Comprehensive protection Multiengine antivirus Continuously evolving antispam protection

  • Slides: 44
Comprehensive protection Multi-engine antivirus Continuously evolving anti-spam protection Policy enforcement Next generation of Forefront Online Protection for Exchange (FOPE) Enterprise class reliability Geographically load-balanced datacenters Queuing capabilities to help ensure no mail is lost Live phone support Streamlined administration console Office 365 integration Detailed reporting

Mail Delivery Filtering Performance

- The Big Picture Customer Feedback Email is routed to EOP data centres based on MX record resolution Policy Quarantine SPAM Quarantine Spam Analysts Edge Blocks Virus Scanning Policy Enforcement Spam Protection IP-based edge blocking AV Engine 1 Custom Rules Outlook Safe/Blocked Senders Allows/Rejects Content Scanning Envelope blocks AV Engine 2 AV Engine 3 Bulk Mail Filtering Content Filter Advanced Options False Positive/Negatives

– The Big Picture Corporate Network Outbound Pool Virus Scanning Policy Enforcement Spam Protection AV Engine 1 Custom Rules Content Scanning and Heuristics AV Engine 2 Email Encryption AV Engine 3 Quarantine Content Filter Advanced Options Spam Analysts Normal Score NDR Delivery Pool Bulk Delivery Pool Higher Risk High Risk Delivery Pool Internet

Standalone Fully hosted Hybrid

Step 1: Verify prerequisites
Step 2: Configure mail flow (connectors)
Step 3: Add and validate domains
Step 4: Customize spam and policy settings
Step 5: Enable mail flow
Step 6: Monitor and fine tune

Applicable to all scenarios: Modern web browser
Applicable to Standalone or Hybrid scenarios: Exchange Online Protection IP Addresses

Standalone Hybrid Optional for all scenarios

Configure mail flow (connectors)
[Diagram: Partner Environment, Exchange Online Protection, On-Prem Mail Environment; Inbound Connector, Outbound Connector, Inbound TLS Connector, Outbound TLS Connector]
EOP connectors between on-premises and EOP need to be created.
*Additional connectors can be created between EOP and partners to force TLS.

Prior to EOP (Fabrikam uses EOP): Contoso Cert CN = mail.contoso.com; Fabrikam Cert CN = mail.fabrikam.com
With EOP (Fabrikam uses EOP): Contoso Cert CN = mail.contoso.com, Cert CN = mail.protection.outlook.com; EOP Cert CN = mail.protection.outlook.com, Cert CN = mail.fabrikam.com; Fabrikam

Exchange Online Protection Outbound Connector 1 On-Prem Mail APAC Inbound Outbound Connector 12 On-Prem Mail AMER Outbound Connector 3 On-Prem Mail EMEA

Purpose Validation steps

Spam and policy customization
  • Configure how to handle spam
  • Spam action settings (content filter)
  • Configure sensitivity of spam detection
  • Create whitelists and blacklists (IP or domain based)
  • Set company policy

EOP and the Junk Mail folder
Two rules need to be added to the on-premises environment if you would like spam moved to the Junk Mail folder.

    Set-OrganizationConfig -SCLJunkThreshold 4
    New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6
    New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6

End users need to be educated about the use of the Junk Mail folder in Outlook.

X-Forefront-Antispam-Report: IPV:NLI SFV:SPM SFS SCL:5
http://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx
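The two on-premises transport rules and the junk threshold can be modelled offline to see which header values end up in the Junk Mail folder. This is an added example, not code from the presentation; it assumes the header carries `KEY:value` fields separated by `;` or whitespace, and the sample headers and the `current_scl` default are constructed.

```python
import re

SPAM_VERDICTS = {"SPM", "SKS"}   # the two SFV values the transport rules match
RULE_SCL = 6                     # -SetSCL 6 in both rules
SCL_JUNK_THRESHOLD = 4           # Set-OrganizationConfig -SCLJunkThreshold 4


def parse_antispam_report(value):
    """Split an X-Forefront-Antispam-Report value into a {FIELD: value} dict.

    Assumption: fields are 'KEY:value' tokens separated by ';' or whitespace.
    Tokens without a colon (such as a bare 'SFS') are ignored.
    """
    fields = {}
    for token in re.split(r"[;\s]+", value.strip()):
        if ":" in token:
            key, _, val = token.partition(":")   # first colon only (IPv6-safe)
            fields[key.upper()] = val
    return fields


def onprem_disposition(report_value, current_scl=0):
    """Model the two rules plus the junk threshold; returns (scl, folder).

    current_scl is the SCL the message carries if neither rule fires
    (assumed 0 here).
    """
    verdict = parse_antispam_report(report_value).get("SFV", "").upper()
    scl = RULE_SCL if verdict in SPAM_VERDICTS else current_scl
    # Exchange moves a message to Junk when its SCL is greater than
    # SCLJunkThreshold, so SCL 6 against a threshold of 4 lands in Junk.
    folder = "Junk Email" if scl > SCL_JUNK_THRESHOLD else "Inbox"
    return scl, folder


# Constructed sample header values (not taken from real mail).
SAMPLES = {
    "slide form": "IPV:NLI SFV:SPM SFS SCL:5",
    "semicolon form": "CIP:192.0.2.10;CTRY:;LANG:en;SCL:5;IPV:NLI;SFV:SPM;",
    "SKS verdict": "CIP:192.0.2.11;SCL:6;IPV:NLI;SFV:SKS;",
    "non-spam": "CIP:198.51.100.7;SCL:1;IPV:NLI;SFV:NSPM;",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:15} -> {onprem_disposition(value)}")
```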

Spam and policy customization (ESN)

End user access to quarantine
http://technet.microsoft.com/en-us/library/dn683870(v=exchg.150).aspx

Enable mail flow
DNS changes
  • MX record (domain-suffix.mail.protection.outlook.com)
  • SPF record (v=spf1 include:spf.protection.outlook.com -all)
  • Do not change CNAME DNS entries for stand-alone customers
On-premises changes
  • Create smart host from on-premises environment to EOP
  • Restrict on-premises firewall to only accept port 25 traffic from EOP
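A pre-cutover check of the MX and SPF values named on this slide, as an added example that is not part of the presentation. The zone data is constructed for a placeholder domain, and `check_mx`, `check_spf` and `audit` are hypothetical helper names.

```python
EOP_MX_SUFFIX = ".mail.protection.outlook.com"
EOP_SPF_INCLUDE = "include:spf.protection.outlook.com"


def check_mx(mx_records):
    """mx_records: list of (preference, host) tuples. Returns findings."""
    if not mx_records:
        return ["no MX record published"]
    findings = []
    for pref, host in sorted(mx_records):
        if not host.rstrip(".").lower().endswith(EOP_MX_SUFFIX):
            # Any MX outside EOP lets senders deliver around the filters.
            findings.append(f"MX {pref} {host} does not point at EOP")
    return findings


def check_spf(txt_records):
    """txt_records: list of TXT strings for the domain. Returns findings."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records means no policy; more than one is an SPF permerror.
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    findings = []
    if EOP_SPF_INCLUDE not in terms:
        findings.append(f"SPF lacks {EOP_SPF_INCLUDE}")
    last = terms[-1] if terms else "(nothing)"
    if last != "-all":
        # Catches ~all/?all and a typographic dash pasted in place of '-'.
        findings.append(f"SPF ends with {last!r}, not the hard fail '-all'")
    return findings


def audit(zone):
    """Run both checks over a {'mx': [...], 'txt': [...]} mapping."""
    return check_mx(zone["mx"]) + check_spf(zone["txt"])


# Constructed zone data for a placeholder domain (not real DNS answers).
GOOD = {"mx": [(0, "contoso-com.mail.protection.outlook.com.")],
        "txt": ["v=spf1 include:spf.protection.outlook.com -all"]}
BAD = {"mx": [(0, "contoso-com.mail.protection.outlook.com"),
              (10, "mail.contoso.com")],          # direct path to on-prem
       "txt": ["v=spf1 include:spf.protection.outlook.com \u2013all"]}

if __name__ == "__main__":
    for name, zone in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(zone) or "ok")
```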

Monitor and fine tune
Goals
  • Is the service operating as expected?
  • Make adjustments to rules or settings as needed
  • Evaluate effectiveness of spam settings
Tools
  • Reports (Office 365 Portal or Mail Protection Reports for Office 365)
  • Submitting spam and false positive messages to Microsoft
  • Junk Mail Reporting Tool for Outlook

http://www.microsoft.com/en-us/download/details.aspx?id=30716

Exchange Server 2013 Exchange Online EOP Stand Alone

Do this
  • Use a test domain, subdomain or low volume domain for trying different service features
  • Create O365 connectors before adding domains
  • Disable EOP inbound connector (type is on-prem) until you are ready to use it
  • Use the Remote Connectivity Analyzer to troubleshoot
  • Restrict inbound SMTP access to allow ONLY from EOP IP ranges
  • Enable Microsoft’s IP Safe List in the Connection Filter
  • When creating safe / black lists, use IP first, and if not possible, then use the domain
Don’t do this
  • Daisy chain services
  • Use EOP for sending bulk mail
  • Enable all Content Filter Advanced Options out of the box
  • Safe list your own domain

Connection filtering Sender-recipient filtering Content filtering Blocks up to 5% of all spam based on internal lists and heuristics. Take away: Point your MX record to EOP sooner rather than later as EOP connection filtering only looks at the connecting IP.

Office 365 directory sync Secure mail flow Existing email environment On-premises Office 365 Active Directory Synchronization Policy rules for specific users/groups Synchronize Outlook safe/block sender lists Enables more scenarios for Criteria Based Routing Exchange Online Protection

What it does Configuration

Telnet is your friend
Telnet can be used to test mail flow from EOP to your on-prem environment. This allows verifying mail flow will work before doing the MX cutover.

Each step lists "You do/type this", then "Server responds with this".

  1. You type: telnet tenantDomainMXRecordHere 25
     Server responds: 220
  2. You type: helo your_sending_server_fqdn
     Server responds: 250
  3. You type: mail from: you@domain.invalid
     Server responds: 250 Sender OK
  4. You type: rcpt to: recipient@contoso.com
     Server responds: 250 Recipient OK
  5. You type: data followed by the enter key
     Server responds: Server provides directions on how to enter data.
  6. You type: subject: Enter the subject and hit enter twice
  7. You type: Enter the body text. To finish the message, type a period on a line by itself and hit enter.
     Server responds: 250 Message queued for delivery.
  8. You type: Quit
     Server responds: 221 Service closing transmission channel

Setting the SCL to 0 for a message will cause EOP to re-scan the message with our spam engines.

Scenario: Mailboxes on-prem and in the cloud. MX points on-prem, which relays messages to the cloud. You safe list the IP of the on-prem server, but don’t want to skip filtering on internet-originating messages.
Answer: Create a transport rule (TR) that sets SCL to 0 except where the sender is internal.

Scenario: You want to safe list an IP that is used by multiple domains to send email. You want the EOP spam filters to scan some of the domains on that IP.
Answer: Safe list the IP. Create a TR that sets SCL to 0 for the domains you want to scan.

Quarantine
  • Online viewer only supports up to 500 messages
  • More can be viewed via PowerShell Get-QuarantineMessage cmdlet
  • Can only release in bulk through Release-QuarantineMessage cmdlet
Limits
  • Max message size for EOP delivering to stand-alone customers is 150 MB
  • Max message size for EOP delivering to Office 365 hosted mailboxes is 35 MB
  • Max 100 Transport Rules per tenant (DLP policies consume part of this quota)
  • Max of 900 domains per tenant
  • EOP outbound connectors use round robin for delivery

Since January 2014
  • Extended Message trace (90 days)
  • Directory Based Edge Blocking & Match sub-domains
  • Remote PowerShell for customers without hosted mailboxes (EOP stand alone)
  • End user access to the quarantine
  • Office 365 Message Encryption
Coming Soon
  • DKIM for inbound email
  • Support for IPv6
Future
  • Outbound DKIM and DMARC
  • Improvements to Bulk mail Advanced Spam Filter option

What they offer
  • Exchange Online Protection implementation and configuration assistance up to 90 days
  • Administrator training on Exchange Online Protection
  • Advise customer on service best practices
  • Single point of contact for duration of engagement
Eligibility
  • Net new customers who purchase 1000+ seats EOP stand alone, O365 D
  • Exception basis for O365 Hybrid
How to Engage an IPM
  • Contact your Technical Account Manager for more information.

Breakout Sessions (session codes and titles)
  • OFC-B332 Encryption in Microsoft Office 365
  • OFC-B319 Data Loss Prevention (DLP) in Microsoft Office 365
  • OFC-B312 Building a Hybrid Microsoft Exchange Server 2013 Deployment in Less than 75 Minutes
  • OFC-B217 Microsoft Office 365 Security, Privacy, and Compliance Overview
  • OFC-B242 Getting Started with Microsoft Office 365 Deployment
Labs (session codes and titles)
  • OFC-H345 Performing an Exchange Hybrid Deployment with Microsoft Office 365

Links
  • EOP TechNet content: http://technet.microsoft.com/en-us/library/jj723137.aspx
  • EOP best practices: http://technet.microsoft.com/en-us/library/jj723164(v=exchg.150).aspx
  • EOP FAQ: http://technet.microsoft.com/en-us/library/jj871669.aspx
  • False positive/negative submissions: http://technet.microsoft.com/en-us/library/jj200769.aspx
  • EOP Datacenter IP addresses: http://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx
  • Hybrid deployment: http://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspx

http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn