Date

06 Jul 2017

Attendees

Agenda

Management has indicated that achieving O365 Exchange campus independence is a high priority goal
This meeting is to discuss approaches to remove O365 dependencies on campus.
Can a cloud service receive an email first, do spam filtering and route to O365 or MTA?
Send report to management on whether there is an agreed approach to achieve this goal

Discussion items

O365 has routing and authentication dependencies on resources located on campus

Authentication Dependencies

DNS, dependent on user location, campus (internal) DNS and external (public) DNS
Directory Service (Campus LDAP, Microsoft Active Directory or Azure AD)
AutoDiscover

Routing Dependencies

DNS, dependent on user location, campus (internal) DNS and external (public) DNS
MTA

Following options were discussed to alleviate authentication dependencies

1) Use Option 2 - Synched identities in the cloud with password hash. This would enable replicating password hashes in both locations and authentication can happen on-premise or in the cloud.

Managing Identities on Office365
WSG mentioned that currently, we are using federated identities option and would like to determine the feasibility of implementing synched identities.

2) If above approach is not feasible, then we might want to consider lift/shift in Azure/AWS.

Approach to be explored after WSG comes back with the feasibility of implementing synched identities.

Following options were discussed to alleviate routing dependencies

1) Can Exchange Online or Google be an initial recipient of O365 emails?

Need to figure out if anti-spam and anti-virus filtering by above cloud services are comparable to MTA.
There could be route delays to services on-premise due to the cloud being the first delivery point. This needs to be tested in POC
Filtering could be limited by cloud provider's capability and not match OIT standards or requirements.
Can we test delivering to a cloud delivery point with a POC?
- exchangetest.uci.edu test domain is available per WSG.
- We can test with ExchangeOnline and Google being the first delivery point
- Most of the delivery points are in Google. So WSG and EUS prefer Google to be the initial delivery point for POC.
- Need level of effort and estimates for POC to test delivery of exchangetest.uci.edu test domain to Google delivery point for virus scan/spam filtering

Action items

HEINDRICK YU , Thomas Acker - Get level of effort for recommended/available routing options, if Google is the first recipient of email to campus
David Severance - Get level of effort for recommended/available spam filtering options, if Google is the first recipient of email to campus
HEINDRICK YU , Thomas Acker - Determine level of effort for recommended/available routing options, if Exchange Online is the first recipient of email to campus
HEINDRICK YU , Thomas Acker - Determine the feasibility of password hash solution for Exchange Online authentication. If feasible, what is the level of effort?
HEINDRICK YU , Thomas Acker - If password hash is not feasible, what is required architecture and level of effort to move ADFS capability to AWS cloud? Priya & David K to assist with AWS
David Severance, Derek Chee - What is level of effort to put MX / MTA servers in the cloud?
Priya Srinivasan - Create project tasks to determine LOE on above action items
Created Project PRJ0014527 with above action items as tasks and assigned to appropriate resources

Browser not supported