Spark the future.

May 4 – 8, 2015Chicago, IL

Exchange Online Protection, Mail flow, and Encryption:Notes from the FieldJennifer GagnonScott Landry

BRK3161

What is EOP? Planning & Deployment Protection: Anti-spam & Malware Encryption Troubleshooting Q&A

Agenda

What is EOP Anyway?

Cloud-based email filtering service Protect from spam and malware

Data Loss Prevention ( DLP) Encryption

Exchange Online Protection

EXO HUB or EOP HUB

EOP CASConnector-

Based

Customer Delivery Pool Mailbox

(On-premises)

Office 365 Routing & FilteringMailbox or Application(On-premises)

Higher RiskHigh Risk Delivery

Pool

Resolve host name to EOP

DC

(contoso-com.mail.protection.outlo

ok.com)

Virus Scanning

AV Engine 1

AV Engine 2

AV Engine 3

EOP CAS

Edge Blocks & Tenant

AttributionIP-based block listsDirectory-

based (Recipient)

Blocks

Internet mail is routed based on MX record resolution

Spam Analysts

Customer Feedback

(False Positive/Negatives)

Outbound PoolNormal Score

Internet mail is routed based on MX record resolution

Mailbox (O365)

Transport Rules / Policy Enforcement

Custom Rules

Email Encryption

Quarantine

Allows/Rejects

SPAM Protection

Content scanning and Heuristics

Content Filter Advanced Options

Outlook Safe Sender/Recipient

Bulk Mail FilteringReso

lver

Deployment: Basic Mail Flow

EOP Types

Filtering only… or with Exchange Online, including Hybrid:

You can easily upgrade

EOP deployment scenarios

Filtering-only Mail flow & hygiene can be hosted in Exchange Online Protection

Datacenters or Exchange Online Datacenters

Requirements:1. Validate Domains2. Configure connectors and test mail flow3. Switch MX

https://ps.protection.outlook.com/powershell-liveid/

is the correct URL to use when connecting to EOP SA

Hybrid Some mailboxes are hosted in Exchange Online and some

mailboxes on-premises Use Hybrid Wizard to configure mail flow MX record can point to EOP or on-premises

Exchange Online All mailboxes in the cloud (“Fully Hosted”) May not need mail flow connectors

EOP deployment scenarios (cont’d)

https://outlook.office365.com/powershell-liveid

/Is the correct URL to use when connecting to Exchange Online

Migration planning is

key

Routing between Exchange on-premises & Exchange Online MUST NOT pass through any 3rd party Use CBR connectors or centralized mail transport if you must for non-Hybrid mail flow

If you keep MX record pointed to on-premises: EOP scanning will have reduced effectiveness On-premises IP reputation & ability to keep the bad stuff out is critical to maintaining

mail flow

Hybrid Architecture FAQs

Exchange

Secure mail:Proprietary ESMTP

Verb helps keep you safe

My Tenant

Not My Tenant

Setting up EOPDomain Validation

Setting up EOP (On-Prem/Hybrid)

Domain Validation – Wizard completion

More on domainsOnce verified, domain will appear in EOP/EXO as an “AcceptedDomain”For EOP, will default to “internal relay”For EXO, will default to “authoritative”

Demo: Connectors & Validation

Test & enable mail flowTestSimply VALIDATE your new connector in the Office 365 Admin CenterOr telnet to assigned host record (contoso-com.mail.protection.outlook.com) and attempt to send a test message to on-premises mailbox

DNS changesMX record (domain-suffix.mail.protection.outlook.com)SPF record (v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com –all)Do not change Autodiscover CNAME DNS entries for filtering-only customers

On-premises changesCreate smart host from on-premises environment to EOPRestrict on premises firewall to only accept port 25 traffic from EOP

Setting up EOP (cont’d)When you are done:

HINT: Keep your on-premises IP addresses in here too!

Recommend: Enable Directory Synchronization

• Automated user/group management

• Ease of administration for rules based on addresses

• Synchronize Outlook safe/block sender lists

• Enable directory-based edge (recipient) blocking

On-premises Exchange Online Protection

Office 365 Directory Sync

Protection: Anti-Spam & Anti-Malware

Migrating from third party to EOPSetting expectationsMay see a change in email patternsEvery product needs to be tuned to your environmentFeatures may function differently

Porting configurationGood opportunity to trim old safe/block listsSpam filtering rules may not be neededReview filtering policies (transport rules)

Spam and Policy customization

***For anything not available in the Connection or Content Filters use Transport Rules

Configure Downstream Spam ActionEOP and the Junk Mail folder

Standalone only (should not be required for proper Hybrid deployment):Set-OrganizationConfig –SCLJunkThreshold 4At least two rules need to be added to the on premises environment:

New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6 New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6

Make sure Outlook updates are always applied to prevent false negatives (SCL -1 is not recognized without update and will take the spam action)

It is EASY to educate end users to use the Junk Mail folder in Outlook!

