Exchange Online Protection Overview
In this blog post, I want to talk about Exchange Online Protection and how it can help you protect your cloud (a.k.a. hosted) and/or on-premises mailboxes.
I have deployed Exchange Online Protection, or EOP, for a couple of years now, and I got the chance to evaluate the product and understand how it works in great detail. I hope you will find this blog post relevant and useful.
The world before Exchange Online Protection
Do you remember when you used to have a hardware box or server in your datacenter acting as your anti-spam filter? All incoming emails from the internet would pass through that box or server, spam emails got filtered, and perhaps an antivirus engine would clean any attachments. Microsoft used to offer a Forefront for Exchange server installation that acted as such an anti-spam box, but it is out of support now, leaving many customers wondering what to do next.
I worked with many anti-spam solutions, like IronPort from Cisco, Websense and even Microsoft Forefront for Exchange. They are all good products, and they all share one thing in common: they are all on-premises solutions that require maintenance, patching, configuration and the usual overhead of checking definition updates. You might have a monitoring solution watching them, or you might not bother to do so.
Of course, you have the usual scenario where someone important in your company is calling, asking about an email that was not delivered, and he needs an answer now. You would spend some time tracing his message, depending on how friendly your anti-spam solution is when it comes to message tracking.
Furthermore, you need to worry about reporting and audit logs. Perhaps you want some integration with your local directory, so that people using the product log in with the same corporate credentials. Also, once a year, you might get a call from some business unit asking you about the total number of emails your company receives per month or so.
Add to that today's high demand on compliance and security requirements: you are asked to implement a DKIM digital signature for outgoing messages. You start adding plugins or a third-party piece of software to stamp each outgoing message with a digital signature. When I started doing that with Forefront for Exchange years back, I had to use an open source component on one server to do the DKIM thing, ending up with a single point of failure.
Then attacks became smarter, and they use email attachments to get in. You quickly recognize that the normal antivirus definitions on your anti-spam box are not enough to stop zero-day attacks. Now you need to consider one of those expensive solutions like FireEye, and install a couple of boxes in your data center just to handle zero-day attacks.
You would also realize by now that phishing attacks are becoming smarter, and they use email messages to trick your users. You start to think of a way to inspect each hyperlink inside incoming messages, and things become more complicated if that hyperlink actually points to an infected document.
It goes without saying that the game has changed, and your old way of protecting your mailboxes from incoming messages should be revisited.
I visited a company once where they had a separate DMZ subnet for a pool of Exchange Hub servers, protected by an advanced firewall, then another subnet with IronPort appliances for filtering incoming email messages, and on top of that, FireEye boxes to inspect for zero-day attacks. Finally, they used a Palo Alto advanced firewall to publish and protect the whole show. They had at least two boxes in each layer, and a separate mirrored data center for disaster recovery. Add to this a team responsible for monitoring this complex implementation and for tracking messages.
There is absolutely nothing wrong with that. Each piece of equipment is mitigating a risk that the company is not willing to accept. My point is that nowadays you can simply offload all of that to a cloud service that does the same, but with higher availability and better control.
Exchange Online Protection or EOP
What if you could offload the anti-spam and anti-virus functionality for your on-premises mailboxes to a trusted cloud solution? What if you could focus on your email systems and mailboxes, and stop worrying about inspecting incoming emails and filtering the noise? Instead of all these hardware boxes and solutions, and all the money they cost, you simply connect to a cloud solution.
“Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware, and includes features to safeguard your organization from messaging-policy violations. EOP can simplify the management of your messaging environment and alleviate many of the burdens that come with maintaining on-premises hardware and software.”
Of course, it goes without saying, that if you have Office 365 hosted mailboxes, then you are already using EOP.
People think that using a cloud anti-spam solution is something complex that requires a lot of experience and cloud knowledge. Let me give you a small example of how I think about this. Your on-premises email servers today might be using a third-party anti-spam solution in the form of a box or server. So your MX records point to this box or server, and mail is then routed to your internal email servers via SMTP.
Well, the same applies with EOP. Instead of having that anti-spam box or server in your network, it is simply an address on the internet. Your MX records point to that address, so incoming messages hit EOP first and are then routed to your email servers via SMTP. Same concept, but stretched out. Two things to notice here:
- Only clean emails are routed to your on-premises network, which saves you from most spam emails hitting your IPs.
- Your on-premises email system still listens on port 25 from the internet, but only accepts a connection that is secured with TLS using the digital certificate previously exchanged with EOP. This ensures that your email system accepts incoming messages from the internet only when they originate from EOP.
EOP can protect your Office 365 mailboxes and your on-premises mailboxes. You do not need to be running Microsoft Exchange on-premises to benefit from EOP. You could be using any email system and still use EOP as your anti-spam filter.
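The mail flow just described, as an added example that is not from the original post: the two Exchange Online PowerShell connectors that carry mail between EOP and an on-premises system, plus a check that the MX record now points at EOP rather than at the old on-premises box. The domain contoso.com, the host mail.contoso.com and the certificate name are placeholders; the ExchangeOnlineManagement module and the Windows DnsClient cmdlet Resolve-DnsName are assumed to be available.

```powershell
# Added example (not from the original post). Placeholder values below:
$Domain     = 'contoso.com'        # accepted domain protected by EOP
$OnPremHost = 'mail.contoso.com'   # on-premises SMTP host that EOP delivers to
$OnPremCert = 'mail.contoso.com'   # subject/SAN on the on-premises TLS certificate

Connect-ExchangeOnline             # ExchangeOnlineManagement module

# 1. EOP -> on-premises: deliver filtered mail to the on-prem host over TLS and
#    accept only the certificate issued to that host name (DomainValidation),
#    so a spoofed smart host cannot receive the clean mail stream.
New-OutboundConnector -Name 'EOP to on-premises' `
    -ConnectorType OnPremises `
    -RecipientDomains $Domain `
    -SmartHosts $OnPremHost `
    -UseMXRecord $false `
    -TlsSettings DomainValidation `
    -TlsDomain $OnPremCert

# 2. On-premises -> EOP: mail from the on-prem system is treated as internal
#    only when it arrives over TLS presenting that same certificate.
New-InboundConnector -Name 'On-premises to EOP' `
    -ConnectorType OnPremises `
    -SenderDomains $Domain `
    -RequireTls $true `
    -TlsSenderCertificateName $OnPremCert `
    -RestrictDomainsToCertificate $true

# 3. Verify that internet mail really enters through EOP: the lowest-preference
#    MX must be the tenant's *.mail.protection.outlook.com host.
$mx = Resolve-DnsName -Name $Domain -Type MX |
      Where-Object { $_.NameExchange } |
      Sort-Object Preference
$mx | Select-Object Name, NameExchange, Preference
if (-not $mx) {
    Write-Warning "No MX record found for $Domain."
}
elseif ($mx[0].NameExchange -notlike '*.mail.protection.outlook.com') {
    Write-Warning "Lowest-preference MX ($($mx[0].NameExchange)) is not EOP; internet mail still bypasses the filter."
}
```

The connectors only define EOP's side of the handshake. The on-premises system must enforce the other half itself, by restricting its internet-facing port 25 listener (firewall rules or receive connector) to Microsoft's published EOP address ranges and requiring TLS, otherwise a sender who knows the on-premises host name can still deliver directly and skip the filtering.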
Deep integration with your directory and Outlook
What I like about Exchange Online Protection or EOP is the integration it offers with your own directory. If you are using Azure Active Directory, or you are syncing your own directory with Azure Active Directory via AAD Connect, then Exchange Online Protection can enforce Directory Based Edge Blocking (DBEB). With this feature, Exchange Online Protection will sync with your Azure Active Directory, and will be aware of all your email recipients. When an email comes from the internet, EOP will check the recipient and perform a lookup in Azure AD to see if that recipient exists. If it does not exist, the message will not pass through.
The other interesting part is how Safe Senders and Blocked Senders lists from the user's Outlook are used by Exchange Online Protection. This can help a lot with false positives. When the user marks a sender as safe from his desktop Outlook client or Outlook on the web, this information is stored on his Active Directory object. Through Azure AD Connect, this information is synced to Azure Active Directory and picked up by EOP, which will honor it when evaluating future messages. Let me give a quick example. Let us suppose that:
- John@contoso.com sends an email to both Smith and Mark.
- Smith added John@contoso.com to his safe senders while Mark did not.
- EOP decided that the message from John should not pass due to some content filtering logic.
- The message will still arrive for Smith, but not for Mark.
- Smith is happy now, because his Outlook client communicated his decision to EOP, and EOP respected his choice to mark John as a safe sender.
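The two behaviours above from the admin side, as an added example that is not from the original post: enabling Directory Based Edge Blocking for an accepted domain, checking which recipients EOP can actually resolve, and inspecting or extending a user's safe-sender list with the junk-email configuration cmdlets. fabrikam.com as the recipients' domain and the smith, mark and nobody addresses are placeholders; john@contoso.com is the sender from the post's example. The cmdlets come from the ExchangeOnlineManagement module; the junk-email cmdlets are run against whichever Exchange (Online or on-premises) hosts the mailbox that owns the list.

```powershell
# Added example (not from the original post). Placeholder values below:
$Domain = 'fabrikam.com'      # accepted domain whose recipients are synced to Azure AD
$Sender = 'john@contoso.com'  # sender from the post's example

Connect-ExchangeOnline        # ExchangeOnlineManagement module

# 1. DBEB applies to authoritative accepted domains whose recipients are synced
#    from Azure AD. Switch the domain type only after every valid recipient in
#    the domain is synced; once Authoritative, mail to any address EOP does not
#    know is rejected at the edge, before content filtering runs.
Set-AcceptedDomain -Identity $Domain -DomainType Authoritative
Get-AcceptedDomain -Identity $Domain | Select-Object Name, DomainType

# 2. Preview the effect: which of these addresses does EOP know about?
foreach ($user in 'smith', 'mark', 'nobody') {
    $address = "$user@$Domain"
    $rcpt = Get-Recipient -Identity $address -ErrorAction SilentlyContinue
    if ($rcpt) {
        '{0,-22} known to EOP ({1})' -f $address, $rcpt.RecipientType
    }
    else {
        '{0,-22} unknown: DBEB will reject mail to this address' -f $address
    }
}

# 3. Safe senders: Smith's Outlook list lives on his mailbox/AD object and is
#    synced to EOP. Show the current lists for both users from the admin side.
foreach ($user in 'smith', 'mark') {
    Get-MailboxJunkEmailConfiguration -Identity "$user@$Domain" |
        Select-Object Identity, Enabled, TrustedSendersAndDomains, BlockedSendersAndDomains
}

# Add the sender to Smith's safe list (same effect as Smith doing it in Outlook);
# Mark's list stays untouched, so a message from $Sender that the content filter
# flags is delivered to Smith and junked for Mark, as in the post's example.
Set-MailboxJunkEmailConfiguration -Identity "smith@$Domain" `
    -TrustedSendersAndDomains @{Add = $Sender}
```

Step 2 is the check worth running before step 1 in production: any legitimate recipient that shows up as unknown (a distribution list or shared mailbox that was never synced, for instance) will start bouncing the moment the domain becomes Authoritative.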
How is it licensed?
The service is licensed by the number of mailboxes you have. Of course if you have Office 365 mailboxes, then those are already protected by EOP.
- Standalone EOP provides cloud-based email protection for your on-premises mailboxes.
- EOP features as part of Exchange Online.
- Exchange Enterprise CAL with Services, where EOP protects your on-premises mailboxes like standalone EOP, and also includes data loss prevention (DLP) and reporting using web services.
You can check the Exchange Online Protection pricing here to get an idea of how much it costs.
To demonstrate the power of the cloud, think about how easy it is to add advanced features and plugins to Exchange Online Protection. You can purchase an additional license for Exchange Advanced Threat Protection, or ATP, and suddenly all your mailboxes that are protected by EOP benefit from the ATP features.
Exchange Advanced Threat Protection integrates perfectly with EOP. You just need to purchase a license, and if your mailboxes are already protected by EOP, they get the extra protection features. Nothing needs to be done beyond purchasing the license.
With ATP, you get two advanced features that are focused on protecting your users from zero-day attacks and suspicious hyperlinks inside your emails. I might dedicate a later blog post to these features.
Trustworthy solution
Years back, when I decided to look at Exchange Online Protection, I was not sure that EOP could do the same as my expensive on-premises anti-spam solutions. Now, I am confident that EOP provides high-end, enterprise-level email protection that can be used by extremely secure and sensitive corporations and businesses. There is no doubt at all that this product is solid. It has all it takes to be ranked as one of the best anti-spam solutions out there. It does not matter if you have Exchange on-premises or are using Office 365. EOP is flexible enough to work with almost any environment.