connector- based customer delivery pool mailbox (on-premises) mailbox or application (on-premises)...
TRANSCRIPT
Spark the future.
May 4 – 8, 2015Chicago, IL
Exchange Online Protection, Mail flow, and Encryption:Notes from the FieldJennifer GagnonScott Landry
BRK3161
What is EOP? Planning & Deployment Protection: Anti-spam & Malware Encryption Troubleshooting Q&A
Agenda
What is EOP Anyway?
Cloud-based email filtering service Protect from spam and malware
Data Loss Prevention ( DLP) Encryption
Exchange Online Protection
EXO HUB or EOP HUB
EOP CASConnector-
Based
Customer Delivery Pool Mailbox
(On-premises)
Office 365 Routing & FilteringMailbox or Application(On-premises)
Higher RiskHigh Risk Delivery
Pool
Resolve host name to EOP
DC
(contoso-com.mail.protection.outlo
ok.com)
Virus Scanning
AV Engine 1
AV Engine 2
AV Engine 3
EOP CAS
Edge Blocks & Tenant
AttributionIP-based block listsDirectory-
based (Recipient)
Blocks
Internet mail is routed based on MX record resolution
Spam Analysts
Customer Feedback
(False Positive/Negatives)
Outbound PoolNormal Score
Internet mail is routed based on MX record resolution
Mailbox (O365)
Transport Rules / Policy Enforcement
Custom Rules
Email Encryption
Quarantine
Allows/Rejects
SPAM Protection
Content scanning and Heuristics
Content Filter Advanced Options
Outlook Safe Sender/Recipient
Bulk Mail FilteringReso
lver
Deployment: Basic Mail Flow
EOP Types
Filtering only… or with Exchange Online, including Hybrid:
You can easily upgrade
EOP deployment scenarios
Filtering-only Mail flow & hygiene can be hosted in Exchange Online Protection
Datacenters or Exchange Online Datacenters
Requirements:1. Validate Domains2. Configure connectors and test mail flow3. Switch MX
https://ps.protection.outlook.com/powershell-liveid/
is the correct URL to use when connecting to EOP SA
Hybrid Some mailboxes are hosted in Exchange Online and some
mailboxes on-premises Use Hybrid Wizard to configure mail flow MX record can point to EOP or on-premises
Exchange Online All mailboxes in the cloud (“Fully Hosted”) May not need mail flow connectors
EOP deployment scenarios (cont’d)
https://outlook.office365.com/powershell-liveid
/Is the correct URL to use when connecting to Exchange Online
Migration planning is
key
Routing between Exchange on-premises & Exchange Online MUST NOT pass through any 3rd party Use CBR connectors or centralized mail transport if you must for non-Hybrid mail flow
If you keep MX record pointed to on-premises: EOP scanning will have reduced effectiveness On-premises IP reputation & ability to keep the bad stuff out is critical to maintaining
mail flow
Hybrid Architecture FAQs
Exchange
Secure mail:Proprietary ESMTP
Verb helps keep you safe
My Tenant
Not My Tenant
Setting up EOPDomain Validation
Setting up EOP (On-Prem/Hybrid)
Domain Validation – Wizard completion
More on domainsOnce verified, domain will appear in EOP/EXO as an “AcceptedDomain”For EOP, will default to “internal relay”For EXO, will default to “authoritative”
Demo: Connectors & Validation
Test & enable mail flowTestSimply VALIDATE your new connector in the Office 365 Admin CenterOr telnet to assigned host record (contoso-com.mail.protection.outlook.com) and attempt to send a test message to on-premises mailbox
DNS changesMX record (domain-suffix.mail.protection.outlook.com)SPF record (v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com –all)Do not change Autodiscover CNAME DNS entries for filtering-only customers
On-premises changesCreate smart host from on-premises environment to EOPRestrict on premises firewall to only accept port 25 traffic from EOP
Setting up EOP (cont’d)When you are done:
HINT: Keep your on-premises IP addresses in here too!
