Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exchange Online Protection for Exchange On-Premises

Published byFlora O’Brien’ Modified over 7 years ago

Similar presentations

Presentation on theme: "Exchange Online Protection for Exchange On-Premises"— Presentation transcript:

1 Exchange Online Protection for Exchange On-Premises
BRK3262 Exchange Online Protection for Exchange On-Premises Brian Reid | NBConsult Microsoft Office Servers and Services MVP Exchange Server Microsoft Certified Master

2 Exchange Online Protection
Microsoft’s cloud based anti-malware and anti-spam scanning service Sits in front of all Outlook.com and Office 365 mailboxes Cannot bypass EOP for inbound or outbound with a cloud mailbox Can be used for on-premises and cloud mailboxes

3 Purchase Options for EOP
Standalone Exchange Online Exchange Enterprise CAL with Services Standalone Trial available (30 days)

4 Setup and EOP Mail Flow

5 How Exchange Online Protection Mail Flow Works
Ongoing Administration Spam and Malware Protection Recipient Management MX Record Considerations Mail Flow and Routing Domains

6 Domain Support An Office 365 registered domain is required for EOP to route for that domain Therefore initial setup requires that you register and verify your domain(s) needed for mail flow in the Office 365 portal Note: you don’t need all the DNS records listed in portal Domains are added to Exchange Online Protection as Internal Relay

7 Inbound Mail Flow EOP routes to your on-premises environment via outbound connectors Your on-premises system receives via one or more anonymous receive connectors You do not need to configure both inbound and outbound mail flow at the same time

8 Outbound Mail Flow On-premises servers route to EOP for delivery to the internet by utilising a smarthost. In Exchange, that is a send connector for the * address space Use the same address as the MX record is for the internet as smarthost value Configure an inbound connector in Exchange Online Protection to receive s from on-premises Configure connector to accept only from your on-premises TLS certificate OR, configure to receive from your IP range EOP will scan for outbound spam and route to internet via EOP published IP ranges for or the unpublished “high risk pool” of IP addresses for identified spam

9 EOP Routing EOP To/From Internet connector No connector is needed
MX points to Exchange Online Protection EOP Inbound connector ConnectorType: OnPremises RequireTLS: True TlsSenderCertificateName: verifieddomain.com [OR] if no certificate on-premises, use on-premises IP address to set restriction (restrictions apply) Users added to EOP contoso.com = Internal Relay EOP Outbound connector SmartHosts: on-premises endpoint ConnectorType: OnPremises CloudServicesMailEnabled: True AllAcceptedDomains: True (can select specific RecipientDomains instead) TlsDomain: null TlsSettings: EncryptionOnly (aka Opportunistic TLS) or CertificateValidation or DomainValidation

10 On-Premise Routing MX points to Exchange Online Protection
On-Premises Send Connector AddressSpace: * RequireTLS: True TlsCertificateName: <I>Issuer<S>Subject TlsAuthLevel: EncryptionOnly, CertificateValidation or DomainValidation [OR] if no certificate on-premises, ensure routing is via a dedicated IP address (restrictions apply) On-Premises Receive connector Source IP Address: EOP IP Range Firewall: TCP 25 open to server Authentication: Anonymous Allow TLS support (opportunistic) [optional] Publish FQDN in public DNS [optional] Use a load balancer or multiple IP addresses

11 Final Exchange Online Protection Setup
Firewall Block inbound TCP 25 except from EOP Get-HybridMailFlowDatacenterIPs if you have an Exchange Online licence Spam to Junk folder Create three transport rules in on-premises Exchange to route detected spam s to the users junk folder Consider the bulk mail options as well Change your MX record and outbound mail flow both to EOP

12 Architecture With Edge Role
Exchange Edge Role Servers are supported Ensure that any certificate on Edge Server is not the same as the certificate on the Exchange Servers running the transport roles (2010) or CAS role (2013) or mailbox role (2016). Certificate clash causes issues for EdgeSync Exchange Server 2010 Edge Roles might need X-ORG header support To ensure correct directional flow of Set-ReceiveConnector *def* -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol -Fqdn <fqdnFromTheInboundReceiveConnectorOnTheHubTransportServer>

