CoLabora UC User Group Meeting - June 2015 Topic about: Exchange Online Protection. Speaker: Peter Schmidt (MVP & MCM - www.msdigest.net)

1. Peter Schmidt
Solution Architect, EG A/S
Exchange Online Protection
Introduction and Architecture

2. About me
© EG A/S 2
Peter Schmidt
Solution Architect, EG A/S
Expertise:
Office 365, Exchange, Skype for Business,
Microsoft Azure, ADFS, PKI
Microsoft MVP: Exchange, MCM: Exchange
MCSE: Messaging, MCSA: Office 365
MCSE: Server Infrastructure, MCSE: Public Cloud
Contact me:
E-mail: pesch@eg.dk
Blog: www.msdigest.net
Twitter: @petsch
Phone: +45 7260 2775/+45 2080 9436

3. Agenda
© EG A/S 3
 Introduction to Exchange Online Protection
 EOP Architecture
 Deployment
 Best Practices
 Summary
 Q&A

4. Introduction to
Exchange Online Protection

5. Stop viruses and malware
 Multi-engine malware protection
 Continuously evolving anti-spam protection
Protect sensitive data
 Data Loss Prevention features
 Encryption of sensitive email
Common administration console
 Office 365 integration
 Detailed reporting
Enterprise class reliability
 Geographically load-balanced datacenters
 Queuing capabilities to help ensure no mail is lost
 24x7x365 Microsoft Support
 $$$ backed SLA
Exchange Online Protection (EOP)

6. • Mail Delivery
• 99.999% EOP uptime
• Geo-redundant network
• 24/7 Live phone and web technical support
• Message queuing for 2 days if customer server unresponsive
• Filtering Performance
• 100% known virus detection (active payload)
• 99% spam detection rate
• False positive ratio of less than 1:250,000 messages
EOP Service Level Agreements

7. EOP Architecture

8. On-premises server - Inbound and Outbound email filtered through EOP
EOP Conceptual Diagram
Corporate NetworkEOP

9. Works with any SMTP email platform!
Every Office 365 customer is an EOP customer
Easy transition from EOP stand-alone to Office 365
On-premises server
- Inbound and Outbound email filtered through EOP
EOP Deployment scenarios
6
On Premise
Corporate Network
EOP
O365
Exchange Online

10. EOP Inbound filtering
Email is routed to EOP DC’s based on MX record resolution
(contoso-com.mail.protection.outlook.com)
IP-based edge blocking
Reputation blocking
Virus
scanning
AV Engine 1
AV Engine 2
AV Engine 3
SPAM protection
Safe Sender/Recipient
Policy enforcement
Custom Rules
Content scanning and Heuristics
Bulk Mail filtering
SPF & Sender ID Filter
Quarantine
*International Spam*
Advanced SPAM management
Customer feedback
False +ve / -ve
Spam analysts
Corporate network
Regular expressions
URL block lists
Envelope blocks
Forefront blocks
Allows/Rejects

11. Outbound Pool
Outbound Pool
EOP Outbound filtering
High Risk Delivery PoolHigh Score
Outbound Pool
Low ScoreSPAM protection
Content scanning and Heuristics
Advanced SPAM management
Virus
scanning
AV Engine 1
AV Engine 2
AV Engine 3
Policy enforcement
Custom Rules
Quarantine
Spam Analysts
Corporatenetwork
Bulk Delivery Pool
Bulk Mail
Internet
Email Encryption

12. Anti-spam

13. • Phishing Campaigns
• Spear Phishing (APT)
• Bulk Mail
• Backscatter
• Malware Distribution
• Image Spam
Different Types of SPAM

14. 1. Connection filtering
Blocks up to 80% of all spam based on IP block/allow lists.
2. Sender-Recipient Filtering
Blocks up to 15% of all spam based on internal lists and sender reputation.
3. Content Filtering
Blocks up to 5% of all spam based on internal lists and heuristics.
Multi-layered anti-spam protection
14

15. Connection filtering
 Static IP allow/block list
 Opt-in to Microsoft-maintained reputable sender list
Content spam categories
 Obvious spam
 High confidence spam
Content Filtering Actions
 Delete
 Quarantine
 Add X-Header
 Modify Subject
 Redirect
Granular anti-spam filtering controls
15

16. Block external threats quickly
Advanced fingerprinting technologies that identify and
stop new spam and phishing vectors in real time.
Enable more control
Mark all bulk messages as spam
Block unwanted email based on language or
geographic origin
Block email based on language
Block email based on geography
Effective spam
blocking

17. • Suspect junk mail by default goes to the Outlook junk mail folder.
• Uses Outlook safe senders and block lists.
• SPAM Quarantine was currently available to administrators only.
End user quarantine rolled out NOW!
• Email Spam Notification for the end-users
Junk mail management

18. End User Quarantine
• End users can release from quarantine
• Report Spam, not spam
Quarantine

19. Set Frequency from 1-15 days
End User Spam Notification

20. False Negatives and False Positives
Outlook Junk Mail Reporting
Tool for missed spam
http://www.microsoft.com/en-
us/download/details.aspx?id=18275
Send spam email as an
attachment to
abuse@messaging.microsoft.com
Send false positive messages
to
false_positive@messaging.microsoft.c
om

21. Deployment

22. Standalone
All mailboxes are located on-premises
Purchasable on its own or Part of Exchange Enterprise CAL with Services
Fully hosted
All mailboxes are hosted in the cloud with Microsoft Exchange Online
Exchange Online license
Hybrid
Some mailboxes are hosted in Exchange Online, and some mailboxes on-premises
Exchange Online license
EOP deployment scenarios