Recommend: Enable Directory Synchronization
• Automated user/group management
• Ease of administration for rules based on addresses
• Synchronize Outlook safe/block sender lists
• Enable directory-based edge (recipient) blocking
On-premises Exchange Online Protection
Office 365 Directory Sync
Protection: Anti-Spam & Anti-Malware
Migrating from third party to EOPSetting expectationsMay see a change in email patternsEvery product needs to be tuned to your environmentFeatures may function differently
Porting configurationGood opportunity to trim old safe/block listsSpam filtering rules may not be neededReview filtering policies (transport rules)
Spam and Policy customization
***For anything not available in the Connection or Content Filters use Transport Rules
Configure Downstream Spam ActionEOP and the Junk Mail folder
Standalone only (should not be required for proper Hybrid deployment):Set-OrganizationConfig –SCLJunkThreshold 4At least two rules need to be added to the on premises environment:
New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6 New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6
Make sure Outlook updates are always applied to prevent false negatives (SCL -1 is not recognized without update and will take the spam action)
It is EASY to educate end users to use the Junk Mail folder in Outlook!
Configure Downstream Spam Action (cont’d)EOP and the quarantine
Messages are kept in EOP datacenters away from the user’s view.Administrator can grant access to the quarantine for end-user self- management.Administrator can also configure end-user spam notifications (ESNs)
Spam, phishing & spoofing
Publish an SPF record (Sender Policy Framework)Include EOP IPs and on-premises public IPs Use the Microsoft Configuration WizardAvoid safe-listing own domains - this by-passes the SPF check and negates the check’s effectiveness
Publish a DMARC policy (Domain-based Message Authentication, Reporting and Conformance)If you can’t publish p=reject or p=quarantine, you can still publish p=none and collect feedback.
Spam, phishing & spoofing (cont’d)
Publish a DKIM signature (DomainKeys Identified Mail)
Recommend reporting Spam to MicrosoftGet the Junk email reporting toolAttach to a new email, copy headers into body of new email and send to [email protected]
Recommend reporting False Positives to MicrosoftAttach to a new email, copy headers into body of new email and send to [email protected]
Advanced Threat Protection
Protection against unknown malware and virusesThrough a feature called Safe Attachments
Real time, time-of-click protection against malicious URLs
Through a feature called Safe Links
Rich reporting and URL trace capabilities
A new email filtering service coming this summer
Bulk EmailReceiving
Microsoft has begun to get more aggressive against bulk email
New anti-spam header X-Microsoft-AntiSpam
Improvements to bulk email filtering:
Bulk Complain Levels (BCL) – use it today
Bulk EmailSending
Have application send via EOP
Find a 3rd party in the business of sending email
Use same on-premises IPs as core business
emails
Use a separate domain or subdomain for mass
emails
Make sure SPF record(s) include all apps & 3rd
parties
X✓X✓✓
Make adjustments to rules or settings as needed
Evaluate effectiveness of spam settings
Did you report that to the Microsoft Anti-spam team?
Reports (Office 365 Portal or Mail Protection Reports for Office 365) – Updates Coming!
Monitor and fine tune
How do I know if a local machine is compromised?
Encryption
Transport Layer Security (TLS) Great for securing email between Office 365 and on-premises or with specific
partner/external servers All Office 365 SMTP is defaulted to opportunistic; TLS 1.0-1.2 secure ciphers
Office 365 Message Encryption Allows recipient to be external and on any device; if recipient’s mailbox can be
accessed, then the message can be decrypted
Information Rights Management (Azure AD) Keys held on RMS server; organization can set usage rights and custom templates;
requires organizational authentication; does not get in the way of e-Discovery
S/MIME Secure from client-to-client, as long as the private keys remain secure
Office 365 Encryption Features/OptionsIn
creasi
ng
Com
ple
xit
y
Troubleshooting
Non-Delivery Reports
User-friendly Getting deeperWho can fix it?