13 Configuring Your MX Record
Standalone EOP assumes MX goes to tenant-com.mail.protection.outlook.com This URL is hosted in regional datacenters based on your original Office 365 tenant registration address. Your EOP server address only ever resolves to your region Previous versions of the URL look like “mail.messaging.microsoft.com” and could route out of region Don’t have any other MX records Testing: Use conditional routing in another system first

14 Recipients

15 Initial Recipient Management
Initial setup creates your Office 365 tenant, your tenant address (tenant.onmicrosoft.com) and your Azure Active Directory Domain verification is required to add your custom domain, which results in Internal Relay domains in Exchange Online Protection Internal Relay means EOP will route via connectors that you need to create for any domains that you have registered

16 Recipient Management Add recipients
Manually – New-EOPMailUser Or automatically with AADConnect If Azure Active Directory contains all your recipients then you can change your domain to authoritative Authoritative domains result in EOP blocking to unknown recipients

17 Recipient Management Consideration
Mail Enabled Public Folders Ensure you are using version of AADConnect or later and sync public folder objects You need to enable the sync of mail enbled public folder objects Dynamic Distribution Groups are not synced to Azure AD If on-premises Exchange is also internal relay and there are multiple discrete systems in place Be careful of internal relay mail loops

18 AADConnect

19 Why Use AADConnect Outlook safe sender and blocked sender lists honored Directory Based Edge Blocking (DBEB) is more likely to work End user spam quarantine – AADConnect sign-in options Transport Rules Users and groups automatically uploaded, so transport rules can use this information without you making them again manually

20 Spam and Malware Filtering

21 Inside Exchange Online Protection
Content Filtering Detonation Chamber (ATP) Optional Quarantine Transport Rules – Policy Filtering/DLP is routed to the datacenter, based on MX-record resolution Connection Filtering Anti-Malware Safe Links (ATP)

22 Anti-Spam Considerations
Chaining SMTP relay providers results in less information available to EOP’s machine learning engines for filtering EOP will turn of some of its filtering if it detects an upstream filter MX to on-premises and avoiding direct delivery to EOP Firewall rules are important message headers can be used to identify mail flow route Ensure reputation filtering at network edge First hop needs to filter spam and malware Stamp 3rd party filtered s and have EOP process them

23 Exchange Online Hybrid Mode
Hybrid is a likelihood when you have Exchange Online mailboxes and Exchange Server on-premises All to an Exchange Online mailbox goes through EOP – no direct delivery even with hybrid Therefore configure hybrid properly to ensure internal is treated as internal

24 Other Connectors Partner Internet Other On-Premises Sites
Inbound and outbound from EOP with special considerations such as TLS and 3rd party filtering services Internet Creating your own connector is not required Other On-Premises Sites Standard connectors route based on choosing the best one Conditional connectors (with rules) can be used for more control Multifunction devices, such as printers and scanners For Exchange Online Protection, configure device to talk to on-premises servers

25 Administration

26 Administration Exchange Control Panel Security and Compliance Center
Remote PowerShell into Exchange Online Protection Multi-Factor Authentication Download the Exchange Online/EOP PowerShell module from the hybrid page on the Exchange Control Panel

27 Exchange Admin Center https://admin.protection.outlook.com/ecp

28 Exchange Admin Center Recipients
Add via the contacts menu under recipients Mail Users created here sync back to Azure AD so user can login to Office 365 portal including EOP Quarantine Add via AADConnect This manages all the attributes required, gives authentication options for same and single sign-on (SSO) and syncs junk safe and block lists from on-premises to EOP so they can be acted upon by the EOP filters

