Integration of IronPort Edge devices with AIP


Hi all

 

Does anyone have any knowledge or insight on how to integrate IronPort devices with AIP? The scenario is as follows:

 

1.) I can send a DNF protected e-mail to a 3rd party no problem. They are able to open it and read it without any issues. 

2.) However, their replies are coming into my mailbox as what appears to be OMEv2 protected content. However, I can't open these mails in either Outlook or OWA. The e-mail arrives as a .rpmsg protected file but I can't open it. 

3.) Looking at the headers I have a suspicion that the IronPort devices are unable to successfully open the file and are messing with it to the point where its signature. Something is applying a warning in the message body indicating that the e-mail is from an external source and I think this is breaking the message sealing to the point where I can't open it...

 

Anyone got any ideas??

 

 

5 Replies

@PeterJNGL I don't know if this is related specifically to IronPort but it seems like your Exchange server is not enabled for AIP (Information Rights Management). Please review this document to see how to enable it and control the features:

https://docs.microsoft.com/en-us/office365/securitycompliance/manage-office-365-message-encryption

https://docs.microsoft.com/en-us/azure/information-protection/configure-office365#exchangeonline-irm...

@Nir Hendler 

 

Hi Nir 

 

It appears to have been something else, but the question does still arise: if you wanted to allow a 3rd party edge device to inspect outbound and inbound mail that was protected with AIP, it would need to have an ability to log in to Azure AD as a superuser, right? And I'm talking in theory here :) 

 

The same would apply to some 3rd party service that was stamping signatures on outbound e-mail correct?

 

 

 

To integrate encryption and decryption capabilities by 3rd party apps and devices you can leverage the MIP SDK which provides you the required tools to achieve that.

@Nir Hendler 

 

I've been chatting to another colleague of yours about this and will take this discussion offline.. Ok if I email you directly?

 

 

@PeterJNGL Two additional considerations: if a product integrates into the Exchange Server transport pipeline (most email content scanning solutions do), it should be able to leverage the Transport Decryption functionality in Exchange. If its transport agent sits after the Transport Decryption agent and Exchange has Transport Decryption enabled, the third-party solution receives decrypted versions of the email (Exchange itself has SuperUser privileges, so it can decrypt the email for processing), without the solution having to have SuperUser itself or use the SDK. 

This is how most antimalware solutions work, for example: they sit after the transport decryption phase, so they see the content in decrypted form. Content is reencrypted before exiting the transport pipeline.

For all this you have to enable Exchange Server to integrate with AIP using the RMS Connector. 

The other consideration is that this works for outbound protected email, and for inbound emails that are a reply to a protected outbound email. But if a third party protects email with their own key and sends it to you, you do not have the authority to use SuperUser privileges to decrypt someone else's content. So you cannot scan content protected by others at the transport layer (note that this is not the case in Exchange Online, since EXO has global SuperUser privileges for the purposes of content scanning, so it can scan inbound protected content). 

HTH
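An added example, not posted by anyone in this thread: the Exchange Management Shell checks a practitioner would run to confirm the transport decryption setup the last reply describes, and to see where a third-party scanning agent sits relative to Exchange's own RMS agents. It assumes an on-premises Exchange Server that is already pointed at the RMS connector; the domain `contoso.com` and the agent name `Contoso Content Scanner` are placeholders standing in for whatever the IronPort or other scanning product registers.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on an
# on-premises Exchange Server already configured for the RMS connector.
# Placeholders: contoso.com, "Contoso Content Scanner".

# 1. IRM licensing and transport decryption must be on. With
#    TransportDecryptionSetting = Disabled every downstream agent only ever
#    sees the opaque .rpmsg attachment, which is what a scanner then "mangles".
$irm = Get-IRMConfiguration
$irm | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, `
                   TransportDecryptionSetting, JournalReportDecryptionEnabled

if ($irm.TransportDecryptionSetting -eq 'Disabled') {
    # Optional: mail that cannot be decrypted still flows (still protected).
    # Mandatory: mail that cannot be decrypted is rejected with an NDR.
    Set-IRMConfiguration -TransportDecryptionSetting Optional
}

# 2. Confirm the server can actually obtain a use license for a sender in
#    this organization. Failures here (no SuperUser rights for the Exchange
#    service, wrong connector URL, certificate issues) are reported per step.
Test-IRMConfiguration -Sender 'user@contoso.com' | Format-List

# 3. Transport agents run in ascending priority order. To see plaintext, a
#    scanner has to run after the RMS Decryption Agent; anything it changes is
#    re-protected when the RMS Encryption Agent runs later in the pipeline.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority

$decrypt = Get-TransportAgent -Identity 'RMS Decryption Agent'
$encrypt = Get-TransportAgent -Identity 'RMS Encryption Agent'
$scanner = Get-TransportAgent -Identity 'Contoso Content Scanner' -ErrorAction SilentlyContinue

if ($scanner -and
    ($scanner.Priority -le $decrypt.Priority -or $scanner.Priority -ge $encrypt.Priority)) {
    # Move the scanner to run immediately after decryption; other agents are
    # renumbered around it. Restart the transport service afterwards.
    Set-TransportAgent -Identity $scanner.Identity -Priority ($decrypt.Priority + 1)
    Write-Warning "Reordered '$($scanner.Identity)'; restart MSExchangeTransport to apply."
}
```

The ordering check is the part worth keeping: a scanner that runs before the decryption agent cannot read the content and may still try to rewrite the body (for example to inject an "external sender" banner), which is exactly the symptom described in the opening post. It also does nothing for inbound mail protected under another organization's key, which, as the reply notes, an on-premises server has no authority to decrypt regardless of agent order.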