colabora - exchange online protection - june 2015

Peter Schmidt, Solution Architect, EG A/S: Exchange Online Protection, Introduction and Architecture

Upload: colaboradk, posted on 10-Apr-2017


Page 1: CoLabora - Exchange Online Protection - June 2015

Peter Schmidt, Solution Architect, EG A/S

Exchange Online Protection: Introduction and Architecture

Page 2: CoLabora - Exchange Online Protection - June 2015

© EG A/S 2

About me

Peter Schmidt, Solution Architect, EG A/S

Expertise: Office 365, Exchange, Skype for Business, Microsoft Azure, ADFS, PKI

Microsoft MVP: Exchange; MCM: Exchange; MCSE: Messaging; MCSA: Office 365; MCSE: Server Infrastructure; MCSE: Public Cloud

Contact me: E-mail: [email protected]; www.msdigest.net; Twitter: @petsch; Phone: +45 7260 2775 / +45 2080 9436

Page 3: CoLabora - Exchange Online Protection - June 2015


Agenda

• Introduction to Exchange Online Protection
• EOP Architecture
• Deployment
• Best Practices
• Summary
• Q&A

Page 4: CoLabora - Exchange Online Protection - June 2015

Introduction to Exchange Online Protection

Page 5: CoLabora - Exchange Online Protection - June 2015

Exchange Online Protection (EOP)

Stop viruses and malware
• Multi-engine malware protection
• Continuously evolving anti-spam protection

Protect sensitive data
• Data Loss Prevention features
• Encryption of sensitive email

Common administration console
• Office 365 integration
• Detailed reporting

Enterprise class reliability
• Geographically load-balanced datacenters
• Queuing capabilities to help ensure no mail is lost
• 24x7x365 Microsoft Support
• $$$ backed SLA

Page 6: CoLabora - Exchange Online Protection - June 2015

EOP Service Level Agreements

Mail Delivery
• 99.999% EOP uptime
• Geo-redundant network
• 24/7 live phone and web technical support
• Message queuing for 2 days if the customer server is unresponsive

Filtering Performance
• 100% known virus detection (active payload)
• 99% spam detection rate
• False positive ratio of less than 1:250,000 messages

Page 7: CoLabora - Exchange Online Protection - June 2015

EOP Architecture

Page 8: CoLabora - Exchange Online Protection - June 2015

EOP Conceptual Diagram

(Diagram: on-premises server with inbound and outbound email filtered through EOP. Labels: Corporate Network, EOP.)

Page 9: CoLabora - Exchange Online Protection - June 2015

EOP Deployment scenarios

• Works with any SMTP email platform!
• Every Office 365 customer is an EOP customer
• Easy transition from EOP stand-alone to Office 365

(Diagram: on-premises server with inbound and outbound email filtered through EOP. Labels: On Premise Corporate Network, EOP, O365 Exchange Online.)

Page 10: CoLabora - Exchange Online Protection - June 2015

EOP Inbound filtering

(Diagram of the inbound pipeline; stage labels recovered from the slide, listed in processing order.)

Email is routed to EOP DCs based on MX record resolution (contoso-com.mail.protection.outlook.com).

1. IP-based edge blocking: reputation blocking
2. Virus scanning: AV Engine 1, AV Engine 2, AV Engine 3
3. Policy enforcement: custom rules
4. SPAM protection: safe sender/recipient, content scanning and heuristics, bulk mail filtering, SPF & Sender ID filter, international spam
5. Quarantine
6. Delivery to the corporate network

Advanced SPAM management (feedback loop): customer feedback on false +ve / -ve and spam analysts feed the filter with regular expressions, URL block lists, envelope blocks, Forefront blocks and allows/rejects.

Page 11: CoLabora - Exchange Online Protection - June 2015

EOP Outbound filtering

(Diagram of the outbound pipeline; stage labels recovered from the slide, listed in processing order.)

Corporate network
1. SPAM protection: content scanning and heuristics; advanced SPAM management (spam analysts)
2. Virus scanning: AV Engine 1, AV Engine 2, AV Engine 3
3. Policy enforcement: custom rules, quarantine, email encryption
4. Delivery pool selected by spam score, then out to the Internet:
   • Low score: Outbound Pool
   • High score: High Risk Delivery Pool
   • Bulk mail: Bulk Delivery Pool

Page 12: CoLabora - Exchange Online Protection - June 2015

Anti-spam

Page 13: CoLabora - Exchange Online Protection - June 2015

Different Types of SPAM

• Phishing Campaigns
• Spear Phishing (APT)
• Bulk Mail
• Backscatter
• Malware Distribution
• Image Spam

Page 14: CoLabora - Exchange Online Protection - June 2015

Multi-layered anti-spam protection

1. Connection filtering: blocks up to 80% of all spam based on IP block/allow lists.
2. Sender-Recipient Filtering: blocks up to 15% of all spam based on internal lists and sender reputation.
3. Content Filtering: blocks up to 5% of all spam based on internal lists and heuristics.

Page 15: CoLabora - Exchange Online Protection - June 2015

Granular anti-spam filtering controls

Connection filtering
• Static IP allow/block list
• Opt-in to Microsoft-maintained reputable sender list

Content spam categories
• Obvious spam
• High confidence spam

Content Filtering Actions
• Delete
• Quarantine
• Add X-Header
• Modify Subject
• Redirect

Page 16: CoLabora - Exchange Online Protection - June 2015

Effective spam blocking

Block external threats quickly
• Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time.

Enable more control
• Mark all bulk messages as spam
• Block unwanted email based on language or geographic origin

(Screenshots: Block email based on language; Block email based on geography.)

Page 17: CoLabora - Exchange Online Protection - June 2015

Junk mail management

• Suspect junk mail goes by default to the Outlook junk mail folder.
• Uses Outlook safe senders and block lists.
• SPAM Quarantine was until now available to administrators only; end user quarantine is rolling out NOW!
• Email spam notification for the end users

Page 18: CoLabora - Exchange Online Protection - June 2015

Quarantine

End User Quarantine
• End users can release from quarantine
• Report spam / not spam

Page 19: CoLabora - Exchange Online Protection - June 2015

End User Spam Notification

• Set frequency from 1 to 15 days

Page 20: CoLabora - Exchange Online Protection - June 2015

False Negatives and False Positives

• Outlook Junk Mail Reporting Tool for missed spam: http://www.microsoft.com/en-us/download/details.aspx?id=18275
• Send spam email as an attachment to [email protected]
• Send false positive messages to [email protected]

Page 21: CoLabora - Exchange Online Protection - June 2015

Deployment

Page 22: CoLabora - Exchange Online Protection - June 2015

EOP deployment scenarios

Standalone: All mailboxes are located on-premises. Purchasable on its own or as part of Exchange Enterprise CAL with Services.

Fully hosted: All mailboxes are hosted in the cloud with Microsoft Exchange Online. Requires an Exchange Online license.

Hybrid: Some mailboxes are hosted in Exchange Online, and some mailboxes on-premises. Requires an Exchange Online license.

Page 23: CoLabora - Exchange Online Protection - June 2015

Overview of the deployment process

Step 1: Verify prerequisites
Step 2: Configure mail flow (connectors)
Step 3: Add and validate domains
Step 4: Customize spam and policy settings
Step 5: Enable mail flow
Step 6: Monitor and fine tune

Page 24: CoLabora - Exchange Online Protection - June 2015

Prerequisites

Applicable to all scenarios
• Office 365 Tenant – name.onmicrosoft.com
• EOP licenses (ExO or EOP Standalone)
• Domain to migrate
• Modern web browser to access the Office 365 portal

Applicable to Standalone or Hybrid scenarios
• Inbound and outbound public IP addresses
• Open port 25 to Exchange Online Protection IP addresses
• Information on TLS policy, attachment handling, junk folder use, etc.
• DirSync may require additional hardware

Page 25: CoLabora - Exchange Online Protection - June 2015

Configure mail flow

Standalone
• Create EOP outbound connector to deliver mail on-premises
• Create EOP inbound connector to accept mail from on-premises
• Create on-premises send connector to send outgoing mail to EOP

Hybrid
• Hybrid mail flow is best configured using the Hybrid Configuration Wizard

Optional for all scenarios
• Create connectors for forced TLS to third parties
• Create connectors for customized mail routing

Page 26: CoLabora - Exchange Online Protection - June 2015

Configure mail flow (connectors)

(Diagram: On-Prem Mail Environment connected to Exchange Online Protection through an Outbound Connector and an Inbound Connector; Exchange Online Protection connected to a Partner Environment through an Outbound TLS Connector and an Inbound TLS Connector.)

EOP connectors between on-premises and EOP need to be created.

*Additional connectors can be created between EOP and partners to force TLS.

Page 27: CoLabora - Exchange Online Protection - June 2015

TLS scenario

Prior to EOP: Contoso talks directly to Fabrikam.
• Contoso cert CN = mail.contoso.com
• Fabrikam cert CN = mail.fabrikam.com

With EOP (Fabrikam uses EOP): Contoso talks to EOP, and EOP talks to Fabrikam.
• Contoso cert CN = mail.contoso.com
• EOP cert CN = mail.protection.outlook.com (presented on both the Contoso-to-EOP and EOP-to-Fabrikam legs)
• Fabrikam cert CN = mail.fabrikam.com

Page 28: CoLabora - Exchange Online Protection - June 2015

Configure mail flow (connectors)

(Diagram: three on-premises mail environments, On-Prem Mail APAC, On-Prem Mail AMER and On-Prem Mail EMEA, each reached from Exchange Online Protection through its own outbound connector (Outbound Connector 1, 2 and 3), while a single Inbound Connector 1 accepts mail from all of them.)

Page 29: CoLabora - Exchange Online Protection - June 2015

Policies: anti-spam, anti-malware and DLP controls integrated into the Exchange Admin Center and Office 365.

Page 30: CoLabora - Exchange Online Protection - June 2015

Directory Based Edge Blocking

What it does
• Blocks messages to invalid recipients at the EOP edge
• Beneficial to organizations with on-premises mailboxes

Configuration
• The EAC exposes two domain types:
  • Authoritative - All email for unknown recipients is rejected. Setting this domain type enables DBEB.
  • Internal relay - Email is delivered to recipients in your org or relayed to another email server.
• To enable DBEB, set the domain to be AUTHORITATIVE.

Page 31: CoLabora - Exchange Online Protection - June 2015

Reporting

Page 32: CoLabora - Exchange Online Protection - June 2015

Reporting: provides a clear view on spam filtering and malware attacks.

E-mail Protection Reports
• Excel workbook available to enable self-service analysis
• Connects to the reporting web service
• Data can be refreshed from within the workbook at any time
• Drill through from recent summary data to the underlying detailed information

Page 33: CoLabora - Exchange Online Protection - June 2015

Monitor and fine tune

Goals
• Is the service operating as expected?
• Make adjustments to rules or settings as needed
• Evaluate effectiveness of spam settings

Tools
• Reports (Office 365 Portal or Mail Protection Reports for Office 365)
• Submitting spam and false positive messages to Microsoft
• Junk Mail Reporting Tool for Outlook

Page 34: CoLabora - Exchange Online Protection - June 2015

Best Practices

Page 35: CoLabora - Exchange Online Protection - June 2015

Best practices

Do this
• Use a test domain, subdomain or low volume domain for trying different service features
• Disable the EOP inbound connector (type is on-prem) until you are ready to use it
• Use the Remote Connectivity Analyzer to troubleshoot
• Restrict inbound SMTP access to allow ONLY from EOP IP ranges
• Enable Microsoft's IP Safe List in the Connection Filter
• When creating safe / block lists, use IP first, and if not possible, then use the domain

Don't do this
• Daisy chain services
• Use EOP for sending bulk mail
• Enable all Content Filter Advanced Options out of the box
• Safe list your own domain

Page 36: CoLabora - Exchange Online Protection - June 2015

Test mail flow before MX change

Telnet is your friend: telnet can be used to test mail flow from EOP to your on-prem environment. This allows verifying that mail flow will work before doing the MX cutover.

You do/type this                                       | Server responds with this
telnet tenantDomainMXRecordHere 25                     | 220
helo your_sending_server_fqdn                          | 250
mail from: [email protected]                           | 250 Sender OK
rcpt to: [email protected]                             | 250 Recipient OK
data (followed by the Enter key)                       | Server provides directions on how to enter data.
subject: (enter the subject and hit Enter twice), then | 250 Message queued for delivery.
the body text; finish with a period on a line by       |
itself and hit Enter                                   |
quit                                                   | 221 Service closing transmission channel
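The same pre-cutover check scripted with Python's smtplib rather than typed into telnet, as an added example that is not part of the slides: it walks the dialogue above up to RCPT TO and then QUITs, so the recipient is verified without delivering a test message. The MX host, HELO name and addresses are caller-supplied placeholders, and the step names and evaluate() helper are this example's own conventions.

```python
import smtplib
from typing import Dict, List, Tuple

# Reply code expected at each step of the dialogue shown on the slide.
EXPECTED = {"connect": 220, "helo": 250, "mail": 250, "rcpt": 250, "quit": 221}


def run_dialogue(mx_host: str, helo_name: str, sender: str, recipient: str,
                 port: int = 25, timeout: float = 15.0) -> Dict[str, Tuple[int, str]]:
    """Connect, HELO, MAIL FROM, RCPT TO, QUIT; record each server reply.

    DATA is never sent, so the check proves the on-prem host accepts mail for
    the recipient without actually delivering a test message.
    """
    replies: Dict[str, Tuple[int, str]] = {}
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        code, msg = smtp.connect(mx_host, port)
        replies["connect"] = (code, msg.decode(errors="replace"))
        for step, call in (("helo", lambda: smtp.helo(helo_name)),
                           ("mail", lambda: smtp.mail(sender)),
                           ("rcpt", lambda: smtp.rcpt(recipient))):
            code, msg = call()
            replies[step] = (code, msg.decode(errors="replace"))
            if code != EXPECTED[step]:
                break  # stop at the first failing step, but still QUIT cleanly
        code, msg = smtp.quit()
        replies["quit"] = (code, msg.decode(errors="replace"))
    except (OSError, smtplib.SMTPException) as exc:
        # Connection refused, timeout, or the server dropped the session mid-dialogue.
        replies.setdefault("connect", (0, f"connection failed: {exc}"))
    return replies


def evaluate(replies: Dict[str, Tuple[int, str]]) -> Tuple[bool, List[str]]:
    """Return (ok, problems): every step must have answered with its expected code."""
    problems: List[str] = []
    for step, want in EXPECTED.items():
        got = replies.get(step)
        if got is None:
            problems.append(f"{step}: no reply recorded")
        elif got[0] != want:
            problems.append(f"{step}: expected {want}, got {got[0]} {got[1]}")
    return (not problems, problems)


if __name__ == "__main__":
    import sys  # usage: python eop_mailflow_check.py MX_HOST HELO_FQDN SENDER RECIPIENT
    ok, problems = evaluate(run_dialogue(*sys.argv[1:5]))
    print("mail flow OK" if ok else "\n".join(problems))
```

A non-250 on RCPT TO (for example a 550 for an unknown user) points at the on-prem recipient validation or connector, which is exactly what you want to find before the MX record moves.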

Page 37: CoLabora - Exchange Online Protection - June 2015

Known Issues & Limitations

Quarantine
• Online viewer only supports up to 500 messages
• More can be viewed via the PowerShell Get-QuarantineMessage cmdlet
• Can only release in bulk through the Release-QuarantineMessage cmdlet

Limits
• Max message size for EOP delivering to stand-alone customers is 150 MB
• Max 100 Transport Rules per tenant – DLP policies consume part of this quota
• Max of 900 domains per tenant
• EOP outbound connectors use round robin for delivery

Page 38: CoLabora - Exchange Online Protection - June 2015

Mail is ALWAYS processed ONLY in your region!

(Diagram of EOP regions: NoAm, APAC, EMEA, PRC.)

Page 39: CoLabora - Exchange Online Protection - June 2015

Advanced Threat Protection

• Protection against unknown malware and viruses by analyzing attachment behavior in a hypervisor environment before delivering them
• Real-time, time-of-click protection against malicious URLs that are not yet known by EOP
• Rich reporting and tracing of URL click-throughs
• $2 / month per user

Page 40: CoLabora - Exchange Online Protection - June 2015

Summary

• EOP Architecture
• Test drive it
• Know the limitations of EOP

Page 41: CoLabora - Exchange Online Protection - June 2015

Questions!