Messaging
Workshop purpose and objective

Workshop purpose
- Facilitate planning discussions for messaging coexistence
- Considerations of Office 365 limits and features

Objectives
Identify Microsoft Office 365 messaging requirements for:
- Hybrid deployment
- Mail-enabled applications
- Recipient and sender limits
- Messaging limits
- Mailbox retention
- Default retention rules
- In-Place Hold
- Mobile devices / MDM
Plan email coexistence and mail-enabled applications

Workshop topics
- Plan approach for Staged Migration
- Plan approach for Exchange hybrid environment

Mail migration planning
- Plan deployment approaches for enabling a Staged Exchange Migration (SEM) messaging infrastructure, including necessary hardware and configuration.
- Plan deployment approaches for enabling a hybrid messaging infrastructure, including necessary hardware and configuration.
- Provide awareness of bandwidth considerations for both mail migration and day-to-day communication performance between the on-premises organization and the online service.

Limits and features
Office 365 has a few limits that need to be considered, as well as new features that can be leveraged both during and after migrations.
SEM features and benefits
- Simple and flexible migration solution
- High-fidelity solution: all mailbox content is migrated
- Typically best suited to medium and large organizations
- Users are provisioned with Directory Sync prior to migration
- No limit on the number of mailboxes
- Users can be migrated in batches (up to )
- Works with Exchange 2003 and 2007 only, on-premises or hosted
- Identity management stays on-premises
- No on-premises migration tool is required
SEM requirements and limitations
- Outlook Anywhere service on source system (m
- Directory Sync tool enabled
- SEM is not supported with Exchange 2010 and 2013
- Only simple coexistence is available (no sharing of free/busy, calendar, etc.)
SEM accounts and passwords
- Account provisioning
- Passwords
SEM data migration scope

Migrated
- Mail messages and folders
- Rules and categories
- Calendar (normal, recurring)
- Out-of-Office settings
- Contacts
- Tasks
- Delegates and folder permissions
- Outlook settings (e.g. favorites)

Not migrated
- Security groups, DDLs
- System mailboxes
- Dumpster
- Send-As permissions
- Messages larger than 25 MB

Partial migrations are not possible (no folder exclusion or time range).
SEM batch file format
SEM User Experience recreated
Mail routing: pre-coexistence (diagram)
- MX record for contoso.com points to the on-premises Exchange message filtering layer.
- On-premises Active Directory user object is mailbox-enabled; ProxyAddresses: SMTP:John.Doe@contoso.com
Mail routing: on-premises to Office 365 (diagram)
- MX record for contoso.com still points to the on-premises Exchange message filtering layer.
- On-premises Active Directory user object is mail-enabled (not mailbox-enabled):
  ProxyAddresses: SMTP:John.Doe@contoso.com
  TargetAddress: SMTP:John.Doe@contoso.mail.onmicrosoft.com
- Office 365 online directory user is logon-enabled and mailbox-enabled:
  ProxyAddresses: SMTP:John.Doe@contoso.com, smtp:John.Doe@contoso.onmicrosoft.com, smtp:John.Doe@contoso.mail.onmicrosoft.com
- MX records for contoso.onmicrosoft.com and contoso.mail.onmicrosoft.com point to Exchange Online Protection.
- Directory objects are kept in step by DirSync through the DirSync web service.
Mail routing: Office 365 to on-premises (diagram)
- MX record for contoso.com points to the on-premises Exchange message filtering layer.
- On-premises Active Directory user object is mailbox-enabled; ProxyAddresses: SMTP:Jane.Doe@contoso.com
- Office 365 online directory user is logon-enabled and mail-enabled (not mailbox-enabled):
  ProxyAddresses: SMTP:Jane.Doe@contoso.com, smtp:Jane.Doe@contoso.onmicrosoft.com, smtp:Jane.Doe@contoso.mail.onmicrosoft.com
  TargetAddress: SMTP:Jane.Doe@contoso.com
- MX records for contoso.onmicrosoft.com and contoso.mail.onmicrosoft.com point to Exchange Online Protection.
- Directory objects are kept in step by DirSync through the DirSync web service.
SEM migration flow
1. Configure Outlook Anywhere; test using ExRCA
2. Assign migration permissions
3. Configure Directory Sync
4. Wizard: enter server settings and admin credentials
5. Initial sync
6. Change MX record
7. Mark migration as complete
8. Final sync and cleanup
9. License users
Convert mailboxes after a SEM
PowerShell scripted:
- Convert Exchange 2003 mailboxes to mail-enabled users after a staged Exchange migration
- Convert Exchange 2007 mailboxes to mail-enabled users after a staged Exchange migration
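The deck refers to Microsoft's scripted conversion. The function below is an added example written for this page, not Microsoft's conversion scripts, and it covers only the Exchange 2007 variant (the 2003 variant works through ADSI rather than Exchange cmdlets). It turns one mailbox into the mail-enabled user shown in the "on-premises to Office 365" routing diagram: the primary SMTP address stays on contoso.com, a target address on the coexistence domain makes on-premises Exchange hand the mail to Office 365, and the old LegacyExchangeDN is kept as an X500 proxy so cached Outlook recipients still resolve. It assumes the Exchange 2007 Management Shell is loaded and the cloud mailbox already exists; the -CoexistenceDomain value and the optional -CloudLegacyExchangeDN are caller-supplied assumptions.

```powershell
# Added example, not Microsoft's Exchange2007MBtoMEU script: convert one Exchange 2007
# mailbox to a mail-enabled user (MEU) after a staged migration. Requires the Exchange 2007
# Management Shell; CoexistenceDomain (e.g. contoso.mail.onmicrosoft.com) and the cloud
# mailbox's LegacyExchangeDN are supplied by the caller.
function Convert-MailboxToMailUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [string] $CoexistenceDomain,
        [string] $CloudLegacyExchangeDN
    )

    $mailbox = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # Disable-Mailbox strips the Exchange attributes from the AD user, so capture
    # everything the MEU must keep before touching the object.
    $primary  = $mailbox.PrimarySmtpAddress.ToString()
    $proxies  = @($mailbox.EmailAddresses | ForEach-Object { $_.ProxyAddressString })
    $onPremDN = $mailbox.LegacyExchangeDN

    # Target address on the coexistence domain: on-premises Exchange routes the MEU's
    # mail there, and EOP/Exchange Online deliver it to the cloud mailbox.
    $target    = 'SMTP:{0}@{1}' -f $mailbox.Alias, $CoexistenceDomain
    $secondary = 'smtp:{0}@{1}' -f $mailbox.Alias, $CoexistenceDomain
    if ($proxies -notcontains $secondary) { $proxies += $secondary }

    # Old LegacyExchangeDN as X500 keeps replies to pre-migration messages resolving;
    # the cloud DN (if supplied) does the same for mail the cloud mailbox has already sent.
    $proxies += "X500:$onPremDN"
    if ($CloudLegacyExchangeDN) { $proxies += "X500:$CloudLegacyExchangeDN" }

    if ($PSCmdlet.ShouldProcess($primary, "Convert mailbox to mail-enabled user (target $target)")) {
        Disable-Mailbox -Identity $Identity -Confirm:$false
        Enable-MailUser -Identity $Identity -ExternalEmailAddress $target
        # Restore the full proxy list; the single upper-case SMTP: entry remains the primary.
        Set-MailUser -Identity $Identity -EmailAddresses $proxies
    }

    # Return what was applied so a batch run can be logged and reconciled afterwards.
    [pscustomobject]@{
        Identity       = $Identity
        PrimarySmtp    = $primary
        TargetAddress  = $target
        ProxyAddresses = $proxies
    }
}

# Usage (dry run first; drop -WhatIf to apply):
Convert-MailboxToMailUser -Identity 'John.Doe' -CoexistenceDomain 'contoso.mail.onmicrosoft.com' -WhatIf
```

Run it once per migrated batch after the batch is marked complete, and keep the returned objects: they are the record that lets you confirm that every converted user carries exactly one primary SMTP address, a coexistence-domain target, and its X500 entries.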
Plan approach for Exchange hybrid environment
Plan deployment approaches for enabling a hybrid messaging infrastructure. Coexistence is a difficult state.

- Hybrid deployment capabilities
- Deployment requirements
- Deployment configuration changes

Workshop participants and outcomes
- Participants: technical leads (email and Active Directory)
- Outcome: document the required steps to enable a hybrid deployment.
Hybrid server requirements (on-premises organization)

On-premises environment                           Exchange 2010 SP3 hybrid   Exchange 2013 CU1 or higher hybrid
Exchange 2013 CU1 or higher                       Not applicable             Supported
Exchange 2010 SP3 or higher                       Supported                  Supported (1)
Exchange 2010 SP2                                 Supported (4)              Not supported (2, 3)
Exchange 2010 SP1                                 Out of support             Out of support
Exchange 2007 SP3 RU10                            Supported                  Supported (1)
Exchange 2007 SP3                                 Not supported              Not supported
Exchange 2003 SP2 + all current Windows updates   Supported                  Not supported (3)

Notes:
1. Requires at least one on-premises Exchange 2013 CU1 or greater server.
2. All Exchange 2010 infrastructure must be running SP3 for an Exchange 2013 or higher hybrid.
3. Blocked in Exchange 2013 setup.
4. CAS, HT and MBX Exchange 2010 SP2 servers are supported with a dedicated pool of Exchange 2010 SP3 hybrid servers.
Simple and hybrid deployment capabilities

Feature                                                                   Simple   Hybrid
Mail routing between on-premises and online                               Yes      Yes
Unified GAL                                                               Yes      Yes
Free/busy and calendar sharing cross-premises                             No       Yes
Out-of-office understands that cross-premises is internal                 No       Yes
MailTips, message tracking, and mailbox search cross-premises             No       Yes
Smart redirection, OWA, Autodiscover, etc.                                No       Yes
Outbound mail can be routed on-premises (DLP inspection, etc.)            No       Yes
Secure mail routing (TLS plus mutual authentication) cross-premises       No       Yes
Exchange Management Console (on-premises) administration of Office 365   No       Yes
Mailbox move support for on-boarding and off-boarding                     No       Yes
No OST re-sync after mailbox migration                                    No       Yes
Public folder coexistence (replica must be Exchange 2007/2010)            No       Yes

Follow-up actions and additional information from prior assessments
Service enablement plan: draft implementation plan to address affected items in the current messaging environment, to enable hybrid deployment.
Considerations: [List specific issues uncovered or context from prior assessments]
Hybrid coexistence feature example: cross-premises free/busy and calendar sharing
- Creates the look and feel of a single, seamless organization for meeting scheduling and calendar management
- Works with any supported Outlook client

Hybrid coexistence feature example: cross-premises MailTips
- Correct evaluation of internal vs. external organization context
- Allows awareness and correct Outlook representation of MailTips

Hybrid coexistence feature example: cross-premises mail flow
- Preserves internal organizational headers (e.g. the authentication header)
- The message is considered trusted, and the sender resolves to rich recipient information in the GAL (not just an SMTP address)
- Restrictions specified for that recipient are honored
Hybrid architecture (diagram)
- On-premises Exchange org: existing Exchange 2003 or later plus an Exchange hybrid server, connected to Office 365.
- Directory Synchronization app: users, groups and contacts flow to Office 365 via DirSync.
- Secure mail flow between the Exchange hybrid server and Office 365.
- Sharing (free/busy, MailTips, archive, etc.) between the Exchange hybrid server and Office 365.
- Mailbox data moves to Office 365 via MRS (Mailbox Replication Service).
Exchange hybrid deployment (diagram)
Diagram components: Exchange 2010 or 2007 Hub/MBX/CAS servers (SP/RU) in the intranet site; Exchange 2010/2013 CAS/HT/MBX hybrid servers, an Exchange 2013 MBX server and an Exchange 2010 Edge server in the Internet-facing site; clients using autodiscover.contoso.com and mail.contoso.com; Office 365 connected over Autodiscover & EWS and SMTP.

1. Prepare the Exchange 2010 SP3 / 2013 CU1 or higher schema. Exchange 2010 SP3 / 2013 CU1 or higher is required on CAS servers.
2. Deploy hybrid servers: install Exchange 2010 SP3 or Exchange 2013 CAS/HT/MBX servers, and set an ExternalUrl for the Exchange Web Services.
3. Obtain and deploy certificates on the hybrid servers.
4. Publish protocols externally: create public DNS A records for the EWS, SMTP and MRS endpoints, and validate using the Remote Connectivity Analyzer.
5. Run the Hybrid Configuration Wizard.
6. Switch the Autodiscover namespace to the Exchange 2013 CAS: change the public Autodiscover DNS record to resolve to the hybrid VIP.
7. Move mailboxes.
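Steps 3, 4 and 6 above each end with something that can be checked from outside the organization: the public A record exists, the endpoint answers TLS, and the certificate it presents covers every hybrid name. The Remote Connectivity Analyzer does this interactively; the function below is an added example (not from the deck, and not a Microsoft tool) that does the same pre-flight check from any Windows 8 / Server 2012 or later host with PowerShell, so it can be re-run after every DNS or certificate change. autodiscover.contoso.com and mail.contoso.com are the deck's placeholder names and are assumed to be replaced with the real namespace.

```powershell
# Added example (not part of the workshop deck): verify that a hybrid namespace resolves
# in public DNS and that the certificate presented on it covers all expected names.
# Uses Resolve-DnsName (Windows 8 / Server 2012 or later) and .NET SslStream only.
function Test-HybridEndpoint {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,   # e.g. mail.contoso.com
        [int] $Port = 443,
        [string[]] $ExpectedNames = @()                       # every name the certificate must include
    )

    $result = [ordered]@{
        HostName = $HostName; Resolves = $false; Addresses = @()
        TlsOk = $false; CertNames = @(); Missing = @()
    }

    # Step 4: the public A record must exist before the protocol is published.
    $records = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'A' }
    if (-not $records) { return [pscustomobject]$result }
    $result.Resolves  = $true
    $result.Addresses = @($records | ForEach-Object { $_.IPAddress })

    # Step 3: negotiate TLS and read the certificate the endpoint presents.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain on purpose: we are inspecting names here,
        # not trusting the session, so a wrong certificate is still reported rather than hidden.
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $tls.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        $result.TlsOk = $true

        # Subject CN plus every DNS name in the Subject Alternative Name extension (OID 2.5.29.17).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value }
        }
        $result.CertNames = @($names | Sort-Object -Unique)
        # Names the hybrid configuration needs but this certificate does not carry.
        $result.Missing   = @($ExpectedNames | Where-Object { $result.CertNames -notcontains $_ })
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage: check each hybrid namespace from the deck against one certificate.
# A non-empty Missing list means the certificate in step 3 must be reissued before step 6.
$hybridNames = 'autodiscover.contoso.com', 'mail.contoso.com'
foreach ($name in $hybridNames) {
    Test-HybridEndpoint -HostName $name -ExpectedNames $hybridNames
}
```

Run it before step 6: if autodiscover.contoso.com already resolves to the hybrid VIP but the certificate there lacks that name, Outlook clients will start failing Autodiscover as soon as the DNS change propagates.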
MAIL ROUTING
Standard on-premises free/busy (diagram)
Ben, an on-premises user, queries Brad's free/busy: the request goes from Ben's client to the Client Access Server and on to the Mailbox Server, all on-premises.
Federated free/busy (diagram)
Ben, an on-premises user, requests free/busy for Joe, whose mailbox is in Exchange Online: the request goes from the on-premises Mailbox Server and Client Access Server to Exchange Online, with the Microsoft Federation Gateway brokering the trust between the two organizations.
Exchange Online Protection (EOP) for Exchange

Connectors
- Fully hosted scenario: email flows exclusively through the cloud (Exchange Online), without any interaction with on-premises servers. (Note that this scenario does not use Exchange Online Protection (EOP) connectors.)
- Outbound smart-host scenario: EOP acts as a smart host, redirecting outbound mail to an on-premises server that applies additional processing before delivering mail to its final destination. Consider this option when an on-premises application or other compliance solution is used to filter outgoing mail and you still want the benefits of EOP edge, spam, virus and policy filtering.
- Inbound safe listing scenario: email is sent inbound through EOP from a trusted organization. In this scenario, EOP is configured to skip IP address filtering on inbound mail sent from IP addresses specified in a safe list. EOP can also be configured to skip policy and spam filtering.
- Regulated partner with forced TLS scenario: forced inbound and outbound Transport Layer Security (TLS) is used to secure all routing channels with business-regulated partners. By default TLS is opportunistic: it is used when the remote server presents a certificate, but it is not enforced.
- Hybrid scenarios: hybrid mail-flow scenarios can be used to host email partially in the cloud (Exchange Online) and partially on-premises. The following configurations allow use of a single domain name for all mailboxes in both the on-premises Exchange organization and the cloud:
  - Shared address space with on-premises relay (MX points to on-premises): the mail exchanger (MX) record for the shared email domain is configured to route email to the on-premises mail server before it is sent through EOP to the cloud mailboxes. Use this configuration if the on-premises protection solution is to provide filtering on inbound mail before sending it to the cloud.
  - Shared address space with on-premises relay (MX points to EOP): the MX record for the shared email domain is configured to route email to EOP for spam and policy filtering before it reaches the on-premises server. Use this configuration if EOP is to perform spam and policy filtering before routing mail to the on-premises server for additional processing.
  - Shared address space with cloud relay (MX points to the cloud): the MX record for the shared email domain is configured to route email to EOP for anti-spam processing and policy filtering before it is routed to Exchange Online, where it is filtered again by Exchange Online Protection (EOP) on the Exchange Online transport servers. Use this scenario if all messages that are to be relayed to the on-premises organization have been filtered for spam and viruses by Forefront.

Other EOP features
- Junk Mail folder: EOP receives telemetry data from Junk Mail folders to improve its junk mail heuristics through aggregate data.
- Data Loss Protection (DLP): EOP has an ever-increasing rule set that allows customers to enforce DLP rules.
- Exchange Hosted Encryption: *New* encryption services are available with EOP, depending on licenses.

Follow-up actions and additional information from prior assessments
Service enablement plan: draft implementation plan to address potential use of EOP connectors.
Considerations: [List specific issues uncovered or context from prior assessments]
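The "regulated partner with forced TLS" scenario above is the one where the default bites: a Partner connector created without TLS settings encrypts only opportunistically, and a partner server that stops offering STARTTLS silently receives regulated mail in clear text. The following is an added example (not from the deck) of the weak default beside the enforced configuration, as typed into Exchange Online PowerShell; fabrikam.com and mail.fabrikam.com are constructed placeholders for the partner's domain and the subject name of its certificate, and the function at the end is an audit helper written here, not an EOP cmdlet.

```powershell
# Added example (not from the workshop deck): EOP connectors for a regulated partner.
# Run in Exchange Online PowerShell. Partner domain and certificate name are placeholders.
$PartnerDomain   = 'fabrikam.com'
$PartnerCertName = 'mail.fabrikam.com'

# Weak (shown for contrast, do not create): with no -TlsSettings the connector uses
# opportunistic TLS, so encryption depends entirely on what the partner happens to offer.
#   New-OutboundConnector -Name 'Fabrikam-Outbound' -ConnectorType Partner `
#       -RecipientDomains $PartnerDomain -UseMXRecord $true

# Corrected, outbound: mail to the partner must be encrypted, and the partner must present a
# certificate from a trusted CA whose subject/SAN matches the expected name.
New-OutboundConnector -Name 'Fabrikam-Outbound-ForcedTLS' -ConnectorType Partner `
    -RecipientDomains $PartnerDomain -UseMXRecord $true `
    -TlsSettings DomainValidation -TlsDomain $PartnerCertName

# Corrected, inbound: mail claiming to come from the partner domain is accepted only over TLS
# and only when the sending server authenticates with that same certificate; anything else
# claiming to be fabrikam.com is rejected.
New-InboundConnector -Name 'Fabrikam-Inbound-ForcedTLS' -ConnectorType Partner `
    -SenderDomains $PartnerDomain -RequireTls $true `
    -RestrictDomainsToCertificate $true -TlsSenderCertificateName $PartnerCertName

# Audit helper (added here): list Partner connectors that still rely on opportunistic TLS,
# i.e. outbound connectors with no TlsSettings and inbound connectors without RequireTls.
function Get-OpportunisticPartnerConnector {
    Get-OutboundConnector | Where-Object {
        $_.ConnectorType -eq 'Partner' -and -not $_.TlsSettings
    } | Select-Object Name, RecipientDomains, TlsSettings, TlsDomain

    Get-InboundConnector | Where-Object {
        $_.ConnectorType -eq 'Partner' -and -not $_.RequireTls
    } | Select-Object Name, SenderDomains, RequireTls, TlsSenderCertificateName
}

Get-OpportunisticPartnerConnector
```

DomainValidation is the stricter of the TlsSettings values: EncryptionOnly accepts any certificate, CertificateValidation requires a trusted chain, and DomainValidation additionally pins the name, which is what "forced TLS with a regulated partner" should mean in practice. The audit function is worth scheduling, since a connector created later through the portal defaults back to opportunistic TLS.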
Deployment considerations
- Delegation coexistence: delegate permissions (delegate access, folder permissions, and send on behalf of) are migrated to Exchange Online but are not available after a mailbox move unless all parties are migrated at the same time.
- Mailbox permissions: on-premises mailbox permissions (send as, receive as, full access) that are explicitly applied on the mailbox are migrated to Exchange Online. However, inherited (non-explicit) mailbox permissions and any permissions on non-mailbox objects such as distribution lists or a mail-enabled user are not migrated.
- Cross-premises permissions: Microsoft does not support cross-premises permission scenarios. Permissions are migrated and functional when implementing an Exchange hybrid deployment only if there are corresponding directory objects in Exchange Online. Additionally, all objects with special permissions such as send as, receive as, and full access must be migrated at the same time.
- Archiving/vaulting: there are three primary approaches to moving content held in an archive or vault:
  1. Retire the archive and don't move any content. Provide a mechanism for users to access historical data. Stubbed items must be unstubbed.
  2. Move content once mailbox migrations are complete, using 3rd-party tools; the online archive may be utilized.
  3. Hydrate archive content back into mailboxes prior to migration. Caution: this impacts migration velocity and on-premises infrastructure.
- Off-boarding: as part of ongoing recipient management, you might have to move Exchange Online mailboxes back to your on-premises environment.
- Decommissioning on-premises Exchange: some organizations might want to remove their on-premises Exchange environment completely after all mailboxes have been migrated.
Deployment requirements
Review hybrid deployment requirements, including the hybrid server requirements, the Directory Synchronization tool, and the Microsoft Federation Gateway.
- Hybrid server: install a hybrid server running Exchange 2010 Service Pack 3 or Exchange 2013 Cumulative Update 1 in the on-premises Exchange environment, and configure Exchange coexistence between the on-premises Exchange environment and Exchange Online.
- Directory Synchronization tool: this tool must be running in the local environment. Directory Synchronization write-back is recommended for smooth off-boarding and other advanced coexistence functionality.
- Microsoft Federation Gateway: an online service that acts as the trust broker between the on-premises Exchange organization and the Exchange Online service. A hybrid deployment requires that a federation trust be configured with the Microsoft Federation Gateway.

Follow-up actions and additional information from prior assessments
Service enablement plan: draft implementation plan to address affected items, and include the need for high availability in the approach.
Considerations: [List specific issues uncovered or context from prior assessments]
Questions?

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.