Exchange Online Protection & Mail Flow
Jayant Gupta, Premier Field Engineer
200 E. Randolph St, Aon Center, Chicago, IL
Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Copyright and Trademarks © 2013 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Overview
This module explores the various capabilities of the Exchange Online Protection service, including:
• Anti-Malware protection
• Anti-Spam protection, including connection and content filtering
• Quarantining messages
• Reporting
Exchange Online Protection
What is Exchange Online Protection (EOP)?
• EOP is the new version of Forefront Online Protection for Exchange (FOPE), Microsoft’s hosted email gateway
• Provides comprehensive email protection through multi-engine antivirus and continuously evolving anti-spam protection
• Built on Exchange 2013 Transport architecture
• Geographically load-balanced datacenters
• Queuing capabilities to help ensure no mail is lost
• Currently processes 1 billion messages per day
EOP is available:
• As a stand-alone cloud service for on-premises customers
• As part of Office 365 subscriptions
Simple to Deploy
1. Add and verify domain ownership in Office 365
2. Change your MX record to point to <domain-com>.mail.protection.outlook.com
3. Create an SPF TXT record for your domain: v=spf1 include:spf.protection.outlook.com -all
4. Fine tune anti-malware and anti-spam settings
5. Create rules to meet business needs
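The DNS checks for steps 2 and 3 of the deployment, as an added example that is not part of the deck. It assumes a Windows host with the DnsClient module (Resolve-DnsName) and uses a placeholder domain; the MX host name is the domain with its dots replaced by dashes, as the <domain-com> pattern on the slide indicates.

```powershell
# Added example (not from the deck): verify the MX and SPF records created in steps 2 and 3.
$Domain = 'contoso.example'   # placeholder domain, assumed for illustration

# Step 2 check: the MX record must point at <domain-com>.mail.protection.outlook.com.
$ExpectedMx = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
$Mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' } |
      Sort-Object Preference
$MxOk = $Mx | Where-Object { $_.NameExchange.TrimEnd('.') -ieq $ExpectedMx }
if ($MxOk) {
    "MX OK: $($MxOk[0].NameExchange) (preference $($MxOk[0].Preference))"
} else {
    "MX MISMATCH: expected $ExpectedMx, got: $($Mx.NameExchange -join ', ')"
}

# Step 3 check: exactly one SPF TXT record, carrying the EOP include and a hard fail (-all).
# Two SPF records make the domain's SPF evaluation a permanent error, so that is flagged too.
$Txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
       Where-Object { $_.Type -eq 'TXT' }
$Spf = $Txt | Where-Object { ($_.Strings -join '') -match '^v=spf1\s' }
if ($Spf.Count -ne 1) {
    "SPF: found $($Spf.Count) SPF records; there must be exactly one"
} else {
    $Record = $Spf.Strings -join ''
    if ($Record -notmatch 'include:spf\.protection\.outlook\.com') {
        "SPF: record is missing include:spf.protection.outlook.com: $Record"
    }
    if ($Record -notmatch '\s-all\s*$') {
        "SPF: record does not end in -all (hard fail), so forged mail is only soft-failed or accepted: $Record"
    } else {
        "SPF OK: $Record"
    }
}
```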
EOP Administration
Unlike FOPE, Exchange Online Protection administration is incorporated into the Exchange Admin Center
EOP inbound filtering
EOP outbound filtering
Anti-Malware
Definition of Malware
• What is Malware?
• Malware is any kind of unwanted software that is installed without your adequate consent
• What is Spyware?
• Spyware is a general term used to describe software that performs certain behaviors, generally without appropriately obtaining your consent first, such as:
• Advertising
• Collecting personal information
• Changing the configuration of your computer
Malware Filter Configuration
What can you configure in the Exchange Administration Center (EAC)?
• The malware detection response (action)
• The custom alert text (deletion text)
• The notifications (who to send them to, and the ability to customize them)
Anti-Spam
Multi-layered anti-spam protection
Connection filtering
• Blocks up to 80% of all spam based on IP block/allow lists
Sender-recipient filtering
• Blocks up to 15% of all spam based on internal lists and sender reputation
Content filtering
• Blocks up to 5% of all spam based on internal lists and heuristics
Connection Filter
What is Connection Filtering?
• It is blocking or allowing inbound messages based on the originating IP address
• The connection filter checks IP Allow and IP Block lists prior to checking the content of each message
• Messages from specifically allowed IP addresses bypass filtering
• Messages from senders in the IP Block list are blocked, except in cases where they also appear in the IP Allow list
• You can add an IP address or address range to an IP Allow list or IP Block list in EAC
Content Filter
Content Filter Actions
• Delete
• Quarantine
• Add x-header
• Move to Junk Email folder
• Prepend subject line with text
• Redirect to email address
• Filter messages from particular countries, or by language
Content Filter Advanced Options
• Increase Spam Score
• Mark As Spam
• Test Mode Options
Spam Confidence Level
SCL rating | Spam confidence interpretation | Default action
-1 | Non-spam coming from a safe sender, safe recipient, or safe-listed IP address (trusted partner) | Deliver the message to the recipients' inbox.
0, 1 | Non-spam because the message was scanned and determined to be clean | Deliver the message to the recipients' inbox.
5, 6 | Spam | The initial default is to deliver the message to the quarantine. However, if the default spam content filter policy is modified, by default the message will instead be delivered to the Junk Email folder.
9 | High confidence spam | The initial default is to deliver the message to the quarantine. However, if the default spam content filter policy is modified, by default the message will instead be delivered to the Junk Email folder.
Outbound Spam
Why do you need outbound spam filtering?
• Outbound spam filtering is needed because malicious programmers and their malware take over computers inside corporate networks every day. This means that users in your organization can be sending large amounts of outbound spam without your knowledge
Quarantine
Quarantined Messages
• Messages that are identified as spam or that match an Exchange transport rule can be sent to the quarantine
• If you are an administrator, you can perform the following actions against quarantined messages via EAC:
- Search for quarantined messages
- View details about quarantined messages
- Release specific messages to a recipient within your organization
- Quickly report a quarantined message as a false positive
Working with Quarantined Messages and PowerShell
• To retrieve information about quarantined emails
Get-QuarantineMessage -StartReceivedDate 02/13/2013 -EndReceivedDate 02/14/2013
• To release a quarantined message
Get-QuarantineMessage -MessageID <[email protected]> | Release-QuarantineMessage
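A quarantine triage script built on the two cmdlets above, as an added example that is not part of the deck: it summarises a day of quarantined spam by sender domain before anything is released, then releases and reports as false positives only the messages from one confirmed partner domain. It assumes an open remote PowerShell session to Exchange Online and uses a placeholder partner domain.

```powershell
# Added example (not from the deck): review before release.
$End   = Get-Date
$Start = $End.AddDays(-1)

# Spam-typed quarantine entries for the last 24 hours (large page size keeps the call count low).
$Items = Get-QuarantineMessage -StartReceivedDate $Start -EndReceivedDate $End -Type Spam -PageSize 1000

# Top sender domains: a bulk false positive from one partner stands out from the long tail of
# unrelated spam sources, which is the signal an administrator wants before touching anything.
$Items |
    Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# Release only mail from a domain the mail team has confirmed as a trusted partner, and report
# each message as a false positive so the filter is corrected rather than just bypassed.
$TrustedPartner = 'partner.example'   # placeholder, assumed for illustration
$Items |
    Where-Object { $_.SenderAddress -like "*@$TrustedPartner" -and -not $_.Released } |
    ForEach-Object {
        Write-Host "Releasing $($_.MessageId) from $($_.SenderAddress) to $($_.RecipientAddress -join ', ')"
        $_ | Release-QuarantineMessage -ReleaseToAll -ReportFalsePositive
    }
```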
Junk Email Management
• Users can now receive spam notifications for messages destined to them that were marked as junk and quarantined
• Users can choose to either release or report on quarantined messages
Reporting
Built-in Reporting
• Provides a clear view on spam filtering and malware attacks
Testing changes to Malware and Content filters
Testing Malware filter
• Create a file called EICAR.txt with the following text: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
• Attach EICAR.TXT to a new mail message, and send it through the service.
• Confirm your anti-malware filter settings have taken effect (policy changes can take up to an hour to replicate across datacenters).
• This "EICAR" test attachment will cause the message to be treated as malicious by antivirus/antimalware engines.
Testing Content filter
• Test Content filter using GTUBE message. A GTUBE message should always be detected as spam by the content filter, and the actions that are performed upon the message should match your configured settings. Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:
• XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
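Both filter tests scripted end to end, as an added example that is not part of the deck: it writes the EICAR attachment, sends it and the GTUBE message through the service, and then traces both to show what the filters did. The SMTP submission host, credential and mailbox addresses are placeholders; the test strings are the ones on the slides.

```powershell
# Added example (not from the deck): send the EICAR and GTUBE test messages and trace the result.

# Single quotes matter: in a double-quoted string PowerShell would expand $EICAR and $H as
# (empty) variables and silently corrupt the signature, so the malware filter would not fire.
$EicarText = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$GtubeText = 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

# The attachment must contain exactly these bytes: plain ASCII, no BOM, no trailing newline.
$EicarPath = Join-Path $env:TEMP 'EICAR.txt'
[System.IO.File]::WriteAllText($EicarPath, $EicarText, [System.Text.Encoding]::ASCII)

$Mail = @{
    From       = 'filtertest@contoso.example'    # placeholder sender mailbox
    To         = 'test-mailbox@contoso.example'  # placeholder recipient mailbox
    SmtpServer = 'smtp.office365.com'            # assumed submission endpoint
    Port       = 587
    UseSsl     = $true
    Credential = (Get-Credential)
}
Send-MailMessage @Mail -Subject 'EOP malware filter test' -Body 'EICAR test file attached.' -Attachments $EicarPath
# GTUBE must be the body on a single line with no spaces or breaks, which $GtubeText already is.
Send-MailMessage @Mail -Subject 'EOP content filter test' -Body $GtubeText

# Trace both messages. Trace data lags submission, so rerun this part if it comes back empty,
# and remember the slide's caveat that a policy change can take up to an hour to replicate.
Start-Sleep -Seconds 120
Get-MessageTrace -SenderAddress $Mail.From -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date).AddHours(1) |
    Where-Object { $_.Subject -like 'EOP * filter test' } |
    Select-Object Received, Subject, Status |
    Format-Table -AutoSize
```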
Module Review
1. What are the three main topics which make up the suite in Exchange Online Protection?
• Anti-Malware, Anti-Spam, Quarantine
2. What are the three types of filtering available?
• Malware Filtering, Content Filtering, Connection Filtering
3. What does the outbound spam policy do?
• If an outbound message is determined to be spam, it is routed through the high risk delivery pool, which reduces the probability of the normal outbound-IP pool being added to a block list. If a customer continues to send outbound spam through the service, they will be blocked from sending messages
Exchange Online Mail Flow
Overview
This module covers the mail flow capabilities of Exchange Online, including:
• Transport rules
• Delivery reports and message tracing
• Inbound and outbound connectors
Rules
Types Of Rules
Transport Rules
• Let you apply messaging policies to messages in the transport pipeline
• Actions such as redirecting a message, adding recipients, rights-protecting a message, and rejecting or silently deleting a message can be taken
Transport Protection Rules
• Administrators can use transport protection rules to implement messaging policies to inspect message content, encrypt sensitive email content, and use rights management to control access to the content
Outlook Protection Rules
• In Exchange Online, Outlook, and OWA users and administrators can apply Information Rights Management (IRM) protection to messages by applying an Active Directory Rights Management Services (AD RMS) rights policy template. This requires an AD RMS deployment in the organization
Transport Rules
• Use transport rules to look for specific conditions on messages that pass through your organization and take action on them
• Transport rules allow you to:
- Prevent inappropriate content from entering or leaving the organization
- Filter confidential organization information
- Track or copy messages that are sent to or received from specific individuals
- Redirect inbound and outbound messages for inspection before delivery
- Apply disclaimers to messages as they pass through the organization
• You can only create a maximum of 100 transport rules in Exchange Online
Transport Rule Components
A transport rule consists of the following components:
• Conditions: identify the messages that you want the rule to apply to
• Actions: specify what you want to do to the messages that are identified by the conditions
• Exceptions: override conditions and prevent the rule from acting on specific messages
• Choose a mode for this rule: (Enforce, Test with Policy Tips, Test without Policy Tips)
How to Create a New Rule?
Transport Rules via PowerShell
• How to create a new Transport Rule
New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo "Sales Department" -PrependSubject "External message to Sales DG:"
• How to verify the rule was created
Get-TransportRule "Mark messages from the Internet to Sales DG"
• How to view all rules in your Exchange Online Tenant
Get-TransportRule
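The same rule created the way the Transport Rule Components slide suggests, as an added example that is not part of the deck: it is checked against the 100-rule tenant limit, created in test mode (-Mode Audit, the "Test without Policy Tips" option) so a mis-scoped condition cannot rewrite production subjects, verified, and only then promoted to Enforce. It assumes an open remote PowerShell session to Exchange Online and a distribution group named "Sales Department".

```powershell
# Added example (not from the deck): create the rule safely, verify it, then enforce it.
$RuleName = 'Mark messages from the Internet to Sales DG'

# Exchange Online allows at most 100 transport rules; refuse to create one that would exceed
# the limit or duplicate an existing rule name.
$Existing = @(Get-TransportRule)
if ($Existing.Count -ge 100) {
    throw "Rule limit reached ($($Existing.Count) rules); remove or merge rules first."
}
if ($Existing.Name -contains $RuleName) {
    throw "A rule named '$RuleName' already exists."
}

# -Mode Audit evaluates and logs the rule without taking the action; -Mode AuditAndNotify is
# "Test with Policy Tips" and -Mode Enforce is the live setting.
New-TransportRule -Name $RuleName `
    -FromScope NotInOrganization `
    -SentTo 'Sales Department' `
    -PrependSubject 'External message to Sales DG: ' `
    -Mode Audit `
    -Comments 'Created in Audit mode; promote to Enforce after reviewing message trace results.'

# Verify the rule exists with the intended condition, action and mode before relying on it.
Get-TransportRule $RuleName |
    Format-List Name, State, Mode, Priority, FromScope, SentTo, PrependSubject

# After the audit period has shown the rule matches only the intended messages, enforce it
# and read the mode back to confirm the change applied.
Set-TransportRule -Identity $RuleName -Mode Enforce
(Get-TransportRule $RuleName).Mode
```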
Delivery Reports
Delivery Reports
• Message tracking within your Exchange Organization only
• Track delivery information about messages sent by or received from any specific mailbox in your organization
• Optionally add words to search for in the subject line
• Subject line is displayed in the results, not message content
• Track messages for up to 14 days after they were sent or received
• Note: It does not track messages sent from POP or IMAP email clients, such as Windows Mail, Outlook Express, or Mozilla Thunderbird
Message Tracking
Message Trace
• The message trace feature enables an administrator to follow email messages as they pass through your Exchange Online or Exchange Online Protection service
• It helps you determine whether a targeted email message was received, rejected, deferred, or delivered by the service within the past 7 days
• It also shows what actions have occurred to the message before reaching its final status
• Obtaining detailed information about a specific message lets you efficiently answer your users' questions, troubleshoot mail flow issues, validate policy changes, and alleviate the need to contact technical support for assistance
How to Run a Message Trace
• Navigate to Mail Flow > Message Trace in EAC
• Select Fields (to narrow search)
• Options include:
• Sender
• Recipient
• Message was Sent or Received
• Delivery Status or Message ID
None is also an allowed option, which will display the previous 7 days of information. Please note that only 7 days are retained by the service
• Click Search to run the Message Trace
• *Message Trace information is available for up to 90 days
View Message Trace Results
• After running a search, the results will be listed in the Message Trace Results pane below the search section
• The following information is displayed about each message:
• Date
• Sender
• Recipient
• Subject
• Status
• Each column can be sorted by clicking on the column name. Clicking it will switch the current sort order
• If the results exceed 500 entries, a page navigation section will appear
Message Tracing via PowerShell
• Using Get-MessageTrace to see information
Get-MessageTrace -SenderAddress [email protected] -StartDate 06/13/2012 -EndDate 06/15/2012
• Obtain more detailed information by pipelining the results to the Get-MessageTraceDetail cmdlet
Get-MessageTrace -Id 2bbad36aa4674c7ba82f4b307fff549f -SenderAddress [email protected] -StartDate 06/13/2012 -EndDate 06/15/2012 | Get-MessageTraceDetail
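A fuller trace built on the two cmdlets above, as an added example that is not part of the deck: it pages through all of one sender's messages for the last two days, summarises them by delivery status, and pulls the per-hop detail for everything that was not delivered. It assumes an open remote PowerShell session to Exchange Online and uses a placeholder sender address.

```powershell
# Added example (not from the deck): status summary plus detail for undelivered mail.
$Sender = 'user@contoso.example'   # placeholder, assumed for illustration
$End    = Get-Date
$Start  = $End.AddDays(-2)

# Get-MessageTrace returns one page at a time; loop until a page comes back empty so a
# busy sender's results are not silently truncated at the first page.
$Trace = @()
for ($Page = 1; $true; $Page++) {
    $Batch = @(Get-MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End `
                                -PageSize 5000 -Page $Page)
    if ($Batch.Count -eq 0) { break }
    $Trace += $Batch
}

# Breakdown by status (Delivered, Failed, Pending, Quarantined, FilteredAsSpam, Expanded ...):
# a sudden rise in FilteredAsSpam or Failed for one sender is the first sign of a compromised
# account or a rule change that misfired.
$Trace |
    Group-Object Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# For every message that did not reach a mailbox, list the events the service recorded
# (Receive, Spam, Fail, Transport rule ...) with its own explanation in the Detail field.
$Trace |
    Where-Object { $_.Status -ne 'Delivered' } |
    Get-MessageTraceDetail |
    Sort-Object MessageTraceId, Date |
    Select-Object Date, MessageTraceId, Event, Action, Detail |
    Format-Table -AutoSize -Wrap
```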
Connectors
Connector Types
• Connectors are used to control inbound and outbound mail flow
• With connectors, you can route mail to and receive mail from recipients outside of your organization, a partner through a secure channel, or a message-processing appliance
• The most commonly used connector types are Outbound connectors, which control outbound messages, and Inbound connectors, which control inbound messages
• Connectors can be configured to enforce IP address and domain restrictions, as well as TLS encryption, for both inbound and outbound mail
Using Connectors
• Mail flows into and out of Exchange Online through EOP without the need to create any inbound or outbound connectors by default
• Create connectors when you need to customize inbound and outbound mail flow between:
• Exchange Online and On-Premises
• Exchange Online and External Recipients
• Exchange Online and Partner Organizations
An example scenario where connectors using TLS are created to enforce encrypted mail flow between EOP and a partner
Secure Mail
[Diagram: Secure Mail. Components: On-Premises Organization (Exchange, "David" on-premises mailbox, Third Party Email Security System), Exchange Online ("Chris" cloud mailbox), Exchange Online Protection, Internet, External Recipient. Annotations: Encrypted & Authenticated Mail Flow; MX resolves to on-premises gateway; MX is switched to Exchange Online Protection; Outbound Exchange Online traffic is delivered direct; You can choose to route outbound on-premises mail via EOP.]
Centralized Transport
[Diagram: Centralized Transport. Components: Exchange Online ("Chris" cloud mailbox), Exchange Online Protection, On-Premises Organization (Exchange, "David" on-premises mailbox, Third Party Email Security System), Internet, External Recipient. Annotations: Encrypted & Authenticated Mail Flow; MX resolves to on-premises gateway; All email in and out of the Exchange Online tenant must go via on-premises; MX is switched to Exchange Online Protection.]
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Contact
Jayant Gupta, Office 365 Premier Field Engineer, [email protected]
Who wants to ask questions?