in the left pane.
3. In the details page, enter the details for the new service account, and click next.
4. In the settings page, select Yes to assign administrator permissions, and from the drop-down
menu, select Global administrator. Optionally, you can add an alternate email address and
location. Click next.
6. In the send results in email page, click Create. The service account details
are sent to the admin.
7. To activate the account, log in to your Office 365 Management Panel using the new service
account, and update the password.
There are two options you can use to give the service account created in Step 1. Create a New
Service Account access to user accounts:
• Option 1 – Run a SharePoint Online Management Shell script to automatically apply the
proper permissions to each user account; this is the preferred and fastest. If you have
multiple users, this is also the easiest method.
or
1. Download and open the AdminRights.ps1 script using a text editor such as Notepad.
• $spAdminURL – Replace with the same URL used in your organization’s OneDrive
URL, but suffixed with -admin
• $spMyURL – Replace with the same URL used in your organizations’ OneDrive URL,
but suffixed with -my
4. Locate the SharePoint Online Management Shell installed in Step 1, then right-click and click
Run as administrator.
5. Change your working directory within the SharePoint Online Management Shell to the
location where you saved the AdminRights.ps1 script:
You must complete the steps in Option 1 each time you add new users.
1. Log in to your Office 365 Management Panel using the service account created in Step 1.
Create a New Service Account.
2. In the left pane click Admin centers > SharePoint, and click user profiles.
5. Click the user’s Account name, and then click Manage site collection owners:
6. The site collection owners dialog box displays. In the Site Collection Administrators
field, add the service account with administrative privileges or another account with
administrative privileges:
• Type the account name, and then click the Verify User icon, or
• Click the Directory icon, and navigate to and select the account from the directory:
7. Click OK. The service account or administrative account added as the user’s Site Collection
Administrator can now view the user’s entire OneDrive account.
8. Repeat Steps 3 through 7 for each user who’s OneDrive for Business data is to be backed up
with Barracuda Cloud-to-Cloud Backup.
Complete the following steps to set up impersonation permission for the service account on all
newly created OneDrive users:
1. Log in to your Office 365 Management Panel using the service account created in Step 1.
Create a New Service Account.
2. In the left pane click Admin centers > SharePoint, and click user profiles.
4. In the My Site Secondary Admin section, click Enable My Site secondary admin.
5. In the Secondary admin field, type the username of the newly created service account.
6. Click OK.
3. The Data Sources page displays. Click Add a Cloud Provider, and enter the following details:
a. In the Cloud Provider description field, enter a name to represent the data source.
c. Click Save.
a. From the Data Type drop-down menu, select OneDrive for Business.
b. Enter the OneDrive URL in the associated field; the URL is available once
you log in to OneDrive.
c. Click Authorize:
e. Enter your OneDrive for Business administrator login information, and then click Sign in.
a. Enter a name to identify the data source in the Data Description field.
b. In the Add to schedule section, click the drop-down menu, and then click Add New:
6. The Add New Schedule dialog box displays. Enter a name to represent the schedule:
7. Click OK. The Edit OneDrive for Business page is updated with the new schedule name.
10. In the Schedule Timeline section, select the day you want the schedule to run.
11. In the Daily Backup Timeline, specify the time of day the schedule is to run:
12. Click Save. OneDrive is backed up based on your data source and schedule settings.
You must complete the following steps for each SharePoint Site Collection
you want to back up.
1. Log in to your Office 365 Management Panel using an account with administrative privileges,
go to the Office 365 admin center, and click Admin centers > SharePoint.
2. Hover over and select the site collection you want to add the administrator to.
4. The manage administrators page displays. In the Site Collection Administrators section, enter the
name of the administrator you want to add as a Site Collection Administrator, and click the Check
Names icon to verify the user name is valid. For example, SharePoint Service Administrator:
5. Click OK to save your changes and add the selected administrator as the Site
Collection Administrator.
3. The Data Sources page displays. Click Add a Cloud Provider, and enter the following details:
a. In the Cloud Provider description field, enter a name to represent the data source.
b. From the Cloud Provider type drop-down menu, select Microsoft Office 365.
4. Click Save.
c. Click Authorize.
6. In the SharePoint Online page, click Accept to authorize Barracuda to back up data
from SharePoint Online:
a. Enter a name to identify the data source in the Data Description field.
b. In the Add to schedule section, click the drop-down menu, and then click Add New:
9. Click OK. The Edit SharePoint Online page is updated with the new schedule name.
11. In the Items to Back Up section, select individual items to back up, or click Apply to all
computers and data sources for this Barracuda Backup Cloud Service to back up everything
in SharePoint Online.
12. In the Schedule Timeline section, select the day you want the schedule to run.
13. In the Daily Backup Timeline, specify the time of day the schedule is to run:
14. Click Save. SharePoint Online is backed up based on your data source
and schedule settings.
1. Log in to Barracuda Backup, and select the Cloud-to-Cloud Backup Source in the left pane.
2. Go to Backup > Schedules.
5. In the Identify the data sources section, select the data to be backed up using this schedule.
You can select Apply to all computers and data sources for this Barracuda Cloud to Cloud
Backup or you can granularly select data down to a specific file or folder.
6. In the Schedule Timeline section, select the days you want the schedule to run. If you are
creating a one-time only backup schedule, deselect all days:
9. The backup schedule is now listed on the Schedules page and specifies the days and times
that it is to run. To run a backup on-demand, click Run Backup Now, to edit the schedule
click Edit, or to delete a schedule, click Remove:
1. Log in to Barracuda Backup, and select the Cloud-to-Cloud Backup source in the left pane.
3. Click Exchange Online in the left pane, and then select the user mailbox from
which to restore data:
5. Locate the email or folder to restore, or use the search field to locate the desired data:
8. Use the calendar to select the desired day to view data available for restore from that date.
9. Once you locate the email(s) or folder to restore, click Restore to the right of a single item, or
click Restore selected items if you selected multiple items:
13. Verify the messages or folders have been restored in the user’s Exchange Online mailbox.
1. Log in to Barracuda Backup, and select the Cloud-to-Cloud Backup Source in the left pane.
3. Click OneDrive for Business in the left pane, and then select the user account from
which to restore data:
4. Navigate through the folder structure to locate the file or folder you want to restore.
Alternatively, you can use the search field to locate the desired data:
6. Use the calendar to select the desired day to view data available for restore from that date.
7. Once you locate the file(s) or folder to restore, click Restore to the right of a single item, or
click Restore selected items if you selected multiple items:
11. Verify the files or folders have been restored in the user’s OneDrive for Business account.
1. Log in to Barracuda Backup, and click the Office 365 Backup in the left pane.
3. Click SharePoint Online in the left pane, and then select the Site from which to restore data:
4. Navigate through the folder structure to locate the file or folder you want to restore, or use
the search field to locate the desired data:
6. Use the calendar to select the desired day to view data available for restore from that date.
7. Once you locate the file(s) or folder to restore, click Restore to the right of a single item, or
click Restore selected items if you selected multiple items:
11. Verify the files or folders have been restored in the SharePoint Online Site.