Many of Citihub Consulting’s enterprise clients have committed to adopting Office 365 as their end-user productivity suite, which includes the de facto standard messaging platform, Microsoft Exchange. Most organisations will begin by planning the deployment of Exchange Server Hybrid as an intermediate step towards moving to Exchange Online. This process presents some challenges for regulated firms and they need to be aware of the pitfalls and risks associated with the “out of the box” configuration tool, the Hybrid Configuration Wizard, and the underlying Hybrid deployment infrastructure.
Here are eight key considerations for planning an Exchange Hybrid deployment for Financial Services firms:
Stay current on your favourite topics
1. Use of Dedicated Exchange Hybrid Servers
Microsoft articles don’t typically discuss the deployment of dedicated Exchange Hybrid Servers. However, Citihub Consulting has found that deploying them in a dedicated logical AD Site, where they are away from confidential mailbox databases, can deliver significant security benefit. This is especially true for firms that are prone to high volumes of attacks. The Exchange Hybrid Server acts as a buffer between Exchange Online (ExO) and Exchange On-Premise (ExOP), allowing them to be shut down in the non-compromised location in order to prevent the spread of attacks, protecting mailboxes.
Creating dedicated Hybrid Servers has multiple benefits:
- Exchange Hybrid Servers in a DMZ, reducing attack surfaces
- Hybrid Config Wizard run on non-Database (DAG) Members, reducing direct connections to servers that hold mailbox databases
- Servers can be powered down in the event of a security breach or zero-day attack to prevent an attack from spreading
- Allows for easier management and upgrading of the Hybrid Configuration Wizard (HCW)
- Increases Mailbox Replication Service Thresholds for Velocity Migration Performance
- Enables a simplified Email Transit Path thus reducing mail hops
Of course, this approach may lead to additional costs and maintenance overheads. Nevertheless, on balance, Citihub Consulting certainly thinks this is worthwhile considering.
2. Creation of a Dedicated Logical Active Directory Site for Hybrid Servers
Creating a dedicated AD site within Active Directory Sites & Services for Hybrid Servers has multiple benefits:
- Cloud Email and LAN client traffic can be segregated
- By deploying Exchange Edge Transport Servers in the perimeter network for Hybrid Mail Flow and creating an Edge Subscription to the Hybrids within this site the security risks can be reduced. This is because there is an additional hop for mail traffic inbound from Exchange Online and outbound to Exchange Online
- Keeping Cloud email separate with “Hybrid to Edge” and “Edge to Hybrid” Server configurations increases ease of email diagnostics, compliance and message tracking to and from Exchange Online
Bear in mind that this requires careful planning and additional set-up cost for the new servers.
3. The Importance of Exchange Edge Servers
When talking about Hybrid Mail Flow, we often hear concerns from security teams about direct connections from Exchange Online being initiated to the company’s local domain configured Exchange Servers. The most common suggestion is to use pre-existing Load balancers, or Firewalls for the communication from Office 365. However, Microsoft states that there needs to be a Microsoft Exchange Server between Exchange Online and Exchange On-Premises.
Therefore, Microsoft Exchange can adopt several roles depending on which version you are using. One of these roles is the Exchange Edge Server Role. Microsoft developed the Edge Server Role to locate email servers in the perimeter network. The big advantage is that the Edge Server Role does not have direct access to Active Directory, instead, it uses an Edge Subscription to the AD Site where your Hybrid servers are deployed. The Edge Servers are configured to store recipient information locally using Active Directory Lightweight Directory Services AD LDS.
However, beware: deploying Edge Servers and creating an Edge Subscription in your current mail environment without a new AD Site is not recommended. This is because Edge Servers will become the default route for the ingress and egress of all emails in your environment sending them to Exchange Online and outbound to the internet. Consequently, the corporate Internet Mail Gateway Stack is bypassed, effectively eliminating all email security.
4. Enabling Centralised Mail Transport
Centralised Mail Flow is a way of maintaining email policy compliance of outbound emails from Exchange Online. This does not include messages sent to and from users within the tenant and only impacts outbound internet mail.
Enabling Centralised Mail Transport will reroute all outbound emails from Exchange Online, via your on-premise Exchange, and across the organisation’s email backbone. This will apply the following important legal and regulatory requirement functions before transiting to The internet:
- Corporate DLP Functions
- Corporate Digital Email Signing
- Corporate Email Hygiene Scanning
- Corporate Compliance
Want to know more about our work in Office 365?
An important scenario to note: if your organisation needs to separate mail flow by geographical region to comply with data sovereignty laws, it is necessary to create and configure additional SMTP Connectors built on Conditional Based Mail Routing. If you do not configure additional Conditional Based Routing Connectors and you have Centralised Mail Flow enabled then all emails will, as designed, flow back on-premise to the servers you configured for Hybrid Mail Flow.
An alternative approach might be to force all outbound mail through the Online Protection Routing and utilise Office 365 Security and Compliance Centre and Exchange Online Protection Toolsets. Note that these toolsets also come with caveats given the current limitations of these maturing features.
There are two potential disadvantages to enabling Centralised Mail Transit:
- Enabling the feature may result in extending a client’s Exchange On-Premises Servers in order to deal with this email transiting these servers.
