Barracuda Essentials

Foundation - ESS01

COURSE HANDBOOK

Official training material for Barracuda certified trainings and Authorized Training Centers.

Edition 2020 | Revision 3.0

campus.barracuda.com | campus@barracuda.com EMAIL PROTECTION


© Barracuda Networks Inc., January 31, 2020 10:08 AM. The information contained within this document is confidential and proprietary
to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal
documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are
subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda
Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Table of Contents

Introduction

1.1 Introduction to Essentials
1.1.1 Barracuda Email Security
1.1.2 Advanced Threat Protection
1.1.3 Barracuda Cloud Archiving Service
1.1.4 Barracuda Cloud-to-Cloud Backup
1.1.5 Where to Start
1.1.6 The Roles of Archival and Backup

1.2 Barracuda Email Security Service Features
1.2.1 Inbound Email Protection
1.2.2 Outbound Email Protection
1.2.3 Sender Authentication
1.2.4 Email Continuity

1.3 Advanced Threat Protection Features
1.3.1 Options
1.3.2 Advanced Threat Protection Exemptions
1.3.3 Administrator Notification
1.3.4 ATP Exemptions
1.3.5 Message Log
1.3.6 View ATP Statistics
1.3.7 Deferred Delivery

1.4 Barracuda Cloud Archiving Service Features
1.4.1 Exchange Integration
1.4.2 PST File Import
1.4.3 Barracuda PST Enterprise
1.4.4 Archive Skype for Business Conversations
1.4.5 Retention Policies
1.4.6 Audit Log Filtering
1.4.7 User Accounts
1.4.8 Search Options
1.4.9 End-User Search Tools

1.5 Barracuda Cloud-to-Cloud Backup Service Features
1.5.1 Backup Schedules
1.5.2 Retention Policies
1.5.3 Restore Data
1.5.4 Reports
1.5.5 Users
1.5.6 Email Notifications

Administration

2.1 Initial Deployment
2.1.1 Determine Your Deployment
2.1.2 Deploy Barracuda Essentials for Office 365
2.1.3 Configure via PowerShell

Barracuda Email Security Service

3.1 Introduction to Barracuda Email Security Service
3.1.1 Connection Management Layers
3.1.2 Mail Scanning Layers
3.1.3 Barracuda Antivirus Supercomputing Grid
3.1.4 Advanced Spam Detection
3.1.5 Predictive Sender Profiling
3.1.6 Monitored Outbound Email Volume
3.1.7 Encryption

3.2 Barracuda Email Security Service Deployment

3.3 Inbound Filtering Policy
3.3.1 IP Analysis
3.3.2 Content Analysis
3.3.3 Bulk Email Detection
3.3.4 Rate Control

3.4 Outbound Filtering Policy
3.4.1 DLP and Outbound Mail Encryption
3.4.2 Content Analysis
3.4.3 Abuse Monitoring and Notifications
3.4.4 Outbound Quarantine
3.4.5 Outbound Rate Control

3.5 Advanced Configuration
3.5.1 Secured Message Transmission
3.5.2 Sender Authentication
3.5.3 Directory Services

3.6 Administration
3.6.1 User Accounts
3.6.2 User Authentication
3.6.3 Reports, Logs, and Notifications
3.6.4 Quarantine

3.7 Outbound Spam Protection

3.8 Advanced Threat Protection
3.8.1 Advanced Threat Protection Options
3.8.2 Advanced Threat Protection Exemptions
3.8.3 Administrator Notification
3.8.4 ATP Exemptions
3.8.5 Message Log
3.8.6 View ATP Statistics
3.8.7 Deferred Delivery

3.9 Email Continuity
3.9.1 Notifications and Status
3.9.2 Actions

Barracuda Cloud Archiving Service

4.1 Introduction to the Barracuda Cloud Archiving Service
4.1.1 Understanding Compliance
4.1.2 Litigation Support
4.1.3 Storage Management
4.1.4 Knowledge Management
4.1.5 Compliance
4.1.6 Data Retention
4.1.7 Litigation Holds
4.1.8 Datacenters by Region

4.2 Barracuda Cloud Archiving Service Deployment

4.3 PST Import
4.3.1 PST File Import
4.3.2 Barracuda PST Enterprise

4.4 User Roles
4.4.1 User Roles
4.4.2 User Accounts
4.4.3 Local Accounts
4.4.4 LDAP Accounts

4.5 End-User Access
4.5.1 Barracuda Cloud Archiving Web Interface
4.5.2 Barracuda Outlook Add-In
4.5.3 Barracuda Stand-Alone Search Utility
4.5.4 Barracuda Mobile Companion App

4.6 Tools and Add-Ins
4.6.1 Barracuda Outlook Add-In
4.6.2 Stand-Alone Search Utility
4.6.3 Mobile Companion App

4.7 Exchange Integration
4.7.1 Exchange Operations
4.7.2 Email Import
4.7.3 Configure Office 365 Exchange Online Service Account and Import Historical Data
4.7.4 Archive Non-Email Items
4.7.5 Synchronize Folders

4.8 Search Options
4.8.1 Message Actions
4.8.2 Search as User
4.8.3 Select Messages
4.8.4 Resend to Me
4.8.5 Export Messages
4.8.6 Forward Messages
4.8.7 Tag Messages
4.8.8 Search As User
4.8.9 Available Actions
4.8.10 Build Search Queries
4.8.11 Advanced Search Parameters
4.8.12 Search Strings
4.8.13 Keyword Expressions
4.8.14 Wildcards
4.8.15 Domain-Based Search Strings
4.8.16 Compound Search Strings
4.8.17 Stop Words
4.8.18 Punctuation in Search Strings
4.8.19 Encrypted Email

4.9 Retention Policies
4.9.1 Global Retention Policy
4.9.2 Saved-Search Retention Policy

4.10 Litigation Holds

4.11 Audit Logs
4.11.1 Audit Log Tools and Options

Barracuda Cloud-to-Cloud Backup

5.1 Introduction to Barracuda Cloud Backup

5.2 Configure Impersonation for Exchange Online
5.2.1 Configure Impersonation

5.3 Configure an Exchange Online Data Source
5.3.1 Configure Exchange Online Data Source

5.4 Configure Impersonation for OneDrive for Business
5.4.1 Configure Impersonation

5.5 Configure OneDrive for Business Data Source
5.5.1 Configure OneDrive for Business Data Source

5.6 Configure SharePoint Online Primary Site Collection Admin
5.6.1 Configure Site Collection Administrator

5.7 Configure SharePoint Online Data Source
5.7.1 Configure Data Source

5.8 Configure Backup Schedules
5.8.1 Configure a Backup Schedule

5.9 Restore Backup

5.10 Backup Reports
5.10.1 Backup Report
5.10.2 Restore Report
5.10.3 Audit Log Reports


Introduction
1.1 Introduction to Essentials
For pricing, feature lists, and datasheets, refer to the Barracuda Essentials product page on
the Barracuda website.

Barracuda Essentials provides the most complete, simple, and affordable solution for protecting
business emails and data in Office 365, Microsoft Exchange, and G Suite. It combines
award-winning email security with a tamper-proof email archive to ensure compliance and simplify
litigation searches. For Office 365, Barracuda also offers full cloud-to-cloud backup and recovery
of your emails and files.

1.1.1 Barracuda Email Security


The Barracuda Email Security Service provides additional security features. It has a rich and
granular series of filters and malware management components, allowing greater flexibility
and stronger threat protection. The Barracuda Email Security Service is a comprehensive and
affordable cloud-based email security service that protects both inbound and outbound email
against the latest spam, viruses, worms, phishing, and denial of service attacks. Whether you
manage your own mail server or use a hosted service, spam and viruses are blocked in the cloud
prior to delivery to your network, saving network bandwidth and providing additional Denial of
Service (DoS) protection.

1.1.2 Advanced Threat Protection


The Advanced Threat Protection (ATP) service analyzes inbound email attachments with
most MIME types and publicly accessible direct download links in a separate, secured cloud
sandbox, detecting new threats and determining whether to block such messages. ATP
offers protection against advanced malware, zero-day exploits, and targeted attacks not
detected by the Barracuda Email Security Service virus scanning features. ATP is included with
all Essentials bundles.

The standalone Email Security option is available for purchase only through the Barracuda
Self-Service Gateway or Barracuda MSP.

1.1.3 Barracuda Cloud Archiving Service


It is important to guarantee that mail, once archived, cannot be modified, otherwise the archive
becomes an unreliable source of historical and auditing information. Furthermore, archived email
is stored alongside working data, exposing it to damage should something happen to the mail
server or hosted service.

Retention policies are a critical element of email archiving. They allow you to decide how long a
message is kept before it is deleted.

The Barracuda Cloud Archiving Service integrates with your mail server or hosted mail service to
create a cloud-based indexed archive, storing mail in a secure, separate repository for as long as
needed without risk of deletion.

The Barracuda Cloud Archiving Service provides advanced archiving functionality. Messages
stored in the Barracuda Cloud Archiving Service archive are immutable – they cannot be
changed after archiving, ensuring that the archive is an accurate record of messages received. 

1.1.4 Barracuda Cloud-to-Cloud Backup
Barracuda Cloud-to-Cloud Backup protects Exchange Online, OneDrive for Business, and
SharePoint Online data by backing it up directly to Barracuda Cloud Storage. For Exchange
Online, Barracuda Cloud-to-Cloud Backup protects all email messages, including all attachments,
as well as the complete folder structure of each user’s mailbox. In OneDrive for Business, all files
under the Documents Library, including the entire folder structure, are protected. Easily locate
and restore folders, individual items, or entire mailboxes. Barracuda Cloud-to-Cloud Backup
provides complete protection of SharePoint Online. With item-level recovery options, items can
be restored directly into SharePoint Online from the backups of Document Libraries, Site Page
Libraries, and Picture Libraries in Team Site, Publishing Site, and Wiki Site.

1.1.5 Where to Start


Barracuda Essentials is available in the following configurations:

Complete Edition (Available for Office 365 Only)

Cloud-based, multi-layer email security, archiving, and cloud-to-cloud backup for Office 365
mailboxes, OneDrive for Business, and SharePoint Online, which includes:

• Barracuda Email Security – Security service protecting both inbound and outbound email
against the latest spam, viruses, worms, phishing and DoS attacks.

• Advanced Threat Protection – ATP protects against advanced malware, zero-day exploits,
and targeted attacks.

• Barracuda Cloud Archiving Service – Journal mail directly from Office 365 to the Barracuda
Cloud to optimize email storage, meet regulatory compliance and e-discovery requirements,
and provide anytime/anywhere access to old emails.

• Barracuda Cloud-to-Cloud Backup – Protects Exchange Online, OneDrive for Business,
and SharePoint Online data by backing it up directly to Barracuda Cloud Storage. For
Exchange Online, Barracuda Cloud-to-Cloud Backup protects all email messages, including
all attachments, as well as the complete folder structure of each user’s mailbox. In OneDrive
for Business, all files under the Documents Library, including the entire folder structure,
are protected. Easily locate and restore folders, individual items, or entire mailboxes. For
SharePoint Online, all files and folders in Document Libraries, Site Assets, Picture Libraries,
and Form Templates in Team Sites and Public Sites are backed up.

Compliance Edition

Cloud-based spam prevention, email security, ATP, and archiving, which includes:

• Barracuda Email Security – Security service protecting both inbound and outbound email
against the latest spam, viruses, worms, phishing and DoS attacks.

• Advanced Threat Protection – ATP protects against advanced malware, zero-day exploits,
and targeted attacks.

• Barracuda Cloud Archiving Service – Journal mail directly from your mail server or hosted
service to the Barracuda Cloud to optimize email storage, meet regulatory compliance and
e-discovery requirements, and provide anytime/anywhere access to old emails.

Security Edition

Cloud-based spam prevention, email security, and ATP, which includes:

• Barracuda Email Security – Security service protecting both inbound and outbound email
against the latest spam, viruses, worms, phishing and DoS attacks.

• Advanced Threat Protection – ATP protects against advanced malware, zero-day exploits,
and targeted attacks.

Standalone Email Security

Cloud-based spam prevention and email security. 

The standalone Barracuda Essentials Email Security option is available
only through the Barracuda Self-Service Gateway or Barracuda MSP.

• Barracuda Email Security – Security service protecting both inbound and outbound email
against the latest spam, viruses, worms, phishing and denial of service attacks.

1.1.6 The Roles of Archival and Backup


Essentials can include both Cloud Archiving Service and Cloud-to-Cloud Backup. The
feature set is as follows:

CLOUD ARCHIVING SERVICE CLOUD-TO-CLOUD BACKUP

Data Storage x x
Exchange Integration x x
Retention Policy x x
Search x x
Deduplication x x
Administrator control x
Operator-specified data sources, incl. files x
Scheduling x
Revision-based x
Restore Browser x
Journaling-based x
Virus checking x
Advanced search x
Audit user role x
End-user access and restore x
Litigation hold x

1.2 Barracuda Email Security Service Features

1.2.1 Inbound Email Protection


Inbound filtering includes:

• IP Analysis

• Content Analysis

• Regional Policies

• Bulk Email Detection

• Rate Control

• Sender and Recipient Analysis

• Advanced Threat Protection (available with most deployment options)

IP Analysis
Once the true sender of an email message is identified, the reputation and intent of that sender
should be determined before accepting the message as valid, or “not spam”. The best way to
address both issues is to know the IP addresses of trusted email senders and forwarders and
define those as exempt from scanning by adding them to a list of known good senders.

You can create a list of Trusted Forwarders by specifying one or more IP addresses of machines
that you have set up to forward email to the Barracuda Email Security Service from outside
sources. The Barracuda Email Security Service exempts any IP address in this list from Rate
Control, Sender Policy Framework (SPF) checks, and IP Reputation. In the Received headers,
the Barracuda Email Security Service continues looking beyond a Trusted Forwarder IP address
until it encounters the first non-trusted IP address. At this point, Rate Control, SPF checks, and IP
Reputation checks are applied. Configure on the Inbound Settings > IP Address Policies page.
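
The Received-header walk described above, as an added example that is not Barracuda's code. It assumes each hop records the peer IP in square brackets and that Received headers are ordered newest first; the function names, the trusted list, and the sample message with its documentation-range addresses are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: two internal relays (trusted forwarders) in front of
# the original external sender. The newest Received header comes first.
SAMPLE_MESSAGE = """\
Received: from relay2.example.net (relay2.example.net [198.51.100.20])
\tby filter.example.com with ESMTP; Mon, 3 Feb 2020 10:00:03 +0000
Received: from relay1.example.net (relay1.example.net [198.51.100.10])
\tby relay2.example.net with ESMTP; Mon, 3 Feb 2020 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.45])
\tby relay1.example.net with ESMTP; Mon, 3 Feb 2020 10:00:01 +0000
From: alice@sender.example
To: bob@example.com
Subject: constructed test message

body
"""

# Hypothetical Trusted Forwarders list (single IPs or CIDR ranges).
TRUSTED_FORWARDERS = ["198.51.100.10", "198.51.100.20/32"]

BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def hop_ips(raw_message):
    """Return the bracketed peer IP of each Received header, newest first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = BRACKETED_IP.search(header)
        if not match:
            continue  # hop without a literal IP, e.g. local submission
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # bracketed text that is not an IP address
    return ips


def effective_sender_ip(raw_message, connecting_ip, trusted):
    """Return the first non-trusted IP, the one the checks apply to.

    Starts at the connecting IP and, while the current hop is a trusted
    forwarder, steps one Received header further back. Returns None when
    every known hop is trusted.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in trusted]

    def is_trusted(ip):
        return any(ip in net for net in networks)

    chain = [ipaddress.ip_address(connecting_ip)]
    for ip in hop_ips(raw_message):
        if ip != chain[-1]:  # the newest header usually repeats the connecting IP
            chain.append(ip)
    for ip in chain:
        if not is_trusted(ip):
            return str(ip)  # Rate Control, SPF and IP Reputation apply here
    return None
```

Headers below the first non-trusted hop are written by the sender and carry no weight, which is why the walk stops there and why a connection from an address outside the list is evaluated on that address regardless of what its headers claim.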

Inbound Content Analysis


Set custom content filters for inbound messages based on message content and attachment file
name or MIME type on the Inbound Settings > Content Policies page.

• Attachment Filtering – Select whether to Block, Ignore, or Quarantine attachments based
on File Name or MIME type. Additionally, you can select to Block, Ignore, or Quarantine
attached archive files that require a password to unpack.

• Message Content Filtering – Base message content filtering on any combination of Subject,
Headers, Body, Attachments, Sender, or Recipient, and select whether to Block, Ignore, or
Quarantine messages that meet the entered criteria. Use regular expressions as well as the
following special characters: . [   ]   \   *   ?   $   (   )   |   ^   @
Note that you must escape special characters with a backslash (“\”). See Regular Expressions
in the Campus Reference section for advanced filtering text patterns. HTML comments and tags
between characters in the HTML source of a message are filtered out so that content filtering
applies to the actual words as they appear when viewed in a web browser.

Regional Policies
You can select to Block or Quarantine messages based on country of origin or language on
the Inbound Settings > Regional Policies page, allowing you to reduce unwanted inbound emails.

Bulk Email Detection


Many users subscribe to websites and lists and later forget that they subscribed, or subscribed
unknowingly. Email messages containing anything that looks like an unsubscribe link or
instruction may or may not be considered spam by the recipient. To provide users the opportunity
to decide, you can quarantine bulk email messages that contain unsubscribe links or instructions,
or you can choose to block them all, thereby reducing the load on your mail server. Configure
Bulk Email Detection on the Inbound Settings > Anti-Spam/Antivirus page. If this feature is set to
Block or Quarantine, email messages/domains that are exempted by users or the administrator
override this setting and are allowed.

Inbound Rate Control


This feature protects your organization from spammers or spam-programs (also known as
“spam-bots”) that send large amounts of email to the server in a small amount of time. Rate Control
for inbound mail is configured on the Inbound Settings > Rate Control page. The Rate Control
mechanism counts the number of recipients for a domain from a sender (a single IP address) over
a half-hour time frame and compares that number to the Maximum Recipients per Sender IP
Address per 30 minutes threshold you set on the page. If the number of inbound recipients for a
domain from a sender (a single IP address) exceeds this threshold within a half-hour period, the
Barracuda Email Security Service defers any further connection attempts from that particular IP
address until the next half-hour time frame and logs each attempt as deferred in the Message Log
with a reason of Rate Control.

Exemptions from Rate Control


You can exempt trusted IP addresses from Rate Control by adding a trusted
IP address to the Rate Control Exemption list. Organizations that relay email
through known servers or communicate frequently with known partners
can and should add the IP addresses of those trusted relays and good mail
servers to this list.
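
A small model of the inbound Rate Control behaviour and its exemption list, as an added example that is not Barracuda's implementation. It assumes half-hour frames aligned to the clock, non-decreasing timestamps, and that the attempt which crosses the threshold is itself accepted; the class, the action strings other than the Rate Control reason, and the traffic are constructed.

```python
import ipaddress
from collections import defaultdict

FRAME_SECONDS = 30 * 60  # the half-hour time frame described in the text


class InboundRateControl:
    """Toy model of per-sender-IP recipient counting in half-hour frames."""

    def __init__(self, max_recipients, exempt=()):
        self.max_recipients = max_recipients  # Maximum Recipients per Sender IP
        self.exempt = [ipaddress.ip_network(e, strict=False) for e in exempt]
        self.frame = None                # frame currently being counted
        self.counts = defaultdict(int)   # (sender_ip, domain) -> recipients
        self.over_limit = set()          # sender IPs deferred for this frame
        self.message_log = []            # (timestamp, sender_ip, action, reason)

    def _roll_frame(self, timestamp):
        frame = int(timestamp) // FRAME_SECONDS
        if frame != self.frame:          # new half hour: counters start over
            self.frame = frame
            self.counts.clear()
            self.over_limit.clear()

    def _log(self, timestamp, sender_ip, action, reason):
        self.message_log.append((timestamp, sender_ip, action, reason))
        return action

    def attempt(self, timestamp, sender_ip, recipients):
        """Record one delivery attempt; return 'allowed' or 'deferred'."""
        self._roll_frame(timestamp)
        addr = ipaddress.ip_address(sender_ip)
        if any(addr in net for net in self.exempt):
            return self._log(timestamp, sender_ip, "allowed", "exempt")
        if sender_ip in self.over_limit:
            # Every further attempt in this frame is deferred and logged.
            return self._log(timestamp, sender_ip, "deferred", "Rate Control")
        for rcpt in recipients:
            domain = rcpt.rsplit("@", 1)[-1].lower()
            self.counts[(sender_ip, domain)] += 1
            if self.counts[(sender_ip, domain)] > self.max_recipients:
                self.over_limit.add(sender_ip)
        return self._log(timestamp, sender_ip, "allowed", "")


# Constructed traffic: (seconds since start, sender IP, recipients).
SAMPLE_ATTEMPTS = [
    (0,    "203.0.113.9",  ["a@example.com", "b@example.com", "c@example.com"]),
    (60,   "203.0.113.9",  ["d@example.com", "e@example.com", "f@example.com"]),
    (120,  "203.0.113.9",  ["g@example.com"]),
    (130,  "198.51.100.7", ["u%d@example.com" % i for i in range(50)]),
    (140,  "198.51.100.7", ["v@example.com"]),
    (1799, "203.0.113.9",  ["h@example.com"]),
    (1800, "203.0.113.9",  ["i@example.com"]),
]


def replay(attempts, max_recipients, exempt=()):
    """Run the attempts through a fresh controller; return actions and log."""
    control = InboundRateControl(max_recipients, exempt)
    actions = [control.attempt(t, ip, rcpts) for t, ip, rcpts in attempts]
    return actions, control.message_log
```

Replaying the sample with a threshold of 5 shows the relay at 198.51.100.7 being deferred on its second attempt unless it is on the exemption list, and the first sender being accepted again once the next half-hour frame starts.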

Sender and Recipient Analysis


Use the Inbound Settings > Sender Policies page to exempt, quarantine, or block messages
based on username, domain, or email address. The Barracuda Email Security Service applies
header scanning to both the Header and the Envelope From fields. In the Header field, only the
email address portion is checked. Note that wildcards, such as the asterisk (*) or the @ sign, are
not supported. For example, *@customer.com is recognized as customer.com.

Use the Inbound Settings > Recipient Policies page to specify whether to always Scan or
always Exempt (whitelist) a recipient email address. Exempt (whitelisted) recipients bypass spam
scoring (see Enable Cloudscan on the Inbound Settings > Anti-Spam/Anti-Virus page) as well as
all other blocklists. Virus scanning still applies.

Advanced Threat Protection
This service analyzes inbound email attachments with most MIME types in a separate, secured
cloud environment, detecting new threats and determining whether to block such messages. ATP
offers protection against advanced malware, zero-day exploits, and targeted attacks not detected
by the Barracuda Email Security Service virus scanning features.

1.2.2 Outbound Email Protection


Outbound filtering includes:

• Outbound Mail Data Leak Prevention (DLP) and Encryption

• Content Analysis

• Abuse Monitoring and Notifications

• Outbound Quarantine

• Outbound Rate Control

Outbound Mail Data Leak Prevention and Encryption


For health care providers, governmental agencies, and other entities who need to protect
private, sensitive and valuable information communicated via email, the Barracuda Email Security
Service provides Data Leak Prevention (DLP) features using email encryption. DLP enables
your organization to satisfy email compliance filtering for corporate policies and government
regulations such as HIPAA and Sarbanes-Oxley (SOX). Advanced content scanning is applied for
keywords inside commonly used text attachments, as well as email encryption. You can configure
email encryption policies per domain.

• Outbound Mail Encryption – Encryption is performed by the Barracuda Email Encryption
Service, which also provides a web interface, the Barracuda Message Center, for recipients to
retrieve encrypted messages.

Figure 1: Mail Flow for Encrypted messages sent through the Barracuda Email Security Service.

When the Barracuda Email Encryption Service encrypts the contents of a
message, the message body does not display in the Message Log. Only
the sender of the encrypted message(s) and the recipient can view the
body of an encrypted message. For more information about privacy, see
the Barracuda Networks Privacy Policy.

• Secure Sensitive Message Transmission – TLS, also known as the Secure Sockets Layer
(SSL), provides secure transmission of email content over an encrypted channel. For DLP,
you should require mail to be sent outbound from the Barracuda Email
Security Service over a TLS connection. To do so, enable Force TLS for each domain
on the Outbound Settings > DLP/Encryption page. Mail sent to these domains must be
transmitted across a TLS connection. If a TLS connection cannot be established, then the
mail will not be delivered.

• Define when to Encrypt Messages – Use the Outbound Settings > Content Policies page to
create policies for outbound message encryption in one or both sections:

• Message Content Filters – You can select the Encrypt action for outbound email based on
characteristics of the message’s subject, header or body. You can specify simple words or
phrases, or use Regular Expressions. Content filtering is case sensitive.

• Predefined Filters – You can select the Encrypt action for outbound email messages that
contain matches to pre-made patterns in the subject line, message body, or attachment.
Use the pre-defined data leakage patterns (specific to U.S.) to meet HIPAA and other email
security regulations:

• Credit Cards – Messages sent through the Barracuda Email Security Service containing
recognizable Master Card, Visa, American Express, Diners Club or Discover card
numbers will be subject to the action you choose.

• Social Security – Messages sent with valid social security numbers will be subject
to the action you choose. U.S. Social Security Numbers (SSN) must be entered in
the format nnn-nn-nnnn.

• Privacy – Messages will be subject to the action you choose if they contain two or
more of the following data types, using common U.S. data patterns only: credit cards
(including Japanese Credit Bureau), expiration date, date of birth, Social Security
number, driver’s license number, street address, or phone number.

• HIPAA – Messages will be subject to the action you choose if they contain TWO of the
types of items as described in Privacy above and ONE medical term, or ONE Privacy
item, ONE Address and ONE medical term. A street address can take the place of
Privacy patterns. So, for example, a U.S. Social Security Number (SSN), an address, and
one medical term is enough to trigger the HIPAA filter.

The format of this data varies depending on the country, and these
filters are more commonly used in the United States; they do not
apply to other locales. Because of the millions of ways that any of the
above information can be formatted, a determined person will likely
be able to find a way to defeat the patterns used. These filter options
are no match for educating employees about what is and is not
permissible to transmit via unencrypted email.

• Send/Receive Encrypted Messages – The Barracuda Message Center is a web-based
email client for receiving and managing encrypted email sent by the
Barracuda Email Security Service. The email client looks and behaves much like any
web-based email program.
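
The combination rules of the Predefined Filters listed above, as an added example that is not Barracuda's code or its patterns. The regular expressions and the medical term list are simplified assumptions, expiration dates and driver's license numbers are left out, and all sample messages are constructed.

```python
import re

# Simplified U.S.-format patterns, constructed for this example.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")       # nnn-nn-nnnn only
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")          # 13 to 16 digits
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)")
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth)\b\W{0,3}\d{1,2}/\d{1,2}/\d{4}", re.I)
ADDRESS_RE = re.compile(
    r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
    r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive)\b")
MEDICAL_TERMS = {"diagnosis", "prescription", "oncology", "biopsy"}  # sample list


def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:          # every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def find_data_types(text):
    """Return the set of Privacy data types found in the text."""
    found = set()
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.add("credit_card")
    if any(ssn_plausible(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    if PHONE_RE.search(text):
        found.add("phone")
    if DOB_RE.search(text):
        found.add("date_of_birth")
    if ADDRESS_RE.search(text):
        found.add("street_address")
    return found


def triggered_filters(text):
    """Return the names of the predefined filters this text would trigger."""
    types = find_data_types(text)
    words = set(re.findall(r"[a-z]+", text.lower()))
    medical = bool(words & MEDICAL_TERMS)
    hits = set()
    if "credit_card" in types:
        hits.add("Credit Cards")
    if "ssn" in types:
        hits.add("Social Security")
    if len(types) >= 2:                 # Privacy: two or more data types
        hits.add("Privacy")
    # HIPAA: two data types plus a medical term. A street address counts as
    # one of the two, which also covers "one item, one address, one term".
    if medical and len(types) >= 2:
        hits.add("HIPAA")
    return hits


# Constructed sample messages.
SAMPLES = {
    "hipaa": "Patient lives at 42 Maple Street. SSN on file is 123-45-6789. "
             "Biopsy results attached.",
    "card": "Please charge card 4111 1111 1111 1111 for the invoice.",
    "bad_card": "Order reference 4111 1111 1111 1112 shipped.",
    "privacy": "DOB: 01/02/1980, phone 555-123-4567",
}
```

The checksum and range checks cut false positives on order numbers and similar digit runs; the policy action (Block, Quarantine, or Encrypt) is then chosen per filter name.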

Outbound Content Analysis
• Custom Content Filters – Customize content filtering based on any combination of subject,
headers, body, attachments, sender, or recipient, and apply to outbound mail. Filter actions
for outbound mail include Block, Allow, Quarantine, and Encrypt. Messages that meet the
Quarantine criteria are sent to the Outbound Quarantine for the administrator to evaluate.
Messages can then be viewed, delivered, rejected, deleted, or exported from the Overview >
Outbound Quarantine page.

• Attachment Content Filters – All outbound messages, including those from exempt
senders, go through attachment filtering. On the Outbound Settings > Content Policies
page, you can select to filter text matching the entered pattern based on File Name or
MIME type, and select whether to Block, Ignore, or Quarantine outbound messages.
Additionally, you can select to Block, Ignore, or Quarantine attached archive files that require
a password to unpack.

• Message Content Filters – Enter filter patterns and select to Block, Allow, Quarantine, or
Encrypt for Subject, Headers, Body, Attachments, Sender, or Recipient. Note that Header
filters are applied to both the header name and content of any header, while the Subject
filters only scan the contents of the Subject header. Use regular expressions as well as the
following special characters: . [ ] \ * ? $ ( ) | ^ @
When using these special characters, you must escape each character with a backslash (“\”).

• Predefined Filters – Select predefined data leakage patterns (specific to the United
States) for Subject, Headers, Body, or Attachments. Select whether to Block, Quarantine,
or Encrypt outbound messages based on the filter. Add exemptions to predefined HIPAA
or Privacy content filters to prevent outbound emails that include phone number or street
address items from being blocked, quarantined, or encrypted.

• Image Analysis – Image analysis techniques protect against new image variants. Image
analysis is automatically configured in the Barracuda Email Security Service.

Abuse Monitoring and Notifications


Outbound email traffic is automatically monitored for Rate Control by the Barracuda Email Security
Service. If the volume of outbound mail messages from the service exceeds normal levels
during a 30 minute time frame, the Rate Control feature will take effect and outbound mail will be
deferred until the end of the 30 minute time frame. IP addresses of senders of outbound mail who
consistently trigger Rate Control are logged on the Outbound Settings > Abuse Monitor page in
the IP Addresses With Recent Abuse table.

An abuse notification email may be sent to the administrator of your Barracuda Email Security
Service for various reasons. These include but are not limited to:

• Sending mail to more recipients per 30 minute period than allowed by the Barracuda
Email Security Service.

• Sending out mail to more invalid recipients than allowed by the Barracuda
Email Security Service.

• Sending out mail that has been classified by the Barracuda Email Security Service as spam or
as containing a virus.

If your network sends out a large email blast, this may trigger an abuse notice from the Barracuda
Email Security Service. This notice informs you that you are sending out mail to more recipients
per 30 minute period than the Barracuda Email Security Service allows. This is not a block of your
mail, but rather delays the delivery of the messages. The mail will eventually go out, but at a much
slower rate over a longer period of time.

To prevent generation of an abuse notice, it is recommended that you spread out the delivery of
email blasts over a longer period of time or to smaller groups of recipients, and to make sure that
the addresses you are sending to are legitimate. The limits set by the Barracuda Email Security
Service on the number of recipients that can be sent mail per 30 minutes protect against an
outbound spam attack from a customer’s network.

• IP Addresses With Recent Abuse – The owner of an IP address that appears in this table on
the Outbound Settings > Abuse Monitor page for consistently exceeding Rate Controls may
use the Request Increased Limit button to request Barracuda Networks to allow a higher
volume of outbound mail so that Rate Control does not take effect.

• Suspended IP Addresses – IP addresses that send very high volumes of email, consistently
triggering Rate Controls, may be suspended from sending outbound mail through the
Barracuda Email Security Service. Contact Barracuda Networks Technical Support if your IP
address appears in this list.

Outbound Quarantine
Configure policies on the Outbound Settings pages to quarantine outgoing messages that meet
certain criteria. The administrator can view all quarantined outbound messages from senders
within the organization and select to delete, reject, deliver, or export those messages from
the Overview > Outbound Quarantine page.

Rejected Messages
When enabled by the administrator, the sender receives a non-delivery report
(NDR) indicating that their message will not be sent to the recipient.

When a message ends up in the outbound quarantine, the sender receives an NDR email
when Quarantine Sender Notification is enabled on the Outbound Settings > Notifications page.
The email template is configurable.

Configure Sender Quarantine Notification


Use the following steps to configure sender quarantine notifications:

1. On the Outbound Settings > Notifications page, in the Sender Quarantine
Notification section, select Yes to send a notification to the sender of a
quarantined outbound message.

2. Enter the Quarantine Notification Address.

3. Enter the subject of the NDR in the Quarantine Notification Subject field.

4. Configure the body of the NDR email using the Quarantine Notification Template.

5. Click Save Changes.

If the administrator rejects an email in the outbound quarantine, an NDR is sent to the email
sender. The email template is configurable.

Configure Rejected Message Sender Notification
Use the following steps to configure rejected message sender notifications:

1. On the Outbound Settings > Notifications page, enter the following details in the Notification
to Sender of Rejected Message section:

a. Reject Notification Address – Enter the NDR ‘from’ address that the sender receives.

b. Reject Notification Subject – Enter the NDR subject that the sender receives.

c. Reject Notification Template – Configure the body of the NDR.

2. Click Save Changes.

Outbound Rate Control


The Barracuda Email Security Service outbound rate limit is the number of messages an
individual user on the account can send out per day.  By default, the Barracuda Email Security
Service outbound rate limit is set to 150 recipients per 30 minutes per sender, or 7200 recipients
per day. If users are hitting this rate limit, then they are sending mail to more than 150 recipients
per 30 minute period.

Note that the rate limit is not a block of their mail, but a deferral. The mail server
retries this mail until it is all delivered. Per-user rate control only affects users
listed in the Users > Users List; users not listed on this page get the
per-domain rate limit, normally 250 per 30 minute period. Anyone sending
outbound mail through the Barracuda Email Security Service should be listed in
the Users > Users List page.

A sender may hit rate control limits due to your mail server configuration. For example, if a user
sends out a mass mailing to 1000 people, they will hit their rate control limit. Based on 150
recipients per 30 minute period, it will take at least 4 hours for all of the mail to be delivered. If
your mail server retries this deferred mail every few minutes this can cause the sender to remain
rate limited for a very long time. Barracuda recommends that you configure your mail server to
retry deferred connections every 30 minutes to avoid this issue.

If you have mail that must go out immediately, Barracuda recommends either:

• Bypassing the Barracuda Email Security Service and sending it directly to the Internet, or

• Using a mass mailing service designed for this purpose.

If you are using a mass mail program that does not retry deferred mail,
Barracuda recommends that you configure the system to deliver the mail
directly to the Internet or have it relay the mail through a fully functional mail
server that can correctly handle deferred mail.

Exceeding rate control limits displays in your outbound abuse report page. However, if there is
a problem with your account that results in your outbound IP address or a user email address
being blocked, Barracuda will contact you via email or phone to explain the problem
requiring attention.

1.2.3 Sender Authentication
Sender Authentication mechanisms enable the Barracuda Email Security Service to protect your
network and users from spammers who might “spoof” a domain or otherwise hide the identity of
the true sender. Sender authentication includes:

• How to Configure Sender Policy Framework

• Content Analysis - Outbound

Sender Policy Framework


SPF is an open standard specifying a method to prevent sender address forgery. The current
version of SPF protects the envelope sender address, which is used for message delivery. SPF
works by having domains publish reverse MX records to display which machines are designated
as mail sending machines for that domain. When receiving a message from a domain, the
recipient can check those records to verify mail is coming from a designated sending machine. If
the message fails the SPF check, it is assumed to be spam.

Select whether to enable SPF for checking inbound mail on the Inbound Settings
> Sender Authentication page. When enabled, messages that fail the SPF check are
blocked and logged as such.

If you have SPF checking enabled on your mail server or network, it is critical
when using the Barracuda Email Security Service that you either disable SPF
checking in the service or add the Barracuda Email Security Service IP ranges
64.235.144.0/20 and 209.222.80.0/21 to your SPF exemptions. Otherwise, your
SPF checker blocks mail from domains with an SPF record set to Block because
the mail is coming from a Barracuda Email Security Service IP address not in the
sender’s SPF record. For more information, see the Project Overview.

You can optionally enable Sender Rewriting Scheme (SRS) for a specific domain
from the Domains > Domain Manager > Domain Settings page. When enabled,
the IP address of the sending mail server is visible to the SPF verification
agent on the recipient’s end. The recipient’s SPF agent checks the reverse MX
records for your domain and verifies your IP address as an authorized sender to
ensure message delivery to the recipient.

Configure SPF for Inbound Mail


1. Log in to your Barracuda Cloud Control account, and click Email Security in the left pane.

2. Go to the Inbound Settings > Sender Authentication page, and select from the available
options in the Use Sender Policy Framework section:

a. Block FAIL – The SPF FAIL (also referred to as Hard FAIL) response indicates that the IP
address of the message sender does not match the IP address or range of IP addresses
specified in the sending domain name’s SPF record, and that the real owner of the domain
has specifically indicated that such messages should be rejected (blocked) as spoofed.

b. Block FAIL, SOFTFAIL – The SPF SOFTFAIL response indicates that the message sender’s
IP address does not match the IP address or range of IP addresses specified in the
sending domain name’s SPF record. A SOFTFAIL means that the domain owner did not
specify how such messages should be handled.

c. Off – When set to Off, the Barracuda Email Security Service does not query DNS for an
SPF record for the sending domain to verify whether the sender is the true owner of that
domain. If you are concerned about domain spoofing, enable one of the SPF options.

You can optionally enable Sender Rewriting Scheme (SRS) for a
specific domain on the Domains > Domain Settings page. When enabled,
the sending mail server IP address is visible to the SPF verification
agent on the recipient’s end. The recipient’s SPF agent checks the reverse MX
records for your domain and verifies your IP address as an authorized
sender to ensure message delivery to the recipient.

3. Click Save Changes.

You can exempt from SPF checks any mail relay servers and other machines that are set up
specifically to forward mail to the Barracuda Email Security Service from outside sources. Mail
from these IP addresses is still scanned for spam.

Exempt Trusted IP Addresses from SPF Checks


1. Log in to your Barracuda Cloud Control account, and click Email Security in the left pane.

2. Go to the Inbound Settings > Sender Authentication page, and in the Use Sender Policy
Framework section, enter the IP Address and Netmask and optional Comment.

3. Click Add in the Actions column, and click Save Changes.

To assure recipients that Barracuda Networks is the authorized sending mail service for
outbound mail from your Barracuda Email Security Service, add the following to the SPF record
INCLUDE line for each domain sending outbound mail, based on your Barracuda Email Security
Service instance. For example, type: include:spf.ess.barracudanetworks.com -all
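The SPF result handling described in this section, as an added example that is not part of the course material or Barracuda's own code: a simplified SPF evaluation (ip4, ip6, include and all only) mapped to the three Use Sender Policy Framework settings, plus the case of a downstream checker that sees mail arriving from the service's IP ranges. The zone data, sample addresses and function names are constructed assumptions; the two service ranges are the ones quoted above.

```python
import ipaddress

# Constructed DNS TXT data using documentation domains and addresses (not real records).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/25 ~all",
    "example.org": "v=spf1 ip4:203.0.113.10 ~all",
}

# Barracuda Email Security Service ranges quoted in the course text.
SERVICE_RANGES = ("64.235.144.0/20", "209.222.80.0/21")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Setting names come from the course text; the result sets follow its descriptions.
BLOCKED_RESULTS = {
    "Off": set(),
    "Block FAIL": {"fail"},
    "Block FAIL, SOFTFAIL": {"fail", "softfail"},
}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Simplified SPF evaluation: returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = zone.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, value, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only an inner pass counts as a match
        else:
            continue  # a, mx, ptr, exists and modifiers are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def inbound_action(ip, mail_from, setting, exempt_networks=()):
    """Return (action, reason) for one connection under the chosen SPF setting."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in exempt_networks):
        return ("allow", "exempt")  # exempted relays skip the SPF check
    if setting == "Off":
        return ("allow", "not checked")  # no DNS query is made
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_host(ip, domain)
    action = "block" if result in BLOCKED_RESULTS[setting] else "allow"
    return (action, result)


if __name__ == "__main__":
    # Constructed cases: (connecting IP, envelope sender, setting, exemptions).
    cases = [
        ("192.0.2.25", "alice@example.com", "Block FAIL", ()),
        ("203.0.113.99", "alice@example.com", "Block FAIL", ()),
        ("203.0.113.99", "bob@example.org", "Block FAIL", ()),
        ("203.0.113.99", "bob@example.org", "Block FAIL, SOFTFAIL", ()),
        # A mail server behind the service sees the service's address, not the sender's.
        ("64.235.144.10", "alice@example.com", "Block FAIL", ()),
        ("64.235.144.10", "alice@example.com", "Block FAIL", SERVICE_RANGES),
    ]
    for ip, sender, setting, exempt in cases:
        print(ip, sender, setting, inbound_action(ip, sender, setting, exempt))
```

The last two cases show why a downstream SPF checker needs the service ranges exempted: without them, mail for a domain publishing `-all` is rejected because it arrives from the relay's address.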

DomainKeys Identified Mail


The DKIM email authentication method allows a sending domain to cryptographically sign
outgoing messages. When a message is received from a domain, the Barracuda Email Security
Service verifies that the message is from the sending domain and that the message has
not been tampered with.

DKIM uses a public and private key-pair system. An encrypted public key is published to the
sending server’s DNS records, and each outgoing message is then signed by the server using
the corresponding private key. For incoming messages, when the Barracuda Email Security
Service sees that a message is signed, it retrieves the public key from the sending server’s DNS
records and uses that key to validate the message’s DKIM signature.

Specify DKIM policy settings on the Inbound Settings > Sender Authentication page:

• Block – Messages from a domain that fails DKIM verification are blocked.

• Quarantine – Messages from a domain that fails DKIM verification are quarantined.

• Off – When set to Off, the Barracuda Email Security Service does not run DKIM checks for
inbound messages. This is the default setting.

Additionally, you can select to exempt specific domains from DKIM verification.

Domain-Based Message Authentication, Reporting, and Conformance
DMARC is built on top of the email authentication mechanisms Sender Policy Framework (SPF)
and DomainKeys Identified Mail (DKIM); you must have both an SPF and a DKIM record published for
the domain to set DMARC policies.

Specify DMARC policy settings on the Inbound Settings > Sender Authentication page:

• Enable DMARC –

• When set to Yes, DMARC enables a sending domain to specify policy for messages
that fail DKIM or SPF.

• When set to No, the Barracuda Email Security Service does not run DMARC checks for
inbound messages and the SPF and DKIM policy settings are used to verify the IP address
range and sending domain.

Additionally, you can select to exempt specific domains from DMARC verification.

1.2.4 Email Continuity


Email Continuity allows end-users to send, receive, compose, and forward emails when
designated mail servers are unavailable. Note that Email Continuity is automatically disabled
after 96 hours. Messages in Email Continuity are viewable in the Message list for 30 days,
after which they expire.

Enable Email Continuity for all users on all domains on the account to comply with business
continuity regulations.

When Email Continuity and spooling are enabled, the Barracuda Email Security Service
continually checks designated mail server connections. When the service determines a mail
server is offline, spooling begins immediately and Email Continuity begins 10 minutes later. The
Barracuda Email Security Service then continues to check designated mail server availability
until the connection is restored. Once the service determines spooling has stopped and email
is flowing, Email Continuity remains active for up to an hour.

Figure 1. Designated Mail Servers are Available, Mail is Flowing.

Figure 2. Designated Mail Servers are Unavailable, Email Continuity is Enabled.

Note the following:

• The original mail headers and timestamp sent/received during an outage are synchronized to
the primary mail server to minimize end-user confusion.

• Messages for the primary and alias email addresses are delivered to the primary account.

• When replying to a message or forwarding a message from Email Continuity, the sender is the
primary email address.

• Outbound messages sent via Email Continuity are subject to the configured outbound policies.

• When Email Continuity is enabled, if the administrator logs in as a user, that user’s
message log is view-only.

• Messages cannot be deleted from the Email Continuity Service.

• You cannot access or send messages via quarantine notification email when Email
Continuity is in effect.

When Email Continuity is activated, users can continue to view their messages in the Message
Log. In addition to the standard message actions in the Message Log view, users can compose
a new message, and forward or reply to a message. Spooled messages display in the account
admin, domain admin, recipient, and sender Message Logs when Email Continuity is running.

Enable spooling for each domain where you want to enable Email Continuity, and then enable
Email Continuity on the Users > Email Continuity page.

1.3 Advanced Threat Protection Features
The Advanced Threat Protection (ATP) service analyzes inbound email attachments with most
MIME types and publicly accessible direct download links in a separate, secured cloud sandbox,
detecting new threats and determining whether to block such messages. ATP offers protection
against advanced malware, zero-day exploits, and targeted attacks not detected by the
Barracuda Email Security Service virus scanning features. Enable ATP on the ATP Settings page.

When ATP determines an attachment or publicly accessible direct download
link contains a threat and blocks the message, review the ATP Report
before determining whether to deliver the message. See Advanced Threat
Protection Reports and Understanding Advanced Threat Protection Reports
for more information.

1.3.1 Options
Configure policies on the Inbound Settings > Content Policies page, and specify how and when
attachments are scanned on the ATP Settings page.

Deliver First, then Scan


When selected, the ATP service attempts to scan the mail in real time. If the ATP scan completes
in real time and a virus is detected, the message is blocked and is not delivered. If the ATP
scan does not complete in real time, the message is delivered; if the ATP service determines
the attachment to be suspicious or virus-infected upon completion, the recipient is notified, and
if Notify Admin is set to Yes, an email alert is sent to the specified admin address.

Figure 1. Scan is Complete in Real Time, No Threat Detected.

Figure 2. Mail is Delivered Before Scan Complete; Threat Detected.

This option does not delay email processing; however, the email recipient can
potentially open an infected attachment.

Scan First, then Deliver


When selected, the ATP service scans new messages with attachments before delivery. If a
virus is detected in an attachment, or the attachment is a known threat, the message is blocked;
otherwise, the message is delivered to the recipient.

This option provides more security and prevents the email recipient from
opening infected attachments. These messages appear in the Message log
and Pending Scan displays in the Reason column. The mail server retries
until the scan is complete and no virus is detected in the attachment, at which
point the message is delivered. Note that messages with attachments may
be temporarily deferred while queued for scanning. If the message status is
deferred for more than four hours, the message is quarantined.

Figure 3. Attachment is Recognized as a Known Threat.

Figure 4. Attachment is Scanned and Determined to be Suspicious.

Figure 5. No Threat Detected in Attachment.

Advanced Threat Protection Disabled


When set to No, ATP is disabled.

1.3.2 Advanced Threat Protection Exemptions


When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt
sender email addresses, sender domains, recipient email addresses, recipient domains, or
sender IP addresses from ATP scanning in the ATP Exemptions section on the ATP Settings page.

Attachments from exempted entries are not sent to the ATP cloud. Note that
these exemptions apply to ATP scanning only and do not apply to Barracuda
Email Security Service virus scanning.

1.3.3 Administrator Notification


When Deliver First, then Scan is selected, select Yes for Notify Admin to notify the
administrator when a virus is detected by the ATP service in a scanned attachment. The email
notification includes the sender, recipient, attachment type, and detected virus. Enter the
admin email address in the ATP Notification Email field. Infected attachments are
listed in the ATP Log.

1.3.4 ATP Exemptions
When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt
sender email addresses, sender domains, recipient email addresses, recipient domains, or
sender IP addresses from ATP scanning. Attachments from exempted entries are not sent to the
ATP cloud. Note that these exemptions apply to ATP scanning only and do not apply to Barracuda
Email Security Service virus scanning.

1.3.5 Message Log


Messages blocked or deferred by the ATP service are listed in the Message Log with the
following codes listed in the Reason column:

• Advanced Threat Protection – Message is blocked by the ATP service due to an
infected attachment.

• Pending Scan (Scan First, then Deliver enabled) – Message is deferred while the attachment
is scanned. The mail server retries until the scan is complete. Once complete, if no virus is
detected, the message is delivered.

• ATP Service Unavailable – Message is deferred because the ATP service is temporarily
unavailable. The message is retried and, when the scan is complete and if no virus is
detected, the message is delivered.

1.3.6 View ATP Statistics


The Dashboard page displays statistics of scanned attachments determined to be
infected by the ATP service.

1.3.7 Deferred Delivery


If a message scanned by ATP is quarantined or blocked (for example, ATP determines the
message attachment is suspicious), the admin can select to deliver the message.

Determine Whether to Deliver Message


1. Log in to Barracuda Email Security Service as the administrator, and go
to Overview > Message Log.

2. Set message filters and search criteria as needed, and click Search.

3. Messages blocked by ATP display as Not Delivered.

4. Click on the message, and in the reading pane, click ATP Reports.

5. The Email Delivery Warning dialog box displays a list of attachments, one or more of which is
suspected of being Infected. If you want to deliver the email and the associated attachments,
first review the report for each attachment.

6. Click View Report for the suspicious attachment, and review the report details.

7. Repeat step 6 for each attachment.

8. Once you review all attachments, and if you determine you want to deliver the email and
the associated attachments, review and accept the disclaimer, and click Deliver in the Email
Delivery Warning dialog box. 

9. If the message is delivered successfully, the Delivery Status changes to Delivered. If the mail
cannot be delivered, this is reflected as a notice in your browser window and the Delivery
Status does not change.

1.4 Barracuda Cloud Archiving Service Features
The Barracuda Cloud Archiving Service is a Software as a Service (SaaS) solution hosted in the
Barracuda Cloud. The Barracuda Cloud Archiving Service integrates with Microsoft Office 365,
Exchange Server, and G Suite to create a cloud-based indexed archive. This approach ensures
email is stored securely in a separate repository for as long as needed without risk of deletion.

1.4.1 Exchange Integration


Configure actions that the Barracuda Cloud Archiving Service is to execute on Microsoft Office
365 Exchange Online or Exchange Server on the Mail Sources > Exchange Integration page in
the web interface. Define the following operations:

• Email Import – Import email into your Barracuda Cloud Archiving Service that meets the
specified criteria. See the following Barracuda Campus articles for configuration details:

• How to Configure an Office 365 Exchange Online Service Account and
Import Historical Data

• Microsoft Exchange Server 2013 and Newer Operations

• Microsoft Exchange Server 2007 and 2010 Operations

Importing is a one-time event and can only be scheduled for immediate
execution. An additional date parameter is required when importing
messages, where the date is defined to be either the date that the message
was created on Exchange, or the date that appears in the Date field in the
message, whichever produces more results.

This option imports all Exchange items along with the folder information. If
you want to update all folder information only and none of the contents, use
the Folder Sync option.

• Non-Email Sync – In addition to emails that are automatically sent to the Barracuda Cloud
Archiving Service for storage, you can configure non-email items such as Appointments,
Contacts, Notes, and Tasks for archive. This enables you to get a more complete picture of all
items that are or have been stored on your mail server or hosted mail service, and eliminates
the need to keep .pst files around solely for the purposes of retaining this information.

• Folder Sync – Import the complete folder structure of the selected Item Sources, including
custom folders and sub-folders. The nightly folder synchronization process scans the
specified mailboxes, and imports the user’s folder structure, including custom folders
and sub-folders, into the Barracuda Cloud Archiving Service. Note that a Folder Sync job
does not import emails to the Barracuda Cloud Archiving Service; it only imports the
folder structure. Email messages are sent to the Barracuda Cloud Archiving Service via
real-time journaling.

1.4.2 PST File Import
A .pst file is an MS Personal Storage Table, and contains email messages exported from
Microsoft Outlook. Some .pst files also contain additional Microsoft Outlook items such as
Appointments and Contacts. Password-protected .pst files are accepted as well as
non-password-protected files. To allow users to import their own PST files directly from the
Mail Sources > PST Import page, set Allow PST File Uploads to Yes.

1.4.3 Barracuda PST Enterprise


With Barracuda PST Enterprise, IT administrators can control email data stored by end-users
in individual PST files and those scattered across the organization, eliminating the risks
associated with PST files, as well as reducing ongoing costs and supporting IT requirements for
Compliance and eDiscovery.

1.4.4 Archive Skype for Business Conversations


An Office 365 Exchange Online service account provides Exchange Server directory permissions
to grant the Barracuda Cloud Archiving Service read access to all mailboxes. For configuration
details, see How to Archive Skype for Business Conversations in Barracuda Campus.

1.4.5 Retention Policies


Data retention policies allow you to specify message retention policies and Saved Search
retention policies on the Policy > Retention page. Retention policies are the only way to purge
messages; data cannot be directly deleted by a user. By default, automated archived message
purging on the Barracuda Cloud Archiving Service is disabled. If you enable this ability, the
Global Retention Policy and any Saved Search retention policies are run against all the archived
messages weekly on Friday night.

If the age of any message exceeds the maximum age allowed by all Saved
Search retention policies that apply to the message, that message is
permanently deleted from the Service. The Global Retention Policy setting does
not apply to any messages that match a Saved Search retention policy.

To enable or disable the automatic message expiration capability:

• On the Policy > Retention page, specify whether to Allow automatic message deletion.

Global Retention Policy


The Global Retention Policy applies to all archived messages. When retention policies are run
against the archived messages weekly on Friday night, any messages stored on the Barracuda
Cloud Archiving Service that are older than this age are deleted unless they match an existing
Saved Search policy.

Saved Search Retention Policy
A Saved Search retention policy enables you to automatically expire messages that match a
particular set of content criteria defined in the Basic > Search page. Use this feature to create
exceptions to the Global Retention Policy. Saved searches containing tags cannot be used in a
Saved Search retention policy and do not appear in the list of available Saved Searches.

If a message matches more than one Saved Search-based policy, then the message is kept
according to the longest policy length. If it matches a Saved Search-based policy as well as the
global policy, then the Saved Search policy takes precedence.

Litigation Holds
Litigation Holds are created by auditors to prevent messages that meet the criteria for a specific
Saved Search from being removed from the Barracuda Cloud Archiving Service. The system
administrator must first Enable Litigation Holds before auditors are given the option to create
Litigation Holds from the Saved Searches tab on the Basic > Search page.

The following information about active Litigation Holds displays here, visible only to the
system administrator:

• Auditor – The account name of the Auditor who created the Litigation Hold

• Saved Search – The name of the Saved Search associated with this Litigation Hold

• Hold End Date – The date and time when this Litigation Hold expires

To delete a litigation hold you must have system administrator rights; click the trash can icon
following the Litigation Hold you want to delete.
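The precedence rules described under Retention Policies and Litigation Holds, as an added example that is not part of the course material or Barracuda's own code. It assumes policy lengths are expressed in days, messages are plain dictionaries, and Saved Searches are modelled as predicate functions; all names and sample data are constructed.

```python
from datetime import datetime, timedelta


def effective_retention(msg, global_days, saved_search_policies):
    """Pick the retention length that governs msg.

    A message matching one or more Saved Search policies is kept for the
    longest of them; the Global Retention Policy applies only when no
    Saved Search policy matches.
    """
    matching = [p for p in saved_search_policies if p["match"](msg)]
    if matching:
        longest = max(matching, key=lambda p: p["days"])
        return longest["days"], "saved search: " + longest["name"]
    return global_days, "global"


def purge_decision(msg, now, allow_auto_delete, global_days,
                   saved_search_policies, litigation_holds=()):
    """Return (decision, reason) for one message at the weekly retention run."""
    if not allow_auto_delete:
        # Automated purging is disabled by default.
        return ("keep", "automatic deletion disabled")
    for hold in litigation_holds:
        # An unexpired hold protects every message matching its Saved Search.
        if now < hold["end"] and hold["match"](msg):
            return ("keep", "litigation hold: " + hold["name"])
    days, source = effective_retention(msg, global_days, saved_search_policies)
    if now - msg["date"] > timedelta(days=days):
        return ("purge", source)
    return ("keep", source)


# Constructed sample data.
NOW = datetime(2020, 1, 31, 23, 0)  # a Friday night
GLOBAL_DAYS = 365
POLICIES = [
    {"name": "finance", "days": 2555,
     "match": lambda m: "invoice" in m["subject"].lower()},
    {"name": "newsletters", "days": 30,
     "match": lambda m: m["sender"].endswith("@news.example.com")},
    {"name": "legal", "days": 3650,
     "match": lambda m: m["sender"].endswith("@legal.example.com")},
]
HOLDS = [
    {"name": "case-1", "end": datetime(2021, 1, 1),
     "match": lambda m: "merger" in m["subject"].lower()},
]


def sample_message(sender, subject, age_days):
    """Build a constructed message of the given age."""
    return {"sender": sender, "subject": subject,
            "date": NOW - timedelta(days=age_days)}


if __name__ == "__main__":
    samples = [
        sample_message("bob@example.com", "Lunch", 400),
        sample_message("list@news.example.com", "Weekly digest", 60),
        sample_message("counsel@legal.example.com", "Invoice 42", 3000),
        sample_message("bob@example.com", "Merger plan", 400),
    ]
    for m in samples:
        print(m["subject"], purge_decision(m, NOW, True, GLOBAL_DAYS, POLICIES, HOLDS))
```

The second sample shows the consequence of Saved Search precedence: a 60-day-old message is purged by a 30-day Saved Search policy even though the one-year global policy would have kept it.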

1.4.6 Audit Log Filtering


The Advanced > Audit Log page displays a list of all activities, including search-related activities
initiated by the system. In this view you can browse through the list, or perform a search to filter
on a subset of activities. You can filter by start/end dates, user name, and item type. Click on an
activity to display the activity details in the Details pane.

1.4.7 User Accounts


There are two types of accounts on the Barracuda Cloud Archiving Service:

• Local Accounts – These accounts reside only on the Barracuda Cloud Archiving Service and
are created from the Users > User Add/Update page in the administration interface.

• LDAP Accounts – These accounts reside in your LDAP directory. Once LDAP is configured
on the Barracuda Cloud Archiving Service, users can log in using their regular network
credentials to view and create flags for messages in their personal archive.

User Roles
Local accounts are created with one of the following roles:

• User – Able only to view messages accessible to the account, either because the username
for the account is also that of the sender or recipient of a message, or because it has been
given explicit access to view an email address via Alias Linking.

• Auditor – Able to create and activate policies, and view, search, and export any messages
to/from the domains to which they have access. Additionally, Auditors can save and name an
Advanced search for re-execution at a later time from the Saved Searches tab. To create a
“Domain Auditor” (an auditor with access to only a subset of the domains on your Barracuda
Cloud Archiving Service), set the role to Auditor and specify at least one domain. If no
domains are specified, then all messages in the entire Barracuda Cloud Archiving Service
are accessible. No auditor account has access to any system or network configuration
information on the Barracuda Cloud Archiving Service.

• Admin – Able to view all items from any user, not just those listed for the account. Also able
to create and activate policies, and can make other system or network changes.

The assigned role can be changed at a later date from the Users > Accounts page, but only the
last assigned role is active.

1.4.8 Search Options


Searches can only be made over messages that the searcher has read access to, so privacy
is always preserved.

• Basic Search – Use the Basic Search mode to perform a quick search across all messages.
The Basic Search interface accepts a word or phrase on which to search, and returns all
available messages that contain the specified text in either the header or message body. This
mode is useful when searching for that handful of emails to or from someone on a specific
topic, or when looking for any message that contains a particular phrase. These are one-time
searches as these cannot be saved for later use. All search terms for Basic Search must be in
one of the following formats: Text-based, Multi-Text, Wildcards, or Domain-based.

• Advanced Search – Use the Advanced Search mode to perform complex search
queries based on selected attributes. Use the following options to build and save
Advanced search queries:

• To add additional search parameters – Click the plus sign (+) to the left of a
search criteria line.

• To remove a search parameter – Click the minus sign (-) to the left of the search
parameter you want to remove.

• To AND or OR search parameters – Once you have more than one search criteria line,
the AND button that displays at the end of each search parameter signifies that it will be
logically ANDed to the next specified parameter. If your next criterion is to be logically
ORed, click AND to toggle it to OR, and vice versa.

• To save a search query – Click Save Search below the search criteria and enter the name
under which the query is to be saved; if you enter a name that already exists, the new
search parameters replace the previous search criteria.

• To run a previously-saved search – Click the Saved Searches tab, and click Search in
the Actions column following the Saved Search you want to run.

See Understanding Basic and Advanced Search in Barracuda Campus for message actions,
search tips, search strings, and keyword expressions.

1.4.9 End-User Search Tools
In addition to the Barracuda Cloud Archiving Service web interface, end-users can
search messages via:

• Barracuda Outlook Add-In – Allows users to perform various functions with messages that
are stored through your organization’s Barracuda Cloud Archiving Service, including:

• Synchronize your archived folders with Outlook;

• Search for archived messages and other Microsoft Outlook data such as Contacts;

• View and interact with (forward, reply to, etc.) all of your archived Outlook items; and

• Archive messages.

• Barracuda Standalone Search Utility – Download and install the utility on your Windows or
Mac OS X-based system to search archives without using Barracuda Archive Search Outlook
or logging in to the Barracuda Cloud Archiving web interface.

• Barracuda Cloud Archiving Service Mobile Applications – The Barracuda Companion
mobile application, available for Android and iOS, allows you to perform various
actions with your messages that are stored on your organization’s Barracuda Cloud
Archiving Service including:

• Search for archived messages based on email content, or constrain the search to a date
range, a specific sender or recipient, or subject line content;

• Search deleted messages and emails no longer visible in your mail application;

• View and interact with (reply to, reply all, forward) archived messages;

• Save a search query; and

• Redeliver messages to your mailbox using the Resend to Me option.

1.5 Barracuda Cloud-to-Cloud Backup Service Features
The Barracuda Cloud-to-Cloud Backup Service is available for Office 365 only.

Barracuda Cloud-to-Cloud Backup for Office 365 protects Exchange Online, OneDrive for
Business, and SharePoint Online data by backing it up directly to Barracuda Cloud Storage.
Barracuda Cloud-to-Cloud Backup for Office 365 can be used as an add-on to an on-premises
Barracuda Backup appliance or as a standalone subscription without an appliance. For Exchange
Online, Barracuda Cloud-to-Cloud Backup protects all email messages, including all attachments,
as well as the complete folder structure of each user’s mailbox. In OneDrive for Business, all files
under the Documents Library, including the entire folder structure, are protected. For SharePoint
Online, it protects files and folders in Document Libraries, Site Assets, Site Pages, Picture Libraries,
and Form Templates in Team Sites, Public Sites, Wiki Sites, and Publishing Sites.

For an overview of your backup activity and storage details, see the Status page
in the web interface. 

1.5.1 Backup Schedules


Use the Backup > Schedules page to create backup schedules for selection when setting up
your data sources. When Barracuda Backup identifies new or changed information, each file is
analyzed at the bit level, and only the new bit sequences in the files themselves are copied and
transferred, saving both bandwidth and storage space. Define granular schedules, and select
specific sets of data to back up. Configure multiple schedules for each source, each with different
sets of data selected.

1.5.2 Retention Policies


Use retention policies to define the length of time you retain historic data based on
daily, forever, or never.

Purging applies to historic file revisions only; your current data is never
impacted by a retention policy.

Configure retention policies for data stored in Barracuda Cloud Backup on the Backup >
Retention Policies page. Be sure to configure retention policies for your data. Not doing so
means that some unwanted data will be moved across the Internet and stored.

Historic data is retained according to the retention policy timeline. Data backed up using
Barracuda’s cloud treats Sunday as the end of week in accordance with the ISO date standard.

When you define a retention policy, begin by selecting either a preset template or a previously
defined policy as a starting point. This helps you avoid creating multiple retention policies for the
same sets of data. You can create one policy for all of the data sources on a Barracuda Backup
Server, or create different policies that include subsets of the data.

1.5.3 Restore Data
Use the Restore page to restore data from Barracuda Cloud Storage. You can restore single
files or entire systems.

1.5.4 Reports
Use the Reports page to view backup and restore details as well as an audit log of all activities in
the Barracuda Cloud Backup web interface:

• Backup Reports – Barracuda Backup provides a detailed report for each backup that is run.
In addition, any backup process currently running displays. Backup reports include details
about the backup such as when the backup started, duration, size, if there were any errors
or warnings, and any new, changed, or removed items. Reports also include links to each
backed up file to view or download the item from the report. Click Details to view recent
activity in chart form. You can also view a list of backed up files including the number of
new, changed, and removed files, as well as a list of any errors encountered during backup.
Click Download the report as a .csv file to your local system.

• Restore Reports – You can view restoration details in the Reports > Restore page. To specify
how you want to sort the table, click on a heading, and then click on the up/down arrows to
the right of each heading to specify either an ascending or descending sort. Click Details to
view all details for the selected restoration including any encountered errors.

• Audit Log Reports – The Reports > Audit Log page displays a report of all activities in
the Barracuda Cloud Backup web interface by time and date, by user, and by action.
Logged activity includes log on authentication, changes to settings, changes to account
information, and more. Click Details for additional information for a specific activity.

1.5.5 Users
Use the Admin > Users page to administer users that have access to the Barracuda Cloud
Backup web interface.

Edit user details from this page by selecting a user and clicking Edit to the right of the user. You
can edit the following user options, all of which are specific to this service:

• Receive emails with Backup reports and error condition alerts.

• Restrict access to the Barracuda Cloud Backup web interface to one or more IP addresses.
Enter an IP block in single 192.168.1.100 notation, CIDR net block 192.168.1.0/24 notation, or a
range in 192.168.0.0-192.168.0.128 notation to restrict the IP address for the selected user. Use
a comma to separate multiple IP blocks.

• Designate the user’s role: 

• An Account Administrator can create new users and manage billing information, and has
full access to Barracuda Cloud Backup and all appliances associated with the account.

• A Barracuda Backup Server Administrator has full access to specific Barracuda Cloud
Backup and all appliances associated with the account including data restore. A Barracuda
Backup Server Administrator cannot edit or view other user accounts.

• An Operator cannot restore data or edit user accounts; operators are limited to viewing
statistics and modifying backup configuration.

• Helpdesk user access is limited to viewing role status, statistics, and the restore browser
and restore reports. User can restore data and stop running restores.

• Status user access is limited to viewing the Status page for Barracuda Backup appliances
to which they have access.

Click Add & Remove Users to add a new user, edit details for an existing user, or delete a user.
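
The three IP block notations accepted by the per-user access restriction can be checked before they are entered. The following is an added example, not Barracuda code: it parses a comma-separated restriction, tests whether a client address falls inside it, and flags entries that are broader than intended. IPv4-only input, the function names and the 1024-address review limit are assumptions.

```python
import ipaddress


def parse_ip_block(entry):
    """Return the (first, last) IPv4 addresses covered by one IP block."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty IP block (stray comma?)")
    if "-" in entry:
        # Range notation, e.g. 192.168.0.0-192.168.0.128
        first_text, last_text = entry.split("-", 1)
        first = ipaddress.IPv4Address(first_text.strip())
        last = ipaddress.IPv4Address(last_text.strip())
        if first > last:
            raise ValueError(f"range start is above range end: {entry}")
        return first, last
    if "/" in entry:
        # CIDR notation. strict=True rejects entries with host bits set,
        # such as 192.168.1.5/24, which are usually typing mistakes.
        net = ipaddress.IPv4Network(entry, strict=True)
        return net.network_address, net.broadcast_address
    # Single address notation, e.g. 192.168.1.100
    addr = ipaddress.IPv4Address(entry)
    return addr, addr


def parse_restriction(value):
    """Parse a comma-separated list of IP blocks into (first, last) pairs."""
    return [parse_ip_block(entry) for entry in value.split(",")]


def is_allowed(client_ip, blocks):
    """True when client_ip lies inside at least one parsed block."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(first <= ip <= last for first, last in blocks)


def overly_broad(blocks, max_addresses=1024):
    """List blocks covering more addresses than the review limit (assumed)."""
    return [
        (str(first), str(last))
        for first, last in blocks
        if int(last) - int(first) + 1 > max_addresses
    ]


# Constructed sample built from the three notations shown in the text.
SAMPLE = "192.168.1.100, 192.168.1.0/24, 192.168.0.0-192.168.0.128"

if __name__ == "__main__":
    blocks = parse_restriction(SAMPLE)
    for candidate in ("192.168.0.128", "192.168.0.129", "10.0.0.1"):
        print(candidate, "allowed" if is_allowed(candidate, blocks) else "blocked")
    print("review:", overly_broad(parse_restriction("0.0.0.0/0")))
```
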

1.5.6 Email Notifications


Specify the type of email notification for each user:

• Backup Summary Reports – When selected, an email notification containing a summary of
each backup job is sent

• Backup Detailed Reports – When selected, an email notification containing a list of all
items backed up is sent

• Alerts – When selected, an email notification is sent if a backup job has errors

• Notices – When selected, if the account includes physical appliances, a notice is sent when
the Barracuda Backup software is updated

Administration

2.1 Initial Deployment
2.1.1 Determine Your Deployment
2.1.2 Deploy Barracuda Essentials for Office 365
2.1.3 Configure via PowerShell

2.1 Initial Deployment
• Office 365

• G Suite

• Exchange 2007/2010

• Exchange 2013 and Higher

To complete the configuration wizard, you must have the following:

• Office 365 admin credentials

• Credentials to run a PowerShell script or terminal to manually execute PowerShell scripts

• PowerShell system requirements

Office 365 Admin Credentials


If you are deploying to Office 365, verify you have admin credentials. An Office 365 administrator
with the admin role global admin has complete access and control over the Office 365 suite
of products. You can assign admin roles to an individual user or group of users. For more
information, see the Microsoft Office support article Assign admin roles in Office 365.

PowerShell Requirements
The Essentials Wizard utilizes PowerShell scripts to quickly configure and set up your services.
Before getting started, verify you have the following:

• Windows 8 or 8.1

• Windows Server 2012 or Windows Server 2012 R2

• Windows 7 Service Pack 1 (SP1)

• Windows Server 2008 R2 SP1

• Microsoft .NET Framework 4.5 or 4.5.1 and either the Windows Management Framework 3.0
or the Windows Management Framework 4.0 available from the Microsoft downloads page

• Verify the service account has a mailbox, and is not hidden in the Global Address
List

• PowerShell credentials

2.1.1 Determine Your Deployment


• Complete Edition

• Compliance Edition

• Security Edition

• Standalone Email Security

In the examples that follow, we will deploy the Barracuda Essentials Complete
Edition for Office 365.

2.1.2 Deploy Barracuda Essentials for Office 365

1. Go to https://login.barracudanetworks.com, and log in with your Barracuda Cloud
Control credentials.

2. Open a new browser window, and go to https://www.barracuda.com.

3. Go to Products > Essentials for Office 365. Click Editions, and click Free Trial under the plan
you want to try or buy.

4. In the Plan Details page, enter the Number of users, and select the Subscription
Type. Click Continue.

5. The Barracuda Account page displays your Barracuda Cloud Control account
information. Click Continue.

6. In the Billing Details (Optional) page, enter your billing information to purchase Essentials for
Office 365 or leave the Billing Information section blank to start your free evaluation.

7. Click Continue.

8. Your order details display. Click Set Up Essentials to launch the Essentials wizard.

Run the Essentials Wizard


1. When the Essentials wizard launches, the Getting Started page displays. Click Continue.

2. The Link Office 365 Account page displays. Click Authorize; the Office 365
login screen displays.

3. Enter your Office 365 admin credentials, and click Sign in. In the Office 365 permissions
page, click Accept to connect Essentials to your Office 365 account.

4. The Route Outbound Email page displays. Use this page to create outbound email
connectors for domains on your Office 365 account. By default, Route outbound email
for all domains through Barracuda Essentials is selected and a list of all domains that
will be configured displays. Click Continue; the wizard verifies your domains and
replaces your current MX records with the Barracuda Email Security Service Primary
and Backup MX records.

5. Click Continue. The Configure Office 365 page displays. Use this page to configure and
set up your services. Select Allow Barracuda to configure connectors and permissions
(recommended) to automatically configure permissions via PowerShell.

6. When prompted, log in using your Office 365 admin credentials, and click OK. Once
configuration is complete and your Office 365 account authorizes the connection, the
Configuration Summary displays. Click OK.

This completes the initial configuration. You can now configure the services included in
the selected edition.

Configure Permissions
On the Configure Office 365 page in the Essentials Wizard, you can select to automatically
configure permissions, download and run the PowerShell scripts, or manually configure
permissions without using the PowerShell scripts.

2.1.3 Configure via PowerShell


If you select to automatically configure permissions, no further action is required. Once
the PowerShell script runs, the following settings are added to the Barracuda Essentials
for Office 365 account:

• Outbound Email routing is set up through Barracuda Email Security Service

• Email Journaling is set up through Barracuda Cloud Archiving Service (if you selected Email
Security and Compliance or Complete Protection and Compliance)

• User impersonation for Exchange Online and all OneDrive for Business sites is configured

Following are the steps to download and run the PowerShell scripts, and manually
configure permissions.

Download and Run the Windows PowerShell Script

Before running the PowerShell script, verify the wizard has
completed successfully.

Download Microsoft Tools


1. Download and install the SharePoint Online Management Shell from the Microsoft
Windows Download Center

2. Download and install the Microsoft Online Services Sign-In Assistant from the Microsoft
Windows Download Center

Run the PowerShell Script


1. Log in to the Windows Server, and open Windows PowerShell.

2. Run the PowerShell script:

• Click Download PowerShell Script to download the script to your local system, or

• Click View PowerShell Script to display and copy the script

3. When prompted, enter the Office 365 global admin credentials used on the Link Office
365 page in the Wizard.

4. If the wizard is unable to connect to your Office 365 account, click Retry connection.

5. Once authorized, click Finish.

If you encounter errors when running the PowerShell script, contact
Barracuda Networks Technical Support.

Manually Configure Permissions


If you select to manually configure permissions, you must configure:

• Outbound Email routing through Barracuda Email Security Service

• Email Journaling through Barracuda Cloud Archiving Service

• User impersonation for Exchange Online and all OneDrive for Business sites

Barracuda Email Security Service

3.1 Introduction to Barracuda Email Security Service
3.1.1 Connection Management Layers
3.1.2 Mail Scanning Layers
3.1.3 Barracuda Antivirus Supercomputing Grid
3.1.4 Advanced Spam Detection
3.1.5 Predictive Sender Profiling
3.1.6 Monitored Outbound Email Volume
3.1.7 Encryption
3.2 Barracuda Email Security Service Deployment
3.3 Inbound Filtering Policy
3.3.1 IP Analysis
3.3.2 Content Analysis
3.3.3 Bulk Email Detection
3.3.4 Rate Control
3.4 Outbound Filtering Policy
3.4.1 DLP and Outbound Mail Encryption
3.4.2 Content Analysis
3.4.3 Abuse Monitoring and Notifications
3.4.4 Outbound Quarantine
3.4.5 Outbound Rate Control
3.5 Advanced Configuration
3.5.1 Secured Message Transmission
3.5.2 Sender Authentication
3.5.3 Directory Services
3.6 Administration
3.6.1 User Accounts
3.6.2 User Authentication
3.6.3 Reports, Logs, and Notifications
3.6.4 Quarantine
3.7 Outbound Spam Protection
3.8 Advanced Threat Protection
3.8.1 Advanced Threat Protection Options
3.8.2 Advanced Threat Protection Exemptions
3.8.3 Administrator Notification
3.8.4 ATP Exemptions
3.8.5 Message Log
3.8.6 View ATP Statistics
3.8.7 Deferred Delivery
3.9 Email Continuity
3.9.1 Notifications and Status
3.9.2 Actions

3.1 Introduction to Barracuda Email Security Service
The Barracuda Email Security Service protects both inbound and outbound email against
the latest spam, viruses, worms, phishing, denial of service attacks, and zero-day threats.
The Barracuda Email Security Service acts as a filter in front of your hosted email service or
servers. Spam and viruses are blocked in the cloud prior to delivery to your network, saving
network bandwidth and providing additional Denial of Service protection. The Barracuda Email
Security Service is flexible, allowing in-depth configuration and customization.

The Barracuda Email Security Service is a pass-through service, accepting connections from
a mail server, getting the initial “rcpt to” line and connecting to the destination mail server. The
service then monitors the data stream for any spam or virus content and applies policies you
configure in the web interface.

3.1.1 Connection Management Layers


Connection Management layers identify and block unwanted email messages before accepting
the message body for further processing. Connection filtering allows you to block/whitelist:

• Sender IP addresses

• Sender email addresses / domains

• Email messages written in specific languages

• Email messages sent from specific countries / regions

Denial of Service Protection (DoS)


The Barracuda Email Security Service receives inbound email on behalf of the organization,
insulating your organization’s mail server from receiving direct Internet connections and
associated threats. This layer does not apply to outbound mail.

Rate Control
Automated spam software can be used to send large amounts of email to a single mail server.
To protect the email infrastructure from these flood-based attacks, the Barracuda Email Security
Service counts the number of recipients from a sender to a domain during a 30 minute interval
and defers the connections once a particular threshold is exceeded. Inbound Rate Control is a
threshold for the number of recipients a domain is willing to receive from a sender (a single IP
address) during a 30 minute interval. Inbound Rate Control is configurable while Outbound Rate
Control is set automatically by the Barracuda Email Security Service.

IP Analysis
After applying rate controls based on IP address, the Barracuda Email Security Service performs
analysis on the IP address of email based on Barracuda Reputation, external blocklists, and
allowed and blocked IP address lists.

Sender Authentication
Declaring an invalid “from” address is a common practice used by spammers. The Barracuda
Email Security Service Sender Authentication layer uses a number of techniques on inbound mail
to both validate the sender of an email message and apply policy. Sender Policy Framework (SPF)
tracks sender authentication by having domains publish reverse MX records to display which
machines are designated as mail sending machines for that domain. The recipient can check
those records to make sure mail is coming from a designated sending machine.
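
The recipient-side check described above, as an added example that is not part of the handbook and not Barracuda's implementation. SPF policies are published in DNS TXT records; here the ZONE dictionary stands in for DNS, all domains and addresses are constructed, and only the ip4, ip6, include and all terms are handled.

```python
import ipaddress

# Constructed TXT records standing in for live DNS answers.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.filter.example -all",
    "_spf.filter.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

# Qualifier in front of a mechanism -> result when that mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# RFC 7208 caps the number of DNS-querying terms per evaluation at 10.
MAX_LOOKUPS = 10


def check_host(ip, domain, zone, budget=None):
    """Evaluate the SPF record of `domain` for a connecting address `ip`."""
    if budget is None:
        budget = [MAX_LOOKUPS]  # shared, mutable counter across includes
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULT[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # lookup limit exceeded, e.g. a loop
            inner = check_host(ip, arg, zone, budget)
            if inner == "pass":
                return RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include breaks the policy
            # fail, softfail and neutral inside an include mean "no match"
        else:
            raise ValueError(f"term not covered by this example: {term}")
    return "neutral"  # no mechanism matched and there was no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "198.51.100.200", "2001:db8::1"):
        print(ip, check_host(ip, "example.com", ZONE))
```
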

3.1.2 Mail Scanning Layers


The most basic level of mail scanning is virus scanning. The Barracuda Email Security
Service utilizes three layers of virus scanning and automatically decompresses archives for
comprehensive protection. By utilizing virus definitions, Barracuda Email Security Service
customers receive the best and most comprehensive virus and malware protection available. The
three layers of virus scanning of inbound and outbound mail include:

• Powerful open source virus definitions from the open source community help monitor and
block the latest virus threats.

• Proprietary virus definitions, gathered and maintained by Barracuda Central, our advanced
24/7 security operations center that works to continuously monitor and block the
latest Internet threats.

• Barracuda Real-Time System (BRTS). This feature provides fingerprint analysis, virus
protection and intent analysis. When enabled, any new virus or spam outbreak can be
stopped in real-time for industry-leading response times to email-borne threats. BRTS allows
customers to report virus and spam propagation activity at an early stage to Barracuda
Central. Virus Scanning takes precedence over all other mail scanning techniques and
is applied even when mail passes through the Connection Management layers. As such,
even email coming from exempt IP addresses, sender domains, sender email addresses, or
recipients are still scanned for viruses and quarantined if a virus is detected.

Additionally, Barracuda offers the subscription-based Advanced Threat Protection (ATP) service,
a cloud-based virus service that applies to inbound messages. ATP analyzes email attachments
in a separate secured cloud environment to detect new threats and determine whether to
block such messages.

3.1.3 Barracuda Antivirus Supercomputing Grid


An additional, patent-pending layer of virus protection offered by the Barracuda Email Security
Service is the Barracuda Antivirus Supercomputing Grid, which can protect your network from
polymorphic viruses. Not only does it detect new outbreaks similar to known viruses, it also
identifies new threats for which signatures have never existed using “premonition” technology.

Intent Analysis
All spam messages have an “intent” – to get a user to reply to an email, to visit a website, or to
call a phone number. Intent analysis involves researching email addresses, web links and phone
numbers embedded in email messages to determine whether they are associated with legitimate
entities. Frequently, Intent Analysis is the defense layer that catches phishing attacks. When
enabled, the Barracuda Email Security Service applies various forms of Intent Analysis to both
inbound and outbound mail, including real-time and multi-level intent (or ‘content’) analysis.
Multi-level intent is the process of identifying URLs in an email message body that redirect to
known spam or malware sites.

3.1.4 Advanced Spam Detection


You can configure spam detection for custom categories by setting a content type score.
This score ranges from 0 (definitely not spam) to 10 (definitely spam). Based on this score, the
Barracuda Email Security Service blocks messages that appear to be spam. These messages
display in the user’s Message Log with the category responsible for the block.

3.1.5 Predictive Sender Profiling


When spammers try to hide their identities, the Barracuda Email Security Service can use
Predictive Sender Profiling to identify behavior of all senders and reject connections and/or
messages from spammers. This involves looking beyond the reputation of the apparent sender of
a message, just like a bank needs to look beyond the reputation of a valid credit card holder of a
card that is lost or stolen and used for fraud. Some examples of spammer behavior that attempts
to hide behind a valid domain, and the Barracuda Email Security Service features that address
them, include the following:

• Sending too many emails from a single network address – Automated spam software can
be used to send large amounts of email from a single mail server. Through Rate Control the
Barracuda Email Security Service limits the number of connections made from any IP address
within a 30 minute time period. Violations are logged to identify spammers. Inbound Rate
Control is configurable while Outbound rate control is set automatically by the Barracuda
Email Security Service.

• Attempting to send to too many invalid recipients – Many spammers attack email
infrastructures by harvesting email addresses. Recipient Verification on the Barracuda Email
Security Service allows the system to automatically reject SMTP connection attempts from
email senders that attempt to send to too many invalid recipients, a behavior indicative of
directory harvest or dictionary attacks.

• Registering new domains for spam campaigns – Because registering new domain names is
fast and inexpensive, many spammers switch domain names used in a campaign and send
blast emails on the first day of domain registration. Realtime Intent Analysis on the Barracuda
Email Security Service is typically used for new domain names and involves performing DNS
lookups and comparing DNS configuration of new domains against the DNS configurations of
known spammer domains.

• Using free Internet services to redirect to known spam domains – Use of free websites to
redirect to known spammer websites is a growing practice used by spammers to hide or
obfuscate their identity from mail scanning techniques such as Intent Analysis. With Multi-
level Intent Analysis, the Barracuda Email Security Service inspects the results of web queries
to URIs of well-known free websites for redirections to known spammer sites.

Notifications
The Barracuda Email Security Service sends out two kinds of notifications:

• Quarantine Digest – For email recipients listed in the Barracuda Email Security Service
database, a notification email containing a summary of quarantined email is sent to their
email address at an interval you specify for users.

• Attachment Blocking for Content – A notification is sent to the message sender when it is
blocked due to attachment content filtering.

3.1.6 Monitored Outbound Email Volume


The Barracuda Email Security Service monitors the volume of outbound email from the system
to the Internet. If the volume exceeds normal thresholds during any given 30 minute interval, the
Rate Control function takes effect, causing all outbound mail to be deferred until the end of the
30 minute time frame. The outbound mail flow then continues unless the volume is exceeded
again in the next 30 minute interval. If so, Rate Control is again triggered and outbound mail is
deferred until the end of the time frame. The allowable volume of outbound mail for an IP address
can potentially be increased if the user clicks Request Increased Limit on the Outbound Settings
> Abuse Monitor page. The request is reviewed by Barracuda Networks to determine whether to
increase the limit on the rate of outbound mail. If this situation occurs frequently for a particular
sending IP address, that IP address is listed in the Outbound Settings > Abuse Monitor page in
the IP Addresses With Recent Abuse table.
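
The 30 minute deferral window described here, and under Rate Control in section 3.1.1, as an added example that is not Barracuda's implementation. The threshold value, the clock-aligned windows, the key format and the sample events are assumptions constructed for illustration.

```python
from collections import namedtuple

WINDOW_SECONDS = 30 * 60  # the 30 minute interval from the text

Decision = namedtuple("Decision", "action retry_after count")


class RateControl:
    """Count units (recipients or messages) per key in fixed 30 minute windows."""

    def __init__(self, threshold):
        self.threshold = threshold
        self._state = {}  # key -> (window index, units counted in that window)

    def check(self, key, units, now):
        """Record `units` for `key` at epoch second `now` and decide."""
        window = int(now) // WINDOW_SECONDS
        seen_window, count = self._state.get(key, (window, 0))
        if seen_window != window:
            count = 0  # a new interval starts with a clean counter
        count += units
        self._state[key] = (window, count)
        if count > self.threshold:
            # Defer until the end of the current interval. In SMTP terms a
            # deferral is a temporary failure, so a legitimate sender retries.
            retry_after = (window + 1) * WINDOW_SECONDS - int(now)
            return Decision("defer", retry_after, count)
        return Decision("accept", 0, count)

    def purge(self, now):
        """Drop counters from past windows so state cannot grow without bound."""
        window = int(now) // WINDOW_SECONDS
        self._state = {k: v for k, v in self._state.items() if v[0] == window}
        return len(self._state)


def replay(events, threshold):
    """Run (timestamp, sender_ip, domain, recipients) events through the limiter."""
    control = RateControl(threshold)
    decisions, violations = [], {}
    for timestamp, sender_ip, domain, recipients in events:
        key = (sender_ip, domain)  # inbound: one sender IP to one domain
        decision = control.check(key, recipients, timestamp)
        decisions.append(decision)
        if decision.action == "defer":
            violations[key] = violations.get(key, 0) + 1
    return decisions, violations


# Constructed events: (seconds since start, sender IP, domain, recipients).
EVENTS = [
    (0, "203.0.113.9", "example.com", 3),
    (60, "203.0.113.9", "example.com", 2),
    (120, "203.0.113.9", "example.com", 1),
    (600, "198.51.100.4", "example.com", 1),
    (1799, "203.0.113.9", "example.com", 1),
    (1800, "203.0.113.9", "example.com", 1),
]

if __name__ == "__main__":
    decisions, violations = replay(EVENTS, threshold=5)
    for event, decision in zip(EVENTS, decisions):
        print(event, decision.action, decision.retry_after)
    print("violations:", violations)
```
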

3.1.7 Encryption
To prevent data leakage and ensure compliance with financial, health care and other federally-
regulated agency information policies, the Barracuda Email Security Service provides several
types of encryption for inbound and outbound message traffic.

Encrypted Channel
TLS provides secure transmission of email content, both inbound and outbound, over an
encrypted channel using the Secure Sockets Layer (SSL) - also known as TLS.

To require mail to be sent outbound from the Barracuda Email Security Service over a
TLS connection, enable Force TLS for each domain on the Outbound Settings > DLP/
Encryption page. Mail sent to these domains must be transmitted across a TLS connection. If a
TLS connection cannot be established, mail will not be delivered.

To require mail coming inbound to the Barracuda Email Security Service to use a TLS connection,
set SMTP Over TLS to Required on the Domains > Settings page for each domain. When set
to Required, if TLS is available on your organization’s mail server, inbound mail is sent over a TLS
channel. If not, mail is sent in cleartext.

Outbound Mail Encryption


For guaranteed message encryption and ensured outbound message delivery, use the Barracuda
Message Center to encrypt the contents of certain outbound messages. Create policies for when
to encrypt outbound messages on the Outbound Settings > Content Policies page for a domain.

3.2 Barracuda Email Security Service Deployment
Once you complete the Essentials setup wizard, the Essentials page displays in Barracuda Cloud
Control where you can complete the configuration of your services. This section uses an Office
365 deployment example. For step-by-step setup details for Exchange Server and G Suite, refer
to Barracuda Campus.

Step 1. Add Users


You can add users manually or use LDAP or Azure AD authentication to automatically synchronize
the Barracuda Email Security Service with your active directory.

Use the following steps to manually add users.

Manually Add Users


1. Log in to https://login.barracudanetworks.com/ using your account credentials, and
click Email Security in the left pane.

2. Go to the Users > Add/Update Users page.

3. In the User Accounts field, enter each user email address for the domain on a separate line,
and then select from the following options:

a. Enable User Quarantine – All emails for the user which meet the configured block policy
go to the user’s quarantine account.

Depending on how you have configured the quarantine notification
interval on the Users > Quarantine Notification page, the user receives
a quarantine digest at a specified time. From the Users > Quarantine
Notification page you can also enable the user to set their own
quarantine notification interval.

b. Notify New Users – When set to Yes, users receive a welcome email once
the account is created.

4. Click Save Changes. The users are added to the Users > Users List table where you can
select from the following actions:

a. Edit – Click to specify domains this user can manage.

b. Reset – Click to send the user an email with instructions on how to reset
their account password.

c. Log in as this user – Click to view or change the user’s settings (for example, quarantine
notifications), view/manage the domains this user manages, and view/search/manage
the user’s Message Log.

d. Delete – Click to remove the user account.

Add Users via LDAP
You can synchronize the Barracuda Email Security Service with your existing LDAP server to
automatically create accounts for all users in the domain.

To ensure that the service can connect with your network, allow
traffic originating from the range of network addresses based on your
Barracuda Email Security Service instance; see Barracuda Email Security
Service IP Ranges for a list of ranges based on your Barracuda Email
Security Service instance.

Use the following steps to add users via LDAP.

Set Up LDAP
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and
click Email Security in the left pane.

2. Go to the Domains page, and click Edit in the Settings column to the right of the domain.

3. In the Domains > Domain Settings page, scroll to the Directory Services section,
select LDAP, and click Save Changes at the top of the page.

4. In the LDAP Configuration section, configure the variables for your LDAP server.

5. In the Test LDAP Configuration Settings section, enter a valid email address in the
Testing Email Address field to test your LDAP settings; if left blank, LDAP settings are only
tested for connection.

6. Click Test Settings.

7. Optionally, expand the Advanced LDAP Configuration section, and set the user filter options.

8. In the Directory Options section, specify the following options:

a. Synchronize Automatically – Set to Yes if you are using LDAP and want the Barracuda
Email Security Service to automatically synchronize your LDAP users to its database on a
regular basis for recipient verification. With Microsoft Exchange server, the synchronization
is incremental. Select No if you want to synchronize manually in case your LDAP server is
not always available. To synchronize manually, click Synchronize Now.

b. Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication.
You can disable this setting if your LDAP server is unavailable for a period of time.

c. Authentication Filter – Filter used to look up an email address and determine if it is valid
for this domain. The filter consists of a series of attributes that might contain the email
address. If the email address is found in any of those attributes, then the account is valid
and is allowed by the Barracuda Email Security Service.

Add Users via Azure AD


Configure recipient verification with Azure Active Directory (AD) to allow end-users to sign in to
the Barracuda Email Security Service using their Azure AD credentials, and optionally, configure
Single Sign-On (SSO) for a domain so that authenticated users can access all or a subset of
the restricted resources by authenticating just once using their Azure AD credentials. SSO
is a mechanism where a single set of user credentials is used for authentication and
authorization to access multiple applications across different web servers and platforms, without
having to re-authenticate.

Complete the following steps for each domain you want to synchronize with Azure AD.

Azure AD Setup
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and
click Email Security.

2. Click Domains, and click Edit in the Settings column for the domain.

3. In the Domains > Domain Settings page, scroll to Directory Services, select Azure AD,
and click Save Changes.

4. Scroll down to the Status section, and click Authorize; the Authorize Azure AD dialog box
displays. Click Continue. When prompted, log in to your Microsoft Office 365 account using
your administrator credentials.

5. In the Authorization page, click Accept to authorize the Barracuda Email Security Service to
connect to your Azure AD directory.

6. In the Barracuda Email Security Service Domain Settings page, the Status field displays
as Active; the Authorized Account and Authorization Date display below the status.

7. Click Sync Now to add your Azure AD users to the Barracuda Email Security Service. The
synchronization progress displays; allow the process to complete.

8. In the Synchronization Options section, select Synchronize Automatically. When selected,
the Barracuda Email Security Service automatically synchronizes with your Azure AD
directory every 15 minutes and adds/updates your users.

If you select Manual, you must click Sync Now to synchronize the
Barracuda Email Security Service with your Azure AD directory
and add/update users.

9. To use SSO, click Yes for Enable Single Sign On. Once enabled, users are prompted to log
in to their Microsoft Office 365 account when accessing their messages in the Barracuda
Email Security Service.

10. Click Save at the top of the page to save your settings and return to the Domains page.

Step 2. Add Additional Email Domains (Optional)
Optionally, you can manually add additional email domains. You must first obtain the
hostname from the Office 365 admin center, and then enter the hostname in the Barracuda
Email Security Service.

Use the following steps to add an additional email domain.

Obtain the Hostname


1. Log in to the Office 365 admin center.

2. In the left pane, click Settings > Domains.

3. In the Domains table, click on your domain.

4. Take note of the hostname. This is the address of your destination mail server, for example, 
cudaware-com.mail.protection.outlook.com

Enter the Hostname

Barracuda recommends using a hostname rather than an IP address so that you
can move the destination mail server and update DNS records without making
changes to the Barracuda Email Security Service configuration. This address
indicates where the Barracuda Email Security Service should direct inbound
mail from the Internet to your Office 365 Exchange server. For example, your
domain displays to the Internet as: bess-domain.mail.protection.outlook.com

1. Log in to https://login.barracudanetworks.com/ using your account credentials, and
click Email Security in the left pane.

2. Click Domains, and click Add Domain.

3. Enter the domain name and destination mail server hostname obtained from your Office 365
account in the dialog box.

4. Click Add; the Domain Settings page displays where you can complete your configuration.

Step 3. Create Transport Rule
Use the following steps to create a transport rule.

Create Transport Rule


1. Log in to the Office 365 admin center, and go to Admin centers > Exchange.

2. In the left pane, click mail flow, and click rules. Click the + symbol, and
click Bypass spam filtering:

3. In the new rule page, enter a Name to represent the rule.

4. From the Apply this rule drop-down menu, select The sender > IP address is in any of these
ranges or exactly matches:

5. In the specify IP address ranges page, type the IP address range for the Sender (Barracuda
Email Security Service) based on your Barracuda Email Security Service instance, for
example, type: 64.235.144.0/20, and click the + symbol.

6. Type the next IP address range for the Sender, for example, type 209.222.80.0/21,
and click the + symbol:

7. Click OK.

8. Scroll to the Properties of this rule section, and in the Priority field, type: 0

9. Click Save to create the transport rule.

10. Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top,
click on the rule, and use the Up arrow to move the rule to the top of the list.

Step 4. Restrict Inbound Mail to the Barracuda Email Security Service IP Range (Optional)

After updating your MX records, allow 24 hours before completing the steps in
this section to allow the records to propagate.

Use the steps in this section to restrict inbound mail to the Barracuda Email Security
Service IP address range.

Restrict Inbound Mail


1. Log in to the Office 365 admin center, and go to Admin centers > Exchange.

2. In the left pane, click mail flow, and click rules.

3. Click the + symbol, and click Create a new rule.

4. In the new rule page, enter a Name to represent the rule. For example, type:
Barracuda ESS IP restriction

5. Scroll down to and click Advanced Options.

6. From the Apply this rule if drop-down menu, select The Sender > Is External/Internal >
Outside the organization.

7. From the Do the following drop-down menu, select Reject this message
with the explanation.

8. Enter the message you want included in the non-delivery report (NDR) that is sent to the
sender. For example, enter:
You have attempted to bypass our Email Security Service. Please
ensure your DNS is up-to-date and try sending your message again.

9. Click Add Exception.

10. Select The Sender > Sender’s IP address is in any of these ranges or exactly matches,
and enter the Barracuda Email Security Service IP range based on your Barracuda Email
Security Service instance.

11. Enter the Barracuda Email Security Service IP range, for example: 64.235.144.0/20  

12. Click the + symbol.

13. Enter the Barracuda Email Security Service IP range, for example: 209.222.80.0/21

14. Click the + symbol.

15. Click OK.

16. Scroll to the Properties of this rule section, and in the Priority field, type: 0

17. In the new rule page, click Stop processing more rules, and click Save to create the rule.

18. Office 365 is now configured to block any email that does not originate from the Barracuda
Email Security Service IP address ranges.

19. Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top,
click on the rule, and use the Up arrow to move the rule to the top of the list.

If you complete both Step 3. Create Transport Rule and Step 4. Restrict
Inbound Mail to the Barracuda Email Security Service IP Range, verify the
Restrict Inbound Mail from Outside Your Organization to the Barracuda
Email Security Service IP Range rule displays first in the mail flow rules list,
and the Transport Rule rule displays second in the mail flow rule list.

Step 5. Configure Outbound Mail


Use this section to configure outbound mail.

Configure Outbound Mail


1. Log in to https://login.barracudanetworks.com/ using your account credentials, and
click Email Security in the left pane.

2. Click Domains, and click on the domain name to toggle the MX Records configuration; make
note of the Outbound Hostname.  

3. Log in to the Office 365 admin center, and go to Admin centers > Exchange. 

4. In the left pane, click mail flow, and click connectors.

5. Click the + symbol and use the wizard to create a new connector.

6. From the From drop-down menu, select Office 365, and from the To drop-down menu,
select Partner organization:

7. Enter a Name and (optional) Description to identify the connector. 

8. Click Next. Select Only when email messages are sent to these domains, click the + symbol,
and enter an asterisk (*) in the add domain field:

9. Click OK, and click Next. Select Route email through these smart hosts,
and click the + symbol.

10. Go to the Barracuda Email Security Service, click the Domains tab, and click on the domain
name to toggle the MX records configuration. Copy your outbound hostname, and enter it in
the add smart host page:

11. Click Save, and click Next. Use the default setting, Always use Transport Layer Security (TLS)
to secure the connection (recommended) > Issued by Trusted certificate authority (CA):

12. Click Next. In the confirmation page, verify your settings and click Next. Office 365 runs a test
to verify your settings:

13. When the verification page displays, enter a test email address, and click Validate. Once the
verification is complete, your mail flow settings are added.

Step 6. Configure Sender Policy Framework for Outbound Mail
To assure recipients that Barracuda Networks is the authorized sending mail service for
outbound mail from your Barracuda Email Security Service, add the following to the Sender
Policy Framework (SPF) record INCLUDE line for each domain sending outbound mail, based on
the region you selected for your Barracuda Email Security Service.

• If you have an SPF record set up for your domain, edit the existing record, and add
the following to the INCLUDE line for each domain sending outbound mail based on
your Barracuda Email Security Service instance. For example:
include:spf.ess.barracudanetworks.com -all

• If you do not have an SPF record set up for your domain, use the following value to
create a TXT record that creates a HARDFail SPF for your domain based on your
Barracuda Email Security Service instance. For example:
v=spf1 include:spf.ess.barracudanetworks.com -all

See Sender Policy Framework for Outbound Mail for INCLUDE values based on your Barracuda
Email Security Service instance.
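
The two cases above (edit an existing SPF record, or create a new one) can be checked before you touch DNS. The following Python sketch is an added example, not Barracuda code: it merges the handbook's example include value into a record, keeps the existing "all" policy, and rejects a result that would exceed the SPF limit of 10 DNS lookups. The function names and sample records are assumptions made for illustration.

```python
import re

# Example include value quoted in the handbook; use the value for your own instance.
ESS_INCLUDE = "include:spf.ess.barracudanetworks.com"
# Terms that each trigger a DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def term_name(term):
    """Name of an SPF mechanism or modifier, without qualifier or argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def count_lookups(record):
    """Count top-level lookup-causing terms; nested includes are not resolved here."""
    return sum(1 for term in record.split()[1:] if term_name(term) in LOOKUP_TERMS)


def add_include(existing, include=ESS_INCLUDE):
    """Return the SPF TXT value with `include` added.

    existing: the current TXT value, or None when the domain has no SPF record.
    """
    if existing is None or not existing.strip():
        # No record yet: create the hard-fail record shown in the handbook.
        return f"v=spf1 {include} -all"
    terms = existing.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("TXT value is not an SPF record")
    if include.lower() in (t.lower() for t in terms[1:]):
        return " ".join(terms)  # already authorized, nothing to change
    # Mechanisms are evaluated left to right, so the include must come before
    # the terminal "all" mechanism (or a redirect= modifier) to have any effect.
    position = len(terms)
    for index, term in enumerate(terms[1:], start=1):
        if term_name(term) in ("all", "redirect"):
            position = index
            break
    record = " ".join(terms[:position] + [include] + terms[position:])
    if count_lookups(record) > MAX_LOOKUPS:
        raise ValueError("record would exceed the SPF limit of 10 DNS lookups")
    return record


if __name__ == "__main__":
    # Constructed sample: a domain that already authorizes Office 365.
    current = "v=spf1 mx include:spf.protection.outlook.com ~all"
    print(add_include(current))
    print(add_include(None))
```

The lookup count covers only the terms in the record itself; includes that expand to further includes also count toward the limit at evaluation time.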

3.3 Inbound Filtering Policy
Barracuda Email Security Service consists of multiple, overlapping layers of security. The first layer
is based on analysis, specified policy, real-time threat information and custom blocklists, and is
primarily aimed at identification of the origin of threats. The second layer specified here looks
specifically at content and the identification of threats. It includes deep forms of content analysis.
The third layer consists of measures designed to restrict mail throughput via incoming mail, such
as controls on bulk email and rate control.

3.3.1 IP Analysis
Once the true sender of an email message is identified, you need to determine the reputation
and intent of that sender before accepting the message as valid, or “not spam”. The best way to
address both issues is to know the IP addresses of trusted email senders and forwarders and
define those as exempt from scanning by adding them to a list of known trusted senders.

Barracuda Networks does not recommend exempting domains because
spammers may spoof domain names. When possible, it is recommended that
you exempt by IP address only.

Create a list of Trusted Forwarders by specifying one or more IP addresses of machines that you
have set up to forward email to the Barracuda Email Security Service from outside sources. The
Barracuda Email Security Service exempts any IP address in this list from Rate Control, Sender
Policy Framework (SPF) checks, and IP Reputation. In the Received headers, the Barracuda Email
Security Service continues looking beyond a Trusted Forwarder IP address until it encounters the
first non-trusted IP address. At this point, Rate Control, SPF checks, and IP Reputation checks are
applied. Configure on the Inbound Settings > IP Address Policies page.
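
The Received-header walk described above can be illustrated in a few lines of Python. This is an added example, not the service's implementation: it assumes each Received header records the connecting peer as a bracketed IP in its "from" clause, and the function names, sample message and addresses are constructed for illustration.

```python
import email
import ipaddress
import re

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def peer_ip(received_value):
    """Return the peer IP recorded in the 'from' clause of one Received header."""
    from_clause = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    if not from_clause.lstrip().lower().startswith("from"):
        return None
    for candidate in BRACKETED_IP.findall(from_clause):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def first_untrusted_hop(raw_message, trusted_cidrs):
    """Walk Received headers from newest to oldest, skipping trusted forwarders.

    Returns (ip, forwarders_skipped) for the first non-trusted peer, or None when
    no such peer can be determined. The walk stops at the first non-trusted IP:
    every header below it was supplied by that peer and can be forged.
    """
    networks = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    headers = email.message_from_string(raw_message).get_all("Received") or []
    for skipped, value in enumerate(headers):
        ip = peer_ip(value)
        if ip is None:
            return None  # a trusted hop did not record its peer; cannot continue
        if not any(ip in network for network in networks):
            return str(ip), skipped
    return None


# Constructed sample: two trusted forwarders in front of the real sending server.
SAMPLE_MESSAGE = """\
Received: from fwd2.example.net (fwd2.example.net [198.51.100.10])
 by gateway.example.test with ESMTPS; Mon, 06 Jan 2020 10:00:03 +0000
Received: from fwd1.example.net (fwd1.example.net [198.51.100.77])
 by fwd2.example.net with ESMTP; Mon, 06 Jan 2020 10:00:02 +0000
Received: from mail.sender.example (unknown [203.0.113.45])
 by fwd1.example.net with ESMTP; Mon, 06 Jan 2020 10:00:01 +0000
Received: from workstation (workstation [192.0.2.99])
 by mail.sender.example with ESMTP; Mon, 06 Jan 2020 10:00:00 +0000
From: alice@sender.example
To: bob@example.test
Subject: constructed sample

body
"""

if __name__ == "__main__":
    # Rate Control, SPF and IP Reputation would be applied to this address.
    print(first_untrusted_hop(SAMPLE_MESSAGE, ["198.51.100.0/24"]))
```

The oldest header (192.0.2.99) is never consulted, which is why a trusted forwarder list should contain only machines you control.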

Barracuda Reputation and Email Categorization
Barracuda Reputation is a database maintained by Barracuda Central and includes a list of IP
addresses of known good senders as well as known spammers, or IP addresses with a “poor”
reputation. This data is collected from spam traps and other systems throughout the Internet.
The sending history associated with the IP addresses of all sending mail servers is analyzed
to determine the likelihood of legitimate messages arriving from those addresses. Updates to
Barracuda Reputation are made continuously by Barracuda Central engineering.

External Blocklist Services


Several organizations maintain external blocklists. External blocklists, sometimes called DNSBLs or
RBLs, are lists of IP addresses from which potential spam originates. In conjunction with Barracuda
Reputation, the Barracuda Email Security Service uses these lists to verify the authenticity of the
messages you receive. Configure on the Inbound Settings > Custom RBLs page.

Be aware that blocklists can generate false-positives (legitimate messages that are blocked).
Messages blocked due to external blocklists or the BRBL are the only blocked messages that are
not sent to the user’s Message Log.

Email Categorization
Email Categorization gives administrators more control over what they believe to be spam, even
if those messages do not meet the technical definition of spam. Most users do not realize that
newsletters and other subscription-based emails, while they are considered to be bulk email, are
not technically unsolicited - which means that they cannot be blocked by default as spam. The
senders of these emails may have a good reputation, but the user may no longer want to receive,
for example, a mass mailing from a club or vendor membership. The Email Categorization feature
assigns this type of email to categories that display on the Inbound Settings > Anti-Spam/Antivirus
page, and the administrator can then create block, quarantine, or allow policies by
category. When set to Off, no categorization scanning is performed.

3.3.2 Content Analysis


Administrators can set custom content filters for inbound messages based on message content
and attachment file name or MIME type on the Inbound Settings > Content Policies page.

• Attachment Filtering – For inbound mail, you can filter attachments based
on File Name or MIME Type.

• Password Protected Archive Filtering – For inbound mail, you can select to block, quarantine,
or ignore messages containing archive file attachments.

• Password Protected Microsoft Documents – For inbound mail, you can select to block,
quarantine, or ignore messages containing password protected Microsoft documents.

• Message Content Filters – Base message content filtering on any combination of subject,
headers, body, attachments, sender or recipient filters. You can specify actions to take with
messages based on pre-made patterns (regular expressions) in the subject line, headers,
message body, sender or recipient lines. Note that HTML comments and tags embedded
between characters in the HTML source of a message are filtered out so that content filtering
applies to the actual words as they appear when viewed in a web browser.

Anti-Fraud and Anti-Phishing Protection
Phishing scams are typically fraudulent email messages that appear to come from legitimate
senders, for example, a university, an Internet service provider, or a financial institution. These
messages usually contain a URL that, when clicked, directs the user to a spoofed website or
otherwise tricks the user to reveal private information such as login, password, or other sensitive
data. This information is then used to commit identity and/or monetary theft.

You can configure the Barracuda Email Security Service to evaluate and rewrite fraudulent URLs
so that, when clicked, the user is safely redirected to a valid domain or to a Barracuda domain
warning of the fraud. Configure on the Inbound Settings > Anti-Phishing page:

• Barracuda Anti-Fraud Intelligence – This Barracuda Networks anti-phishing detection feature
uses a special Bayesian database for detecting Phishing scams.

• Link Protection – When enabled, the service automatically rewrites a deceptive URL in an
email message to a safe Barracuda URL, and delivers that message to the user.

Note that when Link Protection is enabled, URLs are not rewritten if the URL
is exempt, the URL is contained in an encrypted or protected message, or the
URL is within an attachment.
To minimize false positives and page load delays, Barracuda maintains a list of
domains considered safe. Because of this, some links detected in messages
are wrapped while others are not. For example, Barracuda does not currently
wrap google.com, but does wrap googlegroups.com because it provides
user-generated content.

• Typosquatting Protection – Typosquatting is a common trick used by hackers to fool
users into thinking they are visiting a valid domain when the domain name is actually
misspelled. Typosquatting is detected only if the URL is rewritten, that is, if it is not
exempt. When a typosquatted link is clicked, the user is taken to a different domain that
may be spoofing the expected domain. The Typosquatting Protection feature checks for common
typos in the URL domain name and, if found, rewrites the URL to the correct domain name so
that the user visits the intended website.

Barracuda typosquatting works with tools such as Desvio to determine
misspelled domain names. To protect your misspelled domains,
contact providers such as Desvio to add your misspelled domain name
variations to their list.

Attachment Filtering
All messages, except those from exempt senders, go through attachment filtering. Use
the Inbound Settings > Content Policies page to specify actions to take on inbound messages
if they contain attachments with certain file name patterns or MIME types. If email is sent to a
recipient on a whitelist, content filtering is bypassed.

Messages that are blocked due to attachment filtering appear in the Message Log with the
word Attachment for the Reason if you click Show Details for the message.

Image Analysis
Image spam represents about one third of all traffic on the Internet. The Barracuda Email Security
Service uses Image Analysis, which includes investigating image dimensions in JPG/JPEG images,
to protect against new image variants. In the Message Log, Image Analysis may sometimes result
in one of the following:

• A message is deferred if determined to be suspicious, with a reason of Suspicious

• A message is blocked with a reason of Image Analysis

Intent Analysis
The intent of spam messages is to get a user to reply to an email, visit a web site, or call a
phone number. Intent analysis involves researching email addresses, web links (URLs), and
phone numbers embedded in email messages to determine whether they are associated with
legitimate entities.

Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email
Security Service applies the following forms of Intent Analysis to inbound mail, including real-time
and multi-level intent analysis:

• Intent Analysis – Markers of intent, such as URLs, are extracted and compared against a
database maintained by Barracuda Central.

• Real-Time Intent Analysis – For new domain names that may come into use, Real-Time Intent
Analysis involves performing DNS lookups against known URL blocklists.

• Multilevel Intent Analysis – Use of free websites to redirect to known spammer websites is
a growing practice used by spammers to hide or obfuscate their identity from mail scanning
techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the results of
Web queries to URLs of well-known free websites for redirections to known spammer sites.

Enable Intent Analysis on the Inbound Settings > Anti-Phishing page. Domains found in the body
of email messages can also be blocked based on or exempt from Intent Analysis on that page.

3.3.3 Bulk Email Detection


Many users subscribe to websites and lists and later forget that they subscribed, or subscribed
unknowingly. Email messages containing anything that looks like an unsubscribe link or instruction
may or may not be considered spam by the recipient. To provide users the opportunity to decide,
you can quarantine bulk email messages that contain unsubscribe links or instructions, or you can
choose to block them all, thereby reducing the load on your mail server. Configure Bulk Email
Detection on the Inbound Settings > Anti-Spam/Antivirus page.

If this feature is set to Block or Quarantine, email messages/domains that are
exempted by users or the administrator override this setting and are allowed.

3.3.4 Rate Control
The Barracuda Email Security Service Rate Control feature protects your organization from
spammers or spam-programs (also known as “spam-bots”) that send large amounts of email
to the server in a small amount of time. Configure rate control on the Inbound Settings
> Rate Control page.

The Rate Control mechanism counts the number of recipients for a domain from a sender (a single
IP address) over a half-hour time frame and compares that number to the Maximum Recipients
per Sender IP Address/30 minutes threshold you set on the page. If the number of inbound
recipients for a domain from a sender (a single IP address) exceeds this threshold within a half
hour period, the Barracuda Email Security Service defers any further connection attempts from
that particular IP address until the next half hour time frame and logs each attempt as deferred in
the Message Log with a Reason of Rate Control.

You can exempt trusted IP addresses from Rate Control by adding a trusted IP address to the Rate
Control Exemption list. Organizations that relay email through known servers or communicate
frequently with known partners can and should add the IP addresses of those trusted relays and
good mail servers to this list.

3.4 Outbound Filtering Policy
Outbound filtering options are configured on the Outbound Settings pages of the Barracuda
Email Security Service and are different from those for inbound filtering, including:

• Optional encryption for secure message transmission.

• Data Leak Prevention (DLP) filtering using pre-defined patterns such as credit card number,
social security number, driver’s license or HIPAA medical terms, to block, quarantine, or
encrypt outbound messages. Exceptions to DLP block/quarantine policy can be created for
emails containing phone numbers and/or street addresses. See the Outbound Settings >
Content Policies page for details.

• Outbound Quarantine and quarantine notifications, enabling administrators to deliver, reject,
delete or export outbound messages from senders within the organization.

3.4.1 DLP and Outbound Mail Encryption


For health care providers, governmental agencies and other entities who need to protect private,
sensitive, and valuable information communicated via email, the Barracuda Email Security
Service provides Data Leak Prevention (DLP) features using email encryption. DLP enables
your organization to satisfy email compliance filtering for corporate policies and government
regulations such as HIPAA and Sarbanes-Oxley (SOX). Advanced content scanning is applied for
keywords inside commonly used text attachments, as well as email encryption. You can configure
email encryption policies per domain.

Outbound Mail Encryption


Encryption is performed by the Barracuda Email Encryption Service, which also provides a web
interface, the Barracuda Message Center, for recipients to retrieve encrypted messages.

Figure 1: Mail Flow for Encrypted messages sent through the Barracuda Email Security Service.

When the Barracuda Email Encryption Service encrypts the contents of a
message, the message body does not display in the Message Log. Only the
sender of the encrypted message(s) and the recipient can view the body of
an encrypted message.

Secure Sensitive Message Transmission


TLS provides secure transmission of email content, both inbound and outbound, over an
encrypted channel. TLS is the successor to the Secure Sockets Layer (SSL), and the two names
are often used interchangeably. For DLP, you should require mail to be sent outbound from the
Barracuda Email Security Service over a TLS connection. To do so, enable Force TLS for each
domain on the Outbound Settings > DLP/Encryption page. Mail sent to these domains must be
transmitted across a TLS connection. If a TLS connection cannot be established, the mail
is not delivered.

Create Policies for when to Encrypt Messages


Use the Outbound Settings > Content Policies page to create policies for encryption of outbound
messages in one or both sections:

• Message Content Filters – You can select the Encrypt action for outbound email based on
characteristics of the message’s subject, header or body. You can specify simple words or
phrases, or use Regular Expressions. Content filtering is case sensitive.

• Predefined Filters – You can select the Encrypt action for outbound email messages that
contain matches to pre-made patterns in the subject line, message body or attachment. Use
the following pre-defined data leakage patterns (specific to U.S.) to meet HIPAA and other
email security regulations:

    • Credit Cards – Messages sent through the Barracuda Email Security Service containing
    recognizable Master Card, Visa, American Express, Diners Club or Discover card numbers
    will be subject to the action you choose.

    • Social Security – Messages sent with valid social security numbers will be subject
    to the action you choose. U.S. Social Security Numbers (SSN) must be entered in
    the format nnn-nn-nnnn.

    • Privacy – Messages will be subject to the action you choose if they contain two or more
    of the following data types, using common U.S. data patterns only: credit cards (including
    Japanese Credit Bureau), expiration date, date of birth, Social Security number, driver’s
    license number, street address, or phone number. Phone numbers must be entered in one
    of the following formats:

        • nnn-nnn-nnnn

        • (nnn)nnn-nnnn

        • nnn.nnn.nnnn

    • HIPAA – Messages are subject to the action you choose if they contain TWO of the types
    of items as described in Privacy above and ONE medical term, or ONE Privacy item, ONE
    Address and ONE medical term. A street address can take the place of Privacy patterns.
    So, for example, a U.S. Social Security Number (SSN), an address, and one medical term is
    enough to trigger the HIPAA filter.

The format of this data varies depending on the country, and these
filters are more commonly used in the United States; they do not apply
to other locales. Because of the millions of ways that any of the above
information can be formatted, a determined person will likely be able to
find a way to defeat the patterns used. These filter options are no match
for educating employees about what is and is not permissible to transmit
via unencrypted email.

Click Help on the Outbound Settings > Content Policies page in the Barracuda Email Security
Service web interface for more details.
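
To make the combination rules for the predefined filters concrete, the following Python sketch evaluates the Credit Cards, Social Security, Privacy and HIPAA conditions as this section describes them. It is an added example, not Barracuda's pattern set: the regular expressions cover only the formats named above plus a simple street-address pattern, the card check uses the standard Luhn checksum, and the medical term list, function names and sample texts are assumptions constructed for illustration.

```python
import re

SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # nnn-nn-nnnn (format check only)
PHONE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b"           # nnn-nnn-nnnn
                   r"|\(\d{3}\)\d{3}-\d{4}\b"         # (nnn)nnn-nnnn
                   r"|\b\d{3}\.\d{3}\.\d{4}\b")       # nnn.nnn.nnnn
CARD = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")        # 13 to 16 digits, optional separators
# Assumed street-address pattern: house number, one to three words, common suffix.
ADDRESS = re.compile(r"\b\d{1,5}\s+(?:[A-Za-z]+\s+){1,3}"
                     r"(?:Street|St|Avenue|Ave|Road|Rd|Drive|Dr|Lane|Ln)\b", re.I)
# Constructed stand-in for the service's medical dictionary.
MEDICAL_TERMS = {"diagnosis", "prescription", "biopsy", "chemotherapy"}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def privacy_types(text):
    """Return the Privacy data types found in the text (subset of the page's list)."""
    found = set()
    if any(luhn_ok(re.sub(r"\D", "", match)) for match in CARD.findall(text)):
        found.add("credit card")
    if SSN.search(text):
        found.add("ssn")
    if PHONE.search(text):
        found.add("phone")
    if ADDRESS.search(text):
        found.add("address")
    return found


def triggered_filters(text):
    """Return the names of the predefined filters this text would match."""
    types = privacy_types(text)
    words = set(re.findall(r"[a-z]+", text.lower()))
    has_medical_term = bool(words & MEDICAL_TERMS)
    hits = set()
    if "credit card" in types:
        hits.add("Credit Cards")
    if "ssn" in types:
        hits.add("Social Security")
    if len(types) >= 2:
        hits.add("Privacy")
    # HIPAA: two Privacy items plus one medical term. The page's second form (one
    # Privacy item, one address, one medical term) is covered by the same test,
    # because a street address is itself one of the Privacy data types.
    if has_medical_term and len(types) >= 2:
        hits.add("HIPAA")
    return hits


if __name__ == "__main__":
    # Constructed sample texts.
    for sample in (
        "Patient SSN 123-45-6789, lives at 42 Elm Street, diagnosis pending.",
        "Card 4111 1111 1111 1111, call (555)010-1234 to confirm.",
        "Call me at 555.010.1234 about lunch.",
    ):
        print(sorted(triggered_filters(sample)), "<-", sample)
```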

Send and Receive Encrypted Messages
The Barracuda Message Center is a web-based email client for receiving and managing
encrypted email sent by the Barracuda Email Security Service. The email client looks and behaves
much like any web-based email program (see Figure 2). The workflow for sending and receiving
encrypted messages is as follows:

1. Outbound messages that meet the filtering criteria and policies configured as described
above are encrypted and appear in the Message Log, but the message body does not
appear in the log for security purposes.

2. The Barracuda Message Center sends an email notification to the recipient including a link
the recipient can click to view and retrieve the message from the Barracuda Message Center.

3. The first time the recipient clicks this link, the Barracuda Message Center prompts them
to create a password.

4. The recipient logs into the Barracuda Message Center and is presented with a list of email
messages. All encrypted messages received appear in this list for a finite retention period or
until deleted by the recipient.

Figure 2: Barracuda Message Center web interface 

When the recipient replies to the encrypted email message, the response is also encrypted and
the sender receives a notification that includes a link to view and retrieve the message from the
Barracuda Message Center.

3.4.2 Content Analysis


Custom Content Filters
Customize content filtering based on any combination of subject, headers, body, attachments,
sender, or recipient, and apply to outbound mail. See the Outbound Settings > Content Policies
page for settings. Filter actions for outbound mail include Block, Allow, Quarantine, and Encrypt.

Messages that meet the Quarantine criteria are sent to the Outbound Quarantine for the
administrator to evaluate. Messages can then be viewed, delivered, rejected, deleted, or exported
from the Overview > Outbound Quarantine page.

Attachment Content Filters


All outbound messages, including those from exempt senders, go through attachment filtering. On
the Outbound Settings > Content Policies page, you can select to filter text matching the entered
pattern based on File Name or MIME type, and select whether to Block, Ignore, or Quarantine
outbound messages. Additionally, you can select to Block, Ignore, or Quarantine attached archive
files that require a password to unpack.

Message Content Filters
Enter filter patterns and select to Block, Allow, Quarantine, or Encrypt for Subject, Headers, Body,
Attachments, Sender, or Recipient. Note that Header filters are applied to both the header name
and content of any header, while the Subject filters only scan the contents of the Subject header.
Use regular expressions as well as the following special characters:

. [ ] \ * ? $ ( ) | ^ @

When using the above special characters, you must escape each character with a backslash (“\”).

Predefined Filters
Select predefined data leakage patterns (specific to the United States) for Subject, Headers,
Body, or Attachments. Select whether to Block, Quarantine, or Encrypt outbound messages
based on the filter.

Predefined Filter Exceptions


Add exemptions to predefined HIPAA or Privacy content filters to prevent outbound emails that
include phone number or street address items from being blocked, quarantined, or encrypted.

Image Analysis
Image analysis techniques protect against new image variants. Image analysis is automatically
configured in the Barracuda Email Security Service.

3.4.3 Abuse Monitoring and Notifications


Outbound email traffic is automatically monitored for Rate Control by the Barracuda Email Security
Service. If the volume of outbound mail messages from the service exceeds normal levels
during a 30 minute time frame, the Rate Control feature will take effect and outbound mail will be
deferred until the end of the 30 minute time frame. IP addresses of senders of outbound mail who
consistently trigger Rate Control will be logged on the Outbound Settings > Abuse Monitor page
in the IP Addresses With Recent Abuse table.

Abuse Notifications
An abuse notification email may be sent to the administrator of your Barracuda Email Security
Service for various reasons. These include but are not limited to:

• Sending mail to more than 150 recipients per 30 minute period.

• Sending out mail to more invalid recipients than allowed by the Barracuda
Email Security Service.

• Sending out mail that has been classified by the Barracuda Email Security Service as spam or
as containing a virus.

If your network sends out a large email blast, this may trigger an abuse notice from the Barracuda
Email Security Service. This notice informs you that you are sending out mail to more than
150 recipients per 30 minute period. This is not a block of your mail, but rather delays the
delivery of the messages. The mail will eventually go out, but at a much slower rate over a
longer period of time.

To prevent generation of an abuse notice, it is recommended that you spread out the delivery of
email blasts over a longer period of time or to smaller groups of recipients, and make sure that
the addresses you are sending to are legitimate. The limits set by the Barracuda Email Security
Service on the number of recipients that can be sent mail per 30 minutes protect against an
outbound spam attack from a customer’s network.

IP Addresses with Recent Abuse


The owner of an IP address that appears in this table on the Outbound Settings > Abuse
Monitor page for consistently exceeding Rate Controls can click Request Increased Limit to
request Barracuda Networks to allow a higher volume of outbound mail so that Rate Control
does not take effect.

Suspended IP Addresses
IP addresses that send very high volumes of email, consistently triggering Rate Controls, may be
suspended from sending outbound mail through the Barracuda Email Security Service. 

3.4.4 Outbound Quarantine


Configure policies on the Outbound Settings pages to quarantine outgoing messages that meet
certain criteria. The administrator can view all quarantined outbound messages from senders
within the organization and select to delete, reject, deliver, or export those messages from the
Overview > Outbound Quarantine page.

Rejected Messages
When enabled by the administrator, the sender receives a non-delivery report
(NDR) indicating that their message will not be sent to the recipient.

Admin Quarantine Notification


Configure Outbound Quarantine Notifications and NDRs for administrators and senders of
quarantined mail on the Outbound Settings > Notifications page. The domain administrator
receives a quarantine summary report at a specified interval, listing outbound quarantined
messages since the last report.

Sender Quarantine Notification


When a message ends up in the outbound quarantine, the sender receives an NDR email when
Quarantine Sender Notification is enabled on the Outbound Settings > Notifications page. The
email template is configurable.

Rejected Message Notification


If the administrator rejects an email in the outbound quarantine, an NDR is sent to the email
sender. The email template is configurable.

3.4.5 Outbound Rate Control
The Barracuda Email Security Service outbound rate limit is the number of messages an
individual user on the account can send out per day. By default, the Barracuda Email Security
Service outbound rate limit is set to 150 recipients per 30 minutes per sender, or 7200 recipients
per day. If users are hitting this rate limit, then they are sending mail to more than 150 recipients
per 30 minute period.

Note that the rate limit is not a block of their mail, but a deferral. The mail
server retries this mail until it is all delivered.
Per-user rate control only affects users listed in the Users > Users List; users
not on this page get the per-domain rate limit, normally 250 per
30 minute period. Anyone sending outbound mail through the Barracuda Email
Security Service should be listed in the Users > Users List page.

A sender may hit rate control limits due to your mail server configuration. For example, if a user
sends out a mass mailing to 1000 people, they will hit their rate control limit. Based on 150
recipients per 30 minute period, it will take at least 4 hours for all of the mail to be delivered. If
your mail server retries this deferred mail every few minutes this can cause the sender to remain
rate limited for a very long time. Barracuda recommends that you configure your mail server to
retry deferred connections every 30 minutes to avoid this issue.

If you have mail that must go out immediately, Barracuda recommends either:

• Bypassing the Barracuda Email Security Service and sending it directly to the Internet, or

• Using a mass mailing service designed for this purpose.

If you are using a mass mail program that does not retry deferred mail,
Barracuda recommends that you configure the system to deliver the mail
directly to the Internet or have it relay the mail through a fully functional mail
server that can correctly handle deferred mail.

Exceeding rate control limits displays in your outbound abuse report page. However, if there is
a problem with your account resulting in your outbound IP address or a user email address being
blocked, Barracuda will contact you via email or phone to explain the problem
requiring attention.
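To find which senders would hit the default limit before the service starts deferring them, an administrator can run the same count over the mail server's own outbound log. The script below is an added example, not Barracuda code: the log line format and sample entries are constructed, and it assumes a sliding 30-minute window, since the handbook does not say how the service itself measures the period.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 150                     # recipients per sender (handbook default)
WINDOW = timedelta(minutes=30)  # measurement period (handbook default)

# Constructed log format (an assumption): one line per accepted outbound message.
LINE_RE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> nrcpt=(?P<n>\d+)$")

# Constructed sample data, not taken from any real system.
SAMPLE_LOG = [
    "2020-01-31T09:00:00 from=<alice@example.com> nrcpt=60",
    "2020-01-31T09:10:00 from=<alice@example.com> nrcpt=60",
    "2020-01-31T09:20:00 from=<bob@example.com> nrcpt=5",
    "2020-01-31T09:25:00 from=<alice@example.com> nrcpt=40",
    "2020-01-31T09:28:00 from=<alice@example.com> nrcpt=20",
    "2020-01-31T09:45:00 from=<carol@example.com> nrcpt=100",
    "2020-01-31T10:20:00 from=<carol@example.com> nrcpt=100",
    "garbage line",
]


def find_rate_limit_hits(lines, limit=LIMIT, window=WINDOW):
    """Return ({sender: {"first_exceeded": datetime, "peak": int}}, skipped).

    A sender is reported when the recipients it addressed within any
    sliding `window` exceed `limit`. Unparseable lines are counted, not fatal.
    """
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            skipped += 1
            continue
        events.append((ts, m["sender"].lower(), int(m["n"])))
    events.sort()  # logs merged from several hosts may be out of order

    recent = defaultdict(deque)  # sender -> (timestamp, recipients) in window
    totals = defaultdict(int)    # sender -> recipients currently in window
    hits = {}
    for ts, sender, n in events:
        q = recent[sender]
        # Drop messages that have aged out of the window.
        while q and q[0][0] <= ts - window:
            totals[sender] -= q.popleft()[1]
        q.append((ts, n))
        totals[sender] += n
        if totals[sender] > limit:
            hit = hits.setdefault(sender, {"first_exceeded": ts, "peak": 0})
            hit["peak"] = max(hit["peak"], totals[sender])
    return hits, skipped


if __name__ == "__main__":
    found, bad = find_rate_limit_hits(SAMPLE_LOG)
    for sender, info in found.items():
        print(sender, info["first_exceeded"].isoformat(), info["peak"])
    print("skipped lines:", bad)
```

A sender that appears here without a planned mailing behind it is worth checking for a compromised account, which is the case the limit is meant to contain.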

3.5 Advanced Configuration

3.5.1 Secured Message Transmission


To prevent data leakage and ensure compliance with financial, health care and other federally-
regulated agency information policies, the Barracuda Email Security Service provides several
types of encryption for inbound and outbound message traffic. 

Send Messages Over an Encrypted Channel


TLS provides secure transmission of email content, both inbound and outbound, over an
encrypted channel using the Secure Sockets Layer (SSL).

To require mail to be sent outbound from the Barracuda Email Security Service over a TLS
connection, you can enable Force TLS for each domain on the Outbound Settings > DLP/
Encryption page. Mail sent to these domains must be transmitted across a TLS connection. If a
TLS connection cannot be established, then the mail will not be delivered.

To require mail coming inbound to the Barracuda Email Security Service to use a TLS connection,
use the SMTP Over TLS setting on the Domains > Settings page for each domain. If you
enable SMTP over TLS, then if TLS is available on your organization’s mail server, inbound mail is
sent over a TLS channel. If not, mail is sent in cleartext. 

Outbound Mail Encryption


For guaranteed message encryption and ensured delivery of outbound messages, use the 
Barracuda Message Center to encrypt the contents of certain outbound messages. You can
create policies for when to encrypt outbound messages on the Outbound Settings > Content
Policies page for a domain.

3.5.2 Sender Authentication


Sender Authentication mechanisms enable the Barracuda Email Security Service to protect
your network and users from spammers who might “spoof” a domain or otherwise hide the
identity of the true sender.

Sender Policy Framework

When Sender Policy Framework (SPF) checking is enabled on the mail server or
network, it is critical when using the Barracuda Email Security Service that you
either disable SPF checking in the service or add the Barracuda Email Security
Service IP ranges to your SPF exemptions based on your Barracuda Email
Security Service instance; see Barracuda Email Security Service IP Ranges in
Barracuda Campus for a list of IP ranges based on your Barracuda Email Security
Service instance. If this is not done, the SPF checker blocks mail from domains
with an SPF record set to Block. This is because the mail is coming from
a Barracuda Email Security Service IP address not in the sender’s SPF record.

SPF is an open standard specifying a method to prevent sender address forgery. The current
version of SPF protects the envelope sender address, which is used for message delivery. SPF
works by having domains publish reverse MX records to display which machines are designated
as mail sending machines for that domain. When receiving a message from a domain, the
recipient can check those records to verify mail is coming from a designated sending machine. If
the message fails the SPF check, it is assumed to be spam.

Messages that fail SPF check can be blocked and are logged as such. Enable or disable the SPF
feature for checking inbound mail from the Inbound Settings > Sender Authentication page.

Note that if you enable SPF, you can also enable the Sender Rewriting Scheme (SRS). This option
is configurable from the Advanced Configuration section of the Domains > Domain Settings
page and, when enabled, the Barracuda Email Security Service makes the IP address of your
sending mail server visible to the agent performing SPF verification on the recipient’s end.
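The SPF note above and the description of the check can be seen side by side in a small evaluator. This is an added example, not Barracuda code: it handles only the `ip4`, `ip6`, `include` and `all` mechanisms, reads records from a constructed table instead of DNS, and uses the documentation range 198.51.100.0/24 as a placeholder for the service's IP ranges (the real ranges are listed in Barracuda Campus).

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS lookups.
TXT = {
    "sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "bulk.example": "v=spf1 include:sender.example ~all",
}

# Placeholder for the filtering service's relay ranges (an assumption,
# not real Barracuda addresses).
RELAY_RANGES = ["198.51.100.0/24"]


def _in_network(addr, cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return addr.version == net.version and addr in net


def check_spf(ip, domain, txt, depth=0):
    """Evaluate the SPF record of `domain` for connecting address `ip`."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    terms = txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                   # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _in_network(addr, arg)
        elif name == "include":
            inner = check_spf(ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            raise ValueError("mechanism not handled in this example: " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched


def inbound_spf_decision(connecting_ip, mail_from_domain, txt, exempt_ranges):
    """SPF decision on a mail server that sits behind the filtering service.

    The server sees the service's address as the connecting IP, so the
    check only gives a useful answer if those ranges are exempted.
    """
    addr = ipaddress.ip_address(connecting_ip)
    if any(_in_network(addr, cidr) for cidr in exempt_ranges):
        return "exempt"
    return check_spf(connecting_ip, mail_from_domain, txt)


if __name__ == "__main__":
    relay_ip = "198.51.100.25"          # constructed relay address
    print(inbound_spf_decision(relay_ip, "sender.example", TXT, []))
    print(inbound_spf_decision(relay_ip, "sender.example", TXT, RELAY_RANGES))
```

Without the exemption, legitimate mail from `sender.example` that was already checked by the service evaluates to `fail` on the internal server, which is the blocking the note warns about.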

Blocking No PTR Records


While the A record for a domain points to an IP address, the PTR record resolves the IP address
to a domain/hostname; PTR records are used for reverse DNS lookup. Enabling this feature
means that the Barracuda Email Security Service queries DNS for the SPF record of the sending
domain and, if there is no entry for the sending IP address, that is, no PTR record, the message is
blocked. Configure on the Inbound Settings > Sender Authentication page.

Custom Policies and Sender Spoof Protection


Enable Sender Spoof Protection on the Inbound > Sender Authentication page when you do
not have an SPF record set up for your domain. Use Sender Spoof Protection to block “From”
addresses that use your domain. Note that Sender Spoof Protection is for inbound mail only, and
does not stop your domain from being spoofed at other mail servers.

3.5.3 Directory Services


User authentication and recipient verification are a critical part of maintaining security of email
flowing into and out of your organization. By identifying known trusted senders and recipients
of email, you can block a large percentage of spam, viruses, and malware from your network.
Configure directory services on the Domain > Domain Settings page.

3.6 Administration

3.6.1 User Accounts


Administrators can manage user accounts for all domains configured in the Barracuda Email
Security Service from the Users tab, including:

• Manually add or delete users.

• Set a user as domain administrator to select domains.

• Log in as a user.

• Set notification status for account and domain administrators.

• Set default email scanning policies for managed and unmanaged users.

• Enable user quarantine and quarantine notification interval.

• Set the default time zone for all users.

• Change user account passwords and settings.

Users can view their quarantine inbox (Message Log) and set account preferences. Available
settings are dependent upon administrator settings.

• Modify individual settings for quarantine notification reports.

• Deliver or delete quarantined messages.

• Change password.

• Use the current account as an alias to link accounts. From the Settings > Linked
Accounts page, the user can add additional email addresses they may have in the same
domain for which quarantined email should be forwarded to this account.

• Create exempt and blocklists for email addresses, users, and domains.

See the Barracuda Email Security Service User Guide for more information.

Default User Settings


Configure default scan/block/allow policies for both Managed Users and Unmanaged Users on
the Users > Default Policy page:

• Managed Users – Users configured either manually or by synchronizing with your LDAP
server or Azure AD. Managed Users display in the Users > Users List page.

• Unmanaged Users – All email senders and recipients for the configured domains, but who
are not in your users list for some reason.

If you do not modify the default scan/block/allow policies, all email is scanned
rather than blocked or allowed.

Add or Update Users


From the Users > Add/Update Users page, you can:

• Manually create or update user accounts – When Notify New Users is set to Yes, the
Barracuda Email Security Service sends a welcome email once the account is created. The
email states that the user has a new quarantine account and includes a link to log in to
change their password or review account settings. Note that the link will expire in 7 days.
Once the user receives their first quarantined email in their quarantine inbox (Message Log),
a second email is generated as the first quarantine notification. This email is only generated
if there is a notification interval set and the recipient has received at least one message
marked with the Action Quarantine.

The welcome email is only sent to a user when you manually create
the account; it is not sent if the account is created automatically.
Accounts can be automatically created by setting the Automatically Add
Users option to Yes on the Domains > Settings page.

• Enable User Quarantine – When set to Yes, the Barracuda Email Security Service sends a
notification that the user has quarantined messages. Set a predefined notification interval or
allow users to override this setting and configure their own notification interval on the Users >
Quarantine Notification page.

3.6.2 User Authentication


Sender and recipient verification are a critical part of maintaining security of email flowing into
and out of your organization. By identifying known trusted email senders and recipients, you can
block a large percentage of spam, viruses, and malware from your network. 

Azure Active Directory and Single Sign On


Configure recipient verification with Azure Active Directory (AD) to allow end-users to sign in to
the Barracuda Email Security Service using their Azure AD credentials. Once logged in, users can
view their quarantine messages.

You can configure Single Sign-On (SSO) for a domain so that authenticated users can access
all or a subset of the restricted resources by authenticating just once using their Azure AD
credentials. SSO is a mechanism where a single set of user credentials is used for authentication
and authorization to access multiple applications across different web servers and platforms,
without having to re-authenticate.

The SSO environment protects defined resources (websites and applications) by requiring the
following steps before granting access:

• Authentication: Authentication verifies the identity of a user using login credentials.

• Authorization: Authorization applies permissions to determine if this user may access
the requested resource.

Complete the Azure AD setup steps for each domain you want to synchronize with
your Azure AD directory.

Set Up Azure AD
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and click
Email Security in the left pane.

2. Click Domains, and click Edit in the Settings column for the desired domain.

3. In the Domains > Domain Settings page, scroll to the Directory Services section, and select
Azure AD, and click Save Changes at the top of the page.

4. Scroll down to the Status section, and click Authorize.

5. The Authorize Azure AD dialog box displays. Click Continue.

6. When prompted, log in to your Microsoft Office 365 account using your
administrator credentials.

7. In the Authorization page, click Accept to authorize the Barracuda Email Security Service to
connect to your Azure AD directory.

8. In the Barracuda Email Security Service Domain Settings page, the Status field displays as
Active; the Authorized Account and Authorization Date display below the status.

9. Click Sync Now to add your Azure AD users to the Barracuda Email Security Service.

10. The synchronization progress displays; allow the process to complete.

11. In the Synchronization Options section, select Synchronize Automatically. When selected,
the Barracuda Email Security Service automatically synchronizes with your Azure AD
directory every 15 minutes and adds/updates your users.

If you select Manual, you must click Sync Now to synchronize the
Barracuda Email Security Service with your Azure AD directory
and add/update users.

12. To use SSO, click Yes for Enable Single Sign On. Once enabled, users are prompted to log
in to their Microsoft Office 365 account when accessing their messages in the Barracuda
Email Security Service.

13. Click Save at the top of the page to save your settings and return to the Domains page.

LDAP User Authentication


You can synchronize the Barracuda Email Security Service with your existing LDAP server to
automatically create accounts for all users in the domain. LDAP lookup configuration and LDAP
authentication of user logins is done by domain on the Domains > Domain Settings page. On
the Domains page, click Edit in the Settings column to the right of the domain name. Once you
configure your LDAP settings on the Domains > Domain Settings page, click Synchronize Now
to create user accounts for all users in your LDAP server.

Complete the LDAP setup steps for each domain you want to synchronize with your LDAP server.

Set Up LDAP
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and click
Email Security in the left pane.

2. Click Domains, and click Edit in the Settings column for the desired domain.

3. In the Domains > Domain Settings page, scroll to the Directory Services section, and select
LDAP, and click Save Changes at the top of the page.

4. Enter your LDAP server settings in the provided fields.

5. Click Test Settings to ensure the Barracuda Email Security Service can
communicate with the server.

6. In the Synchronization Options section, select Synchronize Automatically. When selected,
the Barracuda Email Security Service automatically synchronizes your LDAP users to its
database on a regular basis for recipient verification. With Microsoft Exchange server, the
synchronization is incremental. Select No if you want to synchronize manually in case your
LDAP server is not always available. To synchronize manually, click Synchronize Now.

7. Click Save at the top of the page to save your settings and return to the Domains page.

3.6.3 Reports, Logs, and Notifications


The Barracuda Email Security Service includes numerous reports and logs.

Dashboard
The Dashboard page displays summarized inbound and outbound email statistics for the
Barracuda Email Security Service. You can view statistics for a single domain or all verified
domains on your account. From the Dashboard, you can view the following details:

• Threat Origins – View geographic origins of threats detected in email processed by the
Barracuda Email Security Service for the domains in your account.

• Top Recipient Domains/Top Sender Domains – View total number of messages processed,
number of blocked messages, or number of allowed messages.

• Traffic Status – View the date and time of the most recently received and sent messages.

• Subscriptions – View Barracuda Email Security Service account and Advanced Threat
Protection (ATP) subscription status.

• Inbound Email Statistics – View a graph of the total inbound messages processed, in the
time frame, by number allowed, blocked, quarantined, and blocked for virus.

• Inbound: Top Recipients/Senders Blocked – View either recipients of inbound blocked
messages or senders of inbound blocked messages.

• Outbound Email Statistics: Overview – View a graph of the total outbound messages
processed, in the time frame, by number sent (allowed), blocked, and quarantined.

• Outbound: Top Recipients/Senders Blocked – View top recipient and senders blocked.

• Total Threats/Viruses: Overview – View viruses detected by the Barracuda Email Security
Service virus scanner, as well as advanced threats detected by ATP including file type.

• Last Blocked: ATP – View filename and file type of attachment determined to
be infected by ATP. 

Message Log
The Message Log is a window into how the current spam, virus, and policy settings are filtering
email coming through the Barracuda Email Security Service. Use the information in the log to help
tune your inbound and outbound policy settings.

Sort messages using the Advanced Search feature to quickly view email by allowed, deferred,
quarantined, encrypted (outbound), or blocked messages by domain, sender, recipient, time
range (last 2-30 days), envelope to, envelope from, reason, action taken, date or subject.
The Message Log reflects all email traffic through the Barracuda Email Security Service at the
global level. If you click on a verified domain on the Domains > Domain Manager page, a tab
for the Message Log for that domain displays. Additionally, you can track end-user quarantine
notifications in the Message Log.

Reports
Use the Reports tab to generate reports including:

• Inbound Traffic

• Outbound Traffic

• Top Email Senders/Recipients

• Top Spam Senders/Recipients

• Top Virus Senders/Recipients

• Top Blocked Senders/Recipients

Reports cover global activity across all domains for which you have mail filtered, with up to a
maximum history of 30 days of data. Use the calendar controls to set the start date; note  that you
cannot run a report that covers more than a seven day period.

• Sending mail to more recipients per 30 minute period than allowed by the Barracuda
Email Security Service;

• Sending mail to more invalid recipients than allowed by the Barracuda Email Security Service;

• Sending mail that has been classified by the Barracuda Email Security Service as spam or
as containing a virus.

3.6.4 Quarantine
Configure policies on the Outbound Settings > Content Policies pages to quarantine outgoing
messages that meet certain criteria. The administrator can view all quarantined outbound
messages from senders within the organization and select to delete, reject, deliver, or export
those messages from the Overview > Outbound Quarantine page.

Rejected Messages
When enabled by the administrator, the sender receives a non-delivery report
(NDR) indicating that their message will not be sent to the recipient.

Configure Outbound Quarantine Notifications and NDRs for administrators and senders of
quarantined mail on the Outbound Settings > Notifications page.

Admin Quarantine Notification


The domain administrator receives a quarantine summary report at a specified interval, listing
outbound quarantined messages since the last report.

Set Up Notification
1. On the Outbound Settings > Notifications page, in the Admin Quarantine
Notification section, select the Notification Interval:

• Never – When selected, no quarantine summary report is sent.

• Immediately – A quarantine summary is sent to the entered Notification
Address once you save changes.

• Scheduled – When selected, the Schedule notification intervals section displays. Click
and drag to select the day and time when you want the notification sent.

2. Enter the email address to which the report is to be sent in the Notification Address field.

3. Click Save Changes.

Sender Quarantine Notification


When a message ends up in the outbound quarantine, the sender receives an NDR email
when Quarantine Sender Notification is enabled on the Outbound Settings > Notifications page.
The email template is configurable.

Set Up Sender Quarantine Notification


1. On the Outbound Settings > Notifications page, in the Sender Quarantine
Notification section, select Yes to send a notification to the sender of a
quarantined outbound message.

2. Enter the Quarantine Notification Address.

3. Enter the subject of the NDR in the Quarantine Notification Subject field.

4. Configure the body of the NDR email using the Quarantine Notification Template.

Notification to Sender of Rejected Message
If the administrator rejects an email in the outbound quarantine, an NDR is sent to the email
sender. The email template is configurable.

Configure NDR
1. On the Outbound Settings > Notifications page, enter the following details in the Notification
to Sender of Rejected Message section:

a. Reject Notification Address – Enter the NDR ‘from’ address that the sender receives.

b. Reject Notification Subject – Enter the NDR subject that the sender receives.

c. Reject Notification Template – Configure the body of the NDR.

2. Click Save Changes.

3.7 Outbound Spam Protection
By scanning all outbound messages, you can ensure that all email leaving your
organization is legitimate, virus-free, and does not leak private or sensitive information from
inside the organization.

The following policies are applied by default to all outbound mail by the Barracuda
Email Security Service:

• Scanning for viruses and intent

• Scanning and scoring for spam content

• If a virus or spam is discovered in an outbound message, the message is not delivered;
however, mail caught for spam can be manually delivered by the administrator.

You cannot bypass outbound mail virus or spam filtering.

Outbound filtering options are configured on the Outbound Settings pages:

• Optional encryption for secure message transmission;

• Data Leak Prevention (DLP) filtering using pre-defined patterns such as credit card number,
social security number, driver’s license, or HIPAA medical terms, to block, quarantine, or
encrypt outbound messages;

• Create exceptions to DLP block/quarantine policy for emails containing phone numbers and/
or street addresses on the Outbound Settings > Content Policies page;

• Set Outbound Quarantine and quarantine notifications to allow administrators to deliver,
reject, delete, or export outbound messages from senders within the organization.

3.8 Advanced Threat Protection
The Barracuda Email Security Service subscription-based Advanced Threat Protection (ATP)
service analyzes inbound email attachments with most MIME types in a separate, secured
cloud environment, detecting new threats and determining whether to block such messages.
ATP offers protection against advanced malware, zero-day exploits, and targeted attacks not
detected by the Barracuda Email Security Service virus scanning features. Enable ATP on
the ATP Settings page.

When ATP determines an attachment contains a threat and blocks the message,
review the ATP Report before determining whether to deliver the message.

3.8.1 Advanced Threat Protection Options


Configure policies on the Inbound Settings > Content Policies page, and specify how and when
attachments are scanned on the ATP Settings page.

Deliver First, then Scan


When selected, the ATP service attempts to scan the mail in real time. If the ATP scan completes
in real time and a virus is detected, the message is blocked and is not delivered. If the ATP
scan does not complete in real time, the message is delivered; if the ATP service determines
the attachment to be suspicious or virus-infected upon completion, the recipient is notified, and
if Notify Admin is set to Yes, an email alert is sent to the specified admin address.

Figure 1. Scan is Complete in Real Time, No Threat Detected.

Figure 2. Mail is Delivered Before Scan Complete; Threat Detected.

This option does not delay email processing; however, the email recipient can
potentially open an infected attachment.

Scan First, then Deliver


When selected, the ATP service scans new messages with attachments before delivery. If a
virus is detected in an attachment, or the attachment is a known threat, the message is blocked;
otherwise, the message is delivered to the recipient.

This option provides more security and prevents the email recipient from
opening infected attachments. These messages appear in the Message Log,
and Pending Scan displays in the Reason column. The mail server retries
until the scan is complete and no virus is detected in the attachment, at which
point the message is delivered. Note that messages with attachments may
be temporarily deferred while queued for scanning. If the message status is
deferred for more than four hours, the message is quarantined.

Figure 3. Attachment is Recognized as a Known Threat.

Figure 4. Attachment is Scanned and Determined to be Suspicious.

Figure 5. No Threat Detected in Attachment.

Advanced Threat Protection Disabled


When set to No on the ATP Settings page, ATP is disabled.

3.8.2 Advanced Threat Protection Exemptions


When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt
sender email addresses, sender domains, recipient email addresses, recipient domains, or sender
IP addresses from ATP scanning in the ATP Exemptions section on the ATP Settings page.

Attachments from exempted entries are not sent to the ATP cloud. Note that
these exemptions apply to ATP scanning only and do not apply to Barracuda
Email Security Service virus scanning.

3.8.3 Administrator Notification


When Deliver First, then Scan is selected, select Yes for Notify Admin to notify the administrator
when a virus is detected by the ATP service in a scanned attachment. The email notification
includes the sender, recipient, attachment type, and detected virus. Enter the admin email address
in the ATP Notification Email field. Infected attachments are listed in the ATP Log.

3.8.4 ATP Exemptions
When ATP is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt
sender email addresses, sender domains, recipient email addresses, recipient domains, or
sender IP addresses from ATP scanning. Attachments from exempted entries are not sent to
the ATP cloud. Note that these exemptions apply to ATP scanning only and do not apply to
Barracuda Email Security Service virus scanning.

3.8.5 Message Log


Messages blocked or deferred by the ATP service are listed in the Message Log with the
following codes listed in the Reason column:

• Advanced Threat Protection – Message is blocked by the ATP service due to an
infected attachment.

• Pending Scan (Scan First, then Deliver enabled) – Message is deferred while the attachment
is scanned. The mail server retries until the scan is complete. Once complete, if no virus is
detected, the message is delivered.

• ATP Service Unavailable – Message is deferred because the ATP service is temporarily
unavailable. The message is retried and, when the scan is complete and if no virus is
detected, the message is delivered.

3.8.6 View ATP Statistics


The Dashboard page displays statistics of scanned attachments determined to be
infected by the ATP service.

3.8.7 Deferred Delivery


If a message scanned by ATP is quarantined or blocked (for example, ATP determines the
message attachment is suspicious), the admin can select to deliver the message.

3.9 Email Continuity
Email Continuity allows end-users to send, receive, compose, and forward emails when
designated mail servers are unavailable. Note that Email Continuity is automatically disabled
after 96 hours. Messages in the Email Continuity are viewable in the Message list for 30 days,
after which they expire.

Enable Email Continuity for all users on all domains on the account to comply with business
continuity regulations. Keep the following rules in mind:

• The original mail headers and timestamp sent/received during an outage are synchronized to
the primary mail server to minimize end-user confusion.

• Messages for the primary and alias email addresses are delivered to the primary account.

• When replying to a message or forwarding a message from Email Continuity, the sender is
the primary email address.

• Outbound messages sent via Email Continuity are subject to the
configured outbound policies.

• When Email Continuity is enabled, if the administrator logs in as a user, that user’s
message log is view-only.

• Messages cannot be deleted from the Email Continuity Service.

• You cannot access or send messages via quarantine notification email when Email
Continuity is in effect.

You must enable spooling for each domain where you want to enable Email Continuity.

Enable Spooling 
1. Log in to Barracuda Email Security Service as the administrator, and click Domains.

2. For the domain where you want to enable Email Continuity, click Edit in the Settings column.

3. In the Options section, set Spooling to Yes.

4. Click Save Changes.

5. Complete steps 2 through 4 for each domain where you want to enable Email Continuity.

Once you enable spooling, enable Email Continuity.

Enable Email Continuity


1. Go to Users > Email Continuity.

2. Set Email Continuity to Auto-Enable.

3. Click Save Changes.

The Email Continuity status displays the date and time after which it is disabled (after 96 hours).

3.9.1 Notifications and Status
When Email Continuity is enabled, the following notifications are available:

• Email Server Offline/Online Status – Once enabled, the administrator is notified when the
mail server goes offline and when it comes back online:

• Via Barracuda Email Security Service dashboard

• Via Barracuda Networks Android Mobile Application

• Via Barracuda Networks iOS Mobile Application

• Email Continuity Status – If spooling or Email Continuity is enabled for more than 96 hours, a
warning displays in the Barracuda Email Security Service dashboard

3.9.2 Actions
When Email Continuity is activated, users can continue to view their messages in the Message
Log. In addition to the standard message actions in the Message Log view, users can compose
a new message, and forward or reply to a message. Spooled messages display in the account
admin, domain admin, recipient, and sender Message Logs when Email Continuity is running.

When you view a message in the log, the following actions are available in
the Message View page:

• Click on a message in the email list to view the message body, and take actions:

• Compose a New Message

• Reply to the sender

• Forward a message with Delivery status of Delivered to one or more email addresses;
separate multiple addresses with a comma delimiter.

• You can select to download one or more messages from Email Continuity as a .eml file.

Barracuda Cloud Archiving Service
4.1 Introduction to the Barracuda Cloud Archiving Service
4.1.1 Understanding Compliance
4.1.2 Litigation Support
4.1.3 Storage Management
4.1.4 Knowledge Management
4.1.5 Compliance
4.1.6 Data Retention
4.1.7 Litigation Holds
4.1.8 Datacenters by Region

4.2 Barracuda Cloud Archiving Service Deployment

4.3 PST Import
4.3.1 PST File Import
4.3.2 Barracuda PST Enterprise

4.4 User Roles
4.4.1 User Roles
4.4.2 User Accounts
4.4.3 Local Accounts
4.4.4 LDAP Accounts

4.5 End-User Access
4.5.1 Barracuda Cloud Archiving Web Interface
4.5.2 Barracuda Outlook Add-In
4.5.3 Barracuda Stand-Alone Search Utility
4.5.4 Barracuda Mobile Companion App

4.6 Tools and Add-Ins
4.6.1 Barracuda Outlook Add-In
4.6.2 Stand-Alone Search Utility
4.6.3 Mobile Companion App

4.7 Exchange Integration
4.7.1 Exchange Operations
4.7.2 Email Import
4.7.3 Configure Office 365 Exchange Online Service Account and Import Historical Data
4.7.4 Archive Non-Email Items
4.7.5 Synchronize Folders

4.8 Search Options
4.8.1 Message Actions
4.8.2 Search as User
4.8.3 Select Messages
4.8.4 Resend to Me
4.8.5 Export Messages
4.8.6 Forward Messages
4.8.7 Tag Messages
4.8.8 Search As User
4.8.9 Available Actions
4.8.10 Build Search Queries
4.8.11 Advanced Search Parameters
4.8.12 Search Strings
4.8.13 Keyword Expressions
4.8.14 Wildcards
4.8.15 Domain-Based Search Strings
4.8.16 Compound Search Strings
4.8.17 Stop Words
4.8.18 Punctuation in Search Strings
4.8.19 Encrypted Email

4.9 Retention Policies
4.9.1 Global Retention Policy
4.9.2 Saved-Search Retention Policy

4.10 Litigation Holds

4.11 Audit Logs
4.11.1 Audit Log Tools and Options


4.1 Introduction to the Barracuda Cloud Archiving Service
The Barracuda Cloud Archiving Service is a Software as a Service (SaaS) solution hosted in
the Barracuda Cloud, previously referred to as direct-to-cloud. The Barracuda Cloud Archiving
Service is designed for customers that do not want to manage a physical or virtual appliance. It is
simpler to deploy than public cloud versions of Barracuda Message Archiver, without additional
infrastructure investment.

Emails are archived without the need to install any email client or server software. Barracuda’s
extensive and robust global cloud infrastructure ensures security, and centralized management
through the Cloud Control portal makes it simple.

4.1.1 Understanding Compliance


The Barracuda Cloud Archiving Service provides everything an organization needs to comply
with government regulations in a cloud solution. The Barracuda Cloud Archiving Service stores
and indexes all email for easy search and retrieval by both regular users and third-party auditors.
Backed by Energize Updates, delivered by Barracuda Central, the Barracuda Cloud Archiving
Service receives automatic updates to its extensive library of virus and policy definitions to enable
enhanced monitoring of compliance and corporate guidelines as well as document file format
updates needed to decode content within email attachments.

The Barracuda Cloud Archiving Service features an easy-to-use web user interface, creating
an intuitive and cost-effective administration tool for the Software as a Service (SaaS) solution.
The web user interface allows administrators to define, manage, and control corporate archiving
settings and rules from a central location.

The Barracuda Cloud Archiving Service provides:

• Litigation Support

• Storage Management

• Knowledge Management

• Compliance

• Regulatory Compliance

4.1.2 Litigation Support


Litigation discovery involves all parties in a lawsuit and requires that all data or information
relevant to the lawsuit be provided as requested by the court of law. All email is stored and
indexed for easy search and retrieval by both regular users and third-party auditors.

4.1.3 Storage Management


Not only does the volume of email messages continue to increase, the size of the average email
itself is also on the rise. Due to the increased use of file attachments in email messages, the
average email size can range between 22KB and 350KB. As such, the ability for an organization
to adequately keep up with the storage demands of email can be costly. While storage
solutions can be used to deal with the problem of email message growth in the short term, the
Barracuda Cloud Archiving Service provides a more resourceful way of handling the issue over a
longer period of time.

4.1.4 Knowledge Management


A company’s email system contains a vast amount of vital corporate intelligence, some of
which is not replicated in any other data or material. If email is lost or is not easily accessible,
a company runs the risk of losing that intelligence. The Barracuda Cloud Archiving
Service provides management tools essential to storing and controlling access to an
organization’s knowledge base.

4.1.5 Compliance
Compliance issues are perhaps the driving force behind the increase in demand for an email
archiving solution. The sheer number of regulations requiring some form of email retention, as
well as the more specific parameters of how the email should be stored and for how long, can be
confusing for administrators.

Although many regulations exist and have varying requirements, compliance is
based on three concepts:

• Email permanence – Email must be maintained in its original form without
alteration or deletion

• Email security – Information must be protected against all threats including unauthorized
access to the email as well as physical damage. This same concept applies to the process of
legal discovery which often specifies who can access the email (i.e., legal teams) as well as
safeguards against the destruction of hard copies of the data

• Auditability – Email must be easily accessible in a timely fashion by authorized
personnel upon request

4.1.6 Data Retention


By default, automated purging of messages archived on the Barracuda Cloud Archiving Service
is disabled. When enabled, the Global Retention Policy and any Saved-Search retention policies
are run against all the archived messages once a week. You can allow messages to be deleted
from the Barracuda Cloud Archiving Service when the age of any message exceeds the maximum
age allowed by all matching Saved Search retention policies, or the Global Retention Policy if
no Saved Search retention policy matches the message. Retention policies are the only way to
purge messages; data cannot be deleted directly by a user.

4.1.7 Litigation Holds


Litigation Holds are created by auditors to prevent messages that meet the criteria for a specific
Saved Search from being removed from the Barracuda Cloud Archiving Service. 
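
The purge rule from 4.1.6 and the hold rule from 4.1.7 can be modelled together. The following Python sketch is an added example, not Barracuda code: the class and function names, the criteria callbacks, the choice to count age from the message date, and the sample messages are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Sequence


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    subject: str
    sent_on: date  # assumption: message age is counted from this date


Criteria = Callable[[Message], bool]  # stands in for a Saved Search's criteria


@dataclass(frozen=True)
class SavedSearchPolicy:
    name: str
    matches: Criteria
    max_age_days: int


@dataclass(frozen=True)
class LitigationHold:
    name: str
    matches: Criteria


def purge_decision(msg: Message, today: date, purging_enabled: bool,
                   global_max_age_days: int,
                   policies: Sequence[SavedSearchPolicy],
                   holds: Sequence[LitigationHold]) -> str:
    """Return 'keep:<reason>' or 'purge:<reason>' for one archived message."""
    if not purging_enabled:                      # automated purging is off by default
        return "keep:purging-disabled"
    for hold in holds:                           # a hold blocks removal outright
        if hold.matches(msg):
            return f"keep:hold:{hold.name}"
    age_days = (today - msg.sent_on).days
    matching = [p for p in policies if p.matches(msg)]
    if matching:
        # The message must exceed the age allowed by ALL matching policies,
        # so the longest matching retention period is the one that counts.
        limit, source = max(p.max_age_days for p in matching), "saved-search"
    else:
        limit, source = global_max_age_days, "global"
    return f"purge:{source}" if age_days > limit else f"keep:{source}"


def weekly_run(messages: Sequence[Message], today: date, purging_enabled: bool,
               global_max_age_days: int,
               policies: Sequence[SavedSearchPolicy],
               holds: Sequence[LitigationHold]) -> Dict[str, str]:
    """Evaluate every archived message, as the weekly retention run would."""
    return {m.msg_id: purge_decision(m, today, purging_enabled,
                                     global_max_age_days, policies, holds)
            for m in messages}


# Constructed sample data (not taken from any real archive).
TODAY = date(2020, 1, 31)
GLOBAL_MAX_AGE_DAYS = 1095
POLICIES = [
    SavedSearchPolicy("finance", lambda m: m.sender.endswith("@finance.example.com"), 2555),
    SavedSearchPolicy("legal", lambda m: "contract" in m.subject.lower(), 3650),
]
HOLDS = [LitigationHold("acme-case", lambda m: "acme" in m.subject.lower())]
MESSAGES = [
    Message("m1", "ap@finance.example.com", "Invoice 1001", TODAY - timedelta(days=3000)),
    Message("m2", "ap@finance.example.com", "Contract renewal", TODAY - timedelta(days=3000)),
    Message("m3", "bob@example.com", "Lunch", TODAY - timedelta(days=1200)),
    Message("m4", "bob@example.com", "Acme dispute notes", TODAY - timedelta(days=1200)),
]

if __name__ == "__main__":
    for msg_id, decision in weekly_run(MESSAGES, TODAY, True, GLOBAL_MAX_AGE_DAYS,
                                       POLICIES, HOLDS).items():
        print(msg_id, decision)
```

Message m2 is the case to note: it is older than the finance policy allows, but it also matches the longer legal policy, so it is kept.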

4.1.8 Datacenters by Region
When setting up the Barracuda Cloud Archiving Service, use the MAS hostnames
based on your region. 

See Data Centers by Region in Barracuda Campus for the latest MAS hostnames by region.

4.2 Barracuda Cloud Archiving Service Deployment
Step 1. Add Users to Your Barracuda Cloud Control Account

Add users through Active Directory (AD) authentication, associating a role and the mailboxes
whose mail can be viewed with an AD user or group, or manually configure and assign roles to
local accounts in the web interface.

Understanding Roles
• User – Able only to view messages accessible to the account, either because the username
for the account is also that of the sender or recipient of a message, or because it has been
given explicit access to view an email address via Alias Linking.

• Auditor – Able to create and activate policies, and view, search, and export any messages to/
from the domains to which they have access. Additionally, Auditors can save and name an
Advanced search for re-execution at a later time from the Saved Searches tab. To create a
“Domain Auditor” (an auditor with access to only a subset of the domains on your Barracuda
Cloud Archiving Service), set the role to Auditor and specify at least one domain. If no
domains are specified, then all messages in the entire Barracuda Cloud Archiving Service
are accessible. No auditor account has access to any system or network configuration
information on the Barracuda Cloud Archiving Service.

• Admin – Able to view all items from any user, not just those listed for the account. Also able
to create and activate policies, and can make other system or network changes.

Active Directory Configuration


Use AD authentication to store and administer Barracuda Cloud Archiving Service user accounts
via your organization’s LDAP or Azure AD.

Use the following steps to set up Barracuda Cloud Control LDAP authentication.

Set Up LDAP
1. Log in to https://login.barracudanetworks.com/ as the account administrator.

2. In Barracuda Cloud Control, go to the Admin > Directories page, and click Add Directory
> LDAP Active Directory; the Create Directory wizard displays. In the Info page, specify
the following details:

a. Enter a name to represent the directory in the Directory Name field.

b. Toggle User / Group Sync to On to synchronize with AD.

c. Toggle Authenticate to On to allow users to authenticate using their LDAP AD
credentials. When toggled Off, users must authenticate using their Barracuda Cloud
Control credentials.

d. Optionally, enter the administrator contact email address.

3. Click Save & Continue.

4. In the Host page, enter your LDAP host details.

5. Click Add Domain; the domain is added to the Domains field. Click Verify.

6. Click Test to verify connectivity. If the connection is successful, Connected displays. If the
connection fails, verify the entered LDAP host details. Click Continue.

7. In the Domains page, click Add domain to add the domain to the AD configuration. Complete
this step for each domain you want to add.

8. To verify you own the domains you plan to include in your AD configuration, select the
manner in which to verify the domains:

• Copy a META tag to your domain header, or

• Add a TXT record to your host’s DNS management settings

9. Click Verify. Once the domain is verified, it is added to the Directories table in the Admin >
Directories page in Barracuda Cloud Control.

Use the following steps to set up Barracuda Cloud Control Azure AD authentication.

Set Up Azure AD
1. Log in to https://login.barracudanetworks.com/ as the account administrator.

2. In Barracuda Cloud Control, go to the Admin > Directories page, and click Add Directory >
Azure Active Directory; the Create Directory wizard displays.

3. Click Add Directory > Azure Active Directory; the Create Directory wizard displays. In the
Info page, enter a name to represent the directory in the Directory Name field.

4. Click Connect to Microsoft to sign in to Microsoft and authorize Barracuda Cloud Control to
connect to your Azure AD account.

5. Once authorization is complete, toggle User / Group Sync to On to
synchronize with Azure AD.

6. Toggle Authenticate to On to allow users to authenticate using their Azure AD credentials.
When toggled Off, users must authenticate using their Barracuda Cloud Control credentials.

7. Optionally, enter the administrator contact email address. Click Save & Continue.

8. Once verification is complete, your Azure AD domains display in the wizard. Click Done.

Use the following steps to associate LDAP or Azure AD users and groups to a role and
list of email addresses.

Associate a Role
1. Log in to https://login.barracudanetworks.com/ using your account credentials, and click
Archiver in the left pane.

2. Go to the Users > LDAP User Add/Update page. In the LDAP User/Group field, enter the
User or Group name to which the permissions apply.

3. Select the Role for the specified user or group account:

a. User Role – Specify mailbox addresses to include or exclude from the account. Click
Include these Addresses, and enter a mailbox address you want to make available to the
specified account. Click Add. Click Exclude these Addresses, and enter a mailbox address
you want to hide from the specified account. Click Add.

b. Auditor Role – Configure the desired permissions. Enter a Domain for which the auditor
can view mail, and click Add. Once you define Saved Searches on the Basic > Search
page in the web interface, you can select the Saved Search from the drop-down menu
to filter the auditor’s search results. Enter a mailbox address you want to hide from the
specified account in the Exclude these addresses field, and click Add.

c. Admin Role – Specify mailbox addresses that you want to hide from the specified
account, and then click Add.

4. Click Save.

Local accounts reside only on the Barracuda Cloud Archiving Service.

Manually Add Local Accounts


1. Log in to https://login.barracudanetworks.com/ using your account credentials, and click
Archiver in the left pane.

2. Go to the Users > User Add/Update page, and enter the user’s Email Address and
the User Display Name.

3. Enter all aliases associated with the entered email address, one entry per line.

4. Enter the account password and select the user role for the account.

5. If you select the user role Auditor, enter the following additional details:

a. Enter a domain for which the auditor can view messages and other Outlook items,
and click Add. Any messages that include an email address in the listed domains in
either the From, To, or CC/Bcc areas, or any items that belong to a user in the specified
domains, display in search results. To allow the auditor to view all items from all domains,
leave this field blank.

b. In the Saved Search drop-down menu, select a defined Saved-Search to automatically
apply to all searches performed by this auditor. Note that the parameters in the Saved
Search take precedence over any domain limitations that may be specified above, as well
as over any attempts by the auditor to Search As any other account.

Step 2. Add Email Domains

Add email domains and fully-qualified domain names (FQDNs) you want to archive. The FQDN
consists of a host or system name and domain name, including the top-level domain. Any
messages sent to any recipient in the listed domains are added to the archive.

Add Email Domains


1. Log in to https://login.barracudanetworks.com/ using your account credentials, and click
Archiver in the left pane.

2. Go to the Basic > Domain Management page, and enter the domain or FQDN in the
LOCAL DOMAINS field.

3. Click Add, and then click Save.



4.3 PST Import

4.3.1 PST File Import


You can import the contents of any .pst file from Microsoft Mail Sources > PST Import page,
set Allow PST File Uploads to Yes.

Before importing .pst files, ensure that LDAP services for your Active Directory
(AD) server are configured. This ensures that SMTP aliases associated with the
message sender and recipients are resolvable.

The Barracuda Cloud Archiving Service can accept one .pst file at a time for immediate import
from the web interface. Files that are imported directly in this manner are processed immediately
and their contents are added. Because processing files for import can be resource-intensive,
Immediate Import supports files of less than 250 MB in size.

To upload PSTs larger than 250 MB or to upload more than one PST at a time,
you can utilize an SFTP share. Contact Barracuda Technical Support to get
the SFTP share enabled.

Assign a PST File


Use the following steps to assign a PST file to an LDAP user and make the contents searchable
from within the web interface:

1. Log in to the web interface, go to the Basic > Search page, and click the PSTs & Tags tab.

2. Expand PSTs, and then expand the Unassigned PSTs folder.

3. Right-click on a PST file, and click Assign PST.

4. In the Assign PST dialog box, enter the first few characters of either the username or the
email address of the user to which to assign the PST file:

5. As you type in the user field, matching users display in a drop-down list. Select the user to
which to assign the PST file, and click OK.

The list of users populates based on your LDAP directory; you can only
assign a PST file to a user found in the list.

6. The PST file now displays in the Assigned PSTs folder under the selected user name.

You can also assign a PST file by dragging it to a specific user listed in the
Assigned PSTs folder.

Once a PST file is assigned to a user, the user can select and search PST folders and search
inside PST files one at a time.

Unassign a PST File


To unassign a PST file, complete either of the following actions:

• Right-click the PST file and click Unassign PST; the PST displays in
the Unassigned PSTs folder

• Click and drag the PST file to the Unassigned PSTs folder

4.3.2 Barracuda PST Enterprise


With Barracuda PST Enterprise, IT administrators can control email data stored by end-users in
individual PST files and those scattered across the organization, eliminating the risks associated
with PST files, as well as reducing ongoing costs and supporting IT requirements for Compliance
and eDiscovery.  For details on finding, migrating, and restoring PST files using Barracuda PST
Enterprise, refer to Barracuda PST Enterprise in Barracuda Campus.

4.4 User Roles

4.4.1 User Roles


Local accounts are created with one of the following roles:

• User – Able only to view messages accessible to the account, either because the username
for the account is also that of the sender or recipient of a message, or because it has been
given explicit access to view an email address via Alias Linking.

• Auditor – Able to create and activate policies, and view, search, and export any messages
to/from the domains to which they have access. Additionally, Auditors can save and name an
Advanced search for re-execution at a later time from the Saved Searches tab. To create a
“Domain Auditor” (an auditor with access to only a subset of the domains on your Barracuda
Cloud Archiving Service), set the role to Auditor and specify at least one domain. If no
domains are specified, then all messages in the entire Barracuda Cloud Archiving Service
are accessible. No auditor account has access to any system or network configuration
information on the Barracuda Cloud Archiving Service.

• Admin – Able to view all items from any user, not just those listed for the account. Also able
to create and activate policies, and can make other system or network changes.

The assigned role can be changed at a later date from the Users > Accounts page, but only the
last assigned role is active.

4.4.2 User Accounts


There are two types of accounts on the Barracuda Cloud Archiving Service:

• Local Accounts

• LDAP or Azure AD Accounts

4.4.3 Local Accounts


Local Accounts reside only on the Barracuda Cloud Archiving Service and are created on
the Users > User Add/Update page in the web interface.

Add Local Users


Use the following steps to manually create or update a user account:

1. Go to the Users > User Add/Update page.

2. Enter the user’s Email Address and enter the User Display Name.

3. Click Populate to retrieve all aliases associated with the LDAP for the entered email address;
note that you must configure an LDAP server on the Users > Directory Services page
to use this feature.

4. Enter the account password and select the user role for the account.

5. If you select the user role ‘Auditor’, enter the following additional details:

• Enter a domain for which the auditor can view messages and other Outlook items,
and click Add. Any messages that include an email address in the listed domains in
either the From, To, or CC/Bcc areas, or any items that belong to a user in the specified
domains, display in search results. To allow the auditor to view all items from all
domains, leave this field blank.

• In the Saved Search drop-down menu, select a defined Saved-Search to automatically
apply to all searches performed by this auditor. Note that the parameters in the Saved
Search take precedence over any domain limitations that may be specified above, as
well as over any attempts by the auditor to Search As any other account.

Local Account Email Alias Group Membership


Archived messages that are sent to a mailing group are visible in the personal message archive
for every member of that group. For example, if csmith@company.com, patjones@company.com,
and bdavis@company.com are all members of sales@company.com, then any message that is
sent to sales@company.com is available in the archives of all three users.

To enable this ability, you must be using an Active Directory or LDAP server, and the lists must
reside on those servers.

Local Account Alias Linking


LDAP users often have one primary email address that is their user account name along with
several aliases for convenience. For example, csmith@company.com might also receive
messages as chris.smith@company.com, chris@company.com, and c_smith@company.com.
For organizations that use LDAP, messages sent to any alias are also accessible from the
primary user account.

In addition, you can create a local user account on the Barracuda Cloud Archiving Service
that has access to archived messages for multiple users. For example, you want a single user
account to see emails for chris.smith@company.com, pat.jones@company.com, and
alex.pierce@company.com, in addition to the_boss@company.com. To do so, create a local
account on the Barracuda Cloud Archiving Service (for example, “local_boss”), and list as
aliases the email addresses to which that account is to have access.

List Aliases for a New Account


1. Go to the Users > User Add/Update page.

2. Enter the new user Email Address, and enter the User Display Name.

3. Enter all email addresses used as aliases for this user, one alias per line in
the User Aliases field.

4. Add the desired password for the account, and click the user role from the
Role drop-down menu.

5. Click Save to save the list of aliases for that user. This account is added to the Users > Local
Accounts page including its aliases.

4.4.4 LDAP Accounts
LDAP accounts reside in your LDAP directory. Once LDAP is configured on the Barracuda Cloud
Archiving Service, users can log in using their regular network credentials to view and create
flags for messages in their personal archive.

LDAP Account Email Alias Group Membership


LDAP users often have one primary email address that is their user account name along with
several aliases for convenience. For example, csmith@company.com might also receive
messages as chris.smith@company.com, chris@company.com, and c_smith@company.com.
For organizations that use LDAP, messages sent to any alias are also accessible from the
primary user account.

You can enter an LDAP group name in the LDAP User/Group field and select a role for that group.
When a member of that group logs in to the Barracuda Cloud Archiving Service, they log in
with the assigned role.

LDAP Account Include/Exclude Rules


You can define exclude/include rules on the Users > LDAP User Add/Update page to set
permissions on whose mail the LDAP user or group members can view. The addresses must
belong to a user, group, or public folder on a configured LDAP server. When a configured user
runs a search, the following rules are in place:

1. Mail for addresses added to the Exclude these Addresses list is not displayed
unless the mail includes the user performing the search; this ensures that a user can
always see their own mail.

2. The Exclude these Addresses list always takes precedence; addresses added to the Include
these Addresses list are searchable unless the Exclude these Addresses list blocks the mail.

3. Because a user with the Admin or Auditor role can by default view all mail, users set to these
roles can only edit their Exclude these Addresses list.

4. If a user is not configured and is a member of a group, then the include/exclude rules
assigned to that group apply to that user. Additionally, if the unconfigured user is a member
of multiple groups, then the privileges for all of those groups are merged and that user is
assigned the least privileged role of those groups. This allows the Admin to apply
include/exclude rules to all users of a distribution group.

• Example 1: If Brian is not individually configured but is a member of the distribution
group HR, then the Admin can set the include/exclude rules for the group HR, and
Brian uses these settings when searching mail rather than seeing only his own mail.

• Example 2: If Josh is not individually configured but is a member of the distribution group
HR which has an Auditor role, and Josh is also a member of the group Employees which
has a User role, Josh has only the User role privileges when running a search.

5. A user cannot run a Search As User search on the Basic > Search page for a user who is on
their Exclude these Addresses list.
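
The five rules above, including the group fallback from the Brian and Josh examples, can be expressed as a small access model. The following Python sketch is an added example, not Barracuda code: all names are hypothetical, the addresses are constructed, merged group lists are assumed to be unions, and a user with no configuration and no configured group is assumed to see only their own mail.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Sequence

ROLE_RANK = {"User": 0, "Auditor": 1, "Admin": 2}  # least to most privileged


@dataclass(frozen=True)
class Access:
    role: str
    include: FrozenSet[str] = frozenset()
    exclude: FrozenSet[str] = frozenset()


def _norm(addresses: Iterable[str]) -> FrozenSet[str]:
    return frozenset(a.strip().lower() for a in addresses)


def effective_access(user: str, user_rules: Dict[str, Access],
                     group_rules: Dict[str, Access],
                     memberships: Dict[str, Sequence[str]]) -> Access:
    """Rule 4: an unconfigured user inherits the settings of their groups."""
    if user in user_rules:
        return user_rules[user]
    groups = [group_rules[g] for g in memberships.get(user, ()) if g in group_rules]
    if not groups:
        return Access("User")  # assumption: falls back to own mail only
    role = min((g.role for g in groups), key=ROLE_RANK.__getitem__)
    include = frozenset().union(*(g.include for g in groups))  # assumption: union
    exclude = frozenset().union(*(g.exclude for g in groups))  # assumption: union
    return Access(role, include, exclude)


def can_view(own_addresses: Iterable[str], access: Access,
             participants: Iterable[str]) -> bool:
    """Decide whether a message shows up in the searcher's results."""
    people = _norm(participants)
    if people & _norm(own_addresses):
        return True                      # rule 1: a user always sees their own mail
    if people & _norm(access.exclude):
        return False                     # rule 2: exclusion beats inclusion
    if access.role in ("Admin", "Auditor"):
        return True                      # rule 3: these roles view all mail by default
    return bool(people & _norm(access.include))


def can_search_as(access: Access, target: str) -> bool:
    """Rule 5: Search As User is refused for an excluded address."""
    return target.strip().lower() not in _norm(access.exclude)


# Constructed sample configuration mirroring the Brian and Josh examples.
GROUP_RULES = {
    "HR": Access("Auditor", include=frozenset({"hr@example.com"}),
                 exclude=frozenset({"ceo@example.com"})),
    "Employees": Access("User", include=frozenset({"all-staff@example.com"})),
}
MEMBERSHIPS = {"brian": ["HR"], "josh": ["HR", "Employees"]}
BRIAN = effective_access("brian", {}, GROUP_RULES, MEMBERSHIPS)
JOSH = effective_access("josh", {}, GROUP_RULES, MEMBERSHIPS)

if __name__ == "__main__":
    print("brian:", BRIAN.role, "josh:", JOSH.role)
    print(can_view(["josh@example.com"], JOSH, ["pat@example.com", "hr@example.com"]))
```

Reviewing a configuration against a model like this makes the effect of multi-group membership visible: Josh ends up with the User role but still carries HR's exclusion of the CEO's address.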

4.5 End-User Access

4.5.1 Barracuda Cloud Archiving Web Interface


Users can log in to the Barracuda Cloud Archiving Service through Barracuda Cloud Control
and search messages to which they have access privileges. If you are performing large or
complex search queries, or a search for the purpose of litigation, Barracuda recommends using
the Advanced Search option via the web interface rather than through the Outlook Add-In,
Stand-Alone Search Utility, or Mobile app.

Search Using the Barracuda Cloud Archiving Web Interface


Use the following steps to search the Barracuda Cloud Archiving Service:

1. Log in to https://login.barracudanetworks.com/, click Archiver in the left pane, and
go to the Search page.

2. Enter your search criteria, and click Search.

3. All matching search results display in the Archive Search table.

4.5.2 Barracuda Outlook Add-In


The Barracuda Outlook Add-In search results are limited based on your assigned role and
customization options applied during deployment. For example, if you are assigned the User role,
the search result is limited to 50,000 messages. For best results, refine your search criteria.

For discovery purposes, Barracuda recommends logging in to the web interface, and running
your search using the Advanced Search option.

For deployment options, see Barracuda Outlook Add-In Deployment in Barracuda Campus.

Deploy the Barracuda Outlook Add-In


Before installing the Barracuda Outlook Add-In, you must close Outlook.

1. Log in to the Barracuda Cloud Archiving Service, and navigate to the Users >
Client Downloads page.

2. Click Download Now to the right of the Outlook Add-In Installer to download the executable
file to your local system.

3. Run the .exe file to launch the Setup Wizard.

4. Follow the onscreen instructions to install the Outlook Add-In.

For additional configuration options, refer to How to Install and Configure the Barracuda Outlook
Add-In in Barracuda Campus.

Search Archived Items
To search archived items, click the Search Archive icon to open the Search dialog box:

• Look for drop-down menu – Select the type of item you wish to search for; select Any type
of Item, Appointments, Contacts, Messages, Notes, Social Media, or Tasks.

• In drop-down list – Select the search location:

• All data – Search everywhere in the selected item type

• Specific folders – Click Specific folders, or click Browse to select one or more folders
across all of your Archiver stores in which to search; click OK to save your selections

• In drop-down list – Select the search location:

• Entire message

• Subject or body

• Subject only

• Body only

• Keyword expression

Archive Message Size Limit

Items archived using the Outlook Add-In buttons have a 300MB size limit.

The Barracuda Outlook Add-in tool includes an option to immediately archive a selected item(s).

Archive a Message
1. Select the desired item(s) in Outlook, and click the Archive icon; a progress window displays
while the item(s) is archived.

2. Double-click the archived message to open it in the message view.

Using this feature immediately sends the message for archiving; however, if
the Barracuda Cloud Archiving Service is currently in the midst of archiving
other messages, it may be a matter of minutes or even hours before the
archived messages are available. Once archived, the message appears in
the Barracuda Outlook Add-in search results.

4.5.3 Barracuda Stand-Alone Search Utility


Use the Barracuda Stand-Alone Search Utility to search archives without using the Barracuda
Outlook Add-In or logging in to the Barracuda Cloud Archiving web interface. When enabled
by the administrator, you can download and install Barracuda Archive Search on your
Windows-based or Mac OS X-based system.

Barracuda Archive Search results are limited based on your assigned role and customization
options applied during deployment. For example, if you are assigned the User role, the search
result is limited to 50,000 messages. For best results, refine your search criteria.

For discovery purposes, Barracuda recommends logging in to the web interface, and running
your search using the Advanced options on the Basic > Search page.

For deployment instructions, see Barracuda Stand-Alone Search Utility Deployment Kit in
Barracuda Campus. You can install the utility on Windows or Mac OS X.

4.5.4 Barracuda Mobile Companion App


The Barracuda Mobile Companion app, available for Android and iOS, provides easy access to
historical emails stored on your organization’s Barracuda Cloud Archiving Service including:

• Search for archived messages based on email content, or constrain the search to a date
range, a specific sender or recipient, or subject line content;

• Search deleted messages and emails no longer visible in your mail application;

• View and interact with (reply to, reply all, forward) archived messages;

• Save a search query; and

• Redeliver messages to your mailbox using the Resend to Me option.

4.6 Tools and Add-Ins

4.6.1 Barracuda Outlook Add-In


The Barracuda Outlook Add-In allows users to perform various functions with messages stored
through your organization’s Barracuda Cloud Archiving Service. The administrator can deploy and
configure the Outlook Add-In for all users in the service using the Outlook Add-In deployment
kit, or deploy via the Exchange manifest to automatically deploy the Outlook Add-In to all user
mailboxes. Optionally, you can allow users to individually install and configure the add-in.

To deploy using the Outlook Add-In Deployment Kit, first download and launch the .msi file.
Follow the onscreen instructions in the wizard to install the deployment kit. Copy the ADMX files
to your domain policy definitions directory on the domain controller, and then configure and
deploy the Outlook Add-In using the Group Policy Editor for the domain where you are installing
the add-in. The Outlook Add-In supports Outlook versions 2010, 2013, and 2016. See Barracuda
Campus for detailed deployment instructions.

To deploy the add-in using the Manifest file, download the manifest file from the web interface.
An XML file is generated and installed, and the manifest is automatically deployed to all user
mailboxes. Archive search is activated once a user clicks on a message, composes a new
message, or clicks on or creates an appointment.

Once enabled via the Manifest file, users can search their archives from:

• Outlook 2013 or 2016;

• Outlook 2016 for Mac;

• Outlook Web Access (OWA); and

• Outlook apps for mobile platforms including Windows Phone, iOS devices,
and Android devices.

To allow individual users to install and use the Outlook Add-In, set Enable Client Access on the
Users > Client Downloads page to Yes. Once enabled, users can download the add-in from the
Basic > Client Downloads page.

The Barracuda Outlook Add-In search results are limited based on your assigned role and
customization options applied during deployment. For example, if you are assigned the User role,
the search result is limited to 50,000 messages. For best results, refine your search criteria.

4.6.2 Stand-Alone Search Utility


The Stand-Alone Search Utility allows users to search their own archived messages directly from
their desktop, without using the Barracuda Outlook Add-In or logging in to the Barracuda Cloud
Archiving Service web interface, and to perform such actions as forwarding or replying to
messages.

You can deploy the search utility to all users in your organization using the deployment kit, or
allow Windows and Mac users to individually install and configure the search utility.

To deploy using the Deployment Kit, download and extract the contents of the kit, including the
MSI and ADMX files. Use the Group Policy Object Editor to install, configure, and deploy the
stand-alone search utility. See Barracuda Campus for step-by-step setup instructions.



To allow individual users to install and use the Stand-Alone Search Utility, set Enable Client
Access and Show Stand-Alone Search Utility on the Users > Client Downloads page to Yes.
Once enabled, users can download the utility from the Basic > Client Downloads page.

4.6.3 Mobile Companion App


The Barracuda Companion mobile app is available for Android, iPhone, iPod Touch, and iPad.
Use the mobile app to perform various actions with your messages stored in your organization’s
Barracuda Cloud Archiving Service. To allow users to install and use the mobile apps, set Show
Mobile Apps on the Users > Client Downloads page to Yes. Once enabled, users can download
the mobile app from the Basic > Client Downloads page.

For Android installation, simply download and install the latest Android Barracuda Companion
mobile application available from the Google Play Store to your Android device. Launch the app,
and enter your corporate email credentials in the provided fields. Enter your MAS hostname in
the Host field, and click Login. You can now search your archived emails.

For iOS installation, download and install the latest iPhone Barracuda Archive Search application
from iTunes. Launch the app, and tap Barracuda Essentials in the Welcome screen. Enter your
corporate email credentials in the provided fields, and enter your MAS hostname in the Host field.
Tap Save. You can now search your archived emails.

See Data Centers by Region in Barracuda Campus for MAS hostnames based on your region. 



4.7 Exchange Integration
To forward mail to the Barracuda Cloud Archiving Service, the Essentials Wizard sets up journaling
from your Office 365 environment to the Barracuda Cloud Archiving Service including:

• Remote domain

• Send connector

• Journaling rule for the Barracuda Cloud Archiving Service

4.7.1 Exchange Operations


Configure actions that the Barracuda Cloud Archiving Service is to execute on Microsoft Office
365 Exchange Online on the Mail Sources > Exchange Integration page in the web interface.
Define the following operations:

• Email Import – Import all Microsoft Exchange Online email into the service that meets
the specified criteria.

Importing is a one-time event and can only be scheduled for immediate
execution. An additional date parameter is required when importing
messages, where the date is defined to be either the date that the message
was created on Exchange, or the date that appears in the Date field in the
message, whichever produces more results. This option imports all Exchange
items along with the folder information. If you want to update all folder
information only and none of the contents, use the Folder Sync option.

• Non-Email Sync – In addition to emails that are automatically sent from Microsoft Office 365
Exchange Online to the Barracuda Cloud Archiving Service for storage, you can configure
non-email items such as Appointments, Contacts, Notes, and Tasks for archive. This enables
you to get a more complete picture of all items that are or have been stored on your
Exchange Server, and eliminates the need to keep .pst files around solely for the purposes of
retaining this information.

• Folder Sync – Import the complete folder structure of the selected Item Sources, including
custom folders and sub-folders. The nightly folder synchronization process scans the
specified Microsoft Office 365 Exchange Online user mailboxes, and imports the user’s
folder structure, including custom folders and sub-folders, into the Barracuda Cloud
Archiving Service. Note that a Folder Sync job does not import emails to the Barracuda
Cloud Archiving Service; it only imports the folder structure. Email messages are sent to the
Barracuda Cloud Archiving Service via real-time journaling.

When you schedule an action, you must configure the Exchange environment on which to base
the action. When setting up the Exchange import job in the web interface:

• Use the Exchange Online MX hostname followed by outlook.com;

• Use the GUID@domain-style hostname available when setting up an Outlook profile; or

• Use https://testconnectivity.microsoft.com/



4.7.2 Email Import
Use the following steps to automatically discover settings; for manual configuration, see How to
Configure Microsoft Exchange Online Email Import in Barracuda Campus.

Configure Microsoft Exchange Online Email Import


1. Log in to the Barracuda Cloud Archiving Service as the administrator, and go to Mail Sources
> Exchange Integration.

2. Click Start New Action. In the Select Action page, click Email Import.

3. In the Select Server page, click Add New Server.

4. In the Add New Server dialog, enter a name to identify the configuration as well as the
service account Username/Password. 

5. Click Autodiscover; when the details display, click Save to add it to
the Server table. Click Continue.

6. In the Configure Action page, select All Users from the Source drop-down menu.

7. In the Schedule section, select Now for a one-time import, or click Nightly to configure an
ongoing nightly data import.

8. Click Continue.

9. Verify the configuration settings in the View Summary page, and click Submit to add
the Email Import to the Scheduled Actions table.

4.7.3 Configure Office 365 Exchange Online Service Account and Import Historical Data
An Office 365 Exchange Online service account provides Exchange Server directory permissions
to grant the Barracuda Cloud Archiving Service read access to all mailboxes.

You must have the following to complete this configuration:

• Windows 8 or 8.1

• Windows Server 2012 or Windows Server 2012 R2

• Windows 7 Service Pack 1 (SP1)

• Windows Server 2008 R2 SP1

• Microsoft .NET Framework 4.5 or 4.5.1 and either the Windows Management Framework 3.0
or the Windows Management Framework 4.0

• Verify the service account has a mailbox, and is not hidden in the Global Address list



Microsoft Exchange Online message throttling policies set bandwidth limits and
restrict the number of processed messages. Throttling is enabled by default
in Microsoft Exchange Online. Currently you cannot set policies to disable
throttling in Exchange Online; for details, refer to the Microsoft Outlook dev
blog. Barracuda is working on a solution to provide this option in the future.

Step 1. Connect to Office 365 Exchange Online


1. Open Windows PowerShell, enter the following command, and then press Enter:
$UserCredential = Get-Credential

2. In the Windows PowerShell Credential Request dialog box, enter your Exchange Online user
name and password, and then click OK.

3. Enter the following command, and then press Enter:


$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

See the Microsoft TechNet article Connect to Exchange Online PowerShell
for more information.

4. Enter the following command, and then press Enter:


Import-PSSession $Session

5. Enter the following command, and then press Enter:


Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User ServiceAccount@domain.com -AccessRights fullaccess -InheritanceType all -Automapping $false

Permissions are assigned on existing mailboxes only; if additional
mailboxes are added to your organization, you must rerun this command.
For more information on adding mailbox permissions, see
Add-MailboxPermission in Microsoft TechNet. For information on testing
mailbox rights, see Get-MailboxPermission in Microsoft TechNet.
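Because the command above grants access only on mailboxes that exist when it runs, coverage is worth checking whenever mailboxes are added. The following PowerShell is an added example, not part of the handbook or of Barracuda's tooling: Get-ArchiveAccessGap is a hypothetical helper, the sample objects are constructed, and it assumes the Identity on each Get-MailboxPermission entry matches the Identity of the mailbox it belongs to.

```powershell
# Added example (not from the handbook). Get-ArchiveAccessGap is a hypothetical
# helper that reports mailboxes the archiving service account cannot fully read.

function Get-ArchiveAccessGap {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-Mailbox output
        [Parameter(Mandatory)] [object[]] $Mailbox,
        # Objects shaped like Get-MailboxPermission output
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Permission,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )

    $allowed = @{}   # mailbox Identity -> Allow FullAccess entry exists
    $denied  = @{}   # mailbox Identity -> Deny FullAccess entry exists

    foreach ($entry in $Permission) {
        # String comparison with -ne is case-insensitive in PowerShell.
        if ("$($entry.User)" -ne $ServiceAccount) { continue }
        # AccessRights may be an array or a deserialized collection; flatten it to text.
        if ("$($entry.AccessRights)" -notmatch '\bFullAccess\b') { continue }

        $key = "$($entry.Identity)"
        if ($entry.Deny -eq $true) { $denied[$key] = $true } else { $allowed[$key] = $true }
    }

    foreach ($m in $Mailbox) {
        $key    = "$($m.Identity)"
        $reason = $null
        if ($denied.ContainsKey($key)) {
            $reason = 'Deny entry overrides FullAccess'
        }
        elseif (-not $allowed.ContainsKey($key)) {
            $reason = 'No FullAccess entry for service account'
        }

        if ($reason) {
            [pscustomobject]@{
                Mailbox = "$($m.PrimarySmtpAddress)"
                Created = $m.WhenCreated
                Reason  = $reason
            }
        }
    }
}

# In a live session the inputs would come from the cmdlets the handbook uses:
#   $mailboxes   = Get-Mailbox -ResultSize unlimited
#   $permissions = $mailboxes | ForEach-Object { Get-MailboxPermission -Identity $_.Identity }

# Constructed sample data so the logic can be run without a tenant.
$svc = 'ServiceAccount@domain.com'   # placeholder account name used in the handbook

$mailboxes = @(
    [pscustomobject]@{ Identity = 'alice'; PrimarySmtpAddress = 'alice@domain.com'; WhenCreated = [datetime]'2020-01-10' }
    [pscustomobject]@{ Identity = 'bob';   PrimarySmtpAddress = 'bob@domain.com';   WhenCreated = [datetime]'2020-02-03' }
    [pscustomobject]@{ Identity = 'carol'; PrimarySmtpAddress = 'carol@domain.com'; WhenCreated = [datetime]'2020-02-04' }
    [pscustomobject]@{ Identity = 'dave';  PrimarySmtpAddress = 'dave@domain.com';  WhenCreated = [datetime]'2019-11-20' }
)

$permissions = @(
    # alice: granted when the handbook's command was last run
    [pscustomobject]@{ Identity = 'alice'; User = $svc; AccessRights = @('FullAccess'); Deny = $false }
    # bob: created afterwards, only the owner's own entry exists
    [pscustomobject]@{ Identity = 'bob'; User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); Deny = $false }
    # carol: service account present but with a weaker right
    [pscustomobject]@{ Identity = 'carol'; User = $svc; AccessRights = @('ReadPermission'); Deny = $false }
    # dave: an explicit Deny sits next to the Allow
    [pscustomobject]@{ Identity = 'dave'; User = $svc; AccessRights = @('FullAccess'); Deny = $false }
    [pscustomobject]@{ Identity = 'dave'; User = $svc; AccessRights = @('FullAccess'); Deny = $true }
)

Get-ArchiveAccessGap -Mailbox $mailboxes -Permission $permissions -ServiceAccount $svc
```

Mailboxes reported here are the ones an Email Import running as the service account would not be able to read until the permission command is rerun.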

Step 2. Import from Office 365 Exchange Online

When setting up the Exchange import job in the web interface, use the
GUID@domain-style hostname available when setting up an Outlook profile or use
https://testconnectivity.microsoft.com/.

Automatically Discover Settings



1. Log in to the Barracuda Cloud Archiving Service as the admin, and go to Mail Sources >
Exchange Integration.

2. Click Start New Action. In the Select Action page, click Email Import.

3. In the Select Server page, click Add New Server.

4. In the Add New Server dialog box, enter a Configuration Name, the email address for the
service account and the service account password.

5. Click Autodiscover.

6. If autodiscover is unable to identify your settings, manually configure settings.

Manually Obtain Exchange Hostname Using PowerShell

Use the steps in this section only if Autodiscover is unable to identify your
settings.

1. Open Windows PowerShell, and connect to Office 365 Exchange Online.

2. Enter the following command, and then press Enter: 


$UserCredential = Get-Credential

3. In the Windows PowerShell Credential Request dialog box, enter your Exchange Online
admin username and password, and then click OK.

4. Enter the following command, and then press Enter:


$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

See the Microsoft TechNet article Connect to Exchange Online
PowerShell for more information.

5. Enter the following command, and then press Enter:


Import-PSSession $Session

6. Enter the following command, and then press Enter:


Get-Mailbox -Identity <username for service account> | Format-List ExchangeGuid, PrimarySMTPAddress



7. To determine the Exchange Hostname, combine the ExchangeGuid with the domain portion
of the PrimarySMTPAddress in the form ExchangeGuid@domain.com.

8. To close out the remote PowerShell session, enter the following command,
and then press Enter:
Remove-PSSession $Session

Manually Configure Server Settings for Email Import

1. Log in to the Barracuda Cloud Archiving Service as the admin, and go to Mail Sources >
Exchange Integration.

2. Click Start New Action. In the Select Action page, click Email Import.

3. In the Select Server page, click Add New Server.

4. In the Add New Server dialog, click Configure Manually; enter the Exchange details:

a. Configuration Name – Enter a name to identify the configuration. For
example, type: testdomain

b. Exchange Hostname – Enter the ExchangeGUID@Domain configured in the previous
section. For example, type: 2ee256dd-35d2-44e9-89c9-3df7987f93@domain.com

c. Username – Enter the service account username. For example, type:
ServiceAccount@testdomain.com

d. Password – Enter the password associated with the username.

e. Exchange 2013 – Select Yes.

f. Advanced Options – In the Proxy Server field type outlook.office365.com.

5. Click Save to add your configuration, and close the dialog box.

6. In the Configure Action page, click Continue.

7. In the View Summary page, select All Users from the Source drop-down menu.

8. Specify the desired Date and Schedule settings. Click Continue.

9. Verify the configuration settings in the View Summary page, and then click Submit to add the
Email Import to the Scheduled Actions table.



4.7.4 Archive Non-Email Items
In addition to emails that are automatically sent from Microsoft Office 365 Exchange Online to
the Barracuda Cloud Archiving Service for storage, you can configure non-email items such as
Appointments, Contacts, Notes, and Tasks for archive. This enables you to get a more complete
picture of all items that are or have been stored on your Exchange Server, and eliminates the
need to keep .pst files around solely for the purposes of retaining this information.

The archiving, or synchronization, of all non-email items is configured on the Mail Sources >
Exchange Integration page. You can configure synchronization of all or a portion of the Outlook
items, be it for all or selected users, on a recurring basis.

4.7.5 Synchronize Folders


The nightly folder synchronization process scans the specified Microsoft Office 365 Exchange
Online user mailboxes, and imports the user’s folder structure, including custom folders and
sub-folders, into the Barracuda Cloud Archiving Service. Note that a Folder Sync job does not
import emails to the Barracuda Cloud Archiving Service; it only imports the folder structure. Email
messages are sent to the Barracuda Cloud Archiving Service via real-time journaling.

You can specify folder structure synchronization for all or selected users on the Mail Sources >
Exchange Integration page based on the selected item source, and optionally specify a specific
server from which to archive. The synchronization process can be scheduled to run as soon
as possible, creating a one-time job that is not repeated, or configured to run nightly. When
configured to run nightly, the process starts at 10 PM when the additional system load on the
Barracuda Cloud Archiving Service least impacts users.

Move Email Between Folders


When the user moves an email between folders, the Barracuda Cloud Archiving Service updates
the location of the email once the next nightly folder sync job runs and captures the new email
location information. Additionally, the Barracuda Cloud Archiving Service keeps track of all folders
in which an email has historically been located. Note that this does not cause any extra copies of
the mail to be stored; the association is performed by associating the email message ID
with the name of the folder(s) in which the email should be shown.

Folder Sync
Outlook system folders (for example, Drafts, Sync Issues), Inbox, Deleted Items, and Sent Items
are not synchronized; a user’s custom folders under Inbox are scanned. In the Barracuda Cloud
Archiving Service’s folder view, data is shown in Inbox and Sent Items based upon the header
information in the mail itself. An email displays in a user’s Inbox if that user is on the recipient list,
and is visible in their Sent Items if the user’s SMTP address, or email aliases, appears in the From
header of the email.

When email is sent to the Barracuda Cloud Archiving Service via journaling, any emails in
the Deleted Items folder will have already been archived to the Barracuda Cloud Archiving
Service from the Inbox.



4.8 Search Options
You can conduct a search on the following aspects of a message:

• Message body content;

• Recipients and senders;

• Attachment type and content;

• Date

Searches can only be made over messages that the searcher has read access to, so privacy
is always preserved. Use the Basic Search page for quick one-time searches, or go to the
Advanced Search page for a full array of search options including complex search queries and
the ability to save searches. Saved Searches are the basis for Policy Alerts, used by Auditors
and Administrators to monitor compliance, and Retention Policies, to purge messages from the
archiver that are older than a specified date.

Punctuation is treated as white space in search strings with the following exceptions:

• Email addresses and Internet hostnames – Treated as single searchable tokens.
Example: user1@mycompany.com is treated as a single searchable token.

• Period (.) – When not followed by whitespace, a period is treated as part of a word.
Example: 1.2 is treated as a single searchable token.

• Hyphen (-) – When a token containing a hyphen also contains a number, the complete item is
treated as a part of the number. 
Examples:
MD-1800 is considered a searchable word, including the hyphen.
hyphen-madness is treated as two words (“hyphen” “madness”) with the hyphen
treated as whitespace.

4.8.1 Message Actions


Easily collect messages for exporting or forwarding and add tags to messages for future
re-identification. You can control whether any or all of these actions are available to users on the
Basic > Administration page, in the Search Page Settings section.

When virus scanning is enabled on the Basic > Virus Checking page, forwarded
and exported messages are scanned for viruses. When disabled, forwarded
and exported messages are not scanned for viruses.

Messages journaled directly from Microsoft Exchange have additional hidden information, such as
bcc recipients and other SMTP data. End-users do not have access to this information; however,
for compliance reasons you may want to include this hidden information when messages are
exported or forwarded by the administrator or auditor. The Preserve Journal Wrappers setting,
also in the Search Page Settings section, causes the body of an exported or forwarded message
to consist of the complete envelope information with the actual contents of the email turned into
an attachment to the message.



If an option is not visible in the web interface, the administrator must enable the
option on the Basic > Administration page in the Search Page Settings section.

4.8.2 Search as User


From the Tools menu, select Search as User to execute a search across only those
messages that are accessible by the selected user. When this option is selected, a pop-
up appears prompting you for the username or email address whose access should be
emulated for the search.

4.8.3 Select Messages


The standard selection controls apply when selecting messages in the list view:

• To select one message, single-click on the desired message.

• To select multiple consecutive messages, single-click on a message, and Shift-click on
another message to select both messages along with all messages listed between those two
in the Message List.

• To select multiple individual messages, single-click on one message, and Ctrl-click on every
other message you want to select.

4.8.4 Resend to Me
To redeliver selected messages to your mailbox, select one or more messages, and then
click Resend to Me located at the top of the message list.

4.8.5 Export Messages


Once a search is executed and the results are listed in the Basic > Search page, you can choose
to export one or more of these messages as a .pst or .zip file.

To export one or more messages, select the desired item(s) from the message list using Shift- or
Ctrl-click to select multiple messages. Click the Tools menu at the top of the message list, and
click Export Messages. In the window select the desired action and export method. The desired
messages are gathered into a single .pst or .zip file:

• Export Name – A label used to identify this export task.

• Export Type – The format used to export messages:

• A single PST file suitable for loading into Microsoft Outlook

• A single ZIP file containing individual .eml files for each message, with files named under
one of the following conventions:

• Numerical – Serial counter, beginning with 0.

• Date – A string of numbers representing the date and time of the message.



• Date/From/To – A (long) string containing the date, time, sender and
recipient of the message.

• Content – Specify whether to export the Current Search Results or Selected Messages.

• Export to – Select whether to export to the Barracuda Cloud Archiving Service for download to
your local system, or to a Barracuda Copy account.

• Chunk Size – Select the chunk size for the PST or ZIP export as 800MB, 4.7GB, or specify a
custom chunk size in gigabytes.

• Folder Data – Select Export if present to include folder data. Note that this option
is only available when logged in as an LDAP user; this option is not available when
logged in as the admin.

4.8.6 Forward Messages


Once you execute a search and the results display in the Basic > Search page, you can specify
one or more of these messages to be forwarded to a desired list of recipients.

To forward one or more messages, select the desired item(s) from the message list using Shift- or
Ctrl-click to select multiple messages. Click on Tools located at the top of the message list, and
select the desired action. A pop-up dialog prompts you for the email addresses of those users
that are to receive the selected messages; use semi-colons to separate multiple email addresses:

• Forward Selected – Each message selected in the Message List is individually forwarded
(re-delivered) to the specified email address. When this option is selected, a pop-up
prompts you for the desired forwarding email address. Use commas to separate multiple
delivery destinations.

• Forward All – All messages currently in the Message List are individually forwarded
(re-delivered) to the specified email address. When this option is selected, a pop-up
prompts you for the desired forwarding email address. Use commas to separate multiple
delivery destinations.

4.8.7 Tag Messages


Tag messages to easily identify any messages for future use. Tags can be any text, and can be
accessed only by the account that created them.

To tag one or more messages, execute a search in the Basic > Search page, and select the
desired item(s) from the message list using Shift- or Ctrl-click to select multiple messages. Click
PSTs & Tags, click on Tools located at the top of the message list, and select the desired Tag
action. A pop-up dialog prompts you for the tag text. Tags can then be used as search criteria,
allowing you to easily retrieve these messages at a later time:

• Tag Selected – Only the messages that have been selected in the Message List are
tagged. When this option is selected, a pop-up prompts you for the text with which
to tag the messages.

• Tag All – All messages currently in the Message List are tagged. When this option is selected, a
pop-up prompts you for the text with which to tag the messages.

• Untag Selected – All tags are removed from the selected messages; you cannot remove
individual tags on a message.



4.8.8 Search As User
Execute a search across only those messages that are accessible by a specific user. When this
option is selected, a pop-up prompts you for the username or email address of the user whose
access should be emulated for the search.

4.8.9 Available Actions


Many different actions are possible from the Advanced Search interface that help you to build
and save queries with multiple search parameters:

• Add search parameters – Click on the plus sign (+) located to the extreme left of a search
criteria line; a new search parameter line is added.

• Remove a search parameter – Click on the minus sign (-) located to the left of the search
parameter you wish to remove.

• AND or OR search parameters – Click AND at the end of a search parameter to signify
that it is to be logically ANDed to the next specified parameter. If your next criteria is to be
logically ORed, click AND to toggle it to OR.

• Save a constructed query – In the SAVE AS field, enter the name under which the query
is to be saved, and click SAVE AS. If you enter a name that already exists, the new search
parameters overwrite the previously saved parameters under that name.

• Run a previously-saved search – Select the Saved Search from the pulldown menu to load the
search parameters onto the page, then click Search.

4.8.10 Build Search Queries


When including both AND and OR search terms in a query, the order in which these terms are
placed is important. For example,

1. Add the first term “A”, and then add term “and B”; the query searches as: (A AND B)

2. Add a term “or C”; the query searches as: ((A AND B) OR C)

3. Add a term “and D”; the query searches as: (((A AND B) OR C) AND D)

This affects preparation and ordering of Advanced Search queries as follows. Typically, you
first build a population of results by using “OR”, and then subtract items from that population by
using “AND”. For example,

TermA OR
TermB OR
TermC AND
TermD

If you want to force a different order of operations by placing parentheses yourself, use the
Keyword Expressions search mode and construct your query according to those guidelines.
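The left-to-right grouping described above, worked through as an added PowerShell example that is not part of the handbook: ConvertTo-GroupedQuery and Test-GroupedQuery are hypothetical helpers, the three messages are constructed, and plain substring matching stands in for the service's real term matching.

```powershell
# Added example (not from the handbook). Each Advanced Search line is modelled as
# a term plus the AND/OR toggle that joins it to the next line.

function ConvertTo-GroupedQuery {
    param(
        [Parameter(Mandatory)] [string[]] $Term,
        [string[]] $Operator = @()
    )
    if ($Operator.Count -ne ($Term.Count - 1)) {
        throw 'Supply exactly one AND/OR between each pair of terms.'
    }
    # Every added term wraps everything entered so far in one more pair of parentheses.
    $expr = $Term[0]
    for ($i = 1; $i -lt $Term.Count; $i++) {
        $expr = '({0} {1} {2})' -f $expr, $Operator[$i - 1].ToUpper(), $Term[$i]
    }
    return $expr
}

function Test-GroupedQuery {
    param(
        [Parameter(Mandatory)] [string]   $Text,
        [Parameter(Mandatory)] [string[]] $Term,
        [string[]] $Operator = @()
    )
    if ($Operator.Count -ne ($Term.Count - 1)) {
        throw 'Supply exactly one AND/OR between each pair of terms.'
    }
    # Assumption: case-insensitive substring match stands in for the real index lookup.
    $result = $Text.IndexOf($Term[0], [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    for ($i = 1; $i -lt $Term.Count; $i++) {
        $next = $Text.IndexOf($Term[$i], [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        if ($Operator[$i - 1] -eq 'AND') { $result = $result -and $next }
        else                             { $result = $result -or  $next }
    }
    return $result
}

# Constructed sample messages.
$messages = @(
    'Invoice attached for the contract renewal'
    'Invoice reminder'
    'Contract signed, wire transfer scheduled'
)

# Same three terms, entered in two different orders.
$populationFirst = @{ Term = 'invoice', 'wire', 'contract'; Operator = 'OR', 'AND' }
$filterFirst     = @{ Term = 'contract', 'wire', 'invoice'; Operator = 'AND', 'OR' }

ConvertTo-GroupedQuery @populationFirst
ConvertTo-GroupedQuery @filterFirst

foreach ($text in $messages) {
    [pscustomobject]@{
        Message         = $text
        PopulationFirst = Test-GroupedQuery -Text $text @populationFirst
        FilterFirst     = Test-GroupedQuery -Text $text @filterFirst
    }
}
```

The message that mentions only an invoice matches the second ordering but not the first, which is the difference that matters when a saved search feeds a Policy Alert or Retention Policy.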

4.8.11 Advanced Search Parameters 


Select the area of a message to which the search criteria applies.



Note that the browser time zone is used unless the time zone is specified in
a search query. For example, set the search criteria to All - Date - is equal to -
2013-01-21 15:41:50 -0500 where -0500 is the time zone.

For a list of advanced search parameters, see Advanced Search Options in Barracuda Campus.

4.8.12 Search Strings


A search string is the format that the searched-for text must be in for searches through the
Barracuda Cloud Archiving Service. The search query tips in this article apply to both Basic and
Advanced search queries. When you enter terms in Basic Search mode, the search strings are
treated in the same manner as Advanced Search criteria formed with “All” “Entire Message”
“contains” criteria.

• Text-Based Search Strings – A single string or phrase of text, to be matched exactly as
entered. Valid formats are: a single word (with no whitespace) or a single double-quoted
sequence of words (separated by spaces).

• Integer Number-Based Search Strings – A single integer string in bytes to be matched
exactly to an index attribute as entered. Valid formats are: a single number (with no
whitespace). To find a range, use a Compound Search String. For example:

• Multi-Text Search Strings – A collection of Text-based words or phrases, separated by
spaces. Each item listed must match somewhere, but they do not have to be adjoining or
found in the order supplied. For example:

4.8.13 Keyword Expressions


Keyword expressions allow you to construct your own complex queries in Advanced Search,
letting you combine multiple keyword-based search terms that follow this basic syntax:
search_field:phrase. For a list of search_field values, refer to Keyword Expressions in Barracuda Campus.

The phrase can only contain a single item. However, that one item can be any
one of the following:

• a single Text-based string;

• a single Integer number-based string;

• a single Wildcarded string;

• a single Domain-based string (for to and from search_field only);

• a single compound search string created by combining multiple strings with the
keywords AND and OR, and grouping the phrases with parentheses to control the logic.

When creating compound search strings, the keywords ‘AND’ and ‘OR’
must be capitalized.



4.8.14 Wildcards
Wildcards are characters in search strings that can match arbitrary characters in a search. They
can ONLY be used as part of a single word, and are NOT allowed as the first character of a
search word. They are also NOT allowed in any double-quoted string containing multiple words
(i.e., spaces). Wildcards are not allowed as part of a phrase, or any search string that is comprised
of more than one word, regardless of the use of double quotes.

• Asterisk (*) – The asterisk (*) is a multi-character wildcard, matching zero or more
occurrences of any and all characters.

• Question mark (?) – The question mark (?) is a single-character wildcard, matching a single
occurrence of any one character. The number of question marks used denotes the exact
number of characters that must be matched.

4.8.15 Domain-Based Search Strings


The domain part, or everything after the at-sign (@), of an email.

4.8.16 Compound Search Strings


(Only Used in Keyword Expressions)

When creating compound search strings, the keywords ‘AND’ and ‘OR’
must be capitalized.

A combination of two or more strings in any of the above formats (Text-based, Multi-Text,
Wildcard, or Domain as applicable to the fields being searched) or with other Compound
search strings, each separated by the keywords AND or OR. Surround logical groupings with
parentheses as needed to determine order of operations.

Compound search strings of increasing complexity can be constructed by combining multiple
compound phrases themselves, to create a single query that identifies multiple search locations
in addition to multiple search patterns.

4.8.17 Stop Words


Stop Words are common words that are ignored in searches, and may be omitted.

Recognized Stop Words are:


a, an, and, are, as, at, be, but, by, for, if, in, into, is, it, no, not, of, on, or, such, that, the, their, then,
there, these, they, this, to, was, will, with

Stop Words are also ignored in wildcard searches, so make sure that the wildcards are attached
to letters that do not comprise a Stop Word in its entirety.

4.8.18 Punctuation in Search Strings


In general, punctuation is treated as whitespace, and thus a delimiter between searchable
items. However, the following punctuation exceptions exist:



• Email addresses and Internet hostnames are treated as a single searchable
token. For example:

• If you enter the search criteria “user1@mycompany.com”, the address is treated as a
single searchable token.

• Period (.) – A period that is not followed by whitespace is treated as part of a word, that is, a
searchable token, and the period is searchable. For example:

• If you enter the search token “192.168.0.1” or “1.2”, the period is included in the search
results, and treated as a single searchable token.

• Hyphen (-) – When a token containing a hyphen also contains a number, the complete item is
treated as a part of the number. For example:

• Searching on “MD-1800” is considered a searchable word, including the hyphen.

• Searching “hyphen-madness” is treated as two words (“hyphen” “madness”) with the
hyphen treated as whitespace.

A Basic search is treated the same as a search using Advanced Search criteria formed with
“All” “Entire Message” “contains” criteria. Using “Entire Message” “contains” with a string
without quotes does not search for the string. Rather, it treats the string as a list of tokens
to be joined with ANDs. You must use quotes around the string or use “Entire Message (phrase)”
to search for the string.

Also see Working with Apostrophes and Other Punctuation in Barracuda Campus.
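The wildcard, Stop Word, and punctuation rules above can be modelled in a short Python script, which helps explain why a search that looks right returns nothing. This is an added illustration, not Barracuda code: the regular expressions and the function names tokenize, check_wildcard_term, wildcard_to_regex, and basic_search_terms are assumptions that approximate the stated rules, and the service's own indexer may differ in edge cases.

```python
import re

# Stop Words as listed in the Stop Words section of this handbook.
STOP_WORDS = frozenset(
    "a an and are as at be but by for if in into is it no not of on or such "
    "that the their then there these they this to was will with".split()
)

# Assumed patterns: this example's approximation of the stated rules.
EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
# '.' and '-' stay inside a word only when a letter or digit follows, so a
# period followed by whitespace acts as a delimiter.
WORD = r"[A-Za-z0-9]+(?:[.-][A-Za-z0-9]+)*"
CANDIDATE = re.compile(f"({EMAIL})|({WORD})")
HOSTNAME = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def tokenize(text):
    """Split text into searchable tokens following the punctuation rules."""
    tokens = []
    for email, word in CANDIDATE.findall(text):
        if email:
            # An email address is a single searchable token.
            tokens.append(email.lower())
        elif ("-" not in word or HOSTNAME.fullmatch(word)
              or any(c.isdigit() for c in word)):
            # Hostname, dotted value such as 192.168.0.1, or hyphen plus number.
            tokens.append(word.lower())
        else:
            # A hyphen between plain words is treated as whitespace.
            tokens.extend(part.lower() for part in word.split("-"))
    # Stop Words are ignored in searches.
    return [t for t in tokens if t not in STOP_WORDS]


def check_wildcard_term(term):
    """Return None when the term obeys the wildcard rules, else the reason."""
    if "*" not in term and "?" not in term:
        return None
    if any(ch.isspace() for ch in term):
        return "wildcards are not allowed in a multi-word string or phrase"
    if term[0] in "*?":
        return "a wildcard cannot be the first character of a search word"
    # This example's reading of the Stop Word rule: flag terms whose only
    # literal part is a complete Stop Word, for example "the*".
    pieces = [p for p in re.split(r"[*?]+", term) if p]
    if len(pieces) == 1 and pieces[0].lower() in STOP_WORDS:
        return "the letters attached to the wildcard form a Stop Word"
    return None


def wildcard_to_regex(term):
    """'*' matches zero or more characters, each '?' exactly one character."""
    body = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in term
    )
    return re.compile(body, re.IGNORECASE)


def basic_search_terms(query):
    """Model a Basic search: unquoted text becomes tokens joined with AND,
    a double-quoted string becomes a phrase search."""
    query = query.strip()
    if len(query) >= 2 and query[0] == '"' and query[-1] == '"':
        return ("PHRASE", tokenize(query[1:-1]))
    return ("AND", tokenize(query))


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("user1@mycompany.com", "host 192.168.0.1 version 1.2.",
                   "MD-1800 hyphen-madness"):
        print(sample, "->", tokenize(sample))
    for term in ("rep*", "*report", "quarterly rep*", "the*"):
        print(term, "->", check_wildcard_term(term) or "ok")
    print(basic_search_terms("quarterly report for the board"))
    print(basic_search_terms('"quarterly report"'))
```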

4.8.19 Encrypted Email


When you digitally sign a message, you embed information in the message that validates your
identity. When you encrypt a message, it appears to be “scrambled” and can only be read by
a person who has the message decryption key. Digitally signing a message ensures that the
message originated from the stated sender, and encrypting ensures that the message has not
been read or altered during transmission.

To encrypt messages, you can use the public-key cryptographic system. In this system, each
participant has two separate keys: a public encryption key and a private decryption key. When
someone wants to send you an encrypted message, they use your public key to encrypt
the message. When you receive the message, you must use your private key to
decrypt the message.

Because encrypted messages are secure, the content cannot be decrypted upon import by the
Barracuda Cloud Archiving Service, and the content is therefore unavailable for search via the
Barracuda Cloud Archiving Service.

4.9 Retention Policies
While the Barracuda Cloud Archiving Service can handle an archive of virtually unlimited size,
some organizations may want to expire messages as a matter of course. The Policy > Retention
page allows you to set the maximum age of an archived message before it is permanently purged
from the archive. Note that if an auditor has specified an indefinite hold on a Saved Search, the
retention policy is treated as an infinite lifetime.

By default, automated purging of messages archived to the Barracuda Cloud Archiving Service is
disabled. If you enable this ability, the Global Retention Policy and any Saved-Search retention
policies are run against all the archived messages weekly on Friday night.

If the age of any message exceeds the maximum age allowed by all Saved-
Search retention policies that apply to the message, that message is
permanently deleted from the Barracuda Cloud Archiving Service.

The Global Retention Policy setting does not apply to any messages that match a Saved-
Search retention policy.

To enable or disable the automatic message expiration, set the Allow automatic message
deletion option to Yes or No.

4.9.1 Global Retention Policy


The Global Retention Policy applies to every archived message. When retention policies are run
against the archived messages (weekly on Friday night), any messages stored on the Barracuda
Cloud Archiving Service that are older than this age are deleted unless they match an existing
Saved-Search policy.

Configure Global Retention Policy


1. On the Policy > Retention page, set Allow automatic message expiration to Yes.

2. Click Add Global Retention Policy to open the Add Retention Policy dialog.

3. In the Keep on cloud section, specify the total length of archived message retention:

a. Forever – Messages are retained in the Barracuda Cloud Archiving Service forever.

b. For – Enter the number of days to retain archived messages.

4. Click Submit to save the retention policy, and then click Save.

4.9.2 Saved-Search Retention Policy


You can define a retention policy based on a Saved Search to automatically delete archived
messages from the Barracuda Cloud Archiving Service. Note that before you can create a Saved
Search retention policy, you must create at least one Saved Search in the Basic > Search >
Advanced Search page.



Messages that match the specified Saved Search are permanently removed from the
Barracuda Cloud Archiving Service when the age of the message exceeds the specified Saved
Search policy length.

If you define multiple Saved Search retention policies and the age of a message exceeds the
maximum age allowed by all Saved Search retention policies that apply to the message, that
message is permanently deleted from the Barracuda Cloud Archiving Service.

Litigation holds override Saved Search and Global Retention Policies; a
litigation hold may be for a defined period of time or indefinite. If a message
matches more than one Saved Search-based policy, then the message
is kept according to the longest policy length. If it matches a Saved
Search-based policy as well as the global policy, then the Saved Search
policy takes precedence.

Because a Saved Search retention policy overrides the Global retention policy, Saved Search
retention policies are useful when you want to create exceptions to a global retention policy.

Set Up Saved Search Retention Policy


1. Log in to the Barracuda Cloud Archiving Service, go to the Basic > Search page, and in the
Standard tab, click Advanced.

2. Enter the search criteria, and click Save Search.

3. Enter the Search Name, and click OK.

4. Go to the Policy > Retention page, and verify that Allow automatic message deletion is
set to Yes; when set to Yes, the Saved Search policies are run against archived messages
weekly on Friday nights.

5. Click Add Retention Policy to open the Add Retention Policy dialog box.

6. From the Saved Search drop-down menu, select the name of the saved search on which to
base this retention policy.

7. In the Keep on box section, specify whether to retain archived messages forever, or for a
specified number of days:

• Forever – Messages meeting the Saved Search criteria on this Barracuda Cloud
Archiving Service are retained forever.

• For – Enter the number of days to retain archived messages that match the selected
Saved Search criteria. 

8. Click Submit to save the Saved Search retention policy.

9. The Saved Search is added to the table.



If a message matches more than one Saved Search-based policy, then
the message is kept according to the longest policy length. If it matches
a Saved Search-based policy as well as the global policy, then the Saved
Search policy takes precedence.
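The precedence rules for the Global Retention Policy, Saved Search retention policies, and litigation holds, together with the weekly Friday-night run, can be worked through in code to see when a given message is actually purged. The following Python sketch is an added example, not Barracuda code: the names LitigationHold, effective_limit, next_friday, and first_purge_run are hypothetical, the dates and policy names are constructed, and it assumes a hold still applies on its Hold End Date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FOREVER = None   # models the "Forever" choice in the Add Retention Policy dialog
FRIDAY = 4       # date.weekday(): Monday is 0


@dataclass(frozen=True)
class LitigationHold:
    saved_search: str
    end_date: Optional[date]   # None models an "Indefinite" hold


def effective_limit(matches, saved_policies, global_days):
    """Return (days or FOREVER, source) for a message.

    matches        -- names of the Saved Searches the message matches
    saved_policies -- {saved search name: days or FOREVER}
    global_days    -- Global Retention Policy length in days, or FOREVER
    """
    applicable = [saved_policies[n] for n in matches if n in saved_policies]
    if not applicable:
        # The global policy applies only when no Saved Search policy matches.
        return global_days, "global policy"
    if any(days is FOREVER for days in applicable):
        return FOREVER, "saved-search policy"
    # Several matching Saved Search policies: the longest one wins.
    return max(applicable), "saved-search policy"


def next_friday(day):
    """First Friday on or after the given day (policies run Friday night)."""
    return day + timedelta(days=(FRIDAY - day.weekday()) % 7)


def first_purge_run(archived_on, matches, saved_policies, global_days,
                    holds=(), auto_delete=True):
    """Return (date of the Friday run that purges the message, reason),
    or (None, reason) when the message is never purged."""
    if not auto_delete:
        return None, "automatic deletion disabled"
    limit, source = effective_limit(matches, saved_policies, global_days)
    if limit is FOREVER:
        return None, f"{source}: forever"
    # First day on which the message age exceeds the limit.
    earliest, reason = archived_on + timedelta(days=limit + 1), source
    for hold in holds:
        if hold.saved_search not in matches:
            continue
        if hold.end_date is None:
            return None, "indefinite litigation hold"
        # Assumption: the hold still protects the message on its end date.
        released = hold.end_date + timedelta(days=1)
        if released > earliest:
            earliest, reason = released, "litigation hold expired"
    return next_friday(earliest), reason


if __name__ == "__main__":
    # Constructed sample data.
    policies = {"Finance": 365, "Legal": 730, "Newsletters": 7}
    archived = date(2020, 1, 1)
    cases = [
        ("no saved search", set(), ()),
        ("Finance", {"Finance"}, ()),
        ("Finance and Legal", {"Finance", "Legal"}, ()),
        ("Newsletters", {"Newsletters"}, ()),
        ("Newsletters, dated hold", {"Newsletters"},
         (LitigationHold("Newsletters", date(2020, 3, 31)),)),
        ("Newsletters, indefinite hold", {"Newsletters"},
         (LitigationHold("Newsletters", None),)),
    ]
    for label, matches, holds in cases:
        print(label, "->", first_purge_run(archived, matches, policies, 30, holds))
```

A Saved Search policy that is shorter than the global policy still takes precedence, so the constructed "Newsletters" message is purged after 7 days even though the global policy is 30 days.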

4.10 Litigation Holds
Litigation Holds are created by auditors to prevent messages that meet the criteria for a specific
Saved Search from being removed from the Barracuda Cloud Archiving Service. The system
administrator must first Enable Litigation Holds before auditors are given the option to create
Litigation Holds from the Saved Searches tab on the Basic > Search page.

The following information about active Litigation Holds will be displayed here, visible only to the
system administrator:

• Auditor – The account name of the Auditor who created the Litigation Hold

• Saved Search – The name of the Saved Search associated with this Litigation Hold

• Hold End Date – The date and time when this Litigation Hold expires

To delete a litigation hold you must have system administrator rights; click the trash can icon
following the Litigation Hold you want to delete.

Add a Litigation Hold


1. Log in to the Barracuda Message Archiver as an auditor, go to the Basic > Search page, and
click the Standard tab.

2. Click Advanced, enter your search criteria, and click Search.

3. When the search results return, click Save Search, enter the Search Name, and click OK.

4. Click the Saved Searches tab, and in the Actions column for the selected Saved Search,
click Apply Litigation Hold.

5. In the Apply Litigation Hold dialog, specify the Hold End Date as either:

• Indefinite – Content that matches the Saved Search is retained until the
Litigation Hold is cancelled

• Specific Date – Enter the expiration date

4.11 Audit Logs
The Audit Log displays a list of all activities, including search-related activities initiated by the
system. In this view you can browse through the list, or perform a search to filter on a subset of
activities. You can filter by start/end dates, user name, and item type. Click on an activity to display
the activity details in the Details pane.

4.11.1 Audit Log Tools and Options


The Audit Log includes the following tools and options:

• Page Navigation – Click on the navigation arrows or type a number in the Page field to move
through the Audit Log.

• Refresh Icon – Click the icon to update the page.

• Export – Click Export, enter an email address to which to send a .csv file containing the
selected audit logs in the dialog box, and click OK. Once the report generates, it is sent to
the specified email address.

• Tools – Click to select the number of items to display per page and to specify
the Details Pane location.

You can search for activities in the Audit Log.

Search Audit Log


1. Log in to the web interface, and go to the Advanced > Audit Log page. By default, all audit
log records display.

2. Enter the desired search criteria, and then click Search.

3. The results pane displays those items matching the entered criteria. Information displayed for
each record includes:

a. Date – When the action occurred and was logged in the Audit Log.

b. User – Which user performed this action. Some actions are performed automatically, not
actively by a specific user, displaying as user System.

c. Type – What type of action this record is for.

d. Detail – Many audit log records contain information in addition to the date, user,
and type. In some cases, a useful piece of this additional information is displayed in
the Detail column, for instance to narrow down a broad action type.

4. To view additional information, click on an item. Details display in the right pane.

Barracuda Cloud-to-Cloud Backup

5.1 Introduction to Barracuda Cloud Backup
5.2 Configure Impersonation for Exchange Online
5.2.1 Configure Impersonation
5.3 Configure an Exchange Online Data Source
5.3.1 Configure Exchange Online Data Source
5.4 Configure Impersonation for OneDrive for Business
5.4.1 Configure Impersonation
5.5 Configure OneDrive for Business Data Source
5.5.1 Configure OneDrive for Business Data Source
5.6 Configure SharePoint Online Primary Site Collection Admin
5.6.1 Configure Site Collection Administrator
5.7 Configure SharePoint Online Data Source
5.7.1 Configure Data Source
5.8 Configure Backup Schedules
5.8.1 Configure a Backup Schedule
5.9 Restore Backup
5.10 Backup Reports
5.10.1 Backup Report
5.10.2 Restore Report
5.10.3 Audit Log Reports

5.1 Introduction to Barracuda Cloud Backup
Barracuda Cloud-to-Cloud Backup for Office 365 protects Exchange Online, OneDrive for
Business, and SharePoint Online data by backing it up directly to Barracuda Cloud Storage.
Barracuda Cloud-to-Cloud Backup for Office 365 can be used as an add-on to an on-premises
Barracuda Backup appliance or as a standalone subscription without an appliance. For Exchange
Online, Barracuda Cloud-to-Cloud Backup protects all email messages, including all attachments,
as well as the complete folder structure of each user’s mailbox. In OneDrive for Business, all files
under the Documents Library, including the entire folder structure, are protected. For SharePoint
Online, Barracuda Cloud-to-Cloud Backup protects online files and folders in Document Libraries,
Site Assets, Site Pages, Picture Libraries, and Form Templates in Team Sites, Public Sites, Wiki
Sites, and Publishing Sites.

5.2 Configure Impersonation for Exchange Online
In order for Barracuda Cloud-to-Cloud Backup to access user mailboxes for backup, you must first
create a new service account with administrative privileges and apply the impersonation role to
that account for Exchange Online, as described in the section that follows.

5.2.1 Configure Impersonation


In order for Barracuda Cloud-to-Cloud Backup to access user mailboxes for backup, you must
create a new service account with administrative privileges and apply the impersonation
role to that account.

Step 1. Create a New Service Account

To configure impersonation within Exchange Online:

1. Log in to your Office 365 Management Panel using an account with administrative privileges,
and click users and groups in the left pane.

2. Click the + symbol to create a new account.

3. In the details page, enter the details for the new service account, and click next.

4. In the settings page, select Yes to assign administrator permissions, and from the drop-down
menu, select Global administrator. Optionally, you can add an alternate email address and
location. Click next.

5. In the assign licenses page, make no changes. Click next.

6. In the send results in email page, click Create. The service account details
are sent to the admin.

7. To activate the account, log in to your Office 365 Management Panel using the new service
account, and update the password.

Step 2. Create Impersonation Role

Option 1. Manually Set Up Impersonation

1. Log in to your Office 365 Management Panel using an account with administrative privileges,
and go to permissions > admin roles.



2. Click the + symbol. In the new role group dialog box, type
BarracudaBackupImpersonation in both the Name and Description fields:

3. Scroll down to Roles, and click the + symbol.



4. From the list, select ApplicationImpersonation, and click add:

5. Click OK.

6. Scroll down to Members, select the service account created in Step 1: Create a New Service
Account, and click add. 

7. Click OK. Click Save to save your settings and close the Role Group window. The
Impersonation role is now listed in Admin Roles.

Option 2. Set Up Impersonation via PowerShell

Use the following steps to assign the ApplicationImpersonation role using PowerShell:

1. At the PowerShell command prompt, enter the following command:


New-ManagementRoleAssignment -name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

Where:

• name is the friendly name of the role assignment. Each time you assign a role, an entry is
made in the role-based access control (RBAC) roles list. You can verify role assignments by
using the Get-ManagementRoleAssignment cmdlet found in the Microsoft Dev Center article
How to: Configure impersonation.

• Role is the RBAC role to assign. When you set up impersonation, you assign the
ApplicationImpersonation role.

• User is the service account.

2. Press Enter.

5.3 Configure an Exchange Online Data Source
Configure Exchange Online to back up data directly to Barracuda Cloud Storage. When
you back up Exchange Online, Barracuda Cloud-to-Cloud Backup protects all email messages,
attachments, and the complete folder structure of each user mailbox. Messages, folders, or entire
mailboxes can be restored back to the original account, a different account, or exported via
the download feature.

5.3.1 Configure Exchange Online Data Source


Use the following steps to set up Exchange Online backup:

1. Log in to Barracuda Backup, and select the Cloud Source in the left pane.

2. In the Status page, click Exchange Online:

3. The Data Sources page displays. Click Add a Cloud Provider, and enter the following details:

a. In the Cloud Provider description field, enter a name to represent the data source.

b. From the Cloud Provider type drop-down menu, select Microsoft Office 365.

c. Click Save.

4. The Add a Cloud Data Source dialog box displays:

a. From the Data Type drop-down menu, select Exchange Online:

b. Enter Your Office365 domain URL.

The URL is available once you log in to Exchange Online.

c. Click Authorize.



If you are not currently logged into the Exchange Online account, the
Microsoft login page displays. Enter your Exchange Online administrator
login information, and then click Sign in.

5. In the Exchange Online page, click Accept to authorize Barracuda to back up data
from Exchange Online:

6. The Edit Exchange Online page displays.

a. Enter a name to identify the data source in the Data Description field.

b. In the Add to schedule section, click the drop-down menu, and then click Add New:



7. The Add New Schedule dialog box displays. Enter a name to represent the schedule:

8. Click OK. The Edit Exchange Online page is updated with the new schedule name.

9. Click Save. The Edit Backup Schedule page displays.

10. In the Items to Back Up section, select individual items to back up, or click Apply to
all computers and data sources for this Barracuda Backup Cloud Service to back up
everything in Exchange Online.

11. In the Schedule Timeline section, select the day you want the schedule to run.

12. In the Daily Backup Timeline, specify the time of day the schedule is to run:

13. Click Save. Exchange Online is backed up based on your data source and schedule settings.

5.4 Configure Impersonation for OneDrive for Business
Download and install the SharePoint Online Management Shell from the Microsoft Windows
Download Center to a Windows computer with PowerShell installed, and download
the AdminRights.ps1 script to the same Windows computer where you installed SharePoint
Online Management Shell.

After downloading and installing the SharePoint Online Management Shell, you can
follow the steps in the Microsoft support article Assign eDiscovery permissions to
OneDrive for Business sites.

5.4.1 Configure Impersonation


In order for Barracuda Cloud-to-Cloud Backup to access OneDrive user accounts for backup, you
must create a new service account with administrative privileges, and then assign that account
SharePoint Site Collection Administrator privileges.

Step 1. Create a New Service Account

1. Log in to your Office 365 Management Panel using an account with administrative privileges,
and click users and groups in the left pane.

2. Click the + symbol to create a new account.

3. In the details page, enter the details for the new service account, and click next.

4. In the settings page, select Yes to assign administrator permissions, and from the drop-down
menu, select Global administrator. Optionally, you can add an alternate email address and
location. Click next.

5. In the assign licenses page, make no changes. Click next.

6. In the send results in email page, click Create. The service account details
are sent to the admin.

7. To activate the account, log in to your Office 365 Management Panel using the new service
account, and update the password.

Step 2. Configure Permissions

Use this step to configure permissions for current users. 

There are two options you can use to give the service account created in Step 1. Create a New
Service Account access to user accounts:

• Option 1 – Run a SharePoint Online Management Shell script to automatically apply the
proper permissions to each user account; this is the preferred and fastest method. If you have
multiple users, this is also the easiest method.
or



• Option 2 – Manually configure each user account from within the Microsoft SharePoint Admin
Center. If you have only a few users, this is the easiest method.

Option 1. Configure Permissions Using a SharePoint Online Management Shell Script

1. Download and open the AdminRights.ps1 script using a text editor such as Notepad.

2. Navigate to and edit the following four variables:

• $o365login – Replace with your Office 365 service account or
administrator account username.

• $o365pw – Replace with your Office 365 service account or
administrator account password.

• $spAdminURL – Replace with the same URL used in your organization’s OneDrive
URL, but suffixed with -admin

• $spMyURL – Replace with the same URL used in your organization’s OneDrive URL,
but suffixed with -my

3. Save and close the script.

4. Locate the SharePoint Online Management Shell installed in Step 1, then right-click and click
Run as administrator.

5. Change your working directory within the SharePoint Online Management Shell to the
location where you saved the AdminRights.ps1 script:

6. Run the following command:


Set-ExecutionPolicy Unrestricted 



7. Run the following command to run the AdminRights.ps1 script:
.\AdminRights.ps1

8. Press Enter to exit the script.

9. Exit SharePoint Online Management Shell.

You must complete the steps in Option 1 each time you add new users.

Option 2. Configure Permissions from the Microsoft SharePoint Admin Center

1. Log in to your Office 365 Management Panel using the service account created in Step 1.
Create a New Service Account.

2. In the left pane click Admin centers > SharePoint, and click user profiles.  

3. Click Manage User Profiles:



4. In the Find profiles field, type the name of a user whose OneDrive for Business data is to be
backed up, and then click Find:

5. Click the user’s Account name, and then click Manage site collection owners:

6. The site collection owners dialog box displays. In the Site Collection Administrators
field, add the service account with administrative privileges or another account with
administrative privileges:

• Type the account name, and then click the Verify User icon, or

• Click the Directory icon, and navigate to and select the account from the directory:

7. Click OK. The service account or administrative account added as the user’s Site Collection
Administrator can now view the user’s entire OneDrive account.

8. Repeat Steps 3 through 7 for each user whose OneDrive for Business data is to be backed up
with Barracuda Cloud-to-Cloud Backup.



Step 3. Set Up Impersonation Permissions

Use these steps when adding all future users.

Complete the following steps to set up impersonation permission for the service account on all
newly created OneDrive users:

1. Log in to your Office 365 Management Panel using the service account created in Step 1.
Create a New Service Account.

2. In the left pane click Admin centers > SharePoint, and click user profiles.  

3. In the My Site Settings section, click Setup My Sites.

4. In the My Site Secondary Admin section, click Enable My Site secondary admin.

5. In the Secondary admin field, type the username of the newly created service account.

6. Click OK.

5.5 Configure OneDrive for Business Data Source
Configure OneDrive for Business to back up data directly to Barracuda Cloud Storage.  When
backing up OneDrive for Business using Barracuda Cloud-to-Cloud Backup, all files under the
Documents Library, including the entire folder structure, are protected. Files, folders, or entire
accounts can be restored back to the original account, a different account, or exported via
the download feature.

5.5.1 Configure OneDrive for Business Data Source


1. Log in to Barracuda Backup, and select the Cloud-to-Cloud Backup Source in the left pane.

2. In the Status page, click OneDrive for Business:

3. The Data Sources page displays. Click Add a Cloud Provider, and enter the following details:

a. In the Cloud Provider description field, enter a name to represent the data source.

b. From the Cloud Provider Type drop-down menu, select Microsoft.

c. Click Save.

4. The Add a Cloud Data Source page displays:

a. From the Data Type drop-down menu, select OneDrive for Business.

b. Enter the OneDrive URL in the associated field; the URL is available once
you log in to OneDrive.

c. Click Authorize:



d. If you are not currently logged into the OneDrive for Business account, the Microsoft
login page displays:

e. Enter your OneDrive for Business administrator login information, and then click Sign in.

5. The Edit OneDrive for Business page displays:

a. Enter a name to identify the data source in the Data Description field.

b. In the Add to schedule section, click the drop-down menu, and then click Add New:

6. The Add New Schedule dialog box displays. Enter a name to represent the schedule:

7. Click OK. The Edit OneDrive for Business page is updated with the new schedule name.

8. Click Save. The Edit Backup Schedule page displays.

9. In the Items to Back Up section:

a. Select individual items to back up, or 



b. To back up everything on OneDrive, click Apply to all computers and data sources for
this Barracuda Backup Cloud Service.

10. In the Schedule Timeline section, select the day you want the schedule to run.

11. In the Daily Backup Timeline, specify the time of day the schedule is to run:

12. Click Save. OneDrive is backed up based on your data source and schedule settings.

5.6 Configure SharePoint Online Primary Site Collection Admin
In order for Barracuda Cloud-to-Cloud Backup to access SharePoint sites, you must first create a
primary site collection administrator for each SharePoint Site collection data source.

5.6.1 Configure Site Collection Administrator


In order for Barracuda Cloud-to-Cloud Backup to access SharePoint sites, you must create a
primary site collection administrator.

You must complete the following steps for each SharePoint Site Collection
you want to back up.

To configure the primary site collection administrator for SharePoint Online:

1. Log in to your Office 365 Management Panel using an account with administrative privileges,
go to the Office 365 admin center, and click Admin centers > SharePoint.

2. Hover over and select the site collection you want to add the administrator to.

3. Click Owners > Manage Administrators:

4. The manage administrators page displays. In the Site Collection Administrators section, enter the
name of the administrator you want to add as a Site Collection Administrator, and click the Check
Names icon to verify the user name is valid. For example, SharePoint Service Administrator:

5. Click OK to save your changes and add the selected administrator as the Site
Collection Administrator.

5.7 Configure SharePoint Online Data Source
Configure SharePoint Online to back up data directly to Barracuda Cloud Storage. Barracuda
Cloud-to-Cloud Backup provides complete protection of SharePoint Online. With item-level
recovery options, items can be restored back directly into SharePoint Online from the backups
of  Document Libraries, Site Assets, Site Pages, Picture Libraries, and Form Templates in Team
Sites, Public Sites, Wiki Sites, and Publishing Sites. Barracuda Cloud-to-Cloud Backup for Office
365 eliminates the risk of lost content due to accidental or malicious deletion. You can also retain
email messages and files indefinitely if users were to leave your organization—all without having
to purchase additional licenses.

5.7.1 Configure Data Source


1. Log in to Barracuda Backup, and select the Cloud Source in the left pane.

2. In the Status page, click SharePoint Online:

3. The Data Sources page displays. Click Add a Cloud Provider, and enter the following details:

a. In the Cloud Provider description field, enter a name to represent the data source.

b. From the Cloud Provider type drop-down menu, select Microsoft Office 365.

4. Click Save.

5. The Add a Cloud Data Source dialog box displays:

a. From the Data Type drop-down menu, select SharePoint Online.

b. Enter Your Office365 domain URL.

The URL is available once you log in to SharePoint Online.

c. Click Authorize.



If you are not currently logged in to the SharePoint Online account, the
Microsoft login page displays. Enter your SharePoint Online administrator
login information, and then click Sign in.

6. In the SharePoint Online page, click Accept to authorize Barracuda to back up data
from SharePoint Online:

7. The Edit SharePoint Online page displays. Complete the following:

a. Enter a name to identify the data source in the Data Description field.

b. In the Add to schedule section, click the drop-down menu, and then click Add New:



8. The Add New Schedule dialog box displays. Enter a name to represent the schedule:

9. Click OK. The Edit SharePoint Online page is updated with the new schedule name.

10. Click Save. The Edit Backup Schedule page displays.

11. In the Items to Back Up section, select individual items to back up, or click Apply to all
computers and data sources for this Barracuda Backup Cloud Service to back up everything
in SharePoint Online.

12. In the Schedule Timeline section, select the day you want the schedule to run.

13. In the Daily Backup Timeline, specify the time of day the schedule is to run:

14. Click Save. SharePoint Online is backed up based on your data source
and schedule settings.

5.8 Configure Backup Schedules
Use the Backup > Schedules page to create backup schedules for selection when setting up
your data sources. Once your data sources are set up, data is collected from each data source
for the first time during an initial backup period. Once the initial backup is complete, Barracuda
Cloud-to-Cloud Backup checks for changed and new data based on the data source backup
schedules. When new or changed information is identified, each file is analyzed at the bit level,
and only the new bit sequences in the files themselves are copied and transferred.

5.8.1 Configure a Backup Schedule


Use the following steps to schedule an Office 365 backup:

1. Log in to Barracuda Backup, and select the Cloud-to-Cloud Backup Source in the left pane. 

2. Go to Backup > Schedules.

3. On the Schedules page, click Add a Schedule in the upper right-hand corner.

4. Enter a name for your schedule in the Schedule name field:

5. In the Identify the data sources section, select the data to be backed up using this schedule.
You can select Apply to all computers and data sources for this Barracuda Cloud to Cloud
Backup or you can granularly select data down to a specific file or folder.

6. In the Schedule Timeline section, select the days you want the schedule to run. If you are
creating a one-time only backup schedule, deselect all days:



7. In the Daily Backup Timeline section, enter a start time for your backup schedule. To repeat
a backup schedule throughout a 24-hour period, select the Repeat option and specify the
frequency of the backup and the end time. A backup schedule cannot span multiple days:

8. Once you have configured your backup schedule, click Save.

9. The backup schedule is now listed on the Schedules page and specifies the days and times
that it is to run. To run a backup on demand, click Run Backup Now; to edit the schedule,
click Edit; to delete the schedule, click Remove.



5.9 Restore Backup
Use the Restore > Restore Browser page to restore backed up Office 365 data sources. You can
restore single files or entire systems.

Restore an Exchange Online Data Source

Use the following steps to restore an Exchange Online backup:

1. Log in to Barracuda Backup, and select the Cloud-to-Cloud Backup source in the left pane.

2. Click the Restore tab, and then click Restore Browser.

3. Click Exchange Online in the left pane, and then select the user mailbox from
which to restore data:

4. Select the folder from which to restore data:

5. Locate the email or folder to restore, or use the search field to locate the desired data:



6. The default view displays data that was present during the last backup. 

7. To find a historical email or folder revision from a previous date, click Change
Date in the left pane:

8. Use the calendar to select the desired day to view data available for restore from that date.

9. Once you locate the email(s) or folder to restore, click Restore to the right of a single item, or
click Restore selected items if you selected multiple items:

10. The Restore dialog box displays. Select to restore to the Original Location and Original Path,
or click Specify New Path and specify a different user and path:



11. Click Start Restore. A notification displays that the restore is in progress:

12. To view restore status, go to the Reports > Restore page.

13. Verify the messages or folders have been restored in the user’s Exchange Online mailbox.

Restore a OneDrive for Business Data Source

Use the following steps to restore OneDrive for Business data:

1. Log in to Barracuda Backup, and select the Cloud-to-Cloud Backup Source in the left pane.

2. Click the Restore tab, and then click Restore Browser.

3. Click OneDrive for Business in the left pane, and then select the user account from
which to restore data:

4. Navigate through the folder structure to locate the file or folder you want to restore.
Alternatively, you can use the search field to locate the desired data:



5. The default view displays data present during the last backup. To find a historical revision of
a file or folder, click Change Date in the left pane:

6. Use the calendar to select the desired day to view data available for restore from that date.

7. Once you locate the file(s) or folder to restore, click Restore to the right of a single item, or
click Restore selected items if you selected multiple items:

8. The Restore dialog box displays. Select to restore to the Original Location and Original Path,
or click Specify New Path and specify a different user and path:

9. Click Start Restore. A notification displays that the restore is in progress:

10. To view restore status, go to the Reports > Restore page.

11. Verify the files or folders have been restored in the user’s OneDrive for Business account.



Restore a SharePoint Online Data Source

Use the following steps to restore SharePoint Online data:

1. Log in to Barracuda Backup, and click the Office 365 Backup in the left pane.

2. Click Restore > Restore Browser.

3. Click SharePoint Online in the left pane, and then select the Site from which to restore data:

4. Navigate through the folder structure to locate the file or folder you want to restore, or use
the search field to locate the desired data:



5. The default view displays data present during the last backup. To find a historical revision of a
file or folder, click Change Date in the left pane:

6. Use the calendar to select the desired day to view data available for restore from that date.

7. Once you locate the file(s) or folder to restore, click Restore to the right of a single item, or
click Restore selected items if you selected multiple items:



8. The Restore dialog box displays. Select to restore to the Original Location and Original Path:

9. Click Start Restore. A notification displays that the restore is in progress:

10. To view restore status, go to the Reports > Restore page.

11. Verify the files or folders have been restored in the SharePoint Online Site.

5.10 Backup Reports
Use the Reports page to view backup and restore details as well as an audit log of all activities in
the Barracuda Cloud Backup web interface.

5.10.1 Backup Report


Go to Reports > Backup to view a detailed report for each backup that is run. In addition, any
backup process currently running displays. Backup reports include details about the backup
such as when the backup started, duration, size, if there were any errors or warnings, and any
new, changed, or removed items. Reports also include links to each backed up file to view or
download the item from the report. Click Details to view recent activity in chart form. You can also
view a list of backed up files including the number of new, changed, and removed files, as well as
a list of any errors encountered during backup. Click Download to save the report as a .csv file
to your local system.

5.10.2 Restore Report


You can view restoration details in the Reports > Restore page. To specify how you wish to sort
the table, click on a heading, and then click on the up/down arrows to the right of each heading
to specify either an ascending or descending sort. Click Details to view all details for the selected
restoration including any encountered errors.

5.10.3 Audit Log Reports


The Reports > Audit Log page displays a report of all activities in the Barracuda Cloud
Backup web interface by time and date, by user, and by action. Logged activity includes log on
authentication, changes to settings, changes to account information, and more. Click Details for
additional information for a specific activity.



campus.barracuda.com | campus@barracuda.com

• UK 1.0 • Copyright 2020 Barracuda Networks, Inc. • barracuda.com


Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners.
