Protect communications Multi-engine anti-malware and enhanced spam filtering to help protect your email environment from threats Enforce policy Flexible tools for policy enforcement that.


Protect communications
Multi-engine anti-malware and enhanced spam filtering
to help protect your email environment from threats
Enforce policy
Flexible tools for policy enforcement that provide the
right level of control
Streamlined management
Flexible administration of anti-spam, anti-malware and policy rules
[Diagram: mail delivery and filtering]
Mail Delivery: Email is routed to EOP DCs based on MX record resolution
Edge Blocks: IP-based edge blocking, URL Block lists
Virus Scanning: AV Engine 1, AV Engine 2, AV Engine 3
Policy Enforcement: Custom Rules, Policy Quarantine
SPAM Protection: Outlook Safe Sender/Recipient, Allows/Rejects, Content scanning, Bulk Mail filtering, Content Filter Advanced Options, SPAM Quarantine
Customer Feedback: False Positive/Negatives
Filtering Performance
Spam Analysts
Corporate Network
[Diagram: outbound filtering and delivery pools]
Corporate Network
Virus Scanning: AV Engine 1, AV Engine 2, AV Engine 3
Policy Enforcement: Custom Rules, Email Encryption
SPAM Protection: Content scanning and Heuristics, Content Filter Advanced Options
Delivery pools: Outbound Pool, NDR Delivery Pool, Bulk Delivery Pool, Higher Risk Delivery Pool
Score labels: Normal Score, Higher Risk
Spam Analysts
Quarantine
Internet
Standalone or as part of Exchange Enterprise CAL with Services
Part of Exchange Online
• Fully hosted
• Hybrid
Step 1: Verify prerequisites
Step 2: Configure mail flow (connectors)
Step 3: Add and validate domains
Step 4: Customize spam and policy settings
Step 5: Enable mail flow
Step 6: Monitor and fine tune
Applicable to all scenarios
Modern web browser
Applicable to Standalone or Hybrid scenarios
Exchange Online Protection IP Addresses
Exchange Server 2013
Exchange Online
EOP Stand Alone
Standalone
Hybrid
Optional for all scenarios
Partner Environment
Exchange Online Protection
On-Prem Mail Environment
Exchange Online Protection
On-Prem Mail APAC
On-Prem Mail AMER
On-Prem Mail EMEA
Purpose
Validation steps
Spam and policy customization
Configure how to handle spam
Spam action settings (content filter)
Configure sensitivity of spam detection
Create safelists and blocklists
Set company policy
Spam and policy customization (ESN)
EOP and the Junk Mail folder
Two rules need to be added to the on-premises environment.
Set-OrganizationConfig -SCLJunkThreshold 4
New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6
New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6
End users need to be educated about the use of the Junk Mail folder in Outlook
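To see what the two rules above do to a given message, the following added example (not part of the original slides or of Microsoft's tooling) parses an X-Forefront-Antispam-Report value and predicts the SCL the rules stamp and whether Outlook junks the message. The function name and the sample header values are constructed for illustration, and it assumes a message is junked when its SCL is greater than SCLJunkThreshold.

```powershell
$SclJunkThreshold = 4   # value passed to Set-OrganizationConfig above

function Get-EopVerdict {
    param([Parameter(Mandatory)][string]$AntispamReport)

    # The header value is a semicolon-separated list of KEY:value fields.
    $fields = @{}
    foreach ($part in $AntispamReport -split ';') {
        $key, $value = $part.Trim() -split ':', 2
        if ($key) { $fields[$key.ToUpperInvariant()] = "$value".Trim() }
    }

    $sfv = $fields['SFV']
    # Mirrors the two rules: SFV:SPM and SFV:SKS set SCL 6, anything else is untouched.
    $scl = if ($sfv -in 'SPM', 'SKS') { 6 } else { $null }

    [pscustomobject]@{
        SFV     = $sfv
        RuleSCL = $scl
        # Assumption: Outlook junks a message whose SCL is above the threshold.
        ToJunk  = ($null -ne $scl) -and ($scl -gt $SclJunkThreshold)
    }
}

# Constructed sample header values (not taken from real mail).
$samples = @(
    'CIP:203.0.113.7;CTRY:US;LANG:en;SFV:SPM;SCL:5',
    'CIP:198.51.100.20;LANG:en;SFV:SKS;SCL:-1',
    'CIP:192.0.2.44;LANG:en;SFV:NSPM;SCL:1'
)
$samples | ForEach-Object { Get-EopVerdict -AntispamReport $_ } | Format-Table -AutoSize
```

If spam still reaches the Inbox after the rules are in place, comparing the header of a missed message against this output shows whether EOP gave it a spam verdict at all or whether the on-premises rule did not fire.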
Enable mail flow
DNS changes
MX record (domain-suffix.mail.protection.outlook.com)
SPF record (v=spf1 include:spf.protection.outlook.com -all)
Do not change CNAME DNS entries for stand alone customers
On-premise changes
Create smart host from on premise environment to EOP
Restrict on premises firewall to only accept port 25 traffic from EOP
Monitor and fine tune
Goals
Is the service operating as expected?
Make adjustments to rules or settings as needed
Evaluate effectiveness of spam settings
Tools
Reports (Office 365 Portal or Mail Protection Reports for Office 365)
Submitting spam and false positive messages to Microsoft
Junk Mail Reporting Tool for Outlook
http://www.microsoft.com/en-us/download/details.aspx?id=30716
Do this
Use a test domain, subdomain or low volume domain for trying different service features
Create O365 connectors before adding domains
Use the Remote Connectivity Analyzer to troubleshoot
Restrict inbound SMTP access to allow ONLY from EOP IP ranges
Don’t do this
Daisy chain services
Use EOP for sending bulk mail
Enable all Content Filter Advanced Options out of the box
On-premises
Office 365 Directory Sync
Exchange Online
Protection
Automated user/group
management
• Ease of administration for CBRs or other rules based on user address
• Synchronize Outlook safe/block sender lists
DBEB
You may see a change in email patterns
Every product needs to be tuned to your environment
Features may function differently
Porting configuration
Good opportunity to trim old safe/block lists
Spam filtering rules may not be needed
Review filtering policies (transport rules)
Educate email users
Avoid using links in emails to access secure online services
Do not respond to requests for sensitive information via email
Unsubscribe from legitimate bulk mail – e.g. known online retailers
Use the Junk mail reporting tool to submit spam samples
Resources to help educate users – Outlook Phishing Detection, Crabby Office Lady
Publish an SPF record (Sender Policy Framework)
Include EOP IPs and on-premises public IPs
Use the Microsoft Configuration Wizard
Turn on the SPF check Content Filter Advanced Options
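The MX and SPF guidance here and in the "Enable mail flow" DNS changes can be checked mechanically before cut-over. This is an added example, not part of the original slides or of Microsoft's tooling; the function name, the OnPremIps parameter and the sample DNS answers are constructed for illustration.

```powershell
# Checks already-fetched DNS answers, so it runs offline; on a live host the
# inputs could come from Resolve-DnsName (-Type MX gives NameExchange,
# -Type TXT gives Strings).
function Test-EopDnsRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$MxHosts = @(),
        [string[]]$TxtRecords = @(),
        [string[]]$OnPremIps = @()   # public IPs that send mail directly (assumption)
    )

    # MX: the only target should be <domain with dots as dashes>.mail.protection.outlook.com
    $expectedMx = ($Domain.ToLowerInvariant() -replace '\.', '-') + '.mail.protection.outlook.com'
    $mx = @($MxHosts | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })
    if ($mx -notcontains $expectedMx) { "MX: $expectedMx is not published" }
    foreach ($h in $mx) {
        if ($h -ne $expectedMx) { "MX: $h also receives mail, which skips EOP filtering" }
    }

    # SPF: exactly one v=spf1 record, the EOP include, listed on-premises IPs, hard fail.
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -ne 1) {
        "SPF: expected exactly one record, found $($spf.Count)"
        return
    }
    $terms = @($spf[0].Trim() -split '\s+')
    if ($terms -notcontains 'include:spf.protection.outlook.com') {
        'SPF: include:spf.protection.outlook.com is missing'
    }
    foreach ($ip in $OnPremIps) {
        if ($terms -notcontains "ip4:$ip") { "SPF: on-premises sender ip4:$ip is not listed" }
    }
    if ($terms[-1] -ne '-all') { "SPF: ends with '$($terms[-1])' instead of -all" }
}

# Constructed sample answers for contoso.com (not real DNS data).
$sample = @{
    Domain     = 'contoso.com'
    MxHosts    = 'contoso-com.mail.protection.outlook.com.', 'mail.contoso.com.'
    TxtRecords = 'v=spf1 include:spf.protection.outlook.com ~all', 'constructed-unrelated-txt'
    OnPremIps  = '203.0.113.25'
}
Test-EopDnsRecords @sample
```

The sample produces three findings: a second MX host that receives mail outside EOP, an on-premises sending IP missing from the SPF record, and a soft-fail `~all` where the slides call for `-all`.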
Other considerations
Enable the Bulk Mail Content Filter Advanced Options
Utilize Regular Expression (Reg-Ex) capability of ETRs to fine tune filtering of bulk mail
e.g. Header field name match “List-Unsubscribe” sets SCL to 6
More details posted on Terry Zink’s Cyber Security Blog
Scope Inbound Allow rules by IP where possible
Avoid safe-listing own domains - this by-passes the SPF check and negates the check’s effectiveness
Prevent Spam Notification Delivery to DLs
Use DirSync and a custom Content Filter
Apply custom Content Filter to that OU or OUs with “Enable end-user spam notifications” de-selected
Block using Transport rule on-premises:
Create a contact object (e.g. EOP ESN) with the address of [email protected]
In PowerShell:
Get-DistributionGroup -ResultSize Unlimited -IgnoreDefaultScope | where { !$_.RejectMessagesFrom -and !$_.RejectMessagesFromDLMembers } | Set-DistributionGroup -IgnoreDefaultScope -RejectMessagesFrom "EOP ESN"
Coming soon - end user access to Spam Quarantine
• End users manage spam via end user spam quarantine notifications which may be scheduled for daily delivery
• Administrator only access to quarantine
Viewer only supports up to 500 messages
More can be viewed via PowerShell Get-QuarantineMessage Cmdlet
Can only release in bulk through Release-QuarantineMessage Cmdlet
Limits
Max message size for EOP delivering to stand-alone customers is 150 MB
Max message size for EOP delivering to Office 365 hosted mailboxes is 35 MB
Max 100 Transport Rules per tenant – DLP policies consume part of this quota
Failover configuration
Using a second MX record to accomplish failover
Contoso.com has 3 on-premises IPs:
Site A - 10.0.0.5, Site B - 10.1.1.5, Site C - 10.2.2.5
Contoso.com wants mail to route to Site A but if it is down wants mail to go to Site B, and Site C as last resort.
contoso.com  MX preference = 10  contoso-com.mail.protection.outlook.com (routes all mail for contoso.com)
onprem.contoso.com  MX preference = 10  mail-a.contoso.com
onprem.contoso.com  MX preference = 20  mail-b.contoso.com
onprem.contoso.com  MX preference = 30  mail-c.contoso.com
mail-a.contoso.com  A  10.0.0.5
mail-b.contoso.com  A  10.1.1.5
mail-c.contoso.com  A  10.2.2.5
*Specify onprem.contoso.com in the outbound connector smart host field
• Match Sub-domains
• DKIM for inbound email
• Support for IPV6
What they offer
Exchange Online Protection implementation and configuration assistance
1 – 5 days of engagement over a period of 90 days
Administrator training on Exchange Online Protection
Advise customer on service best practices
Eligibility
Net new customers who purchase 1000+ seats EOP stand alone, O365D
Exception basis for O365 Hybrid
How to Engage an IPM
Contact your Technical Account Manager for more information.
Session | Title | Timing | Room
SPR.202 | Encryption in Exchange | Tue 10:45 AM - 12:00 PM | Ballroom E
SPR.201 | Eliminate the Regulatory Compliance Nightmare | Tue 9:00 AM - 10:15 AM | MR 19ab
SPR.UN.305 | Exchange Online Protection: Notes from the field | Wed 10:15 AM - 11:30 AM | Ballroom G
SPR.UN.304 | Experts Unplugged: EOP & Encryption | Wed 8:30 AM - 9:45 AM; Wed 1:00 PM - 2:15 PM | MR 18d; MR 17b
SPR.401 | Extending Data Loss Prevention For Your Business | Wed 4:45 PM - 6:00 PM | MR 18bc
SPR.203 | Protect your Organization with Exchange Online Protection (EOP) | Mon 4:30 PM - 5:45 PM | MR 18bc
SPR.301 | So how does Microsoft handle my spam? | Tue 4:45 PM - 6:00 PM | MR 19ab
SPR.401 | Using Connectors & Mail Routing | Wed 2:45 PM - 4:00 PM | MR 18bc
ARC.304 | Exchange Server 2013 Transport Architecture | Tues 9:00 AM - 10:15 AM | Ballroom F
EDC.302 | Advanced Data Loss Prevention in Exchange | Tues 1:30 PM - 2:45 PM | Ballroom F
EDC.UN.301 | Experts Unplugged: Data Loss Prevention | Tue 3:00 PM - 4:15 PM; Wed 10:15 AM - 11:30 AM | MR 18d; MR 13ab
EDC.204 | Data Loss Prevention in Exchange, Outlook, OWA | Mon 2:45 PM - 4:00 PM | MR 18bc
MNG.304 | Reporting On O365 Mail flow and Mailbox Data | Wed 1:00 PM - 2:15 PM | MR 17a