Monday, 29 October 2012

FOPE Connectors

In Forefront Online Protection for Exchange (FOPE), you can use FOPE connectors to implement advanced email flow scenarios to provide more control over the mail-flow in its various stages.

There are two sets of connectors that you can set up in FOPE: “Inbound Connectors” and “Outbound Connectors”. An Inbound Connector handles emails coming in to the organization, and an Outbound Connector handles emails sent out from the organization.
To set up an Inbound Connector in FOPE, follow these instructions:
1. Go to and log in with your admin credentials.
2. Under Administration > Company > Connectors > Inbound Connectors click on +Add
The following settings are available to you when setting up an Inbound Connector:
Connection settings
  • Source IP
  • Source Domain
  • Reject non Source IP
Security settings
  • Opportunistic TLS
  • Forced TLS
Filtering settings
  • Connection
  • SPAM
  • Policy

To set up an Outbound Connector in FOPE, follow these instructions:
1. Go to and log in with your admin credentials.
2. Under Administration > Company > Connectors > Outbound Connectors click on +Add
The following settings are available to you when setting up an Outbound Connector:
Connection settings
  • Destination domain
Security settings
  • Opportunistic TLS
  • Forced TLS
Delivery settings
  • Smarthost
  • MX

Thursday, 11 October 2012

Hybrid Deployment Process in Office 365 using Hybrid Configuration Wizard in Exchange 2010 SP2

Exchange 2010 SP2 introduces the Hybrid Configuration Wizard, which gives you a simple process to configure a hybrid deployment between an Exchange 2010 Hybrid server on-premises and an Office 365 Exchange organization. The wizard was introduced in SP2 to automate and simplify the hybrid setup between Exchange 2010 on-premises and Exchange Online: in SP1 this was a very difficult task of more than 50 manual steps, and it is now reduced to 6 steps that are all GUI based.

Although Hybrid Configuration Wizard is an amazing feature added in SP2 and it is quite easy to run through, there are many factors that can stop the wizard from completing successfully. In order to be able to troubleshoot when things go wrong, you will need to understand how the Hybrid Configuration Wizard functions and how the Organization Relationship creation works in the background when running the wizard.

When you run the Configuration Wizard, it first collects all the required information from the user and records it using the Set-HybridConfiguration command. This recorded information is referred to as the “desired state”. Once the “desired state” is defined, the Configuration Wizard starts deploying the hybrid configuration by running the Update-HybridConfiguration command. This command tells the Hybrid Configuration Engine to start the hybrid configuration process. Once the Hybrid Configuration Engine is started, it reads the “desired state” from the HybridConfiguration object in Active Directory.

This Active Directory object stores the hybrid configuration information for the hybrid deployment and is updated using the Manage Hybrid Configuration wizard.

Next, the Hybrid Configuration Engine uses Remote PowerShell to connect to your Exchange 2010 on-premises server and to Exchange Online. Once the connections are established successfully, the Hybrid Configuration Engine checks the “current configuration” and topology of the on-premises Exchange server and of Exchange Online.

Knowing the “current state” and the “desired state”, the Hybrid Configuration Engine works out the “difference” between the two states and configures the hybrid organization to reach the “desired state”.

Because the Hybrid Configuration Engine only applies the “difference”, rerunning the wizard without changing any details has no effect: it compares the “current state” with the “desired state”, finds that the “difference” is empty, and applies no changes.

When the Hybrid Configuration Wizard sets up the Organization Relationship, it first checks the federation information by connecting to an Exchange Online CAS over Remote PowerShell and running Get-FederationInformation –DomainName. This requests a delegation token from the Microsoft Federation Gateway. Once it receives the delegation token, it checks public DNS to find out where the autodiscover endpoint is.

Once the on-premises autodiscover endpoint is located, the Exchange Online Client Access Server uses the delegation token it previously received from the Microsoft Federation Gateway to connect to the Exchange 2010 on-premises CAS. In response, the Exchange 2010 on-premises CAS sends back the Federation Trust details. This information includes ApplicationUri, DomainNames, TargetAutodiscoverEpr and TokenIssuerUris.

In my experience, one of the main causes of the wizard failing is that autodiscover is not published correctly, or that incoming traffic targeted at the Exchange 2010 on-premises CAS is not directed to the Hybrid server correctly. This is more likely to happen when you have recently added an Exchange 2010 Hybrid server to the environment just for the purpose of setting up hybrid mail flow with Exchange Online, and you never made sure that the server functions correctly as an Exchange server.

So I would say the best practice is to set up the Exchange 2010 Hybrid server, apply all the patches etc., and then ensure it is fully functional before setting up the organization relationship; as part of this, make sure that autodiscover works correctly both internally and externally.
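The pre-flight checks described above, as an added example that is not part of the original post: a script for the Exchange Management Shell on the Exchange 2010 SP2 Hybrid server that confirms autodiscover resolves and answers, runs the same Get-FederationInformation lookup the wizard performs, and prints the recorded “desired state”. The domain value is a placeholder you must replace.

```powershell
# Added example (not from the original post): Hybrid Configuration Wizard
# pre-flight checks, run from the Exchange Management Shell (PowerShell 2.0,
# so .NET classes are used instead of newer DNS/web cmdlets).
$Domain = "contoso.example"   # placeholder: your federated SMTP domain

# 1. Public DNS must resolve autodiscover for the domain; without this the
#    wizard cannot locate the on-premises Autodiscover endpoint.
$autodiscover = "autodiscover.$Domain"
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($autodiscover)
    Write-Host "$autodiscover resolves to $($addresses -join ', ')"
} catch {
    Write-Warning "$autodiscover does not resolve in DNS: $($_.Exception.Message)"
}

# 2. Autodiscover must answer over HTTPS from the Hybrid CAS. A 401 is the
#    expected answer (Autodiscover demands authentication); a certificate
#    name mismatch, timeout or 404 points at a publishing problem.
$uri = "https://$autodiscover/autodiscover/autodiscover.xml"
try {
    $resp = [System.Net.WebRequest]::Create($uri).GetResponse()
    Write-Host "$uri answered HTTP $([int]$resp.StatusCode)"
    $resp.Close()
} catch [System.Net.WebException] {
    $errResp = $_.Exception.Response
    if ($errResp -and [int]$errResp.StatusCode -eq 401) {
        Write-Host "$uri reachable (401 is expected without credentials)"
    } else {
        Write-Warning "$uri failed: $($_.Exception.Message)"
    }
}

# 3. The same lookup the wizard performs when it builds the Organization
#    Relationship: federation information for the domain.
$fed = Get-FederationInformation -DomainName $Domain -ErrorAction SilentlyContinue
if ($fed) {
    $fed | Format-List
} else {
    Write-Warning "Get-FederationInformation failed for $Domain; check autodiscover publishing and the federation trust"
}

# 4. Show the "desired state" the wizard recorded with Set-HybridConfiguration,
#    so you know what Update-HybridConfiguration will diff against.
Get-HybridConfiguration | Format-List
```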

Wednesday, 3 October 2012

DirSync Write Back Attributes in Hybrid Environment

The Microsoft Office 365 Directory Synchronization tool (DirSync) in a non-hybrid environment provides a one-way synchronization from your on-premises Active Directory to the Office 365 environment. However, when you set up a hybrid environment and run DirSync with the Hybrid check-box selected, it enables a few write-backs to your environment, which are as follows:

  • "Filtering Coexistence", which provides on-premises filtering with cloud safe/blocked sender data, writes back the following attribute:
      • SafeSendersHash
  • "Cloud Archive", which allows you to archive mail in the Microsoft Online cloud, writes back the following attribute:
      • msExchArchiveStatus
  • "Enable Mailbox", which offboards cloud mailboxes to on-premises, writes back the following attribute:
      • ProxyAddresses (LegacyExchangeDN (cloud LegDn) as X500)
  • "Enable UM/cloud voice mail" is a new attribute used only for Exchange Unified Messaging–Microsoft Lync Server 2010 integration, to indicate to on-premises Lync Server 2010 that the user has voice mail in the cloud. The following attribute is written back for this feature:
      • cloudmsExchUCVoiceMailSettings
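To verify that these write-backs have actually landed in on-premises Active Directory, here is an added example that is not part of the original post: it reports which users carry each written-back attribute. It requires the ActiveDirectory module (RSAT) and assumes that the on-premises schema attributes msExchSafeSendersHash, msExchArchiveStatus, msExchUCVoiceMailSettings and proxyAddresses are the ones the four write-backs above populate.

```powershell
# Added example (not from the original post): report the DirSync hybrid
# write-backs present on on-premises user objects.
# Assumption: these AD schema attribute names correspond to the write-backs
# listed above (SafeSendersHash, msExchArchiveStatus, ProxyAddresses X500,
# cloudmsExchUCVoiceMailSettings).
Import-Module ActiveDirectory

$props = "proxyAddresses", "msExchArchiveStatus",
         "msExchUCVoiceMailSettings", "msExchSafeSendersHash"

# Only mail-enabled users are candidates for any of the write-backs.
Get-ADUser -Filter { mail -like "*" } -Properties $props | ForEach-Object {
    # The cloud LegacyExchangeDN is written back as an X500 proxy address.
    $x500 = @($_.proxyAddresses | Where-Object { $_ -like "X500:*" })
    New-Object PSObject -Property @{
        User           = $_.SamAccountName
        CloudLegDnX500 = ($x500 -join "; ")
        ArchiveStatus  = $_.msExchArchiveStatus          # 1 = cloud archive
        CloudVoiceMail = [bool]$_.msExchUCVoiceMailSettings
        SafeSenders    = [bool]$_.msExchSafeSendersHash  # binary hash present?
    }
} | Where-Object {
    # Keep only users that show at least one write-back.
    $_.CloudLegDnX500 -or $_.ArchiveStatus -or $_.CloudVoiceMail -or $_.SafeSenders
} | Sort-Object User |
    Format-Table User, ArchiveStatus, CloudVoiceMail, SafeSenders, CloudLegDnX500 -AutoSize
```

A user that has been migrated to the cloud but shows no X500 entry, or a cloud-archived user with no ArchiveStatus, is a sign that the hybrid write-back is not working and DirSync should be checked before troubleshooting mail flow.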

Office 365 Administrator Roles

Billing administrator
Makes purchases, manages subscriptions, manages support tickets, and monitors service health. 

Global administrator
When you sign up to purchase Office 365, you become a global administrator.

Password administrator
Resets passwords, manages service requests and monitors service health 

Service administrator
Administers services, such as Microsoft Exchange Online, but does not require access to user management and other administrative functions. 

User Management administrator
Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Cannot delete a global admin or create other administrators