Granikos Technology Blog

Auf dem aOS Aachen September 2018 Event hat Luise Freese die Vorträge in ihren bekannten Sketchnotes festgehalten. 

Hier sind ihr Sktechnotes zu meinen beiden Sessions.

Migrating Legacy Public Folders to Modern Public Folders

Modern Attachments with OneDrive

Wer die Ignite 2018 besucht, kann Luise Freese dort treffen. Sie ist Chief Community Sketcher der Konferenz in Orlando.

Links

• Luise Freese - Digital Workplace Consultant
• aOS - Aachen | Slidedecks

Stay Connected

• Twitter: @stensitzki
• LinkedIn: https://www.linkedin.com/in/thomasstensitzki/
• Xing: https://www.xing.com/profile/Thomas_Stensitzki

The use of certificate-based email encryption is still a challenging task for administrators. When you store end-user certificates stored locally on computers, you accept the risk of the user certificates being deleted or overwritten unintentionally.

The use of smart cards helps to mitigate the risks associated with locally stored certificates. But smart cards are too complicated for large and agile companies. The use of smart cards with mobile devices is even more complicated, if not impossible.

Gateway Encryption

A simple and reliable solution is to use encryption and decryption capabilities at the company email gateway(s). This approach allows for:

• Central management of user and domain certificates or keys
  • S/MIME
  • PGP
• Central management of digital signage and encryption parameters for email communication with partner companies
• Encryption of any outgoing email communication regardless of the client used to compose the message:
  • Outlook
  • OWA
  • Outlook on the web
  • Mobile phone
  • Tablet Application
• Usage of internal eDiscovery solutions as internally stored email communication is still searchable
• No lost user certificates anymore

Besides the option to import certificates manually, the real benefit is provided by automatic certificate provisioning. By using a certificate authority company account the gateway solution handles certificate requests automatically.

The supported S/MIME certificate authorities are:

• D-TRUST
• GlobalSign
• SwissSign

NoSpamProxy by Net at Work is a gateway solution proving this set of features for on-premise SMTP messaging infrastructures.

Office 365

The advantages provided by NoSpamProxy can be used with Office 365 as well. There is no need to have an Exchange Hybrid configuration ins place to benefit from the NoSpamProxy features. The NoSpamProxy gateway can be configured for the use with Office 365 cloud-only tenants.

The following picture illustrates how NoSpamProxy gateway is integrated into such a scenario.

External emails are received by the local NoSpamProxy Gateway server and not by Exchange Online (1). The NoSpamProxy gateway handles the messages and sends the messages to Office 365 using an Office 365 connector (2). Outgoing messages to external recipients are sent to the on-premise NoSpamProxy gateway using a dedicated Office 365 Send Connector (3). The NoSpamProxy gateway handles the messages and sends the messages to the external recipients.

Multiple NoSpamProxy gateway servers can be deployed for a redundant setup.

NoSpamProxy

The NoSpamProxy gateway solution provides more than just S/MIME or PGP encryption capabilities. NoSpamProxy is a robust fully-fledged anti-spam solution that rejects spam emails legally compliant. Each message that is not fully received by the company does not need to be archived.

NoSpamProxy features:

• Legally compliant spam protection
• Legally compliant email communication using digital signage
• Protected email communication using password-protected PDF attachments
• Large attachment support by using a dedicated we portal
• Geographically dispersed gateways with central management

Want to know more about all NoSpamProxy features?
Not yet an Office 365 customer, but keen to know more about gateway-based encryption and a reliable anti-spam solution?

Get to know more about NoSpamProxy here.

NoSpamProxy Azure Edition is the cloud based email security gateway of the successful NoSpamProxy family of products by Net at Work. The Azure edition of NoSpamProxy can easiliy be deployed using the Microsoft Azure Marketplace.

NoSpamProxy Azure easily connects an Office 365 tenant and offers an easy way to provide centralized email encryption and decryption with PGP and/or S/MIME for mailboxes hosted in Exchange Online. Additionally, NoSpamProxy Azure provides compliant anti-spam handling, an anti-malware component, and a large file portal.

The edition currently available in Microsoft Azure installs a NoSpamProxy single-server deployment. A single-server deployment combines the NoSpamProxy intranet role and the gateway role on a single server.

The NoSpamProxy Azure Edition is provided as BYOL (Bring Your Own License) deployment. In addition to the recurring fees for the Microsoft Azure VM you are required to buy a NoSpamProxy license. If you already own a NoSpamProxy Version 11 license, the license can be used for the NoSpamProxy Azure Edition as well.

Content

DeploymentOptions
Notes
Deployment
Links

Deployment Options

Due to the nature of a cloud service NoSpamProxy Azure can be operated in different scenarios in Microsoft Azure. By default the system is configured as a workgroup system without any Active Directory domain membership. The different operational scenarios for NoSpamProxy Azure depend on the existence of a Site-2-Site VPN between your Azure deployment and your on-premises IT infrastructure.