29 Security and Compliance Center
Quarantine Dkim Anti-Malware Mail Filtering

30 Threat Protection Updates
Friday BRK2090 12:30 – 1:45 OCCC West 315 Threat Protection Updates

31 Remote PowerShell

32 Remote PowerShell The new Exchange Online Remote PowerShell
Which supports MFA logins (OAuth / Modern Auth) – support rolling out now The classic PowerShell with remote connection script Uses a different endpoint than Exchange Online remote sessions Does not support login with MFA requiring admin accounts $ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $ExchangeSession

33 Remote PowerShell New-EOPMailUser -LastName Shaw -FirstName John -DisplayName 'John Shaw' -Name 'John Shaw' -Alias john -MicrosoftOnlineServicesID -External Address -Password 'NotAStrongPassword1' OR New-MailUser when using MFA based Remote PowerShell New-MailUser for Premium EOP, New-EOPMailUser for standalone EOP

34 Remote PowerShell New-EOPDistributionGroup "All Staff" -Type Distribution -DisplayName "All Staff" -Name "All Staff" -Alias allstaff -Members mary,joas -PrimarySmtpAddress OR New-DistributionGroup when using MFA based Remote PowerShell and EOP Premium

35 Additional EOP Features
Office 365 Advanced Threat Protection Available as an add-on to EOP. Scans attachments for unknown malware and rewrites links Protects links in Office documents Adds protection to OneDrive, SharePoint and Teams in the next few months Enabling Directory Based Edge Blocking Will block recipients unknown to EOP Changes to SPF Include your on-premises IP(s) in SPF record Data Loss Prevention

36 Advanced EOP Settings The ability to increase spam scores for given features found in the Image links; numeric IP’s; URL redirect to other port; URL to .biz or .info; empty messages; script; frames; object tags; form tags; web bugs; sensitive word lists; SPF hard fail; bulk mail; and backscatter and blocklists

37 Mail Security Settings
Tomorrow during THR2063 10:50am for 20 minutes OCCC South – Expo Theater #4 Sender Policy Framework (SPF) Add your on-premises public IP to SPF DKIM Ensure custom domains are enabled for DKIM (New-DKIMSigningConfig) DMARC

38 Threat management A separate add-on to EOP
Proactively uncover and protect against advanced threats by analyzing billions of data signals across Office consumer and commercial services A dashboard with insights to do investigation of malware, sources and targets

39 Call To Action Current biggest risk and #1 support call generator:
Phish > Compromised Account > Mail Forwarding > Spoof Ensure your connectors are correct and working Use AADConnect to sync users and block lists Enable backscatter protection if EOP only user

40 Please evaluate this session
Tech Ready 15 4/13/2018 Please evaluate this session From your Please expand notes window at bottom of slide and read. Then Delete this text box. PC or tablet: visit MyIgnite Phone: download and use the Microsoft Ignite mobile app Your input is important! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

41

42 Troubleshooting Reason: [{LED= Certificate validation failed [Message=SubjectMismatch] [LastAttemptedServerName=eopex1.ukwest.cloudapp.azure.com] [LastAttemptedIP= :25] [LO2GBR01FT006.eop-gbr01.prod.protection.outlook.com]};{MSG=SubjectMismatch};{FQDN=eopex1.ukwest.cloudapp.azure.com};{IP= };{LRT=9/20/2017 1:1. OutboundProxyTargetIP: OutboundProxyTargetHostName: eopex1.ukwest.cloudapp.azure.com Connector is expecting to see the endpoint with a certificate, and that certificate needs to match the value of TlsDomain because and TlsSettings = DomainValidation The certificate in the receiving connector is not valid, so mail flow is held. Either fix certificate or downgrade connector to Opportunistic TLS

43 Troubleshooting Get-Queue | fl *error*
LastError : [{LED= Target host responded with error. -> Certificate validation failure, Reason:SubjectMismatch};{MSG=};{FQDN=ignitedemo-co-uk.mail.protection.outlook.com};{IP= };{LRT=9/20/2017 5:14:58 PM}] Outbound connector on premises was set to require a certificate that was not mail.protection.outlook.com Ensure the right connector is being used and the right TLS settings are in place

