Solved

Design Question: Office 365 + Exchange 2016 Hybrid

Posted on 2016-08-23
Last Modified: 2016-10-07
Hello All!

I was wondering if any expert minds had a better way to do this.  We want to have this setup in our environment:

Capture.PNG
The only issue is that the number of IPs required to pass through the firewall under Exchange Online at this URL is quite large.  Adding it to both the connector on our on-prem Exchange server and firewall makes it extremely messy.

The reason we desire this flow is for our signature software (CodeTwo Exchange) that stamps everyone's outbound e-mail with the standard signature.  We also have journaling but that doesn't affect it either way.  

We currently have it set up so that the Office 365 mail is going right to Proofpoint (as a test).  It makes firewall rules+connector whitelisting much easier but there are issues with internal e-mails being tagged as phishing e-mails + signature issues.  

Any ideas/tips & tricks would be much appreciated.
Question by:Edward Cho
5 Comments
 
LVL 43

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 41767153
Ok, so you want Incoming mail to go through Proofpoint, then on-prem, then cloud, correct? And Outgoing should do the reverse?

You'll first want to run through the Hybrid Configuration Wizard tool that is available from MS through O365 to set up the relationship between the on-prem server and Office 365. That will actually create the connectors necessary to communicate with O365 along with all the necessary IPs. In the wizard you would just configure things using the option to have all mail go through your on-prem environment.

The issue with Office 365 messages getting flagged as spam through Proofpoint is actually kind of tricky to resolve, since it would require you to white-list either all O365 IPs or configure it so your email domain is acceptable in the From: field for incoming mail, both of which significantly increase the amount of spam you'll get, since any spam sent from a different O365 tenant would end up getting allowed, and using your address in From: is a common spam tactic.

You'll also need to disable all spam filtering in Exchange Online. If you have your mail-flow going through Proofpoint, you'll be double filtering messages, which is just a huge problem. Getting rid of Proofpoint would simplify things, since Exchange Online does have some fairly capable Spam/malware filters already, but if Proofpoint has features you require, you can of course continue doing things through their systems.
0
 
LVL 4

Author Comment

by:Edward Cho
ID: 41767173
Thanks for the reply!  

I did forget to mention that we did run the O365 Hybrid Config but had to modify the outbound connector rules to directly go to Proofpoint for the O365 environment.  Incoming e-mails actually flow perfectly.  

We do want to keep Proofpoint since we also utilize the Archiving function from Proofpoint.  

I did think about whitelisting O365 IPs and just getting over it but the increase in spam is also a huge concern for us.  

Thanks.
0
 
LVL 49

Assisted Solution

by:Jackie Man
Jackie Man earned 500 total points
ID: 41768242
Whitelisting O365 IPs is not easy to do.

Why not connect Office 365 directly to Proofpoint? You can have CodeTwo Exchange integrate with Office 365.

http://www.codetwo.com/email-signatures/
1
 
LVL 4

Author Comment

by:Edward Cho
ID: 41768643
That's what we were thinking as well -- CodeTwo does offer a nice solution.  The only issue is Proofpoint quarantines internal e-mails going from O365 <=> Exchange.  Not sure if there's anything around this without disabling the spoofing feature (which we do get a lot).  

I guess I could try adding the ranges to our DKIM/SPF?
0
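The two points raised in this thread, allowlisting a provider's shared IP ranges and adding those ranges to SPF, rest on the same check: the connecting address. The following is an added example, not code from any poster or vendor, that evaluates a small subset of SPF (`ip4`, `include`, `all`) over a constructed zone. The domains `corp.example` and `shared-cloud.example` and all addresses are placeholders, and the assumption that two tenants send from one shared pool is modelled, not measured.

```python
import ipaddress

# Constructed TXT records; the domains and ranges are placeholders
# (RFC 5737 documentation addresses), not real Office 365 ranges.
ZONE = {
    "corp.example": "v=spf1 ip4:198.51.100.10 include:shared-cloud.example -all",
    "shared-cloud.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, zone=ZONE, depth=0):
    """Evaluate ip4, include and all mechanisms (a subset of RFC 7208)."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                       # RFC 7208 caps DNS-querying terms
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the nested check returns pass
            matched = check_spf(ip, value, zone, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"           # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

# Constructed connections: (description, connecting IP)
SAMPLES = [
    ("on-prem Exchange", "198.51.100.10"),
    ("own cloud tenant", "192.0.2.25"),
    ("different tenant, same shared pool", "192.0.2.77"),
    ("unrelated host", "203.0.113.5"),
]

def evaluate_samples():
    return {desc: check_spf(ip, "corp.example") for desc, ip in SAMPLES}

if __name__ == "__main__":
    for desc, result in evaluate_samples().items():
        print(f"{desc:40} {result}")
```

Both addresses in the shared pool return `pass`, so a filter that keys on the range alone cannot tell the two tenants apart.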
 
LVL 8

Assisted Solution

by:CodeTwo Software
CodeTwo Software earned 500 total points
ID: 41771343
Hello Edward,

Our (CodeTwo) Support team will be happy to assist you.

Could you please PM your email address so that one of our technicians can contact you to discuss which CodeTwo application would suit you best?

Best regards,
Adam
0

Question has a verified solution.