BEST OF IGNITE 2018 - Startel
DISCLAIMER • Please…. Don’t shoot the messenger • Slides and text are copy-pasted from the Ignite slide decks, so wherever it says “we” it should read “Microsoft”
IGNITE IN GENERAL • Ignite is huge….. REAL HUGE • 30.000 attendees • 5.000 organizations • 2 large separate halls, 2 sky bridges • You can easily walk 10 to 12 kilometers per day • Distances might be a problem for the average American ;-)
MY TAKE ON IGNITE TOPICS • Microsoft 365… • Machine learning and AI • Modern Workspace… • Internet of Things • Security… • Oh Yes… Exchange 2019 • Azure Active Directory… • Hybrid • Microsoft 365… • Exchange Online Protection • Security… • Cloud… • And did I mention Microsoft 365, Cloud, Modern Workspace… and Security? ;-)
THE STATE OF EMAIL TODAY • The flow of customers moving from On-Premises to Office 365 is continuing strongly • Office 365 commercial revenue up 38% YOY • Office 365 commercial seats grew 29% YOY • More than 135 million users of Office 365 commercial • Outlook mobile is being used by more than 100m iOS and Android devices • 94% of Fortune 500 companies have Office 365
EXCHANGE ONLINE SCALE • 175K physical servers • 47 datacenters • 70 network POPs • 5.5 billion mailboxes • 1.1 EB of data (logical) • 35 trillion items • 7.2 billion messages delivered • 490 billion requests routed • 1.4 trillion items read/opened • 9.6 PB Jet logs processed
THE STATE OF EMAIL TODAY • Some customers can’t adopt the cloud yet, and some customers are still preparing for the change • Most of these customers are large and those customers need Exchange On-Premises to be secure, reliable, easy to manage and always there. • That’s why Microsoft built Exchange Server 2019 • And Microsoft is distributing this release only through Volume Licensing (including CU’s)
RE-ENGINEERING ENGINEERING • Microsoft changed the way they build on-premises software • Microsoft used to share one code branch between Exchange Online and Exchange On-Premises • Microsoft branched the code • Now Exchange Online and Exchange On-Premises share the same rich heritage but have distinct futures • The end result is less change for On-Premises customers, so less chance of regressions, and more dependability
BUILDING EXCHANGE 2016 AND EXCHANGE ONLINE • (diagram: Exchange 2016 and Exchange Online built from one shared code branch; labels: Exchange 2016, CU1, CU2, New feature / Bug fix, Bug fix)
BUILDING EXCHANGE 2019 AND EXCHANGE ONLINE • (diagram: Exchange On-Prem built from its own branch; labels: Exchange On-Prem, New feature / Bug fix, Bug fix)
EXCHANGE 2019 • The latest and greatest on-premises…. For enterprise organizations that need top of the bill enterprise class messaging • Need the latest and fanciest features? Go to Exchange Online • Enterprise Organizations • Volume License only (including Exchange 2019 CU’s) • No more ‘hybrid license’ for Exchange 2019
EXCHANGE 2019 REQUIREMENTS • Exchange 2019 runs on Windows 2019 only • Windows 2019 Server Core strongly recommended • .NET Server 4.7.2 • Server memory recommendation is 128 GB (64 GB for Edge Transport) • Max supported RAM is now 256 GB • Max processor count is 48 (was 24) • Oh yes….Virtualization is still supported ☺ • AD FFL/DFL is now Windows 2012 R2 • N-2 coexistence (no Exchange 2010 support)
NEW FEATURES IN EXCHANGE 2019 • New search engine (Big Funnel), based on Bing technology • Content index stored in the mailbox • Passive copies of a database have identical search indexes • No more database copy health issues (and failing fail-overs) • MCDB (Metacache Database) • Combination of JBOD and SSD (tiered storage) • ‘Hot’ data is cached on SSD disk (falls back to JBOD) • SSD to disk ratio is 1:3 • SSDs store a maximum of 10% of key data in a Metacache Database (MCDB)
RETRIEVAL OF DATA FROM SSD AND JBOD • (diagram: user request → Exchange → SSD & MCDB, then HD & DB)
RETRIEVAL OF DATA FROM JBOD ONLY • (diagram: user request → Exchange → HD & DB)
EXCHANGE 2019 NEW FEATURES • Dynamic database cache • Exchange 2016 – all databases get equal memory • Exchange 2019 – mounted databases get more memory • Dynamic database cache and MCDB result in: • A 20% increase in the number of users you can put on a server • The option to use much larger disks • This cuts client latency for many operations in half… • Remove-CalendarEvents – IT admins can cancel all meetings organized by a user: Remove-CalendarEvents -Identity "Kim Akers" -CancelOrganizedMeetings -QueryStartDate 11-1-2018 -QueryWindowInDays 120
UNIFIED MESSAGING SERVER ROLE • UM is completely removed from Exchange 2019 • Replaced by Cloud Voice Mail and Auto Attendant • Currently a UM user but don’t want the cloud? Stay on Exchange 2016 (supported until 2025) • Or go to a 3rd party vendor
BLOCK CALENDAR WHEN OUT OF OFFICE
DEFAULT END DATE (RECURRING APPOINTMENTS)
DELIGHTING END USERS • Do Not Forward • Organizers using OWA to create a meeting can mark it so that attendees won't be able to forward it • Transport in Exchange Server 2016 and 2019 will respect the flag and prevent forwarding • Example of a feature that didn’t make it….
EMAIL ADDRESS INTERNATIONALIZATION • What’s an EAI? • Latin alphabet (with diacritics): Pelé@example.com • Greek alphabet: δοκιμή@παράδειγμα.δοκιμή • Traditional Chinese characters: 我買@屋企.香港 • Japanese characters: 甲斐@黒川.日本 • Cyrillic characters: чебурашка@ящик-с-апельсинами.рф • Hindi email address: संपर्क@डाटामेल.भारत • Send to and receive from external users with EAI addresses
HYBRID EXCHANGE
THE HYBRID CHALLENGE It’s necessary, but it’s hard.
ORGANIZATION CONFIGURATION TRANSFER • OCT v1 – released June 2018 • One-time copy of Org Config objects to EXO • Subset of policies & objects: • Retention Policy • Retention Policy Tags • OWA Mailbox Policy • Mobile Device Mailbox Policy • ActiveSync Mailbox Policy • New-* actions only
ORGANIZATION CONFIGURATION TRANSFER V2 • One-time copy of Org Config objects to EXO • Set-* actions added • Subset of policies & objects: • Retention Policy • Retention Policy Tags • OWA Mailbox Policy • Mobile Device Mailbox Policy • ActiveSync Mailbox Policy • DLP Policy • Organization Config • ActiveSync Device Access Rule • ActiveSync Organization Settings • Malware Filter Policy • Policy Tip Config • Address List
HYBRID SETUP AND ONBOARDING • Sign up for Exchange Online • Read the 20 different pages on Docs about hybrid • Create a Data Flow Diagram (DFD) • Review with your networking team • Review with your security team • Update the DFD config when we publish new IPs • Re-review with networking • Deploy some new “Exchange hybrid servers” • Argue with security about installing Exchange in the DMZ • Create some new DNS records • Create some inbound firewall flows • Run the HCW (with OCT!) • Test some flows for onboarding and free/busy • Go back to the networking team to fix some inbound flows that were missed • Security team puts the project on hold and shuts down connectivity • Etc…
HYBRID AGENT • Outbound ACL only • IP whitelist • Tenant-specific endpoint: https://{guid}.resource.{flow}.his.msappproxy.net • No customer DNS changes • No certificate changes • No firewall/network changes • Protect On-Prem systems
HYBRID AGENT V1 • V1 supports hybrid f/b and mailbox moves only • V1 will support new hybrid setups only • Install 3 or more agents • Install the agent on existing Exchange servers • Oh… and it’s auto-update only • Maybe better installing on separate servers?
TAKE-AWAYS (ACCORDING TO MICROSOFT) • EXO Hybrid setup has never been easier • Your networking and security teams can bother other people now • My take on this…. • A potential man-in-the-middle issue • The security officer will not like this idea • Lots of possibilities… think about searching on-premises mailboxes from Search Online…. or on-premises management from EXO (dangerous guess ☺) • But not a word about removing that last Exchange Server
EMAIL SECURITY
EMAIL, WHAT ARE WE TALKING ABOUT? • Phish – the fraudulent attempt to obtain sensitive information • Spoofing – creation of email messages with a forged sender address • Impersonation – common technique in targeted phishing attacks • Authentication – a way to prove the sender really is the sender • SPF – Sender Policy Framework • DKIM – DomainKeys Identified Mail • DMARC – Domain-based Message Authentication, Reporting & Conformance
WHAT’S THE ISSUE? • SMTP has always been anonymous by default • You can easily send an email pretending it came from someone else • “Proper” uses of this include outsourced marketing and mailing lists • It’s difficult to implement email authentication well, and the perceived complexity means that companies worry their email will get blocked if they implement it badly
DMARC POLICIES OF FORTUNE 500 COMPANIES • (pie chart) • Reject: 6% • Quarantine: 3% • None (take no action on a spoofed message): 31% • No record published: 60%
HOW DO WE AUTHENTICATE EMAILS WE RECEIVE • SPF: v=spf1 ip4:1.2.5.5 ip4:8.2.7.4 ip4:7.3.2.2 ip4:5.5.1.8 include:_spf.salesforce.com include:spf.protection.outlook.com -all • DKIM: "v=DKIM1; p=MIGfMA0GDQEBgQCrZ6z … 6UvqP3QIDAQAB" • DMARC: v=DMARC1; p=reject; rua=mailto:dmarc@dmarc-aggregator.com; ruf=mailto:dmarc-ruf@dmarc-aggregator.com
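As an added illustration (not from the Ignite decks), the check below parses SPF and DMARC TXT records like the ones on this slide and sorts a domain into the same four buckets as the Fortune 500 chart, plus flags the SPF mistakes that make a record useless. The record strings are constructed from the slide; the function names are my own.

```python
"""Classify published SPF and DMARC records by how much protection they give.
Added example, not Microsoft's code. Sample records are constructed from the slide."""
import re
from typing import Dict, List, Optional

SPF_SAMPLE = ("v=spf1 ip4:1.2.5.5 ip4:8.2.7.4 ip4:7.3.2.2 ip4:5.5.1.8 "
              "include:_spf.salesforce.com include:spf.protection.outlook.com -all")
DMARC_SAMPLE = ("v=DMARC1; p=reject; rua=mailto:dmarc@dmarc-aggregator.com; "
                "ruf=mailto:dmarc-ruf@dmarc-aggregator.com")

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_posture(txt: Optional[str]) -> str:
    """Map a record (None = nothing published) onto the chart's four buckets:
    'reject', 'quarantine', 'none' or 'no record published'."""
    if not txt:
        return "no record published"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "no record published"   # receivers ignore a malformed record
    policy = tags.get("p", "none").lower()
    return policy if policy in ("reject", "quarantine") else "none"

def spf_findings(txt: str) -> List[str]:
    """Return weaknesses found in an SPF record; an empty list means it looks sane."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # Mechanism name without qualifier (+ - ~ ?) and without ':domain', '/cidr' or '=value'.
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in terms[1:]]
    findings = []
    all_terms = [t for t, n in zip(terms[1:], names) if n == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    elif all_terms[0].startswith(("+", "a")):          # bare 'all' means '+all'
        findings.append("'+all' authorises every host on the internet")
    elif all_terms[0].startswith("?"):
        findings.append("'?all' is neutral and gives receivers nothing to act on")
    # RFC 7208 caps DNS-lookup terms at 10; more than that yields a permerror.
    lookups = sum(n in ("include", "a", "mx", "ptr", "exists", "redirect") for n in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings
```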
WHAT ARE THE OPTIONS TO PROTECT USERS? • ATP features • Office ATP for Safe Links and Safe Attachments • Insider Phishing • Attack Simulator • Multi-Factor Authentication • Conditional Access • Stopping Weak Password, Legacy Auth etc. • Authenticators and Hardware Tokens
SCOTT SCHNOLL – TIPS ‘N TRICKS
DOZENS OF TIPS AND TRICKS, INCLUDING • Exchange 2019 RAM and pagefile • Mailbox autoreply and timezones • Windows A/V software on Exchange servers • Best practices for health mailboxes • How/when to decommission on-prem servers • Resources for managing change in Office 365 • Changes to EOP IP address ranges • Exchange Online Archive auto-expansion • Handling accounts/data for former employees • License Administrator built-in role in preview • Mail flow insights
MIGRATE DLS FROM ON-PREMISES TO CLOUD • Migration process involves moving the DL to an OU that does not sync • AAD Connect will see this as a DL deletion and remove it from Azure AD • DL settings are exported for later import • Change propagates to Exchange Online Active Directory, resulting in the DL being deleted • New replacement DL is created in Office 365 • DL settings are imported to recreate DL users, groups and attributes • Entire process can now be scripted: https://aka.ms/DLMoveScript • We’ve tested the script using a DL with 10,000 members, with a minimum of 10 members in each of the multi-valued attributes • Took just over 3 hours to migrate • DL is maintained on-premises during the entire process
MAIL FLOW INSIGHTS • Microsoft is building a dashboard of mail flow insights that includes: • Mail flow map • Outbound and inbound mail flow • Recent alerts • Non-delivery reports • Sent and received mail • VIP (exec) mail status • Queues • Auto-forwarded messages • SMTP AUTH submissions • Fixes for slow mail flow rules, incorrect connectors, mail loops and sender domains
SUMMARY • Ignite 2018 was a huge event with 30,000 attendees from 5,000 organizations • Dozens and dozens and dozens of different tracks and technologies • Lots of technical information, mostly level 200 ~ 300 • But also vision and strategy information • Exchange? Just a handful of sessions, despite the new version • Exchange Online? Settled technology, a few more sessions • Azure AD, security, security, security: that’s where the main focus is • Next year again? Hell yeah!
MORE INFORMATION, PRESENTATIONS AND VIDS • BRK2176 - Welcome to Exchange 2019 https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK2176.pptx https://www.youtube.com/watch?v=XTAEmDoU5jU • BRK3143 - Hybrid Exchange: Making it easier and faster to move to the cloud https://www.youtube.com/watch?v=QhOh5RCcLu8 https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3143.pptx • THR3024 - How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/THR3024.pptx https://www.youtube.com/watch?v=7hoEmEwV8Rk • BRK3279 - So long and thanks for all the (email) phish https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3279.pptx https://www.youtube.com/watch?v=6XFTDdsILZw
MORE INFORMATION, PRESENTATIONS AND VIDS • THR2145 - Why do we need to keep an Exchange Server on-premises when we move to the cloud? https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/THR2145.pptx https://www.youtube.com/watch?v=XHFleM6OElc • BRK3147 - Scott Schnoll’s Exchange and Office 365 tips and tricks https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3147.pptx https://www.youtube.com/watch?v=0WNMX8EKYZk • BRK3130 - Email search in a flash! Accelerating Exchange 2019 with SSDs https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3130.pptx https://www.youtube.com/watch?v=VHrScskhCQk • BRK2177 - Outlook mobile for the enterprise https://www.youtube.com/watch?v=jEbjTOfezLU https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK2177.pptx
MORE INFORMATION, PRESENTATIONS AND VIDS • BRK3145 - Deploying Outlook mobile securely in the enterprise https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3145.pptx https://www.youtube.com/watch?v=4mHlxdJMh1Q • BRK3146 - What's amazing and new in calendaring in Outlook! https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3146.pptx https://www.youtube.com/watch?v=-ZrNTylawOA • BRK3114 - Manage your tenant's security and privacy settings, and protect your organization's data using Compliance Manager https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3114.pptx https://www.youtube.com/watch?v=wyO2lNs0ZRA • BRK2407 - Windows 10 and Office 365 ProPlus lifecycle and servicing update (CONDENSED) https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK2407.pptx https://youtu.be/t9Bs55czc1E
MORE INFORMATION, PRESENTATIONS AND VIDS • BRK3234 - An IT pros guide to Open ID Connect, OAuth 2.0 with the V1 and V2 Azure Active Directory endpoints https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3234.pptx https://www.youtube.com/watch?v=sXRp2s0DKXw • THR3036 - Azure Active Directory hybrid identity and banned password detection https://mediusprodstatic.studios.ms/presentations/Ignite2018/THR3036.pptx https://www.youtube.com/watch?v=kuVkfIiapI4 • BRK3226 - Secure access to Office 365/Azure Active Directory with new features in AD FS in Windows Server 2019 and Azure AD Password Protection https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3226.pptx https://www.youtube.com/watch?v=DC4cyF_JEgw • BRK3081 - Implementing a modern network architecture to get the most out of Office 365 https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3081.pptx https://www.youtube.com/watch?v=FGMzS_MjuPY
MORE INFORMATION, PRESENTATIONS AND VIDS • BRK3408 - Azure Active Directory best practices from around the world https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3226.pptx https://youtu.be/wGk0J4z90GI