44 Troubleshooting Mail Flow and Headers

45 Remote PowerShell Troubleshooting
PowerShell with MFA is currently rolling out for Standalone EOP It works for EOP subscriptions where mailboxes exist in the cloud (some E1 or higher licences) or for Premium EOP licences Remote PowerShell Troubleshooting

Download ppt "Exchange Online Protection for Exchange On-Premises"

Similar presentations

Used by many 100,000s of customers Used by many 10,000,000s of users Processing Billions of emails a day Using Thousands of servers Across dozens of.

Used by many 100,000s of customers Used by many 10,000,000s of users Processing Billions of s a day Using Thousands of servers Across dozens of.
Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.

Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.
What’s New in Exchange Online. Disclaimer This presentation contains preliminary information that may be changed substantially prior to final commercial.

What’s New in Exchange Online. Disclaimer This presentation contains preliminary information that may be changed substantially prior to final commercial.
SIM309. Connection Analysis (IP-based edge blocks) Reputation Analysis Connection Filtering Protect businesses from receiving email–borne viruses.

SIM309. Connection Analysis (IP-based edge blocks) Reputation Analysis Connection Filtering Protect businesses from receiving –borne viruses.
On-premises Exchange Online Protection Office 365 Directory Sync Secure mail flow Existing email environment.

On-premises Exchange Online Protection Office 365 Directory Sync Secure mail flow Existing environment.
Protect communications Conditions Actions Exceptions Conditions Actions Exceptions.

Protect communications Conditions Actions Exceptions Conditions Actions Exceptions.
Success through People with LinkedIn and O365

Success through People with LinkedIn and O365
How to Implement Exchange Online Protection (EOP)

How to Implement Exchange Online Protection (EOP)
Office 365 Migration – Understanding Migrations Part 1

Office 365 Migration – Understanding Migrations Part 1
Recording Brief EMS Partner Bootcamp Variables Values Module Title

Recording Brief EMS Partner Bootcamp Variables Values Module Title
9/12/2018 6:21 PM BRK2203 Protect and control your sensitive emails with new Office 365 Message Encryption capabilities Praveen Vijayaraghavan Principal.

9/12/2018 6:21 PM BRK2203 Protect and control your sensitive s with new Office 365 Message Encryption capabilities Praveen Vijayaraghavan Principal.
Successfully migrate existing databases to Azure SQL Database

Successfully migrate existing databases to Azure SQL Database
Deploy and get started with Microsoft Advanced Threat Analytics

Deploy and get started with Microsoft Advanced Threat Analytics
Enterprise Security in Practice

Enterprise Security in Practice
5/21/2018 9:40 PM BRK3021 Learn about modern infrastructure roles in RDS: Next generation Windows desktop & app virtualization Clark Nicholson - Principal.

5/21/2018 9:40 PM BRK3021 Learn about modern infrastructure roles in RDS: Next generation Windows desktop & app virtualization Clark Nicholson - Principal.
Building Compliant Team Sites

Building Compliant Team Sites
5/29/2018 1:51 AM THR2071 Managing enterprise applications, permissions, and consent in Azure Active Directory Adam Steenwyk & Jeff Sakowicz Program Managers.

5/29/2018 1:51 AM THR2071 Managing enterprise applications, permissions, and consent in Azure Active Directory Adam Steenwyk & Jeff Sakowicz Program Managers.
Cloud Security IS Application-Centric Security

Cloud Security IS Application-Centric Security
Office 365 mail flow insights

Office 365 mail flow insights
6/5/2018 1:30 PM THR1029 Spend less time managing data and more time with customers: Quick tour of Outlook Customer Manager Welly Lee Welly.Lee@microsoft.com.

6/5/2018 1:30 PM THR1029 Spend less time managing data and more time with customers: Quick tour of Outlook Customer Manager Welly Lee

Similar presentations

Ads by Google