Post on 10-Apr-2017
Peter Schmidt, Solution Architect, EG A/S
Exchange Online Protection: Introduction and Architecture
© EG A/S 2
About me
Peter Schmidt, Solution Architect, EG A/S
Expertise: Office 365, Exchange, Skype for Business, Microsoft Azure, ADFS, PKI
Microsoft MVP: Exchange; MCM: Exchange; MCSE: Messaging; MCSA: Office 365; MCSE: Server Infrastructure; MCSE: Public Cloud
Contact me: E-mail: pesch@eg.dk, Blog: www.msdigest.net, Twitter: @petsch, Phone: +45 7260 2775 / +45 2080 9436
Agenda
Introduction to Exchange Online Protection
EOP Architecture
Deployment
Best Practices
Summary
Q&A
Introduction to Exchange Online Protection
Stop viruses and malware: multi-engine malware protection; continuously evolving anti-spam protection
Protect sensitive data: Data Loss Prevention features; encryption of sensitive email
Common administration console: Office 365 integration; detailed reporting
Enterprise class reliability: geographically load-balanced datacenters; queuing capabilities to help ensure no mail is lost; 24x7x365 Microsoft Support; $$$ backed SLA
Exchange Online Protection (EOP)
Mail Delivery
• 99.999% EOP uptime
• Geo-redundant network
• 24/7 live phone and web technical support
• Message queuing for 2 days if the customer server is unresponsive
Filtering Performance
• 100% known virus detection (active payload)
• 99% spam detection rate
• False positive ratio of less than 1:250,000 messages
EOP Service Level Agreements
EOP Architecture
EOP Conceptual Diagram: Corporate Network <-> EOP. On-premises server, with inbound and outbound email filtered through EOP.
Works with any SMTP email platform!
Every Office 365 customer is an EOP customer
Easy transition from EOP stand-alone to Office 365
EOP Deployment scenarios
Deployment scenario diagram: On Premise Corporate Network <-> EOP <-> O365 Exchange Online
EOP Inbound filtering
Email is routed to EOP DCs based on MX record resolution (contoso-com.mail.protection.outlook.com)
IP-based edge blocking: reputation blocking
Virus scanning: AV Engine 1, AV Engine 2, AV Engine 3
Policy enforcement: custom rules
SPAM protection: safe sender/recipient, content scanning and heuristics, bulk mail filtering, SPF & Sender ID filter, quarantine (*international spam*)
Advanced SPAM management: customer feedback (false +ve / -ve), spam analysts, regular expressions, URL block lists, envelope blocks, Forefront blocks, allows/rejects
Delivery to the corporate network
EOP Outbound filtering
Corporate network -> Virus scanning (AV Engine 1, AV Engine 2, AV Engine 3) -> Policy enforcement (custom rules, quarantine) -> SPAM protection (content scanning and heuristics, advanced SPAM management, spam analysts) -> delivery pools -> Internet
Delivery pools: Outbound Pool (low score), High Risk Delivery Pool (high score), Bulk Delivery Pool (bulk mail)
Email Encryption
Anti-spam
• Phishing Campaigns
• Spear Phishing (APT)
• Bulk Mail
• Backscatter
• Malware Distribution
• Image Spam
Different Types of SPAM
1. Connection filtering - blocks up to 80% of all spam based on IP block/allow lists.
2. Sender-Recipient filtering - blocks up to 15% of all spam based on internal lists and sender reputation.
3. Content filtering - blocks up to 5% of all spam based on internal lists and heuristics.
Multi-layered anti-spam protection
Connection filtering: static IP allow/block list; opt-in to Microsoft-maintained reputable sender list
Content spam categories: obvious spam; high confidence spam
Content filtering actions: Delete, Quarantine, Add X-Header, Modify Subject, Redirect
Granular anti-spam filtering controls
Block external threats quickly: advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time.
Enable more control: mark all bulk messages as spam; block unwanted email based on language or geographic origin
Block email based on language
Block email based on geography
Effective spam blocking
• Suspect junk mail by default goes to the Outlook junk mail folder.
• Uses Outlook safe senders and block lists.
• SPAM Quarantine was until now available to administrators only. End user quarantine rolled out NOW!
• Email Spam Notification for the end-users
Junk mail management
End User Quarantine
• End users can release from quarantine
• Report spam / not spam
Quarantine
Set Frequency from 1-15 days
End User Spam Notification
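The controls on the preceding slides (connection-filter lists and safe list, content-filter actions per spam category, bulk mail as spam, language and geography blocks, end-user spam notification frequency) are all exposed through Exchange Online PowerShell. The following is an added example, not code from the deck or from Microsoft; it assumes an Exchange Online PowerShell session is already connected and that you are editing the policy named Default. The IP ranges, the language code and the country code are constructed placeholders.

```powershell
# Added example, not from the deck: the anti-spam controls the slides list, set with
# Exchange Online PowerShell. Assumes a connected Exchange Online session and the policy
# named 'Default'. The IP ranges, language and country codes are constructed placeholders.

# Connection filtering: static IP allow/block lists and the opt-in Microsoft safe list.
# Lists take single IPs or CIDR ranges; prefer IP over domain, as the best-practice slide says.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @('203.0.113.10', '203.0.113.16/28') `
    -IPBlockList @('198.51.100.0/24') `
    -EnableSafeList $true

# Content filtering: per-category actions, bulk mail treated as spam, language and region
# block lists, and end-user spam notifications (frequency is 1-15 days).
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -MarkAsSpamBulkMail On `
    -EnableLanguageBlockList $true -LanguageBlockList @('ja') `
    -EnableRegionBlockList $true -RegionBlockList @('JP') `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 3

# Verify the effective settings before pointing production MX records at EOP.
Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List IPAllowList, IPBlockList, EnableSafeList
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, MarkAsSpamBulkMail,
                LanguageBlockList, RegionBlockList, EndUserSpamNotificationFrequency
```

The example deliberately leaves the content filter's advanced options (the MarkAsSpam* switches) at their defaults, in line with the best-practice slide that warns against enabling all of them out of the box; turn individual ones on only after watching the false-positive rate on a test or low-volume domain.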
False Negatives and False Positives
Outlook Junk Mail Reporting Tool for missed spam: http://www.microsoft.com/en-us/download/details.aspx?id=18275
Send spam email as an attachment to abuse@messaging.microsoft.com
Send false positive messages to false_positive@messaging.microsoft.com
Deployment
Standalone: all mailboxes are located on-premises; purchasable on its own or as part of Exchange Enterprise CAL with Services
Fully hosted: all mailboxes are hosted in the cloud with Microsoft Exchange Online; Exchange Online license
Hybrid: some mailboxes are hosted in Exchange Online and some mailboxes on-premises; Exchange Online license
EOP deployment scenarios
Overview of the deployment process
Step 1: Verify prerequisites
Step 2: Configure mail flow (connectors)
Step 3: Add and validate domains
Step 4: Customize spam and policy settings
Step 5: Enable mail flow
Step 6: Monitor and fine tune
Applicable to all scenarios: Office 365 tenant (name.onmicrosoft.com); EOP licenses (ExO or EOP Standalone); domain to migrate; modern web browser to access the Office 365 portal
Applicable to Standalone or Hybrid scenarios: inbound and outbound public IP addresses; open port 25 to Exchange Online Protection IP addresses; information on TLS policy, attachment handling, junk folder use, etc.; DirSync may require additional hardware
Prerequisites
Standalone: create an EOP outbound connector to deliver mail on-premises; create an EOP inbound connector to accept mail from on-premises; create an on-premises send connector to send outgoing mail to EOP
Hybrid: hybrid mail flow is best configured using the Hybrid Configuration Wizard
Optional for all scenarios: create connectors for forced TLS to third parties; create connectors for customized mail routing
Configure mail flow
Connector diagram: On-Prem Mail Environment <-> Exchange Online Protection via an Outbound Connector and an Inbound Connector; Exchange Online Protection <-> Partner Environment via an Outbound TLS Connector and an Inbound TLS Connector.
EOP connectors between on-premises and EOP need to be created
*Additional connectors can be created between EOP and partners to force TLS
Configure mail flow (connectors)
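The standalone connector set described above (EOP to on-premises, on-premises to EOP, and the optional forced-TLS partner pair), written as an added Exchange Online PowerShell example that is not from the deck or from Microsoft. It assumes a connected Exchange Online session; contoso.com, mail.contoso.com, partner.example and mail.partner.example are placeholders for your accepted domain, your on-premises gateway and the partner's domain and certificate name. The inbound connector is created disabled, as the best-practice slide recommends, and enabled only at cutover.

```powershell
# Added example, not from the deck: standalone-scenario connectors in Exchange Online PowerShell.
# Assumes a connected Exchange Online session. All host and domain names are placeholders.

# EOP -> on-premises: deliver mail for the accepted domain to the on-premises smart host and
# require a valid certificate on that host instead of falling back to clear text.
New-OutboundConnector -Name 'EOP to on-premises' `
    -ConnectorType OnPremises `
    -RecipientDomains 'contoso.com' `
    -SmartHosts 'mail.contoso.com' `
    -UseMXRecord $false `
    -TlsSettings CertificateValidation

# On-premises -> EOP: accept outbound mail only from the gateway that presents your
# certificate. Created disabled until the MX cutover (best-practice slide).
New-InboundConnector -Name 'On-premises to EOP' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -RequireTls $true `
    -TlsSenderCertificateName 'mail.contoso.com' `
    -RestrictDomainsToCertificate $true `
    -Enabled $false

# Optional: force TLS with a partner in both directions, validating the partner's certificate.
New-OutboundConnector -Name 'Forced TLS to partner' `
    -ConnectorType Partner `
    -RecipientDomains 'partner.example' `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain 'mail.partner.example'

New-InboundConnector -Name 'Forced TLS from partner' `
    -ConnectorType Partner `
    -SenderDomains 'partner.example' `
    -RequireTls $true `
    -TlsSenderCertificateName 'mail.partner.example'

# At cutover (Step 5 of the deployment process), switch the on-premises inbound connector on.
Set-InboundConnector -Identity 'On-premises to EOP' -Enabled $true
```

Pair this with the on-premises side: a send connector that routes outgoing mail to your tenant's EOP smart host, and a firewall rule that restricts inbound port 25 to the EOP IP ranges, which is the other half of the "restrict inbound SMTP access" advice on the best-practices slide.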
TLS scenario
Prior to EOP: Contoso (cert CN = mail.contoso.com) <-> Fabrikam (cert CN = mail.fabrikam.com)
With EOP (Fabrikam uses EOP): Contoso (cert CN = mail.contoso.com) <-> EOP (cert CN = mail.protection.outlook.com on both hops) <-> Fabrikam (cert CN = mail.fabrikam.com)
Configure mail flow (connectors)
Multi-region connector diagram: Exchange Online Protection with one outbound connector per region (Outbound Connector 1, 2 and 3) to On-Prem Mail APAC, On-Prem Mail AMER and On-Prem Mail EMEA, and a single Inbound Connector 1 from on-premises into EOP.
Policies
Anti-spam, anti-malware and DLP controls integrated into the Exchange Admin Center and Office 365.
• What it does
  • Blocks messages to invalid recipients at the EOP edge
  • Beneficial to organizations with on-premises mailboxes
• Configuration
  • The EAC exposes two domain types:
    • Authoritative - all email for unknown recipients is rejected. Setting this domain type enables DBEB.
    • Internal relay - email is delivered to recipients in your org or relayed to another email server.
  • To enable DBEB, set the domain to be AUTHORITATIVE.
Directory Based Edge Blocking
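An added Exchange Online PowerShell example (not from the deck) that reports which accepted domains currently have DBEB in effect and switches one to Authoritative. It assumes a connected Exchange Online session; contoso.com is a placeholder. Because an Authoritative domain rejects every unknown recipient at the edge, the switch belongs after directory synchronization has completed for that domain, otherwise mail to valid on-premises mailboxes that EOP does not yet know about is refused.

```powershell
# Added example, not from the deck. Assumes a connected Exchange Online session.
# Lists each accepted domain and whether DBEB applies (only Authoritative domains get it).
function Get-DbebStatus {
    Get-AcceptedDomain | ForEach-Object {
        [pscustomobject]@{
            Domain     = $_.DomainName
            DomainType = $_.DomainType
            DbebActive = ($_.DomainType -eq 'Authoritative')
        }
    }
}

Get-DbebStatus | Format-Table -AutoSize

# Enable DBEB for one domain. contoso.com is a placeholder. Run this only once every
# recipient in the domain exists in the tenant directory (DirSync complete or all
# mailboxes in Exchange Online); an Authoritative domain rejects unknown recipients.
Set-AcceptedDomain -Identity 'contoso.com' -DomainType Authoritative

# Confirm the change took effect.
Get-DbebStatus | Where-Object { $_.Domain -eq 'contoso.com' }
```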
Reporting
Provides a clear view on spam filtering and malware attacks
E-mail Protection Reports: Excel workbook available to enable self-service analysis; connects to the reporting web service; data can be refreshed from within the workbook at any time; drill through from recent summary data to the underlying detailed information
• Goals
  • Is the service operating as expected?
  • Make adjustments to rules or settings as needed
  • Evaluate effectiveness of spam settings
• Tools
  • Reports (Office 365 Portal or Mail Protection Reports for Office 365)
  • Submitting spam and false positive messages to Microsoft
  • Junk Mail Reporting Tool for Outlook
Monitor and fine tune
Best Practices
• Do this
  • Use a test domain, subdomain or low-volume domain for trying different service features
  • Disable the EOP inbound connector (type is on-prem) until you are ready to use it
  • Use the Remote Connectivity Analyzer to troubleshoot
  • Restrict inbound SMTP access to allow ONLY from EOP IP ranges
  • Enable Microsoft's IP Safe List in the Connection Filter
  • When creating safe / block lists, use IP first, and if not possible, then use the domain
• Don't do this
  • Daisy chain services
  • Use EOP for sending bulk mail
  • Enable all Content Filter Advanced Options out of the box
  • Safe list your own domain
Best practices
Telnet is your friend
Telnet can be used to test mail flow from EOP to your on-prem environment. This allows you to verify that mail flow will work before doing the MX cutover.
Test mail flow before MX change
You do/type this                                     | Server responds with this
telnet tenantDomainMXRecordHere 25                   | 220
helo your_sending_server_fqdn                        | 250
mail from: you@domain.invalid                        | 250 Sender OK
rcpt to: recipient@contoso.com                       | 250 Recipient OK
data (followed by the Enter key)                     | Server provides directions on how to enter data.
subject: (enter the subject and hit Enter twice), then the body text; to finish the message, type a period on a line by itself and hit Enter | 250 Message queued for delivery.
quit                                                 | 221 Service closing transmission channel
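The same test as a script, so it can be repeated for every on-premises site and its replies kept: an added PowerShell example, not from the deck. It speaks plain SMTP on port 25 without STARTTLS, exactly like the Telnet session, so it is for a test message only. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later), that $TenantDomain is an accepted domain whose MX points at EOP, that $From is an address you control, and that $To is a mailbox on the on-premises server behind the EOP outbound connector; every value in the usage line is a placeholder.

```powershell
# Added example, not from the deck: the Telnet mail-flow test scripted in PowerShell.
# Plain SMTP on port 25, no STARTTLS, same as telnet. All values are placeholders.

function Read-SmtpReply([System.IO.StreamReader] $Reader) {
    # SMTP replies may span several lines; continuation lines carry '-' in column 4.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ($lines -join "`n")
}

function Send-SmtpCommand($Writer, $Reader, [string] $Command, [string] $ExpectedCode) {
    # Sends one command (or nothing, for the banner), reads the reply, checks its code.
    if ($Command) { $Writer.WriteLine($Command); Write-Host "C: $Command" }
    $reply = Read-SmtpReply $Reader
    Write-Host "S: $reply"
    if (-not $reply.StartsWith($ExpectedCode)) {
        throw "Expected reply $ExpectedCode but got: $reply"
    }
    return $reply
}

function Test-EopMailFlow {
    param(
        [Parameter(Mandatory)] [string] $TenantDomain,
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To,
        [string] $HeloName = $env:COMPUTERNAME
    )
    # Same lookup the slide relies on: the tenant domain's MX record points at EOP.
    $mx = Resolve-DnsName -Name $TenantDomain -Type MX |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object Preference | Select-Object -First 1 -ExpandProperty NameExchange
    Write-Host "MX for $TenantDomain is $mx"

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($mx, 25)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        Send-SmtpCommand $writer $reader $null '220' | Out-Null        # banner
        Send-SmtpCommand $writer $reader "HELO $HeloName" '250' | Out-Null
        Send-SmtpCommand $writer $reader "MAIL FROM:<$From>" '250' | Out-Null
        Send-SmtpCommand $writer $reader "RCPT TO:<$To>" '250' | Out-Null
        Send-SmtpCommand $writer $reader 'DATA' '354' | Out-Null
        # Headers, a blank line, the body, then a line holding only '.' ends the message.
        $writer.WriteLine("Subject: EOP mail flow test $(Get-Date -Format s)")
        $writer.WriteLine("From: $From")
        $writer.WriteLine("To: $To")
        $writer.WriteLine('')
        $writer.WriteLine('Test message sent through EOP before the MX cutover.')
        $queued = Send-SmtpCommand $writer $reader '.' '250'   # the "queued for delivery" reply
        Send-SmtpCommand $writer $reader 'QUIT' '221' | Out-Null
        return $queued
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholders): the 250 reply is returned, every line of the dialog is echoed.
# Test-EopMailFlow -TenantDomain 'contoso.com' -From 'you@domain.invalid' -To 'recipient@contoso.com'
```

A 250 after the final period only proves that EOP accepted and queued the message; the second half of the check is seeing it arrive in the on-premises mailbox (or in the EOP message trace), which confirms the outbound connector and your inbound firewall rule are right.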
• Quarantine
  • Online viewer only supports up to 500 messages
  • More can be viewed via the PowerShell Get-QuarantineMessage cmdlet
  • Can only release in bulk through the Release-QuarantineMessage cmdlet
• Limits
  • Max message size for EOP delivering to stand-alone customers is 150 MB
  • Max 100 transport rules per tenant; DLP policies consume part of this quota
  • Max of 900 domains per tenant
  • EOP outbound connectors use round robin for delivery
Known Issues & Limitations
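Two of the limits above are easy to hit without noticing: the 500-message viewer cap and the 100-transport-rule quota shared with DLP. The following is an added Exchange Online PowerShell example, not from the deck, that pages through the whole quarantine, releases a filtered set in bulk, and reports how much of the rule quota is used. It assumes a connected Exchange Online session; partner.example is a placeholder sender domain.

```powershell
# Added example, not from the deck. Assumes a connected Exchange Online session.

# Get-QuarantineMessage returns at most 1000 items per call, so page until a short page.
function Get-AllQuarantineMessages {
    param([int] $Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    $page = 1
    do {
        # @( ) makes an empty result an empty array rather than $null.
        $batch = @(Get-QuarantineMessage -StartReceivedDate $start -PageSize 1000 -Page $page)
        $batch
        $page++
    } while ($batch.Count -eq 1000)
}

# Summary by quarantine reason, to see what the filters are catching.
Get-AllQuarantineMessages -Days 7 | Group-Object Type | Select-Object Name, Count

# Bulk release: only spam-quarantined items from one sender domain (placeholder),
# delivered to all original recipients. Narrow the filter before running this.
Get-AllQuarantineMessages -Days 7 |
    Where-Object { $_.Type -eq 'Spam' -and $_.SenderAddress -like '*@partner.example' } |
    Release-QuarantineMessage -ReleaseToAll

# Transport-rule quota: 100 per tenant, and DLP policies consume part of it.
function Get-TransportRuleQuotaUsage {
    $rules = @(Get-TransportRule)
    $dlp   = @(Get-DlpPolicy)
    [pscustomobject]@{
        TransportRules = $rules.Count
        DlpPolicies    = $dlp.Count
        Remaining      = 100 - $rules.Count
    }
}

Get-TransportRuleQuotaUsage
```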
Regions: NoAm, APAC, EMEA, PRC
Mail is ALWAYS processed ONLY in your region!
• Protection against unknown malware and viruses by analyzing attachment behavior in a hypervisor environment before delivering them
• Real time, time-of-click protection against malicious URLs that are not yet known by EOP
• Rich reporting and tracing of URL click throughs
• $2 / month per user
Advanced Threat Protection
EOP Architecture
Test drive it
Know the limitations of EOP
Summary
Questions !