• Without Site-2-Site VPN to Microsoft Azure
   
  • An on-premises email server (e.g. Exchange Server or SmarterMail) utilizes NoSpamProxy Azure as an external relay for outgoing messages. Incoming messages are received by NoSpamProxy Azure and are forwarded to the on-premises email server via the internet.
     
  • Email addresses of internal recipients are maintained manually using plain text file. The file itself is imported automatically by NoSpamProxy Azure
    This is a viable option, if there aren't too many email addresses to maintain.
     
  • Good option for Office 365 customers running a cloud only deployment without any on-premises Active Directory users and mailboxes. The required import file can be created by exporting Office 365 recipients and email addresses.
     
  • RDP access to the Azure VM and NoSpamProxy Azure must be limited to an external IP address of the company network.
     
• With Site-2-Site VPN to Microsoft Azure
   
  • AN on-premises email server (e.g. Exchange Server or SmarterMail) utilizes NoSpamProxy Azure as an internal Relay for outgoing messages. Incoming messages are received by NoSpamProxy Azure and forwarded to the on-premises email servers using the Site-2-Site VPN.
     
  • Automated import of internal email recipients from a LDAP source (e.g. Active Directory)
    This option simplifies recipient maintenance, as recipients are automatically imported by NoSpamProxy Azure.
     
  • Perfect option for Office 365 customers maintaining user accounts on-premises and running Azure AD Connect or maybe even having a full Office 365 hybrid setup with centralized mail flow.
     
  • RDP access to the Azure VM and NoSpamProxy Azure restricted to internal company network(s).

Currently a direct connection to Azure AD is not supported, but it is planned for a future release.
 

Notes

• The Azure Service for NoSpamProxy Azure System requires a Reverse-DNS configuration, as any other public facing SMTP service. External SMTP servers must be able to perform a Reverse-DNS check successfully. A link on how to configure Reverse-DNS in Azure is listed in the Links section.
   
• The system name of the NoSpamProxy Azure VM should not follow internal IT naming conventions, as the name is publically resolvable. Otherwise you are going to expose your internal naming conventions.

Depending on the size of the Azure VM different throughputs can be reached in regards to emails per minute.

Tests have shown the following results for Standard A Virtual Machines:

Deployment

The following steps describe a simple deployment of NoSpamProxy Azure.

Go to Azure Marketplace and search for NoSpamProxy, select the NoSpamProxy Azure Edition.

Click Create to configure the NoSpamProxy Azure system.

Configure the required parameters as needed

• Name
  System name which is added to Azure DNS and externally resolvable.
• VM disk type
  When selecting SSD as VM disk type, you must choose an Azure VM supporting SSD in a following step.
• User name, Password
  User name of the local administrator account
  As the Azure VM is accessible via RDP from the internet by default, you should use a non-trivial user name and password.
• Subscription
  Azure subscription to add the Azure resources to.
• Resource group
  Resource group for the new Azure resources. The example creates a new resource group.
• Location
  Azure region for the new resource group.

Select an appropriate virtual machine type. NoSpamProxy Azure doesn't have extraordinary system requirements for processor and memory. SQL Server 2014 Express is downloaded and installed as part of the standard setup of NoSpamProxy. Even SQL Server 2014 Express can be run on a standard VM..

All other settings remain unchanged for this simple deployment. You can adjust the settings, if required for your individual deployment. Especially if you want to utilize exisiting resources.

• Storage Account
  Storage for Azure VM VHD files
• Virtual Network
  Azure virtual network for the new Azure VM
• Subnet
  Azure virtual network subnet
• Public IP Address
  External IP address
• Network Security Group
  Network firewall configuration

Verify the technical summary and click OK to add the configured system to your shopping cart.

Verify the selected Azure service offering and the configured virtual machine. Click Purchase to buy the selected subscription. The deployment is a so called BYOL Deployment and requires a valid NoSpamProxy trial license or an existing full license. After the NoSpamProxy setup as been completed in the virtual machine you will be redirected to a web page to request a trial license.

Connect to the newly deployed virtual machine using Remote Desktop. After first log on NoSpamProxy setup will start automatically as part of an scheduled task. The scheduled task will execute the following steps:

• Configure the preinstalled SQL Server Express Edition
• Download and setup of the most current release of NoSpamProxy
• Redirect to the NoSpamProxy Azure web page to request a trial license
• Removal of the scheduled task

Do not close or interrupt the Windows PowerShell window.

