NoSpamProxy Azure Edition is the cloud based email security gateway of the successful NoSpamProxy family of products by Net at Work. The Azure edition of NoSpamProxy can easiliy be deployed using the Microsoft Azure Marketplace.
NoSpamProxy Azure easily connects an Office 365 tenant and offers an easy way to provide centralized email encryption and decryption with PGP and/or S/MIME for mailboxes hosted in Exchange Online. Additionally, NoSpamProxy Azure provides compliant anti-spam handling, an anti-malware component, and a large file portal.
The edition currently available in Microsoft Azure installs a NoSpamProxy single-server deployment. A single-server deployment combines the NoSpamProxy intranet role and the gateway role on a single server.
The NoSpamProxy Azure Edition is provided as BYOL (Bring Your Own License) deployment. In addition to the recurring fees for the Microsoft Azure VM you are required to buy a NoSpamProxy license. If you already own a NoSpamProxy Version 11 license, the license can be used for the NoSpamProxy Azure Edition as well.
DeploymentOptions Notes Deployment Links
Due to the nature of a cloud service NoSpamProxy Azure can be operated in different scenarios in Microsoft Azure. By default the system is configured as a workgroup system without any Active Directory domain membership. The different operational scenarios for NoSpamProxy Azure depend on the existence of a Site-2-Site VPN between your Azure deployment and your on-premises IT infrastructure.
Currently a direct connection to Azure AD is not supported, but it is planned for a future release.
Depending on the size of the Azure VM different throughputs can be reached in regards to emails per minute.
Tests have shown the following results for Standard A Virtual Machines:
The following steps describe a simple deployment of NoSpamProxy Azure.
Go to Azure Marketplace and search for NoSpamProxy, select the NoSpamProxy Azure Edition.
Click Create to configure the NoSpamProxy Azure system.
Configure the required parameters as needed
Select an appropriate virtual machine type. NoSpamProxy Azure doesn't have extraordinary system requirements for processor and memory. SQL Server 2014 Express is downloaded and installed as part of the standard setup of NoSpamProxy. Even SQL Server 2014 Express can be run on a standard VM..
All other settings remain unchanged for this simple deployment. You can adjust the settings, if required for your individual deployment. Especially if you want to utilize exisiting resources.
Verify the technical summary and click OK to add the configured system to your shopping cart.
Verify the selected Azure service offering and the configured virtual machine. Click Purchase to buy the selected subscription. The deployment is a so called BYOL Deployment and requires a valid NoSpamProxy trial license or an existing full license. After the NoSpamProxy setup as been completed in the virtual machine you will be redirected to a web page to request a trial license.
Connect to the newly deployed virtual machine using Remote Desktop. After first log on NoSpamProxy setup will start automatically as part of an scheduled task. The scheduled task will execute the following steps:
Do not close or interrupt the Windows PowerShell window.
After the setup has finished the public web page of NoSpamProxy Azure Edition will be opened in Internet Explorer. After initial setup of the operating system Internet Explorer runs in secure mode. Therefore, a security warning is displayed. Just add the web page to the list of exclusions and request your personal NoSpamProxy trial license.
The program setup adds new security groups and adds the logged on account to these security groups. It is required to log off and log on again to reflect the new group memberships. This is mandatory to sucessfully manage NoSpamProxy.
After log on start the NoSpamProxy Configuration MMC to import the license.
The NoSpamProxy Configuration MMC displays the NoSpamProxy version.
After initial import of the license you can start configuring NoSpamProxy to suit your needs.
Different technologies are used to verify the validity of email senders. Each technology by itself represents only one component of a holistic solution. It is currently recommended to implement all three technologies.
The technologies are:
The following figure illustrates the protocol relations.
The use of SPF, DKIM, and DMARC are no substitute for email message encryption itself or transport encryption. These technologies are used to identify and asses valid senders and to protect against spam messages.
Keep in mind that SPF, DKIM, and DMARC are offerings for other emails servers. As a sending party, you do not control if and how SPF, DKIM, and DMARC are evaluated by the receiving server. But if evaluated, the configuration must be correct to avoid messages being rejected by receiving email servers.
The following sections focus on the DNS configuration for SPF, DKIM, and DMARC. This post is not intended to rate the technologies, but to describe the implementation.
Each domain is used for sending emails requires an SPF resource record (RR) in its DNS zone. An SPF record is always of the type TXT and does not use any hostname (or resource record name, if you will). An SPF RR is always valid for the entire DNS zone.
mcsmemail.de. 3600 IN TXT "v=spf1 mx a:mail.mcsmemail.de ?all"
The following screenshot illustrates adding a new SPF TXT record in a common DNS management interface (DE) of an internet provider. The hostname textbox remains empty.
Example explained:
v=spf1 SPF Version
mx MX server records defined within the DNS zone are valid senders
a:mail.mcsmemail.de The additional DNS hostname defined as A resource record is a valid sender as well
?all Neutral validation of non listed servers that send emails for this domain
SPF records can be created by using one of the various online resources.
DKIM resource records are configured as TXT resource records as well. In contrast to an SPF record, a hostname is mandatory. In this case its called selector.
