Office 365 MailFlow Scenarios and Best Practices

Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and uses scenario to delivered email to your organisation’s mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam filter and Maiflow of your organisation. However, you may have already invested your infrastructure handle mail flow. Microsoft also accepts this situation and allow you to use your own spam filter.

The below scenario and use cases will allow you to determine how you can configure MailFlow of your organisation.

Mailbox Location MailFlow Entry Point Scenario & Usecases Recommended MailFlow Configuration  and Example MX record
Office 365 Office 365 Use Microsoft EOP

Demote or migrate all mailboxes to office 365

Use Office 365 mailboxes

MX record Pointed to Office 365


SPF:  v=spf1 -all


On-premises On-prem Prepare the on-prem to be cloud ready

Build and Sync AAD Connect

Built ADFS Farm

MX record Pointed to On-prem

SPF: v=spf1 include: -all

Third-party cloud, for example, G-Suite Both third-party and office 365 Prepare to migrate to Office 365

Stage mailbox data

MailFlow co-existance

MX record pointed to third-party cloud

MX record Pointed to On-prem

SPF: v=spf1 include: include: ASPMX.L.GOOGLE.COM -all

Combination of On-premises and Office 365 On-premises Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to On-prem spam filter

MX record Pointed to On-prem

SPF: v=spf1 include: -all

Combination of On-premises and Office 365 Third-party cloud spam filter Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to third-party cloud spam filter

MX record pointed to third-party cloud

MX record Pointed to On-prem

SPF: v=spf1 include: -all

MailFlow Configuration Prerequisites:

  1. Make sure that your email server (also called “on-premises mail server”) is set up and capable of sending and receiving mail to and from the Internet.
  2. Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid public certification authority-signed (CA-signed) certificate.
  3. Make a note of the name or IP address of your external-facing email server. If you’re using Exchange, this will be the Fully Qualified Domain Name (FQDN) of your Edge Transport server or CAS that will receive an email from Office 365.
  4. Open port 25 on your firewall so that Office 365 can connect to your email servers.
  5. Make sure your firewall accepts connections from all Office 365 IP addresses. See Exchange Online Protection IP addresses for the published IP address range.
  6. Make a note of an email address for each domain in your organisation. You’ll need this later to test that your connector is working correctly.
  7. Make sure you add all datacenter IP addresses of Office 365 into your receive connector of on-premises Exchange server

Configure mail to flow from Office 365 to your email server and vice-versa. There are three steps for this:

  1. Configure your Office 365 environment.
  2. Set up a connector from Office 365 to your email server.
  3. Change your MX record to redirect your mail flow from the Internet to Office 365.

Note: For Exchange Hybrid Configuration wizard, connectors that deliver mail between Office 365 and Exchange Server will be set up already and listed here. You don’t need to set them up again, but you can edit them here if you need to.

  1. To create a connectorExchange in Office 365, click Admin, and then click to go to the Exchange admin center. Next, click mail flow click mail flow, and click connectors.
  2. To start the wizard, click the plus symbol +. On the first screen, choose the appropriate options when creating MailFlow from Office 365 to On-premises Server
  3. Click Next, and follow the instructions in the wizard.
  4. Repeat the step to create MailFlow between On-premises to Office 365.
  5. To redirect email flow to Office 365, change the MX (mail exchange) record for your domain to Microsoft EOP, i.e.

Relevant Articles:

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Centralized MailFlow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

How to Configure Office 365 SMTP Relay

There are three ways you can setup SMTP Relay for Applications and multi-function devices using Office 365. All three options are elaborated here. Option 1 and Option 2 are configured within the application and devices. Option 3 are setup within the application/devices and within Office 365 Admin Centre.

Option1 – Client submission: Authenticate device or application directly with an Office 365 mailbox.

Smart Host:

Port: 587 TLS Enabled or Port 25


  • Send email to inside or outside of the organisation.
  • Send email from any devices or IP addresses.
  • Send email from any location


30 messages sent per minute, and a limit of 10,000 recipients per day.

Username: Azure AD username or and Azure AD Password

Option 2- Direct Send: Send mail directly from a printer or an application to Office 365

Smart Host: FQDN of the MX record of your domain.

SPF Record: v=spf1 ip4:<public IP address of registered domain> ~all

Port: 25


  • Uses Office 365 to send emails, but does not require a dedicated Office 365 mailbox.
  • Doesn’t require your device or application to have a static IP address. However, this is recommended if possible.
  • Doesn’t work with a connector; never configure a device to use a connector with direct send, this can cause problems.
  • Doesn’t require your device to support TLS.


  • Direct send cannot be used to deliver email to external recipients, for example, recipients with Yahoo or Gmail addresses.
  • Your messages will be subject to antispam checks.
  • Sent mail might be disrupted if your IP addresses are blocked by a spam list.
  • Office 365 uses throttling policies to protect the performance of the service.