23. Overview of the deployment process
Step 1: Verify prerequisites
Step 2: Configure mail flow (connectors)
Step 3: Add and validate domains
Step 4: Customize spam and policy settings
Step 5: Enable mail flow
Step 6: Monitor and fine tune

24. Applicable to all scenarios
 Office 365 Tenant – name.onmicrosoft.com
 EOP licenses (ExO or EOP Standalone)
 Domain to migrate
 Modern web browser to access the Office 365 portal
Applicable to Standalone or Hybrid scenarios
 Inbound and outbound public IP addresses
 Open port 25 to Exchange Online Protection IP Addresses
 Information on TLS policy, attachment handling, junk folder use, etc.
 DirSync may require additional hardware
Prerequisites

25. Standalone
 Create EOP outbound connector to deliver mail on-premises
 Create EOP inbound connector to accept mail from on-premises
 Create on-premises send connector to send outgoing mail to EOP
Hybrid
 Hybrid mail flow is best configured using the Hybrid Configuration Wizard
Optional for all scenarios
 Create connectors for forced TLS to third party
 Create connectors for customized mail routing
Configure mail flow

26. On-Prem Mail
Environment
Exchange Online
Protection
Outbound Connector
Inbound Connector
Outbound TLS
Connector
Inbound TLS
Connector
EOP connectors between on-premises and EOP need to be created
*Additional connectors can be created between EOP and partners to force TLS
Partner
Environment
Configure mail flow (connectors)

27. With EOP (Fabrikam uses EOP)
TLS scenario
Prior to EOP (Fabrikam uses EOP)
Contoso FabrikamCert CN = mail.contoso.com
Cert CN = mail.fabrikam.com
Contoso EOP FabrikamCert CN = mail.contoso.com
Cert CN = mail.protection.outlook.com
Cert CN = mail.protection.outlook.com
Cert CN = mail.fabrikam.com

28. Configure mail flow (connectors)
On-Prem Mail
APAC
Exchange Online
Protection
On-Prem Mail
AMER
On-Prem Mail
EMEA
Outbound
Connector 1
Outbound
Connector 3
Outbound
Connector 2
Inbound
Connector 1

29. Policies
Anti-spam, anti-malware and
DLP controls integrated into
the Exchange Admin Center
and Office 365.

30. • What it does
• Blocks messages to invalid recipients at the EOP edge
• Beneficial to organizations with on-premises mailboxes
• Configuration
• The EAC exposes two domain types.
• Authoritative - All email for unknown recipients is rejected. Setting this domain type enables DBEB
• Internal relay - Email is delivered to recipients in your org or relayed to another email server
• To enable DBEB, set the domain to be AUTHORITATIVE.
Directory Based Edge Blocking

31. Reporting

32. Reporting
Provides a clear view on spam filtering
and malware attacks
E-mail Protection Reports
Excel Workbook available to enable self-
service analysis
Connects to the reporting web service
Data can be refreshed from within the
workbook at any time
Drill through from recent summary data to
the underlying detailed information

33. • Goals
• Is the service operating as expected?
• Make adjustments to rules or settings as needed
• Evaluate effectiveness of spam settings
• Tools
• Reports (Office 365 Portal or Mail Protection Reports for Office 365)
• Submitting spam and false positive messages to Microsoft
• Junk Mail Reporting Tool for Outlook
Monitor and fine tune

34. Best Practices

35. • Do this
• Use a test domain, subdomain or low volume domain for trying different service features
• Disable EOP inbound connector (type is on-prem) until you are ready to use it
• Use the Remote Connectivity Analyzer to troubleshoot
• Restrict inbound SMTP access to allow ONLY from EOP IP ranges
• Enable Microsoft’s IP Safe List in the Connection Filter
• When creating safe / black lists, use IP first, and if not possible, then use the domain
• Don’t do this
• Daisy chain services
• Use EOP for sending bulk mail
• Enable all Content Filter Advanced Options out of the box
• Safe list your own domain
Best practices

36. Telnet is your friend
Telnet can be used to test mail flow from EOP to your on-prem environment.
This allows verifying mail flow will work before doing the MX cutover.
Test mail flow before MX change
You do/type this Server responds with this
telnet tenantDomainMXRecordHere 25 220
helo your_sending_server_fqdn 250
mail from: you@domain.invalid 250 Sender OK
rcpt to: recipient@contoso.com 250 Recipient OK
data followed by the enter key Server provides directions on how to
enter data.
subject: Enter the subject and hit enter
twice
Enter the body text. To finish the message,
type a period on a line by itself and hit
enter.
250 Message queued for delivery.

37. • Quarantine
• Online viewer only supports up to 500 messages
• More can be viewed via PowerShell Get-QuarantineMessage Cmdlet
• Can only release in bulk through Release-QuarantineMessage Cmdlet
• Limits
• Max message size for EOP delivering to stand-alone customers is 150 MB
• Max 100 Transport Rules per tenant – DLP policies consume part of this quota
• Max of 900 domains per tenant
• EOP outbound connectors use round robin for delivery
Known Issues & Limitations

38. No Am
APAC
EMEA
Mail is ALWAYS processed ONLY in your region!
PRC

39. • Protection against unknown malware and viruses by analyzing attachment
behavior in a hypervisor environment before delivering them
• Real time, time-of-click protection against malicious URLs that are not yet
known by EOP
• Rich reporting and tracing of URL click throughs
• 2$ / month per user
Advanced Threat Protection

40. EOP Architecture
Test drive it
Know the limitations of EOP
Summary

41. Questions !
© EG A/S 41