Indicates error detailsWho generated
the NDR?
Message Header Analyzer
Remote Connectivity Analyzer (http://testconnectivity.microsoft.com)
Message Header Analyzer
Message Header AnalyzerCan be added to OWA & Outlook as an app
Message Trace
Find out everything about a message that Office 365 handled
Search up to 90 days
Get routing details
Message Trace
Message TraceTwo features
New!
“Basic” Message Trace “Extended” Message Trace(Historical Search)
Data Set Between approx. 15 minutes & 7 days
Between approx. 8 hours & 90 days
View Results In UI Download
Results In seconds In minutes/hours (can configure notification email address)
Routing Details Basic detail only Full detail optional
Maximum Size 500 5,000 (3,000 for detail)
Max Queries / Day Reasonable limits 15 per tenant
Finding Message Trace
Go to Exchange Admin Center
Click mail flowClick message trace
Using the UI Two features
share the same UI for simplicity
Using Historical Search After selecting a
period outside of 7 days, new options appear
“Include message events and routing details with report”
Enter Notification email address
Completed Historical Search Click to see running &
completed reports Reports available for
10 days Results of 5000 (or
3000 for detailed) should not be trusted to be complete (truncated warning message)
Scroll to bottom to download the results
Reviewing Historical Search Results Recommend
using Excel DATA -> Filter Sort by
date_time More
information about the fields & value meanings: http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx
47
Basic: Get-MessageTrace, Get-MessageTraceDetail
Extended: Start-HistoricalSearch, Stop-HistoricalSearch, Get-HistoricalSearch
Pull results inside of (and shorter than) 7 days (but still >8 hours)
Search on advanced criteria such as find all messages that hit a particular DLP rule
PowerShell
Start-HistoricalSearch [[-Organization] <OrganizationIdParameter>] -ReportType <HistoricalSearchReportType> {MessageTrace | MessageTraceDetail | DLP | TransportRule | SPAM | Malware} -ReportTitle <string> -StartDate <datetime> -EndDate <datetime> [-NotifyAddress <MultiValuedProperty[string]>] [-DeliveryStatus <string>] [-SenderAddress <MultiValuedProperty[string]>] [-RecipientAddress <MultiValuedProperty[string]>] [-OriginalClientIP <string>] [-MessageID <MultiValuedProperty[string]>] [-DLPPolicy <MultiValuedProperty[guid]>] [-TransportRule <MultiValuedProperty[guid]>] [-Locale <cultureinfo>] [-Direction <MessageDirection> {All | Sent | Received}]
Demo: Message Trace Scenarios
Check to see if there is any record of the message (if no record, then you’ll need to check with the sender)
Check hygiene results Look for hints about where it may have
gone (forwards, rules, etc.)
Scenario: Inbound
Make sure the message was received from Outlook client (if not, troubleshoot Outlook)
Look for SMTP SEND Event
Scenario: Outbound
Q&A
Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.
Please evaluate this sessionYour feedback is important to us!
