Thursday 8 December 2011

Office 365 hybrid routing (connectors / TLS) configuration when using Exchange Edge (pre-SP2)

When migrating to Office 365 we used the Microsoft Deployment assistant / guide for setting up the coexistence server.
Source : http://technet.microsoft.com/en-us/exdeploy2010/default.aspx
One thing I noticed was that the deployment assistant did not describe configuring transport when using an Exchange Edge server.
In our case, we did use an Exchange Edge server.
Documentation about using Exchange Edge with Office 365 was very minimal and at the time of migration we did not have the luxury of SP2 for Exchange.
We wanted a scenario where all mail between mailboxes and the Internet is first routed to our on-premises organization and sent out via our on-premises Edge server. We also use disclaimer software that only runs on-premises, so mail had to be routed via on-premises to get our disclaimer. By routing messages through on-premises you can also apply your transport rules, anti-virus policies and anti-spam rules to mail from cloud mailboxes.

To save others from searching the whole Internet, I will describe the process we went through setting up transport between Office 365 and our on-premises Exchange Edge server.
The transport configuration starts at step 21 of the deployment guide.
I will rewrite some of the steps from the deployment guide below.
First of all, we need a certificate for TLS.
Acquire a publicly trusted certificate for the domain name mail.domain.com and install that certificate on the Edge server.
For creating a new certificate request :
http://technet.microsoft.com/en-us/library/dd351057.aspx
For importing a certificate:
http://technet.microsoft.com/en-us/library/dd351183.aspx
For assigning a certificate:
http://technet.microsoft.com/en-us/library/dd351257.aspx
Make sure you install the cert on the Exchange 2010 Edge and assign it to the "SMTP" Service.
When you run Get-ExchangeCertificate on the Edge server, the certificate for mail.domain.com should list SMTP under Services.
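As an added example (not part of the original post), the following PowerShell, run in the Exchange Management Shell on the Edge server, finds the certificate for the connector FQDN and checks that it is publicly issued, has its private key, is not expired and is assigned to SMTP, assigning it if it is not. The FQDN mail.domain.com is this post's placeholder; substitute your own.

```powershell
# Added example, not from the original post: verify on the Edge Transport server
# that the public certificate for the connector FQDN is usable for SMTP TLS.
# Assumption: mail.domain.com is the FQDN used on the Send and Receive connectors.
$connectorFqdn = 'mail.domain.com'

$certs = Get-ExchangeCertificate | Where-Object {
    $_.Subject -match ('CN=' + [regex]::Escape($connectorFqdn)) -or
    (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $connectorFqdn)
}
if (-not $certs) {
    throw "No certificate for $connectorFqdn on this server; import it first (Import-ExchangeCertificate)."
}

foreach ($cert in $certs) {
    $issues = @()
    if ($cert.IsSelfSigned)            { $issues += 'self-signed: FOPE will not trust it' }
    if (-not $cert.HasPrivateKey)      { $issues += 'no private key: import the .pfx, not the .cer' }
    if ($cert.NotAfter -lt (Get-Date)) { $issues += "expired on $($cert.NotAfter)" }

    # Services is a flags value; its string form lists the assigned services, e.g. "SMTP, IIS".
    $smtpAssigned = ("$($cert.Services)" -match '\bSMTP\b')

    "{0}  {1}  Services={2}" -f $cert.Thumbprint, $cert.Subject, $cert.Services
    $issues | ForEach-Object { "  problem: $_" }

    if (-not $smtpAssigned -and $issues.Count -eq 0) {
        # Bind the certificate to SMTP; Exchange asks to confirm replacing the default SMTP certificate.
        Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
        "  assigned to SMTP"
    }
}
```

The self-signed check matters: a fresh Edge server already has a self-signed certificate bound to SMTP, and if that one keeps winning the selection for mail.domain.com, FOPE's "certificate matches" rule fails and the mail is treated as Anonymous.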

Then we need to create a Send connector. The deployment guide says to create the Send connector on the hybrid server. Ignore that and create the connector with the Edge server as its source server: it is still created in the on-premises organization, and the Edge Subscription (EdgeSync) replicates it to the Edge server.

Configure Send connector

 Do the following in the Exchange Management Console (EMC) to create a Send connector.
  • In the console tree, click Organization Configuration in the on-premises forest, and then click Hub Transport.
  • In the action pane, click New Send Connector.
  • On the Introduction page, in the Name field, enter the name of the new send connector that will be used to send messages to the cloud-based organization. For example, To Cloud Service Connector.
  • In the Select the intended use for this Send connector drop-down box, select Internet, and then click Next.
  • On the Address space page, click Add.
  • In the SMTP Address Space dialog, enter the service-routing namespace in the Address space field, and then click OK. For example, service.domain.com. Click Next.
  • On the Network settings page, select Use domain name system (DNS) "MX" records to route mail automatically and click Next.
  • On the Source Server page, verify the Exchange 2010 Edge server is included in the server list. If not, click Add, select the Exchange 2010 Edge server, and then click OK. Click Next.
  • On the New Connector page, verify your settings and then click New.
  • In the details pane, right-click the new Send connector and then click Properties.
  • In the Properties dialog, enter the external fully qualified domain name (FQDN) of the Exchange 2010 Edge server in the Specify the FQDN this connector will provide in response to HELO or EHLO field. For example, mail.domain.com. Click OK.
Configure Default receive connector
  • In the console tree, click Server Configuration in the on-premises forest, and then click Hub Transport.
  • Select the Exchange 2010 hybrid server in the details pane, right-click the Default <servername> connector (Default EX2010 in this example), and then click Properties.
  • In the Receive connector properties window, click the Permission Groups tab.
  • Select Anonymous Users, and then click OK. This allows unauthenticated SMTP sessions on the hybrid server's default connector; because the Edge server is the Internet-facing host in this setup, keep this connector reachable only from the Edge server and your internal network.
Configure on-premises transport settings
For this procedure, you’ll use the Exchange Management Shell to configure the following:
  • Transport Layer Security (TLS) for all messages sent between your on-premises and cloud organizations.
  • Inbound and outbound messages sent between your on-premises and cloud organizations are trusted. Anti-spam rules won't be applied to these messages.
  • All mail sent to your cloud-based organization is routed through a FOPE smart host.
On your on-premises hybrid server, create a remote domain for inbound messages received from the cloud-based organization.
  • New-RemoteDomain "Inbound Remote Domain" -DomainName domain.com
On your on-premises hybrid server, create a remote domain for outbound messages sent to the cloud-based organization.
  • New-RemoteDomain "Outbound Remote Domain" -DomainName service.domain.com
On your on-premises hybrid server, configure the inbound remote domain to trust messages sent from the cloud-based organization.
  • Set-RemoteDomain "Inbound Remote Domain" -TrustedMailInboundEnabled $True
On your on-premises hybrid server, configure the outbound remote domain to enable trusted delivery of messages to the cloud-based organization.
  • Set-RemoteDomain "Outbound Remote Domain" -TrustedMailOutboundEnabled $True -TargetDeliveryDomain $True -AllowedOOFType InternalLegacy -AutoReplyEnabled $True -AutoForwardEnabled $True -DeliveryReportEnabled $True -NDREnabled $True -DisplaySenderName $True -TNEFEnabled $True
On your on-premises hybrid server, modify the Send connector created above (called "To cloud" in the command below; use the name you gave it, for example To Cloud Service Connector) to require TLS, validate the FOPE certificate, and route all mail sent to your cloud-based organization through the FOPE smart host.
  • Set-SendConnector "To cloud" -RequireTLS $True -TlsAuthLevel DomainValidation -TlsDomain mail.messaging.microsoft.com -Fqdn mail.domain.com -ErrorPolicies DowngradeAuthFailures
RequireTLS together with TlsAuthLevel DomainValidation means the Edge server will not send unless the FOPE side presents a certificate from a trusted CA whose name matches mail.messaging.microsoft.com; DowngradeAuthFailures turns a failed certificate validation into a transient error that is retried instead of a permanent NDR.
Configure Receive connector
Now, we create a receive connector for messages from the cloud.
Browse to: FOPE administration center
If this is your first time accessing FOPE, do the following:
  a. Click Need your password.
  b. Enter the e-mail address of the account in the cloud-based service in the User name field. This is the e-mail address you specified when you created the account in the cloud-based service. For example, admin@domain.onmicrosoft.com.
  c. Log on to your cloud-based service admin e-mail account at https://www.outlook.com/domain.com. Open the e-mail message sent by FOPE to that account and retrieve the password provided.
  d. Browse back to: FOPE administration center
Enter the e-mail address of the account in the cloud-based service in the User name field.
Enter your FOPE password in the Password field.
Click the Information tab, and then click Configuration.
Make a note of the IP addresses listed under IP addresses to configure on your firewall; the Receive connector below is restricted to these addresses.

On your on-premises Edge server, create a new Receive connector to accept messages from FOPE.
You cannot do this from the hybrid server: Receive connectors on an Edge server are local to that server, so log on to the Edge server and use its Exchange Management Shell.
The Receive connector is configured to accept connections only from the FOPE IP addresses obtained in the previous step and to treat messages sent by the cloud-based organization as internal messages. The FQDN configured on the connector must match the common name of the TLS certificate you assigned to SMTP in the first step. Exchange hands a connection to the Receive connector whose RemoteIPRanges matches the source address most specifically, so this connector takes precedence over the Edge server's default Internet connector for the FOPE addresses, and only those addresses get the AcceptOorgProtocol treatment; keep RemoteIPRanges limited to the FOPE list.
  • New-ReceiveConnector -Name "From Cloud" -Usage Internet -RemoteIPRanges <FOPE Outbound IP Addresses> -Bindings 0.0.0.0:25 -FQDN mail.domain.com -TlsDomainCapabilities mail.messaging.microsoft.com:AcceptOorgProtocol
The deployment guide shows mail2.domain.com, but you can use the FQDN of your Internet-facing Exchange Edge server.
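The Set-SendConnector, Set-RemoteDomain and New-ReceiveConnector commands above are easy to apply with one wrong parameter, and the only symptom is a bounce or an Anonymous header later. The following PowerShell is an added check, not from the original post or the deployment guide: it reads the settings back and reports anything that would weaken TLS or the internal trust. It assumes the names used on this page (connectors "To cloud" and "From Cloud", hybrid server EX2010, FQDN mail.domain.com) and decides which half to run by whether a local "From Cloud" Receive connector exists, so run it once in the Exchange Management Shell on the hybrid server and once on the Edge server.

```powershell
# Added example, not from the original post: read back the on-premises transport
# settings and report anything that weakens TLS or the cross-premises trust.
# Assumed names (replace with your own): "To cloud", "From Cloud", EX2010, mail.domain.com.
$edgeFqdn      = 'mail.domain.com'               # FQDN on both connectors and the certificate
$fopeTlsDomain = 'mail.messaging.microsoft.com'  # name in the FOPE certificate
$hybridServer  = 'EX2010'                        # hybrid (Hub Transport) server name

function Test-HybridSendSide {
    # Run on the hybrid server: org-wide Send connector, remote domains, default Receive connector.
    $problems = @()
    $sc = Get-SendConnector 'To cloud'
    if (-not $sc.RequireTLS) {
        $problems += 'To cloud: RequireTLS is False, mail to the cloud could fall back to cleartext'
    }
    if ("$($sc.TlsAuthLevel)" -ne 'DomainValidation') {
        $problems += "To cloud: TlsAuthLevel is '$($sc.TlsAuthLevel)', expected DomainValidation"
    }
    if ("$($sc.TlsDomain)" -ne $fopeTlsDomain) {
        $problems += "To cloud: TlsDomain is '$($sc.TlsDomain)', expected $fopeTlsDomain"
    }
    if ("$($sc.Fqdn)" -ne $edgeFqdn) {
        $problems += "To cloud: Fqdn is '$($sc.Fqdn)', expected $edgeFqdn (must match the certificate)"
    }
    if (-not (Get-RemoteDomain 'Inbound Remote Domain').TrustedMailInboundEnabled) {
        $problems += 'Inbound Remote Domain: TrustedMailInboundEnabled is False'
    }
    $out = Get-RemoteDomain 'Outbound Remote Domain'
    if (-not $out.TrustedMailOutboundEnabled) { $problems += 'Outbound Remote Domain: TrustedMailOutboundEnabled is False' }
    if (-not $out.TargetDeliveryDomain)       { $problems += 'Outbound Remote Domain: TargetDeliveryDomain is False' }
    $rc = Get-ReceiveConnector "$hybridServer\Default $hybridServer"
    if ("$($rc.PermissionGroups)" -notmatch 'AnonymousUsers') {
        $problems += "Default $hybridServer`: Anonymous Users permission group is missing"
    }
    $problems
}

function Test-EdgeReceiveSide {
    # Run on the Edge server: the local "From Cloud" Receive connector.
    $problems = @()
    $rc = Get-ReceiveConnector 'From Cloud'
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
    # An any-address range would let every Internet host reach the connector that can grant internal trust.
    if ($ranges.Count -eq 0 -or $ranges -contains '0.0.0.0-255.255.255.255' -or $ranges -contains '0.0.0.0/0') {
        $problems += 'From Cloud: RemoteIPRanges is not restricted to the FOPE addresses'
    }
    $caps = @($rc.TlsDomainCapabilities | ForEach-Object { "$_" })
    if (-not ($caps -match ('^' + [regex]::Escape($fopeTlsDomain) + ':.*AcceptOorgProtocol'))) {
        $problems += "From Cloud: no AcceptOorgProtocol capability for $fopeTlsDomain, cloud mail will arrive as Anonymous"
    }
    if ("$($rc.Fqdn)" -ne $edgeFqdn) {
        $problems += "From Cloud: Fqdn is '$($rc.Fqdn)', expected $edgeFqdn (must match the certificate)"
    }
    $problems
}

# Pick the half that applies to this server: only the Edge server has a local "From Cloud" connector.
if (Get-ReceiveConnector 'From Cloud' -ErrorAction SilentlyContinue) { $found = Test-EdgeReceiveSide }
else                                                                  { $found = Test-HybridSendSide }
if ($found) { $found | ForEach-Object { Write-Warning $_ } } else { 'Transport settings match the guide' }
```

The two settings that most often go wrong are TlsDomain (a typo there means DomainValidation can never succeed) and a RemoteIPRanges list copied before FOPE changed its addresses, which silently leaves cloud mail on the default Internet connector.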

Configure Cloud-Based transport settings
For this procedure, you’ll use the Shell to configure the following:
  • Configure the shared SMTP domain as an internal relay domain and set the domain as outbound only.
  • Inbound and outbound messages sent between your on-premises and cloud-organizations are trusted. Anti-spam rules won't be applied to these messages.
First, we need to connect to Exchange Online with remote PowerShell.
To do this, run the following in a "normal" (non-Exchange) PowerShell window:

$LiveCred = Get-Credential -credential admin@domain.onmicrosoft.com
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Get-Credential shows a login box where you enter your credentials; after that PowerShell connects to Exchange Online and imports the Exchange Online cmdlets into the local session.
In the cloud-based organization, create a remote domain for inbound messages received from the on-premises organization. The domain name must match the subject name of the certificate on the Edge server, mail.domain.com in this example.
  • New-RemoteDomain "Inbound Remote Domain" -DomainName mail.domain.com
In the cloud-based organization, create a remote domain for outbound messages sent to recipients in the on-premises organization. The domain must be the domain portion of the recipient address of on-premises recipients.
  • New-RemoteDomain "Outbound Remote Domain to On-Premises Recipients" -DomainName domain.com
In the cloud-based organization, configure the inbound remote domain to trust messages sent from the on-premises organization.
  • Set-RemoteDomain "Inbound Remote Domain" -TrustedMailInboundEnabled $True
In the cloud-based organization, configure the outbound remote domain to on-premises recipients to enable trusted delivery of messages to the on-premises organization and enable rich e-mail client features.
  • Set-RemoteDomain "Outbound Remote Domain to On-Premises Recipients" -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy -AutoReplyEnabled $True -AutoForwardEnabled $True -DeliveryReportEnabled $True -NDREnabled $True -DisplaySenderName $True -TNEFEnabled $True
In the cloud-based organization, also mark the default remote domain (Internet recipients) as trusted outbound. Mail from cloud mailboxes to the Internet is routed through the on-premises organization in this scenario, so it travels the same trusted path to the Edge server.
  • Set-RemoteDomain Default -TrustedMailOutboundEnabled $True
In the cloud-based organization, set the accepted domain for the shared SMTP domain to be an internal relay domain, and set the domain as outbound only, using the following command.
  • Set-AcceptedDomain "domain.com" -DomainType InternalRelay -OutboundOnly $True
Configure FOPE to route mail to and from on-premises organization
Browse to: FOPE administration center
Enter the e-mail address of the account in the cloud-based service in the User name field.
Enter your FOPE password in the Password field.
Within FOPE, do the following:
Click the Administration tab, and then click the Company tab.
Click Add next to Inbound Connectors under Connectors.
In the Add inbound Connector dialog, configure the following
  • Name Enter a name for the inbound connector.
  • Description Enter a description for the inbound connector.
  • Under Connector Scope, specify *.* in the Sender Domains text box.
  • Under Connector Scope, specify the source IP address that your firewall presents to hosts on the Internet in the Sender IP Addresses text box. Depending on the configuration of your firewall, this might be the external IP address of your Edge server, or it might be the WAN IP address of the firewall. If you want to specify a range of IP addresses, use CIDR notation. You can also specify multiple IP addresses by separating each IP address with a comma.
  • Select Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above.
  • Under Connector Settings, select the Force TLS option in Transport Layer Security (TLS) Settings (or choose Opportunistic TLS for testing purposes if you are not sure your TLS configuration is correct).
  • Select the Sender certificate matches check box and, in the associated text field, specify the certificate subject name that you configured on the on-premises Edge server certificate ( first step in this guide ). For example, mail.domain.com.
  • Make sure that all the check boxes under Filtering in Connector Settings are cleared.
  • Click Save.
Click Enforce next to the inbound connector you just created. Click OK on the Enforce Inbound Connector dialog box.
Click Add next to Outbound Connectors under Connectors settings.
In the Add outbound Connector dialog, configure the following:
  • Name Enter a name for the outbound connector.
  • Description Enter a description for the outbound connector.
  • Under Connector Scope, specify *.* in the Recipient Domains text box.
  • Under Message Delivery Settings, select the Deliver all messages to the following destination check box.
  • Select the Fully Qualified Domain Name option and specify the external FQDN of the on-premises Edge server. For example, mail.domain.com.
  • Under Transport Layer Security (TLS) Settings, select The recipient certificate matches and, in the associated text field, specify the certificate subject name that you configured on the on-premises Edge server. For example, mail.domain.com (or choose Opportunistic TLS for testing purposes if you are not sure your TLS configuration is correct).
  • Click Save.
I chose opportunistic TLS instead of forced TLS.
Forefront Online Protection for Exchange (FOPE) uses opportunistic TLS by default, which means that if your server is correctly configured for TLS, FOPE will communicate via TLS.

If TLS is not set up correctly (wrong certificate, or no certificate assigned to SMTP) and forced TLS is configured instead of opportunistic TLS, cross-premises e-mail will bounce because the TLS requirements are not met. With opportunistic TLS the same misconfiguration bounces nothing: the mail may be delivered in the clear and is no longer treated as internal (the AuthAs header described below then shows Anonymous), so check the headers again after any certificate change.

Click Enforce next to the outbound connector you just created. Click OK on the Enforce Outbound Connector dialog box.
Now the transport configuration for communication between the Edge server and Office 365 is ready!

You can test this by sending an email with an on-prem user to a cloud mailbox and vice versa.
Take a look at the internet headers for both emails.
If everything is set up correctly, the X-MS-Exchange-Organization-AuthAs header should be Internal. This means that messages from Office 365 to on-premises and vice versa are treated as internal.

If you missed something and TLS is not set up correctly, the header shows Anonymous.
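To check the headers without reading them by eye, here is an added PowerShell example (not from the original post) that unfolds a message's Internet headers, pulls out the X-MS-Exchange-Organization-AuthAs value and lists each Received hop with whether Exchange recorded TLS for it. The header text in the block is a constructed sample in the shape Exchange 2010 writes, with placeholder host names and documentation IP addresses; paste your own headers (for example from Outlook's message options) into $RawHeaders instead.

```powershell
# Added example, not from the original post: parse Internet headers of a test
# message and report the AuthAs value and the TLS state of each Received hop.
function Get-HybridHopInfo {
    param([string]$RawHeaders)

    # Unfold RFC 5322 continuation lines: a line starting with whitespace continues the previous header.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    $authAs = $null
    foreach ($line in $lines) {
        if ($line -match '^X-MS-Exchange-Organization-AuthAs:\s*(\S+)') { $authAs = $Matches[1]; break }
    }

    # Exchange writes "with Microsoft SMTP Server (TLS) id ..." when the hop was encrypted.
    $hops = @()
    foreach ($line in $lines) {
        if ($line -match '^Received:\s*from\s+(\S+).*?\sby\s+(\S+).*?\swith\s+(.+?)\s+id\s') {
            $hops += New-Object PSObject -Property @{
                From = $Matches[1]
                By   = $Matches[2]
                With = $Matches[3]
                Tls  = ($Matches[3] -match '\(TLS\)')
            }
        }
    }

    New-Object PSObject -Property @{
        AuthAs     = $authAs
        IsInternal = ($authAs -eq 'Internal')
        Hops       = $hops
    }
}

# Constructed sample (not a real capture): one FOPE-to-Edge hop over TLS, one FOPE-internal hop without.
$sampleHeaders = @"
Received: from mail.messaging.microsoft.com (203.0.113.10) by EDGE01.domain.local
 (192.0.2.25) with Microsoft SMTP Server (TLS) id 14.1.339.1; Thu, 8 Dec 2011
 10:15:02 +0100
Received: from VA3EHSOBE004.bigfish.com (10.7.40.24) by mail.messaging.microsoft.com
 (10.7.14.247) with Microsoft SMTP Server id 14.1.225.23; Thu, 8 Dec 2011
 09:15:00 +0000
X-MS-Exchange-Organization-AuthSource: EDGE01.domain.local
X-MS-Exchange-Organization-AuthAs: Internal
From: cloud.user@domain.com
To: onprem.user@domain.com
Subject: hybrid routing test
"@

$info = Get-HybridHopInfo -RawHeaders $sampleHeaders
$info.Hops | Format-Table From, By, Tls -AutoSize
if ($info.IsInternal) {
    'Cross-premises hop was accepted as Internal'
} else {
    Write-Warning "AuthAs is '$($info.AuthAs)': the message was not trusted; check the certificate, RemoteIPRanges and TlsDomainCapabilities on the From Cloud connector"
}
```

On the sample the first hop (FOPE to EDGE01) reports Tls True and AuthAs Internal; a message whose Edge hop shows Tls False together with AuthAs Anonymous is the symptom of the opportunistic-TLS fallback described above.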
Hope this helps!
In SP2 the Hybrid Configuration wizard will deal with all these steps, although I haven't seen any settings for Edge servers yet.

UPDATE:
Since the beginning of January 2012 there is an Office 365 community wiki page about configuring hybrid deployments with an Exchange Edge server:
http://community.office365.com/en-us/w/exchange/configuring-mail-routing-with-an-exchange-2010-edge-transport-server-in-a-hybrid-deployment.aspx
