How to deploy Exchange Online Protection
Online Conference
June 17th and 18th 2015
WWW.COLLAB365.EVENTS
Speaker: Peter Schmidt, EG A/S, Denmark
Email: [email protected] | @petsch | Blog: www.msdigest.net | LinkedIn: https://dk.linkedin.com/in/petsch
• Cloud and Infrastructure Architect
• 15+ years of experience with Exchange Server
• Microsoft Certified Master: Exchange
• Microsoft MVP: Exchange
Agenda
• Introduction
• EOP Architecture
• Antispam and Deployment
• Reporting and Best Practice
• Summary and Q&A
Introduction to Exchange Online Protection

Exchange Online Protection (EOP)
• Stop viruses and malware: multi-engine malware protection; continuously evolving anti-spam protection
• Protect sensitive data: Data Loss Prevention features; encryption of sensitive email
• Common administration console: Office 365 integration; detailed reporting
• Enterprise class reliability: geographically load-balanced datacenters; queuing capabilities to help ensure no mail is lost; 24x7x365 Microsoft Support; financially backed SLA
EOP Service Level Agreements (SLA)
• Mail delivery
  • 99.999% EOP uptime
  • Geo-redundant network
  • 24/7 live phone and web technical support
  • Message queuing for 2 days if the customer server is unresponsive
• Filtering performance
  • 100% known virus detection (active payload)
  • 99% spam detection rate
  • False positive ratio of less than 1:250,000 messages
EOP Architecture

EOP Conceptual Diagram (Corporate Network <-> EOP)
• On-premises server: inbound and outbound email filtered through EOP

EOP Deployment scenarios (on-premises corporate network, EOP, Office 365 Exchange Online)
• Works with any SMTP email platform!
• Every Office 365 customer is an EOP customer
• Easy transition from EOP stand-alone to Office 365
• On-premises server: inbound and outbound email filtered through EOP
EOP Inbound filtering
Email is routed to the EOP datacenters based on MX record resolution (contoso-com.mail.protection.outlook.com). The filtering stages shown on the diagram, from the Internet edge to the corporate network:
• IP-based edge blocking: reputation blocking
• Virus scanning: AV Engine 1, AV Engine 2, AV Engine 3
• Policy enforcement: custom rules
• SPAM protection: safe sender/recipient, content scanning and heuristics, bulk mail filtering, SPF & Sender ID filter, quarantine, international spam
• Advanced SPAM management: spam analysts act on customer feedback (false positives / false negatives) through regular expressions, URL block lists, envelope blocks, Forefront blocks and allows/rejects
• Delivery to the corporate network
EOP Outbound filtering
Mail from the corporate network passes through virus scanning (AV Engine 1, 2 and 3), policy enforcement (custom rules, quarantine), SPAM protection (content scanning and heuristics; advanced SPAM management by spam analysts) and email encryption before delivery to the Internet. Outbound mail is assigned to a delivery pool according to its spam score:
• Outbound Pool: low score
• High Risk Delivery Pool: high score
• Bulk Delivery Pool: bulk mail
Anti-spam

Different Types of SPAM
• Phishing campaigns
• Spear phishing (APT)
• Bulk mail
• Backscatter
• Malware distribution
• Image spam
Multi-layered anti-spam protection
1. Connection filtering: blocks up to 80% of all spam based on IP block/allow lists.
2. Sender-recipient filtering: blocks up to 15% of all spam based on internal lists and sender reputation.
3. Content filtering: blocks up to 5% of all spam based on internal lists and heuristics.
Granular anti-spam filtering controls
• Connection filtering: static IP allow/block list; opt-in to the Microsoft-maintained reputable sender list
• Content spam categories: obvious spam; high confidence spam
• Content filtering actions: delete; quarantine; add X-header; modify subject; redirect

Effective spam blocking
• Block external threats quickly: advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time.
• Enable more control: mark all bulk messages as spam; block unwanted email based on language or geographic origin
Junk mail management
• Suspect junk mail goes by default to the Outlook junk mail folder.
• Uses Outlook safe senders and block lists.
• SPAM quarantine was previously available to administrators only.
• End user quarantine rolled out NOW!
• Email spam notification for the end users

Quarantine
• End user quarantine
• End users can release from quarantine
• Report spam / not spam

End User Spam Notification
• Set frequency from 1-15 days
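The connection-filter and content-filter controls from the last few slides, set from Exchange Online PowerShell. This is an added example, not code from the deck or from the speaker; it assumes an Exchange Online PowerShell session is already open and that the tenant still uses the "Default" policies, and the IP addresses, language and region codes are constructed sample values only.

```powershell
# Added example (not from the deck): configure the connection filter and content filter
# controls described on the preceding slides. Assumes an Exchange Online PowerShell
# session is already open and that the tenant uses the "Default" policies.
# IP addresses, language and region codes below are constructed sample values.

# Connection filtering: static IP allow/block lists and opt-in to Microsoft's safe list.
# Per the best-practice slide: prefer IP entries over domain entries, and never
# safe-list your own domain.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = "203.0.113.10", "203.0.113.0/24"} `
    -IPBlockList @{Add = "198.51.100.25"} `
    -EnableSafeList $true

# Content filtering: a separate action per spam category (delete, quarantine, add X-header,
# modify subject, redirect or move to the junk folder), bulk handling, language/region
# blocks, and end-user spam notifications (frequency 1-15 days, as the slide states).
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -BulkSpamAction MoveToJmf `
    -BulkThreshold 7 `
    -EnableLanguageBlockList $true -LanguageBlockList "ja" `
    -EnableRegionBlockList $true -RegionBlockList "BR" `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 3

# Verify the effective settings so the change can be reviewed before the MX cutover.
Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List IPAllowList, IPBlockList, EnableSafeList
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, BulkSpamAction, BulkThreshold,
        LanguageBlockList, RegionBlockList, EndUserSpamNotificationFrequency
```

Quarantining high-confidence spam while only moving ordinary spam to the junk folder keeps the end-user quarantine small and lets users release their own false positives, which is the workflow the quarantine slide describes.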
False Negatives and False Positives
• Outlook Junk Mail Reporting Tool for missed spam: http://www.microsoft.com/en-us/download/details.aspx?id=18275
• Send spam email as an attachment to [email protected]
• Send false positive messages to [email protected]
Deployment

EOP deployment scenarios
• Standalone: all mailboxes are located on-premises. Purchasable on its own or as part of Exchange Enterprise CAL with Services.
• Fully hosted: all mailboxes are hosted in the cloud with Microsoft Exchange Online. Exchange Online license.
• Hybrid: some mailboxes are hosted in Exchange Online and some mailboxes on-premises. Exchange Online license.
Overview of the deployment process
• Step 1: Verify prerequisites
• Step 2: Configure mail flow (connectors)
• Step 3: Add and validate domains
• Step 4: Customize spam and policy settings
• Step 5: Enable mail flow
• Step 6: Monitor and fine tune
Prerequisites
• Applicable to all scenarios: Office 365 tenant (name.onmicrosoft.com); EOP licenses (ExO or EOP Standalone); domain to migrate; modern web browser to access the Office 365 portal
• Applicable to Standalone or Hybrid scenarios: inbound and outbound public IP addresses; port 25 open to the Exchange Online Protection IP addresses; information on TLS policy, attachment handling, junk folder use, etc.; DirSync may require additional hardware
Configure mail flow
• Standalone: create an EOP outbound connector to deliver mail on-premises; create an EOP inbound connector to accept mail from on-premises; create an on-premises send connector to send outgoing mail to EOP
• Hybrid: hybrid mail flow is best configured using the Hybrid Configuration Wizard
• Optional for all scenarios: create connectors for forced TLS to third parties; create connectors for customized mail routing
Configure mail flow (connectors)
Diagram: On-Prem Mail Environment <-> Exchange Online Protection (Outbound Connector, Inbound Connector) <-> Partner Environment (Outbound TLS Connector, Inbound TLS Connector)
• EOP connectors between on-premises and EOP need to be created
• Additional connectors can be created between EOP and partners to force TLS
TLS scenario
• Prior to EOP: Contoso (cert CN = mail.contoso.com) <-> Fabrikam (cert CN = mail.fabrikam.com)
• With EOP (Fabrikam uses EOP): Contoso (cert CN = mail.contoso.com) <-> EOP (cert CN = mail.protection.outlook.com) <-> Fabrikam (cert CN = mail.fabrikam.com)
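The standalone-scenario connectors from the "Configure mail flow" slide, plus the optional forced-TLS partner connector, as they would be created from PowerShell. This is an added example and not code from the deck or the speaker. It assumes an Exchange Online PowerShell session for steps 1-3 and the on-premises Exchange Management Shell for step 4; contoso.com, fabrikam.com, the host names, server name "EX01" and IP addresses are placeholders, and the EOP IP ranges are left as an explicit placeholder because the published list changes.

```powershell
# Added example (not from the deck). Steps 1-3 run in Exchange Online PowerShell,
# step 4 in the on-premises Exchange Management Shell. All names/IPs are placeholders.

# 1. Inbound connector: EOP accepts outgoing mail from the on-premises servers.
#    Limiting SenderIPAddresses to the on-premises public IPs stops third parties from
#    relaying through the tenant; RequireTls protects the on-prem -> EOP hop.
#    Best-practice slide: keep the on-prem inbound connector disabled until you are ready.
New-InboundConnector -Name "Inbound from on-premises" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -SenderIPAddresses "203.0.113.20", "203.0.113.21" `
    -RequireTls $true `
    -Enabled $false

# 2. Outbound connector: EOP delivers filtered inbound mail to the on-premises smart host
#    and validates the certificate it presents.
New-OutboundConnector -Name "Outbound to on-premises" `
    -ConnectorType OnPremises `
    -RecipientDomains "contoso.com" `
    -SmartHosts "mail.contoso.com" `
    -UseMXRecord $false `
    -TlsSettings CertificateValidation

# 3. Optional: force TLS to a partner. Per the TLS scenario slide, once Fabrikam receives
#    mail through EOP the certificate offered is mail.protection.outlook.com, so that is
#    the name to validate, not mail.fabrikam.com.
New-OutboundConnector -Name "Forced TLS to Fabrikam" `
    -ConnectorType Partner `
    -RecipientDomains "fabrikam.com" `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain "mail.protection.outlook.com"

# 4. On-premises side: route outgoing mail to EOP over TLS, and (best-practice slide)
#    accept inbound SMTP only from the EOP IP ranges. Replace the placeholders with the
#    ranges Microsoft currently publishes.
New-SendConnector -Name "To EOP" -Usage Internet -AddressSpaces "*" `
    -DNSRoutingEnabled $false -SmartHosts "contoso-com.mail.protection.outlook.com" `
    -RequireTLS $true -SourceTransportServers "EX01"
Set-ReceiveConnector -Identity "EX01\From EOP" `
    -RemoteIPRanges "<EOP-IP-range-1>", "<EOP-IP-range-2>"

# Verify what was created before enabling mail flow (step 5 of the deployment process).
Get-InboundConnector  | Format-Table Name, ConnectorType, Enabled, RequireTls, SenderIPAddresses
Get-OutboundConnector | Format-Table Name, ConnectorType, RecipientDomains, SmartHosts, TlsSettings, TlsDomain
```

Re-enable the inbound connector with Set-InboundConnector -Enabled $true only once the on-premises send connector is in place and the telnet test below the best-practices slide has passed.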
Configure mail flow (connectors): multiple on-premises environments
Diagram: On-Prem Mail APAC, On-Prem Mail AMER and On-Prem Mail EMEA each connected to Exchange Online Protection through its own outbound connector (Outbound Connector 1, 2 and 3), with a single Inbound Connector 1 into EOP
Directory Based Edge Blocking (DBEB)
• What it does: blocks messages to invalid recipients at the EOP edge; beneficial to organizations with on-premises mailboxes
• Configuration: the EAC exposes two domain types.
  • Authoritative: all email for unknown recipients is rejected. Setting this domain type enables DBEB.
  • Internal relay: email is delivered to recipients in your org or relayed to another email server.
• To enable DBEB, set the domain to be Authoritative.
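Enabling DBEB from PowerShell, with an audit of the domains that are still internal relay and a spot check that the recipient directory is populated. This is an added example, not code from the deck or the speaker; it assumes an Exchange Online PowerShell session, and contoso.com and user@contoso.com are placeholders.

```powershell
# Added example (not from the deck): enable Directory Based Edge Blocking by making the
# domain authoritative, then audit which accepted domains still relay unknown recipients.
# Assumes an Exchange Online PowerShell session; contoso.com is a placeholder.

# DBEB rejects mail for recipients EOP does not know. With on-premises mailboxes the
# recipient list only exists in the tenant if directory synchronisation (DirSync, see the
# prerequisites slide) is populating it; switch the domain only after that is confirmed.
Set-AcceptedDomain -Identity "contoso.com" -DomainType Authoritative

# Audit: every accepted domain that is not authoritative, i.e. where mail for unknown
# recipients is still accepted and relayed instead of being rejected at the edge.
function Get-NonAuthoritativeDomain {
    Get-AcceptedDomain |
        Where-Object { $_.DomainType -ne "Authoritative" } |
        Select-Object Name, DomainName, DomainType
}
Get-NonAuthoritativeDomain

# Spot check: a synchronised on-premises recipient must resolve in the tenant, otherwise
# DBEB will now reject its mail with an unknown-recipient error.
Get-Recipient -Identity "user@contoso.com" -ErrorAction Stop |
    Select-Object Name, RecipientType, PrimarySmtpAddress
```

Run the audit again after any later domain is added (step 3 of the deployment process); a new domain left as internal relay silently reopens the edge to invalid-recipient traffic for that domain.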
Reporting

Reporting
• Provides a clear view on spam filtering and malware attacks
• E-mail Protection Reports: Excel workbook available to enable self-service analysis; connects to the reporting web service; data can be refreshed from within the workbook at any time; drill through from recent summary data to the underlying detailed information
Monitor and fine tune
• Goals: is the service operating as expected?; make adjustments to rules or settings as needed; evaluate the effectiveness of spam settings
• Tools: reports (Office 365 Portal or Mail Protection Reports for Office 365); submitting spam and false positive messages to Microsoft; Junk Mail Reporting Tool for Outlook
Best Practices

Best practices
• Do this
  • Use a test domain, subdomain or low volume domain for trying different service features
  • Disable the EOP inbound connector (type is on-prem) until you are ready to use it
  • Use the Remote Connectivity Analyzer to troubleshoot
  • Restrict inbound SMTP access to allow ONLY the EOP IP ranges
  • Enable Microsoft's IP Safe List in the Connection Filter
  • When creating safe / block lists, use IP first, and only if that is not possible use the domain
• Don't do this
  • Daisy chain services
  • Use EOP for sending bulk mail
  • Enable all Content Filter Advanced Options out of the box
  • Safe list your own domain
Telnet is your friend: test mail flow before the MX change
You do/type this                                   Server responds with this
telnet tenantDomainMXRecordHere 25                 220 (banner)
helo your_sending_server_fqdn                      250
mail from: [email protected]                      250 Sender OK
rcpt to: [email protected]                        250 Recipient OK
data, followed by the Enter key                    Server provides directions on how to enter data.
subject: enter the subject and hit Enter twice;
enter the body text; to finish the message, type
a period on a line by itself and hit Enter         250 Message queued for delivery.
quit                                               221 Service closing transmission channel
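The same SMTP conversation scripted in PowerShell so that each reply code is checked rather than eyeballed, which is handy when the test has to be repeated for several domains or regions. This is an added example, not code from the deck or the speaker; the function name, the server, HELO name, sender and recipient are placeholders, and it sends a real test message, so point it at a test mailbox.

```powershell
# Added example (not from the deck): the telnet conversation from the slide, scripted so
# the expected SMTP reply codes are asserted. All names in the usage line are placeholders.
function Test-EopMailFlow {
    param(
        [Parameter(Mandatory)] [string] $Server,    # the tenant MX, e.g. contoso-com.mail.protection.outlook.com
        [Parameter(Mandatory)] [string] $HeloName,  # FQDN of the sending host
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To,
        [int] $Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 30000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"      # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # SMTP replies may span several lines ("250-..."); the final line has a space after the code.
    function Read-Reply {
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw "Connection closed by $Server" }
            Write-Host "S: $line"
        } while ($line.Length -gt 3 -and $line[3] -eq '-')
        return $line.Substring(0, 3)
    }
    function Send-Command([string] $Cmd, [string] $Expected) {
        Write-Host "C: $Cmd"
        $writer.WriteLine($Cmd)
        $code = Read-Reply
        if ($code -ne $Expected) { throw "Expected $Expected after '$Cmd' but got $code" }
    }

    try {
        if ((Read-Reply) -ne '220') { throw "No 220 banner from $Server" }
        Send-Command "HELO $HeloName" '250'
        Send-Command "MAIL FROM:<$From>" '250'
        Send-Command "RCPT TO:<$To>" '250'
        Send-Command "DATA" '354'          # "server provides directions on how to enter data"
        $writer.WriteLine("Subject: EOP mail flow test")
        $writer.WriteLine("")               # blank line separates headers from body
        $writer.WriteLine("Test message sent before the MX change.")
        Send-Command "." '250'             # "250 Message queued for delivery."
        Send-Command "QUIT" '221'
        return $true
    }
    finally {
        $reader.Dispose(); $writer.Dispose(); $client.Close()
    }
}

# Usage (placeholders):
# Test-EopMailFlow -Server contoso-com.mail.protection.outlook.com -HeloName mail.contoso.com `
#     -From sender@example.com -To user@contoso.com
```

A 250 after the final "." only proves that EOP accepted the message; in the standalone scenario, confirm it also arrived in the on-premises mailbox, since that exercises the outbound connector and the on-premises receive connector restriction as well.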
Known Issues & Limitations
• Quarantine
  • Online viewer only supports up to 500 messages
  • More can be viewed via the PowerShell Get-QuarantineMessage cmdlet
  • Can only release in bulk through the Release-QuarantineMessage cmdlet
• Limits
  • Max message size for EOP delivering to stand-alone customers is 150 MB
  • Max 100 transport rules per tenant; DLP policies consume part of this quota
  • Max of 900 domains per tenant
  • EOP outbound connectors use round robin for delivery
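Working past the 500-message limit of the online viewer and releasing in bulk, as the slide says only PowerShell can. This is an added example, not code from the deck or the speaker; it assumes an Exchange Online PowerShell session, the helper function name is mine, and fabrikam.com stands in for whichever sender domain was quarantined by mistake.

```powershell
# Added example (not from the deck): page through Get-QuarantineMessage to see more than
# the 500 messages the online viewer shows, review by sender domain, then release one
# mis-quarantined sender's messages in bulk with Release-QuarantineMessage.
# Assumes an Exchange Online PowerShell session; fabrikam.com is a placeholder.

function Get-AllQuarantineMessage {
    param([int] $PageSize = 1000, [int] $Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    $page = 1
    do {
        $batch = Get-QuarantineMessage -StartReceivedDate $start -PageSize $PageSize -Page $page
        $batch
        $page++
    } while (@($batch).Count -eq $PageSize)   # a short page means we have reached the end
}

# Review before releasing: a count per sender domain is a cheap way to spot a partner
# whose mail is being caught as a false positive.
$all = Get-AllQuarantineMessage -Days 7
$all | Group-Object { ($_.SenderAddress -split '@')[-1] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Bulk release only the messages from the one trusted sender domain, and report them as
# false positives (the PowerShell equivalent of the manual submission on the earlier slide).
$all | Where-Object { $_.SenderAddress -like "*@fabrikam.com" } |
    Release-QuarantineMessage -ReleaseToAll -ReportFalsePositive
```

Filter on a specific sender domain or date window rather than releasing everything: the same bulk release that fixes a false positive will also deliver any real spam quarantined in the same period.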
Datacenter regions: North America, APAC, EMEA, PRC
Mail is ALWAYS processed ONLY in your region!
Advanced Threat Protection
• Protection against unknown malware and viruses by analyzing attachment behavior in a hypervisor environment before delivering them
• Real-time, time-of-click protection against malicious URLs that are not yet known by EOP
• Rich reporting and tracing of URL click-throughs
• $2 / month per user
Summary
• EOP Architecture
• Test drive it
• Know the limitations of EOP

Questions
Feel free to contact me on: @petsch / [email protected]

Stay tuned for more great sessions …