Office 365 MailFlow Scenarios and Best Practices

Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and uses scenario to delivered email to your organisation’s mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam filter and Maiflow of your organisation. However, you may have already invested your infrastructure handle mail flow. Microsoft also accepts this situation and allow you to use your own spam filter.

The below scenario and use cases will allow you to determine how you can configure MailFlow of your organisation.

Mailbox Location MailFlow Entry Point Scenario & Usecases Recommended MailFlow Configuration  and Example MX record
Office 365 Office 365 Use Microsoft EOP

Demote or migrate all mailboxes to office 365

Use Office 365 mailboxes

MX record Pointed to Office 365

MX: domain-com.mail.protection.outlook.com

SPF:  v=spf1 include:spf.protection.outlook.com -all

 

On-premises On-prem Prepare the on-prem to be cloud ready

Build and Sync AAD Connect

Built ADFS Farm

MX record Pointed to On-prem

MX1.domain.com

SPF: v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all

Third-party cloud, for example, G-Suite Both third-party and office 365 Prepare to migrate to Office 365

Stage mailbox data

MailFlow co-existance

MX record pointed to third-party cloud

MX record Pointed to On-prem

in.hes.trendmicro.com

SPF: v=spf1 include:spf.protection.outlook.com include: in.hes.trendmicro.com include: ASPMX.L.GOOGLE.COM -all

Combination of On-premises and Office 365 On-premises Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to On-prem spam filter

MX record Pointed to On-prem

MX1.domain.com

SPF: v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all

Combination of On-premises and Office 365 Third-party cloud spam filter Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to third-party cloud spam filter

MX record pointed to third-party cloud

MX record Pointed to On-prem

in.hes.trendmicro.com

SPF: v=spf1 include:spf.protection.outlook.com include: in.hes.trendmicro.com -all

MailFlow Configuration Prerequisites:

  1. Make sure that your email server (also called “on-premises mail server”) is set up and capable of sending and receiving mail to and from the Internet.
  2. Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid public certification authority-signed (CA-signed) certificate.
  3. Make a note of the name or IP address of your external-facing email server. If you’re using Exchange, this will be the Fully Qualified Domain Name (FQDN) of your Edge Transport server or CAS that will receive an email from Office 365.
  4. Open port 25 on your firewall so that Office 365 can connect to your email servers.
  5. Make sure your firewall accepts connections from all Office 365 IP addresses. See Exchange Online Protection IP addresses for the published IP address range.
  6. Make a note of an email address for each domain in your organisation. You’ll need this later to test that your connector is working correctly.
  7. Make sure you add all datacenter IP addresses of Office 365 into your receive connector of on-premises Exchange server

Configure mail to flow from Office 365 to your email server and vice-versa. There are three steps for this:

  1. Configure your Office 365 environment.
  2. Set up a connector from Office 365 to your email server.
  3. Change your MX record to redirect your mail flow from the Internet to Office 365.

Note: For Exchange Hybrid Configuration wizard, connectors that deliver mail between Office 365 and Exchange Server will be set up already and listed here. You don’t need to set them up again, but you can edit them here if you need to.

  1. To create a connectorExchange in Office 365, click Admin, and then click to go to the Exchange admin center. Next, click mail flow click mail flow, and click connectors.
  2. To start the wizard, click the plus symbol +. On the first screen, choose the appropriate options when creating MailFlow from Office 365 to On-premises Server
  3. Click Next, and follow the instructions in the wizard.
  4. Repeat the step to create MailFlow between On-premises to Office 365.
  5. To redirect email flow to Office 365, change the MX (mail exchange) record for your domain to Microsoft EOP, i.e. domain-com.mail.protection.outlook.com

Relevant Articles:

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Centralized MailFlow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

Windows Server Patching Best Practices

This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.

Patching Requirements

Windows Server patches, hotfixes and service pack is critical for compliance, service level agreement and security purposes. Keeping an operating systems and application up to date is the key to align your infrastructure with latest software. Patches and hotfixes also enable you to prevent any security breaches and malware infection.