A DKIM TXT record is always created as a record in the subdomain _domainkey.
nsp._domainkey.mcsmemail.eu. 3600 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChZM8yjegaKfd0ssKyezTW/7xbDSNc0uPd50xa5/ecerv1v3mHKM+T7mClzRmIEx+Ji6AisVeo2uvjTYPemHFMBlQpuS/4zc2QxWHqp62FSQ7lASBOzDfUrIwayPVqwSPD6NrnfVSWoUNrFGGSVeU5uLASecBzTfxPukqTHgYKhQIDAQAB"
The following screenshot illustrates adding a new DKIM TXT record in a common DNS management interface (DE) of an internet provider. The hostname textbox contains the selector nsp followed by the subdomain _domainkey.
v=DKIM1 DKIM version
k=rsa Public key encryption method
p=MIGfMA.... The DKIM public key
DMARC is configured as a TXT resource record as well. The DMARC resource record uses the fixed hostname _dmarc.
_dmarc.mcsmemail.de. 3600 IN TXT "v=DMARC1\; p=none\; rua=mailto:DMARCRUA@mcsmemail.de\; ruf=mailto:DMARCRUF@mcsmemail.de\; fo=1\; adkim=s\; aspf=s\; rf=afrf\"
The following screenshot illustrates adding a new DMARC TXT record in a common DNS management interface (DE) of an internet provider. The hostname textbox contains always the value _dmarc.
v=DMARC1 DMARC version
p=none No DMARC policy defined (You should always start with None, before switching to Quarantine or Reject) rua=mailto:DMARCRUA@mcscmemail.de Email address for status reports
ruf=mailto:DMARCRUF@mcscmemail.de Email address for error reports
fo=1 Error report type
adkim=s DKIM alignment, s = strict
aspf=s SPF alignment, s = strict
rf=afrf Error report message format, afrf = Abuse Report Format following RFC 5965
The DMARC policy (p) should be raised step-by-step. The results for each policy type are:
Recommended reading on this topic: Google Support Post.
DMARC DNS zone entries can easily be checked by using the Net at Works PowerShell tool. The PowerShell script can only be used with NoSpamProxy11+. But there are some online tools available as well.
Do you need assistance with your Exchange Server setup? You have questions about your Exchange Server infrastructure and going hybrid with Office 365?
Contact us at office365@granikos.eu or visit our website http://www.granikos.eu.
The use of certificate based email encryption is still a challenging task for administrators. When you store end user certificates stored locally on computers, you accept the risk of the user certificates being deleted or overwritten unintentionally.
The use of smart cards helps to mitigate the risks associated with locally stored certificates. But smart cards are too complicated for large and agile companies. The use of smart cards with mobile devices is even more complicated, if not impossible.
A simple and reliable solution is to use encryption and decryption capabilities at the company email gateway(s). This approach allows for:
Besides the option to import certificates manually, the real benefit is provided by automatic certificate provisioning. By using a certificate authority company account the gateway solution handles certificate requests automatically.
The supported S/MIME certificate authorities are:
NoSpamProxy by Net at Work is a gateway solution proving this set of features for on-premise SMTP messaging infrastructures.
The advantages provided by NoSpamProxy can be used with Office 365 as well. There is no need to have an Exchange Hybrid configuration ins place to benefit from the NoSpamProxy features. The NoSpamProxy gateway can be configured for the use with Office 365 cloud-only tenants.
The following picture illustrates how NoSpamProxy gateway is integrated in such a scenario.
External emails are received by the local NoSpamProxy Gateway server and not by Exchange Online (1). The NoSpamProxy gateway handles the messages and sends the messages to Office 365 using an Office 365 connector (2). Outgoing messages to external recipients are send to the on-premise NoSpamProxy gateway using a dedicated Office 365 Send Connector (3). The NoSpamProxy gateway handles the messages and sends the messages to the external recipients.
Multiple NoSpamProxy gateway servers can be deployed for a redundant setup.
The NoSpamProxy gateway solution provides more than just S/MIME or PGP encryption capabilities. NoSpamProxy is a robust fully fledged anti-spam solution which rejects spam emails legally compliant. Each message that is not fully received by the company does not need to be archived.
NoSpamProxy features:
Want to know more about all NoSpamProxy features? Not yet an Office 365 customer, but keen to know more about gateway based encryption and a reliable anti-spam solution?
Get to know more about NoSpamProxy here: hier.
Skype for Business (formerly called Lync) is a helpful tool for enabling seamless communication among an organization. As an admin, preventable downtime is simply unacceptable, especially with mission-critical technology like Skype for Business.
However, because Skype for Business is often rolled out in phases, the certificates needed for it to remain operational will have varying expiration dates, which can become difficult to manage between routine maintenance. Even allowing an expired certificate to persist one minute can cause front-end servers to go down - meaning users can’t connect to the server, receive messages or make video calls.
In this scenario, watch how Uniscope - ENow’s monitoring and reporting solution for Skype for Business - quickly and easily helps you identify expired certificates and avoid costly downtime.
Learn more about Uniscope and start a free trial.
On July 28st 2015 Elastica, Inc., will host a cloud security webcast about
Nitin Kumar, Service Deployment Manager, Cisco Cloud Web Security and Kapil Raina, Cloud Security Expert at Elastica, talk about
More about this webcast
Interested in how to secure your Cloud apps and services? Contact uns at info@granikos.eu for a free SaaS audit to identify all the Cloud Apps already in use in your organization. Find the Shadow ITdeployed by your employees.