EXO HUB or EOP HUB
EOP CASConnector-
Based
Customer Delivery Pool Mailbox
(On-premises)
Office 365 Routing & Filtering
Mailbox or Application(On-premises)
Higher RiskHigh Risk Delivery
Pool
Resolve host name to EOP
DC
(contoso-com.mail.protection.outlo
ok.com)
Virus Scanning
AV Engine 1
AV Engine 2
AV Engine 3
EOP CAS
Edge Blocks & Tenant
AttributionIP-based block listsDirectory-
based (Recipient)
Blocks
Internet mail is routed based on MX record resolution
Spam Analysts
Customer Feedback
(False Positive/Negatives)
Outbound PoolNormal Score
Internet mail is routed based on MX record resolution
Mailbox (O365)
Transport Rules / Policy Enforcement
Custom Rules
Email Encryption
Quarantine
Allows/Rejects
SPAM Protection
Content scanning and Heuristics
Content Filter Advanced Options
Outlook Safe Sender/Recipient
Bulk Mail Filtering
SMTP Client Submission(EXO only)
EXO CAS
(smtp.office365.com)
Mailbox (O365)
Reso
lver
ResourcesLinksEOP TechNet content http://technet.microsoft.com/en-us/library/jj723137.aspx EOP best practices http://technet.microsoft.com/en-us/library/jj723164(v=exchg.150).aspxEOP FAQ http://technet.microsoft.com/en-us/library/jj871669.aspxFalse positive/negative submissions http://technet.microsoft.com/en-us/library/jj200769.aspxEOP Datacenter IP addresses http://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspxHybrid deployment http://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspxProtecting your Organization with EOP (TechEd 2014)http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/OFC-B322#fbid=Exchange Online Limits: http://technet.microsoft.com/library/exchange-online-limits.aspxFiltering Dirsync: http://technet.microsoft.com/en-us/library/jj710171.aspx
Related SessionsTHR0483R – Updates to Cloud Security and Information ProtectionBRK3106 – Deep Dive into How Microsoft Handles Spam and Advanced Email ThreatsBRK2198 – Evolving Email Protection for Tomorrow’s Needs with Exchange Online ProtectionTHR0136 – First Look at Advanced Threat Protection in Office 365 to Stop Unknown Malware and Phishing AttacksBRK3109 – Shut the Front Door! Securing Your Messaging Environment BRK3159 – Using Connectors and Mail RoutingBRK3160 – Mail Flow and Transport Deep DiveTHR0135 – Advanced Threat Protection in Office 365THR0161 – Data Loss Prevention in Office 365BRK3172 – Your Encryption Controls in Office 365: Across Devices and PlatformsBRK3139 – Exchange Hybrid – Make Office 365 Work for youBRK4115 – Advanced Exchange Hybrid TopologiesTHR0145 – Getting started with deployment planning in FastTrack for Office 365
Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.
Please evaluate this sessionYour feedback is important to us!
© 2015 Microsoft Corporation. All rights reserved.
Appendix
Monitor and fine tune (reports)Mail Protection Reports for Office 365http://www.microsoft.com/en-us/download/details.aspx?id=30716
Weighting for Mail DeliveryFailover configurationUsing a second MX record to accomplish failover
Contoso.com has 3 on-premises IPs:Site A - 10.0.0.5 & 10.0.0.6, Site B - 10.1.1.5, Site C - 10.2.2.5
Contoso.com wants mail to route to Site A but if it is down wants mail to go to Site B, and Site C as last resort. Specify onprem.contoso.com in the outbound connector smart host field & create the following DNS records:
contoso.com MX preference = 10 contoso-com.mail.protection.outlook.com (routes all mail for contoso.com) onprem.contoso.com MX preference = 10 mail-a.contoso.comonprem.contoso.com MX preference = 20 mail-b.contoso.comonprem.contoso.com MX preference = 30 mail-c.contoso.com mail-a.contoso.com A 10.0.0.5, 10.0.0.6mail-b.contoso.com A 10.1.1.5mail-c.contoso.com A 10.2.2.5
Testing with TelnetHow to telnet from EOP/Exchange online Tenant:You do/type this Server responds with this
Telnet tenantDomainMxRecordHere 25 220
HELO your_sending_server_fqdn 250 (followed by human readable message)
MAIL FROM: [email protected] 250 Sender OK
RCPT TO: [email protected] 250 Recipient OK
DATA (followed by the enter key) Tells you to send data and how to end.
SUBJECT: Test (hit enter twice) Hitting enter twice conforms to the standard.
Enter the body message. To end put a single period on a line by itself and press enter.
You should see something about message accepted or message queued.
QUIT