Windows Patch Classification

The following are strongly recommended patches:

  1. Critical
  2. Security
  3. Definition Updates for malware
  4. Service packs

Windows Product Classification

It is highly recommended that you patch Windows Servers, Windows Clients, Office, Applications (Silverlight, .Net Framework, SQL, Exchange, SharePoint, FF TMG).

Patching Groups

Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

1. UAT (UAT1, UAT2, etc)

2. Test Environment (Test1, Test2, etc)

3. Development Environment (Dev1, Dev2 etc)

4. Production (Prod1, Prod2, etc)

If you have clustered environment like SQL, Exchange and SharePoint then create Prod1, prod2 group and place each node on each group.

Change Management

System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.

Backup

Why am I discussing backup with patching best practice? In case of emergency you can rollback completely and restore a server to its original state if necessary. It is very important that servers be backed up on a regular basis. Depending on the use of the server, it may be adequate to backup the server once per week. A backup of a more critical environment may be needed daily, and possibly continuously. The backup program provided with Windows is capable of backing up to virtually any writable media, which can include network drives provided by a server in another physical location. This program is also capable of scheduling backups which can ensure backups occur on a regular interval.

Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:

  • A full backup of all databases on the server.
  • A full backup of transaction log and log backup
  • A system state backup of the server.
  • A snapshot of virtualized exchange server. Delete snapshot after successful patching and updating.

Application Compatibility

Read release notes of each hotfixes you are going to apply so that you are compliant with the application installed on the server. Consult with application vendor before applying service pack to any server if the server is hosting specific business application. Consult with application engineer about the importance of server patching. Inform and educate application engineer as much as possible to avoid conflict of interest.

Documentation

Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.

Back out Plan

A back-out plan will allow the system and enterprise to return to their original state, prior to the failed implementation. It is important that these procedures are clear, and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed for uninstalling, so verify there is enough free hard disk space to create the uninstall folder. Create a back out plan electronically and attach with change management software.

User Notifications

You need to notify helpdesk staff and support agencies of the pending changes so they may be ready for arising issues or outages.

Consistency across Servers

Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.

Routine Maintenance Window

A scheduled maintenance window must be agreed with business so that application outage and server reboot can maintain a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock then you must consider application dependencies. A patching schedule can be considered in between every Friday of every month at 6:00 P.M. Friday to 6:00 A.M Monday. Setup maintenance window in system center or deadline for WSUS to make sure patches are applied when you want instead of when patch is available. In this way you will have a complete control over change windows approved by change advisory board (CAB). Do not allow end users to update patches on their client machine according to their wishes and happiness! then user will never install any patch.

Patching Tools

I strongly recommend that you spend few $$$ to buy Microsoft System Center 2012 to manage and deploy Windows patches, service pack and hotfixes. However you can use Windows Server Update Services (WSUS) as poor man’s patching solutions.

Patching DMZ server can be accomplished using WSUS offline patching solutions available for free to download from http://download.wsusoffline.net/.

Automate, Automate and Automate!

Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.

Standardize Patch Management Processes

Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.

Reboot Windows Computer

Some application may require reboot of server before patching such as RSA Secure Console. However most of the server must be rebooted after patching. Do not suppress reboot after patching in any circumstances or you will have a messy environment and broken clusters.

X86 and X64 Windows Systems

The most prominent 32-bit application you’re likely to see on a 64-bit Windows system is Office. In this sort of situation System Center benefits most because you can adjust and make decision based on architecture and compliance as well. You can approve patches based on “Needed and Not Installed”. If a server or client need update it will install if not then it will not installed. It’s safe to do so.

Antivirus and Antispyware

Servers are vulnerable to many forms of attack. Implementation and standardization of security methods should be developed to allow early and rapid deployment on servers. It’s important that a Windows server be equipped with a latest centrally managed Antivirus program. Antivirus update must be scheduled with the same maintenance window to update antivirus with latest definition.

