Troubleshooting Hybrid Mailflow
MNGIN301
Vincent Yim, Premier Field Engineer, Microsoft Services

Agenda
• Refresher/Overview of Hybrid Routing
• Mailflow Options
• EOP in Hybrid
• Review tools to assist in mail flow troubleshooting
• Issues
• Other fun stuff
• Questions

Refresher/Overview of Hybrid Routing
• 2 distinct Exchange organizations
• HCW creates connectors in each Exchange org. The number of connectors varies based on Exchange version.
[Diagram: Secure Mail between the On-premises Organization and Exchange Online Protection / Exchange Online, with the connectors “Inbound from Office 365”, “Outbound to On-premises”, “Inbound from On-premises” and “Outbound to Office 365*”]

Refresher/Overview of Hybrid Routing
All messages that are sent between on-premises and ExO are sent over a secure connection using TLS
• The Hybrid Configuration Wizard creates a dedicated send connector on-premises scoped to the coexistence domain (tenant.mail.onmicrosoft.com)
• An outbound connector in EOP is also created and is scoped to the default SMTP domain (contoso.com)
Each organization is configured to treat messages sent from the other organization as internal
• This allows messages to bypass anti-spam settings and other services
The on-premises server terminating the TLS connection must be at least Exchange 2010 SP1. Any other SMTP endpoint accepting the messages will cause the required headers to be lost, which breaks secure mail functionality.

Refresher/Overview of Hybrid Routing
E-mail domain sharing
• Both orgs will accept “contoso.com” as authoritative
• How do we prevent mail loops? Actually, it’s all about how addressing works
• Requires a coexistence domain for “backboning” mailflow

Refresher/Overview of Hybrid Routing
Coexistence Domain
• Based off of the Microsoft Online Default Routing Domain
• The coexistence domain is a domain created for each Office 365 tenant in the format <your tenant>.mail.onmicrosoft.com
• For example, if your Default Routing domain is “tenant.onmicrosoft.com” then your coexistence domain would be “tenant.mail.onmicrosoft.com”
• Created when you activate DirSync in your Office 365 tenant
• AutoDiscover and MX records are created automatically for this domain
• Provides the backbone of all coexistence features
• Added as an on-premises email address policy when the HCW is run
• Mailboxes moved to Exchange Online will have the coexistence domain stamped on their user object as a target address

Demo: DirSync states pre/post migration

Mailflow Options
[Diagram: On-Premises Organization (Exchange, “David” on-premises mailbox), a Third Party Email Security System, the Internet with an External User, Exchange Online Protection and Exchange Online (“Chris” cloud mailbox); Secure Mail = Encrypted & Authenticated Mail Flow between the two organizations]
• MX resolves to on-premises gateway
• MX is switched to Exchange Online Protection
• Outbound Exchange Online traffic is delivered direct
• You can choose to route outbound on-premises mail via EOP

Mail Flow Options
In addition to choosing how inbound messages are routed, you can also choose how outbound messages sent from Exchange Online recipients are routed. The following describes the available options:
• Centralized mail control: This option routes outbound messages sent from Exchange Online users through on-premises. This enables you to apply compliance rules to these messages that must be applied to all of your recipients, regardless of whether they're located in Exchange Online or on-premises.
• Decentralized mail control: This option routes outbound messages sent from Exchange Online directly to the Internet. Use this option if you do not need to apply any on-premises policies or other processing to messages that are sent from recipients in Exchange Online.

Mailflow Options
[Diagram: Exchange Online (“Chris” cloud mailbox) and Exchange Online Protection, the On-Premises Organization (Exchange, “David” on-premises mailbox), a Third Party Email Security System, and the Internet with an External User; Secure Mail = Encrypted & Authenticated Mail Flow between the two organizations]
• MX resolves to on-premises gateway
• All email in and out of the Exchange Online tenant must go via on-premises
• MX is switched to Exchange Online Protection

EOP
• When you create inbound/outbound connectors in the Exchange Online Admin Center, these sit at the edge (EOP)
• SPAM filtering bypassed

Review Tools for Troubleshooting
• Delivery reports: end users can run them, which eliminates some helpdesk calls; somewhat useless to an admin
• Message Trace: loops, NDRs, messages dropped due to virus; export to CSV
• Use the protocol log, set to verbose

Review Tools for Troubleshooting
• Analyze headers: ExRCA has a Message Header Analyzer; OWA MHA app
• Telnet (your Exchange server might be using an IP that has been blacklisted by Spamhaus or one of the other RBL services in use by EOP)
• DLP policy rule hits: found through message trace, or the EAC, or the (delayed) Mail Protection Reports for Exchange

Demo: Mail Protection Reports for Exchange

Other Fun Stuff
• Testing and Tracing Malware Filters
• Create a file called EICAR.txt with the following text: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
• Attach EICAR.TXT to a new mail message, and send it through the service.
• Confirm your antimalware filter settings have taken effect (policy changes can take up to an hour to replicate across datacenters)
• This “EICAR” test attachment will cause the message to be treated as malicious by antivirus/antimalware engines

Other Fun Stuff
• Testing and Tracing Content Filter
• A GTUBE message should always be detected as spam by the content filter, and the actions that are performed upon the message should match your configured settings. Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:
• XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Other Fun Stuff
• On-prem senders to Internet recipients will get SPAM filtering
Demo

Other Fun Stuff
• Outbound SPAM filter
• Why did the on-prem message route through the high risk delivery pool?
• Outbound spam filtering is needed because malicious programmers and their malware are out there taking over computers inside corporate networks every day. This means that users in your organization can be sending large amounts of outbound spam without your knowledge.

Issues
• Running a hybrid server from home? ISPs using dynamic IP ranges will connect, but sessions will then be dropped by EOP.
• "454 4.7.5 Certificate validation failure." CRL check from the hybrid server
• SMTP fixup/mailguard: a greeting such as
  220 ***************************************************************************************************************
  is the tell-tale sign that mailguard is enabled on a firewall appliance (most likely a Cisco PIX); it prevents either side from seeing the STARTTLS verb. Secure mail flow cannot be performed without the STARTTLS verb.

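As an added example (not from the deck), a Python check that classifies an SMTP greeting and EHLO result the way the telnet test above does: a 220 banner masked to asterisks means SMTP fixup/mailguard, and a missing STARTTLS capability means secure mail flow cannot be established. The `probe` function and its `probe.example` HELO name are assumptions; the sample banners are constructed.

```python
"""Classify an SMTP greeting/EHLO exchange for the mailguard and STARTTLS symptoms."""
import re
import smtplib


def looks_like_smtp_fixup(banner: str) -> bool:
    """True when the 220 greeting text has been masked to asterisks (PIX mailguard style)."""
    first_line = banner.strip().splitlines()[0] if banner.strip() else ""
    m = re.match(r"220[ -](.*)$", first_line)
    if not m:
        return False
    text = m.group(1).strip()
    return bool(text) and set(text) == {"*"}


def diagnose(banner: str, starttls_advertised: bool) -> str:
    """Return 'smtp-fixup', 'no-starttls' or 'ok' for one probed endpoint."""
    if looks_like_smtp_fixup(banner):
        return "smtp-fixup"      # the firewall is hiding the STARTTLS verb
    if not starttls_advertised:
        return "no-starttls"     # secure mail flow cannot be established
    return "ok"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live check against a real endpoint (needs network); the HELO name is assumed."""
    with smtplib.SMTP(timeout=timeout) as smtp:
        code, greeting = smtp.connect(host, port)
        banner = f"{code} {greeting.decode(errors='replace')}"
        smtp.ehlo("probe.example")
        return diagnose(banner, smtp.has_extn("starttls"))


# Constructed replies (not real captures): the masked banner and a healthy one.
MASKED_BANNER = "220 " + "*" * 60
HEALTHY_BANNER = "220 mail.contoso.com Microsoft ESMTP MAIL Service ready"

if __name__ == "__main__":
    print(diagnose(MASKED_BANNER, False))    # smtp-fixup
    print(diagnose(HEALTHY_BANNER, False))   # no-starttls
    print(diagnose(HEALTHY_BANNER, True))    # ok
```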
Issues
• Changing datacenter IP ranges? You may well need to re-run the HCW if datacenter IPs change
• With the Exchange 2010 HCW, a point-in-time list is copied

Issues
• With the Exchange 2010 HCW, you may need to adjust the EHLO response guessed by the HCW

Issues
• Missing header? X-MS-Exchange-Organization-AuthAs = Internal or Anonymous
• If Anonymous, your message took another path

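As an added example that is not part of the deck, a Python check that reads X-MS-Exchange-Organization-AuthAs from a raw message and maps its value (or its absence) to the troubleshooting meaning above, alongside a count of TLS-stamped Received hops; the sample headers and hostnames are constructed.

```python
"""Classify the path a message took into the hybrid org from its headers."""
from email import message_from_string

# Constructed sample headers (not a real capture); hostnames are placeholders.
SAMPLE_INTERNAL = """\
Received: from onprem.contoso.com (203.0.113.10) by
 contoso-com.mail.protection.outlook.com with Microsoft SMTP Server (TLS)
Received: from mbx01.contoso.com by onprem.contoso.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthSource: onprem.contoso.com
From: david@contoso.com
To: chris@contoso.com
Subject: hybrid path test

body
"""

# What each AuthAs outcome means for troubleshooting, per the deck.
NEXT_STEP = {
    "internal": "Message crossed the hybrid connectors; secure mail flow is intact.",
    "anonymous": "Message took another path (e.g. MX or a third-party gateway), not the hybrid connector.",
    "missing-header": "Header lost: another SMTP endpoint accepted the message before Exchange did.",
    "other": "Unexpected AuthAs value; inspect the Received chain.",
}


def classify_hybrid_path(raw_message: str) -> dict:
    """Return the AuthAs verdict plus hop counts (total / TLS-stamped Received headers)."""
    msg = message_from_string(raw_message)
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs")
    hops = msg.get_all("Received") or []
    tls_hops = [h for h in hops if "TLS" in h]
    if auth_as is None:
        verdict = "missing-header"
    else:
        value = auth_as.strip().lower()
        verdict = value if value in ("internal", "anonymous") else "other"
    return {
        "auth_as": auth_as,
        "verdict": verdict,
        "hops": len(hops),
        "tls_hops": len(tls_hops),
        "next_step": NEXT_STEP[verdict],
    }


if __name__ == "__main__":
    print(classify_hybrid_path(SAMPLE_INTERNAL))
```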
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.