Username: Any email address for one of your Office 365 accepted domains and Azure AD Password

Option 3 – Special Send Connector: Configure a connector to send mail using Office 365 SMTP relay

Smart Host: FQDN of the MX record of your domain.

SPF Record: v=spf1 ip4:<Public IP Address of registered domain> ~all

Port: 25

Username: Any email address for one of your Office 365 accepted domains and Azure AD Password


  • Office 365 SMTP relay does not require the use of a licensed Office 365 mailbox to send emails.
  • Office 365 SMTP relay has higher sending limits than SMTP client submission; senders are not bound by the 30 messages per minute or 10,000 recipients per day limits.


  • Sent mail can be disrupted if your IP addresses are blocked by a spam list.
  • Reasonable limits are imposed for sending.
  • Requires static un-shared IP addresses (unless a certificate is used).

Setting Up Option 3:


  1. Sign in to Office 365.
  2. Select Domains. Select the Domain e.g. Click Manage DNS and find the MX record. The MX record will have a POINTS TO ADDRESS value that looks similar to
  3. Make a note of the MX record POINTS TO ADDRESS
  4. Go to a MX recording finding web site and find the IP address of MX record using below steps.

Open Command Prompt from internet connected computer, Type


>Set q=mx

> where is your domain name.


  1. In Office 365, click Admin, and then click Exchange to go to the Exchange admin center.
  2. In the Exchange admin center, click mail flow, and click connectors. click the plus symbol +. On the first screen, choose the options From Your Organisation to Office 365, Click Next, and give the connector a name.
  3. On the next screen, choose the option By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization, and add the IP address of MX Record from step 1.
  1. Leave all the other fields with their default values, and select Save.
  2. Test the configuration, send a test email from your device or application, and confirm that it was received by the recipient.

TrendMicro Worry-Free Business Advanced Configuration Step by Step

Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).

Trend Micro offers the following editions:

Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.

Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.

Features worry-free business Features

  • Component Updates
  • Device Control
  • Antivirus/Anti-spyware
  • Firewall
  • Web Reputation
  • URL Filtering
  • Behavior Monitoring
  • User Tools
  • Instant Messaging Content
  • Filtering
  • Mail Scan (POP3)
  • Mail Scan (IMAP)
  • Anti-Spam (IMAP)
  • Email Message Content
  • Filtering
  • Email Message Data Loss Prevention
  • Attachment Blocking

TrendMicro Components:

Registration Key

A Registration Key comes with your purchase of Worry-Free Business Security. It has

22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx

Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at

Security Server

At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. Hosts the Web Console, downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, and helps control virus/malware Outbreaks Manages all agents from a single location

Scan Server

The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service from Microsoft Management Console.

Downloads scanning-specific components from Trend Micro and uses them to scan clients


Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.

Security Agent Protects desktops and servers from security threats and intrusions Protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats

Messaging Security Agent Protects Microsoft Exchange servers from email-borne security Threats

Web Console

The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.

WFBS Ports

WFBS uses the following ports:

Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:

IIS server default website: The same port number as your HTTP server’s TCP port.

IIS server virtual website: 8059

Apache server: 8059

Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.

Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.

SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.

Proxy port: Used for connections through a proxy server.

Systems requirements:

  • 1 vCPU, 2GB RAM, 10GB additional space
  • IIS 7.5 Windows Server 2008 R2
  • Internet Explorer
  • Adobe Acrobat
  • Java client
  • Clients that use Smart Scan must be in online mode. Offline clients cannot use Smart Scan
  • Administrator or Domain Administrator access on the computer hosting the
  • Security Server
  • File and printer sharing for Microsoft Networks installed
  • Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
  • If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the Web Console and to enable client-server communications

TrendMicro Download Location:

WFB 8.0

Download Center


1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.

2. Click Next. The License Agreement screen appears.

3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.

4. Click Next. The Setup Type screen appears.

5. From the Setup Type page, choose one of the following options:

  • Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.
  • Minimal Install
  • Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.

6. Click Next. The Product Activation page appears Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.

7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).

8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:Program FilesTrend MicroSecurity Server. If you want to install WFBS in another folder, click Browse.

9. Click Next. The Select Components page appears.

10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.

  • Security Server (default): The Security Server hosts the centralized web-based management console.
  • Security Agent (default): The agent protects desktops and servers.
  • Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.
  • Remote Messaging Security Agent (optional):When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.

11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.

12. Click Next. The Computer Prescan page appears.

13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:

Prescan my computer for threats– The prescan targets the most vulnerable areas of the computer, which include the following:

  • the boot area and boot directory (for boot sector viruses)
  • the Windows folder
  • the Program Files folder
  • Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.

14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:

  • Internet Information Services (IIS) server
  • Apache Web server 2.0.xx

15. Click Next. The Web Server Identification page appears.

16. Choose from one of the following server identification options for client-server communication:

  • Server information – Choose domain name or IP address:
  • Fully Qualified Domain Name – Use the web server’s domain name to ensure successful client-server communications.
  • IP address – Verify that the target server’s IP address is correct.

17. Click Next. The Administrator Account Password page appears.

18. Specify different passwords for the Security Server web console and the Security Agent.

Note: The password field holds 1-24 characters and is case sensitive.

  • Security Server web console – You will need a password to log on the web console. Provide the password and confirm the password.
  • Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.

19. Click Next. The SMTP Server and Notification Recipient(s) page appears.

20. Enter the required information:

  • SMTP server – the IP address of your email server
  • Port – the port that the SMTP server uses for communications
  • Recipient(s) – the email address(es) that the SMTP server uses to send alert notifications. You can enter multiple email addresses when more than one person needs to receive notifications.

21. Click Next. The Trend Micro Smart Protection Network page appears.

22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.

23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.

  • Proxy server type
  • Server name or IP address
  • Port
  • User name and Password – Provide these only if the proxy server requires authentication.

24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.

25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.

26. Set the following items:

  • Installation Path – This is the destination folder where the Security Agent files are installed.
  • Security Agent Listening Port – This is the port number used for Security Agent and Security Server communications.

27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.

28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:

  • Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
  • Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
  • Smart Scan – Smart Scan uses a central scan server on the network to take some of the burden of the scanning of clients.
  • Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.
  • Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.
  • Web Reputation – This blocks malicious websites through the credibility of web domains and assigning a reputation score based on several identifying factors.
  • URL Filtering – This blocks specified categories of websites (for example, pornographic sites and social networking) according to your company’s policy.
  • Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.
  • Device Control – This regulates access to external storage devices and network resources.

29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.

30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.

  • When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.
  • When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.

31. Click Next. The Install Messaging Security Agent page appears.

32. Provide the following information:

i. Exchange Server

ii. Domain Administrator Account

iii. Password

33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:

  • Target Folder – This is the folder where the MSA files are installed.
  • Temp Folder – This is the system root folder for MSA Agent installation.
  • Spam management
  • End User Quarantine – If selected, WFBS creates a separate spam folder on Microsoft Outlook in addition to the Junk E-mail folder.
  • Outlook Junk Email folder – If selected, WFBS stores spam mail into this folder. Since Outlook typically moves spam mail in the End User Quarantine (EUQ) folder to the Junk E-mail folder, Trend Micro recommends to select this option.

35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:

    • If you wish to verify previous installation settings, click Back.
    • Click Next to proceed with the actual installation.

The Install Third Party Components page appears. This page informs you which third party components will be installed.

36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.

Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install

  1. Log on to the WFBS console.
  2. Click Security Settings > Add. The Add Computer page appears.
  3. Under Computer Type section, choose Desktop or server.
  4. Under Method section, choose Remote install.
  5. Click Next. The Remote Install page appears.
  6. From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.
  7. Type the username and password of an account with administrator rights, and click Login. For the domain computers, use the Domain_NameUsername format; for workgroup computers, use the Target_Computer_NameLocal_Administrator_User_Name format.
    The computer is added to the Selected Computers list.
  8. Repeat Steps 6-7 if you want to add more computers to the list.
  9. Click Install, and then click Yes when the confirmation window shows up. A progress screen will show the installation status, and the computer names will have a green check mark when the installation is complete.

Installing Agent for Exchange Server

The Messaging Security Agent (MSA) can also be installed from the Web Console.

1. Log on to the Web Console.

2. Click the Security Settings tab, and then click the Add button.

3. Under the Computer Type section, click Microsoft Exchange server.

4. Under Microsoft Exchange Server Information, type the following information:

Server name: The name of the Microsoft Exchange server to which you want

to install MSA.

Account: The built-in domain administrator user name.

Password: The built-in domain administrator password.

5. Click Next. The Microsoft Exchange Server Settings screen appears.

6. Under Web Server Type, select the type of Web server that you want to install on

the Microsoft Exchange server. You can select either IIS Server or Apache Server.

7. For the Spam Management Type, End User Quarantine will be used.

8. Under Directories, change or accept the default target and shared directories for

the MSA installation. The default target and shared directories are C:Program

FilesTrend MicroMessaging Security Agent and C$, respectively.

9. Click Next. The Microsoft Exchange Server Settings screen appears again.

10. Verify that the Microsoft Exchange server settings that you specified in the

previous screens are correct, and then click Next to start the MSA installation.