Audit Practices

Servers have a powerful auditing feature built in. Typically, server managers would want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as it does require CPU and disk time for auditing to gather information. Log Management software should be used, if possible, for ease of managing and analysing information. Report can be generated from Systems Center and WSUS as proof of patching cycle.

Log Retention

Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, and then rotate log files once per month.

Installing Updates on a single Exchange Server

Download Exchange Update from Microsoft Download Center. Record Current Exchange Version information

Check for publisher’s certificate revocation

1. Start Internet Explorer.

2. On the Tools menu, click Internet Options.

3. Click the Advanced tab, and then locate the Security section.

4. Clear the Check for publisher’s certificate revocation check box, and then click OK.

5. After the update rollup installation is complete, select the Check for publisher’s certificate revocation option.

Pre-check before installing

1. Determine which update rollup packages are installed on your Exchange server roles

2. Determine whether any interim updates are installed

3. Review interim updates

4. Obtain the latest update rollup package

5. Apply on a Test Exchange Server

Install Exchange Update

1. Ensure that you have downloaded the appropriate rollup to a local drive on your Exchange servers, or on a remote network share.

2. Run the Windows Installer *.msp Setup file that you downloaded in step 1.

Install Exchange Update on DAG Member

To update all DAG members, perform the following procedures on each DAG member, one at a time. Set the member server in maintenance mode using this PowerShell Command.

.StartDagServerMaintenance.ps1 <ServerName>

Install the update rollup

1. Close all Exchange management tools.

2. Right-click the Exchange update rollup file (.msp file) you downloaded, and then select Apply.

3. On the Welcome page, click Next.

4. On the License Terms page, review the license terms, select I accept the License Terms, and then click Next.

5. On the Completion page, click Finish.

Once installed exit from maintenance mode run the StopDagServerMaintenance.ps1 script. Run the following command to re-balance the DAG, as needed

.RedistributeActiveDatabases.ps1 -DagName <DAGName> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution

When the installation is finished, complete the following tasks:

  • Start the Services MMC snap-in, and then verify that all the Exchange-related services are started successfully.
  • Log on to Outlook Web App to verify that it’s running correctly.
  • Restore Outlook Web App customizations, and then check Outlook Web App for correct functionality.
  • After the update rollup installation is complete, select the Check for publisher’s certificate revocation option in Internet Explorer. See “Certificate Revocation List” earlier in this topic.
  • Check Exchange 2010 version information
  • View Update rollup in Control Panel>Programs and Features

Patching Microsoft Failover Cluster

You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privilege is required to perform the following tasks.

Procedure to install Windows service pack or hotfixes in Windows Server 2003:

  1. Check the System event log for errors and ensure proper system operation.
  2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
  3. Expand Node A, and then click Active Groups. In the left pane, right-click the groups, and then click Move Group to move all groups to Node B.
  4. Open Cluster Administrator, right-click Node A, and then click Pause Node.
  5. Install the service pack on Node A, and then restart the computer.
  6. Check the System event log for errors. If you find any errors, troubleshoot them before continuing this process.
  7. In Cluster Administrator, right-click Node A, and then click Resume Node.
  8. Right-click Node B, and then click Move Group for all groups owned by Node B to move all groups to Node A.
  9. In Cluster Administrator, right-click Node B, and then click Pause Node.
  10. Install the service pack on Node B, and then restart the computer.
  11. Check the system event log for errors. If you find any errors, troubleshoot them before continuing this process.
  12. In Cluster Administrator, right-click Node B, and then click Resume Node.
  13. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:

