How to deploy Exchange Online Protection

Online Conference, June 17th and 18th 2015, WWW.COLLAB365.EVENTS. How to deploy Exchange Online Protection. Peter Schmidt, EG A/S

Transcript of How to deploy Exchange Online Protection

Page 1: How to deploy Exchange Online Protection

     

               

Online Conference

June 17th and 18th 2015

WWW.COLLAB365.EVENTS

How to deploy Exchange Online Protection

Peter Schmidt
EG A/S

Page 2: How to deploy Exchange Online Protection


Peter Schmidt
EG A/S, Denmark

Email: [email protected]
@petsch
Blog: www.msdigest.net
https://dk.linkedin.com/in/petsch

• Cloud and Infrastructure Architect

• 15+ years of experience with Exchange Server

• Microsoft Certified Master: Exchange

• Microsoft MVP: Exchange

Page 3: How to deploy Exchange Online Protection


Introduction

EOP Architecture

Antispam and Deployment

Reporting and Best Practice

Summary and Q&A

Agenda

Page 4: How to deploy Exchange Online Protection


Introduction to Exchange Online Protection

Page 5: How to deploy Exchange Online Protection


• Stop viruses and malware
  - Multi-engine malware protection
  - Continuously evolving anti-spam protection
• Protect sensitive data
  - Data Loss Prevention features
  - Encryption of sensitive email
• Common administration console
  - Office 365 integration
  - Detailed reporting
• Enterprise class reliability
  - Geographically load-balanced datacenters
  - Queuing capabilities to help ensure no mail is lost
  - 24x7x365 Microsoft Support
  - $$$ backed SLA

Exchange Online Protection (EOP)

Page 6: How to deploy Exchange Online Protection


EOP Service Level Agreements (SLA)

• Mail Delivery
  • 99.999% EOP uptime
  • Geo-redundant network
  • 24/7 Live phone and web technical support
  • Message queuing for 2 days if customer server unresponsive

• Filtering Performance
  • 100% known virus detection (active payload)
  • 99% spam detection rate
  • False positive ratio of less than 1:250,000 messages

Page 7: How to deploy Exchange Online Protection


EOP Architecture

Page 8: How to deploy Exchange Online Protection


• On-premises server - Inbound and Outbound email filtered through EOP

EOP Conceptual Diagram

[Diagram labels: Corporate Network, EOP]

Page 9: How to deploy Exchange Online Protection


• Works with any SMTP email platform!
• Every Office 365 customer is an EOP customer
• Easy transition from EOP stand-alone to Office 365
• On-premises server
  • Inbound and Outbound email filtered through EOP

EOP Deployment scenarios


[Diagram labels: On Premise (Corporate Network), EOP, O365 (Exchange Online)]

Page 10: How to deploy Exchange Online Protection


EOP Inbound filtering 

Email is routed to EOP DCs based on MX record resolution (contoso-com.mail.protection.outlook.com)

[Diagram labels: IP-based edge blocking; Reputation blocking; Virus scanning (AV Engine 1, AV Engine 2, AV Engine 3); SPAM protection; Safe Sender/Recipient; Policy enforcement; Custom Rules; Content scanning and Heuristics; Bulk Mail filtering; SPF & Sender ID Filter; Quarantine; International Spam; Advanced SPAM management; Customer feedback; False +ve / -ve; Spam analysts; Corporate network; Regular expressions; URL block lists; Envelope blocks; Forefront blocks; Allows/Rejects]

Page 11: How to deploy Exchange Online Protection


EOP Outbound filtering

[Diagram labels: Outbound Pool; High Risk Delivery Pool (High Score); Outbound Pool (Low Score); SPAM protection; Content scanning and Heuristics; Advanced SPAM management; Virus scanning (AV Engine 1, AV Engine 2, AV Engine 3); Policy enforcement; Custom Rules; Quarantine; Spam Analysts; Corporate network; Bulk Delivery Pool (Bulk Mail); Internet; Email Encryption]

Page 12: How to deploy Exchange Online Protection


Anti-spam

Page 13: How to deploy Exchange Online Protection


• Phishing Campaigns
• Spear Phishing (APT)
• Bulk Mail
• Backscatter
• Malware Distribution
• Image Spam

Different Types of SPAM

Page 14: How to deploy Exchange Online Protection


• 1. Connection filtering – Blocks up to 80% of all spam based on IP block/allow lists.

• 2. Sender-Recipient Filtering – Blocks up to 15% of all spam based on internal lists and sender reputation.

• 3. Content Filtering – Blocks up to 5% of all spam based on internal lists and heuristics.

Multi-layered anti-spam protection


Page 15: How to deploy Exchange Online Protection


• Connection filtering
  - Static IP allow/block list
  - Opt-in to Microsoft-maintained reputable sender list

• Content spam categories
  - Obvious spam
  - High confidence spam

• Content Filtering Actions
  - Delete
  - Quarantine
  - Add X-Header
  - Modify Subject
  - Redirect

Granular anti-spam filtering controls 


Page 16: How to deploy Exchange Online Protection


Block external threats quickly
  - Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time.

Enable more control
  - Mark all bulk messages as spam
  - Block unwanted email based on language or geographic origin

Effective spam blocking

Block email based on language

Block email based on geography

Page 17: How to deploy Exchange Online Protection


• Suspect junk mail by default goes to the Outlook junk mail folder.
• Uses Outlook safe senders and block lists.
• SPAM Quarantine was available to administrators only. End user quarantine rolled out NOW!
• Email Spam Notification for the end-users

Junk mail management

Page 18: How to deploy Exchange Online Protection


• End User Quarantine
  • End users can release from quarantine
  • Report Spam, not spam

Quarantine

Page 19: How to deploy Exchange Online Protection


Set Frequency from 1-15 days

End User Spam Notification

Page 20: How to deploy Exchange Online Protection


False Negatives and False Positives

Outlook Junk Mail Reporting Tool for missed spam
http://www.microsoft.com/en-us/download/details.aspx?id=18275

Send spam email as an attachment to [email protected]

Send false positive messages to [email protected]

Page 21: How to deploy Exchange Online Protection


Deployment

Page 22: How to deploy Exchange Online Protection


• Standalone
  • All mailboxes are located on-premises
  • Purchasable on its own or part of Exchange Enterprise CAL with Services

• Fully hosted
  • All mailboxes are hosted in the cloud with Microsoft Exchange Online
  • Exchange Online license

• Hybrid
  • Some mailboxes are hosted in Exchange Online, and some mailboxes on-premises
  • Exchange Online license

EOP deployment scenarios

Page 23: How to deploy Exchange Online Protection


Overview of the deployment process

Step 1: Verify prerequisites
Step 2: Configure mail flow (connectors)
Step 3: Add and validate domains
Step 4: Customize spam and policy settings
Step 5: Enable mail flow
Step 6: Monitor and fine tune

Page 24: How to deploy Exchange Online Protection


Applicable to all scenarios
  - Office 365 Tenant – name.onmicrosoft.com
  - EOP licenses (ExO or EOP Standalone)
  - Domain to migrate
  - Modern web browser to access the Office 365 portal

Applicable to Standalone or Hybrid scenarios
  - Inbound and outbound public IP addresses
  - Open port 25 to Exchange Online Protection IP Addresses
  - Information on TLS policy, attachment handling, junk folder use, etc.
  - DirSync may require additional hardware

Prerequisites

Page 25: How to deploy Exchange Online Protection


Standalone
  - Create EOP outbound connector to deliver mail on-premises
  - Create EOP inbound connector to accept mail from on-premises
  - Create on-premises send connector to send outgoing mail to EOP

Hybrid
  - Hybrid mail flow is best configured using the Hybrid Configuration Wizard

Optional for all scenarios
  - Create connectors for forced TLS to third party
  - Create connectors for customized mail routing

Configure mail flow

Page 26: How to deploy Exchange Online Protection


On-Prem Mail Environment

Exchange Online Protection

Outbound Connector

Inbound Connector

Outbound TLS Connector

Inbound TLS Connector

EOP connectors between on-premises and EOP need to be created

Additional connectors can be created between EOP and partners to force TLS

Partner Environment

Configure mail flow (connectors)
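
The three standalone connectors listed above, sketched with the Exchange connector cmdlets. This is an added example, not from the original slides; every name, domain, smart host and IP address in it is a placeholder (192.0.2.x is a documentation range), and the TLS settings shown are one possible choice.

```powershell
# Added example; all names, domains, hosts and IPs below are placeholders.

# --- Run in an Exchange Online / EOP remote PowerShell session ---

# EOP -> on-premises: deliver filtered inbound mail to your own mail server
New-OutboundConnector -Name 'EOP to on-premises' `
    -ConnectorType OnPremises `
    -RecipientDomains 'contoso.com' `
    -UseMXRecord $false -SmartHosts 'mail.contoso.com' `
    -TlsSettings DomainValidation -TlsDomain 'mail.contoso.com'

# On-premises -> EOP: accept outgoing mail only from your public sending IPs.
# Created disabled, so it has no effect until you are ready to use it.
New-InboundConnector -Name 'On-premises to EOP' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -SenderIPAddresses '192.0.2.10','192.0.2.11' `
    -RequireTls $true `
    -Enabled $false

# --- Run in the on-premises Exchange Management Shell ---

# Send all outgoing mail to EOP over TLS and check the certificate name EOP presents
New-SendConnector -Name 'Outbound via EOP' -Usage Custom `
    -AddressSpaces '*' `
    -DNSRoutingEnabled $false `
    -SmartHosts 'contoso-com.mail.protection.outlook.com' `
    -RequireTLS $true -TlsAuthLevel DomainValidation `
    -TlsDomain 'mail.protection.outlook.com'

# Review what was created before enabling anything
Get-InboundConnector  | Format-Table Name, ConnectorType, Enabled, RequireTls
Get-OutboundConnector | Format-Table Name, ConnectorType, Enabled, SmartHosts, TlsSettings
```

Enable the inbound connector with `Set-InboundConnector -Identity 'On-premises to EOP' -Enabled $true` once mail flow has been tested.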

Page 27: How to deploy Exchange Online Protection


TLS scenario

• Prior to EOP (Fabrikam uses EOP)
  - Contoso: Cert CN = mail.contoso.com
  - Fabrikam: Cert CN = mail.fabrikam.com

• With EOP (Fabrikam uses EOP)
  - Contoso: Cert CN = mail.contoso.com
  - EOP: Cert CN = mail.protection.outlook.com (shown on both sides of EOP)
  - Fabrikam: Cert CN = mail.fabrikam.com

Page 28: How to deploy Exchange Online Protection


Configure mail flow (connectors)

On-Prem Mail APAC

Exchange Online Protection

On-Prem Mail AMER

On-Prem Mail EMEA

Outbound Connector 1

Outbound Connector 3

Outbound Connector 2

Inbound Connector 1

Page 29: How to deploy Exchange Online Protection


• What it does
  • Blocks messages to invalid recipients at the EOP edge
  • Beneficial to organizations with on-premises mailboxes

• Configuration
  • The EAC exposes two domain types.
  • Authoritative - All email for unknown recipients is rejected. Setting this domain type enables DBEB
  • Internal relay - Email is delivered to recipients in your org or relayed to another email server

• To enable DBEB, set the domain to be AUTHORITATIVE.

Directory Based Edge Blocking

Page 30: How to deploy Exchange Online Protection


Reporting

Page 31: How to deploy Exchange Online Protection


Reporting
  - Provides a clear view on spam filtering and malware attacks

E-mail Protection Reports
  - Excel Workbook available to enable self-service analysis
  - Connects to the reporting web service
  - Data can be refreshed from within the workbook at any time
  - Drill through from recent summary data to the underlying detailed information

Page 32: How to deploy Exchange Online Protection


• Goals
  • Is the service operating as expected?
  • Make adjustments to rules or settings as needed
  • Evaluate effectiveness of spam settings

• Tools
  • Reports (Office 365 Portal or Mail Protection Reports for Office 365)
  • Submitting spam and false positive messages to Microsoft
  • Junk Mail Reporting Tool for Outlook

Monitor and fine tune

Page 33: How to deploy Exchange Online Protection


Best Practices

Page 34: How to deploy Exchange Online Protection


• Do this
  • Use a test domain, subdomain or low volume domain for trying different service features
  • Disable EOP inbound connector (type is on-prem) until you are ready to use it
  • Use the Remote Connectivity Analyzer to troubleshoot
  • Restrict inbound SMTP access to allow ONLY from EOP IP ranges
  • Enable Microsoft’s IP Safe List in the Connection Filter
  • When creating safe / black lists, use IP first, and if not possible, then use the domain

• Don’t do this
  • Daisy chain services
  • Use EOP for sending bulk mail
  • Enable all Content Filter Advanced Options out of the box
  • Safe list your own domain

Best practices

Page 35: How to deploy Exchange Online Protection


Telnet is your friend

Test mail flow before MX change

You do/type this | Server responds with this
telnet tenantDomainMXRecordHere 25 | 220
helo your_sending_server_fqdn | 250
mail from: [email protected] | 250 Sender OK
rcpt to: [email protected] | 250 Recipient OK
data followed by the enter key | Server provides directions on how to enter data.
subject: Enter the subject and hit enter twice. Enter the body text. To finish the message, type a period on a line by itself and hit enter. | 250 Message queued for delivery.
Quit | 221 Service closing transmission channel
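
The same pre-cutover check as the telnet session above, scripted so it can be repeated after each connector or domain change. This is an added example, not from the original slides; `Test-EopSmtp` is a hypothetical helper name, the host and addresses in the usage line are placeholders, and it stops after RCPT TO instead of sending DATA, so no message is queued.

```powershell
# Added example (not from the slides). Test-EopSmtp is a hypothetical helper name.
function Test-EopSmtp {
    param(
        [Parameter(Mandatory)] [string] $MxHost,    # tenant MX record host
        [Parameter(Mandatory)] [string] $HeloName,  # FQDN of the sending server
        [Parameter(Mandatory)] [string] $MailFrom,
        [Parameter(Mandatory)] [string] $RcptTo
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 15000                  # ms; do not hang on a silent peer
    try {
        $client.Connect($MxHost, 25)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [Text.Encoding]::ASCII)
        $writer.NewLine   = "`r`n"                  # SMTP lines end in CRLF
        $writer.AutoFlush = $true

        # Each step: command to send (none for the banner) and the reply code expected
        $steps = @(
            @{ Send = $null;                   Expect = '220' },
            @{ Send = "HELO $HeloName";        Expect = '250' },
            @{ Send = "MAIL FROM:<$MailFrom>"; Expect = '250' },
            @{ Send = "RCPT TO:<$RcptTo>";     Expect = '250' },
            @{ Send = 'QUIT';                  Expect = '221' }
        )
        foreach ($step in $steps) {
            if ($step.Send) { $writer.WriteLine($step.Send) }
            # Multi-line replies use "250-..." for every line except the last
            do { $reply = $reader.ReadLine() } while ($reply -and $reply.Length -ge 4 -and $reply[3] -eq '-')
            $ok = [bool]($reply -like "$($step.Expect)*")
            [pscustomobject]@{ Sent = $step.Send; Reply = $reply; Ok = $ok }
            if (-not $ok) { break }                 # stop at the first unexpected reply
        }
    }
    finally { $client.Close() }
}

# Placeholders: replace with your tenant MX host and real test addresses
Test-EopSmtp -MxHost 'contoso-com.mail.protection.outlook.com' `
    -HeloName 'mail.contoso.com' -MailFrom 'postmaster@contoso.com' `
    -RcptTo 'testuser@contoso.com' | Format-Table -AutoSize
```

Running it once with a valid and once with a nonexistent recipient also shows whether Directory Based Edge Blocking is in effect: on an Authoritative domain the unknown recipient should fail at the RCPT TO step.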

Page 36: How to deploy Exchange Online Protection


• Quarantine
  • Online viewer only supports up to 500 messages
  • More can be viewed via PowerShell Get-QuarantineMessage Cmdlet
  • Can only release in bulk through Release-QuarantineMessage Cmdlet

• Limits
  • Max message size for EOP delivering to stand-alone customers is 150 MB
  • Max 100 Transport Rules per tenant – DLP policies consume part of this quota
  • Max of 900 domains per tenant
  • EOP outbound connectors use round robin for delivery

Known Issues & Limitations
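
Working past the 500-message viewer limit with the two quarantine cmdlets named above. This is an added example, not from the original slides; it assumes a remote PowerShell session to the tenant is already open, and the seven-day window and sender address are placeholders.

```powershell
# Added example; the date window and sender address are placeholders.
$since    = (Get-Date).AddDays(-7)
$pageSize = 1000          # largest page the cmdlet returns per call
$page     = 1
$all      = @()

# Page through quarantine until a short page signals the end
do {
    $batch = @(Get-QuarantineMessage -StartReceivedDate $since -PageSize $pageSize -Page $page)
    $all  += $batch
    $page++
} while ($batch.Count -eq $pageSize)

'{0} quarantined messages since {1:d}' -f $all.Count, $since

# Review first: which senders account for most of the quarantined mail?
$all | Group-Object SenderAddress |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# Bulk release only a reviewed subset: spam-quarantined mail from one known sender
$toRelease = $all | Where-Object {
    $_.SenderAddress -eq 'newsletter@partner.example' -and $_.Type -eq 'Spam'
}

# -WhatIf shows what would be released; remove it after checking the list
$toRelease | ForEach-Object {
    Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll -WhatIf
}
```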

Page 37: How to deploy Exchange Online Protection


No Am

APAC

EMEA

Mail is ALWAYS processed ONLY in your region!

PRC

Page 38: How to deploy Exchange Online Protection


• Protection against unknown malware and viruses by analyzing attachment behavior in a hypervisor environment before delivering them

• Real time, time-of-click protection against malicious URLs that are not yet known by EOP

• Rich reporting and tracing of URL click throughs

• 2$ / month per user

Advanced Threat Protection

Page 39: How to deploy Exchange Online Protection


• EOP Architecture
• Test drive it
• Know the limitations of EOP

Summary

Page 40: How to deploy Exchange Online Protection


Questions

Feel free to contact me on: @[email protected]

Page 41: How to deploy Exchange Online Protection


Stay tuned for more great sessions …