After the setup has finished the public web page of NoSpamProxy Azure Edition will be opened in Internet Explorer. After initial setup of the operating system Internet Explorer runs in secure mode. Therefore, a security warning is displayed. Just add the web page to the list of exclusions and request your personal NoSpamProxy trial license.

The program setup adds new security groups and adds the logged on account to these security groups. It is required to log off and log on again to reflect the new group memberships. This is mandatory to sucessfully manage NoSpamProxy.

After log on start the NoSpamProxy Configuration MMC to import the license.

The NoSpamProxy Configuration MMC displays the NoSpamProxy version.

After initial import of the license you can start configuring NoSpamProxy to suit your needs.

Links

• NoSpamProxy Azure
• NoSpamProxy Protection
• Blogartikel: Gateway based email encryption with Office 365
• Microsoft Azure Trial
• Microsoft Azure Reverse DNS
• Microsoft Azure Reverse DNS mit der CLI

Die NoSpamProxy Gateway-Rolle benötigt für mehrere Funktionen Zugriff ins Internet. Dieser Zugriff kann sowohl direkt, als auch über einen klassischen Proxy erfolgen. Zu den Funktionen gehört u.a. der Webservice-Zugriff auf De-Mail.

Die Proxy-Konfiguration erfolgt direkt in der Konfigurationsdatei des Gateway-Service. Diese Anpassung muss auf jedem Server mit installierter Gateway-Rolle durchgeführt werden.

• Dateipfad (Beispiel): E:\Program Files\Net at Work Mail Gateway\Gateway Role
• Dateiname: NetatworkMailGatewayRole.exe.config

Für die Konfiguration eines Proxy-Servers wird in der Konfigurationsdatei ein zusätzlicher Xml-Node hinzugefügt.

1. Stoppen der NoSpamProxy Gateway-Rolle über die NoSpamProxy Managementkonsole
2. Erstellen einer Kopie der Konfigurationsdatei
3. Anpassen der Konfigurationsdatei
4. Starten der NoSpamProxy Gateway-Rolle über die NoSpamProxy Managementkonsole

Das nachfolgende Beispiel bezieht sich auf NoSpamProxy 11.1.179.0

NetatworkMailGatewayRole.exe.config vor der Anpassung

<?xml version="1.0" encoding="utf-8"?>
<configuration>
	<runtime>
	   <gcServer enabled="true" />
	   <generatePublisherEvidence enabled="false" />
	   <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
		   <dependentAssembly>
			   <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
			   <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
		   </dependentAssembly>
		   <dependentAssembly>
			   <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			   <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
		   </dependentAssembly>
		   <dependentAssembly>
			   <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			   <bindingRedirect oldVersion="0.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
		   </dependentAssembly>
	   </assemblyBinding>
	</runtime>
</configuration>

NetatworkMailGatewayRole.exe.config mit konfiguriertem Proxy-Server

<?xml version="1.0" encoding="utf-8"?>
<configuration>
	<runtime>
	   <gcServer enabled="true" />
	   <generatePublisherEvidence enabled="false" />
	   <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
		   <dependentAssembly>
			   <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
			   <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
		   </dependentAssembly>
		   <dependentAssembly>
			   <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			   <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
		   </dependentAssembly>
		   <dependentAssembly>
			   <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
			   <bindingRedirect oldVersion="0.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
		   </dependentAssembly>
	   </assemblyBinding>
	</runtime>
	<system.net>
	   <defaultProxy>
		   <proxy usesystemdefault="true" proxyaddress="http://10.29.10.11:8080" bypassonlocal="true"  />
	   </defaultProxy>
	</system.net>
</configuration>

Hinweis

Bei der Installation eines Updates von NoSpamProxy wird die Datei NetatworkMailGatewayRole.exe.config überschrieben.

Dies bedeutet, dass nach die Konfiguration eines Proxy-Servers nach erfolgreicher Installation des Updates wieder eingetragen werden muss.

Links

• NoSpamProxy KB: Updates von Version 11.0 auf Version 11.1

A custom domain can only be registered once across all available Office 365 instances (Global, Germany, and China). In order for a registered domain to be used in a new tenant, the registered domain must be removed from the old tenant.

Note

The following text assumes that you have already migrated or backed up all user data. Otherwise, the steps described will result in the immediate deletion of data or a release for deletion within Office 365. If the domain to be deleted is the tenant's default domain, accounts for guest users (user_remotedomain#EXT#mydomain.com) stored in Azure AD also use that domain name. using that domain. These accounts must be removed as well.

Steps to delete a custom domain

Azure AD Connect

If the old tenant synchronizes with Azure AD Connect this configuration must be removed first. The domain to be deleted must not be used by any user or group object in Azure AD. Your options are:

• The tenant should be deleted completely
  
  Move the synchronized objects (user accounts, groups) in the local Active Directory to organizational units that are not synchronized by Azure AD Connect. The removal of users in the Azure AD automatically deletes the data in the services formerly licensed to the user.
   
