Many organizations are using different email gateways (namely Proofpoint, Mime Cast, Ironport, Synmantec, Barracuda) instead of Exchange online protection.
This blog is about a scenario from one of our customer that is using Cisco Ironport cloud and their current email routing from Internet is as below.
Internet –> Ironport Cloud –> Exchange Onpremise –> Exchange online.
Goal is to change the Email routing so that after Third Party gateway it directly hits Exchange online instead of traversing thru Exchange on-premise.
Steps in the post are generic and completed for Cisco Ironport System but can be used for other email gateways as well.
First step is to configure the Receiving Connector on Exchange online.
As an Exchange Online Administrator or Global Administrator log on to Exchange admin console.
https://outlook.office365.com/ecp/
- Navigate to mail flow > connector
- Create a new connector
3. Enter the Name of the connector (From Gateway to Office 365 – use as per your environment)
4. Use the sender’s IP address (add all the IP addresses for your gateway from which email will hit office 365)
5. Select Reject email messages if they aren’t sent over TLS
6. Save it.
Now update the connection filters as well.
Go to –> Protection –> Connection filter
Update IP Allow list with the IP Addresses of the third party Gateway from which you will receive emails.
Last step is for the third-party gateway, for this post we are considering Ironport Cloud.
Log on to ESA –> Network –> SMTP Routes
Select the domain and update the Destination to Office 365 –> company.mail.protection.outlook.com
Priority should be less then other mail route so that email start routing from office 365 and other route can act as secondary.
Example:
labtest.mail.protection.outlook.com
You can start testing the email flow now by sending emails from internet to your domain.
Thanks for reading
Tech Wizard
Tech Wizard 
Nice blog, easy to understand