- Organisations still need to keep existing email, DLP, Signing, Hygiene, and Compliance infrastructure to scale in order to process these emails coming via on-premises.
5. Exchange Online Journaling
Journaling allows organisation-wide email archiving. The feature provides the ability to copy emails as they pass through the transport stack to and from Exchange Online, rerouting the journal copies to the on-premise archive and allowing on-premise compliance tools to execute searches of emails originating in Office 365. Existing on-premise journal rules continue to apply to Exchange Online and can be copied to Exchange Online with a PowerShell script. However, the Journal Mailbox cannot be situated on Exchange Online. Consequently, it is necessary to create a correct set of Journal rules, recipients, mailboxes and SMTP Connectors to reach on-premise infrastructure, where data can be stored in the corporate archive. This provides the organisation with the same configuration as per on-premise Compliance Tool Sets prior to the user(s) being migrated to Office 365.
There is, of course, the option to use In-Place Archive, In-Place Hold or, perhaps, Litigation Hold, as an archiving option; understanding the difference between these features before enabling is essential. Citihub Consulting’s experience has shown that, for large corporates, Microsoft’s Office 365 Security & Compliance Centre does not yet meet some requirements for eDiscovery searches and potentially ruling these features out for large Office 365 deployments. Citihub Consulting recommends using journaling to drive business data back on-premise into the proven corporate archive and compliance toolsets.
There can be some limitations:
- Microsoft states Exchange Online will only support 10 Journal Rules (Microsoft has committed to upgrade the limit to the number of rules. Citihub Consulting is not aware of any confirmed date). Many large organisations will have hundreds of Journal Rules; whilst it is not unknown for Microsoft to extend exceptional support for this volume of rules, larger organisations should bear these limitations in mind.
- Organisations will need to keep their current archiving and compliance infrastructure in place, which can be expensive to maintain and license.
6. Deploying Dedicated Mailbox Replication Service Proxy End-Points
Using dedicated Hybrids as Mailbox Replication Service (MRS) Proxy end-points has two key benefits. Firstly, velocity and large batch mailbox migrations can place a considerable workload on busy Exchange servers supporting on-premise users, especially for legacy versions. Using the Hybrids as MRS Proxy end-points, offloads the batch migration workloads. Secondly, you can amend the Mailbox Replication Service Proxy Configuration to suit environmental needs, to gain the maximum performance for migrations and without affecting the day-to-day performance of Exchange Servers.
The main Advantages are:
- Offloading of large batch migration workloads to these dedicated servers
- Enhancement of MRS Configurations Proxy to enable large batch velocity migrations
However, deploying additional MRS End-Points creates increased maintenance and management overhead, plus the obvious additional costs.
7. Adding @onmicrosoft.com SMTP Addresses and the Potential Impact on the Address Book
The Hybrid Configuration Wizard will, by default, inject an additional SMTP address into the Default Email Address Policy for every mail-enabled item in the Global Address List (GAL) and consequently, will append to the Offline Address Book (OAB). This is acceptable for tens or even hundreds of mailboxes, but can cause a significant performance impact for large enterprises. Adding addresses to every mail-enabled item at once will trigger a mass regeneration of the GAL/OAB. Consequently, cached Outlook Clients will start to download the OAB, which could easily be several hundred Megabytes and across thousands of devices. Citihub Consulting has previously witnessed cases where organisations have triggered the default Email Address Policy changes and brought their On-Premises Exchange and global WAN performance to a grinding halt for several weeks.
8. Enabling Exchange Write-Back Attributes
Azure AD & Exchange Online server supports the write-back of certain attributes configured in the cloud back to on-premise servers. In large financial services organisations, IT risk functions will initially want to prohibit the write-back of metadata and other attributes, on the grounds that attributes changed in the cloud could be a security risk when reproduced in the on-premise infrastructure. Citihub Consulting suggests careful consideration to the write-back of certain attributes in support of a secure and functional environment.
Most organisations will want to track the “litigation hold” status of users so that any individual subject to investigation has email retained until the matter has been resolved. Often, certain online email accounts will need to be brought back on-premise as a user’s status changes (for example, they are promoted to a data sensitive role). Certainly, in most financial services companies, the list of restricted and/or monitored email accounts can vary quite significantly over time and can be complicated by information barriers between advisory and trading functions. However, unless the litigation holds write back attribute is enabled, all accounts being migrated back on-premise will not be flagged for litigation hold once the migration has completed. This can result in a failure to retain some of the data required for litigation purposes. Another example is the mail-routing X500 address which can cause Non-Deliverable Reports (NDR) if the Exchange Online Forest attributes are not written back before mailboxes are migrated. Organisations need to carefully consider the functional and regulatory benefits of enabling a subset of writing back attributes against the possible increased risk of writing the metadata back on-premise.
Recommended Writeback Attributes to Enable & Track;
- Legal/Litigation Hold Tracking
- Online Archive Tracking
- X500 Address Tracking
- External Directory ObjectID
A careful approach should be taken as blanket enablement of write back may expose security holes and other exploits.
These considerations are essential for any regulated financial services firm before moving to Office 365 via an Exchange Hybrid approach. Understanding each of these items and implementing an appropriate migration will mitigate the risk of regulatory, risk and compliance failures.