Configure Downstream Spam Action (cont’d)EOP and the quarantine

Messages are kept in EOP datacenters away from the user’s view.Administrator can grant access to the quarantine for end-user self- management.Administrator can also configure end-user spam notifications (ESNs)

Spam, phishing & spoofing

Publish an SPF record (Sender Policy Framework)Include EOP IPs and on-premises public IPs Use the Microsoft Configuration WizardAvoid safe-listing own domains - this by-passes the SPF check and negates the check’s effectiveness

Publish a DMARC policy (Domain-based Message Authentication, Reporting and Conformance)If you can’t publish p=reject or p=quarantine, you can still publish p=none and collect feedback.

Spam, phishing & spoofing (cont’d)

Publish a DKIM signature (DomainKeys Identified Mail)

Recommend reporting Spam to MicrosoftGet the Junk email reporting toolAttach to a new email, copy headers into body of new email and send to junk@office365.microsoft.com

Recommend reporting False Positives to MicrosoftAttach to a new email, copy headers into body of new email and send to not_junk@office365.Microsoft.com

Advanced Threat Protection

Protection against unknown malware and virusesThrough a feature called Safe Attachments

Real time, time-of-click protection against malicious URLs

Through a feature called Safe Links

Rich reporting and URL trace capabilities

A new email filtering service coming this summer

Bulk EmailReceiving

Microsoft has begun to get more aggressive against bulk email

New anti-spam header X-Microsoft-AntiSpam

Improvements to bulk email filtering:

Bulk Complain Levels (BCL) – use it today

Bulk EmailSending

Have application send via EOP

Find a 3rd party in the business of sending email

Use same on-premises IPs as core business

emails

Use a separate domain or subdomain for mass

emails

Make sure SPF record(s) include all apps & 3rd

parties

X✓X✓✓

Make adjustments to rules or settings as needed

Evaluate effectiveness of spam settings

Did you report that to the Microsoft Anti-spam team?

Reports (Office 365 Portal or Mail Protection Reports for Office 365) – Updates Coming!

Monitor and fine tune

How do I know if a local machine is compromised?

Encryption

Transport Layer Security (TLS) Great for securing email between Office 365 and on-premises or with specific

partner/external servers All Office 365 SMTP is defaulted to opportunistic; TLS 1.0-1.2 secure ciphers

Office 365 Message Encryption Allows recipient to be external and on any device; if recipient’s mailbox can be

accessed, then the message can be decrypted

Information Rights Management (Azure AD) Keys held on RMS server; organization can set usage rights and custom templates;

requires organizational authentication; does not get in the way of e-Discovery

S/MIME Secure from client-to-client, as long as the private keys remain secure

Office 365 Encryption Features/OptionsIn

creasi

ng

Com

ple

xit

y

Troubleshooting

Non-Delivery Reports

User-friendly Getting deeperWho can fix it?

Indicates error detailsWho generated

the NDR?

joe@contoso.com

Message Header Analyzer

Remote Connectivity Analyzer (http://testconnectivity.microsoft.com)

Message Header Analyzer

Message Header AnalyzerCan be added to OWA & Outlook as an app

Message Trace

Find out everything about a message that Office 365 handled

Search up to 90 days

Get routing details

Message Trace

Message TraceTwo features

New!

“Basic” Message Trace “Extended” Message Trace(Historical Search)

Data Set Between approx. 15 minutes & 7 days

Between approx. 8 hours & 90 days

View Results In UI Download

Results In seconds In minutes/hours (can configure notification email address)

Routing Details Basic detail only Full detail optional

Maximum Size 500 5,000 (3,000 for detail)

Max Queries / Day Reasonable limits 15 per tenant

Finding Message Trace

Go to Exchange Admin Center

Click mail flowClick message trace

Using the UI Two features

share the same UI for simplicity

Using Historical Search After selecting a

period outside of 7 days, new options appear

“Include message events and routing details with report”

Enter Notification email address

Completed Historical Search Click to see running &

completed reports Reports available for

10 days Results of 5000 (or

3000 for detailed) should not be trusted to be complete (truncated warning message)

Scroll to bottom to download the results

Reviewing Historical Search Results Recommend

using Excel DATA -> Filter Sort by

date_time More

information about the fields & value meanings: http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx

47

Basic: Get-MessageTrace, Get-MessageTraceDetail

Extended: Start-HistoricalSearch, Stop-HistoricalSearch, Get-HistoricalSearch

Pull results inside of (and shorter than) 7 days (but still >8 hours)

Search on advanced criteria such as find all messages that hit a particular DLP rule

PowerShell

Start-HistoricalSearch [[-Organization] <OrganizationIdParameter>] -ReportType <HistoricalSearchReportType> {MessageTrace | MessageTraceDetail | DLP | TransportRule | SPAM | Malware} -ReportTitle <string> -StartDate <datetime> -EndDate <datetime> [-NotifyAddress <MultiValuedProperty[string]>] [-DeliveryStatus <string>] [-SenderAddress <MultiValuedProperty[string]>] [-RecipientAddress <MultiValuedProperty[string]>] [-OriginalClientIP <string>] [-MessageID <MultiValuedProperty[string]>] [-DLPPolicy <MultiValuedProperty[guid]>] [-TransportRule <MultiValuedProperty[guid]>] [-Locale <cultureinfo>] [-Direction <MessageDirection> {All | Sent | Received}]

Demo: Message Trace Scenarios

Check to see if there is any record of the message (if no record, then you’ll need to check with the sender)

Check hygiene results Look for hints about where it may have

gone (forwards, rules, etc.)