  1. Check the event log for errors and ensure proper system operation.
  2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
  3. On Node A, Expand Services and Applications, and then click the service or application
  4. Under Actions (on the right), click Move this service or application to another node, then choose the node or select Best possible.
  5. In the Failover Cluster Manager snap-in, right-click Node A, and then click Pause.
  6. Install the service pack/hotfixes on Node A, and then restart the computer.
  7. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
  8. In Failover Cluster Manager snap-in, right-click Node A, and then click Resume.
  9. Under Actions (on the right), click Move this service or application to another node, then choose the node.
    Note: As the service or application moves, the status is displayed in the results pane (in the center pane). Follow the Step 9 and 10 for each service and application configured on the cluster.
  10. Install the service pack/hotfixes on Node B, and then restart the computer.
  11. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
  12. From the Failover Cluster Manager snap-in, right-click Node B, and then click Pause.
  13. In Failover Cluster Manager, right-click Node B, and then click Resume.
  14. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

You can use the following PowerShell Cmdlet to accomplish the same.

1. Load the module with the command: Import-Module FailoverClusters

2. Suspend (Pause) activity on a failover cluster nodeA: Suspend-ClusterNode nodeA

3. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeA | Get-ClusterGroup | Move-Cluster Group

4. Resume activity on nodeA that was suspended in step 5: Resume-ClusterNode nodeA

5. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeB | Get-ClusterGroup | Move-Cluster Group

6. Suspend (Pause) activity on other failover cluster node: Suspend-ClusterNode nodeB

7. Resume activity on nodeB that was suspended in step 10 above: Resume-ClusterNode nodeB

Conclusion

It is critical that when service packs, hotfixes, and security patches are required to be installed, that these best practices be followed.

Bottom line

1. Read all related documents.

2. Use a change control process.

3. Apply updates that are needed.

4. Test patches and hotfixes on test environment.

5. Don’t get more than 2 service packs behind.

6. Target non-critical servers first.

7. Service Pack (SP) level consistency.

8. Latest SP instead of multiple hotfixes.

9. Apply only on exact match.

10. Subscribe to Microsoft email notification.

11. Always have a back-out plan.

12. Have a working Backup and schedule production downtime.

13. Consistency across Domain Controllers and application servers.

Additional Readings:

SQL Server failover cluster rolling patch and service pack process

Patch Management on Business-Critical Servers

Active Directory Certificate Services Best Practices

AD CS is composed of several role services that perform several tasks. One or more of these role services can be installed on a server as required. These role services are as follows:

  • Certification Authority— This role service installs the core CA component, which allows a server to issue, revoke, and manage certificates for clients. This role can be installed on multiple servers within the same root CA chain.
  • Certification Authority Web Enrollment— This role service handles the web-based distribution of certificates to clients. It requires Internet Information Services (IIS) to be installed on the server.
  • Online Responder— The role service responds to individual client requests regarding information about the validity of specific certificates. It is used for complex or large networks, when the network needs to handle large peaks of revocation activity, or when large certificate revocation lists (CRLs) need to be downloaded.
  • Certificate Enrollment Web Service— This new service enables users and computers to enroll for certificates remotely or from non-domain systems via HTTP.
  • Certificate Enrollment Web Policy Service— This service works with the related Certificate Enrollment Web Service but simply provides policy information rather than certificates.
  • Network Device Enrollment Service— This role service streamlines the way that network devices such as routers receive certificates.

Windows Server 2012 Step by Step
Active Directory Certificate Services Hierarchy

Public Key Infrastructure must be deployed in hierarchical order to securely deliver certificates to clients, application and servers. The best way to achieve this is to deploy a Standalone Offline Root CA and Online Enterprise Subordinate CA. Offline Root CA meaning you have to shut down the CA once you obtain the CRL chain for subordinate CA. Subordinate stays powered on and joined to the domain. Offline Root CA works in a workgroup not a domain member.

