Many organizations moving to Exchange Online do so to get rid of the shackles of third-party add-ons such as backup software, archiving tools, and the spam and malware prevention products commonly installed alongside Exchange. Sometimes, the core functionality Exchange Online offers doesn't do everything an organization needs, and it needs to once again rely on third-party tools. Knowing how to implement those tools is important.
Exchange 2007 and higher support antispam filtering in the Edge Server role and on the Hub Transport role. Exchange 2010 supports large mailboxes and immutability through litigation hold. Exchange 2013, like Exchange Online, includes built-in antimalware prevention and newer in-place hold features.
One selling point of Office 365 is that it includes basic features as well as many advanced features that are difficult to set up and integrate. It attempts to please many different customers, including small businesses and organizations with hundreds or thousands of users. This means that Microsoft may never be able to tailor Exchange Online to cater for niche requirements some smaller customers have. Larger customers, for example, may need something capable of working on-premises and in the cloud.
Third-party add-on spam, malware and archiving tools have a use with Exchange Online. Some options may provide features that aren't free in Office 365; other tools may provide additional protection in case of a Microsoft cloud issue, while others may act as a substitute to save money on the more expensive Office 365 licenses.
Office 365 backups are another common reason to look for a third-party tool. These are needed during a localized outage or a prolonged service failure, or in case a bug in Exchange Online affects in-place hold.
Use a third-party antispam tool
Exchange Online is like any other email system. It uses the standard SMTP protocol, so it can use most, if not all, third-party antispam tools.
Some proponents of an Office 365-only option might suggest otherwise, but it is perfectly fine to front Exchange Online with another service. One issue is that Exchange Online includes Exchange Online Protection (EOP), which is built into Exchange Online and based on Exchange Server. This is equivalent to using Edge servers with Exchange and still using a third-party antispam tool. EOP will still sit in between the third-party service and your mailboxes, but you won't expect it to perform antispam duties because your third-party option will take care of this (Figure 1).
There are three core areas that need to be reconfigured when you switch over to a third-party option:
- Synchronize email addresses from Office 365 to the third-party spam filtering service so it can perform edge-based blocking of invalid email addresses. This is usually configured by allowing the third-party to connect using Exchange Web Services.
- Point the domain's Mail eXchanger (MX) DNS records at the third-party option for inbound mail, and change the Sender Policy Framework (SPF) text record to ensure that the third-party option is defined as an allowed sender for your domain.
- Reconfigure inbound and outbound connectors in Office 365. By default, you may not need to change the inbound connector, as it will already be set to receive mail from external IP addresses. You'll usually need to configure an outbound connector to ensure outbound mail is filtered by the third-party spam filter.
IT teams can configure these steps one by one. Ensure that address synchronization is in place before making any adjustments to your DNS records. After making DNS record changes, and once you're confident the service works as expected, you can lock down inbound mail to your new antispam provider. Then you can configure outbound mail to flow through your new provider. By configuring the steps separately and testing at each stage, you reduce the risk of interrupting mail flow.
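A DNS check for the staged cutover described above, as an added example that is not part of the original article: it flags MX records that do not point at the filtering provider and an SPF record that does not list the provider as an allowed sender. The provider names (mx.filter.example, _spf.filter.example) and all sample records are assumptions constructed for illustration.

```python
# Added example; provider names and all records below are constructed placeholders.
PROVIDER_MX_SUFFIX = ".mx.filter.example"     # hypothetical provider MX zone
PROVIDER_SPF_INCLUDE = "_spf.filter.example"  # hypothetical provider SPF include


def check_mx(mx_records):
    """Every MX must be a provider host; mx_records is [(preference, host)]."""
    if not mx_records:
        return ["no MX records published"]
    findings = []
    for pref, host in sorted(mx_records):
        name = host.rstrip(".").lower()
        if not name.endswith(PROVIDER_MX_SUFFIX):
            # A leftover MX elsewhere delivers mail without filtering.
            findings.append(f"MX {pref} {name} is not a provider host")
    return findings


def check_spf(txt_records):
    """txt_records: apex TXT strings. RFC 7208 wants exactly one SPF record."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    findings = []
    if not any(t.lstrip("+") == f"include:{PROVIDER_SPF_INCLUDE}" for t in terms):
        findings.append("provider is not an allowed sender in SPF")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF record has no 'all' mechanism")
    elif all_terms and all_terms[0] in ("all", "+all"):
        findings.append("SPF 'all' passes every sender")
    return findings


def cutover_report(mx_records, txt_records):
    mx, spf = check_mx(mx_records), check_spf(txt_records)
    return {"mx": mx, "spf": spf, "ready": not mx and not spf}


# Constructed sample: one MX still points straight at Exchange Online.
PARTIAL_MX = [(10, "in1.mx.filter.example."), (20, "example-com.mail.protection.outlook.com.")]
PARTIAL_TXT = ["v=spf1 include:spf.protection.outlook.com -all", "some-verification=abc"]
# Constructed sample: the finished cutover.
DONE_MX = [(10, "in1.mx.filter.example."), (20, "in2.mx.filter.example.")]
DONE_TXT = ["v=spf1 include:spf.protection.outlook.com include:_spf.filter.example -all"]

if __name__ == "__main__":
    for mx, txt in ((PARTIAL_MX, PARTIAL_TXT), (DONE_MX, DONE_TXT)):
        print(cutover_report(mx, txt))
```

In practice the record lists would come from a DNS lookup of the mail domain, run after each stage of the cutover.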
Choose the right third-party journaling or archiving tool
If you choose to supplement Office 365 with a third-party archiving tool, or if you want to use a cheaper Office 365 license model that doesn't include compliance features, such as the E1 and Office 365 Business plans, you need to configure integration with the service.
Integrating a third-party archiving tool is simpler than you think. Although Exchange Online doesn't support using mailboxes for journaling, it's not necessary to set up an external email address for archiving and journaling. It can be configured in the Exchange Admin Center within the Journal rules tab of the Compliance management section (Figure 2).
Once journaling is configured, often with a matching outbound connector to ensure Transport Layer Security secures mail between Exchange Online and your archiving vendor, copies of mail (often all internal and external messages) will be BCCed to the journal recipient address. Most archive vendors look at the original recipients and create matching archive mailboxes. You can access these mailboxes in the event of a disaster, if users need to recover accidentally deleted items or for legal discovery.
About the author:
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@EDU.