Scenario: Inbound

Make sure the message was received from Outlook client (if not, troubleshoot Outlook)

Look for SMTP SEND Event

Scenario: Outbound

Q&A

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this sessionYour feedback is important to us!

EXO HUB or EOP HUB

EOP CASConnector-

Based

Customer Delivery Pool Mailbox

(On-premises)

Office 365 Routing & Filtering

Mailbox or Application(On-premises)

Higher RiskHigh Risk Delivery

Pool

Resolve host name to EOP

DC

(contoso-com.mail.protection.outlo

ok.com)

Virus Scanning

AV Engine 1

AV Engine 2

AV Engine 3

EOP CAS

Edge Blocks & Tenant

AttributionIP-based block listsDirectory-

based (Recipient)

Blocks

Internet mail is routed based on MX record resolution

Spam Analysts

Customer Feedback

(False Positive/Negatives)

Outbound PoolNormal Score

Internet mail is routed based on MX record resolution

Mailbox (O365)

Transport Rules / Policy Enforcement

Custom Rules

Email Encryption

Quarantine

Allows/Rejects

SPAM Protection

Content scanning and Heuristics

Content Filter Advanced Options

Outlook Safe Sender/Recipient

Bulk Mail Filtering

SMTP Client Submission(EXO only)

EXO CAS

(smtp.office365.com)

Mailbox (O365)

Reso

lver

ResourcesLinksEOP TechNet content http://technet.microsoft.com/en-us/library/jj723137.aspx EOP best practices http://technet.microsoft.com/en-us/library/jj723164(v=exchg.150).aspxEOP FAQ http://technet.microsoft.com/en-us/library/jj871669.aspxFalse positive/negative submissions http://technet.microsoft.com/en-us/library/jj200769.aspxEOP Datacenter IP addresses http://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspxHybrid deployment http://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspxProtecting your Organization with EOP (TechEd 2014)http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/OFC-B322#fbid=Exchange Online Limits: http://technet.microsoft.com/library/exchange-online-limits.aspxFiltering Dirsync: http://technet.microsoft.com/en-us/library/jj710171.aspx

Related SessionsTHR0483R – Updates to Cloud Security and Information ProtectionBRK3106 – Deep Dive into How Microsoft Handles Spam and Advanced Email ThreatsBRK2198 – Evolving Email Protection for Tomorrow’s Needs with Exchange Online ProtectionTHR0136 – First Look at Advanced Threat Protection in Office 365 to Stop Unknown Malware and Phishing AttacksBRK3109 – Shut the Front Door! Securing Your Messaging Environment BRK3159 – Using Connectors and Mail RoutingBRK3160 – Mail Flow and Transport Deep DiveTHR0135 – Advanced Threat Protection in Office 365THR0161 – Data Loss Prevention in Office 365BRK3172 – Your Encryption Controls in Office 365: Across Devices and PlatformsBRK3139 – Exchange Hybrid – Make Office 365 Work for youBRK4115 – Advanced Exchange Hybrid TopologiesTHR0145 – Getting started with deployment planning in FastTrack for Office 365

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this sessionYour feedback is important to us!

© 2015 Microsoft Corporation. All rights reserved.

Appendix

Monitor and fine tune (reports)Mail Protection Reports for Office 365http://www.microsoft.com/en-us/download/details.aspx?id=30716

Weighting for Mail DeliveryFailover configurationUsing a second MX record to accomplish failover

Contoso.com has 3 on-premises IPs:Site A - 10.0.0.5 & 10.0.0.6, Site B - 10.1.1.5, Site C - 10.2.2.5

 Contoso.com wants mail to route to Site A but if it is down wants mail to go to Site B, and Site C as last resort. Specify onprem.contoso.com in the outbound connector smart host field & create the following DNS records:

contoso.com              MX preference = 10    contoso-com.mail.protection.outlook.com (routes all mail for contoso.com) onprem.contoso.com       MX preference = 10    mail-a.contoso.comonprem.contoso.com       MX preference = 20    mail-b.contoso.comonprem.contoso.com       MX preference = 30    mail-c.contoso.com mail-a.contoso.com A     10.0.0.5, 10.0.0.6mail-b.contoso.com A     10.1.1.5mail-c.contoso.com A     10.2.2.5

Testing with TelnetHow to telnet from EOP/Exchange online Tenant:You do/type this Server responds with this

Telnet tenantDomainMxRecordHere 25 220

HELO your_sending_server_fqdn 250 (followed by human readable message)

MAIL FROM: you@host.com 250 Sender OK

RCPT TO: recipient@domain.com 250 Recipient OK

DATA (followed by the enter key) Tells you to send data and how to end.

SUBJECT: Test (hit enter twice) Hitting enter twice conforms to the standard.

Enter the body message. To end put a single period on a line by itself and press enter.

 

You should see something about message accepted or message queued.

 

QUIT