1
Exchange Online Protection for Exchange On-Premises
BRK3262
Brian Reid | NBConsult
Microsoft Office Servers and Services MVP; Exchange Server Microsoft Certified Master
2
Exchange Online Protection
- Microsoft's cloud-based anti-malware and anti-spam scanning service
- Sits in front of all Outlook.com and Office 365 mailboxes
- Cannot bypass EOP for inbound or outbound mail with a cloud mailbox
- Can be used for on-premises and cloud mailboxes
3
Purchase Options for EOP
- Standalone
- Exchange Online
- Exchange Enterprise CAL with Services
- Standalone trial available (30 days)
4
Setup and EOP Mail Flow
5
How Exchange Online Protection Mail Flow Works
- Ongoing Administration
- Spam and Malware Protection
- Recipient Management
- MX Record Considerations
- Mail Flow and Routing
- Domains
6
Domain Support
- An Office 365 registered domain is required for EOP to route for that domain
- Therefore initial setup requires that you register and verify the domain(s) needed for mail flow in the Office 365 portal
- Note: you don't need all the DNS records listed in the portal
- Domains are added to Exchange Online Protection as Internal Relay
7
Inbound Mail Flow
- EOP routes to your on-premises environment via outbound connectors
- Your on-premises system receives via one or more anonymous receive connectors
- You do not need to configure both inbound and outbound mail flow at the same time
8
Outbound Mail Flow
- On-premises servers route to EOP for delivery to the internet by using a smarthost. In Exchange, that is a send connector for the * address space
- Use the same address as the MX record for the internet as the smarthost value
- Configure an inbound connector in Exchange Online Protection to receive emails from on-premises
- Configure the connector to accept only from your on-premises TLS certificate, OR configure it to receive from your IP range
- EOP will scan for outbound spam and route to the internet via EOP's published IP ranges, or via the unpublished "high risk pool" of IP addresses for identified spam
9
EOP Routing
- MX points to Exchange Online Protection
- EOP To/From Internet connector: no connector is needed
- EOP Inbound connector (from on-premises): ConnectorType: OnPremises; RequireTLS: True; TlsSenderCertificateName: verifieddomain.com [OR] if there is no certificate on-premises, use the on-premises IP address to set the restriction (restrictions apply)
- Users added to EOP; contoso.com = Internal Relay
- EOP Outbound connector (to on-premises): SmartHosts: on-premises endpoint; ConnectorType: OnPremises; CloudServicesMailEnabled: True; AllAcceptedDomains: True (can select specific RecipientDomains instead); TlsDomain: null; TlsSettings: EncryptionOnly (aka Opportunistic TLS) or CertificateValidation or DomainValidation
10
On-Premises Routing
- MX points to Exchange Online Protection
- On-Premises Send Connector: AddressSpace: *; RequireTLS: True; TlsCertificateName: <I>Issuer<S>Subject; TlsAuthLevel: EncryptionOnly, CertificateValidation or DomainValidation [OR] if there is no certificate on-premises, ensure routing is via a dedicated IP address (restrictions apply)
- On-Premises Receive Connector: Source IP Address: EOP IP range; Firewall: TCP 25 open to the server; Authentication: Anonymous; Allow TLS support (opportunistic)
- [optional] Publish the FQDN in public DNS
- [optional] Use a load balancer or multiple IP addresses
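The connectors from the two routing slides above, written out as an added PowerShell example (not from the deck) for a fictional contoso.com tenant; hostnames, the IP range, the server name and the certificate thumbprint are placeholders to replace with your own values.

```powershell
# ---- In the Exchange Online Protection remote PowerShell session ----
# Inbound connector: only accept on-premises mail that presents our TLS certificate
New-InboundConnector -Name 'From on-premises' -ConnectorType OnPremises `
    -SenderDomains '*' -RequireTls $true `
    -TlsSenderCertificateName 'mail.contoso.com' `
    -CloudServicesMailEnabled $true
# With no certificate on-premises, restrict by source IP instead (restrictions apply):
#   -SenderIPAddresses '203.0.113.0/28'   and omit -TlsSenderCertificateName

# Outbound connector: deliver every accepted domain to the on-premises endpoint
New-OutboundConnector -Name 'To on-premises' -ConnectorType OnPremises `
    -SmartHosts 'mail.contoso.com' -AllAcceptedDomains $true `
    -CloudServicesMailEnabled $true `
    -TlsSettings EncryptionOnly   # opportunistic TLS; DomainValidation would also need -TlsDomain

# EOP datacenter ranges for the on-premises firewall and receive connector
# (needs an Exchange Online licence; copy the list to the on-premises side)
(Get-HybridMailFlowDatacenterIPs).DatacenterIPs

# ---- In the on-premises Exchange Management Shell ----
# TlsCertificateName takes the <I>Issuer<S>Subject form built from the transport certificate
$cert = Get-ExchangeCertificate -Thumbprint '<thumbprint of the mail.contoso.com certificate>'
$tlsCertName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Send connector: address space * via the same host as the MX record, TLS required
New-SendConnector -Name 'To EOP' -Usage Internet -AddressSpaces '*' `
    -SmartHosts 'contoso-com.mail.protection.outlook.com' -DNSRoutingEnabled $false `
    -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain 'mail.protection.outlook.com' `
    -TlsCertificateName $tlsCertName -SourceTransportServers 'EX01'

# Receive connector: -Usage Internet gives anonymous permissions and opportunistic TLS;
# restrict it to the EOP ranges copied from the cloud session above
$eopRanges = @('<EOP range 1 from the list above>', '<EOP range 2>')
New-ReceiveConnector -Name 'From EOP' -Server 'EX01' -TransportRole FrontendTransport `
    -Usage Internet -Bindings '0.0.0.0:25' -RemoteIPRanges $eopRanges -Fqdn 'mail.contoso.com'

# Verify: the send connector should show the EOP smarthost and the TLS settings
Get-SendConnector 'To EOP' | Format-List SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName
```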
11
Final Exchange Online Protection Setup
- Firewall: block inbound TCP 25 except from EOP. Get-HybridMailFlowDatacenterIPs lists the ranges if you have an Exchange Online licence
- Spam to Junk folder: create three transport rules in on-premises Exchange to route detected spam emails to the user's Junk folder. Consider the bulk mail options as well
- Change your MX record and outbound mail flow both to EOP
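An added example (not from the deck) of the three on-premises transport rules from the slide above, run in the on-premises Exchange Management Shell. The rules key on the verdict EOP stamps in the X-Forefront-Antispam-Report header; the rule names are my own, and SCL 6 is the default Junk Email threshold.

```powershell
$verdicts = [ordered]@{
    'SFV:SPM' = 'EOP spam verdict to Junk'       # content filter marked it spam
    'SFV:SKS' = 'EOP skip-filter spam to Junk'   # marked spam before content filtering
    'SFV:BLK' = 'EOP blocked sender to Junk'     # sender on the user's Blocked Senders list
}
foreach ($verdict in $verdicts.Keys) {
    $name = $verdicts[$verdict]
    if (Get-TransportRule -Identity $name -ErrorAction SilentlyContinue) {
        "Rule '$name' already exists"; continue
    }
    New-TransportRule -Name $name `
        -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
        -HeaderContainsWords $verdict `
        -SetSCL 6
}

# Messages go to Junk when their SCL is greater than SCLJunkThreshold (default 4),
# so a threshold of 6 or more would silently defeat the rules above
$threshold = (Get-OrganizationConfig).SCLJunkThreshold
if ($threshold -ge 6) {
    Write-Warning "SCLJunkThreshold is $threshold; SCL 6 will not reach the Junk folder"
}

# Bulk mail verdicts (BCL:n) are stamped in X-Microsoft-Antispam; add a rule on
# that header in the same way if bulk mail should also land in Junk

# Verify all three rules are enabled and bound to the EOP header
Get-TransportRule |
    Where-Object { $_.HeaderContainsMessageHeader -eq 'X-Forefront-Antispam-Report' } |
    Format-Table Name, State, HeaderContainsWords, SetSCL
```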
12
Architecture With Edge Role
- Exchange Edge Role servers are supported
- Ensure that any certificate on the Edge Server is not the same as the certificate on the Exchange Servers running the transport roles (2010), the CAS role (2013) or the mailbox role (2016). A certificate clash causes issues for EdgeSync
- Exchange Server 2010 Edge Roles might need X-ORG header support to ensure the correct directional flow of email:

    Set-ReceiveConnector *def* -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol -Fqdn <fqdnFromTheInboundReceiveConnectorOnTheHubTransportServer>
13
Configuring Your MX Record
- Standalone EOP assumes the MX goes to tenant-com.mail.protection.outlook.com
- This hostname is hosted in regional datacenters based on your original Office 365 tenant registration address. Your EOP server address only ever resolves to your region
- Previous versions of the hostname looked like "mail.messaging.microsoft.com" and could route out of region
- Don't have any other MX records
- Testing: use conditional routing in another system first
14
Recipients
15
Initial Recipient Management
- Initial setup creates your Office 365 tenant, your tenant address (tenant.onmicrosoft.com) and your Azure Active Directory
- Domain verification is required to add your custom domain, which results in Internal Relay domains in Exchange Online Protection
- Internal Relay means EOP will route via connectors that you need to create for any domains that you have registered
16
Recipient Management: Add Recipients
- Manually: New-EOPMailUser
- Or automatically with AADConnect
- If Azure Active Directory contains all your recipients then you can change your domain to Authoritative
- Authoritative domains result in EOP blocking email to unknown recipients
17
Recipient Management Considerations
- Mail-enabled Public Folders: ensure you are using the required version of AADConnect or later and sync public folder objects. You need to enable the sync of mail-enabled public folder objects
- Dynamic Distribution Groups are not synced to Azure AD
- If on-premises Exchange is also Internal Relay and there are multiple discrete systems in place, be careful of internal relay mail loops
18
AADConnect
19
Why Use AADConnect
- Outlook safe sender and blocked sender lists honoured
- Directory Based Edge Blocking (DBEB) is more likely to work
- End user spam quarantine: AADConnect sign-in options
- Transport Rules: users and groups are automatically uploaded, so transport rules can use this information without you making them again manually
20
Spam and Malware Filtering
21
Inside Exchange Online Protection
Email is routed to the datacenter based on MX-record resolution. Inside EOP it is processed by:
- Connection Filtering
- Anti-Malware
- Safe Links (ATP)
- Content Filtering
- Detonation Chamber (ATP)
- Optional Quarantine
- Transport Rules: Policy Filtering/DLP
22
Anti-Spam Considerations
- Chaining SMTP relay providers results in less information being available to EOP's machine learning engines for filtering
- EOP will turn off some of its filtering if it detects an upstream filter
- MX to on-premises, avoiding direct delivery to EOP: firewall rules are important, and message headers can be used to identify the mail flow route
- Ensure reputation filtering at the network edge: the first hop needs to filter spam and malware
- Stamp 3rd-party filtered emails and have EOP process them
23
Exchange Online Hybrid Mode
- Hybrid is likely when you have Exchange Online mailboxes and Exchange Server on-premises
- All email to an Exchange Online mailbox goes through EOP: no direct delivery, even with hybrid
- Therefore configure hybrid properly to ensure internal email is treated as internal
24
Other Connectors
- Partner: inbound and outbound from EOP with special considerations such as TLS and 3rd-party filtering services
- Internet: creating your own connector is not required
- Other On-Premises Sites: standard connectors route based on choosing the best one; conditional connectors (with rules) can be used for more control
- Multifunction devices, such as printers and scanners: for Exchange Online Protection, configure the device to talk to on-premises servers
25
Administration
26
Administration
- Exchange Control Panel
- Security and Compliance Center
- Remote PowerShell into Exchange Online Protection
- Multi-Factor Authentication: download the Exchange Online/EOP PowerShell module from the hybrid page on the Exchange Control Panel
27
Exchange Admin Center https://admin.protection.outlook.com/ecp
28
Exchange Admin Center: Recipients
- Add via the contacts menu under Recipients: Mail Users created here sync back to Azure AD so the user can log in to the Office 365 portal, including EOP Quarantine
- Add via AADConnect: this manages all the attributes required, gives authentication options for same and single sign-on (SSO), and syncs junk safe and block lists from on-premises to EOP so they can be acted upon by the EOP filters
29
Security and Compliance Center
- Quarantine
- DKIM
- Anti-Malware
- Mail Filtering
30
Threat Protection Updates
Friday, BRK2090, 12:30 – 1:45, OCCC West 315: Threat Protection Updates
31
Remote PowerShell
32
Remote PowerShell
- The new Exchange Online Remote PowerShell, which supports MFA logins (OAuth / Modern Auth): support rolling out now
- The classic PowerShell with remote connection script: uses a different endpoint than Exchange Online remote sessions; does not support login with MFA-requiring admin accounts

    # Classic (basic-auth) remote session; the endpoint URI did not survive extraction
    $cred = Get-Credential
    $ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <EOP-remote-PowerShell-endpoint-URI> -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $ExchangeSession
33
Remote PowerShell

    # -Password expects a SecureString; the slide passed a plain string.
    # The MicrosoftOnlineServicesID and external address values did not survive extraction.
    New-EOPMailUser -LastName Shaw -FirstName John -DisplayName 'John Shaw' -Name 'John Shaw' -Alias john -MicrosoftOnlineServicesID <UPN> -ExternalEmailAddress <external SMTP address> -Password (ConvertTo-SecureString 'NotAStrongPassword1' -AsPlainText -Force)

OR New-MailUser when using MFA-based Remote PowerShell. New-MailUser for Premium EOP, New-EOPMailUser for standalone EOP.
34
Remote PowerShell

    # The slide gave the name both positionally and as -Name, which fails; the primary SMTP address did not survive extraction
    New-EOPDistributionGroup -Name "All Staff" -Type Distribution -DisplayName "All Staff" -Alias allstaff -Members mary,joas -PrimarySmtpAddress <allstaff@domain>

OR New-DistributionGroup when using MFA-based Remote PowerShell and EOP Premium.
35
Additional EOP Features
- Office 365 Advanced Threat Protection: available as an add-on to EOP. Scans attachments for unknown malware and rewrites links; protects links in Office documents; adds protection to OneDrive, SharePoint and Teams in the next few months
- Enabling Directory Based Edge Blocking: will block recipients unknown to EOP
- Changes to SPF: include your on-premises IP(s) in the SPF record
- Data Loss Prevention
36
Advanced EOP Settings: the ability to increase spam scores for given features found in the email: image links; numeric IPs; URL redirect to another port; URL to .biz or .info; empty messages; script; frames; object tags; form tags; web bugs; sensitive word lists; SPF hard fail; bulk mail; and backscatter and blocklists
37
Mail Security Settings
Tomorrow during THR2063, 10:50am for 20 minutes, OCCC South – Expo Theater #4
- Sender Policy Framework (SPF): add your on-premises public IP to SPF
- DKIM: ensure custom domains are enabled for DKIM (New-DKIMSigningConfig)
- DMARC
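An added PowerShell example (not from the deck) for the SPF and DKIM points above: enabling DKIM signing for a custom domain from the EOP remote session and composing an SPF record that includes the on-premises public IP. contoso.com and 203.0.113.5 are placeholders.

```powershell
$domain = 'contoso.com'

# DKIM: create the signing configuration if missing, otherwise make sure it is enabled
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $true
} else {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
}
# selector1._domainkey and selector2._domainkey must be published as CNAMEs
# pointing at these values before signing actually takes effect
Get-DkimSigningConfig -Identity $domain | Format-List Enabled, Selector1CNAME, Selector2CNAME

# SPF: the on-premises public IP sits alongside the EOP include, as the slide says;
# "-all" is a hard fail, which EOP can score on (see Advanced EOP Settings)
$onPremIp = '203.0.113.5'
$spf = "v=spf1 ip4:$onPremIp include:spf.protection.outlook.com -all"
"Publish as a TXT record at ${domain}: $spf"

# Compare with what is currently published before changing DNS
Resolve-DnsName -Name $domain -Type TXT |
    Where-Object { $_.Strings -like 'v=spf1*' } |
    Select-Object -ExpandProperty Strings
```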
38
Threat Management: a separate add-on to EOP
- Proactively uncover and protect against advanced threats by analyzing billions of data signals across Office consumer and commercial services
- A dashboard with insights to investigate malware, sources and targets
39
Call To Action
Current biggest risk and #1 support call generator: Phish > Compromised Account > Mail Forwarding > Spoof
- Ensure your connectors are correct and working
- Use AADConnect to sync users and block lists
- Enable backscatter protection if you are an EOP-only user
40
Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
42
Troubleshooting

    Reason: [{LED= Certificate validation failed [Message=SubjectMismatch] [LastAttemptedServerName=eopex1.ukwest.cloudapp.azure.com] [LastAttemptedIP= :25] [LO2GBR01FT006.eop-gbr01.prod.protection.outlook.com]};{MSG=SubjectMismatch};{FQDN=eopex1.ukwest.cloudapp.azure.com};{IP= };{LRT=9/20/2017 1:1. OutboundProxyTargetIP: OutboundProxyTargetHostName: eopex1.ukwest.cloudapp.azure.com

- The connector is expecting to see the endpoint with a certificate, and that certificate needs to match the value of TlsDomain because TlsSettings = DomainValidation
- The certificate on the receiving connector is not valid, so mail flow is held. Either fix the certificate or downgrade the connector to Opportunistic TLS
43
Troubleshooting

    Get-Queue | fl *error*
    LastError : [{LED= Target host responded with error. -> Certificate validation failure, Reason:SubjectMismatch};{MSG=};{FQDN=ignitedemo-co-uk.mail.protection.outlook.com};{IP= };{LRT=9/20/2017 5:14:58 PM}]

- The outbound connector on-premises was set to require a certificate that was not mail.protection.outlook.com
- Ensure the right connector is being used and the right TLS settings are in place
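Both troubleshooting slides come down to a SubjectMismatch: the certificate presented on STARTTLS does not match what the connector's TlsDomain or TlsCertificateName demands. The added helper below (my own PowerShell, not from the deck) opens a SMTP session to an endpoint, issues STARTTLS and reports the certificate it receives, so it can be compared with the connector settings on either side; the hostnames and the EHLO name are placeholders, and certificate validation is disabled on purpose because the point is to inspect the certificate, not to trust it.

```powershell
function Get-SmtpStartTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 25,
          [string]$EhloName = 'diag.contoso.com')   # assumed local EHLO name
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $stream = $client.GetStream()
    $reader = [System.IO.StreamReader]::new($stream)
    $writer = [System.IO.StreamWriter]::new($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    # SMTP replies can span lines: continuation lines have '-' after the 3-digit code
    $readReply = { do { $l = $reader.ReadLine() } while ($l -and $l.Length -gt 3 -and $l[3] -eq '-'); $l }
    $null = & $readReply                                   # 220 banner
    $writer.WriteLine("EHLO $EhloName"); $null = & $readReply
    $writer.WriteLine('STARTTLS')
    $reply = & $readReply
    if ($reply -notlike '220*') { $client.Close(); throw "STARTTLS refused: $reply" }
    # Validation callback always returns $true: we are inspecting, not trusting
    $ssl = [System.Net.Security.SslStream]::new($stream, $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Close() }
    [pscustomobject]@{
        Host               = $HostName
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        # same <I>Issuer<S>Subject form as TlsCertificateName on a send connector
        SmtpX509Identifier = "<I>$($cert.Issuer)<S>$($cert.Subject)"
        # DomainValidation checks TlsDomain against these names (wildcards aside)
        DnsNames           = $cert.DnsNameList.Unicode
    }
}

# Outbound from on-premises: the EOP endpoint should present a mail.protection.outlook.com name
Get-SmtpStartTlsCertificate -HostName 'contoso-com.mail.protection.outlook.com'
# Inbound from EOP: what the on-premises endpoint presents, to compare with the
# EOP outbound connector's TlsDomain
Get-SmtpStartTlsCertificate -HostName 'mail.contoso.com'
# The on-premises queue error for the EOP next hop, as on the slide
Get-Queue | Where-Object { $_.LastError } | Format-List Identity, NextHopDomain, LastError
```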
44
Troubleshooting Mail Flow and Headers
45
Remote PowerShell Troubleshooting
- PowerShell with MFA is currently rolling out for Standalone EOP
- It works for EOP subscriptions where mailboxes exist in the cloud (some E1 or higher licences) or for Premium EOP licences