11. To view the status of the MSA installation, click the Live Status tab.

Configure Smart Host for Outbound Email

1. Open the Exchange Management Console.

2. Click on the plus sign (+) next to Organization Configuration.

3. Select Hub Transport and click the Send Connectors tab.

4. Right-click the existing Send Connector then select Properties and go to the Network tab.

5. Select Route mail through the following smart hosts and click Add.

6. Select Fully Qualified Domain Name (FQDN)and specify the HES relay servers:

o HES US / Other Regions Relay Record:

o HES Europe, Middle East, and Africa (EMEA) Relay Record:

7. Click OK.

8. Go to the Address Space tab and click Add.

9. Add an asterisk (*) and then click OK.

10. Click Apply > OK.

11. Go to the Source Server tab and add your Exchange Server.

12. Click Apply > OK.

Before you begin next step, make sure you have a valid public DNS and MX record configured and available via ping or nslookup. To find Out MX Record, follow the step or contact your ISP.

C:Usersraihan >nslookup

> set type=mx


Non-authoritative answer: MX preference = 20, mail exchanger = MX preference = 10, mail exchanger = internet address = 203.161.x.x internet address = 116.212.x.x

Pinging [203.161.x.x] with 32 bytes of data:

Registered Hosted Email Security

Firstly you’ll need to have registered with Trend Micro Online .

Create service account (See upcoming post on creating a secure services account)

  1. Open ActiveDirectory Users and Computers
  2. Create a user sa-TrendMicroHE with password never expires

Open Hosted Email Security Web console

Register Your Domains with Trend Micro

1. Go to the Trend Micro Online Registration portal.

2. Create a new OLR account.

a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.


Enter your HES Registration Key.


If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.

Select I Accept, then click Submit.

Complete the registration information form.


Specify your OLR logon ID.


Note: The OLR logon ID will also serve as your HES portal login ID.

Click Submit.

The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.

3. Using the provided OLR username and password, log on to the HES console:

For US:


Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.

4. Enter your domain and IP information, then click Add Domain.


5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.

6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.


Navigate to Administration > Domain Management

  1. All the fields are pretty much self-explanatory, except for Seats assigned: 1 (no need to use more)
  2. Click Activate Domain
  3. Now this you would think would be it, except it goes to the list below which you then need to check the tick box of the domain and then Click Check MX Record

Download the ActiveDirectory Sync Client

  1. Navigate to Administration > Directory Management


  1. Click Imported User Directories so it becomes Enabled with a green tick
  2. Navigate to Administration > Web Services


  1. Click on the Applications bar so it get’s a Green Tick as above
  2. Click on Generate Service Authentication Key, copy this key for use later in the setup
  3. Click and download the ActiveDirectory Sync Client

Install the ActiveDirectory Sync Client

1. Extract the ActiveDirectory Sync Client file and run setup.exe

2. Usual I agree, next, next stuff

3. Then you’ll need your DOMAIN, the user will be the sa-TrendMicroHE we created earlier along with it’s password.

4. Click Next

5. Leave installation path as is, and change to install for Everyone

6. Click Next

7. Click Next

8. Click Close when finish

9. The ActiveDirectory Sync Client will then open

10. For the source paths you’ll need to enter the LDAP source paths for your server where users and groups are located to get you start some defaults are (don’t forget to change it to <yourdomain>)


11. Click Add

LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com

12. Click Add

13. Click Configure

  • Username: as per web login
  • Service Auth Key: as the key we copied earlier from the web console under Administration> Web Services
  • Proxy: leave as automatic unless your network requires otherwise
  • Synchronize: leave at 1

14. Click OK

15. Click Apply

16. This will restart the service

Amend ClientMHS_AD_ACL.config

1. Open C:Program Files (x86)Trend MicroHosted Email Security ActiveDirectory Sync ClientIMHS_AD_ACL.config in notepad

2. Installed Config file looks like this:

<?xml version=”1.0″ encoding=”utf-8″?>
<ldap_path name=”default”>
<objectClass name=”User”>

3. Change the following to add groups and public folders. Ref

<?xml version=”1.0″ encoding=”utf-8″?>


<ldap_path name=”default”>

<objectClass name=”User”>






<ldap_path name=”default”>

<objectClass name=”group”>







<ldap_path name=”default”>

<objectClass name=”publicFolder”>







<ldap_path name=”default”>

<objectClass name=”*”>







4. Save this (you’ll need to save to desktop then move it back over the original file, otherwise it will Access Denied) and return the the ActiveDirectory Sync Client

5. Click Sync Now

6. Give it a few moments then click History

7. Here you should see the correct number of groups and users you expect.  Check the times are correct for when you’ve pressed. And it should finish with Sync domain <> successful

8. Click Close

9. Click Close

Post Configuration Check

  1. open the Hosted Email Security Console
  2. Navigate to Administration > Directory Management
  3. Click the Export to CSV for the domain you’re wanting to check
  4. This will generate a CSV file, which you can use notepad to check that all your email addresses have synced

Worry Free Business Files and Folder Exclusion

Worry-Free Business Best Practice