• Only the domain should be removed
  
  If the domain is used as an UPN logon domain you must modify the UPN domain in the local Active Direcory for all affected users first. Update the UPN domain to a different domain already registered as custom domain in Office 365 and synchronize the changes to Azure AD. The CAN IT PRO-Team has published an excellent blog post on this topic. 
  
  If the domain is used for email services all proxy addresses using that domain name must be removed. The proxy addresses must be removed from objects in the on-premises Active Directory. Changes are synchronized to Azure AD by Azure AD Connect.

Office 365 

Use PowerShell to verify if there are still objects using the domain name to be deleted..

# Install the Office 365 PowerShell module
Install-Module MSOnline

# Import the module, if it's installed already
Import-Module MSOnline

# Connect to Office 365 using a global admin account w/o MFA
Connect-Msolservice

# domain name
$Domain = 'granikoslabs.de'
$Filter = "*@$Domain"

# List all Office 365 users with a UPN using the domain name
Get-MsolUser -DomainName $Domain | FL UserPrincipalName

# List all Office 365 users with a proxy address using the domain name
Get-MsolUser | Where-Object {$_.ProxyAddresses -like $Filter}

# List all Office 365 groups with a proxy address using the domain name
Get-MsolGroup | Where-Object {$_.ProxyAddresses -like $Filter}

# List all Office 365 groups with an email address using the domain name 
Get-MsolGroup | Where-Object {$_.EmailAddress -like $Filter} 

If you get any results from the list queries you must clean up the objects first. Without modifying the objects you cannot remove the custom domain from Office 365.

If the queries did not return any result you are safe to remove the custom domain from the old tenant.

# Domain removal
Remove-MsolDomain -DomainName $Domain -Force

After the final removal of the custom domain

After deleting the custom domain from the old tenant, the domain can be added to a new tenant relatively quickly in other Office 365 instances.

Link

• Step-By-Step: Changing The UPN Suffix For An Entire Domain Via PowerShell

Enjoy Office 365!

Mit der neuen Version 9.2 des erfolgreichen Net at Work Mail Gateways erwarten uns einige Neuerungen und Änderungen.

De-Mail Konnektor

Mail Gateway Nutzer, die den De-Mail Konnektor verwenden (egal ob Mentana oder Telekom/T-Systems), müssen die neue Mail Gateway Version 9.2 installieren, ansonsten wird die Verbindung zum DMDA nicht mehr funktionieren. Sowohl Mentana und Telekom/T-Systems stellen zum 31.12.2014 den Dienst der alten Plattform ein.

Neue Zertifikatsschnittstellen

Der bisherige Zertifikatsanbieter SignTrust hat Ende September bekannt gegeben, sich aus dem Trustcenter-Markt zurückzuziehen. Bestehende Kundenverträge wurden zum 31.12.2014 gekündigt. In Zukunft wird die automatische Beantragung von Zertifikaten über das Trustcenter von SwissSign mit den Gateway Solutions möglich sein. SwissSign bietet seit 2001 digitale Zertifikate und Signaturen an und ist seit 2005 eine 100% Tochter der Schweizerischen Post. Als anerkannter Certificate Services Provider (CSP) rangiert SwissSign in den weltweiten Statistiken hinter Unternehmen aus den USA und Japan als europäische Marktführerin und bildet somit eine ideale Alternative für bisherige SignTrust Kunden.

Neben SwissSign als neuem Zertifikatsanbieter wird Anfang 2015 noch das Trustcenter von GlobalSign seinen Weg in die Gateway Solutions von Net at Work finden. Die Implementierung der API hat bereits begonnen und wird in Kürze abgeschlossen sein. GlobalSign wurde 1996 als eine der ersten Zertifizierungsstellen gegründet. Mit der Implementierung von GlobalSign können enQsig Kunden dann wahlweise Zertifikate von zwei europäischen Zertifizierungsstellen beziehen.

• SwissSign, https://www.swisssign.com/de  
• GlobalSign, https://www.globalsign.com/de-de  

32-Bit

Die Version 9.2 der Mail Gateway Lösung ist die letzte Version des Produktes, die eine Installation auf einem 32-Bit betriebssystem erlaubt. Wenn Sie weiterhin auf die Fähigkeiten des Lösung vertrauen möchten, müssen Sie auf ein 64-Bit Betriebssystem migrieren.

Wir unterstützen Sie beim Versionsupdate und der Migration auf ein neues Betriebssystem. Gerne beraten wir Sie zu den Themen E-Mail Spamabwehr mit NoSpamProxy und automatisch sicherer E-Mail Kommunikation mit enQsig. Kontaktieren Sie uns unter info@granikos.eu.