Vincent Yim
Premier Field Engineer
Microsoft Services

Troubleshooting Hybrid Mailflow
MNGIN301
Agenda
- Refresher/Overview of Hybrid Routing
- Mailflow Options
- EOP in Hybrid
- Review tools to assist in mail flow troubleshooting
- Issues
- Other fun stuff
- Questions
Refresher/Overview of Hybrid Routing
- 2 distinct Exchange organizations
- HCW creates connectors in each Exchange org; the number of connectors varies based on Exchange version
- Secure Mail
Refresher/Overview of Hybrid Routing
- All messages sent between on-premises and ExO are sent over a secure connection using TLS
- The Hybrid Configuration Wizard creates a dedicated send connector on-premises scoped to the coexistence domain (tenant.mail.onmicrosoft.com)
- An outbound connector in EOP is also created and is scoped to the default SMTP domain (contoso.com)
- Each organization is configured to treat messages sent from the other organization as internal
- This allows messages to bypass anti-spam settings and other services
- The on-premises server that terminates the TLS connection must be a minimum of Exchange 2010 SP1
- Any other SMTP endpoint accepting the messages will cause the required headers to be lost, which will impact secure mail functionality
Refresher/Overview of Hybrid Routing
- E-mail domain sharing: both orgs will accept "contoso.com" as authoritative
- How do we prevent mail loops?
- Actually, it's all about how addressing works
- Requires a coexistence domain for "backboning" mailflow
Refresher/Overview of Hybrid Routing
Coexistence Domain
- Based off of the Microsoft Online Default Routing Domain
- The coexistence domain is a domain created for each Office 365 tenant in the format <your tenant>.mail.onmicrosoft.com
- For example, if your Default Routing domain is "tenant.onmicrosoft.com" then your coexistence domain would be "tenant.mail.onmicrosoft.com"
- Created when you activate DirSync in your Office 365 tenant
- AutoDiscover and MX records are created automatically for this domain
- Provides the backbone of all coexistence features
- Added as an on-premises email address policy when the HCW is run
- Mailboxes moved to Exchange Online will have the coexistence domain stamped on their user object as a target address
Demo
DirSync states pre/post migration
After initial DirSync

On-premises Active Directory
UserPrincipalName       | homeMDB/homeMTA/msExchHomeServerName | proxyAddresses                        | ExternalEmailAddress (targetAddress)
Alex.Darrow@contoso.com | present (Mailbox)                    | SMTP:Alex.Darrow@contoso.com, others  | <NULL>
Kim.Akers@contoso.com   | present (Mailbox)                    | SMTP:Kim.Akers@contoso.com, others    | <NULL>

Exchange Online
UserPrincipalName       | homeMDB/homeMTA/msExchHomeServerName | proxyAddresses                        | ExternalEmailAddress (targetAddress)
Alex.Darrow@contoso.com | <NULL> (Mail-enabled User)           | SMTP:Alex.Darrow@contoso.com, others  | Alex.Darrow@contoso.com
Kim.Akers@contoso.com   | <NULL> (Mail-enabled User)           | SMTP:Kim.Akers@contoso.com, others    | Kim.Akers@contoso.com

After running the Hybrid Configuration Wizard

On-premises Active Directory
UserPrincipalName       | homeMDB/homeMTA/msExchHomeServerName | proxyAddresses                                                                    | ExternalEmailAddress (targetAddress)
Alex.Darrow@contoso.com | present (Mailbox)                    | SMTP:Alex.Darrow@contoso.com, smtp:Alex.Darrow@contoso.mail.onmicrosoft.com, others | <NULL>
Kim.Akers@contoso.com   | present (Mailbox)                    | SMTP:Kim.Akers@contoso.com, smtp:Kim.Akers@contoso.mail.onmicrosoft.com, others     | <NULL>

Exchange Online
UserPrincipalName       | homeMDB/homeMTA/msExchHomeServerName | proxyAddresses                                                                    | ExternalEmailAddress (targetAddress)
Alex.Darrow@contoso.com | <NULL> (Mail-enabled User)           | SMTP:Alex.Darrow@contoso.com, smtp:Alex.Darrow@contoso.mail.onmicrosoft.com, others | Alex.Darrow@contoso.com
Kim.Akers@contoso.com   | <NULL> (Mail-enabled User)           | SMTP:Kim.Akers@contoso.com, smtp:Kim.Akers@contoso.mail.onmicrosoft.com, others     | Kim.Akers@contoso.com

After moving Alex's mailbox to Exchange Online

On-premises Active Directory
UserPrincipalName       | homeMDB/homeMTA/msExchHomeServerName      | proxyAddresses                                                                    | ExternalEmailAddress (targetAddress)
Alex.Darrow@contoso.com | <NULL> (RemoteMailbox/Mail-enabled User)  | SMTP:Alex.Darrow@contoso.com, smtp:Alex.Darrow@contoso.mail.onmicrosoft.com, others | Alex.Darrow@contoso.mail.onmicrosoft.com
Kim.Akers@contoso.com   | present (Mailbox)                         | SMTP:Kim.Akers@contoso.com, smtp:Kim.Akers@contoso.mail.onmicrosoft.com, others     | <NULL>

Exchange Online
UserPrincipalName       | homeMDB/homeMTA/msExchHomeServerName | proxyAddresses                                                                    | ExternalEmailAddress (targetAddress)
Alex.Darrow@contoso.com | present (Mailbox)                    | SMTP:Alex.Darrow@contoso.com, smtp:Alex.Darrow@contoso.mail.onmicrosoft.com, others | <NULL>
Kim.Akers@contoso.com   | <NULL> (Mail-enabled User)           | SMTP:Kim.Akers@contoso.com, smtp:Kim.Akers@contoso.mail.onmicrosoft.com, others     | Kim.Akers@contoso.com

1) Kim sends email to Alex.
2) Exchange on-prem receives a message addressed to Alex.Darrow@contoso.com.
3) Exchange on-prem finds that Alex is now a remote mailbox and reroutes the message to his target address, Alex.Darrow@contoso.mail.onmicrosoft.com.
4) Exchange on-prem finds a send connector with address space "contoso.mail.onmicrosoft.com" and sends the message to the target server.
5) Exchange Online receives the message addressed to Alex.Darrow@contoso.mail.onmicrosoft.com.
6) The ExO server finds the recipient with a proxy address of Alex.Darrow@contoso.mail.onmicrosoft.com and delivers it into the mailbox.
7) Alex sees Kim's message and replies. (The MAIL FROM address is always the primary SMTP address, the one with the upper-case "SMTP:" prefix in proxyAddresses.)
8) Kim receives the message and sees it comes from Alex.Darrow@contoso.com (not @contoso.mail.onmicrosoft.com).
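The addressing rules in the table above can be checked mechanically. The following PowerShell (Windows PowerShell 3.0 or later) is an added example and is not code from the deck or from Microsoft: it takes the three attributes the table tracks (proxyAddresses, targetAddress and the coexistence domain) and reports what would break routing. The coexistence domain and the three sample objects are constructed to mirror Alex and Kim after the move, plus one deliberately broken user.

```powershell
# Added example (not from the deck): validate a recipient's hybrid routing addressing.
# Assumption: the tenant's coexistence domain is contoso.mail.onmicrosoft.com.
$CoexistenceDomain = 'contoso.mail.onmicrosoft.com'

function Test-HybridRoutingAddress {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$ProxyAddresses,   # as stored in AD: 'SMTP:' primary, 'smtp:' secondaries
        [string]$TargetAddress,                             # ExternalEmailAddress/targetAddress; empty for a local mailbox
        [Parameter(Mandatory)][string]$CoexistenceDomain
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # The primary SMTP address is the single entry with an upper-case 'SMTP:' prefix. It is what
    # goes into MAIL FROM / From:, which is why Kim still sees Alex as @contoso.com after the move.
    $primary = @($ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $findings.Add("expected exactly one 'SMTP:' primary address, found $($primary.Count)")
    }

    # The coexistence (routing) address must exist as a secondary proxy; the HCW e-mail address
    # policy stamps it on-prem and DirSync carries it to Exchange Online.
    $routing = @($ProxyAddresses | Where-Object { $_ -like "smtp:*@$CoexistenceDomain" })
    if ($routing.Count -eq 0) {
        $findings.Add("no routing address @$CoexistenceDomain (HCW address policy not applied?)")
    }

    # A remote mailbox must have targetAddress = its routing address, otherwise on-prem either
    # tries to deliver locally (NDR) or picks whichever connector matches the wrong domain.
    $ta = $TargetAddress -replace '^smtp:', ''
    if ($ta) {
        if ($ta -notlike "*@$CoexistenceDomain") {
            $findings.Add("targetAddress '$ta' is not in the coexistence domain; mail will not backbone to Exchange Online")
        } elseif ($routing.Count -gt 0 -and $ta -ne ($routing[0] -replace '^smtp:', '')) {
            $findings.Add("targetAddress '$ta' does not match routing proxy '$($routing[0])'")
        }
    }

    $primarySmtp = if ($primary.Count -gt 0) { $primary[0] -replace '^SMTP:', '' } else { $null }
    $routingAddr = if ($routing.Count -gt 0) { $routing[0] -replace '^smtp:', '' } else { $null }
    [pscustomobject]@{
        Identity       = $Identity
        PrimarySmtp    = $primarySmtp
        RoutingAddress = $routingAddr
        TargetAddress  = $ta
        Healthy        = ($findings.Count -eq 0)
        Findings       = ($findings -join '; ')
    }
}

# Constructed on-premises objects after Alex's move (compare the third table above).
$samples = @(
    @{ Identity = 'Alex.Darrow'                                               # remote mailbox
       ProxyAddresses = 'SMTP:Alex.Darrow@contoso.com', 'smtp:Alex.Darrow@contoso.mail.onmicrosoft.com'
       TargetAddress  = 'SMTP:Alex.Darrow@contoso.mail.onmicrosoft.com' }
    @{ Identity = 'Kim.Akers'                                                 # still on-prem
       ProxyAddresses = 'SMTP:Kim.Akers@contoso.com', 'smtp:Kim.Akers@contoso.mail.onmicrosoft.com'
       TargetAddress  = '' }
    @{ Identity = 'Broken.User'                                               # routing address never stamped
       ProxyAddresses = 'SMTP:Broken.User@contoso.com'
       TargetAddress  = 'SMTP:Broken.User@contoso.com' }
)
foreach ($s in $samples) { Test-HybridRoutingAddress @s -CoexistenceDomain $CoexistenceDomain }
```

Against a live organization, feed it the real objects: `Get-RemoteMailbox` exposes `EmailAddresses` and `RemoteRoutingAddress`, and `Get-MailUser` exposes `EmailAddresses` and `ExternalEmailAddress`; both render as `SMTP:`-prefixed strings when cast with `ToString()`, which is the form the function expects. Filter on `Healthy -eq $false` to get the list of users whose mail will not backbone.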
Mailflow Options

[Diagram: On-Premises Organization (Exchange, Third Party Email Security System, "David" on-premises mailbox) linked to Exchange Online (Exchange Online Protection, "Chris" cloud mailbox) by Secure Mail, i.e. encrypted and authenticated mail flow; an External User reaches both via the Internet]
- MX resolves to on-premises gateway
- MX is switched to Exchange Online Protection
- Outbound Exchange Online traffic is delivered direct
- You can choose to route outbound on-premises mail via EOP
Mail Flow Options
In addition to choosing how inbound messages are routed, you can also choose how outbound messages sent from Exchange Online recipients are routed. The available options:
- Centralized mail control: routes outbound messages sent from Exchange Online users through on-premises. This enables you to apply compliance rules that must be applied to all of your recipients, regardless of whether they are located in Exchange Online or on-premises.
- Decentralized mail control: routes outbound messages sent from Exchange Online directly to the Internet. Use this option if you do not need to apply any on-premises policies or other processing to messages sent from recipients in Exchange Online.
Mailflow Options

[Diagram: the same components as above (Exchange Online with Exchange Online Protection and "Chris" cloud mailbox; On-Premises Organization with Exchange, Third Party Email Security System and "David" on-premises mailbox; External User on the Internet), joined by Secure Mail, encrypted and authenticated mail flow]
- MX resolves to on-premises gateway
- All email in and out of the Exchange Online tenant must go via on-premises
- MX is switched to Exchange Online Protection
EOP
- When you create inbound/outbound connectors in the Exchange Online Admin Center, these sit at the edge (EOP)
- Spam filtering bypassed
Review Tools for Troubleshooting
- Delivery reports
  - End users can run them; eliminates some helpdesk calls
  - Somewhat useless to admins
- Message trace
  - Loops
  - NDRs
  - Messages dropped due to virus
  - Export to CSV
- Use the protocol log, set to verbose
Review Tools for Troubleshooting
- Analyze headers
  - ExRCA has a Message Header Analyzer
  - OWA MHA app
- Telnet (your Exchange server might be using an IP that has been blacklisted by Spamhaus or one of the other RBL services in use by EOP)
- DLP policy rule hits: found through message trace, or the EAC, or the (delayed) Mail Protection Reports for Exchange
Demo
Mail Protection Reports for Exchange
Other Fun Stuff
Testing and tracing malware filters
- Create a file called EICAR.txt with the following text: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- Attach EICAR.txt to a new mail message, and send it through the service.
- Confirm your anti-malware filter settings have taken effect (policy changes can take up to an hour to replicate across datacenters)
- This "EICAR" test attachment will cause the message to be treated as malicious by antivirus/antimalware engines
Other Fun Stuff
Testing and tracing the content filter
- A GTUBE message should always be detected as spam by the content filter, and the actions performed on the message should match your configured settings. Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:
  XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
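The two test procedures above can be driven from one script so that each test message carries a subject tag you can search for in a message trace afterwards. The following PowerShell is an added example, not code from the deck or from Microsoft; the SMTP server name and the sender and recipient addresses are placeholders, and it assumes an on-premises server that will relay the message towards EOP.

```powershell
# Added example (not from the deck): send EICAR and GTUBE test messages with a traceable subject.
# Assumptions: $SmtpServer relays for $From, and $To is a mailbox behind EOP.
$SmtpServer = 'mail.contoso.com'
$From       = 'Kim.Akers@contoso.com'
$To         = 'Alex.Darrow@contoso.com'

# Single-quoted so PowerShell does not expand '$' or treat '\' specially inside the test strings.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$Gtube = 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

function New-EicarFile {
    param([string]$Path = (Join-Path $env:TEMP 'EICAR.txt'))
    # The test string must be the first 68 bytes of the file. Out-File would prepend a BOM and
    # append a newline on Windows PowerShell, so write the raw ASCII bytes instead.
    [System.IO.File]::WriteAllBytes($Path, [System.Text.Encoding]::ASCII.GetBytes($Eicar))
    return $Path
}

function Send-FilterTestMessage {
    param([Parameter(Mandatory)][ValidateSet('EICAR', 'GTUBE')][string]$Kind)
    # Unique subject tag so the message can be found with Get-MessageTrace afterwards.
    $tag    = "HybridFilterTest-$Kind-$(Get-Date -Format yyyyMMddHHmmss)"
    $common = @{ SmtpServer = $SmtpServer; From = $From; To = $To; Subject = $tag }
    switch ($Kind) {
        'EICAR' { Send-MailMessage @common -Body 'EICAR attachment test' -Attachments (New-EicarFile) }
        # GTUBE must be on one line in the body; the filter keys on the literal string.
        'GTUBE' { Send-MailMessage @common -Body $Gtube }
    }
    return $tag
}

$eicarTag = Send-FilterTestMessage -Kind EICAR
$gtubeTag = Send-FilterTestMessage -Kind GTUBE
"Sent test messages; search the message trace for subjects '$eicarTag' and '$gtubeTag'"
```

Allow the trace a few minutes and then look the tags up, for example with `Get-MessageTrace -SenderAddress $From -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) | Where-Object { $_.Subject -like 'HybridFilterTest-*' }`. One caveat that follows from the secure mail slides: a message that enters Exchange Online over the hybrid connector is treated as internal and bypasses anti-spam, so the GTUBE message sent from an on-premises mailbox to a cloud mailbox over that path will not exercise the content filter; send GTUBE from an external account to test it. Malware scanning is applied regardless of the path, so the EICAR test is meaningful either way.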
Other Fun Stuff
- On-prem senders to Internet recipients will get spam filtering
Demo
Other Fun Stuff
Outbound spam filter
- Why did the on-prem message route through the high-risk delivery pool?
- Outbound spam filtering is needed because malicious programmers and their malware are out there taking over computers inside corporate networks every day. This means that users in your organization can be sending large amounts of outbound spam without your knowledge.
Issues
- Running a hybrid server from home? ISPs using dynamic IP ranges will connect, but sessions will then be dropped by EOP.
- "454 4.7.5 Certificate validation failure." Check that the hybrid server can perform its CRL check.
- SMTP fixup / mailguard:
  220 ***************************************************************************************************************
  The above is a tell-tale sign that mailguard is enabled on a firewall appliance (most likely a Cisco PIX), and it prevents either side from seeing the STARTTLS verb. Secure mail flow cannot be performed without the STARTTLS verb.
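All three symptoms above (the asterisk banner, a missing STARTTLS, and the 454 4.7.5 response) show up in the verbose SMTP protocol log that the tools slide recommends. The following PowerShell (Windows PowerShell 3.0 or later) is an added example, not code from the deck or from Microsoft: it parses the Exchange send protocol log format and reports, per session, which of the symptoms occurred. The log lines are constructed; the connector name, host names and IP addresses are placeholders.

```powershell
# Added example (not from the deck): flag hybrid TLS problems in an Exchange SMTP send protocol log.
# Constructed sample log: session ...D1 is healthy, ...D2 shows a mailguard-masked banner with no
# STARTTLS, and ...D3 fails certificate validation after STARTTLS.
$SampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Send Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-03-10T10:00:01.001Z,Outbound to Office 365,08D0F9E3A2B4C5D1,0,10.0.0.5:25,203.0.113.10:25,+,,
2014-03-10T10:00:01.002Z,Outbound to Office 365,08D0F9E3A2B4C5D1,1,10.0.0.5:25,203.0.113.10:25,<,220 mail.protection.outlook.com Microsoft ESMTP MAIL Service ready,
2014-03-10T10:00:01.003Z,Outbound to Office 365,08D0F9E3A2B4C5D1,2,10.0.0.5:25,203.0.113.10:25,>,EHLO mail.contoso.com,
2014-03-10T10:00:01.004Z,Outbound to Office 365,08D0F9E3A2B4C5D1,3,10.0.0.5:25,203.0.113.10:25,<,250-mail.protection.outlook.com Hello [198.51.100.5],
2014-03-10T10:00:01.005Z,Outbound to Office 365,08D0F9E3A2B4C5D1,4,10.0.0.5:25,203.0.113.10:25,<,250-STARTTLS,
2014-03-10T10:00:01.006Z,Outbound to Office 365,08D0F9E3A2B4C5D1,5,10.0.0.5:25,203.0.113.10:25,<,250 8BITMIME,
2014-03-10T10:00:01.007Z,Outbound to Office 365,08D0F9E3A2B4C5D1,6,10.0.0.5:25,203.0.113.10:25,>,STARTTLS,
2014-03-10T10:00:01.008Z,Outbound to Office 365,08D0F9E3A2B4C5D1,7,10.0.0.5:25,203.0.113.10:25,<,220 2.0.0 SMTP server ready,
2014-03-10T10:00:05.001Z,Outbound to Office 365,08D0F9E3A2B4C5D2,0,10.0.0.5:25,203.0.113.10:25,+,,
2014-03-10T10:00:05.002Z,Outbound to Office 365,08D0F9E3A2B4C5D2,1,10.0.0.5:25,203.0.113.10:25,<,220 **************************************************,
2014-03-10T10:00:05.003Z,Outbound to Office 365,08D0F9E3A2B4C5D2,2,10.0.0.5:25,203.0.113.10:25,>,EHLO mail.contoso.com,
2014-03-10T10:00:05.004Z,Outbound to Office 365,08D0F9E3A2B4C5D2,3,10.0.0.5:25,203.0.113.10:25,<,250-mail.protection.outlook.com Hello [198.51.100.5],
2014-03-10T10:00:05.005Z,Outbound to Office 365,08D0F9E3A2B4C5D2,4,10.0.0.5:25,203.0.113.10:25,<,250 8BITMIME,
2014-03-10T10:00:09.001Z,Outbound to Office 365,08D0F9E3A2B4C5D3,0,10.0.0.5:25,203.0.113.10:25,+,,
2014-03-10T10:00:09.002Z,Outbound to Office 365,08D0F9E3A2B4C5D3,1,10.0.0.5:25,203.0.113.10:25,<,250-STARTTLS,
2014-03-10T10:00:09.003Z,Outbound to Office 365,08D0F9E3A2B4C5D3,2,10.0.0.5:25,203.0.113.10:25,>,STARTTLS,
2014-03-10T10:00:09.004Z,Outbound to Office 365,08D0F9E3A2B4C5D3,3,10.0.0.5:25,203.0.113.10:25,<,454 4.7.5 Certificate validation failure,
'@

function Get-SmtpSessionFindings {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # The '#Fields:' header names the CSV columns; other '#' lines are log metadata.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $rows = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $fields

    foreach ($session in ($rows | Group-Object -Property 'session-id')) {
        $recv = @($session.Group | Where-Object { $_.event -eq '<' } | ForEach-Object { $_.data })   # server -> us
        $sent = @($session.Group | Where-Object { $_.event -eq '>' } | ForEach-Object { $_.data })   # us -> server
        $findings = New-Object System.Collections.Generic.List[string]

        # A banner of asterisks means a firewall (PIX/ASA mailguard, SMTP fixup) is rewriting the session.
        $banner = $recv | Where-Object { $_ -like '220 *' } | Select-Object -First 1
        if ($banner -match '^220 \*{5,}') {
            $findings.Add('banner masked with asterisks: SMTP fixup/mailguard on a firewall is rewriting the session')
        }
        # Each line of the multi-line EHLO reply is logged as its own '<' row.
        $startTlsOffered = [bool]($recv | Where-Object { $_ -match '^250[- ]STARTTLS' })
        if (-not $startTlsOffered -and ($sent | Where-Object { $_ -like 'EHLO *' })) {
            $findings.Add('STARTTLS not offered in EHLO response: secure mail cannot be established')
        }
        if ($recv | Where-Object { $_ -match '^454 4\.7\.5' }) {
            $findings.Add('454 4.7.5 certificate validation failure: check the certificate and CRL reachability from this server')
        }
        [pscustomobject]@{
            SessionId       = $session.Name
            Connector       = $session.Group[0].'connector-id'
            RemoteEndpoint  = $session.Group[0].'remote-endpoint'
            StartTlsOffered = $startTlsOffered
            TlsStarted      = [bool](($sent -contains 'STARTTLS') -and ($recv | Where-Object { $_ -like '220 2.0.0*' }))
            Findings        = ($findings -join '; ')
        }
    }
}

Get-SmtpSessionFindings -LogLines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On a real server, turn on verbose logging for the hybrid connector first (`Set-SendConnector -Identity 'Outbound to Office 365' -ProtocolLoggingLevel Verbose`, with the connector name being whatever the HCW created in your org) and then point the function at the files under `Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\Hub\ProtocolLog\SmtpSend'`, for example `Get-Content (Join-Path $path 'SEND20140310-1.LOG')`. The receive protocol log uses the same column layout, so the same function works for sessions EOP opens towards you.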
Issues
- Changing datacenter IP ranges? You will quite possibly need to re-run the HCW if datacenter IPs change
- With the Exchange 2010 HCW, a point-in-time list is copied

Issues
- With the Exchange 2010 HCW, you may need to adjust the EHLO response guessed by the HCW
Issues
- Missing header? X-MS-Exchange-Organization-AuthAs = Internal or Anonymous
- If Anonymous, your message took another path
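The AuthAs check above is a header-analysis step, and the same pass over the headers also answers the loop and TLS questions from the tools slides. The following PowerShell (Windows PowerShell 3.0 or later) is an added example, not code from the deck or from Microsoft: it unfolds the header block, walks the Received chain from the first hop to the last, and reports whether X-MS-Exchange-Organization-AuthAs says the message came in as Internal. The two header blocks are constructed; server names and IP addresses are placeholders.

```powershell
# Added example (not from the deck): check message headers for the hybrid "secure mail" path.
function ConvertFrom-MessageHeader {
    param([Parameter(Mandatory)][string]$RawHeaders)
    $headers = New-Object System.Collections.Generic.List[object]
    foreach ($line in ($RawHeaders -split "`r?`n")) {
        if ($line -eq '') { break }                                  # blank line ends the header block
        if ($line -match '^\s' -and $headers.Count -gt 0) {          # folded continuation (RFC 5322 2.2.3)
            $headers[$headers.Count - 1].Value += ' ' + $line.Trim()
        } elseif ($line -match '^([!-9;-~]+):\s*(.*)$') {            # field-name: printable ASCII except ':'
            $headers.Add([pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2] })
        }
    }
    return $headers
}

function Test-HybridMessageHeaders {
    param([Parameter(Mandatory)][string]$RawHeaders, [int]$LoopHopThreshold = 20)
    $h = ConvertFrom-MessageHeader -RawHeaders $RawHeaders
    $authAs = ($h | Where-Object { $_.Name -eq 'X-MS-Exchange-Organization-AuthAs' } | Select-Object -First 1).Value

    # Each hop prepends its Received header, so the bottom one is the first hop.
    $received = @($h | Where-Object { $_.Name -eq 'Received' } | ForEach-Object { $_.Value })
    [array]::Reverse($received)
    $hops = foreach ($r in $received) {
        $from = if ($r -match '(?i)\bfrom\s+(\S+)') { $Matches[1] } else { '?' }
        $by   = if ($r -match '(?i)\bby\s+(\S+)')   { $Matches[1] } else { '?' }
        # Exchange stamps "(TLS)" on a TLS-protected hop; Postfix/Sendmail write "with ESMTPS".
        [pscustomobject]@{ From = $from; By = $by; Tls = [bool]($r -match '\(TLS\)|\bESMTPS\b') }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $authAs) {
        $findings.Add('X-MS-Exchange-Organization-AuthAs missing: the message did not arrive over the hybrid connectors')
    } elseif ($authAs -ne 'Internal') {
        $findings.Add("AuthAs=$authAs: message took another path and was treated as external (anti-spam applied)")
    }
    if ($hops.Count -ge $LoopHopThreshold) { $findings.Add("$($hops.Count) Received hops: possible mail loop") }
    foreach ($hop in ($hops | Where-Object { -not $_.Tls })) { $findings.Add("hop $($hop.From) -> $($hop.By) was not TLS-protected") }

    [pscustomobject]@{
        AuthAs   = $authAs
        Path     = (($hops | ForEach-Object { "$($_.From) -> $($_.By)$(if ($_.Tls) { ' [TLS]' })" }) -join ' | ')
        Findings = ($findings -join '; ')
    }
}

# Constructed headers: Kim -> Alex over the hybrid connector, stamped Internal.
$HybridPath = @'
Received: from BL2PR03MB123.namprd03.prod.outlook.com (10.255.0.1) by
 BL2PR03MB456.namprd03.prod.outlook.com (10.255.0.2) with Microsoft SMTP Server
 (TLS) id 15.0.898.11; Mon, 10 Mar 2014 10:00:03 +0000
Received: from mail.contoso.com (198.51.100.5) by
 BL2PR03MB123.namprd03.prod.outlook.com (10.255.0.1) with Microsoft SMTP Server
 (TLS) id 15.0.898.11 via Frontend Transport; Mon, 10 Mar 2014 10:00:02 +0000
X-MS-Exchange-Organization-AuthAs: Internal
From: Kim Akers <Kim.Akers@contoso.com>
To: Alex Darrow <Alex.Darrow@contoso.com>
Subject: hybrid test

body starts here
'@

# Constructed headers: same sender, but relayed in without TLS and without the AuthAs stamp.
$OtherPath = @'
Received: from mail.contoso.com (198.51.100.5) by
 BL2PR03MB123.namprd03.prod.outlook.com (10.255.0.1) with Microsoft SMTP Server
 id 15.0.898.11; Mon, 10 Mar 2014 10:05:02 +0000
Received: from mx.example.net (192.0.2.7) by mail.contoso.com (198.51.100.5) with ESMTP id abc123; Mon, 10 Mar 2014 10:05:01 +0000
From: Kim Akers <Kim.Akers@contoso.com>
Subject: took a different path

'@

Test-HybridMessageHeaders -RawHeaders $HybridPath | Format-List
Test-HybridMessageHeaders -RawHeaders $OtherPath  | Format-List
```

Paste the header block copied from OWA's message details (or exported from the on-premises server) into `-RawHeaders`. The ExRCA and OWA Message Header Analyzer tools mentioned earlier show the same information interactively; the script form is useful when you need to check a batch of messages from a message trace rather than one at a time.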
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.