(ISM317) Amazon WorkMail: Corporate Email in Less Than 10 Minutes
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thomas Doehler – General Manager
Milo Oostergo – Sr. Product Manager
October 2015
ISM317
Amazon WorkMail: Secure, Corporate Email
in Less Than 10 Minutes
What to Expect from the Session
• Why we built Amazon WorkMail
• What is Amazon WorkMail?
• Features and functionality
• Pricing and availability
• Getting started with Amazon WorkMail
• Integrating with your on-premises environment
• Migrating to Amazon WorkMail
• Q&A
Why we built Amazon WorkMail
• Email has evolved from a simple communication tool to
an enabler of almost any business process
• Secure access is key
• Managing the infrastructure required to operate this
mission critical service adds cost and complexity
Managed service
• Eliminate up-front investments to license and provision on-premises email servers
• WorkMail automatically handles all of the patches, back-ups, and upgrades
• As needs grow, add more users with a few clicks in the AWS Management console
Enterprise grade security
• Encryption using customer managed keys
• Regional data control
• Secure mobile access
• Protection from malware, spam, and viruses
Anywhere access
• From Outlook on your PC/Mac
• From any browser
• From your phone
Outlook features
• Natively compatible with
Microsoft Outlook on Windows
and Mac
• Shared calendars and shared
mailboxes
• Global Address Book
• Support for resource booking
• Advanced permissions and
delegation
• Server side rules
WebMail features
• Access to your email,
contacts and calendar
• Shared calendars
• Free/busy Scheduling
• Amazon WorkDocs
integration
Pricing and availability
• Pay-as-you-go
• No user or long-term commitments
• Cost-effective - $4/user/month for 50 GB
mailbox
• Bundled with WorkDocs - $6/user/month
• 30-day free trial for up to 25 users
• Initially available in the US East (N. Virginia), US
West (Oregon), and EU West (Ireland) regions
Set up Amazon WorkMail
Getting started
• Available through the AWS
Management Console
• Quick setup lets you get started
in 10 minutes and automatically
creates all required AWS
resources for you
• Custom setup lets you integrate
WorkMail with your corporate
directory and use custom keys
Quick setup
Step 1: Create your organization
Step 2: Add your domains
Step 3: Create your users, groups, and resources
Step 4: Migrate your mailboxes
Step 5: Configure your desktop and mobile clients
Step 1 – Create your organization
• WorkMail creates all required AWS resources for you:
• VPC
• Simple AD directory
• Test mail domain
• Service default key in AWS KMS
• Recommended setup for evaluation purposes and small
business deployments
Step 2 - Setting up your domains
• Add your domains (like yourcorporate.com) to WorkMail
to use in your email addresses
• You can add multiple domains to your organization
• Users/groups can have multiple email addresses across
different domains
Setting up your domains (2)
• Add your domain
• Verify your domain by
adding a verification token
in the TXT DNS record
• Set up DomainKeys
Identified Mail (DKIM)
signing
• Switch the MX and
AutoDiscover DNS record
when mailbox migration is
complete
Step 3 - Provisioning of users and groups
• After domains are added, you can provision users and
distribution groups using the domains
• With quick setup, users can be created in the WorkMail
console
Next steps
Step 4 and step 5 are similar to custom setup and will be
discussed later in this presentation
Custom setup
Use custom setup to:
• Use your existing VPC
• Integrate WorkMail with your existing directory
environment
• Use a customer master key for mailbox encryption
Recommended setup for medium size businesses and
enterprises
Custom setup - steps
Step 1: Extend your VPC to your on-premises network and
set up an AD Connector
Step 2: Create your organization in WorkMail
Step 3: Add your domain names
Step 4: Enable your existing users and groups
Step 5: Migrate your mailboxes
Step 6: Configure your desktop and mobile clients
Prerequisites
• Extend your on-premises network to your VPC through a
virtual private network (VPN) connection or AWS Direct
Connect
• Have two subnets in different Availability Zones in VPC
available
• Set up AWS Directory Service AD Connector in the VPC
• No need for any additional on-premises software
components!
AD Connector architecture
[Diagram: an AD Connector proxy instance in each of two Availability Zones; LDAP & Kerberos requests proxied to the on-premises AD in the corporate data center over the VPN connection]
Using on-premises directory integration
• Easily provision existing users for WorkMail
• Reuse existing AD/Exchange security and distribution
groups in WorkMail
• Automatic propagation of users/groups changes every 4
hours
• Authentication requests are forwarded to your
on-premises directory
Protect your mailbox data
• Mailbox data at rest is protected by AWS Key
Management Service
• Use service default key or customer master key
• Key actions logged in AWS CloudTrail
• WorkMail configures grant to master key during initial
setup
How is WorkMail encrypting your data
• Master key for your
organization
• Asymmetric key per mailbox
• Each item in mailbox
encrypted by symmetric key
• Item encrypted with data key
• Data key encrypted with public mailbox key
• Mailbox private key encrypted with KMS key
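The three-layer hierarchy above, sketched as an added example (not WorkMail's code and not from the presentation). The algorithms (RSA-OAEP, AES-256-GCM), the function names, and the local AES key standing in for the KMS master key are assumptions made for illustration.

```javascript
// Added illustration of the key hierarchy; not WorkMail's implementation.
// Assumptions: RSA-OAEP and AES-256-GCM as algorithms, and a local AES key
// standing in for the KMS master key (a real KMS key never leaves the service).
const crypto = require('crypto');

// AES-256-GCM helpers. Sealed output layout: iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Mailbox creation: generate the per-mailbox key pair and keep the private
// key only in wrapped form, encrypted under the organization master key.
function createMailbox(masterKey) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  return { publicKey, wrappedPrivateKey: seal(masterKey, Buffer.from(privateKey)) };
}

// Delivery: a fresh data key per item, wrapped with the mailbox public key
// (OAEP is Node's default padding). No master-key operation on this path.
function storeItem(mailbox, item) {
  const dataKey = crypto.randomBytes(32);
  return {
    wrappedDataKey: crypto.publicEncrypt(mailbox.publicKey, dataKey),
    ciphertext: seal(dataKey, Buffer.from(item)),
  };
}

// Read: master key -> mailbox private key -> data key -> item.
// Fails with an authentication error if the master key is wrong or revoked.
function readItem(masterKey, mailbox, stored) {
  const privateKey = unseal(masterKey, mailbox.wrappedPrivateKey).toString();
  const dataKey = crypto.privateDecrypt(privateKey, stored.wrappedDataKey);
  return unseal(dataKey, stored.ciphertext).toString();
}
```

Storing an item needs only the mailbox public key, while every read depends on unwrapping the mailbox private key with the master key, which is why the master key is the single point of control over mailbox data.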
Interoperability support
Integrate WorkMail with your existing email
environment
• Provide users with a unified global address book
containing all users, groups, and resources
• Email routing between on-premises email system and
WorkMail
• Calendar free/busy lookups between on-premises email
systems and WorkMail
Set up interoperability support
• Add all domains to WorkMail
• Set up free/busy service accounts in Microsoft Exchange
and WorkMail
• Set up Availability Address Space in Microsoft Exchange
Add-AvailabilityAddressSpace -ForestName example.awsapps.com -AccessMethod OrgWideFB -Credentials <Credential>
• Enable interoperability support in WorkMail
Unified Global Address Book
• Interoperability support will automatically sync all
Microsoft Exchange users, groups, and resources to
WorkMail
• Object changes must be done using Exchange
Management console
• Enabling users for WorkMail is still done through AWS
Management console
Email routing in an integrated environment
[Diagram: mail flow between the on-premises environment and Amazon WorkMail; domains shown: example.com, example.com, example.awsapps.com]
Forward to: [email protected]
Primary: [email protected]
Alias: [email protected]
Calendar free/busy interoperability
[Diagram: free/busy lookup between the on-premises environment and Amazon WorkMail; example.com; user john; steps 1 to 5, of which only the labels below survive]
1. Free/busy lookup for Mary
4. Free/busy lookup for Mary with WM service account
targetAddress: [email protected]
Primary: [email protected]: [email protected]
Migrating to WorkMail
• The WorkMail migration tool is a utility for migrating
Microsoft Exchange and Office365 mailboxes
• Integration with 3rd party migration vendors will be
available for migrations from Microsoft, Google Apps,
Lotus Notes, Novell Groupwise, Zimbra, and other email
servers
Using the WorkMail migration tool
• Prepare your Microsoft Exchange
environment
• Enable and configure WorkMail
migration setup
• Install and configure the migration
tool
• Prepare the migration user list
• Migrate mailboxes to WorkMail
Using the WorkMail migration tool (2)
• Run the migration tool on an on-premises Windows
client, Amazon EC2, or Amazon WorkSpaces
• Run migration tool close to WorkMail endpoints for
lowest latency
• When migrating large batches, run migration tool on
multiple servers or instances
Finalizing migration
After all mailboxes are successfully migrated:
• Create AutoDiscover DNS record
autodiscover.example.com CNAME autodiscover.mail.us-east-1.awsapps.com
• Turn off local Autodiscover
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalURI $Null
• Change MX DNS record to WorkMail SMTP servers
• Turn off interoperability support
• Decommission on-premises email environment
Sign up for WorkMail preview today
• aws.amazon.com/workmail
Q&A
Meet us at the AWS Enterprise Applications booth
Remember to complete
your evaluations!
Thank you!