2017-07-06 Discuss approaches to achieve O365 Exchange campus independence

Agenda

  • Management has indicated that achieving O365 Exchange campus independence is a high-priority goal.

  • This meeting is to discuss approaches to remove O365's dependencies on campus resources.

  • Can a cloud service receive email first, perform spam filtering, and then route it to O365 or the MTA?

  • Send a report to management on whether there is an agreed approach to achieve this goal.

Discussion items

O365 has routing and authentication dependencies on resources located on campus.

Authentication Dependencies

  • DNS, dependent on user location, campus (internal) DNS and external (public) DNS
  • Directory Service (Campus LDAP, Microsoft Active Directory or Azure AD)
  • AutoDiscover

Routing Dependencies

  • DNS, dependent on user location, campus (internal) DNS and external (public) DNS
  • MTA

The following options were discussed to alleviate authentication dependencies:

1) Use Option 2: synchronized identities in the cloud with password hash sync. This would replicate password hashes to both locations so that authentication can happen on-premises or in the cloud.

  • Managing Identities on Office365
  • WSG mentioned that we are currently using the federated identities option and would like to determine the feasibility of implementing synchronized identities.

2) If the above approach is not feasible, we may want to consider a lift-and-shift to Azure/AWS.

  • This approach is to be explored after WSG reports back on the feasibility of implementing synchronized identities.

The following options were discussed to alleviate routing dependencies:

1) Can Exchange Online or Google be the initial recipient of O365 email?

  • Need to determine whether the anti-spam and anti-virus filtering provided by the above cloud services is comparable to the MTA's.
  • There could be routing delays to on-premises services because the cloud would be the first delivery point. This needs to be tested in the POC.
  • Filtering could be limited by the cloud provider's capabilities and may not match OIT standards or requirements.
  • Can we test delivering to a cloud delivery point with a POC?
    • The exchangetest.uci.edu test domain is available per WSG.
    • We can test with Exchange Online and Google as the first delivery point.
    • Most of the delivery points are in Google, so WSG and EUS prefer Google as the initial delivery point for the POC.
    • Need level of effort and estimates for a POC that delivers the exchangetest.uci.edu test domain to a Google delivery point for virus scanning/spam filtering.

Action items

  • HEINDRICK YU, Thomas Acker - Get level of effort for recommended/available routing options if Google is the first recipient of email to campus.
  • David Severance - Get level of effort for recommended/available spam filtering options if Google is the first recipient of email to campus.
  • HEINDRICK YU, Thomas Acker - Determine level of effort for recommended/available routing options if Exchange Online is the first recipient of email to campus.
  • HEINDRICK YU, Thomas Acker - Determine the feasibility of the password hash solution for Exchange Online authentication. If feasible, what is the level of effort?
  • HEINDRICK YU, Thomas Acker - If password hash sync is not feasible, what are the required architecture and level of effort to move the ADFS capability to the AWS cloud? Priya & David K to assist with AWS.
  • David Severance, Derek Chee - What is the level of effort to put MX / MTA servers in the cloud?
  • Priya Srinivasan - Create project tasks to determine the LOE for the above action items.
    Created Project PRJ0014527 with the above action items as tasks and assigned them to the appropriate resources.