2. WWW.COLLAB365.EVENTS
Peter Schmidt
EG A/S, Denmark
Email : pesch@eg.dk
Twitter : @petsch
Blog : www.msdigest.net
https://dk.linkedin.com/in/petsch
• Cloud and Infrastructure Architect
• 15+ years of experience with Exchange Server
• Microsoft Certified Master: Exchange
• Microsoft MVP: Exchange
5. WWW.COLLAB365.EVENTS
Stop viruses and malware
Multi-engine malware protection
Continuously evolving anti-spam protection
Protect sensitive data
Data Loss Prevention features
Encryption of sensitive email
Common administration console
Office 365 integration
Detailed reporting
Enterprise class reliability
Geographically load-balanced datacenters
Queuing capabilities to help ensure no mail is lost
24x7x365 Microsoft Support
$$$ backed SLA
Exchange Online Protection (EOP)
6. WWW.COLLAB365.EVENTS
EOP Service Level Agreements (SLA)
• Mail Delivery
• 99.999% EOP uptime
• Geo-redundant network
• 24/7 Live phone and web technical support
• Message queuing for 2 days if customer server is unresponsive
9. WWW.COLLAB365.EVENTS
• Works with any SMTP email platform!
• Every Office 365 customer is an EOP customer
• Easy transition from EOP stand-alone to Office 365
• On-premises server
– Inbound and outbound email filtered through EOP
EOP Deployment scenarios
[Diagram: on-premises corporate network, EOP, and Office 365 (Exchange Online)]
10. WWW.COLLAB365.EVENTS
EOP Inbound filtering
Email is routed to EOP datacenters based on MX record resolution (contoso-com.mail.protection.outlook.com)
IP-based edge blocking
Reputation blocking
Virus scanning
AV Engine 1
AV Engine 2
AV Engine 3
SPAM protection
Safe Sender/Recipient
Policy enforcement
Custom Rules
Content scanning and Heuristics
Bulk Mail filtering
SPF & Sender ID Filter
Quarantine
*International Spam*
Advanced SPAM management
Customer feedback
False +ve / -ve
Spam analysts
Corporate network
Regular expressions
URL block lists
Envelope blocks
Forefront blocks
Allows/Rejects
11. WWW.COLLAB365.EVENTS
EOP Outbound filtering
High Risk Delivery Pool
High Score
Outbound Pool
Low Score
SPAM protection
Content scanning and Heuristics
Advanced SPAM management
Virus scanning
AV Engine 1
AV Engine 2
AV Engine 3
Policy enforcement
Custom Rules
Quarantine
Spam Analysts
Corporate network
Bulk Delivery Pool
Bulk Mail
Internet
Email Encryption
14. WWW.COLLAB365.EVENTS
• 1. Connection filtering
– Blocks up to 80% of all spam based on IP block/allow lists.
• 2. Sender-Recipient Filtering
– Blocks up to 15% of all spam based on internal lists and sender reputation.
• 3. Content Filtering
– Blocks up to 5% of all spam based on internal lists and heuristics.
Multi-layered anti-spam protection
15. WWW.COLLAB365.EVENTS
• Connection filtering
Static IP allow/block list
Opt-in to Microsoft-maintained reputable sender list
• Content spam categories
Obvious spam
High confidence spam
• Content Filtering Actions
Delete
Quarantine
Add X-Header
Modify Subject
Redirect
Granular anti-spam filtering controls
16. WWW.COLLAB365.EVENTS
• Block external threats quickly
– Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time.
• Enable more control
– Mark all bulk messages as spam
– Block unwanted email based on language or geographic origin
• Effective spam blocking
Block email based on language
Block email based on geography
17. WWW.COLLAB365.EVENTS
• Suspect junk mail by default goes to the Outlook junk mail folder.
• Uses Outlook safe senders and block lists.
• SPAM Quarantine was available to administrators only.
End user quarantine rolled out NOW!
• Email Spam Notification for the end-users
Junk mail management
20. WWW.COLLAB365.EVENTS
False Negatives and False Positives
• Outlook Junk Mail Reporting Tool for missed spam
• http://www.microsoft.com/en-us/download/details.aspx?id=18275
• Send spam email as an attachment to abuse@messaging.microsoft.com
• Send false positive messages to false_positive@messaging.microsoft.com
22. WWW.COLLAB365.EVENTS
• Standalone
– All mailboxes are located on-premises
– Purchasable on its own or as part of Exchange Enterprise CAL with Services
• Fully hosted
– All mailboxes are hosted in the cloud with Microsoft Exchange Online
– Exchange Online license
• Hybrid
– Some mailboxes are hosted in Exchange Online, and some mailboxes on-premises
– Exchange Online license
EOP deployment scenarios
23. WWW.COLLAB365.EVENTS
Overview of the deployment process
Step 1: Verify prerequisites
Step 2: Configure mail flow (connectors)
Step 3: Add and validate domains
Step 4: Customize spam and policy settings
Step 5: Enable mail flow
Step 6: Monitor and fine tune
24. WWW.COLLAB365.EVENTS
Applicable to all scenarios
Office 365 Tenant – name.onmicrosoft.com
EOP licenses (ExO or EOP Standalone)
Domain to migrate
Modern web browser to access the Office 365 portal
Applicable to Standalone or Hybrid scenarios
Inbound and outbound public IP addresses
Open port 25 to Exchange Online Protection IP Addresses
Information on TLS policy, attachment handling, junk folder use, etc.
DirSync may require additional hardware
Prerequisites
25. WWW.COLLAB365.EVENTS
Standalone
Create EOP outbound connector to deliver mail on-premises
Create EOP inbound connector to accept mail from on-premises
Create on-premises send connector to send outgoing mail to EOP
Hybrid
Hybrid mail flow is best configured using the Hybrid Configuration Wizard
Optional for all scenarios
Create connectors for forced TLS to third party
Create connectors for customized mail routing
Configure mail flow
26. WWW.COLLAB365.EVENTS
EOP connectors between on-premises and EOP need to be created
Additional connectors can be created between EOP and partners to force TLS
[Diagram: On-Prem Mail Environment linked to Exchange Online Protection by an Outbound Connector and an Inbound Connector; Partner Environment linked by an Outbound TLS Connector and an Inbound TLS Connector]
Configure mail flow (connectors)
28. WWW.COLLAB365.EVENTS
Configure mail flow (connectors)
[Diagram: Exchange Online Protection with Inbound Connector 1 and Outbound Connectors 1, 2 and 3 to On-Prem Mail environments in APAC, AMER and EMEA]
29. WWW.COLLAB365.EVENTS
• What it does
• Blocks messages to invalid recipients at the EOP edge
• Beneficial to organizations with on-premises mailboxes
• Configuration
• The EAC exposes two domain types.
• Authoritative - All email for unknown recipients is rejected. Setting this domain type enables DBEB
• Internal relay - Email is delivered to recipients in your org or relayed to another email server
• To enable DBEB, set the domain to be AUTHORITATIVE.
Directory Based Edge Blocking
31. WWW.COLLAB365.EVENTS
Reporting
• Provides a clear view on spam filtering and malware attacks
• E-mail Protection Reports
– Excel Workbook available to enable self-service analysis
– Connects to the reporting web service
– Data can be refreshed from within the workbook at any time
– Drill through from recent summary data to the underlying detailed information
32. WWW.COLLAB365.EVENTS
• Goals
• Is the service operating as expected?
• Make adjustments to rules or settings as needed
• Evaluate effectiveness of spam settings
• Tools
• Reports (Office 365 Portal or Mail Protection Reports for Office 365)
• Submitting spam and false positive messages to Microsoft
• Junk Mail Reporting Tool for Outlook
Monitor and fine tune
34. WWW.COLLAB365.EVENTS
• Do this
• Use a test domain, subdomain or low volume domain for trying different service features
• Disable EOP inbound connector (type is on-prem) until you are ready to use it
• Use the Remote Connectivity Analyzer to troubleshoot
• Restrict inbound SMTP access to allow ONLY from EOP IP ranges
• Enable Microsoft’s IP Safe List in the Connection Filter
• When creating safe / black lists, use IP first, and if not possible, then use the domain
• Don’t do this
• Daisy chain services
• Use EOP for sending bulk mail
• Enable all Content Filter Advanced Options out of the box
• Safe list your own domain
Best practices
35. WWW.COLLAB365.EVENTS
Telnet is your friend
Test mail flow before MX change
You do/type this | Server responds with this
telnet tenantDomainMXRecordHere 25 | 220
helo your_sending_server_fqdn | 250
mail from: you@domain.invalid | 250 Sender OK
rcpt to: recipient@contoso.com | 250 Recipient OK
data followed by the enter key | Server provides directions on how to enter data.
subject: Enter the subject and hit enter twice |
Enter the body text. To finish the message, type a period on a line by itself and hit enter. | 250 Message queued for delivery.
Quit | 221 Service closing transmission channel
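The manual telnet check above, combined with the recipient rejection described on the Directory Based Edge Blocking slide, scripted as an added example that is not part of the original slides. The function names `probe` and `assess` are hypothetical, the session stops before DATA so nothing is queued, and the results in the `__main__` block are constructed rather than captured.

```python
import smtplib

# Reply codes the slide's table lists for a healthy session, in order.
EXPECTED = {"connect": 220, "helo": 250, "mail": 250, "rcpt": 250}

def probe(host, helo_name, sender, recipient, port=25, timeout=15):
    """Replay the telnet dialogue up to RCPT TO; return {step: (code, text)}."""
    smtp = smtplib.SMTP(timeout=timeout)  # no host given: not connected yet
    steps = (
        ("connect", lambda: smtp.connect(host, port)),
        ("helo", lambda: smtp.helo(helo_name)),
        ("mail", lambda: smtp.mail(sender)),
        ("rcpt", lambda: smtp.rcpt(recipient)),
    )
    results = {}
    try:
        for step, send in steps:
            code, text = send()
            results[step] = (code, text.decode(errors="replace"))
            if code != EXPECTED[step]:
                break  # after a refusal the later steps are meaningless
    finally:
        try:
            smtp.quit()  # leave before DATA, so no message is queued
        except (smtplib.SMTPException, OSError):
            pass
    return results

def assess(valid, invalid):
    """Findings from two probes: a real mailbox and a nonexistent address."""
    findings = []
    for step, want in EXPECTED.items():
        code, text = valid.get(step, (None, "step not reached"))
        if code != want:
            findings.append(f"{step}: expected {want}, got {code} {text}")
            break  # report the first failing step only
    code = invalid.get("rcpt", (None, ""))[0]
    if code is not None and 200 <= code < 300:
        findings.append("rcpt: unknown recipient accepted, so invalid "
                        "recipients are not being blocked at the edge")
    return findings

if __name__ == "__main__":
    # Constructed results (not captured from a real server) so this runs
    # offline; in use, build both dicts with probe() against the tenant MX host.
    ok = {"connect": (220, "ready"), "helo": (250, "hello"),
          "mail": (250, "Sender OK"), "rcpt": (250, "Recipient OK")}
    rejected = dict(ok, rcpt=(550, "Recipient address rejected"))
    print(assess(ok, rejected))  # unknown recipient refused at RCPT TO
    print(assess(ok, ok))        # unknown recipient accepted
```

Run `probe` once with a real mailbox and once with an address that does not exist; an empty list from `assess` means the session matched the table and the unknown recipient was refused.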
36. WWW.COLLAB365.EVENTS
• Quarantine
• Online viewer only supports up to 500 messages
• More can be viewed via PowerShell Get-QuarantineMessage Cmdlet
• Can only release in bulk through Release-QuarantineMessage Cmdlet
• Limits
• Max message size for EOP delivering to stand-alone customers is 150 MB
• Max 100 Transport Rules per tenant – DLP policies consume part of this quota
• Max of 900 domains per tenant
• EOP outbound connectors use round robin for delivery
Known Issues & Limitations
38. WWW.COLLAB365.EVENTS
• Protection against unknown malware and viruses by analyzing attachment behavior in a hypervisor environment before delivering them
• Real time, time-of-click protection against malicious URLs that are not yet known by EOP
• Rich reporting and tracing of URL click throughs
• 2$ / month per user
Advanced Threat Protection