Standalone offline Root CA:

Benefits:

  • Principal component of PKI infrastructure
  • Provide CRL sign off capacity for subordinate authority
  • Provide Web Enrolment for Sub-ordinate Certificate Authority
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Online Enterprise Subordinate CA

Benefits:

  • Subordinate Component of PKI infrastructure
  • Present and issue Certificates to clients
  • Sign off Web Certificates for application
  • Management point of Certificate Infrastructure
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Certificate Services Best practices

  • Analyze and plan necessity of Active Directory Certificates or public key infrastructure (PKI) in your organization before deploying certification authorities (CAs)
  • Place database and transaction log files on separate hard drives possibly SAN
  • Keep the root certification authority offline and secure its signing key by hardware and keep it in a vault to minimize potential for key compromise
  • When changing security permissions for the certification authority (CA), always use the Certification Authority snap-in
  • Do not issue certificates to users or computers directly from the root certification authority
  • Always point client to subordinate certificate any certificates
  • Back up the CA database, the CA certificate, and the CA keys
  • Ensure that key lifetimes are long enough to avoid renewal issues
  • Review the concepts of security permissions and access control, since enterprise certification authorities issue certificates based on the security permissions of the certificate requester
  • Use Secure Sockets Layer (SSL) when using Web-based certificate enrollment

Certificate Provider

You have to select RSA#Microsoft Software Key Storage Provider” with sha1 if there is any Windows XP Client otherwise select RSA#Microsoft Software Key Storage Provider” with sha256 as certificate provider.

Cryptographic Key Length

Use 2048 bit cryptographic length for both offline Root CA and Subordinate CA.

Templates

  • Plan certificate templates before deployment
  • Only Publish templates that are necessary
  • Duplicate new templates from existing templates closest in function to the intended template
  • Do not exceed the certificate lifetime of the issuing certification authority
  • Do not delete the Certificate Publishers security group

Validity Period

  • Offline Standalone Root CA- 10 Years
  • Online Enterprise Subordinate CA- 10 Years

Revocation List

The following sections summarize how certificate revocation checking works.

  • Basic chain and certificate validation
  • Validating revocation information
  • Network retrieval and caching

Revocation Best Practice

  • Leave the default revocation checking behavior instead of using CRLs for revocation checking
  • Instead of creating long listings of URLs for OCSP and CRL retrieval, consider limiting the lists to a single OCSP and a single CRL URL
  • Use CryptoAPI 2.0 Diagnostics to Troubleshoot Revocation Settings
  • Use Group Policy to Define Revocation Behavior

Audit Policy

Select the following Audit Policy for both Certificate Authority

  • Backup and restore the CA database
  • Change CA configuration
  • Change CA security settings
  • Issue and manage certificate request
  • Revoke certificates and publish CRL

Backup Certificate Authority

  • Backup Public Key
  • Backup CA database
  • Retention: Daily increment/Monthly Full

Security Permission on Template

The following table summarize certificate security permission in AD CS.

Domain Computers Auto-Enroll Read Only
Domain Users Auto-Enroll Read Only
Wintel Administrator Full Control Full Control

Security Permission on Servers

You must create role separation in Active Directory Certificate Services to provide greater control on Certificate Authority. To enable Role separation, Open Elevated command prompt and type certutil -setreg caRoleSeparationEnabled 1. The following table describe role separation for AD CS.

CA Administrator Full Permission
Certificate Manager Issue and Manage Certificates
Auditor Manage auditing and security logLocal Security Settings/ Security Settings/Local Policies/User Rights Assignments
Backup Operator Back up file and directories

Local Security Settings/ Security Settings/Local Policies/User Rights Assignments

Enrollees Authenticated Users

The Following are the messy configurations you must avoid when installing a Certificate Authority.

  • Do not install Certificate Authority on any Domain Controller or server with other roles unless you are a small business and you have only one or two servers in your organization. In this case, you don’t have any choice.
  • Do not install both certificate authority in two different operating systems such as Windows Server 2003 and Windows Server 2008.
  • Do not keep CAs in different patch and update level.
  • Do not use 1024 bit encryption length.

Relevant Articles:

Microsoft Active Directory Best Practice Part II

Microsoft Active Directory—Best Practice