Demonstration Guide
Created in Partnership with Technical Marketing Engineers, Cisco Email Security.
Last Updated: 15-MARCH-2019
Limitation
Requirements
Topology
Get Started
Appendix A. Troubleshooting
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 21
Doc type
Demonstration Guide
Limitations
Cisco Email Security’s Threat Analyzer Tool for O365 has the following limitations:
• All Mailboxes option will scan 50 mailboxes by default. You can modify the value of mailboxes to be scanned.
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required: Laptop
Optional: Cisco AnyConnect®
This demonstration showcases the value of the no-cost, no-impact Cisco Email Security application, Office 365 Threat Analyzer. This tool, coupled with Cisco Email Security, scans identified Microsoft Office 365 mailboxes via an Application Programming Interface (API) and provides a report containing valuable insight into the threats present in the customer's Microsoft Office 365 email environment, such as Spam, Virus, Graymail, and Malware.
NOTE: Use of this tool is not meant to provide remediation of any messages or threats identified via the report.
Cisco Email Security delivers industry-leading inbound and outbound email cleansing and control, offering high availability email
protection against the constant, dynamic, rapidly changing threats affecting email today in a variety of form factors to fit customer
needs.
For additional information about Cisco Cloud Email Security, visit http://www.cisco.com/go/emailsecurity. Here you will find detailed
information on Cisco Email Security features and benefits, available form factors, Cisco differentiators, and more.
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
Component                  Description                                                            Hostname                 IP Address       Username        Password
Email Security Appliance   Cisco Email Security Appliance running Threat Analyzer Tool for O365   esa.dcloud.cisco.com     198.18.133.146   admin           C1sco12345
Workstation 1              Windows 7 workstation used for accessing TA                            wkst1.dcloud.cisco.com   198.18.133.36    administrator   C1sco12345
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
FOR SCHEDULED CISCO EMAIL SECURITY’S THREAT ANALYZER TOOL FOR O365
Follow the steps to schedule a session of the content and configure your presentation environment.
2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on your
laptop [Show Me How]
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud Remote Desktop
client works best for accessing an active session with minimal interaction. However, many users experience connection and performance
issues with this method.
IMPORTANT! The Threat Analyzer Tool is pre-configured. There is no need to administer or alter any of the configured values for the associated scanning engines within the vESA. Any direct administration of the vESA may result in unexpected reporting and/or errors. If configuration changes are needed, any Partner may request to have an On-Prem instance launched for their usage. Please consult the On-Prem Cisco Threat Analyzer for O365 page for more information.
NOTE: All actions for Scenario 1 must be performed by the customer within their environment.
Before any scanning can commence, the customer must register the Cisco Threat Analyzer for O365 in their Microsoft Azure
environment and grant the necessary permissions. Once this is completed, they must provide their Client ID/Application ID and Tenant
IDs. Without this information, the API within the Cisco dCloud environment cannot be registered.
VALUE PROPOSITION: Microsoft Azure is a platform as a service (PaaS) solution for building and hosting solutions using Microsoft's
products and in their data centers. It is a comprehensive suite of cloud products that allow users to easily create enterprise-class
applications without having to build out their own infrastructure.
For security, the tie-in to Threat Analyzer is read-only. This helps you protect business and personal information by enabling you to manage user identities and credentials and to control access.
Prior to running the Threat Analyzer tool, you will need to create the API connection from Microsoft Azure to the Threat Analyzer. This
information will be provided from the customer side. Scenario 1 can be copied and provided to the customer in order for them to have
the instruction set to open the API and provide the needed Client ID and Application ID.
Prerequisites
• Office 365 account subscription. Make sure that your Microsoft Office 365 account subscription includes access to Exchange, such
as an Enterprise E3 or Enterprise E5 account.
• Both the Microsoft Office 365 and Microsoft Azure AD accounts are tied properly to an active user@domain.com email address,
and you are able to send and receive emails via that domain and account.
4. Click New application registration and then fill in the following required fields:
5. Click Create.
6. Click Settings.
b. Click + Add.
c. Click Select an API and then choose Microsoft Graph in the API list.
f. Scroll down and similarly, select the below permissions on Delegated Permissions:
h. Click Done.
i. Finally, click Grant permissions to ensure that your new permissions are applied to the application.
If Grant Permissions is NOT applied after completing the above steps, the application will fail to connect to the Threat Analyzer tool, and you
will receive an API error.
NOTE: If you are copying from your laptop and pasting into WKST1, use a text editor, like Notepad, to save the data until it is needed. If you opened and configured the Azure portal inside WKST1, use <Ctrl>+<Alt>+<Shift> to copy and paste the data and/or IDs. For Apple Mac users, the key combination to copy from the local machine to the workstation in dCloud is <CTRL>+<OPTION>+<SHIFT>; this brings up the remote desktop clipboard and allows the data to be exchanged.
NOTE: The value string that begins with MIIDiTCC and ends with DMevcRz must be on a single line. Notepad text editor is recommended to
edit the string.
1. Your Client ID in the Azure portal is named Application ID. This can be found from the main pane of the application you have
created:
2. Your Tenant ID can be found in the first level App Registrations > Endpoints pane:
• Your Tenant ID is embedded in each of the endpoint URLs listed on the right; copy it from any one of them:
Example:
...windows.net/688a9cde-c495-44d8-afb2-ae1234567890/federationmetadata/2007-06/federationmetadata.xml
NOTE: The ID is in hexadecimal format, written as hyphen-separated groups of 8, 4, 4, 4 and 12 hex digits (the 8:4:4:4:12 notation).
• Tenant ID
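To catch paste errors before a scan is started, here is an added pre-flight check; it is not part of this guide or of the Threat Analyzer tool. It pulls the Tenant ID out of an Endpoints URL of the form shown above, checks both IDs for the 8-4-4-4-12 notation, and checks that the certificate value was kept on a single line. Function names are my own, and the Application ID and certificate values used below are constructed placeholders.

```python
import re
from typing import List, Optional

# Azure AD Application (Client) IDs and Tenant IDs are 32 hex digits in 8-4-4-4-12 groups.
GUID_EXACT = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
GUID_ANYWHERE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_guid(value: str) -> bool:
    """True when value is exactly one ID in 8-4-4-4-12 notation (surrounding whitespace ignored)."""
    return GUID_EXACT.match(value.strip()) is not None


def tenant_id_from_endpoint(url: str) -> Optional[str]:
    """Extract the Tenant ID from an App Registrations > Endpoints URL such as
    ...windows.net/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml
    Returns None when the URL carries no such ID."""
    match = GUID_ANYWHERE.search(url)
    return match.group(0) if match else None


def check_scan_inputs(application_id: str, tenant_id: str, cert_value: str) -> List[str]:
    """Return the list of problems found; an empty list means the values are ready to paste."""
    problems = []
    if not is_guid(application_id):
        problems.append("Application ID is not in 8-4-4-4-12 notation")
    if not is_guid(tenant_id):
        problems.append("Tenant ID is not in 8-4-4-4-12 notation")
    if application_id.strip().lower() == tenant_id.strip().lower():
        problems.append("Application ID and Tenant ID are identical; the same value was pasted twice")
    cert = cert_value.strip()
    # The guide requires the MIIDiTCC... value on one line; any embedded newline or space breaks it.
    if re.search(r"\s", cert):
        problems.append("certificate value is not on a single line (contains whitespace)")
    # Base64 of a DER certificate longer than 255 bytes starts with the bytes 30 82, i.e. 'MII'.
    if not cert.startswith("MII"):
        problems.append("certificate value does not look like a base64 DER certificate (expected 'MII...')")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    url = "...windows.net/688a9cde-c495-44d8-afb2-ae1234567890/federationmetadata/2007-06/federationmetadata.xml"
    tenant = tenant_id_from_endpoint(url)
    print("Tenant ID:", tenant)
    print("Problems:", check_scan_inputs("11111111-2222-3333-4444-555555555555", tenant or "", "MIIDiTCCAAAA"))
```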
VALUE PROPOSITION: The Cisco Threat Analyzer for O365 Tool can be run directly from the Cisco dCloud environment using the
Remote Desktop or by using Cisco AnyConnect to establish a Virtual Private Network (VPN) connection to a Cisco VPN server [Show me How].
The instructions below assume you are utilizing the dCloud workstation and Remote Desktop option. Please refer to the details listed
under the Info or Session Details section of the Cisco dCloud session for access via VPN.
1. Connect to the Workstation 1 in dCloud using the steps in the Get Started section.
3. Google Chrome launches and the ReadMe document will load as the landing page.
• username: admin
• password: C1sco12345
• Customer Name: Your Company Name (for example Outdoor Sports, Inc.)
NOTE: If you are copying from your laptop and pasting into WKST1, use a text editor, like Notepad, to save the ID until it is needed. If you opened and configured the Azure portal inside WKST1, use <Ctrl>+<Alt>+<Shift> to copy and paste the IDs. For Apple Mac users, the key combination to copy from the local machine to the workstation in dCloud is <CTRL>+<OPTION>+<SHIFT>; this brings up the remote desktop clipboard and allows the data to be exchanged.
NOTE: Alternatively, the thumbprint may be copied directly from a file located on the desktop called “Client and Tenant IDs.rtf”
• In the File Upload window, select demo.pem from the C:\Users\Administrator\Downloads\Supporting Info folder
NOTE: The self-signed certificate and private key are pre-defined to streamline the scan task. If the customer has concerns using them, we
can utilize the steps provided for On-Prem steps to generate the needed certificate(s) and keyCredentials, Thumbprint. Please consult
Certificate: Unix/Linux (utilizing openssh) and Certificate: Windows (utilizing Windows PowerShell). A Partner may also request to
have an On-Prem instance launched for their usage. Please consult the On-Prem Cisco Threat Analyzer for O365 page for more
information.
9. Once validation is completed, you can select one of the following to start the scan:
• LDAP Groups
• Following Mailboxes
• All Mailboxes
(*) Please be sure that you have had the pre-scan conversation with your customer to identify which mailboxes they wish to have
included, or not included, in the scan. Keep in mind that the scan will take a look at emails and attachments. The scan provided by the
Cisco Threat Analyzer for O365 tool is not intended to be an all-inclusive scan, but only a brief overview of threats and mail messages
from the inbox of their mailboxes identified.
NOTE: It may take a few moments to fetch the mailboxes over the API once the Start Scan button has been clicked. Once the mailboxes have
been fetched, the Dashboard will be displayed, with the scan running and in progress.
Please be sure to monitor the dashboard for updates and activity. At the top of the dashboard you will find the mailbox scan progress
percentage, number of mailboxes scanned, and also the number of mailboxes skipped. If there is a # next to the mailboxes skipped,
you may click that # to be provided reasons for the mailbox(es) to not have been scanned.
If you wish to stop the scan for any reason, click Stop Scan and wait for the dashboard to update and refresh.
VALUE PROPOSITION: Gain visibility into threats that may have gone undetected in your Office 365 inboxes. Identify security
vulnerabilities present in Office 365 mailboxes. And determine whether malicious URLs, malware and spam are present in your Office
365 email.
1. Once the scan is complete, click Export to generate the customer-facing PDF.
3. Using the Box – Cisco Log in bookmark, log into Box and upload your report to your Box account.
4. The results of the report are tabulated from the vESA itself. While the dCloud session is still scheduled and available, you may log in to the vESA in order to view the results and associated scanning reports by clicking on the Cisco vESA bookmark from the Google Chrome browser. Once your dCloud session is completed or expired, the vESA and associated Threat Analyzer report will no longer be available. All data is scrubbed and removed from the dCloud session once the session is completed or expired.
VALUE PROPOSITION: Results in the report are formatted in an easy-to-understand graphical display.
The results of the report are tabulated from the vESA itself. While the dCloud session is still scheduled and available, you may log in to the vESA in order to view the results and associated scanning reports by clicking on the Cisco vESA bookmark from the Google Chrome browser, or access the vESA from your local workstation/laptop via AnyConnect. (See Topology and Get Started in this document for details.)
(*) If you are not familiar with the vESA user interface, you may be interested to review the Cisco Email Security Instant Demo, also
available from dCloud!
Page 1 (of 3)
This page contains the statistics for the scan results, including the number of mailboxes scanned, the number of mailboxes skipped, and the elapsed time (how long the scan took to complete).
Page 2 (of 3)
Page 3 (of 3)
vESA Reports
From the vESA UI itself, you can generally browse through the available reports from
Monitor > <name>.
Not all reports will align properly. This is due to the fact that when the API is opened from
Microsoft Azure/Microsoft O365 to the Cisco Threat Analyzer Tool, all mail is bundled into the
one incoming connection and listener on the vESA. This is why from Monitor > Incoming
Mail the Incoming Mail Details table only contains one row of “No Domain Information” and
the associated percentages of the mail traffic.
Remember, the Cisco Threat Analyzer Tool is only meant to showcase what Cisco Email Security
can detect from messages in the inbox of existing O365 mailboxes.
Please utilize the results of the services made available on the tool to move on to a proper proof-of-value (PoV) with Cisco Email Security. The customer will then be able to see results from the connection level, security scanning, and delivery of their mail traffic, and will be able to view and interact directly with the full reporting capabilities that Cisco Email Security and Cisco Security Management provide from their own Cisco Email Security (CES) environment.
Appendix A. Troubleshooting
TIP! For any issues within dCloud instance, please open a support case from your dCloud session.
The following troubleshooting notes are provided from the Cisco Threat Analyzer for Microsoft Office 365 page:
https://docs.ces.cisco.com/docs/troubleshooting
NOTE: Not all scenarios will be applicable for Threat Analyzer Tool instances scheduled and run from dCloud.
1. Review the interface configuration of the vESA to assure that AsyncOS API (Monitoring) is enabled for AsyncOS API HTTP
(6080). You do NOT need to enable AsyncOS API HTTPS (6443).
2. Review your network and/or firewall to assure that port 6080 is allowed for the IP address you have configured. If you are using
network address translation (NAT), assure that you have the interface properly mapped.
1. Review to make sure that you started the scan from the CLI by running startofflinescan
2. Review to make sure that you started the scan with the proper interface's IP address
1. Review the Client ID (Application ID) and Tenant ID. Assure that you have copied them over correctly from Microsoft Azure during the application creation steps.
2. Assure you are using the correct Thumbprint and the same .pem certificate that was used during the application creation steps.
4. Worst case scenario: delete your application in Microsoft Azure and re-perform the application creation steps.
offlinescan_logs show...
• "Error while requesting token AADSTS90002: Tenant 'a2745a99-9999-999a-b999-cf78f467999a' not found. This may happen
if there are no active subscriptions for the tenant. Check with your subscription administrator."
Check to make sure you have not transposed your Application ID and Tenant ID.
offlinescan_logs show...
• "Error in requesting token: AADSTS70002: Error validating credentials. AADSTS50012: Client assertion is not within its valid
time range."
Adjust the time manually on the CLI of the vESA using the command settime:
analyzer.lab> settime
WARNING: Changes to system time will take place immediately and do not require the user to run the commit
command.
Typically, setting the time forward by one (1) day will correct the error. If you had configured an NTP server, it is possible that the port
for NTP (123) is not open on the network/firewall for your vESA.
offlinescan_logs show...
Review the LDAP group name entered on the Email Scan Setup page. You may need to validate that the AD group exists. Log in to
the Exchange Admin Center to review the Display Name(s).
offlinescan_logs show...
• "Tue Jan 15 19:25:58 2019 Info: Unable to read attachments(s) from the recipient's (sam@myexamplebank.com) mailbox"
• "Tue Jan 15 19:29:26 2019 Info: Skipping one message from the recipient's (sam@myexamplebank.com) mailbox since error
((552, 'size limit exceeded', u'tess@trainingcenterexample.com')) has occured"
These are OK to ignore. The attachment was either corrupt, too large to scan, or in an unsupported format. If the error is 'size limit exceeded', the message was simply larger than the maximum message size supported by the vESA itself, 25 MB.
offlinescan_logs show...
If you have entered comma-separated values for the mailboxes to be scanned, you have copied over improper spacing: "%20" is the URL-encoded form of a space character (ASCII 0x20). Reformat your comma-separated list so that it contains no spaces.
Example: bob@example.com,joe@example.com
• The scan is running and showing progress; however, results are not being posted to the dashboard for Spam, Graymail, etc.:
First, patience! The Threat Analyzer relies on the vESA to consume the reporting and message data in order to build the dashboard results and final report. Allow at least one (1) hour for this to elapse.
If the dashboard continues to show 0% results, the cause is usually a firewall blocking the API port (6080). Review the network and firewall configuration for your vESA and assure that the port is open. The firewall may need a reset if traffic through the port is not allowing the reporting data to pass through properly.
IMPORTANT! For any issues within dCloud instance, please open a support case from your dCloud session.
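As an added illustration of the troubleshooting notes above (not part of this guide or of the Threat Analyzer tool), the following Python triages offlinescan_logs lines against the symptoms the appendix lists. The first four sample lines are the ones quoted above; the fifth is constructed to show the "%20" case, and the rule table and function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Sample offlinescan_logs lines. The first four are quoted in the troubleshooting appendix;
# the fifth is constructed to illustrate the "%20" mailbox-list symptom.
SAMPLE_LOG = [
    "Error while requesting token AADSTS90002: Tenant 'a2745a99-9999-999a-b999-cf78f467999a' not found. "
    "This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.",
    "Error in requesting token: AADSTS70002: Error validating credentials. "
    "AADSTS50012: Client assertion is not within its valid time range.",
    "Tue Jan 15 19:25:58 2019 Info: Unable to read attachments(s) from the recipient's (sam@myexamplebank.com) mailbox",
    "Tue Jan 15 19:29:26 2019 Info: Skipping one message from the recipient's (sam@myexamplebank.com) mailbox since error "
    "((552, 'size limit exceeded', u'tess@trainingcenterexample.com')) has occured",
    "Error: mailbox 'bob@example.com,%20joe@example.com' not found",  # constructed line
]

# (pattern, action, diagnosis). Order matters: the first matching rule wins.
RULES = [
    (re.compile(r"AADSTS90002"), "fix",
     "Tenant not found: check that the Application ID and Tenant ID were not transposed"),
    (re.compile(r"AADSTS50012"), "fix",
     "Client assertion outside its valid time range: correct the vESA clock with settime; "
     "if NTP is configured, confirm port 123 is open on the network/firewall"),
    (re.compile(r"%20"), "fix",
     "Mailbox list contains URL-encoded spaces (%20): use comma-separated addresses with no spaces"),
    (re.compile(r"size limit exceeded"), "ignore",
     "Message larger than the 25 MB vESA message size limit: safe to ignore"),
    (re.compile(r"Unable to read attachment"), "ignore",
     "Attachment corrupt, too large or in an unsupported format: safe to ignore"),
]


def triage_line(line: str) -> Tuple[str, str]:
    """Map one log line to (action, diagnosis); lines no rule covers are escalated."""
    for pattern, action, diagnosis in RULES:
        if pattern.search(line):
            return action, diagnosis
    return "escalate", "No matching troubleshooting note: open a dCloud support case"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many lines need a fix, can be ignored, or need escalation."""
    counts = {"fix": 0, "ignore": 0, "escalate": 0}
    for line in lines:
        counts[triage_line(line)[0]] += 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        action, why = triage_line(entry)
        print(f"[{action:8}] {why}")
    print(summarize(SAMPLE_LOG))
```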
https://docs.ces.cisco.com/docs/frequently-asked-questions-faq-threat-analyzer-tool
What’s Next?